Bug #72433: Use After Free Vulnerability in PHP's GC algorithm and unserialize
--FILE--
<?php
-// Fill any potential freed spaces until now.
-$filler = array();
-for($i = 0; $i < 100; $i++)
- $filler[] = "";
-// Create our payload and unserialize it.
$serialized_payload = 'a:3:{i:0;r:1;i:1;r:1;i:2;C:11:"ArrayObject":19:{x:i:0;r:1;;m:a:0:{}}}';
-$free_me = unserialize($serialized_payload);
-// We need to increment the reference counter of our ArrayObject s.t. all reference counters of our unserialized array become 0.
-$inc_ref_by_one = $free_me[2];
-// The call to gc_collect_cycles will free '$free_me'.
-gc_collect_cycles();
-// We now have multiple freed spaces. Fill all of them.
-$fill_freed_space_1 = "filler_zval_1";
-$fill_freed_space_2 = "filler_zval_2";
-var_dump($free_me);
+var_dump(unserialize($serialized_payload));
?>
--EXPECTF--
-Notice: unserialize(): Error at offset %d of %d bytes in %sbug72433.php on line 8
+Notice: unserialize(): Error at offset %d of %d bytes in %sbug72433.php on line 3
bool(false)
$inner = 'a:1:{i:0;O:9:"Exception":2:{s:7:"'."\0".'*'."\0".'file";R:4;}';
$exploit = 'a:2:{i:0;C:3:"obj":'.strlen($inner).':{'.$inner.'}i:1;R:4;}';
-$data = unserialize($exploit);
-echo $data[1];
+var_dump(unserialize($exploit));
?>
DONE
--EXPECTF--
Notice: unserialize(): Error at offset 46 of 47 bytes in %sbug72663.php on line %d
Notice: unserialize(): Error at offset 79 of 80 bytes in %sbug72663.php on line %d
+bool(false)
DONE
projects / php / commitdiff