Vulnerability Report Enhancement #20424
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
cdelafuente-r7
commented
Jul 29, 2025
Gemfile
Outdated
Comment on lines
6
to
7
| gem 'metasploit_data_models', git: 'git@github.com:cdelafuente-r7/metasploit_data_models.git', branch: 'MS-9930_resource_layered_services' | ||
|
|
Contributor
Author
There was a problem hiding this comment.
This has been added to make testing possible before the metasploit_data_models PR is landed. This will need to be removed before landing this PR
Contributor
Neat. Is there any way we can do this programmatically? Automatically populating vulnerabilities for every module which returns |
cdelafuente-r7
commented
Jul 29, 2025
| service = (port ? host.services.find_by_port(port.to_i) : nil) | ||
|
|
||
| vuln_info[:service] = service if service | ||
| if session.exploit.respond_to?(:service_details) && session.exploit.service_details |
Contributor
Author
There was a problem hiding this comment.
This takes advantage of the #service_details method, which some modules implement. For now, the lib/msf/core/exploit/remote/http_client.rb mixin implement it. Maybe we can enforce exploit modules to implemented it in the future.
For example:
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/tomcat_mgr_upload.rb#L428
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/remote/http_client.rb#L932
Contributor
Author
|
@bcoles, See the previous implementation: https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/ui/console/module_command_dispatcher.rb#L177 |
cdelafuente-r7
force-pushed
the
enh/MS-9930/vuln_report
branch
from
0b71adf to
3a8499a
Compare
Contributor
Thanks. I tried to verify this before posting, but as usual the database config is broken in my dev environment. |
cdelafuente-r7
force-pushed
the
enh/MS-9930/vuln_report
branch
4 times, most recently
from
43f4854 to
7a41ca5
Compare
cdelafuente-r7
force-pushed
the
enh/MS-9930/vuln_report
branch
3 times, most recently
from
46d565c to
2df584b
Compare
cdelafuente-r7
force-pushed
the
enh/MS-9930/vuln_report
branch
from
2df584b to
7f876c6
Compare
lib/msf/core/db_manager/service.rb
Outdated
| return | ||
| end | ||
| service_obj.state ||= Msf::ServiceState::Open | ||
| service_obj.info ||= '' |
Contributor
There was a problem hiding this comment.
We should probably propagate the service info here.
Suggested change
| service_obj.info ||= '' | |
| service_obj.info = service[:info] if service[:info] |
Contributor
Author
There was a problem hiding this comment.
Thank you for the heads up. This has been addressed in b628c75
Contributor
|
I have tested this and recorded the outputs below for each verification step. I believe everything is working as expected. Module used for testingOutput##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
# Exploit mixins should be called first
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::WmapScanServer
# Scanner mixin should be near last
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize
super(
'Name' => 'Report Vuln Project',
'Description' => 'Reports vulns with services that include resources and parent services',
'Author' => 'cdelafuente-r7',
'License' => MSF_LICENSE
)
register_options(
[
OptString.new('TARGETURI', [true, 'URI to test', '/']),
]
)
end
def check_host(target_host)
# Build service layers
tcp_service = {
name: 'TCP',
proto: 'tcp',
port: rport,
resource: {port: rport},
parents: nil
}
http_service = {
name: 'HTTP',
proto: 'tcp',
port: rport,
