Every C99 / C99.php Shell Is Backdoored (A.K.A. Free Shells for Everyone!)

Earlier I made a post calling out the wrong people for backdooring the C99.php shell hosted on r57.gen.tr. They appear to be merely exploiting an already existing vulnerability in the C99 shell. The truth is that the C99 shell is just plain backdoored. I'd apologize, but the JavaScript tracking on their distributed shells is still pretty sketchy, so I have a feeling they are aware of the backdoor.

For those who missed it, the C99 shell has a backdoor due to its unsafe use of the extract() function, which imports every key of an array into the current scope as a variable.

The vulnerable lines:

This line lets a request parameter overwrite any variable in scope, because extract() turns every key of the supplied array into a local variable:

Which, oddly, sits directly above this authentication code:

Which means that if we change our URL to:
http://127.0.0.1/c99.php?c99shcook[login]=0

we bypass all of that nasty authentication! Setting the login key to 0 overwrites the configured login variable, so the password check that depends on it is never enforced.


The same parameter can also be sent via POST or in a cookie, which is more convenient than keeping it in the URL.
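To make the bypass concrete, here is an added example that is not the C99 source and not part of the original post: a minimal PHP model of the pattern described above (extract() over a user-supplied c99shcook[] array, followed by a login check that depends on the $login variable), placed beside a hardened version. The credential values, the allowed settings keys (lang, theme), the function names and the constructed requests are all placeholders assumed for the demo.

```php
<?php
// Added illustration of the extract() weakness discussed above. This is not
// the C99 source, only a minimal model of the pattern: the shell calls
// extract() on the user-supplied c99shcook[] array and then runs a login
// check that depends on $login. Names, credentials and requests below are
// placeholders constructed for the demo.

// --- Vulnerable pattern: extract() over attacker-controlled input ---
function vulnerable_auth(array $request, array $server): string
{
    // Operator-configured credentials (placeholder values).
    $login    = "admin";
    $md5_pass = md5("s3cret");

    // extract() turns every key of the array into a variable in this scope,
    // so c99shcook[login]=0 (or c99shcook[md5_pass]=...) clobbers the config.
    if (isset($request["c99shcook"]) && is_array($request["c99shcook"])) {
        extract($request["c99shcook"]);
    }

    // Authentication is only enforced while $login is non-empty; PHP's
    // empty() treats the string "0" as empty, so the check is skipped.
    if (!empty($login)) {
        $user = $server["PHP_AUTH_USER"] ?? "";
        $pw   = $server["PHP_AUTH_PW"] ?? "";
        if ($user !== $login || md5($pw) !== $md5_pass) {
            return "401 Unauthorized";
        }
    }
    return "shell";
}

// --- Hardened form: never extract() request data, always authenticate ---
function hardened_auth(array $request, array $server): string
{
    $login    = "admin";
    $md5_pass = md5("s3cret");

    // Copy only expected, scalar keys into a dedicated settings array;
    // nothing from the request can reach $login or $md5_pass.
    $allowed  = ["lang", "theme"];
    $settings = [];
    $cook     = $request["c99shcook"] ?? [];
    if (is_array($cook)) {
        foreach ($allowed as $key) {
            if (isset($cook[$key]) && is_scalar($cook[$key])) {
                $settings[$key] = (string) $cook[$key];
            }
        }
    }

    // Unconditional, constant-time credential check.
    $user = $server["PHP_AUTH_USER"] ?? "";
    $pw   = $server["PHP_AUTH_PW"] ?? "";
    if (!hash_equals($login, $user) || !hash_equals($md5_pass, md5($pw))) {
        return "401 Unauthorized";
    }
    return "shell (settings: " . json_encode($settings) . ")";
}

// Constructed requests: the bypass URL from the post as it lands in $_REQUEST.
$bypass    = ["c99shcook" => ["login" => "0", "theme" => "dark"]];
$noCreds   = [];
$goodCreds = ["PHP_AUTH_USER" => "admin", "PHP_AUTH_PW" => "s3cret"];

printf("vulnerable, no creds:          %s\n", vulnerable_auth([], $noCreds));
printf("vulnerable, login clobbered:   %s\n", vulnerable_auth($bypass, $noCreds));
printf("hardened,   login clobbered:   %s\n", hardened_auth($bypass, $noCreds));
printf("hardened,   valid credentials: %s\n", hardened_auth($bypass, $goodCreds));
```

Run it with php from the command line: the vulnerable function returns 401 for a bare request but hands out the shell as soon as login is clobbered, while the hardened function returns 401 for the clobbered request and only admits the caller with the real credentials. If extract() cannot be removed from a codebase, extract($arr, EXTR_SKIP) refuses to overwrite variables that already exist and would have protected $login here, but copying an allowlist of keys into a dedicated array is the safer fix.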

If you intended to use the C99 shell for anything, I'd recommend against it; or if you do, feel free to share the link.

For more fun, here is a list of Google dorks for finding C99 shells: http://www.hackingsec.in/2012/04/google-dorks-find-backdoor-c99-find.html

(For those looking for a better shell, check out Weevely)

20 comments

  1. So, they not only have been collecting information about _hacked_ websites, they also know/have the way to remotely execute commands from those servers. A really good way to crowdsource the creation of your own botnet.

  2. Welcome to 2007.

    C99 has been a well-known backdoor for a long, long time, and files referencing R57 are very likely to be so as well, or a proxy.

    It is so well-known that most vulnerability scanning software can identify these with 95-99% certainty, and have done so for years.

    What’s next, discovering that PHPMailer for PHP 4 has remote spamming vulnerabilities?

    1. Well clearly C99 is a backdoor – see the original post where I joke about that. The point is it’s a backdoored backdoor, which is the funny part.
