Merge branch using Rex sockets as IO

2015-10-09 13:42:09 -05:00 · 2015-10-09 13:42:09 -05:00 · c48246c91c
parent 3cd9dc4fde 347495e2f5
commit c48246c91c
5 changed files with 9 additions and 87 deletions
--- a/lib/msf/java/rmi/client.rb
+++ b/lib/msf/java/rmi/client.rb
@ -19,23 +19,6 @@ module Msf
        include Msf::Java::Rmi::Client::Jmx
        include Exploit::Remote::Tcp

-        def initialize(info = {})
-          super
-
-          register_advanced_options(
-            [
-              OptInt.new('RmiReadLoopTimeout', [ true, 'Maximum number of seconds to wait for data between read iterations', 1])
-            ], Msf::Java::Rmi::Client
-          )
-        end
-
-        # Returns the timeout to wait for data between read iterations
-        #
-        # @return [Fixnum]
-        def read_loop_timeout
-          datastore['RmiReadLoopTimeout'] || 1
-        end
-
        # Returns the target host
        #
        # @return [String]
@ -103,9 +86,8 @@ module Msf
        # @see Rex::Proto::Rmi::Model::ProtocolAck.decode
        def recv_protocol_ack(opts = {})
          nsock = opts[:sock] || sock
-          data = safe_get_once(nsock)
          begin
-            ack = Rex::Proto::Rmi::Model::ProtocolAck.decode(StringIO.new(data))
+            ack = Rex::Proto::Rmi::Model::ProtocolAck.decode(nsock)
          rescue Rex::Proto::Rmi::DecodeError
            return nil
          end
@ -123,41 +105,15 @@ module Msf
        # @see Rex::Proto::Rmi::Model::ReturnData.decode
        def recv_return(opts = {})
          nsock = opts[:sock] || sock
-          data = safe_get_once(nsock)

          begin
-            return_data = Rex::Proto::Rmi::Model::ReturnData.decode(StringIO.new(data))
+            return_data = Rex::Proto::Rmi::Model::ReturnData.decode(nsock)
          rescue Rex::Proto::Rmi::DecodeError
            return nil
          end

          return_data.return_value
        end
-
-        # Helper method to read fragmented data from a ```Rex::Socket::Tcp```
-        #
-        # @param nsock [Rex::Socket::Tcp]
-        # @return [String]
-        def safe_get_once(nsock = sock, loop_timeout = read_loop_timeout)
-          data = ''
-          begin
-            res = nsock.get_once
-          rescue ::EOFError
-            res = nil
-          end
-
-          while res && nsock.has_read_data?(loop_timeout)
-            data << res
-            begin
-              res = nsock.get_once
-            rescue ::EOFError
-              res = nil
-            end
-          end
-
-          data << res if res
-          data
-        end
      end
    end
  end
--- a/modules/exploits/multi/misc/java_rmi_server.rb
+++ b/modules/exploits/multi/misc/java_rmi_server.rb
@ -154,7 +154,13 @@ class Metasploit3 < Msf::Exploit::Remote
      arguments: build_dgc_clean_args(new_url)
    )

-    return_value = recv_return
+    begin
+      return_value = recv_return
+    rescue Rex::StreamClosedError
+      # There should be a session...
+      disconnect
+      return
+    end

    if return_value.nil? && !session_created?
      fail_with(Failure::Unknown, 'RMI Call failed')
--- a/spec/lib/msf/java/rmi/client/jmx/connection_spec.rb
+++ b/spec/lib/msf/java/rmi/client/jmx/connection_spec.rb
@ -101,14 +101,6 @@ describe Msf::Java::Rmi::Client::Jmx::Connection do
          io.write(get_object_instance_response)
          io.seek(0)
        end
-
-        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
-          io.read
-        end
-
-        allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
-          false
-        end
      end

      it "returns true" do
@ -125,14 +117,6 @@ describe Msf::Java::Rmi::Client::Jmx::Connection do
          io.write(create_mbean_response)
          io.seek(0)
        end
-
-        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
-          io.read
-        end
-
-        allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
-          false
-        end
      end

      it "returns true" do
@ -149,14 +133,6 @@ describe Msf::Java::Rmi::Client::Jmx::Connection do
          io.write(invoke_response)
          io.seek(0)
        end
-
-        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
-          io.read
-        end
-
-        allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
-          false
-        end
      end

      it "returns true" do
--- a/spec/lib/msf/java/rmi/client/jmx/server_spec.rb
+++ b/spec/lib/msf/java/rmi/client/jmx/server_spec.rb
@ -47,14 +47,6 @@ describe Msf::Java::Rmi::Client::Jmx::Server do
          io.write(new_client_response)
          io.seek(0)
        end
-
-        allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
-          io.read
-        end
-
-        allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
-          false
-        end
      end

      it "returns the reference information" do
--- a/spec/lib/msf/java/rmi/client_spec.rb
+++ b/spec/lib/msf/java/rmi/client_spec.rb
@ -44,14 +44,6 @@ describe Msf::Java::Rmi::Client do
    allow_any_instance_of(::StringIO).to receive(:put) do |io, data|
      io.write(data)
    end
-
-    allow_any_instance_of(::StringIO).to receive(:get_once) do |io, length, timeout|
-      io.read
-    end
-
-    allow_any_instance_of(::StringIO).to receive(:has_read_data?) do |io|
-      false
-    end
  end

  describe "#send_header" do