Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.

Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:

There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:

The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.

The equation:

cmd[0] = 69

cmd[1] = 78

cmd[1] + cmd[2] = 154

cmd[2] + cmd[3] = 202

cmd[3] + cmd[4] = 241

cmd[4] + cmd[5] = 233

cmd[5] + cmd[6] = 217

cmd[6] + cmd[7] = 218

cmd[7] + cmd[8] = 228

cmd[8] + cmd[9] = 212

cmd[9] + cmd[10] = 195

cmd[10] + cmd[11] = 195

cmd[11] + cmd[12] = 201

cmd[12] + cmd[13] = 207

cmd[13] + cmd[14] = 203

cmd[14] + cmd[15] = 215

cmd[15] + cmd[16] = 235

cmd[16] + cmd[17] = 242

The solution:

cmd[0] = 69

cmd[1] = 75

cmd[2] = 79

cmd[3] = 123

cmd[4] = 118

cmd[5] = 115

cmd[6] = 102

cmd[7] = 116

cmd[8] = 112

cmd[9] = 100

cmd[10] = 95

cmd[11] = 100

cmd[12] = 101

cmd[13] = 106

cmd[14] = 97                    

cmd[15] = 118

cmd[16] = 117

cmd[17] = 125

The flag:

EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

Continue reading

1. Hack Tools For Mac
2. Hacking Tools For Kali Linux
3. Pentest Tools For Mac
4. Pentest Tools Github
5. World No 1 Hacker Software
6. Hack And Tools
7. Hacking Tools Software
8. What Is Hacking Tools
9. Hacker Tools 2020
10. Hacking Tools 2019
11. New Hacker Tools
12. Hacking Tools For Mac
13. Hacking Tools And Software
14. Hacking Tools Hardware
15. Hacker Tools For Ios
16. Hack Tools Github
17. Pentest Tools Open Source
18. Hacker Tools Free Download
19. Hacker Tools Windows
20. Hacking Tools Windows
21. Bluetooth Hacking Tools Kali
22. Hack App
23. Hacking Apps
24. Pentest Tools Free
25. Hacking Tools Mac
26. Hacker Tools 2020
27. Pentest Tools List
28. Hackers Toolbox
29. Hacker Hardware Tools
30. Hacker Tools Hardware
31. Hack Tools Mac
32. Physical Pentest Tools
33. Hacking Tools For Windows
34. Hack Tools Download
35. Ethical Hacker Tools
36. Hack Tools Mac
37. Tools 4 Hack
38. Hackers Toolbox
39. Hacking Tools Software
40. Hack Tools For Games
41. Hacker Tools 2020
42. Hack Tools
43. Black Hat Hacker Tools
44. Hacking Tools Usb
45. Bluetooth Hacking Tools Kali
46. Pentest Box Tools Download
47. Easy Hack Tools
48. Pentest Box Tools Download
49. Pentest Tools Apk
50. Pentest Tools Find Subdomains
51. Hacker Tools Github
52. Hacking Tools Pc
53. Hacker Tools For Ios
54. Hack Apps
55. Best Hacking Tools 2019
56. Nsa Hacker Tools
57. Hacking Tools For Mac
58. Hacker
59. Pentest Tools Website
60. Pentest Tools Review
61. Pentest Tools Subdomain
62. Hacking Tools For Windows
63. Hack Tool Apk No Root
64. Wifi Hacker Tools For Windows
65. Bluetooth Hacking Tools Kali
66. Hacker Tools Online
67. Android Hack Tools Github
68. Hacking App
69. Best Hacking Tools 2020
70. Pentest Tools Website
71. Hacker Tools
72. Pentest Tools Android
73. Hack Tools For Ubuntu
74. Pentest Automation Tools
75. Black Hat Hacker Tools
76. Hacker Search Tools
77. Hacker Tools For Pc
78. Kik Hack Tools
79. Black Hat Hacker Tools
80. Termux Hacking Tools 2019
81. Tools 4 Hack
82. Pentest Tools Website Vulnerability
83. Black Hat Hacker Tools
84. Pentest Tools Website
85. Hacking Tools For Windows 7
86. Pentest Recon Tools
87. Pentest Box Tools Download
88. Hacker Tools For Mac
89. Nsa Hacker Tools
90. Ethical Hacker Tools
91. Nsa Hack Tools Download
92. Hacker Tools 2019
93. Pentest Automation Tools
94. Free Pentest Tools For Windows
95. Hacker Security Tools