resource: {method: 'GET'},
parents: tcp_service
}
web_app_service = {
name: 'MyCMS',
proto: 'tcp',
port: rport,
resource: {base_url: '/mycms'},
parents: http_service
}
# Return Vulnerable with vuln details
Exploit::CheckCode::Vulnerable(
'Target is vulnerable!',
vuln: {
host: target_host,
port: rport,
proto: 'tcp',
name: 'Test Vulnerability from check method',
info: "Module #{fullname} - vulnerability detected during check",
refs: references,
exploited_at: Time.now.utc,
service: web_app_service,
resource: {uri: datastore['TARGETURI']}
}
)
end
def run_host(target_host)
print_status("Reporting vuln\n")
tcp_service = {}
[80, 443, 389, 445].each do |port|
tcp_service[port] = {
name: 'TCP',
proto: 'tcp',
port: port,
resource: {port: port},
parents: nil
}
end
ssl_service = {
name: 'SSL',
proto: 'tcp',
port: 443,
resource: {cert_chain: ['CN=*.foo.com', 'C=US, O=foo, CN=www']},
parents: tcp_service[443]
}
http_service = {
name: 'HTTP',
proto: 'tcp',
port: 80,
resource: {method: 'GET'},
parents: tcp_service[80]
}
https_service = {
name: 'HTTPS',
proto: 'tcp',
port: 443,
resource: {method: 'GET'},
parents: ssl_service
}
web_app_service = {
name: 'MyCMS',
proto: 'tcp',
port: 80,
resource: {base_url: '/mycms'},
parents: http_service
}
web_app_service2 = {
name: 'OtherCMS',
proto: 'tcp',
port: 80, #[80, 443]
resource: {base_url: '/othercms'},
parents: [http_service, https_service]
}
ldap_service = {
name: 'LDAP',
proto: 'tcp',
port: 389,
resource: {dn: 'CN=Certificate,DC=company,DC=com'},
parents: tcp_service[389]
}
vuln = report_vuln(
host: target_host,
port: rport,
proto: 'tcp',
name: 'Test Vulnerability - Web',
info: "Module #{fullname}",
refs: references,
exploited_at: Time.now.utc,
service: web_app_service,
resource: {uri: '/profile'}
)
print_vuln_details(vuln)
vuln = report_vuln(
host: target_host,
port: rport,
proto: 'tcp',
name: 'Test Vulnerability - Web',
info: "Module #{fullname}",
refs: references,
exploited_at: Time.now.utc,
service: web_app_service,
resource: {uri: '/search?param=query'}
)
print_vuln_details(vuln)
vuln = report_vuln(
host: target_host,
port: rport,
proto: 'tcp',
name: 'Test Vulnerability - Web',
info: "Module #{fullname}",
refs: references,
exploited_at: Time.now.utc,
service: web_app_service2,
resource: {uri: '/profile'},
)
print_vuln_details(vuln)
vuln = report_vuln(
host: target_host,
port: rport,
proto: 'tcp',
name: 'Test Vulnerability #4 - ESC1',
info: "Module #{fullname}",
refs: references,
exploited_at: Time.now.utc,
service: ldap_service,
resource: {template: 'Esc1-Template'}
)
print_vuln_details(vuln)
# Another example with HTTPS service showing SSL layer
vuln = report_vuln(
host: target_host,
port: 443,
proto: 'tcp',
name: 'Test Vulnerability - HTTPS API',
info: "Module #{fullname} - API endpoint vulnerability",
refs: references,
exploited_at: Time.now.utc,
service: {
name: 'API',
proto: 'tcp',
port: 443,
resource: {endpoint: '/api/v1'},
parents: https_service
},
resource: {path: '/users', method: 'POST'}
)
print_vuln_details(vuln)
# Since the service is not specified, this will assign the first service
# registered in the database for this host with the given port and proto (default: tcp).
# This is likely to be the TCP service.
# Setting sname and proto will help to find the right service.
vuln = report_vuln({
:host => rhost,
:port => rport,
#:sname => 'HTTPS',
#:proto => 'tcp',
:name => "#{self.name} - Old Fashion",
:refs => self.references,
:info => "Module #{self.fullname} found vulnerable JBoss Seam 2 resource."
