Binary Patching for Subterfuge, Fun, and Profit

Since I've finished up the assignment posts for my SLAE exam, I wanted to write a post about binary patching.

Binary Patching - Introduction

While hot patching binaries isn't the most useful technique for offensive security, it still has its uses. As a defender or attacker, you can change strings that the application sends out. In this case, I'll show changing the SSH banner to misdirect a potential attacker.

Starting the Service and Verification

First, I started up the SSH service on my local Kali VM.

root@kali:~# service ssh start
root@kali:~# service ssh status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: dis
   Active: active (running) since Sun 2018-09-30 15:27:38 EDT; 9s ago
  Process: 1730 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 1731 (sshd)
    Tasks: 1 (limit: 2353)
   Memory: 2.2M
   CGroup: /system.slice/ssh.service
           └─1731 /usr/sbin/sshd -D

Sep 30 15:27:38 kali systemd[1]: Starting OpenBSD Secure Shell server...
Sep 30 15:27:38 kali sshd[1731]: Server listening on 0.0.0.0 port 22.
Sep 30 15:27:38 kali sshd[1731]: Server listening on :: port 22.
Sep 30 15:27:38 kali systemd[1]: Started OpenBSD Secure Shell server.

Next, I connected to the instance to verify the banner.

root@kali:~# nc -vv 127.0.0.1 22
localhost [127.0.0.1] 22 (ssh) open
SSH-2.0-OpenSSH_7.7p1 Debian-2
^C sent 0, rcvd 32

Making the Change

First, I found the bytes where the banner was being set. Note that you could also page through the dump with more or less and search within it instead of using grep.

root@kali:~# xxd /usr/sbin/sshd | grep "OpenSSH"
00079340: 6e20 2200 4f70 656e 5353 485f 372e 3770  n ".OpenSSH_7.7p
00079410: 656e 7420 2573 2e0a 004f 7065 6e53 5348  ent %s...OpenSSH

Next, I verified that the bytes I wanted to modify were as expected.

root@kali:~# echo -n OpenSSH_7.7p1 | xxd -p
4f70656e5353485f372e377031

I then decided what I wanted my "new" SSH banner to be and converted it to hex bytes. Note that your life will be infinitely easier if you use a string of the same length when performing this technique.

root@kali:~# echo -n VulnSSH_10.92 | xxd -p
56756c6e5353485f31302e3932

With the new bytes in hand, I used sed to replace the original bytes and created a new binary. The tr command removes the newlines from the hex dump so the search pattern isn't split across lines, the sed command replaces the byte string, and xxd -r converts the hex back into a binary. Additionally, I changed the permissions of the new file to match the old one.

root@kali:~# xxd -p /usr/sbin/sshd | tr -d '\n' | sed 's/4f70656e5353485f372e377031/56756c6e5353485f31302e3932/g;' | xxd -p -r > /tmp/sshd
root@kali:~# chmod --reference /usr/sbin/sshd /tmp/sshd

Next, I verified that the binary still worked and had the new banner.

root@kali:~# /tmp/sshd -v
unknown option -- v
VulnSSH_10.92 Debian-2, OpenSSL 1.0.2o  27 Mar 2018
usage: sshd [-46DdeiqTt] [-C connection_spec] [-c host_cert_file]
            [-E log_file] [-f config_file] [-g login_grace_time]
            [-h host_key_file] [-o option] [-p port] [-u len]

Finally, I stopped the service, backed up the original binary, replaced it, and started my "new" service.

root@kali:~# killall -9 sshd; mv /usr/sbin/sshd /usr/sbin/sshd.bak; mv /tmp/sshd /usr/sbin/sshd; /etc/init.d/ssh start
root@kali:~# service ssh status
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; disabled; vendor preset: dis
   Active: active (running) since Sun 2018-09-30 17:34:19 EDT; 3s ago
  Process: 2165 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 2166 (sshd)
    Tasks: 1 (limit: 2353)
   Memory: 1.0M
   CGroup: /system.slice/ssh.service
           └─2166 /usr/sbin/sshd -D

Sep 30 17:34:19 kali systemd[1]: Starting OpenBSD Secure Shell server...
Sep 30 17:34:19 kali sshd[2166]: Server listening on 0.0.0.0 port 22.
Sep 30 17:34:19 kali sshd[2166]: Server listening on :: port 22.
Sep 30 17:34:19 kali systemd[1]: Started OpenBSD Secure Shell server.

Verifying the Binary Patching

With my modified SSHD running, it was time to check the new banner. In this case, I connected using netcat again, and the banner was different!

root@kali:~# nc -vv 127.0.0.1 22
localhost [127.0.0.1] 22 (ssh) open
SSH-2.0-VulnSSH_10.92 Debian-2
^C sent 0, rcvd 32

Binary Patching - Conclusion

While this was a fairly straightforward process, it shows how you can hot-patch strings in binary files. This has some uses for defenders as well as attackers, plus general fun or trolling.

In theory, you can replace strings with shorter ones as well. That said, I was unable to get this to work. If you know any easy ways to do this, then please let me know!

This could be easily scripted as well, but I don't see myself needing this often enough to do that.
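The patching steps above collected into a byte-level script, as an added example that is not the post's own code. It searches on raw bytes rather than on a hex dump, so the match cannot land on an odd nibble the way a hex-string sed can; it keeps the file size and mode unchanged, as the chmod --reference step does; and it covers the shorter-replacement case from the previous paragraph by NUL-padding the new string to the original length, which ends the C string early instead of shifting anything after it. The sample "binary" contents and the names patch_string and demo are constructed for this example.

```python
"""Same-length string patching of a binary, at the byte level."""
import os
import shutil
import tempfile

# Constructed stand-in for a binary (not a real ELF): two copies of the
# banner string, each NUL-terminated, surrounded by unrelated bytes.
SAMPLE = (b"\x7fELF" + b"\x90" * 8 +
          b"OpenSSH_7.7p1 Debian-2\x00" +
          b"Client %s\n\x00OpenSSH_7.7p1\x00" + b"\xcc" * 4)


def patch_string(src, dst, old, new, pad=b"\x00"):
    """Copy src to dst, replacing every occurrence of old with new.

    new must not be longer than old.  If it is shorter it is padded with
    NUL bytes, so the total length never changes and no offsets shift.
    Returns the number of occurrences patched.
    """
    if len(new) > len(old):
        raise ValueError("replacement is longer than the original string")
    new = new.ljust(len(old), pad)
    with open(src, "rb") as f:
        data = bytearray(f.read())
    count, pos = 0, data.find(old)      # byte search: no odd-nibble matches
    while pos != -1:
        data[pos:pos + len(old)] = new
        count += 1
        pos = data.find(old, pos + len(old))
    with open(dst, "wb") as f:
        f.write(data)
    shutil.copymode(src, dst)           # equivalent of chmod --reference
    assert os.path.getsize(dst) == os.path.getsize(src)
    return count


def demo(old=b"OpenSSH_7.7p1", new=b"VulnSSH_10.92"):
    """Write SAMPLE to a temp file, patch it, return (count, bytes, mode_ok)."""
    d = tempfile.mkdtemp()
    src, dst = os.path.join(d, "sshd"), os.path.join(d, "sshd.patched")
    with open(src, "wb") as f:
        f.write(SAMPLE)
    os.chmod(src, 0o755)
    count = patch_string(src, dst, old, new)
    with open(dst, "rb") as f:
        out = f.read()
    mode_ok = (os.stat(src).st_mode & 0o777) == (os.stat(dst).st_mode & 0o777)
    shutil.rmtree(d)
    return count, out, mode_ok


if __name__ == "__main__":
    print(demo())
```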

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCP, eCPPT, eWPT, eWPTX, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Penetration Testing Consultant for Secureworks. His previous position was a Senior Penetration Tester for a major financial institution.

When he's not figuring out what cert to get next (currently GXPN) or side project to work on, he enjoys playing video games, traveling, and watching sports.
