Notes on evil eBPF programs for containers.
Note that the following eBPF programs are not a panacea for every scenario.
From my point of view, these sorts of BPF kits can be used for post-container penetration in a cloud-native environment. Imagine that an attacker gains full control of a particular container that holds the SYS_ADMIN or BPF capability in a cluster. The next step is to extend the attack using Eebpf-kit. Unfortunately, several applications that run in containers need exactly those capabilities, for instance: Cilium, Falco, ...
Thanks to https://github.com/libbpf/libbpf-bootstrap , which is a really awesome project.
All of my code is based on libbpf-bootstrap.
You can find my code in /root/Eebpf-kit/libbpf-bootstrap/examples/c
Eebpf-kit/libbpf-bootstrap/examples/c/hello
is a specific implementation of an eBPF program that injects a command from the container into the host. It achieves the following effect:
from a container holding the SYS_ADMIN or BPF capability, inject a command that is executed on the host as the root user.
Inspired by Tencent TEG Blue Team.
Eebpf-kit/libbpf-bootstrap/examples/c/sshd
is a specific implementation of an eBPF program that attacks and hijacks sshd, enabling several malicious actions.
We can now log in as an evil user that does not exist on the system; notice EVIL_PASSWD in esshd.bpf.c.
There are two corresponding modes, EVIL_SHADOW and EVIL_PASSWD, and both can be reviewed in esshd.bpf.c.
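Defender's side of the sshd hijack, as an added example (not code from Eebpf-kit or libbpf-bootstrap). It assumes, as is typical for kits that feed a host process fake credentials or commands, that the programs rewrite the victim's user-space buffers with the bpf_probe_write_user helper. The kernel refuses that helper unless the loader holds CAP_SYS_ADMIN (CAP_BPF alone is not enough) and, when it is granted, prints a rate-limited warning naming the loading process. The function below scans kernel log lines for that warning and for the companion bpf_override_return warning; the dmesg lines are constructed for the example, and the process names in them are assumptions.

```python
"""Spot eBPF programs that can tamper with user memory by scanning the kernel log.

Added example for this README, not part of Eebpf-kit. The two warning strings
are the ones kernel/trace/bpf_trace.c emits (rate-limited) when a program is
loaded that uses bpf_probe_write_user or bpf_override_return.
"""
from __future__ import annotations

import re
from typing import List, NamedTuple

HELPER_WARNING = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\] is installing a program with "
    r"(?P<helper>bpf_probe_write_user|bpf_override_return) helper"
)


class HelperLoad(NamedTuple):
    comm: str    # command name of the process that called bpf(BPF_PROG_LOAD)
    pid: int     # its pid at load time
    helper: str  # which dangerous helper the program uses


def find_user_memory_writers(kernel_log: str) -> List[HelperLoad]:
    """Return one HelperLoad per warning line in `kernel_log` (dmesg output)."""
    hits: List[HelperLoad] = []
    for line in kernel_log.splitlines():
        m = HELPER_WARNING.search(line)
        if m:
            hits.append(HelperLoad(m["comm"], int(m["pid"]), m["helper"]))
    return hits


# Constructed sample dmesg output. The loader names "hello" and "esshd" are
# assumptions for the example, not output recorded from the real kit.
SAMPLE_DMESG = """\
[  120.113501] docker0: port 1(veth3a1c) entered forwarding state
[  842.209377] hello[2184] is installing a program with bpf_probe_write_user helper that may corrupt user memory!
[  901.774210] esshd[2311] is installing a program with bpf_probe_write_user helper that may corrupt user memory!
[  950.001122] systemd-journald[512]: Time spent on flushing to /var is 1.2ms
"""

if __name__ == "__main__":
    # On a live host: find_user_memory_writers(subprocess.run(["dmesg"], ...).stdout)
    for hit in find_user_memory_writers(SAMPLE_DMESG):
        print(f"{hit.comm}[{hit.pid}] loaded a program using {hit.helper}")
```

The warning is emitted once per load and is rate-limited, so it only helps if the kernel ring buffer or journald has not been wrapped or cleared; pair it with a periodic `bpftool prog show` inventory rather than relying on the log alone.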
Eebpf-kit/libbpf-bootstrap/examples/c/kprobe
and Eebpf-kit/libbpf-bootstrap/examples/c/spray
are two corresponding programs that together implement the information leak.
The prerequisites are the same as for hello.
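The prerequisite shared by hello, sshd, kprobe and spray is that the container holds CAP_SYS_ADMIN or CAP_BPF. Before building anything, check which of those bits the container actually has. The following is an added example, not code from Eebpf-kit or libbpf-bootstrap: it parses the CapEff line of /proc/self/status and reports whether bpf() program loading and kprobe/tracepoint attachment are permitted by capabilities. The two sample CapEff values are constructed (a default Docker capability set, and the same set with SYS_ADMIN added).

```python
"""Check whether this process holds the capabilities the eBPF kit needs.

Added example for this README, not part of Eebpf-kit. Capability bit numbers
come from include/uapi/linux/capability.h.
"""
from __future__ import annotations

CAP_SYS_ADMIN = 21
CAP_PERFMON = 38   # since 5.8, needed together with CAP_BPF to attach kprobes/tracepoints
CAP_BPF = 39       # since 5.8, splits program/map loading out of CAP_SYS_ADMIN


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability mask from a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line found")


def has_cap(mask: int, cap: int) -> bool:
    return bool(mask & (1 << cap))


def bpf_capable(mask: int) -> bool:
    """True if bpf(BPF_PROG_LOAD) is allowed by capabilities alone."""
    return has_cap(mask, CAP_SYS_ADMIN) or has_cap(mask, CAP_BPF)


def tracing_capable(mask: int) -> bool:
    """True if kprobe/tracepoint programs (what hello, sshd and kprobe use) can be loaded and attached."""
    return has_cap(mask, CAP_SYS_ADMIN) or (
        has_cap(mask, CAP_BPF) and has_cap(mask, CAP_PERFMON)
    )


def check_self() -> dict:
    """Run the check against the current process (only useful inside the container)."""
    with open("/proc/self/status") as f:
        mask = parse_cap_eff(f.read())
    return {"cap_eff": hex(mask), "bpf": bpf_capable(mask), "tracing": tracing_capable(mask)}


# Constructed samples: Docker's default capability set (bits 0,1,3-8,10,13,18,27,29,31)
# and the same set after `--cap-add SYS_ADMIN` (bit 21, 0x200000, added).
SAMPLE_DEFAULT = "Name:\tsh\nCapEff:\t00000000a80425fb\n"
SAMPLE_SYS_ADMIN = "Name:\tsh\nCapEff:\t00000000a82425fb\n"

if __name__ == "__main__":
    for label, text in (("default", SAMPLE_DEFAULT), ("sys_admin", SAMPLE_SYS_ADMIN)):
        mask = parse_cap_eff(text)
        print(f"{label}: bpf={bpf_capable(mask)} tracing={tracing_capable(mask)}")
    print(check_self())
```

Capabilities are necessary but not sufficient: the container's seccomp profile must also let the bpf and perf_event_open syscalls through (Docker's default profile gates them on CAP_SYS_ADMIN), and the bpf_probe_write_user helper is only granted to loaders holding CAP_SYS_ADMIN, so a container with CAP_BPF and CAP_PERFMON alone can observe but not rewrite a host process's memory.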