In this week's episode, the role of Tod Beardsley will be played by egypt.
Smaller is better
Perhaps the most prominent addition to the framework this week is not an addition at all, but rather a deletion. We've been working toward a slimmer, more manageable source tree for a while now, and as part of that effort, we recently removed a pile of old-and-busted unit tests. This update goes a bit further, moving source code for some compiled payloads into seperate repositories. Metasploit's version of Javapayload (which includes Java and Android Meterpreter) can now be found at rapid7/metasploit-javapayload, the native C meterpreter lives in rapid7/meterpreter, and the excellent packet manipulation library, PacketFu, has been pulled out of the tree in favor of the standalone gem. As so often is the case when anything involving Java arises, thanks again go to mihi for his help with a consolidated java build environment. By my calculations, the framework repository is now somewhere in the neighborhood of 45MB lighter.
Less is more
Another thing that has gotten much smaller is our pull queue, thanks to the tireless efforts of the lovely wvu. Having someone working full-time on ticket husbandry has made many things go more smoothly, and as a result the number of pull requests and unresolved issues has been steadily falling. Which, of course, means that now is a great time to submit that patch you've been meaning to write!
This week brings 6 new modules:
- Sun Java Web Start Double Quote Injection by Rh0 exploits CVE-2012-1533
- MS13-037 Microsoft Internet Explorer COALineDashStyleArray Integer Overflow by juan vazquez, 4B5F5F4B, and Nicolas Joly exploits MS13-037
- Monkey HTTPD Header Parsing Denial of Service (DoS) by Doug Prostko exploits CVE-2013-3843
- InfoVista VistaPortal Application Bruteforce Login Utility by Karn Ganeshen
- RFCode Reader Web Interface Login / Bruteforce Utility by Karn Ganeshen
- SAPRouter Port Scanner by Bruno Morisson and nmonkee
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.