
gdb bug



--- Begin Message ---
Self-corrupted gdb (which gdb itself is warning about), corrupting the stack that by chance has a jump instruction causing a loop. An attacker can exploit this vulnerability to inject malicious commands to be run under the permissions of the current gdb session. Affects gdb 6.*-7.*, which I tested.

asterisk exploit:

gdb asterisk
ctrl+c
r asterisk
ctrl+c
r asterisk -r      <----- reason for crash ( -r is a flag for asterisk; gdb mistakes this for run not run)
x 0xb7e7dde8
r
ret 0xb7e7dde8
Program received signal SIGINT, Interrupt.
[Switching to Thread -1211655968 (LWP 3208)]
0xb7e7dde8 in poll () from /lib/tls/libc.so.6
(gdb) ret 0xb7e7dde8
Make selected stack frame return now? (y or n) y
Breakpoint 1, 0x080a5e17 in main ()
(gdb) ret 0xb7e7dde8
#0  0xb7db9ea4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb) backtrace
#0  0xb7db9ea4 in __libc_start_main () from /lib/tls/libc.so.6
#1  0x080554f1 in _start ()
Program received signal SIGINT, Interrupt.
[Switching to Thread -1211655968 (LWP 3208)]
0xb7e7dde8 in poll () from /lib/tls/libc.so.6
internal-error: frame_register: Assertion `frame != NULL && frame->next != N
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n) Please answer y or n.
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n)    poll failed: No such file or directory
x86*CLI> Aborted
0xb7e101c2
0xb7e1021e <glob64+22478>:      0xff
(gdb) x86*CLI> x86*CLI> x86*CLI> x8
0x7e1012b6 <-----
0x7e10126e
0x080a5554
0xb7e10012 <posix_fallocate+258>:        "\002"
0xb7e10012 <posix_fallocate+258>:        "\002"
(gdb)
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*C
ret 0xb7e101de
x/s 0xb7e0fde8
0xb7e10887 <sendfile64+1319>:   "\213EØ\215µtûÿÿ\211t$\b\211D$\004è³\230ÿÿ\205À\017\210;ÿÿÿ\213M\020\213\205xûÿÿ\2139\213q\004\211½\bûÿÿ\213\225\bûÿÿ\211µ\fûÿÿ\213½tûÿÿ\213\215\fûÿÿ1×1Á\tù\017\205\003ÿÿÿ\213Uà\211\225(ûÿÿ\211\225pûÿÿ\213µ(ûÿÿ\205öto\213½(ûÿÿ¹,"
(gdb)
x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*C
0xb7edb350 <system>
0xb7e10348 <sendfile+40>:        "\201Á\224§\006"
ebx            0xbfa6c69c       -1079589220
esp            0xbfa6c45c       0xbfa6c45c
ebp            0xbfa6c468       0xbfa6c468
esi            0xbfa6c71a       -1079589094
edi            0xb7e7aadc       -1209554212
eip            0xb7e0fde8       0xb7e0fde8 <poll+56>
xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0}, v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0}, uint128 = 0x00000000000000000000000000000000}
mxcsr          0x1f80   8064
mm0            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm1            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm2            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm3            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm4            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm5            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm6            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0, 0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm7            {uint64 = 0xe41900e9e96363f9, v2_int32 = {0xe96363f9, 0xe41900e9}, v4_int16 = {0x63f9, 0xe963, 0xe9, 0xe419}, v8_int8 = {0xf9, 0x63, 0x63, 0xe9, 0xe9, 0x0, 0x19, 0xe4}}
0xb7e4e90b 0x080a806c 0x80a8791 0x80a933e 0x80aa391 0x80afc9c <aes_encrypt+1356>:    ""
(gdb) x/a8 0x0a106
A syntax error in expression, near `0x0a106'.
