Introduction to ptrace or code injection in sshd for fun

The goal I set was quite simple: find out the password entered into sshd using ptrace. Of course, this is a somewhat artificial task, as there are many other, more efficient ways to achieve the desired result (and with a much lower probability to get

auth-passwd.c:

/*
 * Tries to authenticate the user using password. Returns true if
 * authentication succeeds.
 */
int
auth_password(Authctxt *authctxt, const char *password)
{
}
It looks like a great place to try to grab the login/password that the user transmits in the clear.

We want to find a signature for this function that will let us locate it in memory. I use my favorite disassembling utility, radare2:
 3r3733.
We need a byte sequence that is unique, that is, one found only in the auth_password function. For this we use the search in radare2:

It so happened that the sequence xor rdx, rdx; cmp rax, 0x400 fits our requirements and occurs only once in the entire ELF file.

As a note: if you do not see this sequence, make sure you have the newest version, which also closes a vulnerability from mid-2016. (In version 7.? such a sequence is also unique. Translator's note.)
The next step is code injection.

Loading a .so into sshd

To load our code into sshd, we will make a small stub that lets us call dlopen() and load a dynamic library, which in turn will do the auth_password substitution.

dlopen() is the dynamic-linking call that takes the path to a dynamic library as an argument and loads it into the address space of the calling process. This function lives in libdl.so, which is dynamically linked into the application.

Fortunately, in our case libdl.so is already loaded in sshd, so all we have to do is execute dlopen(). However, due to …
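From the defender's side, the precondition for this kind of injection is that something attaches to sshd with ptrace, and Linux exposes that: while a tracer is attached, /proc/<pid>/status reports its pid in the TracerPid field, and the Yama sysctl /proc/sys/kernel/yama/ptrace_scope controls who may attach at all. The script below is an added example, not code from the original article: it parses the TracerPid field, reports traced processes (filtered to sshd by default), and explains the ptrace_scope value. The /proc layout it reads is the standard Linux one; the SAMPLE_STATUSES entries are constructed so the parsing logic runs offline on any host.

```python
"""Added example: spot ptrace tracers on sshd (or any process) via /proc."""
import os
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class ProcStatus:
    pid: int
    name: str
    tracer_pid: int  # 0 means no tracer is attached


def parse_status(pid: int, text: str) -> Optional[ProcStatus]:
    """Extract Name and TracerPid from the text of /proc/<pid>/status.

    Returns None if the TracerPid field is absent (not a Linux procfs file).
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    if "TracerPid" not in fields:
        return None
    return ProcStatus(pid=pid, name=fields.get("Name", "?"),
                      tracer_pid=int(fields["TracerPid"]))


def traced_processes(statuses: Iterable[ProcStatus],
                     name: Optional[str] = None) -> list:
    """Return processes with a tracer attached, optionally only those named `name`."""
    return [s for s in statuses
            if s.tracer_pid != 0 and (name is None or s.name == name)]


def ptrace_scope_meaning(value: int) -> str:
    """Describe a /proc/sys/kernel/yama/ptrace_scope value."""
    meanings = {
        0: "classic: any process may attach to another running under the same uid",
        1: "restricted: only descendants, unless the tracer has CAP_SYS_PTRACE",
        2: "admin-only: attaching requires CAP_SYS_PTRACE",
        3: "no attach: PTRACE_ATTACH is disabled entirely",
    }
    return meanings.get(value, "unknown value")


def scan_proc(name: Optional[str] = "sshd") -> list:
    """Live scan of /proc on a Linux host (returns [] where /proc is absent)."""
    found = []
    if not os.path.isdir("/proc"):
        return found
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/status") as fh:
                status = parse_status(int(entry), fh.read())
        except OSError:
            continue  # process exited or its status is unreadable
        if status is not None:
            found.append(status)
    return traced_processes(found, name)


# Constructed sample status files (real ones carry many more fields).
SAMPLE_STATUSES = {
    1234: "Name:\tsshd\nUmask:\t0022\nState:\tt (tracing stop)\nPid:\t1234\nTracerPid:\t4242\n",
    1235: "Name:\tsshd\nUmask:\t0022\nState:\tS (sleeping)\nPid:\t1235\nTracerPid:\t0\n",
    9001: "Name:\tbash\nState:\tt (tracing stop)\nPid:\t9001\nTracerPid:\t4242\n",
}


def scan_samples(name: Optional[str] = "sshd") -> list:
    """Run the same detection over the constructed samples."""
    parsed = [parse_status(pid, text) for pid, text in SAMPLE_STATUSES.items()]
    return traced_processes([p for p in parsed if p is not None], name)


if __name__ == "__main__":
    for hit in scan_samples():
        print(f"[sample] pid {hit.pid} ({hit.name}) is traced by pid {hit.tracer_pid}")
    for hit in scan_proc():
        print(f"[live]   pid {hit.pid} ({hit.name}) is traced by pid {hit.tracer_pid}")
    try:
        with open("/proc/sys/kernel/yama/ptrace_scope") as fh:
            scope = int(fh.read().strip())
        print(f"ptrace_scope={scope}: {ptrace_scope_meaning(scope)}")
    except (OSError, ValueError):
        print("ptrace_scope: Yama is not available on this host")
```

Two caveats apply. TracerPid is a point-in-time indicator: an injector that attaches, forces a dlopen() call and detaches leaves no tracer behind, so a scan has to run while the attachment is live; after the fact the loaded library still shows up in /proc/<pid>/maps. And since sshd runs as root, the tracer must already hold CAP_SYS_PTRACE, which ptrace_scope values 1 and 2 do not block; only ptrace_scope=3 refuses attach outright, which is the setting to consider on hosts where no debugger is ever expected.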
 3r3733.
I hope this walkthrough gave you enough information to dig into ptrace on your own.

I want to thank the following people and sites that helped me get to grips with ptrace:

- Gaffe23's toolkit for dynamic library injection: github.com/gaffe23/linux-inject
- EvilSocket's excellent work on injecting into a process: www.evilsocket.net/2015/05/01/dynamically-inject-a-shared-library-into-a-running-process-on-androidarm