h3xduck / triplecross
A Linux eBPF rootkit with a backdoor, C2, library injection, execution hijacking, persistence and stealth capabilities.
License: GNU General Public License v3.0
It is related to XDP and the packets can be redirected to it, but needs research on what can be done with it.
Hey, I have this error when I run make all. How can I solve it? My environment is Kali. Thank you.
libbpf: elf: skipping unrecognized data section(17) .rodata.str1.1
CC .output/kit.o
user/kit.c:29:10: fatal error: include/utils/files/path.h: No such file or directory
29 | #include "include/utils/files/path.h"
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~
compilation terminated.
make: *** [Makefile:97: .output/kit.o] Error 1
rm .output/kit.bpf.o
./injector: error while loading shared libraries: libssl.so.1.1: cannot open shared object file: No such file or directory
Completed, now user 'test' can use sudo without being on the sudoers file. Possible improvements include setting which user to be selected remotely via the client.
➜ src git:(master) make all
MKDIR .output
MKDIR .output/libbpf
LIB libbpf.a
MKDIR /home/u1tron/TripleCross/src/.output//libbpf/staticobjs
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/bpf.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/btf.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf_errno.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/netlink.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/nlattr.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/str_error.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/libbpf_probes.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/bpf_prog_linfo.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/xsk.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/btf_dump.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/hashmap.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/ringbuf.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/strset.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/linker.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/gen_loader.o
CC /home/u1tron/TripleCross/src/.output//libbpf/staticobjs/relo_core.o
AR /home/u1tron/TripleCross/src/.output//libbpf/libbpf.a
INSTALL bpf.h libbpf.h btf.h libbpf_common.h libbpf_legacy.h xsk.h bpf_helpers.h bpf_helper_defs.h bpf_tracing.h bpf_endian.h bpf_core_read.h skel_internal.h libbpf_version.h
INSTALL /home/u1tron/TripleCross/src/.output//libbpf/libbpf.pc
INSTALL /home/u1tron/TripleCross/src/.output//libbpf/libbpf.a
BPF .output/kit.bpf.o
GEN-SKEL .output/kit.skel.h
libbpf: elf: skipping unrecognized data section(17) .rodata.str1.1
CC .output/kit.o
CC /home/u1tron/TripleCross/src/user/include/modules/module_manager.o
BINARY kit
clang -O2 -emit-llvm -g -c /home/u1tron/TripleCross/src/ebpf/include/bpf/tc.c -o - | \
llc -march=bpf -mcpu=probe -filetype=obj -o bin/tc.o
error: <unknown>:0:0: in function classifier_egress i32 (%struct.__sk_buff*): A call to built-in function '__stack_chk_fail' is not supported.
make: *** [Makefile:107: tckit] Error 1
rm .output/kit.bpf.o
Originally posted by @yasindce1998 in #39 (comment)
Hi, great project!
I think it's better to limit the size of res, otherwise it may cause the program to crash, such as when performing "cat /dev/random | od -x", which may be unlikely in reality.
    char *execute_command(char *command) {
        FILE *fp;
        char *res = calloc(4096, sizeof(char));
        char buf[1024];
        fp = popen(command, "r");
        if (fp == NULL) {
            perror("Failed to run command");
            return NULL;
        }
        while (fgets(buf, sizeof(buf), fp) != NULL) {
            strcat(res, buf);
        }
        // printf("RESULT OF COMMAND: %s\n", res);
        pclose(fp);
        return res;
    }
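Added example (not part of the original issue or the project's code): the loop above appends with strcat into a fixed 4096-byte allocation, so any output longer than that writes past the end of the heap buffer. The version below keeps the same popen() flow but caps what is copied and reports truncation; `read_bounded`, `execute_command_bounded` and `MAX_OUTPUT` are names assumed here.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* popen/pclose under strict -std= modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define MAX_OUTPUT 4096           /* assumed cap, same size as the calloc in the post */

/* Read from fp into a fresh heap buffer of at most cap bytes, including the
 * terminating NUL. Sets *truncated to 1 when the stream held more than fits.
 * Returns NULL if cap is 0 or allocation fails. The caller frees the result. */
char *read_bounded(FILE *fp, size_t cap, int *truncated) {
    char buf[1024];
    size_t used = 0;
    char *res;

    if (truncated) *truncated = 0;
    if (cap == 0 || (res = calloc(cap, 1)) == NULL)
        return NULL;

    while (fgets(buf, sizeof(buf), fp) != NULL) {
        size_t n = strlen(buf);
        size_t room = cap - 1 - used;      /* bytes left before the NUL slot */
        if (n > room) {                    /* would overflow: copy what fits, stop */
            memcpy(res + used, buf, room);
            used += room;
            if (truncated) *truncated = 1;
            break;
        }
        memcpy(res + used, buf, n);
        used += n;
    }
    res[used] = '\0';
    return res;
}

/* Bounded counterpart of the posted function: same popen() flow, capped output. */
char *execute_command_bounded(const char *command, int *truncated) {
    FILE *fp = popen(command, "r");
    char *res;
    if (fp == NULL) {
        perror("Failed to run command");
        return NULL;
    }
    res = read_bounded(fp, MAX_OUTPUT, truncated);
    pclose(fp);   /* closes the pipe; an endless producer gets SIGPIPE on its next write */
    return res;
}
```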
Cannot compile it on Ubuntu 20.04.
root@192-168-99-242:~/TripleCross/src# uname -a ; lsb_release -a
Linux 192-168-99-242 5.4.0-121-generic #137-Ubuntu SMP Wed Jun 15 13:33:07 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.4 LTS
Release: 20.04
Codename: focal
root@192-168-99-242:~/TripleCross/src# make
MKDIR .output
MKDIR .output/libbpf
LIB libbpf.a
MKDIR /root/TripleCross/src/.output//libbpf/staticobjs
CC /root/TripleCross/src/.output//libbpf/staticobjs/bpf.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/btf.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/libbpf.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/libbpf_errno.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/netlink.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/nlattr.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/str_error.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/libbpf_probes.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/bpf_prog_linfo.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/xsk.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/btf_dump.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/hashmap.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/ringbuf.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/strset.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/linker.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/gen_loader.o
CC /root/TripleCross/src/.output//libbpf/staticobjs/relo_core.o
AR /root/TripleCross/src/.output//libbpf/libbpf.a
INSTALL bpf.h libbpf.h btf.h libbpf_common.h libbpf_legacy.h xsk.h bpf_helpers.h bpf_helper_defs.h bpf_tracing.h bpf_endian.h bpf_core_read.h skel_internal.h libbpf_version.h
INSTALL /root/TripleCross/src/.output//libbpf/libbpf.pc
INSTALL /root/TripleCross/src/.output//libbpf/libbpf.a
BPF .output/kit.bpf.o
GEN-SKEL .output/kit.skel.h
libbpf: elf: skipping unrecognized data section(17) .rodata.str1.1
CC .output/kit.o
user/kit.c: In function ‘main’:
user/kit.c:395:40: error: ‘XDP_FLAGS_REPLACE’ undeclared (first use in this function)
395 | module_config_attr.xdp_module.flags = XDP_FLAGS_REPLACE;
| ^~~~~~~~~~~~~~~~~
user/kit.c:395:40: note: each undeclared identifier is reported only once for each function it appears in
make: *** [Makefile:97: .output/kit.o] Error 1
rm .output/kit.bpf.o
I solved it! But now it gives me an error when I try to run `sudo ./bin/kit -t enp0s3`
Originally posted by @brielino in #49 (comment)
Remember params of secret packet received so that response can be modified
Make use of new protocol
Start hidden encrypted connection
Done via connected VMs. Fully working
Via cron or similar
How to solve this?
If you could hide space on HDD/SSD partitions, it would be really cool.
Because when someone plants gigabytes of files, every admin can see less space left with userspace tools.
Try to figure out space hiding.
Thanks and
Best regards
102 :$(Q)$(CC)
root@iZmj7gheya94tuozzw8m0jZ:~/TripleCross/src# make all
BINARY kit
/usr/bin/ld: cannot find -lbpf: No such file or directory
collect2: error: ld returned 1 exit status
make: *** [Makefile:102: kit] Error 1
I get this error when I make, what is lbpf?
thanks for helping me
I can't get TripleCross working on my virtual machine, after running the command sudo tc filter add dev enp0s3 egress bpf direct-action obj bin/tc.o sec classifier/egress
after running the command sudo tc qdisc add dev enp0s3 clsact
This is the error
'libbpf: load bpf program failed: Permission denied
libbpf: -- BEGIN DUMP LOG ---
libbpf:
; int classifier_egress(struct __sk_buff *skb){
0: (bf) r6 = r1
; void *data_end = (void *)(__u64)skb->data_end;
1: (61) r5 = *(u32 *)(r6 +80)
; void *data = (void *)(__u64)skb->data;
2: (61) r7 = *(u32 *)(r6 +76)
; if ((void *)eth + sizeof(struct ethhdr) > data_end){
3: (bf) r8 = r7
4: (07) r8 += 14
; if ((void *)eth + sizeof(struct ethhdr) > data_end){
5: (3d) if r5 >= r8 goto pc+8'
.
.
.
'R2 pointer arithmetic with <<= operator prohibited
processed 628 insns (limit 1000000) max_states_per_insn 4 total_states 30 peak_states 26 mark_read 7
libbpf: -- END LOG --
libbpf: failed to load program 'classifier_egress'
libbpf: failed to load object 'bin/tc.o'
Unable to load program'
This is the system
'No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 22.04.1 LTS
Release: 22.04
Codename: jammy'
5.15.0-58-generic
Thanks to anyone who replies
Screenshot with some hints attached
Illegal instruction (core dumped) - when I run ./simple_timer, and a segmentation fault (core dumped) - when I run ./simple_open?
I have not been able to carry out a PoC due to the above errors.
Originally posted by @Ifex370 in #40 (comment)
TripleCross does not compile out of the box with ArchLinux today, due to its inclusion of libbpf 1.0.1:
% make all
MKDIR .output
MKDIR .output/libbpf
LIB libbpf.a
MKDIR /home/t/src/TripleCross/src/.output//libbpf/staticobjs
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/bpf.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/btf.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/libbpf.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/libbpf_errno.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/netlink.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/nlattr.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/str_error.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/libbpf_probes.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/bpf_prog_linfo.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/xsk.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/btf_dump.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/hashmap.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/ringbuf.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/strset.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/linker.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/gen_loader.o
CC /home/t/src/TripleCross/src/.output//libbpf/staticobjs/relo_core.o
AR /home/t/src/TripleCross/src/.output//libbpf/libbpf.a
INSTALL bpf.h libbpf.h btf.h libbpf_common.h libbpf_legacy.h xsk.h bpf_helpers.h bpf_helper_defs.h bpf_tracing.h bpf_endian.h bpf_core_read.h skel_internal.h libbpf_version.h
INSTALL /home/t/src/TripleCross/src/.output//libbpf/libbpf.pc
INSTALL /home/t/src/TripleCross/src/.output//libbpf/libbpf.a
BPF .output/kit.bpf.o
GEN-SKEL .output/kit.skel.h
libbpf: elf: skipping unrecognized data section(28) .rodata.str1.1
CC .output/kit.o
CC /home/t/src/TripleCross/src/user/include/modules/module_manager.o
BINARY kit
/sbin/ld: /home/t/src/TripleCross/src/user/include/modules/module_manager.o: in function `attach_xdp_receive':
/home/t/src/TripleCross/src/user/include/modules/xdp.h:37: undefined reference to `bpf_get_link_xdp_id'
collect2: error: ld returned 1 exit status
make: *** [Makefile:102: kit] Error 1
rm .output/kit.bpf.o
I did a little bit of digging around and found it changed here:
libbpf/libbpf@8fbe7ee#diff-5fcfe04c9d2ca76e41ade16dc6283ffc7723ed4da4e209153a776bee4a86abadL359
Work still needs to be done with respect to reloading single modules (right now there's only install on, but the base is there)