Types of Shellcode

2. Types of Shellcode

Depending on how shellcode run and give control to the attacker, we can identify several types of execution strategies:

Local shellcode Local shellcode is used to exploit local processes in order to get higher privileges on that machine.
These are also known as privilege escalation shellcodes and are used in local code execution vulnerabilities.
Remote shellcode Remote shellcode is sent through the network along with an exploit. The exploit will allow the shellcode to be injected into the process and executed.
The goal of remote code execution is to provide remote access to the exploited machine by means of common network protocols such as TCP/IP.
Remote shellcodes can be sub-divided based on how this connection is set up:
- Connect back A connect back shellcode initiates a connection back to the attacker's machine
- Bind shell A bind shell shellcode binds a shell (or command prompt) to a certain port on which the attacker can connect
- Socket reuse A socket reuse shellcode stablishes as connection to a vulnerable process that does not close before the shellcode is run. The shellcode can then re-use this connection to communicate with the attacker. However, due to their complexity, they are generally not used.

Staged shellcodes are used when the shellcode is bigger than the space that an attacker can use for injection (within the process).

In this case, a small piece of shellcode (Stage 1) is executed. This code then fetches a larger piece of shellcode (Stage 2) into the process memory and executes it.

Staged shellcode may be local or remote and can be sub-divided into Egg-hunt shellcode and Omelet shellcode.

Egg hunt shellcode Egg-hunt shellcode is used when a larger shellcode can be injected into the process but, it is unknown where in the process this shellcode will be actually injected. It is divided into 2 pieces:
- A small shellcode (egg-hunter)
- The actual bigger shellcode (egg)
The only thing the egg-hunter shellcode has to do is searching for the bigger shellcode (the egg) within the process address space.
At that point, thee execution of the bigger shellcode begins.
Omelet shellcode Omelet shellcode is similar to the egg-hunt shellcode. However, we do not have one larger shellcode (the egg) but a number of smaller shellcodes, eggs. They are combined together and executed
This type of shellcode is also used to avoid shellcode detectors because each individual egg might be small enough not to raise any alarms but collectively they become a complete shellcode.

Download and execute shellcodes do not immediately create a shell when executed. Instead, they download an executable from the Internet and execute it.

This executable can be a data harvesting tool, malware, or simply a backdoor.

PreviousShellcoding NextEncoding of Shellcode

Last updated 4 years ago

Was this helpful?

Types of Shellcode

2. Types of Shellcode

Depending on how shellcode run and give control to the attacker, we can identify several types of execution strategies:

Local shellcode Local shellcode is used to exploit local processes in order to get higher privileges on that machine.
These are also known as privilege escalation shellcodes and are used in local code execution vulnerabilities.
Remote shellcode Remote shellcode is sent through the network along with an exploit. The exploit will allow the shellcode to be injected into the process and executed.
The goal of remote code execution is to provide remote access to the exploited machine by means of common network protocols such as TCP/IP.
Remote shellcodes can be sub-divided based on how this connection is set up:
- Connect back A connect back shellcode initiates a connection back to the attacker's machine
- Bind shell A bind shell shellcode binds a shell (or command prompt) to a certain port on which the attacker can connect
- Socket reuse A socket reuse shellcode stablishes as connection to a vulnerable process that does not close before the shellcode is run. The shellcode can then re-use this connection to communicate with the attacker. However, due to their complexity, they are generally not used.

Staged shellcodes are used when the shellcode is bigger than the space that an attacker can use for injection (within the process).

In this case, a small piece of shellcode (Stage 1) is executed. This code then fetches a larger piece of shellcode (Stage 2) into the process memory and executes it.

Staged shellcode may be local or remote and can be sub-divided into Egg-hunt shellcode and Omelet shellcode.

Egg hunt shellcode Egg-hunt shellcode is used when a larger shellcode can be injected into the process but, it is unknown where in the process this shellcode will be actually injected. It is divided into 2 pieces:
- A small shellcode (egg-hunter)
- The actual bigger shellcode (egg)
The only thing the egg-hunter shellcode has to do is searching for the bigger shellcode (the egg) within the process address space.
At that point, thee execution of the bigger shellcode begins.
Omelet shellcode Omelet shellcode is similar to the egg-hunt shellcode. However, we do not have one larger shellcode (the egg) but a number of smaller shellcodes, eggs. They are combined together and executed
This type of shellcode is also used to avoid shellcode detectors because each individual egg might be small enough not to raise any alarms but collectively they become a complete shellcode.

Download and execute shellcodes do not immediately create a shell when executed. Instead, they download an executable from the Internet and execute it.

This executable can be a data harvesting tool, malware, or simply a backdoor.

PreviousShellcoding NextEncoding of Shellcode

Last updated 4 years ago

Was this helpful?