
gdb bug

Self-corrupted gdb (which gdb itself is warning about), corrupting the stack that by chance has a jump instruction causing a loop. An attacker can exploit this vulnerability to inject malicious commands to be run under the permissions of the current gdb session. Affects gdb 6.*-7.* (I tested).

asterisk exploit

gdb asterisk
ctrl+c
r asterisk
ctrl+c

r asterisk -r      <----- reason for crash (-r is a flag for asterisk; gdb mistakes this for run, not run)
x 0xb7e7dde8
r

ret 0xb7e7dde8

Program received signal SIGINT, Interrupt.
[Switching to Thread -1211655968 (LWP 3208)]
0xb7e7dde8 in poll () from /lib/tls/libc.so.6
(gdb) ret 0xb7e7dde8
Make selected stack frame return now? (y or n) y

Breakpoint 1, 0x080a5e17 in main ()
(gdb) ret 0xb7e7dde8


#0  0xb7db9ea4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb) backtrace
#0  0xb7db9ea4 in __libc_start_main () from /lib/tls/libc.so.6
#1  0x080554f1 in _start ()

Program received signal SIGINT, Interrupt.
[Switching to Thread -1211655968 (LWP 3208)]
0xb7e7dde8 in poll () from /lib/tls/libc.so.6
internal-error: frame_register: Assertion `frame != NULL && frame->next != N
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n)
Please answer y or n.
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n)   

poll failed: No such file or directory
x86*CLI> Aborted

0xb7e101c2

0xb7e1021e <glob64+22478>:      0xff
(gdb) x86*CLI> x86*CLI> x86*CLI> x8

0x7e1012b6 <-----

0x7e10126e

0x080a5554

0xb7e10012 <posix_fallocate+258>:        "\002"


0xb7e10012 <posix_fallocate+258>:        "\002"
(gdb) x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*C


ret 0xb7e101de


x/s 0xb7e0fde8

0xb7e10887 <sendfile64+1319>:    "\213EØ\215µtûÿÿ\211t$\b\211D$\004è³\230ÿÿ\205À\017\210;ÿÿÿ\213M\020\213\205xûÿÿ\2139\213q\004\211½\bûÿÿ\213\225\bûÿÿ\211µ\fûÿÿ\213½tûÿÿ\213\215\fûÿÿ1×1Á\tù\017\205\003ÿÿÿ\213Uà\211\225(ûÿÿ\211\225pûÿÿ\213µ(ûÿÿ\205öto\213½(ûÿÿ¹,"
(gdb)
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*C



0xb7edb350 <system>




0xb7e10348 <sendfile+40>:        "\201Á\224§\006"

ebx            0xbfa6c69c       -1079589220
esp            0xbfa6c45c       0xbfa6c45c
ebp            0xbfa6c468       0xbfa6c468
esi            0xbfa6c71a       -1079589094
edi            0xb7e7aadc       -1209554212
eip            0xb7e0fde8       0xb7e0fde8 <poll+56>


xmm0           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm1           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm2           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},

xmm6           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
xmm7           {v4_float = {0x0, 0x0, 0x0, 0x0}, v2_double = {0x0, 0x0},
  v16_int8 = {0x0 <repeats 16 times>}, v8_int16 = {0x0, 0x0, 0x0, 0x0, 0x0,
    0x0, 0x0, 0x0}, v4_int32 = {0x0, 0x0, 0x0, 0x0}, v2_int64 = {0x0, 0x0},
  uint128 = 0x00000000000000000000000000000000}
mxcsr          0x1f80   8064

mm0            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm1            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm2            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm3            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm4            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm5            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm6            {uint64 = 0x0, v2_int32 = {0x0, 0x0}, v4_int16 = {0x0, 0x0,
    0x0, 0x0}, v8_int8 = {0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}}
mm7            {uint64 = 0xe41900e9e96363f9, v2_int32 = {0xe96363f9,
    0xe41900e9}, v4_int16 = {0x63f9, 0xe963, 0xe9, 0xe419}, v8_int8 = {0xf9,
    0x63, 0x63, 0xe9, 0xe9, 0x0, 0x19, 0xe4}}


0xb7e4e90b 0x080a806c 0x80a8791  0x80a933e 0x80aa391 0x80afc9c <aes_encrypt+1356>:    ""

(gdb) x/a8 0x0a106
A syntax error in _expression_, near `0x0a106'.
(gdb) call 0x0a106
$2 = 41222
(gdb) ret 0x0a106
Make selected stack frame return now? (y or n)  

#0  0x080a5554 in ast_safe_system ()
(gdb) ret 0x0a106
Make selected stack frame return now? (y or n) y
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*C


/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)
Please answer y or n.
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.


