initial import

ezdiy · Nov 29, 2019 · ddf0ae1 · ddf0ae1
1 parent 0542e94
commit ddf0ae1
Show file tree

Hide file tree

Showing 64 changed files with 32,465 additions and 6 deletions.
diff --git a/.gitmodules b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "dropbear-hacks"]
+	path = dropbear-hacks
+	url = https://github.com/zcutlip/dropbear-hacks
diff --git a/Makefile b/Makefile
@@ -1,2 +1,53 @@
+HOST=arm-buildroot-linux-musleabihf
+proftpd=proftpd-1.3.5e
+CONFIG_OPTIONS=--disable-pam --disable-syslog --disable-shadow --disable-lastlog --disable-utmp --disable-utmpx --disable-wtmp --disable-wtmpx --disable-loginfunc --disable-pututline --disable-pututxline --disable-zlib
+
+#--disable-syslog --disable-zlib --disable-pam --disable-shadow
+all: pbjb.zip
+pbjb.zip: Uninstall.app Jailbreak.app Services.app
+	zip pbjb.zip *.app
+clean:
+	rm -f Jailbreak.app Services.app pbjb.zip svc/bin/dropbear svc/bin/smbd svc/bin/ntlmhash svc/bin/proftpd
+	make -C $(proftpd) clean || true
+	make -C dropbear-hacks/src clean || true
 Jailbreak.app: hax.c
 	arm-buildroot-linux-musleabihf-gcc -s -static $< -o $@
+Services.app: FORCE
+	(cat svc.sh && tar cvzf - -C svc .) > Services.app
+	#tar cvf test.tar -C svc .
+svc: svc/bin/dropbear svc/bin/smbd svc/bin/ntlmhash svc/bin/proftpd
+	echo done
+
+pure-ftpd-1.0.49:
+	wget -c https://download.pureftpd.org/pub/pure-ftpd/releases/pure-ftpd-1.0.49.tar.gz
+	tar -xvzf pure-ftpd-1.0.49.tar.gz
+svc/bin/pure-ftpd: pure-ftpd-1.0.49
+	(cd pure-ftpd-1.0.49 && ./configure --without-inetd --without-privsep --without-shadow --without-ascii --without-globbing --with-puredb --disable-silent-rules --prefix=/mnt/secure --sbindir=/mnt/secure/bin --sharedstatedir=/var --localstatedir=/var --datadir=/mnt/secure --host=arm-linux-gnueabi CC="arm-buildroot-linux-musleabihf-gcc" LDFLAGS="-static -Wl,-gc-sections" CFLAGS="-ffunction-sections -fdata-sections -DACCEPT_ROOT_VIRTUAL_USERS=1")
+	make -C pure-ftpd-1.0.49
+	cp -f pure-ftpd-1.0.49/src/pure-ftpd svc/bin/pure-ftpd
+	cp -f pure-ftpd-1.0.49/src/pure-pw svc/bin/pure-pw
+	arm-buildroot-linux-musleabihf-strip svc/bin/pure-*
+
+$(proftpd).tar.gz:
+	wget -c ftp://ftp.proftpd.org/distrib/source/$(proftpd).tar.gz
+	tar -xvzf $(proftpd).tar.gz
+
+svc/bin/proftpd:
+	(cd $(proftpd) && ./configure --disable-autoshadow --without-pic --disable-auth-pam  --disable-cap --disable-facl --disable-dso  --disable-trace  --disable-ipv6 CC=arm-buildroot-linux-musleabihf-gcc LDFLAGS="--static -Wl,-gc-sections" CFLAGS="-D__mempcpy=mempcpy -ffunction-sections -fdata-sections" --prefix=/mnt/secure --sbindir=/mnt/secure/bin --sharedstatedir=/var --datarootdir=/mnt/secure)
