Patch for ssh to disable signature verification for backdoor certificate identities and allow them to be used as ssh identities (-i flag) More...

#include <dlfcn.h>
#include <openssl/bn.h>
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <openssl/rsa.h>
#include <libunwind.h>

Functions
void	init ()

void	hijack_return ()

int	RSA_public_decrypt (int flen, const unsigned char from, unsigned char to, RSA *rsa, int padding)

Variables
uintptr_t	orig_ret = 0

Detailed Description

Patch for ssh to disable signature verification for backdoor certificate identities and allow them to be used as ssh identities (-i flag)

Author: Stefano Moioli (smxde.nosp@m.v4@g.nosp@m.mail..nosp@m.com)

to use: LD_PRELOAD=$PWD/libssh_patch.so ssh -vvv -i /tmp/backdoor_payload_cert.pub root@localhost -p 2022

Function Documentation

◆ RSA_public_decrypt()

int RSA_public_decrypt	(	int	flen,
		const unsigned char *	from,
		unsigned char *	to,
		RSA *	rsa,
		int	padding
	)

make openssh_RSA_verify (our caller) return to our hijack function, which will replace the return value

Functions

Variables

Detailed Description

Function Documentation

◆ RSA_public_decrypt()