})
print_vuln_details(vuln)
# Old fashion way to report a service
report_service(
host: rhost,
port: 5060,
proto: 'tcp',
name: 'SIP',
info: 'report service without resource'
)
report_service(
host: rhost,
port: 389,
proto: 'tcp',
name: 'LDAP',
info: 'report service without resource: should pick the already registered LDAP service',
)
report_service(
host: rhost,
port: 389,
proto: 'tcp',
name: 'LDAP',
resource: {dn: 'CN=Foo,DC=anothercompany,DC=com'},
info: 'report service with a new resource: should create a new LDAP service',
)
# Reporting a vulnerability on a DCERPC service running over SMB
vuln = report_vuln(
workspace: myworkspace,
host: rhost,
name: "CA Allows Write Privileges",
info: "Certificate Authority allows unauthorized write access",
refs: [ SiteReference.new('URL', 'https://example.com') ],
port: 445,
proto: 'tcp',
service: {
name: 'AD CS',
proto: 'tcp',
port: 445,
#resource: {CA: 'My-CA'},
parents: {
name: 'DCERPC',
proto: 'tcp',
port: 445,
resource: {named_pipe: 'icpr'},
parents: {
name: 'SMB',
proto: 'tcp',
port: 445,
resource: {share: 'IPC$'},
parents: tcp_service[445]
}
}
},
resource: {CA: 'msflab-DC-CA'} # the CA name needed in requests
)
end
def print_vuln_details(vuln)
print_status("Vulnerability ID: #{vuln.id}")
print_status("Name: #{vuln.name}")
print_status("Info: #{vuln.info}")
print_status("References: #{vuln.refs.map { |ref| "#{ref.name}" }.join(', ')}")
print_status("Exploited at: #{vuln.exploited_at}")
print_status("Resource: #{vuln.resource.to_json}")
print_status("Service: #{vuln.service.name} (port: #{vuln.service.port}, resource: #{vuln.service.resource.to_json})")
str = "Parent Services:\n"
service = vuln.service.parents.first
loop do
break unless service
str << "\t#{service.name} (resource: #{service.resource.to_json})\n"
service = service.parents.first
end
print_status(str)
end
endrun check and make sure it returns a Vulnerable CheckCode
Verify the vulnerability has been reported with the vulns command
|
Contributor
|
Will hold off on landing this until the following is resolved. |
Contributor
|
I also tested the
Everything seems to be backwards compatible and worked as expected: |
cgranleese-r7
approved these changes
Nov 27, 2025
Contributor
Author
|
The last commit (d9d4e6d) fixes a bug found by @smcintyre-r7 (see cdelafuente-r7#4 (comment)). The issue was that deleting a service automatically delete its children via |
cdelafuente-r7
force-pushed
the
enh/MS-9930/vuln_report
branch
from
6f55274 to
12323eb
Compare
Contributor
|
Everything seems to be working as intended. The previous issue has also been fixed and services can now be deleted in bulk: |
Contributor
Release NotesUpdates how vulnerabilities and services are reported by adding a resource field to both models. It also add a parents field to make layered services possible. An optional resource field can now be provided and the existing service field has been updated to also accept an option hash. |
cdelafuente-r7
force-pushed
the
enh/MS-9930/vuln_report
branch
from
a29034f to
baeb61f
Compare
- update `#report_service` and `#report_vuln` - update vulnerability report when a session is established - update CheckCode and `#cmd_check` to report a vulnerability when Vulnerable checkcode is returned - update `vulns` and `services` commands to display the `resource` and parent services - specs
cdelafuente-r7
force-pushed
the
enh/MS-9930/vuln_report
branch
from
baeb61f to
fbea976
Compare
Contributor
|
CI failures unrelated to these changes. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR updates how vulnerability and services are reported by adding a
resourcefield to both models. It also add aparentsfield to make layered services possible.This PR needs to be landed prior this one.
Description
#report_serviceand#report_vulnhave been updated to add the necessary logic for resources and layered services. An optionalresourcefield can now be provided and the existingservicefield has been updated to also accept an option hash. For example:Services can also include a
resource. Note that this field is not validated and any key/value pair is accepted, as long as it is a valid hash. It will be serialized and stored as a JSONB in the database.Services can also have parents to better describe the service layers. For example:
This can be set from a call to
#report_service:or calling
#report_vuln:Note that a service can have multiple parents (e.i.
Web Appcan haveHTTPandHTTPSparent services). An array of hashes can be passed as a value of theparentskey:This PR updates the way a vulnerability is reported report when a session is established and adds the service used by the exploit that got a session.
It updates
CheckCodeand thecheckcommand to report a vulnerability when aVulnerablecheckcode is returned. It is now possible to pass avulnargument with the vulnerability details that will be passed to#report_vuln:Finally, it updates the
vulnsandservicescommands to display theresourceand parent services.Verification
./msfdb reinitto update the schemamsfconsolecheckand make sure it returns aVulnerableCheckCodevulnscommandservicescommand (alsoservices -vreport_vulnfollowing the new schema (see above)vulnscommandservicescommandScenarios