Skip to main content

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

By admin
It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


Related word
  1. Pentest Tools Subdomain
  2. Pentest Tools Free
  3. How To Install Pentest Tools In Ubuntu
  4. Hacks And Tools
  5. Hacker Tools For Mac
  6. Pentest Tools Port Scanner
  7. Hack Tools For Windows
  8. Hacking Tools Free Download
  9. Hacking Tools Online
  10. Hacker Tools For Windows
  11. Beginner Hacker Tools
  12. Pentest Tools Download
  13. Hacker Tools Hardware
  14. Hacker Tools Software
  15. Hack Tools Mac
  16. Hack Tool Apk No Root
  17. Hacking Tools 2020

Comments

Post a Comment

Popular posts from this blog

9774 hash passwords

By admin
blake2b-256(jade41) blake2b-256(jade420) blake2b-256(jade429) blake2b-256(jade44) blake2b-256(jade456) blake2b-256(jade4ever69) blake2b-256(jade50) blake2b-256(jade5264) blake2b-256(jade555) blake2b-256(jade5565) blake2b-256(jade69) blake2b-256(Jade69) blake2b-256(jade98) blake2b-256(jadebaby11121) blake2b-256(jadebink) blake2b-256(jadeblue) blake2b-256(jadecape) blake2b-256(jadeck) blake2b-256(jadeclub) blake2b-256(jaded) blake2b-256(jaded1) blake2b-256(jaded2) blake2b-256(jaded69) blake2b-256(jadedbaby) blake2b-256(jadedd) blake2b-256(jadedragonflower) blake2b-256(jadeds) blake2b-256(jadeduck) blake2b-256(jadeee) blake2b-256(jadeeeee) blake2b-256(jadefox) blake2b-256(jadehungder) blake2b-256(jadejade) blake2b-256(jadejord) blake2b-256(jadejs) blake2b-256(jadeland) blake2b-256(jadelilly) blake2b-256(jadelugo) blake2b-256(jadelyn) blake2b-256(jadelynn) blake2b-256(jadelynp) blake2b-256(jaden) blake2b-256(jaden0) blake2b-256(jaden1) blake2b-2...
Post a Comment
Read more

The Base Blockchain Airdrop: Hidden Opportunities You Don’t Want to Miss!

By admin
The Base blockchain, supported by Coinbase, is making waves in the crypto space with its surging Total Value Locked (TVL) and potential airdrop opportunities. In this article, we'll dive deep into Base's ecosystem, its key protocols, and strategies for maximizing potential rewards. We'll also explore SynFutures, a standout perpetual protocol, and other exciting opportunities that could set the stage for a lucrative airdrop. Base Blockchain: A Rising Star Current Status Base has climbed to the sixth position among blockchains in terms of TVL, surpassing even Arbitrum, the long-time leader in Ethereum Layer 2 solutions. With $4 billion+ in TVL , Base's rapid growth is drawing attention from the crypto community. Why the Excitement Around a Potential Airdrop? Coinbase Backing: As a leading exchange, Coinbase's involvement ensures credibility and innovation. Changing Regulations: With evolving regulatory clarity, there's renewed optimism for potential rewards lik...
Post a Comment
Read more

5525 Interesting News

By admin
TikTok Restoring Service for U.S. Users, After Trump Signals He Will Save It The pandemic has changed the shape of global happiness The "Scream" franchise adds another self-referential sequel Millions of Chinese people play guandan. Is that good or bad? A theatre in Jenin offers a different kind of Palestinian resistance Economic data, commodities and markets Covid-19 has shone a light on racial disparities in health Is Syria's drug-dealing dictator coming in from the cold? Female soldiers are changing how armed forces work This Tool Probes Frontier AI Models for Lapses in Intelligence How much cash should be removed from the financial system? Can the voluntary carbon market save the Amazon? File-Unpumper - Tool That Can Be Used To Trim Useless Things From A PE File Such As The Things A File Pumper Would Add This week's cover War in space is no longer science fiction The best Apple deals you can get right now: Save on Apple TV+, AirPods, iPads and more Trump's Agg...
Post a Comment
Read more