Is shellcode always considered exploit code? If not, in what respect are they related to each other?
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
Shellcode is basically a list of carefully crafted instructions that can be executed once the code is injected into a running application. Stack and heap-based buffer overflows are the most popular way of doing so.
The term shellcode literally refers to written code that starts a command shell. The most common shellcode instruction is to execute a shell such as /bin/sh, or cmd.exe. The only possible reason for launching such commands is to take control or exploit a compromised machine.
So to answer your question: yes, shellcode is always considered exploit code. Nowadays, shellcode refers to any byte code that can be inserted into an exploit to accomplish a particular objective. Other common shellcode objectives include adding a root user account to a system, or performing a reverse telnet back to the attacker's machine.
The shellcode is normally the payload of an exploit. The malicious instructions provide the attacker command-line access to a computer, all with the privileges of the process being exploited. Typically, the exploit code is written in C or C++, as most Web servers and operating systems are written in these languages. When the exploit code causes what would normally be a critical error in the targeted program, the program jumps to the shellcode and is tricked into executing the attacker's commands.
Anyone writing shellcode needs to have an in-depth understanding of assembly or machine code, C or C++ programming, processor architecture and the targeted operating system. It's worth noting that Windows shellcode is quite different from Linux shellcode. Unlike Linux, Windows does not have a direct kernel interface. The addresses of the functions found in Windows' dynamic link libraries (DLLs) vary from version to version, while Linux has a fixed numbering system for all kernel-level actions.
The main reason such shellcode exploits are possible is because of a lack of input validation. Software developers should properly inspect how much data is written into a specific part of a program's code. In higher-level languages, like Java and C#, such coding errors are harder to make. But because there are so many applications written in lower-level languages like C and C++, these exploits are likely to be around for some time to come. Also, with many attackers now using self-decrypting, polymorphic and various static but non-standard encodings, intrusion detection systems cannot detect their shellcode using simple signature matching.
- Learn about the shellcode that Metasploit creator HD Moore published for Apple's iPhone.
- See the three different shellcode techniques researchers used to gain remote-level access to Cisco Systems' Internetwork Operating System (IOS).
Dig Deeper on Application Attacks (Buffer Overflows, Cross-Site Scripting)
Related Q&A from Michael Cobb
An old Java vulnerability was discovered to have been ineffectually patched. Expert Michael Cobb explains how this happened and what can be done to ...continue reading
Google's Certificate Transparency tool publicly logs certificates issued by CAs. Expert Michael Cobb explains how the log viewer works to improve ...continue reading
Crowning the most secure web browser is difficult, with research often turning up biased results. Expert Michael Cobb explains how to make a choice ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.