diff --git a/pkgs/development/ruby-modules/gem-config/default.nix b/pkgs/development/ruby-modules/gem-config/default.nix
@@ -21,7 +21,7 @@
 , libiconv, postgresql, v8_3_16_14, clang, sqlite, zlib, imagemagick
 , pkgconfig , ncurses, xapian_1_2_22, gpgme, utillinux, fetchpatch, tzdata, icu, libffi
 , cmake, libssh2, openssl, mysql, darwin, git, perl, gecode_3, curl
-, libmsgpack, qt48, libsodium, snappy, libossp_uuid, lxc
+, libmsgpack, qt48, libsodium, snappy, libossp_uuid, lxc, libpcap
 }@args:
 
 let
@@ -135,6 +135,10 @@ in
     buildInputs = [ curl ];
   };
 
+  pcaprub = attrs: {
+    buildInputs = [ libpcap ];
+  };
+
   pg = attrs: {
     buildFlags = [
       "--with-pg-config=${postgresql}/bin/pg_config"
@@ -207,6 +211,14 @@ in
     '';
   };
 
+  rb-readline = attrs: {
+    dontBuild = false;
+    postPatch = ''
+      substituteInPlace lib/rbreadline.rb \
+        --replace 'infocmp' '${ncurses.dev}/bin/infocmp'
+    '';
+  };
+
   timfel-krb5-auth = attrs: {
     buildInputs = [ kerberos ];
   };

