Shellcode
From Wikipedia, the free encyclopedia
A shellcode is a relocatable piece of machine code used as the payload in the exploitation of a software bug. It typically allows an unauthorised user to communicate with the computer via the operating system's command line, as a result of exploiting a vulnerability in software running on the machine. Because it is normally stored as a null-terminated string, it cannot contain null characters.
Shellcode execution strategy
A shellcode may be used as an exploit payload, providing a cracker with command line access to a computer system with the privileges of the process that has been exploited. To avoid detection by anti-intrusion measures and to store more than one string, crackers often make use of self-decrypting code, polymorphic code and alphanumeric code.
Shellcodes can be stored in a process' memory space and subsequently executed as a result of the attacker gaining control of the program counter using vulnerabilities such as stack and heap-based buffer overflows, or format string attacks. There are various methods of controlling the program counter which vary between operating systems and processor architectures. They include but are not limited to: overwriting the return address in a stack frame, overwriting exception handlers and Windows-based shatter attacks.
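As an added illustration that is not part of the article, the following Python snippet measures, for an arbitrary byte payload, the three observable properties discussed above: whether it is free of null bytes (and so survives a C string copy), whether it is purely alphanumeric, and its Shannon entropy, which is high for self-decrypting or otherwise encoded payloads. The sample blobs, the 6.0 bits/byte threshold and the function names are constructed for this example.

```python
import math
import string

# Bytes allowed in a purely alphanumeric payload (ASCII letters and digits).
ALNUM = frozenset(string.ascii_letters.encode() + string.digits.encode())


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant input, at most 8.0."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def triage_payload(data: bytes, entropy_threshold: float = 6.0) -> dict:
    """Report the properties an analyst checks when classifying a captured blob.

    entropy_threshold (6.0 bits/byte) is an assumed, constructed cut-off;
    plain text sits well below it, encrypted or packed data close to 8.0.
    """
    entropy = shannon_entropy(data)
    return {
        "length": len(data),
        "null_free": b"\x00" not in data,           # would survive strcpy()
        "alphanumeric": bool(data) and all(b in ALNUM for b in data),
        "entropy": round(entropy, 2),
        "high_entropy": entropy >= entropy_threshold,
    }


# Constructed samples, not real shellcode: each exercises one property.
SAMPLES = {
    "contains_null": b"AAAA\x00BBBB",             # fails the null-free rule
    "alphanumeric": b"LooksLike7Alnum0Payload",    # passes an alnum filter
    "uniform_bytes": bytes(range(256)),            # maximal entropy (8.0)
    "repeated_byte": b"\x90" * 64,                 # zero entropy
}


def triage_samples() -> dict:
    """Run the triage over every constructed sample."""
    return {name: triage_payload(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, report in triage_samples().items():
        print(f"{name:15s} {report}")
```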
Shellcode communication methods
There are two main methods of communicating with a compromised machine: a listening port that waits for any incoming connection, or a connect-back shell that connects out to a predetermined address. The main practical difference arises at a firewall: one configured to block connection requests to ports that do not run an authorised service will stop the listening variant, whereas outward-bound connections may be assumed to be legitimate and allowed through.
Shellcode mitigation strategies
There are several steps that can mitigate the threat of shellcode being executed on a system: configuration of a firewall, packet filtering, minimising the number of privileged services running on a machine, and Intrusion Detection Systems (IDS). In addition, several methods of randomising memory layout are available; these make inserting and executing shellcode very difficult, because the location of the overflowed buffer in memory cannot be predicted.
See also
External links
- http://www.phrack.org/archives/49/P49-14 An introduction to buffer overflows and shellcode
- http://samy.kerneled.org/articles/shellcode.html A good introduction into writing x86 Linux shellcode with some advanced topics
- The Basics of Shellcoding (PDF) An overview of x86 shellcoding by Angelo Rosiello
- http://www.shellcode.com.ar/docz/bof/Writing_shellcode.html An introduction to shellcode development
- http://www.metasploit.com/shellcode.html Contains x86 and non-x86 shellcode samples and an online interface for automatic shellcode generation and encoding, from the Metasploit Project
- http://www.shellcode.org/ Contains x86 and non-x86 shellcode samples
- http://www.linux-secure.com/endymion/shellcodes/ A shellcode archive, sorted by operating system
- http://www.milw0rm.com/papers/11 Windows and Linux shellcode design tutorial going from basic to advanced
- http://www.vividmachines.com/shellcode/shellcode.html Windows and Linux shellcode tutorial containing step-by-step examples
- http://www.enderunix.org/docs/en/sc-en.txt Designing shellcode demystified