- Shellcode
In
computer security , a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine. Shellcode is commonly written inmachine code , but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient. ["Sockets, Shellcode, Porting, & Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals." by James C. Foster and Stuart McClure (April 12, 2005). ISBN 1-59749-005-9] However, attempts at replacing the term have not gained wide acceptance.Types of shellcode
Shellcode can either be "local" or "remote", depending on whether it gives an attacker control over the same machine as it runs on (local) or over another machine through a network (remote).
Local shellcode
A local shellcode is used by an attacker who has limited access to a machine but can exploit a vulnerability in a process on that machine that has higher privileges. If successfully executed, the shellcode will provide the attacker access to the machine with the same higher privileges as the targeted process. Local shellcode is relatively easy to create; often the only thing it does is execute a shell executable.
Remote shellcode
A remote shellcode is used when an attacker wants to target a vulnerable process running on another machine on the local network or
internet . If successfully executed, the shellcode can provide the attacker access to the target machine across the network. Remote shellcodes normally use standard TCP/IP socket connections to allow the attacker access to the shell on the target machine. Such shellcode can be sub-divided based on how this connection is set up: if the shellcode can establish this connection, it is called connect-back shellcode because the shellcode "connects back" to the attacker's machine. On the other hand, if the attacker needs to create the connection, the shellcode is called a bindshell because the shellcode "binds" to a certain port on which the attacker can connect to control it. A third, much less common type is socket-reuse shellcode. This type of shellcode is sometimes used when an exploit establishes a connection to the vulnerable process that is not closed before the shellcode is run. The shellcode can then "re-use" this connection to communicate with the attacker. Socket re-using shellcode is harder to create because the shellcode needs to find out which connection to re-use and the machine may have many connections open.A
firewall can be used to detect the outgoing connections made by connect-back shellcodes and the attempt to accept incoming connections made by bindshells. They can therefore offer some protection against an attacker, even if the system is vulnerable, by preventing the attacker from gaining access to the shell created by the shellcode. This is one reason why socket re-using shellcode is sometimes used because it does not create new connections and therefore is harder to detect and block.Download and execute shellcode
A remote shellcode is useful if an attacker wants to "browse around" the target system, but more often an attacker will just want to install some form of malware on the target system. In such cases, download and execute shellcode is often used: this type of shellcode does not spawn a shell, but rather instructs the machine to download a certain executable file off the network, save it to disk and execute it. Nowadays, it is commonly used in
drive-by download attacks, where a victim visits a malicious webpage that in turn attempts to run such a download and execute shellcode in order to install software on the victim's machine.hellcode execution strategy
An exploit will commonly inject a shellcode into the target process before or at the same time as it exploits a vulnerability to gain control over the
program counter . The program counter is adjusted to point to the shellcode, after which it gets executed and performs its task. Injecting the shellcode is often done by storing the shellcode in data sent over the network to the vulnerable process, by supplying it in a file that is read by the vulnerable process or through the command line or environment in the case of local exploits.hellcode encoding
Because most processes filter or restrict the data that can be injected, shellcode often need to be written to allow for these restrictions, this includes making the code small, null-free or alphanumeric. Various solutions have been found to get around such restrictions, including:
* Design and implementation optimizations to decrease the size of the shellcode.
* Implementation modifications to get around limitations in the range of bytes used in the shellcode.
* Self-modifying code that modifies a number of the bytes of its own code before executing them to re-create bytes that are normally impossible to inject into the process.Sinceintrusion detection can detect signatures of simple shellcodes being sent over the network, it is often encoded, made self-decrypting or polymorphic to avoid detection.Percentage encoding
Exploits that target browsers commonly encode shellcode in a JavaScript string using
Percent-encoding , "uXXXX"-encoding or entity encoding. Some exploits also obfuscate the encoded shellcode string further to prevent detection by IDS.For example, on theIA-32 architecture, here's how two NOP instructions would look, first unencoded: 90NOP 90NOP Then encoded into a string using percent-encoding (using the unescape() function to decode): unescape("%u9090");Next encoded into a string using "uXXXX"-encoding: "u9090";And finally encoded into a string using entity encoding: "邐"or "邐"Null free shellcode
A vast majority of shellcodes are written without the use of null bytes because they are intended to be injected into a target process through null-terminated strings. When a null-terminated string is copied, it will be copied up to and including the first null but subsequent bytes of the shellcode will not be processed. When shellcode that contains nulls is injected in this way, only part of the shellcode would be injected, making it very unlikely to run successfully.
