From 9e01b0f4e5b596619adace81feb4453972e52597 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Fri, 8 Oct 2010 04:46:53 +0000
Subject: [PATCH] Fix a race condition in concurrent session handling

git-svn-id: file:///home/svn/framework3/trunk@10596 4d416f70-5f16-0410-b530-b9f4589650da
---
 lib/msf/core/handler/bind_tcp.rb | 4 ++--
 lib/msf/core/handler/passivex.rb | 4 ++--
 lib/msf/core/handler/reverse_tcp_double.rb | 4 ++--
 lib/msf/core/rpc/session.rb | 2 +-
 lib/msf/scripts/meterpreter/services.rb | 6 +++---
 5 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/lib/msf/core/handler/bind_tcp.rb b/lib/msf/core/handler/bind_tcp.rb
index b37b801067..5efefd9aa9 100644
--- a/lib/msf/core/handler/bind_tcp.rb
+++ b/lib/msf/core/handler/bind_tcp.rb
@@ -144,9 +144,9 @@ module BindTcp
 # Start a new thread and pass the client connection
 # as the input and output pipe. Client's are expected
 # to implement the Stream interface.
- conn_threads << Thread.new {
+ conn_threads << Thread.new(client) { |client_copy|
 begin
- handle_connection(client)
+ handle_connection(client_copy)
 rescue
 elog("Exception raised from BindTcp.handle_connection: #{$!}")
 end
diff --git a/lib/msf/core/handler/passivex.rb b/lib/msf/core/handler/passivex.rb
index 90eec51c48..13a20428dd 100644
--- a/lib/msf/core/handler/passivex.rb
+++ b/lib/msf/core/handler/passivex.rb
@@ -455,9 +455,9 @@ if (marker == false) {
 # that we've found a new session. We call handle_connection using
 # the lsock of the local stream.
 if (s = find_session_channel(sid))
- Thread.new {
+ Thread.new(cli) { |cli_copy|
 begin
- s.remote = cli
+ s.remote = cli_copy
 handle_connection(s.lsock)
 rescue ::Exception
 elog("Exception raised during PX handle connection: #{$!}", 'core', LEV_1)
diff --git a/lib/msf/core/handler/reverse_tcp_double.rb b/lib/msf/core/handler/reverse_tcp_double.rb
index c0d7f9fd29..fe784c2cec 100644
--- a/lib/msf/core/handler/reverse_tcp_double.rb
+++ b/lib/msf/core/handler/reverse_tcp_double.rb
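Review bot: The new `conn_threads << Thread.new(client) { |client_copy|` line carries the reason for its shape only in the commit message; a later cleanup that folds it back into a plain closure silently reintroduces the race, so the existing three-line comment above it should gain a why-line such as `# Pass +client+ as a thread argument: a closure would see the variable reassigned by the next accepted connection before this thread reads it.` The same why-comment is worth adding at the matching Thread.new lines in passivex.rb, reverse_tcp_double.rb, rpc/session.rb and meterpreter/services.rb, which make the same change for the same reason. The accept loop that owns `client` starts and ends outside this hunk, so the reassignment itself is inferred rather than visible here.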
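Review bot: Only `cli` is copied into the new thread, while `s` is still read by closure in `s.remote = cli_copy` and `handle_connection(s.lsock)`; if `s` is a method-level local that the enclosing loop (outside the hunk) reassigns on the next request, the same race this commit fixes for `cli` remains for `s`. Passing both closes the gap: `Thread.new(cli, s) { |cli_copy, sess_copy|` with `sess_copy.remote = cli_copy` and `handle_connection(sess_copy.lsock)`. Separately, the `rescue ::Exception` on the context line below also catches SystemExit and Interrupt raised inside the thread and turns them into a log line; `rescue ::StandardError` keeps the logging without hiding those.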
@@ -114,9 +114,9 @@ module ReverseTcpDouble
 # Start a new thread and pass the client connection
 # as the input and output pipe. Client's are expected
 # to implement the Stream interface.
- conn_threads << Thread.new {
+ conn_threads << Thread.new(sock_inp, sock_out) { | sock_inp_copy, sock_out_copy|
 begin
- chan = TcpReverseDoubleSessionChannel.new(sock_inp, sock_out)
+ chan = TcpReverseDoubleSessionChannel.new(sock_inp_copy, sock_out_copy)
 handle_connection(chan.lsock)
 rescue
 elog("Exception raised from handle_connection: #{$!}\n\n#{$@.join("\n")}")
diff --git a/lib/msf/core/rpc/session.rb b/lib/msf/core/rpc/session.rb
index 0517d8a338..1879b81e2c 100644
--- a/lib/msf/core/rpc/session.rb
+++ b/lib/msf/core/rpc/session.rb
@@ -128,7 +128,7 @@ class Session < Base
 # so don't do it here
 #@framework.events.on_session_command(s, buff)
- Thread.new { s.console.run_single(buff) }
+ Thread.new(s) { |sess| sess.console.run_single(buff) }
 {}
 end
diff --git a/lib/msf/scripts/meterpreter/services.rb b/lib/msf/scripts/meterpreter/services.rb
index e590c68662..1bce9a6cdb 100644
--- a/lib/msf/scripts/meterpreter/services.rb
+++ b/lib/msf/scripts/meterpreter/services.rb
@@ -13,11 +13,11 @@ def service_list
 services = []
 registry_enumkeys(serviceskey).each do |s|
 if threadnum < 10
- a.push(::Thread.new {
+ a.push(::Thread.new(s) { |sk|
 begin
- srvtype = registry_getvaldata("#{serviceskey}\\#{s}","Type").to_s
+ srvtype = registry_getvaldata("#{serviceskey}\\#{sk}","Type").to_s
 if srvtype =~ /32|16/
- services << sk
+ services << sk
 end
 rescue
 end
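Review bot: The block parameter list in the new `Thread.new(sock_inp, sock_out) { | sock_inp_copy, sock_out_copy|` has a stray space after the opening pipe, unlike the other hunks in this commit; `{ |sock_inp_copy, sock_out_copy|` keeps the five sites consistent. Separately, when `TcpReverseDoubleSessionChannel.new` or `handle_connection` raises, the rescue branch only logs, so both copied sockets stay open unless something outside the hunk closes them; closing `sock_inp_copy` and `sock_out_copy` in that branch would bound the leak per failed connection. The enclosing accept loop starts and ends outside this hunk.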
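Review bot: The new `Thread.new(s) { |sess| sess.console.run_single(buff) }` has no rescue, unlike the handler threads changed in this commit: an exception from `run_single` ends the thread with no log line while the RPC caller has already received `{}`, and `buff` is still read by closure even though it was presumably a per-call local. Passing `buff` as a second thread argument and logging failures the way the handlers do keeps this path consistent, assuming `elog` is reachable here as it is in the handler files. The enclosing method starts outside the hunk.
```ruby
			Thread.new(s, buff) { |sess, data|
				begin
					sess.console.run_single(data)
				rescue ::StandardError => e
					elog("Exception raised from Session#run_single: #{e}")
				end
			}
```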
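Review bot: `if srvtype =~ /32|16/` on the context line is unanchored, so any Type string that merely contains the digits "32" or "16" is accepted; since the whole value is what is being classified, `if %w[16 32].include?(srvtype)` (or an anchored `/\A(16|32)\z/`) states the intent. The empty `rescue … end` drops a service from `services` on any failure of `registry_getvaldata` without a trace, which makes a partial listing indistinguishable from a complete one; `rescue ::StandardError => e` followed by `elog("service_list: #{sk}: #{e}")` keeps the best-effort behaviour while leaving evidence. The `service_list` method continues past the end of this hunk.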