diff --git a/pkgs/tools/security/metasploit/Gemfile b/pkgs/tools/security/metasploit/Gemfile
@@ -0,0 +1,4 @@
+# frozen_string_literal: true
+source "https://rubygems.org"
+
+gem "metasploit-framework", git: "https://github.com/rapid7/metasploit-framework", ref: "refs/tags/4.14.17"
diff --git a/pkgs/tools/security/metasploit/Gemfile.lock b/pkgs/tools/security/metasploit/Gemfile.lock
@@ -0,0 +1,264 @@
+GIT
+  remote: https://github.com/rapid7/metasploit-framework
+  revision: fd3da8f3350d6cf7f0449bf0ead4d51747525c0a
+  ref: refs/tags/4.14.17
+  specs:
+    metasploit-framework (4.14.17)
+      actionpack (~> 4.2.6)
+      activerecord (~> 4.2.6)
+      activesupport (~> 4.2.6)
+      bcrypt
+      bit-struct
+      filesize
+      jsobfu
+      json
+      metasm
+      metasploit-concern
+      metasploit-credential
+      metasploit-model
+      metasploit-payloads (= 1.2.29)
+      metasploit_data_models
+      metasploit_payloads-mettle (= 0.1.9)
+      msgpack
+      nessus_rest
+      net-ssh
+      network_interface
+      nexpose
+      nokogiri
+      octokit
+      openssl-ccm
+      openvas-omp
+      packetfu
+      patch_finder
+      pcaprub
+      pg
+      railties
+      rb-readline
+      recog
+      redcarpet
+      rex-arch (= 0.1.4)
+      rex-bin_tools
+      rex-core
+      rex-encoder
+      rex-exploitation
+      rex-java
+      rex-mime
+      rex-nop
+      rex-ole
+      rex-powershell
+      rex-random_identifier
+      rex-registry
+      rex-rop_builder
+      rex-socket
+      rex-sslscan
+      rex-struct2
+      rex-text
+      rex-zip
+      robots
+      ruby_smb
+      rubyntlm
+      rubyzip
+      sqlite3
+      sshkey
+      tzinfo
+      tzinfo-data
+      windows_error
+      xmlrpc
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actionpack (4.2.8)
+      actionview (= 4.2.8)
+      activesupport (= 4.2.8)
+      rack (~> 1.6)
+      rack-test (~> 0.6.2)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (4.2.8)
+      activesupport (= 4.2.8)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+      rails-dom-testing (~> 1.0, >= 1.0.5)
+      rails-html-sanitizer (~> 1.0, >= 1.0.3)
+    activemodel (4.2.8)
+      activesupport (= 4.2.8)
+      builder (~> 3.1)
+    activerecord (4.2.8)
+      activemodel (= 4.2.8)
+      activesupport (= 4.2.8)
+      arel (~> 6.0)
+    activesupport (4.2.8)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.3, >= 0.3.4)
+      tzinfo (~> 1.1)
+    addressable (2.5.1)
+      public_suffix (~> 2.0, >= 2.0.2)
+    arel (6.0.4)
+    arel-helpers (2.3.0)
+      activerecord (>= 3.1.0, < 6)
+    bcrypt (3.1.11)
+    bindata (2.4.0)
+    bit-struct (0.16)
+    builder (3.2.3)
+    erubis (2.7.0)
+    faraday (0.12.1)
+      multipart-post (>= 1.2, < 3)
+    filesize (0.1.1)
+    i18n (0.8.1)
+    jsobfu (0.4.2)
+      rkelly-remix
+    json (2.1.0)
+    loofah (2.0.3)
+      nokogiri (>= 1.5.9)
+    metasm (1.0.3)
+    metasploit-concern (2.0.4)
+      activemodel (~> 4.2.6)
+      activesupport (~> 4.2.6)
+      railties (~> 4.2.6)
+    metasploit-credential (2.0.9)
+      metasploit-concern
+      metasploit-model
+      metasploit_data_models
+      pg
+      railties
+      rubyntlm
+      rubyzip
+    metasploit-model (2.0.4)
+      activemodel (~> 4.2.6)
+      activesupport (~> 4.2.6)
+      railties (~> 4.2.6)
+    metasploit-payloads (1.2.29)
+    metasploit_data_models (2.0.14)
+      activerecord (~> 4.2.6)
+      activesupport (~> 4.2.6)
+      arel-helpers
+      metasploit-concern
+      metasploit-model
+      pg
+      postgres_ext
+      railties (~> 4.2.6)
+      recog (~> 2.0)
+    metasploit_payloads-mettle (0.1.9)
+    mini_portile2 (2.1.0)
+    minitest (5.10.2)
+    msgpack (1.1.0)
+    multipart-post (2.0.0)
+    nessus_rest (0.1.6)
+    net-ssh (4.1.0)
+    network_interface (0.0.1)
+    nexpose (6.0.0)
+    nokogiri (1.7.2)
+      mini_portile2 (~> 2.1.0)
+    octokit (4.7.0)
+      sawyer (~> 0.8.0, >= 0.5.3)
+    openssl-ccm (1.2.1)
+    openvas-omp (0.0.4)
+    packetfu (1.1.13)
+      pcaprub
+    patch_finder (1.0.2)
+    pcaprub (0.12.4)
+    pg (0.20.0)
+    pg_array_parser (0.0.9)
+    postgres_ext (3.0.0)
+      activerecord (>= 4.0.0)
+      arel (>= 4.0.1)
+      pg_array_parser (~> 0.0.9)
+    public_suffix (2.0.5)
+    rack (1.6.6)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rails-deprecated_sanitizer (1.0.3)
+      activesupport (>= 4.2.0.alpha)
+    rails-dom-testing (1.0.8)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6)
+      rails-deprecated_sanitizer (>= 1.0.1)
+    rails-html-sanitizer (1.0.3)
+      loofah (~> 2.0)
+    railties (4.2.8)
+      actionpack (= 4.2.8)
+      activesupport (= 4.2.8)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (12.0.0)
+    rb-readline (0.5.4)
+    recog (2.1.6)
+      nokogiri
+    redcarpet (3.4.0)
+    rex-arch (0.1.4)
+      rex-text
+    rex-bin_tools (0.1.3)
+      metasm
+      rex-arch
+      rex-core
+      rex-struct2
+      rex-text
+    rex-core (0.1.10)
+    rex-encoder (0.1.4)
+      metasm
+      rex-arch
+      rex-text
+    rex-exploitation (0.1.14)
+      jsobfu
+      metasm
+      rex-arch
+      rex-encoder
+      rex-text
+    rex-java (0.1.5)
+    rex-mime (0.1.5)
+      rex-text
+    rex-nop (0.1.1)
+      rex-arch
+    rex-ole (0.1.6)
+      rex-text
+    rex-powershell (0.1.72)
+      rex-random_identifier
+      rex-text
+    rex-random_identifier (0.1.2)
+      rex-text
+    rex-registry (0.1.3)
+    rex-rop_builder (0.1.3)
+      metasm
+      rex-core
+      rex-text
+    rex-socket (0.1.6)
+      rex-core
+    rex-sslscan (0.1.4)
+      rex-socket
+      rex-text
+    rex-struct2 (0.1.2)
+    rex-text (0.2.15)
+    rex-zip (0.1.3)
+      rex-text
+    rkelly-remix (0.0.7)
+    robots (0.10.1)
+    ruby_smb (0.0.12)
+      bindata
+      rubyntlm
+      windows_error
+    rubyntlm (0.6.2)
+    rubyzip (1.2.1)
+    sawyer (0.8.1)
+      addressable (>= 2.3.5, < 2.6)
+      faraday (~> 0.8, < 1.0)
+    sqlite3 (1.3.13)
+    sshkey (1.9.0)
+    thor (0.19.4)
+    thread_safe (0.3.6)
+    tzinfo (1.2.3)
+      thread_safe (~> 0.1)
+    tzinfo-data (1.2017.2)
+      tzinfo (>= 1.0.0)
+    windows_error (0.1.2)
+    xmlrpc (0.3.0)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  metasploit-framework!
+
+BUNDLED WITH
+   1.14.6
diff --git a/pkgs/tools/security/metasploit/default.nix b/pkgs/tools/security/metasploit/default.nix
@@ -1,34 +1,51 @@
-{ stdenv, fetchurl, makeWrapper, ruby }:
-
-stdenv.mkDerivation rec {
+{ stdenv, fetchFromGitHub, makeWrapper, ruby, bundlerEnv, ncurses }:
+
+# Maintainer notes for updating:
+# 1. increment version number in expression and in Gemfile
+# 2. run $ nix-shell --command "bundler install && bundix"
+#    in metasploit in nixpkgs
+
+let
+  env = bundlerEnv {
+    inherit ruby;
+    name = "metasploit-bundler-env";
+    gemdir = ./.;
+  };
+in stdenv.mkDerivation rec {
   name = "metasploit-framework-${version}";
-  version = "3.3.1";
+  version = "4.14.17";
 
