Derbycon After-Action Report

As many of you know, last week and weekend was the fourth annual Derbycon -- a mid-sized gathering of security professionals from around the world, held in Louisville, Kentucky. A merge conflict* of Metasploit movers and shakers were there, and it's always nice to see friends, peers, and adversaries all gathered in the same place to swap info, both professional and personal. If you missed it -- which is likely, given the readership of this blog would outstrip all reasonable resources of the venue -- you can catch a ton of the talks generously provided by Irongeek. Of special interest to Metasploit users and developers would be James Egypt Lee's tour of the New Shiny in Metasploit Framework, and there's tons of good material from other Metasploit contributors. Look for the talks presented by Brandon Perry, Carlos DarkOperator Perez, Brandon zeknox McCann and Royce r3dy Davis, Jon Cran, and of course many, many others. There's hours upon hours of content there.

Of course, this is all a long way around of saying that I didn't write a weekly update blog post last week, so today's installment will cover roughly the last thirteen days of Metasploit movement.

[Br]eaking [Ba]sh

If this is the first time you're hearing about Shellshock, the Bash Bug, a Bug called Bash, Bashbleed, Heartshock.... well, you should probably just head on over to Jen Ellis's delightful write up of the bash bruhaha. Also, you're very, very behind, but that's okay. I won't judge.

Now that you're refreshed, you'll no doubt wonder where the Metasploit elves are on this. Well, we've published six new Metasploit modules that exercise Shellshock. Remember, the bug is in bash, and is absolutely not tied to just one application or protocol, so I can guarantee this is not the end of the story. The situation with bash is evolving on a daily basis, and we're keeping pace with the new developments as they surface so penetration testers, auditors, QA folks, IT administrators, and all the rest can validate their defenses and mitigations.

For ease of use, here's the list of new bash-related modules:

Tons of thanks to all the researchers and contributors that helped on these.

(The image of Hulk addressing bash via bash techniques by Acegiak)

Other New Modules

Over the last couple weeks, we've added a great pile of new modules -- 16 all together. Of course, bash-related modules take center stage, commanding six modules all by itself, as indicated above. The non-bash modules are listed below. Note that the PXE Exploit Server module isn't technically new -- it's replacing the deprecated file location for the old PXE Exploit Server (for details, just see PR3923).

Exploit modules

Auxiliary and post modules