Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.

Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:

There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:

The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.

The equation:

cmd[0] = 69

cmd[1] = 78

cmd[1] + cmd[2] = 154

cmd[2] + cmd[3] = 202

cmd[3] + cmd[4] = 241

cmd[4] + cmd[5] = 233

cmd[5] + cmd[6] = 217

cmd[6] + cmd[7] = 218

cmd[7] + cmd[8] = 228

cmd[8] + cmd[9] = 212

cmd[9] + cmd[10] = 195

cmd[10] + cmd[11] = 195

cmd[11] + cmd[12] = 201

cmd[12] + cmd[13] = 207

cmd[13] + cmd[14] = 203

cmd[14] + cmd[15] = 215

cmd[15] + cmd[16] = 235

cmd[16] + cmd[17] = 242

The solution:

cmd[0] = 69

cmd[1] = 75

cmd[2] = 79

cmd[3] = 123

cmd[4] = 118

cmd[5] = 115

cmd[6] = 102

cmd[7] = 116

cmd[8] = 112

cmd[9] = 100

cmd[10] = 95

cmd[11] = 100

cmd[12] = 101

cmd[13] = 106

cmd[14] = 97                    

cmd[15] = 118

cmd[16] = 117

cmd[17] = 125

The flag:

EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

Read more

• Hack App
• Hack Tools 2019
• Pentest Tools Website Vulnerability
• Pentest Tools Apk
• Hacking Tools Mac
• Hacker Tools Software
• Hacker Tools For Pc
• Github Hacking Tools
• Hacking Tools For Games
• Hacker Hardware Tools
• Hack Tools For Games
• Hacking Tools Download
• Hacker Security Tools
• Underground Hacker Sites
• Ethical Hacker Tools
• Hacker Tools Hardware
• Hacking Tools Name
• Hacking Tools For Kali Linux
• Hack Tools For Games
• Best Hacking Tools 2020
• Hacker Tools List
• Hacking Apps
• Hacker Tools For Pc
• Hacker Tools Apk Download
• Hack And Tools
• New Hacker Tools
• Pentest Tools Nmap
• Hacking Tools For Windows
• Tools 4 Hack
• Hackers Toolbox
• Hacking Tools For Windows 7
• Hacking Tools Hardware
• New Hacker Tools
• Pentest Tools Website Vulnerability
• Pentest Tools For Android
• Hack Tools Mac
• Pentest Tools Review
• Hacking Tools Mac
• Hacking Tools Hardware
• Pentest Tools Download
• Hack Tools For Windows
• Hacker Tools Apk
• Pentest Tools For Windows
• Pentest Recon Tools
• Pentest Tools For Android
• Hacking Tools For Windows Free Download
• Hacker Tools Mac
• Hacking Tools Pc
• Hack Tools 2019
• Hacking Tools Windows
• Physical Pentest Tools
• Hacker Tools Free
• New Hacker Tools
• Termux Hacking Tools 2019
• Hack Tools Mac
• Hacking Tools Usb