Revert "Merge branch using Rex sockets as IO"

This reverts commit c48246c91c, reversing changes made to 3cd9dc4fde.
2015-10-09 14:09:12 -05:00 · 2015-10-09 14:09:12 -05:00 · 5e9faad4dc
parent c48246c91c
commit 5e9faad4dc
5 changed files with 87 additions and 9 deletions
--- a/lib/msf/java/rmi/client.rb
+++ b/lib/msf/java/rmi/client.rb
@ -19,6 +19,23 @@ module Msf
        include Msf::Java::Rmi::Client::Jmx
        include Exploit::Remote::Tcp

+        def initialize(info = {})
+          super
+
+          register_advanced_options(
+            [
+              OptInt.new('RmiReadLoopTimeout', [ true, 'Maximum number of seconds to wait for data between read iterations', 1])
+            ], Msf::Java::Rmi::Client
+          )
+        end
+
+        # Returns the timeout to wait for data between read iterations
+        #
+        # @return [Fixnum]
+        def read_loop_timeout
+          datastore['RmiReadLoopTimeout'] || 1
+        end
+
        # Returns the target host
        #
        # @return [String]
@ -86,8 +103,9 @@ module Msf
        # @see Rex::Proto::Rmi::Model::ProtocolAck.decode
        def recv_protocol_ack(opts = {})
          nsock = opts[:sock] || sock
+          data = safe_get_once(nsock)
          begin
-            ack = Rex::Proto::Rmi::Model::ProtocolAck.decode(nsock)
+            ack = Rex::Proto::Rmi::Model::ProtocolAck.decode(StringIO.new(data))
          rescue Rex::Proto::Rmi::DecodeError
            return nil
          end
@ -105,15 +123,41 @@ module Msf
        # @see Rex::Proto::Rmi::Model::ReturnData.decode
        def recv_return(opts = {})
          nsock = opts[:sock] || sock
+          data = safe_get_once(nsock)

          begin
-            return_data = Rex::Proto::Rmi::Model::ReturnData.decode(nsock)
+            return_data = Rex::Proto::Rmi::Model::ReturnData.decode(StringIO.new(data))
          rescue Rex::Proto::Rmi::DecodeError
            return nil
          end

          return_data.return_value
        end
+
+        # Helper method to read fragmented data from a ```Rex::Socket::Tcp```
+        #
+        # @param nsock [Rex::Socket::Tcp]
+        # @return [String]
+        def safe_get_once(nsock = sock, loop_timeout = read_loop_timeout)
+          data = ''
+          begin
+            res = nsock.get_once
+          rescue ::EOFError
+            res = nil
+          end
+
+          while res && nsock.has_read_data?(loop_timeout)
+            data << res
+            begin
+              res = nsock.get_once
+            rescue ::EOFError
+              res = nil
+            end
+          end
+
+          data << res if res
+          data
+        end
      end
    end
  end
--- a/modules/exploits/multi/misc/java_rmi_server.rb
+++ b/modules/exploits/multi/misc/java_rmi_server.rb
@ -154,13 +154,7 @@ class Metasploit3 < Msf::Exploit::Remote
      arguments: build_dgc_clean_args(new_url)
    )

-    begin
-      return_value = recv_return
-    rescue Rex::StreamClosedError
-      # There should be a session...
-      disconnect
-      return
-    end
+    return_value = recv_return

    if return_value.nil? && !session_created?
      fail_with(Failure::Unknown, 'RMI Call failed')
--- a/spec/lib/msf/java/rmi/client/jmx/connection_spec.rb
+++ b/spec/lib/msf/java/rmi/client/jmx/connection_spec.rb
@ -101,6 +101,14 @@ describe Msf::Java::Rmi::Client::Jmx::Connection do
          io.write(get_object_instance_response)
          io.seek(0)
        end
+
+        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+          io.read
+        end
+
+        allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
+          false
+        end
      end

      it "returns true" do
@ -117,6 +125,14 @@ describe Msf::Java::Rmi::Client::Jmx::Connection do
          io.write(create_mbean_response)
          io.seek(0)
        end
+
+        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+          io.read
+        end
+
+        allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
+          false
+        end
      end

      it "returns true" do
@ -133,6 +149,14 @@ describe Msf::Java::Rmi::Client::Jmx::Connection do
          io.write(invoke_response)
          io.seek(0)
        end
+
+        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+          io.read
+        end
+
+        allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
+          false
+        end
      end

      it "returns true" do
--- a/spec/lib/msf/java/rmi/client/jmx/server_spec.rb
+++ b/spec/lib/msf/java/rmi/client/jmx/server_spec.rb
@ -47,6 +47,14 @@ describe Msf::Java::Rmi::Client::Jmx::Server do
          io.write(new_client_response)
          io.seek(0)
        end
+
+        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+          io.read
+        end
+
+        allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
+          false
+        end
      end

      it "returns the reference information" do
--- a/spec/lib/msf/java/rmi/client_spec.rb
+++ b/spec/lib/msf/java/rmi/client_spec.rb
@ -44,6 +44,14 @@ describe Msf::Java::Rmi::Client do
    allow_any_instance_of(::StringIO).to receive(:put) do |io, data|
      io.write(data)
    end
+
+    allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
+      io.read
+    end
+
+    allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
+      false
+    end
  end

  describe "#send_header" do