Is shellcode always considered exploit code? If not, in what respect are they related to each other?
Shellcode is basically a list of carefully crafted instructions that can be executed once the code is injected into a running application. Stack and heap-based buffer overflows are the most popular way of doing so.
The term shellcode literally refers to written code that starts a command shell. The most common shellcode instruction is to execute a shell such as /bin/sh, or cmd.exe. The only possible reason for launching such commands is to take control or exploit a compromised machine.
So to answer your question: yes, shellcode is always considered exploit code. Nowadays, shellcode refers to any byte code that can be inserted into an exploit to accomplish a particular objective. Other common shellcode objectives include adding a root user account to a system, or performing a reverse telnet back to the attacker's machine.
The shellcode is normally the payload of an exploit. The malicious instructions provide the attacker command-line access to a computer, all with the privileges of the process being exploited. Typically, the exploit code is written in C or C++, as most Web servers and operating systems are written in these languages. When the exploit code causes what would normally be a critical error in the targeted program, the program jumps to the shellcode and is tricked into executing the attacker's commands.
Anyone writing shellcode needs to have an in-depth understanding of assembly or machine code, C or C++ programming, processor architecture and the targeted operating system. It's worth noting that Windows shellcode is quite different from Linux shellcode. Unlike Linux, Windows does not have a direct kernel interface. The addresses of the functions found in Windows' dynamic link libraries (DLLs) vary from version to version, while Linux has a fixed numbering system for all kernel-level actions.
The main reason such shellcode exploits are possible is because of a lack of input validation. Software developers should properly inspect how much data is written into a specific part of a program's code. In higher-level languages, like Java and C#, such coding errors are harder to make. But because there are so many applications written in lower-level languages like C and C++, these exploits are likely to be around for some time to come. Also, with many attackers now using self-decrypting, polymorphic and various static but non-standard encodings, intrusion detection systems cannot detect their shellcode using simple signature matching.
- Learn about the shellcode that Metasploit creator HD Moore published for Apple's iPhone.
- See the three different shellcode techniques researchers used to gain remote-level access to Cisco Systems' Internetwork Operating System (IOS).
Dig Deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)
Related Q&A from Michael Cobb
The increasing popularity of bug bounty programs leaves many wondering if they can improve enterprise software security. Expert Michael Cobb ...continue reading
Expert Michael Cobb explains how password change frequency and reuse for third-party apps should be addressed in enterprise password policies.continue reading
Learn how a Web-based free spam-filtering service can secure email and prevent spam from attacking your enterprise.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.