Greetings, fellow citizens of the Internet. It's time for your favorite blog post and mine, the Metasploit Weekly Wrapup.
So Many Repos
If you've been following along with Metasploit Framework development, you may have noticed that we have more than a couple repositories for committing code. I wanted to take a moment today to outline which of the 84 public repos under the Rapid7 GitHub account you, the intrepid open source contributor, are most likely to care about:
- Meterpreter: This is the flagship command shell interpreter, and is usually the payload you want for any given exploit delivered by Metasploit. There's a ton of activity in there on making life even better for you offensive security types.
- Meterpreter-deps: Chunks of code that Meterpreter depends on to be built. This doesn't ship with Meterpreter directly, but is used to build it.
- Metasploit-payloads: This is where the build artifacts for the Windows and POSIX meterpreters live now, and where the rest of the Meterpreter payloads are headed. It intends to replace the old meterpreter_bins repository, and if we ever get into the business of compiled payloads that aren't Meterpreter, they'll likely show up here. All one happy persistent shell family.
- Metasploit-credential: Metasploit-credential is responsible for most of the back-end logic around how authentication works. It's been shipping for nearly a year, and many - but not all - of the most popular bruteforce modules rely on it to track usernames, passwords, realms, tokens, and how they all interrelate.
- Metasploit_data_models: This gem handles all the database and ActiveRecord components of Metasploit, and provides the means to treat Metasploit as a Rails Engine - see the link for more on what Rails Engines provide for other Rails-based applications. If you're a Rails-ish developer and want to integrate Metasploit-flavored things in your web application, you'll want to start here to get a sense of how it all works.
- Metasploit-model: This is the pixie dust that lets metasploit_data_models and metasploit-framework actually function together in the ways you'd expect.
- Metasploit-concern: This allows for using ActiveSupport::Concerns in Metasploit-based applications. They're all the rage in Rails land, and tend to make the syntax of some functions a lot easier to read and understand. You're invited to read this writeup from DHH on why Concerns are good for your Rails applications, and then deconvince yourself about their usefulness with Corey Haines' blog post on why he doesn't use ActiveSupport::Concern.
- Recog: Recog is a stand-alone project that abstracts out all the logic needed to make fingerprinting calls on services and hosts. It's used by both Metasploit and Nexpose, and if you're in the remote identification business and like working in Ruby, you'll definitely want to check it out.
While far from inclusive of the several dozen repos, this should be enough to get you started if you happen to be looking for projects related to Metasploit that you want to make your mark on.
Now, with all these gems, we're still working out a decent, contributor-friendly way to manage the various feature requests and bug reports involving these repositories. On the one hand, most people today only notice bugs or come up with enhancement ideas when using Metasploit Framework or Metasploit Pro proper, and simply report against those projects. This is how we handle things today, and it seems okay. After all, if you're running into an issue with metasploit-credential, you're almost certainly using normal, everyday Metasploit.
On the other hand, these are for real, stand-alone repositories that do not technically require Metasploit Framework to function, and could come up for use in someone else's Rails-based application. As such, they may be deserving of their own issue trackers, which they have today, even though they are rarely used. Actually embracing this, though, means slightly more accounting overhead when we want to find out how much "work" has gone into "Metasploit," and how much there is left to do. It also tends to require more sophistication on the part of the user to figure out where a bug "really" is, and many, many Metasploit users are not professional Ruby developers.
So, if you happen to know of a good, open-source, multi-repository methodology to track changes and measure things like developer velocity and technical debt that doesn't require a master's degree in Jive Mechanics, please tweet it at @metasploit. Getting a handle on the true labor investment the open source community is contributing to Metasploit is a subject near and dear to my heart, mainly because I know we wouldn't be anywhere without you all. The Metasploit community is kind of a huge open source success story, after all. We have over 3,800 forks today, which puts us in the top one hundred GitHub projects running, and I'm always interested in how to keep telling that story so that not only do we get better at producing quality software, but so that other open source projects can replicate our success.
The Metasploit T-Shirt Contest
In non-code news, the Metasploit T-Shirt Design Contest has one more week to go. You can sign up over at 99Designs, and as of this moment, we have 106 designs submitted. There are already some pretty rockin' designs in there, so competition is stiff. If you're of a graphic design bent, and want to completely blow the cover of thousands of onsite penetration testers, then maybe take this upcoming holiday weekend to scribble something amazing.
You're welcome to inspect the entire diff from the last Wrapup blog post by popping over to this compare view. The high points for the last couple weeks have all been around the incremental fixes to Meterpreter - the work from OJ and Brent accounts for about 28% of the total commits since May 6. If you haven't messed around with Meterpreter lately, now is a fine time to jump in - see the repos mentioned above to get started. The projects compile cleanly, the codebase is mostly sane, and we're rocketing forward with making Meterpreter even more stable, useful, and pleasant to both work on and with.
In module land, we have ten new modules, three of which target F5 Networks gear. Thanks to Denis Kolegov for seeing those auxiliary modules through!
Exploit modules
- SixApart MovableType Storable Perl Code Execution by John Lightsey exploits CVE-2015-1592
- WordPress RevSlider File Upload and Execute Vulnerability by Simo Ben youssef and Tom Sellers exploits OSVDB-115118
- Adobe Flash Player domainMemory ByteArray Use After Free by juan vazquez, Unknown, bilou, and hdarwin exploits CVE-2015-0359
Auxiliary and post modules
- F5 BigIP Access Policy Manager Session Exhaustion Denial of Service by Denis Kolegov, Nikita Oleksov, and Oleg Broslavsky
- F5 BigIP HTTP Virtual Server Scanner by Denis Kolegov, Nikita Oleksov, and Oleg Broslavsky
- F5 Networks Devices Management Interface Scanner by Denis Kolegov, Nikita Oleksov, and Oleg Broslavsky
- InfluxDB Enum Utility by Roberto Soares Espreto
- HTTP HTML Title Tag Content Grabber by Stuart Morgan
- Brocade Enable Login Check Scanner by h00die exploits CVE-1999-0502