Rapid7 Vulnerability & Exploit Database

PHP 4 unserialize() ZVAL Reference Counter Overflow (Cookie)




This module exploits an integer overflow vulnerability in the unserialize() function of the PHP web server extension. This vulnerability was patched by Stefan in version 4.5.0 and applies to all previous versions supporting this function. This particular module targets numerous web applications and is based on the proof of concept provided by Stefan Esser. This vulnerability requires approximately 900k of data to trigger due to the multiple Cookie headers requirement. Since we are already assuming a fast network connection, we use a 2Mb block of shellcode for the brute force, allowing quick exploitation for those with fast networks. One of the neat things about this vulnerability is that on x86 systems, the EDI register points into the beginning of the hashtable string. This can be used with an egghunter to quickly exploit systems where the location of a valid "jmp EDI" or "call EDI" instruction is known. The EDI method is faster, but the bandwidth-intensive brute force used by this module is more reliable across a wider range of systems.
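The traffic pattern in the description (many Cookie headers carrying roughly 900k of data) is distinctive enough to flag at a proxy or in log review. The check below is an added example, not part of the Metasploit module or the original page; the thresholds, the function name and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed thresholds (not from the page); tune them per application.
MAX_COOKIE_HEADERS = 4        # clients normally send a single Cookie header
MAX_COOKIE_BYTES = 64 * 1024  # well under the ~900k the description mentions

# Start of a PHP serialize() value: array, object or string type prefix.
SERIALIZED = re.compile(r'(?:^|=)\s*(?:a:\d+:\{|O:\d+:"|s:\d+:")')


def inspect_request(raw_head: bytes) -> dict:
    """Summarise the Cookie headers in one raw HTTP request head."""
    count = total = 0
    serialized = False
    for line in raw_head.split(b"\r\n")[1:]:   # skip the request line
        if not line:                           # blank line ends the headers
            break
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"cookie":
            continue
        count += 1
        total += len(value.strip())
        # Split on ';' first, then URL-decode each pair, so an encoded
        # '%3B' inside serialized data does not split the value.
        for pair in value.decode("latin-1").split(";"):
            if SERIALIZED.search(unquote(pair).strip()):
                serialized = True
    reasons = []
    if count > MAX_COOKIE_HEADERS:
        reasons.append("many-cookie-headers")
    if total > MAX_COOKIE_BYTES:
        reasons.append("oversized-cookies")
    # Serialized cookies alone can be legitimate; report them as a reason
    # only when the request is already volumetrically abnormal.
    if serialized and reasons:
        reasons.append("serialized-php-in-cookie")
    return {"cookie_headers": count, "cookie_bytes": total,
            "serialized": serialized, "reasons": reasons}


# Constructed sample requests (not captured traffic).
BENIGN = (b"GET /index.php HTTP/1.1\r\nHost: app.example\r\n"
          b"Cookie: sid=abc123; theme=dark\r\n\r\n")
FLOOD = (b"GET /index.php HTTP/1.1\r\nHost: app.example\r\n"
         + b"".join(b"Cookie: data=" + b"A" * 8000 + b"\r\n" for _ in range(20))
         + b"Cookie: data=a%3A1%3A%7Bi%3A0%3Bi%3A1%3B%7D\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("flood", FLOOD)):
        print(label, inspect_request(req))
```
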


  • hdm <x@hdm.io>
  • GML <grandmasterlogic@gmail.com>
  • Stefan Esser <sesser@hardened-php.net>





Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/php/php_unserialize_zval_cookie
msf exploit(php_unserialize_zval_cookie) > show targets
msf exploit(php_unserialize_zval_cookie) > set TARGET < target-id >
msf exploit(php_unserialize_zval_cookie) > show options
    ...show and set options...
msf exploit(php_unserialize_zval_cookie) > exploit
