Land rapid7#14769, Handle nil versions in preparation for rubygems 4

Author: gwillcox-r7

lib/metasploit/framework/api/version.rb

@@ -10,7 +10,7 @@ module Version
       end
 
       VERSION = "#{Version::MAJOR}.#{Version::MINOR}.#{Version::PATCH}"
-      GEM_VERSION = Gem::Version.new(VERSION)
+      GEM_VERSION = Rex::Version.new(VERSION)
     end
   end
-end
+end

lib/metasploit/framework/core/version.rb

@@ -13,7 +13,7 @@ module Version
       end
 
       VERSION = Metasploit::Framework::VERSION
-      GEM_VERSION = Gem::Version.new(Metasploit::Framework::GEM_VERSION)
+      GEM_VERSION = Rex::Version.new(Metasploit::Framework::GEM_VERSION)
     end
   end
 end

lib/metasploit/framework/login_scanner/phpmyadmin.rb

@@ -14,7 +14,7 @@ def check_setup
 
           if res && res.body.include?('phpMyAdmin')
             if res.body =~ /PMA_VERSION:"(\d+\.\d+\.\d+)"/
-              version = Gem::Version.new($1)
+              version = Rex::Version.new($1)
             end
             return version.to_s
           end

lib/msf/core/exploit/remote/http/drupal.rb

@@ -23,7 +23,7 @@ def setup
 
   # Determine Drupal version
   #
-  # @return [Gem::Version] Version as Gem::Version
+  # @return [Rex::Version] Version as Rex::Version
   def drupal_version
     res = send_request_cgi(
       'method' => 'GET',
@@ -49,12 +49,12 @@ def drupal_version
 
   # Return CHANGELOG.txt
   #
-  # @param version [Gem::Version] Gem::Version or version string
+  # @param version [Rex::Version] Rex::Version or version string
   # @return [String] CHANGELOG.txt as a string
   def drupal_changelog(version)
-    return unless version && Gem::Version.correct?(version)
+    return unless version && Rex::Version.correct?(version)
 
-    uri = Gem::Version.new(version) < Gem::Version.new('8') ?
+    uri = Rex::Version.new(version) < Rex::Version.new('8') ?
           normalize_uri(target_uri.path, 'CHANGELOG.txt') :
           normalize_uri(target_uri.path, 'core/CHANGELOG.txt')
 
@@ -89,16 +89,16 @@ def drupal_patch(changelog, patch)
   # Match a Drupal version
   #
   # @param string [String] String to match against
-  # @return [Gem::Version] Version as Gem::Version
+  # @return [Rex::Version] Version as Rex::Version
   def version_match(string)
     return unless string
 
     # Perl devs love me; Ruby devs hate me
     string =~ /^Drupal ([\d.]+)/
 
-    return unless $1 && Gem::Version.correct?($1)
+    return unless $1 && Rex::Version.correct?($1)
 
-    Gem::Version.new($1)
+    Rex::Version.new($1)
   end
 
 end

lib/msf/core/exploit/remote/http/wordpress/version.rb

@@ -189,20 +189,20 @@ def extract_and_check_version(body, type, item_type, fixed_version = nil, vuln_i
       if vuln_introduced_version.nil?
         # All versions are vulnerable
         return Msf::Exploit::CheckCode::Appears(details:{version: version})
-      elsif Gem::Version.new(version) >= Gem::Version.new(vuln_introduced_version)
+      elsif Rex::Version.new(version) >= Rex::Version.new(vuln_introduced_version)
         # Newer or equal to the version it was introduced
         return Msf::Exploit::CheckCode::Appears(details:{version: version})
       else
         return Msf::Exploit::CheckCode::Safe(details:{version: version})
       end
     else
       # Version older than fixed version
-      if Gem::Version.new(version) < Gem::Version.new(fixed_version)
+      if Rex::Version.new(version) < Rex::Version.new(fixed_version)
         if vuln_introduced_version.nil?
           # Older than fixed version, no vuln introduction date, flag as vuln
           return Msf::Exploit::CheckCode::Appears(details:{version: version})
         # vuln_introduced_version provided, check if version is newer
-        elsif Gem::Version.new(version) >= Gem::Version.new(vuln_introduced_version)
+        elsif Rex::Version.new(version) >= Rex::Version.new(vuln_introduced_version)
           return Msf::Exploit::CheckCode::Appears(details:{version: version})
         else
           # Not in range, nut vulnerable

