
Friday, 2 June 2023

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added; they don't specify whether it is an authentication backdoor, a special command, or something else.

I started looking for something weird in the authentication routines, but I didn't find anything significant in a brief period of time, so I decided to do a bindiff, which was the key to locating the backdoor quickly. I did a quick diff of the strings with the commands "strings bin | sort -u" and "vimdiff", and noticed that the backdoored binary has the symbol "execl", which is weird because it is a call for executing ELFs that an FTP service doesn't need, and because the compiled binary doesn't have that symbol.
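The same strings diff as a script, as an added example that is not part of the original write-up. The watch list and the two sample byte strings are assumptions constructed for illustration; pass two file paths to compare real builds.

```python
import re
import sys

# Assumed watch list for illustration: process-spawning imports worth a second look.
WATCHLIST = {"execl", "execv", "execve", "execvp", "system", "popen"}

def extract_strings(blob: bytes, min_len: int = 4) -> set:
    """Unique printable-ASCII runs, like `strings bin | sort -u`."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.decode("ascii") for m in re.findall(pattern, blob)}

def diff_strings(reference: bytes, suspect: bytes, watchlist=WATCHLIST) -> dict:
    """Compare the string sets of a known-good build and the binary under review."""
    ref, sus = extract_strings(reference), extract_strings(suspect)
    added = sus - ref
    return {
        "added": sorted(added),      # present only in the suspect binary
        "removed": sorted(ref - sus),  # present only in the known-good build
        "flagged": sorted(added & set(watchlist)),
    }

# Constructed stand-ins for the two builds' string tables (not bytes from the real files).
REFERENCE = b"\x00socket\x00bind\x00listen\x00accept\x00dup2\x00\x01\x02vsftpd\x00"
SUSPECT = b"\x00socket\x00bind\x00listen\x00accept\x00dup2\x00execl\x00\x01\x02vsftpd\x00"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py <known-good> <suspect>
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            report = diff_strings(f1.read(), f2.read())
    else:
        report = diff_strings(REFERENCE, SUSPECT)
    for key, values in report.items():
        print(f"{key}: {values}")
```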





Looking at the xrefs of "execl" in IDA, I found code that is a clear backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr to the socket, and calls execl:



There is one xref to this function: the function that decides when to trigger it, which makes its decision with this kind of system of equations:


The backdoor was not in the authentication; it was a special command that triggers the backdoor, obfuscated in that system of equations. There was no need to use the z3 equation solver because the system is a simple one, and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}
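The system above solved by forward substitution, as an added example that is not part of the original write-up. It goes slightly beyond the hand solution by seeding the chain with both values the page gives for cmd[1] (78 in the equation list, 75 in the solution list) and checking which one decodes to the EKO{...} flag format; the function names are illustrative.

```python
# Pairwise sums copied from the equation list: SUMS[i] == cmd[i+1] + cmd[i+2].
SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
        195, 195, 201, 207, 203, 215, 235, 242]

def solve_chain(cmd0, cmd1, sums):
    """Fix the two known bytes, then each equation leaves exactly one unknown."""
    cmd = [cmd0, cmd1]
    for total in sums:
        nxt = total - cmd[-1]
        if not 0 <= nxt <= 255:
            raise ValueError(f"byte {len(cmd)} out of range: {nxt}")
        cmd.append(nxt)
    return cmd

def satisfies_sums(cmd, sums):
    """True if every pairwise-sum equation holds for this candidate."""
    return all(cmd[i + 1] + cmd[i + 2] == s for i, s in enumerate(sums))

def as_flag(cmd):
    """Return the decoded text if it is printable ASCII in EKO{...} form, else None."""
    text = bytes(cmd).decode("latin-1")
    ok = text.isascii() and text.isprintable()
    return text if ok and text.startswith("EKO{") and text.endswith("}") else None

def compare_seeds(seeds=(78, 75)):
    """Any seed satisfies the sums; only the decode check tells the candidates apart."""
    results = {}
    for seed in seeds:
        cmd = solve_chain(69, seed, SUMS)
        results[seed] = (satisfies_sums(cmd, SUMS), as_flag(cmd))
    return results

if __name__ == "__main__":
    for seed, (sums_ok, flag) in compare_seeds().items():
        print(f"cmd[1]={seed}: sums hold={sums_ok}, flag={flag}")
```

Only the seed 75 reproduces the solution list and the flag; 78 satisfies every sum but ends on a non-ASCII byte.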

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

