Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


Related posts


  1. Pentest Tools
  2. Pentest Tools Bluekeep
  3. Underground Hacker Sites
  4. Pentest Tools Find Subdomains
  5. Hacking Tools Free Download
  6. Hacker
  7. Hacking Tools Windows
  8. Hacker Techniques Tools And Incident Handling
  9. Android Hack Tools Github
  10. Wifi Hacker Tools For Windows
  11. Hacking Tools For Windows Free Download
  12. Best Hacking Tools 2019
  13. Pentest Tools Website
  14. Hacking Tools
  15. Pentest Tools Kali Linux
  16. Hacker
  17. Hack Tool Apk
  18. Hack Tools Download
  19. Hacker Tools Apk
  20. Tools 4 Hack
  21. Hacker
  22. Growth Hacker Tools
  23. Hacker Tools 2019
  24. How To Install Pentest Tools In Ubuntu
  25. Hacking Tools Pc
  26. How To Make Hacking Tools
  27. Hacking Tools For Mac
  28. Pentest Tools For Windows
  29. Hacker Security Tools
  30. Hacking Tools Windows 10
  31. Hacking Tools Usb
  32. Hack Tools Pc
  33. Hack Tools For Mac
  34. Hacker Security Tools
  35. Tools 4 Hack
  36. Pentest Recon Tools
  37. Pentest Tools Nmap
  38. Hacker Tools Hardware
  39. Physical Pentest Tools
  40. Hacker Tools List
  41. Hacker Techniques Tools And Incident Handling
  42. Hack And Tools
  43. Pentest Tools Port Scanner
  44. Hacker Tools Online
  45. Hacker Techniques Tools And Incident Handling
  46. Android Hack Tools Github
  47. Hack Tools Download
  48. Hack Rom Tools
  49. Android Hack Tools Github
  50. Nsa Hack Tools Download
  51. Hacking Tools Hardware
  52. Hack Tools Online
  53. Hacking Tools For Windows 7
  54. Hacker Tools For Ios
  55. Pentest Tools Windows
  56. Pentest Box Tools Download
  57. Hacking Tools For Windows 7
  58. Hacker Tools For Pc
  59. Pentest Tools Framework
  60. Best Hacking Tools 2019
  61. Hacking Apps
  62. Hacking Tools Free Download
  63. Hackers Toolbox
  64. Hacker Tools For Windows
  65. Pentest Tools Apk
  66. Pentest Tools Alternative
  67. Hacker Hardware Tools
  68. Hacking Tools Hardware
  69. Hacker Tools Github
  70. Pentest Tools Url Fuzzer
  71. Top Pentest Tools
  72. Pentest Tools Download
  73. Pentest Tools For Windows
  74. Nsa Hack Tools Download
  75. Hacker Tools 2020
  76. Pentest Tools For Android
  77. Hack Tools For Windows
  78. Pentest Tools Find Subdomains
  79. Nsa Hack Tools Download
  80. Pentest Tools Nmap
  81. Github Hacking Tools
  82. Hacker Tools Apk Download
  83. Hack Tools
  84. Hacking Tools For Windows Free Download
  85. Pentest Automation Tools
  86. Hack Tools For Mac
  87. Hacking Tools For Windows
  88. Pentest Tools Bluekeep
  89. Hacker Tools For Windows
  90. Hack Website Online Tool
  91. Hack Apps
  92. Hacking Tools For Windows
  93. Hack Tools Online
  94. Pentest Tools Kali Linux

沒有留言:

張貼留言

訂閱: 張貼留言 (Atom)