Re: FreeBSD shellcode
From: Bruno Morisson (morisson genhex.org)
Date: Tue Sep 21 2004 - 03:29:09 CDT
Check out http://packetstorm.widexs.nl/0007-exploits/7350qpop.c
* The pop pointer has to be exact, if it hits one of the forbidden characters
* (0x0a, 0x41-0x5b, 0x80-0x9f) you're out of luck. The return address can be
* modified in a window of about 50 bytes, this is enough.
It seems you're hitting the forbidden range...
regards
--
Bruno Morisson <morisson genhex.org>
Joshua Davis wrote:
> Hi. I developed some simple shellcode and sent it to my FreeBSD box along
> with a custom format string to exploit Qpop 2.53. When the shellcode didn't
> work and GDB reported 'illegal instruction', I compared and contrasted. To
> my surprise, Qpop or FreeBSD had taken the bytes 0x80, 0x88, and 0x89 from my
> shellcode. Does anyone have any idea why this occurred? I assume a range of
> values is being excluded. 0x79 was fine.
>