Dissecting CrystalPrintControl

This week's update is, by all accounts, pretty light. This may be the first update we've shipped that has exactly one new module. To make up for the lack of quantity, though, we've got some quality for you, oh boy.

If it's snowy and blustery where you live, grab yourself a cup of hot cocoa, gather the kids, and watch their little eyes twinkle in the firelight as you regale them with the classic fable of how Metasploit Exploitation Elf Juan @_juan_vazquez Vazquez exploited a heap-based buffer overflow in the Crystal Reports Viewer CrystalPrintControl, all while outside the default process heap. No small task, and if that's not the true meaning of Christmas, then I don't know what is.

Red, Green, Refactor (and lint check!)

We also shipped a long-awaited API enhancement for writing Metasploit modules, in the form of the normalize_uri() method, which is part of the remote exploit HttpClient mixin. It's a method that ensures your HTTP URI's slashes are all nicely formed in the cases where you want that, which is nice and all... but the big delivery here is the RSpec coverage for normalize_uri(). We now kick this new functionality through 23 tests to ensure, now and forever, that anytime we break it, we know about it.

I've talked before about Metasploit's Travis-CI integration for testable commits, so this update delivers on that continuous integration promise. Metasploit Framework now has something like 447 test cases, which is 447 more than we've had in a while. (For the historians, we did have a brief spell of checking in unit tests for some functionality, but that fell out of vogue pretty fast -- RSpec testing should be significantly more durable.)
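To make the slash problem concrete, here is an added sketch (not the framework's own normalize_uri() and not code from this update) of the kind of normalization described above, run over a table of constructed base-path and resource pairs. The name normalize_uri_sketch, the rules it applies, and the choice to leave query strings untouched are all assumptions of this example.

```ruby
# Added illustration: a stand-alone sketch of slash normalization for HTTP
# request paths. It is NOT the framework's normalize_uri(); the name
# normalize_uri_sketch and every rule below are assumptions of this example.
def normalize_uri_sketch(*parts)
  # Join the caller's segments, skipping nil and empty ones.
  joined = parts.compact.map(&:to_s).reject(&:empty?).join('/')

  # Leave any query string alone: slashes there are data, not separators.
  path, sep, query = joined.partition('?')

  # Collapse every run of slashes in the path to a single slash.
  path = path.gsub(%r{/{2,}}, '/')

  # Request paths start with a slash; a trailing slash is kept if given.
  path = "/#{path}" unless path.start_with?('/')

  "#{path}#{sep}#{query}"
end

# Constructed inputs: the kinds of base-path and resource pairs a module
# author ends up concatenating from a configurable base URI.
SAMPLE_CASES = {
  ['/', '/index.php']          => '/index.php',
  ['/app/', '/login.jsp']      => '/app/login.jsp',
  ['app', 'admin/']            => '/app/admin/',
  ['//app///', 'a//b']         => '/app/a/b',
  ['/app', 'r.php?path=a//b']  => '/app/r.php?path=a//b',
  ['', nil]                    => '/'
}.freeze

# Returns one boolean per sample case: did the sketch produce the expected path?
def check_samples
  SAMPLE_CASES.map { |args, want| normalize_uri_sketch(*args) == want }
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_CASES.each do |args, want|
    got = normalize_uri_sketch(*args)
    puts format('%-30s -> %-24s %s', args.inspect, got, got == want ? 'ok' : 'MISMATCH')
  end
end
```

A table of input and expected-output pairs like this maps directly onto spec examples, which is what lets a regression in the normalizer show up as a failed build rather than as a module that quietly requests the wrong path.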

Thanks Luke @KronicDeth Imhoff and HD @hdmoore Moore for seeing this all through. I, for one, welcome our new TDD overlords. In addition, Wei @_sinn3r Chen has been busy updating the venerable msftidy.rb utility. Msftidy is essentially a lint checker for Metasploit modules, and offers lots of warnings and error reporting for common problems we see in module submissions. If you're the sort to keep your own module trees for Metasploit, but haven't kicked them through msftidy lately, you might be surprised at the syntax coverage we offer now.

New Module

Yep, it's just the one, described in detail in Juan and sinn3r's post.

Availability

If you're new to Metasploit, you can get started by downloading Metasploit for Linux or Windows. If you're already tracking the bleeding-edge of Metasploit development, then these modules are but an msfupdate command away. For readers who prefer the packaged updates for Metasploit Community and Metasploit Pro, you'll be able to install the new hotness today when you check for updates through the Software Updates menu under Administration.

For additional details on what's changed and what's current, please see Brandon Turner's most excellent release notes.

Update: The latest update is now actually 2012121903, with release notes here. It's an Xmas miracle!