Thursday, August 27, 2020

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


Related links


  1. Ethical Hacker Tools
  2. Hacking Tools
  3. Hacker Tools Software
  4. Hack App
  5. Nsa Hack Tools Download
  6. Hacker Hardware Tools
  7. Hack Tools For Games
  8. Kik Hack Tools
  9. Pentest Box Tools Download
  10. How To Hack
  11. Nsa Hack Tools
  12. Hacker Tools 2019
  13. Hacker Tools Linux
  14. Pentest Tools For Windows
  15. Hacker Tools Apk Download
  16. Hacking Tools Free Download
  17. How To Install Pentest Tools In Ubuntu
  18. Ethical Hacker Tools
  19. Hak5 Tools
  20. Pentest Tools Url Fuzzer
  21. Hacking Tools Name
  22. Bluetooth Hacking Tools Kali
  23. Hacking App
  24. Computer Hacker
  25. Ethical Hacker Tools
  26. Hacker Security Tools
  27. Easy Hack Tools
  28. Hack Tools
  29. Hack Tools Pc
  30. Hack Tools Download
  31. Hacker Tool Kit
  32. Underground Hacker Sites
  33. Hack Tools Online
  34. Hacker Tools For Windows
  35. Hack Tools For Windows
  36. Hacking Apps
  37. Pentest Tools Linux
  38. Pentest Box Tools Download
  39. Pentest Automation Tools
  40. Hackers Toolbox
  41. Hack Website Online Tool
  42. Hack And Tools
  43. Computer Hacker
  44. Physical Pentest Tools
  45. New Hack Tools
  46. Hacking Tools
  47. Hacking Tools Usb
  48. Hacker Tools For Windows
  49. Hack Tools 2019
  50. Hack Rom Tools
  51. Hacking Tools For Windows 7
  52. Hacker Hardware Tools
  53. Pentest Tools Kali Linux
  54. Hackers Toolbox
  55. Hack And Tools
  56. Hacker Tools Hardware
  57. Wifi Hacker Tools For Windows
  58. Hacker Tools Mac
  59. Hacking Tools Software
  60. Pentest Tools Bluekeep
  61. Computer Hacker
  62. Hacking Tools Github
  63. Hack Tools
  64. Hacking Tools Kit
  65. How To Install Pentest Tools In Ubuntu
  66. Pentest Tools Online
  67. Pentest Tools Url Fuzzer
  68. Hacker
  69. Hack Website Online Tool
  70. How To Hack
  71. Github Hacking Tools
  72. Hackrf Tools
  73. Hacker Tools For Windows
  74. Pentest Tools Online
  75. Hacking Tools Kit
  76. Pentest Tools Review
  77. Pentest Tools Kali Linux
  78. Hacker Tools Free
  79. Pentest Tools Online
  80. What Is Hacking Tools
  81. What Is Hacking Tools
  82. Pentest Tools Tcp Port Scanner
  83. Pentest Tools Url Fuzzer
  84. Game Hacking
  85. Pentest Tools Url Fuzzer
  86. Hack Tools For Ubuntu
  87. Nsa Hack Tools
  88. Tools 4 Hack
  89. Hack Tools For Windows
  90. Wifi Hacker Tools For Windows
  91. Pentest Tools Alternative
  92. Pentest Tools Subdomain
  93. Hack Tool Apk
  94. Hack Tool Apk
  95. Computer Hacker
  96. Pentest Tools
  97. Hacking Tools Windows
  98. Pentest Tools Website Vulnerability
  99. Nsa Hacker Tools
  100. Hacking Tools For Windows Free Download
  101. Pentest Tools
  102. What Is Hacking Tools
  103. Hack Tools For Pc
  104. Hack Tools Pc
  105. Underground Hacker Sites
  106. Hack Tools Download
  107. Kik Hack Tools
  108. Pentest Reporting Tools
  109. Hacking Tools Online
  110. Pentest Tools Open Source
  111. Hack Apps
  112. Pentest Tools Tcp Port Scanner
  113. Bluetooth Hacking Tools Kali
  114. World No 1 Hacker Software
  115. Ethical Hacker Tools
  116. Hacker Tools Windows
  117. Wifi Hacker Tools For Windows
  118. Hack And Tools
  119. Pentest Recon Tools
  120. Hacker Tools Software
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)