Timeouts added for handlers

git-svn-id: file:///home/svn/framework3/trunk@3773 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/exploit.rb

@@ -258,6 +258,11 @@ class Exploit < Msf::Module
 		self.default_target = info['DefaultTarget']
 		self.payload_info = info['Payload'] || {}
 		self.session_count = 0
+		self.active_timeout = 120
+		
+		if (info['Payload'] and info['Payload']['ActiveTimeout'])
+			self.active_timeout = info['Payload']['ActiveTimeout'].to_i
+		end
 	end
 
 	##
@@ -300,6 +305,12 @@ class Exploit < Msf::Module
 		reset_session_counts
 
 		if (payload_instance)
+		
+			# Configure the payload handler
+			payload_instance.exploit_config = {
+				'active_timeout' => self.active_timeout
+			}
+		
 			# Set up the payload handlers
 			payload_instance.setup_handler
 	
@@ -823,7 +834,11 @@ protected
 	#  Number of sessions created by this exploit instance.
 	#
 	attr_writer :session_count
-
+	#
+	#  Maximum number of seconds for active handlers
+	#
+	attr_accessor :active_timeout
+	
 	#
 	# Overrides the base class method and serves to initialize default
 	# compatibilities for exploits

lib/msf/core/handler.rb

@@ -112,7 +112,7 @@ module Handler
 	#
 	def handler(sock)
 	end
-
+	
 	#
 	# Handles an established connection supplied in the in and out 
 	# handles.  The handles are passed as parameters in case this
@@ -151,6 +151,11 @@ module Handler
 		
 		return session
 	end
+	
+	#
+	# Set by the exploit module to configure handler
+	#
+	attr_accessor :exploit_config
 
 protected
 
@@ -199,7 +204,7 @@ protected
 
 	attr_accessor :session_waiter_event # :nodoc:
 	attr_accessor :pending_connections  # :nodoc:
-
+	
 end
 
 end

lib/msf/core/handler/bind_tcp.rb

@@ -44,12 +44,6 @@ module BindTcp
 		self.conn_threads = []
 	end
 
-	#
-	# No setup to speak of for bind handlers.
-	#
-	def setup_handler
-	end
-
 	#
 	# Kills off the connection threads if there are any hanging around.
 	#
@@ -65,6 +59,14 @@ module BindTcp
 	# Starts monitoring for an outbound connection to become established.
 	#
 	def start_handler
+
+		# Maximum number of seconds to run the handler
+		ctimeout = 300
+		
+		if (exploit_config and exploit_config['active_timeout'])
+			ctimeout = exploit_config['active_timeout'].to_i
+		end
+	
 		self.listener_thread = Thread.new {
 			client = nil
 
@@ -76,34 +78,33 @@ module BindTcp
 					caller
 			end
 
-			# Keep trying to connect
-			callcc { |ctx|
-				while true
-					begin
-						client = Rex::Socket::Tcp.create(
-							'PeerHost' => datastore['RHOST'],
-							'PeerPort' => datastore['LPORT'].to_i,
-							'Proxies'  => datastore['Proxies'],
-							'Comm'     => comm,
-							'Context'  =>
-								{
-									'Msf'        => framework,
-									'MsfPayload' => self,
-									'MsfExploit' => assoc_exploit
-								})
-					rescue Rex::ConnectionRefused
-						# Connection refused is a-okay
-					rescue
-						wlog("Exception caught in bind handler: #{$!}")
-					end
-
-					ctx.call if (client)	
-	
-					# Wait a second before trying again
-					Rex::ThreadSafe.sleep(0.5)
+			stime = Time.now.to_i
+			
+			while (stime + ctimeout > Time.now.to_i)
+				begin
+					client = Rex::Socket::Tcp.create(
+						'PeerHost' => datastore['RHOST'],
+						'PeerPort' => datastore['LPORT'].to_i,
+						'Proxies'  => datastore['Proxies'],
+						'Comm'     => comm,
+						'Context'  =>
+							{
+								'Msf'        => framework,
+								'MsfPayload' => self,
+								'MsfExploit' => assoc_exploit
+							})
+				rescue Rex::ConnectionRefused
+					# Connection refused is a-okay
+				rescue ::Exception
+					wlog("Exception caught in bind handler: #{$!}")
 				end
-			}
 
+				break if client
+
+				# Wait a second before trying again
+				Rex::ThreadSafe.sleep(0.5)
+			end
+			
 			# Valid client connection?
 			if (client)
 				# Start a new thread and pass the client connection
@@ -116,6 +117,8 @@ module BindTcp
 						elog("Exception raised from BindTcp.handle_connection: #{$!}")
 					end
 				}
+			else
+				wlog("No connection received before the handler completed")
 			end
 		}
 	end

lib/msf/core/module.rb

@@ -35,7 +35,11 @@ class Module
 		def fullname
 			return type + '/' + refname
 		end
-
+	
+		def shortname
+			return refname.split('/')[-1]
+		end
+		
 		#
 		# Returns this module's ranking.
 		#
@@ -154,6 +158,17 @@ class Module
 		return self.class.refname
 	end
 
