Re: FreeBSD shellcode

[Bruno Morisson <morisson () genhex org>]

Check out http://packetstorm.widexs.nl/0007-exploits/7350qpop.c

 * The pop pointer has to be exact, if it hits one of the forbidden 
characters
 * (0x0a, 0x41-0x5b, 0x80-0x9f) you're out of luck. The return address 
can be
 * modified in a window of about 50 bytes, this is enough.

It seems you're hitting the forbidden range...

regards
--
Bruno Morisson <morisson () genhex org>

Joshua Davis wrote:
>   Hi.  I developed some simple shellcode and sent it to my FreeBSD box along 
> with a custom format string to exploit Qpop 2.53.  When the shellcode didn't 
> work and GDB reported 'illegal instruction', I compared and contrasted.  To 
> my suprise, Qpop or FreeBSD had taken the bytes 0x80, 0x88, and 0x89 from my 
> shellcode.  Does anyone have any idea why this occurred?  I assume a range of 
> values is being exclused.  0x79 was fine.

Attachment: signature.asc
Description: OpenPGP digital signature