Improvements to the cleanup process, close sockets properly for exploits and auxiliary

git-svn-id: file:///home/svn/framework3/trunk@9187 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/auxiliary.rb

@@ -6,14 +6,14 @@ module Msf
 #
 # The auxiliary class acts as a base class for all modules that perform
 # reconnaisance, retrieve data, brute force logins, or any other action
-# that doesn't fit our concept of an 'exploit' (involving payloads and 
+# that doesn't fit our concept of an 'exploit' (involving payloads and
 # targets and whatnot).
 #
 ###
 class Auxiliary < Msf::Module
 
 	require 'msf/core/auxiliary/mixins'
-	
+
 	#
 	# Returns MODULE_AUX to indicate that this is an auxiliary module.
 	#
@@ -27,9 +27,9 @@ class Auxiliary < Msf::Module
 	def type
 		MODULE_AUX
 	end
-	
+
 	#
-	# Creates an instance of the auxiliary module. 
+	# Creates an instance of the auxiliary module.
 	#
 	def initialize(info = {})
 
@@ -41,14 +41,14 @@ class Auxiliary < Msf::Module
 			info['Actions'], Array,
 			[ AuxiliaryAction ], 'AuxiliaryAction'
 		)
-		
+
 		self.passive = (info['Passive'] and info['Passive'] == true) || false
 		self.default_action = info['DefaultAction']
 		self.sockets = Array.new
 		self.queue   = Array.new
 		self.passive_actions = info['PassiveActions'] || []
 	end
-	
+
 	#
 	# Creates a singleton instance of this auxiliary class
 	#
@@ -56,7 +56,7 @@ class Auxiliary < Msf::Module
 		return @@aux_singleton if @@aux_singleton
 		@@aux_singleton = self.new(info)
 	end
-	
+
 	def run
 		print_status("Running the default Auxiliary handler")
 	end
@@ -78,7 +78,7 @@ class Auxiliary < Msf::Module
 		end
 		return nil
 	end
-	
+
 	#
 	# Returns a boolean indicating whether this module should be run passively
 	#
@@ -87,7 +87,7 @@ class Auxiliary < Msf::Module
 		return passive_action?(act.name) if act
 		return self.passive
 	end
-	
+
 	#
 	# Returns a boolean indicating whether this specific action should be run passively
 	#
@@ -109,23 +109,23 @@ class Auxiliary < Msf::Module
 	def autofilter
 		false
 	end
-	
+
 	#
-	# Provides a list of ports that can be used for matching this module 
+	# Provides a list of ports that can be used for matching this module
 	# against target systems.
 	#
 	def autofilter_ports
 		@autofilter_ports || []
 	end
-	
+
 	#
-	# Provides a list of services that can be used for matching this module 
+	# Provides a list of services that can be used for matching this module
 	# against target systems.
-	#	
+	#
 	def autofilter_services
-		@autofilter_services || []	
+		@autofilter_services || []
 	end
-	
+
 	#
 	# Adds a port into the list of ports
 	#
@@ -135,28 +135,28 @@ class Auxiliary < Msf::Module
 		@autofilter_ports.flatten!
 		@autofilter_ports.uniq!
 	end
-	
+
 	def register_autofilter_services(services=[])
 		@autofilter_services ||= []
 		@autofilter_services << services
 		@autofilter_services.flatten!
-		@autofilter_services.uniq!	
+		@autofilter_services.uniq!
 	end
-	
-		
+
+
 	#
 	# Called directly before 'run'
 	#
 	def setup
 	end
-	
+
 	#
 	# Called after 'run' returns
 	#
 	def cleanup
 		abort_sockets()
 	end
-	
+
 	#
 	# Adds a socket to the list of sockets opened by this exploit.
 	#
@@ -178,32 +178,33 @@ class Auxiliary < Msf::Module
 	#
 	def abort_sockets
 		sockets.delete_if { |sock|
-			if (sock.respond_to?('abortive_close'))
-				sock.abortive_close = true 
-			end
-			begin
-				disconnect(sock)
-			rescue
+			if (sock.respond_to?('abortive_close='))
+				sock.abortive_close = true
 			end
 
+			begin
+				sock.close
+			rescue ::Exception
+			end
 			true
 		}
 	end
-		
-	# 
+
+	#
 	# Allow access to the hash table of actions and the string containing
 	# the default action
-	# 
+	#
 	attr_reader :actions, :default_action, :passive, :passive_actions
 	attr_accessor :queue
-	
+
 protected
-	
+
 	attr_writer :actions, :default_action
 	attr_accessor :sockets
 	attr_writer :passive, :passive_actions
-	
+
 
 end
 
 end
+

lib/msf/core/auxiliary/scanner.rb

@@ -51,10 +51,10 @@ def run
 	#
 
 	if(Rex::Compat.is_windows)
-		if(threads_max > 16)
+		if(threads_max > 32)
 			print_error("Warning: The Windows platform cannot reliably support more than 16 threads")
 			print_error("Thread count has been adjusted to 16")
-			threads_max = 16
+			threads_max = 32
 		end
 	end
 
