[framework] Metasploit 3 Updates
H D Moore
hdm at metasploit.com
Tue Apr 24 01:53:24 CDT 2007
Lots of updates tonight, especially for users of 3.0-current.
First off, the Auxiliary/Scanner modules have been overhauled. A new
option is available (THREADS) that determines how many concurrent tests
are performed at once. Modules that export run_host() can now test
multiple systems at the same time, without resorting to run_batch() and
their own threading model. I ported the smb/version, mssql/login, and
added http/version along with http/writable (based on Kashif's code).
These modules should serve as a style guide for anyone who wants to
write a metasploit3-based scanning module.
Quick links:
http://metasploit.com/svn/framework3/trunk/modules/auxiliary/scanner/smb/version.rb
http://metasploit.com/svn/framework3/trunk/modules/auxiliary/scanner/http/version.rb
http://metasploit.com/svn/framework3/trunk/modules/auxiliary/scanner/http/writable.rb
http://metasploit.com/svn/framework3/trunk/modules/auxiliary/scanner/mssql/mssql_login.rb
Auxiliary/Scanner modules can now use almost all exploit mixins, even in
threaded mode, without ill side effects. This was accomplished by
wrapping common accessors with a thread-specific hash access inside the
scanner mixin. Neat hack to allow multiple concurrent threads inside the
same module instance :-)
The TCP mixin now provides a new advanced option (ConnectTimeout), this
can be used to override the default TCP timeout for connection attempts
and massively speeds up TCP-based scanner modules. Set this to a value
between 1 and 5, along with a THREADS value > 100 to get a wicked fast
scanner/port sweeper.
The String, Raw, and AddressRange option types now support file: prefixes
for loading data from a file. This means you can use Kashif's
http/writable module, set the DATA option to be a local ASP file, set the
PATH option to be /pwned.asp, and mass-pwn vulnerable web servers in a
single step :-) The syntax for this is always file:<PATH>, regardless of
the operating system. In the case of Windows, this will be
file:C:\\some\\file.txt (need double backslashes to escape the shell) and
on Unix this will be file:/home/user/some/file.txt.
A number of bugs were fixed (meterpreter), a couple of new exploits were
added by MC (ipswitch_wug_maincfgret, windvd7_applicationtype), the
socket API was cleaned up a little, and Fabrice's latest MSFGUI changes
were merged into the stable tree.
One notable thing missing from this patch is any kind of
Auxiliary/Reporting use. I need a few days to clean up the API and define
what actually goes into all of those fields. Once that gets figured out,
expect some neat automated reporting and information dumps based on the
database plugins and the variables tracking/auxiliary modules ;-)
Enjoy!
-HD
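The scanner pattern the post describes, as an added example that is not part of the original mail and not Metasploit's own code: a module exports run_host(ip), a driver calls it for THREADS hosts at once from a single module instance, the rhost/rport accessors are wrapped in a per-thread hash so concurrent calls do not overwrite each other, and connect() honours a ConnectTimeout. The class and method names (ThreadSafeAccessors, HttpVersionScanner, thread_state, demo), the constructed local HTTP server and the 10.0.0.x addresses are all assumptions made for this illustration; they do not reproduce the framework's Auxiliary::Scanner mixin or its datastore API.

```ruby
require 'socket'

# Added example, not Metasploit code: a reconstruction of the scanner pattern
# the post describes. A module exports run_host(ip); run() calls it for THREADS
# hosts at once from one module instance; accessors such as rhost are wrapped in
# a per-thread hash so concurrent calls do not clobber each other; connect()
# honours ConnectTimeout. Every name here is illustrative, not the framework's.
module ThreadSafeAccessors
  # One state hash per thread, keyed by Thread.current.
  def thread_state
    @thread_state_lock.synchronize { @thread_state[Thread.current] ||= {} }
  end

  def rhost;     thread_state[:rhost];     end
  def rhost=(v); thread_state[:rhost] = v; end
  def rport;     thread_state[:rport] || datastore['RPORT'].to_i; end
end

class HttpVersionScanner
  include ThreadSafeAccessors
  attr_reader :datastore, :results

  def initialize(opts = {})
    @datastore = { 'THREADS' => 1, 'RPORT' => 80, 'ConnectTimeout' => 5 }.merge(opts)
    @thread_state, @thread_state_lock = {}, Mutex.new
    @results,      @results_lock      = {}, Mutex.new
  end

  # THREADS workers drain a host queue, each calling run_host() per host.
  def run(hosts)
    queue = Queue.new
    hosts.each { |h| queue << h }
    workers = Array.new([datastore['THREADS'].to_i, 1].max) do
      Thread.new do
        while (ip = (queue.pop(true) rescue nil))  # non-blocking pop; nil once drained
          self.rhost = ip
          run_host(ip)
        end
      end
    end
    workers.each(&:join)
    results
  end

  # TCP connect bounded by ConnectTimeout seconds (Errno::ETIMEDOUT on expiry).
  def connect
    Socket.tcp(rhost, rport, connect_timeout: datastore['ConnectTimeout'].to_f)
  end

  # Per-host test: send a HEAD request and record the Server header.
  def run_host(ip)
    sock = connect
    sock.write("HEAD / HTTP/1.0\r\nHost: #{ip}\r\n\r\n")
    headers = sock.each_line.take_while { |l| l.chomp != '' }.map(&:chomp)
    server  = headers.grep(/\AServer:/i).first
    report(ip, server ? server.sub(/\AServer:\s*/i, '') : 'unknown')
  rescue SystemCallError, SocketError, IOError => e  # refused, timed out, reset ...
    report(ip, "error: #{e.class}")
  ensure
    sock.close if sock
  end

  def report(ip, value)
    @results_lock.synchronize { @results[ip] = value }
  end
end

# Two threads in one instance each set rhost and read back their own value.
def accessor_isolation_check
  scanner = HttpVersionScanner.new
  seen = Queue.new
  %w[10.0.0.1 10.0.0.2].map do |ip|
    Thread.new { scanner.rhost = ip; sleep 0.05; seen << [ip, scanner.rhost] }
  end.each(&:join)
  Array.new(2) { seen.pop }.sort
end

# Stand-alone demo against a constructed local server; no live network needed.
def demo
  server = TCPServer.new('127.0.0.1', 0)
  serving = Thread.new do                                  # answer one request
    c = server.accept
    while (l = c.gets) && l.chomp != ''; end               # drain the headers
    c.write("HTTP/1.0 200 OK\r\nServer: Example-Server/1.0\r\n\r\n")
    c.close
  end
  closed = Socket.new(:INET, :STREAM)                      # bound but never
  closed.bind(Addrinfo.tcp('127.0.0.1', 0))                # listened: refused
  up   = HttpVersionScanner.new('RPORT' => server.addr[1], 'THREADS' => 4).run(['127.0.0.1'])
  down = HttpVersionScanner.new('RPORT' => closed.local_address.ip_port,
                                'THREADS' => 4, 'ConnectTimeout' => 2).run(['127.0.0.1'])
  [up, down]
ensure
  server&.close
  closed&.close
  serving&.join(1)
end

puts demo.inspect, accessor_isolation_check.inspect if $0 == __FILE__
```

The thread-keyed hash is the whole trick: run_host() reads rhost through an accessor, so a dozen workers can share one object without stepping on each other's target. With a ConnectTimeout of a second or two, a refused or silent port costs a worker at most that long, which is what lets a high THREADS value turn a banner grabber into a fast sweep.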