Day dawns for Metasploit 3.0

What type of evasion techniques are part of 3.0?

H D Moore: Metasploit 3 supports evasion options for almost every module. The evasion options are broken down by protocol and can be seen with the "show evasions" command in the console interface. A module that uses the SMB, DCERPC, and TCP protocols can benefit from over 15 different evasion options.

These options cover settings such as the maximum DCERPC fragment size, whether to obfuscate different SMB transactions, and how many bytes to send at a time in each TCP segment. Client-side modules, such as browser exploits, support compression, chunked encoding, and unicode obfuscation, in addition to any Javascript-based encoding implemented in the module itself. Web application exploits support all of the "standard" encoding methods (unicode, hex encoding, etc) in addition to things like header padding, junk relative directories, and pipelined requests.

One of the great things about the structure of Metasploit 3 is that adding a new evasion method rarely requires the modules themselves to be updated. It's even possible to develop a loadable plugin that implements new, unpublished evasion routines (and sell it, if you wish to do so).

How much did the community contribute from the first public release to version 3.0?

H D Moore: The security community has been awesome, but we know that exploit development isn't for everyone. Even those who excel at exploit development don't always want to use someone else's framework. There are four people who actively contribute to the project and at least a dozen more that send in patches and bug reports. During the 3.0 rewrite, the Metasploit team kept close tabs on who contributed what code, and although we did receive some excellent patches, nearly 100% of the framework was written by skape, spoonm, and me.

What is going on with the license terms?

H D Moore: After watching both Snort (Sourcefire) and Nessus (Tenable) deal with license abuse and change to commercial models, we decided that the best thing we can do to avoid these problems is to remove the loophole that allows them to exist in the first place. The GPL, like most open-source licenses, allows anyone to repackage and sell your code. While we want everyone to be able to use and contribute to the Metasploit Framework, we did not want see companies profit by reselling our software. At the same time, we do want security professionals and researchers to be able to use the framework to do their jobs. After careful review of all of the OSI approved licenses, we decided to hire a lawyer and write our own. The Metasploit Framework License is the final result. We believe that the license is an excellent compromise between open-source and a commercial EULA. We realized that by placing the framework under a custom license, we are preventing other projects from reusing our code. To address this, we decided to release the entire Metasploit Rex library under the 3-clause BSD license. This library provides most of the API used by the Metasploit Framework (Sockets, SMB, HTTP, encoding, etc), but does not include any user interfaces or exploit modules.

Metasploit LLC is a Texas-based company created to hold the copyrights, trademarks, and domains of the Metasploit Project. Each of the core developers transferred their copyrights to the LLC, allowing us to enforce our licensing terms and put a corporate face on the project. The LLC earns no income, sells no services, and has no commercial plans.

Will you continue to maintain the 2.0 branch since it's under the GPL v2?

H D Moore: No. We may commit a few patches from time to time, but the branch has been "dead" since January of 2007.

This release includes support for kernel-mode payloads. What difficulties did you have to overcome to implement this feature? How does it work?

H D Moore: Matt Miller did an excellent job of designing a kernel-to-userland staging system that supports a wide range of exploits in a reliable fashion. A great description of how this stager was developed can be found in his Uninformed Journal article.

How does it work from and against Windows Vista?

H D Moore: Vista will introduce some interesting challenges when it comes to exploiting memory corruption vulnerabilities, but most of the features in Metasploit will require no modification to work on that platform. The Windows version of the framework uses the native Ruby interpreter and provides all functionality through the new web interface. As long as Ruby works properly on Vista, the Framework should work just fine.

In terms of payload coverage, there may be a few payloads that will not work completely under Vista, but these are either non-critical or easily fixed. When targeting a Vista system, the Meterpreter payload really shines, since a "generic" Meterpreter shell avoids the usual problems with running a command shell, and opens the way for local exploits through the use of dynamically loaded extensions. Kernel-mode payloads have not been tested yet, but will likely require modifications to work properly. This should be doable in a way that will maintain backwards compatibility with Windows XP SP2. The real question is whether we will find enough memory corruption bugs for these payloads to be useful.