Paolo Ardoino - ideas, programming, web and more... » Linux

Kernel Socks Bouncer – linux anonymous connections

Paolo Ardoino — Wed, 12 Mar 2008 07:00:58 +0000

ksb26 ( Kernel Socks Bouncer ) is a Linux Kernel 2.6.x Loadable Kernel Module that hijacks tcp connections (to user-defined target hosts) through socks 5 servers chains.
ksb26 works as an hidden layer that adds anonymity to software that doesn’t support anonymous connections.

ksb26 is divided into a lkm ( Linux Loadable Kernel Module ) and a userspace manager which communicate via a character device.
- ksb26 lkm intercepts and redirects tcp connections.
- ksb26manager keeps updated socks and target-hosts lists.

Version: 0.0.4
Website: http://ksb.sourceforge.net

Learn more about hijacking system calls in Linux 2.6 kernel.

Hijacking Linux kernel 2.6 sys_connect system call

Paolo Ardoino — Fri, 28 Oct 2005 07:00:00 +0000

In Linux-2.4.x kernel it was very simple create an lkm to hijack the sys_connect system call using the exported symbol:

1	extern void *sys_call_table[];

So, it is very simple to substitute the pointer to another system call, the one we have created!

static inline _syscall1(int,close,int,fd);
int ( * o_socketcall) (int, unsigned long *);
int my_socketcall (int, unsigned long *);
o_socketcall = sys_call_table[SYS_socketcall]; //saving original pointer
sys_call_table[SYS_socketcall] = (void *)my_socketcall; //hijacking system call
sys_call_table[SYS_socketcall] = (void *)o_socketcall; //restoring original syscall

( Read Phrack n.50 to learn more about system call hijacking in Linux-2.4.x kernels )

In Linux-2.6.x kernels the sys_call_table symbol is no more exported for security and stability reasons. So how can we hijack connections?Here is the solution I use in Kernel Socks Bouncer and it works very well!

//Use this to restore original conditions
static int unpatch_unix_stream_connect(void)
{
	if (unix_stream_ops && orig_unix_stream_connect) {
		unix_stream_ops->connect = orig_unix_stream_connect;
		return 0;
	}
	return -1;
}
 
//Use this to substitute your connect to the original
static int patch_unix_stream_connect(void)
{
	struct socket *sock_stream = NULL;
	if (sock_create(2, 1, 0, &sock_stream) < 0)
		return -1;
if (sock_stream &&
(unix_stream_ops = sock_stream->ops)) {
		orig_unix_stream_connect = unix_stream_ops->connect;
		unix_stream_ops->connect = ksb26_unix_stream_connect;
		sock_release(sock_stream);
	}
	return 0;
}

This function causes the use of ksb26_unix_stream_connect instead of the real connect; as in 2.4 kernel we have to save the pointer to the original call and then we can push our call!

Simple file encrypter/decrypter ( DES / Blowfish / IDEA / MD5 / RSA algorithms )

Paolo Ardoino — Sun, 07 Mar 2004 07:00:01 +0000

UNISFED is a simple file encrypter / decrypter that supports DES / Blowfish / IDEA / MD5 / RSA algorithms based on OpenSSL libraries.

Version: 0.1

Download the code

Some code chunks

/* DES
 * If mode = DES_ENCRYPT encrypts *filein file with DES algorithm
 * If mode = DES_DECRYPT decrypts *filein file with DES algorithm
 * output is written in *fileout file
 * Returns 1 if the function runs successfully
 * Works on 8 bytes blocks
 *
 */
void des_encrypt_decrypt(int mode, char *filein, char *fileout)
{
        FILE *fpin,*fpout;
        char buf[MAXPASSLEN];
        des_cblock key,inmsg,outmsg; /* key, plaintext, ciphertext must be 8 byte blocks */
        des_key_schedule sched;
 