@@ -96,6 +96,8 @@ def run
 					rescue ::Exception => e
 						print_status("Error: #{targ}: #{e.class} #{e.message}")
 						elog("Error running against host #{targ}: #{e.message}\n#{e.backtrace.join("\n")}")
+					ensure
+						nmod.cleanup
 					end
 				end
 			end
@@ -163,6 +165,8 @@ def run
 							raise $!
 						rescue ::Exception => e
 							print_status("Error: #{mybatch[0]}-#{mybatch[-1]}: #{e}")
+						ensure
+							nmod.cleanup
 						end
 					end
 					thread[:batch_size] = batch.length

lib/msf/core/exploit.rb

@@ -188,15 +188,14 @@ class Exploit < Msf::Module
 		#
 		def abort_sockets
 			sockets.delete_if { |sock|
-				if (sock.respond_to?('abortive_close'))
+				if (sock.respond_to?('abortive_close='))
 					sock.abortive_close = true
 				end
 
 				begin
-					disconnect(sock)
-				rescue
+					sock.close
+				rescue ::Exception
 				end
-
 				true
 			}
 		end
@@ -420,6 +419,7 @@ class Exploit < Msf::Module
 		if (payload_instance and handler_enabled?)
 			payload_instance.cleanup_handler
 		end
+		self.abort_sockets if self.respond_to?('abort_sockets')
 	end
 
 	#

lib/msf/core/exploit/http.rb

@@ -179,7 +179,6 @@ module Exploit::Remote::HttpClient
 	#
 	def cleanup
 		super
-
 		disconnect
 	end
 
@@ -1028,3 +1027,4 @@ module Exploit::Remote::HttpServer::PHPInclude
 
 end
 end
+

lib/msf/core/exploit/tcp.rb

@@ -183,7 +183,6 @@ module Exploit::Remote::Tcp
 	#
 	def cleanup
 		super
-
 		disconnect
 	end
 
@@ -325,6 +324,7 @@ module Exploit::Remote::TcpServer
 	# Stops the service, if one was created.
 	#
 	def cleanup
+		super
 		if(service)
 			stop_service()
 			print_status("Server stopped.")

lib/msf/core/exploit/udp.rb

@@ -19,13 +19,13 @@ module Exploit::Remote::Udp
 				Opt::RHOST,
 				Opt::RPORT,
 			], Msf::Exploit::Remote::Udp)
-			
+
 		register_advanced_options(
 			[
 				Opt::CPORT,
 				Opt::CHOST
 			], Msf::Exploit::Remote::Udp
-		)			
+		)
 	end
 
 	#
@@ -67,12 +67,12 @@ module Exploit::Remote::Udp
 		if (nsock == udp_sock)
 			self.udp_sock = nil
 		end
-	
+
 		# Remove this socket from the list of sockets created by this exploit
 		remove_socket(nsock)
 	end
 
-	# 
+	#
 	# Claims the UDP socket if the payload so desires.
 	#
 	def handler(nsock = self.udp_sock)
@@ -96,7 +96,6 @@ module Exploit::Remote::Udp
 	#
 	def cleanup
 		super
-
 		disconnect_udp
 	end
 
@@ -155,3 +154,4 @@ protected
 
 end
 end
+

lib/msf/core/exploit_driver.rb

@@ -184,9 +184,10 @@ protected
 					(exploit.passive? == true) ? nil : payload.wfs_delay + exploit.wfs_delay)
 			end
 		rescue ::Exception
-
 			exploit.framework.events.on_module_error(exploit, $!)
 			exploit.print_error("Exploit failed: #{$!}")
+			exploit.error = $!
+
 			elog("Exploit failed (#{exploit.refname}): #{$!}", 'core', LEV_0)
 			dlog("Call stack:\n#{$@.join("\n")}", 'core', LEV_3)
 

modules/auxiliary/scanner/discovery/udp_sweep.rb

@@ -77,7 +77,8 @@ class Metasploit3 < Msf::Auxiliary
 
 		# Create an unbound UDP socket if no CHOST is specified, otherwise
 		# create a UDP socket bound to CHOST (in order to avail of pivoting)
-		udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil } )
+		udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil, 'Context' => {'Msf' => framework, 'MsfExploit' => self} })
+		add_socket(udp_sock)
 
