Thursday, June 1, 2023

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added; they don't specify whether it is an authentication backdoor, a special command or something else.

I started by looking for something weird in the authentication routines, but I didn't find anything significant in a brief period of time, so I decided to do a bindiff, which was the key to locating the backdoor quickly. I did a quick diff of the strings with the commands "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl", which is weird because it is a call for executing ELFs that an FTP service doesn't need, and weird because the compiled binary doesn't have that symbol.
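The same triage as a script, added here as an example and not part of the original write-up: extract the unique printable strings of a reference build and of the suspect binary, and report what only the suspect contains. The two byte blobs and the watchlist of process-spawning names are constructed for illustration.

```python
import re

# Assumed watchlist: libc calls that spawn programs, which an FTP daemon
# has little reason to import.
WATCHLIST = {"execl", "execlp", "execv", "execve", "system", "popen"}

def strings(blob, min_len=4):
    """Unique printable-ASCII runs, equivalent to `strings bin | sort -u`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, blob)}

def added_strings(reference, suspect):
    """Strings present in the suspect binary but absent from the reference."""
    return sorted(strings(suspect) - strings(reference))

def flagged(added):
    """Subset of the added strings that name a process-spawning call."""
    return [s for s in added if s in WATCHLIST]

# Constructed stand-ins for the two binaries: a fake ELF header followed by
# NUL-separated symbol names. Real use: pathlib.Path(path).read_bytes().
_HEADER = b"\x7fELF\x01\x01\x01\x00"
_COMMON = [b"socket", b"bind", b"listen", b"accept", b"getpwnam"]
REFERENCE = _HEADER + b"\x00".join(_COMMON) + b"\x00"
SUSPECT = _HEADER + b"\x00".join(_COMMON + [b"dup2", b"execl"]) + b"\x00"

if __name__ == "__main__":
    extra = added_strings(REFERENCE, SUSPECT)
    print("only in suspect:", extra)
    print("process-spawning:", flagged(extra))
```
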





Looking at the xrefs of "execl" in IDA, I found code that is a clear backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr to the socket and calls execl:



There is one xref to this function: the function that decides when to trigger it, and that decision is this kind of system of equations:


The backdoor was not in the authentication; it was a special command that triggers the backdoor, obfuscated in that system of equations. There was no need to use the z3 equation solver because the system is a simple one, and I solved it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125
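The by-hand solve as forward substitution, added here as an example and not part of the original write-up. The pair sums reproduce the listed solution only with cmd[1] = 75 (the solution list's value; the equation list shows 78), so the sketch treats cmd[1] as the one free variable and narrows it with printable-ASCII and flag-format filters.

```python
# Pair sums transcribed from the equation list above:
# PAIR_SUMS[i] = cmd[i + 1] + cmd[i + 2]
PAIR_SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
             195, 195, 201, 207, 203, 215, 235, 242]
CMD0 = 69  # cmd[0] is given directly

def solve_chain(cmd1):
    """Each sum shares a byte with the previous one: cmd[k+1] = sum - cmd[k]."""
    cmd = [CMD0, cmd1]
    for total in PAIR_SUMS:
        cmd.append(total - cmd[-1])
    return cmd

def is_printable(cmd):
    return all(0x20 <= b <= 0x7E for b in cmd)

def candidates():
    """Map every cmd[1] whose whole chain is printable ASCII to its string."""
    found = {}
    for cmd1 in range(0x20, 0x7F):
        cmd = solve_chain(cmd1)
        if is_printable(cmd):
            found[cmd1] = bytes(cmd).decode("ascii")
    return found

def matching_flag_format():
    """Keep only candidates shaped like the CTF flag: EKO{...}."""
    return [s for s in candidates().values()
            if s.startswith("EKO{") and s.endswith("}")]

if __name__ == "__main__":
    for cmd1, text in candidates().items():
        print(cmd1, text)
    print("flag-shaped:", matching_flag_format())
```
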


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

