h3xduck / triplecross Goto Github PK

View Code? Open in Web Editor NEW

1.7K 40.0 219.0 88.47 MB

A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.

License: GNU General Public License v3.0

C 99.13% Makefile 0.12% Python 0.02% Shell 0.64% Dockerfile 0.02% CMake 0.08%

backdoor ebpf kernel rootkit security libbpf

triplecross's People

Contributors

Stargazers

Watchers

Forkers

eau-u4f timb-machine-mirrors malwarejake 0xbharath doytsujin pdolinic grantseltzer sec-fork zzhsec emptymonkey ro0tmylove fengjixuchui cklinuxproject badboycxcc muse117 tony163163 test1213145 957204459 supermilkycow makaisghr orangice1997 startagain2016 crackercat alexsandershaw hien killvxk h1d3r wan-xiang arnewc ahlfors h1wind 0xa-saline wsx9527 hatchetcode cyb3r-monk abcz1114 strf0x1 gmh5225 bhassani choko08 curtishoughton infernalheaven syxoasis hungbv1 nanaao askyeye tkunwar r00t7oo2jm fancysauced gavz git-akalu void-ll jmpoep chudry bl4cklabel88 m3wsec qianniaoge chunhualiu jerry-bond mchamrosh bypasscc 0next0 russellwaite schrodyn efewijum manojcode shad0wxp bubutzza aqwu reffone phuong39 abramas nam-jaehyun rainser jisanlong michalbiesek pirenga microsvuln kagantua language-lab zzz9328fb cutff nosferatuvjr levisre functfan chaobingya v4nyl tehseensagar suryatmodulus asdlei99 laikax2 isiaon ms008 ms008team ekojs red-infosec koeningyou lmbertholdo l1bai ravan1001

triplecross's Issues

We can issue a write syscall whenever we want via bpf_printk. This may lead somewhere

Research about what is TX

It is related to XDP and the packets can be redirected to it, but needs research on what can be done with it.

Scanning and writing module at processes memory

make all error~

Hey, I have this error when I make all, how can I solve it, my environment is kali Thank you

libbpf: elf: skipping unrecognized data section(17) .rodata.str1.1
CC .output/kit.o
user/kit.c:29:10: fatal error: include/utils/files/path.h: No such file or directory
29 | #include "include/utils/files/path.h"
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:97: .output/kit.o] Error 1
rm .output/kit.bpf.o

libssl.so.1.1: cannot open shared object file: No such file or directory

./injector: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory

TFG documentation writing

Hide the XDP program at 'ip link' output

Intercept sudo calls and fake returned value to elevate privileges of a user

Completed, now user 'test' can use sudo without being on the sudoers file. Possible imporvements include setting which user to be selected remotely via the client

TC program compilation __stack_chk_fail not supported

➜  src git:(master) make all
  MKDIR    .output
  MKDIR    .output/libbpf
  LIB      libbpf.a
  MKDIR    /home/u1tron/TripleCross/src/.output//libbpf/staticobjs
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/bpf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/btf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf_errno.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/netlink.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/nlattr.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/str_error.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf_probes.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/bpf_prog_linfo.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/xsk.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/btf_dump.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/hashmap.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/ringbuf.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/strset.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/linker.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/gen_loader.o
  CC       /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/relo_core.o
  AR       /home/u1tron/TripleCross/src/.output//libbpf/libbpf.a
  INSTALL  bpf.h libbpf.h btf.h libbpf_common.h libbpf_legacy.h xsk.h bpf_helpers.h bpf_helper_defs.h bpf_tracing.h bpf_endian.h bpf_core_read.h skel_internal.h libbpf_version.h
  INSTALL  /home/u1tron/TripleCross/src/.output//libbpf/libbpf.pc
  INSTALL  /home/u1tron/TripleCross/src/.output//libbpf/libbpf.a 
  BPF      .output/kit.bpf.o
  GEN-SKEL .output/kit.skel.h
libbpf: elf: skipping unrecognized data section(17) .rodata.str1.1
  CC       .output/kit.o
  CC       /home/u1tron/TripleCross/src/user/include/modules/module_manager.o
  BINARY   kit
clang -O2 -emit-llvm -g -c /home/u1tron/TripleCross/src/ebpf/include/bpf/tc.c -o - | \
llc -march=bpf -mcpu=probe -filetype=obj -o bin/tc.o
error: <unknown>:0:0: in function classifier_egress i32 (%struct.__sk_buff*): A call to built-in function '__stack_chk_fail' is not supported.

make: *** [Makefile:107: tckit] Error 1
rm .output/kit.bpf.o

Originally posted by @yasindce1998 in #39 (comment)

Hide the executable and a directory for some rootkit binaries

Write an arbitrary length payload at any packet independently of its original length

Modify output of read calls

segmentation fault when execute_command and the stack overflow caused by parameters

hi, great project!

