Land #16316, deref services correctly

lib/msf/core/exploit/remote/dns/server.rb

@@ -130,22 +130,11 @@ def start_service
   end
 
   #
-  # Stops the server
-  # @param destroy [TrueClass,FalseClass] Dereference the server object
-  def stop_service(destroy = false)
-    Rex::ServiceManager.stop_service(self.service) if self.service
-    if destroy
-      @dns_resolver = nil if @dns_resolver
-      self.service = nil if self.service
-    end
-  end
-
+  # Dereference the DNS service
   #
-  # Resets the DNS server
-  #
-  def reset_service
-    stop_service(true)
-    start_service
+  def cleanup
+    super
+    @dns_resolver = nil if @dns_resolver
   end
 
   #

lib/msf/core/exploit/remote/http_server/php_include.rb

@@ -55,15 +55,9 @@ def exploit
     #	print_error("reverse payload instead of bind.")
     #end
 
-    begin
-      print_status("PHP include server started.");
-      php_exploit
-      ::IO.select(nil, nil, nil, 5)
-    rescue ::Interrupt
-      raise $!
-    ensure
-      stop_service
-    end
+    print_status("PHP include server started.");
+    php_exploit
+    ::IO.select(nil, nil, nil, 5)
   end
 
   #

lib/msf/core/exploit/remote/ldap/server.rb

@@ -96,14 +96,6 @@ def start_service
       rescue ::Errno::EACCES => e
         raise Rex::BindFailed, e.message
       end
-
-      #
-      # Resets the LDAP server
-      #
-      def reset_service
-        cleanup
-        start_service
-      end
     end
   end
 end

lib/msf/core/exploit/remote/socket_server.rb

@@ -59,7 +59,7 @@ def primer
   def cleanup
     super
     if service
-      stopped = stop_service
+      stopped = cleanup_service
       if stopped
         print_status("Server stopped.")
       end
@@ -79,9 +79,9 @@ def start_service(opts = {})
   end
 
   #
-  # Stops the service.
+  # Cleans up the service; either closing the socket, or deferencing the service
   #
-  def stop_service
+  def cleanup_service
     if service
       begin
         if self.service.kind_of?(Rex::Service)

lib/msf/core/handler/reverse_http.rb

@@ -260,9 +260,8 @@ def setup_handler
   def stop_handler
     if self.service
       self.service.remove_resource((luri + "/").gsub("//", "/"))
-      if self.service.resources.empty? && self.sessions == 0
-        Rex::ServiceManager.stop_service(self.service)
-      end
+      self.service.deref
+      self.service = nil
     end
   end
 

lib/rex/post/meterpreter/packet_dispatcher.rb

@@ -721,6 +721,9 @@ def initialize_passive_dispatcher
       'Proc'             => Proc.new { |cli, req| on_passive_request(cli, req) },
       'VirtualDirectory' => true
     )
+
+    # Add a reference count to the handler
+    self.passive_service.ref
   end
 
   def shutdown_passive_dispatcher
@@ -729,9 +732,7 @@ def shutdown_passive_dispatcher
       resource_uri = "/" + self.conn_id.to_s.gsub(/(^\/|\/$)/, '') + "/"
       self.passive_service.remove_resource(resource_uri) if self.passive_service
 
-      if self.passive_service.resources.empty?
-        Rex::ServiceManager.stop_service(self.passive_service)
-      end
+      self.passive_service.deref
       self.passive_service = nil
     end
     super

lib/rex/proto/dns/server.rb

@@ -318,7 +318,7 @@ def default_dispatch_request(cli,data)
   # Returns the hardcore alias for the DNS service
   #
   def self.hardcore_alias(*args)
-    "#{(args[0] || '')}#{(args[1] || '')}"
+    "#{(args[0] || '')}-#{(args[1] || '')}-#{args[5] || ''}"
   end
 
