From 82b5ad0c91fa8b236488c630ba1e782c6c607fd9 Mon Sep 17 00:00:00 2001 From: Stefano Moioli Date: Mon, 22 Apr 2024 23:43:36 +0200 Subject: [PATCH] sshd_auth_bypass -> sshd_proxy_elevate (+ preliminary docs) --- xzre.h | 41 +++++++++++++++++++++++++++-------------- xzre.lds.in | 2 +- 2 files changed, 28 insertions(+), 15 deletions(-) diff --git a/xzre.h b/xzre.h index c799ccc..31aba66 100644 --- a/xzre.h +++ b/xzre.h @@ -960,6 +960,8 @@ typedef struct __attribute__((packed)) global_context { * making future invocations return immediately. * * It's likely both a safety check and an anti tampering mechanism. + * + * It's also used to avoid running the payload more than once, if the hooks gets called multiple times */ BOOL disable_backdoor; PADDING(4); @@ -1716,7 +1718,7 @@ assert_offset(instruction_search_ctx_t, hooks, 0x30); assert_offset(instruction_search_ctx_t, imported_funcs, 0x38); static_assert(sizeof(instruction_search_ctx_t) == 0x40); -typedef struct __attribute__((packed)) auth_bypass_args { +typedef struct __attribute__((packed)) sshd_proxy_args { u32 cmd_type; PADDING(4); cmd_arguments_t *args; @@ -1726,24 +1728,35 @@ typedef struct __attribute__((packed)) auth_bypass_args { u16 payload_body_size; PADDING(6); RSA *rsa; -} auth_bypass_args_t; +} sshd_proxy_args_t; -assert_offset(auth_bypass_args_t, cmd_type, 0); -assert_offset(auth_bypass_args_t, args, 0x8); -assert_offset(auth_bypass_args_t, rsa_n, 0x10); -assert_offset(auth_bypass_args_t, rsa_e, 0x18); -assert_offset(auth_bypass_args_t, payload_body, 0x20); -assert_offset(auth_bypass_args_t, payload_body_size, 0x28); -assert_offset(auth_bypass_args_t, rsa, 0x30); +assert_offset(sshd_proxy_args_t, cmd_type, 0); +assert_offset(sshd_proxy_args_t, args, 0x8); +assert_offset(sshd_proxy_args_t, rsa_n, 0x10); +assert_offset(sshd_proxy_args_t, rsa_e, 0x18); +assert_offset(sshd_proxy_args_t, payload_body, 0x20); +assert_offset(sshd_proxy_args_t, payload_body_size, 0x28); +assert_offset(sshd_proxy_args_t, rsa, 0x30); /** - * @brief + * @brief + * forges a new `MONITOR_REQ_KEYALLOWED` packet, and injects it into the server to gain root privileges + * through the sshd monitor. + * + * this function is called if the calling function, @ref run_backdoor_commands , is invoked without root + * (which is what normally happens when sshd is sandboxed) * - * @param args - * @param ctx - * @return BOOL + * the code will then construct a new packet and send a monitor request with type `MONITOR_REQ_KEYALLOWED` and the payload as key. + * the receiving end (`mm_answer_keyallowed`) will then run the payload, likely as soon as `RSA_get0_key` is invoked, through the hook + * (TODO: confirm this) + * + * the `disable_backdoor` flag is used to avoid running the payload more than once, in case of multiple calls + * + * @param args arguments used to build the SSH packet + * @param ctx the global context + * @return BOOL TRUE if the packet was sent successfully, FALSE otherwise */ -extern BOOL sshd_auth_bypass(auth_bypass_args_t *args, global_context_t *ctx); +extern BOOL sshd_proxy_elevate(sshd_proxy_args_t *args, global_context_t *ctx); /** * @brief disassembles the given x64 code diff --git a/xzre.lds.in b/xzre.lds.in index 7a9f5bc..9737283 100644 --- a/xzre.lds.in +++ b/xzre.lds.in @@ -117,7 +117,7 @@ SECTIONS_BEGIN() DEFSYM(verify_signature, .text.lzma_index_dua) DEFSYM(sshd_patch_variables, .text.lzma_block_unpadded_siza) DEFSYM(sshd_find_monitor_struct, .text.lzma_mf_bt4_fina) - DEFSYM(sshd_auth_bypass, .text.lzip_decoder_memconfia) + DEFSYM(sshd_proxy_elevate, .text.lzip_decoder_memconfia) DEFSYM(sshd_get_client_socket, .text.index_encoda) DEFSYM(sshd_get_sshbuf, .text.threads_stoz) SECTIONS_END(.text)