--TEST--
Bug #70284 (Use after free vulnerability in unserialize() with GMP)
--SKIPIF--
<?php if (!extension_loaded("gmp")) print "skip"; ?>
--FILE--
<?php

// Regression test for bug #70284: unserialize() of a custom-serialized
// (C:) GMP object whose payload uses back-references (r:N;) to values
// unserialized earlier in the same call.  The test passes when the run
// completes and var_dump() prints the --EXPECTF-- block unchanged; a
// crash or a different dump means the use-after-free has come back.

// Payload for the GMP object: a back-reference to slot 2, followed by a
// nested one-element array whose only element is another back-reference (slot 4).
$inner = 'r:2;a:1:{i:0;a:1:{i:0;r:4;}}';
// Outer value: a two-element array -- a one-character string and the GMP
// object in C: (custom unserialize) form; the length field is computed from
// $inner so the two stay consistent if the payload is edited.
$exploit = 'a:2:{i:0;s:1:"1";i:1;C:3:"GMP":'.strlen($inner).':{'.$inner.'}}';

$data = unserialize($exploit);

// A fixed byte pattern (the name suggests it is laid out like a zval: an
// 8-byte value, an 8-byte zero, then a few type/flag bytes).  It is never
// interpreted by this script itself.
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";

// $v is written but never read: the point is the five allocations.
// NOTE(review): presumably meant to reoccupy memory released during the
// unserialize() above so that a stale pointer, if the bug regressed, would
// produce a deterministic failure instead of a silent pass -- confirm
// against the bug report before changing the count or sizes.
for ($i = 0; $i < 5; $i++) {
	$v[$i] = $fakezval.$i;
}

// The actual check: dumping $data after the allocations above must still
// show the intact structure given in --EXPECTF--.
var_dump($data);

/**
 * Encode an integer as 8 bytes, least-significant byte first.
 *
 * @param int $ptr  value to encode; only its low 64 bits are emitted
 * @return string   exactly 8 bytes
 */
function ptr2str($ptr)
{
	$out = '';
	// Peel one byte per iteration from the low end; >>= shifts the next byte down.
	for ($i = 0; $i < 8; $i++) {
		$out .= chr($ptr & 0xff);
		$ptr >>= 8;
	}
	return $out;
}
?>
--EXPECTF--
array(2) {
  [0]=>
  string(1) "1"
  [1]=>
  object(GMP)#%d (2) {
    [0]=>
    array(1) {
      [0]=>
      NULL
    }
    ["num"]=>
    string(1) "1"
  }
}