Gui774ume/ebpfkit

Build successfully but fail to run `ebpfkit`

brant-ruan opened this issue · 2 comments

Hello, nice rootkit!

I built it successfully on my env:

  • Ubuntu 21.04
  • clang/llvm 11.0.1
  • kernel: 5.11.0-36-generic

But when I run ./ebpfkit, it exits with an error:

➜ ./ebpfkit
Error: couldn't start: couldn't start main manager: couldn't init main manager: couldn't load eBPF programs: program xdp/ingress/syn_loop: can't load program: invalid argument: 0: (bf) r6 = r1
1: (b7) r9 = 2
2: (61) r1 = *(u32 *)(r6 +4)
3: (61) r8 = *(u32 *)(r6 +0)
4: (bf) r2 = r8
5: (07) r2 += 14
6: (2d) if r2 > r1 goto pc+358
 R1_w=pkt_end(id=0,off=0,imm=0) R2_w=pkt(id=0,off=14,r=14,imm=0) R6_w=ctx(id=0,off=0,imm=0) R8_w=pkt(id=0,off=0,r=14,imm=0) R9_w=inv2 R10=fp0
7: (15) if r8 == 0x0 goto pc+357
 R1_w=pkt_end(id=0,off=0,imm=0) R2_w=pkt(id=0,off=14,r=14,imm=0) R6_w=ctx(id=0,off=0,imm=0) R8_w=pkt(id=0,off=0,r=14,imm=0) R9_w=inv2 R10=fp0
8: (71) r3 = *(u8 *)(r8 +12)
9: (71) r4 = *(u8 *)(r8 +13)
10: (67) r4 <<= 8
11: (4f) r4 |= r3
12: (55) if r4 != 0x8 goto pc+352
 R1=pkt_end(id=0,off=0,imm=0) R2=pkt(id=0,off=14,r=14,imm=0) R3=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R4=inv8 R6=ctx(id=0,off=0,imm=0) R8=pkt(id=0,off=0,r=14,imm=0) R9=inv2 R10=fp0
13: (bf) r7 = r8
14: (07) r7 += 34
15: (2d) if r7 > r1 goto pc+349
 R1=pkt_end(id=0,off=0,imm=0) R2=pkt(id=0,off=14,r=34,imm=0) R3=inv(id=0,umax_value=255,var_off=(0x0; 0xff)) R4=inv8 
......
Usage:
  ebpfkit [flags]

Flags:
      --append                        (file override feature only) when set, the content of the source file will be appended to the content of the target file
      --comm string                   (file override feature only) comm of the process for which the file override should apply
      --disable-bpf-obfuscation       when set, ebpfkit will not hide itself from the bpf syscall
      --disable-network-probes        when set, ebpfkit will not try to load its network related probes
      --docker string                 path to the Docker daemon executable (default "/usr/bin/dockerd")
  -e, --egress string                 egress interface name (default "enp0s3")
  -h, --help                          help for ebpfkit
  -i, --ingress string                ingress interface name (default "enp0s3")
  -l, --log-level string              log level, options: panic, fatal, error, warn, info, debug or trace (default "info")
      --postgres string               path to the Postgres daemon executable (default "/usr/lib/postgresql/12/bin/postgres")
      --src string                    (file override feature only) source file which content will be used to override the content of the target file
      --target string                 (file override feature only) target file to override
  -p, --target-http-server-port int   Target HTTP server port used for Command and Control (default 8000)
      --webapp-rasp string            path to the webapp on which the RASP is installed

Have you come across such issues? Any helpful suggestions? Thanks : )

Hey @brant-ruan 👋🏻

Thank you for the heads up! I had a really quick look, and I can confirm it doesn't build on Ubuntu Hirsute for me either:

from 3278 to 170: R0=pkt(id=0,off=49,r=54,imm=0) R1=pkt(id=0,off=50,r=-2,imm=0) R2=pkt(id=0,off=0,r=54,imm=0) R3=pkt_end(id=0,off=0,imm=0) R4_w=inv(id=17) R5_w=inv(id=17) R6=ctx(id=0,off=0,imm=0) R7=inv(id=8) R8=inv(id=0) R9=inv(id=5) R10=fp0 fp-8=mmmmmmmm
170: (bf) r2 = r4
171: (57) r2 &= 65535
172: (77) r4 >>= 16
173: (57) r4 &= 65535
174: (0f) r4 += r2
175: (bf) r2 = r4
176: (77) r2 >>= 16
177: (0f) r2 += r4
178: (a7) r2 ^= -1
179: (dc) r2 = be16 r2
180: (6b) *(u16 *)(r1 +0) = r2
R1 offset is outside of the packet
processed 9179 insns (limit 1000000) max_states_per_insn 1 total_states 261 peak_states 261 mark_read 242

Looking at the error, it seems that xdp/ingress/syn_loop is attempting to access the packet at an offset that is potentially outside of the packet. I'll try to have a look this week, but no guarantees: we built the rootkit with the intent of demoing a PoC; we don't really expect the code we wrote to work on any other setup than the one we used for testing (= Ubuntu Focal) 😅
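The verifier message quoted above ("R1 offset is outside of the packet" for a 2-byte store at packet offset 50) is the kernel refusing a packet access whose upper bound it could not prove against `data_end`. The following is an added, userspace C illustration of the rule the verifier enforces; it is not ebpfkit's code and does not use BPF headers. The 54-byte Ethernet/IPv4/TCP frame is constructed here, and the names `in_packet`, `parse_syn`, `struct syn_info` and the `sample_*` wrappers are all assumptions made for this example. The point it demonstrates is that each deeper access needs its own bound check: proving 34 bytes are present licenses reading the IP header, but not a load or store at offset 50.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define ETH_HLEN   14
#define IPV4_HLEN  20
#define TCP_HLEN   20
#define ETH_P_IP   0x0800
#define IPPROTO_TCP_NUM 6

/* Constructed sample frame (not captured from anything): Ethernet + minimal IPv4 +
 * minimal TCP SYN. The TCP checksum field (0x1234) sits at bytes 50..51, the same
 * offset the verifier log in this issue complains about. */
static const uint8_t sample_frame[54] = {
    /* Ethernet: dst, src, ethertype 0x0800 */
    0xff,0xff,0xff,0xff,0xff,0xff, 0x02,0x00,0x00,0x00,0x00,0x01, 0x08,0x00,
    /* IPv4: ihl=5, total length 40, proto 6 (TCP), 10.0.0.1 -> 10.0.0.2 */
    0x45,0x00,0x00,0x28, 0x00,0x01,0x40,0x00, 0x40,0x06,0x00,0x00,
    0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02,
    /* TCP: sport 12345, dport 80, seq 0, ack 0, doff=5, flags SYN, window, csum, urg */
    0x30,0x39, 0x00,0x50, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00,
    0x50,0x02, 0xff,0xff, 0x12,0x34, 0x00,0x00,
};

struct syn_info {
    uint16_t ethertype;
    uint8_t  ip_proto;
    uint8_t  tcp_flags;
    uint16_t tcp_csum;
};

/* Models the check the verifier requires before every packet load/store:
 * the whole window [ptr, ptr+len) must lie inside [data, data_end). */
static int in_packet(const uint8_t *ptr, size_t len,
                     const uint8_t *data, const uint8_t *data_end)
{
    if (ptr < data || ptr > data_end)
        return 0;
    return (size_t)(data_end - ptr) >= len;
}

/* Walks Ethernet -> IPv4 -> TCP, re-checking bounds at each layer.
 * Returns 0 on success, 1 if not IPv4, 2 if not TCP, and a negative value
 * naming the layer at which the packet was too short (-1 eth, -2 ip, -3 tcp). */
int parse_syn(const uint8_t *data, size_t len, struct syn_info *out)
{
    const uint8_t *data_end = data + len;

    const uint8_t *eth = data;
    if (!in_packet(eth, ETH_HLEN, data, data_end))
        return -1;
    out->ethertype = (uint16_t)((eth[12] << 8) | eth[13]);
    if (out->ethertype != ETH_P_IP)
        return 1;

    const uint8_t *ip = eth + ETH_HLEN;
    if (!in_packet(ip, IPV4_HLEN, data, data_end))
        return -2;
    out->ip_proto = ip[9];
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < IPV4_HLEN)            /* malformed header length */
        return -2;
    if (out->ip_proto != IPPROTO_TCP_NUM)
        return 2;

    /* The check above only proved ETH_HLEN + IPV4_HLEN bytes. Touching the TCP
     * checksum at offset 50 needs its own proof that 20 more bytes exist;
     * skipping this check is exactly what the verifier rejects. */
    const uint8_t *tcp = ip + ihl;
    if (!in_packet(tcp, TCP_HLEN, data, data_end))
        return -3;
    out->tcp_flags = tcp[13];
    out->tcp_csum  = (uint16_t)((tcp[16] << 8) | tcp[17]);
    return 0;
}

/* Wrappers that run the parser over the sample frame truncated to `len` bytes. */
int sample_status(size_t len)
{
    struct syn_info i = {0};
    if (len > sizeof sample_frame) return -99;
    return parse_syn(sample_frame, len, &i);
}

int sample_csum(size_t len)
{
    struct syn_info i = {0};
    if (len > sizeof sample_frame) return -99;
    parse_syn(sample_frame, len, &i);
    return i.tcp_csum;
}

int main(void)
{
    size_t lens[] = {54, 40, 20, 10};
    for (size_t k = 0; k < sizeof lens / sizeof lens[0]; k++)
        printf("len=%zu status=%d csum=0x%04x\n",
               lens[k], sample_status(lens[k]), sample_csum(lens[k]));
    return 0;
}
```

Truncating the same frame to 40 bytes passes the Ethernet and IP checks but fails the TCP one, which is the userspace analogue of the verifier state in the log: a pointer at offset 50 with no proven range (`r=-2`) even though an earlier register had 54 bytes proven.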

Hi @Gui774ume, thanks for replying. OK, I will try to figure out how to fix it as well.