[PHP][Python] Root Exploiter – No Back-Connect

Let's start with a quick demo of the script.


Have you ever run into any of the following?

  • Shell access to a vulnerable (rootable) server with a known local root exploit, but no reverse or back connection.
  • Shell access to a server where you know the root credentials, but no SSH or any other means to log in.
  • Problems with port forwarding and back-connects.

If yes, then say no more, because I had the same issues a while back. Then I came across Python's subprocess, pty and pexpect libraries, and I decided to explore these issues and see if Python can be used in post-exploitation.


Python must be available on the target machine. Obviously, we won't be able to install any fancy third-party packages/modules, because most of them need write access to the system Python's site-packages, which a simple apache user does not have.


We need to interact with another process/program on the target machine. A web shell runs each command as a separate, non-interactive process, so anything that stops to ask a question has nobody to answer it. For example, if I execute another program (in this case a local root exploit), I want to interact with it without losing the session. If I run `su - root` and it asks for the password, I should be able to feed its STDIN and read its STDOUT. We cannot do this with weevely or other similar tools. To understand this concept, try to do it with weevely. You can't.

With this goal in mind, I started some research on processes, subprocess pipes and how STDIN and STDOUT actually work. To test and verify this, I used a PHP shell to interact with a local web server. I uploaded a Python executable with the following code:

If I could somehow interact with this Python code through the PHP interface, provide an input string at the prompt and read the output, then there was hope 😀. After some research on subprocess, popen and pipes in Python, my initial code was:

This script actually worked, and I got this output on my PHP console interface.


After this successful try, my next goal was to execute a local root exploit on the target machine and interact with it at least far enough to plant a permanent backdoor, such as creating another user with root privileges. I modified the previous code to:

Here /tmp/ofs was my local root exploit, i.e. the Ubuntu OverlayFS exploit, and the target machine was Ubuntu 14.04 (vulnerable kernel). This code did half the job: it executed the local root exploit and added the user, but it couldn't change the password. There were some issues.


These errors come down to the default behaviour of passwd: it asks for the new password twice, and like su it reads the answers from the controlling terminal rather than from stdin.

The script couldn't handle passwd's two prompts; it entered only one. So I tried some other ways to set the password, like:

It didn't work either, because here we were dealing with a child process (a process within a process). I also tried to spawn another shell within this process:

I tried to interact with this shell too, but because of its blocking behaviour (the shell waiting for input while my script waited for output) the process hung and terminated with no result. Finally, I came across pexpect, a pure-Python package built on pty and subprocess. This module made things a lot easier 😀. But now the problem was that on Python 2.x it has to be installed with root privileges on the machine: in the latest versions there is no standalone pexpect.py that can be dropped next to another program and imported; it is a make-install package that has to be installed.
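The two situations described above, reproduced as a self-contained example that is added here and is not the post's own code (it also does not use pexpect, only the standard library). A constructed Python child, TTY_CHILD, plays the role of passwd: it prompts twice and reads the answers from /dev/tty, as passwd and su do via getpass(3). Driving it through subprocess pipes fails, because a piped child has no terminal to read from, while forking it onto a pseudo-terminal with the pty module, which is what pexpect does internally, succeeds. A sibling STDIN_CHILD that reads sys.stdin shows why the pipe approach worked on the simple prompt script earlier in the post. The select()-based read_until() is what avoids the hang you get from readline() on a prompt that has no trailing newline. All names (TTY_CHILD, STDIN_CHILD, drive_over_pipes, drive_over_pty, demo) are mine.

```python
import os
import pty
import select
import subprocess
import sys
import time

# Constructed stand-in for passwd(1): like passwd and su it prompts twice and
# reads the answers from the controlling terminal (/dev/tty), NOT from stdin.
# It assumes only what the post assumes: a Python interpreter on the target.
TTY_CHILD = r"""
import sys
try:
    tin, tout = open("/dev/tty"), open("/dev/tty", "w")
except OSError as e:
    sys.stderr.write("no controlling terminal: %s\n" % e); sys.exit(2)
tout.write("New password: "); tout.flush(); p1 = tin.readline().rstrip("\n")
tout.write("Retype new password: "); tout.flush(); p2 = tin.readline().rstrip("\n")
if p1 != p2:
    tout.write("Sorry, passwords do not match.\n"); tout.flush(); sys.exit(1)
tout.write("password updated successfully\n"); tout.flush()
"""
# The same dialogue reading sys.stdin, like the prompt script the post drove with PIPEs.
STDIN_CHILD = TTY_CHILD.replace('open("/dev/tty"), open("/dev/tty", "w")',
                                "sys.stdin, sys.stdout")
ANSWERS = [(b"New password: ", b"s3cret"), (b"Retype new password: ", b"s3cret")]


def read_until(fd, expected=None, timeout=5.0):
    """Read fd until `expected` appears (expected=None: until EOF or timeout).
    A prompt has no trailing newline, so readline() would block forever;
    select() plus os.read() is what avoids the hang described in the post."""
    buf, deadline = b"", time.monotonic() + timeout
    while expected is None or expected not in buf:
        left = deadline - time.monotonic()
        if left <= 0 or not select.select([fd], [], [], left)[0]:
            if expected is None:
                return buf
            raise TimeoutError("no %r in %r" % (expected, buf))
        try:
            chunk = os.read(fd, 4096)
        except OSError:           # a Linux pty master raises EIO once the child exits
            chunk = b""
        if not chunk:
            if expected is None:
                return buf
            raise EOFError("child exited before %r; got %r" % (expected, buf))
        buf += chunk
    return buf


def drive_over_pipes(child_src, answers=ANSWERS):
    """The post's first approach: Popen + PIPE, one write per prompt. Works only
    while the child reads sys.stdin. start_new_session=True detaches the child
    from any real terminal, so a /dev/tty reader fails fast instead of hanging."""
    p = subprocess.Popen([sys.executable, "-c", child_src], stdin=subprocess.PIPE,
                         stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                         start_new_session=True)
    out = b""
    try:
        for prompt, answer in answers:
            out += read_until(p.stdout.fileno(), prompt)
            p.stdin.write(answer + b"\n"); p.stdin.flush()
        out += read_until(p.stdout.fileno())
    except (TimeoutError, EOFError, BrokenPipeError) as e:
        out += b"\n[driver] " + str(e).encode()
    finally:
        p.stdin.close()
    return p.wait(timeout=5), out


def drive_over_pty(child_src, answers=ANSWERS):
    """What pexpect does underneath: fork the child onto a pseudo-terminal, so the
    pty slave is its controlling terminal and its /dev/tty reads come to us."""
    pid, fd = pty.fork()
    if pid == 0:                                 # child: become the target program
        try:
            os.execv(sys.executable, [sys.executable, "-c", child_src])
        finally:
            os._exit(127)
    out = b""
    try:
        for prompt, answer in answers:
            out += read_until(fd, prompt)
            os.write(fd, answer + b"\n")         # the line discipline echoes this back
        out += read_until(fd)
    except (TimeoutError, EOFError) as e:
        out += b"\n[driver] " + str(e).encode()
    finally:
        os.close(fd)
    _, status = os.waitpid(pid, 0)
    return (os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1), out


def demo():
    """{case: (exit_code, transcript)} for a stdin reader and a /dev/tty reader."""
    return {"pipes_stdin_reader": drive_over_pipes(STDIN_CHILD),
            "pipes_tty_reader": drive_over_pipes(TTY_CHILD),
            "pty_tty_reader": drive_over_pty(TTY_CHILD)}
```

Run `demo()` and compare the three transcripts: the stdin reader is happy over pipes, the /dev/tty reader exits with "no controlling terminal" over pipes, and the same /dev/tty reader reports "password updated successfully" when driven over the pty. The `start_new_session=True` in the pipe path is a deliberate safety choice for the demo: without it, a child that opens /dev/tty would attach to whatever terminal you ran the script from and sit there waiting for you to type, which is exactly the hang the post describes. On a real target the same loop drives `su`, `passwd` or an exploit binary in place of the constructed child.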

Somewhere, a blog post suggested that old versions of pexpect had a standalone module 😀. So I pulled an old pexpect repository, and it actually had one. Perfect 😀. That's all I needed at this stage. Now it was time for some final testing with pexpect.

To log in as a different user, all I had to do was 😀:

And it worked perfectly 😀. Next, I executed a local root exploit and used that same session to add another user with root privileges:

And it worked perfectly again.

Now all I had to do was build a PHP interface to automate all this: a PHP-based user interface that can interact with the vulnerable target, automatically create the necessary Python libraries and modules, execute any local root exploit and, if everything goes well, interact with the target as a privileged user. My final code was 😀:

Final Code:

And this is what it looks like.


So far I have tested this script on 5 different servers and it worked perfectly, but it may not work on some very old servers that are running very old versions of Python. You can download the final version of the script here.

Download: (Source updated 29-09-2015 – fixed a minor bug)

GitHub Repository:

Root Exploiter – Part 2:

In Part 2, I explain a simpler approach using a binary executable written in C++ that serves as an exploit handler and a persistent backdoor. Read it here: [PHP][C++] Root Exploiter (Part 2) – No Back-Connect.

If you have any suggestions to improve this further, feel free to contact me. Details are in the footer. Thanks.