┌─ process timing ─────────────────────────────────────┬─ overall results ─────┐
│ run time : 2 days, 1 hrs, 55 min, 13 sec │ cycles done : 9 │
│ last new path : 0 days, 0 hrs, 1 min, 47 sec │ total paths : 18.4k │
│ last uniq crash : 0 days, 3 hrs, 0 min, 53 sec │ uniq crashes : 23 │
│ last uniq hang : 1 days, 11 hrs, 26 min, 39 sec │ uniq hangs : 500+ │
├──────────────────────────────────────────────────────┴───────────────────────┤
After 2 days, I've 23 unique crashes.
ASAN output:
=================================================================
==24483==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d85a at pc 0x473376 bp 0x7ffd8e096950 sp 0x7ffd8e096928
READ of size 11 at 0x60200000d85a thread T0
==24483==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x473375 (/home/ownager/perl/perl+0x473375)
#1 0x190b202 (/home/ownager/perl/perl+0x190b202)
#2 0x190a118 (/home/ownager/perl/perl+0x190a118)
#3 0x11bcb21 (/home/ownager/perl/perl+0x11bcb21)
#4 0xff1ac8 (/home/ownager/perl/perl+0xff1ac8)
#5 0xfe8a7f (/home/ownager/perl/perl+0xfe8a7f)
#6 0x122e865 (/home/ownager/perl/perl+0x122e865)
#7 0x122dbe4 (/home/ownager/perl/perl+0x122dbe4)
#8 0xce7c76 (/home/ownager/perl/perl+0xce7c76)
#9 0x6b58b9 (/home/ownager/perl/perl+0x6b58b9)
#10 0x498503 (/home/ownager/perl/perl+0x498503)
#11 0x7f0d825b3ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#12 0x497fac (/home/ownager/perl/perl+0x497fac)
0x60200000d85a is located 0 bytes to the right of 10-byte region [0x60200000d850,0x60200000d85a)
allocated by thread T0 here:
#0 0x481ec9 (/home/ownager/perl/perl+0x481ec9)
#1 0xcf34db (/home/ownager/perl/perl+0xcf34db)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c047fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9af0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9b00: fa fa fa fa fa fa fa fa fa fa 00[02]fa fa 00 02
0x0c047fff9b10: fa fa 00 02 fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9b20: fa fa 00 02 fa fa fd fd fa fa fd fd fa fa 07 fa
0x0c047fff9b30: fa fa 02 fa fa fa 00 04 fa fa 00 fa fa fa 00 05
0x0c047fff9b40: fa fa 00 03 fa fa 00 02 fa fa 00 07 fa fa 00 06
0x0c047fff9b50: fa fa 00 02 fa fa 00 fa fa fa 00 05 fa fa 00 02
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
ownager-VirtualBox crashes #
=================================================================
==26762==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300000e170 at pc 0x95e3b7 bp 0x7ffd4e982140 sp 0x7ffd4e982138
READ of size 1 at 0x60300000e170 thread T0
==26762==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x95e3b6 (/home/ownager/perl/perl+0x95e3b6)
#1 0x90bed7 (/home/ownager/perl/perl+0x90bed7)
#2 0x97846d (/home/ownager/perl/perl+0x97846d)
#3 0x6a474f (/home/ownager/perl/perl+0x6a474f)
#4 0x68c023 (/home/ownager/perl/perl+0x68c023)
#5 0x498462 (/home/ownager/perl/perl+0x498462)
#6 0x7fead7328ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#7 0x497fac (/home/ownager/perl/perl+0x497fac)
0x60300000e170 is located 0 bytes inside of 24-byte region [0x60300000e170,0x60300000e188)
freed by thread T0 here:
#0 0x481d49 (/home/ownager/perl/perl+0x481d49)
#1 0xcf5c81 (/home/ownager/perl/perl+0xcf5c81)
#2 0x10e443e (/home/ownager/perl/perl+0x10e443e)
previously allocated by thread T0 here:
#0 0x4820c3 (/home/ownager/perl/perl+0x4820c3)
#1 0xcf484a (/home/ownager/perl/perl+0xcf484a)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c067fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9bf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c067fff9c20: fa fa fa fa fa fa fa fa fd fd fd fd fa fa[fd]fd
0x0c067fff9c30: fd fa fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa
0x0c067fff9c40: 00 00 00 03 fa fa 00 00 04 fa fa fa 00 00 00 01
0x0c067fff9c50: fa fa 00 00 04 fa fa fa 00 00 03 fa fa fa 00 00
0x0c067fff9c60: 00 fa fa fa 00 00 00 01 fa fa 00 00 02 fa fa fa
0x0c067fff9c70: 00 00 01 fa fa fa 00 00 02 fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
=================================================================
==30729==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000d7fa at pc 0x473376 bp 0x7ffffb113460 sp 0x7ffffb113438
READ of size 11 at 0x60200000d7fa thread T0
==30729==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x473375 (/home/ownager/perl/perl+0x473375)
#1 0x190b202 (/home/ownager/perl/perl+0x190b202)
#2 0x190a118 (/home/ownager/perl/perl+0x190a118)
#3 0x11bcb21 (/home/ownager/perl/perl+0x11bcb21)
#4 0xff1ac8 (/home/ownager/perl/perl+0xff1ac8)
#5 0xffd102 (/home/ownager/perl/perl+0xffd102)
#6 0x123aab4 (/home/ownager/perl/perl+0x123aab4)
#7 0xce7c76 (/home/ownager/perl/perl+0xce7c76)
#8 0x527eae (/home/ownager/perl/perl+0x527eae)
#9 0x4f3de0 (/home/ownager/perl/perl+0x4f3de0)
#10 0x986290 (/home/ownager/perl/perl+0x986290)
#11 0x6a474f (/home/ownager/perl/perl+0x6a474f)
#12 0x68c023 (/home/ownager/perl/perl+0x68c023)
#13 0x498462 (/home/ownager/perl/perl+0x498462)
#14 0x7fbfb440eec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#15 0x497fac (/home/ownager/perl/perl+0x497fac)
0x60200000d7fa is located 0 bytes to the right of 10-byte region [0x60200000d7f0,0x60200000d7fa)
allocated by thread T0 here:
#0 0x481ec9 (/home/ownager/perl/perl+0x481ec9)
#1 0xcf34db (/home/ownager/perl/perl+0xcf34db)
SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 ??
