We are excited to announce the immediate availability of version 3.3 of the Metasploit Framework. This release includes 446 exploits, 216 auxiliary modules, and hundreds of payloads, including an in-memory VNC service and the Meterpreter. In addition, the Windows payloads now support NX, DEP, IPv6, and the Windows 7 platform. More than 180 bugs were fixed since last year's release of version 3.2, making this one of the more well-tested releases yet.
Metasploit runs on all modern operating systems, including Linux, Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on a wide range of hardware platforms, from massive Unix mainframes to the Apple® iPhone™. Installers are available for the Windows and Linux platforms, bundling all dependencies into a single package for ease of installation. The latest version of the Metasploit Framework, as well as images, video demonstrations, documentation and installation instructions for many platforms, can be found online at http://www.metasploit.com/framework/.
This release of the Metasploit Framework was driven by numerous key contributors, including James Lee, Yoann Guillot, Steve Tornio, MC, Chris Gates, Alexander Kornbrust, Ramon Valle, Stephen Fewer, Ryan Linn, Lurene Grenier, Mike Kershaw, Patrick Webster, Max Moser, Efrain Torres, Alexander Sotirov, Ty Bodell, Joshua Drake, JR, Carlos Perez, Kris Katterjohn and many others.
The startup speed up the Metasploit Console and all utilities has been greatly improved due to performance patches by Yoann Guillot and a string processing overhaul by James Lee. Metasploit now fully supports the 1.9.1 version of the Ruby interpreter, clearing the way for support under a variety of alternate Ruby VMs in the future.
The Windows installation now includes a fully-functional console interface, using Cygwin and RXVT as a front-end to the framework. The Windows installer now runs on all supported versions of Windows, from Windows 2000 to Windows 7. The Windows version of Metasploit is now portable and can be silently installed via the /S /D=Dest parameters.
The Linux installers now include everything needed to run the Metasploit Framework on most versions of Linux released over the last five years. The official Linux installers are recommended for anyone using a Linux distribution other than Ubuntu (8.04 ). These installers include Ruby 1.9.1, Subversion 1.6.6, and all dependencies, along with convenient scripts for keeping the framework updated.
The Metasploit Console now indicates how many days have passed since the last update, reminding users when their installation becomes out of date. The console now uses a Ruby implementation of the Readline library by default, solving a number of issues with Mac OS X and other platforms with broken Readline support. The console now supports and enables ANSI colors by default, making it much easier to discern between errors and status messages on a busy terminal.
The database functionality is now enabled by default, as long RubyGems and at least one database driver is available on the system. The db_drivername plugins are deprecated and the db_driver and db_create commands are active by default. The db commands now support filters for everything from open ports to IP ranges. The db_autopwn command now cross-references across multiple ports and services name instead of a single port, when the -p parameter is supplied.
All applicable exploits now have OSVDB references thanks to a major effort by Steve Tornio. Two-ways links have been setup between the Metasploit module browser and their matching OSVDB entries. CVE references have been audited across the entire module tree, with a number of typos and other fixes corrected in the process.
Oracle exploit support has been implemented through a tag-team effort between MC and Chris Gates, with assistance from Alexander Kornbrust. Oracle modules have been developed for exploiting TNS protocol stack and Web-based Oracle services, as well as post-authentication database-level privilege escalation flaws. Microsoft SQL Server support has been overhauled, with the addition of a brand new native Ruby TDS driver exclusive to the Metasploit Framework and a large number of new modules. Microsoft SQL Server 2000 through 2008 versions have been tested with the new modules. The MSSQL and Oracle login modules can now brute force passwords from a dictionary file.
Automated client-side exploitation has been overhauled with a rewrite of the browser_autopwn module by James Lee. A number of existing client-side exploits have been updated to use better fingerprinting and evasion techniques. All TCP-based exploits can now be launched through SOCKS4, SOCKS5, and HTTP proxies.
