Wednesday, August 26, 2020

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added; the challenge doesn't specify whether it is an authentication backdoor, a special command or something else.

I started looking for something weird in the authentication routines, but I didn't find anything significant in a brief period of time, so I decided to do a bindiff, which was the key to locating the backdoor quickly. I did a quick diff of the strings of both binaries with the command "strings bin | sort -u" and "vimdiff", and noticed that the backdoored binary has the symbol "execl", which is weird because it is a call for executing ELFs, not needed by an FTP service, and also weird because the clean compiled binary doesn't have that symbol.
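The strings diff described above, as an added example (not code from the write-up): it reimplements the "strings | sort -u" + vimdiff step in Python, reports every string that appears only in the sample binary, and highlights the ones that an FTP daemon has no reason to carry. The two byte blobs are constructed stand-ins for a clean build and the challenge binary; the suspicious-symbol list is my own choice, not something the write-up defines.

```python
import re
import sys
from typing import Set

# Constructed sample "binaries": tiny byte blobs standing in for a clean
# vsftpd build and the backdoored one. Real inputs are read from disk below.
CLEAN_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 +
    b"socket\x00bind\x00listen\x00accept\x00vsftpd: version 0.0.0-sample\x00"
    b"530 Login incorrect.\x00\x01\x02"
)
BACKDOORED_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8 +
    b"socket\x00bind\x00listen\x00accept\x00vsftpd: version 0.0.0-sample\x00"
    b"530 Login incorrect.\x00dup2\x00execl\x00/bin/sh\x00\x01\x02"
)

# Strings that are worth a manual look when they show up in only one of two
# builds of the same server (assumed list, not from the write-up).
SUSPICIOUS = {"execl", "execve", "execvp", "system", "dup2", "/bin/sh"}


def extract_strings(blob: bytes, min_len: int = 4) -> Set[str]:
    """Mimic `strings | sort -u`: unique runs of >= min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, blob)}


def strings_diff(reference: bytes, sample: bytes) -> Set[str]:
    """Strings present in `sample` but absent from `reference` (the '+' side of vimdiff)."""
    return extract_strings(sample) - extract_strings(reference)


def suspicious_additions(reference: bytes, sample: bytes) -> Set[str]:
    """The subset of added strings that point at process execution or socket plumbing."""
    return strings_diff(reference, sample) & SUSPICIOUS


if __name__ == "__main__":
    # Usage: python strings_diff.py <clean_binary> <sample_binary>
    # Without arguments the constructed blobs above are compared.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            ref = f.read()
        with open(sys.argv[2], "rb") as f:
            sam = f.read()
    else:
        ref, sam = CLEAN_BLOB, BACKDOORED_BLOB
    for s in sorted(strings_diff(ref, sam)):
        marker = "   <-- suspicious" if s in SUSPICIOUS else ""
        print(f"+ {s}{marker}")
```

Run against the constructed blobs it prints "dup2", "execl" and "/bin/sh" as additions, all flagged; run against two real files it gives the same one-sided view the author got from vimdiff, which is enough to pick the first xref to follow in IDA.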





Looking at the xrefs of "execl" in IDA I found code that is a clear backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr onto the socket and calls execl:



There is one xref to this function; the function that decides when to trigger it is a system-of-equations style check:


The backdoor was not in the authentication; it was a special command that triggers the backdoor, obfuscated in that system of equations. There was no need to use a z3 equation solver because it is a simple one and I solved it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125
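The hand solution above, carried through in code as an added example (not part of the write-up): the constraints are transcribed exactly as listed, a small propagation loop does the back-substitution from the anchors through the chain of pairwise sums, and a verifier reports which listed constraints a candidate solution fails. Running that verifier against the listed solution is the check a practitioner would want here: the transcribed anchor cmd[1] = 78 is the one constraint the solution does not satisfy (78 + 79 is not 154), and seeding the chain with cmd[1] = 75, the value the solution and the flag actually use, reproduces EKO{vsftpd_dejavu}. The propagate/verify functions are mine, not the challenge's.

```python
from typing import Dict, List, Tuple

# Constraints transcribed from the write-up: single-byte anchors and
# pairwise sums cmd[i] + cmd[j] = s.
ANCHORS: Dict[int, int] = {0: 69, 1: 78}
PAIR_SUMS: List[Tuple[int, int, int]] = [
    (1, 2, 154), (2, 3, 202), (3, 4, 241), (4, 5, 233), (5, 6, 217),
    (6, 7, 218), (7, 8, 228), (8, 9, 212), (9, 10, 195), (10, 11, 195),
    (11, 12, 201), (12, 13, 207), (13, 14, 203), (14, 15, 215),
    (15, 16, 235), (16, 17, 242),
]
# The write-up's solution, as byte values.
SOLUTION = [69, 75, 79, 123, 118, 115, 102, 116, 112, 100, 95, 100,
            101, 106, 97, 118, 117, 125]
CMD_LEN = 18


def propagate(anchors: Dict[int, int],
              pair_sums: List[Tuple[int, int, int]]) -> Dict[int, int]:
    """Back-substitution: a pair sum with one side known fixes the other side.
    Iterates until nothing changes, so constraint order does not matter."""
    known = dict(anchors)
    changed = True
    while changed:
        changed = False
        for i, j, s in pair_sums:
            if i in known and j not in known:
                known[j] = s - known[i]
                changed = True
            elif j in known and i not in known:
                known[i] = s - known[j]
                changed = True
    return known


def to_command(values: Dict[int, int], length: int = CMD_LEN) -> str:
    """Render the solved bytes as the trigger string (raises KeyError if unsolved)."""
    return "".join(chr(values[i]) for i in range(length))


def failing_constraints(values: Dict[int, int], anchors: Dict[int, int],
                        pair_sums: List[Tuple[int, int, int]]) -> List[str]:
    """Every listed constraint that the candidate assignment violates."""
    bad = []
    for i, v in anchors.items():
        if values[i] != v:
            bad.append(f"cmd[{i}] = {v}")
    for i, j, s in pair_sums:
        if values[i] + values[j] != s:
            bad.append(f"cmd[{i}] + cmd[{j}] = {s}")
    return bad


if __name__ == "__main__":
    # 1) Which listed constraint does the write-up's own solution fail?
    print("solution fails:", failing_constraints(dict(enumerate(SOLUTION)), ANCHORS, PAIR_SUMS))
    # 2) Propagating from the constraints exactly as listed gives a non-flag.
    print("as listed   :", repr(to_command(propagate(ANCHORS, PAIR_SUMS))))
    # 3) Seeding cmd[1] with the value the solution uses reproduces the flag.
    print("with cmd[1]=75:", to_command(propagate({0: 69, 1: 75}, PAIR_SUMS)))
```

The propagation is the same thing z3 would do for a chain like this, just without the dependency; the verifier is the part worth keeping, since it turns a transcription slip into a single named constraint instead of a wrong flag.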


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

