2ce6f325f5
There are still strong reservations about using Nokogiri to parse untrusted XML data.

http://www.wireharbor.com/hidden-security-risks-of-xml-parsing-xxe-attack/

It is also believed that many desktop operating systems are still shipping out-of-date and vulnerable libxml2 libraries, which become exposed via Nokogiri. For example:

http://stackoverflow.com/questions/18627075/nokogiri-1-6-0-still-pulls-in-wrong-version-of-libxml-on-os-x

While this isn't a problem for binary builds of Metasploit (Metasploit Community, Express, or Pro) it can be a problem for development versions or Kali's / Backtrack's version.

So, the compromise here is to allow for modules that don't directly expose XML parsing. I can't say for sure that the various libxml2 vulnerabilities (current and future) aren't also exposed via `Nokogiri::HTML` but I also can't come up with a reasonable demo.

Metasploit committers should still look at any module that relies on Nokogiri very carefully, and suggest alternatives if there are any. But, it's sometimes going to be required for complex HTML parsing.

tl;dr: Use REXML for XML parsing, and Nokogiri for HTML parsing if you absolutely must.
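As an added illustration of the commit message's tl;dr (this is not code from the Metasploit project), the Ruby below parses untrusted XML with REXML and rejects any document that carries a DOCTYPE, since the DTD is where internal and external entities are declared. The helper names, the error class and both sample documents are constructed for this example.

```ruby
require 'rexml/document'

# Raised when untrusted input is malformed or carries a DTD.
class UnsafeXMLError < StandardError; end

# Hypothetical helper (not a Metasploit API): parse untrusted XML with the
# pure-Ruby REXML parser, so no system libxml2 is involved, and refuse any
# document that includes a DOCTYPE. The check runs before any text is read,
# so no declared entity is ever expanded by the caller.
def parse_untrusted_xml(xml)
  doc = REXML::Document.new(xml)
  raise UnsafeXMLError, 'DOCTYPE not allowed in untrusted XML' if doc.doctype
  doc
rescue REXML::ParseException
  raise UnsafeXMLError, 'malformed XML'
end

# Hypothetical consumer: return the text of every /hosts/host element.
def host_list(xml)
  doc = parse_untrusted_xml(xml)
  REXML::XPath.match(doc, '/hosts/host').map(&:text)
end

# Constructed sample inputs (documentation addresses, placeholder path).
CLEAN_XML = '<hosts><host>192.0.2.10</host><host>192.0.2.11</host></hosts>'

DTD_XML = <<~XML
  <?xml version="1.0"?>
  <!DOCTYPE hosts [<!ENTITY ext SYSTEM "file:///constructed/placeholder">]>
  <hosts><host>&ext;</host></hosts>
XML

# Returns true when the document is rejected, false when it is accepted.
def rejected?(xml)
  host_list(xml)
  false
rescue UnsafeXMLError
  true
end
```
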
Metasploit
The Metasploit Framework is released under a BSD-style license. See COPYING for more details.
The latest version of this software is available from http://metasploit.com/
Bug tracking and development information can be found at: https://dev.metasploit.com/redmine/projects/framework/
The public GitHub source repository can be found at: https://github.com/rapid7/metasploit-framework
Questions and suggestions can be sent to: msfdev(at)metasploit.com
The framework mailing list is the place to discuss features and ask for help. To subscribe, visit the following web page: https://mail.metasploit.com/mailman/listinfo/framework
The mailing list archives are available from: https://mail.metasploit.com/pipermail/framework/
Installing
Generally, you should use the free installer which contains all dependencies and will get you up and running with a few clicks. See the Dev Environment Setup if you'd like to deal with dependencies on your own.
Using Metasploit
Metasploit can do all sorts of things. The first thing you'll want to do is start msfconsole, but after that, you'll probably be best served by reading some of the great tutorials online:
Contributing
See the Dev Environment Setup guide on GitHub which will walk you through the whole process starting from installing all the dependencies, to cloning the repository, and finally to submitting a pull request. For slightly more info, see Contributing.