1--TEST-- 2Bug #70172 - Use After Free Vulnerability in unserialize() 3--FILE-- 4<?php 5class obj implements Serializable { 6 var $data; 7 function serialize() { 8 return serialize($this->data); 9 } 10 function unserialize($data) { 11 $this->data = unserialize($data); 12 } 13} 14 15class obj2 { 16 var $ryat; 17 function __wakeup() { 18 $this->ryat = 1; 19 } 20} 21 22$fakezval = ptr2str(1122334455); 23$fakezval .= ptr2str(0); 24$fakezval .= "\x00\x00\x00\x00"; 25$fakezval .= "\x01"; 26$fakezval .= "\x00"; 27$fakezval .= "\x00\x00"; 28 29$inner = 'r:2;'; 30$exploit = 'a:2:{i:0;O:4:"obj2":1:{s:4:"ryat";C:3:"obj":'.strlen($inner).':{'.$inner.'}}i:1;a:1:{i:0;a:1:{i:0;R:4;}}}'; 31 32$data = unserialize($exploit); 33 34for ($i = 0; $i < 5; $i++) { 35 $v[$i] = $fakezval.$i; 36} 37 38var_dump($data); 39 40function ptr2str($ptr) 41{ 42 $out = ''; 43 for ($i = 0; $i < 8; $i++) { 44 $out .= chr($ptr & 0xff); 45 $ptr >>= 8; 46 } 47 return $out; 48} 49?> 50--EXPECTF-- 51array(2) { 52 [0]=> 53 object(obj2)#%d (1) { 54 ["ryat"]=> 55 int(1) 56 } 57 [1]=> 58 array(1) { 59 [0]=> 60 array(1) { 61 [0]=> 62 object(obj2)#%d (1) { 63 ["ryat"]=> 64 int(1) 65 } 66 } 67 } 68}