Shellcoding

1. Executing Shellcode

Once an attacker has identified a vulnerable application, the first objective is to get the shellcode into the process's memory: a stack buffer, a heap allocation, an environment variable, or any other region whose contents the attacker controls. The second is to redirect execution to it, typically by corrupting a saved return address so that the instruction pointer (EIP on 32-bit x86, RIP on x86-64) is loaded with the shellcode's address when the vulnerable function returns. From that point on the shellcode runs as ordinary code inside the victim process, with whatever privileges that process has; the only things standing in its way are the mitigations the process or kernel enforces, such as a non-executable stack, ASLR and stack cookies.

Shellcode reaches the target by one of two routes: over the network, as input to a listening service (remote buffer overflows), or through the local environment, as a command-line argument, environment variable, file or standard input of a program run on the same machine (local exploits, typically against setuid binaries or other privileged programs).

Corrupting the saved return address is not the only way to reach the shellcode, though. On Windows, shellcode can also run when a Structured Exception Handling (SEH) record is triggered. SEH records live on the stack as a linked list; each one holds a pointer to the next record and the address of the handler to call when an exception occurs, such as a division by zero or an access violation. A stack overflow that reaches a record can replace its handler address, after which the attacker only needs to cause an exception (a large overwrite that runs off the end of the stack usually does this on its own) for the operating system to call the corrupted handler.

In either case, by overwriting a control-flow pointer, whether the saved return address or an SEH handler address, the attacker takes control of execution.
