Exploit reliability has been a primary goal of the Metasploit Framework since the beginning. We require all modules to be consistent, reliable, and in cases where targeting is tricky, for this to be reflected in the Exploit Rank and in the default target settings. This policy has resulted in us turning down community submissions and withholding exploits that just didn't quite make the cut for mass distribution. Over the years our core developers and contributors have amassed dozens of modules that suffer from minor flaws or require just a bit more time to get right. These modules tend to be forgotten and eventually lose compatibility with the rest of the framework.

This process is not optimal; even when a module isn't "done", it may still be useful as a proof of concept or as a starting point for another developer to bring it to the next step. A half-finished exploit still provides a level of technical insight into a vulnerability that is difficult to obtain from most public vulnerability databases.

In an effort to improve this situation, we are happy to announce the Metasploit Framework "unstable" module tree. This tree provides a place for rough cut modules and proof of concepts to be submitted, shared, and easily used by other members of the community. Once a module is improved to the point that it meets the standards for inclusion into the main tree, it will be merged over and available via the normal update mechanism. This provides a faster path for community developers to receive feedback and can serve as a reference for anyone interested in the exploit details of a flaw when no stable module is available.

To kick things off, we seeded this tree with fifteen modules from the Rapid7 module archive. Some of these exploits are nearly done, but suffer from minor issues related to automatic exploitation, or have compatibility problems with certain payloads. We hope the community finds these modules useful and submits their own "backlog" for the public to review and improve.

To use these modules, check out the new tree from Subversion and load them into the Metasploit Framework console. The simple way to do this is outlined below:

$ svn co https://metasploit.com/svn/framework3/unstable/modules/ ~/.msf3/unstable/
$ msfconsole -m ~/.msf3/unstable/

To load the unstable tree automatically on startup, enter the following commands into the msfconsole prompt.

msf> setg MsfModulePaths /home/USERNAME/.msf3/unstable/
msf> save

For developers who would like to submit modules, please create a Redmine ticket or send them via email at msfdev[at]metasploit.com. Note that the Name field of the module should start with INCOMPLETE or UNRELIABLE depending on the status. This will indicate where it should live in the unstable tree and make it easy for folks to identify unstable modules via the standard console commands. The unstable tree is currently for modules only, but this does include Meterpreter scripts that have been ported to the new Post module format.

-HD