A shellcode is a relocatable piece of machine code used as the payload in the exploitation of a software bug. It allows an unauthorised user to communicate with the computer via the operating system's command line as a result of exploiting a vulnerability in software running on the machine. Normally stored as a null-terminated string, it cannot contain null characters.
Shellcode execution strategy
A shellcode may be used as an exploit payload, providing a cracker with command-line access to a computer system with the privileges of the process that has been exploited. To avoid detection by anti-intrusion measures and to store more than one string, crackers often make use of self-decrypting code, polymorphic code and alphanumeric code.
Shellcodes can be stored in a process's memory space and subsequently executed once the attacker gains control of the program counter using vulnerabilities such as stack- and heap-based buffer overflows, or format string attacks. There are various methods of controlling the program counter, which vary between operating systems and processor architectures. They include, but are not limited to, overwriting the return address in a stack frame, overwriting exception handlers, and Windows-based shatter attacks.
Shellcode communication methods
There are two main methods of communicating with a compromised machine: a listening port that accepts connections, or a connect-back shell. The latter connects back to a predetermined address, whilst the former waits for any incoming connection. The main practical difference occurs at a firewall that is configured to block connection requests for ports that do not run an authorised service, whereas outward-bound connections may be assumed to be legitimate.
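The firewall difference described above, as an added example that is not part of the original page: two policies applied to connection requests, the ingress-only policy the text describes and a stricter one that also filters outbound requests. The struct, the port allow-lists and the function names are this example's own assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* One connection request as a firewall sees it. The struct and field names
   are this example's own, not those of any firewall product. */
typedef struct {
    bool inbound;      /* true: from outside towards the host; false: host towards outside */
    uint16_t dst_port; /* destination port of the connection request */
} conn_req;

/* Constructed allow-lists: services authorised to listen on the host, and
   destination ports the host itself is permitted to connect out to. */
static const uint16_t listen_ok[] = {22, 80};
static const uint16_t egress_ok[] = {53, 443};

#define COUNT(a) (sizeof (a) / sizeof (a)[0])

static bool in_list(const uint16_t *list, size_t n, uint16_t port) {
    for (size_t i = 0; i < n; i++)
        if (list[i] == port) return true;
    return false;
}

/* Ingress-only policy from the text: block inbound requests to ports that do
   not run an authorised service, assume every outbound request is legitimate. */
bool ingress_only_allows(const conn_req *c) {
    if (c->inbound) return in_list(listen_ok, COUNT(listen_ok), c->dst_port);
    return true;
}

/* Ingress plus egress filtering: outbound requests must also hit an
   allow-listed destination port. This closes the connect-back gap except
   for a shell that dials out on an allowed port such as 443. */
bool egress_filtered_allows(const conn_req *c) {
    if (c->inbound) return in_list(listen_ok, COUNT(listen_ok), c->dst_port);
    return in_list(egress_ok, COUNT(egress_ok), c->dst_port);
}

/* Evaluate one scenario under either policy: returns 1 if allowed, 0 if blocked. */
int decide(bool inbound, uint16_t dst_port, bool egress_filtering) {
    conn_req c = { inbound, dst_port };
    return egress_filtering ? egress_filtered_allows(&c) : ingress_only_allows(&c);
}
```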
Shellcode mitigation strategies
There are several steps which can mitigate the threat of shellcode being executed on a system: configuration of a firewall, packet filtering, minimising the number of privileged services running on a machine, and intrusion detection systems (IDS).
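A minimal IDS-style check for the intrusion detection item above, added here as an example and not code from the original page: it flags a long run of x86 NOP bytes (0x90), the "sled" that commonly precedes a shellcode payload, in captured data. The NOP-sled heuristic, the threshold and the sample data are assumptions of this example, not described in the text.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define X86_NOP 0x90
#define SLED_THRESHOLD 16   /* assumption for this example; tuned per protocol in practice */

/* Length of the longest run of the byte 'b' anywhere in buf[0..len). */
size_t longest_run(const uint8_t *buf, size_t len, uint8_t b) {
    size_t best = 0, cur = 0;
    for (size_t i = 0; i < len; i++) {
        cur = (buf[i] == b) ? cur + 1 : 0;
        if (cur > best) best = cur;
    }
    return best;
}

/* 1 if buf holds a run of x86 NOPs at least SLED_THRESHOLD long, else 0.
   False-positive risk: 0x90 padding inside a legitimate binary transfer
   trips the same rule, which is why the threshold is tuned per protocol. */
int has_nop_sled(const uint8_t *buf, size_t len) {
    return longest_run(buf, len, X86_NOP) >= SLED_THRESHOLD;
}

/* Build a constructed sample of 'sled' NOPs followed by marker bytes and
   classify it. Returns has_nop_sled()'s verdict, or -1 if the sample does
   not fit the scratch buffer (the bounds check an IDS must make as well). */
int sample_flagged(size_t sled) {
    static const uint8_t tail[] = {0x41, 0x42, 0x43}; /* arbitrary non-NOP bytes */
    uint8_t buf[256];
    if (sled + sizeof tail > sizeof buf) return -1;
    memset(buf, X86_NOP, sled);
    memcpy(buf + sled, tail, sizeof tail);
    return has_nop_sled(buf, sled + sizeof tail);
}

/* A constructed plain-text request, which the rule must not flag. */
int benign_request_flagged(void) {
    static const uint8_t req[] = "GET /index.html HTTP/1.0\r\nHost: example.test\r\n\r\n";
    return has_nop_sled(req, sizeof req - 1);
}
```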
See also
- Shell (computing)
- Buffer overflow
- Heap overflow
- Computer security
External links
- http://www.phrack.org/phrack/49/P49-14 An introduction to buffer overflows and shellcode
- http://samy.kerneled.org/articles/shellcode.html A good introduction into writing x86 Linux shellcode with some advanced topics
- The Basics of Shellcoding (PDF) An overview of x86 shellcoding by Angelo Rosiello
- http://www.shellcode.com.ar/docz/bof/Writing_shellcode.html An introduction to shellcode development
- http://www.metasploit.com/shellcode.html Contains x86 and non-x86 shellcode samples and an online interface for automatic shellcode generation and encoding, from the Metasploit Project
- http://www.shellcode.org/ Contains x86 and non-x86 shellcode samples
- http://www.linux-secure.com/endymion/shellcodes/ A shellcode archive, sorted by operating system
- http://www.vividmachines.com/shellcode/shellcode.html Windows and Linux shellcode tutorial containing step-by-step examples
- http://www.enderunix.org/docs/en/sc-en.txt Designing shellcode demystified