Pull Requests: Want to help?
Metasploit has a first world problem: We get so much code from contributors out in the world, it gets hard to keep up. Most open source projects aren't popular enough to warrant more than three or four contributors, total. Metasploit has over two hundred, last I checked. We're no Rails (those guys have over 2,000 contributors), but for security software, that's not too bad.
The problem is, our backlog of outstanding pull requests (PRs) is steadily increasing, and now we're now floating about a hundred outstanding pull requests. Since Metasploit is fundamentally a communal effort, I'm hopeful that you generous folks out there in Open Source Land can maybe help us take a bite out of this backlog.
First off, check out the new Landing a Pull Request guide. While you might think that this guide is meant only for Rapid7 employees, it's not. The power of GitHub as a source control management system lies in the ability for literally anyone to contribute fixes in a distributed way. Let me quote from the Collaboration between Contributorssection:
If Alice knows a solution to Bob's pull request that Juan pointed out, it is easy for Alice to provide that solution by following [this procedure]. Git blame will still work correctly, commit histories will all be accurate, everyone on the pull request will be notified of Alice's changes, and Juan doesn't have to wait around for Bob to figure out how to use send_request_cgi() or whatever the problem was."
What this means is that if you see something languishing in our pull queue, and you think you can help move things along, go for it! Most of the time, PRs don't get landed due to a lack of verification or testing. So, while some old PR might get solved with some bugfixes, more likely, what we really need is some solid verification procedure to prove that the PR actually works. Even better, for non-module PRs, would be some rspec tests added to the outstanding PR. Merely 1'ing a PR isn't likely to be very helpful, but squeaky wheels do get greased. The point is, the opportunities to collaborate on advancing the state of the art in open source security development really are there for the taking.
Speaking of contributing, summer is approaching, and that means it's time to start trolling (trawling?) for interns. We have a pretty formidible job description up, but if you're reading this blog, you probably already have some deep and abiding interest in open source security software, so feel free to pop your resume off to me at todb at metasploit dot com. If you already live here in Austin, then hooray for you, since this internship requires a fair amount of in-person showing up to the office. If you already have contributed code to Metasploit or some other open source project, then you are already way ahead of the game and I would be very interested in talking to you.
If interning isn't your thing, but you know an enterprising college student who might be a good fit, give them the shortlink: http://r-7.co/MSF-INTERN.
Armitage and MSFGui
Finally, as mentioned in the Metasploit 4.6.0 release notes, we've removed the two alternate Java front ends, Armitage and MSFGui, from Metasploit's main distributions. Those projects, run by Raphael @armitagehacker Mudge and Matthew @scriptjunkie Weeks, respectively, are now being distributed separately from the framework source repository. You can track them at http://www.fastandeasyhacking.com/manual (for Armitage) and http://www.scriptjunkie.us/msfgui/ (for MSFGui). So, if you are sitting on a source checkout of Metasploit and you find that your Java client doesn't work any more, that's probably why. You can get your install back in shape by just fetching from upstream, direct from those guys.
We've got four new modules this week. We've been busy preparing for conference season, so module throughput has been a little slower than usual.
- MediaWiki SVG XML Entity Expansion Remote File Access by juan vazquez, Christian Mehlmauer, and Daniel Franke exploits OSVDB-92490
- Netgear DGN2200B pppoe.cgi Remote Command Execution by juan vazquez and Michael Messner exploits OSVDB-90320
- Java Applet Reflection Type Confusion Remote Code Execution by juan vazquez and Jeroen Frijters
- Free Float FTP Server USER Command Buffer Overflow by D35m0nd142 and Doug Prostko exploits OSVDB-69621
If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.