HTTPS clone URL
Subversion checkout URL
- Committer Keys
- Committer Rights
- Common Metasploit Module Coding Mistakes
- Contributing to Metasploit
- Creating Metasploit Framework LoginScanners
- Debugging Dead Meterpreter Sessions
- Decommissioning Redmine
- Downloads by Version
- Evading Anti Virus
- Exploit Ranking
- Git cheatsheet
- Git Gotchas
- Git Reference Sites
- Guidelines for Accepting Modules and Enhancements
- How payloads work
- How to add and update gems in metasploit framework
- How to check Microsoft patch levels for your exploit
- How to clean up files using FileDropper
- How to deprecate a Metasploit module
- How to do reporting or store data in module development
- How to get Oracle Support working with Kali Linux
- How to get started with writing a Meterpreter script
- How to get started with writing a post module
- How to get started with writing an auxiliary module
- How to get started with writing an exploit
- How to log in Metasploit
- How to Send an HTTP Request Using HTTPClient
- How to send an HTTP request using Rex::Proto::Http::Client
- How to use a Metasploit module appropriately
- How to use a reverse shell in Metasploit
- How to use datastore options
- How to use exim_gethostbyname_bof.rb (Exim GHOST Buffer Overflow)
- How to use Msf::Auxiliary::AuthBrute to write a bruteforcer
- How to use msfvenom
- How to use PhpEXE to exploit an arbitrary file upload bug
- How to use Powershell in an exploit
- How to use Railgun for Windows post exploitation
- How to Use the FILEFORMAT mixin to create a file format exploit
- How to use the Msf::Exploit::Remote::Tcp mixin
- How to use the Seh mixin to exploit an exception handler
- How to use WbemExec for a write privilege attack on Windows
- How to write a browser exploit using BrowserExploitServer
- How to write a browser exploit using HttpServer
- How to write a check() method
- How to write a HTTP LoginScanner Module
- How to write a module using HttpServer and HttpClient
- How to zip files with Rex::Zip::Archive
- Indentation Standards
- Information About Unmet Browser Exploit Requirements
- Issue Labels
- Keeping in sync with rapid7 master
- Landing Meterpreter Pull Requests
- Landing Pull Requests
- Loading External Modules
- Metasploit development environment
- Metasploit Loginpalooza
- Metasploit module reference identifiers
- Meterpreter Configuration
- Meterpreter HTTP Communication
- Meterpreter Paranoid Mode
- Meterpreter Reliable Network Communication
- Meterpreter Sleep Control
- Meterpreter Stageless Mode
- Meterpreter Timeout Control
- Meterpreter Transport Control
- Meterpreter Unicode Support
- Meterpreter Wishlist
- Nightly Installers
- Oracle Usage
- Payload Rename Justification
- Payload UUID
- Remote Branch Pruning
- Reporting a Bug
- Resuscitating Dead Pull Requests
- Rolling back merges
- Setting Up a Metasploit Development Environment
- State of Meterpreter
- Style Tips
- The ins and outs of HTTP and HTTPS communications in Meterpreter and Metasploit Stagers
- Unstable Modules
- Using Git
- Using Metasploit
- What does my Rex::Proto::SMB Error mean?
- Home Welcome to Metasploit!
- Using Metasploit A collection of useful links for penetration testers.
Setting Up a Metasploit Development Environment From
- CONTIBUTING.md What should your contributions look like?
- Landing Pull Requests Working with other people's contributions.
- Using Git All about Git and GitHub.
- Contributing to Metasploit Be a part of our open source community.
- Meterpreter All about the Meterpreter payload.
Clone this wiki locally
Sometimes, modules contributed to Metasploit don't quite cross the finish line. This can be for a variety of reasons. Most often, it is because the module submission was a "drive-by" -- the original author is not interested (or not able) to implement and test needed changes in order to make the module production worthy.
Luckily, git makes it easy to be a pack rat for these unfinished modules. We have a separate branch for these unstable modules, imaginatively named, Unstable.
Unstable modules have their own special directory structure -- they should not hit the regular
modules/ subdirectory, since we don't want to conflict with existing or future modules. We also want to make it easy to spot which modules are unstable. So, new modules should get landed there with the following procedure.
- First, get unstable up to date with upstream/master:
git checkout unstable; git merge upstream/master; push upstream
- Create a local branch off of the PR:
git checkout -b temp-pr1234 --track upstream/pr/1234
- Create a local branch off of unstable:
git checkout -b unstable-pr1234-modulename --track upstream/unstable
- Find the module paths:
git diff upstream/master...upstream/pr/1234 --name-only
- Git checkout the module(s) in question:
git checkout temp-pr1234 modules/exploits/path/to/module.rb
- Move the files to the appropriate directory:
git mv modules/exploits/path/to/module.rb unstable-modules/exploits/incomplete
- Commit the result:
- Send a pull request targeting the unstable branch, not the master branch: https://github.com/YOU/metasploit-framework/compare/rapid7:unstable...unstable-pr1234-modulename?expand=1 . Be sure to mention the original pull request number in the description so the PR will be updated accordingly.
This assumes you're set up for development a la http://r-7.co/MSF-DEV with Rapid7's branch being the "upstream" repo.
For an example of this procedure, see PR #2801.
If someone has library changes that cannot be merged to master, we cannot hang on to them in unstable. There is no sensible way to maintain that kind of branch over any reasonable time period, since conflicts will surely abound soon. Unstable scripts and plugins are okay, though.
If you'd like to rescue an unstable module, great! Just note that it's an unstable rescue in the pull request, and the original PR number (if you can find it), when you pull it back out. You can do a similiar
git checkout to grab the file and then
git mv it to the right spot again.
This is not
unstable in the Debian sense -- they're not latest versions, they get no fixes unless someone adopts them, and they may end up crashing out all of framework when loaded. No guarantees are made, ever, despite things like