Some stuff about evil ebpf Prog for container.

Note that the following ebpf progs are not panacea for every different scenarios.

From my point of view, these sorts of bpf-kits are able to be used in Post-Container Penetration in Cloud-Native Environment. Image that the attackers gain full control of a special container which has the capability SYS_ADMIN or BPF in Cluster Environment. The next step is to extend the results of the attack using the Eebpf-kit. Whilst, unfortunately, there are several applications running in the container needs the correspoding capabilities. For instance: cilium , Falco ,

Thanks to https://github.com/libbpf/libbpf-bootstrap , which is a really awesome Project.

And I wrote all of my codes based on libbpf-bootstrap.

I deem that U are able to find my codes in /root/Eebpf-kit/libbpf-bootstrap/examples/c

• Eebpf-kit/libbpf-bootstrap/examples/c/hello is a specific implementation for eBPF prog to inject CMD from container to host. And is able to achieve the following effects:

From SYS_BPF container to inject CMD which can be executed as ROOT user.

Inspired by Tencent TEG Blue Team

• Eebpf-kit/libbpf-bootstrap/examples/c/sshd is a specific implementation for eBPF prog to attack and hijack SSHD, resulting in some malicious attacks.

We can inject an inexistent evil user to login now, notice the EVIL_PASSWD in esshd.bpf.c

And there are two different but correspoding modes. For EVIL_SHADOW and EVIL_PASSWD are both able to be reviewed.

• Eebpf-kit/libbpf-bootstrap/examples/c/kprobe and Eebpf-kit/libbpf-bootstrap/examples/c/spray are two correspoding files, for the sake of implementing the information leakage.

The prerequisite is akin to the hello