Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.

Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:

There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:

The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.

The equation:

cmd[0] = 69

cmd[1] = 78

cmd[1] + cmd[2] = 154

cmd[2] + cmd[3] = 202

cmd[3] + cmd[4] = 241

cmd[4] + cmd[5] = 233

cmd[5] + cmd[6] = 217

cmd[6] + cmd[7] = 218

cmd[7] + cmd[8] = 228

cmd[8] + cmd[9] = 212

cmd[9] + cmd[10] = 195

cmd[10] + cmd[11] = 195

cmd[11] + cmd[12] = 201

cmd[12] + cmd[13] = 207

cmd[13] + cmd[14] = 203

cmd[14] + cmd[15] = 215

cmd[15] + cmd[16] = 235

cmd[16] + cmd[17] = 242

The solution:

cmd[0] = 69

cmd[1] = 75

cmd[2] = 79

cmd[3] = 123

cmd[4] = 118

cmd[5] = 115

cmd[6] = 102

cmd[7] = 116

cmd[8] = 112

cmd[9] = 100

cmd[10] = 95

cmd[11] = 100

cmd[12] = 101

cmd[13] = 106

cmd[14] = 97                    

cmd[15] = 118

cmd[16] = 117

cmd[17] = 125

The flag:

EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

More info

1. Hacker Techniques Tools And Incident Handling
2. Hacking Tools 2019
3. Pentest Tools Url Fuzzer
4. Pentest Tools Online
5. Hack Tools
6. Hacking App
7. Nsa Hacker Tools
8. Hacks And Tools
9. Hacking Tools For Mac
10. Hacker Tools For Pc
11. Pentest Tools Find Subdomains
12. Hack Tools Github
13. Hacking Tools Windows
14. Hacker Tools Apk
15. Pentest Tools Windows
16. Hacker Tools Hardware
17. Underground Hacker Sites
18. New Hack Tools
19. Hacking Tools For Games
20. Github Hacking Tools
21. Hack Tools For Windows
22. Pentest Tools Website
23. Hacker Tools Software
24. Hack Tools 2019
25. Hack Tools For Games
26. Usb Pentest Tools
27. Hack Tool Apk No Root
28. Hacker Tools Mac
29. Tools Used For Hacking
30. Pentest Recon Tools
31. Termux Hacking Tools 2019
32. Tools For Hacker
33. Pentest Tools Github
34. Hacker Tools Apk Download
35. Tools For Hacker
36. Hack Tools Github
37. Hacker Tools Mac
38. Hacker Tools Linux
39. Nsa Hacker Tools
40. Hacking Tools Usb
41. World No 1 Hacker Software
42. Pentest Tools Find Subdomains
43. Ethical Hacker Tools
44. Hacker Tools Mac
45. Hacker Tools Github
46. Pentest Automation Tools
47. Pentest Tools Framework
48. Black Hat Hacker Tools
49. Hack Tools For Mac
50. Hacker Search Tools
51. Hacker Tools For Ios
52. Hack Website Online Tool
53. Pentest Tools Tcp Port Scanner
54. Hacking Tools Kit
55. Hacker Tools Free
56. Tools Used For Hacking
57. Wifi Hacker Tools For Windows
58. Pentest Box Tools Download
59. Hacking Tools Usb
60. Hacking Tools Mac
61. Wifi Hacker Tools For Windows
62. Hackers Toolbox