Build successfully but fail to run ebpfkit #4

Open
brant-ruan opened this issue Sep 23, 2021 · 2 comments

@brant-ruan

Hello, nice rootkit!

I built it successfully on my env:

  • Ubuntu 21.04
  • clang/llvm 11.0.1
  • kernel: 5.11.0-36-generic

But when I run ./ebpfkit, it exits with an error:

➜ ./ebpfkit
Error: couldn't start: couldn't start main manager: couldn't init main manager: couldn't load eBPF programs: program xdp/ingress/syn_loop: can't load program: invalid argument: 0: (bf) r6 = r1
1: (b7) r9 = 2
2: (61) r1 = *(u32 *)(r6 +4)
3: (61) r8 = *(u32 *)(r6 +0)
4: (bf) r2 = r8
5: (07) r2 += 14
6: (2d) if r2 > r1 goto pc+358
 R1_w=pkt_end(id=0,off=0,imm=0) R2_w=pkt(id=0,off=14,r=14,imm=0) R6_w=ctx(id=0,off=0,imm=0) R8_w=pkt(id=0,off=0,r=14,imm=0) R9_w=inv2 R10=fp0
7: (15) if r8 == 0x0 goto pc+357
 R1_w=pkt_end(id=0,off=0,imm=0) R2_w=pkt(id=0,off=14,r=14,imm=0) R6_w=ctx(id=0,off=0,imm=0) R8_w=pkt(id=0,off=0,r=14,imm=0) R9_w=inv2 R10=fp0
8: (71) r3 = *(u8 *)(r8 +12)
9: (71) r4 = *(u8 *)(r8 +13)
10: (67) r4 <<= 8
11: (4f) r4 |= r3
12: (55) if r4 != 0x8 goto pc+352
 R1=pkt_end(id=0,off=0,imm=0) R2=pkt(id=0,off=14,r=14,imm=0) R3=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R4=inv8 R6=ctx(id=0,off=0,imm=0) R8=pkt(id=0,off=0,r=14,imm=0) R9=inv2 R10=fp0
13: (bf) r7 = r8
14: (07) r7 += 34
15: (2d) if r7 > r1 goto pc+349
 R1=pkt_end(id=0,off=0,imm=0) R2=pkt(id=0,off=14,r=34,imm=0) R3=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R4=inv8 
......
Usage:
  ebpfkit [flags]

Flags:
      --append                        (file override feature only) when set, the content of the source file will be appended to the content of the target file
      --comm string                   (file override feature only) comm of the process for which the file override should apply
      --disable-bpf-obfuscation       when set, ebpfkit will not hide itself from the bpf syscall
      --disable-network-probes        when set, ebpfkit will not try to load its network related probes
      --docker string                 path to the Docker daemon executable (default "/usr/bin/dockerd")
  -e, --egress string                 egress interface name (default "enp0s3")
  -h, --help                          help for ebpfkit
  -i, --ingress string                ingress interface name (default "enp0s3")
  -l, --log-level string              log level, options: panic, fatal, error, warn, info, debug or trace (default "info")
      --postgres string               path to the Postgres daemon executable (default "/usr/lib/postgresql/12/bin/postgres")
      --src string                    (file override feature only) source file which content will be used to override the content of the target file
      --target string                 (file override feature only) target file to override
  -p, --target-http-server-port int   Target HTTP server port used for Command and Control (default 8000)
      --webapp-rasp string            path to the webapp on which the RASP is installed

Have you come across such issues? Any helpful suggestions? Thanks : )

@Gui774ume
Owner

Gui774ume commented Sep 25, 2021

Hey @brant-ruan 👋🏻

Thank you for the heads up! I had a really quick look, and I can confirm it doesn't build on Ubuntu Hirsute for me either:

from 3278 to 170: R0=pkt(id=0,off=49,r=54,imm=0) R1=pkt(id=0,off=50,r=-2,imm=0) R2=pkt(id=0,off=0,r=54,imm=0) R3=pkt_end(id=0,off=0,imm=0) R4_w=inv(id=17) R5_w=inv(id=17) R6=ctx(id=0,off=0,imm=0) R7=inv(id=8) R8=inv(id=0) R9=inv(id=5) R10=fp0 fp-8=mmmmmmmm
170: (bf) r2 = r4
171: (57) r2 &= 65535
172: (77) r4 >>= 16
173: (57) r4 &= 65535
174: (0f) r4 += r2
175: (bf) r2 = r4
176: (77) r2 >>= 16
177: (0f) r2 += r4
178: (a7) r2 ^= -1
179: (dc) r2 = be16 r2
180: (6b) *(u16 *)(r1 +0) = r2
R1 offset is outside of the packet
processed 9179 insns (limit 1000000) max_states_per_insn 1 total_states 261 peak_states 261 mark_read 242

Looking at the error, it seems that xdp/ingress/syn_loop is attempting to access the packet at an offset that is potentially outside of the packet. I'll try to have a look this week, but no guarantees: we built the rootkit with the intent of demoing a PoC, we don't really expect the code we wrote to work on any other setup than the one we used for testing (= Ubuntu Focal) 😅
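What the verifier is enforcing in both logs above, as an added example that is not part of this issue or of the ebpfkit code: an XDP packet rewrite written with the bounds-check pattern the verifier accepts, declared with local copies of the header structs so it compiles and runs as plain C on a constructed packet. The function name xdp_ttl_rewrite and the TTL-decrement rewrite are my own choices for illustration, not anything from the project.

```c
/* Added example, not ebpfkit code: the bounds-check discipline the eBPF verifier
 * enforces. Structs and XDP constants are declared locally so this compiles as
 * plain C; real XDP code takes them from <linux/bpf.h> etc. and adds SEC("xdp"). */
#include <stdint.h>

enum { XDP_DROP = 1, XDP_PASS = 2, XDP_TX = 3 };
#define ETH_P_IP 0x0800
#if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__
#define htons(x) __builtin_bswap16(x)
#else
#define htons(x) (x)
#endif
struct ethhdr { uint8_t h_dest[6], h_source[6]; uint16_t h_proto; } __attribute__((packed));
struct iphdr  { uint8_t ihl_version, tos; uint16_t tot_len, id, frag_off; uint8_t ttl, protocol;
                uint16_t check; uint32_t saddr, daddr; } __attribute__((packed));

/* Ones-complement checksum over `len` bytes of IPv4 header; 0 means valid. */
uint16_t ipv4_header_sum(const void *hdr, uint32_t len)
{
    const uint16_t *w = hdr;
    uint32_t sum = 0;
    for (uint32_t i = 0; i < len / 2; i++) sum += w[i];
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* XDP verdict for the packet in [data, data_end): decrement the IPv4 TTL and
 * patch the checksum the way the kernel's ip_decrease_ttl() does. Each
 * dereference follows a compare of the pointer actually used against data_end;
 * that proof is what "R1 offset is outside of the packet" reports as missing. */
int xdp_ttl_rewrite(void *data, void *data_end)
{
    struct ethhdr *eth = data;
    if ((void *)(eth + 1) > data_end)      /* 14-byte Ethernet header present? */
        return XDP_PASS;
    if (eth->h_proto != htons(ETH_P_IP))   /* the "if r4 != 0x8" test in the log */
        return XDP_PASS;
    struct iphdr *ip = (void *)(eth + 1);
    if ((void *)(ip + 1) > data_end)       /* fixed 20-byte IPv4 header present? */
        return XDP_PASS;
    if (ip->ttl <= 1)                      /* would expire in flight: drop */
        return XDP_DROP;
    /* A 16-bit store into the packet, like the one rejected at insn 180 in the
     * log, is accepted only because `ip` was bounds-checked right above. */
    uint32_t csum = ip->check + htons(0x0100);
    ip->check = (uint16_t)(csum + (csum >= 0xffff));
    ip->ttl--;
    return XDP_TX;
}
```

Every branch that touches the packet compares the exact pointer it is about to dereference against data_end; a check on one pointer does not carry over to another pointer derived from it, which is why the verifier rejects a store through a register it cannot bound.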

@brant-ruan
Author

brant-ruan commented Sep 26, 2021

Hi @Gui774ume , thanks for replying. OK, I will try to figure out how to fix it as well.
