Last updated at Mon, 24 Jul 2017 18:53:33 GMT

Java Payload Cleanup

If you've been watching the Metasploit source repository, you will have noticed some movement in Java Payload land -- specifically, PR#1217, which landed this week. Thanks to the refactoring efforts of Michael @mihi42 Schriel, testing by @Meatballs, and integration from James @egyp7 Lee, the Javapayload and Java Meterpreter projects can now more easily be hacked at with Eclipse, a preferred IDE for Java nerds. There's also a slew of new unit tests, so you have more assurance that your hackery won't break existing functionality. This is good news for you if you are a) more of a Java guy than a Ruby guy, and b) you want to make meaningful contributions to the Metasploit framework. Thanks a ton, guys!

ZDI Sport Fishing

This week also sees a trio of ZDI-derived Metasploit modules -- we have exploits now for ZDI-13-051, ZDI-13-052, and ZDI-13-053. They all target the HP Intelligent Management Center (IMC), and all three were initially reported to the Zero Day Initiative (ZDI). ZDI, if you weren't aware, is now part of HP's new HP Security Research (HPSR) group. Yes, that's a lot of acronyms.

ZDI-disclosed vulnerabilities are especially attractive for some exploit developers, including our own Juan Vazquez. By dint of being disclosed by ZDI, we know for sure that some money has already changed hands. This makes them de-facto "high value" vulnerabilities, and not just goofy crashes or exposed in unlikely, contrived attack scenarios. In addition, we know that there are organizations out there who put a premium on protecting against ZDI vulns. Those folks like to be able to use Metasploit modules to test the efficacy of their defenses, both pre- and post-patch.

This is all incidental to the fact that ZDI vulns are generally rewarding to research. It's like fishing in a pond that you know is stocked; it's a lot easier to be confident and be successful when you know for sure that there is an exploit worth catching there. If you're looking to get involved with exploit development on targets that aren't just toys or CTF targets, ZDI can provide a pretty rich target landscape.

New Modules

Besides HP IMC, we of course have a passel of new modules. Passel?  How about a clutch? No, a murder. Of course. Below is this week's murder of Metasploit modules.


If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.