Open Source Metasploit, Now on ARM

The annual pilgrimage to Las Vegas for the various security shows is over, and we're all back in real life now... but not before proving, in a slightly different and probably ill-considered way, that Metasploit runs on ARM:

Yep, that's my arm, with Metasploit permanently installed. I'm pretty well committed to this notion of open source security; I talked with the folks at SecureNinja about Metasploit Framework in particular (see the video), as well as at BSidesLV about open source security in general with Mister_X (have another video). So, thanks to all of you, users and developers alike, for making Metasploit such the overwhelming and humbling success it is.

Open Source Standards

Speaking of my and Rapid7's commitment to open source, it's high time that we got with the rest of the Ruby development community. We're embarking on a project to convert our massive, highly used, often updated Ruby codebase to the Ruby standard of "two space" indentation. While that might seem like a big deal, we know that just jumping in and doing it will instantly cause code conflicts for pretty much everyone else. So, we're taking a measured approach, and have cobbled together a plan for mass tab destruction throughout Metasploit.

The short story is, once this pull request is merged to the master branch, community contributors who work on other Ruby widgets no longer need to set up special environments for working with Metasploit; your usual configurations will work here as well. By October, this should all be behind us, GitHub default layouts of code and diffs will look normal, and the world will be a better place. Hooray!

Advanced !persistent Threats: CVE-2013-1690

Also over conference time, it was revealed that there was some malware leveraging an older Firefox vulnerability targeting specifically the Tor Browser Bundle. The exploit implementation was pretty complex, so we took a run at it pretty much as soon as the shows were over. See @sinn3r's and Juan Vazquez's detailed blog post and module, published earlier today. While the threat was certainly advanced, it was the opposite of persistent; according to samples and reports, the payload's entire purpose was to phone home with the victim's MAC address and IP address and get out of there, thus piercing the anonymity that Tor intends to provide.

While the Metasploit module is not currently functional against TBB specifically, it does work against plain-Jane, unpatched Firefox. In addition, it doesn't merely collect information about targets, but pops shells like a proper, well-behaved exploit should.

What this means for you: it's a fine time to test if your network or host-based IDS/IPS/AV is catching the specific TBB exploit, or if they're going the extra mile and catching the exercise of the vulnerability. This kind of alternate implementation and validation is always useful to keep your security vendors honest.

Incidentally, if you'd like to throw in on making the Metasploit module for CVE-2013-1690 more universally useful, feel free to catch up with the blog post and create your own branch for Metasploit Framework over on GitHub to get to it.  To be honest, we don't deal with Firefox vulns very often, since the common experience is that the patches are too hard to avoid, thanks to Mozilla's aggressive patch practices.  In this case, what with all the LiveCDs and other read-only media, it could be useful for a penetration-tester to have something like this in his pocket for that next social engineering engagement against targets who might favor stability over security a little too much.

New Modules

We've got five new modules with this week's update, including a conversion of Tavis @taviso Ormandy's privilege escalation exploit and the slew of PineApp issues, once again reversed from ZDI advisories by our own Juan Vazquez.

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.