Re: Suspicious post [was: Problème d'installation]
Hi.
On Tue, Sep 03, 2019 at 09:18:43AM +0200, tomas@tuxteam.de wrote:
> On Mon, Sep 02, 2019 at 11:50:12PM +0200, Siard wrote:
>
> [...]
>
> > Suspicious post, nevertheless. Strange e-mail address, strange name,
> > and... the .tar.xz file appears to contain an executable??
>
> Yikes. You're right:
>
> cv2019s: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV) [...]
>
> So kids, don't double-click on that (unless your architecture is
> different from x86-64 and you haven't installed binfmt-support,
> that is ;-)
>
> I haven't put much time into it, but running "strings" on it suggests
> that it's trying to do strange stuff:
This piqued my interest, so I ran a decompiler on the thing.
Seems harmless enough - it downloads Debian libc.deb, prints OK and
tries to install it via dpkg.
Reco
undefined8 main(void)
{
  long lVar1;
  undefined8 *puVar2;
  undefined local_98 [24];
  ulong local_80;
  __pid_t local_18;
  __pid_t local_14;
  __cpu_mask local_10;

  lVar1 = 0x10;
  puVar2 = (undefined8 *)local_98;
  while (lVar1 != 0) {
    lVar1 = lVar1 + -1;
    *puVar2 = 0;
    puVar2 = puVar2 + 1;
  }
  local_10 = 0xff;
  local_80 = local_80 | 0x8000000000000000;
  sched_setaffinity(0,0x80,(cpu_set_t *)local_98);
  local_14 = fork();
  putchar(10);
  if (local_14 == 0) {
    execl("/bin/sh","/bin/sh",&DAT_001009b5,
          "curl --output libc http://ftp.de.debian.org/debian/pool/main/g/glibc/libc6_2.28-10_amd64.deb",
          0);
  }
  else {
    syscall();
    local_18 = fork();
    putchar(10);
    if (local_18 == 0) {
      execl("/bin/sh","/bin/sh",&DAT_001009b5,"echo OK && echo dpkg -i libc",0);
    }
    else {
      syscall();
      syscall();
    }
  }
  return 0;
}
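A defender-side triage check prompted by Siard's observation above (an executable hiding inside a .tar.xz): this is an added Python example, not code from anyone in the thread, that lists archive members carrying the ELF magic bytes or an exec bit. The archive contents and member names are constructed for the example; only the member name cv2019s is taken from the thread.

```python
import io
import stat
import tarfile

# Every ELF file starts with 0x7f followed by the ASCII letters "ELF".
ELF_MAGIC = b"\x7fELF"


def scan_tar_for_executables(data: bytes):
    """Return (member_name, reason) pairs for regular files that look like
    native executables: ELF header bytes, or any exec bit set in the mode.
    `data` is the raw archive (.tar.xz or any compression tarfile detects)."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            reasons = []
            if member.mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                reasons.append("exec bit set")
            fh = tar.extractfile(member)
            head = fh.read(4) if fh else b""
            if head == ELF_MAGIC:
                reasons.append("ELF header")
            if reasons:
                findings.append((member.name, ", ".join(reasons)))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a .tar.xz holding a text file and a fake ELF member
    (just the magic bytes plus padding, not a real program)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:xz") as tar:
        def add(name, content, mode):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            info.mode = mode
            tar.addfile(info, io.BytesIO(content))
        add("cv2019/README.txt", b"Mon CV 2019\n", 0o644)
        add("cv2019/cv2019s", ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 9, 0o755)
    return buf.getvalue()


if __name__ == "__main__":
    for name, why in scan_tar_for_executables(build_sample_archive()):
        print(f"{name}: {why}")
```

Run it against a real attachment with `scan_tar_for_executables(open(path, "rb").read())`; anything flagged deserves `file` and `strings` before it is ever extracted with exec permissions.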