0xb7f8e350

0xb7f8e505:      "\207߸®"

/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.


/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Create a core file of GDB? (y or n) y


/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)
Please answer y or n.
/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n) n


#0  0xb7e8dde8 in poll () from /lib/tls/libc.so.6
#1  0x080a5554 in ast_safe_system ()

x/0xcd b7e8de85


#0  0xb7e8dde8 in ?? () from /lib/tls/libc.so.6
#1  0x080a5554 in ?? ()

(gdb) ret 0x80a5554
Make selected stack frame return now? (y or n) y     

0xb7e8de85 <posix_fadvise+37>:  0xcd
(gdb) x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*


(gdb) backtrace
#0  0x080a5554 in ast_safe_system ()
(gdb)        


0x80a55ac <ast_safe_system+2126>:       0x0b
(gdb)

0x80a55e6 <ast_safe_system+2184>:       0x20
(gdb)
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI>

0x80a55b9 40x


0x080a4d81 <ast_safe_system+35>:        je     0x80a4e34 <ast_safe_system+214>

0x080a4d9d <ast_safe_system+63>:        je     0x80a4e52 <ast_safe_system+244>
0x080a4da3 <ast_safe_system+69>:        jle    0x80a4ea5 <ast_safe_system+327>


0x080a4de1 <ast_safe_system+131>:       call   0x8054e48 <pthread_mutex_lock@plt>

0x080a4da9 <ast_safe_system+75>:        lea    0x68(%esp),%ebp
0x080a4dad <ast_safe_system+79>:        lea    0x20(%esp),%edi

0x080a50cd <ast_safe_system+879>:       call   0x80551a8 <snprintf@plt>
0x080a50d2 <ast_safe_system+884>:       cmpb   $0x0,0x1c(%esp)


0x080a50d7 <ast_safe_system+889>:       je     0x80a5114 <ast_safe_system+950>
0x080a50d9 <ast_safe_system+891>:       mov    0x81093c0,%edx
0x080a50df <ast_safe_system+897>:       test   %edx,%edx
0x080a50e1 <ast_safe_system+899>:       je     0x80a53b7 <ast_safe_system+1625>
0x080a50e7 <ast_safe_system+905>:       mov    0x81093bc,%eax
0x080a50ec <ast_safe_system+910>:       test   %eax,%eax
0x080a50ee <ast_safe_system+912>:       je     0x80a53b7 <ast_safe_system+1625>
0x080a50f4 <ast_safe_system+918>:       lea    0x1c(%esp),%eax
0x080a50f8 <ast_safe_system+922>:       mov    %eax,0xc(%esp)
0x080a50fc <ast_safe_system+926>:       movl   $0x12,0x8(%esp)
0x080a5104 <ast_safe_system+934>:       lea    0x6c(%esp),%eax
0x080a5108 <ast_safe_system+938>:       mov    %eax,0x4(%esp)


0x080a51a7 <ast_safe_system+1097>:      call   0x805fd1e <ast_active_channels>
0x080a51ac <ast_safe_system+1102>:      mov    $0x80eac4a,%edx
0x080a51b1 <ast_safe_system+1107>:      test   %eax,%eax
0x080a51b3 <ast_safe_system+1109>:      jne    0x80a51ba <ast_safe_system+1116>
0x080a510c <ast_safe_system+942>:       mov    %edx,(%esp)     

0x080a5308 <ast_safe_system+1450>:      call   0x8054ef8 <execvp@plt>


0xb7f77365 <system+21>:  "\211\004$èg\215ÿÿZ[]Ã", '\220' <repeats 15 times>, "U\211å\203ì\b\211|$\004\213}\b\2114$e\2135\b

