Chapter 22. Alternative Payload Strategies
If you browse a shellcode archive, you will normally see operating-system specific variants on the following themes:
passive connect ("reverse shell")
Reverse shell using
This list comprises the basic, shell-based types of exploit code that are most often posted to mailing lists and most security Web sites. Although a number of complex issues related to the development of this kind of traditional shellcode exist, you will sometimes find situations in which it's necessary for you to do something beyond developing traditional shellcode — perhaps because there's a more direct way to achieve your objective, or because there's some defense mechanism that blocks traditional shellcode, or perhaps just because you prefer to use a more interesting or obscure method.
So, this chapter won't cover traditional shellcode; instead, we'll focus on the more subtle or unusual things that arbitrary code executed in a target process can do — such as modifying the code of the process while it's running, manipulating the operating system directly to add users or change configurations, or using covert channels to transmit data from the target host. If this book were a menagerie of exploits, this chapter would contain the Manatee, the Aardvark, the Duck-billed Platypus, and even the Dragon.
We'll also deal with a few generic shellcode tricks and tips, mostly for the ...