miércoles, 31 de mayo de 2023

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


Related news

  1. Pentest Tools Port Scanner
  2. Hacking Tools Windows
  3. Game Hacking
  4. Pentest Tools Website Vulnerability
  5. Pentest Tools For Mac
  6. Hacking Tools And Software
  7. Tools For Hacker
  8. Hacking Tools For Pc
  9. Pentest Tools Github
  10. Hackrf Tools
  11. Pentest Box Tools Download
  12. Hack Tools For Games
  13. Pentest Tools Review
  14. How To Hack
  15. Pentest Tools Alternative
  16. Hack App
  17. Hacker Tools Apk
  18. Hack Apps
  19. Hack Tools Online
  20. Free Pentest Tools For Windows
  21. What Is Hacking Tools
  22. Pentest Recon Tools
  23. Pentest Reporting Tools
  24. Pentest Tools Android
  25. Hacker Techniques Tools And Incident Handling
  26. Hacker Tools Apk Download
  27. Nsa Hacker Tools
  28. Github Hacking Tools
  29. Hacking Tools Software
  30. Hack Tools For Mac
  31. Pentest Tools Website Vulnerability
  32. Hacking Tools For Windows
  33. Growth Hacker Tools
  34. Hacking Tools
  35. Hacking Tools For Beginners
  36. Termux Hacking Tools 2019
  37. Hacker Tools Free Download
  38. Nsa Hack Tools Download
  39. Pentest Tools Port Scanner
  40. Pentest Tools Windows
  41. Hacker Tools Software
  42. Hacker Tools For Ios
  43. Pentest Tools Free
  44. Best Hacking Tools 2020
  45. Hacker Tools 2020
  46. Pentest Tools
  47. Pentest Tools Online
  48. Hacking Tools For Windows Free Download
  49. Hacking Tools Usb
  50. Hacking Tools 2019
  51. Hacking Tools Software
  52. Hacker Tools For Windows
  53. Hack Tool Apk No Root
  54. Underground Hacker Sites
  55. Pentest Tools For Ubuntu
  56. Hacking Tools Windows 10
  57. Top Pentest Tools
  58. Hacker Tools For Ios
  59. Hackrf Tools
  60. Hacking Tools For Kali Linux
  61. How To Install Pentest Tools In Ubuntu
  62. Pentest Tools Url Fuzzer
  63. Hacker Tools For Pc
  64. Hacker Tools Github
  65. Hacker Tools Linux
  66. Pentest Tools Free
  67. Hacking Tools For Beginners
  68. Pentest Tools Apk
  69. Pentest Tools Download
  70. Hacking Tools For Mac
  71. Hack Tools Download
  72. Game Hacking
  73. New Hacker Tools
  74. Pentest Tools Review
  75. Hacker Tool Kit
  76. Hack Tool Apk
  77. Hacking Tools For Windows
  78. Nsa Hack Tools
  79. Growth Hacker Tools
  80. Hack Tools Github
  81. Blackhat Hacker Tools
  82. Pentest Reporting Tools
  83. Pentest Tools Website
  84. Pentest Box Tools Download
  85. Hacking Tools
  86. Hack Tools For Pc
  87. Nsa Hacker Tools

No hay comentarios:

Publicar un comentario