Home page logo
/

bugtraq logo Bugtraq mailing list archives

Metasploit Framework v3.0 Alpha Release 1
From: H D Moore <sflist () digitaloffense net>
Date: Thu, 15 Dec 2005 01:58:18 -0600

The Metasploit staff is proud to present the first alpha release of the 
3.0 branch of the Metasploit Framework. This release marks a major 
milestone in the evolution of the Metasploit Framework and is based on a 
complete rewrite of the 2.x series.

The 3.0 branch is designed to provide automation capabilities at every 
stage of the discovery and exploitation process. Nearly every component 
of the framework can be extended, hooked, and automated, allowing for 
streamlined penetration testing and tight integration with third-party 
products. Unlike the 2.0 series, the 3.0 branch is written in Ruby, an 
object-oriented, interpreted scripting language, that has drastically 
simplified the implementation of the framework.

This release includes 44 exploits, 76 payloads, 7 encoders, 2 nops, and 2 
recon modules. The supported platforms are Linux , Mac OS X, and most 
BSDs. The framework requires version 1.8.1 or newer of the Ruby 
interpreter. Windows is not supported at this time, either through Cygwin 
or the native build. Mac OS X users will need to install Ruby from source 
(or an OSS package manager) due to a build error in the version of Ruby 
supplied with Mac OS 10.4.

The latest 3.0 code, developer documentation, and general information can 
be found online at the following location:
 - http://metasploit.com/projects/Framework/msf3/

This is an *alpha release*, expect things to break, crash, and generally 
not work very well. This version is being released to gather feedback 
from the community and to weed out the major bugs before entering the 
true beta period. There are many features that have not been completely 
implemented at this point and there are still some edges that will need 
to be smoothed out prior to the final release. A few major features are 
not implemented, including msfweb's exploit mode, some levels of session 
interaction, and the more user-friendly scripting APIs.

Bugs can be submitted to msfdev[at]metasploit.com, or by subscribing to 
the framework-beta mailing list. To subscribe, send a blank email to 
framework-beta-subscribe[at]metasploit.com.

To demonstrate how the 3.0 branch has simplified exploit development, 
check out the following code sample, which provides the exploit body for 
the 3Com 3CDaemon 2.0 FTP Username Overflow (3cdaemon_ftp_user.rb):

--- connect print_status("Trying target #{target.name}...") buf = 
Rex::Text.rand_text_english(2048, payload_badchars) seh = 
generate_seh_payload(target.ret) buf[229, seh.length] = seh 
send_cmd( ['USER', buf] , false ) disconnect handler ---

This release includes many new features that are not present in the 2.x 
series. The highlights are presented below:

[ The Metasploit Console Interface ]

The msfconsole interface in version 3.0 is similar to the 2.x series, 
however the available command set and interaction options have been 
dramatically extended.

* Backgrounded exploits -- It's now possible to execute an exploit in the 
background. This means you can have an exploit that triggers a passive 
vulnerability (such as a browser bug, a sniffer exploit, etc) while 
performing other tasks. Each successful exploit attempt will show up in 
the list of active sessions, any of which can be accessed at any time.

* Multi-session exploits -- Unlike the 2.x series, the 3.0 branch is 
capable of creating multiple sessions from a single exploit. This is 
especially useful in the context of passive exploits that can have 
multiple clients connecting.

* Multiple concurrent sessions -- It is possible to have more than one 
active session established. An active session can sent to the background 
through the ^Z sequence.

* IRB mode -- The console interface supports dropping into a Ruby 
scripting interface that allows direct interactation with the framework 
instance. This makes it possible to do low-level interaction with 
sessions and framework modules.

[ The Meterpreter Payload ]

The Meterpreter payload has been extended and refined for the 3.0 branch. 
The underlying architecture and design remains the same, but the feature 
set and interface has been greatly enhanced to not only make scripting 
the post-exploitation process possible but to also increase the level of 
functionality. Instead of having separate modules for each of the major 
subsystems (Fs, Process, Net, Sys), the 3.0 Meterpreter has merged all of 
these common elements into one extension called Stdapi (short for the 
Standard API). This API provides access to the file system, registry, 
network, threads, processes, user interface, and much more. Some of the 
cooler features of the new version of Meterpreter include:

* In-memory process migration -- This feature makes it possible to migrate 
the Meterpreter server instance to a completely different process, such 
as a system service like lsass.exe, without having to establish a new 
connection. Migrating to a privileged process has the added benefit of 
making the server impossible to kill without taking down the whole 
machine.

* Disabling user keyboard and mouse input -- This feature makes it 
possible to prevent local keyboard and mouse input. Useful in certain 
situations :-)

* SAM database hash retrieval -- The SAM Juicer extension, written by 
Vinnie Liu, has been integrated into a privilege escalation extension 
known as 'priv'. The current version allows 'pwdump'-style password hash 
retrieval, without the requirement of writing a DLL to the disk. In the 
future, this extension will provide local privilege escalation exploits.

* Advanced process manipulation -- The 3.0 Meterpreter has extensive 
support for interacting with processes in terms of loading and unloading 
DLLs; reading, writing, querying, allocating, and freeing memory; 
opening, creating, closing, terminating, suspending, querying, and 
modifying threads; writing, and reading standard input output, and so on.

* IRB mode -- This feature is especially cool for all of the scripters out 
there. It allows a user to drop into an interactive Ruby shell that can 
be used to access the Meterpreter instance at the scripting level. This 
can be very useful because the scripting level features are far more 
powerful and than the standard user-interface. For example, the IRB mode 
can be used to search and replace strings in the virtual memory of any 
accessible remote process.

* Network pivoting -- Similar to certain commercial products, the 3.0 
branch supports seamless attack pivoting. The Meterpreter automatically 
provides a pivoting point to be used with the 'route' command in the 
console interface. Although pivoting was possible with the 2.x series, 
the level of integration was simply not there for effective 
island-hopping attacks.

[ The Opcode Database Command Line Interface ]

The 3.0 version of the Metasploit Framework comes with a command line 
interface to the Metasploit Opcode Database. This can be used instead of 
the web-based wizard to easily search for portable opcode addresses. The 
interface is provided through the msfopcode command which is found in the 
root directory of the installation. This interface is merely a front-end 
to a the Rex::Exploitation::OpcodeDb::Client class interface that 
interfaces with a HTTP-based XML protocol running on the Metasploit.com 
web-server. More information about this component can be found at the 
following URL: 
- http://metasploit.com/projects/Framework/msf3/msfopcode.html

Enjoy!

- The Metasploit Framework Development Team


  By Date           By Thread  

Current thread:
  • Metasploit Framework v3.0 Alpha Release 1 H D Moore (Dec 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]