Jump to content

Shellcode

From Wikipedia, the free encyclopedia
This is an old revision of this page, as edited by Smaffy (talk | contribs) at 20:46, 28 April 2003. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.
(diff) ← Previous revision | Latest revision (diff) | Newer revision → (diff)

In computer science (or more likely, in computer underground terms), shellcode is a practical aproach to exploiting stack based overflows.

How does shellcodes work?

Shellcodes exploits computer bugs in how the stack is handled. Temporary arrays is often the target of the cracker as they are fairly easy to overflow if the "right" conditions are met.

Temporary arrays is located onto the stack, along with the saved frame pointer (sfp) and the return address (ret). The return address is a pointer to where the function should return when it has completed its task. If the cracker can overwrite this pointer she would be able to direct the flow of the program as she wishes! 

top of stack <-- (temporary array)(sfp)(ret) --> bottom of stack
(the stack grows towards left, the temporary array grows towards right.)

Because the stack grows downwards instead of upwards, the bottom of the stack is towards higher address spaces. That means that an overflow in the temporary array is the same thing as overwriting the sfp and the ret! If the cracker knows how large the array is (it easy to obtain that info), its easy to overwrite the return value with anything the cracker likes. The cracker could also inject her own code along with the shellcode and redirect the return value to point into the new code.

This technique could be used to get access to remote computers and get access to other user-accounts (such as root).

Countermeasures

IDS (Intrusion Detection Software), NIDS (Network Intrusion Detection Software), Firewalls, regular patching, et.c., et.c., et.c..

The crackers counter-countermeasures

Crackers writing shellcodes that is suposed to slip through unnoticed use some special techniques to hide their attack. They often tries to exploit the failings of how intrusion detection software tries to notice any incoming attack. A typical IDS usually search trough all the incoming packets for shellcode specific patterns, if it finds any such pattern the packet is discarded before it reaches its destination application. The IDS's weak point is that it cannot do any realy good searches as it takes too much time and would therefor slow down the connection to the internet.

Shellcode almost allways contains a string with the name of a shell. All incoming packets containing such a string is undoubltly quiet suspisous in the eyes of the IDS. Also, some applications does not accept non-alphanumeric input (they does not accept anything else than a-z, A-Z, 0-9, and some more letters.)

To get trough such kinds of anti-intrusion measures, crackers sometimes makes use of encryption, self-modifying code, pollymorphic code and alphanumeric code.

http://www.phrack.org/phrack/49/P49-14 tutorial on how to write x86-shellcodes
http://www.shellcode.com.ar/docz/bof/Writing_shellcode.html

see also

heap overflows, computer security, assembly language

Retrieved from "https://en.wikipedia.org/w/index.php?title=Shellcode&oldid=871421"