We are excited to announce the immediate availability of version 3.3 of
the Metasploit Framework. This release includes 446 exploits, 216
auxiliary modules, and hundreds of payloads, including an in-memory VNC
service and the Meterpreter. In addition, the Windows payloads now
support NX, DEP, IPv6, and the Windows 7 platform. More than 180 bugs
were fixed since last year=E2=80=99s release of version 3.2, making this one of
the more well-tested releases yet.
Metasploit runs on all modern operating systems, including Linux,
Windows, Mac OS X, and most flavors of BSD. Metasploit has been used on
a wide range of hardware platforms, from massive Unix mainframes to the
Apple=C2=AE iPhone=E2=84=A2. Installers are available for the Windows and Linux
platforms, bundling all dependencies into a single package for ease of
installation. The latest version of the Metasploit Framework, as well as
images, video demonstrations, documentation and installation
instructions for many platforms, can be found online at
This release of the Metasploit Framework was driven by numerous key
contributors, including James Lee, Yoann Guillot, Steve Tornio, MC,
Chris Gates, Alexander Kornbrust, Ramon Carvalle, Stephen Fewer, Ryan
Linn, Lurene Grenier, Mike Kershaw, Patrick Webster, Max Moser, Efrain
Torres, Alexander Sotirov, Ty Bodell, Joshua Drake, JR, Carlos Perez,
Kris Katterjohn and many others.
The startup speed up the Metasploit Console and all utilities has been
greatly improved due to performance patches by Yoann Guillot and a
string processing overhaul by James Lee. Metasploit now fully supports
the 1.9.1 version of the Ruby interpreter, clearing the way for support
under a variety of alternate Ruby VMs in the future.
The Windows installation now includes a fully-functional console
interface, using Cygwin and RXVT as a front-end to the framework. The
Windows installer now runs on all supported versions of Windows, from
Windows 2000 to Windows 7. The Windows version of Metasploit is now
portable and can be silently installed via the /S /D=Dest parameters.
The Linux installers now include everything needed to run the Metasploit
Framework on most versions of Linux released over the last five years.
The official Linux installers are recommended for anyone using a Linux
distribution other than Ubuntu (8.04+). These installers include Ruby
1.9.1, Subversion 1.6.6, and all dependencies, along with convenient
scripts for keeping the framework updated.
The Metasploit Console now indicates how many days have passed since the
last update, reminding users when their installation becomes out of
date. The console now uses a Ruby implementation of the Readline library
by default, solving a number of issues with Mac OS X and other platforms
with broken Readline support. The console now supports and enables ANSI
colors by default, making it much easier to discern between errors and
status messages on a busy terminal.
The database functionality is now enabled by default, as long RubyGems
and at least one database driver is available on the system. The
db_drivername plugins are deprecated and the db_driver and db_create
commands are active by default. The db commands now support filters for
everything from open ports to IP ranges. The db_autopwn command now
cross-references across multiple ports and services name instead of a
single port, when the -p parameter is supplied.
All applicable exploits now have OSVDB references thanks to a major
effort by Steve Tornio. Two-ways links have been setup between the
Metasploit module browser and their matching OSVDB entries. CVE
references have been audited across the entire module tree, with a
number of typos and other fixes corrected in the process.
Oracle exploit support has been implemented through a tag-team effort
between MC and Chris Gates, with assistance from Alexander Kornbrust.
Oracle modules have been developed for exploiting TNS protocol stack and
Web-based Oracle services, as well as post-authentication database-level
privilege escalation flaws. Microsoft SQL Server support has been
overhauled, with the addition of a brand new native Ruby TDS driver
exclusive to the Metasploit Framework and a large number of new modules.
Microsoft SQL Server 2000 through 2008 versions have been tested with
the new modules. The MSSQL and Oracle login modules can now brute force
passwords from a dictionary file.
Automated client-side exploitation has been overhauled with a rewrite of
the browser_autopwn module by James Lee. A number of existing
client-side exploits have been updated to use better fingerprinting and
evasion techniques. All TCP-based exploits can now be launched through
SOCKS4, SOCKS5, and HTTP proxies.
