This post is the seventh in a series, 12 Days of HaXmas, where we take a look at some of the more notable advancements in the Metasploit Framework over the course of 2013.
Today is the last day of the year, so there's no better time to get all weepy and sentimental about Metasploit development over a glass or four of champagne. I continue to be amazed, honored, and humbled by the amount of talent, skill, and brute force labor that goes into keeping the Metasploit juggernaut rolling. With that, here's a quick stat check of what we've been up to.
We successfully published three major releases of Metasploit over the course of the year. April saw the release of Metasploit 4.6, which solidified full integration with the Kali Linux distribution as well as coverage for the OWASP 10 (2013 edition). In July, we released Metasploit 4.7, which introduced firewall egress testing and the automation oomph introduced by Metasploit Pro's MetaModules. In November, we published Metasploit 4.8, which boasts much better integration with Nexpose (Rapid7's delightful vulnerability scanner) for vulnerability validation capabilities.
Coincidentally, we ended the year in 2012 with exactly 2012 modules, across exploits, auxiliary and post modules, and payloads. We're ending 2013 with 2448 modules; that's just about 1.2 modules a day, every day. Major target categories that got attention were client-side browser and file format exploits (made easier now with the new BrowserExploitServer mixin), a bunch of new cross-platform web application server-side exploits, and of course the SAP modules that we've been yammering about since October. We also now have a huge trove of new SOHO router scanners and exploits, which are themselves a subset of our newly extended ARM and MIPS embedded device target support which Juan talked about yesterday.
OJ talked at length earlier this HaXmas about the Windows Meterpreter overhaul, but did you know that we've made significant advances with Java Meterpreter and landed the brand new and most excellent Python Meterpreter? Yep, and the Android Meterpreter is still coming along, too. It's been a great year all around for Metasploit payloads -- we have over 100 payloads new to 2013, so if you haven't peeked in on those lately, now's a fine time to catch up.
Finally, but most importantly, we've had some amazing support from the open source security community over 2013. We've had 204 committers over the year to Metasploit, more than any other year. The depth of talent, drive, and commitment among these committers really and truly does astound me every day. Y'all are the reason why Metasploit is where it is today.
The top 25 committers (according to git logs) are:
And here are all the names and aliases of people who are credited with at least one commit this year: Jeff Jarmoc, Joe Vennix, g0tmi1k, Karn Ganeshen, scriptjunkie, Peter Toth, Nathan Einwechter, Matt Andreko, Doug P, root, agix, Ramon de C Valle, Console, Bruno Morisson, Charlie Eriksen, bwall, bcoles, shuckins-r7, schierlm, modpr0be, Markus Wulftange, xistence, smilingraccoon, Dejan Lukan, lsanchez-r7, rsmudge, Joshua J. Drake, Mekanismen, ChrisJohnRiley, Rick Flores (nanotechz9l) 12, SphaZ, Roberto Soares Espreto, bmerinofe, MrXors, timwr, Kacper Nowak, Thomas Hibbert, zeknox, AverageSecurityGuy, shellster, darknight007, Brandon Perry, lmercer, Ruslaideemin, KarnGaneshen, Geyslan G. Bem, dummys, jvennix-r7, kaospunk, Brian Wallace, SeawolfRN, Joshua Abraham, J.Townsend, Josh, doug, Robin Wood, dcbz, h0ng10, corelanc0d3r, Matteo Cantoni, salcho, f8lerror, TecR0c, Borja Merino, Jonathan Claudius, Boris, Sven Vetsch / Disenchant, sgabe, jonvalt, heyder, Joshua Harper, xard4s, Rich Lundeen, Brandon McCann, Ricardo Almeida, dougsko, Thomas McCarthy, Cristiano Maruti, John Sherwood, DoI, joernchen of Phenoelit, jamcut, Jon Hart, Alexandre Maloteaux, William Vu, jgor, Tod Beardsley, Davy Douhine, Shelby Spencer, ddouhine, Jonathan, Enrique A. 
Sanchez Montellano, Stephen Haywood, Charles Smith, trustedsec, ZeroChaos, Dhiru Kholia, Sean Verity, Daniele Martini, Patrick Webster, Thomas Ring, booboule, Tabassassin, Brandon Knight, T0X1C-1, Wolfgang Ettlinger, Frederic Basse, Ryan Wincey, CG, Jose Selvi, Nicholas Davis, joe, Trevor Rosen, Norbert Szetei, rbsec, Fernando Arias, Tyler Krpata, nemski, Henrik Kentsson, Joe Barrett, pyoor, Jonathan Rudenberg, Booboule, Trenton Ivey, Winterspite, ethicalhack3r, Alexia Cole, Rick Flores, Gerry Eisenhaur, Joe Rozner, Paul, MosDefAssassin, Till Maas, Geyslan Gregorio Bem, tkrpata, Vlatko Kosturjak, violet, Juushya, Icewall, Joff Thyer, yehualiu, Sagi Shahar, allfro, rogueclown, danielemartini, Artien Bel, Doug Prostko, Joshua Harper PI GCFE GCFA, Darren Martyn, Newpid0, Thorsten Fischer, Russell Sim, matthiaskaiser, zyx2k, TrustedSec, Matthias Kaiser, Joel Parish, julianvilas, jwpari, cbgabriel, Garret Picchioni, steponequit, Melih SARICA, Julian Vilas, Antoine, LinuxGeek247, ringt, farias-r7, bannedit, Nick Rivera, Stephen Fewer, Bouke van der Bijl, Gregory Man, TabAssassin, Sam Gaudet, luh2, Gary Spillman, Tonimir Kisasondi
Oh, that's some sweet, sweet SEO right there. Thanks to every single one of you for your contribution of your time and expertise to the Framework!
New Modules
Oh, and hey, we released the final Metasploit update for the year just now, too -- 13 new modules this week, including the versatile intelligence-gathering DNS scraper module from zeknox and an exploit for Red Hat CloudForms from Ramon. Thanks guys!
- Red Hat CloudForms Management Engine 5.1 agent/linuxpkgs Path Traversal by Ramon de C Valle exploits CVE-2013-2068
- Synology DiskStation Manager SLICEUPLOAD Remote Command Execution by Markus Wulftange exploits CVE-2013-6955
- Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution by joev, Mariusz Mlynski, and moz_bug_r_a4 exploits CVE-2013-1710
- HP SiteScope issueSiebelCmd Remote Code Execution by juan vazquez and rgod exploits ZDI-13-263
- OpenSIS 'modname' PHP Code Execution by Brendan Coles and EgiX exploits CVE-2013-1349
- Zimbra Collaboration Server LFI by Mekanismen and rubina119 exploits CVE-2013-7091
- RealNetworks RealPlayer Version Attribute Buffer Overflow by Gabor Seljan exploits CVE-2013-6877
Auxiliary and post modules
- Red Hat CloudForms Management Engine 5.1 miq_policy/explorer SQL Injection by Ramon de C Valle exploits CVE-2013-2050
- DNS Non-Recursive Record Scraper by Brandon McCann "zeknox" and Rob Dixon "304geek"
- Chargen Probe Utility by Matteo Cantoni exploits CVE-1999-0103
- Poison Ivy Command and Control Scanner by SeawolfRN
- OSX Gather Autologin Password as Root by joev
- OSX Gather Safari LastSession.plist by sinn3r
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.