sábado, 27 de maio de 2023

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


Related links


  1. Pentest Tools For Ubuntu
  2. Blackhat Hacker Tools
  3. Hacking Tools For Mac
  4. Tools Used For Hacking
  5. How To Make Hacking Tools
  6. Pentest Tools For Ubuntu
  7. How To Install Pentest Tools In Ubuntu
  8. Hacker Tools Windows
  9. Beginner Hacker Tools
  10. Hacker Tools List
  11. Hacker Tools For Pc
  12. Blackhat Hacker Tools
  13. Tools For Hacker
  14. Pentest Tools Port Scanner
  15. Underground Hacker Sites
  16. Hacking Tools
  17. Hacking Tools And Software
  18. Tools For Hacker
  19. Hack And Tools
  20. Hacker Tools For Ios
  21. Easy Hack Tools
  22. Hack Tools
  23. Nsa Hack Tools
  24. Pentest Tools Subdomain
  25. Hack Tools For Windows
  26. Pentest Tools For Android
  27. Hacker Tools Windows
  28. Top Pentest Tools
  29. Hacking Tools Online
  30. Hack Tools Online
  31. Tools Used For Hacking
  32. Hack Tools For Ubuntu
  33. Hacking Tools Free Download
  34. Best Hacking Tools 2020
  35. Pentest Tools Website
  36. Pentest Tools Url Fuzzer
  37. Hack Tools Pc
  38. Hacks And Tools
  39. Wifi Hacker Tools For Windows
  40. Hacker Search Tools
  41. Hacking Tools 2019
  42. Hacker Search Tools
  43. Pentest Tools
  44. Github Hacking Tools
  45. Beginner Hacker Tools
  46. Beginner Hacker Tools
  47. Kik Hack Tools
  48. Pentest Tools Alternative
  49. Hacker Tools For Pc
  50. Hacking Tools Usb
  51. Hack Tools
  52. Hacker Tools Mac
  53. Hacking Tools For Windows 7
  54. Hacking Tools Online
  55. Hack Tool Apk No Root
  56. Pentest Tools Kali Linux
  57. Hacking Tools For Mac
  58. Hacking Tools Pc
  59. Pentest Reporting Tools
  60. Nsa Hacker Tools
  61. Pentest Tools Alternative
  62. Hacking Tools And Software
  63. Beginner Hacker Tools
  64. Hack Tools
  65. Nsa Hack Tools Download
  66. Pentest Tools Download
  67. Hacker Tools For Ios
  68. Hacker Tools Software
  69. Hacker Tools Windows
  70. Hacking Tools Pc
  71. How To Make Hacking Tools
  72. Hacker Tools Free
  73. Black Hat Hacker Tools
  74. Hacking Tools For Windows 7
  75. Hacking Tools For Mac
  76. Hacker Tools For Mac
  77. Pentest Tools Bluekeep
  78. Pentest Tools For Android
  79. Pentest Tools Bluekeep
  80. Hacking Tools Mac
  81. Hacking Tools For Games
  82. Hacking Tools Name
  83. Hacking App
  84. Hacker Security Tools

Nenhum comentário:

Postar um comentário