Is shellcode always considered exploit code? If not, in what respect are they related to each other?
Shellcode is basically a list of carefully crafted instructions that can be executed once the code is injected into a running application. Stack and heap-based buffer overflows are the most popular way of doing so.
The term shellcode literally refers to written code that starts a command shell. The most common shellcode instruction is to execute a shell such as /bin/sh, or cmd.exe. The only possible reason for launching such commands is to take control or exploit a compromised machine.
So to answer your question: yes, shellcode is always considered exploit code. Nowadays, shellcode refers to any byte code that can be inserted into an exploit to accomplish a particular objective. Other common shellcode objectives include adding a root user account to a system, or performing a reverse telnet back to the attacker's machine.
The shellcode is normally the payload of an exploit. The malicious instructions provide the attacker command-line access to a computer, all with the privileges of the process being exploited. Typically, the exploit code is written in C or C++, as most Web servers and operating systems are written in these languages. When the exploit code causes what would normally be a critical error in the targeted program, the program jumps to the shellcode and is tricked into executing the attacker's commands.
Anyone writing shellcode needs to have an in-depth understanding of assembly or machine code, C or C++ programming, processor architecture and the targeted operating system. It's worth noting that Windows shellcode is quite different from Linux shellcode. Unlike Linux, Windows does not have a direct kernel interface. The addresses of the functions found in Windows' dynamic link libraries (DLLs) vary from version to version, while Linux has a fixed numbering system for all kernel-level actions.
The main reason such shellcode exploits are possible is because of a lack of input validation. Software developers should properly inspect how much data is written into a specific part of a program's code. In higher-level languages, like Java and C#, such coding errors are harder to make. But because there are so many applications written in lower-level languages like C and C++, these exploits are likely to be around for some time to come. Also, with many attackers now using self-decrypting, polymorphic and various static but non-standard encodings, intrusion detection systems cannot detect their shellcode using simple signature matching.
- Learn about the shellcode that Metasploit creator HD Moore published for Apple's iPhone.
- See the three different shellcode techniques researchers used to gain remote-level access to Cisco Systems' Internetwork Operating System (IOS).
Dig Deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)
Related Q&A from Michael Cobb
A privacy breach at ClixSense led to user account details being put up for sale. Expert Michael Cobb explains how companies should be held ...continue reading
A password-verification flaw in iOS 10 allowed attackers to decrypt local backups. Expert Michael Cobb explains how removing certain security checks ...continue reading
HTTP public key pinning, a security mechanism to prevent fraudulent certificates, was not used by Firefox, and left it open to attack. Expert Michael...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.