This is a discussion on "SHC protected shell script is vulnerable" within the Linux Administration forums, part of the Linux Forums category.
SHC protected shell scripts are vulnerable to debugging.
SHC does not truly "compile" your script into a binary: the generated binary still needs the interpreter program to run your original script, so it is possible that the original script can be captured. The problem is that almost every (sh/ksh/csh/bash/tcsh/zsh, etc.) shell script (if not all scripts) protected by SHC can be easily captured.

The following is the procedure to capture the original script from an SHC-generated program. Let's assume the original script is written in bash.

1. Create a link for the program:

       ln -s the-shc-protected-program ./-bash

2. In your ~/.profile, add the following statements:

       if [ -f ~/.shc_capture ]
       then
           rm -f ~/.shc_capture
           echo "Now you can attach to $$, press Enter to continue"
           read nl
       else
           touch ~/.shc_capture
       fi

3. In terminal 1, run:

       ./-bash whatever-args

4. In terminal 2, run:

       gdb -p PID

   The PID should be the number displayed in terminal 1 in "Now you can attach to ....". Then:

   - Type "bt" to display the frames.
   - Type "s" here and then press the Enter key in terminal 1.
   - In terminal 2, type "bt" again; now you should see the frame number for "main ()". Let's assume it's frame number 14.
   - Type "fr 14".
   - Type "info f". Find the Arglist address "Arglist at 0x*******"; let's assume it's 0xbfffe6c8.
   - Adding 0xc (decimal number 12) to the above number, we get 0xbfffe6d4.
   - Type "print (char **)* 0xbfffe6d4". Now you will get a hex number; let's assume 0xbfffe724.
   - Adding 8 to 0xbfffe724, we get 0xbfffe72c.
   - Type "print (char *)* 0xbfffe72c". Now you get another address; let's assume 0xbfffe892.
   - Type "printf "%s", 0xbfffe892".
   - When you see "---Type <return> to continue, or q <return> to quit---" at the bottom of the terminal screen, press the Enter key until you see something different: that is the original script!!!
So, now you can see that, like Cactus' SHELL-LOCK, SHC cannot provide adequate protection for your shell scripts, and both of them do not truly compile your script into binary code. As such you will not get any performance gain; instead, performance will be downgraded due to the extra work. I also tested the just-released wzshSDK V4.4; it seems not vulnerable to temp-watch, and I tried to use a similar method to the one described here to capture the original script, without success.