0x080a5375 <ast_safe_system+1559>:      jmp    0x80a5199 <ast_safe_system+1083>
0x080a537a <ast_safe_system+1564>:      call   0x805fd1e <ast_active_channels>
0x080a537f <ast_safe_system+1569>:      mov    $0x80eac04,%edx
0x080a5384 <ast_safe_system+1574>:      test   %eax,%eax
0x080a5386 <ast_safe_system+1576>:      jne    0x80a538d <ast_safe_system+1583>
0x080a5388 <ast_safe_system+1578>:      mov    $0x80eac4c,%edx
0x080a538d <ast_safe_system+1583>:      mov    %edi,0x8(%esp)
0x080a5391 <ast_safe_system+1587>:      mov    %edx,0x4(%esp)
0x080a5395 <ast_safe_system+1591>:      movl   $0x80eac0e,(%esp)
0x080a539c <ast_safe_system+1598>:      call   0x8056989 <ast_verbose>
0x080a53a1 <ast_safe_system+1603>:      jmp    0x80a5199 <ast_safe_system+1083>
0x080a53a6 <ast_safe_system+1608>:      movl   $0x80ebaec,(%esp)
0x080a53ad <ast_safe_system+1615>:      call   0x8056989 <ast_verbose>
0x080a53b2 <ast_safe_system+1620>:      jmp    0x80a5143 <ast_safe_system+997>
0x080a53b7 <ast_safe_system+1625>:      call   0x80a3de7 <ast_set_priority+2778>
0x080a53bc <ast_safe_system+1630>:      mov    0x81093c0,%edx
0x080a53c2 <ast_safe_system+1636>:      jmp    0x80a50f4 <ast_safe_system+918>
0x080a53c7 <ast_safe_system+1641>:      mov    $0x80e7f14,%eax
0x080a53cc <ast_safe_system+1646>:      jmp    0x80a501e <ast_safe_system+704>
0x080a53d1 <ast_safe_system+1651>:      sub    $0xc,%esp
0x080a53d4 <ast_safe_system+1654>:      mov    $0x1,%eax

0x080a56f7 <ast_safe_system+2457>:      mov    %eax,(%esp)
0x080a56fa <ast_safe_system+2460>:      call   0x8054a78 <fprintf@plt>
0x080a56ff <ast_safe_system+2465>:      call   0x808c708 <term_quit>

0x080a59c2 <ast_safe_system+3172>:      je     0x80a59e6 <ast_safe_system+3208>
0x080a59c4 <ast_safe_system+3174>:      movl   $0x0,0xc(%esp)
0x080a59cc <ast_safe_system+3182>:      movl   $0xa,0x8(%esp)
0x080a59d4 <ast_safe_system+3190>:      movl   $0x0,0x4(%esp)
0x080a59dc <ast_safe_system+3198>:      mov    %ebx,(%esp)
0x080a59df <ast_safe_system+3201>:      call   0x8054ec8 <__strtol_internal@plt>
0x080a59e4 <ast_safe_system+3206>:      mov    %eax,%ebp
0x080a59e6 <ast_safe_system+3208>:      mov    0x81093b8,%eax
0x080a59eb <ast_safe_system+3213>:      mov    %eax,0xc(%esp)
0x080a59ef <ast_safe_system+3217>:      movl   $0x80eacc4,0x8(%esp)
0x080a59f7 <ast_safe_system+3225>:      movl   $0x50,0x4(%esp)
0x080a59ff <ast_safe_system+3233>:      lea    0x20(%esp),%ebx
0x080a5a03 <ast_safe_system+3237>:      mov    %ebx,(%esp)
0x080a5a06 <ast_safe_system+3240>:      call   0x80551a8 <snprintf@plt>
0x080a5a0b <ast_safe_system+3245>:      mov    %ebx,%edx
0x080a5a0d <ast_safe_system+3247>:      mov    0x8104178,%eax

<ast_safe_system+2185>:       0xff
(gdb)
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86
(0100 times 3 pages)

When I type ret, halfway through the address it prints x86*CLI> for 3 pages (even after I let it idle for a while).



