About me
My name is Matt Weeks and my email is scriptjunkie at scriptjunkie {nospam} us or scriptjunkie at metasploit {nospam} com. I occasionally tweet at @scriptjunkie1. I know there is more important stuff to worry about, but I do a lot of information security research.
Shameless self-promotion:
I am a community developer for the Metasploit framework, one of the most widely-used security tools in the world. Since 2009, I have written and released client-side exploits, privilege escalation exploits, and persistence tools. I have also written shellcode, payloads for various architectures and exploits, DHCP and PXE servers, and the graphical user interface. I wrote the most recent executable shellcode injection capability in Metasploit, and I created a mechanism to directly execute shellcode in Microsoft Office documents via macros. I also contributed to the writing and maintenance of the Remote Procedure Call and GUI interfaces, and my work provides a backend for the Armitage and Cobalt Strike tools to interface with Metasploit. Below are links to some of the public releases from this work, but full details can be viewed by searching Metasploit public repository commit logs for commits from scriptjunkie.
“Direct shellcode execution in MS Office macros” This article detailed how my new Metasploit payload work could create a macro for a Microsoft Office document that would directly execute an arbitrary shellcode payload without dropping an executable or spawning another process. My work is now in wide use by penetration testers for social engineering attacks. January 22, 2012. http://www.scriptjunkie.us/2012/01/direct-shellcode-execution-in-ms-office-macros/
“Network Nightmare – Intel PXE” and “Network Nightmare: Ruling The Nightlife Between Shutdown And Boot With Pxesploit” In this series of presentations at DEFCON and the Intel Security Conference, I demonstrated how the PXE protocol provides the equivalent of a reliable, remote, root, unpatched, unauthenticated exploit for a popular service, and many ways it could be exploited, complete with code released for the Metasploit framework. This attack is also popular with pentesters. August 7, 2011. http://www.scriptjunkie.us/2011/12/network-nightmare-intel/ http://www.defcon.org/html/links/dc-archives/dc-19-archive.html#Weeks
“Custom Payloads in Metasploit 4” This article introduced some payload work I had written for Metasploit, including the ability to create parallel multipayloads, and use fully custom executables in exploits. August 14, 2011. http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/
Other releases:
“Malicious VM to Host Attacks” In this article, I demonstrated and released an exploit that would allow a VirtualBox VM to compromise the host. May 6, 2012. http://www.scriptjunkie.us/2012/05/malicious-vm-to-host-attacks/
“Original Source Forgery” This article demonstrated the ability to alter the apparent original source of a webpage and hide attacks such as XSS. September 8, 2011. http://www.scriptjunkie.us/2011/09/original-source-forgery/
“Bypassing DEP/ASLR in browser exploits with McAfee and Symantec” This article demonstrated a DEP/ASLR bypass in fully-patched Windows Vista and 7 systems using DLLs from common antivirus vendors. It resulted in a change to the Firefox browser to force ASLR for extensions, and fixes for similar vulnerabilities in antivirus products. June 28, 2011. http://www.scriptjunkie.us/2011/06/bypassing-dep-aslr-in-browser-exploits-with-mcafee-symantec/ also see http://blog.kylehuey.com/post/18120485831/address-space-layout-randomization-now-mandatory-for
“Why Encoding does not Matter and How Metasploit Generates EXE’s” This article dissected popular techniques for antivirus evasion, and explained how payload executables are actually generated in Metasploit, dispelling popular myths widely taught by reputable organizations such as SANS. April 15, 2011. http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/
“Chaos, Cryptology, and the Coupled Map Lattice” This paper fully broke a mobile device cryptosystem proposed in an IEEE journal implemented with a chaos theory-based hardware random number generator. April 19, 2010. http://www.scriptjunkie.us/files/chaos.pdf
“Counterattack – Turning the tables on exploitation attempts from tools like Metasploit” This Black Hat DC 2011 presentation released the first vulnerabilities in Metasploit itself, and demonstrated numerous ways of compromising an attacking system. My fix is now the basis of preventing exploits such as this one in the widely-used Metasploit framework, and led to the immediate removal of the vulnerable msfweb interface among other changes. https://www.blackhat.com/html/bh-dc-11/bh-dc-11-archives.html#Weeks