Friday, January 26, 2024

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added; the challenge doesn't specify whether it is an authentication backdoor, a special command or something else.

I started looking for something weird in the authentication routines, but I didn't find anything significant in a short time, so I decided to do a bindiff, which was the key to locating the backdoor quickly. I did a quick diff of the strings with "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl", which is suspicious: it's a call for executing ELF programs, not needed by an FTP service, and the binary compiled from clean source doesn't have that symbol.

Looking at the xrefs of "execl" in IDA, I found code that is clearly a backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr onto the socket and calls execl:

There is one xref to this function; the function that decides when to trigger it makes that decision with a kind of system of equations:

The backdoor was not in the authentication; it was a special command that triggers the backdoor, obfuscated in that system of equations. There was no need to use a z3 equation solver because it's a simple one, and I solved it by hand.

The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125
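The hand solution above is a forward walk of the chain: each sum fixes the next byte from the previous one. As an added example (not code from the original post), this script takes the pair sums listed above and the two solved leading bytes (cmd[0] = 69, cmd[1] = 75), recovers the rest of the command and re-applies the constraints as a validity check; the function names are mine.

```python
# Added example (not from the original post): recover the trigger command
# from the pairwise-sum constraints the backdoor's check encodes.
# PAIR_SUMS are the sums listed in the write-up; the two leading bytes are
# the write-up's solved values (cmd[0] = 69, cmd[1] = 75).
from typing import List, Optional

FIRST_BYTE = 69          # cmd[0], fixed directly by the check
# cmd[i] + cmd[i+1] for i = 1..16, in order, as listed in the write-up.
PAIR_SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
             195, 195, 201, 207, 203, 215, 235, 242]


def solve_chain(first: int, second: int, pair_sums: List[int]) -> List[int]:
    """Walk the chain forward: each equation cmd[i] + cmd[i+1] = s fixes
    cmd[i+1] = s - cmd[i], so once cmd[1] is known every later byte follows
    in a single pass, which is why no SMT solver was needed."""
    cmd = [first, second]
    for s in pair_sums:
        cmd.append(s - cmd[-1])
    return cmd


def is_valid_command(cmd: List[int], pair_sums: List[int]) -> bool:
    """Re-apply the constraints as the binary would, plus a sanity check that
    every byte is printable ASCII (a typed FTP command can't hold much else)."""
    if len(cmd) != len(pair_sums) + 2 or cmd[0] != FIRST_BYTE:
        return False
    if any(not 0x20 <= b <= 0x7E for b in cmd):
        return False
    # pair_sums[i] constrains cmd[i+1] + cmd[i+2]
    return all(cmd[i + 1] + cmd[i + 2] == s for i, s in enumerate(pair_sums))


def trigger_string(first: int = FIRST_BYTE, second: int = 75) -> Optional[str]:
    """Return the decoded trigger command, or None if the candidate bytes
    fail the constraints (e.g. a wrong guess for cmd[0] or cmd[1])."""
    cmd = solve_chain(first, second, PAIR_SUMS)
    if not is_valid_command(cmd, PAIR_SUMS):
        return None
    return bytes(cmd).decode("ascii")


if __name__ == "__main__":
    print(trigger_string())   # EKO{vsftpd_dejavu}
```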

The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor
