
crash's Issues

cygwin env compile error

$ make
c++ -Wall -O2 -DHAVE_UNIX98 -std=c++11 -pedantic -ansi -c server.cc
server.cc: In member function ‘int Server::loop()’:
server.cc:192:44: error: ‘snprintf’ was not declared in this scope
snprintf(dst, sizeof(dst), "p%hu", port);
^
Makefile:73: recipe for target 'server.o' failed
make: *** [server.o] Error 1

read_until seems to hang (triggerfile/message)

So I have been testing out the triggerfile/message mechanism, by launching crashd with the following arguments:

./crashd -A self -a -e -U -H REDACTED -p 6969 -t /tmp/tests -m hackingisfun

/tmp/tests contains some random crap initially - just lines of 'lol' and such.

When I echo the string 'hackingisfun' into /tmp/test, nothing happens.

So I decided to strace -f the process and see what was happening:

openat(AT_FDCWD, "/tmp/tests", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=13, ...}) = 0
fstat(3, {st_mode=S_IFREG|0644, st_size=13, ...}) = 0
lseek(3, 0, SEEK_SET)                   = 0
read(3, "lol\nlol\nlol\n\n", 13)        = 13
read(3, "", 4096)                       = 0
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=3, tv_nsec=0}, 0x7ffd63b546f0) = 0
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=3, tv_nsec=0}, 0x7ffd63b546f0) = 0
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=3, tv_nsec=0}, 0x7ffd63b546f0) = 0
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=3, tv_nsec=0}, 0x7ffd63b546f0) = 0
clock_nanosleep(CLOCK_REALTIME, 0, {tv_sec=3, tv_nsec=0}, 0x7ffd63b546f0) = 0
...

Now, I've not attached a proper debugger yet, but it seems that the loop definitely is working, but it's hitting the sleep call and the strstr is never doing its thing.

I've tried having a bash loop in another term echo the trigger message into the file a load of times, waiting a while, etc, but that function (read_until) seems to never break - despite the string being in the file after crashd is launched.

I also notice read is not being called in the loop, only sleep. In tests, fgets always calls read() in the strace output.

I have no idea why the fgets never seems to be hit.
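Added example, not part of the issue above and not crashd's code: the strace shows a single read() returning 0 and then no further read() calls, which is what stdio does once a stream has seen end-of-file (glibc 2.28 and later keep EOF sticky until clearerr() or a seek). It assumes a poller that reuses one FILE* across rounds; `make_trigger_file` and `trigger_seen` are hypothetical names and the file content is constructed.

```cpp
// Added example: stdio EOF stickiness when polling a file that grows.
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <string>
#include <unistd.h>

// Create a temp file with constructed initial content; returns its path ("" on error).
std::string make_trigger_file()
{
	char tmpl[] = "/tmp/trigger_demo_XXXXXX";
	int fd = mkstemp(tmpl);
	if (fd < 0) return "";
	const char init[] = "lol\nlol\nlol\n\n";
	bool ok = write(fd, init, sizeof(init) - 1) == (ssize_t)(sizeof(init) - 1);
	close(fd);
	return ok ? tmpl : "";
}

// Hypothetical poller: drain the file to EOF, let another writer append the
// trigger, then poll again on the same FILE*. A real poller would sleep per round.
bool trigger_seen(const std::string &path, const char *msg, bool reset_eof)
{
	char buf[256];
	FILE *f = fopen(path.c_str(), "r");
	if (!f) return false;
	while (fgets(buf, sizeof(buf), f)) {}      // existing lines; sets the EOF flag
	FILE *w = fopen(path.c_str(), "a");        // stands in for `echo msg >> file`
	if (w) { fprintf(w, "%s\n", msg); fclose(w); }
	bool found = false;
	for (int round = 0; round < 3 && !found; ++round) {
		if (reset_eof) clearerr(f);            // without this, fgets never reaches read(2)
		while (fgets(buf, sizeof(buf), f))
			if (strstr(buf, msg)) { found = true; break; }
	}
	fclose(f);
	return found;
}

int main()
{
	std::string a = make_trigger_file(), b = make_trigger_file();
	printf("without clearerr: %d\n", trigger_seen(a, "hackingisfun", false));
	printf("with clearerr:    %d\n", trigger_seen(b, "hackingisfun", true));
	unlink(a.c_str());
	unlink(b.c_str());
	return 0;
}
```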

Consistent auth failures in testing.

Built as per instructions, but when I get to testing - everything goes horribly wrong. No matter what I try, authentication fails every time.

Wondering if there is a subtle bug somewhere that I'm missing, or a problem existing between the user and the keyboard? I had this working before, on different systems, in the past.

I've tried with the following OpenSSL versions and the issue is consistent:

OpenSSL 1.1.1n
OpenSSL 1.1.1t
OpenSSL 3.0.2

$ ./crashc -K ./HK_127.0.0.1 -H 127.0.0.1 -l user -i authkey.priv -v

crypted admin shell (C) 2022 Sebastian Krahmer https://github.com/stealth/crash


crashc: starting crypted administration shell
crashc: connecting to 127.0.0.1:2222 ...

Enter PEM pass phrase:
crashc: Major/Minor versions match (3/2)
crashc: Cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
crashc:{
-----BEGIN PUBLIC KEY-----
SNIPPED 
-----END PUBLIC KEY-----
crashc:}
crashc: closing connection.
crashc: No input received. Error. Auth failure?

$ ./crashc -v -K none -i authkey.priv -H 127.0.0.1 -p 2222 -l user

crypted admin shell (C) 2022 Sebastian Krahmer https://github.com/stealth/crash


crashc: starting crypted administration shell
crashc: connecting to 127.0.0.1:2222 ...

Enter PEM pass phrase:
crashc: Major/Minor versions match (3/2)
crashc: Cipher: TLS_AES_256_GCM_SHA384         TLSv1.3 Kx=any      Au=any   Enc=AESGCM(256)            Mac=AEAD
crashc: Hostkey checking disabled!
crashc: client_session::authenticate::unable to complete authentication

Self extractor on ARM seems to pick up the wrong offset.

This is a weird bug, I've no idea why it's happening and I've yet to cross build gdb for that target machine.

TL;DR: when run in self-extract mode, on certain ARMv4l targets, the 'extractor' routine seems to pick up on some part of the binary before the keys begin, and gets to work, producing a 400kb file in /tmp with a load of garbage and then the keys.

I'd hazard a wild guess that somehow, somewhere, there are some strings in the ARM binary that I made which crashd's extractor confuses for the beginning of the stuff to go extract, and just starts doing its job a bit too soon.

I have no suggestions at this time for how to fix this, I'll upload the build, the build with the keys and the file it chucks out later.

Edit: it's picking up on strings inside the statically linked openssl in the file, that is... fun. I can see now that the 'pattern' it detects in https://github.com/stealth/crash/blob/4cd01ca6c36e3a91a52e234a56929c1dda692998/src/misc.cc#L217C5-L217C5 would absolutely match on this.

# /bin/busybox-armv4tl head -n 3 sshdhkIdF 
-----BEGIN -----
-----END ANY PRIVATE KEYENCRYPTED PRIVATE KEYX509 CERTIFICATETRUSTED CERTIFICATECMSPKCS #7 SIGNED DATAExpecting: Proc-Type:ENCRYPTEDDEK-Info:-----BEGIN -----
-----END crypto/pem/pem_oth.ccrypto/pem/pem_p
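Added example, not part of the issue above and not the project's extractor: it shows why a prefix-only scan for a PEM header stops at the string constants of a statically linked OpenSSL, next to a stricter scan that only accepts a complete header line with a matching footer. The function names, the image layout and the placeholder key are constructed for illustration, and the stricter scan assumes the appended key block is well-formed PEM.

```cpp
// Added example: locating an appended PEM block inside a binary image.
#include <cctype>
#include <string>

static const std::string kBegin = "-----BEGIN ";
// Constructed placeholder, not a real key.
static const std::string kKey =
	"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n";

// Constructed image: ELF magic, NUL-separated PEM string constants like the ones
// a statically linked OpenSSL carries, then the appended key block.
std::string sample_image()
{
	static const char head[] = "\x7f" "ELF"
		"-----BEGIN \0-----\n\0-----END \0ANY PRIVATE KEY\0";
	return std::string(head, sizeof(head) - 1) + kKey;
}

// Prefix-only scan: returns the first "-----BEGIN " anywhere in the image.
size_t naive_key_offset(const std::string &img)
{
	return img.find(kBegin);
}

// Stricter scan: needs a full "-----BEGIN <LABEL>-----\n" line with a non-empty
// label and a matching "-----END <LABEL>-----" footer later in the image.
size_t strict_key_offset(const std::string &img)
{
	for (size_t pos = img.find(kBegin); pos != std::string::npos;
	     pos = img.find(kBegin, pos + 1)) {
		size_t lab = pos + kBegin.size(), end = lab;
		while (end < img.size() &&
		       (std::isupper((unsigned char)img[end]) || img[end] == ' '))
			++end;
		if (end == lab || img.compare(end, 6, "-----\n") != 0)
			continue;                          // bare prefix or empty label: skip
		std::string footer = "-----END " + img.substr(lab, end - lab) + "-----";
		if (img.find(footer, end) != std::string::npos)
			return pos;
	}
	return std::string::npos;
}

int main()
{
	std::string img = sample_image();
	return strict_key_offset(img) == img.size() - kKey.size() ? 0 : 1;
}
```

Scanning backwards from the end of the file, or storing the payload offset in a fixed-size trailer, avoids content matching altogether.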