Shadow bytes around the buggy address:
0x0c047fff9aa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ab0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c047fff9ae0: fa fa fa fa fa fa 00 02 fa fa fd fd fa fa fd fd
=>0x0c047fff9af0: fa fa 00 02 fa fa fd fd fa fa 00 02 fa fa 00[02]
0x0c047fff9b00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa 00 02
0x0c047fff9b10: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x0c047fff9b20: fa fa 00 02 fa fa fd fd fa fa 00 04 fa fa 07 fa
0x0c047fff9b30: fa fa 02 fa fa fa 00 04 fa fa 00 fa fa fa 00 05
0x0c047fff9b40: fa fa 00 03 fa fa 00 02 fa fa 00 07 fa fa 00 06
Shadow byte legend (one shadow byte represents 8 application bytes):
=================================================================
==31485==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000007913 at pc 0x520927 bp 0x7ffe690f2c70 sp 0x7ffe690f2c68
READ of size 1 at 0x625000007913 thread T0
==31485==WARNING: Trying to symbolize code, but external symbolizer is not initialized!
#0 0x520926 (/home/ownager/perl/perl+0x520926)
#1 0x98a95b (/home/ownager/perl/perl+0x98a95b)
#2 0x6a474f (/home/ownager/perl/perl+0x6a474f)
#3 0x68c023 (/home/ownager/perl/perl+0x68c023)
#4 0x498462 (/home/ownager/perl/perl+0x498462)
#5 0x7f5a562d2ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
#6 0x497fac (/home/ownager/perl/perl+0x497fac)
0x625000007913 is located 19 bytes inside of 8200-byte region [0x625000007900,0x625000009908)
freed by thread T0 here:
#0 0x4820c3 (/home/ownager/perl/perl+0x4820c3)
#1 0xcf484a (/home/ownager/perl/perl+0xcf484a)
previously allocated by thread T0 here:
#0 0x4820c3 (/home/ownager/perl/perl+0x4820c3)
#1 0xcf484a (/home/ownager/perl/perl+0xcf484a)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
0x0c4a7fff8ed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8ee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a7fff8ef0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
0x0c4a7fff8f00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c4a7fff8f10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4a7fff8f20: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fff8f30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fff8f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fff8f50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fff8f60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c4a7fff8f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Then I run the script under GDB; the output looks something like this:
/ownager/perl/perl /tmp/vuln.pl
Program received signal SIGSEGV, Segmentation fault.
──[registers]──
$rax 0x3e352c4c4c475047 $rbx 0x000062100001bd00 $rcx 0x0000000000000047 $rdx 0x0000000000665a00 $rsp 0x00007fffffffd438
$rbp 0x00007fffffffd470 $rsi 0x0000000000000000 $rdi 0x3e352c4c4c475047 $rip 0x00007ffff6d1faea $r8 0x0000000000000000
$r9 0x00000ffffffffad4 $r10 0xfffffffffffffffc $r11 0x00007fffffffd6a0 $r12 0x3e352c4c4c475047 $r13 0x000000000000000e
$r14 0x3e352c4c4c475047 $r15 0x0000000000000000 $cs 0x0000000000000033 $ss 0x000000000000002b $ds 0x0000000000000000
$es 0x0000000000000000 $fs 0x0000000000000000 $gs 0x0000000000000000 $eflags [ CF PF AF SF IF RF ]
Flags: [ CARRY PARITY ADJUST zero SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification ]
──[stack]──
0x00007fffffffd438│+0x00: 0x0000000000473297 → <strlen+55>: mov r14,rax ← $sp
0x00007fffffffd440│+0x08: 0x00007fffffffdb00 → 0x000060200000d752 → 0xbebebebebebe00
0x00007fffffffd448│+0x10: "[...]"
0x00007fffffffd450│+0x18: 0x000062100001bd68 → 0x0
0x00007fffffffd458│+0x20: -0x4
0x00007fffffffd460│+0x28: "GPGLL,5>"
0x00007fffffffd468│+0x30: 0x0
0x00007fffffffd470│+0x38: 0x00007fffffffdae0 → 0x00007fffffffdba0 → 0x00007fffffffdc20 → 0x00007fffffffdd90 → 0x00007fffffffde10 → 0x0
──[code:i386:x86-64]──
0x7ffff6d1fad7 <strlen+23> mov rcx,rdi
0x7ffff6d1fada <strlen+26> and rcx,0xfff
0x7ffff6d1fae1 <strlen+33> cmp rcx,0xfcf
0x7ffff6d1fae8 <strlen+40> ja 0x7ffff6d1fb50 <strlen+144>
0x7ffff6d1faea <strlen+42> movdqu xmm12,XMMWORD PTR [rax] ← $pc
0x7ffff6d1faef <strlen+47> pcmpeqb xmm12,xmm8
0x7ffff6d1faf4 <strlen+52> pmovmskb edx,xmm12
0x7ffff6d1faf9 <strlen+57> test edx,edx
0x7ffff6d1fafb <strlen+59> je 0x7ffff6d1fb01 <strlen+65>
───────────────────────────────────────────────────────────────────────────
#kayfadavam