(gdb) call 0x0a106
$2 = 41222
(gdb) ret 0x0a106
Make selected stack frame return now? (y or n)   #0  0x080a5554 in ast_safe_system ()
(gdb) ret 0x0a106
Make selected stack frame return now? (y or n) y
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*C
build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n) Please answer y or n.
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
0xb7f8e350
0xb7f8e505:      "\207߸®"
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n) y
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n) Please answer y or n.
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n) n
#0  0xb7e8dde8 in poll () from /lib/tls/libc.so.6
#1  0x080a5554 in ast_safe_system ()
x/0xcd b7e8de85
#0  0xb7e8dde8 in ?? () from /lib/tls/libc.so.6
#1  0x080a5554 in ?? ()
(gdb) ret 0x80a5554
Make selected stack frame return now? (y or n) y
      0xb7e8de85 <posix_fadvise+37>:  0xcd
(gdb)
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*
(gdb) backtrace
#0  0x080a5554 in ast_safe_system ()
(gdb)         0x80a55ac <ast_safe_system+2126>:       0x0b
(gdb)
0x80a55e6 <ast_safe_system+2184>:       0x20
(gdb)
x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
0x80a55b9 40x
0x080a4d81 <ast_safe_system+35>:        je     0x80a4e34 <ast_safe_system+214>
0x080a4d9d <ast_safe_system+63>:        je     0x80a4e52 <ast_safe_system+244>
0x080a4da3 <ast_safe_system+69>:        jle    0x80a4ea5 <ast_safe_system+327>
0x080a4de1 <ast_safe_system+131>:       call   0x8054e48 <pthread_mutex_lock@plt>
0x080a4da9 <ast_safe_system+75>:        lea    0x68(%esp),%ebp
0x080a4dad <ast_safe_system+79>:        lea    0x20(%esp),%edi
0x080a50cd <ast_safe_system+879>:       call   0x80551a8 <snprintf@plt>
0x080a50d2 <ast_safe_system+884>:       cmpb   $0x0,0x1c(%esp)
0x080a50d7 <ast_safe_system+889>:       je     0x80a5114 <ast_safe_system+950>
0x080a50d9 <ast_safe_system+891>:       mov    0x81093c0,%edx
0x080a50df <ast_safe_system+897>:       test   %edx,%edx
0x080a50e1 <ast_safe_system+899>:       je     0x80a53b7 <ast_safe_system+1625>
0x080a50e7 <ast_safe_system+905>:       mov    0x81093bc,%eax
0x080a50ec <ast_safe_system+910>:       test   %eax,%eax
0x080a50ee <ast_safe_system+912>:       je     0x80a53b7 <ast_safe_system+1625>
0x080a50f4 <ast_safe_system+918>:       lea    0x1c(%esp),%eax
0x080a50f8 <ast_safe_system+922>:       mov    %eax,0xc(%esp)
0x080a50fc <ast_safe_system+926>:       movl   $0x12,0x8(%esp)
0x080a5104 <ast_safe_system+934>:       lea    0x6c(%esp),%eax
0x080a5108 <ast_safe_system+938>:       mov    %eax,0x4(%esp)
0x080a51a7 <ast_safe_system+1097>:      call   0x805fd1e <ast_active_channels>
0x080a51ac <ast_safe_system+1102>:      mov    $0x80eac4a,%edx
0x080a51b1 <ast_safe_system+1107>:      test   %eax,%eax
0x080a51b3 <ast_safe_system+1109>:      jne    0x80a51ba <ast_safe_system+1116>
0x080a510c <ast_safe_system+942>:       mov    %edx,(%esp)
0x080a5308 <ast_safe_system+1450>:      call   0x8054ef8 <execvp@plt>