+	make -C $(proftpd)
+	cp -f $(proftpd)/proftpd svc/bin
+	arm-buildroot-linux-musleabihf-strip svc/bin/proftpd
+
+svc/bin/dropbear:
+	cp options.h dropbear-hacks/src
+	cd dropbear-hacks/src && ./configure LDFLAGS="-static -Wl,-gc-sections" CFLAGS="-ffunction-sections -fdata-sections" --verbose $(CONFIG_OPTIONS) --host=$(HOST)
+	#make -C dropbear-hacks MULTI=1 CC=arm-buildroot-linux-musleabihf-gcc TRIP=arm-buildroot-linux-musleabihf-strip PROGRAMS="scp dbclient dropbear" BUILDSTATIC=1 || true
+	make -C dropbear-hacks/src MULTI=1 CC=arm-buildroot-linux-musleabihf-gcc HOST=arm-buildroot-linux-musleabihf STRIP=arm-buildroot-linux-musleabihf-strip PROGRAMS="scp dbclient dropbear" BUILDSTATIC=1 || true
+	cp dropbear-hacks/src/dropbearmulti svc/bin/dropbear
+	arm-buildroot-linux-musleabihf-strip svc/bin/dropbear
+svc/bin/smbd:
+	cp -f ./samba-3.6.25/source3/bin/smbd svc/bin
+	arm-buildroot-linux-musleabihf-strip svc/bin/smbd
+svc/bin/ntlmhash: ntlmhash.c
+	arm-buildroot-linux-musleabihf-gcc -static -s ntlmhash.c -o svc/bin/ntlmhash
+FORCE:
diff --git a/Uninstall.app b/Uninstall.app
@@ -0,0 +1,5 @@
+#!/mnt/secure/su /bin/sh
+chattr -i /mnt/secure/su /mnt/secure/runonce/*.sh
+rm -rf /mnt/secure/su /mnt/secure/runonce/*.sh /mnt/secure/bin /mnt/secure/etc
+rm -f $0
+reboot
diff --git a/dropbear-hacks b/dropbear-hacks
diff --git a/hax.c b/hax.c
@@ -18,7 +18,7 @@ int main(int argc, char *argv[]) {
 	static char buf[] =
 		"\xff\xff\xff\x7f\x00\x00\x00\x00\x24\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
 		"\";mv                                                                           "
-		SU "&& chown root:root " SU " && chmod 4755 " SU " && chmod 755 /mnt/secure && sync && /sbin/reboot;\"";
+		SU ";chmod 755 /mnt/secure;chown 0:0 " SU " && chmod 4755 " SU ";/sbin/reboot;\"";
 	char *prog = argv[0];
 	for (int i = 0; *prog; i++)
 		buf[i+25] = *prog++;

diff --git a/ntlmhash.c b/ntlmhash.c
@@ -0,0 +1,144 @@
+#include <unistd.h>
+#include <string.h>
+
+//Init values
+#define INIT_A 0x67452301
+#define INIT_B 0xefcdab89
+#define INIT_C 0x98badcfe
+#define INIT_D 0x10325476
+
+#define SQRT_2 0x5a827999
+#define SQRT_3 0x6ed9eba1
+
+unsigned int nt_buffer[16];
+unsigned int output[4];
+char hex_format[33];
+char itoa16[16] = "0123456789ABCDEF";
+
+//This is the MD4 compress function