   #

lib/rex/proto/http/server.rb

@@ -127,7 +127,7 @@ def inspect
   # Returns the hardcore alias for the HTTP service
   #
   def self.hardcore_alias(*args)
-    "#{(args[0] || '')}#{(args[1] || '')}"
+    "#{(args[0] || '')}-#{(args[1] || '')}-#{args[4] || ''}"
   end
 
   #

lib/rex/proto/ldap/server.rb

@@ -251,7 +251,7 @@ def search_ldif(filter, msgid, attrflt = :all)
         # Returns the hardcore alias for the LDAP service
         #
         def self.hardcore_alias(*args)
-          "#{args[0] || ''}#{args[1] || ''}"
+          "#{args[0] || ''}-#{args[1] || ''}-#{args[4] || ''}"
         end
 
         #

lib/rex/proto/ssh/server.rb

@@ -72,7 +72,7 @@ def inspect
   # Returns the hardcore alias for the SSH service
   #
   def self.hardcore_alias(*args)
-    "#{(args[0])}#{(args[1])}"
+    "#{(args[0])}-#{(args[1])}-#{args[4] || ''}"
   end
 
   #

modules/auxiliary/admin/scada/yokogawa_bkbcopyd_client.rb

@@ -116,7 +116,7 @@ def on_client_data(c)
   end
 
   def on_client_close(c)
-    stop_service
+    cleanup_service
   end
 end
 

modules/auxiliary/gather/safari_file_url_navigation.rb

@@ -322,14 +322,12 @@ def cleanup
     super
 
     # Kill FTP
-    stop_service
+    cleanup_service
 
     # clear my resource, deregister ref, stop/close the HTTP socket
     begin
       @http_service.remove_resource(datastore['URIPATH'])
       @http_service.deref
-      @http_service.stop
-      @http_service.close
       @http_service = nil
     rescue
     end

modules/auxiliary/server/dns/native_server.rb

@@ -24,7 +24,16 @@ def initialize(info = {})
       },
       'Author'         => 'RageLtMan <rageltman[at]sempervictus>',
       'License'        => MSF_LICENSE,
-      'References'     => []
+      'References'     => [],
+      'Actions'     =>
+        [
+          [ 'Service', 'Description' => 'Serve DNS entries' ]
+        ],
+      'PassiveActions' =>
+        [
+          'Service'
+        ],
+      'DefaultAction'  => 'Service'
     ))
   end
 
@@ -37,8 +46,6 @@ def run
       service.wait
     rescue Rex::BindFailed => e
       print_error "Failed to bind to port #{datastore['RPORT']}: #{e.message}"
-    ensure
-      stop_service(true)
     end
   end
 

modules/auxiliary/server/ldap.rb

@@ -39,15 +39,13 @@ def initialize(info = {})
   end
 
   #
-  # Wrapper for service execution and cleanup
+  # Wrapper for service execution
   #
   def run
     start_service
     service.wait
   rescue Rex::BindFailed => e
     print_error "Failed to bind to port #{datastore['SRVPORT']}: #{e.message}"
-  ensure
-    stop_service
   end
 
   #

modules/auxiliary/spoof/dns/native_spoofer.rb

@@ -25,7 +25,17 @@ def initialize(info = {})
       },
       'Author'         => 'RageLtMan <rageltman[at]sempervictus>',
       'License'        => MSF_LICENSE,
-      'References'     => []
+      'References'     => [],
+      'Actions'     =>
+        [
+          [ 'Service', 'Description' => 'Serve DNS entries' ]
+        ],
+      'PassiveActions' =>
+        [
+          'Service'
+        ],
+      'DefaultAction'  => 'Service'
+
     ))
 
     register_options(
@@ -47,13 +57,15 @@ def run
       service.wait
     rescue Rex::BindFailed => e
       print_error "Failed to bind to port #{datastore['RPORT']}: #{e.message}"
-    ensure
-      @capture_thread.kill if @capture_thread
-      close_pcap
-      stop_service(true)
     end
   end
 
