Added spec to reproduce the username/password generation error in case PASSWORD_SPRAY and USER_AS_PASS are both enabled

Mathiou04 · Mathiou04 · commit 8c5bead4a099 · 2024-10-10T21:15:50.000+02:00
Added minimal code to fix the issue, extracting the code to generate username:username credentials in the PASSWORD_SPRAY case
diff --git a/lib/metasploit/framework/credential_collection.rb b/lib/metasploit/framework/credential_collection.rb
@@ -280,6 +280,16 @@ def each_unfiltered_password_first
         yield Metasploit::Framework::Credential.new(public: '', private: '', realm: realm, private_type: :password)
       end
 
+      if user_as_pass
+        if user_fd
+          user_fd.each_line do |user_from_file|
+            user_from_file.chomp!
+            yield Metasploit::Framework::Credential.new(public: user_from_file, private: user_from_file, realm: realm, private_type: private_type(password))
+          end
+          user_fd.seek(0)
+        end
+      end
+
       if password.present?
         if nil_passwords
           yield Metasploit::Framework::Credential.new(public: username, private: nil, realm: realm, private_type: :password)
@@ -309,9 +319,6 @@ def each_unfiltered_password_first
             if username.present?
               yield Metasploit::Framework::Credential.new(public: username, private: pass_from_file, realm: realm, private_type: :password)
             end
-            if user_as_pass
-              yield Metasploit::Framework::Credential.new(public: pass_from_file, private: pass_from_file, realm: realm, private_type: :password)
-            end
             next unless user_fd
 
             user_fd.each_line do |user_from_file|
diff --git a/spec/lib/metasploit/framework/credential_collection_spec.rb b/spec/lib/metasploit/framework/credential_collection_spec.rb
@@ -157,6 +157,24 @@
           Metasploit::Framework::Credential.new(public: "user3", private: "password2"),
         )
       end
+
+      context 'when :user_as_pass is true' do
+        let(:user_as_pass) { true }
+
+        specify  do
+          expect { |b| collection.each(&b) }.to yield_successive_args(
+            Metasploit::Framework::Credential.new(public: "user1", private: "user1"),
+            Metasploit::Framework::Credential.new(public: "user2", private: "user2"),
+            Metasploit::Framework::Credential.new(public: "user3", private: "user3"),
+            Metasploit::Framework::Credential.new(public: "user1", private: "password1"),
+            Metasploit::Framework::Credential.new(public: "user2", private: "password1"),
+            Metasploit::Framework::Credential.new(public: "user3", private: "password1"),
+            Metasploit::Framework::Credential.new(public: "user1", private: "password2"),
+            Metasploit::Framework::Credential.new(public: "user2", private: "password2"),
+            Metasploit::Framework::Credential.new(public: "user3", private: "password2"),
+          )
+        end
+      end
     end
 
     context 'when given a username and password' do