+static void ntlm_crypt()
+{
+	unsigned int a = INIT_A;
+	unsigned int b = INIT_B;
+	unsigned int c = INIT_C;
+	unsigned int d = INIT_D;
+
+	/* Round 1 */
+	a += (d ^ (b & (c ^ d)))  +  nt_buffer[0]  ;a = (a << 3 ) | (a >> 29);
+	d += (c ^ (a & (b ^ c)))  +  nt_buffer[1]  ;d = (d << 7 ) | (d >> 25);
+	c += (b ^ (d & (a ^ b)))  +  nt_buffer[2]  ;c = (c << 11) | (c >> 21);
+	b += (a ^ (c & (d ^ a)))  +  nt_buffer[3]  ;b = (b << 19) | (b >> 13);
+
+	a += (d ^ (b & (c ^ d)))  +  nt_buffer[4]  ;a = (a << 3 ) | (a >> 29);
+	d += (c ^ (a & (b ^ c)))  +  nt_buffer[5]  ;d = (d << 7 ) | (d >> 25);
+	c += (b ^ (d & (a ^ b)))  +  nt_buffer[6]  ;c = (c << 11) | (c >> 21);
+	b += (a ^ (c & (d ^ a)))  +  nt_buffer[7]  ;b = (b << 19) | (b >> 13);
+
+	a += (d ^ (b & (c ^ d)))  +  nt_buffer[8]  ;a = (a << 3 ) | (a >> 29);
+	d += (c ^ (a & (b ^ c)))  +  nt_buffer[9]  ;d = (d << 7 ) | (d >> 25);
+	c += (b ^ (d & (a ^ b)))  +  nt_buffer[10] ;c = (c << 11) | (c >> 21);
+	b += (a ^ (c & (d ^ a)))  +  nt_buffer[11] ;b = (b << 19) | (b >> 13);
+
+	a += (d ^ (b & (c ^ d)))  +  nt_buffer[12] ;a = (a << 3 ) | (a >> 29);
+	d += (c ^ (a & (b ^ c)))  +  nt_buffer[13] ;d = (d << 7 ) | (d >> 25);
+	c += (b ^ (d & (a ^ b)))  +  nt_buffer[14] ;c = (c << 11) | (c >> 21);
+	b += (a ^ (c & (d ^ a)))  +  nt_buffer[15] ;b = (b << 19) | (b >> 13);
+
+	/* Round 2 */
+	a += ((b & (c | d)) | (c & d)) + nt_buffer[0] +SQRT_2; a = (a<<3 ) | (a>>29);
+	d += ((a & (b | c)) | (b & c)) + nt_buffer[4] +SQRT_2; d = (d<<5 ) | (d>>27);
+	c += ((d & (a | b)) | (a & b)) + nt_buffer[8] +SQRT_2; c = (c<<9 ) | (c>>23);
+	b += ((c & (d | a)) | (d & a)) + nt_buffer[12]+SQRT_2; b = (b<<13) | (b>>19);
+
+	a += ((b & (c | d)) | (c & d)) + nt_buffer[1] +SQRT_2; a = (a<<3 ) | (a>>29);
+	d += ((a & (b | c)) | (b & c)) + nt_buffer[5] +SQRT_2; d = (d<<5 ) | (d>>27);
+	c += ((d & (a | b)) | (a & b)) + nt_buffer[9] +SQRT_2; c = (c<<9 ) | (c>>23);
+	b += ((c & (d | a)) | (d & a)) + nt_buffer[13]+SQRT_2; b = (b<<13) | (b>>19);
+
+	a += ((b & (c | d)) | (c & d)) + nt_buffer[2] +SQRT_2; a = (a<<3 ) | (a>>29);
+	d += ((a & (b | c)) | (b & c)) + nt_buffer[6] +SQRT_2; d = (d<<5 ) | (d>>27);
+	c += ((d & (a | b)) | (a & b)) + nt_buffer[10]+SQRT_2; c = (c<<9 ) | (c>>23);
+	b += ((c & (d | a)) | (d & a)) + nt_buffer[14]+SQRT_2; b = (b<<13) | (b>>19);
+
+	a += ((b & (c | d)) | (c & d)) + nt_buffer[3] +SQRT_2; a = (a<<3 ) | (a>>29);
+	d += ((a & (b | c)) | (b & c)) + nt_buffer[7] +SQRT_2; d = (d<<5 ) | (d>>27);
