
shellcode

1. When hackers successfully exploit vulnerabilities like buffer overflows, they will typically open a shell at the end of the exploit. With a command-line shell, the hacker will then be able to carry out any task they desire. However, opening shells within buffer overflow exploits can be difficult. Therefore, hackers often maintain libraries of "shellcode": code fragments for various operating systems that can be pasted into buffer overflow exploits.

Key point: One of the difficulties in writing shellcode is that it needs to pass through filters. For example, when exploiting a bug in an SMTP server, you may find that the server strips the high-order bit from all bytes (i.e. it will pass text but not binary). Therefore, all bytes between 0x00-0x7F will pass through, but not 0x80-0xFF. Another big limitation is systems that won't pass NUL characters (0x00), because they terminate strings in functions like strcpy(). Therefore, when a hacker picks shellcode to append to their script, they must be fully aware of the limitations of the system they are dealing with.

Key point: When creating new shellcode, create a C program that calls something like system("/bin/sh"); or execve("/bin/sh",0,0); and grab the assembly output. At that point, pare it down to what you need. This requires extensive knowledge of assembly, needless to say.

Key point: Sometimes you won't be able to grab a shell, so you have to create the exploit script to run a command. Typical choices of commands would be those that change passwords, add accounts, or in some fashion open up some other hole on the system.

Key point: The vast majority of buffer overflow attacks will execute /bin/sh. Therefore, by simply removing this program (or replacing it with something that double-checks what's being done), you can protect yourself against many 0-day exploits.

From Hacking-Lexicon
Source: Linux Dictionary (version 0.12)
Author: Binh Nguyen, linuxfilesystem(at)yahoo(dot)com(dot)au

This Linux Dictionary is distributed under the GNU Free Documentation License. The online version is at http://www.tldp.org/LDP/Linux-Dictionary/html/index.htm
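The last key point above suggests replacing /bin/sh with something that double-checks what is being done. The following guard script is an added example (not from the dictionary or the Hacking-Lexicon) of what such a replacement can look like: it assumes the real shell has been moved to /bin/sh.real, uses a constructed list of daemon names that should never spawn a shell, logs every request through logger, and refuses the shell when the parent process is one of those daemons.

```shell
# Added example, not part of the dictionary entry: a guard script meant to be
# installed AS /bin/sh after moving the real shell to /bin/sh.real (both paths
# are assumptions). It logs who asked for a shell, refuses when the parent is a
# network daemon that should never spawn one, and otherwise runs the real shell.
# No interpreter line is given on purpose: once installed, the first line must
# name the real shell (#!/bin/sh.real), never /bin/sh, or it would recurse.

REAL_SH=/bin/sh.real
# Constructed deny list: parent command names that have no business spawning a shell.
DENY_PARENTS="smtpd sendmail httpd nginx named"

# Command name of process $1 as reported by ps (empty if it cannot be read;
# on Linux this is the kernel comm field, truncated to 15 characters).
parent_comm() {
    ps -o comm= -p "$1" 2>/dev/null | sed 's/^[[:space:]]*//'
}

# Policy: prints "deny" if $1 is a listed daemon name, otherwise "allow".
sh_guard_decision() {
    for name in $DENY_PARENTS; do
        if [ "$1" = "$name" ]; then
            echo deny
            return 0
        fi
    done
    echo allow
}

# One audit line in a fixed key=value format so a log pipeline can match on it.
# $1 = parent pid, $2 = parent command, $3 = decision, remaining = shell arguments.
sh_guard_log_line() {
    ppid=$1; pcomm=$2; decision=$3; shift 3
    printf 'sh-guard ppid=%s parent=%s decision=%s args=%s\n' "$ppid" "$pcomm" "$decision" "$*"
}

sh_guard_main() {
    pcomm=$(parent_comm "$PPID")
    decision=$(sh_guard_decision "$pcomm")
    sh_guard_log_line "$PPID" "$pcomm" "$decision" "$@" | logger -t sh-guard 2>/dev/null || :
    if [ "$decision" = deny ]; then
        exit 126
    fi
    exec "$REAL_SH" "$@"
}

# Act as the wrapper only when running under the installed name; loading this
# file under any other name (for instance to test the policy) must not exec a shell.
case "$0" in
    /bin/sh|sh|-sh) sh_guard_main "$@" ;;
esac
```

Every script whose interpreter line is #!/bin/sh also passes through this guard, so the deny list must only name processes that never legitimately run shell scripts.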