
Vsftpd Backdoor - Ekoparty Pre-CTF - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added. The challenge doesn't specify whether it is an authentication backdoor, a special command, or something else.

I started looking for something weird in the authentication routines, but didn't find anything significant in a short time, so I decided to diff the backdoored binary against a clean build, and that was the key to locating the backdoor quickly. I did a quick diff of the strings with "strings bin | sort -u" on both binaries and "vimdiff", and noticed that the backdoored binary has the symbol "execl", which is weird because it is a call for executing other programs, not something an FTP service needs, and the binary compiled from the clean source doesn't have that symbol at all.
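As an added example (not code from the writeup), the same strings-diff done in Python: a minimal `strings`-style extractor over two byte blobs, a set difference, and a filter for exec-family names that an FTP daemon has no business importing. The two blobs are constructed stand-ins for the clean and backdoored ELF, not the challenge files; the function names are mine.

```python
"""strings_diff.py - added example: `strings | sort -u` on two binaries,
diffed, with a filter for exec-family names that an FTP daemon shouldn't need.
"""
import re

MIN_LEN = 4  # GNU strings' default minimum run length


def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> set:
    """Unique printable-ASCII runs of at least min_len bytes (strings | sort -u)."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return {m.group().decode("ascii") for m in pat.finditer(blob)}


def strings_diff(clean: bytes, suspect: bytes) -> tuple:
    """Return (only_in_suspect, only_in_clean), both sorted."""
    a = extract_strings(clean)
    b = extract_strings(suspect)
    return sorted(b - a), sorted(a - b)


# Symbols that spawn another program; a new one of these in a network
# service is the first thing to chase in the disassembler.
EXEC_FAMILY = {"execl", "execle", "execlp", "execv", "execve", "execvp",
               "system", "popen"}


def suspicious_new_strings(clean: bytes, suspect: bytes) -> list:
    """Strings that appear only in the suspect binary and name an exec-family call."""
    added, _ = strings_diff(clean, suspect)
    return [s for s in added if s in EXEC_FAMILY]


# Constructed sample data: a fake ELF header followed by a .dynstr-like
# run of NUL-separated names. The "backdoored" blob only adds two entries.
CLEAN_BLOB = (b"\x7fELF\x01\x01\x01" + b"\x00" * 9
              + b"libc.so.6\x00socket\x00bind\x00listen\x00accept\x00"
              + b"dup2\x00strcmp\x00USER\x00PASS\x00")
BACKDOORED_BLOB = CLEAN_BLOB + b"execl\x00/bin/sh\x00"

if __name__ == "__main__":
    added, removed = strings_diff(CLEAN_BLOB, BACKDOORED_BLOB)
    print("only in suspect:", added)
    print("only in clean:  ", removed)
    print("exec-family additions:", suspicious_new_strings(CLEAN_BLOB, BACKDOORED_BLOB))
```

On real files the equivalent shell is `strings -n 4 clean | sort -u > a; strings -n 4 backdoor | sort -u > b; diff a b`. A tighter check than raw strings is to diff the dynamic symbol tables (`nm -D` or `readelf --dyn-syms` on both binaries), since an import like execl has to appear there for the call to resolve.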





Looking at the xrefs of "execl" in IDA I found code that is a clear backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr onto the socket, and calls execl:



There is one xref to this function, and the function that decides when to trigger it is this kind of system-of-equations check:


The backdoor was not in the authentication; it is a special command that triggers the backdoor, obfuscated as that system of equations. There was no need for a z3 equation solver because the system is a simple one (each equation fixes the next byte from the previous one), and I solved it by hand.



The equations (cmd is the command buffer, one byte per index):
cmd[0] = 69
cmd[1] = 75
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution (with the ASCII character of each byte):
cmd[0] = 69   'E'
cmd[1] = 75   'K'
cmd[2] = 79   'O'
cmd[3] = 123  '{'
cmd[4] = 118  'v'
cmd[5] = 115  's'
cmd[6] = 102  'f'
cmd[7] = 116  't'
cmd[8] = 112  'p'
cmd[9] = 100  'd'
cmd[10] = 95  '_'
cmd[11] = 100 'd'
cmd[12] = 101 'e'
cmd[13] = 106 'j'
cmd[14] = 97  'a'
cmd[15] = 118 'v'
cmd[16] = 117 'u'
cmd[17] = 125 '}'
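As an added example (not the writeup's code), the trigger check as the constraints read, and its inversion by substitution. The constants are the ones listed above; the function names are mine. The solver goes beyond the hand computation in one respect: it propagates in both directions until nothing changes, so any single known byte recovers the whole chain, and it reports an inconsistent or underdetermined system instead of returning garbage.

```python
"""backdoor_cmd.py - added example: the pairwise-sum check the backdoor
performs on the command buffer, and a solver that inverts it.
"""

CMD_LEN = 18
KNOWN = {0: 69, 1: 75}          # cmd[0] == 'E', cmd[1] == 'K', read directly
PAIR_SUMS = {                   # PAIR_SUMS[i] == cmd[i] + cmd[i + 1]
    1: 154, 2: 202, 3: 241, 4: 233, 5: 217, 6: 218, 7: 228, 8: 212,
    9: 195, 10: 195, 11: 201, 12: 207, 13: 203, 14: 215, 15: 235, 16: 242,
}


def is_trigger(cmd: bytes) -> bool:
    """The backdoor's decision: True only when every constraint holds."""
    if len(cmd) != CMD_LEN:
        return False
    if any(cmd[i] != v for i, v in KNOWN.items()):
        return False
    return all(cmd[i] + cmd[i + 1] == s for i, s in PAIR_SUMS.items())


def solve(known=KNOWN, pair_sums=PAIR_SUMS, length=CMD_LEN) -> bytes:
    """Recover cmd from the fixed bytes and the pairwise sums.

    Each sum cmd[i] + cmd[i+1] == s yields the unknown side once the other
    is known, so we sweep until no new byte is derived. A sum whose both
    sides are already known is checked, not overwritten.
    """
    cmd = dict(known)
    progress = True
    while progress:
        progress = False
        for i, s in pair_sums.items():
            a, b = cmd.get(i), cmd.get(i + 1)
            if a is not None and b is not None:
                if a + b != s:
                    raise ValueError(f"inconsistent constraint at index {i}")
            elif a is not None:
                cmd[i + 1] = s - a
                progress = True
            elif b is not None:
                cmd[i] = s - b
                progress = True
    missing = [i for i in range(length) if i not in cmd]
    if missing:
        raise ValueError(f"underdetermined: indices {missing} unconstrained")
    vals = [cmd[i] for i in range(length)]
    if not all(0 <= v <= 255 for v in vals):
        raise ValueError("solution is not a byte string")
    return bytes(vals)


if __name__ == "__main__":
    magic = solve()
    print(magic.decode("ascii"), is_trigger(magic))
```

Sending the recovered string as the FTP command is what fires the bind-shell routine above. If the system had been a real set of coupled equations rather than a chain, the same constraints could be handed to z3 as 18 8-bit bitvectors, but here a single known byte determines everything.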


The flag:
EKO{vsftpd_dejavu}

The name is a nod to the real backdoor found in the vsftpd 2.3.4 source tarball in 2011, which was also triggered by a magic value (a smiley in the username) and also opened a listening shell on a fixed port.

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


