Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix metasploit-framework#15968 (Multiple Socket Abstraction Bugs) #20

Merged
merged 3 commits into from
Jan 26, 2022
Merged

Fix metasploit-framework#15968 (Multiple Socket Abstraction Bugs) #20

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
ee9e212
Wait for the monitor thread before closing
zeroSteiner Jan 21, 2022
846bfd2
fd isn't always defined
zeroSteiner Jan 21, 2022
caa6027
Force the monitor thread to close the rsock
zeroSteiner Jan 21, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 34 additions & 10 deletions lib/rex/io/socket_abstraction.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,9 @@ def initialize_abstraction
#
def cleanup_abstraction
lsock.close if lsock and !lsock.closed?

monitor_thread.join if monitor_thread&.alive?

rsock.close if rsock and !rsock.closed?

self.lsock = nil
Expand Down Expand Up @@ -111,19 +114,36 @@ def localinfo
#
attr_reader :rsock

module MonitoredRSock
def close
@close_requested = true
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This only ever goes from true to false so I don't think there's a synchronization problem here but if another solution is preferred happy to go a different direction.

@monitor_thread.join
nil
end

def sysclose
self.class.instance_method(:close).bind(self).call
end

attr_reader :close_requested
attr_writer :monitor_thread
end

protected

def monitor_rsock(threadname = 'SocketMonitorRemote')
self.monitor_thread = Rex::ThreadFactory.spawn(threadname, false) do
rsock.extend(MonitoredRSock)
rsock.monitor_thread = self.monitor_thread = Rex::ThreadFactory.spawn(threadname, false) do
loop do
closed = false
buf = nil
closed = rsock.nil? || rsock.close_requested

unless rsock
wlog('monitor_rsock: the remote socket is nil, exiting loop')
if closed
wlog('monitor_rsock: the remote socket has been closed, exiting loop')
break
end

buf = nil

begin
s = Rex::ThreadSafe.select([rsock], nil, nil, 0.2)
next if s.nil? || s[0].nil?
Expand Down Expand Up @@ -159,10 +179,10 @@ def monitor_rsock(threadname = 'SocketMonitorRemote')
# Using syswrite() breaks SSL streams.
sent = write(data)

# sf: Only remove the data off the queue is write was successfull.
# This way we naturally perform a resend if a failure occured.
# sf: Only remove the data off the queue is write was successful.
# This way we naturally perform a resend if a failure occurred.
# Catches an edge case with meterpreter TCP channels where remote send
# failes gracefully and a resend is required.
# fails gracefully and a resend is required.
if sent.nil?
closed = true
wlog('monitor_rsock: failed writing, socket must be dead')
Expand All @@ -182,14 +202,18 @@ def monitor_rsock(threadname = 'SocketMonitorRemote')

begin
close_write if respond_to?('close_write')
rescue IOError
rescue StandardError
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Forgot to mention, the Meterpreter error raised when calling close_write on an invalid handle is not derived from IOError so I changed this to StandardError.

end

break
end

rsock.sysclose
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is now the one and only location where a monitored rsock will actually be closed. Other attempts to close it will result in the request being made and it's up to this loop to honor it and exit.

end
end

attr_accessor :monitor_thread
attr_writer :lsock, :rsock
end
end; end
end
end
2 changes: 1 addition & 1 deletion lib/rex/io/stream_server.rb
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -141,7 +141,7 @@ def monitor_listener
begin
cli = accept
unless cli
elog("The accept() returned nil in stream server listener monitor: #{fd.inspect}")
elog('The accept() returned nil in stream server listener monitor')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dropped the fd.inspect part because fd isn't available in Meterpreter channels which caused an exception to be thrown.

::IO.select(nil, nil, nil, 0.10)
next
end
Expand Down