Skip to main content

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

By admin
It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


Related word
  1. Pentest Tools Subdomain
  2. Pentest Tools Free
  3. How To Install Pentest Tools In Ubuntu
  4. Hacks And Tools
  5. Hacker Tools For Mac
  6. Pentest Tools Port Scanner
  7. Hack Tools For Windows
  8. Hacking Tools Free Download
  9. Hacking Tools Online
  10. Hacker Tools For Windows
  11. Beginner Hacker Tools
  12. Pentest Tools Download
  13. Hacker Tools Hardware
  14. Hacker Tools Software
  15. Hack Tools Mac
  16. Hack Tool Apk No Root
  17. Hacking Tools 2020

Comments

Post a Comment

Popular posts from this blog

דף הבית | הטכניון - מכון טכנולוגי לישראל

By admin
https://technion.ac.il http://library.technion.ac.il/he https://www.technion.ac.il/%D7%A8%D7%A9%D7%99%D7%9E%D7%AA-%D7%94%D7%A4%D7%A7%D7%95%D7%9C%D7%98%D7%95%D7%AA-2/ http://www.admin.technion.ac.il/dpcalendar/ https://www.technion.ac.il/%D7%94%D7%A0%D7%94%D7%9C%D7%94-%D7%91%D7%9B%D7%99%D7%A8%D7%94/ https://www.technion.ac.il/%D7%A1%D7%9E%D7%99%D7%A0%D7%A8%D7%99%D7%9D/ https://dean.web.technion.ac.il/%D7%A7%D7%9E%D7%A4%D7%95%D7%A1-%D7%AA%D7%95%D7%A1%D7%A1/ http://www.dmag.co.il/pub/technion/tmag.html http://moodle.technion.ac.il/ https://tender-logistics.web3.technion.ac.il http://cis.technion.ac.il/ http://video.technion.ac.il/ https://portal.technion.ac.il/irj/portal https://www.technion.ac.il/ https://www.technion.ac.il/en/home-2/ http://arabic.net.technion.ac.il https://www.technion.ac.il/%d7%97%d7%96%d7%95%d7%9f-%d7%94%d7%98%d7%9b%d7%a0%d7%99%d7%95%d7%9f/ https://www.technion.ac.il/%d7%94%d7%99%d7%a1%d7%98%d7%95%d7%a8%d7%99%d7%99%d7%aa-%d7%94%d7%98%d7%9b%d7%a0%d7%99%d7%95%d7%9f/ ht...
Post a Comment
Read more

Gu Energy Gel for Sale

By admin
Get Gu Energy Gel Here - https://bit.ly/3f97Wvz _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
Post a Comment
Read more

To Kilinochchi or Mankulam?- The Nation- 2008/09/07

By admin
This week saw one of the most ferocious battles since the security forces started their campaign to regain the Wanni around mid last year. The LTTE’s much anticipated counter strike was launched along their newly built trench line from the western coastal town Nachchikudah to the deep interior region Akkarayankulam, a fair distance of 18-20 km in length. This trench line, which is mainly an earth bund of around 7-15 feet at certain places, was built in recent times with heavy machinery cutting across shrub jungles. In a series of waves, the LTTE attacked personnel of the Army’s 58 and 57 Divisions last Wednesday in a battle that lasted 36 hours. The LTTE claimed to have killed up to 100 military personnel, while the military initially claimed that only nine soldiers were killed. However, with the LTTE claiming that they had recovered the bodies of 29 soldiers and posted pictures of the dead on pro-LTTE websites, the Army said that ...
3 comments
Read more