28 Hours Later
This week, much of the Metasploit Framework and Metasploit Pro teams here at Rapid7 had the opportunity to get some intense, in-person training on exploit development from long-time Metasploit contributor, Peter corelanc0d3r Van Eeckhoutte and local Corelan Teammates @_sinn3r and TheLightCosine. I'm the first to admit that my memory corruption skills are pretty light (I hang around mostly on network wires, not stack memory), so to have exclusive access to hacker luminaries like these guys while being able to practice that skill set over two days was an amazing experience. Also, Peter's class was literally right about 28 hours over two days (which is how long it takes to zombify a person, apparently). If you have a chance to attend one, you will want to bulk up on proteins beforehand.
This is all a long way of explaining why we haven't been too active on IRC and on SecurityStreet this past week and why this blog post is a little bit late. Sorry about that. (:
MSFTidy as a Pre-Commit hook
Aside from the modules below, this release packages up a Git pre-commit hook for exploit developers. Git's pre-commit hooks are a useful mechanism to fire off a last-minute check on some code you're about to commit, and we have this great utility to do just that, so why not marry the two together? Now, if you simply link msftidy to your pre-commit hooks (as explained in the comment docs here) you will no longer suffer the wrath of sinn3r or Juan when you describe your exploit as a "stack overflow" when it's really a stack buffer overflow (among the many other lint checks).
Using this pre-commit hook will at least make sure that your code passes a minimum syntax and style bar, which tends to mean a faster trip through our Pull Queue, which means more exploits, which means more shells for everyone.
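How a pre-commit lint hook of this kind works, as an added example that is neither msftidy nor the Metasploit project's own hook: the two rules, the `modules/` path filter and all function names are assumptions made for illustration.

```ruby
#!/usr/bin/env ruby
# Added example: a Git pre-commit hook that lints staged Ruby module files.
# Not msftidy itself; the rule set below is constructed for illustration.
require 'open3'

# Hypothetical lint rules: [pattern, message].
RULES = [
  [/stack overflow/i, 'say "stack buffer overflow", not "stack overflow"'],
  [/[ \t]+$/,         'trailing whitespace']
].freeze

# Return [line_number, message] pairs for every rule a source string breaks.
def lint(source)
  findings = []
  source.each_line.with_index(1) do |line, no|
    text = line.chomp
    RULES.each { |re, msg| findings << [no, msg] if text =~ re }
  end
  findings
end

# Keep only staged paths that look like modules (assumed layout: modules/**/*.rb).
def module_paths(paths)
  paths.select { |p| p.start_with?('modules/') && p.end_with?('.rb') }
end

# Paths added, copied or modified in the index; deleted files are skipped.
def staged_paths
  out, status = Open3.capture2('git', 'diff', '--cached', '--name-only', '--diff-filter=ACM')
  status.success? ? out.split("\n") : []
end

# Lint the staged blob (git show :path), not the working-tree copy, so the
# check sees exactly what is about to be committed.
def run_hook
  failed = false
  module_paths(staged_paths).each do |path|
    blob, status = Open3.capture2('git', 'show', ":#{path}")
    next unless status.success?
    lint(blob).each do |no, msg|
      warn "#{path}:#{no}: #{msg}"
      failed = true
    end
  end
  failed ? 1 : 0 # a non-zero exit status makes Git abort the commit
end

# Run only when installed (copied or symlinked) as .git/hooks/pre-commit.
exit run_hook if File.basename($PROGRAM_NAME) == 'pre-commit'
```

Git runs the hook only if the file is executable, and `git commit --no-verify` skips it, so a hook like this complements review rather than replacing it.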
New Modules
In this week's haul of eight new modules, we have a really handy UNC path injector for Word documents from Metasploit contribution newcomer Artien Sphaz Bel. With this module, Sphaz has essentially automated a classic NTLM hash-stealing attack by using arbitrary documents, making this crazy useful. Thanks Sphaz! Of course, this means the race is on for XLSX and PPTX versions of the same attack (because, you know, variety).
Here are the rest -- thanks to everyone who threw in this week while we were basking in the radioactive supernova of 31337ness that is Corelan Team.
- Microsoft Word UNC Path Injector by SphaZ
- Novell Groupwise Agents HTTP Directory Traversal by juan vazquez and r () b13$ exploits CVE-2012-0419
- Simple Web Server 2.3-RC1 Directory Traversal by sinn3r and CwG GeNiuS exploits OSVDB-88877
- Titan FTP Administrative Password Disclosure by Spencer McIntyre exploits CVE-2013-1625
- Novell GroupWise Client gwcls1.dll ActiveX Remote Code Execution by juan vazquez and rgod exploits ZDI-13-008
- VMWare OVF Tools Format String Vulnerability by juan vazquez and Jeremy Brown exploits CVE-2012-3569
- VMWare OVF Tools Format String Vulnerability by juan vazquez and Jeremy Brown exploits CVE-2012-3569
- Windows Manage Persistent Payload Installer by Carlos Perez