Wednesday, 31 May 2023

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


Related articles
  1. Hacking Tools Usb
  2. Hack Tools For Games
  3. Hacker Search Tools
  4. Nsa Hack Tools
  5. Pentest Tools Kali Linux
  6. Hacking Tools
  7. Pentest Tools For Android
  8. Hacker Tools Hardware
  9. Pentest Tools For Ubuntu
  10. New Hacker Tools
  11. Top Pentest Tools
  12. Hacking Tools 2020
  13. Pentest Box Tools Download
  14. Hack Website Online Tool
  15. Hacker
  16. What Is Hacking Tools
  17. Hacking Tools And Software
  18. Hacker Security Tools
  19. Hacker Security Tools
  20. Hacker Tools Free
  21. Hacker Tools Online
  22. Hacking Tools For Games
  23. Pentest Tools Download
  24. Nsa Hack Tools Download
  25. Usb Pentest Tools
  26. Hak5 Tools
  27. Hacking Tools 2020
  28. Hack Tools 2019
  29. Pentest Tools Android
  30. Hacker Tools Hardware
  31. Hacker Tools Mac
  32. How To Make Hacking Tools
  33. Pentest Tools Open Source
  34. Hack Tools For Mac
  35. Hack App
  36. Hack Tools For Games
  37. Hacking Tools Online
  38. Hack Tools Download
  39. Hacker Tools List
  40. Pentest Tools List
  41. Hack Tools For Ubuntu
  42. Hack Rom Tools
  43. Hack Tools
  44. Top Pentest Tools
  45. Hacking Tools For Windows 7
  46. Hacker Tools Linux
  47. Hacker Tools For Ios
  48. Hack Tools Pc
  49. Pentest Tools Website
  50. Pentest Tools Alternative
  51. Hacker
  52. Pentest Tools Port Scanner
  53. Hacking Tools For Windows
  54. Hacker Tools Software
  55. Pentest Tools Free
  56. Tools Used For Hacking
  57. Computer Hacker
  58. Hacking Tools For Kali Linux
  59. How To Install Pentest Tools In Ubuntu
  60. Hacking Tools For Kali Linux
  61. Pentest Tools Open Source
  62. Pentest Reporting Tools

No comments:

Post a Comment