TL;DR all shells from http://www.r57.gen.tr/ are backdoored, shockingly. But in a pretty clever way you probably didn’t expect.

You know sometimes when I find things in security that are probably unethical, I’m more impressed than morally distressed.

I decided to poke around some of the online sources for the typical shells (c99, r57, etc) and after a quick search:

Selection_001

I’ve got all the shells I’d ever need!

Or do I? Let’s check out this first site shall we?

Selection_002

Selection_003

C99 is probably the more famous one, so let’s take a look at it!

[email protected]:~/Pentest/c99$ grep --color -n "https://" c99.php 

79:if ($surl_autofill_include and !$_REQUEST["c99sh_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";}}} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}}

1706:   if ((!eregi("http://",$uploadurl)) and (!eregi("https://",$uploadurl)) and (!eregi("ftp://",$uploadurl))) {echo "Incorect url!
";} [email protected]:~/Pentest/c99$ grep --color -n "http://" c99.php 11: http://ccteam.ru/releases/c99shell 13:* WEB: http://ccteam.ru 79:if ($surl_autofill_include and !$_REQUEST["c99sh_surl"]) {$include = "&"; foreach (explode("&",getenv("QUERY_STRING")) as $v) {$v = explode("=",$v); $name = urldecode($v[0]); $value = urldecode($v[1]); foreach (array("http://","https://","ssl://","ftp://","\\\\") as $needle) {if (strpos($value,$needle) === 0) {$includestr .= urlencode($name)."=".urlencode($value)."&";}}} if ($_REQUEST["surl_autofill_include"]) {$includestr .= "surl_autofill_include=1&";}} 99:$accessdeniedmess = "c99shell v.".$shver.": access denied"; 103:$c99sh_updatefurl = "http://ccteam.ru/releases/update/c99shell/"; //Update server 259:if (!preg_match($s,getenv("REMOTE_ADDR")) and !preg_match($s,gethostbyaddr(getenv("REMOTE_ADDR")))) {exit("c99shell: Access Denied - your host (".getenv("REMOTE_ADDR").") not allow");} 599:# Home page: http://ccteam.ru 855:?>

!C99Shell v. !

Software:  

uname -a: ",1); ?> 

",1);} else {echo get_current_user();} ?> 

Safe-mode: 

Incorect url!
";} 2912:if ($act == "about") {echo "

Credits:
Idea, leading and coding by tristram[CCTeaM].
Beta-testing and some tips - NukLeoN [[email protected] tEaM].
Thanks all who report bugs.
All bugs send to tristram's ICQ #656555 .
";} 2926:

--[ c99shell v. powered by Captain Crunch Security Team | r57 shell | Generation time: ]--

[email protected]:~/Pentest/c99$

Now immediately everyone’s first thought is to check the PHP itself for clever backdoors. After all, this is a backdoor shell so why wouldn’t it be a backdoored backdoor shell (bleh).

But notice this section:


Hmm, what’s the source for that page?

Selection_006

Ho-ho-ho that’s a little suspicious, so it’s making an image with the source being http://www.r57.gen.tr/yaz/yaz.php?a= plus our current URL?

Naughty naughty, navigating to this URL we find:
Selection_005

Oh a blank page, that’s probably nothing at all!

Or…just maybe…they are capturing IP addresses to alert the website owners or steal the shells for themselves (far more likely).

I’m willing to bet there is a PHP auth-bypass in the code as well…

Auth Bypass Exploit

Notice this piece of code here:
Selection_009

Found this after diffing this c99 shell against other online copies. For those not familiar, extract() is a VERY dangerous command to use. Basically you pass it an array and it extracts the values into variables.

This example from the official PHP site says it all:

 "blue",
                   "size"  => "medium",
                   "shape" => "sphere");
extract($var_array, EXTR_PREFIX_SAME, "wddx");

echo "$color, $size, $shape, $wddx_size\n";

?>

Guess what is right after that line?

Selection_010

So one could very easily over right $login, $md5_pass, etc to override the login.

EDIT: This same JS link is in all of the shells on the site. See r57.php:

  74 $head = '
  75 
  76 
  77 
  78 

The moral of this lesson is obvious but I’m more entertained by the fact that they went with a JS backdoor. Who would check the Javascript for backdoors? It’s the perfect crime!

The domain is apparently Turkish and has been registered for sometime, so I can’t imagine the amount of bad shells have been distributed.

** Registrant:
   Ýsmail Kalayli
   Gulbahar Mah. Gayret Sk. No:21 K:1
   Mecidiyekoy
   Ýstanbul,
     Türkiye
   Email Masking Image@natro.com
   + 90-212-3564407
   + 


** Registrar:
NIC Handle	 : cth16-metu
Organization Name	: Çizgi Telekomünikasyon Hizmetleri San. ve Tic.Ltd.Þti.
Address	 : Esentepe Mah. Elif Sk. No:4 K:1
  Mecidiyeköy / Þiþli
  Ýstanbul,34390
  Türkiye
Phone	 : + 90-212-2131213-
Fax	 : + 90-212-3564407


** Domain Servers:
ns1.teenficken.com
ns2.teenficken.com

** Additional Info:
Created on..............: 2008-Oct-22.
Expires on..............: 2015-Oct-21.

But let’s be honest, somebody has to have noticed this right…?
Selection_008

Or maybe nobody actually falls for this…?
*facepalm*

Which isn’t even the source but copied from http://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson11/

For archiving reasons I’ll keep the source here to show the *current* backdoor in case it’s changed: http://pastebin.com/LCDrr0e8

EDIT: I now have a moral dilemma because I’m sure people will abuse this exploit to break into more sites…Hmm…