Register VulnAttempts for both Exploit and Auxiliary modules

cdelafuente-r7 · cdelafuente-r7 · commit 4ccab4543dec · 2025-05-28T18:19:12.000+02:00
diff --git a/lib/msf/base/simple/auxiliary.rb b/lib/msf/base/simple/auxiliary.rb
@@ -189,15 +189,26 @@ def self.job_run_proc(ctx, &block)
     rescue Msf::Auxiliary::Failed => e
       mod.error = e
       mod.print_error("Auxiliary aborted due to failure: #{e.message}")
+
+      # The caller should have already set mod.fail_reason
+      if mod.fail_reason == Msf::Module::Failure::None
+        mod.fail_reason = Msf::Module::Failure::Unknown
+      end
+      mod.fail_detail ||= e.to_s
+
       mod.cleanup
       return
     rescue ::Timeout::Error => e
       mod.error = e
+      mod.fail_reason = Msf::Module::Failure::TimeoutExpired
+      mod.fail_detail ||= e.to_s
       mod.print_error("Auxiliary triggered a timeout exception")
       mod.cleanup
       return
     rescue ::Interrupt => e
       mod.error = e
+      mod.fail_reason = Msf::Module::Failure::UserInterrupt
+      mod.fail_detail ||= e.to_s
       mod.print_error("Stopping running against current target...")
       mod.cleanup
       mod.print_status("Control-C again to force quit all targets.")
@@ -209,9 +220,13 @@ def self.job_run_proc(ctx, &block)
       return
     rescue ::Msf::OptionValidateError => e
       mod.error = e
+      mod.fail_reason = Msf::Module::Failure::BadConfig
+      mod.fail_detail ||= e.to_s
       ::Msf::Ui::Formatter::OptionValidateError.print_error(mod, e)
     rescue ::Exception => e
       mod.error = e
+      mod.fail_reason = Msf::Module::Failure::Unknown
+      mod.fail_detail ||= e.to_s
       mod.print_error("Auxiliary failed: #{e.class} #{e}")
       if(e.class.to_s != 'Msf::OptionValidateError')
         mod.print_error("Call stack:")
@@ -226,6 +241,16 @@ def self.job_run_proc(ctx, &block)
 
     end
     return result
+  ensure
+    # Register an attempt in the database (an `Mdm::ExploitAttempt` (and
+    # possibly an `Mdm::VulnAttempt`).
+    #
+    # Since auxiliary modules don't report clearly when it is a success or a
+    # failure, we are calling #report_failure keeping the `mod.fail_reason`
+    # value unchanged. This value is set to `Msf::Module::Failure::None` when
+    # no error was reported. It should be set to another
+    # `Msf::Module::Failure::*` value otherwise.
+    mod.report_failure
   end
 
   #
diff --git a/lib/msf/core/auxiliary.rb b/lib/msf/core/auxiliary.rb
@@ -46,6 +46,7 @@ def initialize(info = {})
 
     self.sockets = Array.new
     self.queue   = Array.new
+    self.fail_reason = Msf::Module::Failure::None
   end
 
   #
@@ -159,9 +160,27 @@ def abort_sockets
 
   # Override Msf::Module#fail_with for Msf::Simple::Auxiliary::job_run_proc
   def fail_with(reason, msg = nil)
-    raise Msf::Auxiliary::Failed, "#{reason.to_s}: #{msg}"
+    allowed_values = Msf::Module::Failure.constants.collect {|e| Msf::Module::Failure.const_get(e)}
+    if allowed_values.include?(reason)
+      self.fail_reason = reason
+    else
+      self.fail_reason = Msf::Module::Failure::Unknown
+    end
+
+    self.fail_detail = msg
+    raise Msf::Auxiliary::Failed, "#{reason.to_s}: #{(msg || "No failure message given")}"
   end
 
+  #
+  # The reason why the module was not successful (one of the constant defined above)
+  #
+  attr_accessor  :fail_reason
+
+  #
+  # Detailed exception string indicating why the module was not successful
+  #
+  attr_accessor  :fail_detail
+
   attr_accessor :queue
 
 protected
diff --git a/lib/msf/core/db_manager/exploit_attempt.rb b/lib/msf/core/db_manager/exploit_attempt.rb
@@ -33,16 +33,31 @@ def report_exploit_attempt(host, opts)
   # @option (see #do_report_failure_or_success)
   # @return (see #do_report_failure_or_success)
   def report_exploit_failure(opts)
-    return unless opts.has_key?(:refs) && !opts[:refs].blank?
-    host   = opts[:host] || return
+    return unless opts[:refs].present? && opts[:host].present?
 
+    host = opts[:host]
     wspace = Msf::Util::DBManager.process_opts_workspace(opts, framework)
-    port   = opts[:port]
-    proto   = opts[:proto] || Msf::DBManager::DEFAULT_SERVICE_PROTO
-    svc    = opts[:service]
+    opts = opts.clone()
+    port = opts[:port]
+    proto = opts[:proto] || Msf::DBManager::DEFAULT_SERVICE_PROTO
+    svc = opts[:service]
+    rids = opts.delete(:ref_ids) || []
+
+    opts[:refs].each do |ref|
+      if ref.instance_of?(Mdm::Module::Ref)
+        str = ref.name
+      elsif (ref.respond_to?(:ctx_id)) && (ref.respond_to?(:ctx_val))
+        str = "#{ref.ctx_id}-#{ref.ctx_val}"
+      elsif (ref.is_a?(Hash) && ref[:ctx_id] && ref[:ctx_val])
+        str = "#{ref[:ctx_id]}-#{ref[:ctx_val]}"
+      elsif ref.is_a?(String)
+        str = ref
+      end
+      rids << find_or_create_ref(name: str) unless str.nil?
+    end
 