To produce null free shellcode from shellcode that contains null bytes one can substitute machine instructions that contain zeroes with instructions that have the same effect but are free of nulls. For example, on the
IA-32 architecture one could replace this instruction: B8 01000000 MOV EAX,1 // Set the register EAX to 0x000000001which contains zeroes as part of the literal (1 expands to 0x00000001) with these instructions: 33C0 XOR EAX,EAX // Set the register EAX to 0x000000000 40 INC EAX // Increase EAX to 0x00000001which have the same effect but take less bytes to encode and are free of nulls.Alphanumeric and printable shellcode
:"See also:
Alphanumeric code ."In certain circumstances, a target process will filter any byte from the injected shellcode that is not a printable oralphanumeric character. Under such circumstances, the range of instructions that can be used to write a shellcode becomes very limited. A solution to this problem was published by Rix inPhrack 57 [cite web|url=http://www.phrack.org/issues.html?issue=57&id=15#article |first=Rix |title=Writing ia32 alphanumeric shellcodes|publisher=Phrack |date=2001-11-08 |accessdate=2008-02-29] in which he showed it was possible to turn any code into alphanumeric code. A technique often used is to create self-modifying code, because this allow the code to modify its own bytes to include bytes outside of the normally allowed range, thereby expanding the range of instructions it can use. Using this trick, a self-modifying decoder can be created that uses only bytes in the allowed range. The main code of the shellcode is encoded, also only using bytes in the allowed range. When the output shellcode is run, the decoder can modify its own code to be able to use any instruction it requires to function properly and then continues to decode the original shellcode. After decoding the shellcode the decoder transfers control to it, so it can be executed as normal.Unicode proof shellcode
Modern programs use
Unicode strings to allow internationalization of text. Often, these programs will convert incomingASCII strings to Unicode before processing them. Unicode strings encoded inUTF-16 use two bytes to encode each character (or four bytes for some special characters). When anASCII string is transformed into UTF-16, a zero byte is inserted after each byte in the original string. Obscou proved inPhrack 61 [cite web|url=http://www.phrack.org/issues.html?issue=61&id=11#article |first=obscou |title=Building IA32 'Unicode-Proof' Shellcodes |publisher=Phrack |date=2003-08-13 |accessdate=2008-02-29] that it is possible to write shellcode that can run successfully after this transformation. Programs that can automatically encode any shellcode into alphanumeric UTF-16-proof shellcode exist, based on the same principle of a small self-modifying decoder that decodes the original shellcode.Platforms
Most shellcode is written in
machine code because of the low level at which the vulnerability being exploited gives an attacker access to the process. Shellcode is therefore often created to target one specific combination of processor,operating system andservice pack , called a platform. For some exploit, because of the constraints put on the shellcode by the target process, a very specific shellcode must be created. However, it is not impossible for one shellcode to work for multiple exploits, service packs, operating systems and even processors. [cite web|url=http://www.phrack.org/issues.html?issue=57&id=14#article |first=eugene |title=Architecture Spanning Shellcode |publisher=Phrack |date=2001-08-11 |accessdate=2008-02-29] Such versatility is commonly achieved by creating multiple versions of the shellcode that target the various platforms and creating a header that branches to the correct version for the platform the code is running on. When executed, the code behaves differently for different platforms and executes the right part of the shellcode for the platform it is running on.ee also
*
Shell (computing)
*Buffer overflow
*Heap overflow
*Stack buffer overflow
*Computer security References
External links
* [http://www.phrack.org/issues.html?issue=49&id=14#article An introduction to buffer overflows and shellcode]
* [http://www.infosecwriters.com/text_resources/pdf/basics_of_shellcoding.pdf The Basics of Shellcoding] (PDF) An overview ofx86 shellcoding by [http://www.rosiello.org/ Angelo Rosiello]
* [http://www.shellcode.com.ar/docz/bof/Writing_shellcode.html An introduction to shellcode development]
* [http://www.metasploit.com/shellcode/ Contains x86 and non-x86 shellcode samples and an online interface for automatic shellcode generation and encoding, from the Metasploit Project]
* [http://www.shellcode.org/ Contains x86 and non-x86 shellcode samples]
* [http://www.linux-secure.com/endymion/shellcodes/ a shellcode archive, sorted by Operating system] .
* [http://www.milw0rm.com/papers/11 Microsoft Windows and Linux shellcode design tutorial going from basic to advanced] .
* [http://www.vividmachines.com/shellcode/shellcode.html Windows and Linux shellcode tutorial containing step by step examples] .
* [http://www.enderunix.org/docs/en/sc-en.txt Designing shellcode demystified]
* [http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/documentation_alpha2.html.php ALPHA2: Zero tolerance by SkyLined] A shellcode encoder that can turn any shellcode into both Unicode and ASCII, uppercase and mixedcase, alphanumeric shellcode.
* [http://www.ngssoftware.com/research/papers/WritingSmallShellcode.pdf Writing Small shellcode by Dafydd Stuttard] A whitepaper explaining how to make shellcode as small as possible by optimizing both the design and implementation.
* [http://skypher.com/wiki/index.php?title=Www.edup.tudelft.nl/~bjwever/whitepaper_shellcode.html.php Writing IA32 Restricted Instruction Set Shellcode Decoder Loops by SkyLined] A whitepaper explaining how to create shellcode when the bytes allowed in the shellcode are very restricted.
* [http://www.edup.tudelft.nl/~bjwever/src/beta.c Beta: Multi-format shellcode encoding tool by SkyLined] A shellcode encoder that can encode shellcode using the various encodings commonly used by browser exploits.
Wikimedia Foundation. 2010.