0x80a560a <ast_safe_system+2220>:       0x00
(gdb)
x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*C
(very large, keeps going 100x)

0x80a56a0 <ast_safe_system+2370>:       0x04



0x80a5736 <ast_safe_system+2520>:       0x08
(gdb)
x86*CLI> x86*CLI> x86*CLI> 0x80a5737 <ast_safe_system+2521>:    0xe8
(gdb)

x86@3[newsploit]$ gdb gdb
GNU gdb 6.4-debian
Copyright 2005 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...(no debugging symbols found)
Using host libthread_db library "/lib/tls/libthread_db.so.1".

(gdb) x 0x80a561b
0x80a561b <validate_actionline+606>:    0xfd1400e8
(gdb)
0x80a561f <validate_actionline+610>:    0xec4589ff
(gdb)
0x80a5623 <validate_actionline+614>:    0xffff60e9
(gdb)
0x80a5627 <validate_actionline+618>:    0x2444c7ff
(gdb)
0x80a562b <validate_actionline+622>:    0x0a250704
(gdb)
0x80a562f <validate_actionline+626>:    0x24348908
(gdb)
0x80a5633 <validate_actionline+630>:    0x006825e8
(gdb)
0x80a5637 <validate_actionline+634>:    0x0fc08500
(gdb)
0x80a563b <validate_actionline+638>:    0x00008f84
(gdb)
0x80a563f <validate_actionline+642>:    0xec4d8b00
Program received signal SIGINT, Interrupt.
0xb7e55de8 in poll () from /lib/tls/libc.so.6
(gdb) x 0xb7e55de8
0xb7e55de8 <poll+56>:   0x003dfb87
(gdb)
0xb7e55dec <poll+60>:   0x89fffff0
(gdb)
0xb7e55df0 <poll+64>:   0x893b77c7   


(gdb) backtrace
#0  0xb7e55de8 in poll () from /lib/tls/libc.so.6
#1  0x08112244 in gdb_do_one_event ()
#2  0x0810f303 in catch_errors ()
#3  0x080bbd21 in _initialize_tui_hooks ()
#4  0x0810f59b in current_interp_command_loop ()
#5  0x080779cb in main ()

(gdb) ret 0x9010f5cb


#0  0x08112244 in gdb_do_one_event ()

x/s $eip

0x8113d33 <inferior_event_handler_wrapper+49>:   "ÉÃ", '\220' <repeats 11 times>, "U\211å¡Ði(\b]ÃU\211å1À]ÃU\211åWVS\203ì\034Ç\004$\004"
(gdb)


0x81183b3 <gdbarch_pseudo_register_write+216>:   "Ç\004$|^#\bèepöÿU\211å\213U\f\213E\b\211Pt]ÃU\211åS\203ì\024\213]\b\205Ût/\213Cx\203øÿtk\203=ðã(\b\001~\030ÇD$\004áZ#\b¡h!*\b\211\004$èQ\200öÿ\213Cx\203Ä\024[]ÃÇD$\b\005"
(gdb)

0x811b40d <set_gdbarch_unwind_sp+15>:    "]ÃU\211åVS\203ì \213]\b\213u\f\205Ût9\213\213X\001"
(gdb)
0x811b426 <gdbarch_deprecated_saved_pc_after_call+23>:   ""
(gdb)
0x811b427 <gdbarch_deprecated_saved_pc_after_call+24>:   "\205Éts\203=ðã(\b\001~\033ÇD$\004ü¤#\b¡h!*\b\211\004$è\tPöÿ\213\213X\001"
(gdb)
0x811b44e <gdbarch_deprecated_saved_pc_after_call+63>:   ""
(gdb)
0x811b44f <gdbarch_deprecated_saved_pc_after_call+64>:   "\211u\b\203Ä [^]ÿáÇD$\b\005"
(gdb)
0x811b460 <gdbarch_deprecated_saved_pc_after_call+81>:   ""
(gdb)
0x811b461 <gdbarch_deprecated_saved_pc_after_call+82>:   ""
(gdb)
0x811b462 <gdbarch_deprecated_saved_pc_after_call+83>:   "ÇD$\004\226s \bÇ\004$"
(gdb)

