--TEST--
Bug #70436: Use After Free Vulnerability in unserialize()
--FILE--
<?php

/*
 * Regression test for bug #70436.
 *
 * A crafted unserialize() payload nests a Serializable object whose own
 * unserialize() fails, a binary string element, and a back-reference
 * (R:5;) to an earlier value slot.  A fixed engine must reject the whole
 * payload (unserialize() returns false, three notices are emitted) rather
 * than dereference a value that was already released.  The payload bytes
 * below must stay exactly as they are for the test to remain meaningful.
 */

class obj implements Serializable
{
    public $data;

    /* Hand the wrapped value to the engine serializer. */
    function serialize()
    {
        return serialize($this->data);
    }

    /* Nested unserialize(); for this payload the inner bytes are not a
     * valid serialized value, so a notice is raised and $data becomes false. */
    function unserialize($data)
    {
        $this->data = unserialize($data);
    }
}

/* Encode $ptr as 8 bytes, least-significant byte first (little-endian
 * 64-bit).  Only the low 8 bytes of $ptr are emitted. */
function ptr2str($ptr)
{
    $bytes = '';
    $remaining = 8;

    while ($remaining-- > 0) {
        $bytes .= chr($ptr & 0xff);
        $ptr >>= 8;
    }

    return $bytes;
}

/* 24-byte blob that stands in for an engine value slot: two 8-byte words
 * followed by eight fixed bytes.  Only its exact length and content matter
 * to this test. */
$fakezval = ptr2str(1122334455)
    . ptr2str(0)
    . "\x00\x00\x00\x00"
    . "\x01"
    . "\x00"
    . "\x00\x00";

/* Inner object payload: declared length 3 but followed by more bytes, so
 * the inner unserialize() fails ("offset 0 of 3 bytes" in the expectation). */
$inner = 'C:3:"obj":3:{ryat';

/* Outer array: two ints, the failing object, the fake-value string, and a
 * back-reference to slot 5.  The lengths are computed so the byte layout
 * is identical to the original report. */
$payload = sprintf(
    'a:4:{i:0;i:1;i:1;C:3:"obj":%d:{%s}i:2;s:%d:"%s";i:3;R:5;}',
    strlen($inner),
    $inner,
    strlen($fakezval),
    $fakezval
);

$result = unserialize($payload);

/* Expected: bool(false) — the engine refuses the payload instead of crashing. */
var_dump($result);
?>
DONE
--EXPECTF--
Notice: unserialize(): Error at offset 0 of 3 bytes in %sbug70436.php on line %d

Notice: unserialize(): Error at offset 16 of 17 bytes in %sbug70436.php on line %d

Notice: unserialize(): Error at offset 93 of 94 bytes in %sbug70436.php on line %d
bool(false)
DONE
