This blog is non-partisan and open to everyone regardless of political leaning. Email or MMS your message / appeal / complaint / announcement to tamanperpaduan.terusblog@blogger.com to have your piece published on this blog immediately. Pictures may also be included, subject to conditions.
Posts should not be unpublished.

Thursday, 25 January 2024

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

The challenge is a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added. The challenge text does not specify whether it is an authentication backdoor, a special command, or something else.

I started by looking for something odd in the authentication routines, but did not find anything significant in a brief look, so I decided to do a bindiff, and that was the key to locating the backdoor quickly. I did a quick diff of the strings of both binaries with "strings bin | sort -u" and "vimdiff", and noticed that the backdoored binary has the symbol "execl". That is suspicious, because execl is a call for executing other programs, which an FTP service has no need for, and the clean compiled binary does not have that symbol.
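The string-diff triage described above, written out as an added example (it is not code from the original post or from the Amn3S1A team). The two byte blobs are constructed stand-ins for the clean and backdoored builds, not the real challenge files, and the function names, `EXEC_FAMILY` list and sample strings are my own choices. It reproduces `strings bin | sort -u` on each input, diffs the two sets, and flags any added name from the exec/system family, which is exactly the signal that pointed at the backdoor here:

```python
import re
from typing import Iterable

# Constructed sample "binaries": two byte blobs standing in for the clean and
# the backdoored vsftpd builds. They are NOT the real challenge files.
CLEAN_BIN = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"\x00socket\x00bind\x00listen\x00accept\x00dup2\x00"
    + b"vsftpd: version 2.3.4\x00530 Login incorrect.\x00"
    + b"\x01\x02\x03"
)
BACKDOORED_BIN = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"\x00socket\x00bind\x00listen\x00accept\x00dup2\x00execl\x00"
    + b"vsftpd: version 2.3.4\x00530 Login incorrect.\x00/bin/sh\x00"
    + b"\x01\x02\x03"
)

# Functions that spawn a process. A plain FTP command path has no use for
# them, so any of these turning up only in the suspect binary deserves a look.
EXEC_FAMILY = {"execl", "execlp", "execle", "execv", "execvp", "execve",
               "system", "popen"}


def extract_strings(data: bytes, min_len: int = 4) -> set[str]:
    """Rough equivalent of `strings bin | sort -u`: unique runs of printable
    ASCII of at least min_len bytes (the default matches strings' -n 4)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pat.finditer(data)}


def diff_strings(clean: bytes, suspect: bytes) -> tuple[set[str], set[str]]:
    """Return (added, removed): strings only in the suspect binary and strings
    only in the clean one. Both sides matter: a backdoor may also drop text."""
    a, b = extract_strings(clean), extract_strings(suspect)
    return b - a, a - b


def flag_exec_symbols(added: Iterable[str]) -> list[str]:
    """Names from the added set that belong to the exec/system family."""
    return sorted(s for s in added if s in EXEC_FAMILY)


if __name__ == "__main__":
    added, removed = diff_strings(CLEAN_BIN, BACKDOORED_BIN)
    print("only in suspect:", sorted(added))
    print("only in clean:  ", sorted(removed))
    print("exec-family:    ", flag_exec_symbols(added))
```

On real files, read both binaries with `open(path, "rb").read()` and pass them to `diff_strings`; the exec-family hit plus a new "/bin/sh" string is the pair that sends you straight to the xrefs in IDA.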

Looking at the xrefs of "execl" in IDA, I found code that is clearly a backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr onto the socket, and then calls execl:

There is one xref to this function; the caller that decides when to trigger it makes that decision through this kind of system of equations:

The backdoor was not in the authentication: it is triggered by a special command, which is obfuscated in that system of equations. There was no need to use a z3 equation solver because it is a simple one, and I solved it by hand.

The equation:
cmd[0] = 69
cmd[1] = 75
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125
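The same hand derivation carried out programmatically, as an added example that is not part of the original post. The constraints are the ones listed above (two fixed bytes and the chain of pairwise sums); the function names are my own. The point it shows is why no z3 was needed: once cmd[1] is fixed, every later byte is forced by cmd[i+1] = sum_i - cmd[i], so the system is solved by a single linear pass, and the `check` function re-evaluates every original constraint the way the binary's command check would, so a wrong guess (for example cmd[1] = 78) is rejected:

```python
# Constraints as read out of the binary's command check: two fixed bytes and
# a chain of pairwise sums, PAIR_SUMS[i] == cmd[i + 1] + cmd[i + 2].
FIXED = {0: 69, 1: 75}
PAIR_SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
             195, 195, 201, 207, 203, 215, 235, 242]


def solve_chain(seed: int, pair_sums: list[int]) -> list[int]:
    """Walk a chain of sums: once one element is known, each neighbour
    follows as cmd[i+1] = sum_i - cmd[i]. No search or SMT solver needed.
    Works for any chain of this shape, not only the 16 sums listed above."""
    chain = [seed]
    for s in pair_sums:
        nxt = s - chain[-1]
        if not 0 <= nxt <= 0xFF:
            # The comparison is on bytes; a value outside 0..255 means the
            # seed (or a transcribed sum) is wrong.
            raise ValueError(f"sum {s} leaves no byte value for next element")
        chain.append(nxt)
    return chain


def solve_command(fixed=FIXED, pair_sums=PAIR_SUMS) -> list[int]:
    """Full cmd[] array: cmd[0] is fixed on its own, cmd[1] seeds the chain."""
    chain = solve_chain(fixed[1], pair_sums)  # yields cmd[1] .. cmd[17]
    return [fixed[0]] + chain


def check(cmd: list[int], fixed=FIXED, pair_sums=PAIR_SUMS) -> bool:
    """Re-evaluate every constraint against a candidate, as the binary would
    on the command string it receives."""
    if len(cmd) != len(pair_sums) + 2:
        return False
    if any(cmd[i] != v for i, v in fixed.items()):
        return False
    return all(cmd[i + 1] + cmd[i + 2] == s for i, s in enumerate(pair_sums))


def trigger_string() -> str:
    """The command bytes as text, which is also the flag for this challenge."""
    return bytes(solve_command()).decode("ascii")


if __name__ == "__main__":
    cmd = solve_command()
    print(cmd)
    print(trigger_string(), "valid:", check(cmd))
```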


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor
