Is shellcode always considered exploit code? If not, in what respect are they related to each other?
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Shellcode is basically a list of carefully crafted instructions that can be executed once the code is injected into a running application. Stack and heap-based buffer overflows are the most popular way of doing so.
The term shellcode literally refers to written code that starts a command shell. The most common shellcode instruction is to execute a shell such as /bin/sh, or cmd.exe. The only possible reason for launching such commands is to take control or exploit a compromised machine.
So to answer your question: yes, shellcode is always considered exploit code. Nowadays, shellcode refers to any byte code that can be inserted into an exploit to accomplish a particular objective. Other common shellcode objectives include adding a root user account to a system, or performing a reverse telnet back to the attacker's machine.
The shellcode is normally the payload of an exploit. The malicious instructions provide the attacker command-line access to a computer, all with the privileges of the process being exploited. Typically, the exploit code is written in C or C++, as most Web servers and operating systems are written in these languages. When the exploit code causes what would normally be a critical error in the targeted program, the program jumps to the shellcode and is tricked into executing the attacker's commands.
Anyone writing shellcode needs to have an in-depth understanding of assembly or machine code, C or C++ programming, processor architecture and the targeted operating system. It's worth noting that Windows shellcode is quite different from Linux shellcode. Unlike Linux, Windows does not have a direct kernel interface. The addresses of the functions found in Windows' dynamic link libraries (DLLs) vary from version to version, while Linux has a fixed numbering system for all kernel-level actions.
The main reason such shellcode exploits are possible is because of a lack of input validation. Software developers should properly inspect how much data is written into a specific part of a program's code. In higher-level languages, like Java and C#, such coding errors are harder to make. But because there are so many applications written in lower-level languages like C and C++, these exploits are likely to be around for some time to come. Also, with many attackers now using self-decrypting, polymorphic and various static but non-standard encodings, intrusion detection systems cannot detect their shellcode using simple signature matching.
- Learn about the shellcode that Metasploit creator HD Moore published for Apple's iPhone.
- See the three different shellcode techniques researchers used to gain remote-level access to Cisco Systems' Internetwork Operating System (IOS).
Dig Deeper on Application attacks (buffer overflows, cross-site scripting)
Related Q&A from Michael Cobb
A technique known as the GhostHook attack can get around PatchGuard, but Microsoft hasn't patched the flaw. Expert Michael Cobb explains why, as well...continue reading
Software developed by the hacking group Platinum takes advantage of Intel AMT to bypass the built-in Windows firewall. Expert Michael Cobb explains ...continue reading
Tensions between the U.S. and Russia have led to source code reviews on security products, but the process isn't new. Expert Michael Cobb explains ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.