Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Shellcode
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
== Types of shellcode == Shellcode can either be ''local'' or ''remote'', depending on whether it gives an attacker control over the machine it runs on (local) or over another machine through a network (remote). === Local === ''Local'' shellcode is used by an attacker who has limited access to a machine but can exploit a vulnerability, for example a [[buffer overflow]], in a higher-privileged process on that machine. If successfully executed, the shellcode will provide the attacker access to the machine with the same higher privileges as the targeted process. === Remote === ''Remote'' shellcode is used when an attacker wants to target a vulnerable process running on another machine on a [[local area network|local network]], [[intranet]], or a [[internet|remote network]]. If successfully executed, the shellcode can provide the attacker access to the target machine across the network. Remote shellcodes normally use standard [[Internet protocol suite|TCP/IP]] [[Stream socket|socket]] connections to allow the attacker access to the shell on the target machine. Such shellcode can be categorized based on how this connection is set up: if the shellcode establishes the connection it is called a "reverse shell", or a ''connect-back'' shellcode because the shellcode ''connects back'' to the attacker's machine. On the other hand, if the attacker establishes the connection, the shellcode is called a ''bindshell'' because the shellcode ''binds'' to a certain port on the victim's machine. There's a peculiar shellcode named ''bindshell random port'' that skips the binding part and listens on a random port made available by the [[operating system]]. Because of that, the ''[https://github.com/geyslan/SLAE/blob/master/improvements/tiny_shell_bind_tcp_random_port_x86_64.asm bindshell random port]'' became the smallest stable bindshell shellcode for [[X86-64|x86_64]] available to this date. A third, much less common type, is ''socket-reuse'' shellcode. This type of shellcode is sometimes used when an exploit establishes a connection to the vulnerable process that is not closed before the shellcode is run. The shellcode can then ''re-use'' this connection to communicate with the attacker. Socket re-using shellcode is more elaborate, since the shellcode needs to find out which connection to re-use and the machine may have many connections open.<ref>{{cite web |url=http://www.blackhatlibrary.net/Shellcode/Socket-reuse |title=Shellcode/Socket-reuse |author=BHA |date=2013-06-06 |access-date=2013-06-07}}</ref> A [[Firewall (computer)|firewall]] can be used to detect outgoing connections made by connect-back shellcode as well as incoming connections made by bindshells. They can, therefore, offer some protection against an attacker, even if the system is vulnerable, by preventing the attacker from connecting to the shell created by the shellcode. One reason why socket re-using shellcode is sometimes used is that it does not create new connections and, therefore, is harder to detect and block. === Download and execute === ''Download and execute'' is a type of remote shellcode that ''[[downloads]] and [[Execution (computers)|executes]]'' some form of malware on the target system. This type of shellcode does not spawn a shell, but rather instructs the machine to download a certain executable file off the network, save it to disk and execute it. Nowadays, it is commonly used in [[drive-by download]] attacks, where a victim visits a malicious webpage that in turn attempts to run such a download and execute shellcode in order to install software on the victim's machine. A variation of this type of shellcode downloads and [[Dynamic loading|loads]] a [[Library (computing)|library]].<ref>{{cite web |url=http://skypher.com/index.php/2010/01/11/download-and-loadlibrary-shellcode-released/ |title=Download and LoadLibrary shellcode released |author=SkyLined |date=2010-01-11 |access-date=2010-01-19 |url-status=dead |archive-url=https://web.archive.org/web/20100123014637/http://skypher.com/index.php/2010/01/11/download-and-loadlibrary-shellcode-released/ |archive-date=2010-01-23}}</ref><ref>{{cite web |url=http://code.google.com/p/w32-dl-loadlib-shellcode/ |title=Download and LoadLibrary shellcode for x86 Windows |date=2010-01-11 |access-date=2010-01-19}}</ref> Advantages of this technique are that the code can be smaller, that it does not require the shellcode to spawn a new process on the target system, and that the shellcode does not need code to clean up the targeted process as this can be done by the library loaded into the process. === Staged === When the amount of data that an attacker can inject into the target process is too limited to execute useful shellcode directly, it may be possible to execute it in stages. First, a small piece of shellcode (stage 1) is executed. This code then downloads a larger piece of shellcode (stage 2) into the process's memory and executes it. === Egg-hunt === This is another form of ''staged'' shellcode, which is used if an attacker can inject a larger shellcode into the process but cannot determine where in the process it will end up. Small ''egg-hunt'' shellcode is injected into the process at a predictable location and executed. This code then searches the process's address space for the larger shellcode (the ''egg'') and executes it.<ref>{{cite web |url=http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf |title=Safely Searching Process Virtual Address Space |author=Skape |publisher=nologin |date=2004-03-09 |access-date=2009-03-19}}</ref> === Omelette === This type of shellcode is similar to ''egg-hunt'' shellcode, but looks for multiple small blocks of data (''eggs'') and recombines them into one larger block (the ''omelette'') that is subsequently executed. This is used when an attacker can only inject a number of small blocks of data into the process.<ref>{{cite web |url=http://skypher.com/wiki/index.php?title=Shellcode/w32_SEH_omelet_shellcode |title=w32 SEH omelet shellcode |author=SkyLined |publisher=Skypher.com |date=2009-03-16 |access-date=2009-03-19 |url-status=dead |archive-url=https://web.archive.org/web/20090323030636/http://skypher.com/wiki/index.php?title=Shellcode%2Fw32_SEH_omelet_shellcode |archive-date=2009-03-23}}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)