[9653] in bugtraq
Re: Mail-Max Remote Buffer Overflow Exploit
daemon@ATHENA.MIT.EDU (pw)
Thu Feb 18 20:34:19 1999
Date: Tue, 16 Feb 1999 18:54:15 -0500
Reply-To: pw <pw@NACS.NET>
From: pw <pw@NACS.NET>
X-To: der Mouse <mouse@RODENTS.MONTREAL.QC.CA>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <199902160605.BAA22573@Twig.Rodents.Montreal.QC.CA>
On Tue, 16 Feb 1999, der Mouse wrote:
Hehe, my bad. For some stupid reason, when I was writing that I thought
17h (pop ss) was ret. I really meant C3h, which is ret. :) When I
say ret I am referring to the x86 assembly language instruction. When I
was using ret in the exploit code, mailmax would stop overflowing the
buffer at it. So I changed the ret to "pop eax; jmp eax" and it never
gave me trouble like that again.
> > When putting code in the buffer to execute there are no major
> > restrictions on character set. The only character I found to
> > interfere besides null was 17h (ret).
>
> It's not clear which character you're referring to here.
>
> RET is not one of the ASCII mnemonics. You could plausibly be
> referring to CR, carriage return, or NL, newline (the latter also known
> as LF, line feed). CR is octal 15, hex 0d, decimal 13, while NL is
> octal 12, hex 0a, decimal 10.
>
> 17 hex is ETB. 17 octal is SI. 17 decimal is DC1.
>
> der Mouse
>
> mouse@rodents.montreal.qc.ca
> 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B
>