Hi folks. It's been a little while. I know, I know. Things have been a little wonky around here lately, as you no doubt have noticed. So, while this is nominally the Weekly Metasploit Wrapup, it's been a little more than a month since the Community Cutover on April 1st. That said, our blog platform now seems stable enough to resume writing these missives, so let's cover the highlights of what's been going on in the People's Republic of Metasploit since the last post.

If you just want to see the diffs, just check out the GitHub compare. Only about a thousand changes to go through for the last several weeks, so have a blast with that.

WordPress Exploitation Extravaganza

Metasploit now boasts over a dozen new WordPress-related exploits and auxiliary modules, most of which were contributed by Roberto espreto Soares, with hat tips to community committer Christian FireFart Mehlmauer for landing assistance. This avalanche of exploits illustrates rather obviously the problems historically associated with WordPress plugins, arguably to the point that this particular dead horse has truly been beaten into a soupy, desiccated mass.

So, we've had to rate limit the sheer volume of WordPress exploits that were hitting the Metasploit pull request queue, lest we accidentally become WordPressSploit. In fact, after I so cruelly dismissed a handful of new WordPress modules in this comment, that's precisely what Roberto did, and now he's chugging away on WPSploit, which can be used as a local add-on for all your WordPress plugin exploitation needs. All you need to do to track it is keep a local clone of that repository and symlink its auxiliary and exploit module directory structures into your local $HOME/.msf4 directory, and Metasploit will pick them up immediately. After all, who am I to be the sole arbiter of what's worthy of a Metasploit module?
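The clone-and-symlink setup described above, as an added shell example that is not part of the post or of the WPSploit project itself. It assumes the clone has top-level `auxiliary` and `exploits` module trees (a `modules/auxiliary`, `modules/exploits` layout is accepted too) and that Metasploit reads user modules from `$HOME/.msf4/modules/<type>/`, which is the standard user module path; the repository URL in the usage comment is a placeholder, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the post or the WPSploit project): keep a local clone
# of a side-repository of Metasploit modules and symlink its module trees into
# $HOME/.msf4/modules so msfconsole loads them alongside the built-in modules.
# Assumptions: the clone has "auxiliary" and "exploits" directories at its top
# level (or under "modules/"), and Metasploit's user module path is
# $HOME/.msf4/modules/<type>/. Adjust the paths if your layout differs.

# link_side_modules <clone-dir> [msf4-dir]
# Creates <msf4-dir>/modules/{auxiliary,exploits}/<clone-name> -> <clone-dir>/<type>
# Returns 0 on success, 1 if the clone or one of its module trees is missing,
# or if a real (non-symlink) directory already occupies the link path.
link_side_modules() {
    clone_dir=$1
    msf4_dir=${2:-"$HOME/.msf4"}
    [ -d "$clone_dir" ] || { echo "no such clone: $clone_dir" >&2; return 1; }
    name=$(basename "$clone_dir")
    for type in auxiliary exploits; do
        # Accept either <clone>/<type> or <clone>/modules/<type> layouts.
        if [ -d "$clone_dir/$type" ]; then
            src="$clone_dir/$type"
        elif [ -d "$clone_dir/modules/$type" ]; then
            src="$clone_dir/modules/$type"
        else
            echo "no $type tree in $clone_dir" >&2
            return 1
        fi
        dest_dir="$msf4_dir/modules/$type"
        mkdir -p "$dest_dir"
        link="$dest_dir/$name"
        # Never clobber a real directory of your own modules; only replace a stale symlink.
        if [ -e "$link" ] && [ ! -L "$link" ]; then
            echo "$link exists and is not a symlink; leaving it alone" >&2
            return 1
        fi
        [ -L "$link" ] && rm "$link"
        ln -s "$src" "$link"
    done
    return 0
}

# count_linked_modules <msf4-dir> <clone-name>
# Sanity check after linking: number of .rb module files reachable through the symlinks.
count_linked_modules() {
    find -L "$1/modules/auxiliary/$2" "$1/modules/exploits/$2" -name '*.rb' 2>/dev/null \
        | wc -l | tr -d ' '
}

# Typical use: clone once, link once, then "git pull" inside the clone to track updates;
# the symlinks keep pointing at the refreshed trees. (Placeholder URL, not from the post.)
#   git clone <WPSploit repository URL> "$HOME/src/wpsploit"
#   link_side_modules "$HOME/src/wpsploit"
#   count_linked_modules "$HOME/.msf4" wpsploit
```

After linking, a `reload_all` in msfconsole (or a fresh start) is enough to see the side-repository's modules under their own `auxiliary/wpsploit/...` and `exploits/wpsploit/...` paths; because the links point at the clone, a `git pull` there updates what Metasploit loads without touching the framework checkout.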

This development over the last couple weeks illustrates the ease of forking and maintaining a customized build out of Metasploit Framework. After all, we have a permissive, open license, and given the collaborative power of GitHub, pretty much anyone with an interest can start building out their own sub-communities of exploit development. Yeah, that open source model is pretty powerful stuff, and WPSploit is already up to 18 additional modules.

Naturally, given the third of our three-clause license, Rapid7 neither endorses nor promotes the use of this (or any other) side-repository of Metasploit modules, but I'm happy to let you know that it exists and that I'm happy about it.

Another Round of Flash Exploits

On the other side of the browser connection, we also have four new client-side Flash exploits contributed by our own Juan Vazquez, half of which were based on the research work of hdarwin89. This has been an area of interest for a while for Juan, especially given that there are more than a couple black market exploit kits that include a number of Flash exploits. Now that he's wrapped up the server side Java Remote Management Interface research, presented at last month's InfoSec SouthWest, Juan has dived head first into Flash exploitation research and development in order to better simulate the world of Internet crime.

Want to Help?

If you're the sort of person who reads this blog regularly, wants to help out, and lives in Austin, Texas, USA (or can get here quickly), we have an internship open for working on the Metasploit family of products. Don't worry, all of Rapid7's internships are paid, and in fact, the last intern we picked up for Framework, William Vu, turned out to be an amazing new permanent hire, and is a huge reason why Metasploit Framework is now in the top ten of all GitHub-hosted Ruby projects. So, this is definitely not a boring, go-get-me-coffee-and-then-do-all-this-horrible-gruntwork kind of internship; a successful applicant has every opportunity to make a name for themselves here on the forefront of open source, openly developed security software. For more details on the requirements, see the official job description here. And hey, I'd be happy to review your resume if you'd like. Hit me up on Twitter.

New Modules

Right, so like I said at the top, it's been about a month since the last Weekly Wrapup, so there are more than the usual on the "new" module list -- thirty-nine, to be precise, including the above-mentioned WordPress and Flash modules. Other highlights include a denial of service module for the much-ballyhooed HTTP.sys overflow (use with care, for you will bluescreen if successful!), a local exploit for the Apple OSX "rootpipe" bug (a patch for which was not backported to older versions of OSX), and a couple SOHO router/DOCSIS modem exploits.

You can check the release notes for the last three Metasploit Pro and Community updates over here.

Exploit modules

Auxiliary and post modules