Sunday, August 30, 2020

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd into which a backdoor has been added. The challenge doesn't say whether it is an authentication backdoor, a special command or something else.

I started by looking for something odd in the authentication routines, but I didn't find anything significant in a short time, so I decided to do a bindiff, and that was the key to locating the backdoor quickly. I did a quick diff of the strings with "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl", which is suspicious: it is a call for executing other programs, not something an FTP service needs, and the binary compiled from the original source doesn't have that symbol.


Looking at the xrefs to "execl" in IDA, I found code that is clearly a backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr onto the socket and then calls execl:

There is one xref to this function; the function that decides when to trigger it is this kind of system-of-equations check:

The backdoor was not in the authentication: it was a special command that triggers the backdoor, obfuscated in that system of equations. There was no need to use the z3 solver, because it is a simple one and I solved it by hand.

The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125

The flag:
EKO{vsftpd_dejavu}
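Solving that chain of pairwise sums by hand is quick; as an added example that is not part of the original writeup, here is the same back-substitution in Python, with a check of the result against the constraints and a small detection helper for spotting the recovered command on an FTP control channel. It assumes cmd[1] = 75, the value in the solution above, since that is the only value consistent with cmd[1] + cmd[2] = 154.

```python
# Added example, not from the original writeup: recover the backdoor's
# trigger command from the chained-sum constraints by back-substitution.

# Constraints from the writeup. Its equation list says cmd[1] = 78 but its
# solution uses 75, the only value with cmd[1] + cmd[2] = 154, assumed here.
ANCHORS = {0: 69, 1: 75}
PAIR_SUMS = {  # (i, i + 1): cmd[i] + cmd[i + 1]
    (1, 2): 154, (2, 3): 202, (3, 4): 241, (4, 5): 233, (5, 6): 217,
    (6, 7): 218, (7, 8): 228, (8, 9): 212, (9, 10): 195, (10, 11): 195,
    (11, 12): 201, (12, 13): 207, (13, 14): 203, (14, 15): 215,
    (15, 16): 235, (16, 17): 242,
}
CMD_LEN = 18

def solve_chain(anchors, pair_sums, length):
    # Propagate known bytes through cmd[i] + cmd[j] = s, in either
    # direction, until every position is fixed or nothing changes.
    cmd = [None] * length
    for i, v in anchors.items():
        cmd[i] = v
    changed = True
    while changed:
        changed = False
        for (i, j), s in pair_sums.items():
            if cmd[i] is not None and cmd[j] is None:
                cmd[j], changed = s - cmd[i], True
            elif cmd[j] is not None and cmd[i] is None:
                cmd[i], changed = s - cmd[j], True
    if None in cmd:
        raise ValueError("underdetermined system: %r" % (cmd,))
    return cmd

def satisfies(cmd, anchors, pair_sums):
    # True when cmd is a byte string meeting every anchor and sum constraint.
    return (all(0 <= b < 256 for b in cmd)
            and all(cmd[i] == v for i, v in anchors.items())
            and all(cmd[i] + cmd[j] == s for (i, j), s in pair_sums.items()))

def recover_trigger():
    # Solve, re-check against the original constraints, and decode.
    cmd = solve_chain(ANCHORS, PAIR_SUMS, CMD_LEN)
    if not satisfies(cmd, ANCHORS, PAIR_SUMS):
        raise ValueError("solution violates a constraint")
    return bytes(cmd).decode("ascii")

def is_trigger(ftp_line, trigger=None):
    # Detection helper: does an FTP control-channel line carry the trigger?
    trigger = trigger or recover_trigger()
    return ftp_line.strip().split(" ", 1)[0] == trigger
```

The same propagation works for any chain of pairwise sums with at least one anchored byte per connected run; a run without an anchor raises instead of guessing.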

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor
