2024年1月20日土曜日

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


More information
  1. Bluetooth Hacking Tools Kali
  2. How To Hack
  3. Pentest Tools Online
  4. Pentest Tools Open Source
  5. Pentest Tools Url Fuzzer
  6. Termux Hacking Tools 2019
  7. Hacker Tools Apk
  8. Pentest Tools Windows
  9. Hacking Tools For Pc
  10. Hack Tools Github
  11. Hacker Tools Apk Download
  12. Growth Hacker Tools
  13. Hacker Tools Apk Download
  14. Hacker Tools List
  15. Pentest Tools Url Fuzzer
  16. Computer Hacker
  17. Top Pentest Tools
  18. Hacking Tools For Windows 7
  19. Hack App
  20. Hacker Techniques Tools And Incident Handling
  21. Pentest Tools Online
  22. Hack Apps
  23. World No 1 Hacker Software
  24. Pentest Tools Url Fuzzer
  25. Hacker Techniques Tools And Incident Handling
  26. Pentest Tools Download
  27. Hacking Tools Windows 10
  28. Nsa Hack Tools Download
  29. Hacker Tools Online
  30. Blackhat Hacker Tools
  31. Hacker Tools Linux
  32. Hack Tools For Pc
  33. Hack Rom Tools
  34. Hacker Tool Kit
  35. Hack And Tools
  36. Best Pentesting Tools 2018
  37. Hak5 Tools
  38. Kik Hack Tools
  39. Hack Tools
  40. Hacking Tools Windows 10
  41. Bluetooth Hacking Tools Kali
  42. Pentest Tools Alternative
  43. Hacking Tools For Games
  44. Free Pentest Tools For Windows
  45. Hacker Tools Online
  46. Hacker Hardware Tools
  47. Ethical Hacker Tools
  48. Hack Tool Apk
  49. Hacking Tools Name
  50. Tools Used For Hacking
  51. Hacker Hardware Tools
  52. Hacking Tools Software
  53. Pentest Tools Port Scanner
  54. Nsa Hacker Tools
  55. Hacker Tools Linux
  56. Hacking Tools For Games
  57. Pentest Reporting Tools
  58. Hack Tool Apk
  59. Hacking Tools Kit
  60. Easy Hack Tools
  61. Top Pentest Tools
  62. Pentest Tools Tcp Port Scanner
  63. Hacking Tools For Windows Free Download
  64. Hacker Search Tools
  65. Hacker Tools Hardware
  66. Hack Tools
  67. Best Hacking Tools 2020
  68. Pentest Tools Download
  69. Hacking Tools For Kali Linux
  70. Hack Tools Github
  71. Hacking Tools Download
  72. Pentest Tools For Android
  73. Hacker Tools
  74. Hack Tools 2019
  75. Pentest Tools Linux
  76. Hacking Tools For Kali Linux
  77. Pentest Tools Subdomain
  78. Pentest Tools
  79. Termux Hacking Tools 2019
  80. Hacking Tools Hardware
  81. Hacking Tools 2020
  82. Hacking Tools Github
  83. Hacker Tools 2020
  84. Hack Tools For Pc
  85. What Is Hacking Tools
  86. Pentest Tools Find Subdomains
  87. Hacking Apps
  88. Pentest Tools Apk
  89. Hacking Tools For Mac
  90. Hacker Tools For Mac
  91. Hackers Toolbox
  92. Usb Pentest Tools
  93. Pentest Automation Tools
  94. Hacking Tools For Kali Linux
  95. Best Hacking Tools 2020
  96. Hack Tools Online
  97. Pentest Tools Alternative
  98. Hacker Tools Online
  99. Hack Tools For Pc
  100. Hacking Tools For Beginners
  101. Hacker Search Tools
  102. Hack Tools For Pc
  103. Pentest Tools Apk
  104. Nsa Hacker Tools
  105. Hacking Tools Github
  106. Hacker Tools Apk
  107. Easy Hack Tools
  108. Hack Tools Download
  109. Pentest Recon Tools
  110. Hacker Tools 2019
  111. Hackers Toolbox
  112. Hacker Tools List
  113. Hacker Tools Apk
  114. Pentest Tools Online
  115. Wifi Hacker Tools For Windows
  116. Ethical Hacker Tools
  117. Hack Tools Github
  118. Bluetooth Hacking Tools Kali
  119. Pentest Tools
  120. How To Hack
  121. Growth Hacker Tools
  122. Hacker Tools 2019
  123. Hack And Tools
  124. Hacker Tools Apk
  125. Pentest Tools Find Subdomains
  126. Hack Tool Apk

0 件のコメント:

コメントを投稿