RPC vulns and services reports resources and parents (service only) #21305

Open
sjanusz-r7 wants to merge 2 commits into rapid7:master from sjanusz-r7:db-vulns-and-services-rpc-new-report-approach

@sjanusz-r7 sjanusz-r7 commented Apr 15, 2026

Closes #21250

This PR adds the reporting of resource for both the db.vulns and db.services RPC calls. It also adds the parents field to the services only.

Tested in Pro, no changes/impact.

Before

db.vulns

no resources

>> rpc.call("db.vulns", {})
=> 
{"vulns"=>
  [{"port"=>389, "proto"=>"tcp", "time"=>1776246155, "host"=>"192.168.112.3", "name"=>"LDAP Login Scanner", "refs"=>""},
   {"port"=>445, "proto"=>"tcp", "time"=>1776246892, "host"=>"10.140.108.118", "name"=>"ESC15", "refs"=>"URL-https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc"},
   {"port"=>389, "proto"=>"tcp", "time"=>1776246437, "host"=>"10.140.108.118", "name"=>"LDAP Login Scanner", "refs"=>""},
   {"port"=>445, "proto"=>"tcp", "time"=>1776246891, "host"=>"10.140.108.118", "name"=>"ESC16_2", "refs"=>""},

db.services

No resources and no parents

>> rpc.call("db.services", {})
=> 
{"services"=>
  [{"host"=>"192.168.112.3", "created_at"=>1776246154, "updated_at"=>1776246154, "port"=>389, "proto"=>"tcp", "state"=>"open", "name"=>"ldap", "info"=>""},
   {"host"=>"10.140.108.118", "created_at"=>1776246437, "updated_at"=>1776246437, "port"=>389, "proto"=>"tcp", "state"=>"open", "name"=>"ldap", "info"=>""},
   {"host"=>"10.140.108.118", "created_at"=>1776246677, "updated_at"=>1776246677, "port"=>445, "proto"=>"tcp", "state"=>"open", "name"=>"icertpassage", "info"=>""},

After

db.vulns

>> rpc.call("db.vulns", {})
=> 
{"vulns"=>
  [{"port"=>389, "proto"=>"tcp", "time"=>1776246155, "host"=>"192.168.112.3", "name"=>"LDAP Login Scanner", "refs"=>"", "resource"=>{}},
   {"port"=>445,
    "proto"=>"tcp",
    "time"=>1776246892,
    "host"=>"10.140.108.118",
    "name"=>"ESC15",
    "refs"=>"URL-https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc",
    "resource"=>{"ldap_dn"=>"CN=ESC15,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=pro,DC=local", "template_name"=>"ESC15"}},
   {"port"=>389, "proto"=>"tcp", "time"=>1776246437, "host"=>"10.140.108.118", "name"=>"LDAP Login Scanner", "refs"=>"", "resource"=>{}},
   {"port"=>445,
    "proto"=>"tcp",
    "time"=>1776246891,
    "host"=>"10.140.108.118",
    "name"=>"ESC16_2",
    "refs"=>"",
    "resource"=>{"ldap_dn"=>"CN=Administrator,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=pro,DC=local", "template_name"=>"Administrator"}},
    ...
  ]
}

db.services

>> rpc.call("db.services", {})
=> 
{"services"=>
   {"host"=>"10.140.108.118",
    "created_at"=>1776246677,
    "updated_at"=>1776246677,
    "port"=>445,
    "proto"=>"tcp",
    "state"=>"open",
    "name"=>"icertpassage",
    "info"=>"",
    "resource"=>{"dcerpc"=>{"pipe"=>"cert"}},
    "parents"=>
     [{"host"=>"10.140.108.118",
       "created_at"=>1776246676,
       "updated_at"=>1776246677,
       "port"=>445,
       "proto"=>"tcp",
       "state"=>"open",
       "name"=>"dcerpc",
       "info"=>"",
       "resource"=>{"smb"=>{"share"=>"IPC$"}},
       "parents"=>[{"host"=>"10.140.108.118", "created_at"=>1776246676, "updated_at"=>1776246676, "port"=>445, "proto"=>"tcp", "state"=>"open", "name"=>"smb", "info"=>"", "resource"=>{}, "parents"=>[]}]}]},

JSON RPC

This also works for JSON RPC:
=> Vulns

      {
        "port": 445,
        "proto": "tcp",
        "time": 1776246892,
        "host": "x",
        "name": "ESC15",
        "refs": "URL-https://trustedsec.com/blog/ekuwu-not-just-another-ad-cs-esc",
        "resource": {
          "ldap_dn": "CN=ESC15,CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,DC=ad,DC=pro,DC=local",
          "template_name": "ESC15"
        }
      },

=> services

      {
        "host": "x",
        "created_at": 1776246677,
        "updated_at": 1776246677,
        "port": 445,
        "proto": "tcp",
        "state": "open",
        "name": "icertpassage",
        "info": "",
        "resource": {
          "dcerpc": {
            "pipe": "cert"
          }
        },
        "parents": [
          {
            "host": "x",
            "created_at": 1776246676,
            "updated_at": 1776246677,
            "port": 445,
            "proto": "tcp",
            "state": "open",
            "name": "dcerpc",
            "info": "",
            "resource": {
              "smb": {
                "share": "IPC$"
              }
            },
            "parents": [
              {
                "host": "x",
                "created_at": 1776246676,
                "updated_at": 1776246676,
                "port": 445,
                "proto": "tcp",
                "state": "open",
                "name": "smb",
                "info": "",
                "resource": {},
                "parents": []
              }
            ]
          }
        ]
      },

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Use the ldap_login, smb_login, ldap_esc_vulnerable_cert_finder modules against the persistent Pro ADCS VM
  • Start RPC server using load msgrpc
  • Connect to RPC server
  • Call rpc.call("db.services", {})
  • Call rpc.call("db.vulns", {})
  • Confirm the resources field is present for vulns
  • Confirm the resources and parents fields are present for services
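
A consumer-side shape check for the verification steps above, as an added example that is not part of the PR or of Metasploit: it validates responses already fetched over RPC against the fields shown in the After output and flattens each service's recursive parents into a root-first chain. The sample hashes are constructed from that output; `MAX_DEPTH` and all function names are hypothetical.

```ruby
# Added example, not code from the PR. Sample data is constructed from the
# "After" output in the PR description; every name below is hypothetical.
SAMPLE_SERVICES = { 'services' => [
  { 'host' => '10.140.108.118', 'port' => 445, 'proto' => 'tcp', 'name' => 'icertpassage',
    'resource' => { 'dcerpc' => { 'pipe' => 'cert' } },
    'parents' => [
      { 'host' => '10.140.108.118', 'port' => 445, 'proto' => 'tcp', 'name' => 'dcerpc',
        'resource' => { 'smb' => { 'share' => 'IPC$' } },
        'parents' => [{ 'host' => '10.140.108.118', 'port' => 445, 'proto' => 'tcp',
                        'name' => 'smb', 'resource' => {}, 'parents' => [] }] }
    ] }
] }.freeze
SAMPLE_VULNS = { 'vulns' => [
  { 'host' => '192.168.112.3', 'port' => 389, 'name' => 'LDAP Login Scanner', 'resource' => {} },
  { 'host' => '10.140.108.118', 'port' => 445, 'name' => 'ESC15',
    'resource' => { 'template_name' => 'ESC15' } }
] }.freeze

MAX_DEPTH = 16 # assumed cap so a malformed or cyclic reply cannot recurse forever

# Returns a list of problems for one service entry and, recursively, its parents.
def service_errors(svc, path, depth = 0)
  return ["#{path}: not a Hash"] unless svc.is_a?(Hash)
  return ["#{path}: parents nested deeper than #{MAX_DEPTH}"] if depth > MAX_DEPTH

  errs = []
  errs << "#{path}: resource is not a Hash" unless svc['resource'].is_a?(Hash)
  parents = svc['parents']
  return errs << "#{path}: parents is not an Array" unless parents.is_a?(Array)

  parents.each_with_index { |p, i| errs.concat(service_errors(p, "#{path}.parents[#{i}]", depth + 1)) }
  errs
end

# Vulns carry a resource Hash only; the PR adds parents to services, not vulns.
def vuln_errors(vuln, path)
  vuln.is_a?(Hash) && vuln['resource'].is_a?(Hash) ? [] : ["#{path}: resource is not a Hash"]
end

# Validates both decoded responses and returns every problem found.
def response_errors(services_resp, vulns_resp)
  errs = []
  Array(services_resp['services']).each_with_index { |s, i| errs.concat(service_errors(s, "services[#{i}]")) }
  Array(vulns_resp['vulns']).each_with_index { |v, i| errs.concat(vuln_errors(v, "vulns[#{i}]")) }
  errs
end

# Flattens a validated service into root-first name chains, one per ancestry path.
def service_chains(svc)
  parents = svc['parents'] || []
  return [[svc['name']]] if parents.empty?

  parents.flat_map { |p| service_chains(p).map { |chain| chain + [svc['name']] } }
end
```

Run `response_errors` first and call `service_chains` only on entries that passed, since the flattening assumes the shape has already been checked.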

Copilot AI left a comment

Pull request overview

Adds richer reporting metadata to the RPC database endpoints to align with updated service/vulnerability reporting, specifically exposing resource data and service parent relationships to RPC consumers.

Changes:

  • db.services: refactors service serialization into a helper and adds resource + recursive parents.
  • db.vulns: adds resource to each returned vulnerability.

Comment thread lib/msf/core/rpc/v10/rpc_db.rb Outdated
Comment thread lib/msf/core/rpc/v10/rpc_db.rb
@sjanusz-r7 sjanusz-r7 force-pushed the db-vulns-and-services-rpc-new-report-approach branch from 73697ef to c07df96 Compare April 28, 2026 16:33
Development

Successfully merging this pull request may close these issues.

Update the db.vulns and db.services RPC endpoints to align with the new way to report vulnerabilities and services