
Revert "Merge branch using Rex sockets as IO"

This reverts commit c48246c91c, reversing
changes made to 3cd9dc4fde.
jvazquez-r7 4 years ago
parent
commit
5e9faad4dc

+ 46
- 2
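--- a/lib/msf/java/rmi/client.rb
+++ b/lib/msf/java/rmi/client.rb
@@ -19,6 +19,23 @@ module Msf
         include Msf::Java::Rmi::Client::Jmx
         include Exploit::Remote::Tcp
 
+        def initialize(info = {})
+          super
+
+          register_advanced_options(
+            [
+              OptInt.new('RmiReadLoopTimeout', [ true, 'Maximum number of seconds to wait for data between read iterations', 1])
+            ], Msf::Java::Rmi::Client
+          )
+        end
+
+        # Returns the timeout to wait for data between read iterations
+        #
+        # @return [Fixnum]
+        def read_loop_timeout
+          datastore['RmiReadLoopTimeout'] || 1
+        end
+
         # Returns the target host
         #
         # @return [String]
@@ -86,8 +103,9 @@ module Msf
         # @see Rex::Proto::Rmi::Model::ProtocolAck.decode
         def recv_protocol_ack(opts = {})
           nsock = opts[:sock] || sock
+          data = safe_get_once(nsock)
           begin
-            ack = Rex::Proto::Rmi::Model::ProtocolAck.decode(nsock)
+            ack = Rex::Proto::Rmi::Model::ProtocolAck.decode(StringIO.new(data))
           rescue Rex::Proto::Rmi::DecodeError
             return nil
           end
@@ -105,15 +123,41 @@ module Msf
         # @see Rex::Proto::Rmi::Model::ReturnData.decode
         def recv_return(opts = {})
           nsock = opts[:sock] || sock
+          data = safe_get_once(nsock)
 
           begin
-            return_data = Rex::Proto::Rmi::Model::ReturnData.decode(nsock)
+            return_data = Rex::Proto::Rmi::Model::ReturnData.decode(StringIO.new(data))
           rescue Rex::Proto::Rmi::DecodeError
             return nil
           end
 
           return_data.return_value
         end
+
+        # Helper method to read fragmented data from a ```Rex::Socket::Tcp```
+        #
+        # @param nsock [Rex::Socket::Tcp]
+        # @return [String]
+        def safe_get_once(nsock = sock, loop_timeout = read_loop_timeout)
+          data = ''
+          begin
+            res = nsock.get_once
+          rescue ::EOFError
+            res = nil
+          end
+
+          while res && nsock.has_read_data?(loop_timeout)
+            data << res
+            begin
+              res = nsock.get_once
+            rescue ::EOFError
+              res = nil
+            end
+          end
+
+          data << res if res
+          data
+        end
       end
     end
   end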
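Review bot: The reassembly loop in `safe_get_once` has no upper bound on `data` and no overall deadline: as long as the peer keeps data arriving within `loop_timeout`, the `while` keeps appending, so a hostile or runaway RMI endpoint can pin this thread and grow the buffer without limit, and `decode(StringIO.new(data))` in `recv_return` only runs once the peer goes quiet. Conversely, a server that pauses longer than `RmiReadLoopTimeout` (default 1 second) between fragments yields a truncated `data`, which presumably surfaces as a `DecodeError` and a `nil` return rather than a retry; that trade-off deserves a comment on `read_loop_timeout` such as `# Larger values tolerate slow servers but add latency to every call; 0 effectively disables reassembly`. A size cap keeps the first problem bounded without changing callers; the sketch below adds an optional `max_bytes` argument and stops reading once it is reached. It is also worth confirming that `get_once` on the Rex socket cannot raise anything other than `::EOFError` on a closed connection (e.g. `Rex::StreamClosedError` or `Errno::ECONNRESET`), since only `EOFError` is rescued here.

```ruby
        def safe_get_once(nsock = sock, loop_timeout = read_loop_timeout, max_bytes = 1024 * 1024)
          # … unchanged: initial get_once / EOFError handling …

          while res && nsock.has_read_data?(loop_timeout)
            data << res
            if data.length >= max_bytes
              # Stop rather than let a peer that never goes quiet grow the buffer without bound
              res = nil
              break
            end
            # … unchanged: next get_once / EOFError handling …
          end

          # … unchanged: final append and return …
        end
```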

+ 1
- 7
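--- a/modules/exploits/multi/misc/java_rmi_server.rb
+++ b/modules/exploits/multi/misc/java_rmi_server.rb
@@ -154,13 +154,7 @@ class Metasploit3 < Msf::Exploit::Remote
       arguments: build_dgc_clean_args(new_url)
     )
 
-    begin
-      return_value = recv_return
-    rescue Rex::StreamClosedError
-      # There should be a session...
-      disconnect
-      return
-    end
+    return_value = recv_return
 
     if return_value.nil? && !session_created?
       fail_with(Failure::Unknown, 'RMI Call failed')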
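Review bot: With the `rescue Rex::StreamClosedError` wrapper gone, `return_value = recv_return` now lets any socket error other than `::EOFError` escape before the `session_created?` check below: `safe_get_once` in `lib/msf/java/rmi/client.rb` (same commit) rescues only `::EOFError` around `get_once`, so a `Rex::StreamClosedError` or `Errno::ECONNRESET` raised when the target tears the connection down after the DGC clean call would propagate out of this method instead of being treated as a possibly-successful exploit. If the Rex socket layer guarantees `EOFError` in that case the simplification is fine; otherwise keep a narrow rescue, e.g. `return_value = begin; recv_return; rescue ::Rex::StreamClosedError, ::Errno::ECONNRESET; nil; end`, so the existing nil-and-no-session check still decides the outcome. The enclosing method starts before this hunk.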

+ 24
- 0
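--- a/spec/lib/msf/java/rmi/client/jmx/connection_spec.rb
+++ b/spec/lib/msf/java/rmi/client/jmx/connection_spec.rb
@@ -101,6 +101,14 @@ describe Msf::Java::Rmi::Client::Jmx::Connection do
           io.write(get_object_instance_response)
           io.seek(0)
         end
+
+        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+          io.read
+        end
+
+        allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
+          false
+        end
       end
 
       it "returns true" do
@@ -117,6 +125,14 @@ describe Msf::Java::Rmi::Client::Jmx::Connection do
           io.write(create_mbean_response)
           io.seek(0)
         end
+
+        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+          io.read
+        end
+
+        allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
+          false
+        end
       end
 
       it "returns true" do
@@ -133,6 +149,14 @@ describe Msf::Java::Rmi::Client::Jmx::Connection do
           io.write(invoke_response)
           io.seek(0)
         end
+
+        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+          io.read
+        end
+
+        allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
+          false
+        end
       end
 
       it "returns true" do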
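Review bot: The identical `get_once`/`has_read_data?` stubs on `::StringIO` are pasted into three separate `before` blocks in this file, right after each `io.seek(0)`; hoisting them into one shared `before` at the outer `describe` level (the shape `spec/lib/msf/java/rmi/client_spec.rb` in this same commit uses) keeps the three contexts from drifting the next time the socket API changes. Stubbing `has_read_data?` to return `false` also means the `while` loop in `safe_get_once` is never entered by any of these examples, so fragmented responses stay untested; a single example whose stub answers `true` once, e.g. `allow_any_instance_of(::StringIO).to receive(:has_read_data?).and_return(true, false)`, with the response split across two `get_once` chunks would cover that path. The `describe`/`context` blocks these hunks sit in start before them.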

+ 8
- 0
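--- a/spec/lib/msf/java/rmi/client/jmx/server_spec.rb
+++ b/spec/lib/msf/java/rmi/client/jmx/server_spec.rb
@@ -47,6 +47,14 @@ describe Msf::Java::Rmi::Client::Jmx::Server do
           io.write(new_client_response)
           io.seek(0)
         end
+
+        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+          io.read
+        end
+
+        allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
+          false
+        end
       end
 
       it "returns the reference information" do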

+ 8
- 0
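--- a/spec/lib/msf/java/rmi/client_spec.rb
+++ b/spec/lib/msf/java/rmi/client_spec.rb
@@ -44,6 +44,14 @@ describe Msf::Java::Rmi::Client do
     allow_any_instance_of(::StringIO).to receive(:put) do |io, data|
       io.write(data)
     end
+
+    allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+      io.read
+    end
+
+    allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
+      false
+    end
   end
 
   describe "#send_header" do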
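Review bot: `allow_any_instance_of(::StringIO)` patches every StringIO created while an example runs, not only the object standing in for the socket, and with `has_read_data?` unconditionally returning `false` `safe_get_once` always takes the single-read path here, so the fragment-reassembly loop this spec is meant to support has no coverage at all. A small fake socket (a `double` responding to `put`, `get_once` and `has_read_data?`) would avoid the global patch, and at least one example with `allow(fake_sock).to receive(:has_read_data?).and_return(true, false)` feeding two `get_once` chunks whose concatenation decodes would exercise the loop. The block these stubs live in starts before this hunk.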
