1--TEST-- 2Bug #70284 (Use after free vulnerability in unserialize() with GMP) 3--EXTENSIONS-- 4gmp 5--FILE-- 6<?php 7 8$inner = 'r:2;a:1:{i:0;a:1:{i:0;r:4;}}'; 9$exploit = 'a:2:{i:0;s:1:"1";i:1;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}'; 10 11$data = unserialize($exploit); 12 13$fakezval = ptr2str(1122334455); 14$fakezval .= ptr2str(0); 15$fakezval .= "\x00\x00\x00\x00"; 16$fakezval .= "\x01"; 17$fakezval .= "\x00"; 18$fakezval .= "\x00\x00"; 19 20for ($i = 0; $i < 5; $i++) { 21 $v[$i] = $fakezval.$i; 22} 23 24var_dump($data); 25 26function ptr2str($ptr) 27{ 28$out = ''; 29 for ($i = 0; $i < 8; $i++) { 30 $out .= chr($ptr & 0xff); 31 $ptr >>= 8; 32 } 33 return $out; 34} 35?> 36--EXPECTF-- 37Fatal error: Uncaught Exception: Could not unserialize number in %sbug70284.php:6 38Stack trace: 39#0 %sbug70284.php(6): unserialize('%s') 40#1 {main} 41 thrown in %sbug70284.php on line 6 42