During the development of nepenthes we have seen many different shellcodes being used by bots. This page is an attempt to collect all the information gathered so far. Some shellcodes are known and have a name because the bot developer copied a proof-of-concept exploit; we stick with that name as far as possible. Many of the shellcodes we received, however, don't have a name (or we haven't found one), so we named those ourselves.
Shellcodes are usually executed because of a (C-)string buffer overflow. A C-string is zero-terminated, i.e. an array of characters where the 0-character marks the end. Plain shellcodes, however, contain the 0-character quite often, so they are encoded such that they don't contain any 0-characters at all. A small decoder (which is guaranteed not to contain 0-characters itself) is then prepended to the encoded shellcode and decodes the payload.
Memory is limited, and that also applies to shellcodes. Depending on the bug the available room can be very small, so small that a full-featured shellcode does not fit. In that case the exploit process is split into two or more stages: the very first exploit shellcode sets up a small environment and loads additional code over a new connection.
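To make the 0-character constraint concrete from the analyst's side, the Python below (an added example, not nepenthes code) checks a captured buffer for NUL bytes and recovers the payload from an encoded blob by trying every single-byte XOR key. The single-byte XOR encoding, the `cmd.exe` marker and the sample bytes are assumptions constructed for this example; the page does not name a particular encoder.

```python
"""Analyst-side check for NUL-free encoded shellcode.

Assumptions (not from the page): the encoder is a single-byte XOR, and the
decoded payload contains a marker string the analyst expects to find.
"""


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (symmetric: encodes and decodes)."""
    return bytes(b ^ key for b in data)


def is_nul_free(buf: bytes) -> bool:
    """A buffer that must survive a C-string copy cannot contain 0x00."""
    return b"\x00" not in buf


def recover_single_byte_xor(blob: bytes, marker: bytes):
    """Try every key 1..255; return (key, payload) for the first decoding that
    contains `marker`, or None if no key produces it."""
    for key in range(1, 256):
        candidate = xor_bytes(blob, key)
        if marker in candidate:
            return key, candidate
    return None


# Constructed sample: a fake "payload" with embedded zeros (a NUL-terminated
# string plus zero padding) standing in for the NULs a real shellcode has.
PAYLOAD = b"cmd.exe\x00" + bytes([0x00, 0x00, 0x41, 0x42])
# Constructed key; it equals none of the payload's byte values, which is
# exactly why the encoded result has no 0x00 in it.
KEY = 0x99

# The blob as it would arrive on the wire: NUL-free, so a C-string copy
# delivers it intact to the decoder stub that precedes it.
BLOB = xor_bytes(PAYLOAD, KEY)

if __name__ == "__main__":
    print("payload NUL-free:", is_nul_free(PAYLOAD))   # False
    print("blob NUL-free:   ", is_nul_free(BLOB))      # True
    print("recovered:       ", recover_single_byte_xor(BLOB, b"cmd.exe"))
```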
See decoders.
These shellcodes have been worked on and are recognized by nepenthes.
| Nepenthes name | Official name1) | bind/c’tback | Encoder? | Multiple stages? | Service(s) exploited | Remarks |
|---|---|---|---|---|---|---|
| Link-shellcode2) | - | connectback | yes | yes | DCOM & LSASS | recognized, see analysis. |
Make sure to use the template when creating a detailed page for a shellcode.