About me

My name is Matt Weeks and my email is scriptjunkie@scriptjunkie.us. You can find my resume here. I occasionally tweet at @scriptjunkie1. I know there is more important stuff to worry about, but I do a lot of information security research.

PGP key

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: SKS 1.1.0

mQINBFGQLWwBEAChj84Zh/S+WxjsEpDHp0ewKOAZQocyxc1rjt4VG9CaxeLJtA8Il5LYO8KV
Ei9AnI+TCh/Eyj+bot0aJQM9pCc6WOUFHvkqmOnjT8YJITRKTM8ggooXUi59I100JGOc2290
ILfZe+kuh6U27jdusu0XNQ64NWY7Eh9jPyiyGA5ow6PSsecg7Mehylx60MI8PfiZqQQ15dux
g2X2ZEbq9CYxe5SwO5etVSSJiiRQmPGQt5bur5u3Mphrmm8mRHvKOuxJGZd7w4BGxthJlyrL
F568kuGkiNDURyjvK4VoS/UIHAO8iqBPYPiL8rrMlBiDyaKsKyWeRSYOmMwqxR7xJd/2ng8L
gU9mHW1jbQFWpBMLrE8tFzSeMn5XJHd4aRADQGmB17GC4Lv6gC3krTZ9wNsHC7ANVRwaMRfR
Lt6ExvrfEozymok66Im2eczbQGTDG3gqxhaB7phHDbcr+bGIfe8OuCSSbnjVEjEoxx8lF2aT
BvMWoH84rtsRqur6+otPvipLFT2wNKE/4XzhMJ/91wsQb8Z0+OdNHd2wiZVRCb/Om0UAnI14
YBsywEKlR6m/nX/n5ujiI3FkdRzxgEzmCT/s6pKD51IXadTH2X1NQtz30OfUrxxBHA1mFUT+
5cK0cVfpSW1yckI0VtrY124B7qU+t4OhBm0ZHtQqv0coL9z0NQARAQABtC5zY3JpcHRqdW5r
aWUudXMgPHNjcmlwdGp1bmtpZUBzY3JpcHRqdW5raWUudXM+iQI5BBMBAgAjBQJRkC1sAhsv
BwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQ4PSQUlkca139aA/7Bi7tFJkE821f/XRN
mkJ03Vhq8+KfXSu6wV4C4jxrVBk2jYBDpZzuuSKCsLnHbngYqlfTW3cmzq/J6v3sJSHTdFcL
y1MLHElgRhL/8zKr4YuIvZBNnIFpaLoiwPnjaGvAOei/o60HvGkislIP1Bx52XtdDycL6eS+
TXXrLBPhTJjFEw4z4peFrDvAs0obNNZieLJWMrwiYoMQ4yHFDoSZVlYFMaO3IsG9Jsy12k7S
l4ZBHOUT7wdkeVtcMyRXCmYKREoH4slFIu5yrivsf+RtzG5a0a8WSOUWz33sd77u4fgY7a4t
uVFoeiYmP0pKsu7GN1yU5i1FS1YhGneiGI4jhrWLi6gMMFP4/SZs3YZ8nW3yOWwNwqAin84M
mDmng6sqo4mV1cCuaJTY0bLOvWIbNRx1YM7bFsEdtWfDLykXLuqMZr5TLK2j/IxlZX5xh9Oo
KUtmtt+7oC9Ibj6g0hDW/S3kQXSSk3usSprzgCW+s1q0NO3QlK9i9BiZhJbsrra39ZQcpGb0
PkpgyOVQK+6dsxVgcgdR2nLmElpxV0GNAmLDPiMt3JKlD1rI47pVhbekJ+n8Kwt0IDbZDVoD
tzQZQ1B7L5T2Qd1fzEwIx2A1tNuS7UnFTW08Mojs0OXleHmIDJ3NN537KKPcHdmRV+FPyE0R
+H1NmhRhMeo23pVsbHm5Ag0EUZAtbAEQAMA7hRo7X4RsX9wWU1oQAPLQmkRS1avpYi6v91ZH
hoNA25KlgTIc5avooQ5NZrH4zu6a9s4YJ/eW0vpwHvwo0ZCRTLyuGXvPZMC1SRT0/pDJwSMm
9mAaVG9wgaFxGktnwQTZ82Vr/99c0QtUM/V4Z4oaEla671AzSol2FqxB4q+zUOEmWLUCSUNB
3Ot4c/yqutf18+lyIfOU4Fux6RA4wByy3MxXj3foJNdR0Ftz5c0Z9C075X1Q46iGDeL4AJHr
g6QNhr1q68qvLVVXDCk74092NeAv3t0gFxEBbuDYjkjZ8v3XDByVg+CHvERssa4rmiGetljN
SouPZ4RVSs2DwQm7FcB1+CE37tBRNCfMGiVD/5bTXL6dOcoptJr69nJLRhoOoAQBbqZjz7IV
NOQYbj9OVW+0jHZGr5e5sWiUpwWGPj1VcyNtjCbhtmk250UC5LN2Vh5et+S0TIEHO4hPQ0dH
4i9FZxsDyb035M2izJaQXun/hNNbfHYFgk5c8hwDDD70sZjc3rCGJieemVIaZzRYtNoDAVjD
t4/uPxxf3Ukp8hBd2RImVvkWeZIkhvENBzEadTDaPLyDTig8qABopIQPiumCQtRuiqbC11kf
ORaX2qNfN+RMLE6XwIogn85jaIQ9X+IIpyAybm1pNd0v52ryru/ySWyEUllvm/0a0AudABEB
AAGJBD4EGAECAAkFAlGQLWwCGy4CKQkQ4PSQUlkca13BXSAEGQECAAYFAlGQLWwACgkQ6J3i
VckhosZOdhAAnqJpczg7e0miClhetrysCr+bY3DNJ3M4WHulpHZIvgbGLB8oO/0Z4XUYlC/v
dWQ/WxPcssZhAFnPElb+0yDM0/YtCh4XHUQAXfRQRA1sqYjO8Y/VNZadrU6FNyVwJIr7RPQ6
vzjWWQTU3/Fa47vnE51nLTEdVeP3A3dbenEzs78OgUxicFMNkGubyG+eYHxFTyLUf3NlkQBV
2bQndvpp5ZOci+ooeEZ4eO6fzgI1BD1ZGl7NZHcxp+3yM/GL1cb7Q2UsBIBCW2u8BIlDUrKr
Pm/2v7ODVqjkP2zexcX2sXZ2U3M7TjS0w81Y8PeZ+2DP5aVkaUB6wobnJFPJfrNa/afRVo0Z
X8QEvoN9mf6fxdJ3aED9VUPO7ERfVNyg8PLSJnp+LrBOG4TO7GerA5j65NOnWtf8CLN1HO9X
5uZraZDhaWvD6zFSeVz/2/dzeu3cJLxboV/qFAUDw8+WooRX568GKIfG9Sf3EH2/x1BHmLkQ
2eFqFnui1Nf6TLNFE0QYC2QKrRknq6Yg2jpsiTTrMgxnFal7O26xkHQ4CcMPPAcYZwEugWhk
zv0faSJ6CYosmFECbel7fcq2suP2sQrYH701Jo3HabZYeegjbKJ9KCjDxwNaFm4D0dEq7q7V
4QYLBi4Lwe0LWvV9HRRI3/8ODEjDVWNnmD5PybNkbrecCaqSOg//StT3u6Bt1NsKrj/f8Svv
eVGtOhj9O2LhP3U26eGxNAoNWXF0K14jbFU/9cTKPDMRcbqnRnR6fc5BEzZ+DZuxN7KrH6iQ
apxSRktvpj/gTJY+H8k7ogRAbKdEq+JLDwSFdW0oy/ycdZHysXYs4keneyaNBRL7qCtDYnb+
L7V6G5sBl04bfScVktQ1KwjfXL7bhoPEeW2/lADS2yifzKM/fpXTLHl1WI720y0WYQEUs2sw
kYLLAq14zLbJHeJ1LsqJ7s7PV6iUTfxXICbdbTk/mHrP6w/N30cy9UW62zUC4z1o6NsHYFIQ
K6mSCfDyvZyw8uv3Iv/cGCv7LFGs1nCpbi3Fh3mO1w+ynsBsBVCHOXDgWuKcEBnP4IuHXJWp
bb0bXw4f1eYg79KeSTZexTzw0+ylteicuWfl7cScQvxfuclOZIivzuUUwWkyKUNVgl9kmMhB
OPkWAnOCbjAHU+/TUKmx4DM60cD2VhqhLvFA26PkPMi3Kd/R69oA5J42amaspTvLU6AuGkCY
ocCoiJQ3DXJOs6+fWblRKacHJXkr4X6hPCY8yEtgtkuWuRWuLHvV1IBYcYs2CTc9ugjDRofC
a7Y8Hbtjhd8i8jLzlGxyc/41CJSIWflB8H5Q5x43yucvueQY51PGCbxeFAcYFgCN04qSTyWn
f0cNpnotyumhMaY=
=FiXw
-----END PGP PUBLIC KEY BLOCK-----

shameless self promotion:

I am a community developer for the Metasploit framework, one of the most widely-used security tools in the world. Since 2009, I have written and released client-side exploits, privilege escalation exploits, and persistence tools. I have also written shellcode, payloads for various architectures and exploits, DHCP and PXE servers, and the graphical user interface. I wrote the most recent executable shellcode injection capability in Metasploit, and I created a mechanism to directly execute shellcode in Microsoft Office documents via macros. I also contributed to the writing and maintenance of the Remote Procedure Call and GUI interfaces, and my work provides a backend for the Armitage and Cobalt Strike tools to interface with Metasploit. Below are links to some of the public releases from this work, but full details can be viewed by searching Metasploit public repository commit logs for commits from scriptjunkie.

“Direct shellcode execution in MS Office macros” This article detailed how my new Metasploit payload work could create a macro for a Microsoft Office document that would directly execute an arbitrary shellcode payload without dropping an executable or spawning another process. My work is now in wide use by penetration testers for social engineering attacks. January 22, 2012. http://www.scriptjunkie.us/2012/01/direct-shellcode-execution-in-ms-office-macros/

“Network Nightmare – Intel PXE” and “Network Nightmare: Ruling The Nightlife Between Shutdown And Boot With Pxesploit” In this series of presentations at DEFCON and the Intel Security Conference, I demonstrated how the PXE protocol provides the equivalent of a reliable, remote, root, unpatched, unauthenticated exploit for a popular service, many ways it could be exploited, complete with code released for the Metasploit framework. This attack is also popular with pentesters. August 7, 2011. http://www.scriptjunkie.us/2011/12/network-nightmare-intel/ http://www.defcon.org/html/links/dc-archives/dc-19-archive.html#Weeks

“Custom Payloads in Metasploit 4” This article introduced some payload work I had written for Metasploit, including the ability to create parallel multipayloads, and use fully custom executables in exploits. August 14, 2011. http://www.scriptjunkie.us/2011/08/custom-payloads-in-metasploit-4/

Other releases:

“Malicious VM to Host Attacks” In this article, I demonstrated and released an exploit that would allow a VirtualBox VM to compromise the host. May 6, 2012. http://www.scriptjunkie.us/2012/05/malicious-vm-to-host-attacks/

“Original Source Forgery” This article demonstrated the ability to alter the apparent original source of a webpage and hide attacks such as XSS. September 8, 2011. http://www.scriptjunkie.us/2011/09/original-source-forgery/

“Bypassing DEP/ASLR in browser exploits with McAfee and Symantec” This article demonstrated a DEP/ASLR bypass on fully patched Windows Vista and 7 systems using DLLs from common antivirus vendors that were built without ASLR support. It resulted in a change to the Firefox browser to force ASLR for extensions, and fixes for similar vulnerabilities in antivirus products. June 28, 2011. http://www.scriptjunkie.us/2011/06/bypassing-dep-aslr-in-browser-exploits-with-mcafee-symantec/ also see http://blog.kylehuey.com/post/18120485831/address-space-layout-randomization-now-mandatory-for
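The bypass above works because a module linked without the DYNAMIC_BASE flag loads at its preferred base on every run, which hands an exploit a predictable source of return addresses and ROP gadgets. The check below is an added example (it is not code from the article or from Metasploit): it reads the DllCharacteristics field of a PE optional header and reports whether the image opts in to ASLR (DYNAMIC_BASE) and DEP (NX_COMPAT). The sample images it parses are constructed in the script itself as header-only PE files, and the module names in the usage are invented placeholders.

```python
"""Report ASLR/DEP opt-in for PE images by reading IMAGE_OPTIONAL_HEADER.DllCharacteristics.

Added example, not taken from the original page. The two sample PE images built by
build_test_pe() are constructed here for the example and are not real binaries.
"""
import struct
import sys

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image can be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image is compatible with DEP
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_dll_characteristics(data: bytes) -> int:
    """Return the DllCharacteristics flags of a PE image held in memory."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                 # IMAGE_FILE_HEADER is 20 bytes
    opt = coff + 20                     # IMAGE_OPTIONAL_HEADER starts with Magic
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ layouts.
    return struct.unpack_from("<H", data, opt + 70)[0]


def mitigation_report(data: bytes) -> dict:
    """Map an image to {'aslr': bool, 'dep': bool} based on its header flags."""
    flags = pe_dll_characteristics(data)
    return {
        "aslr": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
    }


def find_fixed_base_modules(modules: dict) -> list:
    """Given {name: image bytes}, return the names that will load at a fixed base.

    Any module listed here is a usable ROP/return-address source in a process
    that is otherwise fully randomized, which is the condition the bypass relies on.
    """
    return sorted(name for name, data in modules.items()
                  if not mitigation_report(data)["aslr"])


def build_test_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Construct a minimal header-only PE image (constructed sample data, not a real DLL)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (DLL | EXECUTABLE_IMAGE)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x2102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: pass DLL paths on the command line.
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                print(path, mitigation_report(fh.read()))
    else:
        # Offline demo on constructed images; the names are placeholders.
        samples = {
            "hardened_example.dll": build_test_pe(0x0140),            # ASLR + DEP
            "legacy_example.dll": build_test_pe(0x0000, pe32plus=True),  # neither
        }
        for name, image in samples.items():
            print(name, mitigation_report(image))
        print("fixed-base modules:", find_fixed_base_modules(samples))
```

On a live system the same check is usually run over every module in the browser process, because one non-randomized DLL, whatever vendor shipped it, is enough to defeat ASLR for the whole process.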

“Why Encoding does not Matter and How Metasploit Generates EXE’s” This article dissected popular techniques for antivirus evasion, and explained how payload executables are actually generated in Metasploit, dispelling popular myths widely taught by reputable organizations such as SANS. April 15, 2011. http://www.scriptjunkie.us/2011/04/why-encoding-does-not-matter-and-how-metasploit-generates-exes/

“Chaos, Cryptology, and the Coupled Map Lattice” This paper fully broke a mobile device cryptosystem proposed in an IEEE journal implemented with a chaos theory-based hardware random number generator. April 19, 2010. http://www.scriptjunkie.us/files/chaos.pdf

“Counterattack - Turning the tables on exploitation attempts from tools like Metasploit” This Black Hat DC 2011 presentation released the first vulnerabilities in Metasploit itself, and demonstrated numerous ways of compromising an attacking system. My fix is now the basis of preventing exploits such as this one in the widely-used Metasploit framework, and led to the immediate removal of the vulnerable msfweb interface among other changes. https://www.blackhat.com/html/bh-dc-11/bh-dc-11-archives.html#Weeks

  1. #1 by drwolf on March 27, 2014 - 7:37 pm

    CVE-2014-1761 sounds like it is right up you alley.

  2. #2 by drwolf on March 27, 2014 - 7:51 pm

    *your…lol

  3. #3 by Derp on February 1, 2015 - 3:18 am

    your blog is fuckin rad. thanks for some frank and transparent opinions

  4. #4 by Aaron Rogers on July 6, 2016 - 8:38 pm

    Matt,

    Thank you for the work that you do! Your blog is great.

    I’m wondering if you could offer some advice/suggested resources for doing the following:

    I’ve got a RHEL6.7 server running apache. I’ve been asked to enable hardware token (smartcard) authentication on the server’s application home page if a token is available, but use username/password authentication if there is no token available.

    Basically, it comes down to this:
    If I have a smartcard inserted into my card reader and I go to https://servername.domain I should be prompted to enter the pin to my smartcard and, if the pin is correct, be taken to the app home page.

    If I do not have a smartcard in my card reader and I go to https://servername.domain I should be prompted to enter a username/password to authenticate.

    Is the above scenario possible? If so, how would I go about it?

    Thanks so much for any help/advice you can offer!

    Aaron