Metasploit now supports 64-bit Windows as a target platform, with the ability to use standard stagers, generate executables with embedded payloads and load Meterpeter on 64-bit systems. Metasploit now supports 64-bit Linux on the PowerPC architecture as a target platform. The alphanumeric encoders have seen a number of bug fixes and improvements since version 3.2, including the ability to prepend alphanumeric GetEIP code via the AllowWin32SEH parameter.
AIX support as a target platform has been improved, with a number of additional payloads and an exploit module for the newly discovered rpc_ttdbserverd realpath vulnerability. These payloads support versions 5.3.7 through 6.1.4 of the AIX platform and work with auxiliary modules and the database to select the right syscall numbers for each particular operating system revision. 64-bit PowerPC Linux is now supported on the POWER and Cell Broadband chips through an effort by Ramon Valle of RISE Security
The reverse_tcp stager now has a configurable number of retries (ReverseConnectRetries) and exits gracefully if the connection fails. The reverse_tcp_allports stager will cycle through all possible outbound ports in order to punch through host or network firewalls. The standard Windows stagers were overhauled to use a new hashing method, support Windows 7, allocate their own memory during staging and avoid a middle stager by performing their own reliable transfer mechanism. The new stager development was driven by Stephen Fewer of Harmony Security.
Support for JSP payloads has been integrated, opening the door for new exploit modules for Java-based application engines, like Bea and Tomcat. The existing CMD, PHP, Ruby and Perl payloads have all seen a revamp and update to their compatibility-matching system.
Auxiliary scanner modules now instantiate a new module instance for each thread, allowing more of the exploit mixins to be used to develop network scanners. This greatly improved the reliability of the existing scanners and allowed for dozens of new ones to be developed. Scanner modules now report their progress as they scan the network and the frequency of reports can be controlled through advanced options.
A simple fuzzer API has been added as a mixin, along with over a dozen new fuzzer modules that demonstrate their use and capabilities. While fuzzing is not the focus of the framework, the API is easy to use and can meet the requirements of many on-the-spot service tests. Ryan Linn's HTTP NTLM capture module has been integrated into the framework.
Support for the DECT COM-ON-AIR driver has been integrated into Metasploit, along with two example modules for locating DECT base stations and detecting active calls. The Lorcon2 library is now supported through a new ruby-lorcon2 Ruby extension and exploit mixin. All existing modules using the old Lorcon API have been ported. The airpwn and dnspwn modules developed by Mike Kershaw (also one of the Lorcon2 authors) have been integrated into the framework. The pcaprub Ruby extension has been updated to build on Ruby 1.9.1. Max Moser's pSnuffle packet sniffer (modeled after dsniff) has been integrated into the framework.
The Meterpreter and VNC injection payloads now use Stephen Fewer's Reflective DLL injection technique; the previous DLL injection stages have been renamed and will be deprecated in a future release. The Meterpreter now negotiates a full SSL link after the staging process has been completed, even going so far as to fake a HTTP request over the SSL session to mimic the traffic profile of a normal web browser. The Metepreter AutoRunScript parameter can now support multiple scripts with arguments. The Meterpreter can now take screen shots, provided that the process has access to the desktop (e.g. migrated into explorer.exe), using the ESPIA extension developed by Efrain Torres.
The Meterpreter can now capture traffic from the compromised system, using an in-memory sniffing extension based on the MicroOLAP Packet Sniffing SDK. This feature creates a ring buffer of up to 200,000 packets, allowing a snapshot to be downloaded and converted to a standard pcap log file. The Meterpreter can now capture keystrokes, including those of console logins, by migrating in the appropriate process and using the keyscan commands. The long-missing "rm" command has finally been added to the Meterpreter command line. The "background" command has been added for situations when using ^Z is not feasible. Alexander Sotirov's METSVC has been added to the framework and a Meterpreter script has been included to automatically deploy it on a compromised system.
The beginnings of POSIX support have been implemented by JR, targeting the Linux and BSD platforms. The stdapi extension for POSIX has been partially completed and should continue to improve going forward.
All Metepreter scripts now support the "-h" parameter for usage. As of Metasploit 3.3, there are almost 30 different Metepreter scripts included in the release, many of which were exclusively written by Carlos Perez.
Enjoy the release!