Wednesday, May 31, 2023

Vsftpd Backdoor - Ekoparty Prectf - Amn3S1A Team

It's a 32-bit ELF binary of some version of vsftpd to which a backdoor has been added; the challenge doesn't say whether it is an authentication backdoor, a special command, or something else.

I started by looking for something odd in the authentication routines, but I didn't find anything significant in a short time, so I decided to do a bindiff, and that was the key to locating the backdoor quickly. I did a quick diff of the strings with "strings bin | sort -u" and "vimdiff" and noticed that the backdoored binary has the symbol "execl", which is odd because it is a call for executing ELF binaries, not needed by an FTP service, and the clean compiled binary doesn't have that symbol.
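As an added illustration (this is not the author's tooling, just a Python stand-in for the "strings bin | sort -u" plus vimdiff step), the snippet below extracts the printable strings of two byte blobs, takes the set difference, and flags the added names that an FTP daemon should never need. The two blobs are constructed sample data, not the CTF binaries, and the SUSPECT_SYMBOLS list is my own triage list, not something from the write-up.

```python
import re

# Added example, not the write-up's own commands: a minimal "strings | sort -u"
# plus diff in Python, to show how a single unexpected imported symbol such as
# "execl" surfaces when a clean build is compared against a suspect binary.

# Constructed sample blobs standing in for the two binaries (not the CTF files):
# a few NUL-separated symbol names inside non-printable filler.
CLEAN_BIN = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"socket\x00bind\x00listen\x00accept\x00vsf_sysutil_read\x00\x90\x90"
)
# The suspect blob carries everything the clean one has, plus two extra symbols.
SUSPECT_BIN = CLEAN_BIN + b"\x00execl\x00dup2\x00"

# Imported symbols an FTP daemon has no business needing (my own triage list);
# any of these appearing only in the suspect build deserves a look at its xrefs.
SUSPECT_SYMBOLS = {"execl", "execv", "execve", "execlp", "execvp", "system", "dup2"}


def strings(blob: bytes, min_len: int = 4) -> list[str]:
    """Equivalent of `strings bin | sort -u`: unique runs of >= min_len printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return sorted({m.group().decode("ascii") for m in re.finditer(pattern, blob)})


def diff_strings(clean: list[str], suspect: list[str]) -> tuple[list[str], list[str]]:
    """Return (only_in_suspect, only_in_clean): the two sides of a vimdiff of the string lists."""
    clean_set, suspect_set = set(clean), set(suspect)
    return sorted(suspect_set - clean_set), sorted(clean_set - suspect_set)


def flag_suspicious(only_in_suspect: list[str]) -> list[str]:
    """Keep just the added strings that match a known exec / fd-redirection symbol name."""
    return sorted(s for s in only_in_suspect if s in SUSPECT_SYMBOLS)


if __name__ == "__main__":
    added, removed = diff_strings(strings(CLEAN_BIN), strings(SUSPECT_BIN))
    print("only in suspect:", added)
    print("only in clean:  ", removed)
    print("worth an xref look:", flag_suspicious(added))
```

On real files you would read both binaries from disk and feed them to strings(); the point of the set difference is that a build from clean sources becomes the baseline, so an imported name like execl that the FTP code never references stands out immediately, even before opening a disassembler.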





Looking at the xrefs of "execl" in IDA, I found code that is clearly a backdoor: it creates a socket, binds a port, duplicates stdin, stdout and stderr onto the socket, and calls execl:



There is one xref to this function; the function that decides when to trigger it is this kind of system-of-equations check:


The backdoor was not in the authentication; it was a special command that triggers the backdoor, obfuscated in that system of equations. There was no need to use the z3 solver because it is a simple one, and I solved it by hand.



The equation:
cmd[0] = 69
cmd[1] = 78
cmd[1] + cmd[2] = 154
cmd[2] + cmd[3] = 202
cmd[3] + cmd[4] = 241
cmd[4] + cmd[5] = 233
cmd[5] + cmd[6] = 217
cmd[6] + cmd[7] = 218
cmd[7] + cmd[8] = 228
cmd[8] + cmd[9] = 212
cmd[9] + cmd[10] = 195
cmd[10] + cmd[11] = 195
cmd[11] + cmd[12] = 201
cmd[12] + cmd[13] = 207
cmd[13] + cmd[14] = 203
cmd[14] + cmd[15] = 215
cmd[15] + cmd[16] = 235
cmd[16] + cmd[17] = 242

The solution:
cmd[0] = 69
cmd[1] = 75
cmd[2] = 79
cmd[3] = 123
cmd[4] = 118
cmd[5] = 115
cmd[6] = 102
cmd[7] = 116
cmd[8] = 112
cmd[9] = 100
cmd[10] = 95
cmd[11] = 100
cmd[12] = 101
cmd[13] = 106
cmd[14] = 97
cmd[15] = 118
cmd[16] = 117
cmd[17] = 125
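The hand solution above is just forward substitution: once cmd[0] and cmd[1] are pinned, every pairwise sum fixes the next byte. As an added example (my code, not the author's), the script below carries that through with the sums transcribed from the write-up and also implements the check the trigger logic amounts to. One assumption to note: it takes cmd[1] as 75, the value the solution list uses; the equation list above prints cmd[1] = 78, which does not fit the pairwise sums or the flag.

```python
# Added example, not the author's code: the "system of equations" from the
# write-up solved by forward substitution, plus the check the binary's trigger
# logic effectively performs. Assumption: cmd[1] is taken as 75, the value the
# write-up's solution uses (its equation list prints 78, which fits neither
# the pairwise sums nor the flag).

FIRST = 69      # cmd[0]
SECOND = 75     # cmd[1]
# cmd[i] + cmd[i+1] for i = 1..16, transcribed from the write-up.
PAIR_SUMS = [154, 202, 241, 233, 217, 218, 228, 212,
             195, 195, 201, 207, 203, 215, 235, 242]


def solve_chain(first: int, second: int, pair_sums: list[int]) -> bytes:
    """Recover every byte: with cmd[1] fixed, cmd[i+1] = pair_sums[i-1] - cmd[i]."""
    cmd = [first, second]
    for s in pair_sums:
        nxt = s - cmd[-1]
        if not 0 <= nxt <= 0xFF:
            raise ValueError(f"sum {s} leaves no valid byte after {cmd[-1]}")
        cmd.append(nxt)
    return bytes(cmd)


def satisfies(cmd: bytes, first: int, second: int, pair_sums: list[int]) -> bool:
    """What the obfuscated trigger checks; it is equivalent to comparing against one fixed string."""
    if len(cmd) != len(pair_sums) + 2:
        return False
    if cmd[0] != first or cmd[1] != second:
        return False
    return all(cmd[i] + cmd[i + 1] == s for i, s in enumerate(pair_sums, start=1))


if __name__ == "__main__":
    trigger = solve_chain(FIRST, SECOND, PAIR_SUMS)
    print(trigger.decode("ascii"))
    print(satisfies(trigger, FIRST, SECOND, PAIR_SUMS))
```

A chain of sums anchored by two known bytes has exactly one solution, which is why no solver was needed. The reason the backdoor author bothered with it is that the trigger word never appears in the string table, so a strings diff shows the execl import but not the command; that is the general lesson for triage, since a constant comparison hidden behind arithmetic leaves the imports, not the strings, as the tell.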


The flag:
EKO{vsftpd_dejavu}

The binary:
https://ctf.ekoparty.org/static/pre-ekoparty/backdoor

