1--TEST--
2Bug #70172 - Use After Free Vulnerability in unserialize()
3--FILE--
4<?php
/**
 * Minimal Serializable fixture for the bug #70172 regression test.
 *
 * When unserialize() meets this class in the custom `C:` form, the engine
 * passes the embedded payload to obj::unserialize(), which parses it with a
 * second, nested unserialize() call.
 *
 * NOTE(review): implementing only Serializable (without __serialize() /
 * __unserialize()) is deprecated from PHP 8.1; on such a branch the
 * deprecation notice would need to be reflected in --EXPECTF--. Confirm
 * against the branch this test targets.
 */
class obj implements Serializable {
	// Holds whatever the nested unserialize() call returned.
	var $data;
	function serialize() {
		return serialize($this->data);
	}
	function unserialize($data) {
		// Nested parse of the `C:` payload; the test input makes this payload
		// a back-reference (`R:2;`) rather than a self-contained value.
		$this->data = unserialize($data);
	}
}
14
// Filler string: two 8-byte little-endian words produced by ptr2str()
// (the marker 1122334455, then 0) followed by eight fixed bytes.
// NOTE(review): the variable name suggests it is shaped like an engine value
// record; any such layout is build- and version-specific. Confirm against
// the branch this test targets before relying on it.
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";

// Serialized input: a two-element array whose element 0 is int 1 and whose
// element 1 is a custom-serialized `obj` carrying the back-reference `R:2;`
// as its payload. strlen($inner) keeps the declared payload length correct.
$inner = 'R:2;';
$exploit = 'a:2:{i:0;i:1;i:1;C:3:"obj":'.strlen($inner).':{'.$inner.'}}';

// Trigger: obj::unserialize() runs a nested unserialize() on $inner while the
// outer call is still in progress.
$data = unserialize($exploit);

// Five string allocations made after the parse; $v is never read again.
// Presumably these exist so that memory released too early during the parse
// would be reused and overwritten - verify against the bug report.
for ($i = 0; $i < 5; $i++) {
	$v[$i] = $fakezval.$i;
}

// Detection point: --EXPECTF-- requires the object's "data" property to dump
// as int(1), the same value as array element 0. A different value, a crash,
// or a memory-checker report here would indicate that the reference pointed
// at storage freed during unserialize().
var_dump($data);
32
/**
 * Encode an integer as an 8-byte binary string, least-significant byte first.
 *
 * @param int $ptr Integer to encode.
 * @return string Exactly 8 bytes.
 */
function ptr2str($ptr)
{
	$bytes = '';
	$remaining = 8;
	while ($remaining-- > 0) {
		// Emit the current low byte, then move the next byte into position.
		$bytes .= chr($ptr & 0xff);
		$ptr >>= 8;
	}
	return $bytes;
}
42?>
43--EXPECTF--
44array(2) {
45  [0]=>
46  int(1)
47  [1]=>
48  object(obj)#%d (1) {
49    ["data"]=>
50    int(1)
51  }
52}
53