
PostgreSQL CREATE LANGUAGE Execution - Fix version detection #11636

Merged
merged 2 commits into from
Apr 1, 2019

Conversation

bcoles
Contributor

@bcoles bcoles commented Mar 26, 2019

This PR fixes the version detection in the PostgreSQL CREATE LANGUAGE Execution module. Fixes #11629

Prior to this PR, the version detection was overly complex and unreliable, causing the check method to fail with NoMethodError undefined method `[]' for nil:NilClass

This PR simplifies the version detection to match ^PostgreSQL ([\d\.]+).

Reviewing the PostgreSQL documentation for version 8/9 indicates that SELECT version() returns the version in this format.

[-] ***rting the Metasploit Framework console...\
[-] * WARNING: No database support: No database YAML file
[-] ***
                                                  

   _______________                        |*\_/*|________
  |  ___________  |     .-.     .-.      ||_/-\_|______  |
  | |           | |    .****. .****.     | |           | |
  | |   0   0   | |    .*****.*****.     | |   0   0   | |
  | |     -     | |     .*********.      | |     -     | |
  | |   \___/   | |      .*******.       | |   \___/   | |
  | |___     ___| |       .*****.        | |___________| |
  |_____|\_/|_____|        .***.         |_______________|
    _|__|/ \|_|_.............*.............._|________|_
   / ********** \                          / ********** \
 /  ************  \                      /  ************  \
--------------------                    -------------------


       =[ metasploit v5.0.14-dev-79d22ef0d7               ]
+ -- --=[ 1884 exploits - 1064 auxiliary - 329 post       ]
+ -- --=[ 553 payloads - 44 encoders - 10 nops            ]
+ -- --=[ 2 evasion                                       ]

msf5 > use exploit/multi/postgres/postgres_createlang 
msf5 exploit(multi/postgres/postgres_createlang) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(multi/postgres/postgres_createlang) > set username msf
username => msf
msf5 exploit(multi/postgres/postgres_createlang) > set password msf
password => msf
msf5 exploit(multi/postgres/postgres_createlang) > check
[*] 127.0.0.1:5432 - The target appears to be vulnerable.
msf5 exploit(multi/postgres/postgres_createlang) > set verbose true
verbose => true
msf5 exploit(multi/postgres/postgres_createlang) > check

[*] 127.0.0.1:5432 - 127.0.0.1:5432 Postgres - querying with 'select version()'
[*] 127.0.0.1:5432 - PostgreSQL 10.4 (Debian 10.4-2) on x86_64-pc-linux-gnu, compiled by gcc (Debian 7.3.0-18) 7.3.0, 64-bit
[*] 127.0.0.1:5432 - The target appears to be vulnerable.
msf5 exploit(multi/postgres/postgres_createlang) > 
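As an added illustration (not code from the module or this PR), the Ruby below applies the simplified pattern to banners like those quoted above and returns nil instead of raising when the banner does not match, which is the failure mode the PR fixes. The sample banners and the range bounds passed to version_in_range? are constructed for the example; the PR does not state an affected version range.

```ruby
require 'rubygems'

# Constructed sample banners: the first two mirror lines quoted in the PR,
# the others are made up to exercise the non-matching and nil cases.
SAMPLE_BANNERS = {
  debian: 'PostgreSQL 10.4 (Debian 10.4-2) on x86_64-pc-linux-gnu, compiled by gcc (Debian 7.3.0-18) 7.3.0, 64-bit',
  darwin: 'PostgreSQL 10.4 on x86_64-apple-darwin17.5.0, compiled by Apple LLVM version 9.1.0 (clang-902.0.39.1), 64-bit',
  legacy: 'PostgreSQL 8.4.22 on x86_64-unknown-linux-gnu, compiled by GCC gcc (GCC) 4.4.7, 64-bit',
  unknown: 'SomeOtherDB 9.6.2 on x86_64-pc-linux-gnu', # hypothetical fork banner
  empty: nil
}.freeze

# The simplified pattern from the PR description.
VERSION_RE = /^PostgreSQL ([\d\.]+)/.freeze

# Returns a Gem::Version, or nil when the banner is missing or does not
# match. Guarding the match result is what avoids `[]' on nil:NilClass.
def postgres_version(banner)
  return nil if banner.nil?

  m = VERSION_RE.match(banner)
  return nil unless m

  # [\d\.]+ can over-capture a trailing dot; drop it before parsing.
  Gem::Version.new(m[1].sub(/\.\z/, ''))
rescue ArgumentError
  nil
end

# Inclusive range check on the parsed version. Returns true/false, or
# :unknown when no version could be extracted, so a caller can report
# "unknown" rather than crashing or guessing.
def version_in_range?(banner, min, max)
  v = postgres_version(banner)
  return :unknown if v.nil?

  v >= Gem::Version.new(min) && v <= Gem::Version.new(max)
end

if __FILE__ == $0
  SAMPLE_BANNERS.each do |name, banner|
    puts "#{name}: #{postgres_version(banner).inspect}"
  end
end
```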

@bcoles
Contributor Author

bcoles commented Mar 26, 2019

I have no idea why the original module used /(?<software>\w{10}) in the regex.

This implies that PostgreSQL is not always the expected software name; however, I can find no information to indicate this would be the case, and no information as to what other expected values could be, beyond the fact that it should be 10 characters in length. Perhaps this was a misguided attempt at case insensitive matching?

The original PR (#6417) was extensively reviewed; however the convoluted regex was never questioned.

If the PostgreSQL banner can lie about the software, it may also lie about the version. As such, this module could potentially benefit from implementation of a ForceExploit advanced option.

@bcoles bcoles added the easy label Mar 26, 2019
@wvu wvu self-assigned this Mar 26, 2019
@wvu
Contributor

wvu commented Apr 1, 2019

Current behavior:

msf5 exploit(multi/postgres/postgres_createlang) > check

[*] 127.0.0.1:5432 - 127.0.0.1:5432 Postgres - querying with 'select version()'
[-] Check failed: NoMethodError undefined method `[]' for nil:NilClass
msf5 exploit(multi/postgres/postgres_createlang) >

Fixed behavior:

msf5 exploit(multi/postgres/postgres_createlang) > check

[*] 127.0.0.1:5432 - 127.0.0.1:5432 Postgres - querying with 'select version()'
[*] 127.0.0.1:5432 - PostgreSQL 10.4 on x86_64-apple-darwin17.5.0, compiled by Apple LLVM version 9.1.0 (clang-902.0.39.1), 64-bit
[*] 127.0.0.1:5432 - The target appears to be vulnerable.
msf5 exploit(multi/postgres/postgres_createlang) >

Different error after failed run (maybe outside the scope of this PR):

msf5 exploit(multi/postgres/postgres_createlang) > run

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[*] 127.0.0.1:5432 - 127.0.0.1:5432 Postgres - querying with 'select version()'
[*] 127.0.0.1:5432 - PostgreSQL 10.4 on x86_64-apple-darwin17.5.0, compiled by Apple LLVM version 9.1.0 (clang-902.0.39.1), 64-bit
[*] 127.0.0.1:5432 - 127.0.0.1:5432 Postgres - querying with 'select version()'
[*] 127.0.0.1:5432 - 127.0.0.1:5432 - PostgreSQL 10.4 on x86_64-apple-darwin17.5.0, compiled by Apple LLVM version 9.1.0 (clang-902.0.39.1), 64-bit
[*] 127.0.0.1:5432 - 127.0.0.1:5432 Postgres - querying with 'CREATE LANGUAGE plperlu'
[-] 127.0.0.1:5432 - 127.0.0.1:5432 - error occurred loading perl
[*] 127.0.0.1:5432 - 127.0.0.1:5432 Postgres - querying with 'CREATE LANGUAGE plpythonu'
[-] 127.0.0.1:5432 - 127.0.0.1:5432 - error occurred loading python
[*] 127.0.0.1:5432 - 127.0.0.1:5432 Postgres - querying with 'CREATE LANGUAGE plpython2u'
[-] 127.0.0.1:5432 - 127.0.0.1:5432 - error occurred loading python2
[*] 127.0.0.1:5432 - 127.0.0.1:5432 Postgres - querying with 'CREATE LANGUAGE plpython3u'
[-] 127.0.0.1:5432 - 127.0.0.1:5432 - error occurred loading python3
[*] 127.0.0.1:5432 - 127.0.0.1:5432 Postgres - Disconnected
[*] Exploit completed, but no session was created.
msf5 exploit(multi/postgres/postgres_createlang) > check

[*] 127.0.0.1:5432 - 127.0.0.1:5432 Postgres - querying with 'select version()'
[-] Check failed: NoMethodError undefined method `>=' for nil:NilClass
msf5 exploit(multi/postgres/postgres_createlang) > log
[snip]
[04/01/2019 15:33:02] [e(0)] core: undefined method `>=' for nil:NilClass
/rapid7/metasploit-framework/lib/postgres/postgres-pr/message.rb:49:in `read'
/rapid7/metasploit-framework/lib/postgres/postgres-pr/connection.rb:138:in `block in query'
/rapid7/metasploit-framework/lib/postgres/postgres-pr/connection.rb:137:in `loop'
/rapid7/metasploit-framework/lib/postgres/postgres-pr/connection.rb:137:in `query'
/rapid7/metasploit-framework/lib/msf/core/exploit/postgres.rb:158:in `postgres_query'
/rapid7/metasploit-framework/lib/msf/core/exploit/postgres.rb:245:in `postgres_authed_fingerprint'
/rapid7/metasploit-framework/lib/msf/core/exploit/postgres.rb:218:in `postgres_fingerprint'
/rapid7/metasploit-framework/modules/exploits/multi/postgres/postgres_createlang.rb:65:in `vuln_version?'
/rapid7/metasploit-framework/modules/exploits/multi/postgres/postgres_createlang.rb:61:in `check'
/rapid7/metasploit-framework/lib/msf/base/simple/exploit.rb:192:in `check_simple'
/rapid7/metasploit-framework/lib/msf/base/simple/exploit.rb:199:in `check_simple'
/rapid7/metasploit-framework/lib/msf/ui/console/module_command_dispatcher.rb:229:in `check_simple'
/rapid7/metasploit-framework/lib/msf/ui/console/module_command_dispatcher.rb:147:in `cmd_check'
/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:522:in `run_command'
/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:473:in `block in run_single'
/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `each'
/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:467:in `run_single'
/rapid7/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
/rapid7/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/rapid7/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:49:in `<main>'

@wvu wvu merged commit ddbd7ba into rapid7:master Apr 1, 2019
wvu added a commit that referenced this pull request Apr 1, 2019
@wvu
Contributor

wvu commented Apr 1, 2019

Release Notes

The version detection in the exploit/multi/postgres/postgres_createlang module has been improved.

@bcoles bcoles deleted the postgres_createlang branch April 2, 2019 06:17
@tdoan-r7 tdoan-r7 added the rn-fix release notes fix label Apr 15, 2019
Successfully merging this pull request may close these issues.

postgres_createlang - NoMethodError undefined method `[]' for nil:NilClass
3 participants