Understanding Shellcode: The Reverse Shell

david@systemoverlord.com (David Tomaschik) — Tue, 30 Oct 2018 00:00:00 +0000

A recent conversation with a coworker inspired me to start putting together a series of blog posts to examine what it is that shellcode does. In the first installment, I’ll dissect the basic reverse shell.

First, a couple of reminders: shellcode is the machine code that is injected into the flow of a program as the result of an exploit. It generally must be position independent as you can’t usually control where it will be loaded in memory. A reverse shell initiates a TCP connection from the compromised host back to a host under the control of the attacker. It then launches a shell with which the attacker can interact.

Even shorter x86-64 shellcode

david@systemoverlord.com (David Tomaschik) — Wed, 27 Apr 2016 00:00:00 +0000

So about two years ago, I put together the shortest x86-64 shellcode for execve("/bin/sh",...); that I could. At the time, it was 25 bytes, which I thought was pretty damn good. However, I’m a perfectionist and so I spent some time before work this morning playing shellcode golf. The rules of my shellcode golf are pretty simple:

The shellcode must produce the desired effect.
It doesn’t have to do things cleanly (i.e., segfaulting after is OK, as is using APIs in unusual ways, so long as it works)
It can assume the stack pointer is at a place where it will not segfault and it will not overwrite the shellcode itself.
No NULLs. While there might be other constraints, this one is too common to not have as a default.

So, spending a little bit of time on this, I came up with the following 22 byte shellcode:

Shellcode on System Overlord

Understanding Shellcode: The Reverse Shell

Even shorter x86-64 shellcode