-  src = fetchurl {
-    url = "http://downloads.metasploit.com/data/releases/archive/framework-${version}.tar.bz2";
-    sha256 = "07clzw1zfnqjhyydsc4mza238isai58p7aygh653qxsqb9a0j7qw";
+  src = fetchFromGitHub {
+    owner = "rapid7";
+    repo = "metasploit-framework";
+    rev = version;
+    sha256 = "0g666lxin9f0v9vhfh3s913ym8fnh32rpfl1rpj8d8n1azch5fn0";
   };
 
-  buildInputs = [makeWrapper];
+  buildInputs = [ makeWrapper ];
+
+  dontPatchelf = true; # stay away from exploit executables
 
   installPhase = ''
-    mkdir -p $out/share/msf
-    mkdir -p $out/bin
+    mkdir -p $out/{bin,share/msf}
 
     cp -r * $out/share/msf
 
     for i in $out/share/msf/msf*; do
-        makeWrapper $i $out/bin/$(basename $i) --prefix RUBYLIB : $out/share/msf/lib
+      bin=$out/bin/$(basename $i)
+      cat > $bin <<EOF
+#!/bin/sh -e
+exec ${env}/bin/bundle exec ${ruby}/bin/ruby $i "\$@"
+EOF
+      chmod +x $bin
     done
   '';
 
-  postInstall = ''
-    patchShebangs $out/share/msf
-  '';
-
-  meta = {
+  meta = with stdenv.lib; {
     description = "Metasploit Framework - a collection of exploits";
     homepage = https://github.com/rapid7/metasploit-framework/wiki;
-    platforms = stdenv.lib.platforms.unix;
+    platforms = platforms.unix;
+    license = licenses.bsd3;
+    maintainers = [ maintainers.makefu ];
   };
 }