
Shellcode

In computer security (the term comes from the computer underground rather than from academic computer science), shellcode is the machine code that a cracker injects into a program when exploiting a stack-based buffer overflow.


How do shellcodes work?

Shellcode exploits bugs in how a program handles its stack. Temporary (local) arrays on the stack are a common target of the cracker, as they are fairly easy to overflow when the "right" conditions are met, typically that the program copies input into the array without checking its length.

Temporary arrays are pushed onto the stack, along with the saved frame pointer (sfp) and the return address (ret). The return address indicates where the function should return to when it has completed its task. If the cracker can overwrite this pointer, she can direct the flow of the program wherever she wishes.

top of stack <-- (temporary array)(sfp)(ret) --> bottom of stack
(The stack grows towards the left; the temporary array is written towards the right.)

Because the stack grows downwards rather than upwards, the bottom of the stack lies at higher addresses. That means that overflowing the temporary array is the same thing as overwriting the sfp and the ret. If the cracker knows how large the array is (this information is easy to obtain), it is easy to overwrite the return address with anything the cracker likes. The cracker can also inject her own code, the shellcode, along with the overflowing data and redirect the return address to point at that code.
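The following C program is an added illustration of the layout just described; it is not code from the original article. It models a stack frame as a plain struct (the temporary array at the lowest address, then sfp, then ret; the struct, the sentinel values and the function names are assumptions made here), so the "overflow" stays inside one object and can be run safely. The unchecked copy follows the pattern of a vulnerable strcpy() and clobbers the saved frame pointer and return address; the checked copy beside it refuses input that does not fit.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the frame layout from the article: temporary array at
 * the lowest address, followed by the saved frame pointer and the return
 * address. It is a struct built for illustration, not a frame laid out by
 * the compiler, so writing past buf stays within this one object. */
struct frame {
    char buf[16];        /* temporary array */
    uintptr_t saved_fp;  /* sfp */
    uintptr_t ret;       /* ret: where the function jumps when it returns */
};

#define SENTINEL_FP  ((uintptr_t)0x11111111u)   /* constructed marker values */
#define SENTINEL_RET ((uintptr_t)0x22222222u)

static void frame_init(struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->saved_fp = SENTINEL_FP;
    f->ret = SENTINEL_RET;
}

/* 1 if sfp and ret still hold the values the "caller" left there. */
int frame_intact(const struct frame *f) {
    return f->saved_fp == SENTINEL_FP && f->ret == SENTINEL_RET;
}

/* Unchecked copy, the pattern a vulnerable strcpy() follows: every input
 * byte is written starting at buf, so bytes beyond the array land on sfp and
 * ret. Returns how many bytes spilled past the array. */
size_t copy_unchecked(struct frame *f, const unsigned char *src, size_t n) {
    if (n > sizeof *f)           /* keep the model inside the struct's bytes */
        n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
    return n > sizeof f->buf ? n - sizeof f->buf : 0;
}

/* Hardened form: refuse input that does not fit in the array. */
int copy_checked(struct frame *f, const unsigned char *src, size_t n) {
    if (n > sizeof f->buf)
        return -1;               /* rejected; sfp and ret are never touched */
    memcpy(f->buf, src, n);
    return 0;
}

/* Constructed input: longer than the whole frame, filled with 'A'. */
int overflow_clobbers_ret(void) {
    struct frame f;
    unsigned char input[sizeof(struct frame) + 1];
    memset(input, 'A', sizeof input);
    frame_init(&f);
    copy_unchecked(&f, input, sizeof input);
    return !frame_intact(&f);    /* 1: sfp and ret were overwritten */
}

int checked_copy_rejects(void) {
    struct frame f;
    unsigned char input[sizeof(struct frame) + 1];
    memset(input, 'A', sizeof input);
    frame_init(&f);
    int rc = copy_checked(&f, input, sizeof input);
    return rc == -1 && frame_intact(&f);   /* 1: rejected, frame intact */
}

int main(void) {
    printf("unchecked copy clobbers ret: %d\n", overflow_clobbers_ret());
    printf("checked copy rejects input:  %d\n", checked_copy_rejects());
    return 0;
}
```

The length check in copy_checked is the whole fix: once the copy can never run past the array, the sfp and ret slots above it cannot be reached from the input, whatever it contains.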

This technique can be used to gain access to remote computers and to other user accounts (such as root).

Countermeasures

IDS (intrusion detection systems), firewalls, regular patching, etc.

The crackers' counter-countermeasures

Crackers writing shellcode that is supposed to slip through unnoticed use special techniques to hide their attack. They often exploit the way intrusion detection systems recognise incoming attacks. A typical IDS searches all incoming packets for shellcode-specific patterns (often a long run of no-operation instructions, or simply NOPs); if it finds such a pattern, the packet is discarded before it reaches its destination application. The IDS's weak point is that it cannot afford a really thorough search, as that would take too much time and slow down the connection to the Internet.

Shellcode almost always contains a string with the name of a shell, so any incoming packet containing such a string is quite suspicious in the eyes of the IDS. Also, some applications do not accept non-alphanumeric input (they accept nothing other than a-z, A-Z, 0-9 and a few other characters).

To get through such anti-intrusion measures, crackers sometimes make use of encryption, self-modifying code, polymorphic code and alphanumeric code.
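As an added example (not from the original article) of the cheap, pattern-based check the two previous paragraphs describe, the scanner below looks at a packet payload for exactly the two signatures mentioned: a long run of the x86 single-byte NOP (0x90) and the name of a shell. The run threshold, the signature string and the sample payloads are constructed here for illustration. Because the check is purely a byte-pattern match, it is fast enough to run on every packet, which is also why encoded or alphanumeric payloads that avoid these bytes are not caught by it.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define NOP 0x90               /* x86 single-byte no-operation instruction */
#define NOP_RUN_THRESHOLD 32   /* constructed threshold; real rules tune this */

/* Bit flags returned by scan_payload(). */
#define HIT_NOP_SLED  1
#define HIT_SHELL_STR 2

/* Scan one payload for the two patterns the article names. Returns a bit
 * mask of which patterns were seen (0 means nothing suspicious). */
int scan_payload(const unsigned char *p, size_t n) {
    int hits = 0;
    size_t run = 0;
    static const char needle[] = "/bin/sh";   /* constructed shell-name signature */
    const size_t m = sizeof needle - 1;

    /* Pattern 1: a long run of consecutive NOP bytes. */
    for (size_t i = 0; i < n; i++) {
        run = (p[i] == NOP) ? run + 1 : 0;
        if (run >= NOP_RUN_THRESHOLD) { hits |= HIT_NOP_SLED; break; }
    }
    /* Pattern 2: the shell name anywhere in the payload (memmem() is not
     * standard C, so a plain sliding comparison is used). */
    for (size_t i = 0; i + m <= n; i++) {
        if (memcmp(p + i, needle, m) == 0) { hits |= HIT_SHELL_STR; break; }
    }
    return hits;
}

/* Constructed sample payloads, one per case. */
int scan_nop_sample(void) {
    unsigned char buf[64];
    memset(buf, NOP, sizeof buf);
    return scan_payload(buf, sizeof buf);            /* HIT_NOP_SLED */
}

int scan_shell_sample(void) {
    const char s[] = "GET /index.html HTTP/1.0\r\nX: /bin/sh\r\n";
    return scan_payload((const unsigned char *)s, sizeof s - 1);  /* HIT_SHELL_STR */
}

int scan_benign_sample(void) {
    const char s[] = "GET /index.html HTTP/1.0\r\n\r\n";
    return scan_payload((const unsigned char *)s, sizeof s - 1);  /* 0 */
}

int main(void) {
    printf("NOP sled sample:   %d\n", scan_nop_sample());
    printf("shell-name sample: %d\n", scan_shell_sample());
    printf("benign sample:     %d\n", scan_benign_sample());
    return 0;
}
```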

Outside links

http://www.phrack.org/phrack/49/P49-14 - tutorial on how to write x86 shellcode
http://www.shellcode.com.ar/docz/bof/Writing_shellcode.html

see also

heap overflows, computer security, assembly language