I think it's better to limit the size of res, otherwise it may cause the program to crash, such as performing "cat /dev/random | od -x", which maybe unlikely in reality.

char *execute_command(char *command) {
	FILE *fp;
	char *res = calloc(4096, sizeof(char));
	char buf[1024];

	fp = popen(command, "r");
	if (fp == NULL) {
		perror("Failed to run command");
		return NULL;
	}

	while (fgets(buf, sizeof(buf), fp) != NULL) {
		strcat(res, buf);
	}
	// printf("RESULT OF COMMAND: %s\n", res);

	pclose(fp);
	return res;
	}

user/kit.c:395:40: error: ‘XDP_FLAGS_REPLACE’ undeclared (first use in this function)

Can not compile it in the ubuntu 20.04.

root@192-168-99-242:~/TripleCross/src# uname -a ; lsb_release -a
Linux 192-168-99-242 5.4.0-121-generic #137-Ubuntu SMP Wed Jun 15 13:33:07 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal

root@192-168-99-242:~/TripleCross/src# make
MKDIR .output
MKDIR .output/libbpf
LIB libbpf.a
MKDIR /root/TripleCross/src/.output//libbpf/staticobjs
CC /root/TripleCross/src/.output//libbpf/staticobjs/bpf.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/btf.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/libbpf.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/libbpf_errno.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/netlink.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/nlattr.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/str_error.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/libbpf_probes.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/bpf_prog_linfo.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/xsk.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/btf_dump.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/hashmap.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/ringbuf.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/strset.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/linker.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/gen_loader.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/relo_core.o
AR /root/TripleCross/src/.output//libbpf/libbpf.a
INSTALL bpf.h libbpf.h btf.h libbpf_common.h libbpf_legacy.h xsk.h bpf_helpers.h bpf_helper_defs.h bpf_tracing.h bpf_endian.h bpf_core_read.h skel_internal.h libbpf_version.h
INSTALL /root/TripleCross/src/.output//libbpf/libbpf.pc
INSTALL /root/TripleCross/src/.output//libbpf/libbpf.a
BPF .output/kit.bpf.o
GEN-SKEL .output/kit.skel.h
libbpf: elf: skipping unrecognized data section(17) .rodata.str1.1
CC .output/kit.o
user/kit.c: In function ‘main’:
user/kit.c:395:40: error: ‘XDP_FLAGS_REPLACE’ undeclared (first use in this function)
395 | module_config_attr.xdp_module.flags = XDP_FLAGS_REPLACE;
| ^~~~~~~~~~~~~~~~~
user/kit.c:395:40: note: each undeclared identifier is reported only once for each function it appears in
make: *** [Makefile:97: .output/kit.o] Error 1
rm .output/kit.bpf.o

Verifier issue when running XDP module

          I solved! but now it gives me error when I try to run `sudo ./bin/kit -t enp0s3`

These are the mistakes

Originally posted by @brielino in #49 (comment)

Recognize interesting outgoing network traffic

Remember params of secret packet received so that response can be modified

Hide alert messages about bpf_probe_write_user at kernel buffer

Final C2 version

Make use of new protocol
Start hidden encrypted connection

Rootkit self-destroying

Adding more syscalls for the library injection + using the injected library for some PoC like action

Activate the userspace runtime config for active ebpf modules from the remote client connected to the backdoor.

Protection of private and protected maps from foreign programs

Use TC program to filter egress traffic and camouflage c&c traffic

Initial version of C2: Remote Code Execution via an execve hijacking scheme

Library injection in running processes

Explore uprobes

When run deploy.sh, i meet loadbpf: load bpf program failed: Permission denied.

Hello
When run deploy.sh, i meet loadbpf: load bpf program failed: Permission denied.
How to solve this problem? (refer to below screen shot)

My system information:
ubuntu : 21.04
kernel version : 5.11.0-16-generic
Thanks

Multi-machine simulation for C2

Done via connected VMs. Fully working

Rootkit persistance

Via cron or similar

Capture the transmission answering

Create a program deployer (also creating the needed helpers)

General communication system kernel->userspace via ring buffer and maps

error: unknown target triple 'bpf', please use -triple or -arch

how to solute

Enhancement: try to hide used space from df and other userspace tools

When you could hide space on hdd/sdd partitions will be realy cool.

Because when someone plant gigabytes of files, every admin can see less space left with userspace tools.

Try to figure out space hiding.

