Bugtraq mailing list archives
Re: Mail-Max Remote Buffer Overflow Exploit
From: pw () NACS NET (pw)
Date: Tue, 16 Feb 1999 18:54:15 -0500
On Tue, 16 Feb 1999, der Mouse wrote:

> > When putting code in the buffer to execute there are no major restrictions on character set. The only character I found to interfere besides null was 17h (ret).
>
> It's not clear which character you're referring to here. RET is not one of the ASCII mnemonics. You could plausibly be referring to CR, carriage return, or NL, newline (the latter also known as LF, line feed). CR is octal 15, hex 0d, decimal 13, while NL is octal 12, hex 0a, decimal 10. 17 hex is ETB. 17 octal is SI. 17 decimal is DC1.
>
> der Mouse
> mouse () rodents montreal qc ca
> 7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B

Hehe, my bad. For some stupid reason when I was writing that I thought 17h (pop ss) was ret. I really meant C3h, which is ret. :) When I say ret I am referring to the x86 assembly language instruction. When I was using ret in the exploit code, mailmax would stop overflowing the buffer at it. So I changed the ret to "pop eax; jmp eax" and it never gave me trouble like that again.
Current thread:
- Mail-Max Remote Buffer Overflow Exploit pw (Feb 13)
- <Possible follow-ups>
- Re: Mail-Max Remote Buffer Overflow Exploit der Mouse (Feb 15)
- Re: Mail-Max Remote Buffer Overflow Exploit pw (Feb 16)