Exploits / Buffer Overflows

Man

If you visit any vulnerability publishing website (such as CVE), you'll find numerous exploits presented in code that might appear cryptic at first glance, similar to the examples provided below:

[image: exploit1.jpg]


This article aims to demystify the combination of Assembly and shell code, typically executed in lower-level languages like C, and to explain their operational mechanisms. Let's begin with assembly code.

Regardless of which programming language you are familiar with, when you compile a program it is translated into machine code. Machine code is the lowest level of programming language: it is interpreted and executed directly by the computer's central processing unit (CPU). One level above machine code is assembly language. Although still complex, it is far more readable for humans. Instructions like 'push' and 'mov' in assembly language tell the CPU what to do. When you disassemble a program with a tool like OllyDbg, the result is usually a listing of such assembly instructions.

Then there is shellcode. Typically written in machine code, shellcode is used to exploit software vulnerabilities. It gets its name because the exploit often launches a command shell, giving the attacker full control. Shellcode isn't run directly; it's usually embedded in another language, like C, and executed from a byte buffer (buffers are memory areas that store data temporarily). But what happens when the size limit of the buffer is exceeded? That is where buffer (or stack) overflows come in.

What Are Buffer Overflows?

Explained in straightforward terms, a buffer overflow occurs when data written to a specific memory location, known as a buffer, surpasses its designated limit and begins to spill over into adjacent memory areas. For instance, consider a program that allocates 8 bytes for storing a value. If you input '12345678', it would be stored as shown in the example of "1st" below:

[image: exploit2.jpg]


This works as expected. But suppose you exceed the allowed limit and start entering exploit code. That could play out as shown below:

[image: exploit3.jpg]


When you exceed the permissible limit of a buffer, the program can behave unpredictably, and memory that holds executable code or control data can be overwritten. That is the crux of how such exploits work: a buffer overflow is used to overwrite a specific memory location so that stored shellcode is executed, and the system is compromised. This class of vulnerability is especially common in lower-level languages like C, which offer few safeguards against writing past the end of an allocated memory area.
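To make the spill from the pictures concrete, here is a small added example in C (not code from the original post): an 8-byte buffer with a 4-byte value laid out directly after it, filled once with an unchecked copy and once with a bounded copy. The frame layout, the sentinel value and the two inputs are constructed for this demonstration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed model of a small stack frame: an 8-byte buffer followed by an
 * adjacent 4-byte value (stand-in for whatever lives right after the buffer,
 * such as a flag or a saved pointer). One struct keeps the layout explicit. */
#define BUF_SIZE 8
#define SENTINEL 0x41414141u
struct frame {
    char     buf[BUF_SIZE];   /* fixed-length field, no NUL terminator */
    uint32_t adjacent;        /* the memory that gets "spilled into" */
};

/* Unchecked copy in the spirit of strcpy(): copies as many bytes as the
 * input has, not as many as the buffer holds. Writes go through a byte
 * view of the whole frame so the overflow into 'adjacent' is visible and
 * deterministic (clamped to the frame so the model itself stays defined). */
int copy_unchecked(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, input, n);
    return 0;
}

/* Bounded copy: refuse anything that does not fit in the buffer. */
int copy_checked(struct frame *f, const char *input)
{
    size_t n = strlen(input);
    if (n > BUF_SIZE) return -1;          /* would overflow, so reject it */
    memcpy(f->buf, input, n);
    return 0;
}

/* Outcome of feeding one input through one of the two copiers. */
enum { CORRUPTED = 0, INTACT = 1, REJECTED = 2 };
static const char *outcome[] = { "adjacent corrupted", "adjacent intact", "rejected" };

int try_input(int use_checked, const char *input)
{
    struct frame f;
    memset(f.buf, 0, BUF_SIZE);
    f.adjacent = SENTINEL;
    int rc = use_checked ? copy_checked(&f, input) : copy_unchecked(&f, input);
    if (rc != 0) return REJECTED;
    return f.adjacent == SENTINEL ? INTACT : CORRUPTED;
}

int main(void)
{
    const char *inputs[] = { "12345678", "123456789ABC" };   /* constructed */
    for (int c = 0; c < 2; c++)
        for (int i = 0; i < 2; i++)
            printf("%-9s %-12s -> %s\n", c ? "checked" : "unchecked",
                   inputs[i], outcome[try_input(c, inputs[i])]);
    return 0;
}
```

Eight characters fill the buffer exactly in both versions; twelve characters overwrite the adjacent value with '9ABC' in the unchecked version and are refused by the bounded one.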

For a deeper understanding, it's recommended to explore various kinds of buffer overflows and the methodologies of shellcode encoding.