Vulnerability Development: Re: FreeBSD shellcode

Re: FreeBSD shellcode

From: Bruno Morisson <morisson_at_genhex.org>
Date: Tue, 21 Sep 2004 09:29:09 +0100

Check out http://packetstorm.widexs.nl/0007-exploits/7350qpop.c

  * The pop pointer has to be exact, if it hits one of the forbidden characters
  * (0x0a, 0x41-0x5b, 0x80-0x9f) you're out of luck. The return address can be
  * modified in a window of about 50 bytes, this is enough.

It seems you're hitting the forbidden range...

regards

--
Bruno Morisson <morisson_at_genhex.org>
Joshua Davis wrote:
>   Hi.  I developed some simple shellcode and sent it to my FreeBSD box along
> with a custom format string to exploit Qpop 2.53.  When the shellcode didn't
> work and GDB reported 'illegal instruction', I compared and contrasted.  To
> my surprise, Qpop or FreeBSD had taken the bytes 0x80, 0x88, and 0x89 from my
> shellcode.  Does anyone have any idea why this occurred?  I assume a range of
> values is being excluded.  0x79 was fine.
> 

Received on Sep 22 2004