Let's write four simple shellcodes from scratch, starting with programs in C, then converting them into assembly. Afterwards let's prepare them for shellcode use and finally optimise them.

A shellcode is an essential part of any exploit. During attack, it is injected into the target application and performs the desired actions within it. However, the basic rules for building shellcodes are not too widely known, even though they don't require advanced skills.

 

A shellcode (sometimes also called a bytecode) is a sequence of commands in machine code, constituting a vital element of all buffer overflow exploits. During attack, the exploit injects its shellcode into a running application, causing it to execute the intruder's commands within the target program. The name shellcode originates from the earliest codes of this type, whose purpose was to bring up the system shell (in Unix-based system, the shell is the /bin/sh program). The term currently encompasses all manner of codes, performing a huge variety of actions.

Any shellcode has to fulfil a number of requirements. The first is that cannot contain null bytes (0x00), since these signify the end of a character string and terminate processing for many functions commonly exploited for buffer overflows - strcpy(), strcat(), sprintf(), gets() etc. A shellcode must also be autonomous and operate independently of its current address in memory, so static addressing cannot be used. Other features which can occasionally be significant are the size and ASCII character set of the shellcode.

Let's have a look at writing shellcodes in practice. We will create four programs with different functionality and then go on to modify them so as to compact and adapt them for use in actual exploits. Note that we will be looking exclusively at shellcodes, not buffer overflow attacks or writing exploits.

To create an operational shellcode, we'll need a thorough understanding of assembly language for the shellcode's target processor (see Inset Registers and instructions). We'll be working on 32-bit x86 processors running the Linux operating system with the 2.4 kernel - all examples work with 2.6 series of Linux kernel, too - so we have a choice of two main assembler syntax conventions: AT&T and Intel. Although AT&T syntax is used by the majority of compilers and debuggers (including gcc and gdb), we will use Intel syntax for its greater clarity. All examples will be compiled using the Netwide Assembler (nasm) version 0.98.35, available in most popular Linux distributions. We will also use the ndisasm and hexdump utilities.

sum:

0 €