The ABC of Next-Gen Shellcoding

Conference: Defcon 27



The presentation discusses techniques for writing alphanumeric shellcodes on constrained instruction sets, with a focus on non-x86 architectures.
  • Writing code using alphanumeric characters can help avoid filters and target specific applications
  • The x86 environment is already mature, but new architectures like RISC-V are gaining momentum
  • Markov chains can be used to generate English-like shellcode
  • Compiling assembly code directly to alphanumeric instructions is a possible approach, but it may fail when the constraints fall on the operands rather than on the opcodes
  • Emulation and unpacking techniques can also be used to write alphanumeric shellcodes on constrained instruction sets
The presenter gives a demo of a standard setuid exploitation: a program that runs with root privileges even though it is launched by a standard user. They send an English-like shellcode to the program and obtain a root shell. However, the techniques discussed may not work on non-x86 architectures like RISC-V due to constraints on operands and addressing modes.
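The summary mentions Markov chains as the way to make a payload read like English. The following is an added example, not code from the talk or its authors: it shows the language-model half of that idea, a character bigram chain trained on a constructed toy corpus and sampled so that every character stays inside an allowed set, together with the naive character-class filter such payloads are built to pass. The corpus, the allowed set and the function names are assumptions; the step of making the generated text also decode to valid instructions is not shown. The defensive point is that a filter which only inspects byte values cannot tell English-like text from English-like code, so it is not a control against this technique.

```python
import random
from collections import defaultdict

# Constructed toy corpus (assumption: the talk does not say which text the
# speakers trained on; any English text works the same way).
CORPUS = (
    "the quick brown fox jumps over the lazy dog "
    "while the small cat sleeps near the warm fire"
)

# Constraint the output must satisfy (assumption: lowercase letters and space).
ALLOWED = set("abcdefghijklmnopqrstuvwxyz ")


def build_bigram_model(text, allowed=ALLOWED):
    """Count character-to-character transitions, dropping disallowed chars."""
    model = defaultdict(lambda: defaultdict(int))
    filtered = [c for c in text.lower() if c in allowed]
    for a, b in zip(filtered, filtered[1:]):
        model[a][b] += 1
    return model


def generate(model, length, seed=0, start=None):
    """Sample `length` chars, only ever following transitions seen in the corpus.

    Because every emitted character comes from the model, the output is
    guaranteed to stay inside the allowed set.  A seeded RNG keeps runs
    reproducible for testing.
    """
    rng = random.Random(seed)
    states = sorted(model)
    if start is None:
        start = rng.choice(states)
    out = [start]
    while len(out) < length:
        successors = model.get(out[-1])
        if not successors:  # dead end (last corpus char only): restart the chain
            out.append(rng.choice(states))
            continue
        chars = sorted(successors)
        weights = [successors[c] for c in chars]
        out.append(rng.choices(chars, weights=weights)[0])
    return "".join(out)


def passes_character_filter(data: bytes, allowed=ALLOWED) -> bool:
    """A naive input filter: accepts the payload if every byte is an allowed
    character.  It looks only at byte values, never at what they would do if
    executed, which is exactly why alphanumeric payloads are crafted."""
    return all(chr(b) in allowed for b in data)


if __name__ == "__main__":
    model = build_bigram_model(CORPUS)
    sample = generate(model, 40, seed=1)
    print(repr(sample))
    print("passes naive filter:", passes_character_filter(sample.encode()))
```

Train on a larger corpus and a higher-order chain (trigrams or words) to get more convincing text; the constraint handling stays the same, since filtering the corpus to the allowed set before counting transitions is what guarantees the output never leaves it.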


Shellcodes are short executable stubs that are used in various attack scenarios, whenever code execution is possible. After briefly recalling how they work in general and what interesting things they can do, besides obviously running a reverse shell, we'll have to deal with the reality that shellcodes are usually not particularly stealthy, due in part to the very suspicious presence of non-printable characters. In a tutorial-like fashion, we'll address increasingly complex constraints. As a reward, we reveal new methods for writing, in particular, alphanumeric shellcodes, and for attacking platforms for which (to the best of our knowledge) no such shellcode was previously known. Don't know anything about constrained shellcodes? Do not worry: we'll start from the ground up. Black belt in shellcoding? We have you covered; stay until the end, where we'll get our hands dirty!


