Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.

Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:

There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:

The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.

The equation:

cmd[0] = 69

cmd[1] = 78

cmd[1] + cmd[2] = 154

cmd[2] + cmd[3] = 202

cmd[3] + cmd[4] = 241

cmd[4] + cmd[5] = 233

cmd[5] + cmd[6] = 217

cmd[6] + cmd[7] = 218

cmd[7] + cmd[8] = 228

cmd[8] + cmd[9] = 212

cmd[9] + cmd[10] = 195

cmd[10] + cmd[11] = 195

cmd[11] + cmd[12] = 201

cmd[12] + cmd[13] = 207

cmd[13] + cmd[14] = 203

cmd[14] + cmd[15] = 215

cmd[15] + cmd[16] = 235

cmd[16] + cmd[17] = 242

The solution:

cmd[0] = 69

cmd[1] = 75

cmd[2] = 79

cmd[3] = 123

cmd[4] = 118

cmd[5] = 115

cmd[6] = 102

cmd[7] = 116

cmd[8] = 112

cmd[9] = 100

cmd[10] = 95

cmd[11] = 100

cmd[12] = 101

cmd[13] = 106

cmd[14] = 97                    

cmd[15] = 118

cmd[16] = 117

cmd[17] = 125

The flag:

EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

Read more

1. Hackrf Tools
2. Pentest Tools Review
3. Hack Tools
4. Hackrf Tools
5. Hacks And Tools
6. Hacking Tools 2019
7. Pentest Tools Find Subdomains
8. Pentest Tools Framework
9. Pentest Tools Github
10. Install Pentest Tools Ubuntu
11. Hack Tools For Ubuntu
12. Hacking Tools For Windows
13. Pentest Tools Windows
14. Best Hacking Tools 2020
15. Tools For Hacker
16. What Is Hacking Tools
17. Hacking App
18. What Are Hacking Tools
19. Hacking Tools For Kali Linux
20. Pentest Automation Tools
21. Hack Tools
22. Free Pentest Tools For Windows
23. Hack Tools Download
24. Pentest Tools Android
25. Hacker Hardware Tools
26. Android Hack Tools Github
27. Best Hacking Tools 2019
28. Hacker Tools For Mac
29. Hack Tools For Windows
30. Android Hack Tools Github
31. Physical Pentest Tools
32. Pentest Tools Url Fuzzer
33. Hack Tools For Windows
34. Pentest Tools Website
35. Pentest Tools Website
36. Hack Tools For Windows
37. Hacking Tools Kit
38. What Are Hacking Tools
39. Pentest Tools Nmap
40. Hacking Tools And Software
41. Hacker Security Tools
42. Termux Hacking Tools 2019
43. Hack Tools For Pc
44. Game Hacking
45. Pentest Tools For Android
46. Hacking Tools Windows
47. Best Hacking Tools 2020
48. Hacker Tools 2019
49. Hacker
50. Hacking Tools 2019
51. Hack Apps
52. Hacker Tools Hardware
53. Nsa Hack Tools
54. Pentest Recon Tools
55. Top Pentest Tools
56. Kik Hack Tools
57. What Are Hacking Tools
58. What Is Hacking Tools
59. Nsa Hacker Tools
60. Tools Used For Hacking
61. Hack And Tools
62. How To Hack
63. Pentest Box Tools Download
64. Hacker Tools List
65. Hack Tools Online
66. Hack App
67. Hacker Tools Online
68. Hacking App
69. Hacker Tools Online
70. Hacker Tools
71. Hacking Tools 2020
72. What Are Hacking Tools
73. Hack Tools Download
74. World No 1 Hacker Software
75. Hacker
76. Pentest Tools Find Subdomains
77. Blackhat Hacker Tools
78. Hacker Tools Linux
79. Pentest Tools Alternative
80. Growth Hacker Tools
81. Hack Tools Github
82. Pentest Tools Apk
83. Hacking Tools Software
84. Physical Pentest Tools
85. Pentest Tools Online
86. Hacker Tool Kit
87. Hack Tools For Windows
88. Android Hack Tools Github
89. Pentest Tools Tcp Port Scanner
90. Computer Hacker
91. Hacking Tools For Pc
92. World No 1 Hacker Software
93. Tools 4 Hack