0xb7f77365 <system+21>:  "\211\004$èg\215ÿÿZ[]Ã", '\220' <repeats 15 times>, "U\211å\203ì\b\211|$\004\213}\b\2114$e\2135\b
0x080a5375 <ast_safe_system+1559>:      jmp    0x80a5199 <ast_safe_system+1083>
0x080a537a <ast_safe_system+1564>:      call   0x805fd1e <ast_active_channels>
0x080a537f <ast_safe_system+1569>:      mov    $0x80eac04,%edx
0x080a5384 <ast_safe_system+1574>:      test   %eax,%eax
0x080a5386 <ast_safe_system+1576>:      jne    0x80a538d <ast_safe_system+1583>
0x080a5388 <ast_safe_system+1578>:      mov    $0x80eac4c,%edx
0x080a538d <ast_safe_system+1583>:      mov    %edi,0x8(%esp)
0x080a5391 <ast_safe_system+1587>:      mov    %edx,0x4(%esp)
0x080a5395 <ast_safe_system+1591>:      movl   $0x80eac0e,(%esp)
0x080a539c <ast_safe_system+1598>:      call   0x8056989 <ast_verbose>
0x080a53a1 <ast_safe_system+1603>:      jmp    0x80a5199 <ast_safe_system+1083>
0x080a53a6 <ast_safe_system+1608>:      movl   $0x80ebaec,(%esp)
0x080a53ad <ast_safe_system+1615>:      call   0x8056989 <ast_verbose>
0x080a53b2 <ast_safe_system+1620>:      jmp    0x80a5143 <ast_safe_system+997>
0x080a53b7 <ast_safe_system+1625>:      call   0x80a3de7 <ast_set_priority+2778>
0x080a53bc <ast_safe_system+1630>:      mov    0x81093c0,%edx
0x080a53c2 <ast_safe_system+1636>:      jmp    0x80a50f4 <ast_safe_system+918>
0x080a53c7 <ast_safe_system+1641>:      mov    $0x80e7f14,%eax
0x080a53cc <ast_safe_system+1646>:      jmp    0x80a501e <ast_safe_system+704>
0x080a53d1 <ast_safe_system+1651>:      sub    $0xc,%esp
0x080a53d4 <ast_safe_system+1654>:      mov    $0x1,%eax
0x080a56f7 <ast_safe_system+2457>:      mov    %eax,(%esp)
0x080a56fa <ast_safe_system+2460>:      call   0x8054a78 <fprintf@plt>
0x080a56ff <ast_safe_system+2465>:      call   0x808c708 <term_quit>
0x080a59c2 <ast_safe_system+3172>:      je     0x80a59e6 <ast_safe_system+3208>
0x080a59c4 <ast_safe_system+3174>:      movl   $0x0,0xc(%esp)
0x080a59cc <ast_safe_system+3182>:      movl   $0xa,0x8(%esp)
0x080a59d4 <ast_safe_system+3190>:      movl   $0x0,0x4(%esp)
0x080a59dc <ast_safe_system+3198>:      mov    %ebx,(%esp)
0x080a59df <ast_safe_system+3201>:      call   0x8054ec8 <__strtol_internal@plt>
0x080a59e4 <ast_safe_system+3206>:      mov    %eax,%ebp
0x080a59e6 <ast_safe_system+3208>:      mov    0x81093b8,%eax
0x080a59eb <ast_safe_system+3213>:      mov    %eax,0xc(%esp)
0x080a59ef <ast_safe_system+3217>:      movl   $0x80eacc4,0x8(%esp)
0x080a59f7 <ast_safe_system+3225>:      movl   $0x50,0x4(%esp)
0x080a59ff <ast_safe_system+3233>:      lea    0x20(%esp),%ebx
0x080a5a03 <ast_safe_system+3237>:      mov    %ebx,(%esp)
0x080a5a06 <ast_safe_system+3240>:      call   0x80551a8 <snprintf@plt>
0x080a5a0b <ast_safe_system+3245>:      mov    %ebx,%edx
0x080a5a0d <ast_safe_system+3247>:      mov    0x8104178,%eax
<ast_safe_system+2185>:       0xff
(gdb)
x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86
(0100 times 3 pages) When I type ret and halfway through the address it prints x86*CLI> for 3 pages (even after I let it idle for a while).
