Ask the Expert

What is the relationship between shellcode and exploit code?

Is shellcode always considered exploit code? If not, in what respect are they related to each other?

    Requires Free Membership to View

Shellcode is basically a list of carefully crafted instructions that can be executed once the code is injected into a running application. Stack and heap-based buffer overflows are the most popular way of doing so.

The term shellcode literally refers to written code that starts a command shell. The most common shellcode instruction is to execute a shell such as /bin/sh, or cmd.exe. The only possible reason for launching such commands is to take control or exploit a compromised machine.

So to answer your question: yes, shellcode is always considered exploit code. Nowadays, shellcode refers to any byte code that can be inserted into an exploit to accomplish a particular objective. Other common shellcode objectives include adding a root user account to a system, or performing a reverse telnet back to the attacker's machine.

The shellcode is normally the payload of an exploit. The malicious instructions provide the attacker command-line access to a computer, all with the privileges of the process being exploited. Typically, the exploit code is written in C or C++, as most Web servers and operating systems are written in these languages. When the exploit code causes what would normally be a critical error in the targeted program, the program jumps to the shellcode and is tricked into executing the attacker's commands.

Anyone writing shellcode needs to have an in-depth understanding of assembly or machine code, C or C++ programming, processor architecture and the targeted operating system. It's worth noting that Windows shellcode is quite different from Linux shellcode. Unlike Linux, Windows does not have a direct kernel interface. The addresses of the functions found in Windows' dynamic link libraries (DLLs) vary from version to version, while Linux has a fixed numbering system for all kernel-level actions.

The main reason such shellcode exploits are possible is because of a lack of input validation. Software developers should properly inspect how much data is written into a specific part of a program's code. In higher-level languages, like Java and C#, such coding errors are harder to make. But because there are so many applications written in lower-level languages like C and C++, these exploits are likely to be around for some time to come. Also, with many attackers now using self-decrypting, polymorphic and various static but non-standard encodings, intrusion detection systems cannot detect their shellcode using simple signature matching.

More information:

  • Learn about the shellcode that Metasploit creator HD Moore published for Apple's iPhone.
  • See the three different shellcode techniques researchers used to gain remote-level access to Cisco Systems' Internetwork Operating System (IOS).
  • This was first published in December 2007

    There are Comments. Add yours.

     
    TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

    REGISTER or login:

    Forgot Password?
    By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
    Sort by: OldestNewest

    Forgot Password?

    No problem! Submit your e-mail address below. We'll send you an email containing your password.

    Your password has been sent to: