Upgrading to Ruby 2.1.5

As you probably know, Metasploit is a fairly complex set of programs written in my favorite language, Ruby. Specifically, we've been on Ruby version 1.9.3 for a long while now. Well, time marches on, and the 1.9.3 branch has been in maintenance mode for most of 2014, and will reach end of life by February of 2015. So, we need to get moving on the upgrade to version 2.1.

This is a welcome upgrade, to be sure, if for no other reason than the performance gains between versions 1.9.3 and 2.1.5. Check out the comparisons on Is Ruby Fast Yet? if you don't believe me. And unlike the shift from the 1.8 to 1.9 branch, backwards compatibility with Ruby 1.9.3 is pretty painless for us.

Of course, major version changes of the Ruby interpreter need to be handled carefully so as not to introduce new and exciting bugs. To that end, James egypt Lee and Luke KronicDeth Imhoff have been performing the due diligence required to ensure that the transition is as smooth as possible for the penetration testers of the world. Once Pull Request #4084 lands next week, we should be ready to rock on the new Ruby hotness.

For those of you who use the installed versions of Metasploit -- Metasploit Community, Express, and Pro -- you don't have to do anything special. We'll have a point release of those versions of Metasploit that ships with Ruby 2.1 in the first week of January, 2015.

For the open source developer community, we'll have documentation ready next week on how to work with Metasploit with Ruby 2.1 -- essentially, you'll be updating your local .ruby-version, installing Ruby 2.1 in the usual way, and re-install your bundled gems. The whole procedure should take maybe 10 minutes.

Update: Documentation for devs is now available at the usual MSF-DEV wiki.

Update: As of November 14, 2014, the latest Ruby version is now 2.1.5.


Upgrading to Ruby 1.9.3-p550

Speaking of upgrading Ruby, there was a security bulletin for Ruby 1.9.3. CVE-2014-8080 describes a bug where untrusted data can trigger a DoS condition in the rexml mixin (which we use in quite a few Metasploit modules). It would be a bummer to have your penetration testing workstation get all its memory consumed by a malicious target. It's not a hair-on-fire, pre-auth code execution bug or anything, but an upgrade is certainly in order.

Again, Metasploit Community, Express, and Pro users don't need to do anything other than upgrade Metasploit to the latest, (which will be ready for the next release as well) and developers will want to install Ruby version 1.9.3-p550 (bumped up from 1.9.3-p547) when they get a chance.

New Modules

Since last week, we've landed four new exploits and eight new auxiliary and post modules. Especially interesting is the local exploit for CVE-2014-4113, which leverages a local kernel vulnerability to get elevated privileges on most every version of Windows out there.

Exploit modules

Auxiliary and post modules