Monday, May 29, 2023

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


More articles
  1. Hacker Tools Online
  2. How To Make Hacking Tools
  3. Hacker Tools For Windows
  4. Pentest Tools Free
  5. Hack Tools
  6. What Is Hacking Tools
  7. Pentest Recon Tools
  8. Hack Tools For Mac
  9. Pentest Tools Kali Linux
  10. Best Pentesting Tools 2018
  11. Hak5 Tools
  12. Bluetooth Hacking Tools Kali
  13. Install Pentest Tools Ubuntu
  14. Pentest Tools Open Source
  15. Best Hacking Tools 2020
  16. Pentest Reporting Tools
  17. Hack Tools Github
  18. Hacking Tools For Windows 7
  19. Pentest Tools Port Scanner
  20. Pentest Automation Tools
  21. Tools For Hacker
  22. Bluetooth Hacking Tools Kali
  23. Hacking Tools Windows
  24. Hacking Tools Download
  25. Game Hacking
  26. Hack Tool Apk
  27. Hacking Tools
  28. Hack Tools
  29. Nsa Hack Tools
  30. Pentest Tools Windows
  31. Hacker Tools List
  32. Hacker Tools Linux
  33. Pentest Tools Tcp Port Scanner
  34. Hacker Techniques Tools And Incident Handling
  35. Hack Tools Download
  36. Hacker Tools Free
  37. Hacker Tools Hardware
  38. Hacker Tools Free
  39. Hacker Techniques Tools And Incident Handling
  40. Hacking Tools Download
  41. How To Install Pentest Tools In Ubuntu
  42. Hack Website Online Tool
  43. Pentest Tools Github
  44. How To Hack
  45. Hacking Tools Pc
  46. Hacking Tools
  47. Blackhat Hacker Tools
  48. Hacker Tools
  49. Hacker Tools
  50. Pentest Tools Linux
  51. Pentest Reporting Tools
  52. Free Pentest Tools For Windows
  53. Pentest Tools Open Source
  54. Hacking Tools For Mac
  55. Pentest Tools Website
  56. Hacking Tools
  57. Hacking App
  58. Pentest Tools Android
  59. Hacker Tools For Ios
  60. Pentest Tools Tcp Port Scanner
  61. Hacking Tools Kit
  62. Hackrf Tools
  63. Hack Rom Tools
  64. Hacking Tools Usb
  65. Physical Pentest Tools
  66. Hacking Apps
  67. Hacks And Tools
  68. Hack Tools
  69. Hacking Tools For Pc
  70. Hacker Tools Hardware
  71. Bluetooth Hacking Tools Kali
  72. Hacker Tools Free
  73. Hacker Tools
  74. Tools 4 Hack
  75. Hacks And Tools
  76. Pentest Tools Download
  77. Pentest Recon Tools
  78. Tools For Hacker
  79. Pentest Tools Subdomain
  80. Hack Tools Mac
  81. Pentest Tools Alternative
  82. Pentest Tools Subdomain
  83. Hacking Tools Mac
  84. Hacking Tools For Pc
  85. Wifi Hacker Tools For Windows
  86. Hacker Tools Github
  87. Install Pentest Tools Ubuntu
  88. Hacking Tools Usb
  89. Hack Tool Apk No Root
  90. Hacking Tools For Beginners
  91. Pentest Tools Online
  92. Hacker Tools For Ios
  93. Hack Tools Github
  94. Best Hacking Tools 2020
  95. Hacker Tools 2020
  96. Hacker Tools Free
  97. Pentest Tools Alternative
  98. Hack Tools Download
  99. Hacking Tools Mac
  100. Tools For Hacker
  101. Pentest Tools Online
  102. Hack Apps
  103. Hacker Security Tools
  104. Hacking Tools And Software
  105. Hacking Tools Free Download
  106. Hacking Tools Usb
  107. Hacker Tools Hardware
  108. Pentest Tools
  109. Hacking Tools And Software
  110. Hacking Tools Kit
  111. Hacker Techniques Tools And Incident Handling
  112. Pentest Automation Tools
  113. Hacking Tools For Kali Linux
  114. Pentest Tools Free
  115. Best Hacking Tools 2019
  116. Hack App
  117. Pentest Tools List
  118. Hacker Tools Free Download
  119. Hacker
  120. Github Hacking Tools
  121. Pentest Automation Tools
  122. Free Pentest Tools For Windows
  123. Physical Pentest Tools
  124. Pentest Tools Subdomain
  125. Hacking Tools For Mac
  126. Hack Tools For Games
  127. Hack Tools Download
  128. Hack Tools 2019
  129. Beginner Hacker Tools
  130. Wifi Hacker Tools For Windows
  131. Hacker Tools Apk Download
  132. Pentest Tools Android
  133. Hack Website Online Tool
  134. Hacking Tools For Games
  135. Nsa Hack Tools Download
  136. Wifi Hacker Tools For Windows
  137. Pentest Tools For Android
  138. Hacking Tools For Mac
  139. Hacker Tools List
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)