Ensure no race conditions on handlers

scriptjunkie · scriptjunkie · commit b0d2949f9a4c · 2014-02-15T15:21:16.000-06:00
Configurable WfsDelay
diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb
@@ -32,6 +32,7 @@ class << self; attr_accessor :hop_handlers end
   attr_accessor :current_url # :nodoc:
   attr_accessor :control # :nodoc:
   attr_accessor :refs # :nodoc:
+  attr_accessor :lock # :nodoc:
 
   #
   # Keeps track of what hops have active handlers
@@ -59,14 +60,16 @@ def self.general_handler_type
   def setup_handler
     self.handlers = {}
     self.closed_handlers = {}
+    self.lock = Mutex.new
   end
 
   #
   # Starts the handler along with a monitoring thread to handle data transfer
   #
   def start_handler
+    # Our HTTP client and URL for talking to the hop
     uri = URI(full_uri)
-    # Our HTTP client for talking to the hop
+    self.control = "#{uri.request_uri}control"
     self.mclient = Rex::Proto::Http::Client.new(
       uri.host,
       uri.port,
@@ -87,9 +90,7 @@ def start_handler
     ReverseHopHttp.hop_handlers[full_uri] = self
     self.monitor_thread = Rex::ThreadFactory.spawn('ReverseHopHTTP', false, uri,
         self) do |uri, hop_http|
-      control = "#{uri.request_uri}control"
-      hop_http.control = control
-      hop_http.send_new_stage(control) # send stage to hop
+      hop_http.send_new_stage # send stage to hop
       delay = 1 # poll delay
       # Continue to loop as long as at least one handler or one session is depending on us
       until hop_http.refs < 1 && hop_http.handlers.empty?
@@ -112,13 +113,17 @@ def start_handler
         urlen = received.slice!(0,4).unpack('V')[0]
         urlpath = received.slice!(0,urlen)
 
+        # do not want handlers to change while we dispatch this
+        hop_http.lock.lock
         #received is now the binary contents of the message
         if hop_http.handlers.include? urlpath
           pack = Rex::Proto::Http::Packet.new
           pack.body = received
           hop_http.current_url = urlpath
           hop_http.handlers[urlpath].call(hop_http, pack)
+          hop_http.lock.unlock
         elsif !closed_handlers.include? urlpath
+          hop_http.lock.unlock
           #New session!
           conn_id = urlpath.gsub("/","")
           # Short-circuit the payload's handle_connection processing for create_session
@@ -132,7 +137,9 @@ def start_handler
             :ssl                => false,
           })
           # send new stage to hop so next inbound session will get a unique ID.
-          hop_http.send_new_stage(control)
+          hop_http.send_new_stage
+        else
+          hop_http.lock.unlock
         end
       end
       hop_http.monitor_thread = nil #make sure we're out
@@ -163,8 +170,10 @@ def add_resource(res, opts={})
   # Removes a resource.
   #
   def remove_resource(res)
+    lock.lock
     handlers.delete(res)
     closed_handlers[res] = true
+    lock.unlock
   end
 
   #
@@ -230,7 +239,7 @@ def initialize(info = {})
   #
   # Generates and sends a stage up to the hop point to be ready for the next client
   #
-  def send_new_stage(control)
+  def send_new_stage
     conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
     url = full_uri + conn_id + "/\x00"
 
diff --git a/modules/payloads/stagers/windows/reverse_hop_http.rb b/modules/payloads/stagers/windows/reverse_hop_http.rb
@@ -24,6 +24,7 @@ def initialize(info = {})
       'Arch'          => ARCH_X86,
       'Handler'       => Msf::Handler::ReverseHopHttp,
       'Convention'    => 'sockedi http',
+      'DefaultOptions' => { 'WfsDelay' => 30 },
       'Stager'        =>
         {
           'Offsets' =>
@@ -284,11 +285,4 @@ def generate
     self.module_info['Stager']['Assembly'] = payload_data.to_s
     super
   end
-
-  #
-  # Always wait at least 20 seconds for this payload (due to staging delays)
-  #
-  def wfs_delay
-    20
-  end
 end
