Re: Mail-Max Remote Buffer Overflow Exploit

[pw () NACS NET (pw)]

On Tue, 16 Feb 1999, der Mouse wrote:

Hehe, my bad.  For some stupid reason when I was writing that I thought
17h (pop ss) was ret.  I really meant C3h which is ret. :)  When I
say ret I am referring to the x86 assembly language instruction.  When I
was using ret in the exploit code mailmax would stop overflowing the
buffer at it.  So I changed the ret to "pop eax; jmp eax" and it never
gave me trouble like that again.


> > When putting code in the buffer to execute there are no major
> > restrictions on character set.  The only character I found to
> > interfere besides null was 17h (ret).
>
> It's not clear which character you're referring to here.
>
> RET is not one of the ASCII mnemonics.  You could plausibly be
> referring to CR, carriage return, or NL, newline (the latter also known
> as LF, line feed).  CR is octal 15, hex 0d, decimal 13, while NL is
> octal 12, hex 0a, decimal 10.
>
> 17 hex is ETB.  17 octal is SI.  17 decimal is DC1.
>
>                                       der Mouse
>
>                              mouse () rodents montreal qc ca
>                    7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B