Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.

Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:

There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:

The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.

The equation:

cmd[0] = 69

cmd[1] = 78

cmd[1] + cmd[2] = 154

cmd[2] + cmd[3] = 202

cmd[3] + cmd[4] = 241

cmd[4] + cmd[5] = 233

cmd[5] + cmd[6] = 217

cmd[6] + cmd[7] = 218

cmd[7] + cmd[8] = 228

cmd[8] + cmd[9] = 212

cmd[9] + cmd[10] = 195

cmd[10] + cmd[11] = 195

cmd[11] + cmd[12] = 201

cmd[12] + cmd[13] = 207

cmd[13] + cmd[14] = 203

cmd[14] + cmd[15] = 215

cmd[15] + cmd[16] = 235

cmd[16] + cmd[17] = 242

The solution:

cmd[0] = 69

cmd[1] = 75

cmd[2] = 79

cmd[3] = 123

cmd[4] = 118

cmd[5] = 115

cmd[6] = 102

cmd[7] = 116

cmd[8] = 112

cmd[9] = 100

cmd[10] = 95

cmd[11] = 100

cmd[12] = 101

cmd[13] = 106

cmd[14] = 97                    

cmd[15] = 118

cmd[16] = 117

cmd[17] = 125

The flag:

EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

More articles

1. Hack Tool Apk No Root
2. Ethical Hacker Tools
3. Tools For Hacker
4. Pentest Tools Tcp Port Scanner
5. Hackers Toolbox
6. Pentest Tools For Ubuntu
7. Hack Tools For Pc
8. Hack Tools For Pc
9. New Hacker Tools
10. Hack Tools
11. Hacking Tools Pc
12. Tools Used For Hacking
13. Tools For Hacker
14. Hack Tools Pc
15. Hacker Techniques Tools And Incident Handling
16. Free Pentest Tools For Windows
17. Hacker Search Tools
18. Hacking Tools Online
19. Hacks And Tools
20. Hacking Tools For Pc
21. Pentest Tools Download
22. Pentest Tools For Windows
23. Hacker Security Tools
24. Hack Tools For Pc
25. Hack And Tools
26. Hack Tools For Mac
27. Pentest Tools Framework
28. Hack Tools 2019
29. Tools For Hacker
30. Pentest Tools For Windows
31. Pentest Tools Port Scanner
32. Hack Tools
33. Hack And Tools
34. Hack Tools 2019
35. Hacking Apps
36. How To Install Pentest Tools In Ubuntu
37. Best Hacking Tools 2020
38. Pentest Tools Github
39. Hacker Tools For Pc
40. Hacking Tools 2020
41. Nsa Hack Tools Download
42. Tools For Hacker
43. Pentest Reporting Tools
44. How To Make Hacking Tools
45. Hack Tools
46. Kik Hack Tools
47. New Hacker Tools
48. Game Hacking
49. Hacker Tools 2020
50. Wifi Hacker Tools For Windows
51. Tools 4 Hack
52. Hacking Tools Name
53. Bluetooth Hacking Tools Kali
54. Hacking Tools 2019
55. Hacking Tools For Beginners
56. Pentest Tools Framework
57. Hacking Tools
58. Hacking Tools Pc
59. Hacker Tools Windows
60. Pentest Tools Free
61. Best Pentesting Tools 2018
62. Hacking Tools Online
63. Hacker Tools Linux
64. Hacking Tools Windows 10
65. Hack Tools For Ubuntu
66. What Are Hacking Tools
67. Nsa Hack Tools Download
68. Hack App
69. Pentest Tools Free
70. Hack Tools For Ubuntu
71. Hacker Tools
72. Pentest Tools
73. Hacker Tools Mac
74. Hacker Techniques Tools And Incident Handling
75. Hack Tools Download
76. Hacker Techniques Tools And Incident Handling
77. Hacking Tools Windows 10
78. Pentest Tools Website Vulnerability
79. Hack Tool Apk No Root
80. Hack Tools For Pc
81. Hack Tools
82. Pentest Tools Framework
83. Ethical Hacker Tools
84. Hacker Techniques Tools And Incident Handling
85. How To Hack
86. Tools 4 Hack
87. Top Pentest Tools
88. Underground Hacker Sites
89. Hacking Tools Mac
90. Game Hacking
91. Pentest Tools Review
92. Pentest Tools Download
93. Hacks And Tools
94. How To Make Hacking Tools
95. Game Hacking
96. Hack Tools For Ubuntu
97. Pentest Tools Website Vulnerability
98. Hacker Tools 2020
99. Hacker Tools Windows
100. What Are Hacking Tools