lib/msf/core/payload/apk.rb

@@ -150,8 +150,8 @@ def backdoor_apk(apkfile, raw_payload, signature = true, manifest = true, apk_da
       raise RuntimeError, "apktool not found. If it's not in your PATH, please add it."
     end
 
-    apk_v = Gem::Version.new(apktool)
-    unless apk_v >= Gem::Version.new('2.0.1')
+    apk_v = Rex::Version.new(apktool)
+    unless apk_v >= Rex::Version.new('2.0.1')
       raise RuntimeError, "apktool version #{apk_v} not supported, please download at least version 2.0.1."
     end
 

lib/rex.rb

@@ -94,6 +94,9 @@ module Rex
 require 'rex/sslscan/scanner'
 require 'rex/sslscan/result'
 
+# Versions
+require 'rex/version'
+
 # Overload the Kernel.sleep() function to be thread-safe
 Kernel.class_eval("
   def sleep(seconds=nil)

lib/rex/post/hwbridge/extensions/automotive/automotive.rb

@@ -120,7 +120,7 @@ def send_isotp_and_wait_for_response(bus, src_id, dst_id, data, opt = {})
     data = [ data ] if data.is_a? Integer
     if data.size < 8
       # Padding is handled differently after 0.0.3
-      if Gem::Version.new(client.api_version) < Gem::Version.new('0.0.4')
+      if Rex::Version.new(client.api_version) < Rex::Version.new('0.0.4')
         data = padd_packet(data, opt['PADDING']) if opt.key? 'PADDING'
       end
       data = array2hex(data).join

lib/rex/version.rb

@@ -0,0 +1,11 @@
+class Rex::Version < Gem::Version
+
+  def initialize(version)
+    if version.nil?
+      # Rubygems 4 is deprecating `nil` as a valid version number
+      # Currently it is the equivalent of a `0` so we set that here to keep the same functionality
+      version = 0
+    end
+    super version
+  end
+end

modules/auxiliary/admin/http/allegro_rompager_auth_bypass.rb

@@ -210,7 +210,7 @@ def check_response_fingerprint(res, fallback_status)
     # ensure the fingerprint at least appears vulnerable
     if /RomPager\/(?<version>[\d\.]+)/ =~ fp
       vprint_status("#{peer} is RomPager #{version}")
-      if Gem::Version.new(version) < Gem::Version.new('4.34')
+      if Rex::Version.new(version) < Rex::Version.new('4.34')
         if /realm="(?<model>.+)"/ =~ fp
           return model
         end

modules/auxiliary/admin/http/joomla_registration_privesc.rb

@@ -54,7 +54,7 @@ def check
       return Exploit::CheckCode::Safe
     end
 
-    version = Gem::Version.new(joomla_version)
+    version = Rex::Version.new(joomla_version)
 
     unless version
       vprint_error('Unable to detect Joomla version')
@@ -63,7 +63,7 @@ def check
 
     vprint_status("Detected Joomla version #{version}")
 
