Thursday, January 18, 2024

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added; they don't specify whether it is an authentication backdoor, a special command or something else.

I started looking for something weird in the authentication routines, but I didn't find anything significant in a brief period of time, so I decided to do a bindiff, which was the key to locating the backdoor quickly. I did a quick diff of the strings with the commands "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl", which is weird because it is a call for executing ELFs, not needed for an FTP service, and weird that the compiled binary doesn't have that symbol.





Looking at the xrefs of "execl" in IDA, I found code that is a clear backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr to the socket and calls execl.



There is one xref to this function: the function that decides when to trigger it, using this kind of system-of-equations decision.


The backdoor was not in the authentication; it was a special command that triggers the backdoor, obfuscated in that system of equations. There was no need to use a z3 equation solver because it is a simple one, and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}
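
The hand solution above can be reproduced by forward substitution, because each constraint ties one byte to the next. The Python below is an added example, not code from the original post; the function names are hypothetical, the sums are copied from the equation listing, and cmd[1] is seeded with 75, the value given in the solution listing.

```python
# Added example: recover the trigger command from the chained byte constraints.
# Constants are copied from the page; function names are hypothetical.

# Right-hand sides of cmd[i] + cmd[i+1] = s for i = 1..16, as listed on the page.
PAIR_SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
             195, 195, 201, 207, 203, 215, 235, 242]

CMD0 = 69  # cmd[0], from the page
CMD1 = 75  # cmd[1], taken from the page's solution listing


def solve_chain(cmd0, cmd1, pair_sums):
    """Forward substitution: cmd[i+1] = sum_i - cmd[i], starting from cmd[1]."""
    cmd = [cmd0, cmd1]
    for s in pair_sums:
        nxt = s - cmd[-1]
        # A valid command byte must fit in 0..255; anything else means the
        # seed values or the extracted constants are wrong.
        if not 0 <= nxt <= 255:
            raise ValueError(f"sum {s} gives non-byte value {nxt}")
        cmd.append(nxt)
    return bytes(cmd)


def check(cmd, cmd0, cmd1, pair_sums):
    """Re-evaluate every listed constraint against a candidate command."""
    if len(cmd) != len(pair_sums) + 2:
        return False
    if cmd[0] != cmd0 or cmd[1] != cmd1:
        return False
    # pair_sums[i] constrains cmd[i+1] + cmd[i+2].
    return all(cmd[i + 1] + cmd[i + 2] == s for i, s in enumerate(pair_sums))


if __name__ == "__main__":
    solved = solve_chain(CMD0, CMD1, PAIR_SUMS)
    print(solved.decode("ascii"), check(solved, CMD0, CMD1, PAIR_SUMS))
```

Because the system is a simple chain with two fixed bytes, it has exactly one solution, which is why no SMT solver is needed here.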

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

