jueves, 27 de agosto de 2020

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32bits elf binary of some version of vsftpd, where it have been added a backdoor, they don't specify is an authentication backdoor, a special command or other stuff.

I started looking for something weird on the authentication routines, but I didn't found anything significant in a brief period of time, so I decided to do a bindiff, that was the key for locating the backdoor quickly. I do a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl" which is weird because is a call for executing elfs, don't needed for a ftp service, and weird that the compiled binary doesn't has that symbol.





Looking the xrefs of "execl" on IDA I found that code that is a clear backdoor, it create a socket, bind a port and duplicate the stdin, stdout and stderr to the socket and use the execl:



There are one xrefs to this function, the function that decides when trigger that is that kind of systems equations decision:


The backdoor was not on the authentication, it was a special command to trigger the backdoor, which is obfuscated on that systems equation, it was no needed to use a z3 equation solver because is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97                    
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor


Related articles


  1. Hacking Tools For Windows 7
  2. Hacks And Tools
  3. Hack Rom Tools
  4. Hacker
  5. Hacking Tools For Beginners
  6. Hacking Tools 2020
  7. Nsa Hack Tools Download
  8. Pentest Tools Subdomain
  9. Pentest Tools Framework
  10. Hacker Tools 2020
  11. Hacker Tools For Windows
  12. Ethical Hacker Tools
  13. Hacking Tools And Software
  14. Hacking Tools And Software
  15. Nsa Hack Tools
  16. Hack Rom Tools
  17. Pentest Tools Framework
  18. Hacking Tools For Mac
  19. Hacking Tools 2020
  20. Best Pentesting Tools 2018
  21. Hack Tools Github
  22. Hackers Toolbox
  23. Hacking Tools Kit
  24. Hack Tools For Ubuntu
  25. Hacker Tools 2020
  26. World No 1 Hacker Software
  27. Hak5 Tools
  28. Hacker Tools Hardware
  29. Pentest Tools Review
  30. Hacking Tools Mac
  31. Kik Hack Tools
  32. Hacker Tools For Pc
  33. Hacking Tools Windows 10
  34. Beginner Hacker Tools
  35. Hacking Tools For Mac
  36. Hack Tools Download
  37. Beginner Hacker Tools
  38. Hacker Tools Free
  39. Computer Hacker
  40. Tools Used For Hacking
  41. Pentest Box Tools Download
  42. Pentest Tools Tcp Port Scanner
  43. Easy Hack Tools
  44. Hacker Hardware Tools
  45. Easy Hack Tools
  46. Pentest Tools Windows
  47. Hacking Tools Usb
  48. Usb Pentest Tools
  49. Hacker Tools Hardware
  50. Hacking Tools Online
  51. Hacker Tools For Pc
  52. Pentest Tools List
  53. Hacking Tools And Software
  54. Hacking Tools Github
  55. Pentest Tools Github
  56. Pentest Tools Free
  57. Easy Hack Tools
  58. Pentest Tools Find Subdomains
  59. Best Pentesting Tools 2018
  60. Pentest Tools Free
  61. Hack Tools For Windows
  62. Hack Tool Apk No Root
  63. Hack Apps
  64. Hack Tools Download
  65. Best Pentesting Tools 2018
  66. Tools Used For Hacking
  67. Hacker Tools For Pc
  68. Nsa Hack Tools
  69. Usb Pentest Tools
  70. New Hack Tools
  71. Hacker Hardware Tools
  72. Pentest Automation Tools
  73. Hacking Tools 2020
  74. Hacker Tools List
  75. Hacking Tools 2020
  76. Pentest Tools Alternative
  77. Hack Tool Apk
  78. Hacking Tools Github
  79. Hacker Tools Software
  80. Pentest Tools Download
  81. Hackers Toolbox
  82. What Is Hacking Tools
  83. Pentest Automation Tools
  84. Top Pentest Tools
  85. Pentest Tools Review
  86. Pentest Tools Online
  87. Pentest Tools Port Scanner
  88. Hacker Tools
  89. Pentest Tools Online
  90. Pentest Tools Free
  91. Hack Tools Mac
  92. Hack And Tools
  93. Pentest Tools Url Fuzzer
  94. Hacker Security Tools
  95. Pentest Tools Website Vulnerability
  96. Hacker Tools For Windows
  97. Easy Hack Tools
  98. Hack Website Online Tool
  99. Hacker Tools List
  100. Hack Tool Apk
  101. Pentest Tools Online
  102. Underground Hacker Sites
  103. Pentest Tools Free
  104. Free Pentest Tools For Windows
  105. Hack Tools For Games
  106. Hacker Tools Windows
  107. Kik Hack Tools
  108. Hacking Tools Kit
  109. Hackers Toolbox
  110. Hacks And Tools
  111. Install Pentest Tools Ubuntu
  112. Hacker Tools
  113. Hacking Tools For Beginners
  114. Best Hacking Tools 2019
Publicado por en

No hay comentarios:

Publicar un comentario

Suscribirse a: Enviar comentarios (Atom)