0x80a560a <ast_safe_system+2220>:       0x00
(gdb)
x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*C
(very large, keeps going 100x)
0x80a56a0 <ast_safe_system+2370>:       0x04
0x80a5736 <ast_safe_system+2520>:       0x08
(gdb) x86*CLI> x86*CLI> x86*CLI>
0x80a5737 <ast_safe_system+2521>:    0xe8
(gdb)
x86@3[newsploit]$ gdb gdb
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) x 0x80a561b
0x80a561b <validate_actionline+606>:    0xfd1400e8
(gdb)
0x80a561f <validate_actionline+610>:    0xec4589ff
(gdb)
0x80a5623 <validate_actionline+614>:    0xffff60e9
(gdb)
0x80a5627 <validate_actionline+618>:    0x2444c7ff
(gdb)
0x80a562b <validate_actionline+622>:    0x0a250704
(gdb)
0x80a562f <validate_actionline+626>:    0x24348908
(gdb)
0x80a5633 <validate_actionline+630>:    0x006825e8
(gdb)
0x80a5637 <validate_actionline+634>:    0x0fc08500
(gdb)
0x80a563b <validate_actionline+638>:    0x00008f84
(gdb)
0x80a563f <validate_actionline+642>:    0xec4d8b00
Program received signal SIGINT, Interrupt.
0xb7e55de8 in poll () from /lib/tls/libc.so.6
(gdb) x 0xb7e55de8
0xb7e55de8 <poll+56>:   0x003dfb87
(gdb)
0xb7e55dec <poll+60>:   0x89fffff0
(gdb)
0xb7e55df0 <poll+64>:   0x893b77c7
(gdb) backtrace
#0  0xb7e55de8 in poll () from /lib/tls/libc.so.6
#1  0x08112244 in gdb_do_one_event ()
#2  0x0810f303 in catch_errors ()
#3  0x080bbd21 in _initialize_tui_hooks ()
#4  0x0810f59b in current_interp_command_loop ()
#5  0x080779cb in main ()
(gdb) ret 0x9010f5cb
#0  0x08112244 in gdb_do_one_event ()
x/s $eip
0x8113d33 <inferior_event_handler_wrapper+49>:   "ÉÃ", '\220' <repeats 11 times>, "U\211å¡Ði(\b]ÃU\211å1À]ÃU\211åWVS\203ì\034Ç\004$\004"
(gdb)
0x81183b3 <gdbarch_pseudo_register_write+216>:  "Ç\004$|^#\bèepöÿU\211å\213U\f\213E\b\211Pt]ÃU\211åS\203ì\024\213]\b\205Ût/\213Cx\203øÿtk\203=ðã(\b\001~\030ÇD$\004áZ#\b¡h!*\b\211\004$èQ\200öÿ\213Cx\203Ä\024[]ÃÇD$\b\005"
(gdb)
0x811b40d <set_gdbarch_unwind_sp+15>:    "]ÃU\211åVS\203ì \213]\b\213u\f\205Ût9\213\213X\001"
(gdb)
0x811b426 <gdbarch_deprecated_saved_pc_after_call+23>:   ""
(gdb)
0x811b427 <gdbarch_deprecated_saved_pc_after_call+24>:  "\205Éts\203=ðã(\b\001~\033ÇD$\004ü¤#\b¡h!*\b\211\004$è\tPöÿ\213\213X\001"
(gdb)
0x811b44e <gdbarch_deprecated_saved_pc_after_call+63>:   ""
(gdb)
0x811b44f <gdbarch_deprecated_saved_pc_after_call+64>:   "\211u\b\203Ä [^]ÿáÇD$\b\005"
(gdb)
0x811b460 <gdbarch_deprecated_saved_pc_after_call+81>:   ""
(gdb)
0x811b461 <gdbarch_deprecated_saved_pc_after_call+82>:   ""
(gdb)
0x811b462 <gdbarch_deprecated_saved_pc_after_call+83>:   "ÇD$\004\226s \bÇ\004$"
(gdb)
(it's jumping around) possible jmp trick exploit found
0x811b5d5 <set_gdbarch_frame_num_args+15>:       "]ÃU\211åVS\203ì \213]\b\213u\f\205Ût9\213\213`\001"
(gdb)
0x811b5ee <gdbarch_deprecated_stack_align+23>:   ""
(gdb)
0x811b5ef <gdbarch_deprecated_stack_align+24>:  "\205Éts\203=ðã(\b\001~\033ÇD$\004\224¥#\b¡h!*\b\211\004$èANöÿ\213\213`\001"
(gdb)
