Metasploit Framework v3.0 Alpha Release 1
The Metasploit staff is proud to present the first alpha release of the
3.0 branch of the Metasploit Framework. This release marks a major
milestone in the evolution of the Metasploit Framework and is based on a
complete rewrite of the 2.x series.
The 3.0 branch is designed to provide automation capabilities at every
stage of the discovery and exploitation process. Nearly every component
of the framework can be extended, hooked, and automated, allowing for
streamlined penetration testing and tight integration with third-party
products. Unlike the 2.0 series, the 3.0 branch is written in Ruby, an
object-oriented, interpreted scripting language, that has drastically
simplified the implementation of the framework.
This release includes 44 exploits, 76 payloads, 7 encoders, 2 nops, and 2
recon modules. The supported platforms are Linux , Mac OS X, and most
BSDs. The framework requires version 1.8.1 or newer of the Ruby
interpreter. Windows is not supported at this time, either through Cygwin
or the native build. Mac OS X users will need to install Ruby from source
(or an OSS package manager) due to a build error in the version of Ruby
supplied with Mac OS 10.4.
The latest 3.0 code, developer documentation, and general information can
be found online at the following location:
- http://metasploit.com/projects/Framework/msf3/
This is an *alpha release*, expect things to break, crash, and generally
not work very well. This version is being released to gather feedback
from the community and to weed out the major bugs before entering the
true beta period. There are many features that have not been completely
implemented at this point and there are still some edges that will need
to be smoothed out prior to the final release. A few major features are
not implemented, including msfweb's exploit mode, some levels of session
interaction, and the more user-friendly scripting APIs.
Bugs can be submitted to msfdev[at]metasploit.com, or by subscribing to
the framework-beta mailing list. To subscribe, send a blank email to
framework-beta-subscribe[at]metasploit.com.
To demonstrate how the 3.0 branch has simplified exploit development,
check out the following code sample, which provides the exploit body for
the 3Com 3CDaemon 2.0 FTP Username Overflow (3cdaemon_ftp_user.rb):
--- connect print_status("Trying target #{target.name}...") buf =
Rex::Text.rand_text_english(2048, payload_badchars) seh =
generate_seh_payload(target.ret) buf[229, seh.length] = seh
send_cmd( ['USER', buf] , false ) disconnect handler ---
This release includes many new features that are not present in the 2.x
series. The highlights are presented below:
[ The Metasploit Console Interface ]
The msfconsole interface in version 3.0 is similar to the 2.x series,
however the available command set and interaction options have been
dramatically extended.
* Backgrounded exploits -- It's now possible to execute an exploit in the
background. This means you can have an exploit that triggers a passive
vulnerability (such as a browser bug, a sniffer exploit, etc) while
performing other tasks. Each successful exploit attempt will show up in
the list of active sessions, any of which can be accessed at any time.
* Multi-session exploits -- Unlike the 2.x series, the 3.0 branch is
capable of creating multiple sessions from a single exploit. This is
especially useful in the context of passive exploits that can have
multiple clients connecting.
* Multiple concurrent sessions -- It is possible to have more than one
active session established. An active session can sent to the background
through the ^Z sequence.
* IRB mode -- The console interface supports dropping into a Ruby
scripting interface that allows direct interactation with the framework
instance. This makes it possible to do low-level interaction with
sessions and framework modules.
[ The Meterpreter Payload ]
The Meterpreter payload has been extended and refined for the 3.0 branch.
The underlying architecture and design remains the same, but the feature
set and interface has been greatly enhanced to not only make scripting
the post-exploitation process possible but to also increase the level of
functionality. Instead of having separate modules for each of the major
subsystems (Fs, Process, Net, Sys), the 3.0 Meterpreter has merged all of
these common elements into one extension called Stdapi (short for the
Standard API). This API provides access to the file system, registry,
network, threads, processes, user interface, and much more. Some of the
cooler features of the new version of Meterpreter include:
* In-memory process migration -- This feature makes it possible to migrate
the Meterpreter server instance to a completely different process, such
as a system service like lsass.exe, without having to establish a new
connection. Migrating to a privileged process has the added benefit of
making the server impossible to kill without taking down the whole
machine.
* Disabling user keyboard and mouse input -- This feature makes it
possible to prevent local keyboard and mouse input. Useful in certain
situations :-)
* SAM database hash retrieval -- The SAM Juicer extension, written by
Vinnie Liu, has been integrated into a privilege escalation extension
known as 'priv'. The current version allows 'pwdump'-style password hash
retrieval, without the requirement of writing a DLL to the disk. In the
future, this extension will provide local privilege escalation exploits.
* Advanced process manipulation -- The 3.0 Meterpreter has extensive
support for interacting with processes in terms of loading and unloading
DLLs; reading, writing, querying, allocating, and freeing memory;
opening, creating, closing, terminating, suspending, querying, and
modifying threads; writing, and reading standard input output, and so on.
* IRB mode -- This feature is especially cool for all of the scripters out
there. It allows a user to drop into an interactive Ruby shell that can
be used to access the Meterpreter instance at the scripting level. This
can be very useful because the scripting level features are far more
powerful and than the standard user-interface. For example, the IRB mode
can be used to search and replace strings in the virtual memory of any
accessible remote process.
* Network pivoting -- Similar to certain commercial products, the 3.0
branch supports seamless attack pivoting. The Meterpreter automatically
provides a pivoting point to be used with the 'route' command in the
console interface. Although pivoting was possible with the 2.x series,
the level of integration was simply not there for effective
island-hopping attacks.
[ The Opcode Database Command Line Interface ]
The 3.0 version of the Metasploit Framework comes with a command line
interface to the Metasploit Opcode Database. This can be used instead of
the web-based wizard to easily search for portable opcode addresses. The
interface is provided through the msfopcode command which is found in the
root directory of the installation. This interface is merely a front-end
to a the Rex::Exploitation::OpcodeDb::Client class interface that
interfaces with a HTTP-based XML protocol running on the Metasploit.com
web-server. More information about this component can be found at the
following URL:
- http://metasploit.com/projects/Framework/msf3/msfopcode.html
Enjoy!
- The Metasploit Framework Development Team