Hey. Today I'll talk about the main subject of the first chapter of my binary exploitation series: how unserialize works in PHP, and how that behaviour could be abused to get from a use-after-free to ROP.
What’s unserialize?
unserialize() is the PHP function that turns a string produced by serialize() back into a value: scalars, arrays or objects. As said in the previous post, PHP has a lot of types; the only one unserialize cannot recreate is resources (serialize() writes those out as i:0;). When it rebuilds an object, unserialize calls the class's __wakeup() method as soon as the properties are restored, and the object's __destruct() (available since PHP 5) runs later, once nothing references the object any more. Those two calls are what makes the function dangerous: the serialized string decides which class gets instantiated and what its properties contain, so passing attacker-controlled input to unserialize() lets the attacker run the __wakeup() and __destruct() of any loaded class with properties of their choosing. The PHP manual warns against exactly that, and since PHP 7.0 the allowed_classes option of unserialize() can restrict which classes may be instantiated.
Format
unserialize() reads a compact text format in which every value is prefixed with a one-letter type tag. Here's an example of what serialize() produces:
<?php
$a = array("Hello", 1337, "WUFAR", array(1, 2, 3));
echo serialize($a);
?>
And the result:
a:4:{i:0;s:5:"Hello";i:1;i:1337;i:2;s:5:"WUFAR";i:3;a:3:{i:0;i:1;i:1;i:2;i:2;i:3;}}
Here's how to read it: "a" means array, and the 4 is its element count. Inside the braces the entries come as key;value pairs: entry 0 is a string (s) of length 5 with the value "Hello", entry 1 is an integer (i) with the value 1337, entry 2 is a string of length 5 with the value "WUFAR", and entry 3 is itself an array of length 3 holding three integers. Note that string lengths are counted in bytes and are what the parser trusts, not the quotes: it reads exactly that many bytes after the opening quote, so a string can contain '"' or ';' without any escaping.
References are made using the "id" of a value that has already been created. unserialize keeps a table of every value it produces, in the order it meets them (array keys are not counted), and the ids are 1-based: 1 is the outer array, 2 the string Hello, 3 the integer 1337 and 4 WUFAR, so to reference WUFAR I would write r:4. Lowercase r: copies the referenced value (for objects, the same object handle), while uppercase R: makes a real PHP reference (&) to it; an r: entry takes an id of its own, an R: entry does not. Pointing r: or R: at an id that does not exist, including 0, makes unserialize fail.