0x811b616 <gdbarch_deprecated_stack_align+63>:   ""
(gdb)
0x811cfb5 <deprecated_register_gdbarch_swap+52>:        "\213\023\213E\020\211B\b\213E\b\211\002\213E\f\211B\004\203Ä\004[]ÃU\211åVS\203ì\2135ài(\b\205ötW\213^$\205Ût=\213C\004\213\v\213\020\213@\004\211D$\b\211T$\004\211\f$诣õÿ\213C\004\213\020\213@\004\211D$\bÇD$\004"
(gdb)
(being run as regular user)
Unable to connect to remote asterisk (does
/var/run/asterisk/asterisk.ctl exist?)
Program exited with code 01.
(gdb) run asterisk -r |
Starting program: /usr/sbin/asterisk asterisk -r |
/bin/bash: -c: line 1: syntax error: unexpected end of file
Program exited with code 02.
You can't do that without a process to debug.
(gdb) run asterisk -r |
x86*CLI> x86*CLI> x86*CLI> Quit
(gdb) run asterisk -vvvvvc
Starting program: /usr/sbin/asterisk asterisk -vvvvvc
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
[Thread debugging using libthread_db enabled]
[New Thread -1212167968 (LWP 32289)]
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
Unable to open pid file '/var/run/asterisk/asterisk.pid': Permission denied
[New Thread -1212171344 (LWP 32293)]
[Thread -1212171344 (LWP 32293) exited]
Unable to bind socket to /var/run/asterisk/asterisk.ctl: Address already in use
  == Parsing '/etc/asterisk/asterisk.conf': Not found (Permission denied)
  == Parsing '/etc/asterisk/extconfig.conf': Not found (Permission denied)
Asterisk 1.2.7.1, Copyright (C) 1999 - 2006 Digium, Inc. and others.
Created by Mark Spencer <markster@xxxxxxxxxx>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'show license' for details.
=========================================================================
  == Parsing '/etc/asterisk/logger.conf': Not found (Permission denied)
Unable to open logger.conf: Permission denied
r
Jan 18 07:36:58 ERROR[32289]: logger.c:625 init_logger: Unable to create event log: Permission denied
  #0  0xb7da1ea4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080554f1 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)
\f\213E\b\211]ôè³\213ÿÿ\201ÃÍ4"
(gdb)
0xb7f7b70c <pthread_getaffinity_np@@GLIBC_2.3.4+28>:     ""
(gdb)
0xb7f7b70d <pthread_getaffinity_np@@GLIBC_2.3.4+29>:     "\211}ü\205ö\213U\020\213xH\211ñxJ\207߸ò"
(gdb)
0xb7f7b721 <pthread_getaffinity_np@@GLIBC_2.3.4+49>:     ""
(gdb)
0xb7f7b722 <pthread_getaffinity_np@@GLIBC_2.3.4+50>:     ""
(gdb)
0xb7f7b723 <pthread_getaffinity_np@@GLIBC_2.3.4+51>:     "Í\200\207û="
(gdb)
0xb7f7b729 <pthread_getaffinity_np@@GLIBC_2.3.4+57>:     "ðÿÿv\022\213]ô÷Ø\213uø\213}ü\211ì]Ã\215v"
(gdb)
0xb7f7b740 <pthread_getaffinity_np@@GLIBC_2.3.4+80>:    ")Æ\215\f\0021Ò\211t$\b\211T$\004\211\f$è\215\212ÿÿ\213]ô1À\213uø\213}ü\211ì]ùÿÿÿ\177ë¯\215v"
(gdb)
0xb7f7b770 <pthread_getaffinity_np@xxxxxxxxxxx>:         "U¹\200"
(gdb)
0xb7f7b774 <pthread_getaffinity_np@xxxxxxxxxxx+4>:       ""
