
Following up from this question: Should I bother teaching buffer overflows any more?

I am an IT security researcher and also a security course instructor. Recently, questions have been raised about the validity of buffer overflows, buffer overflow techniques and the like, given that the subject itself is evolving over the years (new countermeasures, new techniques, etc.). The question I linked rationalized learning the buffer overflow concept as a whole, but I would like to ask about a more specific area.

So, in short, is writing shellcode still worth learning? Also some other techniques like egghunting, NOP sleds, etc.

3 Answers


Yes, it's still worth learning. People who are in the early stages of learning exploit development are not going to come out of the gate knowing everything. It's good to use the buffer overflow that you reference, and shellcode writing, to get people's interest piqued and to use as a stepping stone to becoming a professional exploit developer. You never know, you may be teaching the next exploit developer genius, and learning about shellcode development might trigger a new innovation. So yes, keep teaching it. Besides, it's still used.

Jason H
  • So what you're saying is that it would serve as steps and knowledge towards more recent exploits? Also, you said that it's still used; does this mean there are still legacy systems on which shellcode is still valid, or is there some solid usage of shellcode in newer exploits? – Pham Trung Nghia May 08 '13 at 19:24
  • On one hand you still have a lot of legacy systems; on the other, exploits like Meterpreter are still actively used. Another reason to actually learn how to shellcode is because you can't simply run exploits without knowing what they actually do. – Lucas Kauffman May 08 '13 at 19:34
  • Yes, shellcode is still used. The exploit only opens the door. You have to jam that shellcode in there to get some kind of access. And there are plenty of legacy systems out there. Ran into some Win2k boxes on an assessment last month. That's not too old, but it is past end of life. – Jason H May 08 '13 at 19:47
  • @LucasKauffman Thanks for pointing out an actual example. Somehow I never thought of this as an assuring example of shellcode still living among us. – Pham Trung Nghia May 08 '13 at 20:54
  • @JasonH The legacy systems argument is definitely valid, but my students and peers sometimes don't accept this - despite it being very true. – Pham Trung Nghia May 08 '13 at 20:55

So far the answers have mentioned only the knowledge part that one gains from learning how to write shellcode. However, shellcode knowledge is required for performing real-world attacks, and the knowledge is used by attackers for remaining stealthy as well as for performing a task specific to a particular environment.

To give an example, look at the iTrust Consulting "APT Technical Backstage" document. It provides step-by-step details of how the researchers were able to compromise the server used by the attackers. On page 11, they provide details of how they developed their own customized shellcode, because both the reverse and the bind shellcode are visible in netstat. In order to cover their communication, they had to customize the bind shellcode and make it connect through the proxy server. If you don't have the shellcode knowledge, you cannot customize the shellcode for a specific requirement.

void_in

There are several reasons why shellcoding is still interesting. First of all, it teaches you how the operating system works at a low level. Having a good understanding of how these things work is still important.

Furthermore, if you look at the numbers, buffer overflow vulnerabilities are still being found, so it's still relevant, albeit these days it might be a lot harder to actually get an exploit working.

Lucas Kauffman
  • Both answers so far are pointing at the 'knowledge and/or stepping stone' side. I would love to see some examples of recent exploit techniques that still rely on the use of shellcode. Don't get me wrong though, learning shellcode as a method of understanding more is a very valid reason. – Pham Trung Nghia May 08 '13 at 19:27
  • Check out Metasploit's Meterpreter shell. That's probably the most widely used shellcode out there. Also check exploit-db.com. They still post shellcode. – Jason H May 08 '13 at 19:48
  • Will have to look more closely at what you have pointed out. Thanks! – Pham Trung Nghia May 08 '13 at 20:51