dualbus@debian:~/bash-fuzzing/read-readline$ base64 loop AAAbLbUA9loQGDIYLhwYGBkYGJgYGBj4FwAYYBlEAERLG0YK
dualbus@debian:~/bash-fuzzing/read-readline$ od -c loop
0000000  \0  \0 033   - 265  \0 366   Z 020 030   2 030   . 034 030 030
0000020 031 030 030 230 030 030 030 370 027  \0 030   ` 031   D  \0   D
0000040   K 033   F  \n
0000044
(gdb) r -c 'exec <loop; read -e'
Starting program: /home/dualbus/src/gnu/bash/bash -c 'exec <loop; read -e'
U^@^A^@^@U^@^A^@^@U^C
Program received signal SIGINT, Interrupt.
0x000000000052f42c in _rl_find_next_mbchar (string=0xffffffff00000001 <error: Cannot access memory at address 0xffffffff00000001>, seed=102, count=0, flags=1) at mbutil.c:355
355	  return _rl_find_next_mbchar_internal (string, seed, count, flags);
(gdb) bt
#0  0x000000000052f42c in _rl_find_next_mbchar (string=0xffffffff00000001 <error: Cannot access memory at address 0xffffffff00000001>, seed=102, count=0, flags=1) at mbutil.c:355
#1  0x000000000052426a in rl_forward_word (count=1, key=102) at text.c:470
#2  0x00000000004fe797 in _rl_dispatch_subseq (key=102, map=0x771d80 <emacs_meta_keymap>, got_subseq=0) at readline.c:851
#3  0x00000000004fe139 in _rl_dispatch (key=102, map=0x771d80 <emacs_meta_keymap>) at readline.c:797
#4  0x00000000004fe6b1 in _rl_dispatch_subseq (key=70, map=0x771d80 <emacs_meta_keymap>, got_subseq=0) at readline.c:840
#5  0x00000000004fed5f in _rl_dispatch_subseq (key=27, map=0x772d90 <emacs_standard_keymap>, got_subseq=0) at readline.c:985
#6  0x00000000004fe139 in _rl_dispatch (key=27, map=0x772d90 <emacs_standard_keymap>) at readline.c:797
#7  0x00000000004fe0a9 in readline_internal_char () at readline.c:629
#8  0x00000000004ff692 in readline_internal_charloop () at readline.c:656
#9  0x00000000004fda02 in readline_internal () at readline.c:670
#10 0x00000000004fd8c0 in readline (prompt=0x551319 "") at readline.c:374
#11 0x00000000004ccfd6 in edit_line (p=0x551319 "", itext=0x0) at ./read.def:1070
#12 0x00000000004cbc13 in read_builtin (list=0x0) at ./read.def:550
#13 0x000000000044efaf in execute_builtin (builtin=0x4cad80 <read_builtin>, words=0x8296c8, flags=0, subshell=0) at execute_cmd.c:4605
#14 0x000000000044e3e0 in execute_builtin_or_function (words=0x8296c8, builtin=0x4cad80 <read_builtin>, var=0x0, redirects=0x0, fds_to_close=0x829628, flags=0) at execute_cmd.c:5103
#15 0x0000000000447095 in execute_simple_command (simple_command=0x8299c8, pipe_in=-1, pipe_out=-1, async=0, fds_to_close=0x829628) at execute_cmd.c:4391
#16 0x0000000000444b71 in execute_command_internal (command=0x829988, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x829628) at execute_cmd.c:812
#17 0x0000000000448b18 in execute_connection (command=0x829c48, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x829628) at execute_cmd.c:2639
#18 0x0000000000444f2e in execute_command_internal (command=0x829c48, asynchronous=0, pipe_in=-1, pipe_out=-1, fds_to_close=0x829628) at execute_cmd.c:980
#19 0x00000000004c1fd7 in parse_and_execute (string=0x811268 "exec <loop; read -e", from_file=0x535b5f "-c", flags=4) at evalstring.c:430
#20 0x00000000004271af in run_one_command (command=0x7fffffffe70c "exec <loop; read -e") at shell.c:1405
#21 0x00000000004251fd in main (argc=3, argv=0x7fffffffe458, env=0x7fffffffe478) at shell.c:718
(gdb) frame 1
#1  0x000000000052426a in rl_forward_word (count=1, key=102) at text.c:470
470	      rl_point = MB_NEXTCHAR (rl_line_buffer, rl_point, 1, MB_FIND_NONZERO);
(gdb) p rl_point
$1 = 1
(gdb) p rl_end
$2 = 11
(gdb) p rl_line_buffer
$3 = 0x82d408 "U"
# Note: the session above ended with SIGINT (a manual Ctrl-C), i.e. the first
# payload makes `read -e` spin in rl_forward_word / _rl_find_next_mbchar rather
# than crash outright -- hence the file name "loop". The string=0xffffffff00000001
# shown in frame 0 does not match the rl_line_buffer=0x82d408 printed from frame 1;
# whether that is a genuinely corrupted pointer or a gdb display artifact of the
# MB_NEXTCHAR macro/optimised frame is not established by this transcript.
# If the first payload doesn't reproduce the hang, try the AFL crash case below
# (AFL's "sig:06" suffix means the run died with signal 6, SIGABRT, rather than
# looping):
dualbus@debian:~/bash-fuzzing/read-readline$ base64 id\:000459\,sig\:06\,src\:021330+019452\,op\:splice\,rep\:4
AAAbLbUA9loQGDIYLhwYGBkYGJgYGBj4FwAYYBlEAERLG0ZKRBkZOxkZMC24FWT/nEoRgPoAABlR
GRkwN5gVZP+AShGD+gAF+hlEAEQABAFKLgBESxsBSlcCJiYmSCZKRBkmJn//Jn8mIiYmJiYZnj/l
np6CnqiJGRkZGwU=