(gdb)                                         0x000008ec in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080ec8c4 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080ec594 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x08110800 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0xb7f43bf6 in _dl_rtld_di_serinfo () from /lib/ld-linux.so.2
(gdb)                                              ret 0xb7da1ea4
LI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> #0  0x080554f1 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)  gdb)
Make selected stack frame return now? (y or n) y
#0  0x00000001 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x00000000 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080ec8a6 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080ec640 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x08110800 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0xb7ece52e in in6addr_any () from /lib/tls/libc.so.6
(gdb) backtrace
#0  0xb7ece52e in in6addr_any () from /lib/tls/libc.so.6
#1  0xb7fb7eec in ?? ()
    () from /lib/tls/libpthread.so.0
(gdb) backtrace
#0  0xb7f3d312 in sysctl_args.0 () from /lib/tls/libpthread.so.0
#1  0xb7f61b30 in _dl_rtld_di_serinfo () from /lib/ld-linux.so.2
#2  0xb7f35717 in __pthread_initialize_minimal_internal () from /lib/tls/libpthread.so.0
#3  0xb7d62ea4 in __libc_start_main () from /lib/tls/libc.so.6
#4  0x080554f1 in ?? ()
    () from /lib/tls/libpthread.so.0
(gdb) backtrace
#0  0xb7f4a310 in sysctl_args.0 () from /lib/tls/libpthread.so.0
#1  0xb7f4a312 in sysctl_args.0 () from /lib/tls/libpthread.so.0
#2  0xb7f6eb30 in _dl_rtld_di_serinfo () from /lib/ld-linux.so.2
#3  0xb7f42717 in __pthread_initialize_minimal_internal () from /lib/tls/libpthread.so.0
#4  0xb7d6fea4 in __libc_start_main () from /lib/tls/libc.so.6
#5  0x080554f1 in ?? ()
#0  0xb7dd0ea4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080554f1 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Object file /usr/sbin/asterisk:  Objfile at 0x82efce8, bfd at 0x82de9c0, 1178 minsyms
Object file system-supplied DSO at 0xffffe000:  Objfile at 0x83334c8, bfd at 0x8303d50, 4 minsyms
Object file /lib/tls/libdl.so.2:  Objfile at 0x83999b8, bfd at 0x836be08, 31 minsyms
Object file /lib/tls/libpthread.so.0:  Objfile at 0x83aa900, bfd at 0x831eb80, 696 minsyms
Object file /lib/libncurses.so.5:  Objfile at 0x83dd1b0, bfd at 0x8359e08, 760 minsyms
Object file /lib/tls/libm.so.6:  Objfile at 0x8400e80, bfd at 0x8319958, 331 min
---Type <return> to continue, or q <return> to quit---
syms
Object file /lib/tls/libresolv.so.2:  Objfile at 0x84197f0, bfd at 0x831e8b0, 135 minsyms
Object file /usr/lib/i686/cmov/libssl.so.0.9.8:  Objfile at 0x842b9f0, bfd at 0x8359128, 665 minsyms
Object file /lib/tls/libc.so.6:  Objfile at 0x84590f0, bfd at 0x83b4338, 2120 minsyms
Object file /lib/ld-linux.so.2:  Objfile at 0x84c11e0, bfd at 0x83228f0, 32 minsyms
Object file /usr/lib/i686/cmov/libcrypto.so.0.9.8:  Objfile at 0x84c91e8, bfd at 0x8461160, 3344 minsyms
Program exited with code 01.