(it's jumping around) possible jmp trick exploit found


0x811b5d5 <set_gdbarch_frame_num_args+15>:       "]ÃU\211åVS\203ì \213]\b\213u\f\205Ût9\213\213`\001"
(gdb)
0x811b5ee <gdbarch_deprecated_stack_align+23>:   ""
(gdb)
0x811b5ef <gdbarch_deprecated_stack_align+24>:   "\205Éts\203=ðã(\b\001~\033ÇD$\004\224¥#\b¡h!*\b\211\004$èANöÿ\213\213`\001"
(gdb)
0x811b616 <gdbarch_deprecated_stack_align+63>:   ""
(gdb)

0x811cfb5 <deprecated_register_gdbarch_swap+52>:         "\213\023\213E\020\211B\b\213E\b\211\002\213E\f\211B\004\203Ä\004[]ÃU\211åVS\203ì \2135ài(\b\205ötW\213^$\205Ût=\213C\004\213\v\213\020\213@\004\211D$\b\211T$\004\211\f$诣õÿ\213C\004\213\020\213@\004\211D$\bÇD$\004"
(gdb)

(being run as regular user )

Unable to connect to remote asterisk (does /var/run/asterisk/asterisk.ctl exist?)

Program exited with code 01.
(gdb) run asterisk -r |
Starting program: /usr/sbin/asterisk asterisk -r |
/bin/bash: -c: line 1: syntax error: unexpected end of file

Program exited with code 02.
You can't do that without a process to debug.
(gdb) run asterisk -r |x86*CLI> x86*CLI> x86*CLI> Quit
(gdb) run asterisk -vvvvvc
Starting program: /usr/sbin/asterisk asterisk -vvvvvc
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
[Thread debugging using libthread_db enabled]
[New Thread -1212167968 (LWP 32289)]
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
(no debugging symbols found)
Error in re-setting breakpoint 1:
Function "main" not defined.
Unable to open pid file '/var/run/asterisk/asterisk.pid': Permission denied
[New Thread -1212171344 (LWP 32293)]
[Thread -1212171344 (LWP 32293) exited]
Unable to bind socket to /var/run/asterisk/asterisk.ctl: Address already in use
  == Parsing '/etc/asterisk/asterisk.conf': Not found (Permission denied)
  == Parsing '/etc/asterisk/extconfig.conf': Not found (Permission denied)
Asterisk 1.2.7.1, Copyright (C) 1999 - 2006 Digium, Inc. and others.
Created by Mark Spencer <markster@xxxxxxxxxx>
Asterisk comes with ABSOLUTELY NO WARRANTY; type 'show warranty' for details.
This is free software, with components licensed under the GNU General Public
License version 2 and other licenses; you are welcome to redistribute it under
certain conditions. Type 'show license' for details.
=========================================================================
  == Parsing '/etc/asterisk/logger.conf': Not found (Permission denied)
Unable to open logger.conf: Permission denied
rJan 18 07:36:58 ERROR[32289]: logger.c:625 init_logger: Unable to create event log: Permission denied 

#0  0xb7da1ea4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080554f1 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y

/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n)         

\f\213E\b\211]ôè³\213ÿÿ\201ÃÍ4"
(gdb)
0xb7f7b70c <pthread_getaffinity_np@@GLIBC_2.3.4+28>:     ""
(gdb)
0xb7f7b70d <pthread_getaffinity_np@@GLIBC_2.3.4+29>:     "\211}ü\205ö\213U\020\213xH\211ñxJ\207߸ò"
(gdb)
0xb7f7b721 <pthread_getaffinity_np@@GLIBC_2.3.4+49>:     ""
(gdb)
0xb7f7b722 <pthread_getaffinity_np@@GLIBC_2.3.4+50>:     ""
(gdb)
0xb7f7b723 <pthread_getaffinity_np@@GLIBC_2.3.4+51>:     "Í\200\207û="
(gdb)
0xb7f7b729 <pthread_getaffinity_np@@GLIBC_2.3.4+57>:     "ðÿÿv\022\213]ô÷Ø\213uø\213}ü\211ì]Ã\215v"
(gdb)
0xb7f7b740 <pthread_getaffinity_np@@GLIBC_2.3.4+80>:     ")Æ\215\f\0021Ò\211t$\b\211T$\004\211\f$è\215\212ÿÿ\213]ô1À\213uø\213}ü\211ì]ùÿÿÿ\177ë¯\215v"
(gdb)
0xb7f7b770 <pthread_getaffinity_np@xxxxxxxxxxx>:         "U¹\200"
(gdb)
0xb7f7b774 <pthread_getaffinity_np@xxxxxxxxxxx+4>:       ""
(gdb)                                        

