Top 10 Most Searched Metasploit Exploit and Auxiliary Modules
Published by Christian Kirsch
At Rapid7, we often get asked what the top 10 Metasploit modules are. This is a hard question to answer: What does “top” mean anyway? Is it a personal opinion, or what is being used in the industry? Because many Metasploit users work in highly sensitive environments, and because we respect our users’ privacy, the product doesn’t report any usage reports back to us.
We may have found a way to answer your questions: We looked at our metasploit.com web server stats, specifically the Metasploit Auxiliary and Exploit Database, which exploit and module pages were researched the most. Here they are, annotated with Tod Beardley’s excellent comments:
- MS12-020 Microsoft Remote Desktop Use-After-Free DoS (CVE-2012-0002, MSB-MS12-020): This is the 2012 RDP Bug, where it was implied — but never proven in public — that a pre-auth bug in RDP can allow for remote code execution. This is likely the most popular module we have due to both recency bias and because there was an unusual level of spontaneous organization of the Metasploit developer community to search for the correct path to remote code execution. So far, nobody’s gotten RCE yet (in public), but the Metasploit module provides the most clues.
- Microsoft Server Service Relative Path Stack Corruption (CVE-2008-4250, MSB-MS08-067): A four year old vulnerability that tends to give the most reliable shells on Windows 2003 Server and Windows XP. It’s also got a great pile of language pack targets. All of Metasploit’s exploits provide US English targeted shellcode, a few might provide Chinese, Spanish, French, or other popular languages; this one has targets in pretty much every language you’ve ever heard of. This exploit is also not ancient, so it’s reasonable to expect to find some unpatched systems in a medium to large enterprise vulnerable to it.