Shellcode is widely used in many attacks that involve code injection. Writing shellcode is quite challenging. Although we can easily find existing shellcode from the Internet, to be able to write our own shellcode from the scratch is always exciting. There are several interesting techniques involved in shellcode. The purpose of this lab is to help students understand these techniques so they can write their own shellcode.

There are several challenges in writing shellcode, one is to ensure that there is no zero in the binary, and the other is to find out the address of the data used in the command. The first challenge is not very difficult to solve, and there are several ways to solve it. The solutions to the second challenge led to two typical approaches to write shellcode. In one approach, data are pushed into the stack during the execution, so their addresses can be obtained from the stack pointer. In the second approach, data are stored in the code region, right after a call instruction, so its address are pushed into the stack (as the return address) when the call function is invoked. Both solutions are quite elegant, and we hope students can learn these two techniques.

Lab Tasks

  • VM version: This lab has been tested on our pre-built SEEDUbuntu16.04 VM.

Recommended Time

  • Supervised situation (e.g. a closely-guided lab session):
  • Unsupervised situation (e.g. take-home project):

Videos (New)

Files that are Needed

  • mysh.s: The basic shellcode for Task 1
  • mysh2.s: The basic shellcode for Task 2
  • convert.py: Converting machine code to Python array

Suggested Reading

  • SEED Book by Wenliang Du (Book website) (Chinese version)


SEED Books

SEED Lectures