0x000008ec in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080ec8c4 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080ec594 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x08110800 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y

#0  0xb7f43bf6 in _dl_rtld_di_serinfo () from /lib/ld-linux.so.2
(gdb)                                             
ret 0xb7da1ea4


x86*CLI> x86*CLI> x86*CLI> x86*CLI> x86*CLI> #0  0x080554f1 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y

/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.
Quit this debugging session? (y or n) 

(gdb)
Make selected stack frame return now? (y or n) y
#0  0x00000001 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x00000000 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080ec8a6 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080ec640 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x08110800 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y
#0  0xb7ece52e in in6addr_any ()
   from /lib/tls/libc.so.6
(gdb) backtrace
#0  0xb7ece52e in in6addr_any () from /lib/tls/libc.so.6
#1  0xb7fb7eec in ?? ()


    () from /lib/tls/libpthread.so.0
(gdb) backtrace
#0  0xb7f3d312 in sysctl_args.0 () from /lib/tls/libpthread.so.0
#1  0xb7f61b30 in _dl_rtld_di_serinfo () from /lib/ld-linux.so.2
#2  0xb7f35717 in __pthread_initialize_minimal_internal ()
   from /lib/tls/libpthread.so.0
#3  0xb7d62ea4 in __libc_start_main () from /lib/tls/libc.so.6
#4  0x080554f1 in ?? ()

   () from /lib/tls/libpthread.so.0
(gdb) backtrace
#0  0xb7f4a310 in sysctl_args.0 () from /lib/tls/libpthread.so.0
#1  0xb7f4a312 in sysctl_args.0 () from /lib/tls/libpthread.so.0
#2  0xb7f6eb30 in _dl_rtld_di_serinfo () from /lib/ld-linux.so.2
#3  0xb7f42717 in __pthread_initialize_minimal_internal ()
   from /lib/tls/libpthread.so.0
#4  0xb7d6fea4 in __libc_start_main () from /lib/tls/libc.so.6
#5  0x080554f1 in ?? ()

#0  0xb7dd0ea4 in __libc_start_main () from /lib/tls/libc.so.6
(gdb)
Make selected stack frame return now? (y or n) y
#0  0x080554f1 in ?? ()
(gdb)
Make selected stack frame return now? (y or n) y

/build/buildd/gdb-6.4/gdb/frame.c:616: internal-error: frame_register: Assertion `frame != NULL && frame->next != NULL' failed.
A problem internal to GDB has been detected,
further debugging may prove unreliable.

Object file /usr/sbin/asterisk:  Objfile at 0x82efce8, bfd at 0x82de9c0, 1178 minsyms


Object file system-supplied DSO at 0xffffe000:  Objfile at 0x83334c8, bfd at 0x8303d50, 4 minsyms


Object file /lib/tls/libdl.so.2:  Objfile at 0x83999b8, bfd at 0x836be08, 31 minsyms


Object file /lib/tls/libpthread.so.0:  Objfile at 0x83aa900, bfd at 0x831eb80, 696 minsyms


Object file /lib/libncurses.so.5:  Objfile at 0x83dd1b0, bfd at 0x8359e08, 760 minsyms


Object file /lib/tls/libm.so.6:  Objfile at 0x8400e80, bfd at 0x8319958, 331 minsyms


Object file /lib/tls/libresolv.so.2:  Objfile at 0x84197f0, bfd at 0x831e8b0, 135 minsyms


Object file /usr/lib/i686/cmov/libssl.so.0.9.8:  Objfile at 0x842b9f0, bfd at 0x8359128, 665 minsyms


Object file /lib/tls/libc.so.6:  Objfile at 0x84590f0, bfd at 0x83b4338, 2120 minsyms


