Shellcode


A shellcode is an assembly language program which executes a shell, such as the '/bin/sh' Unix shell, or the command.com shell on DOS and Microsoft Windows operating systems. A shellcode may be used as an exploit payload, providing a cracker with command line access to a computer system.

How do shellcodes work?

Shellcodes are typically injected into computer memory by exploiting stack- and heap-based buffer overflows, or format string attacks. Shellcode execution can be triggered by overwriting a stack return address with the address of the injected shellcode.

Detecting shellcode insertion

Crackers writing shellcodes often use techniques to hide their attack. They often try to exploit how intrusion detection systems recognize an incoming attack. A typical IDS searches all incoming packets for shellcode-specific patterns (often a long run of no-operation instructions, "NOPs"); if it finds such a pattern, the packet is discarded before it reaches its destination application. The IDS's weak point is that it cannot afford thorough inspection, because that would take too much time and slow down the connection to the Internet.

Shellcode almost always contains a string with the name of a shell. All incoming packets containing such a string are undoubtedly quite suspicious in the eyes of the IDS. Also, some applications do not accept non-alphanumeric inputs (they do not accept anything other than a-z, A-Z, 0-9, and a few other characters.)

To get past such anti-intrusion measures, crackers sometimes make use of encryption, self-modifying code, polymorphic code and alphanumeric code.
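The two IDS heuristics described above (a run of NOPs and an embedded shell name), together with an alphanumeric-only input filter, as an added example that is not part of the original article; the sample buffers are constructed, contain no working exploit code, and the sled threshold of 32 bytes is an assumption:

```python
"""Toy IDS-style checks for the shellcode indicators discussed in the text:
a NOP sled (long run of 0x90), an embedded shell path, and an
alphanumeric-only input filter. Samples below are constructed for illustration."""
from typing import NamedTuple, Tuple

NOP = 0x90                      # x86 single-byte no-op instruction
SLED_THRESHOLD = 32             # assumed: minimum run length treated as a sled
SHELL_STRINGS = (b"/bin/sh", b"/bin/bash", b"command.com", b"cmd.exe")
ALNUM_ALLOWED = frozenset(b"abcdefghijklmnopqrstuvwxyz"
                          b"ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


class ScanResult(NamedTuple):
    longest_nop_run: int
    shell_strings: Tuple[str, ...]
    alphanumeric_only: bool
    suspicious: bool


def longest_nop_run(data: bytes) -> int:
    """Length of the longest contiguous run of 0x90 bytes (the NOP-sled signature)."""
    best = run = 0
    for b in data:
        run = run + 1 if b == NOP else 0
        best = max(best, run)
    return best


def find_shell_strings(data: bytes) -> Tuple[str, ...]:
    """Shell names found verbatim in the buffer (the 'string with the name of a shell')."""
    return tuple(s.decode() for s in SHELL_STRINGS if s in data)


def is_alphanumeric_only(data: bytes) -> bool:
    """Whether the buffer would pass an application's alphanumeric-only input filter."""
    return all(b in ALNUM_ALLOWED for b in data)


def scan(data: bytes) -> ScanResult:
    sled = longest_nop_run(data)
    shells = find_shell_strings(data)
    alnum = is_alphanumeric_only(data)
    return ScanResult(sled, shells, alnum, sled >= SLED_THRESHOLD or bool(shells))


# Constructed samples: a classic payload shape (sled, filler, shell path) that the
# heuristics flag, and an alphanumeric-only buffer that passes both checks, which is
# why encoded or alphanumeric payloads defeat signature-only inspection.
SAMPLE_CLASSIC = b"\x90" * 64 + b"\xcc" * 8 + b"/bin/sh\x00"
SAMPLE_ALNUM = b"AbC123xyz" * 8

if __name__ == "__main__":
    print(scan(SAMPLE_CLASSIC))
    print(scan(SAMPLE_ALNUM))
```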



Retrieved from "http://www.mywiseowl.com/articles/Shellcode"

This page was last modified 03:35, 31 Oct 2004. All text is available under the terms of the GNU Free Documentation License (see Copyrights for details).