# Types of Shellcode

### 2. Types of Shellcode

Depending on how a shellcode runs and hands control to the attacker, we can identify several types of execution strategies:

* **Local** shellcode\
  **Local** shellcode is used to exploit local processes in order to gain higher privileges on that machine.

  These are also known as privilege escalation shellcodes and are used in local code execution vulnerabilities.
* **Remote** shellcode\
  **Remote** shellcode is sent through the network along with an exploit. The exploit allows the shellcode to be injected into the process and executed.

  The goal of **remote** code execution is to provide remote access to the exploited machine by means of common network protocols such as **TCP/IP**.

  Remote shellcodes can be sub-divided based on how this connection is set up:

  * Connect back\
    A **connect back** shellcode initiates a connection back to the attacker's machine.
  * Bind shell\
    A **bind shell** shellcode binds a shell (or command prompt) to a certain port to which the attacker can connect.
  * Socket reuse\
    A **socket reuse** shellcode relies on a connection to the vulnerable process that is not closed before the shellcode runs. The shellcode can then re-use this connection to communicate with the attacker. However, due to their complexity, they are generally not used.

**Staged** shellcodes are used when the shellcode is bigger than the space that an attacker can use for injection (within the process).

In this case, a small piece of shellcode (*Stage 1*) is executed. This code then fetches a larger piece of shellcode (*Stage 2*) into the process memory and executes it.

Staged shellcode may be local or remote and can be sub-divided into **Egg-hunt** shellcode and **Omelet** shellcode.

* **Egg hunt shellcode**\
  **Egg-hunt shellcode** is used when a larger shellcode can be injected into the process but it is unknown where in the process it will actually end up. It is divided into 2 pieces:

  * A small shellcode (egg-hunter)
  * The actual bigger shellcode (egg)

  The only thing the egg-hunter shellcode has to do is search for the bigger shellcode (the egg) within the process address space.

  At that point, the execution of the bigger shellcode begins.
* **Omelet shellcode**\
  **Omelet shellcode** is similar to egg-hunt shellcode. However, instead of one larger shellcode (the egg) there are a number of smaller shellcodes (eggs). They are combined together and executed.

  This type of shellcode is also used to avoid shellcode detectors because each individual egg might be small enough not to raise any alarms but collectively they become a complete shellcode.
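
The egg-hunt and omelet descriptions above are also what an analyst has to reverse when triaging a memory dump: find the marker the hunter searches for, then recover the payload it would have assembled. The following Python is an added example, not code from the original notes; the tag `EGG1`, the doubled-tag convention and the 3-byte omelet header (index, total eggs, chunk length) are constructed assumptions for the demonstration.

```python
from typing import Dict, List, Optional

# Constructed marker (assumption): egg hunters search for a short tag written
# twice in a row, so the hunter's own single copy of the tag never matches itself.
TAG = b"EGG1"

def find_eggs(memory: bytes, tag: bytes = TAG) -> List[int]:
    """Return the offset just past every doubled tag: the search an egg hunter
    performs, and the quickest way for an analyst to locate the hidden payload."""
    marker = tag * 2
    hits: List[int] = []
    start = 0
    while (pos := memory.find(marker, start)) != -1:
        hits.append(pos + len(marker))
        start = pos + 1
    return hits

def reassemble_omelet(memory: bytes, tag: bytes = TAG) -> Optional[bytes]:
    """Rebuild an omelet payload from eggs scattered through a memory image.
    Assumed egg layout (constructed): doubled tag, 3-byte header
    [index, total eggs, chunk length], then the chunk. None if incomplete."""
    pieces: Dict[int, bytes] = {}
    total: Optional[int] = None
    for off in find_eggs(memory, tag):
        if off + 3 > len(memory):
            continue  # doubled tag at the very end: no room for a header
        idx, count, length = memory[off], memory[off + 1], memory[off + 2]
        if total is None:
            total = count
        elif count != total:
            return None  # headers disagree: these eggs are not one omelet
        pieces[idx] = memory[off + 3:off + 3 + length]
    if total is None or sorted(pieces) != list(range(total)):
        return None  # an egg is missing: the hunter would keep searching
    return b"".join(pieces[i] for i in range(total))

def build_sample_image() -> bytes:
    """Constructed memory image: three eggs out of order, separated by filler,
    plus one single (non-doubled) tag standing in for the hunter's own copy."""
    payload = b"FULL-PAYLOAD-FOR-ANALYSIS-ONLY"
    chunks = [payload[i:i + 10] for i in range(0, len(payload), 10)]
    eggs = [TAG * 2 + bytes([n, len(chunks), len(c)]) + c for n, c in enumerate(chunks)]
    filler = b"\x00" * 16
    return filler + eggs[2] + filler + TAG + filler + eggs[0] + filler + eggs[1] + filler

if __name__ == "__main__":
    image = build_sample_image()
    print("eggs at", find_eggs(image), "->", reassemble_omelet(image))
```

The single `TAG` in the sample image is deliberately skipped, which is why the doubled marker matters both to the hunter and to a scanner looking for it.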

**Download and execute shellcodes** do not immediately create a shell when executed. Instead, they download an executable from the Internet and execute it.

This executable can be a data harvesting tool, malware, or simply a backdoor.

