Shellcode

A set of instructions injected into, and executed by, an exploited program. It manipulates registers directly; it is written in assembly and translated into hex opcodes.

Understanding System Calls

One way to manipulate a program is to force it to make a system call. System calls give access to the kernel and allow, for example, reading and writing files. They are the interface between user mode and the protected kernel mode.

In Linux, there are two common ways to execute a syscall:

  • Using the C library (libc) wrapper functions (indirect).
  • Loading the arguments into registers and raising a software interrupt (direct).

The process for a direct syscall is:

  1. The specific syscall number is loaded into EAX.
  2. The arguments to the syscall are loaded into the other registers in order: EBX, ECX, EDX, ESI, EDI, EBP. If more arguments are needed, they are passed in a data structure pointed to by the first argument.
  3. The int 0x80 instruction is executed.
  4. The CPU switches to kernel mode.
  5. The syscall is executed.
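As an added example (not part of the original notes), the same getpid system call made both ways on Linux: indirectly through the libc wrapper, and directly by loading the syscall number into EAX (32-bit, int 0x80, as described above) or RAX (64-bit, the syscall instruction) and trapping into the kernel. It assumes GCC or Clang on Linux; on other targets it falls back to the wrapper so it still builds.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Indirect: libc fills in the registers and traps into the kernel for us. */
long getpid_via_libc(void)
{
    return syscall(SYS_getpid);
}

/* Direct: load the syscall number ourselves and trap into the kernel. */
long getpid_direct(void)
{
    long ret;
#if defined(__linux__) && defined(__i386__)
    /* 32-bit convention from the notes: number in EAX, int 0x80 traps.
     * getpid is number 20 in the i386 syscall table; it takes no arguments,
     * so EBX..EBP are left untouched. The result comes back in EAX. */
    __asm__ volatile ("int $0x80"
                      : "=a"(ret)
                      : "a"(20)
                      : "memory");
#elif defined(__linux__) && defined(__x86_64__)
    /* 64-bit ABI: number in RAX, the syscall instruction traps.
     * getpid is number 39 in the x86-64 table; the kernel clobbers RCX and R11. */
    __asm__ volatile ("syscall"
                      : "=a"(ret)
                      : "a"(39)
                      : "rcx", "r11", "memory");
#else
    /* Not Linux/x86: no direct trap shown, fall back to the wrapper. */
    ret = syscall(SYS_getpid);
#endif
    return ret;
}

int main(void)
{
    /* Both paths must agree with the ordinary getpid() call. */
    printf("getpid()        = %ld\n", (long)getpid());
    printf("via libc syscall = %ld\n", getpid_via_libc());
    printf("direct trap      = %ld\n", getpid_direct());
    return 0;
}
```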

Steps for Creating Shellcode

  1. Write the shellcode in a high-level language (e.g. C).
  2. Compile it and disassemble the compiled binary.
  3. Review the assembly instructions.
  4. Clean up the assembly, reduce its size and make it generic.
  5. Extract the opcodes and create the shellcode.

Creating Shellcode for exit()

See here

Creating Injectable Shellcode for exit()

See here

Spawning a Shell

See here

Format String Bugs

See here