Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


Related articles


  1. Hacker Tools 2019
  2. Hacking Tools For Mac
  3. Pentest Tools Github
  4. Hacker Tools 2020
  5. Hackrf Tools
  6. Hacks And Tools
  7. Hacking Tools Github
  8. Game Hacking
  9. Pentest Tools Subdomain
  10. Bluetooth Hacking Tools Kali
  11. Hacker Tools Hardware
  12. Hacker Tools 2019
  13. Hacker Tools
  14. Hacking Tools Windows 10
  15. How To Hack
  16. Hack Tools Github
  17. Pentest Tools Alternative
  18. Hacker Tools 2019
  19. New Hacker Tools
  20. Hacker Tools Github
  21. Tools 4 Hack
  22. Hacker Tools Apk
  23. Hacking Tools For Mac
  24. Top Pentest Tools
  25. Nsa Hack Tools
  26. Pentest Tools Bluekeep
  27. Hack Tools For Windows
  28. Hacker Tools Linux
  29. Hacker Tools Apk Download
  30. Hack Tools Github
  31. Pentest Tools Bluekeep
  32. Hacker Tools Hardware
  33. Hacking Tools For Windows 7
  34. How To Hack
  35. Hacking Tools And Software
  36. What Is Hacking Tools
  37. Pentest Tools For Android
  38. Hacking Tools For Kali Linux
  39. Hack Tools Mac
  40. Best Hacking Tools 2020
  41. Nsa Hack Tools Download
  42. Pentest Automation Tools
  43. Pentest Tools For Ubuntu
  44. Pentest Tools Alternative
  45. Growth Hacker Tools
  46. Hacking Tools For Windows
  47. Hacker Tools For Windows
  48. Hacking Tools For Games
  49. Hacker Tools List
  50. Pentest Tools Port Scanner
  51. New Hack Tools
  52. Tools For Hacker
  53. Hacking Tools Online
  54. Pentest Automation Tools
  55. Black Hat Hacker Tools
  56. Pentest Tools Find Subdomains
  57. Hacking Tools Pc
  58. Blackhat Hacker Tools
  59. Github Hacking Tools
  60. Hack App
  61. World No 1 Hacker Software
  62. Hacking Tools 2019
  63. Kik Hack Tools
  64. How To Install Pentest Tools In Ubuntu
  65. New Hacker Tools
  66. Hacker Tools Free
  67. Hacking Tools Windows 10
  68. Hacker Tools
  69. Hacker
  70. Hacker Tools 2019
  71. Hack Tools For Pc
  72. Hack Tools
  73. Blackhat Hacker Tools
  74. Hacking Tools Hardware
  75. Hacking Tools And Software
  76. Pentest Tools Find Subdomains
  77. Pentest Tools Windows
  78. Hacker Tools Linux
  79. Pentest Tools For Android
  80. Pentest Tools Online
  81. Hacker Tools Apk Download
  82. World No 1 Hacker Software
  83. Pentest Tools Open Source
  84. Hacker Search Tools
  85. Pentest Tools Find Subdomains
  86. Physical Pentest Tools
  87. Hacking Tools Mac
  88. New Hack Tools
  89. Hacker Tools Apk
  90. Hacking Tools For Kali Linux
  91. Pentest Tools Review
  92. Hacker Tools For Mac
  93. Hacker Tools Apk
  94. Pentest Recon Tools
  95. Hacker Tools For Ios
  96. Hack Tools Mac
  97. Pentest Tools Nmap
  98. Hackrf Tools
  99. Termux Hacking Tools 2019
  100. Pentest Tools Download
  101. Hack And Tools
  102. Hacking Tools For Windows 7
  103. What Is Hacking Tools
  104. How To Install Pentest Tools In Ubuntu
  105. Hacker Tools 2020
  106. Hak5 Tools
  107. Pentest Tools Subdomain
  108. Pentest Tools Port Scanner
  109. Hackrf Tools
  110. Best Hacking Tools 2020
  111. Hack Tools Online
  112. Pentest Tools Review

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)