Saturday, 12 December 2009

Really crap obscurity for bash scripts

Take a look at the following:

eval $'\x73\x75\x64\x6f\x20\x2d\x6e\x20\x74\x6f\x75\x63\x68\x20\x6f\x77\x6e\x65\x64\x2e\x74\x78\x74\x20\x3e\x2f\x64\x65\x76\x2f\x6e\x75\x6c\x6c\x20\x32\x3e\x26\x31\x0a'

What does it do when you run it? Hah, good question. Something like the following should help:

echo "\x68\x65\x6c\x6c\x6f\x20\x74\x68\x65\x72\x65\x2c\x20\x68\x6f\x77\x20\x61\x72\x65\x20\x79\x6f\x75\x3f\x0a" | perl -ne 'foreach (split(/\\x/, $_)) { /([a-f0-9]{2})/i && print chr(hex($1)) }; print "\n";'

I leave it as an exercise for the reader to work out how to create this silly obscurity.

May I just remind people that security through obscurity doesn't work, and just because something isn't obvious, it doesn't mean it is secure.

No comments:

Post a Comment