Object file /lib/ld-linux.so.2:  Objfile at 0x84c11e0, bfd at 0x83228f0, 32 minsyms


Object file /usr/lib/i686/cmov/libcrypto.so.0.9.8:  Objfile at 0x84c91e8, bfd at 0x8461160, 3344 minsyms

Program exited with code 01.
(gdb) x
0xb7da1ea5 <CAST_S_table0+60645>:        "PublicKey"
(gdb)
0xb7da1eaf <CAST_S_table0+60655>:        "i2d_RSA_NET"
(gdb)
0xb7da1ebb <CAST_S_table0+60667>:        "i2d_RSA_PUBKEY"
(gdb)
0xb7da1eca <CAST_S_table0+60682>:        "LONG_C2I"
(gdb)
0xb7da1ed3 <CAST_S_table0+60691>:        "OID_MODULE_INIT"
(gdb)
0xb7da1ee3 <CAST_S_table0+60707>:        "PARSE_TAGGING"
(gdb)
0xb7da1ef1 <CAST_S_table0+60721>:        "PKCS5_pb
0xb7da20c0 <CAST_S_table0+61184>:        "PBEPARAM"
(gdb)
0xb7da20c9 <CAST_S_table0+61193>:        "salt"
(gdb)
0xb7da20ce <CAST_S_table0+61198>:        "iter"
(gdb)
0xb7da20d3 <CAST_S_table0+61203>:        "p5_pbe.c"
(gdb)
0xb7da20dc <CAST_S_table0+61212>:        "PBKDF2PARAM"
(gdb)
0xb7da20e8 <CAST_S_table0+61224>:        "PBE2PARAM"
(gdb)
0xb7da20f2 <CAST_S_table0+61234>:        "keyfunc"
(gdb)
0xb7da20fa <CAST_S_table0+61242>:        "p5_pbev2.c"
(gdb)
0xb7da2105 <CAST_S_table0+61253>:        "PKCS8_PRIV_KEY_INFO"
(gdb)
0xb7da2119 <CAST_S_table0+61273>:        "pkeyalg"
(gdb)
0xb7da2121 <CAST_S_table0+61281>:        "oid_section"

0xb7da21b8 <CAST_S_table0+61432>:        "strlen(objstr)+23+2*enc->iv_len+13 <= sizeof buf"
                               (string exploit here)

(gdb) disas 0xb7da31e4
Dump of assembler code for function CAST_S_table0:

Unable to open pid file '/var/run/asterisk/asterisk.pid': Permission denied
[New Thread -1211937872 (LWP 15438)]

Program received signal SIGINT, Interrupt.
[Switching to Thread -1211934496 (LWP 15437)]
0xb7e0654c in nanosleep () from /lib/tls/libc.so.6
(gdb) backtrace
#0  0xb7e0654c in nanosleep () from /lib/tls/libc.so.6
#1  0xb7e3ce2a in usleep () from /lib/tls/libc.so.6
#2  0x080b34a8 in test_for_thread_safety ()
#3  0x00000064 in ?? ()
#4  0x00000000 in ?? ()

null byte - 0xb7da33cc <STORE_param_sizes+348>:      "\n"

0xb7e7e770 <catanh+176>:         "ÝE\f\203þ\002\017\224À1Ò\203ÿ\002\017\224ÂÝ]Ø\
205ÐÝE\024uÆÙ\203¤¯ÿÿÙÁÞÊÝE\fÝE\fÙÉØêÙÉØÂÙËÝUÐÙÉØÈÙËØÈÙËØÁÙËÞÁÝ\034$Ý]¨Ý]¸èj·ÿÿÝ
E¸ÙÉÝ]ØÝ\034$èZ·ÿÿÜmØÝE¨ÝE\024ÙÊØ\213è´ÿÿÙÊØÀÙÊÝ]ØÝE\fØÈÞéÜeÐÙóÝ]à\213E\bÝEàØ\21
3¨¯ÿÿÝEØéDÿÿÿ\215»Ð®ÿÿ\211<$èOåÿÿ\213E\bÝUØÝEØÙÉÝX\bÝ\030\213]ô\213uø\213"...
(gdb)
(parts lit up in black and blinking)
(looks like hi-ascii)