At Rapid7, we often get asked what the top 10 Metasploit modules are. This is a hard question to answer: What does "top" mean anyway? Is it a personal opinion, or what is being used in the industry? Because many Metasploit users work in highly sensitive environments, and because we respect our users' privacy, the product doesn't send any usage reports back to us.

We may have found a way to answer your question: We looked at our metasploit.com web server stats, specifically for the Metasploit Auxiliary and Exploit Database, to see which exploit and module pages were researched the most. Here they are, annotated with Tod Beardsley's excellent comments.

Let us know if you find this ranking interesting so we can continue sharing it in the future. We're excited to see how this list will look next month, and what the major changes will be!
- MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP bug, where it was implied -- but never proven in public -- that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody's gotten RCE yet (in public), but the Metasploit module provides the most clues.
- Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four-year-old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It's also got a great pile of language pack targets. All of Metasploit's exploits provide US English targeted shellcode, and a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you've ever heard of. This exploit is also not ancient, so it's reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it.
- Microsoft Server Service NetpwPathCanonicalize Overflow (CVE-2006-3439, MSB-MS06-040): A six-year-old vulnerability that's notable in that there's no official patch from Microsoft for this on Windows NT 4.0. This was discovered after NT went end-of-life, so if you need remote root on an NT machine (and there are still plenty out there), this is going to be your first choice.
- Microsoft RPC DCOM Interface Overflow (CVE-2003-0352, MSB-MS03-026): A nine-year-old vulnerability that used to be the de facto standard exploit for Windows machines -- this is the RPC DCOM bug, and it affects ancient NT machines. It was most notable in that it was used by the Blaster and Nachi worms to transit networks. It's now pretty much a case study in stack buffer overflows in Windows, so it's got a lot of historical value. If memory serves, this was the most reliable exploit in Metasploit v2.
- Microsoft Windows 7 / Server 2008 R2 SMB Client Infinite Loop (CVE-2010-0017, MSB-MS10-006): Not sure why this module is popular -- it's a client-side DoS. Historically, it's a neat DoS, since it demos a bug in Windows 7's kernel, but all the module does is crash Windows 7 clients after you get a user to connect to you.
- Adobe PDF Embedded EXE Social Engineering (CVE-2010-1240): This module exploits CVE-2010-1240 in Adobe Reader. The idea is that you can embed and execute a Meterpreter PE executable in a PDF, and when the user opens the PDF, surprise shells! Since it's on this list, it's probably the most popular social engineering-style module.
- Apache mod_isapi <= 2.2.14 Dangling Pointer (CVE-2010-0425): Although this is an exploit in Apache, don't be fooled! It's only exploitable on Windows (so that knocks out the biggest chunk of Apache installs at the time of this module's release), and it's only a DoS. Again, kind of a mystery as to why it's so popular.
- Java AtomicReferenceArray Type Violation Vulnerability (CVE-2012-0507): This was initially discovered in the wild as a Java 0-day, and this module represented the fevered work of sinn3r and Juan Vazquez, who turned out the first reliable public cross-platform exploit for the bug. The blog post "CVE-2012-0507 - Java Strikes Again" shows a screenshot of Meterpreter sessions on Windows, Ubuntu, and OS X systems. In fact, this may be the first publicly demonstrable Java exploit that Just Works against all three platforms for the vulnerable versions of Java -- no extra configuration or fingerprinting is needed.
- Microsoft Windows Authenticated User Code Execution (CVE-1999-0504): The PSExec module is a utility module -- given an SMB username and password with sufficient privileges on the target machine, the user can get a shell. It's not sexy, but it's super handy for testing payloads and setup. Even though it's a lowly #9, I'd bet it's the most-used module in classroom and test environments.
- Microsoft Plug and Play Service Overflow (CVE-2005-1983, MSB-MS05-039): This exploits the Plug and Play service on Windows 2000. This is the exploit that MS06-040 replaced, though until MS06-040, this was the most reliable exploit around for Windows 2000. The Zotob worm used it. Note that while the exploit isn’t 100% reliable, failed attempts had a tendency to trigger a reboot of the target, so the next attempt would be 100% successful. In other words, for some people, the reboot-on-failure is really more of a feature than a bug.