merge patches to fix a race condition in java meterpreter stager and a compatibility fix for gcj-based JVMs, thanks mihi\! java meterpreter now works with tomcat_mgr_deploy, see #3009

git-svn-id: file:///home/svn/framework3/trunk@10864 4d416f70-5f16-0410-b530-b9f4589650da
2010-11-02 19:59:57 +00:00 · 2010-11-02 19:59:57 +00:00 · dcb850f56a
parent 313317224f
commit dcb850f56a
9 changed files with 63 additions and 8 deletions
--- a/data/java/com/metasploit/meterpreter/MemoryBufferURLConnection.class
+++ b/data/java/com/metasploit/meterpreter/MemoryBufferURLConnection.class
--- a/data/java/com/metasploit/meterpreter/MemoryBufferURLStreamHandler.class
+++ b/data/java/com/metasploit/meterpreter/MemoryBufferURLStreamHandler.class
--- a/data/java/metasploit/Payload.class
+++ b/data/java/metasploit/Payload.class
--- a/data/java/metasploit/PayloadServlet.class
+++ b/data/java/metasploit/PayloadServlet.class
--- a/external/source/javapayload/JavaPayload4Meterpreter.jar
+++ b/external/source/javapayload/JavaPayload4Meterpreter.jar
--- a/external/source/javapayload/build.xml
+++ b/external/source/javapayload/build.xml
@ -7,7 +7,7 @@
 	<target name="compile">
 		<mkdir dir="build" />
-		<javac srcdir="src" destdir="build" source="1.1" target="1.1" debug="no" />
+		<javac srcdir="src" destdir="build" source="1.1" target="1.1" classpath="lib/servlet-api-2.2.jar" debug="no" />
 	</target>
 	<target name="jar" depends="compile">
@ -65,4 +65,14 @@
 		</jar>
 		<delete file="build/metasploit.dat"/>
 	</target>
 	<target name="deploy" depends="compile">
 		<copy todir="../../../data/java">
 			<fileset dir="build">
 				<exclude name="javapayload/stage/JSh*.class" />
 				<exclude name="javapayload/stage/SendParameters.class" />
 				<exclude name="javapayload/stage/SystemInfo.class" />
 			</fileset>
 		</copy>
 	</target>
 </project>
--- a/external/source/javapayload/lib/servlet-api-2.2.jar
+++ b/external/source/javapayload/lib/servlet-api-2.2.jar
--- a/external/source/javapayload/src/com/metasploit/meterpreter/MemoryBufferURLConnection.java
+++ b/external/source/javapayload/src/com/metasploit/meterpreter/MemoryBufferURLConnection.java
@ -8,8 +8,8 @@ import java.net.MalformedURLException;
 import java.net.URL;
 import java.net.URLConnection;
 import java.util.ArrayList;
 import java.util.Hashtable;
 import java.util.List;
 import java.util.Map;
 /**
 * An {@link URLConnection} for an URL that is stored completely in memory.
@ -23,10 +23,42 @@ public class MemoryBufferURLConnection extends URLConnection {
 	static {
 		// tweak the cache of already loaded protocol handlers via reflection
 		try {
-			Field fld = URL.class.getDeclaredField("handlers");
+			Field fld;
 			try {
 				fld = URL.class.getDeclaredField("handlers");
 			} catch (NoSuchFieldException ex) {
 				try {
 					// GNU Classpath (libgcj) calls this field differently
 					fld = URL.class.getDeclaredField("ph_cache");					
 				} catch (NoSuchFieldException ex2) {
 					// throw the original exception
 					throw ex;
 				}
 			}
 			fld.setAccessible(true);
-			Hashtable handlers = (Hashtable) fld.get(null);
+			Map handlers = (Map) fld.get(null);
-			handlers.put("metasploitmembuff", new MemoryBufferURLStreamHandler());
+			// Note that although this is a static initializer, it can happen 
 			// that two threads are entering this spot at the same time: When
 			// there is more than one classloader context (e. g. in a servlet
 			// container with Spawn=0) and more than one of them is loading
 			// a copy of this class at the same time. Work around this by
 			// letting all of them use the same URL stream handler object.
 			synchronized(handlers) {
 				// do not use the "real" class name here as the same class
 				// loaded in different classloader contexts is not the same
 				// one for Java -> ClassCastException
 				Object /*MemoryBufferURLStreamHandler*/ handler;
 				if (handlers.containsKey("metasploitmembuff")) {
 					handler = handlers.get("metasploitmembuff");
 				} else {
 					handler = new MemoryBufferURLStreamHandler();
 					handlers.put("metasploitmembuff", handler);
 				}
 				// for the same reason, use reflection to obtain the files List
 				files = (List) handler.getClass().getMethod("getFiles", new Class[0]).invoke(handler, new Object[0]);
 			}
 		} catch (Exception ex) {
 			throw new RuntimeException(ex.toString());
 		}
@ -36,9 +68,11 @@ public class MemoryBufferURLConnection extends URLConnection {
 	 * Create a new URL from a byte array and its content type.
 	 */
 	public static URL createURL(byte[] data, String contentType) throws MalformedURLException {
 		synchronized(files) {
 			files.add(data);
 			return new URL("metasploitmembuff", "", (files.size() - 1) + "/" + contentType);
 		}
 	}
 	private final byte[] data;
 	private final String contentType;
@ -47,7 +81,9 @@ public class MemoryBufferURLConnection extends URLConnection {
 		super(url);
 		String file = url.getFile();
 		int pos = file.indexOf('/');
 		synchronized (files) {
 			data = (byte[]) files.get(Integer.parseInt(file.substring(0, pos)));
 		}
 		contentType = file.substring(pos + 1);
 	}
--- a/external/source/javapayload/src/com/metasploit/meterpreter/MemoryBufferURLStreamHandler.java
+++ b/external/source/javapayload/src/com/metasploit/meterpreter/MemoryBufferURLStreamHandler.java
@ -4,6 +4,8 @@ import java.io.IOException;
 import java.net.URL;
 import java.net.URLConnection;
 import java.net.URLStreamHandler;
 import java.util.ArrayList;
 import java.util.List;
 /**
 * An {@link URLStreamHandler} for a {@link MemoryBufferURLConnection}
@ -11,7 +13,14 @@ import java.net.URLStreamHandler;
 * @author mihi
 */
 public class MemoryBufferURLStreamHandler extends URLStreamHandler {
 	private List files = new ArrayList();
 	protected URLConnection openConnection(URL u) throws IOException {
 		return new MemoryBufferURLConnection(u);
 	}
 	public List getFiles() {
 		return files;
 	}
 }