Friday, 21 August 2020

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


Related news
  1. Blackhat Hacker Tools
  2. Usb Pentest Tools
  3. Hacker Tools List
  4. Hacking Tools 2020
  5. Hacking Tools Free Download
  6. Pentest Tools Online
  7. Hacker Search Tools
  8. Hacker Tools Software
  9. Pentest Tools For Mac
  10. World No 1 Hacker Software
  11. Hacker Tools For Windows
  12. Pentest Tools Subdomain
  13. Hack Apps
  14. Nsa Hacker Tools
  15. Hacking Apps
  16. Hack Tool Apk
  17. Hacker Tools Software
  18. Hack Tools For Pc
  19. Best Hacking Tools 2019
  20. New Hack Tools
  21. Hacking Tools Windows
  22. Hacking Tools For Windows 7
  23. Pentest Tools Bluekeep
  24. Hackrf Tools
  25. Nsa Hack Tools Download
  26. Pentest Tools For Mac
  27. Hacking Tools Online
  28. Hacking Apps
  29. Pentest Automation Tools
  30. Pentest Tools Find Subdomains
  31. Hacking Tools Hardware
  32. Best Hacking Tools 2019
  33. Pentest Tools Github
  34. Pentest Automation Tools
  35. Hack Tools Download
  36. Hack Website Online Tool
  37. Tools 4 Hack
  38. Blackhat Hacker Tools
  39. Hack Tools For Pc
  40. Hacking Tools Hardware
  41. Pentest Tools For Android
  42. Hack Tools 2019
  43. Pentest Tools Find Subdomains
  44. Hack Tools Online
  45. Physical Pentest Tools
  46. Hacking Tools For Beginners
  47. Pentest Tools Website Vulnerability
  48. Hacking Tools For Kali Linux
  49. Pentest Tools Open Source
  50. Hacking Tools Windows 10
  51. Hacker Tools 2019
  52. Computer Hacker
  53. Pentest Tools Nmap
  54. Github Hacking Tools
  55. Easy Hack Tools
  56. Hacker Tools 2019
  57. Pentest Tools Bluekeep
  58. Hacking Tools
  59. Hacker Tools For Ios
  60. Hacker Security Tools
  61. Wifi Hacker Tools For Windows
  62. Hacking Tools Kit
  63. Hacking Tools 2020
  64. Hack Tools Github
  65. Hacker Tools
  66. Install Pentest Tools Ubuntu
  67. Hack Tools For Windows
  68. Pentest Tools Download
  69. Pentest Reporting Tools
  70. Bluetooth Hacking Tools Kali
  71. Hacker Tools Hardware
  72. Pentest Recon Tools
  73. Hacker Security Tools
  74. Hack Tools For Windows
  75. Termux Hacking Tools 2019
  76. Easy Hack Tools
  77. Pentest Automation Tools
  78. Hacking Tools
  79. Pentest Tools Website Vulnerability
  80. New Hacker Tools
  81. Hacking Tools Online
  82. What Is Hacking Tools
  83. Pentest Tools Kali Linux
  84. Pentest Tools Online
  85. Hack Tools Pc
  86. Hacking Tools Usb
  87. Hacking Tools Hardware
  88. Hacking Tools Usb
  89. Game Hacking
  90. Hacking Tools Mac
  91. Hacking Tools Windows
  92. Kik Hack Tools
  93. Hacking Tools For Windows
  94. Easy Hack Tools
  95. Hacker Search Tools
  96. Hacker Tools
  97. Pentest Tools Subdomain
  98. Hacks And Tools
  99. Hacker Tools Github
  100. Tools Used For Hacking
  101. Nsa Hacker Tools
  102. Hack Tools For Games
  103. How To Hack
  104. Hacker Tools 2019
  105. Hack Tools Github
  106. Hack Tools
  107. Hacking Tools Download
  108. Pentest Tools For Mac
  109. Hack Tool Apk No Root
  110. Hacker Tools Software
  111. Hacking Tools Windows 10
  112. Pentest Tools Windows

0 comments:

Post a Comment