-    if version.between?(Gem::Version.new('3.4.4'), Gem::Version.new('3.6.3'))
+    if version.between?(Rex::Version.new('3.4.4'), Rex::Version.new('3.6.3'))
       return Exploit::CheckCode::Appears
     end
 

modules/auxiliary/admin/http/netgear_r6700_pass_reset.rb

@@ -100,13 +100,13 @@ def retrieve_version
       fail_with(Failure::UnexpectedReply, 'Failed to obtain device version: no version number found in response') # Taken from https://stackoverflow.com/questions/4115115/extract-a-substring-from-a-string-in-ruby-using-a-regular-expression
     end
     raw_version_number = version[0].gsub('V', '') # If we got a result, then take the first result from the returned array, and remove the leading 'V'.
-    Gem::Version.new(raw_version_number) # Finally lets turn it into a Gem::Version object for later use in other parts of the code.
+    Rex::Version.new(raw_version_number) # Finally lets turn it into a Rex::Version object for later use in other parts of the code.
   end
 
   def check
     target_version = retrieve_version
     print_status("Target is running firmware version #{target_version}")
-    if (target_version < Gem::Version.new('1.0.4.94')) && (target_version >= Gem::Version.new('1.0.2.62'))
+    if (target_version < Rex::Version.new('1.0.4.94')) && (target_version >= Rex::Version.new('1.0.2.62'))
       return Exploit::CheckCode::Appears
     else
       return Exploit::Checkcode::Safe
@@ -115,12 +115,12 @@ def check
 
   def find_offset
     target_version = retrieve_version
-    if target_version == Gem::Version.new('1.0.4.84')
+    if target_version == Rex::Version.new('1.0.4.84')
       print_status("#{peer} - Identified Netgear R6700v3 (firmware V1.0.0.4.84_10.0.58) as the target.")
       # this offset is where execution will jump to
       # a part in the middle of the binary that resets the admin password
       return "\x58\x9a\x03"
-    elsif target_version == Gem::Version.new('1.0.4.82')
+    elsif target_version == Rex::Version.new('1.0.4.82')
       print_status("#{peer} - Identified Netgear R6700v3 (firmware V1.0.0.4.82_10.0.57) as the target.")
       return "\x48\x9a\x03"
     end

modules/auxiliary/admin/http/pfadmin_set_protected_alias.rb

@@ -66,9 +66,9 @@ def check
     if res.body =~ /<div id="footer".*Postfix Admin/m
       version = res.body.match(/<div id="footer"[^<]*<a[^<]*Postfix\s*Admin\s*([^<]*)<\//mi)
       return Exploit::CheckCode::Detected unless version
-      if Gem::Version.new("2.91") > Gem::Version.new(version[1])
+      if Rex::Version.new("2.91") > Rex::Version.new(version[1])
         return Exploit::CheckCode::Detected
-      elsif Gem::Version.new("3.0.1") < Gem::Version.new(version[1])
+      elsif Rex::Version.new("3.0.1") < Rex::Version.new(version[1])
         return Exploit::CheckCode::Detected
       end
       return Exploit::CheckCode::Appears

modules/auxiliary/gather/memcached_extractor.rb

@@ -128,7 +128,7 @@ def run_host(ip)
       connect
       if (version = determine_version)
         vprint_good("Connected to memcached version #{version}")
-        if (Gem::Version.new(version) >= Gem::Version.new('1.5.4'))
+        if (Rex::Version.new(version) >= Rex::Version.new('1.5.4'))
           command_string = "lru_crawler"
         else
           command_string = 'cachedump'

modules/auxiliary/gather/qnap_backtrace_admin_hash.rb

@@ -64,7 +64,7 @@ def check
       @target = (xml.at('//platform').text == 'TS-NASX86' ? 'x86' : 'ARM')
       vprint_status("QNAP #{info[0]} #{info[1..-1].join('-')} detected")
 
-      if Gem::Version.new(info[1]) < Gem::Version.new('4.2.3')
+      if Rex::Version.new(info[1]) < Rex::Version.new('4.2.3')
         Exploit::CheckCode::Appears
       else
         Exploit::CheckCode::Detected

modules/auxiliary/scanner/couchdb/couchdb_enum.rb

@@ -88,11 +88,11 @@ def get_version
 
   def check
     return Exploit::CheckCode::Unknown unless get_version
-    version = Gem::Version.new(@version)
+    version = Rex::Version.new(@version)
     return Exploit::CheckCode::Unknown if version.version.empty?
     vprint_good("#{peer} - Found CouchDB version #{version}")
 
