Sweet-rose.pl

I came across an obfuscated Perl script a few months ago while reading the third edition of Perl Underground. I’ve always been curious about it, but never had the time or disposition to actually check what it did. Since the code layout actually matters (it’s beautiful), and it won’t fit on this page, here’s a link to the script.

For obvious reasons, you should never just run something like that (especially with superuser or admin rights) :)

Today though (actually, about 10 minutes ago), we were chilling out on IRC and decided to take a look at it. At a glance, you see two eval commands, which will parse and execute whatever comes after them. Looking at the rest of the code, the first thing you notice is the use of quotes (single and double, simply used to represent strings), dots (concatenation), backslashes (escaping) and many Perl special variables (such as the input and output record separators, $/ and $\).

pozican suggested we substitute the evals with a print command, so that we could see what all of that was being parsed to. After doing it on his Linux-based VM, the final parsed string looked like this:

\x32\x3E\x64\x20\x72\x6D\x20\x2D\x72\x66\x20\x2F

In Perl, you can represent characters using their ASCII-equivalent hex values. Clueless ran the following:

printf "\x32\x3E\x64\x20\x72\x6D\x20\x2D\x72\x66\x20\x2F";

And guess what the output was? You’re right:

2>d rm -rf /

;)
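
Added example (not part of the original post or of the script): the last decoding step done statically in Python, so the escaped string is only ever treated as text and never handed to an interpreter. The function names and the pattern list are assumptions made for this illustration, and the list is constructed and non-exhaustive.

```python
import re

# Perl-style hex escapes inside a string: \xNN or \x{NNNN}.
HEX_ESCAPE = re.compile(r'\\x(?:\{([0-9A-Fa-f]+)\}|([0-9A-Fa-f]{1,2}))')

# Constructed, non-exhaustive patterns worth flagging in decoded text.
SUSPICIOUS = {
    "recursive delete": re.compile(r'\brm\s+-\w*[rR]'),
    "nested eval": re.compile(r'\beval\b'),
    "shell execution": re.compile(r'\b(?:system|exec)\b|`'),
}

def decode_hex_escapes(text):
    """Replace each hex escape with its character; nothing is executed."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)

def peel(text, max_rounds=10):
    """Decode repeatedly, since one layer may itself contain escapes."""
    layers = [text]
    for _ in range(max_rounds):
        decoded = decode_hex_escapes(layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers

def triage(text):
    """Return the fully decoded text and the names of matching patterns."""
    final = peel(text)[-1]
    return final, sorted(n for n, rx in SUSPICIOUS.items() if rx.search(final))

# The parsed string shown in the post, kept as inert text in a raw literal.
PARSED = r'\x32\x3E\x64\x20\x72\x6D\x20\x2D\x72\x66\x20\x2F'
# Constructed sample: the escapes for "rm" escaped a second time.
DOUBLE = r'\x5Cx72\x5Cx6D'

if __name__ == "__main__":
    for sample in (PARSED, DOUBLE):
        decoded, findings = triage(sample)
        print(repr(decoded), findings)
```

Substituting print for eval still evaluates every other expression in the script, which is why that step belongs in a disposable VM; the static pass above only handles the escaped string once it has been extracted.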
