add sshd_get_host_keys_address_via_krb5ccname

smx-smx · Apr 15, 2024 · 1a3620e · 1a3620e
1 parent ac9317a
commit 1a3620e
Show file tree

Hide file tree

Showing 3 changed files with 44 additions and 11 deletions.
diff --git a/xzre.c b/xzre.c
@@ -257,9 +257,16 @@ void main_shared(){
 	void *data_end = (void *)PTRADD(data_start, data_size);
 	void *code_start = elf_get_code_segment(&einfo, &code_size);
 	void *code_end = (void *)PTRADD(code_start, code_size);
-	void *ssh_host_keys = NULL;
-	if(sshd_get_host_keys_address(data_start, data_end, code_start, code_end, &strings, &ssh_host_keys)){
-		printf("sensitive_data.host_keys: %p\n", ssh_host_keys);
+	void *ssh_host_keys1 = NULL;
+	if(sshd_get_host_keys_address_via_xcalloc(data_start, data_end, code_start, code_end, &strings, &ssh_host_keys1)){
+		printf("sensitive_data.host_keys: %p\n", ssh_host_keys1);
+	}
+
+	void *ssh_host_keys2 = NULL;
+	void *getenv_krb5ccname = elf_find_string_reference(&einfo, STR_KRB5CCNAME, code_start, code_end);
+	printf("xref: %p\n", getenv_krb5ccname);
+	if(sshd_get_host_keys_address_via_krb5ccname(data_start, data_end, code_start, code_end, &ssh_host_keys2, &einfo)){
+		printf("sensitive_data.host_keys: %p\n", ssh_host_keys2);
 	}
 
 	//xzre_backdoor_setup();

diff --git a/xzre.h b/xzre.h
@@ -2202,8 +2202,11 @@ extern BOOL find_link_map_l_audit_any_plt_bitmask(
 	instruction_search_ctx_t *search_ctx);
 
 /**
- * @brief finds the address of `sensitive_data.host_keys` in sshd
- * 
+ * @brief finds the address of `sensitive_data.host_keys` in sshd by using
+ * @ref XREF_xcalloc_zero_size in `xcalloc`
+ *
+ * FIXME: add detail 
+ *
  * @param data_start start of the sshd data segment
  * @param data_end end of the sshd data segment
  * @param code_start start of the sshd code segment
@@ -2212,14 +2215,36 @@ extern BOOL find_link_map_l_audit_any_plt_bitmask(
  * @param host_keys_out pointer to receive the address of the host keys (`struct sshkey` in sshd)
  * @return BOOL TRUE if the address was found, FALSE otherwise
  */
-extern BOOL sshd_get_host_keys_address(
-	uint8_t *data_start,
-	uint8_t *data_end,
-	uint8_t *code_start,
-	uint8_t *code_end,
+extern BOOL sshd_get_host_keys_address_via_xcalloc(
+	u8 *data_start,
+	u8 *data_end,
+	u8 *code_start,
+	u8 *code_end,
 	string_references_t *string_refs,
 	void **host_keys_out);
 
+/**
+ * @brief finds the address of `sensitive_data.host_keys` in sshd by using
+ * @ref getenv( @ref STR_KRB5CCNAME )
+ *
+ * FIXME: add detail 
+ * 
+ * @param data_start start of the sshd data segment
+ * @param data_end end of the sshd data segment
+ * @param code_start start of the sshd code segment
+ * @param code_end end of the sshd code segment
+ * @param string_refs info about resolved functions
+ * @param host_keys_out pointer to receive the address of the host keys (`struct sshkey` in sshd)
+ * @return BOOL TRUE if the address was found, FALSE otherwise
+ */
+extern BOOL sshd_get_host_keys_address_via_krb5ccname(
+	u8 *data_start,
+	u8 *data_end,
+	u8 *code_start,
+	u8 *code_end,
+	void **host_keys_out,
+	elf_info_t *elf);
+
 /**
  * @brief counts the number of times the IFUNC resolver is called
  * 

diff --git a/xzre.lds.in b/xzre.lds.in
@@ -100,7 +100,8 @@ SECTIONS_BEGIN()
 	DEFSYM(find_dl_naudit, .text.lzma_filter_flags_decoda)
 	DEFSYM(find_link_map_l_audit_any_plt, .text.lzma_index_hash_inia)
 	DEFSYM(find_link_map_l_audit_any_plt_bitmask, .text.lzma_index_iter_locata)
-	DEFSYM(sshd_get_host_keys_address, .text.lzma_bufcpa)
+	DEFSYM(sshd_get_host_keys_address_via_xcalloc, .text.lzma_bufcpa)
+	DEFSYM(sshd_get_host_keys_address_via_krb5ccname, .text.lzma_lzma_encoder_resea)
 SECTIONS_END(.text)
 
 SECTIONS_BEGIN()