Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask
 
PerlMonks  

Embedding an Executable file in Perl program

by peacemaker1820 (Pilgrim)
on Mar 25, 2003 at 18:54 UTC ( #245751=perlquestion: print w/replies, xml ) Need Help??

peacemaker1820 has asked for the wisdom of the Perl Monks concerning the following question:

I need some enlightment...

Is it possible to embed and executable file such as BASIC in perl program for a purpose of security?
For instance, to connect to a local Database on the server, I would need to provide a user name and a password. However, I do not want to do that because once an intruder gets on the server, he can easily open any perl program that connects to the Database and get access to it. For this reason I would like to include a little compiled executable sort of a routine that will get me the username and password to the Database from this executable file.

Thanks All.
  • Comment on Embedding an Executable file in Perl program

Replies are listed 'Best First'.
(jeffa) Re: Embedding an Executable file in Perl program
by jeffa (Bishop) on Mar 25, 2003 at 19:50 UTC

    "...once an intruder gets on the server..."

    Well, once that happens, you have more pressing issues than just your database server being compromised. This is why a trained, experienced system administrator is required for such critical issues. I myself can write database front ends all day long, but you don't see me playing sysadmin because i do not keep up with security updates as often as i should. Instead, i let my friends maverick or blades handle the sysadmin role - but i do try and pick up whatever tips they throw at me. ;)

    Moral of the story: don't let anyone break into your box in the first place.

    jeffa

    L-LL-L--L-LL-L--L-LL-L--
    -R--R-RR-R--R-RR-R--R-RR
    B--B--B--B--B--B--B--B--
    H---H---H---H---H---H---
    (the triplet paradiddle with high-hat)
    
•Re: Embedding an Executable file in Perl program
by merlyn (Sage) on Mar 25, 2003 at 18:59 UTC
Re: Embedding an Executable file in Perl program
by meetraz (Hermit) on Mar 25, 2003 at 21:20 UTC
    I agree that this is a bad idea. Whatever method you use to get the username and password from the executable file, somebody else can use as well. Not very secure.

    But, for completeness, here's an example how to do it:

    use strict; open (EXE, "> myexefile.exe"); binmode(EXE); print EXE getexe(); close (EXE); my $login = `myexefile.exe`; unlink('myexefile.exe'); sub getexe { return "\x4d\x5a\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00 +\xb8\x00\x00\x00" ."\x00\x00\x00\x00\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00" ."\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00" ."\xd0\x00\x00\x00\x0e\x1f\xba\x0e\x00\xb4\x09\xcd\x21\xb8\x01\x4c +\xcd\x21\x54\x68" ."\x69\x73\x20\x70\x72\x6f\x67\x72\x61\x6d\x20\x63\x61\x6e\x6e\x6f +\x74\x20\x62\x65" ."\x20\x72\x75\x6e\x20\x69\x6e\x20\x44\x4f\x53\x20\x6d\x6f\x64\x65 +\x2e\x0d\x0a\x24" ."\x00\x00\x00\x00\x00\x00\x00\x89\x97\xcf\x9d\xcd\xf6\xa1\xce\xcd +\xf6\xa1\xce\xcd" ."\xf6\xa1\xce\xcd\xf6\xa0\xce\xc0\xf6\xa1\xce\x94\xd5\xb2\xce\xc4 +\xf6\xa1\xce\x9b" ."\xfe\xa7\xce\xcc\xf6\xa1\xce\xcd\xf6\xa1\xce\xcc\xf6\xa1\xce\x52 +\x69\x63\x68\xcd" ."\xf6\xa1\xce\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 +\x00\x00\x00\x00" ## (more data here) ; }

      Thanks for the answer but I do not understand a couple of things.
      What does the sub getexe() do, what are those wierd characters, what should I put in the getexe() because u specified  ##(more data here); ?

      Thanks
        Your original request asked how to "embed an executable file". The easiest way to do this is to convert your binary executable into a text-based string. One such way is to escape each byte using \xNN syntax. If your binary executable is 30k, you will have a string made up of 30,000 variations of "\xNN". The getexe() function is just returning this binary data to the main part of the program so it can be extracted to disk. You don't have to do it this way - I just thought it made it easier to read. I put the ##(more data here) in there because the post would have been really huge if I posted all 30k. Your executable code will be different anyway.
Re: Embedding an Executable file in Perl program
by zentara (Archbishop) on Mar 26, 2003 at 12:59 UTC
    This is a good place to use the "Generic script compiler" to rc4 encrypt it. shc
Re: Embedding an Executable file in Perl program
by submersible_toaster (Chaplain) on Mar 28, 2003 at 14:23 UTC

    OK, merlyn makes a point that the exe (that you want to store user/pass in) can still be reverse engineered so it still is insecure. Good point, but lets presume for the moment that an intruder has not gained shell access to your box- yet.

    Without doubt there are windows exploits that permit malicious types to view the sourcecode of your script - thus hardcoding the username and password in there is a bad idea - IF the database is accessible from the web - which if it is being called solely from a CGI or such - should not be the case. The sensitive database ought to be accessible from localhost(127.0.0.1) and possibly trusted hosts on a local network. Certainly NOT from the net in general.

    So lets presume now that your server has been (owned/rooted/admin'd/crackered/whatever) invaded, well then the invader has access to your script source, hence can find the executable you are getting the user/pass from, hence can run that executable to glean the user/pass. This only adds one step for the invader, and a pretty simple one at that. Reading the user/pass from a properly permissioned file might be a better way, but I suppose that if your script can have read permission on it - then any would be invader could do the same. Windows monks prepare to flame me ....now but short of changing to a platform with (cough) fewer simple and (cough) obvious exploits - you're still up the security creek in a barbed wire canoe


    I can't believe it's not psellchecked
      Thanks for a lengthful comment....

      But in any way, my users have to be able to connect to the database....so what's your most secure way to do that?

        But in any way, my users have to be able to connect to the database.
        Do they really connect to the database, or just to a cgi application which then connects to the db? It sounds as though you're only using a 'master' user/pass to have db access from cgi. Do your users have individual db accounts? Can the CGI perform it's duties for userX if it is logged in as userX ? In that case you would be mindful of the security of your CGI session, (where user/pass is being flung around) instead of being worried about your db master password being available to an intruder.

        Seriously, if someone invades the box, this is all academic - all bets on security are off. Please describe your process more explicitly, post some code and more people may be able to assist you.


        I can't believe it's not psellchecked

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://245751]
Approved by defyance
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (4)
As of 2020-12-03 00:28 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    How often do you use taint mode?





    Results (48 votes). Check out past polls.

    Notices?