--TEST--
Bug #70172 - Use After Free Vulnerability in unserialize()
--XFAIL--
Memory leak on debug build, needs fix.
--FILE--
<?php
// Regression test for bug #70172. The section above marks it --XFAIL--, so the
// runner treats a failure as expected: it does not gate regressions until the
// leak noted there is fixed.

// Fixture class using the Serializable interface. Its unserialize() hook calls
// unserialize() again on the payload it is handed, so the payload embedded in
// the "C:" record below is parsed by a nested unserialize() call.
class obj implements Serializable {
    var $data;
    function serialize() {
        return serialize($this->data);
    }
    function unserialize($data) {
        $this->data = unserialize($data);
    }
}

// Byte string assembled from two 8-byte little-endian integers plus 8 fixed bytes.
// NOTE(review): the name suggests it mimics an engine value record; the field
// layout is engine-version specific and cannot be confirmed from this file.
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";

// "r:2;" is a back-reference by slot number. Per --EXPECTF-- it has to resolve
// to int(1), the same value as element 0 of the outer array.
$inner = 'r:2;';
// Outer array: element 0 is int(1), element 1 is a custom-serialized "obj"
// whose payload is $inner (length taken from strlen so the record stays valid).
$exploit = 'a:2:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';

$data = unserialize($exploit);

// Allocate five strings immediately after unserialize(). On a fixed build none
// of them may alias anything $data still references.
// NOTE(review): presumably on an affected build these could occupy memory the
// back-reference still points at - that is what the bug title describes.
for ($i = 0; $i < 5; $i++) {
    $v[$i] = $fakezval.$i;
}

// Dumping $data reads every unserialized value; the output must match
// --EXPECTF-- exactly, i.e. ["data"] is int(1) and not bytes from $fakezval.
var_dump($data);

/**
 * Encodes an integer as an 8-byte string, least-significant byte first.
 *
 * @param int $ptr value to encode; only its low 64 bits are emitted
 * @return string exactly 8 bytes
 */
function ptr2str($ptr)
{
    $out = '';
    for ($i = 0; $i < 8; $i++) {
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}
?>
--EXPECTF--
array(2) {
  [0]=>
  int(1)
  [1]=>
  object(obj)#%d (1) {
    ["data"]=>
    int(1)
  }
}