Just a quick update this week for some new Metasploit modules. We're holding off on the usual Framework and Pro enhancements as we button up the next point release for Metasploit Pro, Express, and Community Editions. That said, we do have a few neat new modules that I wanted to highlight, so let's take a look.

Hacking the Hackers

This week's haul includes something a little unusual -- an exploit for Poison Ivy, a blackhat-favored Remote Administration Tool (RAT). Community contributor Gal Badishi wrote the poisonivy_bof module which implements a vulnerability discovered by Andrzej Dereszowski in Poison Ivy 2.3.2. Given that this version has been current since 2008 or so, I don't expect a fix any time soon -- besides, if you happen to find it listening (Poison Ivy binds to TCP/3460 by default), it's a pretty good bet the owner of the computer doesn't know it's running.

As a pen-tester, retaking ownership of a machine that's already been compromised is a great story to be able to tell your client -- it really underlines the importance of offensive security testing in live environments. Finding listening RATs and backdoors and the like is one thing, but to be able to turn them around and immediately use them to gather more information on the target network is pretty ninja.

Function Prototype Mismatching, Explained

Earlier this week, Metasploit's Juan Vazquez provided a ton of details on implementing vulnerability researcher Andrea "rgod" Micalizzi's vulnerability in IBM's Rational ClearQuest CQOle ActiveX control, over in his blog post, It isn't Always about Buffer Overflow. I'm getting spoiled by these technical deep dives into how Juan and sinn3r write up these exploits, and more than a little jealous that they get to spend all their time producing Metasploit awesomeness. The described exploit is in this week's update, so have fun poking at it.

Return of WPAD

This week's update also has a new auxiliary module from community contributor "et" which implements the WPAD man-in-the-middle (MITM) attack. I'm a little surprised we didn't already have this attack knocking around, since it can be such a handy way to redirect client victims to your custom phishing site. In fact, Metasploit contributor James "egypt" Lee's travel laptop is named "wpad," so if you happen to be on a network near him, be careful with your proxy settings. (:

If you're not familiar with how the WPAD MITM works, some guy at some company wrote up the attack with a demo a few years ago. It's an okay read.

New Modules

Here are the new modules -- for details and usage, follow the links to our Exploit Database.


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see the most excellent release notes.