Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added; they don't specify whether it is an authentication backdoor, a special command or something else.

I started looking for something weird in the authentication routines, but I didn't find anything significant in a brief period of time, so I decided to do a bindiff, which was the key to locating the backdoor quickly. I did a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl", which is weird because it is a call for executing ELFs, not needed for an FTP service, and weird because the compiled binary doesn't have that symbol.





Looking at the xrefs of "execl" in IDA, I found code that is a clear backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr to the socket and uses execl:



There is one xref to this function: the function that decides when to trigger it, which makes its decision with this kind of system of equations:


The backdoor was not in the authentication; it was a special command that triggers the backdoor, obfuscated in that system of equations. There was no need to use a z3 equation solver because it is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}
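
The substitution done by hand above, as an added example (not code from the challenge or from the original write-up): each constraint gives cmd[i+1] = sum - cmd[i], so one known byte determines all the others. The names `PAIR_SUMS`, `solve_chain` and `satisfies` are hypothetical, and the seed for cmd[1] is taken from the solution listing.

```python
# Added example: back-substitution through the chained byte constraints.
# PAIR_SUMS[i] is the value of cmd[i+1] + cmd[i+2] from the equation list.
PAIR_SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
             195, 195, 201, 207, 203, 215, 235, 242]
CMD0 = 69  # cmd[0], fixed directly by the first constraint
CMD1 = 75  # assumption: seed for cmd[1], taken from the solution listing


def solve_chain(cmd0, cmd1, pair_sums):
    """Recover every byte of the command from the pairwise sums."""
    cmd = [cmd0, cmd1]
    for index, total in enumerate(pair_sums, start=2):
        value = total - cmd[-1]
        # Each unknown is a single byte; anything else means a bad seed
        # or a mistyped constant.
        if not 0 <= value <= 255:
            raise ValueError(f"cmd[{index}] = {value} is not a byte")
        cmd.append(value)
    return cmd


def satisfies(cmd, pair_sums):
    """Re-check the recovered bytes against every pairwise constraint."""
    return len(cmd) == len(pair_sums) + 2 and all(
        cmd[i + 1] + cmd[i + 2] == total for i, total in enumerate(pair_sums)
    )


def is_printable(cmd):
    """A command typed over FTP should consist of printable ASCII only."""
    return all(0x20 <= value <= 0x7E for value in cmd)


def decode(cmd):
    return bytes(cmd).decode("ascii")


if __name__ == "__main__":
    recovered = solve_chain(CMD0, CMD1, PAIR_SUMS)
    assert satisfies(recovered, PAIR_SUMS) and is_printable(recovered)
    print(recovered)
    print(decode(recovered))
```

The sums alone leave one degree of freedom, so the check on a fixed byte is what pins the command down to a single value.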

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

