28 may 2023

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


More information
  1. Ethical Hacker Tools
  2. Beginner Hacker Tools
  3. Pentest Tools Online
  4. Hacker Tools For Ios
  5. Pentest Box Tools Download
  6. Pentest Box Tools Download
  7. Hacking Tools Pc
  8. Hacker Hardware Tools
  9. Pentest Tools For Windows
  10. Pentest Tools Tcp Port Scanner
  11. Blackhat Hacker Tools
  12. Hacker Hardware Tools
  13. Hack Tools For Ubuntu
  14. Pentest Recon Tools
  15. Hacking App
  16. Game Hacking
  17. Hack Rom Tools
  18. Hack Rom Tools
  19. Hacker
  20. Hacking Tools Free Download
  21. Hacker Tools Hardware
  22. Top Pentest Tools
  23. Install Pentest Tools Ubuntu
  24. Hack Tools Online
  25. Hacking Tools
  26. Hacker Tools Free
  27. Termux Hacking Tools 2019
  28. Black Hat Hacker Tools
  29. Pentest Tools Find Subdomains
  30. How To Install Pentest Tools In Ubuntu
  31. Pentest Recon Tools
  32. Pentest Tools Windows
  33. Hacking Tools Windows 10
  34. Hacking Tools Online
  35. Nsa Hack Tools
  36. Pentest Tools Alternative
  37. Black Hat Hacker Tools
  38. Hack Tools
  39. Pentest Tools Framework
  40. Github Hacking Tools
  41. Pentest Tools Download
  42. Hack Tool Apk No Root
  43. Hacker Tools Mac
  44. New Hacker Tools
  45. Blackhat Hacker Tools
  46. Pentest Tools Tcp Port Scanner
  47. Hacking Tools Windows 10
  48. Ethical Hacker Tools
  49. How To Hack
  50. Pentest Tools Alternative
  51. Underground Hacker Sites
  52. Kik Hack Tools
  53. Hacking Tools Hardware
  54. Easy Hack Tools
  55. Hacking Tools 2020
  56. Hacking Tools 2020
  57. Hack Website Online Tool
  58. Hack Tools
  59. Hack Tools For Mac
  60. Computer Hacker
  61. Hack Tool Apk
  62. Hack Website Online Tool
  63. Pentest Tools Port Scanner
  64. Hack Tools Download
  65. Hacking Tools Software
  66. Hacking Tools 2020
  67. Hacking Tools
  68. Hacking Tools Github
  69. World No 1 Hacker Software
  70. Hacker Tools Github
  71. Hack Tools 2019
  72. Pentest Tools Port Scanner
  73. Hack Tools
  74. Hack Tools Download
  75. Pentest Tools Github
  76. Hack Tool Apk No Root
  77. Pentest Automation Tools
  78. How To Hack
  79. Hacker Search Tools
  80. Black Hat Hacker Tools
  81. How To Hack
  82. Hacker Tools Apk Download
  83. Tools For Hacker
  84. Hacker Tools Apk Download
  85. Bluetooth Hacking Tools Kali
  86. Hacker Tools Free
  87. Hacking Tools For Windows 7
  88. Hacker Tools Linux
  89. Computer Hacker
  90. Hack Tool Apk
  91. Usb Pentest Tools
  92. Hacking Tools Windows 10
  93. Pentest Reporting Tools
  94. Hack App
  95. Hacker Security Tools
  96. Hack Tools For Pc
  97. What Are Hacking Tools
  98. Hacking Tools For Windows 7
  99. Pentest Tools Website Vulnerability
  100. Hacking Tools For Windows Free Download
  101. Hack Tools For Ubuntu
  102. Hacker Tools List
  103. Pentest Tools Free
  104. New Hack Tools
  105. Hacking Tools
  106. Hacking Tools Software
  107. Hacker Search Tools
  108. Hack Tools For Ubuntu
  109. Hacking Tools Free Download
  110. Hack Website Online Tool
  111. Hack Tools
  112. How To Install Pentest Tools In Ubuntu
  113. Top Pentest Tools
  114. Pentest Tools Kali Linux
  115. Hacking Tools 2020
  116. Hacker Tools Software
  117. Physical Pentest Tools
  118. World No 1 Hacker Software
  119. New Hacker Tools
  120. Computer Hacker
  121. Pentest Tools For Mac
  122. Hacker Tools Apk
  123. How To Make Hacking Tools
  124. Hacker Tools Software
  125. Pentest Tools Nmap
  126. Hacking Tools For Mac
  127. Hacker Security Tools
  128. Github Hacking Tools
  129. Github Hacking Tools
  130. Hacking Tools For Mac
  131. Computer Hacker
  132. Hacking Tools Mac
  133. Hacking Tools For Mac
  134. Hackrf Tools
  135. Physical Pentest Tools
  136. Hacking Tools Mac
  137. Hack App
  138. Hacking Tools Pc
  139. Hacker Tools For Mac
  140. Hacking Tools For Mac
  141. Hacker Tools
  142. Hacking Tools Name
  143. Hacking Tools For Windows 7
Publicado por en

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)