Bugtraq mailing list archives

gdb bug


From: digit2004 () optonline net
Date: Thu, 24 Jan 2008 21:49:16 +0000 (GMT)

--- Begin Message ---
From: digit2004 () optonline net
Date: Mon, 21 Jan 2008 00:55:53 +0000 (GMT)
Self-corrupted gdb (which gdb itself is warning about), corrupting the stack that by chance has a jump instruction causing a loop. An attacker can exploit this vulnerability to inject malicious commands to be run under the permissions of the current gdb session. Affects gdb 6.*-7.*, I tested.

asterisk exploit

gdb asterisk
ctrl+c
r asterisk
ctrl+c
r asterisk -r      <----- reason for crash (-r is a flag for asterisk; gdb mistakes this for run, not run)
x 0xb7e7dde8
r
ret 0xb7e7dde8
Program received signal SIGINT, Interrupt.
[Switching to Thread -1211655968 (LWP 3208)]
0xb7e7dde8 in poll () from /lib/tls/libc.so.6
(gdb) ret 0xb7e7dde8
Make selected stack frame return now? (y or n) y
Breakpoint 1, 0x080a5e17 in main ()
(gdb) ret 0xb7e7dde8
#0  0xb7db9ea4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb) backtrace
#0  0xb7db9ea4 in __libc_start_main () from /lib/tls/libc.so.6
#1  0x080554f1 in _start ()
Program received signal SIGINT, Interrupt.
[Switching to Thread -1211655968 (LWP 3208)]
0xb7e7dde8 in poll () from /lib/tls/libc.so.6
internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n)
Please answer y or n.
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n)
poll failed: No such file or directory
x86*CLI> Aborted
0xb7e101c2
0xb7e1021e <glob64+22478>:      0xff
(gdb) x86*CLI> x86*CLI> x86*CLI> x8
0x7e1012b6 <-----
0x7e10126e
0x080a5554
0xb7e10012 <posix_fallocate+258>:        "\002"
0xb7e10012 <posix_fallocate+258>:        "\002"
(gdb)
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*C
ret 0xb7e101de
x/s 0xb7e0fde8
0xb7e10887 <sendfile64+1319>:   "\213EØ\215µtûÿÿ\211t$\b\211D$\004è³\230ÿÿ\205À\017\210;ÿÿÿ\213M\020\213\205xûÿÿ\2139\213q\004\211½\bûÿÿ\213\225\bûÿÿ\211µ\fûÿÿ\213½tûÿÿ\213\215\fûÿÿ1×1Á\tù\017\205\003ÿÿÿ\213Uà\211\225(ûÿÿ\211\225pûÿÿ\213µ(ûÿÿ\205öto\213½(ûÿÿ¹,"
(gdb)
x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*C
0xb7edb350 <system>
0xb7e10348 <sendfile+40>:        "\201Á\224§\006"
ebx            0xbfa6c69c       -1079589220
esp            0xbfa6c45c       0xbfa6c45c
ebp            0xbfa6c468       0xbfa6c468
esi            0xbfa6c71a       -1079589094
edi            0xb7e7aadc       -1209554212
eip            0xb7e0fde8       0xb7e0fde8 <poll+56>
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
mxcsr          0x1f80   8064
mm0            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm1            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm2            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm3            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm4            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm5            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm6            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm7            {uint64 = 0xe41900e9e96363f9, v2_int32 = {0xe96363f9, 0xe41900e9}, v4_int16 = {0x63f9, 0xe963, 0xe9, 0xe419}, v8_int8 = {0xf9, 0x63, 0x63, 0xe9, 0xe9, 0x0, 0x19, 0xe4}}
0xb7e4e90b 0x080a806c 0x80a8791  0x80a933e 0x80aa391
0x80afc9c <aes_encrypt+1356>:    ""
(gdb) x/a8 0x0a106
A syntax error in expression, near `0x0a106'.
(gdb) call 0x0a106
$2 = 41222
(gdb) ret 0x0a106
Make selected stack frame return now? (y or n)
#0  0x080a5554 in ast_safe_system ()
(gdb) ret 0x0a106
Make selected stack frame return now? (y or n) y
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*C
build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)
Please answer y or n.
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
0xb7f8e350
0xb7f8e505:      "\207߸®"
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n) y
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)
Please answer y or n.
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n) n
#0  0xb7e8dde8 in poll () from /lib/tls/libc.so.6
#1  0x080a5554 in ast_safe_system ()
x/0xcd b7e8de85
#0  0xb7e8dde8 in ?? () from /lib/tls/libc.so.6
#1  0x080a5554 in ?? ()
(gdb) ret 0x80a5554
Make selected stack frame return now? (y or n) y
0xb7e8de85 <posix_fadvise+37>:  0xcd
(gdb)
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*
(gdb) backtrace
#0  0x080a5554 in ast_safe_system ()
(gdb)
0x80a55ac <ast_safe_system+2126>:       0x0b
(gdb)
0x80a55e6 <ast_safe_system+2184>:       0x20
(gdb)
x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
0x80a55b9 4
0x
0x080a4d81 <ast_safe_system+35>:        je     0x80a4e34 <ast_safe_system+214>
0x080a4d9d <ast_safe_system+63>:        je     0x80a4e52 <ast_safe_system+244>
0x080a4da3 <ast_safe_system+69>:        jle    0x80a4ea5 <ast_safe_system+327>
0x080a4de1 <ast_safe_system+131>:       call   0x8054e48 <pthread_mutex_lock@plt>
0x080a4da9 <ast_safe_system+75>:        lea    0x68(%esp),%ebp
0x080a4dad <ast_safe_system+79>:        lea    0x20(%esp),%edi
0x080a50cd <ast_safe_system+879>:       call   0x80551a8 <snprintf@plt>
0x080a50d2 <ast_safe_system+884>:       cmpb   $0x0,0x1c(%esp)
0x080a50d7 <ast_safe_system+889>:       je     0x80a5114 <ast_safe_system+950>
0x080a50d9 <ast_safe_system+891>:       mov    0x81093c0,%edx
0x080a50df <ast_safe_system+897>:       test   %edx,%edx
0x080a50e1 <ast_safe_system+899>:       je     0x80a53b7 <ast_safe_system+1625>
0x080a50e7 <ast_safe_system+905>:       mov    0x81093bc,%eax
0x080a50ec <ast_safe_system+910>:       test   %eax,%eax
0x080a50ee <ast_safe_system+912>:       je     0x80a53b7 <ast_safe_system+1625>
0x080a50f4 <ast_safe_system+918>:       lea    0x1c(%esp),%eax
0x080a50f8 <ast_safe_system+922>:       mov    %eax,0xc(%esp)
0x080a50fc <ast_safe_system+926>:       movl   $0x12,0x8(%esp)
0x080a5104 <ast_safe_system+934>:       lea    0x6c(%esp),%eax
0x080a5108 <ast_safe_system+938>:       mov    %eax,0x4(%esp)
0x080a51a7 <ast_safe_system+1097>:      call   0x805fd1e <ast_active_channels>
0x080a51ac <ast_safe_system+1102>:      mov    $0x80eac4a,%edx
0x080a51b1 <ast_safe_system+1107>:      test   %eax,%eax
0x080a51b3 <ast_safe_system+1109>:      jne    0x80a51ba <ast_safe_system+1116>
0x080a510c <ast_safe_system+942>:       mov    %edx,(%esp)
0x080a5308 <ast_safe_system+1450>:      call   0x8054ef8 <execvp@plt>
0xb7f77365 <system+21>:  "\211\004$èg\215ÿÿZ[]Ã", '\220' <repeats 15 times>, "U\211å\203ì\b\211|$\004\213}\b\2114$e\2135\b
0x080a5375 <ast_safe_system+1559>:      jmp    0x80a5199 <ast_safe_system+1083>
0x080a537a <ast_safe_system+1564>:      call   0x805fd1e <ast_active_channels>
0x080a537f <ast_safe_system+1569>:      mov    $0x80eac04,%edx
0x080a5384 <ast_safe_system+1574>:      test   %eax,%eax
0x080a5386 <ast_safe_system+1576>:      jne    0x80a538d <ast_safe_system+1583>
0x080a5388 <ast_safe_system+1578>:      mov    $0x80eac4c,%edx
0x080a538d <ast_safe_system+1583>:      mov    %edi,0x8(%esp)
0x080a5391 <ast_safe_system+1587>:      mov    %edx,0x4(%esp)
0x080a5395 <ast_safe_system+1591>:      movl   $0x80eac0e,(%esp)
0x080a539c <ast_safe_system+1598>:      call   0x8056989 <ast_verbose>
0x080a53a1 <ast_safe_system+1603>:      jmp    0x80a5199 <ast_safe_system+1083>
0x080a53a6 <ast_safe_system+1608>:      movl   $0x80ebaec,(%esp)
0x080a53ad <ast_safe_system+1615>:      call   0x8056989 <ast_verbose>
0x080a53b2 <ast_safe_system+1620>:      jmp    0x80a5143 <ast_safe_system+997>
0x080a53b7 <ast_safe_system+1625>:      call   0x80a3de7 <ast_set_priority+2778>
0x080a53bc <ast_safe_system+1630>:      mov    0x81093c0,%edx
0x080a53c2 <ast_safe_system+1636>:      jmp    0x80a50f4 <ast_safe_system+918>
0x080a53c7 <ast_safe_system+1641>:      mov    $0x80e7f14,%eax
0x080a53cc <ast_safe_system+1646>:      jmp    0x80a501e <ast_safe_system+704>
0x080a53d1 <ast_safe_system+1651>:      sub    $0xc,%esp
0x080a53d4 <ast_safe_system+1654>:      mov    $0x1,%eax
0x080a56f7 <ast_safe_system+2457>:      mov    %eax,(%esp)
0x080a56fa <ast_safe_system+2460>:      call   0x8054a78 <fprintf@plt>
0x080a56ff <ast_safe_system+2465>:      call   0x808c708 <term_quit>
0x080a59c2 <ast_safe_system+3172>:      je     0x80a59e6 <ast_safe_system+3208>
0x080a59c4 <ast_safe_system+3174>:      movl   $0x0,0xc(%esp)
0x080a59cc <ast_safe_system+3182>:      movl   $0xa,0x8(%esp)
0x080a59d4 <ast_safe_system+3190>:      movl   $0x0,0x4(%esp)
0x080a59dc <ast_safe_system+3198>:      mov    %ebx,(%esp)
0x080a59df <ast_safe_system+3201>:      call   0x8054ec8 <__strtol_internal@plt>
0x080a59e4 <ast_safe_system+3206>:      mov    %eax,%ebp
0x080a59e6 <ast_safe_system+3208>:      mov    0x81093b8,%eax
0x080a59eb <ast_safe_system+3213>:      mov    %eax,0xc(%esp)
0x080a59ef <ast_safe_system+3217>:      movl   $0x80eacc4,0x8(%esp)
0x080a59f7 <ast_safe_system+3225>:      movl   $0x50,0x4(%esp)
0x080a59ff <ast_safe_system+3233>:      lea    0x20(%esp),%ebx
0x080a5a03 <ast_safe_system+3237>:      mov    %ebx,(%esp)
0x080a5a06 <ast_safe_system+3240>:      call   0x80551a8 <snprintf@plt>
0x080a5a0b <ast_safe_system+3245>:      mov    %ebx,%edx
0x080a5a0d <ast_safe_system+3247>:      mov    0x8104178,%eax
<ast_safe_system+2185>:       0xff
(gdb)
x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86
(0100 times 3 pages) When I type ret and halfway through the address it prints x86*CLI> for 3 pages (even after I let it idle for a while).
0x80a560a <ast_safe_system+2220>:       0x00
(gdb)
x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*C
very large, keeps going 100x
0x80a56a0 <ast_safe_system+2370>:       0x04
0x80a5736 <ast_safe_system+2520>:       0x08
(gdb) x86*CLI> x86*CLI> x86*CLI>
0x80a5737 <ast_safe_system+2521>:       0xe8
(gdb)
x86@3[newsploit]$ gdb gdb
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) x 0x80a561b
0x80a561b <validate_actionline+606>:    0xfd1400e8
(gdb)
0x80a561f <validate_actionline+610>:    0xec4589ff
(gdb)
0x80a5623 <validate_actionline+614>:    0xffff60e9
(gdb)
0x80a5627 <validate_actionline+618>:    0x2444c7ff
(gdb)
0x80a562b <validate_actionline+622>:    0x0a250704
(gdb)
0x80a562f <validate_actionline+626>:    0x24348908
(gdb)
0x80a5633 <validate_actionline+630>:    0x006825e8
(gdb)
0x80a5637 <validate_actionline+634>:    0x0fc08500
(gdb)
0x80a563b <validate_actionline+638>:    0x00008f84
(gdb)
0x80a563f <validate_actionline+642>:    0xec4d8b00
Program received signal SIGINT, Interrupt.
0xb7e55de8 in poll () from /lib/tls/libc.so.6
(gdb) x 0xb7e55de8
0xb7e55de8 <poll+56>:   0x003dfb87
(gdb)
0xb7e55dec <poll+60>:   0x89fffff0
(gdb)
0xb7e55df0 <poll+64>:   0x893b77c7
(gdb) backtrace
#0  0xb7e55de8 in poll () from /lib/tls/libc.so.6
#1  0x08112244 in gdb_do_one_event ()
#2  0x0810f303 in catch_errors ()
#3  0x080bbd21 in _initialize_tui_hooks ()
#4  0x0810f59b in current_interp_command_loop ()
#5  0x080779cb in main ()
(gdb) ret 0x9010f5cb
#0  0x08112244 in gdb_do_one_event ()
x/s $eip
0x8113d33 <inferior_event_handler_wrapper+49>:   "ÉÃ", '\220' <repeats 11 times>, "U\211å¡Ði(\b]ÃU\211å1À]ÃU\211åWVS\203ì\034Ç\004$\004"
(gdb)
0x81183b3 <gdbarch_pseudo_register_write+216>:  "Ç\004$|^#\bèepöÿU\211å\213U\f\213E\b\211Pt]ÃU\211åS\203ì\024\213]\b\205Ût/\213Cx\203øÿtk\203=ðã(\b\001~\030ÇD$\004áZ#\b¡h!*\b\211\004$èQ\200öÿ\213Cx\203Ä\024[]ÃÇD$\b\005"
(gdb)
0x811b40d <set_gdbarch_unwind_sp+15>:    "]ÃU\211åVS\203ì \213]\b\213u\f\205Ût9\213\213X\001"
(gdb)
0x811b426 <gdbarch_deprecated_saved_pc_after_call+23>:   ""
(gdb)
0x811b427 <gdbarch_deprecated_saved_pc_after_call+24>:  "\205Éts\203=ðã(\b\001~\033ÇD$\004ü¤#\b¡h!*\b\211\004$è\tPöÿ\213\213X\001"
(gdb)
0x811b44e <gdbarch_deprecated_saved_pc_after_call+63>:   ""
(gdb)
0x811b44f <gdbarch_deprecated_saved_pc_after_call+64>:   "\211u\b\203Ä [^]ÿáÇD$\b\005"
(gdb)
0x811b460 <gdbarch_deprecated_saved_pc_after_call+81>:   ""
(gdb)
0x811b461 <gdbarch_deprecated_saved_pc_after_call+82>:   ""
(gdb)
0x811b462 <gdbarch_deprecated_saved_pc_after_call+83>:   "ÇD$\004\226s \bÇ\004$"
(gdb)
(it's jumping around) possible jmp trick exploit found
0x811b5d5 <set_gdbarch_frame_num_args+15>:       "]ÃU\211åVS\203ì \213]\b\213u\f\205Ût9\213\213`\001"
(gdb)
0x811b5ee <gdbarch_deprecated_stack_align+23>:   ""
(gdb)
0x811b5ef <gdbarch_deprecated_stack_align+24>:  "\205Éts\203=ðã(\b\001~\033ÇD$\004\224¥#\b¡h!*\b\211\004$èANöÿ\213\213`\001"
(gdb)
0x811b616 <gdbarch_deprecated_stack_align+63>:   ""
(gdb)
0x811cfb5 <deprecated_register_gdbarch_swap+52>:        "\213\023\213E\020\211B\b\213E\b\211\002\213E\f\211B\004\203Ä\004[]ÃU\211åVS\203ì \2135ài(\b\205ötW\213^$\205Ût=\213C\004\213\v\213\020\213@\004\211D$\b\211T$\004\211\f$诣õÿ\213C\004\213\020\213@\004\211D$\bÇD$\004"
(gdb)
(being run as regular user)
Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)
Program exited with code 01.
(gdb) run asterisk -r |
Starting program: /usr/sbin/asterisk asterisk -r |
/bin/bash: -c: line 1: syntax error: unexpected end of file
Program exited with code 02.
You can't do that without a process to debug.
(gdb) run asterisk -r |
x86*CLI> x86*CLI> x86*CLI> Quit
(gdb) run asterisk -vvvvvc
Starting program: /usr/sbin/asterisk asterisk -vvvvvc
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
[Thread debugging using libthread_db enabled]
[New Thread -1212167968 (LWP 32289)]
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
Unable to open pid file '/var/run/asterisk/asterisk.pid': Permission denied
[New Thread -1212171344 (LWP 32293)]
[Thread -1212171344 (LWP 32293) exited]
Unable to bind socket to /var/run/asterisk/asterisk.ctl: Address already in use
  == Parsing '/etc/asterisk/asterisk.conf': Not found (Permission denied)
  == Parsing '/etc/asterisk/extconfig.conf': Not found (Permission denied)
Asterisk 1.2.7.1, Copyright (C) 1999 - 2006 Digium, Inc. and others.
Created by Mark Spencer <markster () digium com>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'show license' for details.
=========================================================================
  == Parsing '/etc/asterisk/logger.conf': Not found (Permission denied)
Unable to open logger.conf: Permission denied
r
Jan 18 07:36:58 ERROR[32289]: logger.c:625 init_logger: Unable to create event log: Permission denied
#0  0xb7da1ea4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080554f1 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)
\f\213E\b\211]ôè³\213ÿÿ\201ÃÍ4"
(gdb)
0xb7f7b70c <pthread_getaffinity_np@@GLIBC_2.3.4+28>:     ""
(gdb)
0xb7f7b70d <pthread_getaffinity_np@@GLIBC_2.3.4+29>:     "\211}ü\205ö\213U\020\213xH\211ñxJ\207߸ò"
(gdb)
0xb7f7b721 <pthread_getaffinity_np@@GLIBC_2.3.4+49>:     ""
(gdb)
0xb7f7b722 <pthread_getaffinity_np@@GLIBC_2.3.4+50>:     ""
(gdb)
0xb7f7b723 <pthread_getaffinity_np@@GLIBC_2.3.4+51>:     "Í\200\207û="
(gdb)
0xb7f7b729 <pthread_getaffinity_np@@GLIBC_2.3.4+57>:     "ðÿÿv\022\213]ô÷Ø\213uø\213}ü\211ì]Ã\215v"
(gdb)
0xb7f7b740 <pthread_getaffinity_np@@GLIBC_2.3.4+80>:     ")Æ\215\f\0021Ò\211t$\b\211T$\004\211\f$è\215\212ÿÿ\213]ô1À\213uø\213}ü\211ì]ùÿÿÿ\177ë¯\215v"
(gdb)
0xb7f7b770 <pthread_getaffinity_np@GLIBC_2.3.3>:         "U¹\200"
(gdb)
0xb7f7b774 <pthread_getaffinity_np@GLIBC_2.3.3+4>:       ""
(gdb)
0x000008ec in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080ec8c4 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080ec594 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x08110800 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0xb7f43bf6 in _dl_rtld_di_serinfo () from /lib/ld-linux.so.2
(gdb)
ret 0xb7da1ea4
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
#0  0x080554f1 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x00000001 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x00000000 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080ec8a6 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080ec640 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x08110800 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0xb7ece52e in in6addr_any () from /lib/tls/libc.so.6
(gdb) backtrace
#0  0xb7ece52e in in6addr_any () from /lib/tls/libc.so.6
#1  0xb7fb7eec in ?? ()
   () from /lib/tls/libpthread.so.0
(gdb) backtrace
#0  0xb7f3d312 in sysctl_args.0 () from /lib/tls/libpthread.so.0
#1  0xb7f61b30 in _dl_rtld_di_serinfo () from /lib/ld-linux.so.2
#2  0xb7f35717 in __pthread_initialize_minimal_internal () from /lib/tls/libpthread.so.0
#3  0xb7d62ea4 in __libc_start_main () from /lib/tls/libc.so.6
#4  0x080554f1 in ?? ()
   () from /lib/tls/libpthread.so.0
(gdb) backtrace
#0  0xb7f4a310 in sysctl_args.0 () from /lib/tls/libpthread.so.0
#1  0xb7f4a312 in sysctl_args.0 () from /lib/tls/libpthread.so.0
#2  0xb7f6eb30 in _dl_rtld_di_serinfo () from /lib/ld-linux.so.2
#3  0xb7f42717 in __pthread_initialize_minimal_internal () from /lib/tls/libpthread.so.0
#4  0xb7d6fea4 in __libc_start_main () from /lib/tls/libc.so.6
#5  0x080554f1 in ?? ()
#0  0xb7dd0ea4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080554f1 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Object file /usr/sbin/asterisk:  Objfile at 0x82efce8, bfd at 0x82de9c0, 1178 minsyms
Object file system-supplied DSO at 0xffffe000:  Objfile at 0x83334c8, bfd at 0x8303d50, 4 minsyms
Object file /lib/tls/libdl.so.2:  Objfile at 0x83999b8, bfd at 0x836be08, 31 minsyms
Object file /lib/tls/libpthread.so.0:  Objfile at 0x83aa900, bfd at 0x831eb80, 696 minsyms
Object file /lib/libncurses.so.5:  Objfile at 0x83dd1b0, bfd at 0x8359e08, 760 minsyms
Object file /lib/tls/libm.so.6:  Objfile at 0x8400e80, bfd at 0x8319958, 331 minsyms
---Type <return> to continue, or q <return> to quit---
Object file /lib/tls/libresolv.so.2:  Objfile at 0x84197f0, bfd at 0x831e8b0, 135 minsyms
Object file /usr/lib/i686/cmov/libssl.so.0.9.8:  Objfile at 0x842b9f0, bfd at 0x8359128, 665 minsyms
Object file /lib/tls/libc.so.6:  Objfile at 0x84590f0, bfd at 0x83b4338, 2120 minsyms
Object file /lib/ld-linux.so.2:  Objfile at 0x84c11e0, bfd at 0x83228f0, 32 minsyms
Object file /usr/lib/i686/cmov/libcrypto.so.0.9.8:  Objfile at 0x84c91e8, bfd at 0x8461160, 3344 minsyms
Program exited with code 01.
(gdb) x
0xb7da1ea5 <CAST_S_table0+60645>:        "PublicKey"
(gdb)
0xb7da1eaf <CAST_S_table0+60655>:        "i2d_RSA_NET"
(gdb)
0xb7da1ebb <CAST_S_table0+60667>:        "i2d_RSA_PUBKEY"
(gdb)
0xb7da1eca <CAST_S_table0+60682>:        "LONG_C2I"
(gdb)
0xb7da1ed3 <CAST_S_table0+60691>:        "OID_MODULE_INIT"
(gdb)
0xb7da1ee3 <CAST_S_table0+60707>:        "PARSE_TAGGING"
(gdb)
0xb7da1ef1 <CAST_S_table0+60721>:        "PKCS5_pb
0xb7da20c0 <CAST_S_table0+61184>:        "PBEPARAM"
(gdb)
0xb7da20c9 <CAST_S_table0+61193>:        "salt"
(gdb)
0xb7da20ce <CAST_S_table0+61198>:        "iter"
(gdb)
0xb7da20d3 <CAST_S_table0+61203>:        "p5_pbe.c"
(gdb)
0xb7da20dc <CAST_S_table0+61212>:        "PBKDF2PARAM"
(gdb)
0xb7da20e8 <CAST_S_table0+61224>:        "PBE2PARAM"
(gdb)
0xb7da20f2 <CAST_S_table0+61234>:        "keyfunc"
(gdb)
0xb7da20fa <CAST_S_table0+61242>:        "p5_pbev2.c"
(gdb)
0xb7da2105 <CAST_S_table0+61253>:        "PKCS8_PRIV_KEY_INFO"
(gdb)
0xb7da2119 <CAST_S_table0+61273>:        "pkeyalg"
(gdb)
0xb7da2121 <CAST_S_table0+61281>:        "oid_section"
0xb7da21b8 <CAST_S_table0+61432>:        "strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf"              (string exploit here)
(gdb) disas 0xb7da31e4
Dump of assembler code for function CAST_S_table0:
Unable to open pid file '/var/run/asterisk/asterisk.pid': Permission denied
[New Thread -1211937872 (LWP 15438)]
Program received signal SIGINT, Interrupt.
[Switching to Thread -1211934496 (LWP 15437)]
0xb7e0654c in nanosleep () from /lib/tls/libc.so.6
(gdb) backtrace
#0  0xb7e0654c in nanosleep () from /lib/tls/libc.so.6
#1  0xb7e3ce2a in usleep () from /lib/tls/libc.so.6
#2  0x080b34a8 in test_for_thread_safety ()
#3  0x00000064 in ?? ()
#4  0x00000000 in ?? ()
null byte -
0xb7da33cc <STORE_param_sizes+348>:      "\n"
0xb7e7e770 <catanh+176>:         "ÝE\f\203þ\002\017\224À1Ò\203ÿ\002\017\224ÂÝ]Ø\205ÐÝE\024uÆÙ\203¤¯ÿÿÙÁÞÊÝE\fÝE\fÙÉØêÙÉØÂÙËÝUÐÙÉØÈÙËØÈÙËØÁÙËÞÁÝ\034$Ý]¨Ý]¸èj·ÿÿÝE¸ÙÉÝ]ØÝ\034$èZ·ÿÿÜmØÝE¨ÝE\024ÙÊØ\213è´ÿÿÙÊØÀÙÊÝ]ØÝE\fØÈÞéÜeÐÙóÝ]à\213E\bÝEàØ\213¨¯ÿÿÝEØéDÿÿÿ\215»Ð®ÿÿ\211<$èOåÿÿ\213E\bÝUØÝEØÙÉÝX\bÝ\030\213]ô\213uø\213"...
(gdb)
(parts lit up in black and blinking) (looks like hi-ASCII)

--- End Message ---
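Added example (not part of the message above, and not gdb's own code): the repeated "frame_register: Assertion `frame != NULL && frame->next != NULL' failed" in the session is gdb's unwinder tripping over a frame chain that a series of forced returns has left inconsistent. The C program below models a 32-bit frame-pointer chain as an array of words and contrasts a trusting walk, which spins on a saved frame pointer that points back at its own frame, with a validating walk that checks bounds and direction before dereferencing each frame. The stack layout, the function names walk_frames, naive_walk and build_*_stack, and the return-address values are all constructed for this illustration and do not come from the poster's binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not gdb's frame.c. The "stack" is an array of words and a
 * frame pointer is a word index: word[fp] holds the caller's saved frame
 * pointer and word[fp + 1] the return address, which is how a 32-bit x86
 * `push %ebp; mov %esp,%ebp` prologue lays a frame out. The stack grows
 * down, so each caller's frame sits at a higher index than its callee, and
 * the outermost frame (set up by _start) carries a saved frame pointer of 0. */

enum walk_status {
    WALK_OK = 0,        /* chain ended cleanly at a zero frame pointer */
    WALK_OUT_OF_STACK,  /* frame pointer does not point inside the stack */
    WALK_NOT_ASCENDING, /* saved fp does not move toward the base: self-loop or garbage */
    WALK_TOO_DEEP       /* more frames than the caller's buffer holds */
};

/* Validating walk: every frame is checked before it is dereferenced.
 * *count receives the number of return addresses recovered, also on failure. */
enum walk_status walk_frames(const uintptr_t *stack, size_t nwords, size_t fp,
                             uintptr_t *ret_out, size_t max_frames, size_t *count)
{
    *count = 0;
    while (fp != 0) {
        if (*count == max_frames)
            return WALK_TOO_DEEP;
        /* both the saved fp and the return address must lie inside the stack */
        if (fp + 1 >= nwords)
            return WALK_OUT_OF_STACK;
        uintptr_t saved_fp = stack[fp];
        ret_out[(*count)++] = stack[fp + 1];
        /* a caller frame is always above its callee; an equal (self-loop) or
         * lower saved fp can only come from a corrupted frame */
        if (saved_fp != 0 && saved_fp <= fp)
            return WALK_NOT_ASCENDING;
        fp = (size_t)saved_fp;
    }
    return WALK_OK;
}

/* Trusting walk: follows the chain blindly and stops only at the depth cap.
 * On the looping stack below it runs until the cap, which is the spinning
 * behaviour an unvalidated unwinder shows. Only safe on in-bounds chains. */
size_t naive_walk(const uintptr_t *stack, size_t fp, uintptr_t *ret_out, size_t max_frames)
{
    size_t n = 0;
    while (fp != 0 && n < max_frames) {
        ret_out[n++] = stack[fp + 1];
        fp = (size_t)stack[fp];
    }
    return n;
}

#define STACK_WORDS 16

/* Constructed sample: three frames at word indices 2, 6 and 10. The return
 * addresses are made-up values, not addresses from any real binary. */
void build_sane_stack(uintptr_t *stack)
{
    for (size_t i = 0; i < STACK_WORDS; i++)
        stack[i] = 0xdeadbeef;             /* locals and padding */
    stack[2] = 6;  stack[3] = 0x08048400;  /* innermost frame */
    stack[6] = 10; stack[7] = 0x08048500;  /* its caller */
    stack[10] = 0; stack[11] = 0x08048600; /* outermost: saved fp 0 ends the chain */
}

/* Same stack with the middle frame's saved fp overwritten to point at itself. */
void build_looping_stack(uintptr_t *stack)
{
    build_sane_stack(stack);
    stack[6] = 6;
}

/* Same stack with the middle frame's saved fp overwritten with a wild value. */
void build_wild_stack(uintptr_t *stack)
{
    build_sane_stack(stack);
    stack[6] = 0xbfff0000;
}

int main(void)
{
    uintptr_t stack[STACK_WORDS], rets[8];
    size_t n;
    build_looping_stack(stack);
    printf("naive walk recovered %zu frames (hit the cap)\n",
           naive_walk(stack, 2, rets, 8));
    enum walk_status st = walk_frames(stack, STACK_WORDS, 2, rets, 8, &n);
    printf("validating walk stopped with status %d after %zu frames\n", (int)st, n);
    return 0;
}
```

The direction check is what makes the cycle detectable without a visited-set: a frame pointer that does not strictly increase toward the stack base is rejected on the first bad frame, which is where a debugger should stop trusting its frame chain rather than asserting later inside its register-fetch path.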
