
Enable word wrapped rex tables by default #14670

Conversation

adfoster-r7 (Contributor)

Enables word-wrapped Rex tables by default, apart from the following potentially workflow-breaking areas:

  • Search command - as it breaks the workflow of copying module names in conjunction with the use <paste-buffer> command
  • Creds command - as it breaks the workflow of copying credentials and pasting them into applications

In a future PR these other areas above will be enabled too, once it's confirmed that this PR doesn't break other use cases/tooling.

Before

image

After

image

Verification

  • Ensure that search + creds commands don't wordwrap
  • Ensure that other tables wrap, such as options/info/etc
  • Ensure features set wrapped_tables false disables functionality
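As an added illustration, not code from this PR or from Rex::Text::Table: a minimal Ruby renderer showing what the wrapped_tables feature toggles. With the flag on, cells are hard-wrapped at an assumed column width (character-level, so a long value such as a module name or a credential hash is split across lines, which is the copy-and-paste breakage that keeps search and creds unwrapped); with the flag off, each row stays on one line. Headers, widths and rows are constructed here.

```ruby
# Added example, not Rex::Text::Table; widths, headers and rows are constructed.
# Hard-wrap a cell into chunks of at most `width` characters. The split is
# character-level, so "format type:host:port" becomes "format" /
# "type:host:port[,type:hos", just as in the PR's sample show options output.
def wrap_cell(text, width)
  return [''] if text.empty?
  text.scan(/.{1,#{width}}/m)
end

# Left-align cells into columns separated by two spaces.
def format_row(cells, col_widths)
  cells.each_with_index.map { |c, i| c.ljust(col_widths[i]) }.join('  ').rstrip
end

# wrap: true caps each column at widths[i] and spills long cells onto continuation
# lines; wrap: false keeps every row on one line. Headers are assumed to fit.
def render_table(headers, rows, widths, wrap: true)
  all_rows = [headers] + rows
  col_widths = headers.each_index.map do |i|
    natural = all_rows.map { |r| r[i].to_s.length }.max
    wrap ? [widths[i], natural].min : natural
  end
  lines = [format_row(headers, col_widths),
           format_row(col_widths.map { |w| '-' * w }, col_widths)]
  rows.each do |row|
    cells = row.each_with_index.map do |c, i|
      wrap ? wrap_cell(c.to_s, col_widths[i]) : [c.to_s]
    end
    cells.map(&:length).max.times do |n|
      lines << format_row(cells.map { |chunks| chunks[n] || '' }, col_widths)
    end
  end
  lines.join("\n")
end

# Constructed sample rows modelled on the PR's show options output.
SAMPLE_HEADERS = %w[Name Setting Description].freeze
SAMPLE_ROWS = [
  ['Proxies', '', 'A proxy chain of format type:host:port[,type:host:port][...]'],
  ['RPORT', '80', 'The target port (TCP)']
].freeze
SAMPLE_WIDTHS = [10, 16, 24].freeze

def wrapped_example
  render_table(SAMPLE_HEADERS, SAMPLE_ROWS, SAMPLE_WIDTHS, wrap: true)
end

def unwrapped_example
  render_table(SAMPLE_HEADERS, SAMPLE_ROWS, SAMPLE_WIDTHS, wrap: false)
end
```

With wrapping on, the Proxies description spans three lines and no single line carries the whole `type:host:port[,type:host:port][...]` value; with it off, the row is 78 characters wide but copies intact.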

@adfoster-r7 adfoster-r7 force-pushed the enable-word-wrapped-rex-tables-by-default branch 5 times, most recently from 773b3df to 93cbb92 Compare January 28, 2021 16:55
@gwillcox-r7 gwillcox-r7 left a comment


All looks good, minus the one part on the open3 import, which should really be a separate PR and which now seems to be tracked at #14674. If you want to remove this edit from this PR so we can track it appropriately in #14674, then that should be the only change needed.

Will proceed with testing this now.

@gwillcox-r7 gwillcox-r7 self-assigned this Jan 28, 2021
@adfoster-r7 adfoster-r7 marked this pull request as draft January 28, 2021 19:31
@adfoster-r7 (Contributor Author)

Converting this to a draft; now that I think about it, I'd prefer to skip today's release and ensure it doesn't have any issues with Pro.

@gwillcox-r7 (Contributor) commented Jan 28, 2021

Confirmed that the creds command doesn't wrap:

Creds Output Wraps
msf6 > creds
Credentials
===========

host           origin         service        public  private                                                            realm            private_type  JtR Format
----           ------         -------        ------  -------                                                            -----            ------------  ----------
172.23.130.48  172.23.130.48  445/tcp (smb)  test    aad3b435b51404eeaad3b435b51404ee:0cb6948805f797bf2a82807973b89537  DESKTOP-A8KJL0F  NTLM hash     nt,lm
172.23.130.48  172.23.130.48  445/tcp (smb)  normal  aad3b435b51404eeaad3b435b51404ee:a38673ad58b19421e952fc317b62c3c4  DESKTOP-A8KJL0F  NTLM hash     nt,lm

Also, search doesn't wrap:

   94   exploit/windows/local/cve_2020_0787_bits_arbitrary_file_move                       2020-03-10       excellent  Yes    Background Intelligent Transfer Service Arbitrary File Move Privilege Elevation Vulnerability
   95   exploit/windows/local/cve_2020_0796_smbghost                                       2020-03-13       good       Yes    SMBv3 Compression Buffer Overflow
   96   exploit/windows/local/cve_2020_1048_printerdemon                                   2019-11-04       excellent  Yes    Microsoft Spooler Local Privilege Elevation Vulnerability
   97   exploit/windows/local/cve_2020_1054_drawiconex_lpe                                 2020-02-20       normal     Yes    Microsoft Windows DrawIconEx OOB Write Local Privilege Elevation
   98   exploit/windows/local/cve_2020_1313_system_orchestrator                            2019-11-04       excellent  Yes    Windows Update Orchestrator unchecked ScheduleWork call
   99   exploit/windows/local/cve_2020_1337_printerdemon                                   2019-11-04       excellent  Yes    Microsoft Spooler Local Privilege Elevation Vulnerability
   100  exploit/windows/local/cve_2020_17136                                               2020-03-10       normal     Yes    CVE-2020-1170 Cloud Filter Arbitrary File Creation EOP
   101  exploit/windows/local/druva_insync_insynccphwnet64_rcp_type_5_priv_esc             2020-02-25       excellent  Yes    Druva inSync inSyncCPHwnet64.exe RPC Type 5 Privilege Escalation
   102  exploit/windows/local/gog_galaxyclientservice_privesc                              2020-04-28       excellent  Yes    GOG GalaxyClientService Privilege Escalation
   103  exploit/windows/misc/veeam_one_agent_deserialization                               2020-04-15       normal     Yes    Veeam ONE Agent .NET Deserialization
   104  exploit/windows/nimsoft/nimcontroller_bof                                          2020-02-05       excellent  Yes    CA Unified Infrastructure Management Nimsoft 7.80 - Remote Buffer Overflow
   105  exploit/windows/scada/rockwell_factorytalk_rce                                     2020-06-22       excellent  Yes    Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution
   106  post/osx/escalate/tccbypass                                                                         normal     Yes    Bypass the macOS TCC Framework
   107  post/windows/gather/credentials/pulse_secure                                                        normal     Yes    Windows Pulse Secure Connect Client Saved Password Extractor


Interact with a module by name or index. For example info 107, use 107 or use post/windows/gather/credentials/pulse_secure

msf6 >

However, other parts like info appear to only be wrapping on the options, not on the description text, likely because they aren't considered tables:

Tables In Info Output Wrap, But Not Rest of The Text
msf6 exploit(windows/scada/rockwell_factorytalk_rce) > info

       Name: Rockwell FactoryTalk View SE SCADA Unauthenticated Remote Code Execution
     Module: exploit/windows/scada/rockwell_factorytalk_rce
   Platform: Windows
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent
  Disclosed: 2020-06-22

Provided by:
  Pedro Ribeiro <pedrib@gmail.com>
  Radek Domanski <radek.domanski@gmail.com>

Available targets:
  Id  Name
  --  ----
  0   Rockwell Automation FactoryTalk SE

Check supported:
  Yes

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  Proxies                     no        A proxy chain of format t
                                        ype:host:port[,type:host:
                                        port][...]
  RHOSTS                      yes       The target host(s), range
                                         CIDR identifier, or host
                                        s file with syntax 'file:
                                        <path>'
  RPORT      80               yes       The target port (TCP)
  SRVHOST                     yes       IP address of the host se
                                        rving the exploit
  SRVPORT    8080             yes       Port of the host serving
                                        the exploit on
  SSL        false            no        Negotiate SSL/TLS for out
                                        going connections
  SSLCert                     no        Path to a custom SSL cert
                                        ificate (default is rando
                                        mly generated)
  TARGETURI  /rsviewse/       yes       The base path to Rockwell
                                         FactoryTalk
  URIPATH                     no        The URI to use for this e
                                        xploit (default is random
                                        )
  VHOST                       no        HTTP server virtual host

Payload information:

Description:
  This module exploits a series of vulnerabilities to achieve 
  unauthenticated remote code execution on the Rockwell FactoryTalk 
  View SE SCADA product as the IIS user. The attack relies on the 
  chaining of five separate vulnerabilities. The first vulnerability 
  is an unauthenticated project copy request, the second is a 
  directory traversal, and the third is a race condition. In order to 
  achieve full remote code execution on all targets, two information 
  leak vulnerabilities are also abused. This exploit was used by the 
  Flashback team (Pedro Ribeiro + Radek Domanski) in Pwn2Own Miami 
  2020 to win the EWS category.

References:
  https://www.thezdi.com/blog/2020/7/22/chaining-5-bugs-for-code-execution-on-the-rockwell-factorytalk-hmi-at-pwn2own-miami
  https://github.com/pedrib/PoC/blob/master/advisories/Pwn2Own/Miami_2020/replicant/replicant.md
  https://github.com/rdomanski/Exploits_and_Advisories/tree/master/advisories/Pwn2Own/Miami2020/replicant.md
  https://cvedetails.com/cve/CVE-2020-12027/
  https://cvedetails.com/cve/CVE-2020-12028/
  https://cvedetails.com/cve/CVE-2020-12029/
  http://www.zerodayinitiative.com/advisories/ZDI-20-727
  http://www.zerodayinitiative.com/advisories/ZDI-20-728
  http://www.zerodayinitiative.com/advisories/ZDI-20-729
  http://www.zerodayinitiative.com/advisories/ZDI-20-730

msf6 exploit(windows/scada/rockwell_factorytalk_rce) > 

That being said, as far as the tables go within these outputs, they are wrapping as intended, as can be seen with options:

Options Wrapping Output
msf6 exploit(windows/scada/rockwell_factorytalk_rce) > show options 
Module options (exploit/windows/scada/rockwell_factorytalk_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format
                                         type:host:port[,type:hos
                                         t:port][...]
   RHOSTS                      yes       The target host(s), rang
                                         e CIDR identifier, or ho
                                         sts file with syntax 'fi
                                         le:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST                     yes       IP address of the host s
                                         erving the exploit
   SRVPORT    8080             yes       Port of the host serving
                                          the exploit on
   SSL        false            no        Negotiate SSL/TLS for ou
                                         tgoing connections
   SSLCert                     no        Path to a custom SSL cer
                                         tificate (default is ran
                                         domly generated)
   TARGETURI  /rsviewse/       yes       The base path to Rockwel
                                         l FactoryTalk
   URIPATH                     no        The URI to use for this
                                         exploit (default is rand
                                         om)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted:
                                         '', seh, thread, process
                                        , none)
   LHOST     172.18.16.105    yes       The listen address (an in
                                        terface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Rockwell Automation FactoryTalk SE


msf6 exploit(windows/scada/rockwell_factorytalk_rce) > 

So it looks like this PR is working insofar as what it claims to do 👍, but we should be aware there is likely more work to be done here to get other sections of text to wrap properly and to give a consistent user experience.

@gwillcox-r7 (Contributor)

Oh whoops, one more confirmation, but I did confirm that setting this option to false does indeed revert the wrapping behavior as intended:

Setting wrapped_tables to false works successfully
msf6 exploit(windows/scada/rockwell_factorytalk_rce) > features set wrapped_tables false 
wrapped_tables => false
[*] Reloading module...
msf6 exploit(windows/scada/rockwell_factorytalk_rce) > show options

Module options (exploit/windows/scada/rockwell_factorytalk_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SRVHOST                     yes       IP address of the host serving the exploit
   SRVPORT    8080             yes       Port of the host serving the exploit on
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /rsviewse/       yes       The base path to Rockwell FactoryTalk
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.18.16.105    yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Rockwell Automation FactoryTalk SE


msf6 exploit(windows/scada/rockwell_factorytalk_rce) >

@adfoster-r7 (Contributor Author) commented Feb 2, 2021

Tested this with Pro on a local development environment on OS X, and it shows that the wrapped tables functionality depends on the engine's terminal width server-side, rather than the browser's console width.

This can be shown in the below screenshot. First the option command was run in the browser. Then Pro's engine terminal window was resized on the host machine (not the browser), and the option command was run again:

image

Note: I am not replicating the exact production environment locally; I will have to retest this and confirm its behavior, or make code changes to support this correctly.

Update:

Production environments work as expected, most likely due to the work of rapid7/rex-text#38.

image

@adfoster-r7 adfoster-r7 force-pushed the enable-word-wrapped-rex-tables-by-default branch from 93cbb92 to c000041 Compare February 2, 2021 17:14
@adfoster-r7 adfoster-r7 marked this pull request as ready for review February 19, 2021 13:22
@adfoster-r7 adfoster-r7 force-pushed the enable-word-wrapped-rex-tables-by-default branch from c000041 to f3ce908 Compare February 19, 2021 13:25
@gwillcox-r7 (Contributor)

Testing after rebase shows the results are the same, with no issues with functionality being affected. Will go ahead and land this now.

@gwillcox-r7 gwillcox-r7 merged commit 66c4388 into rapid7:master Feb 19, 2021
@gwillcox-r7 (Contributor) commented Feb 19, 2021

Release Notes

Updated Rex tables to have word wrapping enabled by default for all Rex tables (except for those output by the creds and search commands). This feature can optionally be turned off by issuing the features set wrapped_tables false command.
