Linux is an interpreter

https://news.ycombinator.com/rss Hits: 40
Summary

This is a standalone addendum to an earlier four-part series. Reading the previous parts is not required. Links to previous parts, if you are interested:

In a previous article, I left you with this mysterious command.

    curl https://astrid.tech/rkx.gz | gunzip | sudo sh

What does it do? This can’t possibly be safe to run, can it? Am I distributing malware to you? Fine, fine, I’ll open it up and show you what’s inside.

Reverse engineering rkx.gz

First, we download it.

    astrid@chungus /tmp ❯ curl https://astrid.tech/rkx.gz | gunzip > rkx
      % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                     Dload  Upload   Total   Spent    Left  Speed
    100 14.31M  100 14.31M    0     0  28.16M      0      0

What kind of a file is it?

    astrid@chungus /tmp ❯ file rkx
    rkx: POSIX shell script, ASCII text executable

Well, I guess I tell you to pipe it to sh, so it’s only expected it’s a shell script. Let’s see what it runs.

    astrid@chungus /tmp ❯ cat rkx
    ...
    Hr7vfOuMr610ygifa2yphI4pZCRAPHzf+dYZX1vplBE+19hSCR1TyECAePi+860zvrbSKSN8rrGl
    EjqmkHEA8fB951tnfG2lU0b4XGNLJXRMIcMA4uH7zrfO+NpKp4zwucaWSuiYQkYBSimllFJKKaWU
    vnXG11Y6ZYTPNbZUQscUMmYgHr7vfOuMr610ygifa2yphI4pZMhAPHzf+dYZX1vplBE+19hSCR1T
    yIiBePi+860zvrbSKSN8rrGlEjqmkAED8fB951tnfG2lU0b4XGNLJXRMIeMFa6211lprrbXWWmut
    KqFjChlIEA/fd751xtdWOmWEzzW2VELHFDKOIB6+73zrjK+tdMoIn2tsqYSOKWQYQTx83/nWGV9b
    ...

Oops, that’s a lot of base64 junk! I guess that’s only to be expected given that it’s a 20 megabyte shell script.

    astrid@chungus /tmp/r ❯ du -sh ../rkx.gz --apparent-size # i have a compressed disk so this flag tells you actual uncompressed size
    20M ../rkx.gz

Well, if it’s a shell script, it has to be legible. Let’s just peek at its head and tail.

    astrid@chungus /tmp ❯ head rkx -n 15
    astrid@chungus /tmp ❯ tail rkx
    #!/bin/sh
    set -x
    if [ "$(id -u)" -ne 0 ]; then
        echo "Please ensure you are running as root/sudo"
        exit 1
    fi
    if ! command -v kexec && command -v base64 && command -v cpio 2>&1 >/dev/null ; then
        echo "Please ensure kexec-tools, base64, and cpio are installed"
        exit 1
    fi
    b...
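When auditing a script that is meant to run as root, the dependency check in the header above deserves a second look: in sh, `!` negates only the first command of an `&&` chain. The following is an added example, not code from rkx or from its author; it reproduces the shape of that condition next to a per-tool check, and the helper names `have`, `check_as_written` and `missing_tools` are hypothetical.

```shell
#!/bin/sh
# Added example, not part of rkx. Helper names are hypothetical.

# have TOOL: succeed if TOOL resolves to a command; discard all output.
# (">/dev/null 2>&1" silences both streams. The order "2>&1 >/dev/null"
# used in the header silences stdout only, and only for the last command.)
have() {
    command -v "$1" >/dev/null 2>&1
}

# check_as_written A B C: same shape as the condition in the script header,
# i.e. "! A && B && C". The "!" binds to A alone, so this returns 0
# ("print the error and exit") only when A is missing AND B and C exist.
check_as_written() {
    if ! have "$1" && have "$2" && have "$3"; then
        return 0
    fi
    return 1
}

# missing_tools TOOL...: print each missing tool on its own line.
# Returns 1 if any tool is missing, 0 if all are present.
missing_tools() {
    rc=0
    for tool in "$@"; do
        if ! have "$tool"; then
            printf '%s\n' "$tool"
            rc=1
        fi
    done
    return "$rc"
}

# Usage in a script header (tool names taken from the error message above):
#   missing=$(missing_tools kexec base64 cpio) || {
#       echo "Please install: $missing" >&2
#       exit 1
#   }
```

With the condition as written, a host that has kexec but lacks cpio passes the check and fails later, mid-script, while running as root.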

First seen: 2026-03-28 17:43

Last seen: 2026-03-29 13:53