Persistent SSH root backdoor on Android

Tested on Android 10.
Get a root shell on your Android device via adb and execute:

remount
ssh-keygen -A
mkdir /root
cp -r /data/ssh /root
cp /etc/ssh/sshd_config /root
chmod 740 /root
chmod 700 /root/ssh
touch /root/ssh/authorized_keys
chmod 600 /root/ssh/authorized_keys
chown root:root -R /root

Add your SSH public key to “/root/ssh/authorized_keys”, then execute:

sed -i 's/\/data\//\/root\//g' /etc/ssh/sshd_config
echo "HostKey /root/ssh/ssh_host_ed25519_key" >> /etc/ssh/sshd_config

Add the file “/root/start” with this content:

#!/bin/sh
/bin/sshd -f /root/sshd_config

Add our daemon under “/system/etc/init/sshd.rc”:

service sshd /system/bin/sh /root/start
    user root
    group root
    oneshot
    seclabel u:r:su:s0

on property:sys.boot_completed=1 && property:sys.logbootcomplete=1
    start sshd

Reboot your device, done.
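
To check a device or image for this kind of persistence, the init .rc files can be audited for the traits the service above has: the su SELinux domain, root user, and a script path outside the system partitions. The following is an added example, not part of the original write-up; the function names, the `demo_logger` service and the trusted-prefix list are assumptions made for illustration.

```python
# Constructed sample: the service from this page plus one made-up benign service.
SAMPLE_RC = """\
service sshd /system/bin/sh /root/start
    user root
    group root
    oneshot
    seclabel u:r:su:s0

service demo_logger /system/bin/logcat -f /data/misc/demo.log
    user logd

on property:sys.boot_completed=1 && property:sys.logbootcomplete=1
    start sshd
"""

# Assumption: partitions treated as read-only/verified on the audited build.
TRUSTED_PREFIXES = ("/system/", "/vendor/", "/product/", "/apex/", "/odm/")

def parse_rc(text):
    """Return ({service: {"argv", "opts"}}, {service: [triggers that start it]})."""
    services, started_by, section = {}, {}, None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "service" and len(words) >= 3:
            section = ("service", words[1])
            services[words[1]] = {"argv": words[2:], "opts": {}}
        elif words[0] == "on":
            section = ("on", " ".join(words[1:]))
        elif section and section[0] == "service":
            services[section[1]]["opts"][words[0]] = words[1:]
        elif section and words[0] == "start" and len(words) > 1:
            started_by.setdefault(words[1], []).append(section[1])
    return services, started_by

def audit(text):
    """Flag services in the su domain, or root services running untrusted paths."""
    services, started_by = parse_rc(text)
    findings = {}
    for name, svc in services.items():
        label = (svc["opts"].get("seclabel") or [""])[0]
        su = label.split(":")[2:3] == ["su"]
        # init runs a service as root when no "user" option is given
        root = (svc["opts"].get("user") or ["root"])[0] == "root"
        outside = [a for a in svc["argv"]
                   if a.startswith("/") and not a.startswith(TRUSTED_PREFIXES)]
        if su or (root and outside):
            findings[name] = {"su_domain": su, "root": root,
                              "untrusted_paths": outside,
                              "triggers": started_by.get(name, [])}
    return findings
```

Run `audit()` over each file pulled from the device's init directories; a finding that also has a boot trigger is started on every boot.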

(On LineageOS 18.1 sshd will crash at the moment)
https://gitlab.com/LineageOS/issues/android/-/issues/3437

signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0
Cause: null pointer dereference

backtrace:
      #00 pc 000000000004ab40  /apex/com.android.runtime/lib64/bionic/libc.so (strlen_default+16) (BuildId: be9c72fe4db37cd191b589b74d090d13)
      #01 pc 00000000000361c4  /system/bin/sshd (main+1720) (BuildId: 610e2671bc203f1b61ef273d60564a86)
      #02 pc 000000000004988c  /apex/com.android.runtime/lib64/bionic/libc.so (__libc_init+108) (BuildId: be9c72fe4db37cd191b589b74d090d13)