Linux eBPF backdoor over TCP. Spawn reverse shells, RCE, on prior privileged access. Less Honkin, More Tonkin.
APACHE-2.0 License
Memory improvements (fixed segmentation fault), thanks bl4sty for the help.
-p flag for protect mode (will NOT execute RCE), useful for debugging.
Published by krisnova over 2 years ago
More improvements to code (docs, stability, etc.)
-x for SYN only mode (which is what I will use in my demo)
Published by krisnova over 2 years ago
Boopkit is flipping the logic around. I am trying to move the toolchain to be a little more useful to the end user. By default it will no longer do a reverse dial for an RCE string. It will search for it in the packet buffer, or it will do nothing. However, there is a new flag (-r) that can be passed to both the client and the server that will support a reverse dial. A reverse dial is substantially more stable; however, it has a lot of implications.
Published by krisnova over 2 years ago
Better packet filtering for -p. Boopkit is now running stable with full RCE using only -p for both the client and the server. Also made improvements to the deep packet inspection mechanism, which will increase stability of the rootkit.
Published by krisnova over 2 years ago
Adding a very important "halt" command.
-9, halt/kill: Halt or kill the boopkit malware on a server.
Running remotely:
[nova@emily]: ~/boopkit>$ sudo -E boopkit-boop -9
================================================================
[BOOPKIT ASCII-art banner]
Author: Kris Nóva <[email protected]> Version 1.2.0
IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES.
DO NOT ATTEMPT TO USE THE TOOLS TO VIOLATE THE LAW.
THE AUTHOR IS NOT RESPONSIBLE FOR ANY ILLEGAL ACTION.
MISUSE OF THE SOFTWARE, INFORMATION, OR SOURCE CODE
MAY RESULT IN CRIMINAL CHARGES.
Use at your own risk.
================================================================
-> *[RCE] : X*x.HALT.x**X
-> *[Local] : 127.0.0.1:3535
-> *[Remote] : 127.0.0.1:22
-> *[Payload] : (RCE, *bad csum) SYN only!
================================================================
-> [090 bytes] TX SYN : 127.0.0.1:22 (RCE, *bad csum)
================================================================
Published by krisnova over 2 years ago
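The halt packet in the session above is a bare SYN that carries a payload and a deliberately bad TCP checksum, and that structural combination is what a defender can look for, since a legitimate SYN carries no data. The following is an added stand-alone detection example, not Boopkit code: it parses a raw IPv4/TCP packet, verifies the TCP checksum against the pseudo-header, and flags SYN-only segments that carry data; the sample packet (assumed addresses 10.0.0.1:3535 to 10.0.0.2:22) is constructed in memory by an assumed helper.

```python
import socket
import struct


def tcp_checksum(src, dst, segment):
    """RFC 793 one's-complement sum over the IPv4 pseudo-header and segment.
    Computed over a segment with its checksum field still in place, a valid
    segment yields 0."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment)) + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # end-around carry
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def inspect_ipv4_tcp(pkt):
    """Return a list of anomaly strings for one raw IPv4 packet (empty = clean)."""
    if pkt[9] != 6:  # protocol field: only TCP is inspected
        return []
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    src, dst = pkt[12:16], pkt[16:20]
    tcp = pkt[ihl:total_len]
    doff = (tcp[12] >> 4) * 4
    flags = tcp[13] & 0x3F  # URG ACK PSH RST SYN FIN
    payload = tcp[doff:]
    findings = []
    if flags == 0x02 and payload:  # a bare SYN should carry no data
        findings.append("SYN-only segment carries %d payload bytes" % len(payload))
    if tcp_checksum(src, dst, tcp) != 0:
        findings.append("bad TCP checksum")
    return findings


def make_sample_packet(payload=b"", corrupt_checksum=False):
    """Constructed in-memory sample (assumed 10.0.0.1:3535 -> 10.0.0.2:22, SYN only).
    The IP header checksum is left zero since only the TCP layer is inspected."""
    src, dst = socket.inet_aton("10.0.0.1"), socket.inet_aton("10.0.0.2")
    hdr = struct.pack("!HHIIBBHHH", 3535, 22, 0x1234, 0, 5 << 4, 0x02, 65535, 0, 0)
    csum = tcp_checksum(src, dst, hdr + payload)
    if corrupt_checksum:
        csum ^= 0x00FF  # cannot land on the one's-complement twin of the right value
    tcp = hdr[:16] + struct.pack("!H", csum) + hdr[18:] + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0, src, dst)
    return ip + tcp
```

Feeding the same checks to packets taken off a capture file lets you count how often SYN-only data segments or checksum failures occur on a host, which is normally close to never.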
A slightly less hacky version of the program. This now supports a "single SYN" mode! There is also a really terrible multithreaded ring buffer for pcap packet captures that probably should never be run by anyone.
Major features
-p for "payload-only" mode. This means that boopkit will NOT reverse dial for an RCE payload. It only searches using DPI.
-c for boopkit-boop commands (moving from -x)
libpcap until we have time for a proper XDP integration. We have an interface for now.
Published by krisnova over 2 years ago
Mostly a cosmetic and userspace runtime improvement release.
tplist to generate structs
Published by krisnova over 2 years ago
This tag is the first release of boopkit!
-x feature for noisy localhost
Tested on 5.16 and 5.17 kernels running Archlinux.