The payload encoding library can now embed Metasploit payloads into
arbitrary executables. The -x parameter to msfencode allows an arbitrary
executable to be used as a vector for a Metasploit payload. This
significantly reduces the impact of anti-virus tests during penetration
tests and allows the use of familiar executables in social engineering
endeavors. Payloads can be generated as VBA macros for insertion into
Word documents, as Windows Scripting Hosts scripts and the standard
Metasploit now supports 64-bit Windows as a target platform, with the
ability to use standard stagers, generate executables with embedded
payloads and load Meterpeter on 64-bit systems. Metasploit now supports
64-bit Linux on the PowerPC architecture as a target platform. The
alphanumeric encoders have seen a number of bug fixes and improvements
since version 3.2, including the ability to prepend alphanumeric GetEIP
code via the AllowWin32SEH parameter.
AIX support as a target platform has been improved, with a number of
additional payloads and an exploit module for the newly discovered
rpc_ttdbserverd realpath vulnerability. These payloads support versions
5.3.7 through 6.1.4 of the AIX platform and work with auxiliary modules
and the database to select the right syscall numbers for each particular
operating system revision. 32-bit PowerPC support now includes POWER and
Cell Broadband chips in the supported architecture set through an effort
by Ramon Carvalle of RiSE Security.
The reverse_tcp stager now has a configurable number of retries
(ReverseConnectRetries) and exits gracefully if the connection fails.
The reverse_tcp_allports stager will cycle through all possible outbound
ports in order to punch through host or network firewalls. The standard
Windows stagers were overhauled to use a new hashing method, support
Windows 7, allocate their own memory during staging and avoid a middle
stager by performing their own reliable transfer mechanism. The new
stager development was driven by Stephen Fewer of Harmony Security.
Support for JSP payloads has been integrated, opening the door for new
exploit modules for Java-based application engines, like Bea and Tomcat.
The existing CMD, PHP, Ruby and Perl payloads have all seen a revamp and
update to their compatibility-matching system.
Auxiliary scanner modules now instantiate a new module instance for each
thread, allowing more of the exploit mixins to be used to develop
network scanners. This greatly improved the reliability of the existing
scanners and allowed for dozens of new ones to be developed. Scanner
modules now report their progress as they scan the network and the
frequency of reports can be controlled through advanced options.
A simple fuzzer API has been added as a mixin, along with over a dozen
new fuzzer modules that demonstrate their use and capabilities. While
fuzzing is not the focus of the framework, the API is easy to use and
can meet the requirements of many on-the-spot service tests. Ryan Linn's
HTTP NTLM capture module has been integrated into the framework.
Support for the DECT COM-ON-AIR driver has been integrated into
Metasploit, along with two example modules for locating DECT base
stations and detecting active calls. The Lorcon2 library is now
supported through a new ruby-lorcon2 Ruby extension and exploit mixin.
All existing modules using the old Lorcon API have been ported. The
airpwn and dnspwn modules developed by Mike Kershaw (also one of the
Lorcon2 authors) have been integrated into the framework. The pcaprub
Ruby extension has been updated to build on Ruby 1.9.1. Max Moser's
pSnuffle packet sniffer (modeled after dsniff) has been integrated into
The Meterpreter and VNC injection payloads now use Stephen Fewer's
Reflective DLL injection technique; the previous DLL injection stages
have been renamed and will be deprecated in a future release. The
Meterpreter now negotiates a full SSL link after the staging process has
been completed, even going so far as to fake a HTTP request over the SSL
session to mimic the traffic profile of a normal web browser. The
Metepreter AutoRunScript parameter can now support multiple scripts with
arguments. The Meterpreter can now take screen shots, provided that the
process has access to the desktop (e.g. migrated into explorer.exe),
using the ESPIA extension developed by Efrain Torres.
The Meterpreter can now capture traffic from the compromised system,
using an in-memory sniffing extension based on the MicroOLAP Packet
Sniffing SDK. This feature creates a ring buffer of up to 200,000
packets, allowing a snapshot to be downloaded and converted to a
standard pcap log file. The Meterpreter can now capture keystrokes,
including those of console logins, by migrating in the appropriate
process and using the keyscan commands. The long-missing "rm" command
has finally been added to the Meterpreter command line. The "background"
command has been added for situations when using ^Z is not feasible.
Alexander Sotirov's METSVC has been added to the framework and a
Meterpreter script has been included to automatically deploy it on a
The beginnings of POSIX support have been implemented by JR, targeting
the Linux and BSD platforms. The stdapi extension for POSIX has been
partially completed and should continue to improve going forward.
All Metepreter scripts now support the "-h" parameter for usage. As of
Metasploit 3.3, there are almost 30 different Metepreter scripts
included in the release, many of which were exclusively written by
Enjoy the release!