A computer shellcode is a small, low-level piece of code used in exploitation attacks to gain control over a system. It’s typically written in assembly or machine code and injected into a vulnerable program to execute arbitrary commands.
🧠 What Is Shellcode?
- Originally, shellcode was designed to open a shell (command-line interface) on the target machine—hence the name.
- Today, it refers more broadly to any payload that gets executed after exploiting a vulnerability.
- It’s often used in buffer overflow, remote code execution, or privilege escalation attacks.
As SentinelOne explains, shellcode is not related to shell scripting languages like Bash—it’s raw binary code designed to run directly on the CPU.
🧬 How Shellcode Works
- An attacker finds a vulnerability (e.g., buffer overflow).
- They inject shellcode into the memory of the target program.
- The program’s execution flow is redirected to the shellcode.
- The shellcode runs—often spawning a shell, downloading malware, or opening a backdoor.
🧪 Example: Linux Exit Shellcode
Here’s a basic shellcode snippet that exits a program in Linux:
section .text
global _start
_start:
mov eax, 1 ; syscall number for exit
mov ebx, 0 ; exit code
int 0x80 ; interrupt to invoke syscall
This gets compiled into machine code and injected into a vulnerable app. You can see a full walkthrough in Exploit DB’s Shellcode for Beginners.
🛡️ How to Defend Against Shellcode
- Use Address Space Layout Randomization (ASLR) to make memory locations unpredictable.
- Enable Data Execution Prevention (DEP) to block execution of code in non-executable memory regions.
- Keep software updated to patch known vulnerabilities.
- Use intrusion detection systems to monitor for shellcode behavior.
Here’s a deep dive into how shellcode is used in real-world exploits and how security tools detect it:
🧨 Real-World Shellcode Exploit Example
In a typical attack, a hacker might:
- Identify a vulnerable application—often through fuzzing or reverse engineering.
- Craft shellcode—a small payload that opens a shell or downloads malware.
- Inject the shellcode—via buffer overflow, format string vulnerability, or malicious input.
- Redirect execution—so the program runs the shellcode instead of its normal code.
🔍 For example, attackers often use tools like Metasploit to generate shellcode that opens a reverse shell. This allows them to control the victim’s machine remotely. Here’s a snippet from a shellcode string that spawns /bin/sh on Linux:
\x48\x31\xf6\x56\x48\xbf\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x57\x54\x5f\x6a\x3b\x58\x99\x0f\x05
This is a compact, null-byte-free payload designed to bypass input filters.
🛡️ How Security Tools Detect Shellcode
Security systems use several techniques to catch shellcode:
1. Signature-Based Detection
- Compares code against known malicious patterns.
- Effective for well-known shellcode (e.g., Metasploit payloads).
- Weak against obfuscated or custom shellcode.
2. Heuristic Analysis
- Looks for suspicious behavior like:
- Use of system calls (
execve,VirtualAlloc) - Unusual byte sequences
- Memory injection patterns
- Use of system calls (
- Can detect novel shellcode but may produce false positives.
3. Emulation
- Runs the suspected code in a safe, virtual environment.
- Observes behavior (e.g., does it open a shell or download files?).
- Helps detect shellcode that’s hidden or dynamically loaded.
4. Behavioral Monitoring
- Tracks runtime actions like:
- Memory allocation with execute permissions
- Network connections to unknown IPs
- File system changes
- Often used by Endpoint Detection and Response (EDR) tools.
Here’s how you can learn to write shellcode for educational purposes, along with resources and examples to guide you:
🧠 What You’ll Learn
- Basics of assembly language
- How to use Linux system calls to create shellcode
- Techniques to avoid null bytes and ensure portability
- How to test shellcode safely in a virtual lab environment
🧪 Educational Resources
📘 Shellcode Development Lab by SEED Security Labs
- Offers hands-on tasks to write and modify shellcode.
- Covers stack-based and call-based shellcode techniques.
- Includes a pre-built Ubuntu VM for safe testing.
- Ideal for beginners and intermediate learners.
📗 Manual Shellcode Writing Guide – Exploit DB
- Teaches how to write shellcode by hand using Windows API.
- Demonstrates how to call functions like
MessageBoxAusing hardcoded memory addresses. - Includes setup instructions for tools like OllyDbg and Code::Blocks.
🛠️ Shellcode Generator for Education
- Introduces a beginner-friendly shellcode generator.
- No need to write assembly manually.
- Great for understanding system calls and low-level execution.
🧼 Safety First
Always test shellcode in a controlled lab environment:
- Use virtual machines (like Kali Linux or SEED Ubuntu VM).
- Disable internet access to prevent accidental exposure.
- Never run shellcode on production systems.
Here’s a simple educational shellcode example that spawns a shell (/bin/sh) on a Linux system using the execve syscall. This is a classic payload used in many exploit demonstrations.
🧪 Assembly Shellcode Example (x86_64 Linux)
.global _start
_start:
mov rax, 59 ; syscall number for execve
lea rdi, [rip+binsh] ; pointer to "/bin/sh"
xor rsi, rsi ; argv[] = NULL
xor rdx, rdx ; envp[] = NULL
syscall ; invoke execve
binsh:
.string "/bin/sh"
This code:
- Loads the syscall number for
execveintorax. - Sets up the arguments: path to shell, and null pointers for
argvandenvp. - Executes the syscall to spawn a shell.
You can compile and extract the shellcode using tools like gcc, objdump, and xxd.
🧪 How to Compile and Extract Shellcode
- Save the code as
shellcode.s. - Compile:
gcc -nostdlib -static shellcode.s -o shellcode-elf - Extract raw bytes:
objdump -d shellcode-elf | grep '[0-9a-f]:' | \ cut -f2 -d: | cut -f1-6 -d' ' | tr -s ' ' | \ tr '\t' ' ' | sed 's/ $//g' | sed 's/ /\\x/g' | \ sed 's/^/"/' | sed 's/$/"/g'
This gives you the raw shellcode string you can inject into a vulnerable program.
📚 Learn More
- Linux Shellcoding Examples – cocomelonc
- Shellcode Tutorial – Practical CTF
- Shellcode for Beginners – Exploit DB
