Gui774ume / ebpfkit

ebpfkit is a rootkit powered by eBPF
Apache License 2.0

Error: couldn't start: couldn't start main manager: couldn't start main manager: probes activation validation failed: 2 errors occurred: #7

Closed jackcily closed 2 years ago

jackcily commented 2 years ago

Hello, I'm trying to run the ebpfkit rootkit with the exploit effect described in 《blackhat 2021》: container breakout 1: escaping through a pipe.

The environment configuration:

But when I run ebpfkit, I got this error:

Error: couldn't start: couldn't start main manager: couldn't start main manager: probes activation validation failed: 2 errors occurred:
        * {UID:egress Section:classifier/egress}: couldn't add a "clsact" qdisc to interface 2: netlink receive: no such file or directory
        * {UID:lo Section:classifier/egress}: couldn't add a "clsact" qdisc to interface 1: netlink receive: no such file or directory

Have you come across such issues? Any helpful suggestions? Thanks : )

@lebauce @L3n41c @safchain @paulcacheux @JulesDT

Gui774ume commented 2 years ago

Hey there 👋🏻

Thank you for reporting the bug. Please note that this repo was first and foremost a research project, we built it for a specific kernel version and environment and didn't plan any support for it. We wanted to prove that building a rootkit with eBPF was possible, not release an omnipotent one to the world.

The error you're seeing means that the interface you provided in the CLI doesn't exist. I would suggest using the name of the interface instead of its index. For example, have you tried lo, eth0, enp0s3 or whatever the name of your interface is, instead of an interface index?
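The name-versus-index point above, plus the check a defender runs on a host for the same attach points: an added example (not code from the ebpfkit project or this thread) that resolves interface names through sysfs the way the kernel's ifindex works, and parses `tc` output to list interfaces that already carry a clsact qdisc or a BPF classifier. The `tc` output embedded below is constructed; the object name `probe.o`, program id 42 and the tag are made-up values.

```shell
#!/bin/sh
# Added example, not code from the ebpfkit project: resolve interface names the
# way the kernel does, and parse "tc" output to find interfaces that already carry
# a clsact qdisc or a BPF classifier, which is what an auditor looks for when
# checking a host for tc-BPF programs. The tc output below is constructed.

# Map an interface name to its ifindex through sysfs; fails if the name does not exist.
iface_index() {
    [ -r "/sys/class/net/$1/ifindex" ] || return 1
    cat "/sys/class/net/$1/ifindex"
}

# Reverse lookup, ifindex -> name; prints nothing and fails if no interface has it.
iface_name() {
    for d in /sys/class/net/*; do
        [ -r "$d/ifindex" ] || continue
        if [ "$(cat "$d/ifindex")" = "$1" ]; then
            basename "$d"
            return 0
        fi
    done
    return 1
}

# Read "tc qdisc show" output on stdin; print each device that has a clsact qdisc.
clsact_devs() {
    awk '$1 == "qdisc" && $2 == "clsact" {
        for (i = 1; i <= NF; i++) if ($i == "dev") print $(i + 1)
    }'
}

# Read "tc filter show dev <if> egress" (or ingress) output on stdin; print
# "<object:[section]> id=<prog id>" for every attached BPF classifier. The id is
# the kernel program id, which "bpftool prog show id <id>" resolves further.
bpf_filters() {
    awk '$1 == "filter" && / bpf / && / handle / {
        sec = ""; id = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /\[.*\]$/) sec = $i
            if ($i == "id") id = $(i + 1)
        }
        if (id != "") print sec " id=" id
    }'
}

# Constructed sample output in the format tc prints (values are made up).
SAMPLE_QDISC='qdisc noqueue 0: dev lo root refcnt 2
qdisc fq_codel 0: dev enp0s3 root refcnt 2 limit 10240p flows 1024
qdisc clsact ffff: dev enp0s3 parent ffff:fff1'

SAMPLE_FILTER='filter protocol all pref 49152 bpf chain 0
filter protocol all pref 49152 bpf chain 0 handle 0x1 probe.o:[classifier/egress] direct-action not_in_hw id 42 tag 0123456789abcdef jited'

echo "interfaces with a clsact qdisc:"
printf '%s\n' "$SAMPLE_QDISC" | clsact_devs
echo "BPF classifiers on egress:"
printf '%s\n' "$SAMPLE_FILTER" | bpf_filters
# On a live host: tc qdisc show | clsact_devs ; tc filter show dev enp0s3 egress | bpf_filters
```

On a real host, replace the two samples with `tc qdisc show` and `tc filter show dev <if> egress` (and `ingress`); an interface that has a clsact qdisc and a bpf filter nobody provisioned is worth pairing with `bpftool prog show` on the reported id.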

Gui774ume commented 2 years ago

Feel free to reopen the issue if it doesn't solve your problem.

jackcily commented 2 years ago

Hello, I have tried lo, eth0, enp0s3 on my VM's interfaces, but it didn't work.

My host env config:

## host kernel version
Linux VirtualBox 5.4.0-110-generic #124-Ubuntu SMP Thu Apr 14 19:46:19 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux

## my kernel bpf compile config
$ cat /boot/config-$(uname -r) |grep bpf
CONFIG_CGROUP_BPF=y
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT_ALWAYS_ON=y
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
CONFIG_IPV6_SEG6_BPF=y
CONFIG_NETFILTER_XT_MATCH_BPF=m
CONFIG_BPFILTER=y
CONFIG_BPFILTER_UMH=m
CONFIG_NET_CLS_BPF=m
CONFIG_NET_ACT_BPF=m
CONFIG_BPF_JIT=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_LWTUNNEL_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_BPF_EVENTS=y
CONFIG_BPF_KPROBE_OVERRIDE=y
CONFIG_TEST_BPF=m

And these are the interfaces on the host and in the Docker container I used.

enp0s3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.2.15  netmask 255.255.255.0  broadcast 10.0.2.255
        inet6 fe80::1ad6:b997:5c8c:d269  prefixlen 64  scopeid 0x20<link>
        ether 08:00:27:ac:19:0b  txqueuelen 1000  (Ethernet)
        RX packets 15027  bytes 18707045 (18.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8244  bytes 557794 (557.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

The command and error when I run ebpfkit are as follows.

root@service:/data/ebpfkit/bin# ./ebpfkit -i enp0s3 -e enp0s3

Error: couldn't start: couldn't start main manager: couldn't start main manager: probes activation validation failed: 2 errors occurred:
        * {UID:egress Section:classifier/egress}: couldn't add a "clsact" qdisc to interface 2: netlink receive: no such file or directory
        * {UID:lo Section:classifier/egress}: couldn't add a "clsact" qdisc to interface 1: netlink receive: no such file or directory

Any helpful suggestions? Thanks : )

And can you tell me which kernel version and bpf compile config you used?
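The `grep bpf` listing in the previous comment cannot show whether the clsact qdisc itself is built, because its option is CONFIG_NET_SCH_INGRESS (net/sched/sch_ingress.c registers both the ingress and the clsact qdisc), and the kernel answers a request to create a qdisc kind it has no ops for with ENOENT, which is what "no such file or directory" spells out. As an added example, not from the thread or the project, the script below reads a kernel config and reports the options a `clsact` qdisc plus BPF classifier attach depends on. The two config texts are constructed: the BPF lines mirror the ones quoted above, the NET_SCH_INGRESS values are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or the project: read a kernel config and report
# the options a tc clsact + BPF classifier attach depends on. A "grep bpf" over the
# config cannot show NET_SCH_INGRESS, the option that builds the clsact qdisc
# (net/sched/sch_ingress.c), so it is easy to miss. The config text below is
# constructed: the BPF lines mirror the issue, the NET_SCH_INGRESS lines are assumed.

# Print the value ("y", "m" or "n") of CONFIG_<name> from config text on stdin.
# An absent or "is not set" option reads as "n".
config_value() {
    awk -v opt="CONFIG_$1" '
        $0 ~ ("^" opt "=") { sub(("^" opt "="), ""); print; found = 1; exit }
        END { if (!found) print "n" }
    '
}

# Check the options behind "tc qdisc add dev X clsact" + a bpf filter. Returns 0 when
# every option is y or m, 1 otherwise. "m" only means the module can be built; it still
# has to be loadable when the qdisc is created, which a container that cannot reach the
# host's modules may not manage (an assumption about the reporter's setup, not a diagnosis).
check_tc_bpf_support() {
    rc=0
    for opt in BPF_SYSCALL NET_SCH_INGRESS NET_CLS_BPF; do
        v=$(printf '%s\n' "$1" | config_value "$opt")
        case "$v" in
            y) echo "CONFIG_$opt=y" ;;
            m) echo "CONFIG_$opt=m (module must be loadable at attach time)" ;;
            *) echo "CONFIG_$opt not set"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed configs: one without the clsact qdisc, one with it as a module.
CONFIG_WITHOUT_CLSACT='CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_NET_CLS_BPF=m
# CONFIG_NET_SCH_INGRESS is not set'

CONFIG_WITH_CLSACT='CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_NET_CLS_BPF=m
CONFIG_NET_SCH_INGRESS=m'

echo "--- config without clsact"
check_tc_bpf_support "$CONFIG_WITHOUT_CLSACT" || echo "a clsact qdisc cannot be created on this kernel"
echo "--- config with clsact"
check_tc_bpf_support "$CONFIG_WITH_CLSACT" && echo "options present"
# On a live host: check_tc_bpf_support "$(cat /boot/config-$(uname -r))"
```

Run against the real file with `check_tc_bpf_support "$(cat /boot/config-$(uname -r))"`; a `y` or `m` on all three options says the kernel can do it, and for `m` the remaining question is whether the module can actually be loaded from where the command runs.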