(gdb) x
0xb7da1ea5 <CAST_S_table0+60645>:        "PublicKey"
(gdb)
0xb7da1eaf <CAST_S_table0+60655>:        "i2d_RSA_NET"
(gdb)
0xb7da1ebb <CAST_S_table0+60667>:        "i2d_RSA_PUBKEY"
(gdb)
0xb7da1eca <CAST_S_table0+60682>:        "LONG_C2I"
(gdb)
0xb7da1ed3 <CAST_S_table0+60691>:        "OID_MODULE_INIT"
(gdb)
0xb7da1ee3 <CAST_S_table0+60707>:        "PARSE_TAGGING"
(gdb)
0xb7da1ef1 <CAST_S_table0+60721>:        "PKCS5_pb
0xb7da20c0 <CAST_S_table0+61184>:        "PBEPARAM"
(gdb)
0xb7da20c9 <CAST_S_table0+61193>:        "salt"
(gdb)
0xb7da20ce <CAST_S_table0+61198>:        "iter"
(gdb)
0xb7da20d3 <CAST_S_table0+61203>:        "p5_pbe.c"
(gdb)
0xb7da20dc <CAST_S_table0+61212>:        "PBKDF2PARAM"
(gdb)
0xb7da20e8 <CAST_S_table0+61224>:        "PBE2PARAM"
(gdb)
0xb7da20f2 <CAST_S_table0+61234>:        "keyfunc"
(gdb)
0xb7da20fa <CAST_S_table0+61242>:        "p5_pbev2.c"
(gdb)
0xb7da2105 <CAST_S_table0+61253>:        "PKCS8_PRIV_KEY_INFO"
(gdb)
0xb7da2119 <CAST_S_table0+61273>:        "pkeyalg"
(gdb)
0xb7da2121 <CAST_S_table0+61281>:        "oid_section"
0xb7da21b8 <CAST_S_table0+61432>:        "strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf"                               (string exploit here)
(gdb) disas 0xb7da31e4
Dump of assembler code for function CAST_S_table0:
Unable to open pid file '/var/run/asterisk/asterisk.pid': Permission denied
[New Thread -1211937872 (LWP 15438)]
Program received signal SIGINT, Interrupt.
[Switching to Thread -1211934496 (LWP 15437)]
0xb7e0654c in nanosleep () from /lib/tls/libc.so.6
(gdb) backtrace
#0  0xb7e0654c in nanosleep () from /lib/tls/libc.so.6
#1  0xb7e3ce2a in usleep () from /lib/tls/libc.so.6
#2  0x080b34a8 in test_for_thread_safety ()
#3  0x00000064 in ?? ()
#4  0x00000000 in ?? ()
null byte - 0xb7da33cc <STORE_param_sizes+348>:      "\n"
0xb7e7e770 <catanh+176>:         "ÝE\f\203þ\002\017\224À1Ò\203ÿ\002\017\224ÂÝ]Ø\205ÐÝE\024uÆÙ\203¤¯ÿÿÙÁÞÊÝE\fÝE\fÙÉØêÙÉØÂÙËÝUÐÙÉØÈÙËØÈÙËØÁÙËÞÁÝ\034$Ý]¨Ý]¸èj·ÿÿÝE¸ÙÉÝ]ØÝ\034$èZ·ÿÿÜmØÝE¨ÝE\024ÙÊØ\213è´ÿÿÙÊØÀÙÊÝ]ØÝE\fØÈÞéÜeÐÙóÝ]à\213E\bÝEàØ\213¨¯ÿÿÝEØéDÿÿÿ\215»Ð®ÿÿ\211<$èOåÿÿ\213E\bÝUØÝEØÙÉÝX\bÝ\030\213]ô\213uø\213"...
(gdb)
(parts lit up in black and blinking) (looks like hi-ascii)

--- End Message ---