+	#
+	# Returns the module's framework short name.  This is a
+	# possibly conflicting name used for things like console
+	# prompts.
+	#
+	# reverse_tcp
+	#
+	def shortname
+		return self.class.shortname
+	end
+	
 	#
 	# Returns the unduplicated class associated with this module.
 	#

lib/msf/ui/console/command_dispatcher/core.rb

@@ -20,7 +20,7 @@ class Core
 	include Msf::Ui::Console::CommandDispatcher
 
 	# Session command options
-	@@session_opts = Rex::Parser::Arguments.new(
+	@@sessions_opts = Rex::Parser::Arguments.new(
 		"-i" => [ true,  "Interact with the supplied session identifier." ],
 		"-h" => [ false, "Help banner."                                   ],
 		"-l" => [ false, "List all active sessions."                      ],
@@ -39,30 +39,30 @@ class Core
 	# Returns the list of commands supported by this command dispatcher
 	def commands
 		{
-			"?"       => "Help menu",
-			"back"    => "Move back from the current context",
-			"banner"  => "Display an awesome metasploit banner",
-			"exit"    => "Exit the console",
-			"help"    => "Help menu",
-			"info"    => "Displays information about one or more module",
-			"irb"     => "Drop into irb scripting mode",
-			"jobs"    => "Displays and manages jobs",
-			"load"    => "Load a framework plugin",
-			"persist" => "Persist or restore framework state information",
-			"quit"    => "Exit the console",
-			"route"   => "Route traffic through a session",
-			"save"    => "Saves the active datastores",
-			"search"  => "Adds one or more module search paths",
-			"session" => "Dump session listings and display information about sessions",
-			"set"     => "Sets a variable to a value",
-			"setg"    => "Sets a global variable to a value",
-			"show"    => "Displays modules of a given type, or all modules",
-			"unload"  => "Unload a framework plugin",
-			"unset"   => "Unsets one or more variables",
-			"unsetg"  => "Unsets one or more global variables",
-			"use"     => "Selects a module by name",
-			"version" => "Show the console library version number",
-			"sleep"   => "Do nothing for the specified number of seconds",
+			"?"        => "Help menu",
+			"back"     => "Move back from the current context",
+			"banner"   => "Display an awesome metasploit banner",
+			"exit"     => "Exit the console",
+			"help"     => "Help menu",
+			"info"     => "Displays information about one or more module",
+			"irb"      => "Drop into irb scripting mode",
+			"jobs"     => "Displays and manages jobs",
+			"load"     => "Load a framework plugin",
+			"persist"  => "Persist or restore framework state information",
+			"quit"     => "Exit the console",
+			"route"    => "Route traffic through a session",
+			"save"     => "Saves the active datastores",
+			"search"   => "Adds one or more module search paths",
+			"sessions" => "Dump session listings and display information about sessions",
+			"set"      => "Sets a variable to a value",
+			"setg"     => "Sets a global variable to a value",
+			"show"     => "Displays modules of a given type, or all modules",
+			"unload"   => "Unload a framework plugin",
+			"unset"    => "Unsets one or more variables",
+			"unsetg"   => "Unsets one or more global variables",
+			"use"      => "Selects a module by name",
+			"version"  => "Show the console library version number",
+			"sleep"    => "Do nothing for the specified number of seconds",
 		}
 	end
 
@@ -544,7 +544,7 @@ class Core
 	#
 	# Provides an interface to the sessions currently active in the framework.
 	#
-	def cmd_session(*args)
+	def cmd_sessions(*args)
 		if (args.length == 0)
 			args.unshift("-h")
 		end
@@ -555,7 +555,7 @@ class Core
 		sid    = nil
 
 		# Parse the command options
-		@@session_opts.parse(args) { |opt, idx, val|
+		@@sessions_opts.parse(args) { |opt, idx, val|
 			case opt
 				when "-q"
 					quiet = true
@@ -575,7 +575,7 @@ class Core
 					print(
 						"Usage: session [options]\n\n" +
 						"Active session manipulation and interaction.\n" +
-						@@session_opts.usage())
+						@@sessions_opts.usage())
 					return false
 			end
 		}
@@ -619,7 +619,7 @@ class Core
 	#
 	# Tab completion for the route command
 	#
-	def cmd_session_tabs(str, words)
+	def cmd_sessions_tabs(str, words)
 		if (not words[1])
 			return %w{-q -i -l -h}
 		end
@@ -984,7 +984,7 @@ class Core
 		mod.init_ui(driver.input, driver.output)
 
 		# Update the command prompt
-		driver.update_prompt("#{mod.type}(#{mod.refname}) ")
+		driver.update_prompt("#{mod.type}(#{mod.shortname}) ")
 	end
 	
 	#

modules/exploits/windows/browser/ms06_001_wmf_setabortproc.rb

@@ -49,6 +49,7 @@ class Exploits::Windows::Browser::MS06_001_WMF_SETABORTPROC < Msf::Exploit::Remo
 						{
 							'ConnectionType' => '-find',
 						},
+					'StackAdjustment' => -3500,
 				},
 			'Platform'       => 'win',
 			'Targets'        =>

modules/exploits/windows/ftp/servu_mdtm.rb

@@ -129,7 +129,7 @@ class Exploits::Windows::Ftp::ServUMDTMOverflow < Msf::Exploit::Remote
 	
 	def exploit
 	
-		p generate_egghunter
+#		generate_egghunter
 		connect_login
 		
 		print_status("Trying target #{target.name}...")