XZ Utils liblzma supply-chain backdoor
CVE-2024-3094 is a malicious supply-chain backdoor in the upstream XZ Utils release tarballs for versions 5.6.0 and 5.6.1. It was not a conventional memory-corruption flaw; the malicious logic was introduced through obfuscated build-time artifacts in the distributed tarballs and associated repository content. During the liblzma build, an obfuscated script injected via the build tooling extracts a prebuilt object from disguised test files such as bad-3-corrupt_lzma2.xz and good-large_compressed.lzma, modifies the src/liblzma build outputs, and produces a poisoned liblzma library. Published analysis states that the backdoor replaced liblzma ifunc resolvers such as crc32_resolve() and crc64_resolve(), installed dynamic-linker audit-hook behavior, and redirected sshd's RSA_public_decrypt resolution to attacker-controlled code. The malicious behavior affected software linked against liblzma and, on certain Linux distributions, reached OpenSSH indirectly through distro-specific systemd integration, where sshd loaded libsystemd and thus liblzma. The backdoor activated only under selective build and runtime conditions and was reported to execute in a pre-authentication SSH context.
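The exposure path described above (sshd pulling in liblzma transitively through libsystemd, with an affected 5.6.0 or 5.6.1 release installed) can be checked from a shell. The script below is an added example written for this page, not the project's or any listed repository's own tooling; it assumes a Linux host where `sshd`, `ldd` and `xz` are on PATH, and the sample ldd and `xz --version` output it carries is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the page or the XZ project): does this host's sshd link liblzma,
# and is the installed xz one of the CVE-2024-3094 releases (5.6.0 / 5.6.1)?
# Assumes Linux with sshd, ldd and xz on PATH; each helper is pure so it can be tested offline.

# Returns 0 when the given xz/liblzma version string is a known backdoored release.
is_backdoored_version() {
    case "$1" in
        5.6.0|5.6.1) return 0 ;;
        *) return 1 ;;
    esac
}

# Given ldd-style output ("liblzma.so.5 => /usr/lib/.../liblzma.so.5 (0x...)"),
# print the resolved liblzma path, or nothing if liblzma is not a (transitive) dependency.
liblzma_from_ldd() {
    printf '%s\n' "$1" | awk '/liblzma\.so/ { print $3; exit }'
}

# Given `xz --version` output ("xz (XZ Utils) 5.6.1" on the first line), print the version.
xz_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Live check against the running host. Exit status: 0 = not exposed via this path,
# 2 = sshd links liblzma and the installed xz is an affected release.
check_host() {
    sshd_path=$(command -v sshd 2>/dev/null) || { echo "sshd not found; nothing to check"; return 0; }
    lib=$(liblzma_from_ldd "$(ldd "$sshd_path" 2>/dev/null)")
    if [ -z "$lib" ]; then
        echo "sshd does not link liblzma: not exposed via the libsystemd path"
        return 0
    fi
    ver=$(xz_version_from_output "$(xz --version 2>/dev/null)")
    if is_backdoored_version "$ver"; then
        echo "WARNING: sshd links $lib and xz reports $ver (affected release)"
        return 2
    fi
    echo "sshd links $lib; xz reports ${ver:-unknown} (not a known affected release)"
    return 0
}

# Constructed sample data (not real host output) so the helpers can be exercised offline.
SAMPLE_LDD='    linux-vdso.so.1 (0x00007ffd00000000)
    libsystemd.so.0 => /lib/x86_64-linux-gnu/libsystemd.so.0 (0x00007f0100000000)
    liblzma.so.5 => /lib/x86_64-linux-gnu/liblzma.so.5 (0x00007f0200000000)'
SAMPLE_XZ='xz (XZ Utils) 5.6.1
liblzma 5.6.1'

# Run the live check only when asked, so sourcing the file for its helpers has no side effects.
if [ "${1:-}" = "--check" ]; then
    check_host
fi
```

Run it as `sh check_xz.sh --check`. The version comes from the `xz` binary, which is normally built from the same package as liblzma but is not the library sshd actually mapped; for a conclusive answer, compare the path printed by `ldd` with your package manager's record of which xz version owns it, and treat a 5.6.0 or 5.6.1 result as a reason to rebuild from a trusted source rather than as a mere warning.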
Are you exposed to this one?
Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
Remediation
Patch, then assume compromise.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos (45 hidden).
This repository provides a Bash script ('obfuscate_payload.sh') that recreates the obfuscation technique used in the XZ Utils supply chain attack (CVE-2024-3094). The script takes a user-supplied payload, compresses and obfuscates it, and embeds it into a modified 'good-large_compressed.lzma' file. This file is intended to be placed in the 'test/files' directory of the xzutils 5.6.0 source code. When xzutils is built, the backdoor payload is extracted and executed, enabling arbitrary code execution on the build system. The repository includes a README with detailed instructions for both obfuscation and deobfuscation, as well as a LICENSE file. The exploit is a proof-of-concept for demonstrating the obfuscation and delivery technique used in the real-world XZ backdoor incident. No network endpoints are present; all operations are local file manipulations and build process hijacking.
This repository provides a comprehensive toolkit for analyzing, exploiting, and detecting the XZ Utils (liblzma) backdoor (CVE-2024-3094) affecting versions 5.6.0 and 5.6.1. The structure includes:
- **bot.go**: A Go-based exploit tool that crafts a malicious SSH authentication request, leveraging the backdoored liblzma to execute arbitrary commands on the target system. It connects to a specified SSH address (default 127.0.0.2:2222) and sends a payload that triggers the backdoor.
- **reverse_shell.py**: A Python script that can interact with the backdoor, acting as a custom SSH agent to facilitate further exploitation, such as establishing a reverse shell.
- **patch.py** and **patch_libzma.py**: Scripts to patch the vulnerable liblzma shared object, replacing the backdoor's key generation routine with a static key, making exploitation deterministic for testing or demonstration.
- **generator.py**: Generates Ed448 key pairs used in the exploit process.
- **detector.sh**: A Bash script to detect whether the system's sshd is linked to a vulnerable (backdoored) liblzma library by checking for specific function signatures.
- **configure.sh** and **inject.sh**: Scripts to automate the setup of a vulnerable environment and inject the malicious library into the system.
- **rule.yar**: YARA rule for detecting the malicious code in liblzma binaries.
The repository is intended for educational and defensive research. It demonstrates how the backdoor can be exploited to bypass SSH authentication and execute arbitrary commands, and provides tools for both exploitation and detection. The main attack vector is network-based, targeting SSH services linked against the compromised liblzma library. The exploit requires the attacker to know the specific cryptographic keys used by the backdoor, which are generated or patched using the provided scripts.
This repository provides a comprehensive toolkit for exploring and exploiting the xz/liblzma backdoor (CVE-2024-3094). The main components are:
- `main.go`: Implements a Go-based CLI tool (`xzbot`) that crafts and sends a specially formatted SSH certificate to a vulnerable SSH server, triggering the backdoor and executing an arbitrary shell command (default: `id > /tmp/.xz`). The tool allows configuration of the target address, the ED448 key seed, and the command to execute.
- `patch.py`: A Python script that patches a backdoored `liblzma.so.5.6.1` shared object, replacing the embedded ED448 public key with one generated from a known seed, allowing the user to exploit the backdoor with their own key.
- `openssh.patch`: A patch for OpenSSH that adds logging for connections attempting to exploit the backdoor, useful for honeypot or detection purposes.
- `README.md`: Provides detailed technical documentation, including the backdoor's cryptographic format, usage instructions, and references.
The exploit works by sending a malicious SSH certificate with a payload in the CA signing key field, which the backdoored liblzma interprets as a command to execute via system(). The repository also includes detection and research tools, such as a honeypot patch for OpenSSH. The exploit is operational and can be used to achieve remote code execution on vulnerable systems, provided the attacker controls the ED448 key used by the backdoor.
This repository contains a single C-language exploit (exploit.c) targeting the OpenSSH 9.2p1 server vulnerability known as 'regreSSHion' (CVE-2024-6387). The exploit leverages a race condition in the SSH daemon's signal handler, allowing remote code execution as root on glibc-based Linux systems. The exploit is operational and requires the attacker to specify the target's IP address and SSH port. The code includes a shellcode placeholder, which the user is expected to replace with a custom payload. The exploit attempts to brute-force the race condition, iterating over possible glibc base addresses and performing thousands of attempts as recommended in the advisory. The README provides basic usage instructions. No hardcoded IPs, domains, or file paths are present; the exploit is generic and requires user-supplied target information. The repository is focused and contains only the exploit code, a README, and a .gitattributes file.
This repository is an Ansible role designed to automate the installation (and optional removal) of the xz backdoor (CVE-2024-3094) on Debian-based Linux systems. The role downloads a malicious version of the liblzma shared library from a remote GitHub repository and replaces the system's liblzma.so.5 with a symlink to the malicious version, thereby activating the backdoor. It can also install the xzbot command-line tool, which is used to interact with the backdoor. The role supports both installation and uninstallation (restoring the original library). The main logic is implemented in Ansible YAML files under the 'tasks' directory, with 'tasks/main.yml' serving as the entry point. The attack vector is local, as the role must be executed with administrative privileges on the target system. The repository is intended for use in controlled environments (e.g., Ludus cyber ranges) for demonstration or research purposes, but it deploys real malware and should be handled with caution. Notable endpoints include the URLs for downloading the malicious library and the file paths where the backdoor and tools are installed.
Affected products & vendors
Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.
Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.
Recent activity
72 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A critical supply-chain backdoor in XZ Utils 5.6.0 and 5.6.1 that injected malicious code into liblzma during build time and hooked SSH authentication-related functionality.
A malicious backdoor incident in xz-utils highlighted how widely used open-source software could be compromised with minimal detection, serving as an example of supply-chain risk.
A critical supply chain compromise in xz Utils versions 5.6.0 and 5.6.1 that injects malicious code capable of interfering with sshd authentication via systemd, potentially enabling unauthorized remote access.
Supply-chain compromise of XZ Utils where malicious code was discovered in specific released tarballs (notably 5.6.0 and 5.6.1), widely discussed as the XZ backdoor incident.
The version that knows your environment.
Query your assets running an affected version, and investigate the blast radius.
Every observed campaign linking this CVE to a named adversary.
Malware families riding this exploit, with evidence and IOCs.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Cross-references every affected SKU, including bundled OEM variants.
Community discussion across Reddit, Mastodon, and other social sources.