     # Look up the service as appropriate
-    if port and svc.nil?
+    if port && svc.nil?
       # only one result can be returned, as the +port+ field restricts potential results to a single service
       svc = services(:workspace => wspace,
                      :hosts => {address: host},
@@ -52,19 +67,30 @@ def report_exploit_failure(opts)
 
     # Look up the host as appropriate
     if !host || !host.kind_of?(::Mdm::Host)
-      if svc.kind_of? ::Mdm::Service
+      if svc&.kind_of? ::Mdm::Service
         host = svc.host
       else
         host = get_host(workspace: wspace, address: host)
       end
     end
 
     # Bail if we dont have a host object
-    return if not host
+    return unless host
+
+    vuln = nil
+    if rids.present?
+      if svc
+        # Try to find an existing vulnerability with the same service & references
+        vuln = find_vuln_by_refs(rids, host, svc, false)
+      else
+        # Try to find an existing vulnerability with the same host & references
+        vuln = find_vuln_by_refs(rids, host, nil, false)
+      end
+    end
 
-    opts = opts.clone()
     opts[:service] = svc
     opts[:host] = host
+    opts[:vuln] = vuln if vuln
 
     do_report_failure_or_success(opts)
   end
@@ -137,7 +163,7 @@ def do_report_failure_or_success(opts)
         ref_objs = ::Mdm::Ref.where(name: ref_names)
 
         # Try find a matching vulnerability
-        vuln = find_vuln_by_refs(ref_objs, host, svc)
+        vuln = find_vuln_by_refs(ref_objs, host, svc, false)
       end
 
       attempt_info = {
diff --git a/lib/msf/core/db_manager/vuln.rb b/lib/msf/core/db_manager/vuln.rb
@@ -44,8 +44,8 @@ def find_vuln_by_details(details_map, host, service=nil)
     other_vulns.empty? ? nil : other_vulns.first
   end
 
-  def find_vuln_by_refs(refs, host, service=nil)
-    ref_ids = refs.find_all { |ref| ref.name.starts_with? 'CVE-'}
+  def find_vuln_by_refs(refs, host, service = nil, cve_only = true)
+    ref_ids = cve_only ? refs.find_all { |ref| ref.name.starts_with? 'CVE-'} : refs
     relation = host.vulns.joins(:refs)
     if !service.try(:id).nil?
       return relation.where(service_id: service.try(:id), refs: { id: ref_ids}).first
diff --git a/lib/msf/core/exploit.rb b/lib/msf/core/exploit.rb
@@ -1460,34 +1460,6 @@ def handle_exception e
     return self.fail_reason
   end
 
-  def report_failure
-    return unless framework.db and framework.db.active
-
-    info = {
-      :timestamp   => Time.now.utc,
-      :workspace   => framework.db.find_workspace(self.workspace),
-      :module      => self.fullname,
-      :fail_reason => self.fail_reason,
-      :fail_detail => self.fail_detail,
-      :target_name => self.target.name,
-      :username    => self.owner,
-      :refs        => self.references,
-      :run_id      => self.datastore['RUN_ID']
-    }
-
-    if self.datastore['RHOST'] && (self.options['RHOST'] || self.options['RHOSTS'])
-      info[:host] = self.datastore['RHOST']
-    end
-
-    if self.datastore['RPORT'] and self.options['RPORT']
-      info[:port] = self.datastore['RPORT']
-      if self.class.ancestors.include?(Msf::Exploit::Remote::Tcp)
-        info[:proto] = 'tcp'
-      end
-    end
-
-    framework.db.report_exploit_failure(info)
-  end
 
   ##
   #
diff --git a/lib/msf/core/module.rb b/lib/msf/core/module.rb
@@ -48,6 +48,7 @@ class Module
     include Msf::Module::Author
     include Msf::Module::Compatibility
     include Msf::Module::DataStore
+    include Msf::Module::Failure
     include Msf::Module::FullName
     include Msf::Module::ModuleInfo
     include Msf::Module::ModuleStore
diff --git a/lib/msf/core/module/failure.rb b/lib/msf/core/module/failure.rb
@@ -38,4 +38,35 @@ module Msf::Module::Failure
 
   # The exploit was interrupted by the user
   UserInterrupt   = 'user-interrupt'
-end
+
+
+  def report_failure
+    return unless framework.db and framework.db.active
+
+    info = {
+      timestamp: Time.now.utc,
+      workspace: framework.db.find_workspace(self.workspace),
+      module: self.fullname,
+      fail_reason: self.fail_reason,
+      fail_detail: self.fail_detail,
+      username: self.owner,
+      refs: self.references,
+      run_id: self.datastore['RUN_ID']
+    }
+    info[:target_name] = self.target.name if self.respond_to?(:target)
+
+    if self.datastore['RHOST'] && (self.options['RHOST'] || self.options['RHOSTS'])
+      info[:host] = self.datastore['RHOST']
+    end
+
+    if self.datastore['RPORT'] and self.options['RPORT']
+      info[:port] = self.datastore['RPORT']
+      if self.class.ancestors.include?(Msf::Exploit::Remote::Tcp)
+        info[:proto] = 'tcp'
+      end
+    end
+
+    framework.db.report_exploit_failure(info)
+  end
+
+end
diff --git a/spec/support/shared/examples/msf/db_manager/exploit_attempt.rb b/spec/support/shared/examples/msf/db_manager/exploit_attempt.rb
