@namishelex01
Last active August 17, 2018 07:24
Short wiki of Shellcode
[This is the gist version of the wiki page of Shellcode.]
[For an elaborated explanation, please visit en.wikipedia.org/wiki/Shellcode]
SHELLCODE is a small piece of code used as the payload in the exploitation of a software vulnerability.
It's called shellcode because it typically starts a command shell from which the attacker can control the compromised machine, although any piece of code that performs a similar task is also called shellcode.
TYPES:
Local - Used by an attacker who has limited access to a machine but can exploit a vulnerability (for example a buffer overflow in a higher-privileged process) to gain elevated privileges on that machine
Remote - Used to target a vulnerable process on another machine over a network. If the shellcode establishes the connection back to the attacker, it is called a reverse shell or connect-back shell.
If the attacker establishes the connection, the shellcode is called a bindshell because it binds to a certain port on the victim's machine and listens there
Download & execute - A type of remote shellcode that downloads and executes some form of malware on the target system instead of spawning a shell
Staged - When the amount of data an attacker can inject into the target process is too limited to execute useful shellcode directly, it may be possible to execute it in stages: a small first-stage shellcode runs first, then downloads a larger second stage into the process's memory and executes it
Egg-hunt - Another form of staged shellcode, used when the attacker can inject the larger shellcode into the process but cannot determine where in the process it will end up. A small egg-hunt shellcode is injected at a predictable location and executed; it then searches the process's address space for the larger shellcode (the egg, marked by a unique tag) and jumps to it once found
Omelette - Similar to egg-hunt, but it looks for multiple small blocks of data (eggs) and recombines them into one larger block (the omelette) that is subsequently executed. This is used when the attacker can only inject a number of small blocks of data into the process
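The egg-hunt and omelette searches described above, as an added example that is not part of the gist or of the Wikipedia page: a C simulation that runs both searches over a constructed buffer standing in for the target process's memory. The "w00t" and "omel" tags, the doubled-egg convention and the chunk framing (tag, sequence number, total count, length, data) are assumptions made for this example, and the page-probing that a real hunter needs so it does not fault on unmapped memory is left out because the buffer is the program's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Egg-hunt and omelette searches over a constructed buffer standing in for
 * the target's address space. A real hunter walks all of memory and must
 * survive unmapped pages (usually by probing each page with a cheap system
 * call first); that is omitted here. Tags and framing are assumed. */

static const uint8_t EGG[4]  = {'w', '0', '0', 't'};   /* assumed egg tag */
static const uint8_t OMEL[4] = {'o', 'm', 'e', 'l'};   /* assumed chunk tag */

/* Egg hunt: the egg sits twice in front of the payload so the hunter, which
 * carries the tag once itself, never matches its own copy. Returns the
 * payload offset (just past both eggs) or -1. */
long egg_hunt(const uint8_t *mem, size_t len)
{
    for (size_t i = 0; i + 8 <= len; i++)
        if (!memcmp(mem + i, EGG, 4) && !memcmp(mem + i + 4, EGG, 4))
            return (long)(i + 8);
    return -1;
}

/* Omelette: each chunk is framed OMEL, seq, total, len, data and may land
 * anywhere in any order. Reassembles by seq into out; returns the size or
 * -1 on a missing, duplicated, truncated or inconsistently framed chunk,
 * any of which means the recombined block must not be executed. */
long omelette(const uint8_t *mem, size_t len, uint8_t *out, size_t outcap)
{
    const uint8_t *chunk[256] = {0};
    uint8_t clen[256] = {0};
    int total = -1;
    for (size_t i = 0; i + 7 <= len; i++) {
        if (memcmp(mem + i, OMEL, 4)) continue;
        uint8_t seq = mem[i + 4], tot = mem[i + 5], n = mem[i + 6];
        if (i + 7 + n > len) return -1;      /* chunk runs past the region */
        if (total == -1) total = tot;
        else if (tot != total) return -1;    /* chunks disagree on count */
        if (chunk[seq]) return -1;           /* same seq seen twice */
        chunk[seq] = mem + i + 7;
        clen[seq] = n;
        i += 6 + n;                          /* step over the chunk body */
    }
    if (total <= 0) return -1;
    size_t pos = 0;
    for (int s = 0; s < total; s++) {
        if (!chunk[s] || pos + clen[s] > outcap) return -1;
        memcpy(out + pos, chunk[s], clen[s]);
        pos += clen[s];
    }
    return (long)pos;
}

/* Constructed memory: filler, one lone egg (how the hunter's own copy looks),
 * then the doubled egg and a 4-byte payload at an offset the injector did
 * not control. egg_hunt() returns 1345. */
long demo_egg_hunt(void)
{
    static const uint8_t payload[] = {0x31, 0xc0, 0x90, 0x90}; /* xor eax,eax; nop; nop */
    uint8_t mem[4096];
    memset(mem, 0x41, sizeof mem);
    memcpy(mem + 100, EGG, 4);               /* single egg: must be skipped */
    memcpy(mem + 1337, EGG, 4);
    memcpy(mem + 1341, EGG, 4);
    memcpy(mem + 1345, payload, sizeof payload);
    return egg_hunt(mem, sizeof mem);
}

static void put_chunk(uint8_t *mem, size_t at, uint8_t seq, const uint8_t *d, uint8_t n)
{
    memcpy(mem + at, OMEL, 4);
    mem[at + 4] = seq; mem[at + 5] = 3; mem[at + 6] = n;   /* total is 3 */
    memcpy(mem + at + 7, d, n);
}

/* Constructed memory: three chunks of one payload scattered out of order.
 * omelette() returns 8 and out holds 31 c0 50 68 2f 2f 73 68. */
long demo_omelette(uint8_t *out, size_t outcap)
{
    static const uint8_t p0[] = {0x31, 0xc0};                   /* xor eax,eax */
    static const uint8_t p1[] = {0x50};                         /* push eax    */
    static const uint8_t p2[] = {0x68, 0x2f, 0x2f, 0x73, 0x68}; /* push "//sh" */
    uint8_t mem[4096];
    memset(mem, 0x41, sizeof mem);
    put_chunk(mem, 300, 2, p2, sizeof p2);
    put_chunk(mem, 2000, 0, p0, sizeof p0);
    put_chunk(mem, 900, 1, p1, sizeof p1);
    return omelette(mem, sizeof mem, out, outcap);
}

int main(void)
{
    uint8_t out[64];
    long n = demo_omelette(out, sizeof out);
    printf("egg hunt: payload at offset %ld\n", demo_egg_hunt());
    printf("omelette: reassembled %ld bytes, first byte 0x%02x\n", n, out[0]);
    return 0;
}
```

The doubled egg and the refusal to execute a partially reassembled omelette are the two details that matter in practice: a hunter that matches its own tag, or that runs a block with a chunk missing, crashes the very process the exploit just gained control of.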
SHELLCODE EXEC STRATEGY : An exploit will commonly inject shellcode into the target process before, or at the same time as, it exploits a vulnerability to gain control over the program counter. The program counter is adjusted to point to the shellcode, after which the shellcode gets executed and performs its task.
Injecting the shellcode is often done by storing
SHELLCODE ENCODING : Most target processes filter or restrict the data that can be injected, so shellcode often has to be written to work within these restrictions. This includes making the code small, null-free and alphanumeric. Various techniques are:
- Design and implementation optimizations to decrease the size of the shellcode
- Implementation modifications to get around limitations in the range of bytes that can be used in the shellcode
- Self-modifying code that modifies a number of bytes of its own code before executing them, in order to re-create bytes that are normally impossible to inject into the process
- Also, shellcode is often encoded, made self-decrypting or polymorphic to avoid detection by IDS/IPS
> Percent encoding - Exploits that target browsers commonly encode shellcode in a JavaScript string using percent-encoding, "\uXXXX" escape-sequence encoding or entity encoding
> Null-free shellcode - Most shellcode is written without null bytes because it is intended to be injected into the target process through null-terminated strings. When a null-terminated string is copied, it is copied up to and including the first null, so the subsequent bytes of the shellcode never arrive. On x86, for example, mov eax, 0 assembles to B8 00 00 00 00, whereas xor eax, eax assembles to 31 C0 and zeroes the register without any null byte
> Alphanumeric and printable shellcode - When the target process filters any byte of the injected shellcode that is not a printable or alphanumeric character, the shellcode must be written entirely within that range. It is possible to turn almost any code into alphanumeric code; the technique used is self-modifying code that decodes itself at run time, which allows the code that finally executes to include bytes outside the normally allowed range [Phrack 57]
> Unicode-proof shellcode - Some programs convert ASCII strings to UTF-16 before using them, which inserts a zero byte after each byte of the original string. Shellcode meant for such a target is written so that it still executes correctly after this transformation has been applied [Phrack 61]
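Added example, not part of the gist or of the Wikipedia page, tying together the self-modifying-code, encoding and null-free points above: a bad-byte check and a single-byte XOR encoding whose key is chosen so that the encoded payload avoids the forbidden bytes, with the decode loop written in C rather than as a machine-code stub. The constructed sample payload is the naive 32-bit x86 encoding of mov eax,0; mov ebx,1; int 0x80, and the bad set (NUL, LF, CR) is an assumed filter for a C-string copy over a line-oriented protocol. The last function generalizes the check to a printable-only filter to show why the alphanumeric case needs a different decoder.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bad-byte checking and a single-byte XOR encoding whose key is chosen so
 * the encoded payload contains none of the forbidden bytes. The decode loop
 * is written in C to show the logic; in an exploit it is a short machine
 * code stub in front of the encoded bytes, itself free of the bad bytes. */

/* Constructed sample: 32-bit x86 "mov eax,0; mov ebx,1; int 0x80" as a
 * compiler would emit it, with embedded zeros. */
static const uint8_t raw[] = {0xb8, 0, 0, 0, 0, 0xbb, 1, 0, 0, 0, 0xcd, 0x80};
/* Assumed bad set for a C-string copy over a line-oriented protocol. */
static const uint8_t bad[] = {0x00, 0x0a, 0x0d};

/* Index of the first byte of buf that appears in bad_set[], or -1 if clean. */
long first_bad_byte(const uint8_t *buf, size_t n, const uint8_t *bad_set, size_t nbad)
{
    for (size_t i = 0; i < n; i++)
        if (memchr(bad_set, buf[i], nbad)) return (long)i;
    return -1;
}

/* Find a key k (1..255) such that k itself is allowed (the decoder stub has
 * to carry it) and every buf[i]^k is allowed. Returns -1 if none exists. */
int find_xor_key(const uint8_t *buf, size_t n, const uint8_t *bad_set, size_t nbad)
{
    for (int k = 1; k < 256; k++) {
        uint8_t key = (uint8_t)k, ok = !memchr(bad_set, key, nbad);
        for (size_t i = 0; ok && i < n; i++)
            if (memchr(bad_set, buf[i] ^ key, nbad)) ok = 0;
        if (ok) return k;
    }
    return -1;
}

/* Encoder (exploit side) and decoder (what the stub does to its own tail). */
void xor_encode(const uint8_t *buf, size_t n, uint8_t key, uint8_t *out)
{
    for (size_t i = 0; i < n; i++) out[i] = buf[i] ^ key;
}
void xor_decode_in_place(uint8_t *buf, size_t n, uint8_t key)
{
    for (size_t i = 0; i < n; i++) buf[i] ^= key;
}

/* The injection path, simulated: a strcpy-style copy stops at the first NUL.
 * Returns how many bytes reached dst (1 for the raw sample: just 0xb8). */
size_t strcpy_style_copy(const uint8_t *src, size_t n, uint8_t *dst)
{
    size_t i = 0;
    while (i < n && src[i] != 0) { dst[i] = src[i]; i++; }
    return i;
}

/* Encode, copy, decode. Returns 1 if the original bytes survived intact and
 * stores the key: 2 for this sample, since key 1 would turn the 0x01 into
 * a NUL and is rejected by find_xor_key(). */
int encoded_roundtrip_ok(int *key_out)
{
    uint8_t enc[sizeof raw], dst[sizeof raw];
    int k = find_xor_key(raw, sizeof raw, bad, sizeof bad);
    if (k < 0) return 0;
    if (key_out) *key_out = k;
    xor_encode(raw, sizeof raw, (uint8_t)k, enc);
    if (first_bad_byte(enc, sizeof enc, bad, sizeof bad) != -1) return 0;
    if (strcpy_style_copy(enc, sizeof enc, dst) != sizeof raw) return 0;
    xor_decode_in_place(dst, sizeof dst, (uint8_t)k);
    return memcmp(dst, raw, sizeof raw) == 0;
}

/* Printable-only filter: every byte outside 0x21..0x7e is bad. Several raw
 * bytes have the high bit set while every allowed key has it clear, so no
 * single-byte XOR can fix them: returns -1. This is why alphanumeric
 * shellcode needs a self-modifying decoder built from allowed opcodes. */
int printable_xor_key(void)
{
    uint8_t bad_np[256];
    size_t n = 0;
    for (int b = 0; b < 256; b++)
        if (b < 0x21 || b > 0x7e) bad_np[n++] = (uint8_t)b;
    return find_xor_key(raw, sizeof raw, bad_np, n);
}

int main(void)
{
    uint8_t dst[sizeof raw];
    int key = 0, ok = encoded_roundtrip_ok(&key);
    printf("raw: first bad byte at %ld, %zu byte(s) survive the copy\n",
           first_bad_byte(raw, sizeof raw, bad, sizeof bad),
           strcpy_style_copy(raw, sizeof raw, dst));
    printf("xor key 0x%02x, roundtrip %s\n", key, ok ? "ok" : "failed");
    printf("printable-only key search: %d\n", printable_xor_key());
    return 0;
}
```

The key search has to consider the key byte itself, because the real decoder stub embeds it as an immediate and is copied through the same filter as the payload; a stub that contains a bad byte truncates the whole payload just as surely as the raw shellcode would.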
PLATFORMS : Most shellcode is written in machine code because of the low level at which the vulnerability being exploited gives the attacker access to the process. Shellcode is therefore often created to target one specific combination of processor, operating system and service pack, called a platform.