Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.

Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:

There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:

The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.

The equation:

cmd[0] = 69

cmd[1] = 78

cmd[1] + cmd[2] = 154

cmd[2] + cmd[3] = 202

cmd[3] + cmd[4] = 241

cmd[4] + cmd[5] = 233

cmd[5] + cmd[6] = 217

cmd[6] + cmd[7] = 218

cmd[7] + cmd[8] = 228

cmd[8] + cmd[9] = 212

cmd[9] + cmd[10] = 195

cmd[10] + cmd[11] = 195

cmd[11] + cmd[12] = 201

cmd[12] + cmd[13] = 207

cmd[13] + cmd[14] = 203

cmd[14] + cmd[15] = 215

cmd[15] + cmd[16] = 235

cmd[16] + cmd[17] = 242

The solution:

cmd[0] = 69

cmd[1] = 75

cmd[2] = 79

cmd[3] = 123

cmd[4] = 118

cmd[5] = 115

cmd[6] = 102

cmd[7] = 116

cmd[8] = 112

cmd[9] = 100

cmd[10] = 95

cmd[11] = 100

cmd[12] = 101

cmd[13] = 106

cmd[14] = 97                    

cmd[15] = 118

cmd[16] = 117

cmd[17] = 125

The flag:

EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

More information

1. Bluetooth Hacking Tools Kali
2. How To Hack
3. Pentest Tools Online
4. Pentest Tools Open Source
5. Pentest Tools Url Fuzzer
6. Termux Hacking Tools 2019
7. Hacker Tools Apk
8. Pentest Tools Windows
9. Hacking Tools For Pc
10. Hack Tools Github
11. Hacker Tools Apk Download
12. Growth Hacker Tools
13. Hacker Tools Apk Download
14. Hacker Tools List
15. Pentest Tools Url Fuzzer
16. Computer Hacker
17. Top Pentest Tools
18. Hacking Tools For Windows 7
19. Hack App
20. Hacker Techniques Tools And Incident Handling
21. Pentest Tools Online
22. Hack Apps
23. World No 1 Hacker Software
24. Pentest Tools Url Fuzzer
25. Hacker Techniques Tools And Incident Handling
26. Pentest Tools Download
27. Hacking Tools Windows 10
28. Nsa Hack Tools Download
29. Hacker Tools Online
30. Blackhat Hacker Tools
31. Hacker Tools Linux
32. Hack Tools For Pc
33. Hack Rom Tools
34. Hacker Tool Kit
35. Hack And Tools
36. Best Pentesting Tools 2018
37. Hak5 Tools
38. Kik Hack Tools
39. Hack Tools
40. Hacking Tools Windows 10
41. Bluetooth Hacking Tools Kali
42. Pentest Tools Alternative
43. Hacking Tools For Games
44. Free Pentest Tools For Windows
45. Hacker Tools Online
46. Hacker Hardware Tools
47. Ethical Hacker Tools
48. Hack Tool Apk
49. Hacking Tools Name
50. Tools Used For Hacking
51. Hacker Hardware Tools
52. Hacking Tools Software
53. Pentest Tools Port Scanner
54. Nsa Hacker Tools
55. Hacker Tools Linux
56. Hacking Tools For Games
57. Pentest Reporting Tools
58. Hack Tool Apk
59. Hacking Tools Kit
60. Easy Hack Tools
61. Top Pentest Tools
62. Pentest Tools Tcp Port Scanner
63. Hacking Tools For Windows Free Download
64. Hacker Search Tools
65. Hacker Tools Hardware
66. Hack Tools
67. Best Hacking Tools 2020
68. Pentest Tools Download
69. Hacking Tools For Kali Linux
70. Hack Tools Github
71. Hacking Tools Download
72. Pentest Tools For Android
73. Hacker Tools
74. Hack Tools 2019
75. Pentest Tools Linux
76. Hacking Tools For Kali Linux
77. Pentest Tools Subdomain
78. Pentest Tools
79. Termux Hacking Tools 2019
80. Hacking Tools Hardware
81. Hacking Tools 2020
82. Hacking Tools Github
83. Hacker Tools 2020
84. Hack Tools For Pc
85. What Is Hacking Tools
86. Pentest Tools Find Subdomains
87. Hacking Apps
88. Pentest Tools Apk
89. Hacking Tools For Mac
90. Hacker Tools For Mac
91. Hackers Toolbox
92. Usb Pentest Tools
93. Pentest Automation Tools
94. Hacking Tools For Kali Linux
95. Best Hacking Tools 2020
96. Hack Tools Online
97. Pentest Tools Alternative
98. Hacker Tools Online
99. Hack Tools For Pc
100. Hacking Tools For Beginners
101. Hacker Search Tools
102. Hack Tools For Pc
103. Pentest Tools Apk
104. Nsa Hacker Tools
105. Hacking Tools Github
106. Hacker Tools Apk
107. Easy Hack Tools
108. Hack Tools Download
109. Pentest Recon Tools
110. Hacker Tools 2019
111. Hackers Toolbox
112. Hacker Tools List
113. Hacker Tools Apk
114. Pentest Tools Online
115. Wifi Hacker Tools For Windows
116. Ethical Hacker Tools
117. Hack Tools Github
118. Bluetooth Hacking Tools Kali
119. Pentest Tools
120. How To Hack
121. Growth Hacker Tools
122. Hacker Tools 2019
123. Hack And Tools
124. Hacker Tools Apk
125. Pentest Tools Find Subdomains
126. Hack Tool Apk