Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.

Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:

There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:

The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.

The equation:

cmd[0] = 69

cmd[1] = 78

cmd[1] + cmd[2] = 154

cmd[2] + cmd[3] = 202

cmd[3] + cmd[4] = 241

cmd[4] + cmd[5] = 233

cmd[5] + cmd[6] = 217

cmd[6] + cmd[7] = 218

cmd[7] + cmd[8] = 228

cmd[8] + cmd[9] = 212

cmd[9] + cmd[10] = 195

cmd[10] + cmd[11] = 195

cmd[11] + cmd[12] = 201

cmd[12] + cmd[13] = 207

cmd[13] + cmd[14] = 203

cmd[14] + cmd[15] = 215

cmd[15] + cmd[16] = 235

cmd[16] + cmd[17] = 242

The solution:

cmd[0] = 69

cmd[1] = 75

cmd[2] = 79

cmd[3] = 123

cmd[4] = 118

cmd[5] = 115

cmd[6] = 102

cmd[7] = 116

cmd[8] = 112

cmd[9] = 100

cmd[10] = 95

cmd[11] = 100

cmd[12] = 101

cmd[13] = 106

cmd[14] = 97                    

cmd[15] = 118

cmd[16] = 117

cmd[17] = 125

The flag:

EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

Related posts

1. Pentest Tools Find Subdomains
2. Best Pentesting Tools 2018
3. Install Pentest Tools Ubuntu
4. Bluetooth Hacking Tools Kali
5. Beginner Hacker Tools
6. Hacking Tools For Kali Linux
7. Hacking Tools For Windows 7
8. Pentest Tools Linux
9. How To Make Hacking Tools
10. World No 1 Hacker Software
11. Pentest Tools Nmap
12. Pentest Reporting Tools
13. Pentest Tools Android
14. Tools 4 Hack
15. Pentest Tools Bluekeep
16. Wifi Hacker Tools For Windows
17. Hack Tool Apk No Root
18. Physical Pentest Tools
19. Android Hack Tools Github
20. Usb Pentest Tools
21. Pentest Tools Android
22. Pentest Tools Framework
23. Hacking Tools And Software
24. Growth Hacker Tools
25. What Are Hacking Tools
26. Ethical Hacker Tools
27. New Hacker Tools
28. How To Install Pentest Tools In Ubuntu
29. Pentest Tools Github
30. What Are Hacking Tools
31. Nsa Hacker Tools
32. Best Hacking Tools 2019
33. Hack Rom Tools
34. Hacker Tools Windows
35. Hacker Tools Apk
36. Pentest Tools Linux
37. Hack Tool Apk
38. Pentest Tools Review
39. Hacking Tools 2019
40. Pentest Tools Online
41. Hack Rom Tools
42. Hacker Tool Kit
43. Hacker Tools Linux
44. Pentest Tools Online
45. Pentest Tools For Mac
46. Hack Tools Mac
47. New Hacker Tools
48. Hacks And Tools
49. Hacker Tools Linux
50. Pentest Automation Tools
51. Hacking Tools For Windows 7
52. Pentest Tools Alternative
53. Hacking Tools And Software
54. Game Hacking
55. Pentest Tools Subdomain
56. Pentest Tools Apk
57. Pentest Box Tools Download
58. Pentest Tools Linux
59. Hacking Tools 2019
60. Top Pentest Tools
61. Hacker Security Tools
62. Hacker Tools Online
63. Tools 4 Hack
64. Hacker Tools Software
65. Hacker Tools List
66. Hacker Search Tools
67. Bluetooth Hacking Tools Kali
68. Easy Hack Tools
69. How To Hack
70. Hacking Tools
71. Pentest Tools Website
72. Hack Tools For Games
73. What Are Hacking Tools
74. Hacker Tools Software
75. Hack Tool Apk No Root
76. Pentest Tools Website Vulnerability
77. Free Pentest Tools For Windows
78. Pentest Tools Alternative
79. Pentest Tools For Ubuntu
80. Pentest Tools Github
81. Hacking Tools For Beginners
82. Hacker Tools Apk
83. Pentest Tools Find Subdomains
84. Hacker Tools For Ios
85. Hack Tools
86. Pentest Tools Url Fuzzer
87. Hacker Hardware Tools
88. How To Install Pentest Tools In Ubuntu
89. Hacker Tools Linux
90. Pentest Tools For Ubuntu
91. Pentest Tools Port Scanner
92. Pentest Tools For Mac
93. Pentest Tools Nmap
94. Pentest Tools Website
95. Pentest Box Tools Download
96. Hacking Tools Software
97. Pentest Tools Windows
98. Hack Rom Tools
99. Pentest Tools For Android
100. Pentest Tools Tcp Port Scanner
101. Hacker Tools Free Download
102. Hacker Tools Apk Download
103. Blackhat Hacker Tools
104. Pentest Tools Find Subdomains
105. Hacker Tools
106. Hacker Tools 2019
107. Termux Hacking Tools 2019
108. Hacking Tools Github
109. Hack Tools For Pc
110. Hacking Tools For Beginners
111. Hacker Tools Online
112. Pentest Tools Tcp Port Scanner
113. Pentest Tools Website Vulnerability
114. Hack Tools For Mac
115. Best Hacking Tools 2019
116. Pentest Tools Subdomain
117. Hacking App
118. Free Pentest Tools For Windows
119. Hacking Tools Windows 10
120. Top Pentest Tools
121. Hacker Tools Linux
122. Pentest Tools Online
123. Ethical Hacker Tools
124. Hacker Tools Free Download
125. How To Install Pentest Tools In Ubuntu
126. Hacker Tools