-    return Exploit::CheckCode::Appears if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
+    return Exploit::CheckCode::Appears if version < Rex::Version.new('1.7.0') || version.between?(Rex::Version.new('2.0.0'), Rex::Version.new('2.1.0'))
 
     Exploit::CheckCode::Safe
   end
@@ -216,9 +216,9 @@ def run
 
     if datastore['CREATEUSER']
       fail_with(Failure::Unknown, 'get_version failed in run') unless get_version
-      version = Gem::Version.new(@version)
+      version = Rex::Version.new(@version)
       print_good("#{peer} - Found CouchDB version #{version}")
-      create_user if version < Gem::Version.new('1.7.0') || version.between?(Gem::Version.new('2.0.0'), Gem::Version.new('2.1.0'))
+      create_user if version < Rex::Version.new('1.7.0') || version.between?(Rex::Version.new('2.0.0'), Rex::Version.new('2.1.0'))
     end
     auth = basic_auth(username, password) if username && password
     get_server_info(auth) if datastore['SERVERINFO']

modules/auxiliary/scanner/http/allegro_rompager_misfortune_cookie.rb

@@ -78,7 +78,7 @@ def check_response_fingerprint(res, fallback_status)
     fp = http_fingerprint(response: res)
     if /RomPager\/(?<version>[\d\.]+)/ =~ fp
       vprint_status("#{peer} is RomPager #{version}")
-      if Gem::Version.new(version) < Gem::Version.new('4.34')
+      if Rex::Version.new(version) < Rex::Version.new('4.34')
         return Exploit::CheckCode::Appears
       end
     end

modules/auxiliary/scanner/http/bmc_trackit_passwd_reset.rb

@@ -66,7 +66,7 @@ def check_host(ip)
       version = res.body.scan(/\bBuild=([\d\.]+)/).flatten.first
       if version
         fix_version = '11.4'
-        if Gem::Version.new(version) < Gem::Version.new(fix_version)
+        if Rex::Version.new(version) < Rex::Version.new(fix_version)
           report_vuln(
             host: ip,
             port: rport,

modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb

@@ -50,7 +50,7 @@ def get_version(res)
 
   def is_version_tested?(version)
     # As of Sep 4 2014, version 7.4 is the latest and that's the last one we've tested
-    if Gem::Version.new(version) < Gem::Version.new('7.5')
+    if Rex::Version.new(version) < Rex::Version.new('7.5')
       return true
     end
 

modules/auxiliary/scanner/http/limesurvey_zip_traversals.rb

@@ -174,7 +174,7 @@ def determine_version(cookie)
     /Version\s+(?<version>\d\.\d{1,2}\.\d{1,2})/ =~ res.body
     return nil unless version
 
-    Gem::Version.new(version)
+    Rex::Version.new(version)
   end
 
   def run_host(ip)
@@ -188,14 +188,14 @@ def run_host(ip)
       cve_2019_9960_pre3_15_9 cookie, ip
     end
     vprint_status "Version Detected: #{version.version}"
-    if version.between?(Gem::Version.new('4.0'), Gem::Version.new('4.1.11'))
+    if version.between?(Rex::Version.new('4.0'), Rex::Version.new('4.1.11'))
       cve_2020_11455 cookie, ip
-    elsif version.between?(Gem::Version.new('2.50.0'), Gem::Version.new('3.15.9'))
+    elsif version.between?(Rex::Version.new('2.50.0'), Rex::Version.new('3.15.9'))
       cve_2019_9960_version_3 cookie, ip
     # 2.50 is when LimeSurvey started doing almost daily releases.  This version was
     # picked arbitrarily as I can't seem to find a lower bounds on when this other
     # method may be needed.
-    elsif version < Gem::Version.new('2.50.0')
+    elsif version < Rex::Version.new('2.50.0')
       cve_2019_9960_pre25 cookie, ip
     else
       print_bad "No exploit for version #{version.version}"

modules/auxiliary/scanner/http/wordpress_content_injection.rb

@@ -50,14 +50,14 @@ def initialize(info = {})
 
   def check_host(_ip)
     if (version = wordpress_version)
-      version = Gem::Version.new(version)
+      version = Rex::Version.new(version)
     else
       return Exploit::CheckCode::Safe
     end
 
     vprint_status("WordPress #{version}: #{full_uri}")
 
