ssh -R fix
This commit is contained in:
parent
013ce483a8
commit
1baf8f7744
@ -1,4 +1,5 @@
|
||||
0.4.9p1 - 2023-09
|
||||
* ssh -R fix in serverloop.c
|
||||
* a2enmod for php8.2 (thanks matthew)
|
||||
|
||||
0.4.9a1 - 2023-08-13
|
||||
|
1
Makefile
1
Makefile
@ -65,6 +65,7 @@ FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/applications/burpsuite.d
|
||||
FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/applications/thc-tips-and-tricks.desktop"
|
||||
FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/icons/metasploit.svg"
|
||||
FILES_GUEST += "segfault-$(VER)/guest/fs-root/usr/share/icons/thc-logo.jpg"
|
||||
FILES_GUEST += "segfault-$(VER)/guest/fs-root-amd64/usr/bin/xmap"
|
||||
|
||||
FILES_MASTER += "segfault-$(VER)/master/Dockerfile"
|
||||
FILES_MASTER += "segfault-$(VER)/master/Makefile"
|
||||
|
@ -628,6 +628,7 @@ services:
|
||||
- SF_DIRECT
|
||||
- SF_DEBUG
|
||||
- SF_BACKING_FS
|
||||
# - SF_DEBUG_SSHD=1 # FIXME-2022 sshd debug
|
||||
volumes:
|
||||
- "${SF_BASEDIR:-.}/config:/config/host"
|
||||
- "${SF_BASEDIR:-.}/data/share:/sf/share:ro"
|
||||
@ -639,7 +640,8 @@ services:
|
||||
- "/var/run/docker.sock:/var/run/docker.sock"
|
||||
- "/var/lib/lxcfs:/var/lib/lxcfs:ro"
|
||||
- "${SF_SHMDIR:-/dev/shm/sf}/run/redis/sock:/redis-sock"
|
||||
# - /research/segfault/host/fs-root/bin/segfaultsh:/bin/segfaultsh:ro # FIXME-2022
|
||||
# - /research/segfault/host/fs-root/bin/segfaultsh:/bin/segfaultsh:ro # FIXME-2022
|
||||
# - /research/segfault/host:/host:ro # FIXME-2022 sshd debug
|
||||
|
||||
nginx:
|
||||
image: nginx
|
||||
|
@ -663,6 +663,10 @@ RUN /pkg-install.sh WEB apt-get install -y --no-install-recommends \
|
||||
libnginx-mod-stream-js \
|
||||
njs
|
||||
RUN /pkg-install.sh DEV apt-get install -y --no-install-recommends \
|
||||
gengetopt \
|
||||
libgmp3-dev \
|
||||
libjson-c-dev \
|
||||
libunistring-dev \
|
||||
ninja-build \
|
||||
repo
|
||||
# Android build tools:
|
||||
@ -749,7 +753,8 @@ RUN /pkg-install.sh GUI apt-get install -y --no-install-recommends \
|
||||
RUN /pkg-install.sh LARGE apt-get install -y --no-install-recommends \
|
||||
php8.2-fpm \
|
||||
php8.2-xml
|
||||
RUN /pkg-install.sh HACK pipx install pwncat-cs
|
||||
RUN /pkg-install.sh HACK pipx install pwncat-cs \
|
||||
&& /pkg-install.sh HACK ghbin praetorian-inc/noseyparker 'linux-' noseyparker
|
||||
RUN sed 's/deb-src.*//' -i /etc/apt/sources.list \
|
||||
&& apt-get autoremove -y \
|
||||
&& apt-get update
|
||||
@ -759,6 +764,9 @@ RUN sed 's/deb-src.*//' -i /etc/apt/sources.list \
|
||||
|
||||
# Do fs-root last (on vmbox it messes with permissions on directories and setup.sh fixes it)
|
||||
COPY setup.sh /fs-root/ /
|
||||
# Some tools are pre-compiled on existing segfaults and supplied as binary
|
||||
# (Mostly tools which are a bitch to build during 'docker build')
|
||||
COPY /fs-root-amd64/ /
|
||||
RUN /setup.sh \
|
||||
&& rm -f /setup.sh /pkg-install.sh
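Review bot: The new `&& /pkg-install.sh HACK ghbin praetorian-inc/noseyparker 'linux-' noseyparker` line fetches a release binary from GitHub with nothing in this Dockerfile pinning a release tag or a checksum, and the added `COPY /fs-root-amd64/ /` installs pre-built binaries (per the comment, compiled on other segfault hosts) straight into `/` with no recorded provenance either. Because these land in the image every guest user shells into, a tampered or silently re-published upstream artifact becomes part of every guest; consider pinning the noseyparker version and verifying a SHA-256 in the ghbin call (what the `ghbin` helper in pkg-install.sh actually does is not visible here), and keeping a checksum manifest for `fs-root-amd64/`. At minimum the COPY deserves a comment saying where each binary was built and from which source revision, e.g. `# fs-root-amd64/: prebuilt binaries; build host and source commit for each are listed in fs-root-amd64/MANIFEST`. The RUN chains these lines belong to start and end outside the hunks.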
|
||||
|
||||
|
@ -7,6 +7,7 @@ albuild:
|
||||
docker run --network host --name alpine-gcc alpine sh -c 'apk update && apk add gcc patch libc-dev musl-dev zlib-dev openssl-dev make linux-headers libcap-dev bash' \
|
||||
&& docker commit alpine-gcc alpine-gcc; }"
|
||||
|
||||
# See mk_sshd.sh for manual debugging
|
||||
fs-root/usr/sbin/sshd: sf-sshd.patch mk_sshd.sh
|
||||
docker run --rm -v$$(pwd):/src --net=host -w /tmp alpine-gcc /src/mk_sshd.sh
|
||||
|
||||
|
@ -250,6 +250,7 @@ vboxfix /bin/segfaultsh
|
||||
# Allow segfaultsh access to /sf/bin if mounted from extern (during debugging)
|
||||
vboxfix /sf/bin
|
||||
|
||||
[[ -n $SF_DEBUG_SSHD ]] && sleep infinity
|
||||
# This will execute 'segfaultsh' on root-login (uid=1000)
|
||||
exec 0<&- # Close STDIN
|
||||
exec /usr/sbin/sshd -u0 -D
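Review bot: The added `[[ -n $SF_DEBUG_SSHD ]] && sleep infinity` parks the container forever without starting sshd and without saying why, so if SF_DEBUG_SSHD ever leaks into a production compose environment the only symptom is a silent connection refusal. Log before blocking so the cause is visible in `docker logs`: `[[ -n $SF_DEBUG_SSHD ]] && { echo >&2 "SF_DEBUG_SSHD is set: holding container, sshd NOT started"; sleep infinity; }`. The bare `&&` list is safe under `set -e` (a false left-hand side does not trip errexit), though whether the script uses it is not visible in this hunk. The rest of the startup script lies outside the hunk.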
|
||||
|
@ -3,6 +3,11 @@
|
||||
# Executed inside alpine-gcc context to build patched sshd
|
||||
# diff -x '!*.[ch]' -u -r openssh-9.2p1-orig openssh-9.2p1-sf | grep -v ^Only
|
||||
|
||||
# Manual debugging:
|
||||
# cd /research/segfault/host
|
||||
# docker run --rm -v$(pwd):/host --net=host -it alpine-gcc bash -il
|
||||
# export PS1='ssh-build:\w\$ '
|
||||
|
||||
DSTDIR="/src/fs-root/usr/sbin"
|
||||
DSTBIN="${DSTDIR}/sshd"
|
||||
set -e
|
||||
|
@ -1,6 +1,6 @@
|
||||
diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-sf/channels.c
|
||||
--- openssh-9.2p1-orig/channels.c 2023-02-02 12:21:54.000000000 +0000
|
||||
+++ openssh-9.2p1-sf/channels.c 2023-08-07 11:02:57.954485279 +0000
|
||||
diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-sf/channels.c
|
||||
--- openssh-9.2p1-orig/channels.c 2023-02-02 12:21:54
|
||||
+++ openssh-9.2p1-sf/channels.c 2023-08-15 06:13:05
|
||||
@@ -3639,7 +3639,7 @@
|
||||
ssh->chanctxt->IPv4or6 = af;
|
||||
}
|
||||
@ -18,9 +18,9 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/channels.c openssh-9.2p1-sf/channels.
|
||||
strcmp(listen_addr, "0.0.0.0") != 0 &&
|
||||
strcmp(listen_addr, "*") != 0) {
|
||||
ssh_packet_send_debug(ssh,
|
||||
diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverloop.c
|
||||
--- openssh-9.2p1-orig/serverloop.c 2023-02-02 12:21:54.000000000 +0000
|
||||
+++ openssh-9.2p1-sf/serverloop.c 2023-08-07 17:38:57.711615443 +0000
|
||||
diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverloop.c
|
||||
--- openssh-9.2p1-orig/serverloop.c 2023-02-02 12:21:54
|
||||
+++ openssh-9.2p1-sf/serverloop.c 2023-08-15 06:18:17
|
||||
@@ -102,6 +102,12 @@
|
||||
/* requested tunnel forwarding interface(s), shared with session.c */
|
||||
char *tun_fwd_ifnames = NULL;
|
||||
@ -34,15 +34,18 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverl
|
||||
/* returns 1 if bind to specified port by specified user is permitted */
|
||||
static int
|
||||
bind_permitted(int port, uid_t uid)
|
||||
@@ -391,6 +397,8 @@
|
||||
@@ -391,8 +397,10 @@
|
||||
/* Clean up sessions, utmp, etc. */
|
||||
cleanup_exit(255);
|
||||
}
|
||||
-
|
||||
channel_after_poll(ssh, pfd, npfd_active);
|
||||
+ if (sf_sigusr1_received != 0)
|
||||
+ sf_sshd2ns();
|
||||
|
||||
channel_after_poll(ssh, pfd, npfd_active);
|
||||
+
|
||||
if (conn_in_ready &&
|
||||
process_input(ssh, connection_in) < 0)
|
||||
break;
|
||||
@@ -637,12 +645,14 @@
|
||||
|
||||
if (strcmp(ctype, "session") == 0) {
|
||||
@ -87,10 +90,10 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/serverloop.c openssh-9.2p1-sf/serverl
|
||||
}
|
||||
if ((resp = sshbuf_new()) == NULL)
|
||||
fatal_f("sshbuf_new");
|
||||
diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
|
||||
--- openssh-9.2p1-orig/sshd.c 2023-02-02 12:21:54.000000000 +0000
|
||||
+++ openssh-9.2p1-sf/sshd.c 2023-08-07 17:38:29.479621863 +0000
|
||||
@@ -536,6 +536,69 @@
|
||||
diff --color=auto -x !*.[ch] -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
|
||||
--- openssh-9.2p1-orig/sshd.c 2023-02-02 12:21:54
|
||||
+++ openssh-9.2p1-sf/sshd.c 2023-08-15 06:13:05
|
||||
@@ -536,8 +536,71 @@
|
||||
return 0;
|
||||
}
|
||||
}
|
||||
@ -100,7 +103,7 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
|
||||
+#ifndef SECBIT_KEEP_CAPS
|
||||
+#define SECBIT_KEEP_CAPS (1<<4)
|
||||
+#endif
|
||||
+
|
||||
|
||||
+int sf_done;
|
||||
+int sf_by_signal;
|
||||
+int sf_sigusr1_received;
|
||||
@ -108,7 +111,7 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
|
||||
+size_t sf_ports_n;
|
||||
+static char sf_nsnet_name[128];
|
||||
+static struct ssh *sf_ssh;
|
||||
+static void
|
||||
static void
|
||||
+cb_sigusr1(int sig)
|
||||
+{
|
||||
+ debug("SIGUSR1 RECEIVED");
|
||||
@ -157,10 +160,12 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
|
||||
+
|
||||
+ sf_done = 1;
|
||||
+}
|
||||
|
||||
static void
|
||||
+
|
||||
+static void
|
||||
privsep_postauth(struct ssh *ssh, Authctxt *authctxt)
|
||||
@@ -576,9 +639,35 @@
|
||||
{
|
||||
#ifdef DISABLE_FD_PASSING
|
||||
@@ -576,8 +639,34 @@
|
||||
|
||||
reseed_prngs();
|
||||
|
||||
@ -169,7 +174,7 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
|
||||
+
|
||||
/* Drop privileges */
|
||||
do_setusercontext(authctxt->pw);
|
||||
|
||||
+
|
||||
+ // Set the effective CAPS to remove SECUREBITS
|
||||
+ cap_t caps = cap_get_proc();
|
||||
+ const cap_value_t cl[] = {CAP_SETPCAP};
|
||||
@ -192,7 +197,6 @@ diff -x '!*.[ch]' -u -r openssh-9.2p1-orig/sshd.c openssh-9.2p1-sf/sshd.c
|
||||
+ snprintf(sf_nsnet_name, sizeof sf_nsnet_name, "/dev/shm/ns-net-%d", getpid());
|
||||
+ sf_ssh = ssh;
|
||||
+ signal(SIGUSR1, cb_sigusr1);
|
||||
+
|
||||
|
||||
skip:
|
||||
/* It is safe now to apply the key state */
|
||||
monitor_apply_keystate(ssh, pmonitor);
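Review bot: In the sshd.c hunk `sf_sigusr1_received` is declared as a plain `int`, yet it is written from the SIGUSR1 handler `cb_sigusr1` and polled from the server loop (`if (sf_sigusr1_received != 0) sf_sshd2ns();` in the serverloop.c hunk), so it should be `volatile sig_atomic_t sf_sigusr1_received;` like OpenSSH's own `received_sigterm`; otherwise the compiler may legally hoist the load out of the loop and the wake-up is missed. The handler also calls `debug("SIGUSR1 RECEIVED")`, which goes through sshd's logging and is not async-signal-safe; the handler should only set the flag, with the log line moved to where the flag is consumed. Installing it via plain `signal()` rather than OpenSSH's `ssh_signal()` helper (misc.c) also gives different restart semantics for the interrupted poll than the rest of sshd relies on. Whether `sf_sshd2ns()` clears the flag is not visible here; if it does not, the call repeats on every loop iteration. Both `cb_sigusr1` and the server loop extend beyond what the hunks show.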
|
||||
|