In addition to the nuclear-powered exploit, we've got a new slew of updates, fixes and modules this week for Metasploit, so let's jump right into the highlights for this update.


Updated WMAP Plugin


Longtime community contributor Efrain Torres provided a much-anticipated update to the Wmap plugin. Wmap automates up a bunch of web-based Metasploit modules via the Metasploit console, from HTTP version scanning to file path bruteforcing to blind SQL injection testing. If you're not already familiar with Wmap, feel free to download the latest Metasploit installer and give it a whirl against Metasploitable or your preferred test environment. It's pretty exhaustive stuff, so for more details on what all you can do with Wmap, Read the Fine Material here.


Msfconsole Searching


We've also picked up a set of patches from contributor RageLtMan to make searching from the console interface a lot easier. By using the -S (note the capital) option for the "hosts", "services", "vulns", "creds", "notes", and "loot" commands, users can now pass a search term to filter the result set on. This makes working in the console directly somewhat easier to manage when you have several hosts with several services in your penetration testing target list. For example, by simply passing "services -S dropbear" you will display only those services that mention the DropBear SSH service. Pretty handy, so thanks for that, RageLtMan!


New Modules


As to be expected, this update comes with a passel of new and exciting exploits, auxiliary modules, and even a new payload.


  • afp_server_info, an auxiliary module from Gregory Man, interrogates Apple Filing Protocol (AFP) servers for banner information by parsing out the initial encoded responses.
  • mongodb_login, also from Gregory, bruteforces MongoDB services on the off chance it has a user and password configured -- it usually isn't.
  • asus_net4switch_ipswcom exploits OSVDB-79438, a vulnerability in the ASUS Net4Switch ActiveX control (by sinn3r)
  • djstudio_pls_bof exploits CVE-2009-4656, a file format vulnerability in DJ Studio Pro (by Sebastien Duguette and Death-Shadow-Dark)
  • ibm_pcm_ws exploits CVE-2012-0201, a file format vulnerability in IBM's Personal Communications iSeries (by TecR0c, with surprisingly thorough description documentation, so thanks TecRoc!)
  • sysax_ssh_username, a remote, pre-authentication exploit for OSVDB-79689 in Sysax SSH server for Windows (by sinn3r).
  • vlc_realtext, a file format vulnerability in VLC Media player (by Juan Vazquez). The original vulnerability was discovered by Tobias Klein, author of A Bug Hunter's Diary, but this is not the VLC vulnerability discussed in that book -- this one was from a couple months prior, so might add a little more context to BHD.
  • apple_ios_backup, by HD Moore and bannedit, is a post module which snags sensitive data from a an iOS backup. This was previously a Windows-only post module, but has been upgraded to operate on OSX targets as well.


In addition to these, we're shipping a new payload for ARM-based Linux systems, shell_bind_tcp (by civ and hal), which opens a listening TCP port using native ARM shellcode. I got a chance to use a pwnie express to test it out, which is a totally fun device to mess around with. The shellcode works like a champ, so that whole testing experience was pretty fun and enlightening.




If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.


For additional details on what's changed and what's current, please see Jonathan Cran's most excellent release notes.