Merge pull request #20800 from adfoster-r7/add-autocheck-vulnerability-logic

smcintyre-r7 · web-flow · commit d4eba39b1d8c · 2025-12-22T15:58:18.000-05:00
Add autocheck report_vuln logic
diff --git a/lib/msf/core/exploit/remote/auto_check.rb b/lib/msf/core/exploit/remote/auto_check.rb
@@ -40,11 +40,35 @@ def with_prepended_auto_check
 
     warning_msg = 'ForceExploit is enabled, proceeding with exploitation.'
     error_msg = '"set ForceExploit true" to override check result.'
-
     check_code = check
+
     case check_code
     when Exploit::CheckCode::Vulnerable, Exploit::CheckCode::Appears
       print_good(check_code.message)
+
+      if respond_to?(:report_vuln)
+        report_vuln_opts = {
+          name: fullname,
+          username: respond_to?(:owner) ? owner : nil,
+          refs: references,
+          info: description.strip
+        }
+
+        if respond_to?(:session) && session.respond_to?(:session_host)
+          report_vuln(
+            **report_vuln_opts,
+            host: session.session_host
+          )
+        elsif respond_to?(:rhost)
+          report_vuln(
+            **report_vuln_opts,
+            host: rhost,
+            port: respond_to?(:rport) ? rport : nil,
+            proto: Msf::DBManager::DEFAULT_SERVICE_PROTO
+          )
+        end
+      end
+
       return yield
     when Exploit::CheckCode::Detected
       print_warning(check_code.message)
diff --git a/spec/lib/msf/core/exploit/remote/auto_check_spec.rb b/spec/lib/msf/core/exploit/remote/auto_check_spec.rb
@@ -68,16 +68,78 @@
     context 'when the check method returns vulnerable' do
       let(:check_result) { ::Msf::Exploit::CheckCode::Vulnerable }
 
-      before(:each) do
-        subject.send(opts[:method])
+      context 'when there is no session or rhost details' do
+        before(:each) do
+          subject.send(opts[:method])
+        end
+
+        it "calls the check method" do
+          expect(subject).to have_received(:check)
+        end
+
+        it "calls the original #{opts[:method]} method" do
+          expect(subject).to have_received(:"original_#{opts[:method]}_call")
+        end
       end
 
-      it "calls the check method" do
-        expect(subject).to have_received(:check)
+      context 'when a session is present' do
+        subject do
+          mock_module_with_session.new
+        end
+
+        before(:each) do
+          mock_session = instance_double(Msf::Sessions::Meterpreter_x64_Linux, session_host: '192.0.2.2')
+          allow(subject).to receive(:session).and_return(mock_session)
+          allow(subject).to receive(:report_vuln).and_call_original
+          subject.send(opts[:method])
+        end
+
+        it "calls the check method" do
+          expect(subject).to have_received(:check)
+        end
+
+        it "calls the original #{opts[:method]} method" do
+          expect(subject).to have_received(:"original_#{opts[:method]}_call")
+        end
+
+        it "registers the vulnerability" do
+          expect(subject).to have_received(:report_vuln).with(hash_including(
+            name: a_kind_of(String),
+            info: a_kind_of(String),
+            refs: a_kind_of(Array),
+            host: '192.0.2.2'
+          ))
+        end
       end
 
-      it "calls the original #{opts[:method]} method" do
-        expect(subject).to have_received(:"original_#{opts[:method]}_call")
+      context 'when rhost is present' do
+        subject do
+          mock_module_with_rhost.new
+        end
+
+        before(:each) do
+          allow(subject).to receive(:report_vuln).and_call_original
+          subject.send(opts[:method])
+        end
+
+        it "calls the check method" do
+          expect(subject).to have_received(:check)
+        end
+
+        it "calls the original #{opts[:method]} method" do
+          expect(subject).to have_received(:"original_#{opts[:method]}_call")
+        end
+
+        it "registers the vulnerability" do
+          expect(subject).to have_received(:report_vuln).with(hash_including(
+            name: a_kind_of(String),
+            info: a_kind_of(String),
+            refs: a_kind_of(Array),
+            host: '192.0.2.2',
+            port: 8080,
+            proto: 'tcp'
+          ))
+        end
       end
     end
 
@@ -121,7 +183,7 @@
       prepend context_described_class
 
       def check
-        # mocked
+        raise 'should be mocked'
       end
 
       def run
@@ -139,6 +201,32 @@ def exploit
       def original_exploit_call
         # Helper for verifying the original exploit function was called
       end
+
+      def report_vuln(opts)
+        original_report_vuln(opts)
+      end
+
+      def original_report_vuln(opts)
+        # Helper for verifying the original exploit function was called
+      end
+    end
+  end
+  let(:mock_module_with_session) do
+    Class.new(mock_module_with_prepend_autocheck) do
+      def session
+        raise 'should be mocked'
+      end
+    end
+  end
+  let(:mock_module_with_rhost) do
+    Class.new(mock_module_with_prepend_autocheck) do
+      def rhost
+        '192.0.2.2'
+      end
+
+      def rport
+        8080
+      end
     end
   end
   let(:mock_module_with_include_autocheck) do
