rapid7 / metasploit-omnibus

Packaging metasploit-framework with omnibus

Metasploit wrappers don't support spaces inside CWD #137

Open jeffmcjunkin opened 3 years ago

jeffmcjunkin commented 3 years ago

Inside Ubuntu 20.04 on WSL2 on a Windows 10 x64 20H2 host, after installing the latest Metasploit as of today via the omnibus installer:

jeff@DESKTOP-12PMAF5:/mnt/c/Users/Jeff McJunkin$ msfvenom -h
/usr/bin/msfvenom: 14: cd: can't cd to /mnt/c/Users/Jeff

 ** Welcome to Metasploit Framework Initial Setup **
    Please answer a few questions to get started.

Examining the source of msfvenom shows it gathers the current working directory (CWD), then changes to it later without quotes:

jeff@DESKTOP-12PMAF5:~$ which msfvenom
/usr/bin/msfvenom
jeff@DESKTOP-12PMAF5:~$ file /usr/bin/msfvenom
/usr/bin/msfvenom: symbolic link to /etc/alternatives/msfvenom
jeff@DESKTOP-12PMAF5:~$ file /etc/alternatives/msfvenom
/etc/alternatives/msfvenom: symbolic link to /opt/metasploit-framework/bin/msfvenom
jeff@DESKTOP-12PMAF5:~$ file /opt/metasploit-framework/bin/msfvenom
/opt/metasploit-framework/bin/msfvenom: POSIX shell script, ASCII text executable
jeff@DESKTOP-12PMAF5:~$ head -n 15 /opt/metasploit-framework/bin/msfvenom
#!/bin/sh
cmd=`basename $0`

CWD=`pwd`
SCRIPTDIR=/opt/metasploit-framework/bin
cd $SCRIPTDIR
EMBEDDED=$SCRIPTDIR/../embedded
BIN=$EMBEDDED/bin
FRAMEWORK=$EMBEDDED/framework

LOCALCONF=~/.msf4
DB=$LOCALCONF/db
DBCONF=$LOCALCONF/database.yml
cd $CWD

Since WSL2 makes the home directory based on the Windows username ("Jeff McJunkin") in my case, the path has spaces, and needs to be quoted.

The other shell wrappers do the same:

jeff@DESKTOP-12PMAF5:/opt/metasploit-framework/bin$ egrep '^cd \$CWD' *
msfbinscan:cd $CWD
msfconsole:cd $CWD
msfd:cd $CWD
msfelfscan:cd $CWD
msfmachscan:cd $CWD
msfpescan:cd $CWD
msfrop:cd $CWD
msfrpc:cd $CWD
msfrpcd:cd $CWD
msfvenom:cd $CWD

The fix should be simple -- change cd $CWD in all the shell wrappers to cd "$CWD". This will likely be a more common issue as WSL2 adoption rises, but it's not a WSL2-specific bug.

DidierA commented 3 years ago

Same issue as #134.

bcoles commented 8 months ago

All instances of cd $CWD should be fixed in #186.

There are a few other instances of unquoted cd commands which may (or may not) pose an issue. The first two of these are ok, but adding quotes should also be ok:

https://github.com/rapid7/metasploit-omnibus/blob/6c77070a873e4ed50574719de5710b943a0ad8cf/config/templates/metasploit-framework-wrappers/msfwrapper.erb#L6

https://github.com/rapid7/metasploit-omnibus/blob/6c77070a873e4ed50574719de5710b943a0ad8cf/config/templates/metasploit-framework-wrappers/msfwrapper.erb#L110

This may (or may not) cause an issue, depending on the (user-specified?) install location:

https://github.com/rapid7/metasploit-omnibus/blob/6c77070a873e4ed50574719de5710b943a0ad8cf/config/templates/metasploit-framework-wrappers/msfdb.erb#L23

Given the presence of multiple missing quotes for command arguments, it may be worth reviewing the wrappers more thoroughly.

Default shellcheck output:

```
root@kali:~/Desktop/metasploit-omnibus# sed -e 's/<%= .* %>//g' config/templates/metasploit-framework-wrappers/msfwrapper.erb | shellcheck -

In - line 2:
cmd=`basename $0`
    ^-----------^ SC2006 (style): Use $(...) notation instead of legacy backticks `...`.
              ^-- SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean:
cmd=$(basename "$0")


In - line 4:
CWD=`pwd`
    ^---^ SC2006 (style): Use $(...) notation instead of legacy backticks `...`.

Did you mean:
CWD=$(pwd)


In - line 6:
cd $SCRIPTDIR
^-----------^ SC2164 (warning): Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

Did you mean:
cd $SCRIPTDIR || exit


In - line 14:
cd "$CWD"
^-------^ SC2164 (warning): Use 'cd ... || exit' or 'cd ... || return' in case cd fails.

Did you mean:
cd "$CWD" || exit


In - line 28:
while read -p "Would you like to use and setup a new database (recommended)? " yn; do
      ^--^ SC2162 (info): read without -r will mangle backslashes.
           ^-- SC3045 (warning): In POSIX sh, read -p is undefined.


In - line 39:
if ! hash $cmd 2>/dev/null; then
          ^--^ SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean:
if ! hash "$cmd" 2>/dev/null; then


In - line 40:
while read -p "Would you like to add $cmd and other programs to your default PATH? " yn; do
      ^--^ SC2162 (info): read without -r will mangle backslashes.
           ^-- SC3045 (warning): In POSIX sh, read -p is undefined.


In - line 51:
if [ -e $DB -a -e $DBCONF ]; then
            ^-- SC2166 (warning): Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.


In - line 81:
-a ! -e $LOCALCONF/database.yml ]; then
^-- SC2166 (warning): Prefer [ p ] && [ q ] as [ p -a q ] is not well defined.


In - line 84:
if [ "`id -u`" -gt 0 ]; then
      ^-----^ SC2006 (style): Use $(...) notation instead of legacy backticks `...`.

Did you mean:
if [ "$(id -u)" -gt 0 ]; then


In - line 97:
if [ $cmd = "msfconsole" ]; then
     ^--^ SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean:
if [ "$cmd" = "msfconsole" ]; then


In - line 98:
if [ -n "`find $FRAMEWORK/$cmd -mmin +20160`" ]; then
         ^-- SC2006 (style): Use $(...) notation instead of legacy backticks `...`.
                          ^--^ SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean:
if [ -n "$(find $FRAMEWORK/"$cmd" -mmin +20160)" ]; then


In - line 107:
exec $BIN/ruby $FRAMEWORK/$cmd "$@"
                          ^--^ SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean:
exec $BIN/ruby $FRAMEWORK/"$cmd" "$@"


In - line 110:
(cd $FRAMEWORK && $BIN/ruby $BIN/$cmd "$@")
                                 ^--^ SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean:
(cd $FRAMEWORK && $BIN/ruby $BIN/"$cmd" "$@")


In - line 112:
exec $BIN/ruby $BIN/$cmd "$@"
                    ^--^ SC2086 (info): Double quote to prevent globbing and word splitting.

Did you mean:
exec $BIN/ruby $BIN/"$cmd" "$@"

For more information:
  https://www.shellcheck.net/wiki/SC2164 -- Use 'cd ... || exit' or 'cd ... |...
  https://www.shellcheck.net/wiki/SC2166 -- Prefer [ p ] && [ q ] as [ p -a q...
  https://www.shellcheck.net/wiki/SC3045 -- In POSIX sh, read -p is undefined.
```
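A stand-alone reproduction of both points raised in this thread (jeffmcjunkin's failure from a CWD containing a space, and the quoting and `cd` hardening that the shellcheck output above suggests). This is an added example, not code taken from the metasploit-omnibus wrappers. It writes two throwaway stand-ins for the wrapper prologue into a temp directory, one keeping the original unquoted expansions and one rewritten per SC2006/SC2086/SC2164, and runs each from a constructed directory named "Jeff McJunkin". Two assumptions differ from the real wrapper: SCRIPTDIR is passed as the first argument instead of being hard-coded to /opt/metasploit-framework/bin, and the body that would exec ruby is replaced by a line reporting the directory the wrapper ended up in.

```shell
#!/bin/sh
# Added example (not from metasploit-omnibus): show that an unquoted `cd $CWD`
# fails when CWD contains a space, and that the shellcheck-suggested form works.
# All paths below are constructed for the demo.

# Stand-in for the original prologue, same unquoted expansions as the real
# wrapper. SCRIPTDIR comes from $1 (assumption: the real wrapper hard-codes it).
BUGGY_WRAPPER='#!/bin/sh
cmd=`basename $0`
CWD=`pwd`
SCRIPTDIR=$1
cd $SCRIPTDIR
cd $CWD
echo "$cmd ran in: $(pwd)"
'

# Hardened prologue: $(...) instead of backticks, every expansion quoted, and a
# failed cd aborts instead of silently leaving the wrapper in SCRIPTDIR.
FIXED_WRAPPER='#!/bin/sh
cmd=$(basename "$0")
CWD=$(pwd)
SCRIPTDIR=$1
cd "$SCRIPTDIR" || exit 1
cd "$CWD" || exit 1
echo "$cmd ran in: $(pwd)"
'

# Install a wrapper into <tmp>/bin, run it from <tmp>/"Jeff McJunkin" (the
# constructed CWD with a space) and print the wrapper's report line.
# Usage: run_wrapper <script-text> <wrapper-name>
run_wrapper() {
    root=$(mktemp -d)
    mkdir -p "$root/bin" "$root/Jeff McJunkin"
    printf '%s' "$1" > "$root/bin/$2"
    # stderr dropped: the buggy copy prints "cd: can't cd to .../Jeff" (dash)
    # or "cd: too many arguments" (bash) and then carries on regardless.
    out=$(cd "$root/Jeff McJunkin" && sh "$root/bin/$2" "$root/bin" 2>/dev/null) || true
    rm -rf "$root"
    printf '%s\n' "$out"
}

# "ok" if the wrapper returned to the spaced directory, "wrong" if it was left
# somewhere else (for the buggy copy: in SCRIPTDIR).
check_wrapper() {
    case $(run_wrapper "$1" "$2") in
        *"/Jeff McJunkin") echo ok ;;
        *) echo wrong ;;
    esac
}

echo "buggy: $(check_wrapper "$BUGGY_WRAPPER" msfvenom)"   # wrong
echo "fixed: $(check_wrapper "$FIXED_WRAPPER" msfvenom)"   # ok
```

Run with `sh demo.sh`. The `|| exit` from SC2164 matters as much as the quotes: in the original prologue a failed `cd $CWD` is not fatal, so the rest of the wrapper (including the final `exec $BIN/ruby ...`) runs from SCRIPTDIR rather than the directory the user invoked it from, which is why the issue shows msfvenom continuing into its setup prompts after the cd error.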