-    if version.between?(Gem::Version.new('4.7'), Gem::Version.new('4.7.1'))
+    if version.between?(Rex::Version.new('4.7'), Rex::Version.new('4.7.1'))
       Exploit::CheckCode::Appears
     else
       Exploit::CheckCode::Detected

modules/auxiliary/scanner/http/wordpress_multicall_creds.rb

@@ -76,7 +76,7 @@ def check_setup
     elsif !wordpress_xmlrpc_enabled?
       print_error("#{peer}:#{rport}#{wordpress_url_xmlrpc} does not enable XMLRPC")
       false
-    elsif Gem::Version.new(version) >= Gem::Version.new('4.4.1')
+    elsif Rex::Version.new(version) >= Rex::Version.new('4.4.1')
       print_error("#{peer}#{wordpress_url_xmlrpc} Target's version (#{version}) is not vulnerable to this attack.")
       vprint_status("Dropping CHUNKSIZE from #{datastore['CHUNKSIZE']} to 1")
       datastore['CHUNKSIZE'] = 1

modules/auxiliary/scanner/http/wp_loginizer_log_sqli.rb

@@ -57,7 +57,7 @@ def run_host(ip)
       return
     end
 
-    if Gem::Version.new(wp_ver) < Gem::Version.new('5.4')
+    if Rex::Version.new(wp_ver) < Rex::Version.new('5.4')
       vprint_error("Wordpress (core) #{wp_ver} is unexploitable.  Version 5.4+ required.")
       return
     end

modules/auxiliary/scanner/smb/smb_uninit_cred.rb

@@ -178,7 +178,7 @@ def get_samba_info
 
   # Converts a version string into an object so we can eval it
   def version(v)
-    Gem::Version.new(v)
+    Rex::Version.new(v)
   end
 
 

modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb

@@ -58,16 +58,16 @@ def initialize(info = {})
 
   # Vulnerable since 0.6.0 and patched in 0.7.6 and 0.8.4
   def check_banner(ip, version)
-    version =~ /libssh[_-]?([\d.]*)$/ && $1 && (v = Gem::Version.new($1))
+    version =~ /libssh[_-]?([\d.]*)$/ && $1 && (v = Rex::Version.new($1))
 
     if v.nil?
       vprint_error("#{ip}:#{rport} - #{version} does not appear to be libssh")
       Exploit::CheckCode::Unknown
     elsif v.to_s.empty?
       vprint_warning("#{ip}:#{rport} - libssh version not reported")
       Exploit::CheckCode::Detected
-    elsif v.between?(Gem::Version.new('0.6.0'), Gem::Version.new('0.7.5')) ||
-          v.between?(Gem::Version.new('0.8.0'), Gem::Version.new('0.8.3'))
+    elsif v.between?(Rex::Version.new('0.6.0'), Rex::Version.new('0.7.5')) ||
+          v.between?(Rex::Version.new('0.8.0'), Rex::Version.new('0.8.3'))
       vprint_good("#{ip}:#{rport} - #{version} appears to be unpatched")
       Exploit::CheckCode::Appears
     else

modules/auxiliary/sqli/openemr/openemr_sqli_dump.rb

@@ -68,7 +68,7 @@ def check
     version.sub! ')', ''
     version.strip!
 
-    return Exploit::CheckCode::Safe unless Gem::Version.new(version) < Gem::Version.new('5.0.1.7')
+    return Exploit::CheckCode::Safe unless Rex::Version.new(version) < Rex::Version.new('5.0.1.7')
 
     Exploit::CheckCode::Appears
   end