Thoughts on Metasploit

On 28/10/2006 HD Moore released version 2.7 of his infamous Metasploit package. In my opinion he deserves to be credited for his excellent contributions in this area. However, I do wonder how long this framework will remain effective.

Metasploit 3 seems to be going in the same direction as the commercial Core Impact exploit suite, which offers detection and point-and-click exploitation. The unique feature of the Core Impact tool set is the ability to install agents on the exploited system. Attacks can then be taken further via these agents, giving the tool depth as well as breadth, but for how long?

How long will *overflow vulnerabilities last? Windows XP SP2 comes standard with a firewall and stack protection. Other host operating systems are also heading in this direction. Some may argue that it is still possible to get around stack protection (this is only possible in certain circumstances); however, I can see vendors learning lessons and moving on. Again, how long will *overflow vulnerabilities be around, and therefore how long will these tools be effective?

3 Comments so far

  1. HD @ October 31st, 2006

    I certainly can’t take credit for most of the Metasploit Framework — spoonm, skape, vlad, optyx, and dozens of contributors are the real reason behind the project’s success. Buffer overflows will continue to be effective for at least another 5-10 years. There may be diminishing returns for newer applications and operating systems, but legacy systems (NT 4.0, which is remotely exploitable, with no patch, right now) and Windows 2000, will continue to be used for many years to come. Outside of overflows and memory corruption bugs, there are still many different directions for Metasploit to branch out. Web applications are just as vulnerable as ever, logic problems (auth bypass, administrative access gain) aren’t going away anytime soon, and even if every software flaw ever was fixed, we still have a way in by brute forcing credentials. Buffer overflows will become less important in the long run, but exploits are forever :-)

  2. pdp @ October 31st, 2006

    I also believe that buffer overflows will fade away. However, I am not quite sure how Metasploit’s design will fit into the new type of attacks. It is not as generic as it should be. Even if it is, I don’t believe that this is the way forward. After all, it is designed to be simple as well.

  3. david.kierznowski @ November 1st, 2006

    To add to HDM’s point, I have noticed more and more web application exploits being added into its archive. So it does look like both network and web application exploits are being implemented. However, this doesn’t include client-side exploitation (XSS etc) which I think is what pdp is trying to say.

    As a side note, we have some really exciting times ahead.
