Spring has come again to Austin, TX, home of the Rapid7 Metasploit team. While the season here brings pollen and allergies, it also brings fields full of bluebonnets and folks taking pictures before they all disappear. Let's celebrate by looking at what's popped up in Metasploit this week.
New Data Model
Last week, we landed the beginning of a new backend service for Metasploit, dubbed 'Goliath', which creates a new abstraction between Metasploit Framework and how it interacts with the database. Traditionally, Metasploit has used a Ruby library called Active Record to provide an Object-Relational model to one of several backend databases (PostgreSQL today, but SQLite and MySQL were supported in the past). Active Record is a fairly standard way of accessing databases with Ruby, but as implemented in Metasploit, it has a number of limitations:
- Large-scale data storage and retrieval is slow. Often, database transactions are limited by the speed of Ruby.
- Multiple users, especially across multiple machines, are not able to share data easily or efficiently.
- Data is difficult and fragile to access from other languages or tools.
- It is difficult to store unstructured data in a useful way, so modules resort to saving files instead.
- Data is highly relational, further slowing data access. Queries can span a half-dozen tables or more.
- It is difficult for non-experts to approach or contribute to the data model code.
To address the first three problems, Goliath performs all of the database interactions in a new standalone service. This service performs all of the searching, storing, and updating of data in a separate process, freeing Metasploit Framework to do other things. Since Ruby does not take advantage of multiple CPUs very well, having a separate process also improves overall performance, with the initial implementation running 30% faster than Metasploit 4. The interface to Goliath is structured as a familiar REST API, which is makes it simple to access from other tools or languages.
The code in the tree currently just adds the initial backend service, and converts about half of the basic data types (hosts, services, etc.) in Metasploit to work with the new service. More conversion work is underway, and during that time, the original 'local database' model also remains in place. Once all of the data model is converted to run in the new service, we will start reworking the data model itself to better suit the needs of modules.
There is a lot of additional work to be done in the near future, but you can read more on the design and roadmap here.
The Rapid7 Metsaploit team is on the move. This week marks the beginning of Rapid7's transition from our old office in North-West Austin to a spot directly downtown in the iconic Frost Bank tower. The IT gear is all packed up for the move, and as a result, some tests and build services will be temporarily unavailable. But the move will help the team grow along with all of the other Rapid7 teams in the Austin office.
The Metasploit team is looking for a pair of talented new junior developers to work from the new office as well. We have roles for a security researcher, software engineer, product manager, and more. If you're looking to get your feet wet with a great team working on some amazing offensive security projects, give the Metasploit team a try.
A lot of great modules landed this week, and there are many more in the queue.
Here is a sampling of a few:
Exploit modules (5 new)
- ClipBucket beats_uploader Unauthenticated Arbitrary File Upload by Touhid M.Shaikh and www.sec-consult.com
- Joomla Component Fields SQLi Remote Code Execution by Mateus Lino and luisco100, which exploits CVE-2017-8917
- Exodus Wallet (ElectronJS Framework) remote Code Execution by Daniel Teixeira and Wflki, which exploits CVE-2018-1000006
- GitStack Unsanitized Argument RCE by Jacob Robles and Kacper Szurek, which exploits CVE-2018-5955
- ManageEngine Applications Manager Remote Code Execution by Mehmet Ince, which exploits CVE-2018-7890
Auxiliary and post modules (1 new)
- Etcd Keys API Information Gathering by Giovanni Collazo and h00die
In addition to the Goliath database project above, Metasploit also made popular modules targeting MS17-010 and Jenkins easier and more reliable to use. If you are a Komand user, definitely check out the new Metasploit Komand plugin. We are especially looking for feedback on how this integration helps your workflows, and you can look forward to other Metasploit-Komand integrations in the future.
- Remote data service "Goliath" by Chris Lee, James Barnett, and Matthew Kienow
- Ruby 2.5 support by Brent Cook
- Error Handling with Android Screenshots by Tim Wright
- Komand Automation Plugin by Mike Rinehart
- MS17-010 Exploit Improvements: Automatic Pipe Auditing and ARM WinRT Support by zerosum0x0, auxilus, and William Vu
- Powershell Support for jenkins_xstream_deserialize by attackdebris
As always, you can update to the latest Metasploit Framework with
and you can get more details on the changes since the last blog post from
To install fresh, check out the open-source-only Nightly Installers, or the binary installers which also include the commercial editions. PLEASE NOTE that these installers, and Metasploit Framework versions included in distros such as Kali, Parrot, etc., are based off the stable Metasploit 4 branch. If you'd like to try out the newer things going into Metasploit 5, that work is available in the master branch of the Metasploit Framework repo on GitHub.