Sample Resource Scripts
About a week ago, munky9001 posted on Reddit the headline, DB_Autopwn Deprecated! About time. Shortly after, HD wrote up a blog post, Six Ways to Automate Metasploit, with the moral of the story being, "don't cry for db_autopwn, there are already much better methods to get your automated pwnage on." Of these, the easiest and most straightforward way to automate things is to write a resource script.
This week's update now includes a standard location for resource scripts contributed by the Metasploit community, creatively named $install_dir/scripts/resource. Running scripts out of this location from the framework command prompt is as straightforward as
> resource scripts/resource/rc_script_name.rc
...and you're off.
There's exactly one rc script in there right now (thanks Mubix!), but if you have a resource script that you'd like to share, please feel free to submit it via a pull request to our GitHub repository -- especially if your favorite resource script does something novel and interesting with modules, targets, or something we haven't thought of yet.
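Since the scripts in that directory are community-contributed and `resource` executes whatever they contain, it helps to know what an rc file can hold before running one: a resource script is one msfconsole command per line, with `#` comments and blank lines ignored, and any text between `<ruby>` and `</ruby>` is evaluated as Ruby inside the console with the console's privileges. The following reviewer is an added example, not code from the framework or from the scripts/resource directory; it parses that format and reports the entries that launch a module or run embedded code. The `LAUNCH_COMMANDS` list and the `SAMPLE_RC` script are the example's own constructions.

```ruby
# Added example: stand-alone reviewer for Metasploit resource (.rc) scripts.
# Not part of the framework. Assumes the documented rc format:
#   - one msfconsole command per line, '#' starts a comment, blanks ignored
#   - text between <ruby> and </ruby> is evaluated as Ruby in the console

RcEntry = Struct.new(:kind, :line, :text)

# Console commands that start execution or load code rather than set options.
# This list is the example's own choice, not a framework constant.
LAUNCH_COMMANDS = %w[exploit run load irb].freeze

# Split an rc file into :command entries and :ruby blocks, keeping line numbers.
def parse_resource_script(source)
  entries = []
  ruby_buffer = nil
  ruby_start = nil
  source.each_line.with_index(1) do |raw, lineno|
    line = raw.chomp
    if ruby_buffer
      # Inside a <ruby> block: collect lines until the closing tag.
      if line.strip == '</ruby>'
        entries << RcEntry.new(:ruby, ruby_start, ruby_buffer.join("\n"))
        ruby_buffer = nil
      else
        ruby_buffer << line
      end
      next
    end
    stripped = line.strip
    next if stripped.empty? || stripped.start_with?('#')
    if stripped == '<ruby>'
      ruby_buffer = []
      ruby_start = lineno
    else
      entries << RcEntry.new(:command, lineno, stripped)
    end
  end
  raise ArgumentError, "unterminated <ruby> block opened at line #{ruby_start}" if ruby_buffer
  entries
end

# Return human-readable findings for every entry that executes something.
def review_resource_script(source)
  findings = []
  parse_resource_script(source).each do |entry|
    case entry.kind
    when :ruby
      findings << "line #{entry.line}: embedded Ruby block (#{entry.text.lines.count} lines) runs with the console's privileges"
    when :command
      verb = entry.text.split.first
      findings << "line #{entry.line}: '#{entry.text}' launches a module or loads code" if LAUNCH_COMMANDS.include?(verb)
    end
  end
  findings
end

# Constructed sample script (not one from the repository) for demonstration.
SAMPLE_RC = <<~RC
  # constructed sample, not a script from the repository
  workspace -a review_demo
  setg RHOSTS 192.0.2.10
  use auxiliary/scanner/portscan/tcp
  set PORTS 22,80,443
  run
  <ruby>
  framework.db.hosts.each { |h| print_status(h.address) }
  </ruby>
RC

if __FILE__ == $PROGRAM_NAME
  review_resource_script(SAMPLE_RC).each { |finding| puts finding }
end
```

Run it against a script pulled from a pull request before you `resource` it; the parser raises on an unterminated `<ruby>` block rather than silently treating the remainder as commands, which is the failure a hand-written rc file is most likely to contain.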
Metasploit contributor pello brings us a new auxiliary module, dns_fuzzer.rb. As part of testing, I threw this module against three different DNS resolvers just to watch the traffic, and promptly crashed one of the targets. Clearly, grown-up DNS servers shouldn't fall over in the face of malformed traffic delivered at regular Internet speeds, so if you're feeling like hunting for remote 0-day for fame and fortune, you could do worse than starting with this module.
We have three new modules exploiting CVE-classified bugs: CVE-2011-4350, which affects the Yaws webserver; CVE-2011-4453, which affects the PHP application PmWiki; and CVE-2005-4832, which affects Oracle Database Server 10g. The Oracle bug dates back to 2005, but as mentioned last week, running installations of older, unpatched software is often a surprising finding that a penetration tester can present to a client.
As for the non-CVE-classified exploits, we're now shipping modules for Family Connections (a quasi-blog application), Traq (a bug tracking application), Ability Server (a commercial FTP server), and CoDeSys Webserver. That last one with the funny camel-cased name apparently has something to do with a webserver that's used to control remote PLCs for SCADA operations, so the fact that it's unclassified seems a little disconcerting.
For those of you who rely on the msfupdate command to track Framework development, you already have these sitting in your local checkout. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new Framework hotness today when you check for updates through the Software Updates menu under Administration.
For more details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.