Today marks the first Metasploit update of the new year, and it's been a little while since the last, so there's a bumper crop of new modules; eighteen to be precise.

Internet Explorer 0-day and Browser Autopwn

While we didn't ship an update over the holidays, that didn't stop @_sinn3r, @_juan_vazquez_, @eromang, @yomuds, and @binjo from tearing into the latest public 0-day for Microsoft Internet Explorer 8. For the details on exploit development, take a look at sinn3r's fantastico write up. As with all complex and interesting exploits, there's always some touch up after the initial release, and ie_cbutton_uaf is no exception. It's now a component of Metasploit's Browser Autopwn meta-module.

If you aren't familiar, Browser Autopwn is a throw-everything-at-it approach to client exploitation, and it's been a part of Metasploit for several years now. Here's a video of one of the earlier incarnations by the guys over at pauldotcom, and the usual use hasn't changed a whole lot since then (however, many more exploits are now included). As you can see, all you need to do is fire it up, let all the exploits set themselves up, then await your target. If he's running IE8, you can be sure that ie_cbutton_uaf will pop a shell for you, since as of this writing, there's still no hotfix available.

ICMP Exfiltration

Every once in a while, you might find your self in an argument with a network engineer about the security implications of ping. Yes, good old, reliable, required by RFC792 ICMP Type 8 ping. What harm could there be in allowing computers to ping arbitrary hosts on the Internet?

Well, this update includes community contributor @ChrisJohnRiley's delightful ICMP Exfiltration Service module. What this does is set up a listener to catch data tunneled out of a target site over good old, reliable, required by RFC792 ICMP Type 8 ping. The data being exfiltrated out is then saved off as loot, for use in your report demonstrating the security implications of allowing ping from the desktop.

If you're dealing with a client that doesn't care about exfiltration, then first, you should get them to read Iftach Ian Amit's paper from January of 2012, and then remind them that if they spent any time at all on splitting their DNS infrastructure, implementing egress firewall rules, or implementing a BYOD policy, then they are implicitly buying into to exfiltration awareness anyway.

Windows Post Modules

Also this week, we see three new post modules from community contributor @zeknox. I'm a fan of post modules; they're usually pretty easy to write and test, and often end up automating off an otherwise troublesome pen-testing chore. Of the bunch, my favorite is the Windows NetLM Downgrade Attack; this is a sneaky way to snag cleartext passwords from a user by forcing a machine to use the weak LM hashing algorithm when authenticating to SMB servers. This comes in handy, of course, when you control the SMB server in question. For more on this technique, see Brandon's write-up over on, or the original scenario described by Dave Howard.

Report Speedups

For those of you on Metasploit Pro and Express, you should also see significant improvements in your report generation. All Standard Reports there have been updated to use disk virtualization. Instead of holding the report generation objects in memory, they are now written to disk as needed. The main goal of this change was to allow the generation of reports against datasets of any arbitrary size. Very large numbers of hosts or other objects that previously caused report generation to crash are now handled with the greatest of ease. Additional gravy: report generation now uses about 25% less memory and takes 13% less time on average!

New Modules

Last update had just the one new module. We make up for that this week, with eighteen. Here they are.

Exploit modules

Auxiliary and Post modules


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandon Turner's most excellent release notes.