Last active
August 17, 2018 07:24
-
-
Save namishelex01/8cb07047f03aa2bedfa80d25044ca6cc to your computer and use it in GitHub Desktop.
Short wiki of Shellcode
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
[This is the gist version of the wiki page of Shellcode.] | |
[For elaborated explaination, please visit:- en.wikipedia.org/wiki/Shellcode] | |
SHELLCODE is a small piece of code used as the payload in the exploitation of a spftware vulnerability | |
Its called shellcode because it typically starts a command shell from which attacker can control the compromised machines | |
TYPES: | |
Local - Used by attacker who has limited access to a machine but can exploit a vulnerability | |
Remote - Used to target a remote machine, if the shellcode establishes the connection, it called reverse-shell or connect-back shell. | |
If attacker establishes the connection, shellcode is called bindshell because it binds certain port of victim's machine | |
Download & execute - Type of remote shellcode that downloads and executes some form of malware on target system | |
Staged - When amount of data that an attacker can inject into the target process is too limited to execute useful shellcode directly, it may be possible to execute it in stages | |
Egg-hunt - Another form of staged shellcode, which is used if an attacker can inject shellcode into the process but cannot determine where in the process it will end up, so a small egg-hunt shellcode is injected and executed into the process at a predictable location and executed. This code then searches the process's address space for the larger shellcode | |
Omelette - Similar to egg-hunt but looks for multiple blocks of data and recombines then into one larger block, that is subsequently executed. This is used when an attacker can only inject a number of small blocks of data into the process | |
SHELLCODE EXEC STRATEGY : An exploit will commonly inject a shellcode into target process before or at time as it exploits a vulnerability to gain control over program counter. The program counter is adjusted to point to the shellcode, after which it gets executed and performs its task. | |
Injecting the shellcode is often done by storing | |
SHELLCODE ENCODING : Most processes filter or restrict data that can be injected, shellcode often needs to be written to allow for these restrictions. This includes making the code small, null free and alphanumeric. Various evasion techniques are: | |
- Design and Implementation optimizations to decrease the size of the shellcode | |
- Implementation modifications to get around limitations in the range of bytes used in the shellcode | |
- Self-modifying code that modifies a number of the bytes of its own code before executing then to re-create bytes that are normally impossible to inject into the process | |
- Also, shellcodes are encoded, made self-decrypting or polymorphic to avoid detection by IDS/IPS | |
> Percent Encoding - Exploits that target browsers commonly encode shellcode in a JS string using percent-encoding, escape sequence encoding or entity encoding | |
> Null-free shellcode - Most of the shellcodes are written without the use of null bytes because they are intended to be injected into target process through null-terminated strings. When a null terminated string is copied, it will be copied up to and including the first null but subsequent bytes of the shellcode will not be processed | |
> Alphanumeric and printable shellcode - When target process filters any byte from the injected shellcode that is not a printable or alphanumeric character, it is possible to turn any code into alphanumeric code. THe technique often used to create self-modifying code[allows the code to include bytes outside of the normally allowed range] [Phrack 57] | |
> Unicode proof shellcode - ASCII strings are transformed into UTF-16, a zero byte is inserted after each byte[Phrack 61] | |
PLATFORMS : Most shellcode is written in machine language because of the low level at which the vulnerabilitybeing exploited gives an attacker access to the process. Shellcode is often created to target a specific platform [processor+OS+service pack] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment