segunda-feira, 29 de maio de 2023

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


More articles


  1. Hack Tool Apk No Root
  2. Ethical Hacker Tools
  3. Tools For Hacker
  4. Pentest Tools Tcp Port Scanner
  5. Hackers Toolbox
  6. Pentest Tools For Ubuntu
  7. Hack Tools For Pc
  8. Hack Tools For Pc
  9. New Hacker Tools
  10. Hack Tools
  11. Hacking Tools Pc
  12. Tools Used For Hacking
  13. Tools For Hacker
  14. Hack Tools Pc
  15. Hacker Techniques Tools And Incident Handling
  16. Free Pentest Tools For Windows
  17. Hacker Search Tools
  18. Hacking Tools Online
  19. Hacks And Tools
  20. Hacking Tools For Pc
  21. Pentest Tools Download
  22. Pentest Tools For Windows
  23. Hacker Security Tools
  24. Hack Tools For Pc
  25. Hack And Tools
  26. Hack Tools For Mac
  27. Pentest Tools Framework
  28. Hack Tools 2019
  29. Tools For Hacker
  30. Pentest Tools For Windows
  31. Pentest Tools Port Scanner
  32. Hack Tools
  33. Hack And Tools
  34. Hack Tools 2019
  35. Hacking Apps
  36. How To Install Pentest Tools In Ubuntu
  37. Best Hacking Tools 2020
  38. Pentest Tools Github
  39. Hacker Tools For Pc
  40. Hacking Tools 2020
  41. Nsa Hack Tools Download
  42. Tools For Hacker
  43. Pentest Reporting Tools
  44. How To Make Hacking Tools
  45. Hack Tools
  46. Kik Hack Tools
  47. New Hacker Tools
  48. Game Hacking
  49. Hacker Tools 2020
  50. Wifi Hacker Tools For Windows
  51. Tools 4 Hack
  52. Hacking Tools Name
  53. Bluetooth Hacking Tools Kali
  54. Hacking Tools 2019
  55. Hacking Tools For Beginners
  56. Pentest Tools Framework
  57. Hacking Tools
  58. Hacking Tools Pc
  59. Hacker Tools Windows
  60. Pentest Tools Free
  61. Best Pentesting Tools 2018
  62. Hacking Tools Online
  63. Hacker Tools Linux
  64. Hacking Tools Windows 10
  65. Hack Tools For Ubuntu
  66. What Are Hacking Tools
  67. Nsa Hack Tools Download
  68. Hack App
  69. Pentest Tools Free
  70. Hack Tools For Ubuntu
  71. Hacker Tools
  72. Pentest Tools
  73. Hacker Tools Mac
  74. Hacker Techniques Tools And Incident Handling
  75. Hack Tools Download
  76. Hacker Techniques Tools And Incident Handling
  77. Hacking Tools Windows 10
  78. Pentest Tools Website Vulnerability
  79. Hack Tool Apk No Root
  80. Hack Tools For Pc
  81. Hack Tools
  82. Pentest Tools Framework
  83. Ethical Hacker Tools
  84. Hacker Techniques Tools And Incident Handling
  85. How To Hack
  86. Tools 4 Hack
  87. Top Pentest Tools
  88. Underground Hacker Sites
  89. Hacking Tools Mac
  90. Game Hacking
  91. Pentest Tools Review
  92. Pentest Tools Download
  93. Hacks And Tools
  94. How To Make Hacking Tools
  95. Game Hacking
  96. Hack Tools For Ubuntu
  97. Pentest Tools Website Vulnerability
  98. Hacker Tools 2020
  99. Hacker Tools Windows
  100. What Are Hacking Tools

Nenhum comentário:

Postar um comentário