Jumat, 02 Juni 2023

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


More info


  1. Hacker Tools
  2. Hacker Tools Free
  3. Pentest Tools Website
  4. Install Pentest Tools Ubuntu
  5. Hacking Tools 2019
  6. Black Hat Hacker Tools
  7. Hacking Tools For Windows
  8. Game Hacking
  9. Pentest Tools Free
  10. Best Hacking Tools 2019
  11. Hacker Tools 2020
  12. New Hack Tools
  13. Ethical Hacker Tools
  14. Hacking App
  15. Hack Tools
  16. Hacker Tools For Mac
  17. Hacker Tools Windows
  18. Pentest Tools Find Subdomains
  19. Android Hack Tools Github
  20. Pentest Recon Tools
  21. Install Pentest Tools Ubuntu
  22. Hack Tools Online
  23. Hack Tool Apk
  24. Pentest Tools Tcp Port Scanner
  25. Hack Tools For Pc
  26. Hacking Tools For Windows 7
  27. Hacker Tools For Pc
  28. Hacker Tools For Windows
  29. Hack Tools For Ubuntu
  30. Nsa Hacker Tools
  31. Growth Hacker Tools
  32. Hacker Hardware Tools
  33. Hacking Tools Github
  34. Hacker Tools Online
  35. Hack Rom Tools
  36. Hackers Toolbox
  37. Hacking Tools 2020
  38. Hack Tools Online
  39. Hack Tools For Windows
  40. Hacker Tools For Ios
  41. Hacking Tools For Games
  42. Hacker Tools Software
  43. Hacking Tools Usb
  44. Hacker Tools 2019
  45. Hacker Security Tools
  46. Pentest Tools Url Fuzzer
  47. Hacking Tools Pc
  48. Computer Hacker
  49. Hacking Tools Name
  50. Pentest Tools Port Scanner
  51. Pentest Tools Website Vulnerability
  52. Hack Tools Mac
  53. Hacker Tools
  54. Hacker Tools Github
  55. How To Make Hacking Tools
  56. Hack Tools For Mac
  57. Best Hacking Tools 2019
  58. Hacker Techniques Tools And Incident Handling
  59. Hack Tools Mac
  60. Hacker Techniques Tools And Incident Handling
  61. Hacking Tools For Kali Linux
  62. Hacker Tools Github
  63. Pentest Tools Url Fuzzer
  64. Pentest Automation Tools
  65. Pentest Tools Linux
  66. Hacking Tools Windows
  67. Hack Tools Mac
  68. Hacking Tools Free Download
  69. Top Pentest Tools
  70. Ethical Hacker Tools
  71. New Hack Tools
  72. Pentest Box Tools Download
  73. Hack And Tools
  74. Hacker Tools For Ios
  75. Hacking Tools Github
  76. Termux Hacking Tools 2019
  77. How To Hack
  78. Hacking Tools Kit
  79. Hacker Tools Free Download
  80. Pentest Tools Find Subdomains
  81. Hacker Tools Windows
  82. Hack Tools For Ubuntu
  83. Pentest Tools Online
  84. How To Hack
  85. Hack Tools Online
  86. Hacker Tools For Pc
  87. Ethical Hacker Tools
  88. New Hack Tools
  89. Pentest Tools List
  90. Hacking Tools For Pc
  91. What Are Hacking Tools
  92. Pentest Tools Apk
  93. Hacker Tools 2019
  94. Hacking Tools 2019
  95. Hacker Tool Kit
  96. Top Pentest Tools
  97. Hacker Tools Windows
  98. Pentest Tools Download
  99. Hacker Hardware Tools
  100. Hacker Security Tools
  101. Bluetooth Hacking Tools Kali
  102. Hacker Search Tools
  103. Hacker Tools 2019
  104. Github Hacking Tools
  105. Hacker Tools 2020
  106. Hacker Tools For Ios
  107. Blackhat Hacker Tools
  108. Ethical Hacker Tools
  109. Hacker Tools Software
  110. Hack Tools Mac
  111. Pentest Tools Url Fuzzer
  112. Github Hacking Tools
  113. Hack Tools
  114. Pentest Tools Bluekeep
  115. Hacker Tools Online
  116. World No 1 Hacker Software
  117. Hacking Tools Windows
  118. Install Pentest Tools Ubuntu
  119. Pentest Tools Framework
  120. Hack Tools
  121. Hacking Tools Name
  122. Hacking Tools For Mac
  123. Pentest Tools Port Scanner
  124. Hacking Tools For Windows Free Download
  125. Hack And Tools
  126. Pentest Tools Online
  127. Hacker Tools Linux
  128. Hacking Tools For Windows
  129. Hack Tools Github
  130. Pentest Tools Download
  131. Hacking Tools For Games
  132. What Is Hacking Tools
  133. Android Hack Tools Github
  134. Hacker Tool Kit
  135. Hacker Search Tools
  136. New Hacker Tools
  137. Pentest Tools Online
  138. Game Hacking
  139. Install Pentest Tools Ubuntu
  140. Hacking Apps
  141. Hacker Tools Windows
Diposting oleh Sek. Lab. Umum Widyatama di 14.32

Tidak ada komentar:

Posting Komentar

Menu