 			# Send each probe to each host
 			@probes.each do |probe|

modules/auxiliary/scanner/netbios/nbname.rb

@@ -58,7 +58,8 @@ class Metasploit3 < Msf::Auxiliary
 
 			# Create an unbound UDP socket if no CHOST is specified, otherwise
 			# create a UDP socket bound to CHOST (in order to avail of pivoting)
-			udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil } )
+			udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil, 'Context' => {'Msf' => framework, 'MsfExploit' => self} })
+			add_socket(udp_sock)
 
 			batch.each do |ip|
 				begin

modules/auxiliary/scanner/ntp/ntp_monlist.rb

@@ -61,7 +61,8 @@ class Metasploit3 < Msf::Auxiliary
 
 			# Create an unbound UDP socket if no CHOST is specified, otherwise
 			# create a UDP socket bound to CHOST (in order to avail of pivoting)
-			udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil } )
+			udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil, 'Context' => {'Msf' => framework, 'MsfExploit' => self} })
+			add_socket(udp_sock)
 
 			# Try three times since NTP servers can be a bit busy
 			1.upto(3)  do

modules/auxiliary/scanner/sip/enumerator.rb

@@ -58,9 +58,11 @@ class Metasploit3 < Msf::Auxiliary
 			udp_sock = Rex::Socket::Udp.create(
 				{
 					'LocalHost' => datastore['CHOST'] || nil,
-					'LocalPort' => datastore['CPORT'].to_i
+					'LocalPort' => datastore['CPORT'].to_i,
+					'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
 				}
 			)
+			add_socket(udp_sock)
 
 			mini = datastore['MINEXT']
 			maxi = datastore['MAXEXT']
@@ -167,3 +169,4 @@ class Metasploit3 < Msf::Auxiliary
 		end
 	end
 end
+

modules/auxiliary/scanner/sip/options.rb

@@ -55,9 +55,11 @@ class Metasploit3 < Msf::Auxiliary
 			udp_sock = Rex::Socket::Udp.create(
 				{
 					'LocalHost' => datastore['CHOST'] || nil,
-					'LocalPort' => datastore['CPORT'].to_i
+					'LocalPort' => datastore['CPORT'].to_i,
+					'Context' => {'Msf' => framework, 'MsfExploit' => self}
 				}
 			)
+			add_socket(udp_sock)
 
 			batch.each do |ip|
 				data = create_probe(ip)
@@ -163,3 +165,4 @@ class Metasploit3 < Msf::Auxiliary
 
 
 end
+

modules/auxiliary/scanner/snmp/community.rb

@@ -70,7 +70,8 @@ class Metasploit3 < Msf::Auxiliary
 
 			# Create an unbound UDP socket if no CHOST is specified, otherwise
 			# create a UDP socket bound to CHOST (in order to avail of pivoting)
-			udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil } )
+			udp_sock = Rex::Socket::Udp.create( { 'LocalHost' => datastore['CHOST'] || nil, 'Context' => {'Msf' => framework, 'MsfExploit' => self} })
+			add_socket(udp_sock)
 
 			print_status(">> progress (#{batch[0]}-#{batch[-1]}) #{idx}/#{@comms.length * batch.length}...")
 			@comms.each do |comm|

modules/auxiliary/scanner/tftp/tftpbrute.rb

@@ -49,6 +49,7 @@ class Metasploit3 < Msf::Auxiliary
 						}
 				}
 			)
+			add_socket(udp_sock)
 
 			fd = File.open(datastore['DICTIONARY'], 'r')
 			fd.read(fd.stat.size).split("\n").each do |filename|

modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb

@@ -104,6 +104,9 @@ class Metasploit3 < Msf::Exploit::Remote
 			}
 		})
 
+		# Let this close automatically
+		add_socket(wdmserver)
+
 		wdmserver_port = wdmserver.getsockname[2]
 		print_status("Starting the HTTP service on port #{wdmserver_port}")
 
@@ -150,7 +153,12 @@ class Metasploit3 < Msf::Exploit::Remote
 
 		# Download some response data
 		resp = sock.get_once(-1, 10)
-		print_status("Received: " + resp)
+		print_status("Received: #{resp}")
+
+		if not resp
+			print_error("No reply from the target, this may not be a vulnerable system")
+			return
+		end
 
 		print_status("Waiting on a connection to the HTTP service")
 		begin

modules/exploits/windows/ftp/microsoft_ftpd_nlst.rb

@@ -143,6 +143,8 @@ class Metasploit3 < Msf::Exploit::Remote
 			}
 		)
 
+		add_socket(srv)
+
 		begin
 
 		thr = Thread.new { srv.accept }
@@ -174,3 +176,4 @@ class Metasploit3 < Msf::Exploit::Remote
 	end
 
 end
+

modules/exploits/windows/license/calicclnt_getconfig.rb

@@ -100,6 +100,8 @@ class Metasploit3 < Msf::Exploit::Remote
 						'MsfExploit' => self,
 					})
 
+			add_socket(fakecaservice)
+
 			fakecaservice.start
 			print_status("Waiting for the license agent to connect back...")
 			begin