+  def cleanup
+    super
+    @capture_thread.kill if @capture_thread
+    close_pcap
+  end
+
   #
   # Generates reply with src and dst reversed
   # Maintains original packet structure, proto, etc, changes ip_id

modules/exploits/linux/http/vestacp_exec.rb

@@ -242,7 +242,6 @@ def exploit
     payload_implant
     login
     start_backup_and_trigger_payload
-    stop_service
   end
 
   def on_request_uri(cli, _request)

modules/exploits/multi/http/jboss_maindeployer.rb

@@ -216,7 +216,7 @@ def exploit
     end
 
     print_status("Shutting down the web service...")
-    stop_service
+    cleanup_service
 
 
     #

modules/exploits/multi/http/mutiny_subnetmask_exec.rb

@@ -148,9 +148,6 @@ def wait_linux_payload
 
     #print_status("Giving time to the payload to execute...")
     #select(nil, nil, nil, 20) unless session_created?
-
-    print_status("Shutting down the web service...")
-    stop_service
   end
 
   # Handle incoming requests from the target

modules/exploits/multi/http/oracle_weblogic_wsat_deserialization_rce.rb

@@ -166,12 +166,12 @@ def on_request_uri(cli, request)
   #     sleep 1
   #     waited += 1
   #     if waited > datastore['HTTP_DELAY']
-  #       stop_service
+  #       cleanup_service
   #       return Exploit::CheckCode::Safe
   #     end
   #   end
   #
-  #   stop_service
+  #   cleanup_service
   #   return Exploit::CheckCode::Vulnerable
   # end
 

modules/exploits/multi/http/ubiquiti_unifi_log4shell.rb

@@ -100,7 +100,7 @@ def check
     wait_until { @search_received }
     @search_received ? Exploit::CheckCode::Vulnerable : Exploit::CheckCode::Unknown('No LDAP search query was received.')
   ensure
-    stop_service
+    cleanup_service
   end
 
   def build_ldap_search_response_payload
@@ -149,7 +149,5 @@ def exploit
 
     wait_until { @search_received && (!handler_enabled? || session_created?) }
     handler
-  ensure
-    cleanup
   end
 end

modules/exploits/multi/misc/java_jmx_server.rb

@@ -183,8 +183,6 @@ def exploit
       method: 'run'
     )
     disconnect
-    vprint_status("Stopping service...")
-    stop_service
   end
 
   def is_rmi?

modules/exploits/multi/misc/java_rmi_server.rb

@@ -183,27 +183,10 @@ def on_request_uri(cli,  request)
       })
 
       print_status("Replied to request for payload JAR")
-      stop_service
+      cleanup_service
     end
   end
 
-  def cleanup
-    # Normally service termination should not be managed on the module's level, but this is a
-    # special case.
-    #
-    # Originally this special service termination routine was implemented in
-    # Exploit::Remote::TcpServer#stop_service, but that would actually cause all HttpServers to stop
-    # if one of them attempts to register a resource that is already taken, which seems to be a
-    # harsh punishment. This is why the fix is moved here.
-    #
-    # See references:
-    # https://github.com/rapid7/metasploit-framework/pull/4203
-    # https://github.com/rapid7/metasploit-framework/issues/6445
-    service.stop if service
-
-    super
-  end
-
   def autofilter
     return true
   end

modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb

@@ -194,8 +194,7 @@ def exploit
     rescue ::Timeout::Error
       print_status("Timed out waiting on the HTTP request")
       wdmserver.close
-      disconnect()
-      stop_service()
+      disconnect
       return
     end
 
@@ -210,7 +209,6 @@ def exploit
       print_status("No executable sent :(")
     end
 
-    stop_service()
     wdmserver.close()
 
     handler

modules/exploits/osx/browser/safari_file_policy.rb

@@ -232,15 +232,10 @@ def start_http(opts={})
   def cleanup
     super
 
-    # Kill FTP
-    stop_service()
-
     # clear my resource, deregister ref, stop/close the HTTP socket
     begin
       @http_service.remove_resource(datastore['URIPATH'])
       @http_service.deref
-      @http_service.stop
-      @http_service.close
       @http_service = nil
     rescue
     end