Questions tagged [shellcode]

In computer security, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode.

231 questions
8 votes, 1 answer

SafeSEH and x64

I read here that /SAFESEH is only valid when linking for x86 targets. /SAFESEH is not supported for platforms that already have the exception handlers noted. For example, on x64 and Itanium, all exception handlers are noted in the…
John Smith
7 votes, 2 answers

Do I always have to overwrite EIP to get to write on the stack in a buffer overflow?

Do I always have to overwrite EIP to get to write on the stack in a buffer overflow? How's the memory organized? I can't find a proper graph with Google.
John Smith
7 votes, 1 answer

Why does my x86 shellcode test program segfault?

I am trying to learn how to create shellcode; my goal is to call execve(). I wrote the code in assembly and it works perfectly, there are no null bytes or absolute addressing methods. The code works fine, but when I copy the opcodes into a C program…
tropz
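The usual cause of that segfault is that a `char code[]` array lives in a non-executable data segment (or on a non-executable stack), so jumping into it faults under NX. As an added example, not code from the question or its answers, here is a harness that copies the bytes into an anonymous mapping, flips it to read+execute with mprotect() and calls it. The bytes are a hand-assembled "return 42" stub chosen per architecture so the harness can be run safely; they are not a real payload, and the function names are this example's own.

```c
#define _DEFAULT_SOURCE 1
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed "return 42" stub for this example (not a payload).
 * Picked per architecture so the harness runs wherever it is built. */
#if defined(__x86_64__) || defined(__i386__)
static const uint8_t ret42_stub[] = {
    0xb8, 0x2a, 0x00, 0x00, 0x00, /* mov $42,%eax */
    0xc3                          /* ret          */
};
#elif defined(__aarch64__)
static const uint8_t ret42_stub[] = {
    0x40, 0x05, 0x80, 0x52, /* mov w0, #42 */
    0xc0, 0x03, 0x5f, 0xd6  /* ret         */
};
#else
#error "no return-42 stub for this architecture"
#endif

/* Copy `code` into a fresh anonymous mapping, make it read+execute, call it
 * and return whatever it leaves in the return register. Returns -1 if the
 * mapping or the protection change fails. Writing first and only then
 * mprotect()ing to RX (rather than mapping RWX) keeps this working under
 * W^X policies. */
int run_shellcode(const uint8_t *code, size_t len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t size = ((len + page - 1) / page) * page;

    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -1;
    memcpy(mem, code, len);

    if (mprotect(mem, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, size);
        return -1;
    }
    /* Drop stale instruction-cache lines: required on aarch64 after writing
     * code, a no-op on x86. */
    __builtin___clear_cache((char *)mem, (char *)mem + len);

    int (*fn)(void);
    memcpy(&fn, &mem, sizeof fn); /* object-to-function pointer without a cast */
    int rc = fn();
    munmap(mem, size);
    return rc;
}

int main(void)
{
    int rc = run_shellcode(ret42_stub, sizeof ret42_stub);
    printf("shellcode returned %d\n", rc);
    return rc == 42 ? 0 : 1;
}
```

The older shortcut of linking the test program with `gcc -z execstack` makes the whole stack executable instead; that hides the problem rather than showing where the bytes may legitimately run, and a stack-protector or a sandbox that forbids executable mappings will still stop it.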
7 votes, 1 answer

Why would legitimate programs have a `jmp esp` instruction?

It appears that a common exploit trick is to use stack overflow to overwrite the instruction pointer such that it points to a jmp esp instruction somewhere in the code segment which then executes the arbitrary code of the attacker's choice. However,…
1110101001
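Part of the answer is that `jmp esp` (and `jmp rsp` on x86-64) is just the two bytes FF E4, and x86 code is not self-synchronizing: those bytes can appear inside the immediate operand of an unrelated instruction and still be jumped to. As an added example, not code from the question or its answers, the scanner below walks a constructed byte buffer and reports every FF E4 pair; only the first is a real `jmp esp`, the other two are operand bytes of ordinary instructions. The buffer and the function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return the number of FF E4 ("jmp esp" / "jmp rsp") byte pairs in buf,
 * writing up to max_hits of their offsets into hits (hits may be NULL when
 * max_hits is 0). */
size_t find_jmp_esp(const uint8_t *buf, size_t len, size_t *hits, size_t max_hits)
{
    size_t n = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == 0xff && buf[i + 1] == 0xe4) {
            if (n < max_hits)
                hits[n] = i;
            n++;
        }
    }
    return n;
}

/* Offset of the k-th (0-based) FF E4 pair, or (size_t)-1 if there are
 * fewer than k+1 of them. */
size_t nth_jmp_esp(const uint8_t *buf, size_t len, size_t k)
{
    size_t seen = 0;
    for (size_t i = 0; i + 1 < len; i++) {
        if (buf[i] == 0xff && buf[i + 1] == 0xe4) {
            if (seen == k)
                return i;
            seen++;
        }
    }
    return (size_t)-1;
}

/* Constructed x86 byte buffer (not taken from any real binary). Only offset
 * 0 is an intentional jmp esp; the hits at 7 and 12 are operand bytes. */
static const uint8_t sample_code[] = {
    0xff, 0xe4,                          /*  0: jmp esp              */
    0x90, 0x90,                          /*  2: nop; nop             */
    0xb8, 0x00, 0x00, 0xff, 0xe4,        /*  4: mov eax, 0xe4ff0000  */
    0xc3,                                /*  9: ret                  */
    0x81, 0xc7, 0xff, 0xe4, 0x00, 0x00,  /* 10: add edi, 0xe4ff      */
};

int main(void)
{
    size_t hits[8];
    size_t n = find_jmp_esp(sample_code, sizeof sample_code, hits, 8);
    printf("%zu jmp esp gadget(s):", n);
    for (size_t i = 0; i < n && i < 8; i++)
        printf(" +%zu", hits[i]);
    printf("\n");
    return 0;
}
```

A real gadget finder scans the executable sections of every loaded module (the target plus its DLLs or shared objects) rather than one buffer, and filters the hits for the module's protections: a `jmp esp` in an image built with ASLR or SafeSEH is of little use, which is why exploits favour old unprotected libraries.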
7 votes, 2 answers

Difference between Code Injection, Command Injection and Remote Code Execution

If one has to describe the fundamental difference between these three terms (i.e. Code Injection, Command Injection and Remote Code Execution), what will that be? How are they different from each other in terms of the approach to performing the attack and its…
7 votes, 3 answers

What is the difference between a payload and shellcode?

I am new to penetration testing and I would like to know the differences between these two things: Payload (reverse TCP vs. bind shell) Shell vs. Shellcode Any help?
user156894
7 votes, 2 answers

Serving a php webshell without running it locally

I am using Kali Linux in a pentesting lab. By entering the following URL on the victim system I can get it to access my apache server (I see a 200 access response in my logs), but the php file renders on my system and then I spawn a webshell on my…
Shrout1
6 votes, 1 answer

Removing null bytes from shell code

I am learning the basics of shellcoding so that I can learn to exploit buffer overflows. The problem is, the example byte code that I wrote contains null bytes. Here is the example: xor %edi,%edi > 31 ff mov $0x3c,%eax …
SivaDotRender
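The null bytes come from 32-bit immediates: `mov $0x3c,%eax` encodes as B8 3C 00 00 00, and a strcpy()-style copy stops at the first 00. As an added example, not code from the question or its answers, the block below checks hand-assembled x86-64 exit() fragments for NUL bytes and prints them in the `\xNN` form a C test program needs, contrasting the naive encoding with two NUL-free ways of loading the same syscall number. The byte arrays and function names are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Offset of the first 0x00 byte in code, or -1 if there is none. */
long first_null(const uint8_t *code, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (code[i] == 0x00)
            return (long)i;
    return -1;
}

/* Write the bytes as the body of a C string literal ("\x31\xff...") into
 * out, which must hold 4*len+1 chars. Returns the number of chars written. */
size_t to_c_escapes(const uint8_t *code, size_t len, char *out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        n += (size_t)snprintf(out + n, 5, "\\x%02x", code[i]);
    out[n] = '\0';
    return n;
}

/* Constructed x86-64 exit(0) fragments, hand-assembled for this example. */
static const uint8_t naive_exit[] = {
    0x31, 0xff,                   /* xor %edi,%edi                        */
    0xb8, 0x3c, 0x00, 0x00, 0x00, /* mov $0x3c,%eax  (imm32 brings 3 NULs) */
    0x0f, 0x05,                   /* syscall                              */
};
static const uint8_t clean_exit_pushpop[] = {
    0x31, 0xff,   /* xor %edi,%edi                                */
    0x6a, 0x3c,   /* push $0x3c  (sign-extended imm8, no NULs)    */
    0x58,         /* pop %rax                                     */
    0x0f, 0x05,   /* syscall                                      */
};
static const uint8_t clean_exit_lowbyte[] = {
    0x31, 0xff,   /* xor %edi,%edi                                */
    0x31, 0xc0,   /* xor %eax,%eax                                */
    0xb0, 0x3c,   /* mov $0x3c,%al  (write only the low byte)     */
    0x0f, 0x05,   /* syscall                                      */
};

static void report(const char *name, const uint8_t *code, size_t len)
{
    char esc[4 * 16 + 1];
    to_c_escapes(code, len, esc);
    long nul = first_null(code, len);
    if (nul < 0)
        printf("%-20s %s  (no NUL bytes)\n", name, esc);
    else
        printf("%-20s %s  (NUL at offset %ld)\n", name, esc, nul);
}

int main(void)
{
    report("naive_exit", naive_exit, sizeof naive_exit);
    report("clean_exit_pushpop", clean_exit_pushpop, sizeof clean_exit_pushpop);
    report("clean_exit_lowbyte", clean_exit_lowbyte, sizeof clean_exit_lowbyte);
    return 0;
}
```

The push/pop form only works for values that fit a sign-extended 8-bit immediate (-128..127); larger constants need the xor-then-partial-register trick or arithmetic from a NUL-free value. Whichever encoding is chosen, the exploit's own copy routine decides which bytes are bad, so the same check should be run for 0x0a, 0x0d or whatever else the target's parser stops on.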
6 votes, 3 answers

Buffer overflow stack adjustment

I am quite new to buffer overflows and I am practicing right now different types of buffer overflow attacks. The shellcode was not executed until it was padded with NOPs, although it's set properly in memory and the execution flow works as needed. After…
Ahmed Taher
6 votes, 2 answers

Stack canaries protection and ROP

As far as I know stack canaries are values written on the stack that, if overwritten by a buffer overflow, force the application to close at return. My question is: if I overwrite both EIP and stack because I want to ROP something... and I NEVER…
John Smith
6 votes, 3 answers

What methodologies are useful when reverse-engineering malware / shellcode?

Whilst I'm familiar with reverse engineering techniques from a technical standpoint, I've never found a good methodology for approaching and dissecting malware / shellcode. I've found hundreds of tutorials on the technical aspects of analysing…
Polynomial
6 votes, 1 answer

Generating unicode javascript shellcode

I'm trying to generate shellcode to modify this exploit: https://www.exploit-db.com/exploits/24947/ It says in the basic exploit: {'$where':'shellcode=unescape("METASPLOIT JS GENERATED SHELLCODE"); And I'm not really sure what it means. Looking at…
user134167
6 votes, 2 answers

Linux Kernel ROP - Returning to userland from kernel context?

I have a vulnerable Linux Kernel module (32-bit), which I can successfully exploit, and have gained privileges out of it. Basically, my exploit uses a ROP chain to disable SMEP, and directly jumps to my shellcode mapped at userland. My shellcode at…
Mukesh Sai Kumar
6 votes, 2 answers

C shellcode explanation

I've found this shellcode at https://www.exploit-db.com/exploits/39624/: #include char sh[]="\xeb\x0b\x5f\x48\x31\xd2\x52\x5e\x6a\x3b\x58\x0f\x05\xe8\xf0\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; void main(int argc, char **argv) { int…
Shomz
5 votes, 2 answers

ASLR and how a program can actually call its functions

I'm studying protection techniques and I've got a doubt about how ASLR works for a program in a Windows environment. As far as I know ASLR works by randomizing part of the imagebase address when loading the module into memory so that exploits…
Marco A.