Address
304 North Cardinal St.
Dorchester Center, MA 02124
Work Hours
Monday to Friday: 7AM - 7PM
Weekend: 10AM - 5PM
Since I’ve finished up the assignment posts for my SLAE exam, I wanted to write a post about binary patching.
While patching strings in a binary isn't the most useful technique for offensive security, it still has its uses. As a defender or an attacker, you can change strings that the application sends over the wire. Note that what follows edits the binary on disk and restarts the service rather than patching the running process. In this case, I'll show changing the SSH banner to misdirect a potential attacker: version scanners such as nmap key off this string, so a fake banner sends them down the wrong path.
First, I started up the SSH service on my local Kali VM.
root@kali:~# service ssh start
root@kali:~# service ssh status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: dis
   Active: active (running) since Sun 2018-09-30 15:27:38 EDT; 9s ago
  Process: 1730 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 1731 (sshd)
    Tasks: 1 (limit: 2353)
   Memory: 2.2M
   CGroup: /system.slice/ssh.service
           └─1731 /usr/sbin/sshd -D

Sep 30 15:27:38 kali systemd[1]: Starting OpenBSD Secure Shell server...
Sep 30 15:27:38 kali sshd[1731]: Server listening on 0.0.0.0 port 22.
Sep 30 15:27:38 kali sshd[1731]: Server listening on :: port 22.
Sep 30 15:27:38 kali systemd[1]: Started OpenBSD Secure Shell server.
Next, I connected to the instance, to verify the banner.
root@kali:~# nc -vv 127.0.0.1 22
localhost [127.0.0.1] 22 (ssh) open
SSH-2.0-OpenSSH_7.7p1 Debian-2
^C sent 0, rcvd 32
Next, I found the bytes where the banner was being set. Note that you can also page through the dump with more or less and search in it, or use strings -t x, which prints each string along with its file offset. Be aware that grepping xxd output only finds a string when it falls within a single 16-byte row; a string that straddles two rows won't match, so grep -boa (or strings) is the safer search.
root@kali:~# xxd /usr/sbin/sshd | grep "OpenSSH"
00079340: 6e20 2200 4f70 656e 5353 485f 372e 3770  n ".OpenSSH_7.7p
00079410: 656e 7420 2573 2e0a 004f 7065 6e53 5348  ent %s...OpenSSH
Next, I verified that bytes I wanted to modify were as expected.
root@kali:~# echo -n OpenSSH_7.7p1 | xxd -p
4f70656e5353485f372e377031
I then needed to decide on what I wanted my "new" SSH banner to be, and converted it to the hex bytes. Note that your life will be infinitely easier if you use a string of the same length when performing this technique: the string lives at a fixed spot in the binary's read-only data, so a same-length replacement is a pure byte swap, while inserting or deleting bytes shifts every offset after it and breaks the ELF, and a longer string written in place overwrites whatever sits next to it.
root@kali:~# echo -n VulnSSH_10.92 | xxd -p
56756c6e5353485f31302e3932
With the new bytes in hand, I used sed to replace the original bytes and created a new binary. xxd -p dumps the file as a plain hex stream, the tr command removes the newlines so the pattern can't be split across lines, the sed command replaces the byte string (the g flag replaces every occurrence, which here is both of the hits found above), and xxd -p -r turns the hex back into bytes. One caveat: the hex stream carries no byte alignment, so a pattern could in principle match starting on a nibble boundary rather than a byte boundary; with a 26-character pattern like this one that is unlikely, but cmp -l /usr/sbin/sshd /tmp/sshd will list exactly which bytes changed, and it's worth a look before installing the result. Additionally, I changed the permissions of the new file to match the old one.
root@kali:~# xxd -p /usr/sbin/sshd | tr -d '\n' | sed 's/4f70656e5353485f372e377031/56756c6e5353485f31302e3932/g;' | xxd -p -r > /tmp/sshd
root@kali:~# chmod --reference /usr/sbin/sshd /tmp/sshd
Next, I verified that the binary still worked and had the new banner. There is no -v option in sshd; the point of passing it is that the usage message it triggers prints the version string. For a proper check that the patched binary runs and parses its config, use /tmp/sshd -t, which is the same test systemd runs as ExecStartPre.
root@kali:~# /tmp/sshd -v
unknown option -- v
VulnSSH_10.92 Debian-2, OpenSSL 1.0.2o  27 Mar 2018
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]
Finally, I stopped the service, backed up the original binary, replaced it, and started my "new" service. Note that killall -9 sshd also kills every SSH session already established on the box, so service ssh stop is the gentler choice when you aren't on the console. Keep in mind too that the next openssh-server package upgrade will quietly put the stock binary back, and that a modified sshd is exactly what integrity checks such as dpkg --verify openssh-server, debsums or AIDE exist to catch, which is as useful to a defender hunting for a trojaned sshd as it is inconvenient for the prankster.
root@kali:~# killall -9 sshd; mv /usr/sbin/sshd /usr/sbin/sshd.bak; mv /tmp/sshd /usr/sbin/sshd; /etc/init.d/ssh start
root@kali:~# service ssh status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: dis
   Active: active (running) since Sun 2018-09-30 17:34:19 EDT; 3s ago
  Process: 2165 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 2166 (sshd)
    Tasks: 1 (limit: 2353)
   Memory: 1.0M
   CGroup: /system.slice/ssh.service
           └─2166 /usr/sbin/sshd -D

Sep 30 17:34:19 kali systemd[1]: Starting OpenBSD Secure Shell server...
Sep 30 17:34:19 kali sshd[2166]: Server listening on 0.0.0.0 port 22.
Sep 30 17:34:19 kali sshd[2166]: Server listening on :: port 22.
Sep 30 17:34:19 kali systemd[1]: Started OpenBSD Secure Shell server.
With my modified SSHD running, it was time to check the new banner. In this case, I connected using netcat again, and the banner was different!
root@kali:~# nc -vv 127.0.0.1 22
localhost [127.0.0.1] 22 (ssh) open
SSH-2.0-VulnSSH_10.92 Debian-2
^C sent 0, rcvd 32
While this was a fairly straightforward process, you can use it to patch the strings in any binary file. This has some uses for defenders as well as attackers, plus general fun or trolling.
In theory, you can replace strings with shorter ones as well. That said, I was unable to get this to work. The catch is that simply deleting bytes changes the file size and shifts every offset after the edit, which breaks the ELF; the shorter string has to be padded with NUL bytes (00) back to the original length, and because the C string then ends at the first NUL, the program sees only the shorter text. That padding also cuts off anything that followed the old string inside the same literal (the " Debian-2" suffix here), so to keep the suffix you replace the whole "OpenSSH_7.7p1 Debian-2" literal with the shorter text plus NULs. If you know any easier ways to do this, then please let me know!
This could be easily scripted as well, but I don’t see myself needing this often enough to do that.
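The whole procedure as one script, including the shorter-string case, as an added example: this is not the author's one-liner and not anything from OpenSSH. It assumes the target is a NUL-terminated C string literal (true of sshd's version string), works on the raw bytes instead of a hexdump so a match can neither straddle an xxd row nor land on a nibble boundary, keeps the file size constant, and copies the mode bits the way chmod --reference does. FAKE_BINARY is a constructed stand-in for the relevant bytes of an sshd binary, not a real ELF.

```python
#!/usr/bin/env python3
"""Replace a string literal inside a binary without changing the file size.

Added example for this post (not the author's script and not OpenSSH code).
Assumes the target string is a NUL-terminated C literal in read-only data.
Usage:  patch_string.py SRC DST OLD NEW
        patch_string.py /usr/sbin/sshd /tmp/sshd OpenSSH_7.7p1 VulnSSH_10.92
"""
import shutil
import sys

# Constructed stand-in for the relevant bytes of an sshd binary (not a real
# ELF). The real file has the same literal at a different offset.
FAKE_BINARY = (
    b"\x7fELF" + b"\x00" * 12
    + b"Server listening on %s port %d.\x00"
    + b"OpenSSH_7.7p1 Debian-2\x00"
    + b"usage: sshd [-46DdeiqTt]\x00"
)


def c_string_at(data: bytes, offset: int) -> bytes:
    """The bytes a C program would see for the string starting at offset."""
    end = data.find(b"\x00", offset)
    return data[offset:] if end < 0 else data[offset:end]


def find_literals(data: bytes, needle: bytes) -> list[tuple[int, bytes]]:
    """Every NUL-terminated literal containing needle, as (offset, literal).

    Searching raw bytes avoids the two pitfalls of `xxd | grep`: a hit that
    straddles a 16-byte hexdump row, and a hex pattern matching on a nibble
    rather than a byte boundary.
    """
    hits = []
    pos = 0
    while (i := data.find(needle, pos)) >= 0:
        start = data.rfind(b"\x00", 0, i) + 1   # just past the previous NUL
        if not hits or hits[-1][0] != start:
            hits.append((start, c_string_at(data, start)))
        pos = i + len(needle)
    return hits


def patch_string(data: bytes, old: bytes, new: bytes) -> tuple[bytes, int]:
    """Return (patched_bytes, occurrences_replaced).

    Same length: a plain byte swap, which is all the sed one-liner does.
    Shorter:     NEW is padded with NULs to len(OLD), so the file keeps its
                 size, but the C string now ends at the first NUL and anything
                 that followed OLD inside the same literal is dropped. To keep
                 a suffix, pass the whole literal as OLD.
    Longer:      refused; written in place it would clobber the next literal,
                 and inserted it would shift every later offset and break the ELF.
    """
    if len(new) > len(old):
        raise ValueError(f"replacement is {len(new) - len(old)} bytes too long")
    if b"\x00" in old or b"\x00" in new:
        raise ValueError("patterns must not contain NUL")
    padded = new.ljust(len(old), b"\x00")
    return data.replace(old, padded), data.count(old)


def patch_file(src: str, dst: str, old: bytes, new: bytes) -> int:
    """Write a patched copy of src to dst, keeping src's mode bits
    (the chmod --reference step), and return the number of replacements."""
    with open(src, "rb") as f:
        data = f.read()
    patched, count = patch_string(data, old, new)
    if count == 0:
        raise SystemExit(f"{old!r} not found in {src}")
    assert len(patched) == len(data)   # nothing shifted
    with open(dst, "wb") as f:
        f.write(patched)
    shutil.copymode(src, dst)
    return count


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: patch_string.py SRC DST OLD NEW")
    src, dst, old, new = sys.argv[1:]
    with open(src, "rb") as f:
        for off, lit in find_literals(f.read(), old.encode()):
            print(f"{off:#010x}: {lit!r}")   # what strings -t x would show
    n = patch_file(src, dst, old.encode(), new.encode())
    print(f"replaced {n} occurrence(s); wrote {dst}")
```

Run it against the stand-in and the three cases from the text fall out: a same-length swap leaves " Debian-2" intact, a shorter banner padded with NULs loses the suffix, and passing the whole "OpenSSH_7.7p1 Debian-2" literal as OLD keeps the suffix while still shortening the banner. Once the copy is in place, cmp -l SRC DST should list only the bytes you meant to change.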
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.