Fix OptPath options with empty strings #16029

Merged (1 commit merged into rapid7:master on Jan 19, 2022)

Conversation

cdelafuente-r7 (Contributor)

This fixes an issue when any OptPath option is set to an empty string. Before this fix, #normalize was calling File.expand_path(""), which returns the current working directory. I assume it is not what we expect when setting this kind of option to an empty string.

For example, it breaks the scanner/postgres/postgres_login module:

msf6 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_login) > set PASS_FILE ""
PASS_FILE =>
msf6 auxiliary(scanner/postgres/postgres_login) > set USER_FILE ""
USER_FILE =>
msf6 auxiliary(scanner/postgres/postgres_login) > set USERPASS_FILE "/home/msfuser/dev/src/metasploit-framework/postgres_custom_userpass.txt"
USERPASS_FILE => /home/msfuser/dev/src/metasploit-framework/postgres_custom_userpass.txt
msf6 auxiliary(scanner/postgres/postgres_login) > options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting                                                               Required  Description
   ----              ---------------                                                               --------  -----------
   BLANK_PASSWORDS   false                                                                         no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                             yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1                                                                     yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                         no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                         no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                         no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                                                                          no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   PASSWORD                                                                                        no        A specific password to authenticate with
   PASS_FILE                                                                                       no        File containing passwords, one per line
   Proxies                                                                                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true                                                                          no        Set to true to see query result sets
   RHOSTS            127.0.0.1                                                                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             5432                                                                          yes       The target port
   STOP_ON_SUCCESS   false                                                                         yes       Stop guessing when a credential works for a host
   THREADS           1                                                                             yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                        no        A specific username to authenticate as
   USERPASS_FILE     /home/msfuser/dev/src/metasploit-framework/postgres_custom_userpass.txt  no        File containing (space-separated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                         no        Try the username as the password for all users
   USER_FILE                                                                                       no        File containing users, one per line
   VERBOSE           true                                                                          yes       Whether to print output for all attempts

msf6 auxiliary(scanner/postgres/postgres_login) > run

[*] Error: 127.0.0.1: Errno::EISDIR Is a directory @ io_fillbuf - fd:16 /home/msfuser/dev/src/metasploit-framework
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

After this fix:

msf6 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_login) > set PASS_FILE ""
PASS_FILE =>
msf6 auxiliary(scanner/postgres/postgres_login) > set USER_FILE ""
USER_FILE =>
msf6 auxiliary(scanner/postgres/postgres_login) > set USERPASS_FILE "/home/msfuser/dev/src/metasploit-framework/postgres_custom_userpass.txt"
USERPASS_FILE => /home/msfuser/dev/src/metasploit-framework/postgres_custom_userpass.txt
msf6 auxiliary(scanner/postgres/postgres_login) > options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting                                                               Required  Description
   ----              ---------------                                                               --------  -----------
   BLANK_PASSWORDS   false                                                                         no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                             yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1                                                                     yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                         no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                         no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                         no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                                                                          no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   PASSWORD                                                                                        no        A specific password to authenticate with
   PASS_FILE                                                                                       no        File containing passwords, one per line
   Proxies                                                                                         no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true                                                                          no        Set to true to see query result sets
   RHOSTS            127.0.0.1                                                                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             5432                                                                          yes       The target port
   STOP_ON_SUCCESS   false                                                                         yes       Stop guessing when a credential works for a host
   THREADS           1                                                                             yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                        no        A specific username to authenticate as
   USERPASS_FILE     /home/msfuser/dev/src/metasploit-framework/postgres_custom_userpass.txt  no        File containing (space-separated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                         no        Try the username as the password for all users
   USER_FILE                                                                                       no        File containing users, one per line
   VERBOSE           true                                                                          yes       Whether to print output for all attempts

msf6 auxiliary(scanner/postgres/postgres_login) > run

[-] 127.0.0.1:5432 - LOGIN FAILED: myuser1:pass1@template1 (Incorrect: unknown auth type '10' with buffer content:
52 00 00 00 17 00 00 00 0a 53 43 52 41 4d 2d 53    |R........SCRAM-S|
48 41 2d 32 35 36 00 00                            |HA-256..|

)
[-] 127.0.0.1:5432 - LOGIN FAILED: myuser2:pass2@template1 (Incorrect: unknown auth type '10' with buffer content:
52 00 00 00 17 00 00 00 0a 53 43 52 41 4d 2d 53    |R........SCRAM-S|
48 41 2d 32 35 36 00 00                            |HA-256..|

)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/postgres/postgres_login) > cat /home/msfuser/dev/src/metasploit-framework/postgres_custom_userpass.txt
[*] exec: cat /home/msfuser/dev/src/metasploit-framework/postgres_custom_userpass.txt

myuser1 pass1
myuser2 pass2

Note that unsetting options leads to confusing output from the show options/options commands. The default value is displayed, but the actual option value is still nil. This is something we are aware of and will be fixed later.

msf6 auxiliary(scanner/postgres/postgres_login) > unset PASS_FILE
Unsetting PASS_FILE...
msf6 auxiliary(scanner/postgres/postgres_login) > unset USER_FILE
Unsetting USER_FILE...
msf6 auxiliary(scanner/postgres/postgres_login) > options

Module options (auxiliary/scanner/postgres/postgres_login):

   Name              Current Setting                                                                           Required  Description
   ----              ---------------                                                                           --------  -----------
   BLANK_PASSWORDS   false                                                                                     no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                                                                                         yes       How fast to bruteforce, from 0 to 5
   DATABASE          template1                                                                                 yes       The database to authenticate against
   DB_ALL_CREDS      false                                                                                     no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false                                                                                     no        Add all passwords in the current database to the list
   DB_ALL_USERS      false                                                                                     no        Add all users in the current database to the list
   DB_SKIP_EXISTING  none                                                                                      no        Skip existing credentials stored in the current database (Accepted: none, user, user&realm)
   PASSWORD                                                                                                    no        A specific password to authenticate with
   PASS_FILE         /Users/cdelafuente/dev/src/metasploit-framework/data/wordlists/postgres_default_pass.txt  no        File containing passwords, one per line
   Proxies                                                                                                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RETURN_ROWSET     true                                                                                      no        Set to true to see query result sets
   RHOSTS            127.0.0.1                                                                                 yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT             5432                                                                                      yes       The target port
   STOP_ON_SUCCESS   false                                                                                     yes       Stop guessing when a credential works for a host
   THREADS           1                                                                                         yes       The number of concurrent threads (max one per host)
   USERNAME                                                                                                    no        A specific username to authenticate as
   USERPASS_FILE     /Users/cdelafuente/dev/src/metasploit-framework/postgres_custom_userpass.txt              no        File containing (space-separated) users and passwords, one pair per line
   USER_AS_PASS      false                                                                                     no        Try the username as the password for all users
   USER_FILE         /Users/cdelafuente/dev/src/metasploit-framework/data/wordlists/postgres_default_user.txt  no        File containing users, one per line
   VERBOSE           true                                                                                      yes       Whether to print output for all attempts

msf6 auxiliary(scanner/postgres/postgres_login) > run

[-] 127.0.0.1:5432 - LOGIN FAILED: myuser1:pass1@template1 (Incorrect: unknown auth type '10' with buffer content:
52 00 00 00 17 00 00 00 0a 53 43 52 41 4d 2d 53    |R........SCRAM-S|
48 41 2d 32 35 36 00 00                            |HA-256..|

)
[-] 127.0.0.1:5432 - LOGIN FAILED: myuser2:pass2@template1 (Incorrect: unknown auth type '10' with buffer content:
52 00 00 00 17 00 00 00 0a 53 43 52 41 4d 2d 53    |R........SCRAM-S|
48 41 2d 32 35 36 00 00                            |HA-256..|

)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

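As an added illustration (not code from metasploit-framework or from this PR), the Ruby below approximates the normalize behaviour described above, before and after the fix, and reproduces the Errno::EISDIR failure by handing the expanded path to a wordlist reader. The names normalize_before, normalize_after, load_wordlist and demo are assumptions for this example; the real OptPath#normalize and the postgres_login module are not reproduced.

```ruby
# Added example (not metasploit-framework's code): an approximation of the
# OptPath#normalize behaviour described in the PR, before and after the fix.
require 'tempfile'

# Before the fix: File.expand_path("") silently expands to Dir.pwd.
def normalize_before(value)
  return nil if value.nil?
  File.expand_path(value)
end

# After the fix: reject nil and empty strings before expanding.
def normalize_after(value)
  return nil if value.nil? || value.to_s.empty?
  File.expand_path(value)
end

# A minimal wordlist consumer, similar to what a login scanner does with
# USER_FILE / PASS_FILE: nil means "no list", otherwise one entry per line.
# (Hypothetical helper, not the module's own loader.)
def load_wordlist(path)
  return [] if path.nil?
  File.readlines(path, chomp: true).reject(&:empty?)
end

# Demonstration: an empty option value under both behaviours.
def demo
  before = normalize_before('')
  after  = normalize_after('')
  result = {
    before: before,                       # the current working directory
    after: after,                         # nil
    before_is_cwd: before == Dir.pwd,
    before_is_dir: File.directory?(before),
  }
  # Feeding the directory to the wordlist reader reproduces the EISDIR error
  # shown in the PR description: open(2) on a directory succeeds, read(2) fails.
  begin
    load_wordlist(before)
    result[:error] = nil
  rescue Errno::EISDIR => e
    result[:error] = e.class.name
  end
  result[:after_list] = load_wordlist(after) # [] and no file is touched
  result
end

# A real file still normalises and loads correctly under the fixed version.
# The two lines written here are constructed sample input.
def demo_real_file
  Tempfile.create('userpass') do |f|
    f.puts 'myuser1 pass1'
    f.puts 'myuser2 pass2'
    f.flush
    load_wordlist(normalize_after(f.path)).map { |l| l.split(' ', 2) }
  end
end
```

Running demo shows why the fix matters: the pre-fix value is an existing directory, so any consumer that treats a non-nil OptPath as "a file was supplied" reads the working directory and fails with EISDIR, while the post-fix nil lets the module fall back to its no-list behaviour.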
@cdelafuente-r7 cdelafuente-r7 added bug usability Usability improvements labels Jan 11, 2022
@gwillcox-r7 gwillcox-r7 self-assigned this Jan 19, 2022
gwillcox-r7 (Contributor)

Before patch:

       =[ metasploit v6.1.26-dev-4067ced73d               ]
+ -- --=[ 2194 exploits - 1162 auxiliary - 400 post       ]
+ -- --=[ 600 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

[*] Starting persistent handler(s)...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/scanner/postgres/postgres_login 
msf6 auxiliary(scanner/postgres/postgres_login) > set PASS_FILE ""
PASS_FILE => 
msf6 auxiliary(scanner/postgres/postgres_login) > set USER_FILE ""
USER_FILE => 
msf6 auxiliary(scanner/postgres/postgres_login) > set USERPASS_FILE /var/www/challenge.php
USERPASS_FILE => /var/www/challenge.php
msf6 auxiliary(scanner/postgres/postgres_login) > run

[-] Msf::OptionValidateError The following options failed to validate: RHOSTS
msf6 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_login) > run

[*] Error: 127.0.0.1: Errno::EISDIR Is a directory @ io_fillbuf - fd:10 /home/gwillcox/git/metasploit-framework
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/postgres/postgres_login) > 

gwillcox-r7 (Contributor)

After patch:

~/git/metasploit-framework │ land-pr16029:pr/16029 *1 ?6  ./msfconsole  
       =[ metasploit v6.1.23-dev-59de13be43               ]
+ -- --=[ 2190 exploits - 1161 auxiliary - 400 post       ]
+ -- --=[ 600 payloads - 45 encoders - 10 nops            ]
+ -- --=[ 9 evasion                                       ]

[*] Starting persistent handler(s)...
msf6 payload(windows/x64/meterpreter/reverse_tcp) > use auxiliary/scanner/postgres/postgres_login
msf6 auxiliary(scanner/postgres/postgres_login) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 auxiliary(scanner/postgres/postgres_login) > set PASS_FILE ""
PASS_FILE => 
msf6 auxiliary(scanner/postgres/postgres_login) > set USER_FILE ""
USER_FILE => 
msf6 auxiliary(scanner/postgres/postgres_login) > set USERPASS_FILE /var/www/challenge.php
USERPASS_FILE => /var/www/challenge.php
msf6 auxiliary(scanner/postgres/postgres_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 127.0.0.1:5432 - LOGIN FAILED: <?php:@template1 (Incorrect: unknown auth type '10' with buffer content:
52 00 00 00 17 00 00 00 0a 53 43 52 41 4d 2d 53    |R........SCRAM-S|
48 41 2d 32 35 36 00 00                            |HA-256..|

)
[-] 127.0.0.1:5432 - LOGIN FAILED: class:user {@template1 (Incorrect: unknown auth type '10' with buffer content:
52 00 00 00 17 00 00 00 0a 53 43 52 41 4d 2d 53    |R........SCRAM-S|
48 41 2d 32 35 36 00 00                            |HA-256..|

)
[-] 127.0.0.1:5432 - LOGIN FAILED: public:string $username;@template1 (Incorrect: unknown auth type '10' with buffer content:
52 00 00 00 17 00 00 00 0a 53 43 52 41 4d 2d 53    |R........SCRAM-S|
48 41 2d 32 35 36 00 00                            |HA-256..|
*cut for brevity*

gwillcox-r7 (Contributor)

Will go ahead and land this now, looks to be working as expected.

@gwillcox-r7 gwillcox-r7 merged commit a7bb8d0 into rapid7:master Jan 19, 2022
@gwillcox-r7 gwillcox-r7 added the rn-fix release notes fix label Jan 19, 2022
gwillcox-r7 (Contributor)

Release Notes

A bug existed in the normalize function of lib/msf/core/opt_path.rb whereby the path parameter passed in wasn't checked to see if it was empty prior to calling File.expand_path on it. In these cases the path returned would be that of the current directory, which could lead to unexpected results. This has been fixed with improved validation to ensure that the path parameter is not an empty string prior to expanding the path.

Labels: bug, easy, library, rn-fix (release notes fix), usability (Usability improvements)