muga / msgpack-java-0.7

Apache License 2.0

readValue(Unpacker) called instead of readValue() #2

Open tux-mind opened 10 years ago

tux-mind commented 10 years ago

Hi, I found a bug in your msgpack implementation. I'm working with the msfrpcd, which encodes data through msgpack. It encodes exceptions too. I think that you should call readValue() and not readValue(uc) here: https://github.com/muga/msgpack-java-0.7/blob/6a0c954f96add92cca1e4b46681aa49600d17bd0/src/main/java/org/msgpack/unpacker/UnpackerIterator.java#L42

The data I receive:

{"error":true,"error_class":"ArgumentError","error_string":"Invalid Message Format","error_backtrace":["lib/msf/core/rpc/v10/service.rb:121:in `process'","lib/msf/core/rpc/v10/service.rb:89:in `on_request_uri'","lib/msf/core/rpc/v10/service.rb:71:in `block in start'","lib/rex/proto/http/handler/proc.rb:38:in `call'","lib/rex/proto/http/handler/proc.rb:38:in `on_request'","lib/rex/proto/http/server.rb:355:in `dispatch_request'","lib/rex/proto/http/server.rb:289:in `on_client_data'","lib/rex/proto/http/server.rb:149:in `block in start'","lib/rex/io/stream_server.rb:48:in `call'","lib/rex/io/stream_server.rb:48:in `on_client_data'","lib/rex/io/stream_server.rb:192:in `block in monitor_clients'","lib/rex/io/stream_server.rb:190:in `each'","lib/rex/io/stream_server.rb:190:in `monitor_clients'","lib/rex/io/stream_server.rb:73:in `block in start'","lib/rex/thread_factory.rb:22:in `call'","lib/rex/thread_factory.rb:22:in `block in spawn'","lib/msf/core/thread_manager.rb:100:in `call'","lib/msf/core/thread_manager.rb:100:in `block in spawn'"],"error_message":"Invalid Message Format"}

The exception I got:

org.msgpack.MessageTypeException: Map is end but readMapEnd() is not called
     at org.msgpack.unpacker.UnpackerStack.checkCount(UnpackerStack.java:64)
     at org.msgpack.unpacker.Converter.readValue(Converter.java:308)
     at org.msgpack.unpacker.UnpackerIterator.hasNext(UnpackerIterator.java:42)
     at it.evilsocket.dsploit.net.msfrpc.unMsg(msfrpc.java:208)
     at it.evilsocket.dsploit.net.MsfRpcd.run(MsfRpcd.java:121)

My code:

    switch(src.getType())
    {
        case MAP:
            out = new HashMap(conv.readMapBegin());
            i = conv.iterator();
            while(i.hasNext())
                ((HashMap)out).put(i.next(), i.next());
            conv.readMapEnd(true);
            break;

The exception is thrown within the hasNext() method, so it isn't the second next() call, which is unchecked. Using a debugger I found that the exception is thrown after I have successfully read everything, when I should get `false` from the hasNext() method. Here is some extra info from my debugger about the iterator object: http://pastebin.com/EZQyTWYY

Hope this helps. -- tux_mind

open source rocks ;)
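
A count-driven way to read the map from the report above, added here as an example; it is not tux-mind's code and not the msgpack-java project's own. It assumes the `Converter`, `readMapBegin()`, `readValue()` and `readMapEnd(boolean)` calls that appear in the report, plus `ValueFactory` from msgpack-java 0.6; the class name, the `readMap` helper and the sample value are constructed for illustration.

```java
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

import org.msgpack.type.Value;
import org.msgpack.type.ValueFactory;
import org.msgpack.unpacker.Converter;

// Hypothetical class name; not part of msgpack-java or dSploit.
public class CountDrivenMapRead {

    // Reads one map using the entry count returned by readMapBegin(), so
    // readValue() is never called after the last entry (hasNext() is not used).
    static Map<Value, Value> readMap(Converter conv) throws IOException {
        int n = conv.readMapBegin();
        Map<Value, Value> out = new HashMap<Value, Value>(n);
        for (int k = 0; k < n; k++) {
            Value key = conv.readValue();
            Value val = conv.readValue(); // the value may itself be an array or a map
            out.put(key, val);
        }
        conv.readMapEnd(true); // true asks the unpacker to check the map was fully read
        return out;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample with the same shape as the reply in the report:
        // a map whose values include a boolean, a string and an array.
        Value backtrace = ValueFactory.createArrayValue(new Value[] {
            ValueFactory.createRawValue("frame-1 (constructed)"),
            ValueFactory.createRawValue("frame-2 (constructed)")
        });
        Value reply = ValueFactory.createMapValue(new Value[] {
            ValueFactory.createRawValue("error"), ValueFactory.createBooleanValue(true),
            ValueFactory.createRawValue("error_class"), ValueFactory.createRawValue("ArgumentError"),
            ValueFactory.createRawValue("error_backtrace"), backtrace
        });

        Map<Value, Value> map = readMap(new Converter(reply));
        System.out.println(map.size() + " entries");
        System.out.println(map.get(ValueFactory.createRawValue("error_backtrace")));
    }
}
```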

oza commented 10 years ago

Thank you for reporting, @tux-mind. Could you tell me the version of msgpack-java you're using? Are you using version 0.7?

tux-mind commented 10 years ago

    5b41360cbeb8af21fc9f0c1757baabe9 msgpack-rpc-0.7.1-SNAPSHOT.jar

If you can point me to a quick reference on how to compile the jar from your repo, I will do that and I'll report everything you need. By the way, I just pushed my code: https://github.com/tux-mind/dsploit/blob/master/src/it/evilsocket/dsploit/net/msfrpc.java#L235 It's an Android app, but I think that the bug is in the parsing of an Array inside a Map, not something Android-specific. Thanks for your work @oza :)