Sunday, June 4, 2023

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


More articles


  1. Hacking Tools 2020
  2. Hacker Tools Free
  3. Hacker Tools For Ios
  4. Github Hacking Tools
  5. Pentest Tools Open Source
  6. Nsa Hack Tools
  7. Hacker Tools Software
  8. Pentest Tools For Windows
  9. How To Make Hacking Tools
  10. Hacking Tools For Games
  11. Pentest Tools For Android
  12. Hacking Tools Name
  13. Hack Tools Github
  14. Pentest Tools For Android
  15. Tools Used For Hacking
  16. Hack Tool Apk No Root
  17. How To Make Hacking Tools
  18. Hacker Security Tools
  19. Hacking Tools Software
  20. Pentest Tools For Ubuntu
  21. Pentest Tools Linux
  22. Pentest Tools Alternative
  23. Hacking Tools For Windows 7
  24. Computer Hacker
  25. Pentest Automation Tools
  26. Hacker Tools For Mac
  27. Hack Rom Tools
  28. Hacking Tools For Kali Linux
  29. Tools Used For Hacking
  30. Hacker Tools Hardware
  31. Pentest Tools Windows
  32. Pentest Tools For Android
  33. Pentest Tools Android
  34. Pentest Automation Tools
  35. Best Hacking Tools 2020
  36. Best Hacking Tools 2020
  37. Hacker Search Tools
  38. Hacking Apps
  39. Nsa Hack Tools Download
  40. Hackrf Tools
  41. Hacking Tools 2020
  42. Github Hacking Tools
  43. Pentest Tools Nmap
  44. Pentest Tools Subdomain
  45. New Hacker Tools
  46. Underground Hacker Sites
  47. Hack Tools Mac
  48. Pentest Tools Apk
  49. Hacker Tool Kit
  50. Pentest Tools Github
  51. Hacking Tools Usb
  52. Best Pentesting Tools 2018
  53. Pentest Tools Website Vulnerability
  54. Hacking Tools Windows
  55. Pentest Tools Port Scanner
  56. Pentest Tools For Windows
  57. Hacking Tools For Mac
  58. Hacking Tools Windows
  59. Pentest Box Tools Download
  60. Hacker Techniques Tools And Incident Handling
  61. Hacking Tools And Software
  62. Hacker Tools Github
  63. Hacking Tools
  64. Hacker Tool Kit
  65. How To Hack
  66. Hack Tools For Ubuntu
  67. Hacker Tools For Mac
  68. Pentest Tools Website
  69. Pentest Tools Framework
  70. What Is Hacking Tools
  71. Hack Tool Apk No Root
  72. Hack And Tools
  73. Hack Tool Apk No Root
  74. Hack Tools Mac
  75. Pentest Tools Website Vulnerability
  76. What Is Hacking Tools
  77. World No 1 Hacker Software
  78. Hack Tools For Games
  79. Pentest Tools Nmap
  80. Install Pentest Tools Ubuntu
  81. Hacker
  82. Hacker Tools 2019
  83. What Are Hacking Tools
  84. Pentest Tools Bluekeep

No comments:

Post a Comment