Part 4: Advanced Materials

Overview

If you browse a shellcode archive, you will normally see operating-system specific variants on the following themes:

• Unix

  • execve /bin/sh

  • port-binding /bin/sh

  • passive connect ("reverse shell") /bin/sh

  • setuid

  • breaking chroot

• Windows

  • WinExec

  • Reverse shell using CreateProcess cmd.exe

This list comprises the basic, shell-based types of exploit code that are most often posted to mailing lists and most security Web sites. Although a number of complex issues related to the development of this kind of traditional shellcode exist, you will sometimes find situations in which it's necessary for you to do something beyond developing traditional shellcodeperhaps because there's a more direct way to achieve your objective, or because there's some defense mechanism that blocks traditional shellcode, or perhaps just because you prefer to use a more interesting or obscure method.

So, this chapter won't cover traditional shellcode; instead, we'll focus on the more subtle or unusual things that arbitrary code executed in a target process can dosuch as modifying the code of the process while it's running, manipulating the operating system directly to add users or change configurations, or using covert channels to transmit data from the target host. If this book were a menagerie of exploits, this chapter would contain the Manatee, the Aardvark, the Duck-billed Platypus, and even the Dragon. But we'll come to that later.

We'll also deal with a few generic shellcode tricks and tips, mostly for the Windows platforms, such as techniques for reducing the size of shellcode and problems with service-pack and target-version independence.