Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.

Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:

There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:

The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.

The equation:

cmd[0] = 69

cmd[1] = 78

cmd[1] + cmd[2] = 154

cmd[2] + cmd[3] = 202

cmd[3] + cmd[4] = 241

cmd[4] + cmd[5] = 233

cmd[5] + cmd[6] = 217

cmd[6] + cmd[7] = 218

cmd[7] + cmd[8] = 228

cmd[8] + cmd[9] = 212

cmd[9] + cmd[10] = 195

cmd[10] + cmd[11] = 195

cmd[11] + cmd[12] = 201

cmd[12] + cmd[13] = 207

cmd[13] + cmd[14] = 203

cmd[14] + cmd[15] = 215

cmd[15] + cmd[16] = 235

cmd[16] + cmd[17] = 242

The solution:

cmd[0] = 69

cmd[1] = 75

cmd[2] = 79

cmd[3] = 123

cmd[4] = 118

cmd[5] = 115

cmd[6] = 102

cmd[7] = 116

cmd[8] = 112

cmd[9] = 100

cmd[10] = 95

cmd[11] = 100

cmd[12] = 101

cmd[13] = 106

cmd[14] = 97                    

cmd[15] = 118

cmd[16] = 117

cmd[17] = 125

The flag:

EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

More articles

1. Hack Tools Download
2. Pentest Tools Subdomain
3. Hack Tool Apk
4. Hacker Tools
5. Pentest Tools Bluekeep
6. Computer Hacker
7. Hackers Toolbox
8. Hack Tools Github
9. Hack Tool Apk No Root
10. How To Make Hacking Tools
11. Hacker Tools Linux
12. Hackers Toolbox
13. Hacker Tools Mac
14. Pentest Tools Url Fuzzer
15. Pentest Tools Website
16. Hacking Tools For Windows 7
17. World No 1 Hacker Software
18. Hack Tools Pc
19. Pentest Tools Website Vulnerability
20. New Hacker Tools
21. Hacker Tools Online
22. Hacking Tools For Pc
23. Hack Tools Mac
24. Hacking Tools For Beginners
25. Nsa Hack Tools Download
26. Pentest Tools For Mac
27. Pentest Reporting Tools
28. Hacker Tools Free Download
29. Hacker Tools Mac
30. Pentest Tools Android
31. Pentest Tools Kali Linux
32. Hacking Tools Name
33. Pentest Tools Open Source
34. Hacking Tools For Kali Linux
35. Easy Hack Tools
36. Hacking Tools 2019
37. Best Hacking Tools 2020
38. Hacker Tools Software
39. Hacker Tools Linux
40. Hacking Tools Usb
41. Hack Rom Tools
42. Tools 4 Hack
43. Hacker Tools Free
44. Pentest Tools Port Scanner
45. New Hacker Tools
46. Pentest Tools Bluekeep
47. Hack Tools Mac
48. Pentest Tools Online
49. Hacker Security Tools
50. Hacking Tools For Mac
51. Hack Tools For Mac
52. Pentest Tools Online
53. Hacker Tools
54. Hacking Tools For Beginners
55. Pentest Tools Open Source
56. Hacking Tools For Pc
57. Hacking Tools For Beginners
58. Hacking Tools Download
59. Black Hat Hacker Tools
60. Computer Hacker
61. Top Pentest Tools
62. Hack Tools For Windows
63. Pentest Tools Windows
64. Hack Tools Github
65. Hack And Tools
66. What Is Hacking Tools
67. Hak5 Tools
68. Tools 4 Hack
69. Hacker Security Tools
70. Pentest Tools Subdomain
71. Hack Tools 2019
72. Hack App
73. Pentest Tools Tcp Port Scanner
74. Pentest Tools Github
75. Hacking Tools Software
76. Pentest Tools Open Source
77. Hacker Tools List
78. What Is Hacking Tools
79. Wifi Hacker Tools For Windows
80. Nsa Hack Tools Download
81. Kik Hack Tools
82. Pentest Tools Tcp Port Scanner
83. Hack And Tools
84. Hack Tools For Games
85. Hacking Tools Usb
86. Hack Tools
87. Underground Hacker Sites
88. Hacker Tools 2020
89. Pentest Tools Free
90. Hacker Tools Software
91. Pentest Tools Subdomain
92. Ethical Hacker Tools
93. Wifi Hacker Tools For Windows
94. Pentest Tools List
95. Blackhat Hacker Tools
96. Pentest Tools List
97. Hack Tools Github
98. Hacking Tools Usb
99. Kik Hack Tools
100. Hacker Tools Windows
101. Pentest Tools Open Source
102. Pentest Automation Tools
103. Pentest Tools Linux
104. Hacking Tools Usb
105. Hacker Tools Hardware
106. Blackhat Hacker Tools
107. Pentest Tools Tcp Port Scanner
108. Pentest Tools Kali Linux
109. Pentest Tools Online
110. Hack Tools For Mac
111. Hacker Techniques Tools And Incident Handling
112. Hacking Tools Hardware
113. Hacking Tools Download
114. Hacking Tools For Windows
115. Hacker Tools List
116. Pentest Tools Website Vulnerability