Time for another Metasploit Update - this week we've got some new goodies for Meterpreter's Railgun, SSH, AIX, and a few new exploit modules. Enjoy!

Railgun Updates

Metasploit open source contributors Chao-Mu and kernelsmith have been busy over the last month or so, cranking out a pile of commits to Railgun in order to facilitate Windows API error message handling. For you non-post module developers, Railgun is a super-handy Meterpreter extension that "turns Ruby into a weapon," and you can get the technical details on the RailgunUsage wiki page over on the Metasploit development site. I wanted to highlight this effort this week because this is a great example of the collaborative feature building that goes on around here. Thanks guys!

New Modules (and scripts!)

In between handling customer feature requests and bug reports for Metasploit Pro, thelightcosine knocked out a couple new AIX-centric modules: a password hash dumper for AIX passwords (post/aix/hashdump) and a John the Ripper module to crack the same. AIX is a touch more exotic when it comes to operating systems, but there are plenty of enterprises that have one or two running. What's more, those machines have a tendency to run some pretty critical infrastructure.

Thomas Ring took up the challenge posed a couple weeks ago to submit some example resource scripts to demonstrate some low-level automation by working up three new Oracle-based scripts to automatically interrogate found Oracle servers for more information. This is a great example of driving Metasploit modules via data from the database, and has spurred some conversation on where RC scripts might go in the future.

In addition to these, we have six other modules added to Metasploit Framework:

  • drupal_views_user_enumeration , which exploits an information disclosure on Drupal usernames
  • sybase_easerver_traversal, which exploits CVE-2011-2474, a directory traversal vulnerability in Sybase EAServer
  • op5_license, which exploits CVE-2012-0261, a remote command execution vulnerability on OP5 Monitor
  • op5_welcome, which exploits CVE-2012-0262, another RCE vulnerability on, you guessed it, OP5 Monitor
  • xampp_webdav_upload_php, a WebDAV-vectored general purpose PHP file include exploit
  • adobe_reader_u3d, which exploits CVE-2011-2462, a file format bug in Adobe Reader (a tricky bug nailed down by exploit heavyweights sinn3r, jduck, and Juan Vazquez in another display of collaborative development teamwork)

Availability

For those of you who rely on the msfupdate command to track Framework development, you already have these sitting in your local checkout. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new Framework hotness today when you check for updates through the Software Updates menu under Administration.

For more details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.