Saturday, 29 August 2020

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added. The challenge doesn't specify whether it is an authentication backdoor, a special command or something else.

I started looking for something weird in the authentication routines, but I didn't find anything significant in a brief period of time, so I decided to do a bindiff, which was the key to locating the backdoor quickly. I did a quick diff of the strings with the command "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl", which is weird because it is a call for executing ELFs, not needed for an FTP service, and weird that the compiled binary doesn't have that symbol.





Looking at the xrefs of "execl" in IDA, I found code that is a clear backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr to the socket and calls execl:



There is one xref to this function: the function that decides when to trigger it, and the decision is this kind of system of equations:


The backdoor was not in the authentication; it was a special command that triggers the backdoor, obfuscated in that system of equations. There was no need to use the z3 equation solver because the system is a simple one and I did it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125


The flag:
EKO{vsftpd_dejavu}
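
The hand solution above can be reproduced by forward substitution through the pairwise sums. This is an added example, not code from the original write-up; the function names are hypothetical, and it goes one step further than the text by enumerating every possible cmd[1] to show that the sums alone leave one free byte.

```python
# Added example: solve the trigger-command check by forward substitution.
# The sums are the ones listed in the write-up; all names here are hypothetical.

CMD0 = 69  # cmd[0] is compared directly
# cmd[i] + cmd[i+1] for i = 1..16, in the order listed in the write-up
PAIR_SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
             195, 195, 201, 207, 203, 215, 235, 242]


def solve_chain(seed):
    """Return cmd[0..17] as bytes for a given cmd[1], or None if a byte leaves 0..255."""
    cmd = [CMD0, seed]
    for total in PAIR_SUMS:
        nxt = total - cmd[-1]  # cmd[i+1] = sum - cmd[i]
        if not 0 <= nxt <= 255:
            return None
        cmd.append(nxt)
    return bytes(cmd)


def verify(cmd):
    """Re-check a candidate command against cmd[0] and every pairwise sum."""
    if len(cmd) != len(PAIR_SUMS) + 2 or cmd[0] != CMD0:
        return False
    return all(cmd[i] + cmd[i + 1] == total
               for i, total in enumerate(PAIR_SUMS, start=1))


def printable_candidates():
    """Map each cmd[1] seed to its string when every byte is printable ASCII."""
    found = {}
    for seed in range(256):
        cmd = solve_chain(seed)
        if cmd and all(0x20 <= b < 0x7F for b in cmd):
            found[seed] = cmd.decode("ascii")
    return found


if __name__ == "__main__":
    # cmd[1] = 75 ('K') is the value in the write-up's solution list
    print(solve_chain(75).decode("ascii"))
    for seed, text in sorted(printable_candidates().items()):
        print(seed, text)
```

Ten seeds (67 to 76) give a printable string, so the direct constant on cmd[1] is what pins the command down. Only 75 reproduces the listed solution and flag; seeding with 78, the value shown in the equation list, ends in the non-printable byte 128.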

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

