
Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added. They don't specify whether it is an authentication backdoor, a special command or something else.

I started looking for something weird in the authentication routines, but I didn't find anything significant in a brief period of time, so I decided to do a bindiff, which was the key to locating the backdoor quickly. I did a quick diff of the strings with the commands "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl", which is weird because it is a call for executing ELFs, not needed for an FTP service, and weird that the compiled binary doesn't have that symbol.
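The same strings triage as a script, added here as an example (not part of the original write-up): it reproduces `strings | sort -u` on two binaries and reports strings present only in the suspect one, flagging process-execution names. The watchlist and the two sample byte blobs are constructed for illustration.

```python
import re
import sys

# Names whose appearance in a network daemon deserves a closer look
# (watchlist is an assumption of this example; extend as needed).
WATCHLIST = {"execl", "execlp", "execv", "execve", "system", "popen"}

def extract_strings(blob, min_len=4):
    """Equivalent of `strings | sort -u`: unique printable-ASCII runs."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, blob)}

def diff_strings(reference, suspect):
    """Return (strings only in suspect, subset of those on the watchlist)."""
    added = sorted(extract_strings(suspect) - extract_strings(reference))
    flagged = [s for s in added if s in WATCHLIST]
    return added, flagged

# Constructed sample data standing in for a known-good and a suspect build.
REFERENCE = b"\x00vsf_sysutil_bind\x00socket\x00listen\x00accept\x00"
SUSPECT = REFERENCE + b"execl\x00dup2\x00"

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f_ref, open(sys.argv[2], "rb") as f_sus:
            added, flagged = diff_strings(f_ref.read(), f_sus.read())
    else:
        added, flagged = diff_strings(REFERENCE, SUSPECT)
    for s in added:
        print(("[!] " if s in flagged else "    ") + s)
```

Run it with the reference build first and the suspect build second; without arguments it uses the constructed samples.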





Looking at the xrefs of "execl" in IDA, I found code that is a clear backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr to the socket and uses execl:



There is one xref to this function: the function that decides when to trigger it, which is this kind of system-of-equations decision:


The backdoor was not in the authentication; it was a special command that triggers the backdoor, obfuscated in that system of equations. There was no need to use a z3 equation solver because it is a simple one, and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125
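
The hand calculation as a short script, added here as an example (not code from the challenge or from the author). It seeds the chain with cmd[1] = 75 from the solution list; the 78 printed for cmd[1] in the equation list ends in a final byte of 128, outside printable ASCII. Function names are this example's own.

```python
# Pairwise sums transcribed from the equation list above:
# SUMS[i] is cmd[i+1] + cmd[i+2], for i = 0..15.
SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
        195, 195, 201, 207, 203, 215, 235, 242]
CMD0 = 69  # pinned directly by the first comparison

def solve_chain(second, sums=SUMS, first=CMD0):
    """Forward substitution: once cmd[1] is known, every sum has one unknown."""
    cmd = [first, second]
    for s in sums:
        cmd.append(s - cmd[-1])
    return cmd

def is_printable(cmd):
    return all(0x20 <= b <= 0x7E for b in cmd)

def recover(second):
    """Return the command string for a given cmd[1], or None if not printable."""
    cmd = solve_chain(second)
    return bytes(cmd).decode("ascii") if is_printable(cmd) else None

def printable_seeds():
    """Every cmd[1] that still yields an all-printable command: shows how much
    the sums alone leave open if the cmd[1] constant were not in the binary."""
    return [x for x in range(0x20, 0x7F) if is_printable(solve_chain(x))]

if __name__ == "__main__":
    print(recover(75))            # seed taken from the solution list
    print(solve_chain(78)[-1])    # seed as printed in the equation list
    print(printable_seeds())
```

The sums alone are satisfied by several printable strings; the explicit constant for cmd[1] is what reduces them to a single command.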


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

