Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.

Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:

There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:

The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.

The equation:

cmd[0] = 69

cmd[1] = 78

cmd[1] + cmd[2] = 154

cmd[2] + cmd[3] = 202

cmd[3] + cmd[4] = 241

cmd[4] + cmd[5] = 233

cmd[5] + cmd[6] = 217

cmd[6] + cmd[7] = 218

cmd[7] + cmd[8] = 228

cmd[8] + cmd[9] = 212

cmd[9] + cmd[10] = 195

cmd[10] + cmd[11] = 195

cmd[11] + cmd[12] = 201

cmd[12] + cmd[13] = 207

cmd[13] + cmd[14] = 203

cmd[14] + cmd[15] = 215

cmd[15] + cmd[16] = 235

cmd[16] + cmd[17] = 242

The solution:

cmd[0] = 69

cmd[1] = 75

cmd[2] = 79

cmd[3] = 123

cmd[4] = 118

cmd[5] = 115

cmd[6] = 102

cmd[7] = 116

cmd[8] = 112

cmd[9] = 100

cmd[10] = 95

cmd[11] = 100

cmd[12] = 101

cmd[13] = 106

cmd[14] = 97                    

cmd[15] = 118

cmd[16] = 117

cmd[17] = 125

The flag:

EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

Read more

1. Hack Tools
2. Hacker Tools Free Download
3. Hack Rom Tools
4. Pentest Tools For Mac
5. Pentest Tools List
6. Termux Hacking Tools 2019
7. Hacker Tools Hardware
8. Pentest Tools Nmap
9. Hacking Tools For Games
10. Hacking Tools For Kali Linux
11. Easy Hack Tools
12. Computer Hacker
13. Hacking Tools For Kali Linux
14. Hacker Tool Kit
15. Hacker Tools For Ios
16. Hack Tool Apk
17. Black Hat Hacker Tools
18. Best Pentesting Tools 2018
19. Hack Tools For Mac
20. Hacking Tools And Software
21. Ethical Hacker Tools
22. Pentest Tools List
23. Pentest Tools Download
24. World No 1 Hacker Software
25. Hackers Toolbox
26. Ethical Hacker Tools
27. Pentest Tools For Mac
28. Hacker Tools Linux
29. Ethical Hacker Tools
30. Hack Tools Online
31. Hacker Tools Free Download
32. Kik Hack Tools
33. Hack Tools For Games
34. Hacker Tools Github
35. Hack Tools Github
36. New Hacker Tools
37. Hacker Tools Hardware
38. Kik Hack Tools
39. Hacking Tools For Mac
40. Hacking Tools For Windows Free Download
41. Pentest Tools Free
42. Hacker Techniques Tools And Incident Handling
43. Pentest Tools Bluekeep
44. Kik Hack Tools
45. What Are Hacking Tools
46. Pentest Tools List
47. Termux Hacking Tools 2019
48. Hacker Tools For Ios
49. Hackrf Tools
50. Hacking Tools Online
51. Hacker Tools Apk Download
52. Hack Tools
53. Pentest Tools Nmap
54. Hacker Tools Hardware
55. Hacks And Tools
56. Hacking Tools For Mac
57. Hacking Tools Online
58. New Hack Tools
59. Hak5 Tools
60. Pentest Tools Find Subdomains
61. Hacking Tools And Software
62. Wifi Hacker Tools For Windows
63. Pentest Tools Download
64. Hack App
65. Pentest Tools Android
66. Hackers Toolbox
67. Hacker Search Tools
68. Hacker Hardware Tools
69. Ethical Hacker Tools
70. Hack Tools Online
71. Hacker Tools Github
72. World No 1 Hacker Software
73. Free Pentest Tools For Windows
74. Hack Tools 2019
75. How To Hack
76. Hak5 Tools
77. Pentest Tools Apk
78. Usb Pentest Tools
79. Hack Tools For Pc
80. Pentest Tools Subdomain
81. Hacking Tools For Windows 7
82. Hack Tool Apk
83. Free Pentest Tools For Windows
84. Hacking Tools For Games
85. Hack Tools For Windows
86. Hacking Tools Pc
87. Hacking Tools 2019
88. Usb Pentest Tools
89. Hacking Tools For Mac
90. Pentest Tools Online
91. Hack Tools Github
92. Hacking Tools Download
93. Hacking Tools Windows
94. Pentest Automation Tools
95. Hacker Tools 2020
96. Pentest Tools Framework
97. Hack Tool Apk
98. Hacker Tools Mac
99. Pentest Tools Android
100. Pentest Tools Windows
101. Hacker Tools List
102. Pentest Tools Tcp Port Scanner
103. Pentest Tools Github
104. Computer Hacker
105. Pentest Tools For Mac
106. Hacker Tools Linux
107. Pentest Tools Find Subdomains
108. Wifi Hacker Tools For Windows
109. Pentest Tools Find Subdomains
110. Hacking Tools For Games
111. Hacker Security Tools
112. Pentest Tools
113. Hacking Tools Online
114. Hacker Tools Mac
115. Hacker Techniques Tools And Incident Handling
116. Pentest Tools Nmap
117. Hacker Search Tools
118. Pentest Box Tools Download
119. Bluetooth Hacking Tools Kali
120. Hacking Tools Github
121. Hack Tools
122. Hacking Tools For Windows
123. Android Hack Tools Github
124. Hacker Tools For Pc
125. Tools Used For Hacking
126. Hacking Tools Online
127. Beginner Hacker Tools
128. Hacks And Tools
129. Hack Tools For Games
130. Game Hacking
131. Usb Pentest Tools
132. Termux Hacking Tools 2019
133. Hack Tools For Pc
134. How To Hack
135. Hackrf Tools
136. Hacker Tools 2020
137. Hackers Toolbox
138. Hacking Apps
139. Best Hacking Tools 2020
140. Hacking Tools For Mac
141. Hacking Tools For Beginners
142. Hack Tools Online
143. Nsa Hack Tools Download
144. Hacker Techniques Tools And Incident Handling
145. Hacking Tools For Beginners
146. Hacker Hardware Tools
147. Hack Tools Mac
148. Hacking App
149. Pentest Tools Open Source
150. Hacker Tools
151. Pentest Tools Port Scanner