Bug#861180: shc: infinite loop does not work properly

Mon, 08 May 2017 09:18:29 -0700 

Hi,
As stated in https://github.com/neurobin/shc/issues/23#issuecomment-299035820 the problem can be in a change in the way the kernel does the "Address space layout randomization", different each time even when the same command with the same PID re-executes itself recursively. 


I use the address of a function of the code itself (chkenv) to try to 
verify that the code is not "tampered / substituted" in order to 
discover the unencrypted version of the original script.



I have made the attached patch from 
https://github.com/neurobin/shc/blob/release/src/shc.c

I hope it will work.

Thanks,

Francisco Rosales.

On 04/05/17 21:44, Eriberto wrote:

Control: severity 861180 normal

2017-05-04 16:30 GMT-03:00 Tong Sun <suntong...@users.sourceforge.net>:

Hi Eriberto,

Hi,


Do you still want to mark the Severity: as grave
after Jörg Sommer has explained in
https://github.com/neurobin/shc/issues/23#issuecomment-299035820
that there is a workaround?

I tested this workaround yesterday. Setting normal.

Cheers,

Eriberto



--- shc-3.9.3.c	2016-10-11 23:25:11.000000000 +0200
+++ shc-3.9.4.c	2017-05-08 17:28:27.705206932 +0200
@@ -17,7 +17,7 @@
  */
 
 static const char my_name[] = "shc";
-static const char version[] = "Version 3.9.3";
+static const char version[] = "Version 3.9.4";
 static const char subject[] = "Generic Shell Script Compiler";
 static const char cpright[] = "GNU GPL Version 3";
 static const struct { const char * f, * s, * e; }
@@ -251,6 +251,8 @@
 "		*argv = argv[1];",
 "}",
 "",
+"void chkenv_end(void);",
+"",
 "int chkenv(int argc)",
 "{",
 "	char buff[512];",
@@ -259,8 +261,12 @@
 "	char * string;",
 "	extern char ** environ;",
 "",
-"	mask  = (unsigned long)&chkenv;",
-"	mask ^= (unsigned long)getpid() * ~mask;",
+"	mask = (unsigned long)getpid();",
+"	stte_0();",
+"	 key(&chkenv, (void*)&chkenv_end - (void*)&chkenv);",
+"	 key(&data, sizeof(data));",
+"	 key(&mask, sizeof(mask));",
+"	arc4(&mask, sizeof(mask));",
 "	sprintf(buff, \"x%lx\", mask);",
 "	string = getenv(buff);",
 "#if DEBUGEXEC",
@@ -282,6 +288,8 @@
 "	return -1;",
 "}",
 "",
+"void chkenv_end(void){}",
+"",
 "#if !TRACEABLE",
 "",
 "#define _LINUX_SOURCE_COMPAT",
@@ -343,6 +351,7 @@
 "	char * me = getenv(\"_\");",
 "	if (me == NULL || !isFile(me)) { me = argv[0]; }",
 "",
+"	ret = chkenv(argc);",
 "	stte_0();",
 "	 key(pswd, pswd_z);",
 "	arc4(msg1, msg1_z);",
@@ -358,7 +367,6 @@
 "	arc4(chk1, chk1_z);",
 "	if ((chk1_z != tst1_z) || memcmp(tst1, chk1, tst1_z))",
 "		return tst1;",
-"	ret = chkenv(argc);",
 "	arc4(msg2, msg2_z);",
 "	if (ret < 0)",
 "		return msg2;",






















					Reply via email to