works that system has access to. You've effectively turned the compromised system into a router. We could have accomplished the same thing without using the autoroute module: the route function in Meterpreter could also be used. To do the same thing as we did with autoroute, you would use route add 192.168.2.0/24 1. This tells Meterpreter to set a route to the 192.168.2.0/24 network (meaning 192.168.2.0-192.168.2.255) through session 1. The last value is the session ID. This would accomplish the same thing as autoroute did for us.
Maintaining Access
You may not want to have to keep exploiting the same vulnerability over and over to gain access to your remote system. For a start, someone may come by and patch the vulnerability, which would mean you would no longer be able to exploit it. Ideally, you want to leave behind a backdoor that you could access anytime you want. One challenge is that if you just create a process that is a backdoor, it may be discovered as a rogue process. Fortunately, there is a program we can use: cymothoa.
Because we are again going to use Metasploitable 2 and it's a 32-bit system, I need to download the source code to generate a 32-bit executable.
Once you have your cymothoa executable, you can either place it into your web server directory and download it to your target system, or you can just use upload through Meterpreter. With cymothoa in place, we can get a shell open to start up cymothoa.
The program works by infecting a running process. This means a running process gets a new chunk of code that will start up a listener, and anyone connecting to the port cymothoa is listening on will be able to pass shell commands into the system to have them run. If you infect a process running as root, you will have root permissions.
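From the defender's side, the infection described above leaves a trace: the injected listener code lives in a memory region of the victim process that is writable, executable, and backed by no file. The following script is an added example (not from the book or the cymothoa project) that parses a /proc/PID/maps listing and flags such regions; the sample listing is constructed to resemble a 32-bit apache2 process with one injected region.

```python
"""Flag writable+executable anonymous mappings in a /proc/<pid>/maps listing.

Process-injection backdoors typically leave an anonymous rwxp region behind;
legitimate code pages are r-xp and file-backed, so such regions are worth a look.
"""
import re

# One /proc/<pid>/maps line: range, perms, offset, dev, inode, optional path.
MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+(?P<inode>\d+)"
    r"\s*(?P<path>.*)$"
)

# Constructed sample (not real output): a 32-bit apache2 process with one
# anonymous rwxp region of the kind an in-process listener would need.
SAMPLE_MAPS = """\
08048000-080d0000 r-xp 00000000 08:01 131 /usr/sbin/apache2
080d0000-080d5000 rw-p 00088000 08:01 131 /usr/sbin/apache2
09a3c000-09a5d000 rw-p 00000000 00:00 0 [heap]
b7e10000-b7f5c000 r-xp 00000000 08:01 902 /lib/i386-linux-gnu/libc-2.11.so
b7f00000-b7f01000 rwxp 00000000 00:00 0
bffdf000-c0000000 rw-p 00000000 00:00 0 [stack]
"""


def parse_maps(text):
    """Yield one dict per parseable maps line; inode is kept as an int."""
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["inode"] = int(entry["inode"])
            yield entry


def suspicious_regions(text):
    """Return (start, end, perms, path) for regions that are both writable and
    executable and are not backed by a file (inode 0), which covers anonymous
    mappings as well as an executable heap or stack."""
    hits = []
    for e in parse_maps(text):
        perms = e["perms"]
        if "w" in perms and "x" in perms and e["inode"] == 0:
            hits.append((e["start"], e["end"], perms, e["path"]))
    return hits


def check_pid(pid):
    """Read a live process's maps file and return its suspicious regions."""
    with open(f"/proc/{pid}/maps") as fh:
        return suspicious_regions(fh.read())
```

On a real host, pair this with a check of which ports the same PID is listening on; a web server process that suddenly holds an rwxp anonymous page and a new listening socket is the combination this technique produces.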
Example 6-21 shows a run of cymothoa to infect a process. The process selected is the Apache2 process that starts up first. This is the one that has root permissions before dropping the permissions for the children it spawns. The permission drop happens because, in order to listen on port 80, the process has to have root permissions. However, in order to read the content from the filesystem, the application does not need root permissions. Apache takes in the request from the network by using the bound port established by the root process and then hands processing of the request on to one of the children. cymothoa requires a PID as well as the shell code to inject. This is done using the command-line parameter -s 1. There are 15 possible shell codes to inject. The first one is just binding /bin/sh to the listening port provided with the -y parameter.
Example 6-21. Running cymothoa to create a backdoor
./cymothoa -p 5196 -s 1 -y 9999
[+] attaching to process 5196