TL;DR
The source code of this idea is available on GitHub
And the weaponized version is available in emp3r0r
Use echo 'print __libc_dlopen_mode("/path/to/library.so", 2)' | gdb -p <PID> for process injection
Write a shared library to inject into sshd process
In the library, fork a child process to monitor sshd children, then attach (PTRACE_ATTACH) to them
For each ssh session, search its memory for a code pattern in the auth_password function and set that address (aligned to the start of an instruction) as a breakpoint
Read the registers at the breakpoint; the password argument is stored in RSI, so follow that address and read the password
Restore the sshd process and keep monitoring until it exits
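A host-side check for the two traces the steps above leave behind (a shared object dlopen'd into sshd shows up in /proc/<pid>/maps, and a PTRACE_ATTACH'd session process carries a nonzero TracerPid in /proc/<pid>/status), added here as an example and not code from the post or from emp3r0r. The system library directories are an assumption, and the sample status/maps data is constructed.

```python
import os
# Assumed locations of sshd's legitimately loaded shared objects; adjust per distribution.
SYSTEM_LIB_DIRS = ("/lib/", "/lib64/", "/usr/lib/", "/usr/lib64/")

def parse_status(text):
    """Parse the 'Key:\\tvalue' lines of /proc/<pid>/status into a dict."""
    return {k.strip(): v.strip() for k, v in
            (line.split(":", 1) for line in text.splitlines() if ":" in line)}

def foreign_shared_objects(maps_text):
    """Return .so paths mapped from outside the system library directories."""
    found = set()
    for line in maps_text.splitlines():
        parts = line.split(None, 5)  # addr perms offset dev inode [path]
        path = parts[5] if len(parts) == 6 else ""  # anonymous mappings have no path
        if (path.endswith(".so") or ".so." in path) and not path.startswith(SYSTEM_LIB_DIRS):
            found.add(path)
    return sorted(found)

def check_process(status_text, maps_text):
    """Findings for one process: a tracer attached, or a non-system .so mapped."""
    findings = []
    tracer = int(parse_status(status_text).get("TracerPid", "0"))
    if tracer != 0:  # PTRACE_ATTACH leaves a nonzero TracerPid while the tracer is attached
        findings.append(f"ptrace-attached by pid {tracer}")
    for path in foreign_shared_objects(maps_text):
        findings.append(f"non-system shared object mapped: {path}")
    return findings

def scan_sshd(proc="/proc"):
    """Check every process named sshd; returns {pid: findings}. Reading maps needs root."""
    results = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            status = open(f"{proc}/{pid}/status").read()
            if parse_status(status).get("Name") != "sshd":
                continue
            maps = open(f"{proc}/{pid}/maps").read()
        except OSError:
            continue  # process exited or is unreadable
        findings = check_process(status, maps)
        if findings:
            results[int(pid)] = findings
    return results

# Constructed sample data (not captured from a real host) for an offline self-check.
SAMPLE_STATUS = "Name:\tsshd\nState:\tt (tracing stop)\nPid:\t4242\nTracerPid:\t4100\n"
SAMPLE_MAPS = ("7f00-7f01 r-xp 00000000 08:01 1234 /usr/lib/x86_64-linux-gnu/libc.so.6\n"
               "7f10-7f11 r-xp 00000000 08:01 5678 /tmp/.x/inject.so\n"
               "7f20-7f21 rw-p 00000000 00:00 0 [stack]\n")
```

An administrator's own gdb session sets TracerPid just the same, so treat findings as leads to correlate with who started the tracer process, not as proof on their own.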
• SSHD Injection and Password Harvesting.
• https://jm33.me/sshd-injection-and-password-harvesting.html
