Wednesday 31 May 2023

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added; they don't specify whether it is an authentication backdoor, a special command or something else.

I started looking for something weird in the authentication routines, but I didn't find anything significant in a brief period of time, so I decided to do a bindiff, which was the key to locating the backdoor quickly. I did a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl", which is weird because it is a call for executing ELFs, not needed for an FTP service, and weird that the compiled binary doesn't have that symbol.





Looking at the xrefs of "execl" in IDA, I found code that is a clear backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr to the socket and uses execl:



There is one xref to this function: the function that decides when to trigger it, and that decision is this kind of system of equations:


The backdoor was not in the authentication; it was a special command to trigger the backdoor, which is obfuscated in that system of equations. There was no need to use a z3 equation solver because it is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}
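
The by-hand back-substitution above, written out as an added example (not code from the original write-up; the function names are hypothetical). It seeds cmd[1] with 75 from the solution listing; the constraint listing prints 78 for cmd[1], and the second call shows what that seed produces.

```python
# Added example: back-substitution over the chained-sum check from the write-up.
# Function names are hypothetical; the constants are copied from the page.

# Right-hand sides of cmd[i] + cmd[i+1] = S for i = 1..16, in page order.
PAIR_SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
             195, 195, 201, 207, 203, 215, 235, 242]


def solve_chain(first, second, pair_sums):
    """Rebuild the command bytes from cmd[0], cmd[1] and the adjacent sums."""
    cmd = [first, second]
    for i, total in enumerate(pair_sums, start=1):
        nxt = total - cmd[-1]          # cmd[i+1] = S_i - cmd[i]
        if not 0 <= nxt <= 255:
            raise ValueError(f"constraint {i} yields non-byte value {nxt}")
        cmd.append(nxt)
    return bytes(cmd)


def satisfies(cmd, pair_sums):
    """Re-check every pair constraint against a candidate byte string."""
    return len(cmd) == len(pair_sums) + 2 and all(
        cmd[i] + cmd[i + 1] == total
        for i, total in enumerate(pair_sums, start=1)
    )


def is_printable(cmd):
    """True when every byte is printable ASCII, as an FTP command would be."""
    return all(0x20 <= b < 0x7F for b in cmd)


# Seeds: cmd[0] = 69 and cmd[1] = 75, both taken from the solution listing.
solution = solve_chain(69, 75, PAIR_SUMS)
# The constraint listing prints cmd[1] = 78; that seed also satisfies every
# pair sum, but the chain then ends in a non-printable byte.
alternate = solve_chain(69, 78, PAIR_SUMS)

if __name__ == "__main__":
    print(solution.decode("ascii"), satisfies(solution, PAIR_SUMS))
    print(list(alternate), is_printable(alternate))
```

The pair sums alone leave one free byte, so the fixed value of cmd[1] is what pins the command down to a single string.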

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