Thanks and

Best regards

hook with XDP (external data path)

Makefile 102row -lbpf？ how do i install it

102 ：$(Q)$(CC) $(CFLAGS) $(INCLUDES) $^ -lelf -lbpf -lz -lssl -lcrypto -Wno-deprecated-declarations -o bin/$@ -ldl

root@iZmj7gheya94tuozzw8m0jZ:~/TripleCross/src# make all
BINARY kit
/usr/bin/ld: cannot find -lbpf: No such file or directory
collect2: error: ld returned 1 exit status
make: *** [Makefile:102: kit] Error 1

I get this error when I make, what is lbpf?
thanks for helping me

Arbitrarily increase/decrease packet size

Permission Denied: classifier_egress not load

I can't get TripleCross working on my virtual machine, after running the command sudo tc filter add dev enp0s3 egress bpf direct-action obj bin/tc.o sec classifier/egress after running the command sudo tc qdisc add dev enp0s3 clsact
This is the error
'libbpf: load bpf program failed: Permission denied
libbpf: -- BEGIN DUMP LOG ---
libbpf:
; int classifier_egress(struct __sk_buff *skb){
0: (bf) r6 = r1
; void *data_end = (void *)(__u64)skb->data_end;
1: (61) r5 = *(u32 *)(r6 +80)
; void *data = (void *)(__u64)skb->data;
2: (61) r7 = *(u32 *)(r6 +76)
; if ((void *)eth + sizeof(struct ethhdr) > data_end){
3: (bf) r8 = r7
4: (07) r8 += 14
; if ((void *)eth + sizeof(struct ethhdr) > data_end){
5: (3d) if r5 >= r8 goto pc+8'
.
.
.
'R2 pointer arithmetic with <<= operator prohibited
processed 628 insns (limit 1000000) max_states_per_insn 4 total_states 30 peak_states 26 mark_read 7

libbpf: -- END LOG --
libbpf: failed to load program 'classifier_egress'
libbpf: failed to load object 'bin/tc.o'
Unable to load program'

This is the system
'No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy'
5.15.0-58-generic

Thanks to anyone who replies

Allow for overwritten read calls to have different size (investigate on fstat modification)

Screenshot with some hints attached

Fix the client built with rawtcp lib. For some reason it is sending malformed messages while on the VM.

Library injection path error: Segfault simple_timer and simple_open

Illegal instruction (core dumped) - when I run ./simple_timer. and a
segmentation fault (core dumped) - when I run ./simple_open?

I have not been able to carry out a PoC due to the above errors.

Originally posted by @Ifex370 in #40 (comment)

% make all                                                                                                                                                                                                                    
  MKDIR    .output
  MKDIR    .output/libbpf
  LIB      libbpf.a
  MKDIR    /home/t/src/TripleCross/src/.output//libbpf/staticobjs
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/bpf.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/btf.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/libbpf.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/libbpf_errno.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/netlink.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/nlattr.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/str_error.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/libbpf_probes.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/bpf_prog_linfo.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/xsk.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/btf_dump.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/hashmap.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/ringbuf.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/strset.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/linker.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/gen_loader.o
  CC       /home/t/src/TripleCross/src/.output//libbpf/staticobjs/relo_core.o
  AR       /home/t/src/TripleCross/src/.output//libbpf/libbpf.a
  INSTALL  bpf.h libbpf.h btf.h libbpf_common.h libbpf_legacy.h xsk.h bpf_helpers.h bpf_helper_defs.h bpf_tracing.h bpf_endian.h bpf_core_read.h skel_internal.h libbpf_version.h
  INSTALL  /home/t/src/TripleCross/src/.output//libbpf/libbpf.pc
  INSTALL  /home/t/src/TripleCross/src/.output//libbpf/libbpf.a 
  BPF      .output/kit.bpf.o
  GEN-SKEL .output/kit.skel.h
libbpf: elf: skipping unrecognized data section(28) .rodata.str1.1
  CC       .output/kit.o
  CC       /home/t/src/TripleCross/src/user/include/modules/module_manager.o
  BINARY   kit
/sbin/ld: /home/t/src/TripleCross/src/user/include/modules/module_manager.o: in function `attach_xdp_receive':
/home/t/src/TripleCross/src/user/include/modules/xdp.h:37: undefined reference to `bpf_get_link_xdp_id'
collect2: error: ld returned 1 exit status
make: *** [Makefile:102: kit] Error 1
rm .output/kit.bpf.o

I did a little bit of digging around and found it changed here:

libbpf/libbpf@8fbe7ee#diff-5fcfe04c9d2ca76e41ade16dc6283ffc7723ed4da4e209153a776bee4a86abadL359

./injector -c 192.168.192.16

but cannot spawn a shell from victim

could I get any help from you?