Making Beautiful Exploits



This week, most of our energy has been spent on making Metasploit modules more beautiful. If you're not aware, we have this long-standing bug, Couple hundred msftidy warnings, which deal mostly with the style and syntax of Metasploit modules. msftidy.rb is a little Ruby script that does some basic sanity checking on new Metasploit modules checking, and hopefully soon, some basic fixing, too. If you plan to commit to Metasploit, I strongly encourage you to see about working this little guy into your pre-commit hooks by using the script pre-commit-hook.rb down in tools/dev land:

https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit- hook.rb

Setting this up is pretty easy -- the comment docs explain it best:

# To install this script, make this your pre-commit hook your local # metasploit-framework clone. For example, if you have checked out # the Metasploit Framework to: # # /home/mcfakepants/git/metasploit-framework # # then you will copy this script to: # # /home/mcfakepants/git/metasploit-framework/.git/hooks/pre-commit # # You must mark it executable (chmod +x), and do not name it # pre-commit.rb (just pre-commit) # # If you want to keep up on changes with this hook, just: # # ln -sf <this file> <path to commit hook>

That's it! You can now safely commit things to your local feature branch and know that you're not accidentally trying to send us modules that core committers will no doubt bug you about. For a little while, we had msftidy also checking incoming pull requests on Travis-CI, but apparently that's not quite working anymore (still digging into it, probably has to do with commit depth). Soon it'll work again, I promise, so we can auto-fail anything that doesn't pass this minimum bar we've established for acceptability.

Yes, this is all a little bit fascist. But it's fascism with a heart, I promise. Beloved Metasploit contributor Chris John Riley mused on msftidy's ways in a tweet about his joy in using msftidy to clean up his code. That sparked a little bit of a back and forth from a few Metasploit graybeards about the particular virtues of msftidy. Of course, I just happen to have this soap box right here, so I may as well use it.

For me, as a maintainer of a whole lot of people's code (around 200ish direct contributors), msftidy gives me a way to stave off code rot. Remember, we're not writing code for computers -- that's the easy part. We spend an awful lot of time writing code for humans, and as it so often happens, one of those humans is yourself, six months in the future, looking at a bug report.

So, when some simple patterns are recognized and reused, it makes the business of figuring out bugs, adding functionality, and generally maintaining a library of about 2500 Metasploit modules kind of a reasonable task. Otherwise, we'd be spending all our time trying to figure out tabstops and chasing down shadow datastore options and cleaning out old SVN artifacts over and over and over again, leaving no time left over to do useful work like advance the state of the art of security.

To be clear: if you want to write in your own personal idiomatic style, go nuts! I won't stop you. Seriously, there are 1600 forks of Metasploit. Maybe some of them do things a little differently. Sadly, though, we won't be able to accept your nuggets of awesome in our professional (free) product, so if you want to have your stuff in the most popular Metasploit fork, there are some (honestly, not too hard) basic guidelines to follow.

Thanks to William Vu and Christian Mehlmauer for their recent work on making msftidy a better tool for sustainable security development.

New Modules

This week's release features two new modules, including another bit of browser trickery from Joe Vennix, a Firefox shellcode execution wrapper. It's pretty neat, in that you can upgrade your Firefox javascript shells (detailed in Joe's blog post from January, 2014) to proper Meterpreter shells, all without writing anything to disk. Dang!

Exploit modules

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows, either the totally free Metasploit Community Edition, or the 7-day free trial of Metasploit Pro. If you're the sort to track bleeding-edge development code, then these modules are but an msfupdate command away. For readers who are already using Metasploit Community or Metasploit Pro, you'll be able to install the new hotness today via the Administration : Software Updates button.

For additional details on what's changed and what's current, please see Brandont's most excellent release notes.