The Metasploit staff is proud to present the first alpha release of the 3.0 branch of the Metasploit Framework. This release marks a major milestone in the evolution of the Metasploit Framework and is based on a complete rewrite of the 2.x series. The 3.0 branch is designed to provide automation capabilities at every stage of the discovery and exploitation process. Nearly every component of the framework can be extended, hooked, and automated, allowing for streamlined penetration testing and tight integration with third-party products. Unlike the 2.0 series, the 3.0 branch is written in Ruby, an object-oriented, interpreted scripting language that has drastically simplified the implementation of the framework.

This release includes 44 exploits, 76 payloads, 7 encoders, 2 nops, and 2 recon modules. The supported platforms are Linux, Mac OS X, and most BSDs. The framework requires version 1.8.1 or newer of the Ruby interpreter. Windows is not supported at this time, either through Cygwin or the native build. Mac OS X users will need to install Ruby from source (or an OSS package manager) due to a build error in the version of Ruby supplied with Mac OS 10.4.

The latest 3.0 code, developer documentation, and general information can be found online at the following location:

 - http://metasploit.com/projects/Framework/msf3/

This is an *alpha release*; expect things to break, crash, and generally not work very well. This version is being released to gather feedback from the community and to weed out the major bugs before entering the true beta period. There are many features that have not been completely implemented at this point, and there are still some edges that will need to be smoothed out prior to the final release. A few major features are not implemented, including msfweb's exploit mode, some levels of session interaction, and the more user-friendly scripting APIs.
Bugs can be submitted to msfdev[at]metasploit.com, or by subscribing to the framework-beta mailing list. To subscribe, send a blank email to framework-beta-subscribe[at]metasploit.com.

To demonstrate how the 3.0 branch has simplified exploit development, check out the following code sample, which provides the exploit body for the 3Com 3CDaemon 2.0 FTP Username Overflow (3cdaemon_ftp_user.rb):

---
    # Open the TCP connection to the FTP service (mixin-provided)
    connect

    print_status("Trying target #{target.name}...")

    # Filler text that avoids the payload's bad characters
    buf = Rex::Text.rand_text_english(2048, payload_badchars)
    # SEH-style payload built for the selected target's return address
    seh = generate_seh_payload(target.ret)
    buf[229, seh.length] = seh

    # Send the oversized username without waiting for a response
    send_cmd( ['USER', buf] , false )

    disconnect
    # Hand off to the payload handler to pick up any new session
    handler
---

This release includes many new features that are not present in the 2.x series. The highlights are presented below:

[ The Metasploit Console Interface ]

The msfconsole interface in version 3.0 is similar to the 2.x series; however, the available command set and interaction options have been dramatically extended.

 * Backgrounded exploits -- It's now possible to execute an exploit in the background. This means you can have an exploit that triggers a passive vulnerability (such as a browser bug, a sniffer exploit, etc.) while performing other tasks. Each successful exploit attempt will show up in the list of active sessions, any of which can be accessed at any time.

 * Multi-session exploits -- Unlike the 2.x series, the 3.0 branch is capable of creating multiple sessions from a single exploit. This is especially useful in the context of passive exploits that can have multiple clients connecting.

 * Multiple concurrent sessions -- It is possible to have more than one active session established. An active session can be sent to the background through the ^Z sequence.

 * IRB mode -- The console interface supports dropping into a Ruby scripting interface that allows direct interaction with the framework instance. This makes it possible to do low-level interaction with sessions and framework modules.
[ The Meterpreter Payload ]

The Meterpreter payload has been extended and refined for the 3.0 branch. The underlying architecture and design remain the same, but the feature set and interface have been greatly enhanced, not only to make scripting the post-exploitation process possible but also to increase the level of functionality. Instead of having separate modules for each of the major subsystems (Fs, Process, Net, Sys), the 3.0 Meterpreter has merged all of these common elements into one extension called Stdapi (short for the Standard API). This API provides access to the file system, registry, network, threads, processes, user interface, and much more.

Some of the cooler features of the new version of Meterpreter include:

 * In-memory process migration -- This feature makes it possible to migrate the Meterpreter server instance to a completely different process, such as a system service like lsass.exe, without having to establish a new connection. Migrating to a privileged process has the added benefit of making the server impossible to kill without taking down the whole machine.

 * Disabling user keyboard and mouse input -- This feature makes it possible to prevent local keyboard and mouse input. Useful in certain situations :-)

 * SAM database hash retrieval -- The SAM Juicer extension, written by Vinnie Liu, has been integrated into a privilege escalation extension known as 'priv'. The current version allows 'pwdump'-style password hash retrieval without the requirement of writing a DLL to the disk. In the future, this extension will provide local privilege escalation exploits.

 * Advanced process manipulation -- The 3.0 Meterpreter has extensive support for interacting with processes in terms of loading and unloading DLLs; reading, writing, querying, allocating, and freeing memory; opening, creating, closing, terminating, suspending, querying, and modifying threads; writing and reading standard input and output; and so on.
 * IRB mode -- This feature is especially cool for all of the scripters out there. It allows a user to drop into an interactive Ruby shell that can be used to access the Meterpreter instance at the scripting level. This can be very useful because the scripting-level features are far more powerful than the standard user interface. For example, the IRB mode can be used to search and replace strings in the virtual memory of any accessible remote process.

 * Network pivoting -- Similar to certain commercial products, the 3.0 branch supports seamless attack pivoting. The Meterpreter automatically provides a pivoting point to be used with the 'route' command in the console interface. Although pivoting was possible with the 2.x series, the level of integration was simply not there for effective island-hopping attacks.

[ The Opcode Database Command Line Interface ]

The 3.0 version of the Metasploit Framework comes with a command line interface to the Metasploit Opcode Database. This can be used instead of the web-based wizard to easily search for portable opcode addresses. The interface is provided through the msfopcode command, which is found in the root directory of the installation. This interface is merely a front-end to the Rex::Exploitation::OpcodeDb::Client class, which talks to an HTTP-based XML protocol running on the Metasploit.com web server. More information about this component can be found at the following URL:

 - http://metasploit.com/projects/Framework/msf3/msfopcode.html

Enjoy!

 - The Metasploit Framework Development Team