--TEST--
Bug #70172 - Use After Free Vulnerability in unserialize()
--FILE--
<?php
// Regression test for bug #70172: a use-after-free in unserialize() reached
// through a user class implementing Serializable. The serialized payload below
// is the reported reproducer; a fixed interpreter must build exactly the
// structure listed under --EXPECTF-- without crashing or corrupting data.
//
// Serializable is intentionally still used here (the --EXPECTF-- section
// matches the deprecation notice) because the bug lives in that code path.

// Custom-serializable class. Its unserialize() is invoked re-entrantly by the
// outer unserialize() while the 'C:3:"obj":...' entry of the payload is being
// processed, and it in turn calls unserialize() on the embedded string.
class obj implements Serializable {
    var $data;
    function serialize() {
        return serialize($this->data);
    }
    function unserialize($data) {
        $this->data = unserialize($data);
    }
}

// __wakeup() runs once unserialize() has materialised the object. The payload
// first stores the obj instance in "ryat"; __wakeup() then replaces it with 1,
// which is the value var_dump() is expected to show.
class obj2 {
    var $ryat;
    function __wakeup() {
        $this->ryat = 1;
    }
}

// Build a zval-sized byte string (8-byte value, 8-byte zero, then type/flag
// bytes). ptr2str() is declared further down; PHP hoists unconditional
// top-level function declarations, so the forward call is fine.
$fakezval = ptr2str(1122334455);
$fakezval .= ptr2str(0);
$fakezval .= "\x00\x00\x00\x00";
$fakezval .= "\x01";
$fakezval .= "\x00";
$fakezval .= "\x00\x00";

// Payload: an array whose first element is an obj2 carrying a Serializable
// obj, and whose second element uses the 'R:4;' back-reference into the
// partially built structure. 'r:2;' inside the C: entry is the inner
// back-reference resolved by the nested unserialize() call.
$inner = 'r:2;';
$exploit = 'a:2:{i:0;O:4:"obj2":1:{s:4:"ryat";C:3:"obj":'.strlen($inner).':{'.$inner.'}}i:1;a:1:{i:0;a:1:{i:0;R:4;}}}';

$data = unserialize($exploit);

// Allocate a handful of strings after unserialize() returns; presumably this
// reuses any memory the buggy code left dangling so that the corruption shows
// up in var_dump() rather than going unnoticed. $v itself is never read.
for ($i = 0; $i < 5; $i++) {
    $v[$i] = $fakezval.$i;
}

var_dump($data);

// Encode $ptr as 8 little-endian bytes (least significant byte first).
function ptr2str($ptr)
{
    $out = '';
    for ($i = 0; $i < 8; $i++) {
        $out .= chr($ptr & 0xff);
        $ptr >>= 8;
    }
    return $out;
}
?>
--EXPECTF--
Deprecated: %s implements the Serializable interface, which is deprecated. Implement __serialize() and __unserialize() instead (or in addition, if support for old PHP versions is necessary) in %s on line %d
array(2) {
  [0]=>
  object(obj2)#%d (1) {
    ["ryat"]=>
    int(1)
  }
  [1]=>
  array(1) {
    [0]=>
    array(1) {
      [0]=>
      object(obj2)#%d (1) {
        ["ryat"]=>
        int(1)
      }
    }
  }
}