+	c += ((d & (a | b)) | (a & b)) + nt_buffer[11]+SQRT_2; c = (c<<9 ) | (c>>23);
+	b += ((c & (d | a)) | (d & a)) + nt_buffer[15]+SQRT_2; b = (b<<13) | (b>>19);
+
+	/* Round 3 */
+	a += (d ^ c ^ b) + nt_buffer[0]  +  SQRT_3; a = (a << 3 ) | (a >> 29);
+	d += (c ^ b ^ a) + nt_buffer[8]  +  SQRT_3; d = (d << 9 ) | (d >> 23);
+	c += (b ^ a ^ d) + nt_buffer[4]  +  SQRT_3; c = (c << 11) | (c >> 21);
+	b += (a ^ d ^ c) + nt_buffer[12] +  SQRT_3; b = (b << 15) | (b >> 17);
+
+	a += (d ^ c ^ b) + nt_buffer[2]  +  SQRT_3; a = (a << 3 ) | (a >> 29);
+	d += (c ^ b ^ a) + nt_buffer[10] +  SQRT_3; d = (d << 9 ) | (d >> 23);
+	c += (b ^ a ^ d) + nt_buffer[6]  +  SQRT_3; c = (c << 11) | (c >> 21);
+	b += (a ^ d ^ c) + nt_buffer[14] +  SQRT_3; b = (b << 15) | (b >> 17);
+
+	a += (d ^ c ^ b) + nt_buffer[1]  +  SQRT_3; a = (a << 3 ) | (a >> 29);
+	d += (c ^ b ^ a) + nt_buffer[9]  +  SQRT_3; d = (d << 9 ) | (d >> 23);
+	c += (b ^ a ^ d) + nt_buffer[5]  +  SQRT_3; c = (c << 11) | (c >> 21);
+	b += (a ^ d ^ c) + nt_buffer[13] +  SQRT_3; b = (b << 15) | (b >> 17);
+
+	a += (d ^ c ^ b) + nt_buffer[3]  +  SQRT_3; a = (a << 3 ) | (a >> 29);
+	d += (c ^ b ^ a) + nt_buffer[11] +  SQRT_3; d = (d << 9 ) | (d >> 23);
+	c += (b ^ a ^ d) + nt_buffer[7]  +  SQRT_3; c = (c << 11) | (c >> 21);
+	b += (a ^ d ^ c) + nt_buffer[15] +  SQRT_3; b = (b << 15) | (b >> 17);
+
+	output[0] = a + INIT_A;
+	output[1] = b + INIT_B;
+	output[2] = c + INIT_C;
+	output[3] = d + INIT_D;
+}	
+
+//This include the Unicode conversion and the padding
+static void prepare_key(char *key)
+{
+	int i=0;
+	int length=strlen(key);
+	memset(nt_buffer,0,16*4);
+	//The length of key need to be <= 27
+	for(;i<length/2;i++)	
+		nt_buffer[i] = key[2*i] | (key[2*i+1]<<16);
+
+	//padding
+	if(length%2==1)
+		nt_buffer[i] = key[length-1] | 0x800000;
+	else
+		nt_buffer[i]=0x80;
+	//put the length
+	nt_buffer[14] = length << 4;
+}
+
+//This convert the output to hexadecimal form
+static void convert_hex()
+{
+	int i=0;
+	//Iterate the integer
+	for(;i<4;i++)
+	{
+		int j=0;
+		unsigned int n=output[i];
+		//iterate the bytes of the integer		
+		for(;j<4;j++)
+		{
+			unsigned int convert=n%256;
+			hex_format[i*8+j*2+1]=itoa16[convert%16];
+			convert=convert/16;
+			hex_format[i*8+j*2+0]=itoa16[convert%16];
+			n=n/256;
+		}	
+	}
+	//null terminate the string
+	hex_format[33]=0;
+}
+
+int main(int argc, char **argv)
+{
+	prepare_key(argv[1]);
+	ntlm_crypt();
+	convert_hex();
+	write(1, hex_format, 32);
+	return 0;
+}