stealth / crash
crypted admin shell: SSH-like strong crypto remote admin shell for Linux, BSD, Android, Solaris and OSX
License: Other
$ make
c++ -Wall -O2 -DHAVE_UNIX98 -std=c++11 -pedantic -ansi -c server.cc
server.cc: In member function ‘int Server::loop()’:
server.cc:192:44: error: ‘snprintf’ was not declared in this scope
snprintf(dst, sizeof(dst), "p%hu", port);
^
Makefile:73: recipe for target 'server.o' failed
make: *** [server.o] Error 1
What's the license for code in this repo?
So I have been testing out the triggerfile/message mechanism, by launching crashd with the following arguments:
./crashd -A self -a -e -U -H REDACTED -p 6969 -t /tmp/tests -m hackingisfun
/tmp/tests contains some random crap initially - just lines of 'lol' and such.
When I echo the string 'hackingisfun' into /tmp/test, nothing happens.
So I decided to strace -f the process and see what was happening:
openat(AT_FDCWD, "/tmp/tests", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=13, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=13, ...}) = 0
lseek(3, 0, SEEK_SET) = 0
read(3, "lol\nlol\nlol\n\n", 13) = 13
read(3, "", 4096) = 0
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=3, tv_nsec=0}, 0x7ffd63b546f0) = 0
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=3, tv_nsec=0}, 0x7ffd63b546f0) = 0
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=3, tv_nsec=0}, 0x7ffd63b546f0) = 0
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=3, tv_nsec=0}, 0x7ffd63b546f0) = 0
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=3, tv_nsec=0}, 0x7ffd63b546f0) = 0
...
Now, I've not attached a proper debugger yet, but it seems that the loop definitely is working, but it's hitting the sleep call and the strstr is never doing its thing.
I've tried having a bash loop in another term echo the trigger message into the file a load of times, waiting a while, etc, but that function (read_until) seems to never break - despite the string being in the file after crashd is launched.
I also notice read is not being called in the loop, only sleep. In tests, fgets always calls read() in the strace output.
I have no idea why the fgets never seems to be hit.
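The strace pattern above (one read() to end-of-file, then only sleeps) is what a stdio poll loop produces once the stream's end-of-file indicator is set. Since glibc 2.28 that indicator is sticky: fgets() keeps returning NULL without issuing read(2) until clearerr(), fseek() or rewind() resets it. The following is an added example, not crash's own code: a hypothetical trigger-file watcher with and without the reset, run against a constructed file.

```cpp
// Added example, not crash's own code: a hypothetical trigger-file watcher
// waiting for a line that contains `needle`. It shows why a stdio poll loop
// can stop issuing read(2) after its first end-of-file: since glibc 2.28 the
// EOF indicator is sticky, so once fgets() has hit EOF it keeps returning NULL
// without reading again until clearerr() (or fseek/rewind) resets it.
#include <cstdio>
#include <cstring>
#include <cstdlib>
#include <unistd.h>

// One pass over whatever is readable. With reset_eof == false a stream that
// already saw EOF never reads again: one read(), then only sleeps, as above.
static bool scan_once(FILE *f, const char *needle, bool reset_eof) {
    if (reset_eof)
        clearerr(f);        // drop the sticky EOF flag so fgets() reads again
    char line[256];
    while (fgets(line, sizeof(line), f))
        if (strstr(line, needle))
            return true;
    return false;
}

// Simulates the daemon's loop against a constructed file: filler lines first,
// the trigger appended through a second descriptor (like `echo >>`) only after
// pass 1. Returns the pass on which the trigger was seen, or -1 if never.
static int passes_until_trigger(const char *needle, bool reset_eof, int max_passes) {
    char path[] = "/tmp/trigger-demo-XXXXXX";
    int wfd = mkstemp(path);
    if (wfd < 0) return -2;
    const char filler[] = "lol\nlol\nlol\n\n";
    if (write(wfd, filler, sizeof(filler) - 1) < 0) return -2;
    FILE *f = fopen(path, "r");             // the daemon's reader handle
    int result = -1;
    for (int i = 1; f && i <= max_passes; ++i) {
        if (scan_once(f, needle, reset_eof)) { result = i; break; }
        if (i == 1) {                       // user appends the trigger
            if (write(wfd, needle, strlen(needle)) < 0 || write(wfd, "\n", 1) < 0) break;
        }
        // the real daemon would sleep(3) here before the next pass
    }
    if (f) fclose(f);
    close(wfd);
    unlink(path);
    return result;
}
```

With the reset the trigger is noticed on the second pass; without it the watcher never reads again on glibc 2.28 or later, musl and BSD libc (older glibc re-read after EOF, which matches it having worked on other systems in the past).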
Built as per instructions, but when I get to testing - everything goes horribly wrong. No matter what I try, authentication fails every time.
Wondering if there is a subtle bug somewhere that I'm missing, or a problem existing between the user and the keyboard? I had this working before, on different systems, in the past.
I've tried with the following OpenSSL versions and the issue is consistent:
OpenSSL 1.1.1n
OpenSSL 1.1.1t
OpenSSL 3.0.2
$ ./crashc -K ./HK_127.0.0.1 -H 127.0.0.1 -l user -i authkey.priv -v
crypted admin shell (C) 2022 Sebastian Krahmer https://github.com/stealth/crash
crashc: starting crypted administration shell
crashc: connecting to 127.0.0.1:2222 ...
Enter PEM pass phrase:
crashc: Major/Minor versions match (3/2)
crashc: Cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
crashc:{
-----BEGIN PUBLIC KEY-----
SNIPPED
-----END PUBLIC KEY-----
crashc:}
crashc: closing connection.
crashc: No input received. Error. Auth failure?
$ ./crashc -v -K none -i authkey.priv -H 127.0.0.1 -p 2222 -l user
crypted admin shell (C) 2022 Sebastian Krahmer https://github.com/stealth/crash
crashc: starting crypted administration shell
crashc: connecting to 127.0.0.1:2222 ...
Enter PEM pass phrase:
crashc: Major/Minor versions match (3/2)
crashc: Cipher: TLS_AES_256_GCM_SHA384 TLSv1.3 Kx=any Au=any Enc=AESGCM(256) Mac=AEAD
crashc: Hostkey checking disabled!
crashc: client_session::authenticate::unable to complete authentication
This is a weird bug, I've no idea why it's happening and I've yet to cross build gdb for that target machine.
TL;DR: when run in self-extract mode, on certain ARMv4l targets, the 'extractor' routine seems to pick up on some part of the binary before the keys begin, and gets to work, producing a 400kb file in /tmp with a load of garbage and then the keys.
I'd hazard a wild guess that somehow, somewhere, there are some strings in the ARM binary that I made which crashd's extractor confuses for the beginning of the stuff to go extract, and just starts doing its job a bit too soon.
I have no suggestions at this time for how to fix this, I'll upload the build, the build with the keys and the file it chucks out later.
Edit: it's picking up on strings inside the statically linked openssl in the file, that is... fun. I can see now that the 'pattern' it detects in https://github.com/stealth/crash/blob/4cd01ca6c36e3a91a52e234a56929c1dda692998/src/misc.cc#L217C5-L217C5 would absolutely match on this.
# /bin/busybox-armv4tl head -n 3 sshdhkIdF
-----BEGIN -----
-----END ANY PRIVATE KEYENCRYPTED PRIVATE KEYX509 CERTIFICATETRUSTED CERTIFICATECMSPKCS #7 SIGNED DATAExpecting: Proc-Type:ENCRYPTEDDEK-Info:-----BEGIN -----
-----END crypto/pem/pem_oth.ccrypto/pem/pem_p
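The head output shows exactly the kind of decoy a statically linked OpenSSL carries: its PEM format strings contain "-----BEGIN -----" and "-----END " with an empty label. An added example, not crash's own code (the real pattern in misc.cc is not reproduced here): a hypothetical locator that accepts a PEM block only when the header line has a non-empty printable label, ends the line, and has a matching END line, run over a constructed blob with a made-up key body.

```cpp
// Added example, not crash's own code: a hypothetical PEM locator for data
// appended to a binary. A search for the bare "-----BEGIN " marker also hits
// OpenSSL's own PEM format strings ("-----BEGIN -----" / "-----END ") that a
// static build carries, as seen in the head output above; requiring a full
// header line with a non-empty label and its matching END line does not.
#include <cstddef>
#include <string>

static const std::string BEGIN = "-----BEGIN ";
static const std::string DASHES = "-----";

// Naive: first occurrence of the BEGIN marker, wherever it appears.
static size_t find_pem_naive(const std::string &blob) {
    return blob.find(BEGIN);
}

// Strict: header must be "-----BEGIN <label>-----" ending the line, with a
// non-empty printable label, and "-----END <label>-----" must follow later.
// Returns the offset of the header, or std::string::npos.
static size_t find_pem_strict(const std::string &blob) {
    for (size_t pos = blob.find(BEGIN); pos != std::string::npos; pos = blob.find(BEGIN, pos + 1)) {
        size_t lstart = pos + BEGIN.size();
        size_t lend = blob.find(DASHES, lstart);
        if (lend == std::string::npos) break;
        std::string label = blob.substr(lstart, lend - lstart);
        if (label.empty()) continue;            // OpenSSL's "-----BEGIN -----" decoy
        bool ok = true;
        for (char c : label) if (c < ' ' || c > '~') ok = false;
        size_t nl = lend + DASHES.size();       // header line must end here
        if (!ok || nl >= blob.size() || (blob[nl] != '\n' && blob[nl] != '\r')) continue;
        std::string end_marker = "-----END " + label + DASHES;
        if (blob.find(end_marker, nl) == std::string::npos) continue;
        return pos;
    }
    return std::string::npos;
}

// Constructed sample: OpenSSL-style format strings (as in the head output)
// followed by a fake key block whose base64 body is made up, not a real key.
static const std::string SAMPLE =
    "\x7f" "ELF..code..-----BEGIN -----\n-----END ANY PRIVATE KEYENCRYPTED PRIVATE KEY"
    "Expecting: Proc-Type:crypto/pem/pem_oth.c..more code..\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "MIIBVAIBADANBgkqhkiG9w0BAQEFAASCAT4wggE6AgEAAkEA\n"
    "-----END PRIVATE KEY-----\n";
```

On SAMPLE the naive search stops at the OpenSSL decoy, while the strict one skips it and returns the offset of the real "-----BEGIN PRIVATE KEY-----" header.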
I noticed today that after doing a bunch of tests, sometimes the 'extracted' keys are left behind on the target in the tmp directory.
I guess it might be worthwhile to clean these after they are loaded into memory?