        if (strcmp(filein,fileout) == 0) {
                fprintf(stderr,"Error: input and output files must not be the same file.\n");
                exit(EXIT_FAILURE);
        }
        /* des_read_pw_string reads password from stdin and stores it in buf */
        /* this function automatically asks to re-enter password and checks it */
        memset(buf,'\0',MAXPASSLEN);
        if (mode == DES_ENCRYPT) {
                printf("Encrypting file '%s' with des cipher.\n",filein);
                if (des_read_pw_string(buf,MAXPASSLEN - 1,"Enter the password:\n",1) != 0) {
                        fprintf(stderr,"Error: failed to read password.\n");
                        exit(EXIT_FAILURE);
                }
        } else {
                printf("Decrypting file '%s' with des cipher.\n",filein);
                if (des_read_pw_string(buf,MAXPASSLEN - 1,"Enter the password:\n",0) != 0) {
                        fprintf(stderr,"Error: failed to read password.\n");
                        exit(EXIT_FAILURE);
                }
        }
        /* des_string to key convers the password to a key */
        des_string_to_key(buf,&key);
        /* des_set_key_checked checks that a key passed in of odd parity and set up the key schedule */
        des_set_key_checked(&key,sched);
        fpin = fopen(filein,"r");
        if ((fpout = fopen(fileout,"w")) == NULL) {
                fprintf(stderr,"Error: failed to open output file.\n");
                exit(EXIT_FAILURE);
        }
        /* reads 8 bytes at a time(block=8bytes),encrypts/decrypts each block with ecb */
        while (fread(inmsg,1,8,fpin)) {
                memset(outmsg,'\0',8);
                des_ecb_encrypt(&inmsg,&outmsg,sched,mode);
                fwrite(outmsg,1,8,fpout);
                memset(inmsg,'\0',8);
        }
        fclose(fpin);
        fclose(fpout);
        printf("Done.\n");
        return;
}
 
/* Blowfish
 * If mode = BF_ENCRYPT encrypts *filein file with Blowfish algorithm
 * If mode = BF_DECRYPT decrypts *filein file with Blowfish algorithm
 * output is written in *fileout file
 * Returns 1 if the function runs successfully
 * Works on 8 bytes blocks
 *
 */
void bf_encrypt_decrypt(int mode, char *filein, char *fileout)
{
        FILE *fpin,*fpout;
        char buf[MAXPASSLEN];
        unsigned char inmsg[8],outmsg[8]; /* blowfish operates on 8 byte blocks */
        BF_KEY key;
 
        if (strcmp(filein,fileout) == 0) {
                fprintf(stderr,"Error: input and output files must not be the same file.\n");
                exit(EXIT_FAILURE);
        }
        /* reads password from stdin using the same function used for des passwords */
        memset(buf,'\0',MAXPASSLEN);
        if (mode == BF_ENCRYPT) {
                printf("Encrypting file '%s' with BlowFish cipher.\n",filein);
                if (des_read_pw_string(buf,MAXPASSLEN - 1,"Enter the password:\n",1) != 0) {
                        fprintf(stderr,"Error: failed to read password.\n");
                        exit(EXIT_FAILURE);
                }
        } else {
                printf("Decrypting file '%s' with BlowFish cipher.\n",filein);
                if (des_read_pw_string(buf,MAXPASSLEN - 1,"Enter the password:\n",0) != 0) {
                        fprintf(stderr,"Error: failed to read password.\n");
                        exit(EXIT_FAILURE);
                }
        }
        /* set up the key using password stored in buf from des_read_pw_string */
        BF_set_key(&key,strlen(buf),buf);
        fpin = fopen(filein,"r");
        if ((fpout = fopen(fileout,"w")) == NULL) {
                fprintf(stderr,"Error: failed to open output file.\n");
                exit(EXIT_FAILURE);
        }
        /* reads 8 bytes at a time(block=8bytes),encrypts/decrypts each block with ecb */
        while (fread(inmsg,1,8,fpin)) {
                memset(outmsg,'\0',8);
                BF_ecb_encrypt(inmsg,outmsg,&key,mode);
                fwrite(outmsg,1,8,fpout);
                memset(inmsg,'\0',8);
        }
        fclose(fpin);
        fclose(fpout);
        printf("Done.\n");
        return;
}