What Is a Shellcode?

Shellcode is sequence of machine code, or executable instructions, that is injected into a computer's memory with the intent to take control of a running program. In such an attack, one of the steps is to to gain control of the program counter, which identifies the next instruction to be executed. Program flow can then be redirected to the inserted code. The intrusive machine code is called the payload of the attack and is the element commonly referred to by the term shellcode. This method has often been used to grant an attacker access by opening an operation system command shell, so code injection attacks in general have come to be known as shellcode.

The vulnerability being exploited typically involves how a program assigns memory, checks the validity of input data and handles memory errors. Software developers can usually avoid this threat by strictly defining input data and rejecting improper values. If unchecked, values needing more storage space than the memory allotted for that value might be accepted. This causes a security breech called a buffer overflow, where part of the data is written into memory locations adjacent to the the value's assigned space. When carefully manipulated, this anomaly can allow intrusive code to be introduced.

Shellcode is normally written in a programming language with low-level system access such as assembly, C or C++. Depending on the targeted vulnerability, however, the same result might be realized by inserting code for an interpreted scripting language, like PERL, or bytecode for a virtual machine, such as JAVA. The code can be implanted before, during or after the hijack of the program counter. Thus, the intrusive code may be contained in a file on the targeted machine or transmitted over a network connection in real time.

Local shellcode exploits are designed to give an attacker control over a machine to which he or she has physical access. An objective in this case might be to create an account with administrator privileges, for example. Similarly, if a running process has a high privilege level, a successful exploit would temporarily grant the same level of access to the intruder.

Processes running on a remote machine can be exploited using standard network protocols to communicate with the target computer. Connect-back shellcode instructs the target machine to initiate a connection to the intruder's computer. If the intruder initiates the connection, the code is called a bindshell, as it attempts to take control of a network connection called a port on the remote machine. The connect-back method is more widely used, since firewalls rarely prohibit outbound connections.