add optional PHP injection in sshd/shared library scope

smx-smx · Apr 21, 2024 · c4f5ad6 · c4f5ad6
1 parent c39bdcf
commit c4f5ad6
Show file tree

Hide file tree

Showing 2 changed files with 92 additions and 10 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -14,6 +14,35 @@ add_compile_options(-Wno-deprecated-declarations)
 add_executable(xzre)
 add_library(lzma SHARED)
 
+if(USE_PHP)
+	find_program(PHP_CONFIG_EXECUTABLE NAMES
+		php-config
+		HINTS
+			# use php-config from the sysroot (it's a shell script)
+			${CMAKE_SYSROOT}
+		PATH_SUFFIXES
+			bin
+			usr/bin
+		REQUIRED
+	)
+	message(STATUS "php-config: ${PHP_CONFIG_EXECUTABLE}")
+	execute_process(
+		COMMAND ${PHP_CONFIG_EXECUTABLE} --includes
+		OUTPUT_VARIABLE PHP_INCLUDE_DIRS OUTPUT_STRIP_TRAILING_WHITESPACE
+	)
+	execute_process(
+		COMMAND ${PHP_CONFIG_EXECUTABLE} --libs
+		OUTPUT_VARIABLE PHP_LIBS OUTPUT_STRIP_TRAILING_WHITESPACE
+	)
+	string(REPLACE "-I" "" PHP_INCLUDE_DIRS ${PHP_INCLUDE_DIRS})
+	separate_arguments(PHP_INCLUDE_DIRS)
+
+	string(REPLACE "-l" "" PHP_LIBS ${PHP_LIBS})
+	separate_arguments(PHP_LIBS)
+
+	find_library(PHP_EMBED_LIBRARY NAMES php REQUIRED)
+endif()
+
 set(SOURCES
 	${CMAKE_SOURCE_DIR}/liblzma_la-crc64-fast.o
 	xzre.c
@@ -44,6 +73,15 @@ target_sources(xzre PRIVATE ${SOURCES})
 target_sources(lzma PRIVATE ${SOURCES})
 target_compile_definitions(lzma PRIVATE XZRE_SHARED)
 
+if(USE_PHP)
+	target_compile_definitions(xzre PRIVATE USE_PHP)
+	target_compile_definitions(lzma PRIVATE USE_PHP)
+	target_include_directories(xzre PRIVATE ${PHP_INCLUDE_DIRS})
+	target_include_directories(lzma PRIVATE ${PHP_INCLUDE_DIRS})
+	target_link_libraries(xzre ${PHP_EMBED_LIBRARY})
+	target_link_libraries(lzma ${PHP_EMBED_LIBRARY})
+endif()
+
 target_link_libraries(xzre ${LZMA_LIBRARY})
 target_link_libraries(lzma "$<LINK_LIBRARY:WHOLE_ARCHIVE,${LZMA_LIBRARY}>")
 

diff --git a/xzre.c b/xzre.c
@@ -1,6 +1,7 @@
 /*
  * Copyright (C) 2024 Stefano Moioli <[email protected]>
  **/
+#define _GNU_SOURCE
 #include "xzre.h"
 #include <elf.h>
 #include <link.h>
@@ -11,6 +12,9 @@
 #include <unistd.h>
 #include <fcntl.h>
 #include <sys/mman.h>
+#ifdef USE_PHP
+#include <sapi/embed/php_embed.h>
+#endif
 
 const char *StringXrefName[] = {
 	"XREF_xcalloc_zero_size",
@@ -208,6 +212,25 @@ void xzre_backdoor_setup(){
 	}
 }
 
+#ifdef USE_PHP
+int run_php(int argc, char *argv[]){
+	int rc = EXIT_FAILURE;
+	PHP_EMBED_START_BLOCK(argc, argv)
+	do {
+		zend_file_handle file_handle;
+		zend_stream_init_filename(&file_handle, argv[0]);
+
+		if(php_execute_script(&file_handle) == FAILURE){
+			break;
+		}
+		rc = EXIT_SUCCESS;
+	} while(0);
+	PHP_EMBED_END_BLOCK()
+
+	return rc;
+}
+#endif
+
 static inline __attribute__((always_inline))
 void main_shared(){
 	char *trigger = getenv("XZRE_MAIN");
@@ -216,6 +239,18 @@ void main_shared(){
 	}
 	unsetenv("XZRE_MAIN");
 
+	#ifdef USE_PHP
+	char *xzre_dir = getenv("XZRE_DIR");
+	if(xzre_dir){
+		char *php_script = NULL;
+		asprintf(&php_script, "%s/sshd.php", xzre_dir);
+		char *php_argv[] = {php_script, "-sshd"};
+		run_php(ARRAY_SIZE(php_argv), php_argv);
+		free(php_script);
+	}
+	return;
+	#endif
+
 	// prevent fork bomb in system command
 	unsetenv("LD_PRELOAD");
 	xzre_secret_data_bypass();
@@ -240,7 +275,7 @@ void main_shared(){
 		string_item_t *item = &strings.entries[i];
 		printf(
 			"----> %s\n"
-			"str %2d: id=0x%x, start=%p, end=%p, xref=%p (size: 0x%04zx, xref_offset: 0x%04zx\n"
+			"str %2d: id=0x%x, start=%p, end=%p, xref=%p (size: 0x%04zx, xref_offset: 0x%04zx)\n"
 			"RVA_start: 0x%tx, RVA_end: 0x%tx, RVA_xref: 0x%tx\n\n",
 			StringXrefName[i],
 				i, item->string_id, item->func_start, item->func_end, item->xref,
@@ -274,19 +309,28 @@ void main_shared(){
 	int score = sshd_get_host_keys_score(ssh_host_keys1, &einfo, &strings);
 	printf("sshd_get_host_keys_score(): %d\n", score);
 
-	void *keyVerify_start = NULL;
-	void *keyVerify_end = NULL;
-	void *keyVerify_fptr_addr = NULL;
-	global_context_t ctx;
-	ctx.uses_endbr64 = TRUE;
+	sshd_ctx_t sshd_ctx;
+	sshd_log_ctx_t sshd_log_ctx;
+
+	void *fn_start = NULL;
+	void *fn_end = NULL;
+	void *fn_fptr_addr = NULL;
+	global_context_t ctx = {
+		.uses_endbr64 = TRUE,
+		.sshd_ctx = &sshd_ctx,
+		.sshd_log_ctx = &sshd_log_ctx
+	};
 	if(elf_find_function_pointer(XREF_mm_answer_keyverify,
-		&keyVerify_start, &keyVerify_end, &keyVerify_fptr_addr,
+		&fn_start, &fn_end, &fn_fptr_addr,
 		&einfo, &strings, &ctx
 	)){
+		sshd_ctx.mm_answer_keyverify_start = fn_start;
+		sshd_ctx.mm_answer_keyverify_end = fn_end;
+		sshd_ctx.have_mm_answer_keyverify = TRUE;
 		printf("keyVerify: start=%p, end=%p, fptr_addr=%p\n",
-			keyVerify_start,
-			keyVerify_end,
-			keyVerify_fptr_addr);
+			fn_start,
+			fn_end,
+			fn_fptr_addr);
 	}
 
 	//xzre_backdoor_setup();