boopkit v1.4.1 releases: Linux eBPF backdoor over TCP
Boopkit
Linux backdoor, rootkit, and eBPF bypass tools. Remote command execution over raw TCP.
- Tested on Linux kernel 5.16
- Tested on Linux kernel 5.17
- Remote code execution over TCP (SSH, Nginx, Kubernetes, etc.)
- Network gateway bypass (bad checksums, TCP reset)
- Self obfuscation at runtime (eBPF process hiding)
Boop Vectors
Boopkit responds to two kinds of network event, both of which can be triggered with the boopkit-boop tool.
[Figure: TCP Header Format, taken from RFC 793, September 1981]
1. Bad Checksum
First, the boopkit-boop tool sends a malformed TCP SYN packet with an empty checksum to the server over a SOCK_RAW socket. This triggers boopkit remotely on any Linux server running it, regardless of which TCP services are running or what state they are in.
Use -p with boopkit-boop to only use this first vector.
⚠️ Some modern network hardware will DROP all malformed checksum packets such as the one required to exploit boopkit using this vector!
2. Sending ACK-RST packet
Next, the boopkit-boop tool completes a valid TCP handshake with a SOCK_STREAM socket against a remote TCP service such as SSH, Kubernetes, Nginx, etc. After the initial TCP handshake is complete, boopkit-boop repeats the process a second time. The second handshake flips the TCP reset flag in the packet and triggers a TCP reset on the server.
Either of these tactics is enough to trigger boopkit on its own. Various network hardware and runtime conditions will make one tactic or the other more viable. Boopkit tries both by default.
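Added example, not part of boopkit or of this release note: a defender-side check for the first vector. It verifies the RFC 793 TCP checksum of a segment over the IPv4 pseudo-header and flags a SYN whose on-the-wire checksum does not verify, which is the condition that fires the tcp_bad_csum tracepoint the probe listens on. The addresses, ports and both sample segments are constructed test inputs, not captured traffic.

```python
import struct
import ipaddress

TCP_PROTO = 6

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum used by the IP/TCP checksum (RFC 793 / RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum a TCP segment over the IPv4 pseudo-header, with the checksum field treated as zero."""
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, TCP_PROTO, len(segment)))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF

def inspect_segment(src: str, dst: str, segment: bytes) -> dict:
    """Parse the fixed 20-byte TCP header and report whether the wire checksum verifies."""
    sport, dport, _seq, _ack, off_flags, _win, csum, _urg = struct.unpack("!HHIIHHHH", segment[:20])
    flags = off_flags & 0x1FF  # low 9 bits: NS, CWR, ECE, URG, ACK, PSH, RST, SYN, FIN
    return {
        "sport": sport, "dport": dport,
        "syn": bool(flags & 0x02), "rst": bool(flags & 0x04),
        "wire_csum": csum, "csum_ok": csum == tcp_checksum(src, dst, segment),
    }

def build_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Constructed sample: a minimal SYN with a correct checksum (test input only)."""
    header = struct.pack("!HHIIHHHH", sport, dport, 1000, 0, (5 << 12) | 0x02, 65535, 0, 0)
    return header[:16] + struct.pack("!H", tcp_checksum(src, dst, header)) + header[18:]

# Constructed endpoints (RFC 5737 documentation addresses).
SRC, DST = "192.0.2.10", "198.51.100.20"
GOOD_SYN = build_syn(SRC, DST, 40000, 22)
# The same SYN with the checksum field left empty: what the host's tcp_bad_csum tracepoint would see.
EMPTY_CSUM_SYN = GOOD_SYN[:16] + b"\x00\x00" + GOOD_SYN[18:]

def flag_bad_checksum(src: str, dst: str, segment: bytes) -> bool:
    """Detection rule: a SYN whose checksum does not verify is worth an alert."""
    info = inspect_segment(src, dst, segment)
    return info["syn"] and not info["csum_ok"]

if __name__ == "__main__":
    for name, seg in (("good", GOOD_SYN), ("empty-checksum", EMPTY_CSUM_SYN)):
        print(name, inspect_segment(SRC, DST, seg), "ALERT" if flag_bad_checksum(SRC, DST, seg) else "ok")
```

On a live host the same rule can be applied to the saddr/flags reported by the tcp:tcp_bad_csum tracepoint itself, since the kernel has already done the checksum verification at that point.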
Components
| eBPF Probe | Malicious Userspace Program | Remote Trigger |
|---|---|---|
| Responsible for sending tracepoint/tcp/tcp_bad_csum events to userspace | Persistent process in Linux that does the dirty work | Remote way to trigger the RCE over a network and TCP server |
eBPF Probe
Can be loaded into the kernel at runtime using the userspace loader program. The probe responds to tcp/tcp_bad_csum events and will pass the saddr (Source Address) up to userspace using an eBPF map.
Loader Program
This is the malicious program that will respond to the bad checksum packets sent to the server. Whenever a malicious packet is sent, the loader program responds with remote code execution.
Trigger/Remote
The trigger binary is a small C program that will send a malformed SYN request without a properly calculated checksum to the server.
The remote script wraps the trigger and will use netcat to listen for a reverse shell.
eBPF and Loader Compile-Time Dependencies
- `clang`
- `linux-headers`
- `llvm`
- `libbpf`
- `lib32-glibc`
Boopkit runtime dependencies
- Linux kernel with eBPF enabled/supported
- Ncat running on the server
- Root access 🙂
Changelog v1.4.1
- Improved interface packet parsing (raised ring buffer size)
- Fixed clearing eBPF objects from queue
- Debugging symbols in boopkit for gdb
- Added `-p` flag for protect mode (will NOT execute RCE), useful for debugging
Install & Use
Copyright (C) 2022 kris-nova