Sockets, Shellcode, Porting & Coding: Reverse Engineering Exploits and Tool Coding for Security Professionals

Chapter 9: Writing Shellcode II

Introduction

In this chapter, you will learn how to write the most efficient shellcode for different purposes. The chapter is designed to help you understand the development process of shellcode and provides many example codes, which are explained step by step. Because shellcode is injected in running programs, it has to be written in a special manner so that it is position-independent. This is necessary because the memory of a running program changes very quickly; using static memory addresses in shellcode to, for example, jump to functions or refer to a string, is not possible.
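Because position-independent shellcode cannot hard-code the address of its own strings, it usually has to compute its location at run time, and the x86 idioms for doing so (a `call` to the very next instruction followed by a `pop`, or the jmp/call/pop layout) leave recognizable byte patterns. The scanner below is an added example written for this chapter, not code from the book; it flags those two 32-bit x86 idioms in a byte buffer so a defender can see what "finding your own address" looks like in raw bytes. The sample buffers are constructed inline and contain no working payload, only the addressing skeleton and filler.

```python
"""Flag x86 (32-bit) 'GetPC' idioms that position-independent code uses
to locate itself.  Added example for the chapter; the samples are constructed."""

import re

# E8 00 00 00 00 = call to the next instruction; 58..5F = pop r32.
# The pushed return address is popped straight into a register.
CALL_NEXT_POP = re.compile(rb"\xe8\x00\x00\x00\x00[\x58-\x5f]")

# EB rel8 = jmp short.  In the jmp/call/pop layout the jmp goes forward to a
# call whose negative rel32 lands right after the jmp, where a pop sits.
JMP_SHORT = re.compile(rb"\xeb(.)", re.DOTALL)


def find_getpc(buf: bytes) -> list[tuple[str, int]]:
    """Return (idiom_name, offset) for each GetPC idiom found in buf."""
    hits = []
    for m in CALL_NEXT_POP.finditer(buf):
        hits.append(("call-next/pop", m.start()))

    for m in JMP_SHORT.finditer(buf):
        disp = m.group(1)[0]
        if disp >= 0x80:          # backward short jump: not the idiom
            continue
        landing = m.end()         # byte right after the jmp
        target = landing + disp   # where the jmp goes
        if buf[target:target + 1] != b"\xe8" or len(buf) < target + 5:
            continue
        rel = int.from_bytes(buf[target + 1:target + 5], "little", signed=True)
        # The call must return to the landing site, and that site must be a pop.
        if target + 5 + rel == landing and landing < len(buf) \
                and 0x58 <= buf[landing] <= 0x5F:
            hits.append(("jmp/call/pop", m.start()))
    return hits


# Constructed sample 1: jmp +10 / pop esi / 9 filler nops / call back -15 / 4 data bytes.
SAMPLE_JMP_CALL_POP = (
    b"\xeb\x0a" + b"\x5e" + b"\x90" * 9
    + b"\xe8" + (-15).to_bytes(4, "little", signed=True) + b"AAAA"
)

# Constructed sample 2: call next instruction, pop ebx.
SAMPLE_CALL_NEXT = b"\xe8\x00\x00\x00\x00\x5b" + b"\x90" * 4

# Constructed benign buffer: plain text, no idiom.
SAMPLE_BENIGN = b"Hello, world\n"


if __name__ == "__main__":
    for name, data in [("jmp/call/pop", SAMPLE_JMP_CALL_POP),
                       ("call-next", SAMPLE_CALL_NEXT),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, data.hex(), "->", find_getpc(data))
```

The check is deliberately strict: a stray `EB` byte in ordinary data does not fire unless the forward jump really lands on a `pop` that a matching backward `call` returns to. It only covers 32-bit x86 encodings; 64-bit code uses RIP-relative addressing and needs none of these tricks, so the same bytes are not the signal there.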

When shellcode is used to take control of a program, it is first necessary to get the shellcode into the program's memory and then to let the program somehow execute it. This means you will have to sneak it into the program's memory, which sometimes requires very creative thinking. For example, a single-threaded Web server may still have data in memory from an old request while already starting to process a new one. So you might embed the shellcode with the rest of the payload in the first request while triggering its execution with the second request.

The length of shellcode is also very important because the program buffers used to store shellcode often are very small. In fact, with 50 percent of all vulnerabilities every byte of the shellcode counts. Chapters 11 and 12 of this book focus on buffer overflows and the fact that within the payload the shellcode has to be...
