Open Source Exploit Development

January 09, 2013

Today's Whiteboard Wednesday video is presented by Tod Beardsley, who talks about open source exploit development. Learn how Metasploit was created and how the open source community is leveraged to make Metasploit so powerful.

Tod also talks about why open source exploits matter to you and just how powerful it is to have groups of developers all working together on code reviews and building exploits. Together, the open source community has helped Metasploit host the world's largest database of quality-assured exploits.

Download Metasploit today!

Video Transcript

Hi. I'm Tod, and I work on Metasploit Framework almost all the time. I'm an engineering manager there. Today, I'm going to talk about the philosophy of open source exploit development and why it's important. One of the big reasons why I continue to work on Metasploit and why I find the work so fascinating is that I feel like open source exploit development is really, really good for planet Earth. Not just us, not just our customers, but for everyone, and this is why.


Way back when, we used to trade exploits around, those of us in the public space, as all one-offs. They were written just kind of one off, one off, one off. They were written in a variety of languages: C, Perl, Python, a teensy little bit of Ruby, Assembly sometimes. This was kind of the way you did it, and it kind of sucked a lot because you weren't really sure of the pedigree or provenance of certain exploits. Sometimes they would break, and sometimes they would be big blobs of binary, and you had no idea what the whole point of the thing was. Sometimes they had extra backdoors with them, and that was super not cool.

A few years back, the Metasploit Project came into being. This was mainly the effort of HD Moore, a gentleman named skape and a gentleman named spoonm, and a lot of other open source contributors, who put together this awesome thing called Metasploit. The whole idea was you could exploit vulnerabilities and keep the payloads separate, so you could concentrate on exercising the vulnerability and bring along the payload of your choice with you. Metasploit 1.0 had something like 30-something exploits with it. This turned out to be a really good idea because you got a lot of people out on the internet contributing what seemed to them to be one-off exploits, but it was all in a common language; it was like a lingua franca of exploit development.

When you are working in defense, for example, at the time, I was at a company that built intrusion prevention systems. When we would have proofs of concept that were Metasploit modules, it was super-awesome for us because we could demonstrate that the exploit works, the vulnerability works, and then we could also demonstrate things like our signatures to catch it would work. That was super-great.

Why does anyone other than us care? Back at the top, I said this was important for planet Earth, and this is why: There was, once upon a time, a couple of months ago, an Oracle Java 0-day in the wild. There's a whole bunch of back-story on that, but I'm not going to talk about that, but it was in the wild and it was exploiting people. This came to light due largely to FireEye, a nice company out there that does exploit and vulnerability research, jduck, who is a Metasploit contributor, and our guys: sinn3r, Juan, us, and everybody. We all saw this, got together and made the 0-day into a reliable Metasploit module, and shipped that. What this did was bring a whole bunch of visibility to something that was secret two days earlier. The practical effect was, the OpenJDK people were also affected by the supposed Oracle Java 0-day bug. In their test harness, they used the Metasploit exploit to validate that their patches worked. We saw a patch out of Oracle in the neighborhood of four days to a week after we published, whereas typical turnaround for Oracle is 30 days-ish to longer than 30 days. The moral of the story is that when we bring a very public light to exploit development, to certain vulnerabilities, we can get patches out super-fast, we raise awareness of the thing, and generally make the world a better place. Hooray for us.

Hooray for you, because Metasploit doesn't happen in a vacuum. We require public participation. It's not a spectator sport, it's very hands-on kind of stuff, so that's where all these eyeballs come in. We develop mostly in public. We are on GitHub; yay octocat. We have a fairly complicated way for us to deal with community contributors, just to make sure that you're hitting things like minimum standards of code quality, and reliability, and what all, and not shipping back doors in Metasploit, because that would suck.

From your point of view, you just start here and you end up over here, and that's it. It's great, it's social coding, which means lots and lots of people can look at your stuff. If it's totally broken, we will hear about it within an hour. Instead of developing in a vacuum like some software companies do, we develop very much in the open. I invite and implore you to bring your expertise to the Metasploit development family, I guess, here. That sounds a little weird. Not so much a family, but a band of rogues and rascals, and you could be one too.

Look us up on GitHub at rapid7/metasploit-framework. I'm looking forward to seeing your contribution.
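The exploit/payload split Tod describes (exercise the bug once, bring any payload along) is the core architectural idea of the framework. The toy model below is an added example written for this page; it is not Metasploit code and its classes, target, offsets, return address and payload bytes are all constructed placeholders. It shows why the split matters in practice: the exploit only knows the target's overwrite offset and a return address, checks that nothing it sends contains bad characters, and lays the chosen payload in behind a NOP sled, so the same exploit builds a different malicious input for each payload without being rewritten.

```ruby
# Added example, not from Metasploit: a minimal model of keeping the
# exploit (how to trigger the bug) separate from the payload (what runs).
# All names, offsets, addresses and payload bytes below are hypothetical.

# A payload only produces bytes; it knows nothing about the bug it rides on.
class Payload
  attr_reader :name, :raw
  def initialize(name, raw)
    @name = name
    @raw  = raw.b # force binary encoding so byte math is exact
  end
end

# A target describes one affected build: how far the saved return address
# sits from the start of the overflowed buffer, and what to overwrite it with.
Target = Struct.new(:name, :offset, :ret)

class StackOverflowExploit
  # Bytes the vulnerable input path would mangle (string terminator, line ends).
  DEFAULT_BADCHARS = "\x00\x0a\x0d".b

  def initialize(target:, payload:, badchars: DEFAULT_BADCHARS, nops: 16)
    @target   = target
    @payload  = payload
    @badchars = badchars.b
    @nops     = nops
  end

  # Return the distinct bad bytes present in +data+ (empty array if clean).
  def bad_bytes_in(data)
    data.b.each_byte.select { |b| @badchars.bytes.include?(b) }.uniq
  end

  # Build the malicious input: padding up to the saved return address,
  # the new return address (little-endian 32-bit), a NOP sled, and then
  # whichever payload the caller chose.
  def build
    bad = bad_bytes_in(@payload.raw)
    unless bad.empty?
      hex = bad.map { |b| format('%02x', b) }.join(' ')
      raise ArgumentError, "payload #{@payload.name} contains bad chars: #{hex}"
    end
    ret = [@target.ret].pack('V')
    raise ArgumentError, 'return address contains bad chars' unless bad_bytes_in(ret).empty?

    ("A" * @target.offset).b + ret + ("\x90" * @nops).b + @payload.raw
  end
end

# Constructed stand-ins: int3 bytes instead of real shellcode, a made-up target.
CALC     = Payload.new('exec calc (placeholder)', "\xcc" * 8)
REVSHELL = Payload.new('reverse shell (placeholder)', "\xcc" * 24)
TARGET   = Target.new('Example App 1.0 (hypothetical)', 260, 0x7c341234)

# Same exploit, two payloads: only the tail of the buffer changes.
def build_both
  {
    calc:  StackOverflowExploit.new(target: TARGET, payload: CALC).build,
    shell: StackOverflowExploit.new(target: TARGET, payload: REVSHELL).build
  }
end

if __FILE__ == $PROGRAM_NAME
  build_both.each { |k, buf| puts "#{k}: #{buf.bytesize} bytes" }
end
```

Swapping `CALC` for `REVSHELL` changes nothing in the exploit class, which is the point of the split: a contributor who finds a bug writes the trigger once, and everyone else brings their own payload. The bad-character check is the other thing a shared module has to get right, since a payload that works in one exploit may be silently corrupted by another vulnerable input path.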