At a heavily attended panel Wednesday at the Black Hat security conference here, HD Moore and "spoonm" unveiled the latest release of the Metasploit Framework, an exploit tool designed to quickly take over a variety of target platforms.
Although the framework was developed several months ago, the "preview release" of Version 2.2 offers users the opportunity to develop their own custom modules. The tool, written in Perl for Unix environments, also includes a Cygwin shell to enable it to run under Windows. The official Version 2.2 will be available in a week or so.
Both researchers demonstrated the tool "owning," or taking over, Mac OS X, Windows 2000 Server and Windows XP systems, although the duo used a VMWare virtual machine to speed the process. Metasploit even runs on a Sharp Zaurus PDA, which when equipped with a Wi-Fi card can be used to attack while mobile.
The authors described the tool as the open-source, cheap alternative to Immunitys Canvas and Core Security Technologys Impact tools, designed for commercial applications and requiring the latest exploits almost as quickly as possible. Metasploit currently contains 35 exploits and 40 payloads; the tool was designed to point the user to the exploit appropriate for the operating system.
Although available for several months, the tool is apparently still relatively unknown even in security circles, judging from the reaction of attendees. Patrick Chambet, a senior consultant at French IT security firm Edelweb SA, said he found the presentation the most interesting of the day. Another researcher said he worried that Metasploit would be used by "script kiddies" as a means to quickly own other boxes. For their part, Moore and spoonm described Metasploit as a research tool.
Most vulnerabilities submitted to Bugtraq and other mailing lists are "crappy," according to Moore, who said it is often too hard to tell what the programmer meant by the code attached to the submissions.
Users can choose from between a command line, GUI or console interface. The framework also includes a "msfupdatesystem" command, which can connect to the Metasploit server to pull new updates and exploits.
All of the connections can be routed through SSL or a transparent SSL proxy, Moore said. Metasploit can perform VNC server injection as well as .DLL injection, which can load a DLL into the target machines RAM without the need to write information to disk.