feat: add --test flag to the ronin-exploits CLI

[flavorjones]

Currently, to test whether a target is vulnerable, users need to run something like:

ronin-exploits --file=path/to/exploit.rb --dry-run --irb

and then run "test" from the REPL.

This feature would allow users to instead run:

ronin-exploits --file=path/to/exploit.rb --test

Printed output looks like one of these lines, depending on the return type:

[+] Vulnerable: <test result message>
[-] NotVulnerable: <test result message>
[~] Unknown: <test result message>
[!] Unexpected: <other result type>

What drove me to submit this feature is my thought that a flag like this would have sped up feedback loops while I was iterating on https://github.com/ronin-rb/community-pocs/blob/main/exploits/activemq/CVE-2023-46604.rb

[postmodern]

Good idea. The logic should be moved to the Run command as it's own method, since it's printing to stdout. Also, should update the ## Options documentation above the Run class and the man/ronin-exploits-run.1.md markdown man-page to mention the new option.

Also, since this is a new feature, it should be based off of the 1.1.0 version branch.

This did give me another idea about calling perform_test before perform_build and raising an exception if NotVulnerable was returned, to prevent sending an exploit to a non-vulnerable target.

[flavorjones]

@postmodern I've rebased onto 1.1.0 and made most of the requested changes.

I haven't tackled the "precheck" functionality you suggested mostly because I wanted to get agreement on what the feature should look like. What would you think of this:

• by default, invoke run_test as you suggest, raising ExploitFailed if it returns NotVulnerable
• allow a --no-precheck flag to skip the test
• allow a --test flag to ONLY run the test

WDYT?

[postmodern]

The -D short flag disappeared, and should call exploit.perform_test. Other than that, looks good.

[postmodern]

Do we need to return the result here?

[flavorjones]

I figured it was better to return it in case the caller wanted to act on the result, rather than return the case statement's value.

[postmodern]

@postmodern I've rebased onto 1.1.0 and made most of the requested changes.

I haven't tackled the "precheck" functionality you suggested mostly because I wanted to get agreement on what the feature should look like. What would you think of this:

• by default, invoke run_test as you suggest, raising ExploitFailed if it returns NotVulnerable
• allow a --no-precheck flag to skip the test
• allow a --test flag to ONLY run the test

WDYT?

I'll think about this some more than open another issue. We could explicitly call exploit.perform_test in run_exploit and print an error message if NotVulnerable is returned (seems reasonable, imo). Or we could add that check into Exploit#exploit and raise an ExploitFailed exception, which is then rescued/printed in Run#run_exploit; this goes back to the age old debate "is this really an exceptional state?".

[postmodern]

@flavorjones see issue #124. It doesn't necessary have to be implemented in 1.1.0, and could be postponed until after 1.1.0 is released; unless you need this functionality ASAP.

[flavorjones]

@postmodern I've addressed your comments except for the -D which I removed because it was being clobbered by the --debug short flag -D. Let me know if you want --dry-run to own that flag.

[postmodern]

@flavorjones oh good catch! I'll rename -D, --debug to -d, --debug in main.

[postmodern]

@flavorjones fixed in the main branch (0f84934) and rebased the 1.1.0 branch to include the fix. Will also be released in the upcoming 1.0.5 patch release.

[flavorjones]

@postmodern OK, I've rebased onto latest 1.1.0, un-removed the -D flag, and updated the code to call @exploit.perform_test.

[postmodern]

Oops, made a merge commit instead of a squash merge. Manually re-squash-merged the commits and made sure to preserve your authorship. 😬