Vulnerability Development mailing list archives
Re: FreeBSD shellcode
From: Bruno Morisson <morisson () genhex org>
Date: Tue, 21 Sep 2004 09:29:09 +0100
Check out http://packetstorm.widexs.nl/0007-exploits/7350qpop.c

 * The pop pointer has to be exact, if it hits one of the forbidden characters
 * (0x0a, 0x41-0x5b, 0x80-0x9f) you're out of luck. The return address can be
 * modified in a window of about 50 bytes, this is enough.

It seems you're hitting the forbidden range...

regards

--
Bruno Morisson <morisson () genhex org>

Joshua Davis wrote:
> Hi. I developed some simple shellcode and sent it to my FreeBSD box along
> with a custom format string to exploit Qpop 2.53. When the shellcode didn't
> work and GDB reported 'illegal instruction', I compared and contrasted. To my
> surprise, Qpop or FreeBSD had taken the bytes 0x80, 0x88, and 0x89 from my
> shellcode. Does anyone have any idea why this occurred? I assume a range of
> values is being excluded. 0x79 was fine.
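An added example, not code from the thread or from 7350qpop.c: a small C checker that applies the byte filter named in the quoted comment (0x0a, 0x41-0x5b, 0x80-0x9f) to a payload and to candidate return addresses within the "about 50 bytes" window the comment mentions. The sample instruction bytes and the stack address are constructed for illustration and are not the poster's shellcode or a real qpopper address; the thread does not say why qpopper drops these bytes, so the ranges are taken as given.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Byte filter as stated in the 7350qpop.c comment quoted above:
 * 0x0a, 0x41-0x5b and 0x80-0x9f may not appear in what reaches the
 * format string. The thread does not explain the filter, so the ranges
 * are applied as given.
 */
static int is_forbidden(unsigned char b)
{
    return b == 0x0a || (b >= 0x41 && b <= 0x5b) || (b >= 0x80 && b <= 0x9f);
}

/*
 * Scan a payload and record where the filter would bite. Returns the total
 * number of forbidden bytes; only the first max_out offsets are stored.
 */
size_t scan_payload(const unsigned char *p, size_t len,
                    size_t *bad_offsets, size_t max_out)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        if (is_forbidden(p[i])) {
            if (n < max_out)
                bad_offsets[n] = i;
            n++;
        }
    }
    return n;
}

/* True if all four little-endian bytes of a 32-bit address pass the filter. */
int addr_is_clean(uint32_t addr)
{
    for (int i = 0; i < 4; i++)
        if (is_forbidden((unsigned char)(addr >> (8 * i))))
            return 0;
    return 1;
}

/*
 * The comment says the return address may be moved within a window of
 * about 50 bytes. Walk [base, base+window) and return the first address
 * whose bytes all pass, or 0 if the whole window is unusable.
 */
uint32_t find_clean_addr(uint32_t base, unsigned window)
{
    for (unsigned off = 0; off < window; off++)
        if (addr_is_clean(base + off))
            return base + off;
    return 0;
}

/*
 * Constructed sample, not the poster's shellcode: a few i386 instructions
 * chosen so that 0x80, 0x88 and 0x89 (the bytes he saw vanish) all occur,
 * plus 0x79, which he reported as fine.
 */
static const unsigned char sample[] = {
    0x31, 0xc0,         /* xor eax,eax */
    0x89, 0xc3,         /* mov ebx,eax      : 0x89 is in 0x80-0x9f */
    0x88, 0x46, 0x07,   /* mov [esi+7],al   : 0x88 in 0x80-0x9f, 0x46 ('F') in 0x41-0x5b */
    0x80, 0x36, 0x01,   /* xor byte [esi],1 : 0x80 in 0x80-0x9f */
    0x79, 0x02,         /* jns +2           : 0x79 passes */
    0xcd, 0x80          /* int 0x80         : the i386 FreeBSD syscall gate carries 0x80 */
};

/* Number of bytes in the constructed sample the filter would reject. */
size_t sample_bad_count(void)
{
    size_t off[sizeof sample];
    return scan_payload(sample, sizeof sample, off, sizeof sample);
}

int main(void)
{
    size_t off[sizeof sample];
    size_t n = scan_payload(sample, sizeof sample, off, sizeof sample);
    printf("%zu forbidden byte(s) in %zu-byte sample:", n, sizeof sample);
    for (size_t i = 0; i < n; i++)
        printf(" [%zu]=0x%02x", off[i], sample[off[i]]);
    putchar('\n');

    /* Constructed stack address; 0x41 in the low byte trips the filter. */
    uint32_t base = 0xbfbffa41u;
    uint32_t a = find_clean_addr(base, 50);
    if (a)
        printf("first clean address in window: 0x%08x (+%u)\n", a, (unsigned)(a - base));
    else
        printf("no clean address within window\n");
    return 0;
}
```

Running the scanner over a payload before sending it tells you up front which bytes the target will strip, instead of finding out from an 'illegal instruction' in gdb. Two things the sample makes visible: a modrm byte can land in 0x41-0x5b just as easily as an opcode can land in 0x80-0x9f, and on i386 FreeBSD the syscall instruction itself, int 0x80, encodes as cd 80, so shellcode for this target has to produce that byte at run time (a decoder or self-modifying stub) rather than carry it in the clear.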
Current thread:
- FreeBSD shellcode Joshua Davis (Sep 20)
- Re: FreeBSD shellcode Bruno Morisson (Sep 22)